From: Sasha Levin Date: Mon, 17 Oct 2022 02:10:15 +0000 (-0400) Subject: Fixes for 6.0 X-Git-Tag: v5.4.219~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8f7de1960d48db43a6ff64be6b969dda686d91fc;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 6.0 Signed-off-by: Sasha Levin --- diff --git a/queue-6.0/acl-return-eopnotsupp-in-posix_acl_fix_xattr_common.patch b/queue-6.0/acl-return-eopnotsupp-in-posix_acl_fix_xattr_common.patch new file mode 100644 index 00000000000..f409c265710 --- /dev/null +++ b/queue-6.0/acl-return-eopnotsupp-in-posix_acl_fix_xattr_common.patch @@ -0,0 +1,102 @@ +From fad567eb3ddd29cd2cc7f3b139d9d262dd056792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 14:38:41 +0200 +Subject: acl: return EOPNOTSUPP in posix_acl_fix_xattr_common() + +From: Christian Brauner + +[ Upstream commit 985a6d0b3c800265a2d5312a52c549bf09254e55 ] + +Return EOPNOTSUPP when the POSIX ACL version doesn't match and zero if +there are no entries. This will allow us to reuse the helper in +posix_acl_from_xattr(). This change will have no user visible effects. + +Fixes: 0c5fd887d2bb ("acl: move idmapped mount fixup into vfs_{g,s}etxattr()") +Signed-off-by: Christian Brauner (Microsoft) +Reviewed-by: Seth Forshee (DigitalOcean) > +Signed-off-by: Sasha Levin +--- + fs/posix_acl.c | 25 +++++++++---------------- + 1 file changed, 9 insertions(+), 16 deletions(-) + +diff --git a/fs/posix_acl.c b/fs/posix_acl.c +index 5af33800743e..abe387700ba9 100644 +--- a/fs/posix_acl.c ++++ b/fs/posix_acl.c +@@ -710,9 +710,9 @@ EXPORT_SYMBOL(posix_acl_update_mode); + /* + * Fix up the uids and gids in posix acl extended attributes in place. + */ +-static int posix_acl_fix_xattr_common(void *value, size_t size) ++static int posix_acl_fix_xattr_common(const void *value, size_t size) + { +- struct posix_acl_xattr_header *header = value; ++ const struct posix_acl_xattr_header *header = value; + int count; + + if (!header) +@@ -720,13 +720,13 @@ static int posix_acl_fix_xattr_common(void *value, size_t size) + if (size < sizeof(struct posix_acl_xattr_header)) + return -EINVAL; + if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION)) +- return -EINVAL; ++ return -EOPNOTSUPP; + + count = posix_acl_xattr_count(size); + if (count < 0) + return -EINVAL; + if (count == 0) +- return -EINVAL; ++ return 0; + + return count; + } +@@ -748,7 +748,7 @@ void posix_acl_getxattr_idmapped_mnt(struct user_namespace *mnt_userns, + return; + + count = posix_acl_fix_xattr_common(value, size); +- if (count < 0) ++ if (count <= 0) + return; + + for (end = entry + count; entry != end; entry++) { +@@ -788,7 +788,7 @@ void posix_acl_setxattr_idmapped_mnt(struct user_namespace *mnt_userns, + return; + + count = posix_acl_fix_xattr_common(value, size); +- if (count < 0) ++ if (count <= 0) + return; + + for (end = entry + count; entry != end; entry++) { +@@ -822,7 +822,7 @@ static void posix_acl_fix_xattr_userns( + kgid_t gid; + + count = posix_acl_fix_xattr_common(value, size); +- if (count < 0) ++ if (count <= 0) + return; + + for (end = entry + count; entry != end; entry++) { +@@ -870,16 +870,9 @@ posix_acl_from_xattr(struct user_namespace *user_ns, + struct posix_acl *acl; + struct posix_acl_entry *acl_e; + +- if (!value) +- return NULL; +- if (size < sizeof(struct posix_acl_xattr_header)) +- return ERR_PTR(-EINVAL); +- if (header->a_version != cpu_to_le32(POSIX_ACL_XATTR_VERSION)) +- return ERR_PTR(-EOPNOTSUPP); +- +- count = posix_acl_xattr_count(size); ++ count = posix_acl_fix_xattr_common(value, size); + if (count < 0) +- return ERR_PTR(-EINVAL); ++ return ERR_PTR(count); + if (count == 0) + return NULL; + +-- +2.35.1 + diff --git a/queue-6.0/acpi-apei-do-not-add-task_work-to-kernel-thread-to-a.patch b/queue-6.0/acpi-apei-do-not-add-task_work-to-kernel-thread-to-a.patch new file mode 100644 index 00000000000..0f6945f7982 --- /dev/null +++ b/queue-6.0/acpi-apei-do-not-add-task_work-to-kernel-thread-to-a.patch @@ -0,0 +1,78 @@ +From eddd4abeb1b0bd6dbf3d047ac570dc7267d77d08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 15:49:53 +0800 +Subject: ACPI: APEI: do not add task_work to kernel thread to avoid memory + leak + +From: Shuai Xue + +[ Upstream commit 415fed694fe11395df56e05022d6e7cee1d39dd3 ] + +If an error is detected as a result of user-space process accessing a +corrupt memory location, the CPU may take an abort. Then the platform +firmware reports kernel via NMI like notifications, e.g. NOTIFY_SEA, +NOTIFY_SOFTWARE_DELEGATED, etc. + +For NMI like notifications, commit 7f17b4a121d0 ("ACPI: APEI: Kick the +memory_failure() queue for synchronous errors") keep track of whether +memory_failure() work was queued, and make task_work pending to flush out +the queue so that the work is processed before return to user-space. + +The code use init_mm to check whether the error occurs in user space: + + if (current->mm != &init_mm) + +The condition is always true, becase _nobody_ ever has "init_mm" as a real +VM any more. + +In addition to abort, errors can also be signaled as asynchronous +exceptions, such as interrupt and SError. In such case, the interrupted +current process could be any kind of thread. When a kernel thread is +interrupted, the work ghes_kick_task_work deferred to task_work will never +be processed because entry_handler returns to call ret_to_kernel() instead +of ret_to_user(). Consequently, the estatus_node alloced from +ghes_estatus_pool in ghes_in_nmi_queue_one_entry() will not be freed. +After around 200 allocations in our platform, the ghes_estatus_pool will +run of memory and ghes_in_nmi_queue_one_entry() returns ENOMEM. As a +result, the event failed to be processed. + + sdei: event 805 on CPU 113 failed with error: -2 + +Finally, a lot of unhandled events may cause platform firmware to exceed +some threshold and reboot. + +The condition should generally just do + + if (current->mm) + +as described in active_mm.rst documentation. + +Then if an asynchronous error is detected when a kernel thread is running, +(e.g. when detected by a background scrubber), do not add task_work to it +as the original patch intends to do. + +Fixes: 7f17b4a121d0 ("ACPI: APEI: Kick the memory_failure() queue for synchronous errors") +Signed-off-by: Shuai Xue +Reviewed-by: Tony Luck +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/apei/ghes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c +index d91ad378c00d..80ad530583c9 100644 +--- a/drivers/acpi/apei/ghes.c ++++ b/drivers/acpi/apei/ghes.c +@@ -985,7 +985,7 @@ static void ghes_proc_in_irq(struct irq_work *irq_work) + ghes_estatus_cache_add(generic, estatus); + } + +- if (task_work_pending && current->mm != &init_mm) { ++ if (task_work_pending && current->mm) { + estatus_node->task_work.func = ghes_kick_task_work; + estatus_node->task_work_cpu = smp_processor_id(); + ret = task_work_add(current, &estatus_node->task_work, +-- +2.35.1 + diff --git a/queue-6.0/acpi-pcc-fix-tx-acknowledge-in-the-pcc-address-space.patch b/queue-6.0/acpi-pcc-fix-tx-acknowledge-in-the-pcc-address-space.patch new file mode 100644 index 00000000000..8a9a98db621 --- /dev/null +++ b/queue-6.0/acpi-pcc-fix-tx-acknowledge-in-the-pcc-address-space.patch @@ -0,0 +1,43 @@ +From ea95ed3113415fc26a4bf7fbafb459398d8afced Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 17:45:00 +0800 +Subject: ACPI: PCC: Fix Tx acknowledge in the PCC address space handler + +From: Huisong Li + +[ Upstream commit 18729106c26fb97d4c9ae63ba7aba9889a058dc4 ] + +Currently, mbox_client_txdone() is called from the PCC address space +handler and that expects the user the Tx state machine to be controlled +by the client which is not the case and the below warning is thrown: + + | PCCT: Client can't run the TX ticker + +Let the controller run the state machine and the end of Tx can be +acknowledge by calling mbox_chan_txdone() instead. + +Fixes: 77e2a04745ff ("ACPI: PCC: Implement OperationRegion handler for the PCC Type 3 subtype") +Signed-off-by: Huisong Li +Reviewed-by: Sudeep Holla +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_pcc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpi_pcc.c b/drivers/acpi/acpi_pcc.c +index 16ba875e3293..ee4ce5ba1fb2 100644 +--- a/drivers/acpi/acpi_pcc.c ++++ b/drivers/acpi/acpi_pcc.c +@@ -121,7 +121,7 @@ acpi_pcc_address_space_handler(u32 function, acpi_physical_address addr, + } + } + +- mbox_client_txdone(data->pcc_chan->mchan, ret); ++ mbox_chan_txdone(data->pcc_chan->mchan, ret); + + memcpy_fromio(value, data->pcc_comm_addr, data->ctx.length); + +-- +2.35.1 + diff --git a/queue-6.0/acpi-pcc-release-resources-on-address-space-setup-fa.patch b/queue-6.0/acpi-pcc-release-resources-on-address-space-setup-fa.patch new file mode 100644 index 00000000000..7585fab3b9f --- /dev/null +++ b/queue-6.0/acpi-pcc-release-resources-on-address-space-setup-fa.patch @@ -0,0 +1,47 @@ +From 0e4a6943010969e80165bacaa9e725a507af392b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 12:33:19 -0300 +Subject: ACPI: PCC: Release resources on address space setup failure path + +From: Rafael Mendonca + +[ Upstream commit f890157e61b85ce8ae01a41ffa375e3b99853698 ] + +The allocated memory for the pcc_data struct doesn't get freed under an +error path in pcc_mbox_request_channel() or acpi_os_ioremap(). Also, the +PCC mailbox channel doesn't get freed under an error path in +acpi_os_ioremap(). + +Fixes: 77e2a04745ff8 ("ACPI: PCC: Implement OperationRegion handler for the PCC Type 3 subtype") +Signed-off-by: Rafael Mendonca +Reviewed-by: Sudeep Holla +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_pcc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/acpi_pcc.c b/drivers/acpi/acpi_pcc.c +index a12b55d81209..84f1ac416b57 100644 +--- a/drivers/acpi/acpi_pcc.c ++++ b/drivers/acpi/acpi_pcc.c +@@ -63,6 +63,7 @@ acpi_pcc_address_space_setup(acpi_handle region_handle, u32 function, + if (IS_ERR(data->pcc_chan)) { + pr_err("Failed to find PCC channel for subspace %d\n", + ctx->subspace_id); ++ kfree(data); + return AE_NOT_FOUND; + } + +@@ -72,6 +73,8 @@ acpi_pcc_address_space_setup(acpi_handle region_handle, u32 function, + if (!data->pcc_comm_addr) { + pr_err("Failed to ioremap PCC comm region mem for %d\n", + ctx->subspace_id); ++ pcc_mbox_free_channel(data->pcc_chan); ++ kfree(data); + return AE_NO_MEMORY; + } + +-- +2.35.1 + diff --git a/queue-6.0/acpi-pcc-replace-wait_for_completion.patch b/queue-6.0/acpi-pcc-replace-wait_for_completion.patch new file mode 100644 index 00000000000..f3942bdc51e --- /dev/null +++ b/queue-6.0/acpi-pcc-replace-wait_for_completion.patch @@ -0,0 +1,76 @@ +From 07e87c80aa91e3d0e14983a7b699eacf6e62c522 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 17:44:59 +0800 +Subject: ACPI: PCC: replace wait_for_completion() + +From: Huisong Li + +[ Upstream commit 91cefefb699120efd0a5ba345d12626b688f86ce ] + +Currently, the function waiting for completion of mailbox operation is +'wait_for_completion()'. The PCC method will be permanently blocked if +this mailbox message fails to execute. So this patch replaces it with +'wait_for_completion_timeout()'. And set the timeout interval to an +arbitrary retries on top of nominal to prevent the remote processor is +slow to respond to PCC commands. + +Fixes: 77e2a04745ff ("ACPI: PCC: Implement OperationRegion handler for the PCC Type 3 subtype") +Signed-off-by: Huisong Li +Reviewed-by: Sudeep Holla +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_pcc.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/acpi_pcc.c b/drivers/acpi/acpi_pcc.c +index 84f1ac416b57..16ba875e3293 100644 +--- a/drivers/acpi/acpi_pcc.c ++++ b/drivers/acpi/acpi_pcc.c +@@ -23,6 +23,12 @@ + + #include + ++/* ++ * Arbitrary retries in case the remote processor is slow to respond ++ * to PCC commands ++ */ ++#define PCC_CMD_WAIT_RETRIES_NUM 500 ++ + struct pcc_data { + struct pcc_mbox_chan *pcc_chan; + void __iomem *pcc_comm_addr; +@@ -89,6 +95,7 @@ acpi_pcc_address_space_handler(u32 function, acpi_physical_address addr, + { + int ret; + struct pcc_data *data = region_context; ++ u64 usecs_lat; + + reinit_completion(&data->done); + +@@ -99,8 +106,20 @@ acpi_pcc_address_space_handler(u32 function, acpi_physical_address addr, + if (ret < 0) + return AE_ERROR; + +- if (data->pcc_chan->mchan->mbox->txdone_irq) +- wait_for_completion(&data->done); ++ if (data->pcc_chan->mchan->mbox->txdone_irq) { ++ /* ++ * pcc_chan->latency is just a Nominal value. In reality the remote ++ * processor could be much slower to reply. So add an arbitrary ++ * amount of wait on top of Nominal. ++ */ ++ usecs_lat = PCC_CMD_WAIT_RETRIES_NUM * data->pcc_chan->latency; ++ ret = wait_for_completion_timeout(&data->done, ++ usecs_to_jiffies(usecs_lat)); ++ if (ret == 0) { ++ pr_err("PCC command executed timeout!\n"); ++ return AE_TIME; ++ } ++ } + + mbox_client_txdone(data->pcc_chan->mchan, ret); + +-- +2.35.1 + diff --git a/queue-6.0/acpi-tables-fpdt-don-t-call-acpi_os_map_memory-on-in.patch b/queue-6.0/acpi-tables-fpdt-don-t-call-acpi_os_map_memory-on-in.patch new file mode 100644 index 00000000000..719c54a6712 --- /dev/null +++ b/queue-6.0/acpi-tables-fpdt-don-t-call-acpi_os_map_memory-on-in.patch @@ -0,0 +1,108 @@ +From 907c0d7a0bda62df61abe14ffa950aad5b1c49b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 14:34:12 +0200 +Subject: ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys + address + +From: Hans de Goede + +[ Upstream commit 211391bf04b3c74e250c566eeff9cf808156c693 ] + +On a Packard Bell Dot SC (Intel Atom N2600 model) there is a FPDT table +which contains invalid physical addresses, with high bits set which fall +outside the range of the CPU-s supported physical address range. + +Calling acpi_os_map_memory() on such an invalid phys address leads to +the below WARN_ON in ioremap triggering resulting in an oops/stacktrace. + +Add code to verify the physical address before calling acpi_os_map_memory() +to fix / avoid the oops. + +[ 1.226900] ioremap: invalid physical address 3001000000000000 +[ 1.226949] ------------[ cut here ]------------ +[ 1.226962] WARNING: CPU: 1 PID: 1 at arch/x86/mm/ioremap.c:200 __ioremap_caller.cold+0x43/0x5f +[ 1.226996] Modules linked in: +[ 1.227016] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc3+ #490 +[ 1.227029] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013 +[ 1.227038] RIP: 0010:__ioremap_caller.cold+0x43/0x5f +[ 1.227054] Code: 96 00 00 e9 f8 af 24 ff 89 c6 48 c7 c7 d8 0c 84 99 e8 6a 96 00 00 e9 76 af 24 ff 48 89 fe 48 c7 c7 a8 0c 84 99 e8 56 96 00 00 <0f> 0b e9 60 af 24 ff 48 8b 34 24 48 c7 c7 40 0d 84 99 e8 3f 96 00 +[ 1.227067] RSP: 0000:ffffb18c40033d60 EFLAGS: 00010286 +[ 1.227084] RAX: 0000000000000032 RBX: 3001000000000000 RCX: 0000000000000000 +[ 1.227095] RDX: 0000000000000001 RSI: 00000000ffffdfff RDI: 00000000ffffffff +[ 1.227105] RBP: 3001000000000000 R08: 0000000000000000 R09: ffffb18c40033c18 +[ 1.227115] R10: 0000000000000003 R11: ffffffff99d62fe8 R12: 0000000000000008 +[ 1.227124] R13: 0003001000000000 R14: 0000000000001000 R15: 3001000000000000 +[ 1.227135] FS: 0000000000000000(0000) GS:ffff913a3c080000(0000) knlGS:0000000000000000 +[ 1.227146] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1.227156] CR2: 0000000000000000 CR3: 0000000018c26000 CR4: 00000000000006e0 +[ 1.227167] Call Trace: +[ 1.227176] +[ 1.227185] ? acpi_os_map_iomem+0x1c9/0x1e0 +[ 1.227215] ? kmem_cache_alloc_trace+0x187/0x370 +[ 1.227254] acpi_os_map_iomem+0x1c9/0x1e0 +[ 1.227288] acpi_init_fpdt+0xa8/0x253 +[ 1.227308] ? acpi_debugfs_init+0x1f/0x1f +[ 1.227339] do_one_initcall+0x5a/0x300 +[ 1.227406] ? rcu_read_lock_sched_held+0x3f/0x80 +[ 1.227442] kernel_init_freeable+0x28b/0x2cc +[ 1.227512] ? rest_init+0x170/0x170 +[ 1.227538] kernel_init+0x16/0x140 +[ 1.227552] ret_from_fork+0x1f/0x30 +[ 1.227639] +[ 1.227647] irq event stamp: 186819 +[ 1.227656] hardirqs last enabled at (186825): [] __up_console_sem+0x5e/0x70 +[ 1.227672] hardirqs last disabled at (186830): [] __up_console_sem+0x43/0x70 +[ 1.227686] softirqs last enabled at (186576): [] __irq_exit_rcu+0xed/0x160 +[ 1.227701] softirqs last disabled at (186569): [] __irq_exit_rcu+0xed/0x160 +[ 1.227715] ---[ end trace 0000000000000000 ]--- + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_fpdt.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/drivers/acpi/acpi_fpdt.c b/drivers/acpi/acpi_fpdt.c +index 6922a44b3ce7..a2056c4c8cb7 100644 +--- a/drivers/acpi/acpi_fpdt.c ++++ b/drivers/acpi/acpi_fpdt.c +@@ -143,6 +143,23 @@ static const struct attribute_group boot_attr_group = { + + static struct kobject *fpdt_kobj; + ++#if defined CONFIG_X86 && defined CONFIG_PHYS_ADDR_T_64BIT ++#include ++static bool fpdt_address_valid(u64 address) ++{ ++ /* ++ * On some systems the table contains invalid addresses ++ * with unsuppored high address bits set, check for this. ++ */ ++ return !(address >> boot_cpu_data.x86_phys_bits); ++} ++#else ++static bool fpdt_address_valid(u64 address) ++{ ++ return true; ++} ++#endif ++ + static int fpdt_process_subtable(u64 address, u32 subtable_type) + { + struct fpdt_subtable_header *subtable_header; +@@ -151,6 +168,11 @@ static int fpdt_process_subtable(u64 address, u32 subtable_type) + u32 length, offset; + int result; + ++ if (!fpdt_address_valid(address)) { ++ pr_info(FW_BUG "invalid physical address: 0x%llx!\n", address); ++ return -EINVAL; ++ } ++ + subtable_header = acpi_os_map_memory(address, sizeof(*subtable_header)); + if (!subtable_header) + return -ENOMEM; +-- +2.35.1 + diff --git a/queue-6.0/acpi-video-add-toshiba-satellite-portege-z830-quirk.patch b/queue-6.0/acpi-video-add-toshiba-satellite-portege-z830-quirk.patch new file mode 100644 index 00000000000..979cbb103f8 --- /dev/null +++ b/queue-6.0/acpi-video-add-toshiba-satellite-portege-z830-quirk.patch @@ -0,0 +1,59 @@ +From 18fae22da10237b3f2e369a43399f1ea4022ccc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 20:49:50 +0200 +Subject: ACPI: video: Add Toshiba Satellite/Portege Z830 quirk + +From: Arvid Norlander + +[ Upstream commit 574160b8548deff8b80b174f03201e94ab8431e2 ] + +Toshiba Satellite Z830 needs the quirk video_disable_backlight_sysfs_if +for proper backlight control after suspend/resume cycles. + +Toshiba Portege Z830 is simply the same laptop rebranded for certain +markets (I looked through the manual to other language sections to confirm +this) and thus also needs this quirk. + +Thanks to Hans de Goede for suggesting this fix. + +Link: https://www.spinics.net/lists/platform-driver-x86/msg34394.html +Suggested-by: Hans de Goede +Signed-off-by: Arvid Norlander +Reviewed-by: Hans de Goede +Tested-by: Arvid Norlander +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpi_video.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c +index 5cbe2196176d..2a4990733cf0 100644 +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -496,6 +496,22 @@ static const struct dmi_system_id video_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE R830"), + }, + }, ++ { ++ .callback = video_disable_backlight_sysfs_if, ++ .ident = "Toshiba Satellite Z830", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE Z830"), ++ }, ++ }, ++ { ++ .callback = video_disable_backlight_sysfs_if, ++ .ident = "Toshiba Portege Z830", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE Z830"), ++ }, ++ }, + /* + * Some machine's _DOD IDs don't have bit 31(Device ID Scheme) set + * but the IDs actually follow the Device ID Scheme. +-- +2.35.1 + diff --git a/queue-6.0/acpi-x86-add-a-quirk-for-dell-inspiron-14-2-in-1-for.patch b/queue-6.0/acpi-x86-add-a-quirk-for-dell-inspiron-14-2-in-1-for.patch new file mode 100644 index 00000000000..86fda771fce --- /dev/null +++ b/queue-6.0/acpi-x86-add-a-quirk-for-dell-inspiron-14-2-in-1-for.patch @@ -0,0 +1,63 @@ +From 2f712beea2e616a8967adfbed3bbff48e4a85657 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 13:23:14 -0500 +Subject: ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1 for + StorageD3Enable + +From: Mario Limonciello + +[ Upstream commit 018d6711c26e4bd26e20a819fcc7f8ab902608f3 ] + +Dell Inspiron 14 2-in-1 has two ACPI nodes under GPP1 both with _ADR of +0, both without _HID. It's ambiguous which the kernel should take, but +it seems to take "DEV0". Unfortunately "DEV0" is missing the device +property `StorageD3Enable` which is present on "NVME". + +To avoid this causing problems for suspend, add a quirk for this system +to behave like `StorageD3Enable` property was found. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216440 +Reported-and-tested-by: Luya Tshimbalanga +Signed-off-by: Mario Limonciello +Reviewed-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/x86/utils.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c +index 664070fc8349..d7cdd8406c84 100644 +--- a/drivers/acpi/x86/utils.c ++++ b/drivers/acpi/x86/utils.c +@@ -207,9 +207,26 @@ static const struct x86_cpu_id storage_d3_cpu_ids[] = { + {} + }; + ++static const struct dmi_system_id force_storage_d3_dmi[] = { ++ { ++ /* ++ * _ADR is ambiguous between GPP1.DEV0 and GPP1.NVME ++ * but .NVME is needed to get StorageD3Enable node ++ * https://bugzilla.kernel.org/show_bug.cgi?id=216440 ++ */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 14 7425 2-in-1"), ++ } ++ }, ++ {} ++}; ++ + bool force_storage_d3(void) + { +- return x86_match_cpu(storage_d3_cpu_ids); ++ const struct dmi_system_id *dmi_id = dmi_first_match(force_storage_d3_dmi); ++ ++ return dmi_id || x86_match_cpu(storage_d3_cpu_ids); + } + + /* +-- +2.35.1 + diff --git a/queue-6.0/af_unix-fix-memory-leaks-of-the-whole-sk-due-to-oob-.patch b/queue-6.0/af_unix-fix-memory-leaks-of-the-whole-sk-due-to-oob-.patch new file mode 100644 index 00000000000..f311dfa8c3f --- /dev/null +++ b/queue-6.0/af_unix-fix-memory-leaks-of-the-whole-sk-due-to-oob-.patch @@ -0,0 +1,102 @@ +From f41b8eed4fa9bce8ea1665901fcc3be75deabb81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 08:52:04 -0700 +Subject: af_unix: Fix memory leaks of the whole sk due to OOB skb. + +From: Kuniyuki Iwashima + +[ Upstream commit 7a62ed61367b8fd01bae1e18e30602c25060d824 ] + +syzbot reported a sequence of memory leaks, and one of them indicated we +failed to free a whole sk: + + unreferenced object 0xffff8880126e0000 (size 1088): + comm "syz-executor419", pid 326, jiffies 4294773607 (age 12.609s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 7d 00 00 00 00 00 00 00 ........}....... + 01 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............ + backtrace: + [<000000006fefe750>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:1970 + [<0000000074006db5>] sk_alloc+0x3b/0x800 net/core/sock.c:2029 + [<00000000728cd434>] unix_create1+0xaf/0x920 net/unix/af_unix.c:928 + [<00000000a279a139>] unix_create+0x113/0x1d0 net/unix/af_unix.c:997 + [<0000000068259812>] __sock_create+0x2ab/0x550 net/socket.c:1516 + [<00000000da1521e1>] sock_create net/socket.c:1566 [inline] + [<00000000da1521e1>] __sys_socketpair+0x1a8/0x550 net/socket.c:1698 + [<000000007ab259e1>] __do_sys_socketpair net/socket.c:1751 [inline] + [<000000007ab259e1>] __se_sys_socketpair net/socket.c:1748 [inline] + [<000000007ab259e1>] __x64_sys_socketpair+0x97/0x100 net/socket.c:1748 + [<000000007dedddc1>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] + [<000000007dedddc1>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80 + [<000000009456679f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +We can reproduce this issue by creating two AF_UNIX SOCK_STREAM sockets, +send()ing an OOB skb to each other, and close()ing them without consuming +the OOB skbs. + + int skpair[2]; + + socketpair(AF_UNIX, SOCK_STREAM, 0, skpair); + + send(skpair[0], "x", 1, MSG_OOB); + send(skpair[1], "x", 1, MSG_OOB); + + close(skpair[0]); + close(skpair[1]); + +Currently, we free an OOB skb in unix_sock_destructor() which is called via +__sk_free(), but it's too late because the receiver's unix_sk(sk)->oob_skb +is accounted against the sender's sk->sk_wmem_alloc and __sk_free() is +called only when sk->sk_wmem_alloc is 0. + +In the repro sequences, we do not consume the OOB skb, so both two sk's +sock_put() never reach __sk_free() due to the positive sk->sk_wmem_alloc. +Then, no one can consume the OOB skb nor call __sk_free(), and we finally +leak the two whole sk. + +Thus, we must free the unconsumed OOB skb earlier when close()ing the +socket. + +Fixes: 314001f0bf92 ("af_unix: Add OOB support") +Reported-by: syzbot +Signed-off-by: Kuniyuki Iwashima +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index bf338b782fc4..d686804119c9 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -569,12 +569,6 @@ static void unix_sock_destructor(struct sock *sk) + + skb_queue_purge(&sk->sk_receive_queue); + +-#if IS_ENABLED(CONFIG_AF_UNIX_OOB) +- if (u->oob_skb) { +- kfree_skb(u->oob_skb); +- u->oob_skb = NULL; +- } +-#endif + DEBUG_NET_WARN_ON_ONCE(refcount_read(&sk->sk_wmem_alloc)); + DEBUG_NET_WARN_ON_ONCE(!sk_unhashed(sk)); + DEBUG_NET_WARN_ON_ONCE(sk->sk_socket); +@@ -620,6 +614,13 @@ static void unix_release_sock(struct sock *sk, int embrion) + + unix_state_unlock(sk); + ++#if IS_ENABLED(CONFIG_AF_UNIX_OOB) ++ if (u->oob_skb) { ++ kfree_skb(u->oob_skb); ++ u->oob_skb = NULL; ++ } ++#endif ++ + wake_up_interruptible_all(&u->peer_wait); + + if (skpair != NULL) { +-- +2.35.1 + diff --git a/queue-6.0/alsa-dmaengine-increment-buffer-pointer-atomically.patch b/queue-6.0/alsa-dmaengine-increment-buffer-pointer-atomically.patch new file mode 100644 index 00000000000..b9ed13c1971 --- /dev/null +++ b/queue-6.0/alsa-dmaengine-increment-buffer-pointer-atomically.patch @@ -0,0 +1,49 @@ +From b36a19d248afdf1517b4dad8e29e27e285a71199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 18:58:13 +0200 +Subject: ALSA: dmaengine: increment buffer pointer atomically + +From: Andreas Pape + +[ Upstream commit d1c442019594692c64a70a86ad88eb5b6db92216 ] + +Setting pointer and afterwards checking for wraparound leads +to the possibility of returning the inconsistent pointer position. + +This patch increments buffer pointer atomically to avoid this issue. + +Fixes: e7f73a1613567a ("ASoC: Add dmaengine PCM helper functions") +Signed-off-by: Andreas Pape +Signed-off-by: Eugeniu Rosca +Link: https://lore.kernel.org/r/1664211493-11789-1-git-send-email-erosca@de.adit-jv.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm_dmaengine.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c +index 5b2ca028f5aa..494ec0c207fa 100644 +--- a/sound/core/pcm_dmaengine.c ++++ b/sound/core/pcm_dmaengine.c +@@ -133,12 +133,14 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_set_config_from_dai_data); + + static void dmaengine_pcm_dma_complete(void *arg) + { ++ unsigned int new_pos; + struct snd_pcm_substream *substream = arg; + struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream); + +- prtd->pos += snd_pcm_lib_period_bytes(substream); +- if (prtd->pos >= snd_pcm_lib_buffer_bytes(substream)) +- prtd->pos = 0; ++ new_pos = prtd->pos + snd_pcm_lib_period_bytes(substream); ++ if (new_pos >= snd_pcm_lib_buffer_bytes(substream)) ++ new_pos = 0; ++ prtd->pos = new_pos; + + snd_pcm_period_elapsed(substream); + } +-- +2.35.1 + diff --git a/queue-6.0/alsa-hda-beep-simplify-keep-power-at-enable-behavior.patch b/queue-6.0/alsa-hda-beep-simplify-keep-power-at-enable-behavior.patch new file mode 100644 index 00000000000..8940541a2be --- /dev/null +++ b/queue-6.0/alsa-hda-beep-simplify-keep-power-at-enable-behavior.patch @@ -0,0 +1,135 @@ +From bcce0037d12ff0995d167aabb6b829c64629882f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 11:23:06 +0200 +Subject: ALSA: hda: beep: Simplify keep-power-at-enable behavior + +From: Takashi Iwai + +[ Upstream commit 4c8d695cb9bc5f6fd298a586602947b2fc099a64 ] + +The recent fix for IDT codecs to keep the power up while the beep is +enabled can be better integrated into the beep helper code. +This patch cleans up the code with refactoring. + +Fixes: 414d38ba8710 ("ALSA: hda/sigmatel: Keep power up while beep is enabled") +Link: https://lore.kernel.org/r/20220906092306.26183-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_beep.c | 15 +++++++++++++-- + sound/pci/hda/hda_beep.h | 1 + + sound/pci/hda/patch_sigmatel.c | 25 ++----------------------- + 3 files changed, 16 insertions(+), 25 deletions(-) + +diff --git a/sound/pci/hda/hda_beep.c b/sound/pci/hda/hda_beep.c +index 53a2b89f8983..e63621bcb214 100644 +--- a/sound/pci/hda/hda_beep.c ++++ b/sound/pci/hda/hda_beep.c +@@ -118,6 +118,12 @@ static int snd_hda_beep_event(struct input_dev *dev, unsigned int type, + return 0; + } + ++static void turn_on_beep(struct hda_beep *beep) ++{ ++ if (beep->keep_power_at_enable) ++ snd_hda_power_up_pm(beep->codec); ++} ++ + static void turn_off_beep(struct hda_beep *beep) + { + cancel_work_sync(&beep->beep_work); +@@ -125,6 +131,8 @@ static void turn_off_beep(struct hda_beep *beep) + /* turn off beep */ + generate_tone(beep, 0); + } ++ if (beep->keep_power_at_enable) ++ snd_hda_power_down_pm(beep->codec); + } + + /** +@@ -140,7 +148,9 @@ int snd_hda_enable_beep_device(struct hda_codec *codec, int enable) + enable = !!enable; + if (beep->enabled != enable) { + beep->enabled = enable; +- if (!enable) ++ if (enable) ++ turn_on_beep(beep); ++ else + turn_off_beep(beep); + return 1; + } +@@ -167,7 +177,8 @@ static int beep_dev_disconnect(struct snd_device *device) + input_unregister_device(beep->dev); + else + input_free_device(beep->dev); +- turn_off_beep(beep); ++ if (beep->enabled) ++ turn_off_beep(beep); + return 0; + } + +diff --git a/sound/pci/hda/hda_beep.h b/sound/pci/hda/hda_beep.h +index a25358a4807a..db76e3ddba65 100644 +--- a/sound/pci/hda/hda_beep.h ++++ b/sound/pci/hda/hda_beep.h +@@ -25,6 +25,7 @@ struct hda_beep { + unsigned int enabled:1; + unsigned int linear_tone:1; /* linear tone for IDT/STAC codec */ + unsigned int playing:1; ++ unsigned int keep_power_at_enable:1; /* set by driver */ + struct work_struct beep_work; /* scheduled task for beep event */ + struct mutex mutex; + void (*power_hook)(struct hda_beep *beep, bool on); +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index 7f340f18599c..a794a01a68ca 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -4311,6 +4311,8 @@ static int stac_parse_auto_config(struct hda_codec *codec) + if (codec->beep) { + /* IDT/STAC codecs have linear beep tone parameter */ + codec->beep->linear_tone = spec->linear_tone_beep; ++ /* keep power up while beep is enabled */ ++ codec->beep->keep_power_at_enable = 1; + /* if no beep switch is available, make its own one */ + caps = query_amp_caps(codec, nid, HDA_OUTPUT); + if (!(caps & AC_AMPCAP_MUTE)) { +@@ -4444,28 +4446,6 @@ static int stac_suspend(struct hda_codec *codec) + + return 0; + } +- +-static int stac_check_power_status(struct hda_codec *codec, hda_nid_t nid) +-{ +-#ifdef CONFIG_SND_HDA_INPUT_BEEP +- struct sigmatel_spec *spec = codec->spec; +-#endif +- int ret = snd_hda_gen_check_power_status(codec, nid); +- +-#ifdef CONFIG_SND_HDA_INPUT_BEEP +- if (nid == spec->gen.beep_nid && codec->beep) { +- if (codec->beep->enabled != spec->beep_power_on) { +- spec->beep_power_on = codec->beep->enabled; +- if (spec->beep_power_on) +- snd_hda_power_up_pm(codec); +- else +- snd_hda_power_down_pm(codec); +- } +- ret |= spec->beep_power_on; +- } +-#endif +- return ret; +-} + #else + #define stac_suspend NULL + #endif /* CONFIG_PM */ +@@ -4478,7 +4458,6 @@ static const struct hda_codec_ops stac_patch_ops = { + .unsol_event = snd_hda_jack_unsol_event, + #ifdef CONFIG_PM + .suspend = stac_suspend, +- .check_power_status = stac_check_power_status, + #endif + }; + +-- +2.35.1 + diff --git a/queue-6.0/alsa-hda-fix-page-fault-in-snd_hda_codec_shutdown.patch b/queue-6.0/alsa-hda-fix-page-fault-in-snd_hda_codec_shutdown.patch new file mode 100644 index 00000000000..6e54f2c8781 --- /dev/null +++ b/queue-6.0/alsa-hda-fix-page-fault-in-snd_hda_codec_shutdown.patch @@ -0,0 +1,108 @@ +From b868d4706e47b8774c88ffc6377778d08926640c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 13:17:27 +0200 +Subject: ALSA: hda: Fix page fault in snd_hda_codec_shutdown() + +From: Cezary Rojewski + +[ Upstream commit f2bd1c5ae2cb0cf9525c9bffc0038c12dd7e1338 ] + +If early probe of HDAudio bus driver fails e.g.: due to missing +firmware file, snd_hda_codec_shutdown() ends in manipulating +uninitialized codec->pcm_list_head causing page fault. + +Initialization of HDAudio codec in ASoC is split in two: +- snd_hda_codec_device_init() +- snd_hda_codec_device_new() + +snd_hda_codec_device_init() is called during probe_codecs() by HDAudio +bus driver while snd_hda_codec_device_new() is called by +codec-component's ->probe(). The second call will not happen until all +components required by related sound card are present within the ASoC +framework. With firmware failing to load during the PCI's deferred +initialization i.e.: probe_work(), no platform components are ever +registered. HDAudio codec enumeration is done at that point though, so +the codec components became registered to ASoC framework, calling +snd_hda_codec_device_init() in the process. + +Now, during platform reboot snd_hda_codec_shutdown() is called for every +codec found on the HDAudio bus causing oops if any of them has not +completed both of their initialization steps. Relocating field +initialization fixes the issue. + +Reviewed-by: Kai Vehmanen +Reviewed-by: Pierre-Louis Bossart +Signed-off-by: Cezary Rojewski +Link: https://lore.kernel.org/r/20220816111727.3218543-7-cezary.rojewski@intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_codec.c | 41 +++++++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 21 deletions(-) + +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 384426d7e9dd..4ae8b9574778 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -931,8 +931,28 @@ snd_hda_codec_device_init(struct hda_bus *bus, unsigned int codec_addr, + } + + codec->bus = bus; ++ codec->depop_delay = -1; ++ codec->fixup_id = HDA_FIXUP_ID_NOT_SET; ++ codec->core.dev.release = snd_hda_codec_dev_release; ++ codec->core.exec_verb = codec_exec_verb; + codec->core.type = HDA_DEV_LEGACY; + ++ mutex_init(&codec->spdif_mutex); ++ mutex_init(&codec->control_mutex); ++ snd_array_init(&codec->mixers, sizeof(struct hda_nid_item), 32); ++ snd_array_init(&codec->nids, sizeof(struct hda_nid_item), 32); ++ snd_array_init(&codec->init_pins, sizeof(struct hda_pincfg), 16); ++ snd_array_init(&codec->driver_pins, sizeof(struct hda_pincfg), 16); ++ snd_array_init(&codec->cvt_setups, sizeof(struct hda_cvt_setup), 8); ++ snd_array_init(&codec->spdif_out, sizeof(struct hda_spdif_out), 16); ++ snd_array_init(&codec->jacktbl, sizeof(struct hda_jack_tbl), 16); ++ snd_array_init(&codec->verbs, sizeof(struct hda_verb *), 8); ++ INIT_LIST_HEAD(&codec->conn_list); ++ INIT_LIST_HEAD(&codec->pcm_list_head); ++ INIT_DELAYED_WORK(&codec->jackpoll_work, hda_jackpoll_work); ++ refcount_set(&codec->pcm_ref, 1); ++ init_waitqueue_head(&codec->remove_sleep); ++ + return codec; + } + EXPORT_SYMBOL_GPL(snd_hda_codec_device_init); +@@ -985,29 +1005,8 @@ int snd_hda_codec_device_new(struct hda_bus *bus, struct snd_card *card, + if (snd_BUG_ON(codec_addr > HDA_MAX_CODEC_ADDRESS)) + return -EINVAL; + +- codec->core.dev.release = snd_hda_codec_dev_release; +- codec->core.exec_verb = codec_exec_verb; +- + codec->card = card; + codec->addr = codec_addr; +- mutex_init(&codec->spdif_mutex); +- mutex_init(&codec->control_mutex); +- snd_array_init(&codec->mixers, sizeof(struct hda_nid_item), 32); +- snd_array_init(&codec->nids, sizeof(struct hda_nid_item), 32); +- snd_array_init(&codec->init_pins, sizeof(struct hda_pincfg), 16); +- snd_array_init(&codec->driver_pins, sizeof(struct hda_pincfg), 16); +- snd_array_init(&codec->cvt_setups, sizeof(struct hda_cvt_setup), 8); +- snd_array_init(&codec->spdif_out, sizeof(struct hda_spdif_out), 16); +- snd_array_init(&codec->jacktbl, sizeof(struct hda_jack_tbl), 16); +- snd_array_init(&codec->verbs, sizeof(struct hda_verb *), 8); +- INIT_LIST_HEAD(&codec->conn_list); +- INIT_LIST_HEAD(&codec->pcm_list_head); +- refcount_set(&codec->pcm_ref, 1); +- init_waitqueue_head(&codec->remove_sleep); +- +- INIT_DELAYED_WORK(&codec->jackpoll_work, hda_jackpoll_work); +- codec->depop_delay = -1; +- codec->fixup_id = HDA_FIXUP_ID_NOT_SET; + + #ifdef CONFIG_PM + codec->power_jiffies = jiffies; +-- +2.35.1 + diff --git a/queue-6.0/alsa-hda-hdmi-change-type-for-the-assigned-variable.patch b/queue-6.0/alsa-hda-hdmi-change-type-for-the-assigned-variable.patch new file mode 100644 index 00000000000..e30ab36bff0 --- /dev/null +++ b/queue-6.0/alsa-hda-hdmi-change-type-for-the-assigned-variable.patch @@ -0,0 +1,92 @@ +From 7e9366c5bf62aad91473edd289639192c6835375 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 09:03:07 +0200 +Subject: ALSA: hda/hdmi: change type for the 'assigned' variable + +From: Jaroslav Kysela + +[ Upstream commit 4053a41282f8aae290d3fe7b8daef4c8c53a4ab8 ] + +This change converts the assigned value from int type to +the bool type to retain consistency with other structure +members like 'setup', 'non_pcm' etc. + +Signed-off-by: Jaroslav Kysela +Link: https://lore.kernel.org/r/20220913070307.3234038-1-perex@perex.cz +Signed-off-by: Takashi Iwai +Stable-dep-of: fc6f923ecfa2 ("ALSA: hda/hdmi: Fix the converter allocation for the silent stream") +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index c239d9dbbaef..69afea67bf3e 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -53,7 +53,7 @@ MODULE_PARM_DESC(enable_all_pins, "Forcibly enable all pins"); + + struct hdmi_spec_per_cvt { + hda_nid_t cvt_nid; +- int assigned; ++ bool assigned; /* the stream has been assigned */ + unsigned int channels_min; + unsigned int channels_max; + u32 rates; +@@ -1204,7 +1204,7 @@ static int hdmi_pcm_open_no_pin(struct hda_pcm_stream *hinfo, + return err; + + per_cvt = get_cvt(spec, cvt_idx); +- per_cvt->assigned = 1; ++ per_cvt->assigned = true; + hinfo->nid = per_cvt->cvt_nid; + + pin_cvt_fixup(codec, NULL, per_cvt->cvt_nid); +@@ -1273,7 +1273,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo, + + per_cvt = get_cvt(spec, cvt_idx); + /* Claim converter */ +- per_cvt->assigned = 1; ++ per_cvt->assigned = true; + + set_bit(pcm_idx, &spec->pcm_in_use); + per_pin = get_pin(spec, pin_idx); +@@ -1308,7 +1308,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo, + snd_hdmi_eld_update_pcm_info(&eld->info, hinfo); + if (hinfo->channels_min > hinfo->channels_max || + !hinfo->rates || !hinfo->formats) { +- per_cvt->assigned = 0; ++ per_cvt->assigned = false; + hinfo->nid = 0; + snd_hda_spdif_ctls_unassign(codec, pcm_idx); + err = -ENODEV; +@@ -1767,7 +1767,7 @@ static void silent_stream_enable(struct hda_codec *codec, + } + + per_cvt = get_cvt(spec, cvt_idx); +- per_cvt->assigned = 1; ++ per_cvt->assigned = true; + per_pin->cvt_nid = per_cvt->cvt_nid; + per_pin->silent_stream = true; + +@@ -1827,7 +1827,7 @@ static void silent_stream_disable(struct hda_codec *codec, + cvt_idx = cvt_nid_to_cvt_index(codec, per_pin->cvt_nid); + if (cvt_idx >= 0 && cvt_idx < spec->num_cvts) { + per_cvt = get_cvt(spec, cvt_idx); +- per_cvt->assigned = 0; ++ per_cvt->assigned = false; + } + + if (spec->silent_stream_type == SILENT_STREAM_I915) { +@@ -2223,7 +2223,7 @@ static int hdmi_pcm_close(struct hda_pcm_stream *hinfo, + goto unlock; + } + per_cvt = get_cvt(spec, cvt_idx); +- per_cvt->assigned = 0; ++ per_cvt->assigned = false; + hinfo->nid = 0; + + azx_stream(get_azx_dev(substream))->stripe = 0; +-- +2.35.1 + diff --git a/queue-6.0/alsa-hda-hdmi-don-t-skip-notification-handling-durin.patch b/queue-6.0/alsa-hda-hdmi-don-t-skip-notification-handling-durin.patch new file mode 100644 index 00000000000..7d74eff42e9 --- /dev/null +++ b/queue-6.0/alsa-hda-hdmi-don-t-skip-notification-handling-durin.patch @@ -0,0 +1,63 @@ +From 1825c901731b0d56469b1513d4e57c10fbaf0020 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Oct 2022 09:48:10 +0200 +Subject: ALSA: hda/hdmi: Don't skip notification handling during PM operation + +From: Takashi Iwai + +[ Upstream commit 5226c7b9784eee215e3914f440b3c2e1764f67a8 ] + +The HDMI driver skips the notification handling from the graphics +driver when the codec driver is being in the PM operation. This +behavior was introduced by the commit eb399d3c99d8 ("ALSA: hda - Skip +ELD notification during PM process"). This skip may cause a problem, +as we may miss the ELD update when the connection/disconnection +happens right at the runtime-PM operation of the audio codec. + +Although this workaround was valid at that time, it's no longer true; +the fix was required just because the ELD update procedure needed to +wake up the audio codec, which had lead to a runtime-resume during a +runtime-suspend. Meanwhile, the ELD update procedure doesn't need a +codec wake up any longer since the commit 788d441a164c ("ALSA: hda - +Use component ops for i915 HDMI/DP audio jack handling"); i.e. there +is no much reason for skipping the notification. + +Let's drop those checks for addressing the missing notification. + +Fixes: 788d441a164c ("ALSA: hda - Use component ops for i915 HDMI/DP audio jack handling") +Reported-by: Brent Lu +Link: https://lore.kernel.org/r/20220927135807.4097052-1-brent.lu@intel.com +Link: https://lore.kernel.org/r/20221001074809.7461-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index d463c968b3a4..287f4f78e7b1 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -2751,9 +2751,6 @@ static void generic_acomp_pin_eld_notify(void *audio_ptr, int port, int dev_id) + */ + if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND) + return; +- /* ditto during suspend/resume process itself */ +- if (snd_hdac_is_in_pm(&codec->core)) +- return; + + check_presence_and_report(codec, pin_nid, dev_id); + } +@@ -2937,9 +2934,6 @@ static void intel_pin_eld_notify(void *audio_ptr, int port, int pipe) + */ + if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND) + return; +- /* ditto during suspend/resume process itself */ +- if (snd_hdac_is_in_pm(&codec->core)) +- return; + + snd_hdac_i915_set_bclk(&codec->bus->core); + check_presence_and_report(codec, pin_nid, dev_id); +-- +2.35.1 + diff --git a/queue-6.0/alsa-hda-hdmi-fix-the-converter-allocation-for-the-s.patch b/queue-6.0/alsa-hda-hdmi-fix-the-converter-allocation-for-the-s.patch new file mode 100644 index 00000000000..f6b5196ebf1 --- /dev/null +++ b/queue-6.0/alsa-hda-hdmi-fix-the-converter-allocation-for-the-s.patch @@ -0,0 +1,120 @@ +From b3f582c8b14551f27218e4bc15d0d809019ed5b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 15:54:44 +0200 +Subject: ALSA: hda/hdmi: Fix the converter allocation for the silent stream + +From: Jaroslav Kysela + +[ Upstream commit fc6f923ecfa2fafd0600f1b7e2de09baf29865e2 ] + +Track the converters handling the silent stream using a new +variable to avoid mixing of the open/close and silent stream +use. This change ensures the proper allocation of the converters. + +Fixes: 5f80d6bd2b01 ("ALSA: hda/hdmi: Fix the converter reuse for the silent stream") + +Signed-off-by: Jaroslav Kysela +Reviewed-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20220919135444.3554982-1-perex@perex.cz +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 69afea67bf3e..d463c968b3a4 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -54,6 +54,7 @@ MODULE_PARM_DESC(enable_all_pins, "Forcibly enable all pins"); + struct hdmi_spec_per_cvt { + hda_nid_t cvt_nid; + bool assigned; /* the stream has been assigned */ ++ bool silent_stream; /* silent stream activated */ + unsigned int channels_min; + unsigned int channels_max; + u32 rates; +@@ -988,7 +989,8 @@ static int hdmi_setup_stream(struct hda_codec *codec, hda_nid_t cvt_nid, + * of the pin. + */ + static int hdmi_choose_cvt(struct hda_codec *codec, +- int pin_idx, int *cvt_id) ++ int pin_idx, int *cvt_id, ++ bool silent) + { + struct hdmi_spec *spec = codec->spec; + struct hdmi_spec_per_pin *per_pin; +@@ -1003,6 +1005,9 @@ static int hdmi_choose_cvt(struct hda_codec *codec, + + if (per_pin && per_pin->silent_stream) { + cvt_idx = cvt_nid_to_cvt_index(codec, per_pin->cvt_nid); ++ per_cvt = get_cvt(spec, cvt_idx); ++ if (per_cvt->assigned && !silent) ++ return -EBUSY; + if (cvt_id) + *cvt_id = cvt_idx; + return 0; +@@ -1013,7 +1018,7 @@ static int hdmi_choose_cvt(struct hda_codec *codec, + per_cvt = get_cvt(spec, cvt_idx); + + /* Must not already be assigned */ +- if (per_cvt->assigned) ++ if (per_cvt->assigned || per_cvt->silent_stream) + continue; + if (per_pin == NULL) + break; +@@ -1199,7 +1204,7 @@ static int hdmi_pcm_open_no_pin(struct hda_pcm_stream *hinfo, + if (pcm_idx < 0) + return -EINVAL; + +- err = hdmi_choose_cvt(codec, -1, &cvt_idx); ++ err = hdmi_choose_cvt(codec, -1, &cvt_idx, false); + if (err) + return err; + +@@ -1267,7 +1272,7 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo, + } + } + +- err = hdmi_choose_cvt(codec, pin_idx, &cvt_idx); ++ err = hdmi_choose_cvt(codec, pin_idx, &cvt_idx, false); + if (err < 0) + goto unlock; + +@@ -1278,7 +1283,6 @@ static int hdmi_pcm_open(struct hda_pcm_stream *hinfo, + set_bit(pcm_idx, &spec->pcm_in_use); + per_pin = get_pin(spec, pin_idx); + per_pin->cvt_nid = per_cvt->cvt_nid; +- per_pin->silent_stream = false; + hinfo->nid = per_cvt->cvt_nid; + + /* flip stripe flag for the assigned stream if supported */ +@@ -1760,14 +1764,14 @@ static void silent_stream_enable(struct hda_codec *codec, + } + + pin_idx = pin_id_to_pin_index(codec, per_pin->pin_nid, per_pin->dev_id); +- err = hdmi_choose_cvt(codec, pin_idx, &cvt_idx); ++ err = hdmi_choose_cvt(codec, pin_idx, &cvt_idx, true); + if (err) { + codec_err(codec, "hdmi: no free converter to enable silent mode\n"); + goto unlock_out; + } + + per_cvt = get_cvt(spec, cvt_idx); +- per_cvt->assigned = true; ++ per_cvt->silent_stream = true; + per_pin->cvt_nid = per_cvt->cvt_nid; + per_pin->silent_stream = true; + +@@ -1827,7 +1831,7 @@ static void silent_stream_disable(struct hda_codec *codec, + cvt_idx = cvt_nid_to_cvt_index(codec, per_pin->cvt_nid); + if (cvt_idx >= 0 && cvt_idx < spec->num_cvts) { + per_cvt = get_cvt(spec, cvt_idx); +- per_cvt->assigned = false; ++ per_cvt->silent_stream = false; + } + + if (spec->silent_stream_type == SILENT_STREAM_I915) { +-- +2.35.1 + diff --git a/queue-6.0/alsa-intel-dspconfig-add-es8336-support-for-alderlak.patch b/queue-6.0/alsa-intel-dspconfig-add-es8336-support-for-alderlak.patch new file mode 100644 index 00000000000..8a6e582e4e8 --- /dev/null +++ b/queue-6.0/alsa-intel-dspconfig-add-es8336-support-for-alderlak.patch @@ -0,0 +1,40 @@ +From 3eb68616ce5d21cc1569b9573b03b11064893f59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 13:45:48 +0200 +Subject: ALSA: intel-dspconfig: add ES8336 support for AlderLake-PS + +From: Muralidhar Reddy + +[ Upstream commit 9db1c9fa214ef41d098633ff40a87284ca6e1870 ] + +added quirks for ESS8336 for AlderLake-PS + +Reviewed-by: Ranjani Sridharan +Signed-off-by: Muralidhar Reddy +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20220919114548.42769-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/hda/intel-dsp-config.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/sound/hda/intel-dsp-config.c b/sound/hda/intel-dsp-config.c +index 5a478649f338..b9eb3208f288 100644 +--- a/sound/hda/intel-dsp-config.c ++++ b/sound/hda/intel-dsp-config.c +@@ -427,6 +427,11 @@ static const struct config_entry config_table[] = { + .device = 0x51cd, + }, + /* Alderlake-PS */ ++ { ++ .flags = FLAG_SOF, ++ .device = 0x51c9, ++ .codec_hid = &essx_83x6, ++ }, + { + .flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC_OR_SOUNDWIRE, + .device = 0x51c9, +-- +2.35.1 + diff --git a/queue-6.0/alsa-usb-audio-add-quirk-to-enable-avid-mbox-3-suppo.patch b/queue-6.0/alsa-usb-audio-add-quirk-to-enable-avid-mbox-3-suppo.patch new file mode 100644 index 00000000000..2396b272218 --- /dev/null +++ b/queue-6.0/alsa-usb-audio-add-quirk-to-enable-avid-mbox-3-suppo.patch @@ -0,0 +1,430 @@ +From ada0c96ac91d345c7174d97efcd4c7dc768d7605 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 17:14:33 -0300 +Subject: ALSA: usb-audio: Add quirk to enable Avid Mbox 3 support + +From: Conner Knox + +[ Upstream commit b01104fc62b6194c852124f6c6df1c0a5c031fc1 ] + +Add support for Avid Mbox3 USB audio interface at 48kHz + +Signed-off-by: Conner Knox +Link: https://lore.kernel.org/r/20220818201433.16360-1-mbarriolinares@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/quirks-table.h | 76 ++++++++++ + sound/usb/quirks.c | 302 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 378 insertions(+) + +diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h +index f93201a830b5..06dfdd45cff8 100644 +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -2985,6 +2985,82 @@ YAMAHA_DEVICE(0x7010, "UB99"), + } + } + }, ++/* DIGIDESIGN MBOX 3 */ ++{ ++ USB_DEVICE(0x0dba, 0x5000), ++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) { ++ .vendor_name = "Digidesign", ++ .product_name = "Mbox 3", ++ .ifnum = QUIRK_ANY_INTERFACE, ++ .type = QUIRK_COMPOSITE, ++ .data = (const struct snd_usb_audio_quirk[]) { ++ { ++ .ifnum = 0, ++ .type = QUIRK_IGNORE_INTERFACE ++ }, ++ { ++ .ifnum = 1, ++ .type = QUIRK_IGNORE_INTERFACE ++ }, ++ { ++ .ifnum = 2, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ .channels = 4, ++ .iface = 2, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .attributes = 0x00, ++ .endpoint = 0x01, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC | ++ USB_ENDPOINT_SYNC_ASYNC, ++ .rates = SNDRV_PCM_RATE_48000, ++ .rate_min = 48000, ++ .rate_max = 48000, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { ++ 48000 ++ } ++ } ++ }, ++ { ++ .ifnum = 3, ++ .type = QUIRK_AUDIO_FIXED_ENDPOINT, ++ .data = &(const struct audioformat) { ++ .formats = SNDRV_PCM_FMTBIT_S24_3LE, ++ .channels = 4, ++ .iface = 3, ++ .altsetting = 1, ++ .altset_idx = 1, ++ .endpoint = 0x81, ++ .attributes = 0x00, ++ .ep_attr = USB_ENDPOINT_XFER_ISOC | ++ USB_ENDPOINT_SYNC_ASYNC, ++ .maxpacksize = 0x009c, ++ .rates = SNDRV_PCM_RATE_48000, ++ .rate_min = 48000, ++ .rate_max = 48000, ++ .nr_rates = 1, ++ .rate_table = (unsigned int[]) { ++ 48000 ++ } ++ } ++ }, ++ { ++ .ifnum = 4, ++ .type = QUIRK_MIDI_FIXED_ENDPOINT, ++ .data = &(const struct snd_usb_midi_endpoint_info) { ++ .out_cables = 0x0001, ++ .in_cables = 0x0001 ++ } ++ }, ++ { ++ .ifnum = -1 ++ } ++ } ++ } ++}, + { + /* Tascam US122 MKII - playback-only support */ + USB_DEVICE_VENDOR_SPEC(0x0644, 0x8021), +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 5b4d8f5eade2..194c75c45628 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1020,6 +1020,304 @@ static int snd_usb_axefx3_boot_quirk(struct usb_device *dev) + return 0; + } + ++static void mbox3_setup_48_24_magic(struct usb_device *dev) ++{ ++ /* The Mbox 3 is "little endian" */ ++ /* max volume is: 0x0000. */ ++ /* min volume is: 0x0080 (shown in little endian form) */ ++ ++ ++ /* Load 48000Hz rate into buffer */ ++ u8 com_buff[4] = {0x80, 0xbb, 0x00, 0x00}; ++ ++ /* Set 48000Hz sample rate */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 0x01, 0x21, 0x0100, 0x0001, &com_buff, 4); //Is this really needed? ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 0x01, 0x21, 0x0100, 0x8101, &com_buff, 4); ++ ++ /* Deactivate Tuner */ ++ /* on = 0x01*/ ++ /* off = 0x00*/ ++ com_buff[0] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 0x01, 0x21, 0x0003, 0x2001, &com_buff, 1); ++ ++ /* Set clock source to Internal (as opposed to S/PDIF) */ ++ com_buff[0] = 0x01; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0100, 0x8001, &com_buff, 1); ++ ++ /* Mute the hardware loopbacks to start the device in a known state. */ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* Analogue input 1 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0110, 0x4001, &com_buff, 2); ++ /* Analogue input 1 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0111, 0x4001, &com_buff, 2); ++ /* Analogue input 2 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0114, 0x4001, &com_buff, 2); ++ /* Analogue input 2 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0115, 0x4001, &com_buff, 2); ++ /* Analogue input 3 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0118, 0x4001, &com_buff, 2); ++ /* Analogue input 3 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0119, 0x4001, &com_buff, 2); ++ /* Analogue input 4 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011c, 0x4001, &com_buff, 2); ++ /* Analogue input 4 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011d, 0x4001, &com_buff, 2); ++ ++ /* Set software sends to output */ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x00; ++ /* Analogue software return 1 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0100, 0x4001, &com_buff, 2); ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* Analogue software return 1 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0101, 0x4001, &com_buff, 2); ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* Analogue software return 2 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0104, 0x4001, &com_buff, 2); ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x00; ++ /* Analogue software return 2 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0105, 0x4001, &com_buff, 2); ++ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* Analogue software return 3 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0108, 0x4001, &com_buff, 2); ++ /* Analogue software return 3 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0109, 0x4001, &com_buff, 2); ++ /* Analogue software return 4 left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010c, 0x4001, &com_buff, 2); ++ /* Analogue software return 4 right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010d, 0x4001, &com_buff, 2); ++ ++ /* Return to muting sends */ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* Analogue fx return left channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0120, 0x4001, &com_buff, 2); ++ /* Analogue fx return right channel: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0121, 0x4001, &com_buff, 2); ++ ++ /* Analogue software input 1 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0100, 0x4201, &com_buff, 2); ++ /* Analogue software input 2 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0101, 0x4201, &com_buff, 2); ++ /* Analogue software input 3 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0102, 0x4201, &com_buff, 2); ++ /* Analogue software input 4 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0103, 0x4201, &com_buff, 2); ++ /* Analogue input 1 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0104, 0x4201, &com_buff, 2); ++ /* Analogue input 2 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0105, 0x4201, &com_buff, 2); ++ /* Analogue input 3 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0106, 0x4201, &com_buff, 2); ++ /* Analogue input 4 fx send: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0107, 0x4201, &com_buff, 2); ++ ++ /* Toggle allowing host control */ ++ com_buff[0] = 0x02; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 3, 0x21, 0x0000, 0x2001, &com_buff, 1); ++ ++ /* Do not dim fx returns */ ++ com_buff[0] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 3, 0x21, 0x0002, 0x2001, &com_buff, 1); ++ ++ /* Do not set fx returns to mono */ ++ com_buff[0] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 3, 0x21, 0x0001, 0x2001, &com_buff, 1); ++ ++ /* Mute the S/PDIF hardware loopback ++ * same odd volume logic here as above ++ */ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* S/PDIF hardware input 1 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0112, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 1 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0113, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 2 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0116, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 2 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0117, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 3 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011a, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 3 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011b, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 4 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011e, 0x4001, &com_buff, 2); ++ /* S/PDIF hardware input 4 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x011f, 0x4001, &com_buff, 2); ++ /* S/PDIF software return 1 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0102, 0x4001, &com_buff, 2); ++ /* S/PDIF software return 1 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0103, 0x4001, &com_buff, 2); ++ /* S/PDIF software return 2 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0106, 0x4001, &com_buff, 2); ++ /* S/PDIF software return 2 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0107, 0x4001, &com_buff, 2); ++ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x00; ++ /* S/PDIF software return 3 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010a, 0x4001, &com_buff, 2); ++ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* S/PDIF software return 3 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010b, 0x4001, &com_buff, 2); ++ /* S/PDIF software return 4 left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010e, 0x4001, &com_buff, 2); ++ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x00; ++ /* S/PDIF software return 4 right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x010f, 0x4001, &com_buff, 2); ++ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x80; ++ /* S/PDIF fx returns left channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0122, 0x4001, &com_buff, 2); ++ /* S/PDIF fx returns right channel */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0123, 0x4001, &com_buff, 2); ++ ++ /* Set the dropdown "Effect" to the first option */ ++ /* Room1 = 0x00 */ ++ /* Room2 = 0x01 */ ++ /* Room3 = 0x02 */ ++ /* Hall 1 = 0x03 */ ++ /* Hall 2 = 0x04 */ ++ /* Plate = 0x05 */ ++ /* Delay = 0x06 */ ++ /* Echo = 0x07 */ ++ com_buff[0] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0200, 0x4301, &com_buff, 1); /* max is 0xff */ ++ /* min is 0x00 */ ++ ++ ++ /* Set the effect duration to 0 */ ++ /* max is 0xffff */ ++ /* min is 0x0000 */ ++ com_buff[0] = 0x00; ++ com_buff[1] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0400, 0x4301, &com_buff, 2); ++ ++ /* Set the effect volume and feedback to 0 */ ++ /* max is 0xff */ ++ /* min is 0x00 */ ++ com_buff[0] = 0x00; ++ /* feedback: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0500, 0x4301, &com_buff, 1); ++ /* volume: */ ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 1, 0x21, 0x0300, 0x4301, &com_buff, 1); ++ ++ /* Set soft button hold duration */ ++ /* 0x03 = 250ms */ ++ /* 0x05 = 500ms DEFAULT */ ++ /* 0x08 = 750ms */ ++ /* 0x0a = 1sec */ ++ com_buff[0] = 0x05; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 3, 0x21, 0x0005, 0x2001, &com_buff, 1); ++ ++ /* Use dim LEDs for button of state */ ++ com_buff[0] = 0x00; ++ snd_usb_ctl_msg(dev, usb_sndctrlpipe(dev, 0), ++ 3, 0x21, 0x0004, 0x2001, &com_buff, 1); ++} ++ ++#define MBOX3_DESCRIPTOR_SIZE 464 ++ ++static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) ++{ ++ struct usb_host_config *config = dev->actconfig; ++ int err; ++ int descriptor_size; ++ ++ descriptor_size = le16_to_cpu(get_cfg_desc(config)->wTotalLength); ++ ++ if (descriptor_size != MBOX3_DESCRIPTOR_SIZE) { ++ dev_err(&dev->dev, "Invalid descriptor size=%d.\n", descriptor_size); ++ return -ENODEV; ++ } ++ ++ dev_dbg(&dev->dev, "device initialised!\n"); ++ ++ err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, ++ &dev->descriptor, sizeof(dev->descriptor)); ++ config = dev->actconfig; ++ if (err < 0) ++ dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); ++ ++ err = usb_reset_configuration(dev); ++ if (err < 0) ++ dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); ++ dev_dbg(&dev->dev, "mbox3_boot: new boot length = %d\n", ++ le16_to_cpu(get_cfg_desc(config)->wTotalLength)); ++ ++ mbox3_setup_48_24_magic(dev); ++ dev_info(&dev->dev, "Digidesign Mbox 3: 24bit 48kHz"); ++ ++ return 0; /* Successful boot */ ++} + + #define MICROBOOK_BUF_SIZE 128 + +@@ -1324,6 +1622,10 @@ int snd_usb_apply_boot_quirk(struct usb_device *dev, + case USB_ID(0x0dba, 0x3000): + /* Digidesign Mbox 2 */ + return snd_usb_mbox2_boot_quirk(dev); ++ case USB_ID(0x0dba, 0x5000): ++ /* Digidesign Mbox 3 */ ++ return snd_usb_mbox3_boot_quirk(dev); ++ + + case USB_ID(0x1235, 0x0010): /* Focusrite Novation Saffire 6 USB */ + case USB_ID(0x1235, 0x0018): /* Focusrite Novation Twitch */ +-- +2.35.1 + diff --git a/queue-6.0/alsa-usb-audio-properly-refcounting-clock-rate.patch b/queue-6.0/alsa-usb-audio-properly-refcounting-clock-rate.patch new file mode 100644 index 00000000000..f8dfeeb1cd9 --- /dev/null +++ b/queue-6.0/alsa-usb-audio-properly-refcounting-clock-rate.patch @@ -0,0 +1,73 @@ +From 7d68abce80a2dfaa7d00b6283cc80459b668a106 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 20:11:26 +0200 +Subject: ALSA: usb-audio: Properly refcounting clock rate + +From: Takashi Iwai + +[ Upstream commit 9a737e7f8b371e97eb649904276407cee2c9cf30 ] + +We fixed the bug introduced by the patch for managing the shared +clocks at the commit 809f44a0cc5a ("ALSA: usb-audio: Clear fixed clock +rate at closing EP"), but it was merely a workaround. By this change, +the clock reference rate is cleared at each EP close, hence the still +remaining EP may need a re-setup of rate unnecessarily. + +This patch introduces the proper refcounting for the clock reference +object so that the clock setup is done only when needed. + +Fixes: 809f44a0cc5a ("ALSA: usb-audio: Clear fixed clock rate at closing EP") +Fixes: c11117b634f4 ("ALSA: usb-audio: Refcount multiple accesses on the single clock") +Link: https://lore.kernel.org/r/20220920181126.4912-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/endpoint.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index f8a5329fb131..48a3843a08f1 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -39,6 +39,7 @@ struct snd_usb_iface_ref { + struct snd_usb_clock_ref { + unsigned char clock; + atomic_t locked; ++ int opened; + int rate; + bool need_setup; + struct list_head list; +@@ -804,6 +805,7 @@ snd_usb_endpoint_open(struct snd_usb_audio *chip, + ep = NULL; + goto unlock; + } ++ ep->clock_ref->opened++; + } + + ep->cur_audiofmt = fp; +@@ -927,8 +929,10 @@ void snd_usb_endpoint_close(struct snd_usb_audio *chip, + endpoint_set_interface(chip, ep, false); + + if (!--ep->opened) { +- if (ep->clock_ref && !atomic_read(&ep->clock_ref->locked)) +- ep->clock_ref->rate = 0; ++ if (ep->clock_ref) { ++ if (!--ep->clock_ref->opened) ++ ep->clock_ref->rate = 0; ++ } + ep->iface = 0; + ep->altsetting = 0; + ep->cur_audiofmt = NULL; +@@ -1649,8 +1653,7 @@ void snd_usb_endpoint_stop(struct snd_usb_endpoint *ep, bool keep_pending) + WRITE_ONCE(ep->sync_source->sync_sink, NULL); + stop_urbs(ep, false, keep_pending); + if (ep->clock_ref) +- if (!atomic_dec_return(&ep->clock_ref->locked)) +- ep->clock_ref->rate = 0; ++ atomic_dec(&ep->clock_ref->locked); + } + } + +-- +2.35.1 + diff --git a/queue-6.0/alsa-usb-audio-register-card-at-the-last-interface.patch b/queue-6.0/alsa-usb-audio-register-card-at-the-last-interface.patch new file mode 100644 index 00000000000..a4750dc8969 --- /dev/null +++ b/queue-6.0/alsa-usb-audio-register-card-at-the-last-interface.patch @@ -0,0 +1,192 @@ +From d2813634190e1817b641e4f5c077e893dda53026 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 18:12:47 +0200 +Subject: ALSA: usb-audio: Register card at the last interface + +From: Takashi Iwai + +[ Upstream commit 6392dcd1d0c7034ccf630ec55fc9e5810ecadf3b ] + +The USB-audio driver matches per interface, and as default, it +registers the card instance at the very first instance. This can be a +problem for the devices that have multiple interfaces to be probed, as +the udev rule isn't applied properly for the later appearing +interfaces. Although we introduced the delayed_register option and +the quirks for covering those shortcomings, it's nothing but a +workaround for specific devices. + +This patch is an another attempt to fix the problem in a more generic +way. Now the driver checks the whole USB device descriptor at the +very first time when an interface is attached to a sound card. It +looks at each matching interface in the descriptor and remembers the +last matching one. The snd_card_register() is invoked only when this +last interface is probed. + +After this change, the quirks for the delayed registration become +superfluous, hence they are removed along with the patch. OTOH, the +delayed_register option is still kept, as it might be useful for some +corner cases (e.g. a special driver overtakes the interface probe from +the standard driver, and the last interface probe may miss). + +Link: https://lore.kernel.org/r/20220904161247.16461-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/card.c | 32 +++++++++++++++++++++++++------- + sound/usb/quirks.c | 42 ------------------------------------------ + sound/usb/quirks.h | 2 -- + sound/usb/usbaudio.h | 1 + + 4 files changed, 26 insertions(+), 51 deletions(-) + +diff --git a/sound/usb/card.c b/sound/usb/card.c +index 706d249a9ad6..3aea241435fb 100644 +--- a/sound/usb/card.c ++++ b/sound/usb/card.c +@@ -690,7 +690,7 @@ static bool get_alias_id(struct usb_device *dev, unsigned int *id) + return false; + } + +-static bool check_delayed_register_option(struct snd_usb_audio *chip, int iface) ++static int check_delayed_register_option(struct snd_usb_audio *chip) + { + int i; + unsigned int id, inum; +@@ -699,14 +699,31 @@ static bool check_delayed_register_option(struct snd_usb_audio *chip, int iface) + if (delayed_register[i] && + sscanf(delayed_register[i], "%x:%x", &id, &inum) == 2 && + id == chip->usb_id) +- return iface < inum; ++ return inum; + } + +- return false; ++ return -1; + } + + static const struct usb_device_id usb_audio_ids[]; /* defined below */ + ++/* look for the last interface that matches with our ids and remember it */ ++static void find_last_interface(struct snd_usb_audio *chip) ++{ ++ struct usb_host_config *config = chip->dev->actconfig; ++ struct usb_interface *intf; ++ int i; ++ ++ if (!config) ++ return; ++ for (i = 0; i < config->desc.bNumInterfaces; i++) { ++ intf = config->interface[i]; ++ if (usb_match_id(intf, usb_audio_ids)) ++ chip->last_iface = intf->altsetting[0].desc.bInterfaceNumber; ++ } ++ usb_audio_dbg(chip, "Found last interface = %d\n", chip->last_iface); ++} ++ + /* look for the corresponding quirk */ + static const struct snd_usb_audio_quirk * + get_alias_quirk(struct usb_device *dev, unsigned int id) +@@ -813,6 +830,7 @@ static int usb_audio_probe(struct usb_interface *intf, + err = -ENODEV; + goto __error; + } ++ find_last_interface(chip); + } + + if (chip->num_interfaces >= MAX_CARD_INTERFACES) { +@@ -862,11 +880,11 @@ static int usb_audio_probe(struct usb_interface *intf, + chip->need_delayed_register = false; /* clear again */ + } + +- /* we are allowed to call snd_card_register() many times, but first +- * check to see if a device needs to skip it or do anything special ++ /* register card if we reach to the last interface or to the specified ++ * one given via option + */ +- if (!snd_usb_registration_quirk(chip, ifnum) && +- !check_delayed_register_option(chip, ifnum)) { ++ if (check_delayed_register_option(chip) == ifnum || ++ chip->last_iface == ifnum) { + err = snd_card_register(chip->card); + if (err < 0) + goto __error; +diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c +index 194c75c45628..eadac586bcc8 100644 +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -2030,48 +2030,6 @@ void snd_usb_audioformat_attributes_quirk(struct snd_usb_audio *chip, + } + } + +-/* +- * registration quirk: +- * the registration is skipped if a device matches with the given ID, +- * unless the interface reaches to the defined one. This is for delaying +- * the registration until the last known interface, so that the card and +- * devices appear at the same time. +- */ +- +-struct registration_quirk { +- unsigned int usb_id; /* composed via USB_ID() */ +- unsigned int interface; /* the interface to trigger register */ +-}; +- +-#define REG_QUIRK_ENTRY(vendor, product, iface) \ +- { .usb_id = USB_ID(vendor, product), .interface = (iface) } +- +-static const struct registration_quirk registration_quirks[] = { +- REG_QUIRK_ENTRY(0x0951, 0x16d8, 2), /* Kingston HyperX AMP */ +- REG_QUIRK_ENTRY(0x0951, 0x16ed, 2), /* Kingston HyperX Cloud Alpha S */ +- REG_QUIRK_ENTRY(0x0951, 0x16ea, 2), /* Kingston HyperX Cloud Flight S */ +- REG_QUIRK_ENTRY(0x0ecb, 0x1f46, 2), /* JBL Quantum 600 */ +- REG_QUIRK_ENTRY(0x0ecb, 0x1f47, 2), /* JBL Quantum 800 */ +- REG_QUIRK_ENTRY(0x0ecb, 0x1f4c, 2), /* JBL Quantum 400 */ +- REG_QUIRK_ENTRY(0x0ecb, 0x2039, 2), /* JBL Quantum 400 */ +- REG_QUIRK_ENTRY(0x0ecb, 0x203c, 2), /* JBL Quantum 600 */ +- REG_QUIRK_ENTRY(0x0ecb, 0x203e, 2), /* JBL Quantum 800 */ +- { 0 } /* terminator */ +-}; +- +-/* return true if skipping registration */ +-bool snd_usb_registration_quirk(struct snd_usb_audio *chip, int iface) +-{ +- const struct registration_quirk *q; +- +- for (q = registration_quirks; q->usb_id; q++) +- if (chip->usb_id == q->usb_id) +- return iface < q->interface; +- +- /* Register as normal */ +- return false; +-} +- + /* + * driver behavior quirk flags + */ +diff --git a/sound/usb/quirks.h b/sound/usb/quirks.h +index 31abb7cb01a5..f9bfd5ac7bab 100644 +--- a/sound/usb/quirks.h ++++ b/sound/usb/quirks.h +@@ -48,8 +48,6 @@ void snd_usb_audioformat_attributes_quirk(struct snd_usb_audio *chip, + struct audioformat *fp, + int stream); + +-bool snd_usb_registration_quirk(struct snd_usb_audio *chip, int iface); +- + void snd_usb_init_quirk_flags(struct snd_usb_audio *chip); + + #endif /* __USBAUDIO_QUIRKS_H */ +diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h +index ffbb4b0d09a0..2c6575029b1c 100644 +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -37,6 +37,7 @@ struct snd_usb_audio { + unsigned int quirk_flags; + unsigned int need_delayed_register:1; /* warn for delayed registration */ + int num_interfaces; ++ int last_iface; + int num_suspended_intf; + int sample_rate_read_error; + +-- +2.35.1 + diff --git a/queue-6.0/alsa-usb-audio-split-endpoint-setups-for-hw_params-a.patch b/queue-6.0/alsa-usb-audio-split-endpoint-setups-for-hw_params-a.patch new file mode 100644 index 00000000000..48a4fb2853f --- /dev/null +++ b/queue-6.0/alsa-usb-audio-split-endpoint-setups-for-hw_params-a.patch @@ -0,0 +1,345 @@ +From e9c127906f179a83ac7127486144883d68e22e17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 20:11:06 +0200 +Subject: ALSA: usb-audio: Split endpoint setups for hw_params and prepare + (take#2) + +From: Takashi Iwai + +[ Upstream commit 2be79d58645465351af5320eb14c70a94724c5ef ] + +This is a second attempt to fix the bug appearing on Android with the +recent kernel; the first try was ff878b408a03 and reverted at commit +79764ec772bc. + +The details taken from the v1 patch: + +One of the former changes for the endpoint management was the more +consistent setup of endpoints at hw_params. +snd_usb_endpoint_configure() is a single function that does the full +setup, and it's called from both PCM hw_params and prepare callbacks. +Although the EP setup at the prepare phase is usually skipped (by +checking need_setup flag), it may be still effective in some cases +like suspend/resume that requires the interface setup again. + +As it's a full and single setup, the invocation of +snd_usb_endpoint_configure() includes not only the USB interface setup +but also the buffer release and allocation. OTOH, doing the buffer +release and re-allocation at PCM prepare phase is rather superfluous, +and better to be done only in the hw_params phase. + +For those optimizations, this patch splits the endpoint setup to two +phases: snd_usb_endpoint_set_params() and snd_usb_endpoint_prepare(), +to be called from hw_params and from prepare, respectively. + +Note that this patch changes the driver operation slightly, +effectively moving the USB interface setup again to PCM prepare stage +instead of hw_params stage, while the buffer allocation and such +initializations are still done at hw_params stage. + +And, the change of the USB interface setup timing (moving to prepare) +gave an interesting "fix", too: it was reported that the recent +kernels caused silent output at the beginning on playbacks on some +devices on Android, and this change casually fixed the regression. +It seems that those devices are picky about the sample rate change (or +the interface change?), and don't follow the too immediate rate +changes. + +Meanwhile, Android operates the PCM in the following order: +- open, then hw_params with the possibly highest sample rate +- close without prepare +- re-open, hw_params with the normal sample rate +- prepare, and start streaming +This procedure ended up the hw_params twice with different rates, and +because the recent kernel did set up the sample rate twice one and +after, it screwed up the device. OTOH, the earlier kernels didn't set +up the USB interface at hw_params, hence this problem didn't appear. + +Now, with this patch, the USB interface setup is again back to the +prepare phase, and it works around the problem automagically. +Although we should address the sample rate problem in a more solid +way in future, let's keep things working as before for now. + +*** + +What's new in the take#2 patch: +- The regression caused by the v1 patch (bko#216500) was due to the + missing check of need_setup flag at hw_params. Now the check is + added, and the snd_usb_endpoint_set_params() call is skipped when + the running EP is re-opened. + +- There was another bug in v1 where the clock reference rate wasn't + updated at hw_params phase, which may lead to a lack of the proper + hw constraints when an application doesn't issue the prepare but + only the hw_params call. This patch fixes it as well by tracking + the clock rate change in the prepare callback with a new flag + "need_update" for the clock reference object, just like others. + +- The configure_endpoints() are simplified and folded back into + snd_usb_pcm_prepare(). + +Fixes: bf6313a0ff76 ("ALSA: usb-audio: Refactor endpoint management") +Fixes: ff878b408a03 ("ALSA: usb-audio: Split endpoint setups for hw_params and prepare") +Reported-by: chihhao chen +Link: https://lore.kernel.org/r/87e6d6ae69d68dc588ac9acc8c0f24d6188375c3.camel@mediatek.com +Link: https://lore.kernel.org/r/20220901124136.4984-1-tiwai@suse.de +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216500 +Link: https://lore.kernel.org/r/20220920181106.4894-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/endpoint.c | 76 +++++++++++++++++++++++++++----------------- + sound/usb/endpoint.h | 6 ++-- + sound/usb/pcm.c | 51 ++++++++++++----------------- + 3 files changed, 70 insertions(+), 63 deletions(-) + +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index 6d8989482ade..f8a5329fb131 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -40,6 +40,7 @@ struct snd_usb_clock_ref { + unsigned char clock; + atomic_t locked; + int rate; ++ bool need_setup; + struct list_head list; + }; + +@@ -759,7 +760,8 @@ bool snd_usb_endpoint_compatible(struct snd_usb_audio *chip, + * The endpoint needs to be closed via snd_usb_endpoint_close() later. + * + * Note that this function doesn't configure the endpoint. The substream +- * needs to set it up later via snd_usb_endpoint_configure(). ++ * needs to set it up later via snd_usb_endpoint_set_params() and ++ * snd_usb_endpoint_prepare(). + */ + struct snd_usb_endpoint * + snd_usb_endpoint_open(struct snd_usb_audio *chip, +@@ -1289,15 +1291,39 @@ static int sync_ep_set_params(struct snd_usb_endpoint *ep) + return -ENOMEM; + } + ++/* update the rate of the referred clock; return the actual rate */ ++static int update_clock_ref_rate(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep) ++{ ++ struct snd_usb_clock_ref *clock = ep->clock_ref; ++ int rate = ep->cur_rate; ++ ++ if (!clock || clock->rate == rate) ++ return rate; ++ if (clock->rate) { ++ if (atomic_read(&clock->locked)) ++ return clock->rate; ++ if (clock->rate != rate) { ++ usb_audio_err(chip, "Mismatched sample rate %d vs %d for EP 0x%x\n", ++ clock->rate, rate, ep->ep_num); ++ return clock->rate; ++ } ++ } ++ clock->rate = rate; ++ clock->need_setup = true; ++ return rate; ++} ++ + /* + * snd_usb_endpoint_set_params: configure an snd_usb_endpoint + * ++ * It's called either from hw_params callback. + * Determine the number of URBs to be used on this endpoint. + * An endpoint must be configured before it can be started. + * An endpoint that is already running can not be reconfigured. + */ +-static int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, +- struct snd_usb_endpoint *ep) ++int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep) + { + const struct audioformat *fmt = ep->cur_audiofmt; + int err; +@@ -1349,49 +1375,46 @@ static int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, + ep->maxframesize = ep->maxpacksize / ep->cur_frame_bytes; + ep->curframesize = ep->curpacksize / ep->cur_frame_bytes; + +- return 0; ++ return update_clock_ref_rate(chip, ep); + } + + static int init_sample_rate(struct snd_usb_audio *chip, + struct snd_usb_endpoint *ep) + { + struct snd_usb_clock_ref *clock = ep->clock_ref; +- int err; ++ int rate, err; + +- if (clock) { +- if (atomic_read(&clock->locked)) +- return 0; +- if (clock->rate == ep->cur_rate) +- return 0; +- if (clock->rate && clock->rate != ep->cur_rate) { +- usb_audio_dbg(chip, "Mismatched sample rate %d vs %d for EP 0x%x\n", +- clock->rate, ep->cur_rate, ep->ep_num); +- return -EINVAL; +- } +- } ++ rate = update_clock_ref_rate(chip, ep); ++ if (rate < 0) ++ return rate; ++ if (clock && !clock->need_setup) ++ return 0; + +- err = snd_usb_init_sample_rate(chip, ep->cur_audiofmt, ep->cur_rate); +- if (err < 0) ++ err = snd_usb_init_sample_rate(chip, ep->cur_audiofmt, rate); ++ if (err < 0) { ++ if (clock) ++ clock->rate = 0; /* reset rate */ + return err; ++ } + + if (clock) +- clock->rate = ep->cur_rate; ++ clock->need_setup = false; + return 0; + } + + /* +- * snd_usb_endpoint_configure: Configure the endpoint ++ * snd_usb_endpoint_prepare: Prepare the endpoint + * + * This function sets up the EP to be fully usable state. +- * It's called either from hw_params or prepare callback. ++ * It's called either from prepare callback. + * The function checks need_setup flag, and performs nothing unless needed, + * so it's safe to call this multiple times. + * + * This returns zero if unchanged, 1 if the configuration has changed, + * or a negative error code. + */ +-int snd_usb_endpoint_configure(struct snd_usb_audio *chip, +- struct snd_usb_endpoint *ep) ++int snd_usb_endpoint_prepare(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep) + { + bool iface_first; + int err = 0; +@@ -1412,9 +1435,6 @@ int snd_usb_endpoint_configure(struct snd_usb_audio *chip, + if (err < 0) + goto unlock; + } +- err = snd_usb_endpoint_set_params(chip, ep); +- if (err < 0) +- goto unlock; + goto done; + } + +@@ -1442,10 +1462,6 @@ int snd_usb_endpoint_configure(struct snd_usb_audio *chip, + if (err < 0) + goto unlock; + +- err = snd_usb_endpoint_set_params(chip, ep); +- if (err < 0) +- goto unlock; +- + err = snd_usb_select_mode_quirk(chip, ep->cur_audiofmt); + if (err < 0) + goto unlock; +diff --git a/sound/usb/endpoint.h b/sound/usb/endpoint.h +index 6a9af04cf175..e67ea28faa54 100644 +--- a/sound/usb/endpoint.h ++++ b/sound/usb/endpoint.h +@@ -17,8 +17,10 @@ snd_usb_endpoint_open(struct snd_usb_audio *chip, + bool is_sync_ep); + void snd_usb_endpoint_close(struct snd_usb_audio *chip, + struct snd_usb_endpoint *ep); +-int snd_usb_endpoint_configure(struct snd_usb_audio *chip, +- struct snd_usb_endpoint *ep); ++int snd_usb_endpoint_set_params(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep); ++int snd_usb_endpoint_prepare(struct snd_usb_audio *chip, ++ struct snd_usb_endpoint *ep); + int snd_usb_endpoint_get_clock_rate(struct snd_usb_audio *chip, int clock); + + bool snd_usb_endpoint_compatible(struct snd_usb_audio *chip, +diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c +index d45d1d7e6664..e721fc12acde 100644 +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -433,35 +433,6 @@ static void close_endpoints(struct snd_usb_audio *chip, + } + } + +-static int configure_endpoints(struct snd_usb_audio *chip, +- struct snd_usb_substream *subs) +-{ +- int err; +- +- if (subs->data_endpoint->need_setup) { +- /* stop any running stream beforehand */ +- if (stop_endpoints(subs, false)) +- sync_pending_stops(subs); +- if (subs->sync_endpoint) { +- err = snd_usb_endpoint_configure(chip, subs->sync_endpoint); +- if (err < 0) +- return err; +- } +- err = snd_usb_endpoint_configure(chip, subs->data_endpoint); +- if (err < 0) +- return err; +- snd_usb_set_format_quirk(subs, subs->cur_audiofmt); +- } else { +- if (subs->sync_endpoint) { +- err = snd_usb_endpoint_configure(chip, subs->sync_endpoint); +- if (err < 0) +- return err; +- } +- } +- +- return 0; +-} +- + /* + * hw_params callback + * +@@ -551,7 +522,16 @@ static int snd_usb_hw_params(struct snd_pcm_substream *substream, + subs->cur_audiofmt = fmt; + mutex_unlock(&chip->mutex); + +- ret = configure_endpoints(chip, subs); ++ if (!subs->data_endpoint->need_setup) ++ goto unlock; ++ ++ if (subs->sync_endpoint) { ++ ret = snd_usb_endpoint_set_params(chip, subs->sync_endpoint); ++ if (ret < 0) ++ goto unlock; ++ } ++ ++ ret = snd_usb_endpoint_set_params(chip, subs->data_endpoint); + + unlock: + if (ret < 0) +@@ -634,9 +614,18 @@ static int snd_usb_pcm_prepare(struct snd_pcm_substream *substream) + goto unlock; + } + +- ret = configure_endpoints(chip, subs); ++ if (subs->sync_endpoint) { ++ ret = snd_usb_endpoint_prepare(chip, subs->sync_endpoint); ++ if (ret < 0) ++ goto unlock; ++ } ++ ++ ret = snd_usb_endpoint_prepare(chip, subs->data_endpoint); + if (ret < 0) + goto unlock; ++ else if (ret > 0) ++ snd_usb_set_format_quirk(subs, subs->cur_audiofmt); ++ ret = 0; + + /* reset the pointer */ + subs->buffer_bytes = frames_to_bytes(runtime, runtime->buffer_size); +-- +2.35.1 + diff --git a/queue-6.0/arm-9233-1-stacktrace-skip-frame-pointer-boundary-ch.patch b/queue-6.0/arm-9233-1-stacktrace-skip-frame-pointer-boundary-ch.patch new file mode 100644 index 00000000000..52c3f4d60b4 --- /dev/null +++ b/queue-6.0/arm-9233-1-stacktrace-skip-frame-pointer-boundary-ch.patch @@ -0,0 +1,131 @@ +From 76287c94137a118cb4747192019a75991a2a3ec0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 09:06:22 +0100 +Subject: ARM: 9233/1: stacktrace: Skip frame pointer boundary check for + call_with_stack() + +From: Li Huafei + +[ Upstream commit 5854e4d8530e6ed4c2532a71a6b0474e199d44dd ] + +When using the frame pointer unwinder, it was found that the stack trace +output of stack_trace_save() is incomplete if the stack contains +call_with_stack(): + + [0x7f00002c] dump_stack_task+0x2c/0x90 [hrtimer] + [0x7f0000a0] hrtimer_hander+0x10/0x18 [hrtimer] + [0x801a67f0] __hrtimer_run_queues+0x1b0/0x3b4 + [0x801a7350] hrtimer_run_queues+0xc4/0xd8 + [0x801a597c] update_process_times+0x3c/0x88 + [0x801b5a98] tick_periodic+0x50/0xd8 + [0x801b5bf4] tick_handle_periodic+0x24/0x84 + [0x8010ffc4] twd_handler+0x38/0x48 + [0x8017d220] handle_percpu_devid_irq+0xa8/0x244 + [0x80176e9c] generic_handle_domain_irq+0x2c/0x3c + [0x8052e3a8] gic_handle_irq+0x7c/0x90 + [0x808ab15c] generic_handle_arch_irq+0x60/0x80 + [0x8051191c] call_with_stack+0x1c/0x20 + +For the frame pointer unwinder, unwind_frame() checks stackframe::fp by +stackframe::sp. Since call_with_stack() switches the SP from one stack +to another, stackframe::fp and stackframe: :sp will point to different +stacks, so we can no longer check stackframe::fp by stackframe::sp. Skip +checking stackframe::fp at this point to avoid this problem. + +Signed-off-by: Li Huafei +Reviewed-by: Linus Waleij +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/stacktrace.c | 40 ++++++++++++++++++++++++++++------ + arch/arm/lib/call_with_stack.S | 2 ++ + 2 files changed, 35 insertions(+), 7 deletions(-) + +diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c +index d0fa2037460a..af87040b0353 100644 +--- a/arch/arm/kernel/stacktrace.c ++++ b/arch/arm/kernel/stacktrace.c +@@ -9,6 +9,8 @@ + #include + #include + ++#include "reboot.h" ++ + #if defined(CONFIG_FRAME_POINTER) && !defined(CONFIG_ARM_UNWIND) + /* + * Unwind the current stack frame and store the new register values in the +@@ -39,29 +41,53 @@ + * Note that with framepointer enabled, even the leaf functions have the same + * prologue and epilogue, therefore we can ignore the LR value in this case. + */ +-int notrace unwind_frame(struct stackframe *frame) ++ ++extern unsigned long call_with_stack_end; ++ ++static int frame_pointer_check(struct stackframe *frame) + { + unsigned long high, low; + unsigned long fp = frame->fp; ++ unsigned long pc = frame->pc; ++ ++ /* ++ * call_with_stack() is the only place we allow SP to jump from one ++ * stack to another, with FP and SP pointing to different stacks, ++ * skipping the FP boundary check at this point. ++ */ ++ if (pc >= (unsigned long)&call_with_stack && ++ pc < (unsigned long)&call_with_stack_end) ++ return 0; + + /* only go to a higher address on the stack */ + low = frame->sp; + high = ALIGN(low, THREAD_SIZE); + +-#ifdef CONFIG_CC_IS_CLANG + /* check current frame pointer is within bounds */ ++#ifdef CONFIG_CC_IS_CLANG + if (fp < low + 4 || fp > high - 4) + return -EINVAL; +- +- frame->sp = frame->fp; +- frame->fp = READ_ONCE_NOCHECK(*(unsigned long *)(fp)); +- frame->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp + 4)); + #else +- /* check current frame pointer is within bounds */ + if (fp < low + 12 || fp > high - 4) + return -EINVAL; ++#endif ++ ++ return 0; ++} ++ ++int notrace unwind_frame(struct stackframe *frame) ++{ ++ unsigned long fp = frame->fp; ++ ++ if (frame_pointer_check(frame)) ++ return -EINVAL; + + /* restore the registers from the stack frame */ ++#ifdef CONFIG_CC_IS_CLANG ++ frame->sp = frame->fp; ++ frame->fp = READ_ONCE_NOCHECK(*(unsigned long *)(fp)); ++ frame->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp + 4)); ++#else + frame->fp = READ_ONCE_NOCHECK(*(unsigned long *)(fp - 12)); + frame->sp = READ_ONCE_NOCHECK(*(unsigned long *)(fp - 8)); + frame->pc = READ_ONCE_NOCHECK(*(unsigned long *)(fp - 4)); +diff --git a/arch/arm/lib/call_with_stack.S b/arch/arm/lib/call_with_stack.S +index 0a268a6c513c..5030d4e8d126 100644 +--- a/arch/arm/lib/call_with_stack.S ++++ b/arch/arm/lib/call_with_stack.S +@@ -46,4 +46,6 @@ UNWIND( .setfp fpreg, sp ) + pop {fpreg, pc} + UNWIND( .fnend ) + #endif ++ .globl call_with_stack_end ++call_with_stack_end: + ENDPROC(call_with_stack) +-- +2.35.1 + diff --git a/queue-6.0/arm-9234-1-stacktrace-avoid-duplicate-saving-of-exce.patch b/queue-6.0/arm-9234-1-stacktrace-avoid-duplicate-saving-of-exce.patch new file mode 100644 index 00000000000..00deb2c1e9a --- /dev/null +++ b/queue-6.0/arm-9234-1-stacktrace-avoid-duplicate-saving-of-exce.patch @@ -0,0 +1,177 @@ +From 470a131720c8f3115c7da56ad633195d8da89da1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 09:08:46 +0100 +Subject: ARM: 9234/1: stacktrace: Avoid duplicate saving of exception PC value + +From: Li Huafei + +[ Upstream commit 752ec621ef5c30777958cc5eb5f1cf394f7733f4 ] + +Because an exception stack frame is not created in the exception entry, +save_trace() does special handling for the exception PC, but this is +only needed when CONFIG_FRAME_POINTER_UNWIND=y. When +CONFIG_ARM_UNWIND=y, unwind annotations have been added to the exception +entry and save_trace() will repeatedly save the exception PC: + + [0x7f000090] hrtimer_hander+0x8/0x10 [hrtimer] + [0x8019ec50] __hrtimer_run_queues+0x18c/0x394 + [0x8019f760] hrtimer_run_queues+0xbc/0xd0 + [0x8019def0] update_process_times+0x34/0x80 + [0x801ad2a4] tick_periodic+0x48/0xd0 + [0x801ad3dc] tick_handle_periodic+0x1c/0x7c + [0x8010f2e0] twd_handler+0x30/0x40 + [0x80177620] handle_percpu_devid_irq+0xa0/0x23c + [0x801718d0] generic_handle_domain_irq+0x24/0x34 + [0x80502d28] gic_handle_irq+0x74/0x88 + [0x8085817c] generic_handle_arch_irq+0x58/0x78 + [0x80100ba8] __irq_svc+0x88/0xc8 + [0x80108114] arch_cpu_idle+0x38/0x3c + [0x80108114] arch_cpu_idle+0x38/0x3c <==== duplicate saved exception PC + [0x80861bf8] default_idle_call+0x38/0x130 + [0x8015d5cc] do_idle+0x150/0x214 + [0x8015d978] cpu_startup_entry+0x18/0x1c + [0x808589c0] rest_init+0xd8/0xdc + [0x80c00a44] arch_post_acpi_subsys_init+0x0/0x8 + +We can move the special handling of the exception PC in save_trace() to +the unwind_frame() of the frame pointer unwinder. + +Signed-off-by: Li Huafei +Reviewed-by: Linus Waleij +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/include/asm/stacktrace.h | 6 +++++ + arch/arm/kernel/return_address.c | 1 + + arch/arm/kernel/stacktrace.c | 44 +++++++++++++++++++++---------- + 3 files changed, 37 insertions(+), 14 deletions(-) + +diff --git a/arch/arm/include/asm/stacktrace.h b/arch/arm/include/asm/stacktrace.h +index 3e78f921b8b2..39be2d1aa27b 100644 +--- a/arch/arm/include/asm/stacktrace.h ++++ b/arch/arm/include/asm/stacktrace.h +@@ -21,6 +21,9 @@ struct stackframe { + struct llist_node *kr_cur; + struct task_struct *tsk; + #endif ++#ifdef CONFIG_UNWINDER_FRAME_POINTER ++ bool ex_frame; ++#endif + }; + + static __always_inline +@@ -34,6 +37,9 @@ void arm_get_current_stackframe(struct pt_regs *regs, struct stackframe *frame) + frame->kr_cur = NULL; + frame->tsk = current; + #endif ++#ifdef CONFIG_UNWINDER_FRAME_POINTER ++ frame->ex_frame = in_entry_text(frame->pc); ++#endif + } + + extern int unwind_frame(struct stackframe *frame); +diff --git a/arch/arm/kernel/return_address.c b/arch/arm/kernel/return_address.c +index 8aac1e10b117..38f1ea9c724d 100644 +--- a/arch/arm/kernel/return_address.c ++++ b/arch/arm/kernel/return_address.c +@@ -47,6 +47,7 @@ void *return_address(unsigned int level) + frame.kr_cur = NULL; + frame.tsk = current; + #endif ++ frame.ex_frame = false; + + walk_stackframe(&frame, save_return_addr, &data); + +diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c +index af87040b0353..85443b5d1922 100644 +--- a/arch/arm/kernel/stacktrace.c ++++ b/arch/arm/kernel/stacktrace.c +@@ -82,6 +82,27 @@ int notrace unwind_frame(struct stackframe *frame) + if (frame_pointer_check(frame)) + return -EINVAL; + ++ /* ++ * When we unwind through an exception stack, include the saved PC ++ * value into the stack trace. ++ */ ++ if (frame->ex_frame) { ++ struct pt_regs *regs = (struct pt_regs *)frame->sp; ++ ++ /* ++ * We check that 'regs + sizeof(struct pt_regs)' (that is, ++ * ®s[1]) does not exceed the bottom of the stack to avoid ++ * accessing data outside the task's stack. This may happen ++ * when frame->ex_frame is a false positive. ++ */ ++ if ((unsigned long)®s[1] > ALIGN(frame->sp, THREAD_SIZE)) ++ return -EINVAL; ++ ++ frame->pc = regs->ARM_pc; ++ frame->ex_frame = false; ++ return 0; ++ } ++ + /* restore the registers from the stack frame */ + #ifdef CONFIG_CC_IS_CLANG + frame->sp = frame->fp; +@@ -98,6 +119,9 @@ int notrace unwind_frame(struct stackframe *frame) + (void *)frame->fp, &frame->kr_cur); + #endif + ++ if (in_entry_text(frame->pc)) ++ frame->ex_frame = true; ++ + return 0; + } + #endif +@@ -128,7 +152,6 @@ static int save_trace(struct stackframe *frame, void *d) + { + struct stack_trace_data *data = d; + struct stack_trace *trace = data->trace; +- struct pt_regs *regs; + unsigned long addr = frame->pc; + + if (data->no_sched_functions && in_sched_functions(addr)) +@@ -139,19 +162,6 @@ static int save_trace(struct stackframe *frame, void *d) + } + + trace->entries[trace->nr_entries++] = addr; +- +- if (trace->nr_entries >= trace->max_entries) +- return 1; +- +- if (!in_entry_text(frame->pc)) +- return 0; +- +- regs = (struct pt_regs *)frame->sp; +- if ((unsigned long)®s[1] > ALIGN(frame->sp, THREAD_SIZE)) +- return 0; +- +- trace->entries[trace->nr_entries++] = regs->ARM_pc; +- + return trace->nr_entries >= trace->max_entries; + } + +@@ -193,6 +203,9 @@ static noinline void __save_stack_trace(struct task_struct *tsk, + frame.kr_cur = NULL; + frame.tsk = tsk; + #endif ++#ifdef CONFIG_UNWINDER_FRAME_POINTER ++ frame.ex_frame = false; ++#endif + + walk_stackframe(&frame, save_trace, &data); + } +@@ -214,6 +227,9 @@ void save_stack_trace_regs(struct pt_regs *regs, struct stack_trace *trace) + frame.kr_cur = NULL; + frame.tsk = current; + #endif ++#ifdef CONFIG_UNWINDER_FRAME_POINTER ++ frame.ex_frame = in_entry_text(frame.pc); ++#endif + + walk_stackframe(&frame, save_trace, &data); + } +-- +2.35.1 + diff --git a/queue-6.0/arm-9242-1-kasan-only-map-modules-if-config_kasan_vm.patch b/queue-6.0/arm-9242-1-kasan-only-map-modules-if-config_kasan_vm.patch new file mode 100644 index 00000000000..15382363073 --- /dev/null +++ b/queue-6.0/arm-9242-1-kasan-only-map-modules-if-config_kasan_vm.patch @@ -0,0 +1,77 @@ +From 32023abf27c148d884da9c99d729badef18c2364 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 16:26:59 +0100 +Subject: ARM: 9242/1: kasan: Only map modules if CONFIG_KASAN_VMALLOC=n + +From: Alex Sverdlin + +[ Upstream commit 823f606ab6b4759a1faf0388abcf4fb0776710d2 ] + +In case CONFIG_KASAN_VMALLOC=y kasan_populate_vmalloc() allocates the +shadow pages dynamically. But even worse is that kasan_release_vmalloc() +releases them, which is not compatible with create_mapping() of +MODULES_VADDR..MODULES_END range: + +BUG: Bad page state in process kworker/9:1 pfn:2068b +page:e5e06160 refcount:0 mapcount:0 mapping:00000000 index:0x0 +flags: 0x1000(reserved) +raw: 00001000 e5e06164 e5e06164 00000000 00000000 00000000 ffffffff 00000000 +page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set +bad because of flags: 0x1000(reserved) +Modules linked in: ip_tables +CPU: 9 PID: 154 Comm: kworker/9:1 Not tainted 5.4.188-... #1 +Hardware name: LSI Axxia AXM55XX +Workqueue: events do_free_init +unwind_backtrace +show_stack +dump_stack +bad_page +free_pcp_prepare +free_unref_page +kasan_depopulate_vmalloc_pte +__apply_to_page_range +apply_to_existing_page_range +kasan_release_vmalloc +__purge_vmap_area_lazy +_vm_unmap_aliases.part.0 +__vunmap +do_free_init +process_one_work +worker_thread +kthread + +Reviewed-by: Linus Walleij +Signed-off-by: Alexander Sverdlin +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/kasan_init.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/mm/kasan_init.c b/arch/arm/mm/kasan_init.c +index 29caee9c79ce..46d9f4a622cb 100644 +--- a/arch/arm/mm/kasan_init.c ++++ b/arch/arm/mm/kasan_init.c +@@ -268,12 +268,17 @@ void __init kasan_init(void) + + /* + * 1. The module global variables are in MODULES_VADDR ~ MODULES_END, +- * so we need to map this area. ++ * so we need to map this area if CONFIG_KASAN_VMALLOC=n. With ++ * VMALLOC support KASAN will manage this region dynamically, ++ * refer to kasan_populate_vmalloc() and ARM's implementation of ++ * module_alloc(). + * 2. PKMAP_BASE ~ PKMAP_BASE+PMD_SIZE's shadow and MODULES_VADDR + * ~ MODULES_END's shadow is in the same PMD_SIZE, so we can't + * use kasan_populate_zero_shadow. + */ +- create_mapping((void *)MODULES_VADDR, (void *)(PKMAP_BASE + PMD_SIZE)); ++ if (!IS_ENABLED(CONFIG_KASAN_VMALLOC) && IS_ENABLED(CONFIG_MODULES)) ++ create_mapping((void *)MODULES_VADDR, (void *)(MODULES_END)); ++ create_mapping((void *)PKMAP_BASE, (void *)(PKMAP_BASE + PMD_SIZE)); + + /* + * KAsan may reuse the contents of kasan_early_shadow_pte directly, so +-- +2.35.1 + diff --git a/queue-6.0/arm-9243-1-riscpc-unbreak-the-build.patch b/queue-6.0/arm-9243-1-riscpc-unbreak-the-build.patch new file mode 100644 index 00000000000..ef47928255f --- /dev/null +++ b/queue-6.0/arm-9243-1-riscpc-unbreak-the-build.patch @@ -0,0 +1,57 @@ +From f8e79cbfa9608d069a9d8332d4f833ee254ab89c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 23:13:53 +0100 +Subject: ARM: 9243/1: riscpc: Unbreak the build +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bart Van Assche + +[ Upstream commit 32844a8eecaa4a3e65841c53e43e04a9087d1ef6 ] + +This patch fixes the following build error: + +In file included from ./include/linux/io.h:13, + from ./arch/arm/mach-rpc/include/mach/uncompress.h:9, + from arch/arm/boot/compressed/misc.c:31: +./arch/arm/include/asm/io.h:85:22: error: conflicting types for ‘__raw_writeb’ + 85 | #define __raw_writeb __raw_writeb + | ^~~~~~~~~~~~ +./arch/arm/include/asm/io.h:86:20: note: in expansion of macro ‘__raw_writeb’ + 86 | static inline void __raw_writeb(u8 val, volatile void __iomem *addr) + | ^~~~~~~~~~~~ +In file included from arch/arm/boot/compressed/misc.c:26: +arch/arm/boot/compressed/misc-ep93xx.h:13:20: note: previous definition of ‘__raw_writeb’ was here + 13 | static inline void __raw_writeb(unsigned char value, unsigned int ptr) + | ^~~~~~~~~~~~ + +To: Russell King + +Cc: Arnd Bergmann +Cc: linux-arm-kernel@lists.infradead.org +Fixes: 0361c7e504b1 ("ARM: ep93xx: multiplatform support") +Signed-off-by: Bart Van Assche +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/boot/compressed/misc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/compressed/misc.c b/arch/arm/boot/compressed/misc.c +index cb2e069dc73f..abfed1aa2baa 100644 +--- a/arch/arm/boot/compressed/misc.c ++++ b/arch/arm/boot/compressed/misc.c +@@ -23,7 +23,9 @@ unsigned int __machine_arch_type; + #include + #include + #include "misc.h" ++#ifdef CONFIG_ARCH_EP93XX + #include "misc-ep93xx.h" ++#endif + + static void putstr(const char *ptr); + +-- +2.35.1 + diff --git a/queue-6.0/arm-9244-1-dump-fix-wrong-pg_level-in-walk_pmd.patch b/queue-6.0/arm-9244-1-dump-fix-wrong-pg_level-in-walk_pmd.patch new file mode 100644 index 00000000000..bd39a5b0469 --- /dev/null +++ b/queue-6.0/arm-9244-1-dump-fix-wrong-pg_level-in-walk_pmd.patch @@ -0,0 +1,36 @@ +From b88dd105097228a52f736ff1a91a50ccc6195484 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 05:25:51 +0100 +Subject: ARM: 9244/1: dump: Fix wrong pg_level in walk_pmd() + +From: Wang Kefeng + +[ Upstream commit 2ccd19b3ffac07cc7e75a2bd1ed779728bb67197 ] + +After ARM supports p4d page tables, the pg_level for note_page() +in walk_pmd() should be 4, not 3, fix it. + +Fixes: 84e6ffb2c49c ("arm: add support for folded p4d page tables") +Signed-off-by: Kefeng Wang +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/dump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mm/dump.c b/arch/arm/mm/dump.c +index fb688003d156..712da6a81b23 100644 +--- a/arch/arm/mm/dump.c ++++ b/arch/arm/mm/dump.c +@@ -346,7 +346,7 @@ static void walk_pmd(struct pg_state *st, pud_t *pud, unsigned long start) + addr = start + i * PMD_SIZE; + domain = get_domain_name(pmd); + if (pmd_none(*pmd) || pmd_large(*pmd) || !pmd_present(*pmd)) +- note_page(st, addr, 3, pmd_val(*pmd), domain); ++ note_page(st, addr, 4, pmd_val(*pmd), domain); + else + walk_pte(st, pmd, addr, domain); + +-- +2.35.1 + diff --git a/queue-6.0/arm-9247-1-mm-set-readonly-for-mt_memory_ro-with-arm.patch b/queue-6.0/arm-9247-1-mm-set-readonly-for-mt_memory_ro-with-arm.patch new file mode 100644 index 00000000000..c3d9477da1b --- /dev/null +++ b/queue-6.0/arm-9247-1-mm-set-readonly-for-mt_memory_ro-with-arm.patch @@ -0,0 +1,46 @@ +From 77a9cb07e3f6b3c0dc42d22bb0e4d6ca2e3ba039 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 12:10:49 +0100 +Subject: ARM: 9247/1: mm: set readonly for MT_MEMORY_RO with ARM_LPAE + +From: Wang Kefeng + +[ Upstream commit 14ca1a4690750bb54e1049e49f3140ef48958a6e ] + +MT_MEMORY_RO is introduced by commit 598f0a99fa8a ("ARM: 9210/1: +Mark the FDT_FIXED sections as shareable"), which is a readonly +memory type for FDT area, but there are some different between +ARM_LPAE and non-ARM_LPAE, we need to setup PMD_SECT_AP2 and +L_PMD_SECT_RDONLY for MT_MEMORY_RO when ARM_LAPE enabled. + +non-ARM_LPAE 0xff800000-0xffa00000 2M PGD KERNEL ro NX SHD +ARM_LPAE 0xff800000-0xffc00000 4M PMD RW NX SHD +ARM_LPAE+fix 0xff800000-0xffc00000 4M PMD ro NX SHD + +Fixes: 598f0a99fa8a ("ARM: 9210/1: Mark the FDT_FIXED sections as shareable") +Signed-off-by: Kefeng Wang +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/mmu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c +index a49f0b9c0f75..463fc2a8448f 100644 +--- a/arch/arm/mm/mmu.c ++++ b/arch/arm/mm/mmu.c +@@ -300,7 +300,11 @@ static struct mem_type mem_types[] __ro_after_init = { + .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY | + L_PTE_XN | L_PTE_RDONLY, + .prot_l1 = PMD_TYPE_TABLE, ++#ifdef CONFIG_ARM_LPAE ++ .prot_sect = PMD_TYPE_SECT | L_PMD_SECT_RDONLY | PMD_SECT_AP2, ++#else + .prot_sect = PMD_TYPE_SECT, ++#endif + .domain = DOMAIN_KERNEL, + }, + [MT_ROM] = { +-- +2.35.1 + diff --git a/queue-6.0/arm-decompressor-include-.data.rel.ro.local.patch b/queue-6.0/arm-decompressor-include-.data.rel.ro.local.patch new file mode 100644 index 00000000000..cfc40133624 --- /dev/null +++ b/queue-6.0/arm-decompressor-include-.data.rel.ro.local.patch @@ -0,0 +1,50 @@ +From 6208456b75d340e4eefc86e5f714f97c6e7fcfce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 15:41:03 -0700 +Subject: ARM: decompressor: Include .data.rel.ro.local + +From: Kees Cook + +[ Upstream commit 1b64daf413acd86c2c13f5443f6b4ef3690c8061 ] + +The .data.rel.ro.local section has the same semantics as .data.rel.ro +here, so include it in the .rodata section of the decompressor. +Additionally since the .printk_index section isn't usable outside of +the core kernel, discard it in the decompressor. Avoids these warnings: + +arm-linux-gnueabi-ld: warning: orphan section `.data.rel.ro.local' from `arch/arm/boot/compressed/fdt_rw.o' being placed in section `.data.rel.ro.local' +arm-linux-gnueabi-ld: warning: orphan section `.printk_index' from `arch/arm/boot/compressed/fdt_rw.o' being placed in section `.printk_index' + +Reported-by: kernel test robot +Link: https://lore.kernel.org/linux-mm/202209080545.qMIVj7YM-lkp@intel.com +Cc: Russell King +Cc: linux-arm-kernel@lists.infradead.org +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/arm/boot/compressed/vmlinux.lds.S | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/compressed/vmlinux.lds.S b/arch/arm/boot/compressed/vmlinux.lds.S +index 1bcb68ac4b01..3fcb3e62dc56 100644 +--- a/arch/arm/boot/compressed/vmlinux.lds.S ++++ b/arch/arm/boot/compressed/vmlinux.lds.S +@@ -23,6 +23,7 @@ SECTIONS + *(.ARM.extab*) + *(.note.*) + *(.rel.*) ++ *(.printk_index) + /* + * Discard any r/w data - this produces a link error if we have any, + * which is required for PIC decompression. Local data generates +@@ -57,6 +58,7 @@ SECTIONS + *(.rodata) + *(.rodata.*) + *(.data.rel.ro) ++ *(.data.rel.ro.*) + } + .piggydata : { + *(.piggydata) +-- +2.35.1 + diff --git a/queue-6.0/arm-dma-mapp-ng-don-t-override-dma_coherent-when-set.patch b/queue-6.0/arm-dma-mapp-ng-don-t-override-dma_coherent-when-set.patch new file mode 100644 index 00000000000..2d1a4ea6138 --- /dev/null +++ b/queue-6.0/arm-dma-mapp-ng-don-t-override-dma_coherent-when-set.patch @@ -0,0 +1,61 @@ +From b4ca3b0eaa3466f8f75368b2d9b01aa8f30db3bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Oct 2022 09:10:19 +0200 +Subject: =?UTF-8?q?ARM/dma-mapp=D1=96ng:=20don't=20override=20->dma=5Fcohe?= + =?UTF-8?q?rent=20when=20set=20from=20a=20bus=20notifier?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christoph Hellwig + +[ Upstream commit 49bc8bebae79c8516cb12f91818f3a7907e3ebce ] + +Commit ae626eb97376 ("ARM/dma-mapping: use dma-direct unconditionally") +caused a regression on the mvebu platform, wherein devices that are +dma-coherent are marked as dma-noncoherent, because although +mvebu_hwcc_notifier() after that commit still marks then as coherent, +the arm_coherent_dma_ops() function, which is called later, overwrites +this setting, since it is being called from drivers/of/device.c with +coherency parameter determined by of_dma_is_coherent(), and the +device-trees do not declare the 'dma-coherent' property. + +Fix this by defaulting never clearing the dma_coherent flag in +arm_coherent_dma_ops(). + +Fixes: ae626eb97376 ("ARM/dma-mapping: use dma-direct unconditionally") +Reported-by: Marek Behún +Signed-off-by: Christoph Hellwig +Reviewed-by: Russell King (Oracle) +Tested-by: Marek Behún +Signed-off-by: Sasha Levin +--- + arch/arm/mm/dma-mapping.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c +index 089c9c644cce..bfc7476f1411 100644 +--- a/arch/arm/mm/dma-mapping.c ++++ b/arch/arm/mm/dma-mapping.c +@@ -1769,8 +1769,16 @@ static void arm_teardown_iommu_dma_ops(struct device *dev) { } + void arch_setup_dma_ops(struct device *dev, u64 dma_base, u64 size, + const struct iommu_ops *iommu, bool coherent) + { +- dev->archdata.dma_coherent = coherent; +- dev->dma_coherent = coherent; ++ /* ++ * Due to legacy code that sets the ->dma_coherent flag from a bus ++ * notifier we can't just assign coherent to the ->dma_coherent flag ++ * here, but instead have to make sure we only set but never clear it ++ * for now. ++ */ ++ if (coherent) { ++ dev->archdata.dma_coherent = true; ++ dev->dma_coherent = true; ++ } + + /* + * Don't override the dma_ops if they have already been set. Ideally +-- +2.35.1 + diff --git a/queue-6.0/arm-drop-cmdline_-dependency-on-atags.patch b/queue-6.0/arm-drop-cmdline_-dependency-on-atags.patch new file mode 100644 index 00000000000..2f7c80c6b10 --- /dev/null +++ b/queue-6.0/arm-drop-cmdline_-dependency-on-atags.patch @@ -0,0 +1,45 @@ +From a0542bf6bde10de583a531b572c8a2d5116c1950 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 15:28:26 +0200 +Subject: ARM: Drop CMDLINE_* dependency on ATAGS + +From: Geert Uytterhoeven + +[ Upstream commit 136f4b1ec7c962ee37a787e095fd37b058d72bd3 ] + +On arm32, the configuration options to specify the kernel command line +type depend on ATAGS. However, the actual CMDLINE cofiguration option +does not depend on ATAGS, and the code that handles this is not specific +to ATAGS (see drivers/of/fdt.c:early_init_dt_scan_chosen()). + +Hence users who desire to override the kernel command line on arm32 must +enable support for ATAGS, even on a pure-DT system. Other architectures +(arm64, loongarch, microblaze, nios2, powerpc, and riscv) do not impose +such a restriction. + +Hence drop the dependency on ATAGS. + +Fixes: bd51e2f595580fb6 ("ARM: 7506/1: allow for ATAGS to be configured out when DT support is selected") +Signed-off-by: Geert Uytterhoeven +Acked-by: Ard Biesheuvel +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig +index 87badeae3181..11ecf09aadc8 100644 +--- a/arch/arm/Kconfig ++++ b/arch/arm/Kconfig +@@ -1671,7 +1671,6 @@ config CMDLINE + choice + prompt "Kernel command line type" if CMDLINE != "" + default CMDLINE_FROM_BOOTLOADER +- depends on ATAGS + + config CMDLINE_FROM_BOOTLOADER + bool "Use bootloader kernel arguments if available" +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-exynos-correct-s5k6a3-reset-polarity-on-mida.patch b/queue-6.0/arm-dts-exynos-correct-s5k6a3-reset-polarity-on-mida.patch new file mode 100644 index 00000000000..8c5daa0701b --- /dev/null +++ b/queue-6.0/arm-dts-exynos-correct-s5k6a3-reset-polarity-on-mida.patch @@ -0,0 +1,42 @@ +From 92b3520f34ae624ac208a6e93a06dba6d15b3f2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 12:43:53 +0200 +Subject: ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family + +From: Dmitry Torokhov + +[ Upstream commit 3ba2d4bb9592bf7a6a3fe3dbe711ecfc3d004bab ] + +According to s5k6a3 driver code, the reset line for the chip appears to +be active low. This also matches the typical polarity of reset lines in +general. Let's fix it up as having correct polarity in DTS is important +when the driver will be switched over to gpiod API. + +Fixes: b4fec64758ab ("ARM: dts: Add camera device nodes for Exynos4412 TRATS2 board") +Signed-off-by: Dmitry Torokhov +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20220913164104.203957-1-dmitry.torokhov@gmail.com +Link: https://lore.kernel.org/r/20220926104354.118578-2-krzysztof.kozlowski@linaro.org' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos4412-midas.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos4412-midas.dtsi b/arch/arm/boot/dts/exynos4412-midas.dtsi +index b967397a46c5..8e1c19a8ad06 100644 +--- a/arch/arm/boot/dts/exynos4412-midas.dtsi ++++ b/arch/arm/boot/dts/exynos4412-midas.dtsi +@@ -586,7 +586,7 @@ + clocks = <&camera 1>; + clock-names = "extclk"; + samsung,camclk-out = <1>; +- gpios = <&gpm1 6 GPIO_ACTIVE_HIGH>; ++ gpios = <&gpm1 6 GPIO_ACTIVE_LOW>; + + port { + is_s5k6a3_ep: endpoint { +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch b/queue-6.0/arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch new file mode 100644 index 00000000000..62b8542c411 --- /dev/null +++ b/queue-6.0/arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch @@ -0,0 +1,39 @@ +From a0b09d937473a5f79e717836f400f47e423848b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 15:05:03 -0700 +Subject: ARM: dts: exynos: fix polarity of VBUS GPIO of Origen + +From: Dmitry Torokhov + +[ Upstream commit a08137bd1e0a7ce951dce9ce4a83e39d379b6e1b ] + +EHCI Oxynos (drivers/usb/host/ehci-exynos.c) drives VBUS GPIO high when +trying to power up the bus, therefore the GPIO in DTS must be marked as +"active high". This will be important when EHCI driver is converted to +gpiod API that respects declared polarities. + +Fixes: 4e8991def565 ("ARM: dts: exynos: Enable AX88760 USB hub on Origen board") +Signed-off-by: Dmitry Torokhov +Link: https://lore.kernel.org/r/20220927220504.3744878-1-dmitry.torokhov@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos4412-origen.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos4412-origen.dts b/arch/arm/boot/dts/exynos4412-origen.dts +index 6db09dba07ff..a3905e27b9cd 100644 +--- a/arch/arm/boot/dts/exynos4412-origen.dts ++++ b/arch/arm/boot/dts/exynos4412-origen.dts +@@ -95,7 +95,7 @@ + }; + + &ehci { +- samsung,vbus-gpio = <&gpx3 5 1>; ++ samsung,vbus-gpio = <&gpx3 5 GPIO_ACTIVE_HIGH>; + status = "okay"; + phys = <&exynos_usbphy 2>, <&exynos_usbphy 3>; + phy-names = "hsic0", "hsic1"; +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6-delete-interrupts-property-if-interrupt.patch b/queue-6.0/arm-dts-imx6-delete-interrupts-property-if-interrupt.patch new file mode 100644 index 00000000000..e020d9983c2 --- /dev/null +++ b/queue-6.0/arm-dts-imx6-delete-interrupts-property-if-interrupt.patch @@ -0,0 +1,170 @@ +From 64483a633ac3c51f39fe3a3e55535d2eef75bbea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 08:41:58 +0200 +Subject: ARM: dts: imx6: delete interrupts property if interrupts-extended is + set + +From: Alexander Stein + +[ Upstream commit c9d38ff7080b2c4fa6786b82210fa13115895aae ] + +In most cases this is related to fsl,err006687-workaround-present, which +requires a GPIO interrupt next a GIC interrupt. + +This fixes the dtbs_check warning: +imx6dl-mba6a.dtb: ethernet@2188000: More than one condition true in oneOf schema: + {'$filename': 'Documentation/devicetree/bindings/net/fsl,fec.yaml', +[...] + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6dl-riotboard.dts | 1 + + arch/arm/boot/dts/imx6q-arm2.dts | 1 + + arch/arm/boot/dts/imx6q-evi.dts | 1 + + arch/arm/boot/dts/imx6q-mccmon6.dts | 1 + + arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi | 1 + + arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi | 1 + + arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi | 1 + + arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi | 1 + + arch/arm/boot/dts/imx6qdl-sabreauto.dtsi | 1 + + arch/arm/boot/dts/imx6qdl-tqma6a.dtsi | 1 + + arch/arm/boot/dts/imx6qdl-ts7970.dtsi | 1 + + 11 files changed, 11 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6dl-riotboard.dts b/arch/arm/boot/dts/imx6dl-riotboard.dts +index e7d9bfbfd0e4..e7be05f205d3 100644 +--- a/arch/arm/boot/dts/imx6dl-riotboard.dts ++++ b/arch/arm/boot/dts/imx6dl-riotboard.dts +@@ -90,6 +90,7 @@ + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii-id"; + phy-handle = <&rgmii_phy>; ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + fsl,err006687-workaround-present; +diff --git a/arch/arm/boot/dts/imx6q-arm2.dts b/arch/arm/boot/dts/imx6q-arm2.dts +index 0b40f52268b3..75586299d9ca 100644 +--- a/arch/arm/boot/dts/imx6q-arm2.dts ++++ b/arch/arm/boot/dts/imx6q-arm2.dts +@@ -178,6 +178,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii"; ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + fsl,err006687-workaround-present; +diff --git a/arch/arm/boot/dts/imx6q-evi.dts b/arch/arm/boot/dts/imx6q-evi.dts +index c63f371ede8b..78d941fef5df 100644 +--- a/arch/arm/boot/dts/imx6q-evi.dts ++++ b/arch/arm/boot/dts/imx6q-evi.dts +@@ -146,6 +146,7 @@ + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii"; + phy-reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>; ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + fsl,err006687-workaround-present; +diff --git a/arch/arm/boot/dts/imx6q-mccmon6.dts b/arch/arm/boot/dts/imx6q-mccmon6.dts +index 55692c73943d..64ab01018b71 100644 +--- a/arch/arm/boot/dts/imx6q-mccmon6.dts ++++ b/arch/arm/boot/dts/imx6q-mccmon6.dts +@@ -100,6 +100,7 @@ + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii"; + phy-reset-gpios = <&gpio1 27 GPIO_ACTIVE_LOW>; ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + status = "okay"; +diff --git a/arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi b/arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi +index 0ad4cb4f1e82..a53a5d0766a5 100644 +--- a/arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi +@@ -192,6 +192,7 @@ + phy-mode = "rgmii"; + phy-handle = <ðphy>; + phy-reset-gpios = <&gpio1 27 GPIO_ACTIVE_LOW>; ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + fsl,err006687-workaround-present; +diff --git a/arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi b/arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi +index beaa2dcd436c..57c21a01f126 100644 +--- a/arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi +@@ -334,6 +334,7 @@ + phy-mode = "rgmii"; + phy-handle = <ðphy>; + phy-reset-gpios = <&gpio1 27 GPIO_ACTIVE_LOW>; ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + fsl,err006687-workaround-present; +diff --git a/arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi b/arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi +index ee7e2371f94b..000e9dc97b1a 100644 +--- a/arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi +@@ -263,6 +263,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii"; ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + fsl,err006687-workaround-present; +diff --git a/arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi b/arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi +index 904d5d051d63..731759bdd7f5 100644 +--- a/arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi +@@ -267,6 +267,7 @@ + phy-mode = "rgmii"; + phy-handle = <ðphy>; + phy-reset-gpios = <&gpio1 27 GPIO_ACTIVE_LOW>; ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + fsl,err006687-workaround-present; +diff --git a/arch/arm/boot/dts/imx6qdl-sabreauto.dtsi b/arch/arm/boot/dts/imx6qdl-sabreauto.dtsi +index 1368a4762037..3dbb460ef102 100644 +--- a/arch/arm/boot/dts/imx6qdl-sabreauto.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-sabreauto.dtsi +@@ -295,6 +295,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii-id"; ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + fsl,err006687-workaround-present; +diff --git a/arch/arm/boot/dts/imx6qdl-tqma6a.dtsi b/arch/arm/boot/dts/imx6qdl-tqma6a.dtsi +index 7dc3f0005b0f..0a36e1bce375 100644 +--- a/arch/arm/boot/dts/imx6qdl-tqma6a.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-tqma6a.dtsi +@@ -7,6 +7,7 @@ + #include + + &fec { ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + fsl,err006687-workaround-present; +diff --git a/arch/arm/boot/dts/imx6qdl-ts7970.dtsi b/arch/arm/boot/dts/imx6qdl-ts7970.dtsi +index d6ba4b2a60f6..c096d25a6f5b 100644 +--- a/arch/arm/boot/dts/imx6qdl-ts7970.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-ts7970.dtsi +@@ -192,6 +192,7 @@ + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_enet>; + phy-mode = "rgmii"; ++ /delete-property/ interrupts; + interrupts-extended = <&gpio1 6 IRQ_TYPE_LEVEL_HIGH>, + <&intc 0 119 IRQ_TYPE_LEVEL_HIGH>; + fsl,err006687-workaround-present; +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6dl-add-missing-properties-for-sram.patch b/queue-6.0/arm-dts-imx6dl-add-missing-properties-for-sram.patch new file mode 100644 index 00000000000..6c467d5a6cc --- /dev/null +++ b/queue-6.0/arm-dts-imx6dl-add-missing-properties-for-sram.patch @@ -0,0 +1,38 @@ +From 84c533255616a50cd05efd5180a38a0f9300d16b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 07:53:32 +0200 +Subject: ARM: dts: imx6dl: add missing properties for sram + +From: Alexander Stein + +[ Upstream commit f5848b95633d598bacf0500e0108dc5961af88c0 ] + +All 3 properties are required by sram.yaml. Fixes the dtbs_check warning: +sram@900000: '#address-cells' is a required property +sram@900000: '#size-cells' is a required property +sram@900000: 'ranges' is a required property + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6dl.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6dl.dtsi b/arch/arm/boot/dts/imx6dl.dtsi +index 8e0ed209ede0..dc919e09a505 100644 +--- a/arch/arm/boot/dts/imx6dl.dtsi ++++ b/arch/arm/boot/dts/imx6dl.dtsi +@@ -84,6 +84,9 @@ + ocram: sram@900000 { + compatible = "mmio-sram"; + reg = <0x00900000 0x20000>; ++ ranges = <0 0x00900000 0x20000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + clocks = <&clks IMX6QDL_CLK_OCRAM>; + }; + +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6dl-yapp4-bind-the-backlight-controller-t.patch b/queue-6.0/arm-dts-imx6dl-yapp4-bind-the-backlight-controller-t.patch new file mode 100644 index 00000000000..f28a43e8c83 --- /dev/null +++ b/queue-6.0/arm-dts-imx6dl-yapp4-bind-the-backlight-controller-t.patch @@ -0,0 +1,41 @@ +From 12e62bf9291b4e7216019a542a32526fb6e882ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jul 2022 18:25:15 +0200 +Subject: ARM: dts: imx6dl-yapp4: Bind the backlight controller to the LCD + panel +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Vokáč + +[ Upstream commit 8b212526a957e012e88d68d7f33bb11b312c2ea6 ] + +Add connection between the backlight controller and LCD panel. +With that the backlight is automatically switched on when the panel +is on or switched off when the panel is blanked. + +Signed-off-by: Michal Vokáč +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Stable-dep-of: afd8f77957e3 ("ARM: dts: imx6qdl-kontron-samx6i: hook up DDC i2c bus") +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6dl-yapp4-common.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi +index 674af39c884a..52162e8c7274 100644 +--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi ++++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi +@@ -55,6 +55,7 @@ + panel: panel { + compatible = "dataimage,scf0700c48ggu18"; + power-supply = <&sw2_reg>; ++ backlight = <&backlight>; + status = "disabled"; + + port { +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6q-add-missing-properties-for-sram.patch b/queue-6.0/arm-dts-imx6q-add-missing-properties-for-sram.patch new file mode 100644 index 00000000000..8bee939ce5e --- /dev/null +++ b/queue-6.0/arm-dts-imx6q-add-missing-properties-for-sram.patch @@ -0,0 +1,38 @@ +From b502b60291989b7b97a611d9080b3eb50681f720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 07:53:31 +0200 +Subject: ARM: dts: imx6q: add missing properties for sram + +From: Alexander Stein + +[ Upstream commit b11d083c5dcec7c42fe982c854706d404ddd3a5f ] + +All 3 properties are required by sram.yaml. Fixes the dtbs_check warning: +sram@900000: '#address-cells' is a required property +sram@900000: '#size-cells' is a required property +sram@900000: 'ranges' is a required property + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6q.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6q.dtsi b/arch/arm/boot/dts/imx6q.dtsi +index 3b77eae40e39..df86049a695b 100644 +--- a/arch/arm/boot/dts/imx6q.dtsi ++++ b/arch/arm/boot/dts/imx6q.dtsi +@@ -163,6 +163,9 @@ + ocram: sram@900000 { + compatible = "mmio-sram"; + reg = <0x00900000 0x40000>; ++ ranges = <0 0x00900000 0x40000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + clocks = <&clks IMX6QDL_CLK_OCRAM>; + }; + +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6qdl-kontron-samx6i-hook-up-ddc-i2c-bus.patch b/queue-6.0/arm-dts-imx6qdl-kontron-samx6i-hook-up-ddc-i2c-bus.patch new file mode 100644 index 00000000000..ca62716aaf6 --- /dev/null +++ b/queue-6.0/arm-dts-imx6qdl-kontron-samx6i-hook-up-ddc-i2c-bus.patch @@ -0,0 +1,50 @@ +From dd3471c8185f608a98623ebe373e025936167541 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 15:05:23 +0200 +Subject: ARM: dts: imx6qdl-kontron-samx6i: hook up DDC i2c bus + +From: Lucas Stach + +[ Upstream commit afd8f77957e3e83adf21d9229c61ff37f44a177a ] + +i2c2 is routed to the pins dedicated as DDC in the module standard. +Reduce clock rate to 100kHz to be in line with VESA standard and hook +this bus up to the HDMI node. + +Fixes: 708ed2649ad8 ("ARM: dts: imx6qdl-kontron-samx6i: increase i2c-frequency") +Signed-off-by: Lucas Stach +[m.felsch@pengutronix.de: add fixes line] +Signed-off-by: Marco Felsch +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi b/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi +index 6b791d515e29..683f6e58ab23 100644 +--- a/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi +@@ -263,6 +263,10 @@ + phy-reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>; + }; + ++&hdmi { ++ ddc-i2c-bus = <&i2c2>; ++}; ++ + &i2c_intern { + pmic@8 { + compatible = "fsl,pfuze100"; +@@ -387,7 +391,7 @@ + + /* HDMI_CTRL */ + &i2c2 { +- clock-frequency = <375000>; ++ clock-frequency = <100000>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_i2c2>; + }; +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6qp-add-missing-properties-for-sram.patch b/queue-6.0/arm-dts-imx6qp-add-missing-properties-for-sram.patch new file mode 100644 index 00000000000..78776948099 --- /dev/null +++ b/queue-6.0/arm-dts-imx6qp-add-missing-properties-for-sram.patch @@ -0,0 +1,47 @@ +From c23d5091cac28db27c98c3b6d48a276d5f7907fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 07:53:33 +0200 +Subject: ARM: dts: imx6qp: add missing properties for sram + +From: Alexander Stein + +[ Upstream commit 088fe5237435ee2f7ed4450519b2ef58b94c832f ] + +All 3 properties are required by sram.yaml. Fixes the dtbs_check warning: +sram@940000: '#address-cells' is a required property +sram@940000: '#size-cells' is a required property +sram@940000: 'ranges' is a required property + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qp.dtsi | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6qp.dtsi b/arch/arm/boot/dts/imx6qp.dtsi +index 050365513836..fc164991d2ae 100644 +--- a/arch/arm/boot/dts/imx6qp.dtsi ++++ b/arch/arm/boot/dts/imx6qp.dtsi +@@ -9,12 +9,18 @@ + ocram2: sram@940000 { + compatible = "mmio-sram"; + reg = <0x00940000 0x20000>; ++ ranges = <0 0x00940000 0x20000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + clocks = <&clks IMX6QDL_CLK_OCRAM>; + }; + + ocram3: sram@960000 { + compatible = "mmio-sram"; + reg = <0x00960000 0x20000>; ++ ranges = <0 0x00960000 0x20000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + clocks = <&clks IMX6QDL_CLK_OCRAM>; + }; + +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6sl-add-missing-properties-for-sram.patch b/queue-6.0/arm-dts-imx6sl-add-missing-properties-for-sram.patch new file mode 100644 index 00000000000..17274591e85 --- /dev/null +++ b/queue-6.0/arm-dts-imx6sl-add-missing-properties-for-sram.patch @@ -0,0 +1,38 @@ +From 14e9205f48c5709bcac0330604bfc4aece83c4c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 07:53:34 +0200 +Subject: ARM: dts: imx6sl: add missing properties for sram + +From: Alexander Stein + +[ Upstream commit 60c9213a1d9941a8b33db570796c3f9be8984974 ] + +All 3 properties are required by sram.yaml. Fixes the dtbs_check warning: +sram@900000: '#address-cells' is a required property +sram@900000: '#size-cells' is a required property +sram@900000: 'ranges' is a required property + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sl.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi +index 06a515121dfc..cfd6b4972ae7 100644 +--- a/arch/arm/boot/dts/imx6sl.dtsi ++++ b/arch/arm/boot/dts/imx6sl.dtsi +@@ -115,6 +115,9 @@ + ocram: sram@900000 { + compatible = "mmio-sram"; + reg = <0x00900000 0x20000>; ++ ranges = <0 0x00900000 0x20000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + clocks = <&clks IMX6SL_CLK_OCRAM>; + }; + +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6sl-use-tabs-for-code-indent.patch b/queue-6.0/arm-dts-imx6sl-use-tabs-for-code-indent.patch new file mode 100644 index 00000000000..024a2517c46 --- /dev/null +++ b/queue-6.0/arm-dts-imx6sl-use-tabs-for-code-indent.patch @@ -0,0 +1,97 @@ +From 9e908abd003192c1e43aa99c3627cd60b3f873d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 21:22:48 +0200 +Subject: ARM: dts: imx6sl: use tabs for code indent + +From: Marcel Ziswiler + +[ Upstream commit 218db824a7519856d0eaaeb5c41ca504ed550210 ] + +This fixes the following error: + +arch/arm/boot/dts/imx6sl.dtsi:714: error: code indent should use tabs +where possible + +Signed-off-by: Marcel Ziswiler +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sl.dtsi | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi +index cfd6b4972ae7..01122ddfdc0d 100644 +--- a/arch/arm/boot/dts/imx6sl.dtsi ++++ b/arch/arm/boot/dts/imx6sl.dtsi +@@ -61,10 +61,10 @@ + <792000 1175000>, + <396000 975000>; + fsl,soc-operating-points = +- /* ARM kHz SOC-PU uV */ +- <996000 1225000>, +- <792000 1175000>, +- <396000 1175000>; ++ /* ARM kHz SOC-PU uV */ ++ <996000 1225000>, ++ <792000 1175000>, ++ <396000 1175000>; + clock-latency = <61036>; /* two CLK32 periods */ + #cooling-cells = <2>; + clocks = <&clks IMX6SL_CLK_ARM>, <&clks IMX6SL_CLK_PLL2_PFD2>, +@@ -225,7 +225,7 @@ + + uart5: serial@2018000 { + compatible = "fsl,imx6sl-uart", +- "fsl,imx6q-uart", "fsl,imx21-uart"; ++ "fsl,imx6q-uart", "fsl,imx21-uart"; + reg = <0x02018000 0x4000>; + interrupts = <0 30 IRQ_TYPE_LEVEL_HIGH>; + clocks = <&clks IMX6SL_CLK_UART>, +@@ -238,7 +238,7 @@ + + uart1: serial@2020000 { + compatible = "fsl,imx6sl-uart", +- "fsl,imx6q-uart", "fsl,imx21-uart"; ++ "fsl,imx6q-uart", "fsl,imx21-uart"; + reg = <0x02020000 0x4000>; + interrupts = <0 26 IRQ_TYPE_LEVEL_HIGH>; + clocks = <&clks IMX6SL_CLK_UART>, +@@ -251,7 +251,7 @@ + + uart2: serial@2024000 { + compatible = "fsl,imx6sl-uart", +- "fsl,imx6q-uart", "fsl,imx21-uart"; ++ "fsl,imx6q-uart", "fsl,imx21-uart"; + reg = <0x02024000 0x4000>; + interrupts = <0 27 IRQ_TYPE_LEVEL_HIGH>; + clocks = <&clks IMX6SL_CLK_UART>, +@@ -312,7 +312,7 @@ + + uart3: serial@2034000 { + compatible = "fsl,imx6sl-uart", +- "fsl,imx6q-uart", "fsl,imx21-uart"; ++ "fsl,imx6q-uart", "fsl,imx21-uart"; + reg = <0x02034000 0x4000>; + interrupts = <0 28 IRQ_TYPE_LEVEL_HIGH>; + clocks = <&clks IMX6SL_CLK_UART>, +@@ -325,7 +325,7 @@ + + uart4: serial@2038000 { + compatible = "fsl,imx6sl-uart", +- "fsl,imx6q-uart", "fsl,imx21-uart"; ++ "fsl,imx6q-uart", "fsl,imx21-uart"; + reg = <0x02038000 0x4000>; + interrupts = <0 29 IRQ_TYPE_LEVEL_HIGH>; + clocks = <&clks IMX6SL_CLK_UART>, +@@ -714,7 +714,7 @@ + #power-domain-cells = <0>; + power-supply = <®_pu>; + clocks = <&clks IMX6SL_CLK_GPU2D_OVG>, +- <&clks IMX6SL_CLK_GPU2D_PODF>; ++ <&clks IMX6SL_CLK_GPU2D_PODF>; + }; + + pd_disp: power-domain@2 { +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6sll-add-missing-properties-for-sram.patch b/queue-6.0/arm-dts-imx6sll-add-missing-properties-for-sram.patch new file mode 100644 index 00000000000..f36dcc79c92 --- /dev/null +++ b/queue-6.0/arm-dts-imx6sll-add-missing-properties-for-sram.patch @@ -0,0 +1,38 @@ +From 1a4e16eadbeedf9d069099899b256f746ceab120 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 07:53:35 +0200 +Subject: ARM: dts: imx6sll: add missing properties for sram + +From: Alexander Stein + +[ Upstream commit 7492a83ed9b7a151e2dd11d64b06da7a7f0fa7f9 ] + +All 3 properties are required by sram.yaml. Fixes the dtbs_check warning: +sram@900000: '#address-cells' is a required property +sram@900000: '#size-cells' is a required property +sram@900000: 'ranges' is a required property + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sll.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6sll.dtsi b/arch/arm/boot/dts/imx6sll.dtsi +index d4a000c3dde7..2873369a57c0 100644 +--- a/arch/arm/boot/dts/imx6sll.dtsi ++++ b/arch/arm/boot/dts/imx6sll.dtsi +@@ -115,6 +115,9 @@ + ocram: sram@900000 { + compatible = "mmio-sram"; + reg = <0x00900000 0x20000>; ++ ranges = <0 0x00900000 0x20000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + }; + + intc: interrupt-controller@a01000 { +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6sx-add-missing-properties-for-sram.patch b/queue-6.0/arm-dts-imx6sx-add-missing-properties-for-sram.patch new file mode 100644 index 00000000000..3df53dcad98 --- /dev/null +++ b/queue-6.0/arm-dts-imx6sx-add-missing-properties-for-sram.patch @@ -0,0 +1,47 @@ +From 8a12d386956f04b87b4740d6d0c6d16668c8283f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 07:53:36 +0200 +Subject: ARM: dts: imx6sx: add missing properties for sram + +From: Alexander Stein + +[ Upstream commit 415432c008b2bce8138841356ba444631cabaa50 ] + +All 3 properties are required by sram.yaml. Fixes the dtbs_check warning: +sram@900000: '#address-cells' is a required property +sram@900000: '#size-cells' is a required property +sram@900000: 'ranges' is a required property + +Signed-off-by: Alexander Stein +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sx.dtsi | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/arm/boot/dts/imx6sx.dtsi b/arch/arm/boot/dts/imx6sx.dtsi +index 4d075e2bf749..2611eef3b2a2 100644 +--- a/arch/arm/boot/dts/imx6sx.dtsi ++++ b/arch/arm/boot/dts/imx6sx.dtsi +@@ -164,12 +164,18 @@ + ocram_s: sram@8f8000 { + compatible = "mmio-sram"; + reg = <0x008f8000 0x4000>; ++ ranges = <0 0x008f8000 0x4000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + clocks = <&clks IMX6SX_CLK_OCRAM_S>; + }; + + ocram: sram@900000 { + compatible = "mmio-sram"; + reg = <0x00900000 0x20000>; ++ ranges = <0 0x00900000 0x20000>; ++ #address-cells = <1>; ++ #size-cells = <1>; + clocks = <&clks IMX6SX_CLK_OCRAM>; + }; + +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx6sx-udoo-neo-don-t-use-multiple-blank-lin.patch b/queue-6.0/arm-dts-imx6sx-udoo-neo-don-t-use-multiple-blank-lin.patch new file mode 100644 index 00000000000..23ba2c481c2 --- /dev/null +++ b/queue-6.0/arm-dts-imx6sx-udoo-neo-don-t-use-multiple-blank-lin.patch @@ -0,0 +1,77 @@ +From 912dab307e9169935b4886b9b8bfde05fe9724e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 21:22:49 +0200 +Subject: ARM: dts: imx6sx-udoo-neo: don't use multiple blank lines + +From: Marcel Ziswiler + +[ Upstream commit fd2dd7077c7498765e7326c1b7f34bde85f1a975 ] + +This fixes the following warning: + +arch/arm/boot/dts/imx6sx-udoo-neo.dtsi:309: check: Please don't use multiple +blank lines + +While at it, use tabs indent for some pinctrl entries. + +Signed-off-by: Marcel Ziswiler +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6sx-udoo-neo.dtsi | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/imx6sx-udoo-neo.dtsi b/arch/arm/boot/dts/imx6sx-udoo-neo.dtsi +index 35861bbea94e..c84ea1fac5e9 100644 +--- a/arch/arm/boot/dts/imx6sx-udoo-neo.dtsi ++++ b/arch/arm/boot/dts/imx6sx-udoo-neo.dtsi +@@ -226,7 +226,7 @@ + &iomuxc { + pinctrl_bt_reg: btreggrp { + fsl,pins = +- ; ++ ; + }; + + pinctrl_enet1: enet1grp { +@@ -306,7 +306,6 @@ + >; + }; + +- + pinctrl_uart1: uart1grp { + fsl,pins = + , +@@ -347,24 +346,23 @@ + + pinctrl_otg1_reg: otg1grp { + fsl,pins = +- ; ++ ; + }; + +- + pinctrl_otg2_reg: otg2grp { + fsl,pins = +- ; ++ ; + }; + + pinctrl_usb_otg1: usbotg1grp { + fsl,pins = +- , +- ; ++ , ++ ; + }; + + pinctrl_usb_otg2: usbot2ggrp { + fsl,pins = +- ; ++ ; + }; + + pinctrl_usdhc2: usdhc2grp { +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch b/queue-6.0/arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch new file mode 100644 index 00000000000..fbf4f5305bd --- /dev/null +++ b/queue-6.0/arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch @@ -0,0 +1,60 @@ +From b2baee3c5789128a7bf36f15908f02a67158e8ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 18:16:22 +0800 +Subject: ARM: dts: imx7d-sdb: config the max pressure for tsc2046 + +From: Haibo Chen + +[ Upstream commit e7c4ebe2f9cd68588eb24ba4ed122e696e2d5272 ] + +Use the general touchscreen method to config the max pressure for +touch tsc2046(data sheet suggest 8 bit pressure), otherwise, for +ABS_PRESSURE, when config the same max and min value, weston will +meet the following issue, + +[17:19:39.183] event1 - ADS7846 Touchscreen: is tagged by udev as: Touchscreen +[17:19:39.183] event1 - ADS7846 Touchscreen: kernel bug: device has min == max on ABS_PRESSURE +[17:19:39.183] event1 - ADS7846 Touchscreen: was rejected +[17:19:39.183] event1 - not using input device '/dev/input/event1' + +This will then cause the APP weston-touch-calibrator can't list touch devices. + +root@imx6ul7d:~# weston-touch-calibrator +could not load cursor 'dnd-move' +could not load cursor 'dnd-copy' +could not load cursor 'dnd-none' +No devices listed. + +And accroding to binding Doc, "ti,x-max", "ti,y-max", "ti,pressure-max" +belong to the deprecated properties, so remove them. Also for "ti,x-min", +"ti,y-min", "ti,x-plate-ohms", the value set in dts equal to the default +value in driver, so are redundant, also remove here. + +Signed-off-by: Haibo Chen +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7d-sdb.dts | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/arch/arm/boot/dts/imx7d-sdb.dts b/arch/arm/boot/dts/imx7d-sdb.dts +index 78f4224a9bf4..e93b9cd9c27b 100644 +--- a/arch/arm/boot/dts/imx7d-sdb.dts ++++ b/arch/arm/boot/dts/imx7d-sdb.dts +@@ -206,12 +206,7 @@ + interrupt-parent = <&gpio2>; + interrupts = <29 0>; + pendown-gpio = <&gpio2 29 GPIO_ACTIVE_HIGH>; +- ti,x-min = /bits/ 16 <0>; +- ti,x-max = /bits/ 16 <0>; +- ti,y-min = /bits/ 16 <0>; +- ti,y-max = /bits/ 16 <0>; +- ti,pressure-max = /bits/ 16 <0>; +- ti,x-plate-ohms = /bits/ 16 <400>; ++ touchscreen-max-pressure = <255>; + wakeup-source; + }; + }; +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-kirkwood-lsxl-fix-serial-line.patch b/queue-6.0/arm-dts-kirkwood-lsxl-fix-serial-line.patch new file mode 100644 index 00000000000..3750e6ec916 --- /dev/null +++ b/queue-6.0/arm-dts-kirkwood-lsxl-fix-serial-line.patch @@ -0,0 +1,50 @@ +From e14528fdb0833c9f5a206dfbfd0a9628022701ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 02:10:24 +0200 +Subject: ARM: dts: kirkwood: lsxl: fix serial line + +From: Michael Walle + +[ Upstream commit 04eabc6ac10fda9424606d9a7ab6ab9a5d95350a ] + +Commit 327e15428977 ("ARM: dts: kirkwood: consolidate common pinctrl +settings") unknowingly broke the serial output on this board. Before +this commit, the pinmux was still configured by the bootloader and the +kernel didn't reconfigured it again. This was an oversight by the +initial board support where the pinmux for the serial line was never +configured by the kernel. But with this commit, the serial line will be +reconfigured to the wrong pins. This is especially confusing, because +the output still works, but the input doesn't. Presumingly, the input is +reconfigured to MPP10, but the output is connected to both MPP11 and +MPP5. + +Override the pinmux in the board device tree. + +Fixes: 327e15428977 ("ARM: dts: kirkwood: consolidate common pinctrl settings") +Signed-off-by: Michael Walle +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/kirkwood-lsxl.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/boot/dts/kirkwood-lsxl.dtsi b/arch/arm/boot/dts/kirkwood-lsxl.dtsi +index 7b151acb9984..321a40a98ed2 100644 +--- a/arch/arm/boot/dts/kirkwood-lsxl.dtsi ++++ b/arch/arm/boot/dts/kirkwood-lsxl.dtsi +@@ -10,6 +10,11 @@ + + ocp@f1000000 { + pinctrl: pin-controller@10000 { ++ /* Non-default UART pins */ ++ pmx_uart0: pmx-uart0 { ++ marvell,pins = "mpp4", "mpp5"; ++ }; ++ + pmx_power_hdd: pmx-power-hdd { + marvell,pins = "mpp10"; + marvell,function = "gpo"; +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch b/queue-6.0/arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch new file mode 100644 index 00000000000..ef4f07c8e57 --- /dev/null +++ b/queue-6.0/arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch @@ -0,0 +1,53 @@ +From 9781e0b2b67d1bf0ee064c47d5594e99b4884efe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 02:10:25 +0200 +Subject: ARM: dts: kirkwood: lsxl: remove first ethernet port + +From: Michael Walle + +[ Upstream commit 2d528eda7c96ce5c70f895854ecd5684bd5d80b9 ] + +Both the Linkstation LS-CHLv2 and the LS-XHL have only one ethernet +port. This has always been wrong, i.e. the board code used to set up +both ports, but the driver will play nice and return -ENODEV if the +assiciated PHY is not found. Nevertheless, it is wrong. Remove it. + +Fixes: 876e23333511 ("ARM: kirkwood: add gigabit ethernet and mvmdio device tree nodes") +Signed-off-by: Michael Walle +Reviewed-by: Andrew Lunn +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/kirkwood-lsxl.dtsi | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/arch/arm/boot/dts/kirkwood-lsxl.dtsi b/arch/arm/boot/dts/kirkwood-lsxl.dtsi +index 321a40a98ed2..88b70ba1c8fe 100644 +--- a/arch/arm/boot/dts/kirkwood-lsxl.dtsi ++++ b/arch/arm/boot/dts/kirkwood-lsxl.dtsi +@@ -218,22 +218,11 @@ + &mdio { + status = "okay"; + +- ethphy0: ethernet-phy@0 { +- reg = <0>; +- }; +- + ethphy1: ethernet-phy@8 { + reg = <8>; + }; + }; + +-ð0 { +- status = "okay"; +- ethernet0-port@0 { +- phy-handle = <ðphy0>; +- }; +-}; +- + ð1 { + status = "okay"; + ethernet1-port@0 { +-- +2.35.1 + diff --git a/queue-6.0/arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch b/queue-6.0/arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch new file mode 100644 index 00000000000..8734405ce6e --- /dev/null +++ b/queue-6.0/arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch @@ -0,0 +1,53 @@ +From f0e40a30f288662c9c3042d71174dc2cc50d38f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 14:56:10 +0200 +Subject: ARM: dts: turris-omnia: Fix mpp26 pin name and comment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit 49e93898f0dc177e645c22d0664813567fd9ec00 ] + +There is a bug in Turris Omnia's schematics, whereupon the MPP[26] pin, +which is routed to CN11 pin header, is documented as SPI CS1, but +MPP[26] pin does not support this function. Instead it controls chip +select 2 if in "spi0" mode. + +Fix the name of the pin node in pinctrl node and fix the comment in SPI +node. + +Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia") +Signed-off-by: Marek Behún +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-385-turris-omnia.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts +index d1e0db6e5730..a41902e3815c 100644 +--- a/arch/arm/boot/dts/armada-385-turris-omnia.dts ++++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts +@@ -476,7 +476,7 @@ + marvell,function = "spi0"; + }; + +- spi0cs1_pins: spi0cs1-pins { ++ spi0cs2_pins: spi0cs2-pins { + marvell,pins = "mpp26"; + marvell,function = "spi0"; + }; +@@ -511,7 +511,7 @@ + }; + }; + +- /* MISO, MOSI, SCLK and CS1 are routed to pin header CN11 */ ++ /* MISO, MOSI, SCLK and CS2 are routed to pin header CN11 */ + }; + + &uart0 { +-- +2.35.1 + diff --git a/queue-6.0/arm-orion-fix-include-path.patch b/queue-6.0/arm-orion-fix-include-path.patch new file mode 100644 index 00000000000..1523648b5d3 --- /dev/null +++ b/queue-6.0/arm-orion-fix-include-path.patch @@ -0,0 +1,39 @@ +From 11e94b28bed67be359ebda343e7ef77c6054f266 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Sep 2022 21:55:50 +0200 +Subject: ARM: orion: fix include path + +From: Arnd Bergmann + +[ Upstream commit 63872304bdb3decd5454f4dd210c25395278ed13 ] + +Now that CONFIG_ARCH_MULTIPLATFORM can be disabled anywhere, +there is a build failure for plat-orion: + +arch/arm/plat-orion/irq.c:19:10: fatal error: plat/irq.h: No such file or directory + +Make the include path unconditional. + +Reported-by: kernel test robot +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/plat-orion/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/plat-orion/Makefile b/arch/arm/plat-orion/Makefile +index 4e3f25de13c1..830b0be038c6 100644 +--- a/arch/arm/plat-orion/Makefile ++++ b/arch/arm/plat-orion/Makefile +@@ -2,7 +2,7 @@ + # + # Makefile for the linux kernel. + # +-ccflags-$(CONFIG_ARCH_MULTIPLATFORM) := -I$(srctree)/$(src)/include ++ccflags-y := -I$(srctree)/$(src)/include + + orion-gpio-$(CONFIG_GPIOLIB) += gpio.o + obj-$(CONFIG_PLAT_ORION_LEGACY) += irq.o pcie.o time.o common.o mpp.o +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-exynos-fix-polarity-of-enable-line-of-nfc-.patch b/queue-6.0/arm64-dts-exynos-fix-polarity-of-enable-line-of-nfc-.patch new file mode 100644 index 00000000000..545642d5708 --- /dev/null +++ b/queue-6.0/arm64-dts-exynos-fix-polarity-of-enable-line-of-nfc-.patch @@ -0,0 +1,54 @@ +From 843d764dbb26173a59f14db9c3cd12ed3751638e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 18:15:55 -0700 +Subject: arm64: dts: exynos: fix polarity of "enable" line of NFC chip in TM2 + +From: Dmitry Torokhov + +[ Upstream commit bd1a665a01b4d65fd8dc6fece4b376fa5c8c55bb ] + +According to s3fwrn5 driver code the "enable" GPIO line is driven "high" +when chip is not in use (mode is S3FWRN5_MODE_COLD), and is driven "low" +when chip is in use. + +s3fwrn5_phy_power_ctrl(): + + ... + gpio_set_value(phy->gpio_en, 1); + ... + if (mode != S3FWRN5_MODE_COLD) { + msleep(S3FWRN5_EN_WAIT_TIME); + gpio_set_value(phy->gpio_en, 0); + msleep(S3FWRN5_EN_WAIT_TIME); + } + +Therefore the line described by "en-gpios" property should be annotated +as "active low". + +The wakeup gpio appears to have correct polarity (active high). + +Signed-off-by: Dmitry Torokhov +Link: https://lore.kernel.org/r/20220929011557.4165216-1-dmitry.torokhov@gmail.com +Signed-off-by: Krzysztof Kozlowski +Stable-dep-of: a08137bd1e0a ("ARM: dts: exynos: fix polarity of VBUS GPIO of Origen") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi b/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi +index 91c9bd1b47dd..bde6a6bb8dfc 100644 +--- a/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi ++++ b/arch/arm64/boot/dts/exynos/exynos5433-tm2-common.dtsi +@@ -795,7 +795,7 @@ + reg = <0x27>; + interrupt-parent = <&gpa1>; + interrupts = <3 IRQ_TYPE_EDGE_RISING>; +- en-gpios = <&gpf1 4 GPIO_ACTIVE_HIGH>; ++ en-gpios = <&gpf1 4 GPIO_ACTIVE_LOW>; + wake-gpios = <&gpj0 2 GPIO_ACTIVE_HIGH>; + }; + }; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-imx8mm-kontron-use-the-vselect-signal-to-s.patch b/queue-6.0/arm64-dts-imx8mm-kontron-use-the-vselect-signal-to-s.patch new file mode 100644 index 00000000000..9561d1e6926 --- /dev/null +++ b/queue-6.0/arm64-dts-imx8mm-kontron-use-the-vselect-signal-to-s.patch @@ -0,0 +1,81 @@ +From 4336d29e76f02eed74df5c60c27e3e4201e79481 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 10:03:50 +0200 +Subject: arm64: dts: imx8mm-kontron: Use the VSELECT signal to switch SD card + IO voltage + +From: Frieder Schrempf + +[ Upstream commit eef2c0217e02b6c7ed5b10b82ea944127145e113 ] + +It turns out that it is not necessary to declare the VSELECT signal as +GPIO and let the PMIC driver set it to a fixed high level. This switches +the voltage between 3.3V and 1.8V by setting the PMIC register for LDO5 +accordingly. + +Instead we can do it like other boards already do and simply mux the +VSELECT signal of the USDHC interface to the pin. This makes sure that +the correct voltage is selected by setting the PMIC's SD_VSEL input +to high or low accordingly. + +Reported-by: Heiko Thiery +Signed-off-by: Frieder Schrempf +Reviewed-by: Heiko Thiery +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts | 3 +++ + arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi | 2 -- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts +index 23be1ec538ba..c54536c0a2ba 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts ++++ b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts +@@ -321,6 +321,7 @@ + MX8MM_IOMUXC_SD2_DATA2_USDHC2_DATA2 0x1d0 + MX8MM_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d0 + MX8MM_IOMUXC_SD2_CD_B_GPIO2_IO12 0x019 ++ MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x1d0 + >; + }; + +@@ -333,6 +334,7 @@ + MX8MM_IOMUXC_SD2_DATA2_USDHC2_DATA2 0x1d4 + MX8MM_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d4 + MX8MM_IOMUXC_SD2_CD_B_GPIO2_IO12 0x019 ++ MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x1d0 + >; + }; + +@@ -345,6 +347,7 @@ + MX8MM_IOMUXC_SD2_DATA2_USDHC2_DATA2 0x1d6 + MX8MM_IOMUXC_SD2_DATA3_USDHC2_DATA3 0x1d6 + MX8MM_IOMUXC_SD2_CD_B_GPIO2_IO12 0x019 ++ MX8MM_IOMUXC_GPIO1_IO04_USDHC2_VSELECT 0x1d0 + >; + }; + }; +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi +index 8f90eb02550d..6307af803429 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi +@@ -86,7 +86,6 @@ + pinctrl-0 = <&pinctrl_pmic>; + interrupt-parent = <&gpio1>; + interrupts = <0 IRQ_TYPE_LEVEL_LOW>; +- sd-vsel-gpios = <&gpio1 4 GPIO_ACTIVE_HIGH>; + + regulators { + reg_vdd_soc: BUCK1 { +@@ -229,7 +228,6 @@ + pinctrl_pmic: pmicgrp { + fsl,pins = < + MX8MM_IOMUXC_GPIO1_IO00_GPIO1_IO0 0x141 +- MX8MM_IOMUXC_GPIO1_IO04_GPIO1_IO4 0x141 + >; + }; + +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-imx8mp-add-snps-gfladj-refclk-lpm-sel-quir.patch b/queue-6.0/arm64-dts-imx8mp-add-snps-gfladj-refclk-lpm-sel-quir.patch new file mode 100644 index 00000000000..f79c1465d51 --- /dev/null +++ b/queue-6.0/arm64-dts-imx8mp-add-snps-gfladj-refclk-lpm-sel-quir.patch @@ -0,0 +1,48 @@ +From 8b4ee8a4b70d732a22b8e0e9d45311590377456b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 08:28:54 +0200 +Subject: arm64: dts: imx8mp: Add snps,gfladj-refclk-lpm-sel quirk to USB nodes + +From: Alexander Stein + +[ Upstream commit 5c3d5ecf48ab06c709c012bf1e8f0c91e1fcd7ad ] + +With this set the SOF/ITP counter is based on ref_clk when 2.0 ports are +suspended. +snps,dis-u2-freeclk-exists-quirk can be removed as +snps,gfladj-refclk-lpm-sel also clears the free running clock configuration +bit. + +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20220915062855.751881-4-alexander.stein@ew.tq-group.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mp.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mp.dtsi b/arch/arm64/boot/dts/freescale/imx8mp.dtsi +index fe178b7d063c..522ab47426c3 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mp.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mp.dtsi +@@ -1189,7 +1189,7 @@ + interrupts = ; + phys = <&usb3_phy0>, <&usb3_phy0>; + phy-names = "usb2-phy", "usb3-phy"; +- snps,dis-u2-freeclk-exists-quirk; ++ snps,gfladj-refclk-lpm-sel-quirk; + }; + + }; +@@ -1231,7 +1231,7 @@ + interrupts = ; + phys = <&usb3_phy1>, <&usb3_phy1>; + phy-names = "usb2-phy", "usb3-phy"; +- snps,dis-u2-freeclk-exists-quirk; ++ snps,gfladj-refclk-lpm-sel-quirk; + }; + }; + +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-imx8mq-librem5-add-bq25895-as-max17055-s-p.patch b/queue-6.0/arm64-dts-imx8mq-librem5-add-bq25895-as-max17055-s-p.patch new file mode 100644 index 00000000000..d95d9169422 --- /dev/null +++ b/queue-6.0/arm64-dts-imx8mq-librem5-add-bq25895-as-max17055-s-p.patch @@ -0,0 +1,36 @@ +From bf1bfb90e7f2b5e5c939fccb60df0b47a01f2ef9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 10:42:13 +0200 +Subject: arm64: dts: imx8mq-librem5: Add bq25895 as max17055's power supply + +From: Sebastian Krzyszkowiak + +[ Upstream commit 6effe295e1a87408033c29dbcea9d5a5c8b937d5 ] + +This allows the userspace to notice that there's not enough +current provided to charge the battery, and also fixes issues +with 0% SOC values being considered invalid. + +Signed-off-by: Sebastian Krzyszkowiak +Signed-off-by: Martin Kepplinger +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +index 9eec8a7eecfc..127fc7f904c8 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi +@@ -1077,6 +1077,7 @@ + interrupts = <20 IRQ_TYPE_LEVEL_LOW>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_gauge>; ++ power-supplies = <&bq25895>; + maxim,over-heat-temp = <700>; + maxim,over-volt = <4500>; + maxim,rsns-microohm = <5000>; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-imx8ulp-no-executable-source-file-permissi.patch b/queue-6.0/arm64-dts-imx8ulp-no-executable-source-file-permissi.patch new file mode 100644 index 00000000000..b53af46db88 --- /dev/null +++ b/queue-6.0/arm64-dts-imx8ulp-no-executable-source-file-permissi.patch @@ -0,0 +1,29 @@ +From cc6e5762e39c9ada0d70c58d93eb7f890df14c37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 21:22:50 +0200 +Subject: arm64: dts: imx8ulp: no executable source file permission + +From: Marcel Ziswiler + +[ Upstream commit 7db9905d48e1b9a97a28224c5a201262ebce7489 ] + +This fixes the following error: + +arch/arm64/boot/dts/freescale/imx8ulp-pinfunc.h: error: do not set + execute permissions for source files + +Signed-off-by: Marcel Ziswiler +Acked-by: Peng Fan +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8ulp-pinfunc.h | 0 + 1 file changed, 0 insertions(+), 0 deletions(-) + mode change 100755 => 100644 arch/arm64/boot/dts/freescale/imx8ulp-pinfunc.h + +diff --git a/arch/arm64/boot/dts/freescale/imx8ulp-pinfunc.h b/arch/arm64/boot/dts/freescale/imx8ulp-pinfunc.h +old mode 100755 +new mode 100644 +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-marvell-98dx25xx-use-correct-property-for-.patch b/queue-6.0/arm64-dts-marvell-98dx25xx-use-correct-property-for-.patch new file mode 100644 index 00000000000..9f838949741 --- /dev/null +++ b/queue-6.0/arm64-dts-marvell-98dx25xx-use-correct-property-for-.patch @@ -0,0 +1,50 @@ +From 5e0159fea3fca6f59377c13697b165ea83bc09c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 14:28:08 +1200 +Subject: arm64: dts: marvell: 98dx25xx: use correct property for i2c gpios + +From: Chris Packham + +[ Upstream commit 2b14d382ec97ca5b420239ee6e16da390fab476c ] + +Use the correct names for scl-gpios and sda-gpios so that the generic +i2c recovery code will find them. While we're here set the +GPIO_OPEN_DRAIN flag on the gpios. + +Fixes: b795fadfc46b ("arm64: dts: marvell: Add Armada 98DX2530 SoC and RD-AC5X board") +Signed-off-by: Chris Packham +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi b/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi +index 80b44c7df56a..881bf948d1df 100644 +--- a/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi ++++ b/arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi +@@ -117,8 +117,8 @@ + pinctrl-names = "default", "gpio"; + pinctrl-0 = <&i2c0_pins>; + pinctrl-1 = <&i2c0_gpio>; +- scl_gpio = <&gpio0 26 GPIO_ACTIVE_HIGH>; +- sda_gpio = <&gpio0 27 GPIO_ACTIVE_HIGH>; ++ scl-gpios = <&gpio0 26 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; ++ sda-gpios = <&gpio0 27 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; + status = "disabled"; + }; + +@@ -136,8 +136,8 @@ + pinctrl-names = "default", "gpio"; + pinctrl-0 = <&i2c1_pins>; + pinctrl-1 = <&i2c1_gpio>; +- scl_gpio = <&gpio0 20 GPIO_ACTIVE_HIGH>; +- sda_gpio = <&gpio0 21 GPIO_ACTIVE_HIGH>; ++ scl-gpios = <&gpio0 20 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; ++ sda-gpios = <&gpio0 21 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>; + status = "disabled"; + }; + +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-ipq8074-fix-pcie-phy-serdes-size.patch b/queue-6.0/arm64-dts-qcom-ipq8074-fix-pcie-phy-serdes-size.patch new file mode 100644 index 00000000000..920d3996157 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-ipq8074-fix-pcie-phy-serdes-size.patch @@ -0,0 +1,47 @@ +From be500bcf91d2007aec55b6bb51791f6d1e3fb53c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 16:34:30 +0200 +Subject: arm64: dts: qcom: ipq8074: fix PCIe PHY serdes size + +From: Johan Hovold + +[ Upstream commit ed22cc93abae68f9d3fc4957c20a1d902cf28882 ] + +The size of the PCIe PHY serdes register region is 0x1c4 and the +corresponding 'reg' property should specifically not include the +adjacent regions that are defined in the child node (e.g. tx and rx). + +Fixes: 33057e1672fe ("ARM: dts: ipq8074: Add pcie nodes") +Signed-off-by: Johan Hovold +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220915143431.19842-1-johan+linaro@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/ipq8074.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/ipq8074.dtsi b/arch/arm64/boot/dts/qcom/ipq8074.dtsi +index d53675fc1595..b9bf43215ada 100644 +--- a/arch/arm64/boot/dts/qcom/ipq8074.dtsi ++++ b/arch/arm64/boot/dts/qcom/ipq8074.dtsi +@@ -199,7 +199,7 @@ + + pcie_qmp0: phy@86000 { + compatible = "qcom,ipq8074-qmp-pcie-phy"; +- reg = <0x00086000 0x1000>; ++ reg = <0x00086000 0x1c4>; + #address-cells = <1>; + #size-cells = <1>; + ranges; +@@ -227,7 +227,7 @@ + + pcie_qmp1: phy@8e000 { + compatible = "qcom,ipq8074-qmp-pcie-phy"; +- reg = <0x0008e000 0x1000>; ++ reg = <0x0008e000 0x1c4>; + #address-cells = <1>; + #size-cells = <1>; + ranges; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-pm8350c-drop-pwm-reg-declaration.patch b/queue-6.0/arm64-dts-qcom-pm8350c-drop-pwm-reg-declaration.patch new file mode 100644 index 00000000000..54998510929 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-pm8350c-drop-pwm-reg-declaration.patch @@ -0,0 +1,41 @@ +From 25b770aa702a3b0482456d854a0033ecee6b4f7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Aug 2022 14:26:48 +0100 +Subject: arm64: dts: qcom: pm8350c: Drop PWM reg declaration + +From: Bryan O'Donoghue + +[ Upstream commit eeca7d46217ccfe9289530e959c0fb29190af0d6 ] + +The PWM is a part of the SPMI PMIC block and maps several different +addresses within the SPMI block. It is not accurate to describe as pwm@reg +as a result. + +Fixes: 5be66d2dc887 ("arm64: dts: qcom: pm8350c: Add pwm support") +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220828132648.3624126-3-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pm8350c.dtsi | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/pm8350c.dtsi b/arch/arm64/boot/dts/qcom/pm8350c.dtsi +index e0bbb67717fe..f28e71487d5c 100644 +--- a/arch/arm64/boot/dts/qcom/pm8350c.dtsi ++++ b/arch/arm64/boot/dts/qcom/pm8350c.dtsi +@@ -30,9 +30,8 @@ + #interrupt-cells = <2>; + }; + +- pm8350c_pwm: pwm@e800 { ++ pm8350c_pwm: pwm { + compatible = "qcom,pm8350c-pwm"; +- reg = <0xe800>; + #pwm-cells = <2>; + status = "disabled"; + }; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sa8295p-adp-disallow-regulator-mode-s.patch b/queue-6.0/arm64-dts-qcom-sa8295p-adp-disallow-regulator-mode-s.patch new file mode 100644 index 00000000000..84ced1bf0c8 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sa8295p-adp-disallow-regulator-mode-s.patch @@ -0,0 +1,123 @@ +From 539ce76c939c00dd22cde3998c2ea12932fc2d96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 14:19:42 +0200 +Subject: arm64: dts: qcom: sa8295p-adp: disallow regulator mode switches + +From: Johan Hovold + +[ Upstream commit 2a6164cef63cae77edbd9deef844b1774886fcb7 ] + +Do not allow the RPMh regulators to switch to low-power mode with an +exception for the UFS regulators (l3c, l6c, l10c and l17c) as UFS +supports an idle mode. + +This specifically avoids having regulators be but in low-power mode when +only some consumers specify loads while the actual total load really +warrants high-power mode. + +Fixes: 519183af39b2 ("arm64: dts: qcom: add SA8540P and ADP") +Link: https://lore.kernel.org/all/YtkrDcjTGhpaU1e0@hovoldconsulting.com +Signed-off-by: Johan Hovold +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220803121942.30236-4-johan+linaro@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sa8295p-adp.dts | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sa8295p-adp.dts b/arch/arm64/boot/dts/qcom/sa8295p-adp.dts +index 9398f0349944..ca5f5ad32ce5 100644 +--- a/arch/arm64/boot/dts/qcom/sa8295p-adp.dts ++++ b/arch/arm64/boot/dts/qcom/sa8295p-adp.dts +@@ -35,7 +35,6 @@ + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1208000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l5a: ldo5 { +@@ -43,7 +42,6 @@ + regulator-min-microvolt = <912000>; + regulator-max-microvolt = <912000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l7a: ldo7 { +@@ -51,7 +49,6 @@ + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l13a: ldo13 { +@@ -59,7 +56,6 @@ + regulator-min-microvolt = <3072000>; + regulator-max-microvolt = <3072000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + }; + +@@ -72,7 +68,6 @@ + regulator-min-microvolt = <912000>; + regulator-max-microvolt = <912000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l2c: ldo2 { +@@ -80,7 +75,6 @@ + regulator-min-microvolt = <3072000>; + regulator-max-microvolt = <3072000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l3c: ldo3 { +@@ -96,7 +90,6 @@ + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1208000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l6c: ldo6 { +@@ -112,7 +105,6 @@ + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l10c: ldo10 { +@@ -141,7 +133,6 @@ + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1200000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l7g: ldo7 { +@@ -149,7 +140,6 @@ + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l8g: ldo8 { +@@ -157,7 +147,6 @@ + regulator-min-microvolt = <880000>; + regulator-max-microvolt = <880000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + }; + }; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sc7180-trogdor-keep-pm6150_adc-enable.patch b/queue-6.0/arm64-dts-qcom-sc7180-trogdor-keep-pm6150_adc-enable.patch new file mode 100644 index 00000000000..48da895548e --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sc7180-trogdor-keep-pm6150_adc-enable.patch @@ -0,0 +1,58 @@ +From d8830a1624453a1dd258f57656b52336eca96c2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 17:49:00 -0700 +Subject: arm64: dts: qcom: sc7180-trogdor: Keep pm6150_adc enabled for TZ + +From: Stephen Boyd + +[ Upstream commit 144fbd028fdec2deeb3b99d5e60dbf3167950ebe ] + +There's still a thermal zone using pm6150_adc in the pm6150.dtsi file, +pm6150_thermal. It's not super obvious because it indirectly uses the +adc through an iio channel in pm6150_temp. Let's keep this enabled on +lazor and coachz so that reading the temperature of the pm6150_thermal +zone continues to work. Otherwise we get -EINVAL when reading the zone, +and I suspect the PMIC temperature trip doesn't work properly so we +don't shutdown when the PMIC overheats. + +Cc: Matthias Kaehlcke +Fixes: b8d1e3d33487 ("arm64: dts: qcom: sc7180-trogdor: Delete ADC config for unused thermistors") +Signed-off-by: Stephen Boyd +Reviewed-by: Matthias Kaehlcke +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220827004901.511543-1-swboyd@chromium.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz-r1.dts | 2 -- + arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz-r1.dts b/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz-r1.dts +index 8290d036044a..edfcd47e1a00 100644 +--- a/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz-r1.dts ++++ b/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz-r1.dts +@@ -24,8 +24,6 @@ + }; + + &pm6150_adc { +- status = "disabled"; +- + /delete-node/ skin-temp-thermistor@4e; + /delete-node/ charger-thermistor@4f; + }; +diff --git a/arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi b/arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi +index 2cf7d5212c61..002663d752da 100644 +--- a/arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi +@@ -55,8 +55,6 @@ ap_ts_pen_1v8: &i2c4 { + }; + + &pm6150_adc { +- status = "disabled"; +- + /delete-node/ charger-thermistor@4f; + }; + +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sc7280-cleanup-the-lpasscc-node.patch b/queue-6.0/arm64-dts-qcom-sc7280-cleanup-the-lpasscc-node.patch new file mode 100644 index 00000000000..1781af026d1 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sc7280-cleanup-the-lpasscc-node.patch @@ -0,0 +1,42 @@ +From a4d72ef1aeb1a0edcacc14e85ccf37fb9034f490 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Aug 2022 10:35:07 +0530 +Subject: arm64: dts: qcom: sc7280: Cleanup the lpasscc node + +From: Satya Priya + +[ Upstream commit 8c7ebabd2e3f33ef24378d3cac00d3e59886cecb ] + +Remove "cc" regmap from lpasscc node which is overlapping +with the lpass_aon regmap. + +Fixes: 422a295221bb ("arm64: dts: qcom: sc7280: Add clock controller nodes") +Signed-off-by: Satya Priya +Signed-off-by: Taniya Das +Reviewed-by: Stephen Boyd +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/1660107909-27947-2-git-send-email-quic_c_skakit@quicinc.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7280.dtsi | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7280.dtsi b/arch/arm64/boot/dts/qcom/sc7280.dtsi +index dac3b69e314f..1d48f92a2982 100644 +--- a/arch/arm64/boot/dts/qcom/sc7280.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7280.dtsi +@@ -2168,9 +2168,8 @@ + lpasscc: lpasscc@3000000 { + compatible = "qcom,sc7280-lpasscc"; + reg = <0 0x03000000 0 0x40>, +- <0 0x03c04000 0 0x4>, +- <0 0x03389000 0 0x24>; +- reg-names = "qdsp6ss", "top_cc", "cc"; ++ <0 0x03c04000 0 0x4>; ++ reg-names = "qdsp6ss", "top_cc"; + clocks = <&gcc GCC_CFG_NOC_LPASS_CLK>; + clock-names = "iface"; + #clock-cells = <1>; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sc7280-idp-correct-adc-channel-node-n.patch b/queue-6.0/arm64-dts-qcom-sc7280-idp-correct-adc-channel-node-n.patch new file mode 100644 index 00000000000..701708bbbb0 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sc7280-idp-correct-adc-channel-node-n.patch @@ -0,0 +1,59 @@ +From 84ba3a6c4dc0c6f5ca9eb1226a0da0462525275b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Aug 2022 11:43:38 +0300 +Subject: arm64: dts: qcom: sc7280-idp: correct ADC channel node name and unit + address + +From: Krzysztof Kozlowski + +[ Upstream commit 5589ffb2da2a66988ab3a68334dad3e68b42e3a9 ] + +Correct SPMI PMIC VADC channel node name: +1. Use hyphens instead of underscores, +2. Add missing unit address. + +This fixes `make dtbs_check` warnings like: + + qcom/sc7280-idp.dtb: pmic@0: adc@3100: 'pmk8350_die_temp', 'pmr735a_die_temp' do not match any of the regexes: '^.*@[0-9a-f]+$', 'pinctrl-[0-9]+' + +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Stephen Boyd +Reviewed-by: Vinod Koul +Reviewed-by: David Heidelberg +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220828084341.112146-12-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7280-idp.dts | 2 +- + arch/arm64/boot/dts/qcom/sc7280-idp.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7280-idp.dts b/arch/arm64/boot/dts/qcom/sc7280-idp.dts +index 6d3ff80582ae..e2e37a0292ad 100644 +--- a/arch/arm64/boot/dts/qcom/sc7280-idp.dts ++++ b/arch/arm64/boot/dts/qcom/sc7280-idp.dts +@@ -78,7 +78,7 @@ + }; + + &pmk8350_vadc { +- pmr735a_die_temp { ++ pmr735a-die-temp@403 { + reg = ; + label = "pmr735a_die_temp"; + qcom,pre-scaling = <1 1>; +diff --git a/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi b/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi +index a74e0b730db6..27c47ddbdf02 100644 +--- a/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7280-idp.dtsi +@@ -264,7 +264,7 @@ + }; + + &pmk8350_vadc { +- pmk8350_die_temp { ++ pmk8350-die-temp@3 { + reg = ; + label = "pmk8350_die_temp"; + qcom,pre-scaling = <1 1>; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sc7280-update-lpasscore-node.patch b/queue-6.0/arm64-dts-qcom-sc7280-update-lpasscore-node.patch new file mode 100644 index 00000000000..1cf42ac8058 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sc7280-update-lpasscore-node.patch @@ -0,0 +1,46 @@ +From a2ed6445a64059aa590a76f6312e9ead9ee5ca69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Aug 2022 10:35:09 +0530 +Subject: arm64: dts: qcom: sc7280: Update lpasscore node + +From: Satya Priya + +[ Upstream commit d9a1e922730389afc425f2250de361b7f07acdbc ] + +To maintain consistency with other lpass nodes(lpass_audiocc, +lpass_aon and lpass_hm), update lpasscore to lpass_core. + +Fixes: 9499240d15f2 ("arm64: dts: qcom: sc7280: Add lpasscore & lpassaudio clock controllers") +Signed-off-by: Taniya Das +Signed-off-by: Satya Priya +Reviewed-by: Stephen Boyd +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/1660107909-27947-4-git-send-email-quic_c_skakit@quicinc.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7280.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7280.dtsi b/arch/arm64/boot/dts/qcom/sc7280.dtsi +index 1d48f92a2982..51ed691075ad 100644 +--- a/arch/arm64/boot/dts/qcom/sc7280.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7280.dtsi +@@ -2191,13 +2191,13 @@ + reg = <0 0x03380000 0 0x30000>; + clocks = <&rpmhcc RPMH_CXO_CLK>, + <&rpmhcc RPMH_CXO_CLK_A>, +- <&lpasscore LPASS_CORE_CC_CORE_CLK>; ++ <&lpass_core LPASS_CORE_CC_CORE_CLK>; + clock-names = "bi_tcxo", "bi_tcxo_ao", "iface"; + #clock-cells = <1>; + #power-domain-cells = <1>; + }; + +- lpasscore: clock-controller@3900000 { ++ lpass_core: clock-controller@3900000 { + compatible = "qcom,sc7280-lpasscorecc"; + reg = <0 0x03900000 0 0x50000>; + clocks = <&rpmhcc RPMH_CXO_CLK>; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sc8280xp-crd-disallow-regulator-mode-.patch b/queue-6.0/arm64-dts-qcom-sc8280xp-crd-disallow-regulator-mode-.patch new file mode 100644 index 00000000000..6a7f83795c0 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sc8280xp-crd-disallow-regulator-mode-.patch @@ -0,0 +1,107 @@ +From cd034c6494f8497255799bb85a78a7826c89c822 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 14:19:40 +0200 +Subject: arm64: dts: qcom: sc8280xp-crd: disallow regulator mode switches + +From: Johan Hovold + +[ Upstream commit 412737a60c846a6adb7f7571905c200da036815e ] + +Do not allow the RPMh regulators to switch to low-power mode with an +exception for the UFS regulators (l7c and l3d) as UFS supports an idle +mode. + +This specifically avoids having regulators be but in low-power mode when +only some consumers specify loads while the actual total load really +warrants high-power mode. + +Fixes: ccd3517faf18 ("arm64: dts: qcom: sc8280xp: Add reference device") +Link: https://lore.kernel.org/all/YtkrDcjTGhpaU1e0@hovoldconsulting.com +Signed-off-by: Johan Hovold +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220803121942.30236-2-johan+linaro@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc8280xp-crd.dts | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-crd.dts b/arch/arm64/boot/dts/qcom/sc8280xp-crd.dts +index 45058ad0a1c8..6792e88b2c6c 100644 +--- a/arch/arm64/boot/dts/qcom/sc8280xp-crd.dts ++++ b/arch/arm64/boot/dts/qcom/sc8280xp-crd.dts +@@ -87,7 +87,6 @@ + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1200000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + regulator-boot-on; + regulator-always-on; + }; +@@ -97,7 +96,6 @@ + regulator-min-microvolt = <912000>; + regulator-max-microvolt = <912000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l6b: ldo6 { +@@ -105,7 +103,6 @@ + regulator-min-microvolt = <880000>; + regulator-max-microvolt = <880000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + regulator-boot-on; + }; + }; +@@ -119,7 +116,6 @@ + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l7c: ldo7 { +@@ -135,7 +131,6 @@ + regulator-min-microvolt = <3072000>; + regulator-max-microvolt = <3072000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + }; + +@@ -158,7 +153,6 @@ + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1200000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l6d: ldo6 { +@@ -166,7 +160,6 @@ + regulator-min-microvolt = <880000>; + regulator-max-microvolt = <880000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l7d: ldo7 { +@@ -174,7 +167,6 @@ + regulator-min-microvolt = <3072000>; + regulator-max-microvolt = <3072000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l9d: ldo9 { +@@ -182,7 +174,6 @@ + regulator-min-microvolt = <912000>; + regulator-max-microvolt = <912000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + }; + }; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sc8280xp-lenovo-thinkpad-x13s-disallo.patch b/queue-6.0/arm64-dts-qcom-sc8280xp-lenovo-thinkpad-x13s-disallo.patch new file mode 100644 index 00000000000..e1706131aa2 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sc8280xp-lenovo-thinkpad-x13s-disallo.patch @@ -0,0 +1,114 @@ +From b5a42110a3ec065a077976af892b7a338b9e6f41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 14:19:41 +0200 +Subject: arm64: dts: qcom: sc8280xp-lenovo-thinkpad-x13s: disallow regulator + mode switches + +From: Johan Hovold + +[ Upstream commit 648ec2f2ddc05346287e308fbc31a6b8117a1edd ] + +Do not allow the RPMh regulators to switch to low-power mode. + +This specifically avoids having regulators be but in low-power mode when +only some consumers specify loads while the actual total load really +warrants high-power mode. + +Fixes: 32c231385ed4 ("arm64: dts: qcom: sc8280xp: add Lenovo Thinkpad X13s devicetree") +Link: https://lore.kernel.org/all/YtkrDcjTGhpaU1e0@hovoldconsulting.com +Signed-off-by: Johan Hovold +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220803121942.30236-3-johan+linaro@kernel.org +Signed-off-by: Sasha Levin +--- + .../boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts +index 4c404e2eafba..f0ab207cc8e9 100644 +--- a/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts ++++ b/arch/arm64/boot/dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts +@@ -79,7 +79,6 @@ + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1200000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + regulator-boot-on; + }; + +@@ -88,7 +87,6 @@ + regulator-min-microvolt = <912000>; + regulator-max-microvolt = <912000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l6b: ldo6 { +@@ -96,7 +94,6 @@ + regulator-min-microvolt = <880000>; + regulator-max-microvolt = <880000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + regulator-boot-on; + regulator-always-on; // FIXME: VDD_A_EDP_0_0P9 + }; +@@ -111,7 +108,6 @@ + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l12c: ldo12 { +@@ -119,7 +115,6 @@ + regulator-min-microvolt = <1800000>; + regulator-max-microvolt = <1800000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l13c: ldo13 { +@@ -127,7 +122,6 @@ + regulator-min-microvolt = <3072000>; + regulator-max-microvolt = <3072000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + }; + +@@ -142,7 +136,6 @@ + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1200000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l4d: ldo4 { +@@ -150,7 +143,6 @@ + regulator-min-microvolt = <1200000>; + regulator-max-microvolt = <1200000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l7d: ldo7 { +@@ -158,7 +150,6 @@ + regulator-min-microvolt = <3072000>; + regulator-max-microvolt = <3072000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + + vreg_l9d: ldo9 { +@@ -166,7 +157,6 @@ + regulator-min-microvolt = <912000>; + regulator-max-microvolt = <912000>; + regulator-initial-mode = ; +- regulator-allow-set-load; + }; + }; + }; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sc8280xp-pmics-remove-reg-entry-use-c.patch b/queue-6.0/arm64-dts-qcom-sc8280xp-pmics-remove-reg-entry-use-c.patch new file mode 100644 index 00000000000..ce4c1a86bc2 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sc8280xp-pmics-remove-reg-entry-use-c.patch @@ -0,0 +1,55 @@ +From fd5adcd1f69bb9a5f9d6cb39485cd327f45760c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 12:32:40 +0530 +Subject: arm64: dts: qcom: sc8280xp-pmics: Remove reg entry & use correct node + name for pmc8280c_lpg node + +From: Bhupesh Sharma + +[ Upstream commit 7dac7991408f77b0b33ee5e6b729baa683889277 ] + +Commit eeca7d46217c ("arm64: dts: qcom: pm8350c: Drop PWM reg declaration") +dropped PWM reg declaration for pm8350c pwm(s), but there is a leftover +'reg' entry inside the lpg/pwm node in sc8280xp dts file. Remove the same. + +While at it, also remove the unused unit address in the node +label. + +Also, since dt-bindings expect LPG/PWM node name to be "pwm", +use correct node name as well, to fix the following +error reported by 'make dtbs_check': + + 'lpg' does not match any of the regexes + +Fixes: eeca7d46217c ("arm64: dts: qcom: pm8350c: Drop PWM reg declaration") +Cc: Krzysztof Kozlowski +Cc: Bryan O'Donoghue +Cc: Bjorn Andersson +Signed-off-by: Bhupesh Sharma +Reviewed-by: Bryan O'Donoghue +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220905070240.1634997-1-bhupesh.sharma@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi b/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi +index ae90b97aecb8..24836b6b9bbc 100644 +--- a/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi +@@ -60,9 +60,8 @@ + #interrupt-cells = <2>; + }; + +- pmc8280c_lpg: lpg@e800 { ++ pmc8280c_lpg: pwm { + compatible = "qcom,pm8350c-pwm"; +- reg = <0xe800>; + + #address-cells = <1>; + #size-cells = <0>; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sdm845-narrow-llcc-address-space.patch b/queue-6.0/arm64-dts-qcom-sdm845-narrow-llcc-address-space.patch new file mode 100644 index 00000000000..7672ed291f4 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sdm845-narrow-llcc-address-space.patch @@ -0,0 +1,45 @@ +From b2c83d7350882592f9c9be9a163fc5a60704ab00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 13:37:47 +0200 +Subject: arm64: dts: qcom: sdm845: narrow LLCC address space + +From: Krzysztof Kozlowski + +[ Upstream commit 300b5f661eebefb8571841b78091343eb87eca54 ] + +The Last Level Cache Controller (LLCC) device does not need to access +entire LLCC address space. Currently driver uses only hardware info and +status registers which both reside in LLCC0_COMMON range (offset +0x30000, size 0x1000). Narrow the address space to allow binding other +drivers to rest of LLCC address space. + +Cc: Rajendra Nayak +Cc: Sibi Sankar +Reported-by: Steev Klimaszewski +Suggested-by: Sibi Sankar +Signed-off-by: Krzysztof Kozlowski +Tested-by: Steev Klimaszewski +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220728113748.170548-11-krzysztof.kozlowski@linaro.org +Stable-dep-of: 5a0504945878 ("arm64: dts: qcom: sdm845-xiaomi-polaris: Fix sde_dsi_active pinctrl") +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi +index f0e286715d1b..4d5ae5897d1d 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -2138,7 +2138,7 @@ + + llcc: system-cache-controller@1100000 { + compatible = "qcom,sdm845-llcc"; +- reg = <0 0x01100000 0 0x200000>, <0 0x01300000 0 0x50000>; ++ reg = <0 0x01100000 0 0x31000>, <0 0x01300000 0 0x50000>; + reg-names = "llcc_base", "llcc_broadcast_base"; + interrupts = ; + }; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sdm845-xiaomi-polaris-fix-sde_dsi_act.patch b/queue-6.0/arm64-dts-qcom-sdm845-xiaomi-polaris-fix-sde_dsi_act.patch new file mode 100644 index 00000000000..b6d6afc8c4f --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sdm845-xiaomi-polaris-fix-sde_dsi_act.patch @@ -0,0 +1,41 @@ +From 173e33c4ffee1aa4d2224d5ea4dbe0f56b6aa6df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 12:14:23 +0200 +Subject: arm64: dts: qcom: sdm845-xiaomi-polaris: Fix sde_dsi_active pinctrl + +From: Geert Uytterhoeven + +[ Upstream commit 5a0504945878b4af7534c1ce668a5678dc0201cf ] + +"make dtbs_check" says: + + bias-disable: boolean property with value b'\x00\x00\x00\x00' + +Fix this by dropping the offending value. + +Fixes: be497abe19bf08fb ("arm64: dts: qcom: Add support for Xiaomi Mi Mix2s") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Caleb Connolly +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/629afd26008c2b1ba5822799ea7ea5b5271895e8.1660903997.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts +index 7747081b9887..dba7c2693ff5 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts ++++ b/arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts +@@ -617,7 +617,7 @@ + pins = "gpio6", "gpio10"; + function = "gpio"; + drive-strength = <8>; +- bias-disable = <0>; ++ bias-disable; + }; + + sde_dsi_suspend: sde-dsi-suspend { +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sm8350-sagami-correct-ts-pin-property.patch b/queue-6.0/arm64-dts-qcom-sm8350-sagami-correct-ts-pin-property.patch new file mode 100644 index 00000000000..c7270dda4e0 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sm8350-sagami-correct-ts-pin-property.patch @@ -0,0 +1,36 @@ +From e0768cb6308c31481e9c414ed7d83e2b65cb28af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 08:17:42 +0200 +Subject: arm64: dts: qcom: sm8350-sagami: correct TS pin property + +From: Krzysztof Kozlowski + +[ Upstream commit c9c53d1f4329564f98ed0decfe3c377c6639ec5d ] + +The pin configuration is selected with "pins", not "pin" property. + +Fixes: 1209e9246632 ("arm64: dts: qcom: sm8350-sagami: Enable and populate I2C/SPI nodes") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220912061746.6311-37-krzysztof.kozlowski@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi b/arch/arm64/boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi +index cb9bbd234b7b..b702ab1605bb 100644 +--- a/arch/arm64/boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi +@@ -223,7 +223,7 @@ + gpio-reserved-ranges = <44 4>; + + ts_int_default: ts-int-default { +- pin = "gpio23"; ++ pins = "gpio23"; + function = "gpio"; + drive-strength = <2>; + bias-disable; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-qcom-sm8450-fix-ufs-phy-serdes-size.patch b/queue-6.0/arm64-dts-qcom-sm8450-fix-ufs-phy-serdes-size.patch new file mode 100644 index 00000000000..3066c9e1833 --- /dev/null +++ b/queue-6.0/arm64-dts-qcom-sm8450-fix-ufs-phy-serdes-size.patch @@ -0,0 +1,38 @@ +From ae0a99046410da9a419462b10a5b89b5402e99e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 16:34:31 +0200 +Subject: arm64: dts: qcom: sm8450: fix UFS PHY serdes size + +From: Johan Hovold + +[ Upstream commit 677920072e9d757ae158d66b8fdb695992bb3f1a ] + +The size of the UFS PHY serdes register region is 0x1c4 and the +corresponding 'reg' property should specifically not include the +adjacent regions that are defined in the child node (e.g. tx and rx). + +Fixes: 07fa917a335e ("arm64: dts: qcom: sm8450: add ufs nodes") +Signed-off-by: Johan Hovold +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220915143431.19842-2-johan+linaro@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8450.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8450.dtsi b/arch/arm64/boot/dts/qcom/sm8450.dtsi +index 4978c5ba5dd0..8a6c0f3e7bb7 100644 +--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi +@@ -3117,7 +3117,7 @@ + + ufs_mem_phy: phy@1d87000 { + compatible = "qcom,sm8450-qmp-ufs-phy"; +- reg = <0 0x01d87000 0 0xe10>; ++ reg = <0 0x01d87000 0 0x1c4>; + #address-cells = <2>; + #size-cells = <2>; + ranges; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-renesas-r9a07g043-fix-sci-rx-tx-interrupt-.patch b/queue-6.0/arm64-dts-renesas-r9a07g043-fix-sci-rx-tx-interrupt-.patch new file mode 100644 index 00000000000..56661dcb44d --- /dev/null +++ b/queue-6.0/arm64-dts-renesas-r9a07g043-fix-sci-rx-tx-interrupt-.patch @@ -0,0 +1,50 @@ +From 72b4fc9cc9fd42e21d8fc8353fafaa20630ec68d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 11:15:34 +0100 +Subject: arm64: dts: renesas: r9a07g043: Fix SCI{Rx,Tx} interrupt types + +From: Biju Das + +[ Upstream commit 72a482dbaec4b9e4d54b81be6bdb8c016fd2f4bd ] + +As per the RZ/G2UL Hardware User's Manual (Rev.1.00 Apr, 2022), +the interrupt type of SCI{Rx,Tx} is edge triggered. + +Signed-off-by: Biju Das +Fixes: cf40c9689e5109bf ("arm64: dts: renesas: Add initial DTSI for RZ/G2UL SoC") +Link: https://lore.kernel.org/r/20220802101534.1401342-3-biju.das.jz@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a07g043.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a07g043.dtsi b/arch/arm64/boot/dts/renesas/r9a07g043.dtsi +index 40201a16d653..af84d4797972 100644 +--- a/arch/arm64/boot/dts/renesas/r9a07g043.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a07g043.dtsi +@@ -334,8 +334,8 @@ + compatible = "renesas,r9a07g043-sci", "renesas,sci"; + reg = <0 0x1004d000 0 0x400>; + interrupts = , +- , +- , ++ , ++ , + ; + interrupt-names = "eri", "rxi", "txi", "tei"; + clocks = <&cpg CPG_MOD R9A07G043_SCI0_CLKP>; +@@ -349,8 +349,8 @@ + compatible = "renesas,r9a07g043-sci", "renesas,sci"; + reg = <0 0x1004d400 0 0x400>; + interrupts = , +- , +- , ++ , ++ , + ; + interrupt-names = "eri", "rxi", "txi", "tei"; + clocks = <&cpg CPG_MOD R9A07G043_SCI1_CLKP>; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-renesas-r9a07g044-fix-sci-rx-tx-interrupt-.patch b/queue-6.0/arm64-dts-renesas-r9a07g044-fix-sci-rx-tx-interrupt-.patch new file mode 100644 index 00000000000..60c684b3e8e --- /dev/null +++ b/queue-6.0/arm64-dts-renesas-r9a07g044-fix-sci-rx-tx-interrupt-.patch @@ -0,0 +1,50 @@ +From 3bc686a80be1d34953a549e43cc0a24492b6a736 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 11:15:32 +0100 +Subject: arm64: dts: renesas: r9a07g044: Fix SCI{Rx,Tx} interrupt types + +From: Biju Das + +[ Upstream commit f3b7bc89c97b98aa6f157d5f296695af8940a5ac ] + +As per the latest RZ/G2L Hardware User's Manual (Rev.1.10 Apr, 2022), +the interrupt type of SCI{Rx,Tx} is edge triggered. + +Signed-off-by: Biju Das +Fixes: f9a2adcc9e908907 ("arm64: dts: renesas: r9a07g044: Add SCI[0-1] nodes") +Link: https://lore.kernel.org/r/20220802101534.1401342-1-biju.das.jz@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a07g044.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a07g044.dtsi b/arch/arm64/boot/dts/renesas/r9a07g044.dtsi +index 3652e511160f..265140b20dad 100644 +--- a/arch/arm64/boot/dts/renesas/r9a07g044.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a07g044.dtsi +@@ -394,8 +394,8 @@ + compatible = "renesas,r9a07g044-sci", "renesas,sci"; + reg = <0 0x1004d000 0 0x400>; + interrupts = , +- , +- , ++ , ++ , + ; + interrupt-names = "eri", "rxi", "txi", "tei"; + clocks = <&cpg CPG_MOD R9A07G044_SCI0_CLKP>; +@@ -409,8 +409,8 @@ + compatible = "renesas,r9a07g044-sci", "renesas,sci"; + reg = <0 0x1004d400 0 0x400>; + interrupts = , +- , +- , ++ , ++ , + ; + interrupt-names = "eri", "rxi", "txi", "tei"; + clocks = <&cpg CPG_MOD R9A07G044_SCI1_CLKP>; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-renesas-r9a07g054-fix-sci-rx-tx-interrupt-.patch b/queue-6.0/arm64-dts-renesas-r9a07g054-fix-sci-rx-tx-interrupt-.patch new file mode 100644 index 00000000000..cb094a3f776 --- /dev/null +++ b/queue-6.0/arm64-dts-renesas-r9a07g054-fix-sci-rx-tx-interrupt-.patch @@ -0,0 +1,50 @@ +From 1fe39f4c2272a95be85ba8a4bde4e678292d4bcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 11:15:33 +0100 +Subject: arm64: dts: renesas: r9a07g054: Fix SCI{Rx,Tx} interrupt types + +From: Biju Das + +[ Upstream commit 13dec051c7f139eef345c55a60941843e72128f1 ] + +As per the RZ/V2L Hardware User's Manual (Rev.1.00 Nov, 2021), +the interrupt type of SCI{Rx,Tx} is edge triggered. + +Signed-off-by: Biju Das +Fixes: 7c2b8198f4f321df ("arm64: dts: renesas: Add initial DTSI for RZ/V2L SoC") +Link: https://lore.kernel.org/r/20220802101534.1401342-2-biju.das.jz@bp.renesas.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/r9a07g054.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/renesas/r9a07g054.dtsi b/arch/arm64/boot/dts/renesas/r9a07g054.dtsi +index 4d6b9d7684c9..d0eeca4f6aa1 100644 +--- a/arch/arm64/boot/dts/renesas/r9a07g054.dtsi ++++ b/arch/arm64/boot/dts/renesas/r9a07g054.dtsi +@@ -399,8 +399,8 @@ + compatible = "renesas,r9a07g054-sci", "renesas,sci"; + reg = <0 0x1004d000 0 0x400>; + interrupts = , +- , +- , ++ , ++ , + ; + interrupt-names = "eri", "rxi", "txi", "tei"; + clocks = <&cpg CPG_MOD R9A07G054_SCI0_CLKP>; +@@ -414,8 +414,8 @@ + compatible = "renesas,r9a07g054-sci", "renesas,sci"; + reg = <0 0x1004d400 0 0x400>; + interrupts = , +- , +- , ++ , ++ , + ; + interrupt-names = "eri", "rxi", "txi", "tei"; + clocks = <&cpg CPG_MOD R9A07G054_SCI1_CLKP>; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-ti-k3-j7200-fix-main-pinmux-range.patch b/queue-6.0/arm64-dts-ti-k3-j7200-fix-main-pinmux-range.patch new file mode 100644 index 00000000000..33a45d41320 --- /dev/null +++ b/queue-6.0/arm64-dts-ti-k3-j7200-fix-main-pinmux-range.patch @@ -0,0 +1,78 @@ +From 468b12935668d03adcfebe86663caf1e03fe1751 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 13:57:23 -0700 +Subject: arm64: dts: ti: k3-j7200: fix main pinmux range + +From: Matt Ranostay + +[ Upstream commit 0d0a0b4413460383331088b2203ba09a6971bc3a ] + +Range size of 0x2b4 was incorrect since there isn't 173 configurable +pins for muxing. Additionally there is a non-addressable region in the +mapping which requires splitting into two ranges. + +main_pmx0 -> 67 pins +main_pmx1 -> 3 pins + +Fixes: d361ed88455f ("arm64: dts: ti: Add support for J7200 SoC") +Signed-off-by: Matt Ranostay +Signed-off-by: Vignesh Raghavendra +Tested-by: Vaishnav Achath +Link: https://lore.kernel.org/r/20220919205723.8342-1-mranostay@ti.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts | 10 ++++++---- + arch/arm64/boot/dts/ti/k3-j7200-main.dtsi | 11 ++++++++++- + 2 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts b/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts +index 121975dc8239..7e8552fd2b6a 100644 +--- a/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts ++++ b/arch/arm64/boot/dts/ti/k3-j7200-common-proc-board.dts +@@ -134,15 +134,17 @@ + >; + }; + +- main_usbss0_pins_default: main-usbss0-pins-default { ++ vdd_sd_dv_pins_default: vdd-sd-dv-pins-default { + pinctrl-single,pins = < +- J721E_IOPAD(0x120, PIN_OUTPUT, 0) /* (T4) USB0_DRVVBUS */ ++ J721E_IOPAD(0xd0, PIN_OUTPUT, 7) /* (T5) SPI0_D1.GPIO0_55 */ + >; + }; ++}; + +- vdd_sd_dv_pins_default: vdd-sd-dv-pins-default { ++&main_pmx1 { ++ main_usbss0_pins_default: main-usbss0-pins-default { + pinctrl-single,pins = < +- J721E_IOPAD(0xd0, PIN_OUTPUT, 7) /* (T5) SPI0_D1.GPIO0_55 */ ++ J721E_IOPAD(0x04, PIN_OUTPUT, 0) /* (T4) USB0_DRVVBUS */ + >; + }; + }; +diff --git a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi +index 16684a2f054d..e12a53f1857f 100644 +--- a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi +@@ -295,7 +295,16 @@ + main_pmx0: pinctrl@11c000 { + compatible = "pinctrl-single"; + /* Proxy 0 addressing */ +- reg = <0x00 0x11c000 0x00 0x2b4>; ++ reg = <0x00 0x11c000 0x00 0x10c>; ++ #pinctrl-cells = <1>; ++ pinctrl-single,register-width = <32>; ++ pinctrl-single,function-mask = <0xffffffff>; ++ }; ++ ++ main_pmx1: pinctrl@11c11c { ++ compatible = "pinctrl-single"; ++ /* Proxy 0 addressing */ ++ reg = <0x00 0x11c11c 0x00 0xc>; + #pinctrl-cells = <1>; + pinctrl-single,register-width = <32>; + pinctrl-single,function-mask = <0xffffffff>; +-- +2.35.1 + diff --git a/queue-6.0/arm64-dts-uniphier-add-usb-device-support-for-pxs3-r.patch b/queue-6.0/arm64-dts-uniphier-add-usb-device-support-for-pxs3-r.patch new file mode 100644 index 00000000000..bf0ab13eb05 --- /dev/null +++ b/queue-6.0/arm64-dts-uniphier-add-usb-device-support-for-pxs3-r.patch @@ -0,0 +1,162 @@ +From b6dbe3bd3da7ae3cc28ab6b79c440d73a0abce8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 13:23:18 +0900 +Subject: arm64: dts: uniphier: Add USB-device support for PXs3 reference board + +From: Kunihiko Hayashi + +[ Upstream commit 19fee1a1096d21ab1f1e712148b5417bda2939a2 ] + +PXs3 reference board can change each USB port 0 and 1 to device mode +with jumpers. Prepare devicetree sources for USB port 0 and 1. + +This specifies dr_mode, pinctrl, and some quirks and removes nodes for +unused phys and vbus-supply properties. + +Signed-off-by: Kunihiko Hayashi +Link: https://lore.kernel.org/r/20220913042321.4817-8-hayashi.kunihiko@socionext.com' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/uniphier-pinctrl.dtsi | 10 +++++ + arch/arm64/boot/dts/socionext/Makefile | 4 +- + .../socionext/uniphier-pxs3-ref-gadget0.dts | 41 +++++++++++++++++++ + .../socionext/uniphier-pxs3-ref-gadget1.dts | 40 ++++++++++++++++++ + 4 files changed, 94 insertions(+), 1 deletion(-) + create mode 100644 arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts + create mode 100644 arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts + +diff --git a/arch/arm/boot/dts/uniphier-pinctrl.dtsi b/arch/arm/boot/dts/uniphier-pinctrl.dtsi +index c0fd029b37e5..f909ec2e5333 100644 +--- a/arch/arm/boot/dts/uniphier-pinctrl.dtsi ++++ b/arch/arm/boot/dts/uniphier-pinctrl.dtsi +@@ -196,11 +196,21 @@ + function = "usb0"; + }; + ++ pinctrl_usb0_device: usb0-device { ++ groups = "usb0_device"; ++ function = "usb0"; ++ }; ++ + pinctrl_usb1: usb1 { + groups = "usb1"; + function = "usb1"; + }; + ++ pinctrl_usb1_device: usb1-device { ++ groups = "usb1_device"; ++ function = "usb1"; ++ }; ++ + pinctrl_usb2: usb2 { + groups = "usb2"; + function = "usb2"; +diff --git a/arch/arm64/boot/dts/socionext/Makefile b/arch/arm64/boot/dts/socionext/Makefile +index dda3da33614b..33989a9643ac 100644 +--- a/arch/arm64/boot/dts/socionext/Makefile ++++ b/arch/arm64/boot/dts/socionext/Makefile +@@ -5,4 +5,6 @@ dtb-$(CONFIG_ARCH_UNIPHIER) += \ + uniphier-ld20-akebi96.dtb \ + uniphier-ld20-global.dtb \ + uniphier-ld20-ref.dtb \ +- uniphier-pxs3-ref.dtb ++ uniphier-pxs3-ref.dtb \ ++ uniphier-pxs3-ref-gadget0.dtb \ ++ uniphier-pxs3-ref-gadget1.dtb +diff --git a/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts +new file mode 100644 +index 000000000000..7069f51bc120 +--- /dev/null ++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget0.dts +@@ -0,0 +1,41 @@ ++// SPDX-License-Identifier: GPL-2.0-or-later OR MIT ++// ++// Device Tree Source for UniPhier PXs3 Reference Board (for USB-Device #0) ++// ++// Copyright (C) 2021 Socionext Inc. ++// Author: Kunihiko Hayashi ++ ++/dts-v1/; ++#include "uniphier-pxs3-ref.dts" ++ ++/ { ++ model = "UniPhier PXs3 Reference Board (USB-Device #0)"; ++}; ++ ++/* I2C3 pinctrl is shared with USB*VBUSIN */ ++&i2c3 { ++ status = "disabled"; ++}; ++ ++&usb0 { ++ status = "okay"; ++ dr_mode = "peripheral"; ++ pinctrl-0 = <&pinctrl_usb0_device>; ++ snps,dis_enblslpm_quirk; ++ snps,dis_u2_susphy_quirk; ++ snps,dis_u3_susphy_quirk; ++ snps,usb2_gadget_lpm_disable; ++ phy-names = "usb2-phy", "usb3-phy"; ++ phys = <&usb0_hsphy0>, <&usb0_ssphy0>; ++}; ++ ++&usb0_hsphy0 { ++ /delete-property/ vbus-supply; ++}; ++ ++&usb0_ssphy0 { ++ /delete-property/ vbus-supply; ++}; ++ ++/delete-node/ &usb0_hsphy1; ++/delete-node/ &usb0_ssphy1; +diff --git a/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts +new file mode 100644 +index 000000000000..a3cfa8113ffb +--- /dev/null ++++ b/arch/arm64/boot/dts/socionext/uniphier-pxs3-ref-gadget1.dts +@@ -0,0 +1,40 @@ ++// SPDX-License-Identifier: GPL-2.0-or-later OR MIT ++// ++// Device Tree Source for UniPhier PXs3 Reference Board (for USB-Device #1) ++// ++// Copyright (C) 2021 Socionext Inc. ++// Author: Kunihiko Hayashi ++ ++/dts-v1/; ++#include "uniphier-pxs3-ref.dts" ++ ++/ { ++ model = "UniPhier PXs3 Reference Board (USB-Device #1)"; ++}; ++ ++/* I2C3 pinctrl is shared with USB*VBUSIN */ ++&i2c3 { ++ status = "disabled"; ++}; ++ ++&usb1 { ++ status = "okay"; ++ dr_mode = "peripheral"; ++ pinctrl-0 = <&pinctrl_usb1_device>; ++ snps,dis_enblslpm_quirk; ++ snps,dis_u2_susphy_quirk; ++ snps,dis_u3_susphy_quirk; ++ snps,usb2_gadget_lpm_disable; ++ phy-names = "usb2-phy", "usb3-phy"; ++ phys = <&usb1_hsphy0>, <&usb1_ssphy0>; ++}; ++ ++&usb1_hsphy0 { ++ /delete-property/ vbus-supply; ++}; ++ ++&usb1_ssphy0 { ++ /delete-property/ vbus-supply; ++}; ++ ++/delete-node/ &usb1_hsphy1; +-- +2.35.1 + diff --git a/queue-6.0/arm64-ftrace-fix-module-plts-with-mcount.patch b/queue-6.0/arm64-ftrace-fix-module-plts-with-mcount.patch new file mode 100644 index 00000000000..d2f646dcc90 --- /dev/null +++ b/queue-6.0/arm64-ftrace-fix-module-plts-with-mcount.patch @@ -0,0 +1,127 @@ +From 7c16a74e10b28b5aaa5c405a496cb195046835b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 14:45:25 +0100 +Subject: arm64: ftrace: fix module PLTs with mcount + +From: Mark Rutland + +[ Upstream commit 8cfb08575c6d4585f1ce0deeb189e5c824776b04 ] + +Li Huafei reports that mcount-based ftrace with module PLTs was broken +by commit: + + a6253579977e4c6f ("arm64: ftrace: consistently handle PLTs.") + +When a module PLTs are used and a module is loaded sufficiently far away +from the kernel, we'll create PLTs for any branches which are +out-of-range. These are separate from the special ftrace trampoline +PLTs, which the module PLT code doesn't directly manipulate. + +When mcount is in use this is a problem, as each mcount callsite in a +module will be initialized to point to a module PLT, but since commit +a6253579977e4c6f ftrace_make_nop() will assume that the callsite has +been initialized to point to the special ftrace trampoline PLT, and +ftrace_find_callable_addr() rejects other cases. + +This means that when ftrace tries to initialize a callsite via +ftrace_make_nop(), the call to ftrace_find_callable_addr() will find +that the `_mcount` stub is out-of-range and is not handled by the ftrace +PLT, resulting in a splat: + +| ftrace_test: loading out-of-tree module taints kernel. +| ftrace: no module PLT for _mcount +| ------------[ ftrace bug ]------------ +| ftrace failed to modify +| [] 0xffff800029180014 +| actual: 44:00:00:94 +| Initializing ftrace call sites +| ftrace record flags: 2000000 +| (0) +| expected tramp: ffff80000802eb3c +| ------------[ cut here ]------------ +| WARNING: CPU: 3 PID: 157 at kernel/trace/ftrace.c:2120 ftrace_bug+0x94/0x270 +| Modules linked in: +| CPU: 3 PID: 157 Comm: insmod Tainted: G O 6.0.0-rc6-00151-gcd722513a189-dirty #22 +| Hardware name: linux,dummy-virt (DT) +| pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +| pc : ftrace_bug+0x94/0x270 +| lr : ftrace_bug+0x21c/0x270 +| sp : ffff80000b2bbaf0 +| x29: ffff80000b2bbaf0 x28: 0000000000000000 x27: ffff0000c4d38000 +| x26: 0000000000000001 x25: ffff800009d7e000 x24: ffff0000c4d86e00 +| x23: 0000000002000000 x22: ffff80000a62b000 x21: ffff8000098ebea8 +| x20: ffff0000c4d38000 x19: ffff80000aa24158 x18: ffffffffffffffff +| x17: 0000000000000000 x16: 0a0d2d2d2d2d2d2d x15: ffff800009aa9118 +| x14: 0000000000000000 x13: 6333626532303830 x12: 3030303866666666 +| x11: 203a706d61727420 x10: 6465746365707865 x9 : 3362653230383030 +| x8 : c0000000ffffefff x7 : 0000000000017fe8 x6 : 000000000000bff4 +| x5 : 0000000000057fa8 x4 : 0000000000000000 x3 : 0000000000000001 +| x2 : ad2cb14bb5438900 x1 : 0000000000000000 x0 : 0000000000000022 +| Call trace: +| ftrace_bug+0x94/0x270 +| ftrace_process_locs+0x308/0x430 +| ftrace_module_init+0x44/0x60 +| load_module+0x15b4/0x1ce8 +| __do_sys_init_module+0x1ec/0x238 +| __arm64_sys_init_module+0x24/0x30 +| invoke_syscall+0x54/0x118 +| el0_svc_common.constprop.4+0x84/0x100 +| do_el0_svc+0x3c/0xd0 +| el0_svc+0x1c/0x50 +| el0t_64_sync_handler+0x90/0xb8 +| el0t_64_sync+0x15c/0x160 +| ---[ end trace 0000000000000000 ]--- +| ---------test_init----------- + +Fix this by reverting to the old behaviour of ignoring the old +instruction when initialising an mcount callsite in a module, which was +the behaviour prior to commit a6253579977e4c6f. + +Signed-off-by: Mark Rutland +Fixes: a6253579977e ("arm64: ftrace: consistently handle PLTs.") +Reported-by: Li Huafei +Link: https://lore.kernel.org/linux-arm-kernel/20220929094134.99512-1-lihuafei1@huawei.com +Cc: Ard Biesheuvel +Cc: Will Deacon +Link: https://lore.kernel.org/r/20220929134525.798593-1-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/ftrace.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/ftrace.c b/arch/arm64/kernel/ftrace.c +index ea5dc7c90f46..b49ba9a24bcc 100644 +--- a/arch/arm64/kernel/ftrace.c ++++ b/arch/arm64/kernel/ftrace.c +@@ -217,11 +217,26 @@ int ftrace_make_nop(struct module *mod, struct dyn_ftrace *rec, + unsigned long pc = rec->ip; + u32 old = 0, new; + ++ new = aarch64_insn_gen_nop(); ++ ++ /* ++ * When using mcount, callsites in modules may have been initalized to ++ * call an arbitrary module PLT (which redirects to the _mcount stub) ++ * rather than the ftrace PLT we'll use at runtime (which redirects to ++ * the ftrace trampoline). We can ignore the old PLT when initializing ++ * the callsite. ++ * ++ * Note: 'mod' is only set at module load time. ++ */ ++ if (!IS_ENABLED(CONFIG_DYNAMIC_FTRACE_WITH_REGS) && ++ IS_ENABLED(CONFIG_ARM64_MODULE_PLTS) && mod) { ++ return aarch64_insn_patch_text_nosync((void *)pc, new); ++ } ++ + if (!ftrace_find_callable_addr(rec, mod, &addr)) + return -EINVAL; + + old = aarch64_insn_gen_branch_imm(pc, addr, AARCH64_INSN_BRANCH_LINK); +- new = aarch64_insn_gen_nop(); + + return ftrace_modify_code(pc, old, new, true); + } +-- +2.35.1 + diff --git a/queue-6.0/arm64-run-softirqs-on-the-per-cpu-irq-stack.patch b/queue-6.0/arm64-run-softirqs-on-the-per-cpu-irq-stack.patch new file mode 100644 index 00000000000..addb3e3816c --- /dev/null +++ b/queue-6.0/arm64-run-softirqs-on-the-per-cpu-irq-stack.patch @@ -0,0 +1,77 @@ +From 8b72cc663801f6e97e2b8b4ce7d035ad41a7854d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 20:47:39 +0800 +Subject: arm64: run softirqs on the per-CPU IRQ stack + +From: Qi Zheng + +[ Upstream commit 8eb858c44b98e0326bb32fca34ae671995cd73bb ] + +Currently arm64 supports per-CPU IRQ stack, but softirqs +are still handled in the task context. + +Since any call to local_bh_enable() at any level in the task's +call stack may trigger a softirq processing run, which could +potentially cause a task stack overflow if the combined stack +footprints exceed the stack's size, let's run these softirqs +on the IRQ stack as well. + +Signed-off-by: Qi Zheng +Reviewed-by: Arnd Bergmann +Acked-by: Will Deacon +Link: https://lore.kernel.org/r/20220815124739.15948-1-zhengqi.arch@bytedance.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/Kconfig | 1 + + arch/arm64/kernel/irq.c | 14 ++++++++++++++ + 2 files changed, 15 insertions(+) + +diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig +index 3795eb5ba1cd..6bd34a77d4f5 100644 +--- a/arch/arm64/Kconfig ++++ b/arch/arm64/Kconfig +@@ -230,6 +230,7 @@ config ARM64 + select HAVE_ARCH_USERFAULTFD_MINOR if USERFAULTFD + select TRACE_IRQFLAGS_SUPPORT + select TRACE_IRQFLAGS_NMI_SUPPORT ++ select HAVE_SOFTIRQ_ON_OWN_STACK + help + ARM 64-bit (AArch64) Linux support. + +diff --git a/arch/arm64/kernel/irq.c b/arch/arm64/kernel/irq.c +index bda49430c9ea..38dbd3828f13 100644 +--- a/arch/arm64/kernel/irq.c ++++ b/arch/arm64/kernel/irq.c +@@ -21,7 +21,9 @@ + #include + #include + #include ++#include + #include ++#include + + /* Only access this in an NMI enter/exit */ + DEFINE_PER_CPU(struct nmi_ctx, nmi_contexts); +@@ -71,6 +73,18 @@ static void init_irq_stacks(void) + } + #endif + ++#ifndef CONFIG_PREEMPT_RT ++static void ____do_softirq(struct pt_regs *regs) ++{ ++ __do_softirq(); ++} ++ ++void do_softirq_own_stack(void) ++{ ++ call_on_irq_stack(NULL, ____do_softirq); ++} ++#endif ++ + static void default_handle_irq(struct pt_regs *regs) + { + panic("IRQ taken without a root IRQ handler\n"); +-- +2.35.1 + diff --git a/queue-6.0/asoc-amd-acp-add-missing-platform_device_unregister-.patch b/queue-6.0/asoc-amd-acp-add-missing-platform_device_unregister-.patch new file mode 100644 index 00000000000..4a864554dec --- /dev/null +++ b/queue-6.0/asoc-amd-acp-add-missing-platform_device_unregister-.patch @@ -0,0 +1,36 @@ +From f08e7e5312f1656fe916ae2d5523da4a0c0eec75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 15:37:56 +0800 +Subject: ASoC: amd: acp: add missing platform_device_unregister() in + acp_pci_probe() + +From: Yang Yingliang + +[ Upstream commit 6a4ce20fd776d2fd19ffaf85cf34a53761e2c888 ] + +Add missing platform_device_unregister() in error path in acp_pci_probe(). + +Fixes: c49f5e74a11e ("ASoC: amd: acp: Add error handling cases") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20220819073758.1273160-1-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/acp/acp-pci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/amd/acp/acp-pci.c b/sound/soc/amd/acp/acp-pci.c +index 2c8e960cc9a6..5bb23ebe1216 100644 +--- a/sound/soc/amd/acp/acp-pci.c ++++ b/sound/soc/amd/acp/acp-pci.c +@@ -104,6 +104,7 @@ static int acp_pci_probe(struct pci_dev *pci, const struct pci_device_id *pci_id + addr = pci_resource_start(pci, 0); + chip->base = devm_ioremap(&pci->dev, addr, pci_resource_len(pci, 0)); + if (!chip->base) { ++ platform_device_unregister(dmic_dev); + ret = -ENOMEM; + goto release_regions; + } +-- +2.35.1 + diff --git a/queue-6.0/asoc-amd-yc-add-asus-um5302ta-into-dmi-table.patch b/queue-6.0/asoc-amd-yc-add-asus-um5302ta-into-dmi-table.patch new file mode 100644 index 00000000000..6a5432af685 --- /dev/null +++ b/queue-6.0/asoc-amd-yc-add-asus-um5302ta-into-dmi-table.patch @@ -0,0 +1,45 @@ +From daeda050ff1d44ece27ded6f610f1ee3dc6445cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 15:14:34 -0500 +Subject: ASoC: amd: yc: Add ASUS UM5302TA into DMI table + +From: Xiaoyan Li + +[ Upstream commit 4df5b13dec9e1b5a12db47ee92eb3f7da5c3deb5 ] + +ASUS Zenbook S 13 OLED (UM5302TA) needs this quirk to get the built-in +microphone working properly. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216270 +Signed-off-by: Xiaoyan Li +Suggested-by: Mario Limonciello +Reviewed-by: Mario Limonciello +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20220920201436.19734-2-mario.limonciello@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index e0b24e1daef3..5eab3baf3573 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -171,6 +171,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "21J6"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "UM5302TA"), ++ } ++ }, + {} + }; + +-- +2.35.1 + diff --git a/queue-6.0/asoc-amd-yc-add-lenovo-yoga-slim-7-pro-x-to-quirks-t.patch b/queue-6.0/asoc-amd-yc-add-lenovo-yoga-slim-7-pro-x-to-quirks-t.patch new file mode 100644 index 00000000000..24e82c0e9b9 --- /dev/null +++ b/queue-6.0/asoc-amd-yc-add-lenovo-yoga-slim-7-pro-x-to-quirks-t.patch @@ -0,0 +1,45 @@ +From 16d83b2472718bdcb79ecfb6474c05033483511b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 15:14:35 -0500 +Subject: ASoC: amd: yc: Add Lenovo Yoga Slim 7 Pro X to quirks table + +From: Mario Limonciello + +[ Upstream commit 2232b2dd8cd4f1e6d554b2c3f6899ce36f791b67 ] + +Lenovo Yoga Slim 7 Pro X has an ACP DMIC that isn't specified in the +ASL or existing quirk list. Add it to the quirk table to let DMIC +work on these systems. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216299 +Tested-by: Sebastian S +Reported-and-tested-by: Travis Glenn Hansen +Signed-off-by: Mario Limonciello +Link: https://lore.kernel.org/r/20220920201436.19734-3-mario.limonciello@amd.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/amd/yc/acp6x-mach.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c +index 5eab3baf3573..2cb50d5cf1a9 100644 +--- a/sound/soc/amd/yc/acp6x-mach.c ++++ b/sound/soc/amd/yc/acp6x-mach.c +@@ -171,6 +171,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "21J6"), + } + }, ++ { ++ .driver_data = &acp6x_card, ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "82"), ++ } ++ }, + { + .driver_data = &acp6x_card, + .matches = { +-- +2.35.1 + diff --git a/queue-6.0/asoc-codecs-tx-macro-fix-kcontrol-put.patch b/queue-6.0/asoc-codecs-tx-macro-fix-kcontrol-put.patch new file mode 100644 index 00000000000..f4b0d570556 --- /dev/null +++ b/queue-6.0/asoc-codecs-tx-macro-fix-kcontrol-put.patch @@ -0,0 +1,68 @@ +From 9cfef11ecd5ce14eb92732a6e0922fef5a659665 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 18:01:05 +0100 +Subject: ASoC: codecs: tx-macro: fix kcontrol put + +From: Srinivas Kandagatla + +[ Upstream commit c1057a08af438e0cf5450c1d977a3011198ed2f8 ] + +tx_macro_tx_mixer_put() and tx_macro_dec_mode_put() currently returns zero +eventhough it changes the value. +Fix this, so that change notifications are sent correctly. + +Fixes: d207bdea0ca9 ("ASoC: codecs: lpass-tx-macro: add dapm widgets and route") +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20220906170112.1984-6-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/lpass-tx-macro.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/lpass-tx-macro.c b/sound/soc/codecs/lpass-tx-macro.c +index 55503ba480bb..e162a08d9945 100644 +--- a/sound/soc/codecs/lpass-tx-macro.c ++++ b/sound/soc/codecs/lpass-tx-macro.c +@@ -823,17 +823,23 @@ static int tx_macro_tx_mixer_put(struct snd_kcontrol *kcontrol, + struct tx_macro *tx = snd_soc_component_get_drvdata(component); + + if (enable) { ++ if (tx->active_decimator[dai_id] == dec_id) ++ return 0; ++ + set_bit(dec_id, &tx->active_ch_mask[dai_id]); + tx->active_ch_cnt[dai_id]++; + tx->active_decimator[dai_id] = dec_id; + } else { ++ if (tx->active_decimator[dai_id] == -1) ++ return 0; ++ + tx->active_ch_cnt[dai_id]--; + clear_bit(dec_id, &tx->active_ch_mask[dai_id]); + tx->active_decimator[dai_id] = -1; + } + snd_soc_dapm_mixer_update_power(widget->dapm, kcontrol, enable, update); + +- return 0; ++ return 1; + } + + static int tx_macro_enable_dec(struct snd_soc_dapm_widget *w, +@@ -1019,9 +1025,12 @@ static int tx_macro_dec_mode_put(struct snd_kcontrol *kcontrol, + int path = e->shift_l; + struct tx_macro *tx = snd_soc_component_get_drvdata(component); + ++ if (tx->dec_mode[path] == value) ++ return 0; ++ + tx->dec_mode[path] = value; + +- return 0; ++ return 1; + } + + static int tx_macro_get_bcs(struct snd_kcontrol *kcontrol, +-- +2.35.1 + diff --git a/queue-6.0/asoc-da7219-fix-an-error-handling-path-in-da7219_reg.patch b/queue-6.0/asoc-da7219-fix-an-error-handling-path-in-da7219_reg.patch new file mode 100644 index 00000000000..bc83a18316c --- /dev/null +++ b/queue-6.0/asoc-da7219-fix-an-error-handling-path-in-da7219_reg.patch @@ -0,0 +1,58 @@ +From f8956ac040315468ac5c8dacd91742bbb7ffcf76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 21:44:57 +0200 +Subject: ASoC: da7219: Fix an error handling path in + da7219_register_dai_clks() + +From: Christophe JAILLET + +[ Upstream commit abb4e4349afe7eecdb0499582f1c777031e3a7c8 ] + +If clk_hw_register() fails, the corresponding clk should not be +unregistered. + +To handle errors from loops, clean up partial iterations before doing the +goto. So add a clk_hw_unregister(). +Then use a while (--i >= 0) loop in the unwind section. + +Fixes: 78013a1cf297 ("ASoC: da7219: Fix clock handling around codec level probe") +Reported-by: Dan Carpenter +Signed-off-by: Christophe JAILLET +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/e4acceab57a0d9e477a8d5890a45c5309e553e7c.1663875789.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/da7219.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/da7219.c b/sound/soc/codecs/da7219.c +index 50ecf30e6136..4746c8700451 100644 +--- a/sound/soc/codecs/da7219.c ++++ b/sound/soc/codecs/da7219.c +@@ -2196,6 +2196,7 @@ static int da7219_register_dai_clks(struct snd_soc_component *component) + dai_clk_lookup = clkdev_hw_create(dai_clk_hw, init.name, + "%s", dev_name(dev)); + if (!dai_clk_lookup) { ++ clk_hw_unregister(dai_clk_hw); + ret = -ENOMEM; + goto err; + } else { +@@ -2217,12 +2218,12 @@ static int da7219_register_dai_clks(struct snd_soc_component *component) + return 0; + + err: +- do { ++ while (--i >= 0) { + if (da7219->dai_clks_lookup[i]) + clkdev_drop(da7219->dai_clks_lookup[i]); + + clk_hw_unregister(&da7219->dai_clks_hw[i]); +- } while (i-- > 0); ++ } + + if (np) + kfree(da7219->clk_hw_data); +-- +2.35.1 + diff --git a/queue-6.0/asoc-es8316-fix-register-sync-error-in-suspend-resum.patch b/queue-6.0/asoc-es8316-fix-register-sync-error-in-suspend-resum.patch new file mode 100644 index 00000000000..f928be3b884 --- /dev/null +++ b/queue-6.0/asoc-es8316-fix-register-sync-error-in-suspend-resum.patch @@ -0,0 +1,48 @@ +From dfd7430cc91816d875b3df073652594739e6fff3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 11:59:12 +0200 +Subject: ASoC: es8316: fix register sync error in suspend/resume tests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Louis Bossart + +[ Upstream commit 6de0b0292b548010b09917e8cdfc337a6dcf67ce ] + +The SOF CI tests report failures with the following error thrown + +kernel: es8316 i2c-ESSX8336:00: Unable to sync registers 0x0-0x1. -121 + +ES8336 only supports I2C read/write one byte a time, so we do need to +set the .use_single_read and .use_single_write flags to avoid this +sync issue. + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Péter Ujfalusi +Reviewed-by: FRED OH +Reviewed-by: Bard Liao +Link: https://lore.kernel.org/r/20220922095912.27010-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Stable-dep-of: e18f6bcf8e86 ("ASoC: wcd-mbhc-v2: Revert "ASoC: wcd-mbhc-v2: use pm_runtime_resume_and_get()"") +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/es8316.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/codecs/es8316.c b/sound/soc/codecs/es8316.c +index de7185f73e1e..10a204255b6a 100644 +--- a/sound/soc/codecs/es8316.c ++++ b/sound/soc/codecs/es8316.c +@@ -793,6 +793,8 @@ static const struct regmap_access_table es8316_volatile_table = { + static const struct regmap_config es8316_regmap = { + .reg_bits = 8, + .val_bits = 8, ++ .use_single_read = true, ++ .use_single_write = true, + .max_register = 0x53, + .volatile_table = &es8316_volatile_table, + .cache_type = REGCACHE_RBTREE, +-- +2.35.1 + diff --git a/queue-6.0/asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch b/queue-6.0/asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch new file mode 100644 index 00000000000..ff9cc55be68 --- /dev/null +++ b/queue-6.0/asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch @@ -0,0 +1,69 @@ +From b995eb969f1a31bfb0b8a69e0ebd89916017a668 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 21:43:54 +0800 +Subject: ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API + +From: Liang He + +[ Upstream commit bfb735a3ceff0bab6473bac275da96f9b2a06dec ] + +In eukrea_tlv320_probe(), we need to hold the reference returned +from of_find_compatible_node() which has increased the refcount +and then call of_node_put() with it when done. + +Fixes: 66f232908de2 ("ASoC: eukrea-tlv320: Add DT support.") +Co-authored-by: Kelin Wang +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220914134354.3995587-1-windhl@126.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/eukrea-tlv320.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c +index 8b61582753c8..9af4c4a35eb1 100644 +--- a/sound/soc/fsl/eukrea-tlv320.c ++++ b/sound/soc/fsl/eukrea-tlv320.c +@@ -86,7 +86,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev) + int ret; + int int_port = 0, ext_port; + struct device_node *np = pdev->dev.of_node; +- struct device_node *ssi_np = NULL, *codec_np = NULL; ++ struct device_node *ssi_np = NULL, *codec_np = NULL, *tmp_np = NULL; + + eukrea_tlv320.dev = &pdev->dev; + if (np) { +@@ -143,7 +143,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev) + } + + if (machine_is_eukrea_cpuimx27() || +- of_find_compatible_node(NULL, NULL, "fsl,imx21-audmux")) { ++ (tmp_np = of_find_compatible_node(NULL, NULL, "fsl,imx21-audmux"))) { + imx_audmux_v1_configure_port(MX27_AUDMUX_HPCR1_SSI0, + IMX_AUDMUX_V1_PCR_SYN | + IMX_AUDMUX_V1_PCR_TFSDIR | +@@ -158,10 +158,11 @@ static int eukrea_tlv320_probe(struct platform_device *pdev) + IMX_AUDMUX_V1_PCR_SYN | + IMX_AUDMUX_V1_PCR_RXDSEL(MX27_AUDMUX_HPCR1_SSI0) + ); ++ of_node_put(tmp_np); + } else if (machine_is_eukrea_cpuimx25sd() || + machine_is_eukrea_cpuimx35sd() || + machine_is_eukrea_cpuimx51sd() || +- of_find_compatible_node(NULL, NULL, "fsl,imx31-audmux")) { ++ (tmp_np = of_find_compatible_node(NULL, NULL, "fsl,imx31-audmux"))) { + if (!np) + ext_port = machine_is_eukrea_cpuimx25sd() ? + 4 : 3; +@@ -178,6 +179,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev) + IMX_AUDMUX_V2_PTCR_SYN, + IMX_AUDMUX_V2_PDCR_RXDSEL(int_port) + ); ++ of_node_put(tmp_np); + } else { + if (np) { + /* The eukrea,asoc-tlv320 driver was explicitly +-- +2.35.1 + diff --git a/queue-6.0/asoc-mediatek-mt8195-mt6359-properly-register-sound-.patch b/queue-6.0/asoc-mediatek-mt8195-mt6359-properly-register-sound-.patch new file mode 100644 index 00000000000..f70fdc9136c --- /dev/null +++ b/queue-6.0/asoc-mediatek-mt8195-mt6359-properly-register-sound-.patch @@ -0,0 +1,46 @@ +From 6d1342331321d6028f47cc1101900d1384ab591f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 11:27:23 +0200 +Subject: ASoC: mediatek: mt8195-mt6359: Properly register sound card for SOF + +From: AngeloGioacchino Del Regno + +[ Upstream commit 64ec924c781ee846bd469be8d1d6bbed78c0f439 ] + +Adding a probe callback on this snd_soc_card is required when +Sound Open Firmware support is desired, as we need to appropriately +populate the stream_name for SOF to be able to bind widgets. +Failing to do so will produce errors when applying the SOF topology +leading to card registration failure (so, no sound). +While at it, also make sure to fill the topology_shortname as required. + +Fixes: 0caf1120c583 ("ASoC: mediatek: mt8195: extract SOF common code") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20220906092727.37324-2-angelogioacchino.delregno@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/mediatek/mt8195/mt8195-mt6359.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sound/soc/mediatek/mt8195/mt8195-mt6359.c b/sound/soc/mediatek/mt8195/mt8195-mt6359.c +index c530e3fc27e4..961e769602d6 100644 +--- a/sound/soc/mediatek/mt8195/mt8195-mt6359.c ++++ b/sound/soc/mediatek/mt8195/mt8195-mt6359.c +@@ -1383,7 +1383,13 @@ static int mt8195_mt6359_dev_probe(struct platform_device *pdev) + sof_priv->num_streams = ARRAY_SIZE(g_sof_conn_streams); + sof_priv->sof_dai_link_fixup = mt8195_dai_link_fixup; + soc_card_data->sof_priv = sof_priv; ++ card->probe = mtk_sof_card_probe; + card->late_probe = mtk_sof_card_late_probe; ++ if (!card->topology_shortname_created) { ++ snprintf(card->topology_shortname, 32, "sof-%s", card->name); ++ card->topology_shortname_created = true; ++ } ++ card->name = card->topology_shortname; + sof_on = 1; + } + +-- +2.35.1 + diff --git a/queue-6.0/asoc-mt6359-fix-tests-for-platform_get_irq-failure.patch b/queue-6.0/asoc-mt6359-fix-tests-for-platform_get_irq-failure.patch new file mode 100644 index 00000000000..314ddd43b8e --- /dev/null +++ b/queue-6.0/asoc-mt6359-fix-tests-for-platform_get_irq-failure.patch @@ -0,0 +1,55 @@ +From aa6694fb95b644d7f205c21d2254f1cb5727e375 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 14:01:26 +0300 +Subject: ASoC: mt6359: fix tests for platform_get_irq() failure + +From: Dan Carpenter + +[ Upstream commit 51eea3a6fb4d39c2cc71824e6eee5949d7ae4d1c ] + +The platform_get_irq() returns negative error codes. It can't actually +return zero, but if it did that should be treated as success. + +Fixes: eef07b9e0925 ("ASoC: mediatek: mt6359: add MT6359 accdet jack driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YvThhr86N3qQM2EO@kili +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/mt6359-accdet.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/mt6359-accdet.c b/sound/soc/codecs/mt6359-accdet.c +index c190628e2905..7f624854948c 100644 +--- a/sound/soc/codecs/mt6359-accdet.c ++++ b/sound/soc/codecs/mt6359-accdet.c +@@ -965,7 +965,7 @@ static int mt6359_accdet_probe(struct platform_device *pdev) + mutex_init(&priv->res_lock); + + priv->accdet_irq = platform_get_irq(pdev, 0); +- if (priv->accdet_irq) { ++ if (priv->accdet_irq >= 0) { + ret = devm_request_threaded_irq(&pdev->dev, priv->accdet_irq, + NULL, mt6359_accdet_irq, + IRQF_TRIGGER_HIGH | IRQF_ONESHOT, +@@ -979,7 +979,7 @@ static int mt6359_accdet_probe(struct platform_device *pdev) + + if (priv->caps & ACCDET_PMIC_EINT0) { + priv->accdet_eint0 = platform_get_irq(pdev, 1); +- if (priv->accdet_eint0) { ++ if (priv->accdet_eint0 >= 0) { + ret = devm_request_threaded_irq(&pdev->dev, + priv->accdet_eint0, + NULL, mt6359_accdet_irq, +@@ -994,7 +994,7 @@ static int mt6359_accdet_probe(struct platform_device *pdev) + } + } else if (priv->caps & ACCDET_PMIC_EINT1) { + priv->accdet_eint1 = platform_get_irq(pdev, 2); +- if (priv->accdet_eint1) { ++ if (priv->accdet_eint1 >= 0) { + ret = devm_request_threaded_irq(&pdev->dev, + priv->accdet_eint1, + NULL, mt6359_accdet_irq, +-- +2.35.1 + diff --git a/queue-6.0/asoc-mt6660-fix-pm-disable-depth-imbalance-in-mt6660.patch b/queue-6.0/asoc-mt6660-fix-pm-disable-depth-imbalance-in-mt6660.patch new file mode 100644 index 00000000000..3bea20a0a5d --- /dev/null +++ b/queue-6.0/asoc-mt6660-fix-pm-disable-depth-imbalance-in-mt6660.patch @@ -0,0 +1,51 @@ +From 65c9db7a4398539f7ad688363c747eb9cd72978d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 00:01:16 +0800 +Subject: ASoC: mt6660: Fix PM disable depth imbalance in mt6660_i2c_probe + +From: Zhang Qilong + +[ Upstream commit b73f11e895e140537e7f8c7251211ccd3ce0782b ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. We fix it by moving +pm_runtime_enable to the endding of mt6660_i2c_probe. + +Fixes:f289e55c6eeb4 ("ASoC: Add MediaTek MT6660 Speaker Amp Driver") + +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20220928160116.125020-5-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/mt6660.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/mt6660.c b/sound/soc/codecs/mt6660.c +index ba11555796ad..45e0df13afb9 100644 +--- a/sound/soc/codecs/mt6660.c ++++ b/sound/soc/codecs/mt6660.c +@@ -503,13 +503,17 @@ static int mt6660_i2c_probe(struct i2c_client *client) + dev_err(chip->dev, "read chip revision fail\n"); + goto probe_fail; + } +- pm_runtime_set_active(chip->dev); +- pm_runtime_enable(chip->dev); + + ret = devm_snd_soc_register_component(chip->dev, + &mt6660_component_driver, + &mt6660_codec_dai, 1); ++ if (!ret) { ++ pm_runtime_set_active(chip->dev); ++ pm_runtime_enable(chip->dev); ++ } ++ + return ret; ++ + probe_fail: + _mt6660_chip_power_on(chip, 0); + mutex_destroy(&chip->io_lock); +-- +2.35.1 + diff --git a/queue-6.0/asoc-rockchip-i2s-use-regmap_read_poll_timeout-to-po.patch b/queue-6.0/asoc-rockchip-i2s-use-regmap_read_poll_timeout-to-po.patch new file mode 100644 index 00000000000..9ab3095f530 --- /dev/null +++ b/queue-6.0/asoc-rockchip-i2s-use-regmap_read_poll_timeout-to-po.patch @@ -0,0 +1,99 @@ +From e2915bc10329ba08baf9d54b9dedbf6e2b18b618 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 03:12:34 +0000 +Subject: ASoC: rockchip: i2s: use regmap_read_poll_timeout to poll I2S_CLR + +From: Judy Hsiao + +[ Upstream commit fbb0ec656ee5ee43b4b3022fd8290707265c52df ] + +Use regmap_read_poll_timeout to poll I2S_CLR. +It also fixes the 'rockchip-i2s ff070000.i2s; fail to clear' when +the read of I2S_CLR exceeds the retry limit. + +Fixes: 0ff9f8b9f592 ("ASoC: rockchip: i2s: Fix error code when fail to read I2S_CLR") +Signed-off-by: Judy Hsiao +Reviewed-by: Brian Norris +Link: https://lore.kernel.org/r/20220914031234.2250298-1-judyhsiao@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/rockchip/rockchip_i2s.c | 41 ++++++++++++------------------- + 1 file changed, 16 insertions(+), 25 deletions(-) + +diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c +index f5f3540a9e18..28c86f5e435e 100644 +--- a/sound/soc/rockchip/rockchip_i2s.c ++++ b/sound/soc/rockchip/rockchip_i2s.c +@@ -126,7 +126,6 @@ static inline struct rk_i2s_dev *to_info(struct snd_soc_dai *dai) + static int rockchip_snd_txctrl(struct rk_i2s_dev *i2s, int on) + { + unsigned int val = 0; +- int retry = 10; + int ret = 0; + + spin_lock(&i2s->lock); +@@ -163,18 +162,14 @@ static int rockchip_snd_txctrl(struct rk_i2s_dev *i2s, int on) + I2S_CLR_TXC | I2S_CLR_RXC); + if (ret < 0) + goto end; +- regmap_read(i2s->regmap, I2S_CLR, &val); +- +- /* Should wait for clear operation to finish */ +- while (val) { +- regmap_read(i2s->regmap, I2S_CLR, &val); +- retry--; +- if (!retry) { +- dev_warn(i2s->dev, "fail to clear\n"); +- ret = -EBUSY; +- break; +- } +- } ++ ret = regmap_read_poll_timeout(i2s->regmap, ++ I2S_CLR, ++ val, ++ val != 0, ++ 20, ++ 200); ++ if (ret < 0) ++ dev_warn(i2s->dev, "fail to clear: %d\n", ret); + } + } + end: +@@ -188,7 +183,6 @@ static int rockchip_snd_txctrl(struct rk_i2s_dev *i2s, int on) + static int rockchip_snd_rxctrl(struct rk_i2s_dev *i2s, int on) + { + unsigned int val = 0; +- int retry = 10; + int ret = 0; + + spin_lock(&i2s->lock); +@@ -226,17 +220,14 @@ static int rockchip_snd_rxctrl(struct rk_i2s_dev *i2s, int on) + I2S_CLR_TXC | I2S_CLR_RXC); + if (ret < 0) + goto end; +- regmap_read(i2s->regmap, I2S_CLR, &val); +- /* Should wait for clear operation to finish */ +- while (val) { +- regmap_read(i2s->regmap, I2S_CLR, &val); +- retry--; +- if (!retry) { +- dev_warn(i2s->dev, "fail to clear\n"); +- ret = -EBUSY; +- break; +- } +- } ++ ret = regmap_read_poll_timeout(i2s->regmap, ++ I2S_CLR, ++ val, ++ val != 0, ++ 20, ++ 200); ++ if (ret < 0) ++ dev_warn(i2s->dev, "fail to clear: %d\n", ret); + } + } + end: +-- +2.35.1 + diff --git a/queue-6.0/asoc-rockchip-i2s-use-regmap_read_poll_timeout_atomi.patch b/queue-6.0/asoc-rockchip-i2s-use-regmap_read_poll_timeout_atomi.patch new file mode 100644 index 00000000000..9ce624f468d --- /dev/null +++ b/queue-6.0/asoc-rockchip-i2s-use-regmap_read_poll_timeout_atomi.patch @@ -0,0 +1,69 @@ +From 25f431669651eba09e30bd4bdbe00d844d23d065 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 15:15:46 +0000 +Subject: ASoC: rockchip: i2s: use regmap_read_poll_timeout_atomic to poll + I2S_CLR + +From: Judy Hsiao + +[ Upstream commit f0c8d7468af0001b80b0c86802ee28063f800987 ] + +1. Uses regmap_read_poll_timeout_atomic to poll I2S_CLR as it is called + within a spin lock. + +2. Fixes the typo of break condition in regmap_read_poll_timeout_atomic. + +Fixes: fbb0ec656ee5 ("ASoC: rockchip: i2s: use regmap_read_poll_timeout to poll I2S_CLR") +Signed-off-by: Judy Hsiao +Link: https://lore.kernel.org/r/20220930151546.2017667-1-judyhsiao@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/rockchip/rockchip_i2s.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/sound/soc/rockchip/rockchip_i2s.c b/sound/soc/rockchip/rockchip_i2s.c +index 28c86f5e435e..a8758ad68442 100644 +--- a/sound/soc/rockchip/rockchip_i2s.c ++++ b/sound/soc/rockchip/rockchip_i2s.c +@@ -162,12 +162,12 @@ static int rockchip_snd_txctrl(struct rk_i2s_dev *i2s, int on) + I2S_CLR_TXC | I2S_CLR_RXC); + if (ret < 0) + goto end; +- ret = regmap_read_poll_timeout(i2s->regmap, +- I2S_CLR, +- val, +- val != 0, +- 20, +- 200); ++ ret = regmap_read_poll_timeout_atomic(i2s->regmap, ++ I2S_CLR, ++ val, ++ val == 0, ++ 20, ++ 200); + if (ret < 0) + dev_warn(i2s->dev, "fail to clear: %d\n", ret); + } +@@ -220,12 +220,12 @@ static int rockchip_snd_rxctrl(struct rk_i2s_dev *i2s, int on) + I2S_CLR_TXC | I2S_CLR_RXC); + if (ret < 0) + goto end; +- ret = regmap_read_poll_timeout(i2s->regmap, +- I2S_CLR, +- val, +- val != 0, +- 20, +- 200); ++ ret = regmap_read_poll_timeout_atomic(i2s->regmap, ++ I2S_CLR, ++ val, ++ val == 0, ++ 20, ++ 200); + if (ret < 0) + dev_warn(i2s->dev, "fail to clear: %d\n", ret); + } +-- +2.35.1 + diff --git a/queue-6.0/asoc-rsnd-add-check-for-rsnd_mod_power_on.patch b/queue-6.0/asoc-rsnd-add-check-for-rsnd_mod_power_on.patch new file mode 100644 index 00000000000..598062526aa --- /dev/null +++ b/queue-6.0/asoc-rsnd-add-check-for-rsnd_mod_power_on.patch @@ -0,0 +1,116 @@ +From 3e26d4a2801b3e27c0176174f936409eac20b4c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 09:30:30 +0800 +Subject: ASoC: rsnd: Add check for rsnd_mod_power_on + +From: Jiasheng Jiang + +[ Upstream commit 376be51caf8871419bbcbb755e1e615d30dc3153 ] + +As rsnd_mod_power_on() can return negative numbers, +it should be better to check the return value and +deal with the exception. + +Fixes: e7d850dd10f4 ("ASoC: rsnd: use mod base common method on SSI-parent") +Signed-off-by: Jiasheng Jiang +Acked-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/20220902013030.3691266-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/rcar/ctu.c | 6 +++++- + sound/soc/sh/rcar/dvc.c | 6 +++++- + sound/soc/sh/rcar/mix.c | 6 +++++- + sound/soc/sh/rcar/src.c | 5 ++++- + sound/soc/sh/rcar/ssi.c | 4 +++- + 5 files changed, 22 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/sh/rcar/ctu.c b/sound/soc/sh/rcar/ctu.c +index 6156445bcb69..e39eb2ac7e95 100644 +--- a/sound/soc/sh/rcar/ctu.c ++++ b/sound/soc/sh/rcar/ctu.c +@@ -171,7 +171,11 @@ static int rsnd_ctu_init(struct rsnd_mod *mod, + struct rsnd_dai_stream *io, + struct rsnd_priv *priv) + { +- rsnd_mod_power_on(mod); ++ int ret; ++ ++ ret = rsnd_mod_power_on(mod); ++ if (ret < 0) ++ return ret; + + rsnd_ctu_activation(mod); + +diff --git a/sound/soc/sh/rcar/dvc.c b/sound/soc/sh/rcar/dvc.c +index 5137e03a9d7c..16befcbc312c 100644 +--- a/sound/soc/sh/rcar/dvc.c ++++ b/sound/soc/sh/rcar/dvc.c +@@ -186,7 +186,11 @@ static int rsnd_dvc_init(struct rsnd_mod *mod, + struct rsnd_dai_stream *io, + struct rsnd_priv *priv) + { +- rsnd_mod_power_on(mod); ++ int ret; ++ ++ ret = rsnd_mod_power_on(mod); ++ if (ret < 0) ++ return ret; + + rsnd_dvc_activation(mod); + +diff --git a/sound/soc/sh/rcar/mix.c b/sound/soc/sh/rcar/mix.c +index 3572c2c5686c..1de0e085804c 100644 +--- a/sound/soc/sh/rcar/mix.c ++++ b/sound/soc/sh/rcar/mix.c +@@ -146,7 +146,11 @@ static int rsnd_mix_init(struct rsnd_mod *mod, + struct rsnd_dai_stream *io, + struct rsnd_priv *priv) + { +- rsnd_mod_power_on(mod); ++ int ret; ++ ++ ret = rsnd_mod_power_on(mod); ++ if (ret < 0) ++ return ret; + + rsnd_mix_activation(mod); + +diff --git a/sound/soc/sh/rcar/src.c b/sound/soc/sh/rcar/src.c +index 0ea84ae57c6a..f832165e46bc 100644 +--- a/sound/soc/sh/rcar/src.c ++++ b/sound/soc/sh/rcar/src.c +@@ -463,11 +463,14 @@ static int rsnd_src_init(struct rsnd_mod *mod, + struct rsnd_priv *priv) + { + struct rsnd_src *src = rsnd_mod_to_src(mod); ++ int ret; + + /* reset sync convert_rate */ + src->sync.val = 0; + +- rsnd_mod_power_on(mod); ++ ret = rsnd_mod_power_on(mod); ++ if (ret < 0) ++ return ret; + + rsnd_src_activation(mod); + +diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c +index 43c5e27dc5c8..7ade6c5ed96f 100644 +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -480,7 +480,9 @@ static int rsnd_ssi_init(struct rsnd_mod *mod, + + ssi->usrcnt++; + +- rsnd_mod_power_on(mod); ++ ret = rsnd_mod_power_on(mod); ++ if (ret < 0) ++ return ret; + + rsnd_ssi_config_init(mod, io); + +-- +2.35.1 + diff --git a/queue-6.0/asoc-soc-pcm.c-call-__soc_pcm_close-in-soc_pcm_close.patch b/queue-6.0/asoc-soc-pcm.c-call-__soc_pcm_close-in-soc_pcm_close.patch new file mode 100644 index 00000000000..2360cc704b4 --- /dev/null +++ b/queue-6.0/asoc-soc-pcm.c-call-__soc_pcm_close-in-soc_pcm_close.patch @@ -0,0 +1,55 @@ +From b08a080294fddd40155e56f004736ceeec1e534c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 02:35:32 +0000 +Subject: ASoC: soc-pcm.c: call __soc_pcm_close() in soc_pcm_close() + +From: Kuninori Morimoto + +[ Upstream commit 6bbabd28805f36baf6d0f3eb082db032a638f612 ] + +commit b7898396f4bbe16 ("ASoC: soc-pcm: Fix and cleanup DPCM locking") +added __soc_pcm_close() for non-lock version of soc_pcm_close(). +But soc_pcm_close() is not using it. It is no problem, but confusable. + + static int __soc_pcm_close(...) + { +=> return soc_pcm_clean(rtd, substream, 0); + } + + static int soc_pcm_close(...) + { + ... + snd_soc_dpcm_mutex_lock(rtd); +=> soc_pcm_clean(rtd, substream, 0); + snd_soc_dpcm_mutex_unlock(rtd); + return 0; + } + +This patch use it. + +Fixes: b7898396f4bbe16 ("ASoC: soc-pcm: Fix and cleanup DPCM locking") +Cc: Takashi Iwai +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/87czctgg3w.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-pcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c +index 4f60c0a83311..4d9b91e7e14f 100644 +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -723,7 +723,7 @@ static int soc_pcm_close(struct snd_pcm_substream *substream) + struct snd_soc_pcm_runtime *rtd = asoc_substream_to_rtd(substream); + + snd_soc_dpcm_mutex_lock(rtd); +- soc_pcm_clean(rtd, substream, 0); ++ __soc_pcm_close(rtd, substream); + snd_soc_dpcm_mutex_unlock(rtd); + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/asoc-sof-add-quirk-to-override-topology-mclk_id.patch b/queue-6.0/asoc-sof-add-quirk-to-override-topology-mclk_id.patch new file mode 100644 index 00000000000..433579643c1 --- /dev/null +++ b/queue-6.0/asoc-sof-add-quirk-to-override-topology-mclk_id.patch @@ -0,0 +1,105 @@ +From 45131003d9ae905cecc28d1e6e555257307539d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 13:53:48 +0200 +Subject: ASoC: SOF: add quirk to override topology mclk_id + +From: Pierre-Louis Bossart + +[ Upstream commit d136949dd8e2e309dc2f186507486b71cbe9acdb ] + +Some Intel-based platforms rely on a topology file that hard-codes the +use of MCLK0. This is incorrect in 10% of the cases. Rather than +generating yet another set of topology files, this patch adds a kernel +module parameter to override the topology value. + +In hindsight, we should never have allowed mclks to be specified in +topology, this is a hardware-level information that should not have +been visible in the topology. + +Future patches will try to set this value automagically, e.g. by +parsing the NHLT content. + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Kai Vehmanen +Reviewed-by: Bard Liao +Link: https://lore.kernel.org/r/20220919115350.43104-3-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/intel/hda.c | 11 +++++++++++ + sound/soc/sof/ipc3-topology.c | 7 +++++++ + sound/soc/sof/sof-priv.h | 4 ++++ + 3 files changed, 22 insertions(+) + +diff --git a/sound/soc/sof/intel/hda.c b/sound/soc/sof/intel/hda.c +index 6d4ecbe14adf..ada2e6775749 100644 +--- a/sound/soc/sof/intel/hda.c ++++ b/sound/soc/sof/intel/hda.c +@@ -376,6 +376,10 @@ static int dmic_num_override = -1; + module_param_named(dmic_num, dmic_num_override, int, 0444); + MODULE_PARM_DESC(dmic_num, "SOF HDA DMIC number"); + ++static int mclk_id_override = -1; ++module_param_named(mclk_id, mclk_id_override, int, 0444); ++MODULE_PARM_DESC(mclk_id, "SOF SSP mclk_id"); ++ + #if IS_ENABLED(CONFIG_SND_SOC_SOF_HDA) + static bool hda_codec_use_common_hdmi = IS_ENABLED(CONFIG_SND_HDA_CODEC_HDMI); + module_param_named(use_common_hdmi, hda_codec_use_common_hdmi, bool, 0444); +@@ -1565,6 +1569,13 @@ struct snd_soc_acpi_mach *hda_machine_select(struct snd_sof_dev *sdev) + + sof_pdata->tplg_filename = tplg_filename; + } ++ ++ /* check if mclk_id should be modified from topology defaults */ ++ if (mclk_id_override >= 0) { ++ dev_info(sdev->dev, "Overriding topology with MCLK %d from kernel_parameter\n", mclk_id_override); ++ sdev->mclk_id_override = true; ++ sdev->mclk_id_quirk = mclk_id_override; ++ } + } + + /* +diff --git a/sound/soc/sof/ipc3-topology.c b/sound/soc/sof/ipc3-topology.c +index 65923e7a5976..a39b43850f0e 100644 +--- a/sound/soc/sof/ipc3-topology.c ++++ b/sound/soc/sof/ipc3-topology.c +@@ -1249,6 +1249,7 @@ static int sof_link_afe_load(struct snd_soc_component *scomp, struct snd_sof_dai + static int sof_link_ssp_load(struct snd_soc_component *scomp, struct snd_sof_dai_link *slink, + struct sof_ipc_dai_config *config, struct snd_sof_dai *dai) + { ++ struct snd_sof_dev *sdev = snd_soc_component_get_drvdata(scomp); + struct snd_soc_tplg_hw_config *hw_config = slink->hw_configs; + struct sof_dai_private_data *private = dai->private; + u32 size = sizeof(*config); +@@ -1273,6 +1274,12 @@ static int sof_link_ssp_load(struct snd_soc_component *scomp, struct snd_sof_dai + + config[i].hdr.size = size; + ++ if (sdev->mclk_id_override) { ++ dev_dbg(scomp->dev, "tplg: overriding topology mclk_id %d by quirk %d\n", ++ config[i].ssp.mclk_id, sdev->mclk_id_quirk); ++ config[i].ssp.mclk_id = sdev->mclk_id_quirk; ++ } ++ + /* copy differentiating hw configs to ipc structs */ + config[i].ssp.mclk_rate = le32_to_cpu(hw_config[i].mclk_rate); + config[i].ssp.bclk_rate = le32_to_cpu(hw_config[i].bclk_rate); +diff --git a/sound/soc/sof/sof-priv.h b/sound/soc/sof/sof-priv.h +index 823583086279..828c74bb75f8 100644 +--- a/sound/soc/sof/sof-priv.h ++++ b/sound/soc/sof/sof-priv.h +@@ -594,6 +594,10 @@ struct snd_sof_dev { + /* to protect the ipc_rx_handler_list and dsp_state_handler_list list */ + struct mutex client_event_handler_mutex; + ++ /* quirks to override topology values */ ++ bool mclk_id_override; ++ u16 mclk_id_quirk; /* same size as in IPC3 definitions */ ++ + void *private; /* core does not touch this */ + }; + +-- +2.35.1 + diff --git a/queue-6.0/asoc-sof-ipc4-topology-free-the-ida-when-ipc-fails-i.patch b/queue-6.0/asoc-sof-ipc4-topology-free-the-ida-when-ipc-fails-i.patch new file mode 100644 index 00000000000..66557bc0c39 --- /dev/null +++ b/queue-6.0/asoc-sof-ipc4-topology-free-the-ida-when-ipc-fails-i.patch @@ -0,0 +1,53 @@ +From 3fe692642d2609b8bab064bc229368ec0535e0b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 14:27:51 +0300 +Subject: ASoC: SOF: ipc4-topology: Free the ida when IPC fails in + sof_ipc4_widget_setup() + +From: Peter Ujfalusi + +[ Upstream commit 61eb0add28023119773d6aab8f402e149473920c ] + +The allocated ida needs to be freed up if the IPC message fails since +next time when we try again to set up the widget we are going to try to +allocate another ID and given enough tries, we are going to run out of +unique IDs. + +Fixes: 711d0427c713 ("ASoC: SOF: ipc4-topology: move ida allocate/free to widget_setup/free") + +Signed-off-by: Peter Ujfalusi +Reviewed-by: Ranjani Sridharan +Reviewed-by: Bard Liao +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20220921112751.9253-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/ipc4-topology.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c +index 64929dc9af39..340d92452d7c 100644 +--- a/sound/soc/sof/ipc4-topology.c ++++ b/sound/soc/sof/ipc4-topology.c +@@ -1544,9 +1544,16 @@ static int sof_ipc4_widget_setup(struct snd_sof_dev *sdev, struct snd_sof_widget + msg->data_ptr = ipc_data; + + ret = sof_ipc_tx_message(sdev->ipc, msg, ipc_size, NULL, 0); +- if (ret < 0) ++ if (ret < 0) { + dev_err(sdev->dev, "failed to create module %s\n", swidget->widget->name); + ++ if (swidget->id != snd_soc_dapm_scheduler) { ++ struct sof_ipc4_fw_module *fw_module = swidget->module_info; ++ ++ ida_free(&fw_module->m_ida, swidget->instance_id); ++ } ++ } ++ + return ret; + } + +-- +2.35.1 + diff --git a/queue-6.0/asoc-sof-mediatek-mt8195-import-namespace-snd_soc_so.patch b/queue-6.0/asoc-sof-mediatek-mt8195-import-namespace-snd_soc_so.patch new file mode 100644 index 00000000000..f081e75bf42 --- /dev/null +++ b/queue-6.0/asoc-sof-mediatek-mt8195-import-namespace-snd_soc_so.patch @@ -0,0 +1,34 @@ +From 0b29bea6d5e2556c12f6748a7bcaa5ffa6d4b2b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 11:27:24 +0200 +Subject: ASoC: SOF: mediatek: mt8195: Import namespace SND_SOC_SOF_MTK_COMMON + +From: AngeloGioacchino Del Regno + +[ Upstream commit 404bec4c8f6c38ae5fa208344f1086d38026e93d ] + +Here we're using function mtk_adsp_dump() from mtk-adsp-common: +explicitly import its namespace. + +Fixes: 3a054f90e955 ("ASoC: SOF: mediatek: Add mt8195 debug dump") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20220906092727.37324-3-angelogioacchino.delregno@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/mediatek/mt8195/mt8195.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/sof/mediatek/mt8195/mt8195.c b/sound/soc/sof/mediatek/mt8195/mt8195.c +index 9c146015cd1b..ff575de7e46a 100644 +--- a/sound/soc/sof/mediatek/mt8195/mt8195.c ++++ b/sound/soc/sof/mediatek/mt8195/mt8195.c +@@ -652,4 +652,5 @@ static struct platform_driver snd_sof_of_mt8195_driver = { + module_platform_driver(snd_sof_of_mt8195_driver); + + MODULE_IMPORT_NS(SND_SOC_SOF_XTENSA); ++MODULE_IMPORT_NS(SND_SOC_SOF_MTK_COMMON); + MODULE_LICENSE("Dual BSD/GPL"); +-- +2.35.1 + diff --git a/queue-6.0/asoc-sof-pci-change-dmi-match-info-to-support-all-ch.patch b/queue-6.0/asoc-sof-pci-change-dmi-match-info-to-support-all-ch.patch new file mode 100644 index 00000000000..cfc192e0c77 --- /dev/null +++ b/queue-6.0/asoc-sof-pci-change-dmi-match-info-to-support-all-ch.patch @@ -0,0 +1,45 @@ +From ad23f7c269df791f4a2c4d8c9c1acc632b79aafe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 13:44:29 +0200 +Subject: ASoC: SOF: pci: Change DMI match info to support all Chrome platforms + +From: Jairaj Arava + +[ Upstream commit c1c1fc8103f794a10c5c15e3c17879caf4f42c8f ] + +In some Chrome platforms if OEM's use their own string as SYS_VENDOR than +"Google", it leads to firmware load failure from intel/sof/community path. + +Hence, changing SYS_VENDOR to PRODUCT_FAMILY in which "Google" is used +as common prefix and is supported in all Chrome platforms. + +Reviewed-by: Ranjani Sridharan +Reviewed-by: Chao Song +Reviewed-by: Curtis Malainey +Signed-off-by: Jairaj Arava +Signed-off-by: Curtis Malainey +Signed-off-by: Sathyanarayana Nujella +Signed-off-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20220919114429.42700-1-pierre-louis.bossart@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/sof-pci-dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/sof/sof-pci-dev.c b/sound/soc/sof/sof-pci-dev.c +index d627092b399d..643fd1036d60 100644 +--- a/sound/soc/sof/sof-pci-dev.c ++++ b/sound/soc/sof/sof-pci-dev.c +@@ -138,7 +138,7 @@ static const struct dmi_system_id community_key_platforms[] = { + .ident = "Google Chromebooks", + .callback = chromebook_use_community_key, + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Google"), ++ DMI_MATCH(DMI_PRODUCT_FAMILY, "Google"), + } + }, + {}, +-- +2.35.1 + diff --git a/queue-6.0/asoc-stm-fix-pm-disable-depth-imbalance-in-stm32_i2s.patch b/queue-6.0/asoc-stm-fix-pm-disable-depth-imbalance-in-stm32_i2s.patch new file mode 100644 index 00000000000..9abdd2786bb --- /dev/null +++ b/queue-6.0/asoc-stm-fix-pm-disable-depth-imbalance-in-stm32_i2s.patch @@ -0,0 +1,50 @@ +From 398d015df7c0fbd692e62451610a08d7c7215038 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 22:26:40 +0800 +Subject: ASoC: stm: Fix PM disable depth imbalance in stm32_i2s_probe + +From: Zhang Qilong + +[ Upstream commit 93618e5e05a3ce4aa6750268c5025bdb4cb7dc6e ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. We fix it by moving +pm_runtime_enable to the endding of stm32_i2s_probe. + +Fixes:32a956a1fadf ("ASoC: stm32: i2s: add pm_runtime support") + +Signed-off-by: Zhang Qilong +Reviewed-by: Olivier Moysan +Link: https://lore.kernel.org/r/20220927142640.64647-1-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_i2s.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/stm/stm32_i2s.c b/sound/soc/stm/stm32_i2s.c +index 6aafe793eec4..ce7f6942308f 100644 +--- a/sound/soc/stm/stm32_i2s.c ++++ b/sound/soc/stm/stm32_i2s.c +@@ -1136,8 +1136,6 @@ static int stm32_i2s_probe(struct platform_device *pdev) + return dev_err_probe(&pdev->dev, PTR_ERR(i2s->regmap), + "Regmap init error\n"); + +- pm_runtime_enable(&pdev->dev); +- + ret = snd_dmaengine_pcm_register(&pdev->dev, &stm32_i2s_pcm_config, 0); + if (ret) + return dev_err_probe(&pdev->dev, ret, "PCM DMA register error\n"); +@@ -1180,6 +1178,8 @@ static int stm32_i2s_probe(struct platform_device *pdev) + FIELD_GET(I2S_VERR_MIN_MASK, val)); + } + ++ pm_runtime_enable(&pdev->dev); ++ + return ret; + + error: +-- +2.35.1 + diff --git a/queue-6.0/asoc-stm32-dfsdm-fix-pm-disable-depth-imbalance-in-s.patch b/queue-6.0/asoc-stm32-dfsdm-fix-pm-disable-depth-imbalance-in-s.patch new file mode 100644 index 00000000000..ee6da560397 --- /dev/null +++ b/queue-6.0/asoc-stm32-dfsdm-fix-pm-disable-depth-imbalance-in-s.patch @@ -0,0 +1,57 @@ +From 899f8e4b3f3f1f7ae3174ea85976b72e52540435 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 22:26:00 +0800 +Subject: ASoC: stm32: dfsdm: Fix PM disable depth imbalance in + stm32_adfsdm_probe + +From: Zhang Qilong + +[ Upstream commit b9a0da5b2edcae2a901b85c8cc42efc5bec4bd7b ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. We fix it by moving +pm_runtime_enable to the endding of stm32_adfsdm_probe. + +Fixes:98e500a12f934 ("ASoC: stm32: dfsdm: add pm_runtime support for audio") + +Signed-off-by: Zhang Qilong +Reviewed-by: Olivier Moysan +Link: https://lore.kernel.org/r/20220927142601.64266-2-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_adfsdm.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/stm/stm32_adfsdm.c b/sound/soc/stm/stm32_adfsdm.c +index 04f2912e1418..643fc8a17018 100644 +--- a/sound/soc/stm/stm32_adfsdm.c ++++ b/sound/soc/stm/stm32_adfsdm.c +@@ -335,8 +335,6 @@ static int stm32_adfsdm_probe(struct platform_device *pdev) + + dev_set_drvdata(&pdev->dev, priv); + +- pm_runtime_enable(&pdev->dev); +- + ret = devm_snd_soc_register_component(&pdev->dev, + &stm32_adfsdm_dai_component, + &priv->dai_drv, 1); +@@ -366,9 +364,13 @@ static int stm32_adfsdm_probe(struct platform_device *pdev) + #endif + + ret = snd_soc_add_component(component, NULL, 0); +- if (ret < 0) ++ if (ret < 0) { + dev_err(&pdev->dev, "%s: Failed to register PCM platform\n", + __func__); ++ return ret; ++ } ++ ++ pm_runtime_enable(&pdev->dev); + + return ret; + } +-- +2.35.1 + diff --git a/queue-6.0/asoc-stm32-spdifrx-fix-pm-disable-depth-imbalance-in.patch b/queue-6.0/asoc-stm32-spdifrx-fix-pm-disable-depth-imbalance-in.patch new file mode 100644 index 00000000000..92fd77e384d --- /dev/null +++ b/queue-6.0/asoc-stm32-spdifrx-fix-pm-disable-depth-imbalance-in.patch @@ -0,0 +1,51 @@ +From 23cab2a564e73f30fb9ab968ecf8ba685dd550bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 22:26:01 +0800 +Subject: ASoC: stm32: spdifrx: Fix PM disable depth imbalance in + stm32_spdifrx_probe + +From: Zhang Qilong + +[ Upstream commit 0325cc0ac7980e1c7b744aab8df59afab6daeb43 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. We fix it by moving +pm_runtime_enable to the endding of stm32_spdifrx_probe. + +Fixes:ac5e3efd55868 ("ASoC: stm32: spdifrx: add pm_runtime support") + +Signed-off-by: Zhang Qilong +Reviewed-by: Olivier Moysan +Link: https://lore.kernel.org/r/20220927142601.64266-3-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/stm/stm32_spdifrx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/stm/stm32_spdifrx.c b/sound/soc/stm/stm32_spdifrx.c +index 0f7146756717..d399c906bb92 100644 +--- a/sound/soc/stm/stm32_spdifrx.c ++++ b/sound/soc/stm/stm32_spdifrx.c +@@ -1002,8 +1002,6 @@ static int stm32_spdifrx_probe(struct platform_device *pdev) + udelay(2); + reset_control_deassert(rst); + +- pm_runtime_enable(&pdev->dev); +- + pcm_config = &stm32_spdifrx_pcm_config; + ret = snd_dmaengine_pcm_register(&pdev->dev, pcm_config, 0); + if (ret) +@@ -1036,6 +1034,8 @@ static int stm32_spdifrx_probe(struct platform_device *pdev) + FIELD_GET(SPDIFRX_VERR_MIN_MASK, ver)); + } + ++ pm_runtime_enable(&pdev->dev); ++ + return ret; + + error: +-- +2.35.1 + diff --git a/queue-6.0/asoc-sunxi-sun4i-codec-set-debugfs_prefix-for-cpu-da.patch b/queue-6.0/asoc-sunxi-sun4i-codec-set-debugfs_prefix-for-cpu-da.patch new file mode 100644 index 00000000000..d90b9c4facb --- /dev/null +++ b/queue-6.0/asoc-sunxi-sun4i-codec-set-debugfs_prefix-for-cpu-da.patch @@ -0,0 +1,42 @@ +From 45fec26e20948967042c9157a8a6c5ce84c78ea8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 00:22:55 +0300 +Subject: ASoC: sunxi: sun4i-codec: set debugfs_prefix for CPU DAI component + +From: Mikhail Rudenko + +[ Upstream commit 717a8ff20f32792d6a94f2883e771482c37d844b ] + +At present, succesfull probing of H3 Codec results in an error + + debugfs: Directory '1c22c00.codec' with parent 'H3 Audio Codec' already present! + +This is caused by a directory name conflict between codec +components. Fix it by setting debugfs_prefix for the CPU DAI +component. + +Signed-off-by: Mikhail Rudenko +Link: https://lore.kernel.org/r/20220913212256.151799-2-mike.rudenko@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sunxi/sun4i-codec.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/soc/sunxi/sun4i-codec.c b/sound/soc/sunxi/sun4i-codec.c +index 830beb38bf15..fdf3165acd70 100644 +--- a/sound/soc/sunxi/sun4i-codec.c ++++ b/sound/soc/sunxi/sun4i-codec.c +@@ -1232,6 +1232,9 @@ static const struct snd_soc_component_driver sun8i_a23_codec_codec = { + static const struct snd_soc_component_driver sun4i_codec_component = { + .name = "sun4i-codec", + .legacy_dai_naming = 1, ++#ifdef CONFIG_DEBUG_FS ++ .debugfs_prefix = "cpu", ++#endif + }; + + #define SUN4I_CODEC_RATES SNDRV_PCM_RATE_CONTINUOUS +-- +2.35.1 + diff --git a/queue-6.0/asoc-tas2764-allow-mono-streams.patch b/queue-6.0/asoc-tas2764-allow-mono-streams.patch new file mode 100644 index 00000000000..e06456909ea --- /dev/null +++ b/queue-6.0/asoc-tas2764-allow-mono-streams.patch @@ -0,0 +1,43 @@ +From 8d3d3cf16d06449f9f4c8fe61bad05529e6c3ffb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 16:02:37 +0200 +Subject: ASoC: tas2764: Allow mono streams +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin PoviÅ¡er + +[ Upstream commit 23204d928a27146d13e11c9383632775345ecca8 ] + +The part is a mono speaker amp, but it can do downmix and switch between +left and right channel, so the right channel range is 1 to 2. + +(This mirrors commit bf54d97a835d ("ASoC: tas2770: Allow mono streams") +which was a fix to the tas2770 driver.) + +Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764") +Signed-off-by: Martin PoviÅ¡er +Link: https://lore.kernel.org/r/20220825140241.53963-2-povik+lin@cutebit.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2764.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c +index 846d9d3ecc9d..0df5d975c3c9 100644 +--- a/sound/soc/codecs/tas2764.c ++++ b/sound/soc/codecs/tas2764.c +@@ -485,7 +485,7 @@ static struct snd_soc_dai_driver tas2764_dai_driver[] = { + .id = 0, + .playback = { + .stream_name = "ASI1 Playback", +- .channels_min = 2, ++ .channels_min = 1, + .channels_max = 2, + .rates = TAS2764_RATES, + .formats = TAS2764_FORMATS, +-- +2.35.1 + diff --git a/queue-6.0/asoc-tas2764-drop-conflicting-set_bias_level-power-s.patch b/queue-6.0/asoc-tas2764-drop-conflicting-set_bias_level-power-s.patch new file mode 100644 index 00000000000..c850fae44d5 --- /dev/null +++ b/queue-6.0/asoc-tas2764-drop-conflicting-set_bias_level-power-s.patch @@ -0,0 +1,83 @@ +From 0158913cefdbc67853b12d2bac4bfc6e8ed305a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 16:02:38 +0200 +Subject: ASoC: tas2764: Drop conflicting set_bias_level power setting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin PoviÅ¡er + +[ Upstream commit 09273f38832406db19a8907a934687cc10660a6b ] + +The driver is setting the PWR_CTRL field in both the set_bias_level +callback and on DAPM events of the DAC widget (and also in the +mute_stream method). Drop the set_bias_level callback altogether as the +power setting it does is in conflict with the other code paths. + +(This mirrors commit c8a6ae3fe1c8 ("ASoC: tas2770: Drop conflicting +set_bias_level power setting") which was a fix to the tas2770 driver.) + +Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764") +Signed-off-by: Martin PoviÅ¡er +Link: https://lore.kernel.org/r/20220825140241.53963-3-povik+lin@cutebit.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2764.c | 33 --------------------------------- + 1 file changed, 33 deletions(-) + +diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c +index 0df5d975c3c9..f4ac6edefdc0 100644 +--- a/sound/soc/codecs/tas2764.c ++++ b/sound/soc/codecs/tas2764.c +@@ -50,38 +50,6 @@ static void tas2764_reset(struct tas2764_priv *tas2764) + usleep_range(1000, 2000); + } + +-static int tas2764_set_bias_level(struct snd_soc_component *component, +- enum snd_soc_bias_level level) +-{ +- struct tas2764_priv *tas2764 = snd_soc_component_get_drvdata(component); +- +- switch (level) { +- case SND_SOC_BIAS_ON: +- snd_soc_component_update_bits(component, TAS2764_PWR_CTRL, +- TAS2764_PWR_CTRL_MASK, +- TAS2764_PWR_CTRL_ACTIVE); +- break; +- case SND_SOC_BIAS_STANDBY: +- case SND_SOC_BIAS_PREPARE: +- snd_soc_component_update_bits(component, TAS2764_PWR_CTRL, +- TAS2764_PWR_CTRL_MASK, +- TAS2764_PWR_CTRL_MUTE); +- break; +- case SND_SOC_BIAS_OFF: +- snd_soc_component_update_bits(component, TAS2764_PWR_CTRL, +- TAS2764_PWR_CTRL_MASK, +- TAS2764_PWR_CTRL_SHUTDOWN); +- break; +- +- default: +- dev_err(tas2764->dev, +- "wrong power level setting %d\n", level); +- return -EINVAL; +- } +- +- return 0; +-} +- + #ifdef CONFIG_PM + static int tas2764_codec_suspend(struct snd_soc_component *component) + { +@@ -549,7 +517,6 @@ static const struct snd_soc_component_driver soc_component_driver_tas2764 = { + .probe = tas2764_codec_probe, + .suspend = tas2764_codec_suspend, + .resume = tas2764_codec_resume, +- .set_bias_level = tas2764_set_bias_level, + .controls = tas2764_snd_controls, + .num_controls = ARRAY_SIZE(tas2764_snd_controls), + .dapm_widgets = tas2764_dapm_widgets, +-- +2.35.1 + diff --git a/queue-6.0/asoc-tas2764-fix-mute-unmute.patch b/queue-6.0/asoc-tas2764-fix-mute-unmute.patch new file mode 100644 index 00000000000..6e7426f7d43 --- /dev/null +++ b/queue-6.0/asoc-tas2764-fix-mute-unmute.patch @@ -0,0 +1,139 @@ +From f8b8fba257cc7b6485c12646eb7996cb35f70b60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 16:02:39 +0200 +Subject: ASoC: tas2764: Fix mute/unmute +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Martin PoviÅ¡er + +[ Upstream commit f5ad67f13623548e5aff847f89700c178aaf2a98 ] + +Because the PWR_CTRL field is modeled as the power state of the DAC +widget, and at the same time it is used to implement mute/unmute, we +need some additional book-keeping to have the right end result no matter +the sequence of calls. Without this fix, one permanently mutes an +ongoing stream by toggling the associated speaker pin control. + +(This mirrors commit 1e5907bcb3a3 ("ASoC: tas2770: Fix handling of +mute/unmute") which was a fix to the tas2770 driver.) + +Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764") +Signed-off-by: Martin PoviÅ¡er +Link: https://lore.kernel.org/r/20220825140241.53963-4-povik+lin@cutebit.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/tas2764.c | 57 +++++++++++++++++++++----------------- + 1 file changed, 32 insertions(+), 25 deletions(-) + +diff --git a/sound/soc/codecs/tas2764.c b/sound/soc/codecs/tas2764.c +index f4ac6edefdc0..39902f77a2e0 100644 +--- a/sound/soc/codecs/tas2764.c ++++ b/sound/soc/codecs/tas2764.c +@@ -34,6 +34,9 @@ struct tas2764_priv { + + int v_sense_slot; + int i_sense_slot; ++ ++ bool dac_powered; ++ bool unmuted; + }; + + static void tas2764_reset(struct tas2764_priv *tas2764) +@@ -50,6 +53,26 @@ static void tas2764_reset(struct tas2764_priv *tas2764) + usleep_range(1000, 2000); + } + ++static int tas2764_update_pwr_ctrl(struct tas2764_priv *tas2764) ++{ ++ struct snd_soc_component *component = tas2764->component; ++ unsigned int val; ++ int ret; ++ ++ if (tas2764->dac_powered) ++ val = tas2764->unmuted ? ++ TAS2764_PWR_CTRL_ACTIVE : TAS2764_PWR_CTRL_MUTE; ++ else ++ val = TAS2764_PWR_CTRL_SHUTDOWN; ++ ++ ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL, ++ TAS2764_PWR_CTRL_MASK, val); ++ if (ret < 0) ++ return ret; ++ ++ return 0; ++} ++ + #ifdef CONFIG_PM + static int tas2764_codec_suspend(struct snd_soc_component *component) + { +@@ -82,9 +105,7 @@ static int tas2764_codec_resume(struct snd_soc_component *component) + usleep_range(1000, 2000); + } + +- ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL, +- TAS2764_PWR_CTRL_MASK, +- TAS2764_PWR_CTRL_ACTIVE); ++ ret = tas2764_update_pwr_ctrl(tas2764); + + if (ret < 0) + return ret; +@@ -118,14 +139,12 @@ static int tas2764_dac_event(struct snd_soc_dapm_widget *w, + + switch (event) { + case SND_SOC_DAPM_POST_PMU: +- ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL, +- TAS2764_PWR_CTRL_MASK, +- TAS2764_PWR_CTRL_MUTE); ++ tas2764->dac_powered = true; ++ ret = tas2764_update_pwr_ctrl(tas2764); + break; + case SND_SOC_DAPM_PRE_PMD: +- ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL, +- TAS2764_PWR_CTRL_MASK, +- TAS2764_PWR_CTRL_SHUTDOWN); ++ tas2764->dac_powered = false; ++ ret = tas2764_update_pwr_ctrl(tas2764); + break; + default: + dev_err(tas2764->dev, "Unsupported event\n"); +@@ -170,17 +189,11 @@ static const struct snd_soc_dapm_route tas2764_audio_map[] = { + + static int tas2764_mute(struct snd_soc_dai *dai, int mute, int direction) + { +- struct snd_soc_component *component = dai->component; +- int ret; +- +- ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL, +- TAS2764_PWR_CTRL_MASK, +- mute ? TAS2764_PWR_CTRL_MUTE : 0); ++ struct tas2764_priv *tas2764 = ++ snd_soc_component_get_drvdata(dai->component); + +- if (ret < 0) +- return ret; +- +- return 0; ++ tas2764->unmuted = !mute; ++ return tas2764_update_pwr_ctrl(tas2764); + } + + static int tas2764_set_bitwidth(struct tas2764_priv *tas2764, int bitwidth) +@@ -494,12 +507,6 @@ static int tas2764_codec_probe(struct snd_soc_component *component) + if (ret < 0) + return ret; + +- ret = snd_soc_component_update_bits(component, TAS2764_PWR_CTRL, +- TAS2764_PWR_CTRL_MASK, +- TAS2764_PWR_CTRL_MUTE); +- if (ret < 0) +- return ret; +- + return 0; + } + +-- +2.35.1 + diff --git a/queue-6.0/asoc-wcd-mbhc-v2-revert-asoc-wcd-mbhc-v2-use-pm_runt.patch b/queue-6.0/asoc-wcd-mbhc-v2-revert-asoc-wcd-mbhc-v2-use-pm_runt.patch new file mode 100644 index 00000000000..b9c57765f76 --- /dev/null +++ b/queue-6.0/asoc-wcd-mbhc-v2-revert-asoc-wcd-mbhc-v2-use-pm_runt.patch @@ -0,0 +1,68 @@ +From 54e18079a6981221bb8afcee22921dc4216939e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 15:15:28 +0200 +Subject: ASoC: wcd-mbhc-v2: Revert "ASoC: wcd-mbhc-v2: use + pm_runtime_resume_and_get()" + +From: Krzysztof Kozlowski + +[ Upstream commit e18f6bcf8e864ea0e9690691d0d749c662b6a2c7 ] + +This reverts commit ddea4bbf287b6028eaa15a185d0693856956ecf2 ("ASoC: +wcd-mbhc-v2: use pm_runtime_resume_and_get()"), because it introduced +double runtime PM put if pm_runtime_get_sync() returns -EACCES: + + wcd934x-codec wcd934x-codec.3.auto: WCD934X Minor:0x1 Version:0x401 + wcd934x-codec wcd934x-codec.3.auto: Runtime PM usage count underflow! + +The commit claimed no changes in functionality except dropping the +reference on -EACCESS. This is exactly the change introducing bug +because function calls unconditionally pm_runtime_put_autosuspend() at +the end. + +Fixes: ddea4bbf287b ("ASoC: wcd-mbhc-v2: use pm_runtime_resume_and_get()") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220929131528.217502-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd-mbhc-v2.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/wcd-mbhc-v2.c b/sound/soc/codecs/wcd-mbhc-v2.c +index 98baef594bf3..31009283e7d4 100644 +--- a/sound/soc/codecs/wcd-mbhc-v2.c ++++ b/sound/soc/codecs/wcd-mbhc-v2.c +@@ -714,11 +714,12 @@ static int wcd_mbhc_initialise(struct wcd_mbhc *mbhc) + struct snd_soc_component *component = mbhc->component; + int ret; + +- ret = pm_runtime_resume_and_get(component->dev); ++ ret = pm_runtime_get_sync(component->dev); + if (ret < 0 && ret != -EACCES) { + dev_err_ratelimited(component->dev, +- "pm_runtime_resume_and_get failed in %s, ret %d\n", ++ "pm_runtime_get_sync failed in %s, ret %d\n", + __func__, ret); ++ pm_runtime_put_noidle(component->dev); + return ret; + } + +@@ -1096,11 +1097,12 @@ static void wcd_correct_swch_plug(struct work_struct *work) + mbhc = container_of(work, struct wcd_mbhc, correct_plug_swch); + component = mbhc->component; + +- ret = pm_runtime_resume_and_get(component->dev); ++ ret = pm_runtime_get_sync(component->dev); + if (ret < 0 && ret != -EACCES) { + dev_err_ratelimited(component->dev, +- "pm_runtime_resume_and_get failed in %s, ret %d\n", ++ "pm_runtime_get_sync failed in %s, ret %d\n", + __func__, ret); ++ pm_runtime_put_noidle(component->dev); + return; + } + micbias_mv = wcd_mbhc_get_micbias(mbhc); +-- +2.35.1 + diff --git a/queue-6.0/asoc-wm5102-fix-pm-disable-depth-imbalance-in-wm5102.patch b/queue-6.0/asoc-wm5102-fix-pm-disable-depth-imbalance-in-wm5102.patch new file mode 100644 index 00000000000..7900bd1a084 --- /dev/null +++ b/queue-6.0/asoc-wm5102-fix-pm-disable-depth-imbalance-in-wm5102.patch @@ -0,0 +1,51 @@ +From ac9d1b2c7b0a541629d1a9129576d133168de644 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 00:01:15 +0800 +Subject: ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe + +From: Zhang Qilong + +[ Upstream commit fcbb60820cd3008bb44334a0395e5e57ccb77329 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. We fix it by moving +pm_runtime_enable to the endding of wm5102_probe. + +Fixes:93e8791dd34ca ("ASoC: wm5102: Initial driver") + +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20220928160116.125020-4-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm5102.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/wm5102.c b/sound/soc/codecs/wm5102.c +index af7d324e3352..c09c9ac51b3e 100644 +--- a/sound/soc/codecs/wm5102.c ++++ b/sound/soc/codecs/wm5102.c +@@ -2099,9 +2099,6 @@ static int wm5102_probe(struct platform_device *pdev) + regmap_update_bits(arizona->regmap, wm5102_digital_vu[i], + WM5102_DIG_VU, WM5102_DIG_VU); + +- pm_runtime_enable(&pdev->dev); +- pm_runtime_idle(&pdev->dev); +- + ret = arizona_request_irq(arizona, ARIZONA_IRQ_DSP_IRQ1, + "ADSP2 Compressed IRQ", wm5102_adsp2_irq, + wm5102); +@@ -2134,6 +2131,9 @@ static int wm5102_probe(struct platform_device *pdev) + goto err_spk_irqs; + } + ++ pm_runtime_enable(&pdev->dev); ++ pm_runtime_idle(&pdev->dev); ++ + return ret; + + err_spk_irqs: +-- +2.35.1 + diff --git a/queue-6.0/asoc-wm5110-fix-pm-disable-depth-imbalance-in-wm5110.patch b/queue-6.0/asoc-wm5110-fix-pm-disable-depth-imbalance-in-wm5110.patch new file mode 100644 index 00000000000..913e5320c24 --- /dev/null +++ b/queue-6.0/asoc-wm5110-fix-pm-disable-depth-imbalance-in-wm5110.patch @@ -0,0 +1,51 @@ +From cbc17b5e13348256391024a74ba02ad89d1c9a34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 00:01:14 +0800 +Subject: ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe + +From: Zhang Qilong + +[ Upstream commit 86b46bf1feb83898d89a2b4a8d08d21e9ea277a7 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. We fix it by moving +pm_runtime_enable to the endding of wm5110_probe. + +Fixes:5c6af635fd772 ("ASoC: wm5110: Add audio CODEC driver") + +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20220928160116.125020-3-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm5110.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/wm5110.c b/sound/soc/codecs/wm5110.c +index f3f4a10bf0f7..fc634c995834 100644 +--- a/sound/soc/codecs/wm5110.c ++++ b/sound/soc/codecs/wm5110.c +@@ -2457,9 +2457,6 @@ static int wm5110_probe(struct platform_device *pdev) + regmap_update_bits(arizona->regmap, wm5110_digital_vu[i], + WM5110_DIG_VU, WM5110_DIG_VU); + +- pm_runtime_enable(&pdev->dev); +- pm_runtime_idle(&pdev->dev); +- + ret = arizona_request_irq(arizona, ARIZONA_IRQ_DSP_IRQ1, + "ADSP2 Compressed IRQ", wm5110_adsp2_irq, + wm5110); +@@ -2492,6 +2489,9 @@ static int wm5110_probe(struct platform_device *pdev) + goto err_spk_irqs; + } + ++ pm_runtime_enable(&pdev->dev); ++ pm_runtime_idle(&pdev->dev); ++ + return ret; + + err_spk_irqs: +-- +2.35.1 + diff --git a/queue-6.0/asoc-wm8997-fix-pm-disable-depth-imbalance-in-wm8997.patch b/queue-6.0/asoc-wm8997-fix-pm-disable-depth-imbalance-in-wm8997.patch new file mode 100644 index 00000000000..3f8ccd91c2d --- /dev/null +++ b/queue-6.0/asoc-wm8997-fix-pm-disable-depth-imbalance-in-wm8997.patch @@ -0,0 +1,51 @@ +From fd9fb0c7f58ea826c3003d0db16d78c1804fe5ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 00:01:13 +0800 +Subject: ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe + +From: Zhang Qilong + +[ Upstream commit 41a736ac20602f64773e80f0f5b32cde1830a44a ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. We fix it by moving +pm_runtime_enable to the endding of wm8997_probe + +Fixes:40843aea5a9bd ("ASoC: wm8997: Initial CODEC driver") + +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20220928160116.125020-2-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8997.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/codecs/wm8997.c b/sound/soc/codecs/wm8997.c +index 210ad662fc26..77136a521605 100644 +--- a/sound/soc/codecs/wm8997.c ++++ b/sound/soc/codecs/wm8997.c +@@ -1161,9 +1161,6 @@ static int wm8997_probe(struct platform_device *pdev) + regmap_update_bits(arizona->regmap, wm8997_digital_vu[i], + WM8997_DIG_VU, WM8997_DIG_VU); + +- pm_runtime_enable(&pdev->dev); +- pm_runtime_idle(&pdev->dev); +- + arizona_init_common(arizona); + + ret = arizona_init_vol_limit(arizona); +@@ -1182,6 +1179,9 @@ static int wm8997_probe(struct platform_device *pdev) + goto err_spk_irqs; + } + ++ pm_runtime_enable(&pdev->dev); ++ pm_runtime_idle(&pdev->dev); ++ + return ret; + + err_spk_irqs: +-- +2.35.1 + diff --git a/queue-6.0/asoc-wm_adsp-handle-optional-legacy-support.patch b/queue-6.0/asoc-wm_adsp-handle-optional-legacy-support.patch new file mode 100644 index 00000000000..45e90f2c695 --- /dev/null +++ b/queue-6.0/asoc-wm_adsp-handle-optional-legacy-support.patch @@ -0,0 +1,57 @@ +From 30274fe86e26e273d34cb4aceec882453308aeaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 01:05:30 +0300 +Subject: ASoC: wm_adsp: Handle optional legacy support + +From: Cristian Ciocaltea + +[ Upstream commit 35c8ae25c4fdeabf490e005692795a3be17ca5f6 ] + +The tracing capabilities for the speaker protection fw enabled via +commit c55b3e46cb99 ("ASoC: wm_adsp: Add trace caps to speaker +protection FW") are not be available on all platforms, such as the +Valve's Steam Deck which is based on the Halo Core DSP. + +As a consequence, whenever the firmware is loaded, a rather misleading +'Failed to parse legacy: -19' error message is written to the kernel +ring buffer: + +[ 288.977412] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: Firmware version: 3 +[ 288.978002] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: cs35l41-dsp1-spk-prot.wmfw: Fri 02 Apr 2021 21:03:50 W. Europe Daylight Time +[ 289.094065] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: Firmware: 400a4 vendor: 0x2 v0.33.0, 2 algorithms +[ 289.095073] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: 0: ID cd v29.53.0 XM@94 YM@e +[ 289.095665] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: 1: ID f20b v0.0.1 XM@170 YM@0 +[ 289.096275] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: Protection: C:\Users\ocanavan\Desktop\cirrusTune_july2021.bin +[ 291.172383] steamdeck kernel: cs35l41 spi-VLV1776:01: DSP1: Failed to parse legacy: -19 + +Update wm_adsp_buffer_init() to print a more descriptive info message +when wm_adsp_buffer_parse_legacy() returns -ENODEV. + +Fixes: c55b3e46cb99 ("ASoC: wm_adsp: Add trace caps to speaker protection FW") +Signed-off-by: Cristian Ciocaltea +Acked-by: Charles Keepax +Link: https://lore.kernel.org/r/20220825220530.1205141-1-cristian.ciocaltea@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm_adsp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c +index cfaa45ede916..8a2e9771bb50 100644 +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -1602,7 +1602,9 @@ static int wm_adsp_buffer_init(struct wm_adsp *dsp) + if (list_empty(&dsp->buffer_list)) { + /* Fall back to legacy support */ + ret = wm_adsp_buffer_parse_legacy(dsp); +- if (ret) ++ if (ret == -ENODEV) ++ adsp_info(dsp, "Legacy support not available\n"); ++ else if (ret) + adsp_warn(dsp, "Failed to parse legacy: %d\n", ret); + } + +-- +2.35.1 + diff --git a/queue-6.0/ata-fix-ata_id_has_devslp.patch b/queue-6.0/ata-fix-ata_id_has_devslp.patch new file mode 100644 index 00000000000..41e33743aa2 --- /dev/null +++ b/queue-6.0/ata-fix-ata_id_has_devslp.patch @@ -0,0 +1,57 @@ +From b69500e1df1e586c93a3b595cff07a5c57d1c0ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:33 +0200 +Subject: ata: fix ata_id_has_devslp() + +From: Niklas Cassel + +[ Upstream commit 9c6e09a434e1317e09b78b3b69cd384022ec9a03 ] + +ACS-5 section +7.13.6.36 Word 78: Serial ATA features supported +states that: + +If word 76 is not 0000h or FFFFh, word 78 reports the features supported +by the device. If this word is not supported, the word shall be cleared +to zero. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros +(which already have this check), thus making it more likely that the +next ATA_ID_FEATURE_SUPP macro that is added will include this check. + +Fixes: 65fe1f0f66a5 ("ahci: implement aggressive SATA device sleep support") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index 868bfd503aee..bc136a43689f 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -566,6 +566,10 @@ struct ata_bmdma_prd { + ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ + ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 2))) ++#define ata_id_has_devslp(id) \ ++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ ++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8))) + #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10)) + #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11)) + #define ata_id_u32(id,n) \ +@@ -578,7 +582,6 @@ struct ata_bmdma_prd { + + #define ata_id_cdb_intr(id) (((id)[ATA_ID_CONFIG] & 0x60) == 0x20) + #define ata_id_has_da(id) ((id)[ATA_ID_SATA_CAPABILITY_2] & (1 << 4)) +-#define ata_id_has_devslp(id) ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8)) + #define ata_id_has_ncq_autosense(id) \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7)) + +-- +2.35.1 + diff --git a/queue-6.0/ata-fix-ata_id_has_dipm.patch b/queue-6.0/ata-fix-ata_id_has_dipm.patch new file mode 100644 index 00000000000..10fb275a36d --- /dev/null +++ b/queue-6.0/ata-fix-ata_id_has_dipm.patch @@ -0,0 +1,76 @@ +From 6f8bf2e6d1f47e66224331694e1743d9a7ca5670 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:35 +0200 +Subject: ata: fix ata_id_has_dipm() + +From: Niklas Cassel + +[ Upstream commit 630624cb1b5826d753ac8e01a0e42de43d66dedf ] + +ACS-5 section +7.13.6.36 Word 78: Serial ATA features supported +states that: + +If word 76 is not 0000h or FFFFh, word 78 reports the features supported +by the device. If this word is not supported, the word shall be cleared +to zero. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +The problem with ata_id_has_dipm() is that the while it performs a +check against 0 and 0xffff, it performs the check against +ATA_ID_FEATURE_SUPP (word 78), the same word where the feature bit +is stored. + +Fix this by performing the check against ATA_ID_SATA_CAPABILITY +(word 76), like required by the spec. The feature bit check itself +is of course still performed against ATA_ID_FEATURE_SUPP (word 78). + +Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros +(which already have this check), thus making it more likely that the +next ATA_ID_FEATURE_SUPP macro that is added will include this check. + +Fixes: ca77329fb713 ("[libata] Link power management infrastructure") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index 4845443e0f08..e3050e153a71 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -574,6 +574,10 @@ struct ata_bmdma_prd { + ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ + ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7))) ++#define ata_id_has_dipm(id) \ ++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ ++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 3))) + #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10)) + #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11)) + #define ata_id_u32(id,n) \ +@@ -597,17 +601,6 @@ static inline bool ata_id_has_hipm(const u16 *id) + return val & (1 << 9); + } + +-static inline bool ata_id_has_dipm(const u16 *id) +-{ +- u16 val = id[ATA_ID_FEATURE_SUPP]; +- +- if (val == 0 || val == 0xffff) +- return false; +- +- return val & (1 << 3); +-} +- +- + static inline bool ata_id_has_fua(const u16 *id) + { + if ((id[ATA_ID_CFSSE] & 0xC000) != 0x4000) +-- +2.35.1 + diff --git a/queue-6.0/ata-fix-ata_id_has_ncq_autosense.patch b/queue-6.0/ata-fix-ata_id_has_ncq_autosense.patch new file mode 100644 index 00000000000..27c615229eb --- /dev/null +++ b/queue-6.0/ata-fix-ata_id_has_ncq_autosense.patch @@ -0,0 +1,58 @@ +From 7b5aba60b27a089e79a602b0761d7ffe3ff28788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:34 +0200 +Subject: ata: fix ata_id_has_ncq_autosense() + +From: Niklas Cassel + +[ Upstream commit a5fb6bf853148974dbde092ec1bde553bea5e49f ] + +ACS-5 section +7.13.6.36 Word 78: Serial ATA features supported +states that: + +If word 76 is not 0000h or FFFFh, word 78 reports the features supported +by the device. If this word is not supported, the word shall be cleared +to zero. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros +(which already have this check), thus making it more likely that the +next ATA_ID_FEATURE_SUPP macro that is added will include this check. + +Fixes: 5b01e4b9efa0 ("libata: Implement NCQ autosense") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index bc136a43689f..4845443e0f08 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -570,6 +570,10 @@ struct ata_bmdma_prd { + ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ + ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8))) ++#define ata_id_has_ncq_autosense(id) \ ++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ ++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7))) + #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10)) + #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11)) + #define ata_id_u32(id,n) \ +@@ -582,8 +586,6 @@ struct ata_bmdma_prd { + + #define ata_id_cdb_intr(id) (((id)[ATA_ID_CONFIG] & 0x60) == 0x20) + #define ata_id_has_da(id) ((id)[ATA_ID_SATA_CAPABILITY_2] & (1 << 4)) +-#define ata_id_has_ncq_autosense(id) \ +- ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7)) + + static inline bool ata_id_has_hipm(const u16 *id) + { +-- +2.35.1 + diff --git a/queue-6.0/ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch b/queue-6.0/ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch new file mode 100644 index 00000000000..01507600b8d --- /dev/null +++ b/queue-6.0/ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch @@ -0,0 +1,72 @@ +From 8f5da874606456de9e554402f75bee369575b1e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:32 +0200 +Subject: ata: fix ata_id_sense_reporting_enabled() and + ata_id_has_sense_reporting() + +From: Niklas Cassel + +[ Upstream commit 690aa8c3ae308bc696ec8b1b357b995193927083 ] + +ACS-5 section +7.13.6.41 Words 85..87, 120: Commands and feature sets supported or enabled +states that: + +If bit 15 of word 86 is set to one, bit 14 of word 119 is set to one, +and bit 15 of word 119 is cleared to zero, then word 119 is valid. + +If bit 15 of word 86 is set to one, bit 14 of word 120 is set to one, +and bit 15 of word 120 is cleared to zero, then word 120 is valid. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +Currently, ata_id_sense_reporting_enabled() and +ata_id_has_sense_reporting() both check bit 15 of word 86, +but neither of them check that bit 14 of word 119 is set to one, +or that bit 15 of word 119 is cleared to zero. + +Additionally, make ata_id_sense_reporting_enabled() return false +if !ata_id_has_sense_reporting(), similar to how e.g. +ata_id_flush_ext_enabled() returns false if !ata_id_has_flush_ext(). + +Fixes: e87fd28cf9a2 ("libata: Implement support for sense data reporting") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index 21292b5bbb55..868bfd503aee 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -771,16 +771,21 @@ static inline bool ata_id_has_read_log_dma_ext(const u16 *id) + + static inline bool ata_id_has_sense_reporting(const u16 *id) + { +- if (!(id[ATA_ID_CFS_ENABLE_2] & (1 << 15))) ++ if (!(id[ATA_ID_CFS_ENABLE_2] & BIT(15))) ++ return false; ++ if ((id[ATA_ID_COMMAND_SET_3] & (BIT(15) | BIT(14))) != BIT(14)) + return false; +- return id[ATA_ID_COMMAND_SET_3] & (1 << 6); ++ return id[ATA_ID_COMMAND_SET_3] & BIT(6); + } + + static inline bool ata_id_sense_reporting_enabled(const u16 *id) + { +- if (!(id[ATA_ID_CFS_ENABLE_2] & (1 << 15))) ++ if (!ata_id_has_sense_reporting(id)) ++ return false; ++ /* ata_id_has_sense_reporting() == true, word 86 must have bit 15 set */ ++ if ((id[ATA_ID_COMMAND_SET_4] & (BIT(15) | BIT(14))) != BIT(14)) + return false; +- return id[ATA_ID_COMMAND_SET_4] & (1 << 6); ++ return id[ATA_ID_COMMAND_SET_4] & BIT(6); + } + + /** +-- +2.35.1 + diff --git a/queue-6.0/ata-libahci_platform-sanity-check-the-dt-child-nodes.patch b/queue-6.0/ata-libahci_platform-sanity-check-the-dt-child-nodes.patch new file mode 100644 index 00000000000..25b19293764 --- /dev/null +++ b/queue-6.0/ata-libahci_platform-sanity-check-the-dt-child-nodes.patch @@ -0,0 +1,67 @@ +From b891d28b58e63aeb1afb92119ee963d3ab9906ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 22:36:06 +0300 +Subject: ata: libahci_platform: Sanity check the DT child nodes number + +From: Serge Semin + +[ Upstream commit 3c132ea6508b34956e5ed88d04936983ec230601 ] + +Having greater than AHCI_MAX_PORTS (32) ports detected isn't that critical +from the further AHCI-platform initialization point of view since +exceeding the ports upper limit will cause allocating more resources than +will be used afterwards. But detecting too many child DT-nodes doesn't +seem right since it's very unlikely to have it on an ordinary platform. In +accordance with the AHCI specification there can't be more than 32 ports +implemented at least due to having the CAP.NP field of 5 bits wide and the +PI register of dword size. Thus if such situation is found the DTB must +have been corrupted and the data read from it shouldn't be reliable. Let's +consider that as an erroneous situation and halt further resources +allocation. + +Note it's logically more correct to have the nports set only after the +initialization value is checked for being sane. So while at it let's make +sure nports is assigned with a correct value. + +Signed-off-by: Serge Semin +Reviewed-by: Hannes Reinecke +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libahci_platform.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/libahci_platform.c b/drivers/ata/libahci_platform.c +index 32495ae96567..986f1923a76d 100644 +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -451,14 +451,24 @@ struct ahci_host_priv *ahci_platform_get_resources(struct platform_device *pdev, + } + } + +- hpriv->nports = child_nodes = of_get_child_count(dev->of_node); ++ /* ++ * Too many sub-nodes most likely means having something wrong with ++ * the firmware. ++ */ ++ child_nodes = of_get_child_count(dev->of_node); ++ if (child_nodes > AHCI_MAX_PORTS) { ++ rc = -EINVAL; ++ goto err_out; ++ } + + /* + * If no sub-node was found, we still need to set nports to + * one in order to be able to use the + * ahci_platform_[en|dis]able_[phys|regulators] functions. + */ +- if (!child_nodes) ++ if (child_nodes) ++ hpriv->nports = child_nodes; ++ else + hpriv->nports = 1; + + hpriv->phys = devm_kcalloc(dev, hpriv->nports, sizeof(*hpriv->phys), GFP_KERNEL); +-- +2.35.1 + diff --git a/queue-6.0/audit-explicitly-check-audit_context-context-enum-va.patch b/queue-6.0/audit-explicitly-check-audit_context-context-enum-va.patch new file mode 100644 index 00000000000..1cd6733054c --- /dev/null +++ b/queue-6.0/audit-explicitly-check-audit_context-context-enum-va.patch @@ -0,0 +1,36 @@ +From ad0960563cae29102cb1b89ea882207a950a4113 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 15:32:38 -0400 +Subject: audit: explicitly check audit_context->context enum value + +From: Richard Guy Briggs + +[ Upstream commit 3ed66951f952ed8f1a5d03e171722bf2631e8d58 ] + +Be explicit in checking the struct audit_context "context" member enum +value rather than assuming the order of context enum values. + +Fixes: 12c5e81d3fd0 ("audit: prepare audit_context for use in calling contexts beyond syscalls") +Signed-off-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/auditsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index 79a5da1bc5bb..0ee09447ad04 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -2069,7 +2069,7 @@ void __audit_syscall_exit(int success, long return_code) + /* run through both filters to ensure we set the filterkey properly */ + audit_filter_syscall(current, context); + audit_filter_inodes(current, context); +- if (context->current_state < AUDIT_STATE_RECORD) ++ if (context->current_state != AUDIT_STATE_RECORD) + goto out; + + audit_log_exit(); +-- +2.35.1 + diff --git a/queue-6.0/audit-free-audit_proctitle-only-on-task-exit.patch b/queue-6.0/audit-free-audit_proctitle-only-on-task-exit.patch new file mode 100644 index 00000000000..c3ffdd75382 --- /dev/null +++ b/queue-6.0/audit-free-audit_proctitle-only-on-task-exit.patch @@ -0,0 +1,45 @@ +From 418a4fb1b4e176073669f8f508a456939a692254 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 15:32:39 -0400 +Subject: audit: free audit_proctitle only on task exit + +From: Richard Guy Briggs + +[ Upstream commit c3f3ea8af44d0c5fba79fe8b198087342d0c7e04 ] + +Since audit_proctitle is generated at syscall exit time, its value is +used immediately and cached for the next syscall. Since this is the +case, then only clear it at task exit time. Otherwise, there is no +point in caching the value OR bearing the overhead of regenerating it. + +Fixes: 12c5e81d3fd0 ("audit: prepare audit_context for use in calling contexts beyond syscalls") +Signed-off-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/auditsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index 0ee09447ad04..63a6fe99aa3a 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1016,7 +1016,6 @@ static void audit_reset_context(struct audit_context *ctx) + WARN_ON(!list_empty(&ctx->killed_trees)); + audit_free_module(ctx); + ctx->fds[0] = -1; +- audit_proctitle_free(ctx); + ctx->type = 0; /* reset last for audit_free_*() */ + } + +@@ -1077,6 +1076,7 @@ static inline void audit_free_context(struct audit_context *context) + { + /* resetting is extra work, but it is likely just noise */ + audit_reset_context(context); ++ audit_proctitle_free(context); + free_tree_refs(context); + kfree(context->filterkey); + kfree(context); +-- +2.35.1 + diff --git a/queue-6.0/bcache-fix-set_at_max_writeback_rate-for-multiple-at.patch b/queue-6.0/bcache-fix-set_at_max_writeback_rate-for-multiple-at.patch new file mode 100644 index 00000000000..050e9072e5c --- /dev/null +++ b/queue-6.0/bcache-fix-set_at_max_writeback_rate-for-multiple-at.patch @@ -0,0 +1,136 @@ +From a0b901a3ad3d16f2f0bd9bf62d58d38ee3ffca43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 00:16:47 +0800 +Subject: bcache: fix set_at_max_writeback_rate() for multiple attached devices + +From: Coly Li + +[ Upstream commit d2d05b88035d2d51a5bb6c5afec88a0880c73df4 ] + +Inside set_at_max_writeback_rate() the calculation in following if() +check is wrong, + if (atomic_inc_return(&c->idle_counter) < + atomic_read(&c->attached_dev_nr) * 6) + +Because each attached backing device has its own writeback thread +running and increasing c->idle_counter, the counter increates much +faster than expected. The correct calculation should be, + (counter / dev_nr) < dev_nr * 6 +which equals to, + counter < dev_nr * dev_nr * 6 + +This patch fixes the above mistake with correct calculation, and helper +routine idle_counter_exceeded() is added to make code be more clear. + +Reported-by: Mingzhe Zou +Signed-off-by: Coly Li +Acked-by: Mingzhe Zou +Link: https://lore.kernel.org/r/20220919161647.81238-6-colyli@suse.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/bcache/writeback.c | 73 +++++++++++++++++++++++++---------- + 1 file changed, 52 insertions(+), 21 deletions(-) + +diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.c +index 3f0ff3aab6f2..9c227e4a8465 100644 +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -157,6 +157,53 @@ static void __update_writeback_rate(struct cached_dev *dc) + dc->writeback_rate_target = target; + } + ++static bool idle_counter_exceeded(struct cache_set *c) ++{ ++ int counter, dev_nr; ++ ++ /* ++ * If c->idle_counter is overflow (idel for really long time), ++ * reset as 0 and not set maximum rate this time for code ++ * simplicity. ++ */ ++ counter = atomic_inc_return(&c->idle_counter); ++ if (counter <= 0) { ++ atomic_set(&c->idle_counter, 0); ++ return false; ++ } ++ ++ dev_nr = atomic_read(&c->attached_dev_nr); ++ if (dev_nr == 0) ++ return false; ++ ++ /* ++ * c->idle_counter is increased by writeback thread of all ++ * attached backing devices, in order to represent a rough ++ * time period, counter should be divided by dev_nr. ++ * Otherwise the idle time cannot be larger with more backing ++ * device attached. ++ * The following calculation equals to checking ++ * (counter / dev_nr) < (dev_nr * 6) ++ */ ++ if (counter < (dev_nr * dev_nr * 6)) ++ return false; ++ ++ return true; ++} ++ ++/* ++ * Idle_counter is increased every time when update_writeback_rate() is ++ * called. If all backing devices attached to the same cache set have ++ * identical dc->writeback_rate_update_seconds values, it is about 6 ++ * rounds of update_writeback_rate() on each backing device before ++ * c->at_max_writeback_rate is set to 1, and then max wrteback rate set ++ * to each dc->writeback_rate.rate. ++ * In order to avoid extra locking cost for counting exact dirty cached ++ * devices number, c->attached_dev_nr is used to calculate the idle ++ * throushold. It might be bigger if not all cached device are in write- ++ * back mode, but it still works well with limited extra rounds of ++ * update_writeback_rate(). ++ */ + static bool set_at_max_writeback_rate(struct cache_set *c, + struct cached_dev *dc) + { +@@ -167,21 +214,8 @@ static bool set_at_max_writeback_rate(struct cache_set *c, + /* Don't set max writeback rate if gc is running */ + if (!c->gc_mark_valid) + return false; +- /* +- * Idle_counter is increased everytime when update_writeback_rate() is +- * called. If all backing devices attached to the same cache set have +- * identical dc->writeback_rate_update_seconds values, it is about 6 +- * rounds of update_writeback_rate() on each backing device before +- * c->at_max_writeback_rate is set to 1, and then max wrteback rate set +- * to each dc->writeback_rate.rate. +- * In order to avoid extra locking cost for counting exact dirty cached +- * devices number, c->attached_dev_nr is used to calculate the idle +- * throushold. It might be bigger if not all cached device are in write- +- * back mode, but it still works well with limited extra rounds of +- * update_writeback_rate(). +- */ +- if (atomic_inc_return(&c->idle_counter) < +- atomic_read(&c->attached_dev_nr) * 6) ++ ++ if (!idle_counter_exceeded(c)) + return false; + + if (atomic_read(&c->at_max_writeback_rate) != 1) +@@ -195,13 +229,10 @@ static bool set_at_max_writeback_rate(struct cache_set *c, + dc->writeback_rate_change = 0; + + /* +- * Check c->idle_counter and c->at_max_writeback_rate agagain in case +- * new I/O arrives during before set_at_max_writeback_rate() returns. +- * Then the writeback rate is set to 1, and its new value should be +- * decided via __update_writeback_rate(). ++ * In case new I/O arrives during before ++ * set_at_max_writeback_rate() returns. + */ +- if ((atomic_read(&c->idle_counter) < +- atomic_read(&c->attached_dev_nr) * 6) || ++ if (!idle_counter_exceeded(c) || + !atomic_read(&c->at_max_writeback_rate)) + return false; + +-- +2.35.1 + diff --git a/queue-6.0/blk-mq-use-quiesced-elevator-switch-when-reinitializ.patch b/queue-6.0/blk-mq-use-quiesced-elevator-switch-when-reinitializ.patch new file mode 100644 index 00000000000..633f2895129 --- /dev/null +++ b/queue-6.0/blk-mq-use-quiesced-elevator-switch-when-reinitializ.patch @@ -0,0 +1,118 @@ +From d473e27343ecca8daf7a24f792949a8988f5974a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 08:56:52 -0700 +Subject: blk-mq: use quiesced elevator switch when reinitializing queues + +From: Keith Busch + +[ Upstream commit 8237c01f1696bc53c470493bf1fe092a107648a6 ] + +The hctx's run_work may be racing with the elevator switch when +reinitializing hardware queues. The queue is merely frozen in this +context, but that only prevents requests from allocating and doesn't +stop the hctx work from running. The work may get an elevator pointer +that's being torn down, and can result in use-after-free errors and +kernel panics (example below). Use the quiesced elevator switch instead, +and make the previous one static since it is now only used locally. + + nvme nvme0: resetting controller + nvme nvme0: 32/0/0 default/read/poll queues + BUG: kernel NULL pointer dereference, address: 0000000000000008 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 80000020c8861067 P4D 80000020c8861067 PUD 250f8c8067 PMD 0 + Oops: 0000 [#1] SMP PTI + Workqueue: kblockd blk_mq_run_work_fn + RIP: 0010:kyber_has_work+0x29/0x70 + +... + + Call Trace: + __blk_mq_do_dispatch_sched+0x83/0x2b0 + __blk_mq_sched_dispatch_requests+0x12e/0x170 + blk_mq_sched_dispatch_requests+0x30/0x60 + __blk_mq_run_hw_queue+0x2b/0x50 + process_one_work+0x1ef/0x380 + worker_thread+0x2d/0x3e0 + +Signed-off-by: Keith Busch +Reviewed-by: Ming Lei +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20220927155652.3260724-1-kbusch@fb.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 6 +++--- + block/blk.h | 3 +-- + block/elevator.c | 4 ++-- + 3 files changed, 6 insertions(+), 7 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index c96c8c4f751b..887b8682eb69 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -4473,14 +4473,14 @@ static bool blk_mq_elv_switch_none(struct list_head *head, + list_add(&qe->node, head); + + /* +- * After elevator_switch_mq, the previous elevator_queue will be ++ * After elevator_switch, the previous elevator_queue will be + * released by elevator_release. The reference of the io scheduler + * module get by elevator_get will also be put. So we need to get + * a reference of the io scheduler module here to prevent it to be + * removed. + */ + __module_get(qe->type->elevator_owner); +- elevator_switch_mq(q, NULL); ++ elevator_switch(q, NULL); + mutex_unlock(&q->sysfs_lock); + + return true; +@@ -4512,7 +4512,7 @@ static void blk_mq_elv_switch_back(struct list_head *head, + kfree(qe); + + mutex_lock(&q->sysfs_lock); +- elevator_switch_mq(q, t); ++ elevator_switch(q, t); + mutex_unlock(&q->sysfs_lock); + } + +diff --git a/block/blk.h b/block/blk.h +index d7142c4d2fef..52432eab621e 100644 +--- a/block/blk.h ++++ b/block/blk.h +@@ -270,8 +270,7 @@ bool blk_bio_list_merge(struct request_queue *q, struct list_head *list, + + void blk_insert_flush(struct request *rq); + +-int elevator_switch_mq(struct request_queue *q, +- struct elevator_type *new_e); ++int elevator_switch(struct request_queue *q, struct elevator_type *new_e); + void elevator_exit(struct request_queue *q); + int elv_register_queue(struct request_queue *q, bool uevent); + void elv_unregister_queue(struct request_queue *q); +diff --git a/block/elevator.c b/block/elevator.c +index c319765892bb..bd71f0fc4e4b 100644 +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -588,7 +588,7 @@ void elv_unregister(struct elevator_type *e) + } + EXPORT_SYMBOL_GPL(elv_unregister); + +-int elevator_switch_mq(struct request_queue *q, ++static int elevator_switch_mq(struct request_queue *q, + struct elevator_type *new_e) + { + int ret; +@@ -723,7 +723,7 @@ void elevator_init_mq(struct request_queue *q) + * need for the new one. this way we have a chance of going back to the old + * one, if the new one fails init for some reason. + */ +-static int elevator_switch(struct request_queue *q, struct elevator_type *new_e) ++int elevator_switch(struct request_queue *q, struct elevator_type *new_e) + { + int err; + +-- +2.35.1 + diff --git a/queue-6.0/blk-throttle-prevent-overflow-while-calculating-wait.patch b/queue-6.0/blk-throttle-prevent-overflow-while-calculating-wait.patch new file mode 100644 index 00000000000..f1a9a4df41f --- /dev/null +++ b/queue-6.0/blk-throttle-prevent-overflow-while-calculating-wait.patch @@ -0,0 +1,51 @@ +From 014dd2dc003758a7d1a3d9295f829f495ff2f1ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 10:22:38 +0800 +Subject: blk-throttle: prevent overflow while calculating wait time + +From: Yu Kuai + +[ Upstream commit 8d6bbaada2e0a65f9012ac4c2506460160e7237a ] + +There is a problem found by code review in tg_with_in_bps_limit() that +'bps_limit * jiffy_elapsed_rnd' might overflow. Fix the problem by +calling mul_u64_u64_div_u64() instead. + +Signed-off-by: Yu Kuai +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20220829022240.3348319-3-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-throttle.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/block/blk-throttle.c b/block/blk-throttle.c +index 3c02a9b3275a..35cf744ea9d1 100644 +--- a/block/blk-throttle.c ++++ b/block/blk-throttle.c +@@ -806,7 +806,7 @@ static bool tg_with_in_bps_limit(struct throtl_grp *tg, struct bio *bio, + u64 bps_limit, unsigned long *wait) + { + bool rw = bio_data_dir(bio); +- u64 bytes_allowed, extra_bytes, tmp; ++ u64 bytes_allowed, extra_bytes; + unsigned long jiffy_elapsed, jiffy_wait, jiffy_elapsed_rnd; + unsigned int bio_size = throtl_bio_data_size(bio); + +@@ -824,10 +824,8 @@ static bool tg_with_in_bps_limit(struct throtl_grp *tg, struct bio *bio, + jiffy_elapsed_rnd = tg->td->throtl_slice; + + jiffy_elapsed_rnd = roundup(jiffy_elapsed_rnd, tg->td->throtl_slice); +- +- tmp = bps_limit * jiffy_elapsed_rnd; +- do_div(tmp, HZ); +- bytes_allowed = tmp; ++ bytes_allowed = mul_u64_u64_div_u64(bps_limit, (u64)jiffy_elapsed_rnd, ++ (u64)HZ); + + if (tg->bytes_disp[rw] + bio_size <= bytes_allowed) { + if (wait) +-- +2.35.1 + diff --git a/queue-6.0/block-fix-the-enum-blk_eh_timer_return-documentation.patch b/queue-6.0/block-fix-the-enum-blk_eh_timer_return-documentation.patch new file mode 100644 index 00000000000..44c00cf47a8 --- /dev/null +++ b/queue-6.0/block-fix-the-enum-blk_eh_timer_return-documentation.patch @@ -0,0 +1,55 @@ +From 5295b35a207e040b6ff3814f8f26f85cb2db2e63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 13:06:26 -0700 +Subject: block: Fix the enum blk_eh_timer_return documentation + +From: Bart Van Assche + +[ Upstream commit b2bed51a5261f4266ecb857bba680a7f668d3ddf ] + +The documentation of the blk_eh_timer_return enumeration values does not +reflect correctly how e.g. the SCSI core uses these values. Fix the +documentation. + +Cc: Christoph Hellwig +Cc: Ming Lei +Cc: Hannes Reinecke +Cc: Damien Le Moal +Cc: Johannes Thumshirn +Fixes: 88b0cfad2888 ("block: document the blk_eh_timer_return values") +Signed-off-by: Bart Van Assche +Reviewed-by: Johannes Thumshirn +Reviewed-by: Damien Le Moal +Link: https://lore.kernel.org/r/20220920200626.3422296-1-bvanassche@acm.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/blk-mq.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h +index 92294a5fb083..1532cd07a597 100644 +--- a/include/linux/blk-mq.h ++++ b/include/linux/blk-mq.h +@@ -268,9 +268,16 @@ static inline void rq_list_move(struct request **src, struct request **dst, + rq_list_add(dst, rq); + } + ++/** ++ * enum blk_eh_timer_return - How the timeout handler should proceed ++ * @BLK_EH_DONE: The block driver completed the command or will complete it at ++ * a later time. ++ * @BLK_EH_RESET_TIMER: Reset the request timer and continue waiting for the ++ * request to complete. ++ */ + enum blk_eh_timer_return { +- BLK_EH_DONE, /* drivers has completed the command */ +- BLK_EH_RESET_TIMER, /* reset timer and try again */ ++ BLK_EH_DONE, ++ BLK_EH_RESET_TIMER, + }; + + #define BLK_TAG_ALLOC_FIFO 0 /* allocate starting from 0 */ +-- +2.35.1 + diff --git a/queue-6.0/block-replace-blk_queue_nowait-with-bdev_nowait.patch b/queue-6.0/block-replace-blk_queue_nowait-with-bdev_nowait.patch new file mode 100644 index 00000000000..3aef33bf539 --- /dev/null +++ b/queue-6.0/block-replace-blk_queue_nowait-with-bdev_nowait.patch @@ -0,0 +1,116 @@ +From ad5478c1cf85137aee014156879d3fcf8342dc5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 09:58:15 +0200 +Subject: block: replace blk_queue_nowait with bdev_nowait + +From: Christoph Hellwig + +[ Upstream commit 568ec936bf1384fc15873908c96a9aeb62536edb ] + +Replace blk_queue_nowait with a bdev_nowait helpers that takes the +block_device given that the I/O submission path should not have to +look into the request_queue. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Pankaj Raghav +Link: https://lore.kernel.org/r/20220927075815.269694-1-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 2 +- + drivers/md/dm-table.c | 4 +--- + drivers/md/md.c | 4 ++-- + include/linux/blkdev.h | 6 +++++- + io_uring/io_uring.c | 2 +- + 5 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index 651057c4146b..4ec669b0eadc 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -717,7 +717,7 @@ void submit_bio_noacct(struct bio *bio) + * For a REQ_NOWAIT based request, return -EOPNOTSUPP + * if queue does not support NOWAIT. + */ +- if ((bio->bi_opf & REQ_NOWAIT) && !blk_queue_nowait(q)) ++ if ((bio->bi_opf & REQ_NOWAIT) && !bdev_nowait(bdev)) + goto not_supported; + + if (should_fail_bio(bio)) +diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c +index 332f96b58252..d8034ff0cb24 100644 +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -1856,9 +1856,7 @@ static bool dm_table_supports_write_zeroes(struct dm_table *t) + static int device_not_nowait_capable(struct dm_target *ti, struct dm_dev *dev, + sector_t start, sector_t len, void *data) + { +- struct request_queue *q = bdev_get_queue(dev->bdev); +- +- return !blk_queue_nowait(q); ++ return !bdev_nowait(dev->bdev); + } + + static bool dm_table_supports_nowait(struct dm_table *t) +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 470a975e4be9..a467b492d4ad 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5845,7 +5845,7 @@ int md_run(struct mddev *mddev) + } + } + sysfs_notify_dirent_safe(rdev->sysfs_state); +- nowait = nowait && blk_queue_nowait(bdev_get_queue(rdev->bdev)); ++ nowait = nowait && bdev_nowait(rdev->bdev); + } + + if (!bioset_initialized(&mddev->bio_set)) { +@@ -6982,7 +6982,7 @@ static int hot_add_disk(struct mddev *mddev, dev_t dev) + * If the new disk does not support REQ_NOWAIT, + * disable on the whole MD. + */ +- if (!blk_queue_nowait(bdev_get_queue(rdev->bdev))) { ++ if (!bdev_nowait(rdev->bdev)) { + pr_info("%s: Disabling nowait because %pg does not support nowait\n", + mdname(mddev), rdev->bdev); + blk_queue_flag_clear(QUEUE_FLAG_NOWAIT, mddev->queue); +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 84b13fdd34a7..4750772ef228 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -618,7 +618,6 @@ bool blk_queue_flag_test_and_set(unsigned int flag, struct request_queue *q); + #define blk_queue_quiesced(q) test_bit(QUEUE_FLAG_QUIESCED, &(q)->queue_flags) + #define blk_queue_pm_only(q) atomic_read(&(q)->pm_only) + #define blk_queue_registered(q) test_bit(QUEUE_FLAG_REGISTERED, &(q)->queue_flags) +-#define blk_queue_nowait(q) test_bit(QUEUE_FLAG_NOWAIT, &(q)->queue_flags) + #define blk_queue_sq_sched(q) test_bit(QUEUE_FLAG_SQ_SCHED, &(q)->queue_flags) + + extern void blk_set_pm_only(struct request_queue *q); +@@ -1280,6 +1279,11 @@ static inline bool bdev_fua(struct block_device *bdev) + return test_bit(QUEUE_FLAG_FUA, &bdev_get_queue(bdev)->queue_flags); + } + ++static inline bool bdev_nowait(struct block_device *bdev) ++{ ++ return test_bit(QUEUE_FLAG_NOWAIT, &bdev_get_queue(bdev)->queue_flags); ++} ++ + static inline enum blk_zoned_model bdev_zoned_model(struct block_device *bdev) + { + struct request_queue *q = bdev_get_queue(bdev); +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index c5dd483a7de2..e0e20307bd68 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -1388,7 +1388,7 @@ static void io_iopoll_req_issued(struct io_kiocb *req, unsigned int issue_flags) + + static bool io_bdev_nowait(struct block_device *bdev) + { +- return !bdev || blk_queue_nowait(bdev_get_queue(bdev)); ++ return !bdev || bdev_nowait(bdev); + } + + /* +-- +2.35.1 + diff --git a/queue-6.0/block-sed-opal-add-ioctl-to-return-device-status.patch b/queue-6.0/block-sed-opal-add-ioctl-to-return-device-status.patch new file mode 100644 index 00000000000..314ff9621aa --- /dev/null +++ b/queue-6.0/block-sed-opal-add-ioctl-to-return-device-status.patch @@ -0,0 +1,283 @@ +From 0541b0f427c3bd52d73e735dd29202e59804317e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 15:07:13 +0100 +Subject: block: sed-opal: Add ioctl to return device status + +From: dougmill@linux.vnet.ibm.com + +[ Upstream commit c6ea70604249bc357ce09e9f8e16c29df0fb2fa2 ] + +Provide a mechanism to retrieve basic status information about +the device, including the "supported" flag indicating whether +SED-OPAL is supported. The information returned is from the various +feature descriptors received during the discovery0 step, and so +this ioctl does nothing more than perform the discovery0 step +and then save the information received. See "struct opal_status" +and OPAL_FL_* bits for the status information currently returned. + +This is necessary to be able to check whether a device is OPAL +enabled, set up, locked or unlocked from userspace programs +like systemd-cryptsetup and libcryptsetup. Right now we just +have to assume the user 'knows' or blindly attempt setup/lock/unlock +operations. + +Signed-off-by: Douglas Miller +Tested-by: Luca Boccassi +Reviewed-by: Scott Bauer +Acked-by: Christian Brauner (Microsoft) +Link: https://lore.kernel.org/r/20220816140713.84893-1-luca.boccassi@gmail.com +Signed-off-by: Jens Axboe +Stable-dep-of: 040b83fcecfb ("sbitmap: fix possible io hung due to lost wakeup") +Signed-off-by: Sasha Levin +--- + block/opal_proto.h | 5 ++ + block/sed-opal.c | 89 ++++++++++++++++++++++++++++++----- + include/linux/sed-opal.h | 1 + + include/uapi/linux/sed-opal.h | 13 +++++ + 4 files changed, 96 insertions(+), 12 deletions(-) + +diff --git a/block/opal_proto.h b/block/opal_proto.h +index b486b3ec7dc4..7152aa1f1a49 100644 +--- a/block/opal_proto.h ++++ b/block/opal_proto.h +@@ -39,7 +39,12 @@ enum opal_response_token { + #define FIRST_TPER_SESSION_NUM 4096 + + #define TPER_SYNC_SUPPORTED 0x01 ++/* FC_LOCKING features */ ++#define LOCKING_SUPPORTED_MASK 0x01 ++#define LOCKING_ENABLED_MASK 0x02 ++#define LOCKED_MASK 0x04 + #define MBR_ENABLED_MASK 0x10 ++#define MBR_DONE_MASK 0x20 + + #define TINY_ATOM_DATA_MASK 0x3F + #define TINY_ATOM_SIGNED 0x40 +diff --git a/block/sed-opal.c b/block/sed-opal.c +index 9700197000f2..2c5327a0543a 100644 +--- a/block/sed-opal.c ++++ b/block/sed-opal.c +@@ -74,8 +74,7 @@ struct parsed_resp { + }; + + struct opal_dev { +- bool supported; +- bool mbr_enabled; ++ u32 flags; + + void *data; + sec_send_recv *send_recv; +@@ -280,6 +279,30 @@ static bool check_tper(const void *data) + return true; + } + ++static bool check_lcksuppt(const void *data) ++{ ++ const struct d0_locking_features *lfeat = data; ++ u8 sup_feat = lfeat->supported_features; ++ ++ return !!(sup_feat & LOCKING_SUPPORTED_MASK); ++} ++ ++static bool check_lckenabled(const void *data) ++{ ++ const struct d0_locking_features *lfeat = data; ++ u8 sup_feat = lfeat->supported_features; ++ ++ return !!(sup_feat & LOCKING_ENABLED_MASK); ++} ++ ++static bool check_locked(const void *data) ++{ ++ const struct d0_locking_features *lfeat = data; ++ u8 sup_feat = lfeat->supported_features; ++ ++ return !!(sup_feat & LOCKED_MASK); ++} ++ + static bool check_mbrenabled(const void *data) + { + const struct d0_locking_features *lfeat = data; +@@ -288,6 +311,14 @@ static bool check_mbrenabled(const void *data) + return !!(sup_feat & MBR_ENABLED_MASK); + } + ++static bool check_mbrdone(const void *data) ++{ ++ const struct d0_locking_features *lfeat = data; ++ u8 sup_feat = lfeat->supported_features; ++ ++ return !!(sup_feat & MBR_DONE_MASK); ++} ++ + static bool check_sum(const void *data) + { + const struct d0_single_user_mode *sum = data; +@@ -435,7 +466,7 @@ static int opal_discovery0_end(struct opal_dev *dev) + u32 hlen = be32_to_cpu(hdr->length); + + print_buffer(dev->resp, hlen); +- dev->mbr_enabled = false; ++ dev->flags &= OPAL_FL_SUPPORTED; + + if (hlen > IO_BUFFER_LENGTH - sizeof(*hdr)) { + pr_debug("Discovery length overflows buffer (%zu+%u)/%u\n", +@@ -461,7 +492,16 @@ static int opal_discovery0_end(struct opal_dev *dev) + check_geometry(dev, body); + break; + case FC_LOCKING: +- dev->mbr_enabled = check_mbrenabled(body->features); ++ if (check_lcksuppt(body->features)) ++ dev->flags |= OPAL_FL_LOCKING_SUPPORTED; ++ if (check_lckenabled(body->features)) ++ dev->flags |= OPAL_FL_LOCKING_ENABLED; ++ if (check_locked(body->features)) ++ dev->flags |= OPAL_FL_LOCKED; ++ if (check_mbrenabled(body->features)) ++ dev->flags |= OPAL_FL_MBR_ENABLED; ++ if (check_mbrdone(body->features)) ++ dev->flags |= OPAL_FL_MBR_DONE; + break; + case FC_ENTERPRISE: + case FC_DATASTORE: +@@ -2109,7 +2149,8 @@ static int check_opal_support(struct opal_dev *dev) + mutex_lock(&dev->dev_lock); + setup_opal_dev(dev); + ret = opal_discovery0_step(dev); +- dev->supported = !ret; ++ if (!ret) ++ dev->flags |= OPAL_FL_SUPPORTED; + mutex_unlock(&dev->dev_lock); + + return ret; +@@ -2148,6 +2189,7 @@ struct opal_dev *init_opal_dev(void *data, sec_send_recv *send_recv) + + INIT_LIST_HEAD(&dev->unlk_lst); + mutex_init(&dev->dev_lock); ++ dev->flags = 0; + dev->data = data; + dev->send_recv = send_recv; + if (check_opal_support(dev) != 0) { +@@ -2528,7 +2570,7 @@ bool opal_unlock_from_suspend(struct opal_dev *dev) + if (!dev) + return false; + +- if (!dev->supported) ++ if (!(dev->flags & OPAL_FL_SUPPORTED)) + return false; + + mutex_lock(&dev->dev_lock); +@@ -2546,7 +2588,7 @@ bool opal_unlock_from_suspend(struct opal_dev *dev) + was_failure = true; + } + +- if (dev->mbr_enabled) { ++ if (dev->flags & OPAL_FL_MBR_ENABLED) { + ret = __opal_set_mbr_done(dev, &suspend->unlk.session.opal_key); + if (ret) + pr_debug("Failed to set MBR Done in S3 resume\n"); +@@ -2620,6 +2662,23 @@ static int opal_generic_read_write_table(struct opal_dev *dev, + return ret; + } + ++static int opal_get_status(struct opal_dev *dev, void __user *data) ++{ ++ struct opal_status sts = {0}; ++ ++ /* ++ * check_opal_support() error is not fatal, ++ * !dev->supported is a valid condition ++ */ ++ if (!check_opal_support(dev)) ++ sts.flags = dev->flags; ++ if (copy_to_user(data, &sts, sizeof(sts))) { ++ pr_debug("Error copying status to userspace\n"); ++ return -EFAULT; ++ } ++ return 0; ++} ++ + int sed_ioctl(struct opal_dev *dev, unsigned int cmd, void __user *arg) + { + void *p; +@@ -2629,12 +2688,14 @@ int sed_ioctl(struct opal_dev *dev, unsigned int cmd, void __user *arg) + return -EACCES; + if (!dev) + return -ENOTSUPP; +- if (!dev->supported) ++ if (!(dev->flags & OPAL_FL_SUPPORTED)) + return -ENOTSUPP; + +- p = memdup_user(arg, _IOC_SIZE(cmd)); +- if (IS_ERR(p)) +- return PTR_ERR(p); ++ if (cmd & IOC_IN) { ++ p = memdup_user(arg, _IOC_SIZE(cmd)); ++ if (IS_ERR(p)) ++ return PTR_ERR(p); ++ } + + switch (cmd) { + case IOC_OPAL_SAVE: +@@ -2685,11 +2746,15 @@ int sed_ioctl(struct opal_dev *dev, unsigned int cmd, void __user *arg) + case IOC_OPAL_GENERIC_TABLE_RW: + ret = opal_generic_read_write_table(dev, p); + break; ++ case IOC_OPAL_GET_STATUS: ++ ret = opal_get_status(dev, arg); ++ break; + default: + break; + } + +- kfree(p); ++ if (cmd & IOC_IN) ++ kfree(p); + return ret; + } + EXPORT_SYMBOL_GPL(sed_ioctl); +diff --git a/include/linux/sed-opal.h b/include/linux/sed-opal.h +index 1ac0d712a9c3..6f837bb6c715 100644 +--- a/include/linux/sed-opal.h ++++ b/include/linux/sed-opal.h +@@ -43,6 +43,7 @@ static inline bool is_sed_ioctl(unsigned int cmd) + case IOC_OPAL_MBR_DONE: + case IOC_OPAL_WRITE_SHADOW_MBR: + case IOC_OPAL_GENERIC_TABLE_RW: ++ case IOC_OPAL_GET_STATUS: + return true; + } + return false; +diff --git a/include/uapi/linux/sed-opal.h b/include/uapi/linux/sed-opal.h +index 6f5af1a84213..2573772e2fb3 100644 +--- a/include/uapi/linux/sed-opal.h ++++ b/include/uapi/linux/sed-opal.h +@@ -132,6 +132,18 @@ struct opal_read_write_table { + __u64 priv; + }; + ++#define OPAL_FL_SUPPORTED 0x00000001 ++#define OPAL_FL_LOCKING_SUPPORTED 0x00000002 ++#define OPAL_FL_LOCKING_ENABLED 0x00000004 ++#define OPAL_FL_LOCKED 0x00000008 ++#define OPAL_FL_MBR_ENABLED 0x00000010 ++#define OPAL_FL_MBR_DONE 0x00000020 ++ ++struct opal_status { ++ __u32 flags; ++ __u32 reserved; ++}; ++ + #define IOC_OPAL_SAVE _IOW('p', 220, struct opal_lock_unlock) + #define IOC_OPAL_LOCK_UNLOCK _IOW('p', 221, struct opal_lock_unlock) + #define IOC_OPAL_TAKE_OWNERSHIP _IOW('p', 222, struct opal_key) +@@ -148,5 +160,6 @@ struct opal_read_write_table { + #define IOC_OPAL_MBR_DONE _IOW('p', 233, struct opal_mbr_done) + #define IOC_OPAL_WRITE_SHADOW_MBR _IOW('p', 234, struct opal_shadow_mbr) + #define IOC_OPAL_GENERIC_TABLE_RW _IOW('p', 235, struct opal_read_write_table) ++#define IOC_OPAL_GET_STATUS _IOR('p', 236, struct opal_status) + + #endif /* _UAPI_SED_OPAL_H */ +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-avoid-hci_dev_test_and_set_flag-in-mgmt_in.patch b/queue-6.0/bluetooth-avoid-hci_dev_test_and_set_flag-in-mgmt_in.patch new file mode 100644 index 00000000000..787d4c90100 --- /dev/null +++ b/queue-6.0/bluetooth-avoid-hci_dev_test_and_set_flag-in-mgmt_in.patch @@ -0,0 +1,60 @@ +From 688bab541911201c90a243f371e24d67ae8b480a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 01:21:42 +0900 +Subject: Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev() + +From: Tetsuo Handa + +[ Upstream commit f74ca25d6d6629ffd4fd80a1a73037253b57d06b ] + +syzbot is again reporting attempt to cancel uninitialized work +at mgmt_index_removed() [1], for setting of HCI_MGMT flag from +mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can +race with testing of HCI_MGMT flag from mgmt_index_removed() from +hci_sock_bind() due to lack of serialization via hci_dev_lock(). + +Since mgmt_init_hdev() is called with mgmt_chan_list_lock held, we can +safely split hci_dev_test_and_set_flag() into hci_dev_test_flag() and +hci_dev_set_flag(). Thus, in order to close this race, set HCI_MGMT flag +after INIT_DELAYED_WORK() completed. + +This is a local fix based on mgmt_chan_list_lock. Lack of serialization +via hci_dev_lock() might be causing different race conditions somewhere +else. But a global fix based on hci_dev_lock() should deserve a future +patch. + +Link: https://syzkaller.appspot.com/bug?extid=844c7bf1b1aa4119c5de +Reported-by: syzbot+844c7bf1b1aa4119c5de@syzkaller.appspotmail.com +Signed-off-by: Tetsuo Handa +Fixes: 3f2893d3c142986a ("Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/mgmt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c +index 72e6595a71cc..3d1cd0666968 100644 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -1050,7 +1050,7 @@ static void discov_off(struct work_struct *work) + + static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev) + { +- if (hci_dev_test_and_set_flag(hdev, HCI_MGMT)) ++ if (hci_dev_test_flag(hdev, HCI_MGMT)) + return; + + BT_INFO("MGMT ver %d.%d", MGMT_VERSION, MGMT_REVISION); +@@ -1065,6 +1065,8 @@ static void mgmt_init_hdev(struct sock *sk, struct hci_dev *hdev) + * it + */ + hci_dev_clear_flag(hdev, HCI_BONDABLE); ++ ++ hci_dev_set_flag(hdev, HCI_MGMT); + } + + static int read_controller_info(struct sock *sk, struct hci_dev *hdev, +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-btintel-mark-intel-controller-to-support-l.patch b/queue-6.0/bluetooth-btintel-mark-intel-controller-to-support-l.patch new file mode 100644 index 00000000000..60f63117883 --- /dev/null +++ b/queue-6.0/bluetooth-btintel-mark-intel-controller-to-support-l.patch @@ -0,0 +1,73 @@ +From 90d5816edbd96d9b25492b9774188dd032c0a2af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 12:49:45 +0530 +Subject: Bluetooth: btintel: Mark Intel controller to support LE_STATES quirk + +From: Kiran K + +[ Upstream commit dd0a1794f4334ddbf9b7c5e7d642aaffff38c69b ] + +HarrrisonPeak, CyclonePeak, SnowFieldPeak and SandyPeak controllers +are marked to support HCI_QUIRK_LE_STATES. + +Signed-off-by: Kiran K +Signed-off-by: Chethan T N +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btintel.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c +index 818681c89db8..d44a96667517 100644 +--- a/drivers/bluetooth/btintel.c ++++ b/drivers/bluetooth/btintel.c +@@ -2439,15 +2439,20 @@ static int btintel_setup_combined(struct hci_dev *hdev) + INTEL_ROM_LEGACY_NO_WBS_SUPPORT)) + set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, + &hdev->quirks); ++ if (ver.hw_variant == 0x08 && ver.fw_variant == 0x22) ++ set_bit(HCI_QUIRK_VALID_LE_STATES, ++ &hdev->quirks); + + err = btintel_legacy_rom_setup(hdev, &ver); + break; + case 0x0b: /* SfP */ +- case 0x0c: /* WsP */ + case 0x11: /* JfP */ + case 0x12: /* ThP */ + case 0x13: /* HrP */ + case 0x14: /* CcP */ ++ set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); ++ fallthrough; ++ case 0x0c: /* WsP */ + /* Apply the device specific HCI quirks + * + * All Legacy bootloader devices support WBS +@@ -2455,11 +2460,6 @@ static int btintel_setup_combined(struct hci_dev *hdev) + set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, + &hdev->quirks); + +- /* Valid LE States quirk for JfP/ThP familiy */ +- if (ver.hw_variant == 0x11 || ver.hw_variant == 0x12) +- set_bit(HCI_QUIRK_VALID_LE_STATES, +- &hdev->quirks); +- + /* Setup MSFT Extension support */ + btintel_set_msft_opcode(hdev, ver.hw_variant); + +@@ -2530,9 +2530,8 @@ static int btintel_setup_combined(struct hci_dev *hdev) + */ + set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, &hdev->quirks); + +- /* Valid LE States quirk for JfP/ThP familiy */ +- if (ver.hw_variant == 0x11 || ver.hw_variant == 0x12) +- set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); ++ /* Set Valid LE States quirk */ ++ set_bit(HCI_QUIRK_VALID_LE_STATES, &hdev->quirks); + + /* Setup MSFT Extension support */ + btintel_set_msft_opcode(hdev, ver.hw_variant); +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-btusb-mediatek-fix-wmt-failure-during-runt.patch b/queue-6.0/bluetooth-btusb-mediatek-fix-wmt-failure-during-runt.patch new file mode 100644 index 00000000000..ed092a75c72 --- /dev/null +++ b/queue-6.0/bluetooth-btusb-mediatek-fix-wmt-failure-during-runt.patch @@ -0,0 +1,62 @@ +From a6404a1bca426dbb740979738b18befbefb7b22a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 08:49:07 +0800 +Subject: Bluetooth: btusb: mediatek: fix WMT failure during runtime suspend + +From: Sean Wang + +[ Upstream commit fd3f106677bac70437dc12e76c827294ed495a44 ] + +WMT cmd/event doesn't follow up the generic HCI cmd/event handling, it +needs constantly polling control pipe until the host received the WMT +event, thus, we should require to specifically acquire PM counter on the +USB to prevent the interface from entering auto suspended while WMT +cmd/event in progress. + +Fixes: a1c49c434e15 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices") +Co-developed-by: Jing Cai +Signed-off-by: Jing Cai +Signed-off-by: Sean Wang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 15caa6469538..1bb46cbff0fa 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2477,15 +2477,29 @@ static int btusb_mtk_hci_wmt_sync(struct hci_dev *hdev, + + set_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags); + ++ /* WMT cmd/event doesn't follow up the generic HCI cmd/event handling, ++ * it needs constantly polling control pipe until the host received the ++ * WMT event, thus, we should require to specifically acquire PM counter ++ * on the USB to prevent the interface from entering auto suspended ++ * while WMT cmd/event in progress. ++ */ ++ err = usb_autopm_get_interface(data->intf); ++ if (err < 0) ++ goto err_free_wc; ++ + err = __hci_cmd_send(hdev, 0xfc6f, hlen, wc); + + if (err < 0) { + clear_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags); ++ usb_autopm_put_interface(data->intf); + goto err_free_wc; + } + + /* Submit control IN URB on demand to process the WMT event */ + err = btusb_mtk_submit_wmt_recv_urb(hdev); ++ ++ usb_autopm_put_interface(data->intf); ++ + if (err < 0) + goto err_free_wc; + +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-hci_-ldisc-serdev-check-percpu_init_rwsem-.patch b/queue-6.0/bluetooth-hci_-ldisc-serdev-check-percpu_init_rwsem-.patch new file mode 100644 index 00000000000..39254f702da --- /dev/null +++ b/queue-6.0/bluetooth-hci_-ldisc-serdev-check-percpu_init_rwsem-.patch @@ -0,0 +1,93 @@ +From 84fddcfd42d833dd3beff4d732df09fbb39d5638 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 23:58:12 +0900 +Subject: Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure + +From: Tetsuo Handa + +[ Upstream commit 3124d320c22f3f4388d9ac5c8f37eaad0cefd6b1 ] + +syzbot is reporting NULL pointer dereference at hci_uart_tty_close() [1], +for rcu_sync_enter() is called without rcu_sync_init() due to +hci_uart_tty_open() ignoring percpu_init_rwsem() failure. + +While we are at it, fix that hci_uart_register_device() ignores +percpu_init_rwsem() failure and hci_uart_unregister_device() does not +call percpu_free_rwsem(). + +Link: https://syzkaller.appspot.com/bug?extid=576dfca25381fb6fbc5f [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Fixes: 67d2f8781b9f00d1 ("Bluetooth: hci_ldisc: Allow sleeping while proto locks are held.") +Fixes: d73e172816652772 ("Bluetooth: hci_serdev: Init hci_uart proto_lock to avoid oops") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_ldisc.c | 7 +++++-- + drivers/bluetooth/hci_serdev.c | 10 +++++++--- + 2 files changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c +index f537673ede17..865112e96ff9 100644 +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -493,6 +493,11 @@ static int hci_uart_tty_open(struct tty_struct *tty) + BT_ERR("Can't allocate control structure"); + return -ENFILE; + } ++ if (percpu_init_rwsem(&hu->proto_lock)) { ++ BT_ERR("Can't allocate semaphore structure"); ++ kfree(hu); ++ return -ENOMEM; ++ } + + tty->disc_data = hu; + hu->tty = tty; +@@ -505,8 +510,6 @@ static int hci_uart_tty_open(struct tty_struct *tty) + INIT_WORK(&hu->init_ready, hci_uart_init_work); + INIT_WORK(&hu->write_work, hci_uart_write_work); + +- percpu_init_rwsem(&hu->proto_lock); +- + /* Flush any pending characters in the driver */ + tty_driver_flush_buffer(tty); + +diff --git a/drivers/bluetooth/hci_serdev.c b/drivers/bluetooth/hci_serdev.c +index c0e5f42ec6b7..f16fd79bc02b 100644 +--- a/drivers/bluetooth/hci_serdev.c ++++ b/drivers/bluetooth/hci_serdev.c +@@ -310,11 +310,12 @@ int hci_uart_register_device(struct hci_uart *hu, + + serdev_device_set_client_ops(hu->serdev, &hci_serdev_client_ops); + ++ if (percpu_init_rwsem(&hu->proto_lock)) ++ return -ENOMEM; ++ + err = serdev_device_open(hu->serdev); + if (err) +- return err; +- +- percpu_init_rwsem(&hu->proto_lock); ++ goto err_rwsem; + + err = p->open(hu); + if (err) +@@ -389,6 +390,8 @@ int hci_uart_register_device(struct hci_uart *hu, + p->close(hu); + err_open: + serdev_device_close(hu->serdev); ++err_rwsem: ++ percpu_free_rwsem(&hu->proto_lock); + return err; + } + EXPORT_SYMBOL_GPL(hci_uart_register_device); +@@ -410,5 +413,6 @@ void hci_uart_unregister_device(struct hci_uart *hu) + clear_bit(HCI_UART_PROTO_READY, &hu->flags); + serdev_device_close(hu->serdev); + } ++ percpu_free_rwsem(&hu->proto_lock); + } + EXPORT_SYMBOL_GPL(hci_uart_unregister_device); +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-hci_core-fix-not-handling-link-timeouts-pr.patch b/queue-6.0/bluetooth-hci_core-fix-not-handling-link-timeouts-pr.patch new file mode 100644 index 00000000000..212f2a7f08f --- /dev/null +++ b/queue-6.0/bluetooth-hci_core-fix-not-handling-link-timeouts-pr.patch @@ -0,0 +1,104 @@ +From 19bbc25ce02735c93d31096481aa5a8160dbea78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 15:44:42 -0700 +Subject: Bluetooth: hci_core: Fix not handling link timeouts propertly + +From: Luiz Augusto von Dentz + +[ Upstream commit 116523c8fac05d1d26f748fee7919a4ec5df67ea ] + +Change that introduced the use of __check_timeout did not account for +link types properly, it always assumes ACL_LINK is used thus causing +hdev->acl_last_tx to be used even in case of LE_LINK and then again +uses ACL_LINK with hci_link_tx_to. + +To fix this __check_timeout now takes the link type as parameter and +then procedure to use the right last_tx based on the link type and pass +it to hci_link_tx_to. + +Fixes: 1b1d29e51499 ("Bluetooth: Make use of __check_timeout on hci_sched_le") +Signed-off-by: Luiz Augusto von Dentz +Tested-by: David Beinder +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 9873d2e67988..e6be18eb7fe6 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3478,15 +3478,27 @@ static inline int __get_blocks(struct hci_dev *hdev, struct sk_buff *skb) + return DIV_ROUND_UP(skb->len - HCI_ACL_HDR_SIZE, hdev->block_len); + } + +-static void __check_timeout(struct hci_dev *hdev, unsigned int cnt) ++static void __check_timeout(struct hci_dev *hdev, unsigned int cnt, u8 type) + { +- if (!hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) { +- /* ACL tx timeout must be longer than maximum +- * link supervision timeout (40.9 seconds) */ +- if (!cnt && time_after(jiffies, hdev->acl_last_tx + +- HCI_ACL_TX_TIMEOUT)) +- hci_link_tx_to(hdev, ACL_LINK); ++ unsigned long last_tx; ++ ++ if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) ++ return; ++ ++ switch (type) { ++ case LE_LINK: ++ last_tx = hdev->le_last_tx; ++ break; ++ default: ++ last_tx = hdev->acl_last_tx; ++ break; + } ++ ++ /* tx timeout must be longer than maximum link supervision timeout ++ * (40.9 seconds) ++ */ ++ if (!cnt && time_after(jiffies, last_tx + HCI_ACL_TX_TIMEOUT)) ++ hci_link_tx_to(hdev, type); + } + + /* Schedule SCO */ +@@ -3544,7 +3556,7 @@ static void hci_sched_acl_pkt(struct hci_dev *hdev) + struct sk_buff *skb; + int quote; + +- __check_timeout(hdev, cnt); ++ __check_timeout(hdev, cnt, ACL_LINK); + + while (hdev->acl_cnt && + (chan = hci_chan_sent(hdev, ACL_LINK, "e))) { +@@ -3587,8 +3599,6 @@ static void hci_sched_acl_blk(struct hci_dev *hdev) + int quote; + u8 type; + +- __check_timeout(hdev, cnt); +- + BT_DBG("%s", hdev->name); + + if (hdev->dev_type == HCI_AMP) +@@ -3596,6 +3606,8 @@ static void hci_sched_acl_blk(struct hci_dev *hdev) + else + type = ACL_LINK; + ++ __check_timeout(hdev, cnt, type); ++ + while (hdev->block_cnt > 0 && + (chan = hci_chan_sent(hdev, type, "e))) { + u32 priority = (skb_peek(&chan->data_q))->priority; +@@ -3669,7 +3681,7 @@ static void hci_sched_le(struct hci_dev *hdev) + + cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt; + +- __check_timeout(hdev, cnt); ++ __check_timeout(hdev, cnt, LE_LINK); + + tmp = cnt; + while (cnt && (chan = hci_chan_sent(hdev, LE_LINK, "e))) { +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-hci_event-make-sure-iso-events-don-t-affec.patch b/queue-6.0/bluetooth-hci_event-make-sure-iso-events-don-t-affec.patch new file mode 100644 index 00000000000..d43eec9936e --- /dev/null +++ b/queue-6.0/bluetooth-hci_event-make-sure-iso-events-don-t-affec.patch @@ -0,0 +1,55 @@ +From 7f8af1bf803f7b8ccc3bd5842b37a66332388599 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 11:10:17 -0700 +Subject: Bluetooth: hci_event: Make sure ISO events don't affect non-ISO + connections + +From: Luiz Augusto von Dentz + +[ Upstream commit ed680f925aea76ac666f34d9923cb40558f4e97b ] + +ISO events (CIS/BIS) shall only be relevant for connection with link +type of ISO_LINK, otherwise the controller is probably buggy or it is +the result of fuzzer tools such as syzkaller. + +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index d6f0e6ca0e7e..ab79a978deb5 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -6778,6 +6778,13 @@ static void hci_le_cis_estabilished_evt(struct hci_dev *hdev, void *data, + goto unlock; + } + ++ if (conn->type != ISO_LINK) { ++ bt_dev_err(hdev, ++ "Invalid connection link type handle 0x%4.4x", ++ handle); ++ goto unlock; ++ } ++ + if (conn->role == HCI_ROLE_SLAVE) { + __le32 interval; + +@@ -6898,6 +6905,13 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data, + if (!conn) + goto unlock; + ++ if (conn->type != ISO_LINK) { ++ bt_dev_err(hdev, ++ "Invalid connection link type handle 0x%2.2x", ++ ev->handle); ++ goto unlock; ++ } ++ + if (ev->num_bis) + conn->handle = __le16_to_cpu(ev->bis_handle[0]); + +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-hci_sync-fix-not-indicating-power-state.patch b/queue-6.0/bluetooth-hci_sync-fix-not-indicating-power-state.patch new file mode 100644 index 00000000000..c79e777fcda --- /dev/null +++ b/queue-6.0/bluetooth-hci_sync-fix-not-indicating-power-state.patch @@ -0,0 +1,37 @@ +From edf3f23b2232b922de610ea43ac881873780de2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 13:12:30 -0700 +Subject: Bluetooth: hci_sync: Fix not indicating power state + +From: Luiz Augusto von Dentz + +[ Upstream commit 6abf0dae8c3c927f54e62c46faf8aba580ba0d04 ] + +When setting power state using legacy/non-mgmt API +(e.g hcitool hci0 up) the likes of mgmt_set_powered_complete won't be +called causing clients of the MGMT API to not be notified of the change +of the state. + +Fixes: cf75ad8b41d2 ("Bluetooth: hci_sync: Convert MGMT_SET_POWERED") +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Tedd Ho-Jeong An +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sync.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c +index fbd5613eebfc..f70798589bf5 100644 +--- a/net/bluetooth/hci_sync.c ++++ b/net/bluetooth/hci_sync.c +@@ -4355,6 +4355,7 @@ int hci_dev_open_sync(struct hci_dev *hdev) + hci_dev_test_flag(hdev, HCI_MGMT) && + hdev->dev_type == HCI_PRIMARY) { + ret = hci_powered_update_sync(hdev); ++ mgmt_power_on(hdev, ret); + } + } else { + /* Init failed, cleanup */ +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch b/queue-6.0/bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch new file mode 100644 index 00000000000..6be4d35f2a5 --- /dev/null +++ b/queue-6.0/bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch @@ -0,0 +1,67 @@ +From ec67039babdffa42118aa383e6f8592afaaeec5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 10:56:59 -0700 +Subject: Bluetooth: hci_sysfs: Fix attempting to call device_add multiple + times + +From: Luiz Augusto von Dentz + +[ Upstream commit 448a496f760664d3e2e79466aa1787e6abc922b5 ] + +device_add shall not be called multiple times as stated in its +documentation: + + 'Do not call this routine or device_register() more than once for + any device structure' + +Syzkaller reports a bug as follows [1]: +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:33! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +[...] +Call Trace: + + __list_add include/linux/list.h:69 [inline] + list_add_tail include/linux/list.h:102 [inline] + kobj_kset_join lib/kobject.c:164 [inline] + kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214 + kobject_add_varg lib/kobject.c:358 [inline] + kobject_add+0x150/0x1c0 lib/kobject.c:410 + device_add+0x368/0x1e90 drivers/base/core.c:3452 + hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53 + hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799 + hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110 + hci_event_func net/bluetooth/hci_event.c:7440 [inline] + hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495 + hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007 + process_one_work+0x991/0x1610 kernel/workqueue.c:2289 + worker_thread+0x665/0x1080 kernel/workqueue.c:2436 + kthread+0x2e4/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + + +Link: https://syzkaller.appspot.com/bug?id=da3246e2d33afdb92d66bc166a0934c5b146404a +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Hawkins Jiawei +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sysfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c +index 4e3e0451b08c..08542dfc2dc5 100644 +--- a/net/bluetooth/hci_sysfs.c ++++ b/net/bluetooth/hci_sysfs.c +@@ -48,6 +48,9 @@ void hci_conn_add_sysfs(struct hci_conn *conn) + + BT_DBG("conn %p", conn); + ++ if (device_is_registered(&conn->dev)) ++ return; ++ + dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle); + + if (device_add(&conn->dev) < 0) { +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-l2cap-fix-user-after-free.patch b/queue-6.0/bluetooth-l2cap-fix-user-after-free.patch new file mode 100644 index 00000000000..aa30d1a09d8 --- /dev/null +++ b/queue-6.0/bluetooth-l2cap-fix-user-after-free.patch @@ -0,0 +1,61 @@ +From 78722f230adea1d32f9db20b1f62f026784d9108 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 13:27:13 -0700 +Subject: Bluetooth: L2CAP: Fix user-after-free + +From: Luiz Augusto von Dentz + +[ Upstream commit 35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f ] + +This uses l2cap_chan_hold_unless_zero() after calling +__l2cap_get_chan_blah() to prevent the following trace: + +Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref +*kref) +Bluetooth: chan 0000000023c4974d +Bluetooth: parent 00000000ae861c08 +================================================================== +BUG: KASAN: use-after-free in __mutex_waiter_is_first +kernel/locking/mutex.c:191 [inline] +BUG: KASAN: use-after-free in __mutex_lock_common +kernel/locking/mutex.c:671 [inline] +BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400 +kernel/locking/mutex.c:729 +Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389 + +Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sungwoo Kim +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 770891f68703..1f34b82ca0ec 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -4309,6 +4309,12 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, + } + } + ++ chan = l2cap_chan_hold_unless_zero(chan); ++ if (!chan) { ++ err = -EBADSLT; ++ goto unlock; ++ } ++ + err = 0; + + l2cap_chan_lock(chan); +@@ -4338,6 +4344,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, + } + + l2cap_chan_unlock(chan); ++ l2cap_chan_put(chan); + + unlock: + mutex_unlock(&conn->chan_lock); +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch b/queue-6.0/bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch new file mode 100644 index 00000000000..bb2c24a29fa --- /dev/null +++ b/queue-6.0/bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch @@ -0,0 +1,82 @@ +From cce48609c8ef8523fb790f57db7e1189f2ff8ea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 00:32:56 +0900 +Subject: Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() + +From: Tetsuo Handa + +[ Upstream commit 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 ] + +syzbot is reporting cancel_delayed_work() without INIT_DELAYED_WORK() at +l2cap_chan_del() [1], for CONF_NOT_COMPLETE flag (which meant to prevent +l2cap_chan_del() from calling cancel_delayed_work()) is cleared by timer +which fires before l2cap_chan_del() is called by closing file descriptor +created by socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP). + +l2cap_bredr_sig_cmd(L2CAP_CONF_REQ) and l2cap_bredr_sig_cmd(L2CAP_CONF_RSP) +are calling l2cap_ertm_init(chan), and they call l2cap_chan_ready() (which +clears CONF_NOT_COMPLETE flag) only when l2cap_ertm_init(chan) succeeded. + +l2cap_sock_init() does not call l2cap_ertm_init(chan), and it instead sets +CONF_NOT_COMPLETE flag by calling l2cap_chan_set_defaults(). However, when +connect() is requested, "command 0x0409 tx timeout" happens after 2 seconds + from connect() request, and CONF_NOT_COMPLETE flag is cleared after 4 +seconds from connect() request, for l2cap_conn_start() from +l2cap_info_timeout() callback scheduled by + + schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); + +in l2cap_connect() is calling l2cap_chan_ready(). + +Fix this problem by initializing delayed works used by L2CAP_MODE_ERTM +mode as soon as l2cap_chan_create() allocates a channel, like I did in +commit be8597239379f0f5 ("Bluetooth: initialize skb_queue_head at +l2cap_chan_create()"). + +Link: https://syzkaller.appspot.com/bug?extid=83672956c7aa6af698b3 [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 2c9de67daadc..770891f68703 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -61,6 +61,9 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); + + static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + struct sk_buff_head *skbs, u8 event); ++static void l2cap_retrans_timeout(struct work_struct *work); ++static void l2cap_monitor_timeout(struct work_struct *work); ++static void l2cap_ack_timeout(struct work_struct *work); + + static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type) + { +@@ -476,6 +479,9 @@ struct l2cap_chan *l2cap_chan_create(void) + write_unlock(&chan_list_lock); + + INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout); ++ INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); ++ INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); ++ INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); + + chan->state = BT_OPEN; + +@@ -3320,10 +3326,6 @@ int l2cap_ertm_init(struct l2cap_chan *chan) + chan->rx_state = L2CAP_RX_STATE_RECV; + chan->tx_state = L2CAP_TX_STATE_XMIT; + +- INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); +- INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); +- INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); +- + skb_queue_head_init(&chan->srej_q); + + err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win); +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-prevent-double-register-of-suspend.patch b/queue-6.0/bluetooth-prevent-double-register-of-suspend.patch new file mode 100644 index 00000000000..0db90588daa --- /dev/null +++ b/queue-6.0/bluetooth-prevent-double-register-of-suspend.patch @@ -0,0 +1,69 @@ +From 11c1c1ab1a3b216441edeb40371465ec8b7ecbef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 09:58:15 -0700 +Subject: Bluetooth: Prevent double register of suspend + +From: Abhishek Pandit-Subedi + +[ Upstream commit 4b8af331bb4d4cc8bb91c284b11b98dd1e265185 ] + +Suspend notifier should only be registered and unregistered once per +hdev. Simplify this by only registering during driver registration and +simply exiting early when HCI_USER_CHANNEL is set. + +Reported-by: syzbot +Fixes: 359ee4f834f5 (Bluetooth: Unregister suspend with userchannel) +Signed-off-by: Abhishek Pandit-Subedi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 4 ++++ + net/bluetooth/hci_sock.c | 3 --- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index e6be18eb7fe6..6ae5aa5c0927 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -2400,6 +2400,10 @@ static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action, + container_of(nb, struct hci_dev, suspend_notifier); + int ret = 0; + ++ /* Userspace has full control of this device. Do nothing. */ ++ if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL)) ++ return NOTIFY_DONE; ++ + if (action == PM_SUSPEND_PREPARE) + ret = hci_suspend_dev(hdev); + else if (action == PM_POST_SUSPEND) +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 0d015d4a8e41..bd8358b44aa4 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -887,7 +887,6 @@ static int hci_sock_release(struct socket *sock) + */ + hci_dev_do_close(hdev); + hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); +- hci_register_suspend_notifier(hdev); + mgmt_index_added(hdev); + } + +@@ -1216,7 +1215,6 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, + } + + mgmt_index_removed(hdev); +- hci_unregister_suspend_notifier(hdev); + + err = hci_dev_open(hdev->id); + if (err) { +@@ -1231,7 +1229,6 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr, + err = 0; + } else { + hci_dev_clear_flag(hdev, HCI_USER_CHANNEL); +- hci_register_suspend_notifier(hdev); + mgmt_index_added(hdev); + hci_dev_put(hdev); + goto done; +-- +2.35.1 + diff --git a/queue-6.0/bluetooth-rfcomm-fix-possible-deadlock-on-socket-shu.patch b/queue-6.0/bluetooth-rfcomm-fix-possible-deadlock-on-socket-shu.patch new file mode 100644 index 00000000000..51fdbbc880f --- /dev/null +++ b/queue-6.0/bluetooth-rfcomm-fix-possible-deadlock-on-socket-shu.patch @@ -0,0 +1,51 @@ +From bee023759c0fc70eefade612dba6214aaa0d10de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 16:08:13 -0700 +Subject: Bluetooth: RFCOMM: Fix possible deadlock on socket shutdown/release + +From: Luiz Augusto von Dentz + +[ Upstream commit 812e92b824c1db16c9519f8624d48a9901a0d38f ] + +Due to change to switch to use lock_sock inside rfcomm_sk_state_change +the socket shutdown/release procedure can cause a deadlock: + + rfcomm_sock_shutdown(): + lock_sock(); + __rfcomm_sock_close(): + rfcomm_dlc_close(): + __rfcomm_dlc_close(): + rfcomm_dlc_lock(); + rfcomm_sk_state_change(): + lock_sock(); + +To fix this when the call __rfcomm_sock_close is now done without +holding the lock_sock since rfcomm_dlc_lock exists to protect +the dlc data there is no need to use lock_sock in that code path. + +Link: https://lore.kernel.org/all/CAD+dNTsbuU4w+Y_P7o+VEN7BYCAbZuwZx2+tH+OTzCdcZF82YA@mail.gmail.com/ +Fixes: b7ce436a5d79 ("Bluetooth: switch to lock_sock in RFCOMM") +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/rfcomm/sock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index 4bf4ea6cbb5e..21e24da4847f 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -902,7 +902,10 @@ static int rfcomm_sock_shutdown(struct socket *sock, int how) + lock_sock(sk); + if (!sk->sk_shutdown) { + sk->sk_shutdown = SHUTDOWN_MASK; ++ ++ release_sock(sk); + __rfcomm_sock_close(sk); ++ lock_sock(sk); + + if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime && + !(current->flags & PF_EXITING)) +-- +2.35.1 + diff --git a/queue-6.0/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch b/queue-6.0/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch new file mode 100644 index 00000000000..d8c5cbf6862 --- /dev/null +++ b/queue-6.0/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch @@ -0,0 +1,40 @@ +From b52b7af93fac5f4b00a41c49955b4d84b9a6f558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 14:28:43 +0800 +Subject: bnx2x: fix potential memory leak in bnx2x_tpa_stop() + +From: Jianglei Nie + +[ Upstream commit b43f9acbb8942b05252be83ac25a81cec70cc192 ] + +bnx2x_tpa_stop() allocates a memory chunk from new_data with +bnx2x_frag_alloc(). The new_data should be freed when gets some error. +But when "pad + len > fp->rx_buf_size" is true, bnx2x_tpa_stop() returns +without releasing the new_data, which will lead to a memory leak. + +We should free the new_data with bnx2x_frag_free() when "pad + len > +fp->rx_buf_size" is true. + +Fixes: 07b0f00964def8af9321cfd6c4a7e84f6362f728 ("bnx2x: fix possible panic under memory stress") +Signed-off-by: Jianglei Nie +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +index 712b5595bc39..24bfc65e28e1 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -789,6 +789,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp, + BNX2X_ERR("skb_put is about to fail... pad %d len %d rx_buf_size %d\n", + pad, len, fp->rx_buf_size); + bnx2x_panic(); ++ bnx2x_frag_free(fp, new_data); + return; + } + #endif +-- +2.35.1 + diff --git a/queue-6.0/bnxt_en-replace-reset-with-config-timestamps.patch b/queue-6.0/bnxt_en-replace-reset-with-config-timestamps.patch new file mode 100644 index 00000000000..df26c2f69c4 --- /dev/null +++ b/queue-6.0/bnxt_en-replace-reset-with-config-timestamps.patch @@ -0,0 +1,53 @@ +From 8b8914ee2bff7ebd41fb722f34dd0a9b241a61d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 22:10:38 +0300 +Subject: bnxt_en: replace reset with config timestamps + +From: Vadim Fedorenko + +[ Upstream commit 8db3d514e96715c897fe793c4d5fc0fd86aca517 ] + +Any change to the hardware timestamps configuration triggers nic restart, +which breaks transmition and reception of network packets for a while. +But there is no need to fully restart the device because while configuring +hardware timestamps. The code for changing configuration runs after all +of the initialisation, when the NIC is actually up and running. This patch +changes the code that ioctl will only update configuration registers and +will not trigger carrier status change, but in case of timestamps for +all rx packetes it fallbacks to close()/open() sequnce because of +synchronization issues in the hardware. Tested on BCM57504. + +Cc: Richard Cochran +Signed-off-by: Vadim Fedorenko +Reviewed-by: Michael Chan +Link: https://lore.kernel.org/r/20220922191038.29921-1-vfedorenko@novek.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +index 8e316367f6ce..2132ce63193c 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +@@ -505,9 +505,13 @@ static int bnxt_hwrm_ptp_cfg(struct bnxt *bp) + ptp->tstamp_filters = flags; + + if (netif_running(bp->dev)) { +- rc = bnxt_close_nic(bp, false, false); +- if (!rc) +- rc = bnxt_open_nic(bp, false, false); ++ if (ptp->rx_filter == HWTSTAMP_FILTER_ALL) { ++ rc = bnxt_close_nic(bp, false, false); ++ if (!rc) ++ rc = bnxt_open_nic(bp, false, false); ++ } else { ++ bnxt_ptp_cfg_tstamp_filters(bp); ++ } + if (!rc && !ptp->tstamp_filters) + rc = -EIO; + } +-- +2.35.1 + diff --git a/queue-6.0/bpf-adjust-kprobe_multi-entry_ip-for-config_x86_kern.patch b/queue-6.0/bpf-adjust-kprobe_multi-entry_ip-for-config_x86_kern.patch new file mode 100644 index 00000000000..32b55bf706f --- /dev/null +++ b/queue-6.0/bpf-adjust-kprobe_multi-entry_ip-for-config_x86_kern.patch @@ -0,0 +1,108 @@ +From bf15e28c9c6eec82799002b09c64af70019746aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 17:33:38 +0200 +Subject: bpf: Adjust kprobe_multi entry_ip for CONFIG_X86_KERNEL_IBT + +From: Jiri Olsa + +[ Upstream commit c09eb2e578eb1668bbc84dc07e8d8bd6f04b9a02 ] + +Martynas reported bpf_get_func_ip returning +4 address when +CONFIG_X86_KERNEL_IBT option is enabled. + +When CONFIG_X86_KERNEL_IBT is enabled we'll have endbr instruction +at the function entry, which screws return value of bpf_get_func_ip() +helper that should return the function address. + +There's short term workaround for kprobe_multi bpf program made by +Alexei [1], but we need this fixup also for bpf_get_attach_cookie, +that returns cookie based on the entry_ip value. + +Moving the fixup in the fprobe handler, so both bpf_get_func_ip +and bpf_get_attach_cookie get expected function address when +CONFIG_X86_KERNEL_IBT option is enabled. + +Also renaming kprobe_multi_link_handler entry_ip argument to fentry_ip +so it's clearer this is an ftrace __fentry__ ip. + +[1] commit 7f0059b58f02 ("selftests/bpf: Fix kprobe_multi test.") + +Cc: Peter Zijlstra +Reported-by: Martynas Pumputis +Acked-by: Andrii Nakryiko +Signed-off-by: Jiri Olsa +Link: https://lore.kernel.org/r/20220926153340.1621984-5-jolsa@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/trace/bpf_trace.c | 20 +++++++++++++++++-- + .../selftests/bpf/progs/kprobe_multi.c | 4 +--- + 2 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c +index 68e5cdd24cef..b1daf7c9b895 100644 +--- a/kernel/trace/bpf_trace.c ++++ b/kernel/trace/bpf_trace.c +@@ -1026,6 +1026,22 @@ static const struct bpf_func_proto bpf_get_func_ip_proto_tracing = { + .arg1_type = ARG_PTR_TO_CTX, + }; + ++#ifdef CONFIG_X86_KERNEL_IBT ++static unsigned long get_entry_ip(unsigned long fentry_ip) ++{ ++ u32 instr; ++ ++ /* Being extra safe in here in case entry ip is on the page-edge. */ ++ if (get_kernel_nofault(instr, (u32 *) fentry_ip - 1)) ++ return fentry_ip; ++ if (is_endbr(instr)) ++ fentry_ip -= ENDBR_INSN_SIZE; ++ return fentry_ip; ++} ++#else ++#define get_entry_ip(fentry_ip) fentry_ip ++#endif ++ + BPF_CALL_1(bpf_get_func_ip_kprobe, struct pt_regs *, regs) + { + struct kprobe *kp = kprobe_running(); +@@ -2414,13 +2430,13 @@ kprobe_multi_link_prog_run(struct bpf_kprobe_multi_link *link, + } + + static void +-kprobe_multi_link_handler(struct fprobe *fp, unsigned long entry_ip, ++kprobe_multi_link_handler(struct fprobe *fp, unsigned long fentry_ip, + struct pt_regs *regs) + { + struct bpf_kprobe_multi_link *link; + + link = container_of(fp, struct bpf_kprobe_multi_link, fp); +- kprobe_multi_link_prog_run(link, entry_ip, regs); ++ kprobe_multi_link_prog_run(link, get_entry_ip(fentry_ip), regs); + } + + static int symbols_cmp_r(const void *a, const void *b, const void *priv) +diff --git a/tools/testing/selftests/bpf/progs/kprobe_multi.c b/tools/testing/selftests/bpf/progs/kprobe_multi.c +index 08f95a8155d1..98c3399e15c0 100644 +--- a/tools/testing/selftests/bpf/progs/kprobe_multi.c ++++ b/tools/testing/selftests/bpf/progs/kprobe_multi.c +@@ -36,15 +36,13 @@ __u64 kretprobe_test6_result = 0; + __u64 kretprobe_test7_result = 0; + __u64 kretprobe_test8_result = 0; + +-extern bool CONFIG_X86_KERNEL_IBT __kconfig __weak; +- + static void kprobe_multi_check(void *ctx, bool is_return) + { + if (bpf_get_current_pid_tgid() >> 32 != pid) + return; + + __u64 cookie = test_cookie ? bpf_get_attach_cookie(ctx) : 0; +- __u64 addr = bpf_get_func_ip(ctx) - (CONFIG_X86_KERNEL_IBT ? 4 : 0); ++ __u64 addr = bpf_get_func_ip(ctx); + + #define SET(__var, __addr, __cookie) ({ \ + if (((const void *) addr == __addr) && \ +-- +2.35.1 + diff --git a/queue-6.0/bpf-btf-fix-truncated-last_member_type_id-in-btf_str.patch b/queue-6.0/bpf-btf-fix-truncated-last_member_type_id-in-btf_str.patch new file mode 100644 index 00000000000..b73fa52fb08 --- /dev/null +++ b/queue-6.0/bpf-btf-fix-truncated-last_member_type_id-in-btf_str.patch @@ -0,0 +1,47 @@ +From 6bdd1482ad84d4001ce9b652d8f4a3c14de5c2b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Sep 2022 11:01:20 +0000 +Subject: bpf: btf: fix truncated last_member_type_id in btf_struct_resolve + +From: Lorenz Bauer + +[ Upstream commit a37a32583e282d8d815e22add29bc1e91e19951a ] + +When trying to finish resolving a struct member, btf_struct_resolve +saves the member type id in a u16 temporary variable. This truncates +the 32 bit type id value if it exceeds UINT16_MAX. + +As a result, structs that have members with type ids > UINT16_MAX and +which need resolution will fail with a message like this: + + [67414] STRUCT ff_device size=120 vlen=12 + effect_owners type_id=67434 bits_offset=960 Member exceeds struct_size + +Fix this by changing the type of last_member_type_id to u32. + +Fixes: a0791f0df7d2 ("bpf: fix BTF limits") +Reviewed-by: Stanislav Fomichev +Signed-off-by: Lorenz Bauer +Link: https://lore.kernel.org/r/20220910110120.339242-1-oss@lmb.io +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/btf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c +index 7e64447659f3..36fd4b509294 100644 +--- a/kernel/bpf/btf.c ++++ b/kernel/bpf/btf.c +@@ -3128,7 +3128,7 @@ static int btf_struct_resolve(struct btf_verifier_env *env, + if (v->next_member) { + const struct btf_type *last_member_type; + const struct btf_member *last_member; +- u16 last_member_type_id; ++ u32 last_member_type_id; + + last_member = btf_type_member(v->t) + v->next_member - 1; + last_member_type_id = last_member->type; +-- +2.35.1 + diff --git a/queue-6.0/bpf-cgroup-reject-prog_attach_flags-array-when-effec.patch b/queue-6.0/bpf-cgroup-reject-prog_attach_flags-array-when-effec.patch new file mode 100644 index 00000000000..31800ef864f --- /dev/null +++ b/queue-6.0/bpf-cgroup-reject-prog_attach_flags-array-when-effec.patch @@ -0,0 +1,156 @@ +From c860ebe44f2873f1dbdc4221877e1660b3512bc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 10:46:02 +0000 +Subject: bpf, cgroup: Reject prog_attach_flags array when effective query + +From: Pu Lehui + +[ Upstream commit 0e426a3ae030a9e891899370229e117158b35de6 ] + +Attach flags is only valid for attached progs of this layer cgroup, +but not for effective progs. For querying with EFFECTIVE flags, +exporting attach flags does not make sense. So when effective query, +we reject prog_attach_flags array and don't need to populate it. +Also we limit attach_flags to output 0 during effective query. + +Fixes: b79c9fc9551b ("bpf: implement BPF_PROG_QUERY for BPF_LSM_CGROUP") +Signed-off-by: Pu Lehui +Link: https://lore.kernel.org/r/20220921104604.2340580-2-pulehui@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + include/uapi/linux/bpf.h | 7 +++++-- + kernel/bpf/cgroup.c | 28 ++++++++++++++++++---------- + tools/include/uapi/linux/bpf.h | 7 +++++-- + 3 files changed, 28 insertions(+), 14 deletions(-) + +diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h +index 59a217ca2dfd..4eff7fc7ae58 100644 +--- a/include/uapi/linux/bpf.h ++++ b/include/uapi/linux/bpf.h +@@ -1233,7 +1233,7 @@ enum { + + /* Query effective (directly attached + inherited from ancestor cgroups) + * programs that will be executed for events within a cgroup. +- * attach_flags with this flag are returned only for directly attached programs. ++ * attach_flags with this flag are always returned 0. + */ + #define BPF_F_QUERY_EFFECTIVE (1U << 0) + +@@ -1432,7 +1432,10 @@ union bpf_attr { + __u32 attach_flags; + __aligned_u64 prog_ids; + __u32 prog_cnt; +- __aligned_u64 prog_attach_flags; /* output: per-program attach_flags */ ++ /* output: per-program attach_flags. ++ * not allowed to be set during effective query. ++ */ ++ __aligned_u64 prog_attach_flags; + } query; + + struct { /* anonymous struct used by BPF_RAW_TRACEPOINT_OPEN command */ +diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c +index 4a400cd63731..22888aaa68b6 100644 +--- a/kernel/bpf/cgroup.c ++++ b/kernel/bpf/cgroup.c +@@ -1020,6 +1020,7 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr, + union bpf_attr __user *uattr) + { + __u32 __user *prog_attach_flags = u64_to_user_ptr(attr->query.prog_attach_flags); ++ bool effective_query = attr->query.query_flags & BPF_F_QUERY_EFFECTIVE; + __u32 __user *prog_ids = u64_to_user_ptr(attr->query.prog_ids); + enum bpf_attach_type type = attr->query.attach_type; + enum cgroup_bpf_attach_type from_atype, to_atype; +@@ -1029,8 +1030,12 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr, + int total_cnt = 0; + u32 flags; + ++ if (effective_query && prog_attach_flags) ++ return -EINVAL; ++ + if (type == BPF_LSM_CGROUP) { +- if (attr->query.prog_cnt && prog_ids && !prog_attach_flags) ++ if (!effective_query && attr->query.prog_cnt && ++ prog_ids && !prog_attach_flags) + return -EINVAL; + + from_atype = CGROUP_LSM_START; +@@ -1045,7 +1050,7 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr, + } + + for (atype = from_atype; atype <= to_atype; atype++) { +- if (attr->query.query_flags & BPF_F_QUERY_EFFECTIVE) { ++ if (effective_query) { + effective = rcu_dereference_protected(cgrp->bpf.effective[atype], + lockdep_is_held(&cgroup_mutex)); + total_cnt += bpf_prog_array_length(effective); +@@ -1054,6 +1059,8 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr, + } + } + ++ /* always output uattr->query.attach_flags as 0 during effective query */ ++ flags = effective_query ? 0 : flags; + if (copy_to_user(&uattr->query.attach_flags, &flags, sizeof(flags))) + return -EFAULT; + if (copy_to_user(&uattr->query.prog_cnt, &total_cnt, sizeof(total_cnt))) +@@ -1068,7 +1075,7 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr, + } + + for (atype = from_atype; atype <= to_atype && total_cnt; atype++) { +- if (attr->query.query_flags & BPF_F_QUERY_EFFECTIVE) { ++ if (effective_query) { + effective = rcu_dereference_protected(cgrp->bpf.effective[atype], + lockdep_is_held(&cgroup_mutex)); + cnt = min_t(int, bpf_prog_array_length(effective), total_cnt); +@@ -1090,15 +1097,16 @@ static int __cgroup_bpf_query(struct cgroup *cgrp, const union bpf_attr *attr, + if (++i == cnt) + break; + } +- } + +- if (prog_attach_flags) { +- flags = cgrp->bpf.flags[atype]; ++ if (prog_attach_flags) { ++ flags = cgrp->bpf.flags[atype]; + +- for (i = 0; i < cnt; i++) +- if (copy_to_user(prog_attach_flags + i, &flags, sizeof(flags))) +- return -EFAULT; +- prog_attach_flags += cnt; ++ for (i = 0; i < cnt; i++) ++ if (copy_to_user(prog_attach_flags + i, ++ &flags, sizeof(flags))) ++ return -EFAULT; ++ prog_attach_flags += cnt; ++ } + } + + prog_ids += cnt; +diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h +index 59a217ca2dfd..4eff7fc7ae58 100644 +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -1233,7 +1233,7 @@ enum { + + /* Query effective (directly attached + inherited from ancestor cgroups) + * programs that will be executed for events within a cgroup. +- * attach_flags with this flag are returned only for directly attached programs. ++ * attach_flags with this flag are always returned 0. + */ + #define BPF_F_QUERY_EFFECTIVE (1U << 0) + +@@ -1432,7 +1432,10 @@ union bpf_attr { + __u32 attach_flags; + __aligned_u64 prog_ids; + __u32 prog_cnt; +- __aligned_u64 prog_attach_flags; /* output: per-program attach_flags */ ++ /* output: per-program attach_flags. ++ * not allowed to be set during effective query. ++ */ ++ __aligned_u64 prog_attach_flags; + } query; + + struct { /* anonymous struct used by BPF_RAW_TRACEPOINT_OPEN command */ +-- +2.35.1 + diff --git a/queue-6.0/bpf-cleanup-check_refcount_ok.patch b/queue-6.0/bpf-cleanup-check_refcount_ok.patch new file mode 100644 index 00000000000..158c78c4858 --- /dev/null +++ b/queue-6.0/bpf-cleanup-check_refcount_ok.patch @@ -0,0 +1,171 @@ +From 0a983e5a6bc67e1bbe7fe1015434b59acbb470b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 10:15:59 -0700 +Subject: bpf: Cleanup check_refcount_ok + +From: Dave Marchevsky + +[ Upstream commit b2d8ef19c6e7ed71ba5092feb0710063a751834f ] + +Discussion around a recently-submitted patch provided historical +context for check_refcount_ok [0]. Specifically, the function and its +helpers - may_be_acquire_function and arg_type_may_be_refcounted - +predate the OBJ_RELEASE type flag and the addition of many more helpers +with acquire/release semantics. + +The purpose of check_refcount_ok is to ensure: + 1) Helper doesn't have multiple uses of return reg's ref_obj_id + 2) Helper with release semantics only has one arg needing to be + released, since that's tracked using meta->ref_obj_id + +With current verifier, it's safe to remove check_refcount_ok and its +helpers. Since addition of OBJ_RELEASE type flag, case 2) has been +handled by the arg_type_is_release check in check_func_arg. To ensure +case 1) won't result in verifier silently prioritizing one use of +ref_obj_id, this patch adds a helper_multiple_ref_obj_use check which +fails loudly if a helper passes > 1 test for use of ref_obj_id. + + [0]: lore.kernel.org/bpf/20220713234529.4154673-1-davemarchevsky@fb.com + +Signed-off-by: Dave Marchevsky +Acked-by: Martin KaFai Lau +Acked-by: Joanne Koong +Acked-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20220808171559.3251090-1-davemarchevsky@fb.com +Signed-off-by: Alexei Starovoitov +Stable-dep-of: 883743422ced ("bpf: Fix ref_obj_id for dynptr data slices in verifier") +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 74 +++++++++++++++++-------------------------- + 1 file changed, 29 insertions(+), 45 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 3eadb14e090b..1141a35216a7 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -467,25 +467,11 @@ static bool type_is_rdonly_mem(u32 type) + return type & MEM_RDONLY; + } + +-static bool arg_type_may_be_refcounted(enum bpf_arg_type type) +-{ +- return type == ARG_PTR_TO_SOCK_COMMON; +-} +- + static bool type_may_be_null(u32 type) + { + return type & PTR_MAYBE_NULL; + } + +-static bool may_be_acquire_function(enum bpf_func_id func_id) +-{ +- return func_id == BPF_FUNC_sk_lookup_tcp || +- func_id == BPF_FUNC_sk_lookup_udp || +- func_id == BPF_FUNC_skc_lookup_tcp || +- func_id == BPF_FUNC_map_lookup_elem || +- func_id == BPF_FUNC_ringbuf_reserve; +-} +- + static bool is_acquire_function(enum bpf_func_id func_id, + const struct bpf_map *map) + { +@@ -518,6 +504,26 @@ static bool is_ptr_cast_function(enum bpf_func_id func_id) + func_id == BPF_FUNC_skc_to_tcp_request_sock; + } + ++static bool is_dynptr_acquire_function(enum bpf_func_id func_id) ++{ ++ return func_id == BPF_FUNC_dynptr_data; ++} ++ ++static bool helper_multiple_ref_obj_use(enum bpf_func_id func_id, ++ const struct bpf_map *map) ++{ ++ int ref_obj_uses = 0; ++ ++ if (is_ptr_cast_function(func_id)) ++ ref_obj_uses++; ++ if (is_acquire_function(func_id, map)) ++ ref_obj_uses++; ++ if (is_dynptr_acquire_function(func_id)) ++ ref_obj_uses++; ++ ++ return ref_obj_uses > 1; ++} ++ + static bool is_cmpxchg_insn(const struct bpf_insn *insn) + { + return BPF_CLASS(insn->code) == BPF_STX && +@@ -6456,33 +6462,6 @@ static bool check_arg_pair_ok(const struct bpf_func_proto *fn) + return true; + } + +-static bool check_refcount_ok(const struct bpf_func_proto *fn, int func_id) +-{ +- int count = 0; +- +- if (arg_type_may_be_refcounted(fn->arg1_type)) +- count++; +- if (arg_type_may_be_refcounted(fn->arg2_type)) +- count++; +- if (arg_type_may_be_refcounted(fn->arg3_type)) +- count++; +- if (arg_type_may_be_refcounted(fn->arg4_type)) +- count++; +- if (arg_type_may_be_refcounted(fn->arg5_type)) +- count++; +- +- /* A reference acquiring function cannot acquire +- * another refcounted ptr. +- */ +- if (may_be_acquire_function(func_id) && count) +- return false; +- +- /* We only support one arg being unreferenced at the moment, +- * which is sufficient for the helper functions we have right now. +- */ +- return count <= 1; +-} +- + static bool check_btf_id_ok(const struct bpf_func_proto *fn) + { + int i; +@@ -6506,8 +6485,7 @@ static int check_func_proto(const struct bpf_func_proto *fn, int func_id, + { + return check_raw_mode_ok(fn) && + check_arg_pair_ok(fn) && +- check_btf_id_ok(fn) && +- check_refcount_ok(fn, func_id) ? 0 : -EINVAL; ++ check_btf_id_ok(fn) ? 0 : -EINVAL; + } + + /* Packet data might have moved, any old PTR_TO_PACKET[_META,_END] +@@ -7460,6 +7438,12 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn + if (type_may_be_null(regs[BPF_REG_0].type)) + regs[BPF_REG_0].id = ++env->id_gen; + ++ if (helper_multiple_ref_obj_use(func_id, meta.map_ptr)) { ++ verbose(env, "verifier internal error: func %s#%d sets ref_obj_id more than once\n", ++ func_id_name(func_id), func_id); ++ return -EFAULT; ++ } ++ + if (is_ptr_cast_function(func_id)) { + /* For release_reference() */ + regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id; +@@ -7472,10 +7456,10 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn + regs[BPF_REG_0].id = id; + /* For release_reference() */ + regs[BPF_REG_0].ref_obj_id = id; +- } else if (func_id == BPF_FUNC_dynptr_data) { ++ } else if (is_dynptr_acquire_function(func_id)) { + int dynptr_id = 0, i; + +- /* Find the id of the dynptr we're acquiring a reference to */ ++ /* Find the id of the dynptr we're tracking the reference of */ + for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++) { + if (arg_type_is_dynptr(fn->arg_type[i])) { + if (dynptr_id) { +-- +2.35.1 + diff --git a/queue-6.0/bpf-disable-preemption-when-increasing-per-cpu-map_l.patch b/queue-6.0/bpf-disable-preemption-when-increasing-per-cpu-map_l.patch new file mode 100644 index 00000000000..ac0c5399e66 --- /dev/null +++ b/queue-6.0/bpf-disable-preemption-when-increasing-per-cpu-map_l.patch @@ -0,0 +1,113 @@ +From 6bfab3bfec3c315cf1aa2520d8efa9cddcb4dfca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 12:26:27 +0800 +Subject: bpf: Disable preemption when increasing per-cpu map_locked + +From: Hou Tao + +[ Upstream commit 2775da21628738ce073a3a6a806adcbaada0f091 ] + +Per-cpu htab->map_locked is used to prohibit the concurrent accesses +from both NMI and non-NMI contexts. But since commit 74d862b682f5 +("sched: Make migrate_disable/enable() independent of RT"), +migrate_disable() is also preemptible under CONFIG_PREEMPT case, so now +map_locked also disallows concurrent updates from normal contexts +(e.g. userspace processes) unexpectedly as shown below: + +process A process B + +htab_map_update_elem() + htab_lock_bucket() + migrate_disable() + /* return 1 */ + __this_cpu_inc_return() + /* preempted by B */ + + htab_map_update_elem() + /* the same bucket as A */ + htab_lock_bucket() + migrate_disable() + /* return 2, so lock fails */ + __this_cpu_inc_return() + return -EBUSY + +A fix that seems feasible is using in_nmi() in htab_lock_bucket() and +only checking the value of map_locked for nmi context. But it will +re-introduce dead-lock on bucket lock if htab_lock_bucket() is re-entered +through non-tracing program (e.g. fentry program). + +One cannot use preempt_disable() to fix this issue as htab_use_raw_lock +being false causes the bucket lock to be a spin lock which can sleep and +does not work with preempt_disable(). + +Therefore, use migrate_disable() when using the spinlock instead of +preempt_disable() and defer fixing concurrent updates to when the kernel +has its own BPF memory allocator. + +Fixes: 74d862b682f5 ("sched: Make migrate_disable/enable() independent of RT") +Reviewed-by: Hao Luo +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20220831042629.130006-2-houtao@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/hashtab.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index 6c530a5e560a..ad09da139589 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -162,17 +162,25 @@ static inline int htab_lock_bucket(const struct bpf_htab *htab, + unsigned long *pflags) + { + unsigned long flags; ++ bool use_raw_lock; + + hash = hash & HASHTAB_MAP_LOCK_MASK; + +- migrate_disable(); ++ use_raw_lock = htab_use_raw_lock(htab); ++ if (use_raw_lock) ++ preempt_disable(); ++ else ++ migrate_disable(); + if (unlikely(__this_cpu_inc_return(*(htab->map_locked[hash])) != 1)) { + __this_cpu_dec(*(htab->map_locked[hash])); +- migrate_enable(); ++ if (use_raw_lock) ++ preempt_enable(); ++ else ++ migrate_enable(); + return -EBUSY; + } + +- if (htab_use_raw_lock(htab)) ++ if (use_raw_lock) + raw_spin_lock_irqsave(&b->raw_lock, flags); + else + spin_lock_irqsave(&b->lock, flags); +@@ -185,13 +193,18 @@ static inline void htab_unlock_bucket(const struct bpf_htab *htab, + struct bucket *b, u32 hash, + unsigned long flags) + { ++ bool use_raw_lock = htab_use_raw_lock(htab); ++ + hash = hash & HASHTAB_MAP_LOCK_MASK; +- if (htab_use_raw_lock(htab)) ++ if (use_raw_lock) + raw_spin_unlock_irqrestore(&b->raw_lock, flags); + else + spin_unlock_irqrestore(&b->lock, flags); + __this_cpu_dec(*(htab->map_locked[hash])); +- migrate_enable(); ++ if (use_raw_lock) ++ preempt_enable(); ++ else ++ migrate_enable(); + } + + static bool htab_lru_map_delete_node(void *arg, struct bpf_lru_node *node); +-- +2.35.1 + diff --git a/queue-6.0/bpf-ensure-correct-locking-around-vulnerable-functio.patch b/queue-6.0/bpf-ensure-correct-locking-around-vulnerable-functio.patch new file mode 100644 index 00000000000..61b1c9804f7 --- /dev/null +++ b/queue-6.0/bpf-ensure-correct-locking-around-vulnerable-functio.patch @@ -0,0 +1,43 @@ +From af5c2d8d48dad29af2b033fa9749012fddab4faa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 14:38:55 +0100 +Subject: bpf: Ensure correct locking around vulnerable function find_vpid() + +From: Lee Jones + +[ Upstream commit 83c10cc362d91c0d8d25e60779ee52fdbbf3894d ] + +The documentation for find_vpid() clearly states: + + "Must be called with the tasklist_lock or rcu_read_lock() held." + +Presently we do neither for find_vpid() instance in bpf_task_fd_query(). +Add proper rcu_read_lock/unlock() to fix the issue. + +Fixes: 41bdc4b40ed6f ("bpf: introduce bpf subcommand BPF_TASK_FD_QUERY") +Signed-off-by: Lee Jones +Signed-off-by: Daniel Borkmann +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20220912133855.1218900-1-lee@kernel.org +Signed-off-by: Sasha Levin +--- + kernel/bpf/syscall.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index f798acd43a28..22e7a805c672 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -4395,7 +4395,9 @@ static int bpf_task_fd_query(const union bpf_attr *attr, + if (attr->task_fd_query.flags != 0) + return -EINVAL; + ++ rcu_read_lock(); + task = get_pid_task(find_vpid(pid), PIDTYPE_PID); ++ rcu_read_unlock(); + if (!task) + return -ENOENT; + +-- +2.35.1 + diff --git a/queue-6.0/bpf-fix-ref_obj_id-for-dynptr-data-slices-in-verifie.patch b/queue-6.0/bpf-fix-ref_obj_id-for-dynptr-data-slices-in-verifie.patch new file mode 100644 index 00000000000..6b8ac2cedcc --- /dev/null +++ b/queue-6.0/bpf-fix-ref_obj_id-for-dynptr-data-slices-in-verifie.patch @@ -0,0 +1,111 @@ +From 013ce3fd2e6d3344c1cac5cf64584741629233cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Aug 2022 14:40:54 -0700 +Subject: bpf: Fix ref_obj_id for dynptr data slices in verifier + +From: Joanne Koong + +[ Upstream commit 883743422ced8c961ab05dc63ec81b75a4e56052 ] + +When a data slice is obtained from a dynptr (through the bpf_dynptr_data API), +the ref obj id of the dynptr must be found and then associated with the data +slice. + +The ref obj id of the dynptr must be found *before* the caller saved regs are +reset. Without this fix, the ref obj id tracking is not correct for +dynptrs that are at an offset from the frame pointer. + +Please also note that the data slice's ref obj id must be assigned after the +ret types are parsed, since RET_PTR_TO_ALLOC_MEM-type return regs get +zero-marked. + +Fixes: 34d4ef5775f7 ("bpf: Add dynptr data slices") +Signed-off-by: Joanne Koong +Acked-by: David Vernet +Link: https://lore.kernel.org/r/20220809214055.4050604-1-joannelkoong@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 38 ++++++++++++++++++++------------------ + 1 file changed, 20 insertions(+), 18 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 1141a35216a7..c127585ad429 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -504,7 +504,7 @@ static bool is_ptr_cast_function(enum bpf_func_id func_id) + func_id == BPF_FUNC_skc_to_tcp_request_sock; + } + +-static bool is_dynptr_acquire_function(enum bpf_func_id func_id) ++static bool is_dynptr_ref_function(enum bpf_func_id func_id) + { + return func_id == BPF_FUNC_dynptr_data; + } +@@ -518,7 +518,7 @@ static bool helper_multiple_ref_obj_use(enum bpf_func_id func_id, + ref_obj_uses++; + if (is_acquire_function(func_id, map)) + ref_obj_uses++; +- if (is_dynptr_acquire_function(func_id)) ++ if (is_dynptr_ref_function(func_id)) + ref_obj_uses++; + + return ref_obj_uses > 1; +@@ -7322,6 +7322,23 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn + } + } + break; ++ case BPF_FUNC_dynptr_data: ++ for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++) { ++ if (arg_type_is_dynptr(fn->arg_type[i])) { ++ if (meta.ref_obj_id) { ++ verbose(env, "verifier internal error: meta.ref_obj_id already set\n"); ++ return -EFAULT; ++ } ++ /* Find the id of the dynptr we're tracking the reference of */ ++ meta.ref_obj_id = stack_slot_get_id(env, ®s[BPF_REG_1 + i]); ++ break; ++ } ++ } ++ if (i == MAX_BPF_FUNC_REG_ARGS) { ++ verbose(env, "verifier internal error: no dynptr in bpf_dynptr_data()\n"); ++ return -EFAULT; ++ } ++ break; + } + + if (err) +@@ -7444,7 +7461,7 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn + return -EFAULT; + } + +- if (is_ptr_cast_function(func_id)) { ++ if (is_ptr_cast_function(func_id) || is_dynptr_ref_function(func_id)) { + /* For release_reference() */ + regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id; + } else if (is_acquire_function(func_id, meta.map_ptr)) { +@@ -7456,21 +7473,6 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn + regs[BPF_REG_0].id = id; + /* For release_reference() */ + regs[BPF_REG_0].ref_obj_id = id; +- } else if (is_dynptr_acquire_function(func_id)) { +- int dynptr_id = 0, i; +- +- /* Find the id of the dynptr we're tracking the reference of */ +- for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++) { +- if (arg_type_is_dynptr(fn->arg_type[i])) { +- if (dynptr_id) { +- verbose(env, "verifier internal error: multiple dynptr args in func\n"); +- return -EFAULT; +- } +- dynptr_id = stack_slot_get_id(env, ®s[BPF_REG_1 + i]); +- } +- } +- /* For release_reference() */ +- regs[BPF_REG_0].ref_obj_id = dynptr_id; + } + + do_refine_retval_range(regs, fn->ret_type, func_id, &meta); +-- +2.35.1 + diff --git a/queue-6.0/bpf-fix-reference-state-management-for-synchronous-c.patch b/queue-6.0/bpf-fix-reference-state-management-for-synchronous-c.patch new file mode 100644 index 00000000000..b7fd76132f9 --- /dev/null +++ b/queue-6.0/bpf-fix-reference-state-management-for-synchronous-c.patch @@ -0,0 +1,190 @@ +From 84ad2ecdf75728fe7de1a8864cf0e35ecff430e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 03:31:25 +0200 +Subject: bpf: Fix reference state management for synchronous callbacks + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit 9d9d00ac29d0ef7ce426964de46fa6b380357d0a ] + +Currently, verifier verifies callback functions (sync and async) as if +they will be executed once, (i.e. it explores execution state as if the +function was being called once). The next insn to explore is set to +start of subprog and the exit from nested frame is handled using +curframe > 0 and prepare_func_exit. In case of async callback it uses a +customized variant of push_stack simulating a kind of branch to set up +custom state and execution context for the async callback. + +While this approach is simple and works when callback really will be +executed only once, it is unsafe for all of our current helpers which +are for_each style, i.e. they execute the callback multiple times. + +A callback releasing acquired references of the caller may do so +multiple times, but currently verifier sees it as one call inside the +frame, which then returns to caller. Hence, it thinks it released some +reference that the cb e.g. got access through callback_ctx (register +filled inside cb from spilled typed register on stack). + +Similarly, it may see that an acquire call is unpaired inside the +callback, so the caller will copy the reference state of callback and +then will have to release the register with new ref_obj_ids. But again, +the callback may execute multiple times, but the verifier will only +account for acquired references for a single symbolic execution of the +callback, which will cause leaks. + +Note that for async callback case, things are different. While currently +we have bpf_timer_set_callback which only executes it once, even for +multiple executions it would be safe, as reference state is NULL and +check_reference_leak would force program to release state before +BPF_EXIT. The state is also unaffected by analysis for the caller frame. +Hence async callback is safe. + +Since we want the reference state to be accessible, e.g. for pointers +loaded from stack through callback_ctx's PTR_TO_STACK, we still have to +copy caller's reference_state to callback's bpf_func_state, but we +enforce that whatever references it adds to that reference_state has +been released before it hits BPF_EXIT. This requires introducing a new +callback_ref member in the reference state to distinguish between caller +vs callee references. Hence, check_reference_leak now errors out if it +sees we are in callback_fn and we have not released callback_ref refs. +Since there can be multiple nested callbacks, like frame 0 -> cb1 -> cb2 +etc. we need to also distinguish between whether this particular ref +belongs to this callback frame or parent, and only error for our own, so +we store state->frameno (which is always non-zero for callbacks). + +In short, callbacks can read parent reference_state, but cannot mutate +it, to be able to use pointers acquired by the caller. They must only +undo their changes (by releasing their own acquired_refs before +BPF_EXIT) on top of caller reference_state before returning (at which +point the caller and callback state will match anyway, so no need to +copy it back to caller). + +Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper") +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20220823013125.24938-1-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + include/linux/bpf_verifier.h | 11 ++++++++++ + kernel/bpf/verifier.c | 42 ++++++++++++++++++++++++++++-------- + 2 files changed, 44 insertions(+), 9 deletions(-) + +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h +index 2e3bad8640dc..1fdddbf3546b 100644 +--- a/include/linux/bpf_verifier.h ++++ b/include/linux/bpf_verifier.h +@@ -212,6 +212,17 @@ struct bpf_reference_state { + * is used purely to inform the user of a reference leak. + */ + int insn_idx; ++ /* There can be a case like: ++ * main (frame 0) ++ * cb (frame 1) ++ * func (frame 3) ++ * cb (frame 4) ++ * Hence for frame 4, if callback_ref just stored boolean, it would be ++ * impossible to distinguish nested callback refs. Hence store the ++ * frameno and compare that to callback_ref in check_reference_leak when ++ * exiting a callback function. ++ */ ++ int callback_ref; + }; + + /* state of the program: +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index c127585ad429..8b5ea7f6b536 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1092,6 +1092,7 @@ static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx) + id = ++env->id_gen; + state->refs[new_ofs].id = id; + state->refs[new_ofs].insn_idx = insn_idx; ++ state->refs[new_ofs].callback_ref = state->in_callback_fn ? state->frameno : 0; + + return id; + } +@@ -1104,6 +1105,9 @@ static int release_reference_state(struct bpf_func_state *state, int ptr_id) + last_idx = state->acquired_refs - 1; + for (i = 0; i < state->acquired_refs; i++) { + if (state->refs[i].id == ptr_id) { ++ /* Cannot release caller references in callbacks */ ++ if (state->in_callback_fn && state->refs[i].callback_ref != state->frameno) ++ return -EINVAL; + if (last_idx && i != last_idx) + memcpy(&state->refs[i], &state->refs[last_idx], + sizeof(*state->refs)); +@@ -6919,10 +6923,17 @@ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx) + caller->regs[BPF_REG_0] = *r0; + } + +- /* Transfer references to the caller */ +- err = copy_reference_state(caller, callee); +- if (err) +- return err; ++ /* callback_fn frame should have released its own additions to parent's ++ * reference state at this point, or check_reference_leak would ++ * complain, hence it must be the same as the caller. There is no need ++ * to copy it back. ++ */ ++ if (!callee->in_callback_fn) { ++ /* Transfer references to the caller */ ++ err = copy_reference_state(caller, callee); ++ if (err) ++ return err; ++ } + + *insn_idx = callee->callsite + 1; + if (env->log.level & BPF_LOG_LEVEL) { +@@ -7044,13 +7055,20 @@ record_func_key(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta, + static int check_reference_leak(struct bpf_verifier_env *env) + { + struct bpf_func_state *state = cur_func(env); ++ bool refs_lingering = false; + int i; + ++ if (state->frameno && !state->in_callback_fn) ++ return 0; ++ + for (i = 0; i < state->acquired_refs; i++) { ++ if (state->in_callback_fn && state->refs[i].callback_ref != state->frameno) ++ continue; + verbose(env, "Unreleased reference id=%d alloc_insn=%d\n", + state->refs[i].id, state->refs[i].insn_idx); ++ refs_lingering = true; + } +- return state->acquired_refs ? -EINVAL : 0; ++ return refs_lingering ? -EINVAL : 0; + } + + static int check_bpf_snprintf_call(struct bpf_verifier_env *env, +@@ -12319,6 +12337,16 @@ static int do_check(struct bpf_verifier_env *env) + return -EINVAL; + } + ++ /* We must do check_reference_leak here before ++ * prepare_func_exit to handle the case when ++ * state->curframe > 0, it may be a callback ++ * function, for which reference_state must ++ * match caller reference state when it exits. ++ */ ++ err = check_reference_leak(env); ++ if (err) ++ return err; ++ + if (state->curframe) { + /* exit from nested function */ + err = prepare_func_exit(env, &env->insn_idx); +@@ -12328,10 +12356,6 @@ static int do_check(struct bpf_verifier_env *env) + continue; + } + +- err = check_reference_leak(env); +- if (err) +- return err; +- + err = check_return_code(env); + if (err) + return err; +-- +2.35.1 + diff --git a/queue-6.0/bpf-only-add-btf-ids-for-socket-security-hooks-when-.patch b/queue-6.0/bpf-only-add-btf-ids-for-socket-security-hooks-when-.patch new file mode 100644 index 00000000000..e2870baba5e --- /dev/null +++ b/queue-6.0/bpf-only-add-btf-ids-for-socket-security-hooks-when-.patch @@ -0,0 +1,69 @@ +From a1759e22e6619a41c2fb5633ab029f208fa23b20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 14:51:26 +0800 +Subject: bpf: Only add BTF IDs for socket security hooks when + CONFIG_SECURITY_NETWORK is on + +From: Hou Tao + +[ Upstream commit ef331a8d4c0061ea4d353cd0db1c9b33fd45f0f2 ] + +When CONFIG_SECURITY_NETWORK is disabled, there will be build warnings +from resolve_btfids: + + WARN: resolve_btfids: unresolved symbol bpf_lsm_socket_socketpair + ...... + WARN: resolve_btfids: unresolved symbol bpf_lsm_inet_conn_established + +Fixing it by wrapping these BTF ID definitions by CONFIG_SECURITY_NETWORK. + +Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor") +Fixes: 9113d7e48e91 ("bpf: expose bpf_{g,s}etsockopt to lsm cgroup") +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20220901065126.3856297-1-houtao@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_lsm.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c +index fa71d58b7ded..832a0e48a2a1 100644 +--- a/kernel/bpf/bpf_lsm.c ++++ b/kernel/bpf/bpf_lsm.c +@@ -41,17 +41,21 @@ BTF_SET_END(bpf_lsm_hooks) + */ + BTF_SET_START(bpf_lsm_current_hooks) + /* operate on freshly allocated sk without any cgroup association */ ++#ifdef CONFIG_SECURITY_NETWORK + BTF_ID(func, bpf_lsm_sk_alloc_security) + BTF_ID(func, bpf_lsm_sk_free_security) ++#endif + BTF_SET_END(bpf_lsm_current_hooks) + + /* List of LSM hooks that trigger while the socket is properly locked. + */ + BTF_SET_START(bpf_lsm_locked_sockopt_hooks) ++#ifdef CONFIG_SECURITY_NETWORK + BTF_ID(func, bpf_lsm_socket_sock_rcv_skb) + BTF_ID(func, bpf_lsm_sock_graft) + BTF_ID(func, bpf_lsm_inet_csk_clone) + BTF_ID(func, bpf_lsm_inet_conn_established) ++#endif + BTF_SET_END(bpf_lsm_locked_sockopt_hooks) + + /* List of LSM hooks that trigger while the socket is _not_ locked, +@@ -59,8 +63,10 @@ BTF_SET_END(bpf_lsm_locked_sockopt_hooks) + * in the early init phase. + */ + BTF_SET_START(bpf_lsm_unlocked_sockopt_hooks) ++#ifdef CONFIG_SECURITY_NETWORK + BTF_ID(func, bpf_lsm_socket_post_create) + BTF_ID(func, bpf_lsm_socket_socketpair) ++#endif + BTF_SET_END(bpf_lsm_unlocked_sockopt_hooks) + + #ifdef CONFIG_CGROUP_BPF +-- +2.35.1 + diff --git a/queue-6.0/bpf-propagate-error-from-htab_lock_bucket-to-userspa.patch b/queue-6.0/bpf-propagate-error-from-htab_lock_bucket-to-userspa.patch new file mode 100644 index 00000000000..396270df9b5 --- /dev/null +++ b/queue-6.0/bpf-propagate-error-from-htab_lock_bucket-to-userspa.patch @@ -0,0 +1,50 @@ +From 09c8286c845367e43a26a1b54fec7d07bb4054a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 12:26:28 +0800 +Subject: bpf: Propagate error from htab_lock_bucket() to userspace + +From: Hou Tao + +[ Upstream commit 66a7a92e4d0d091e79148a4c6ec15d1da65f4280 ] + +In __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns +-EBUSY, it will go to next bucket. Going to next bucket may not only +skip the elements in current bucket silently, but also incur +out-of-bound memory access or expose kernel memory to userspace if +current bucket_cnt is greater than bucket_size or zero. + +Fixing it by stopping batch operation and returning -EBUSY when +htab_lock_bucket() fails, and the application can retry or skip the busy +batch as needed. + +Fixes: 20b6cc34ea74 ("bpf: Avoid hashtab deadlock with map_locked") +Reported-by: Hao Sun +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20220831042629.130006-3-houtao@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/hashtab.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c +index ad09da139589..75f77df910dc 100644 +--- a/kernel/bpf/hashtab.c ++++ b/kernel/bpf/hashtab.c +@@ -1704,8 +1704,11 @@ __htab_map_lookup_and_delete_batch(struct bpf_map *map, + /* do not grab the lock unless need it (bucket_cnt > 0). */ + if (locked) { + ret = htab_lock_bucket(htab, b, batch, &flags); +- if (ret) +- goto next_batch; ++ if (ret) { ++ rcu_read_unlock(); ++ bpf_enable_instrumentation(); ++ goto after_loop; ++ } + } + + bucket_cnt = 0; +-- +2.35.1 + diff --git a/queue-6.0/bpf-use-bpf_prog_pack-for-bpf_dispatcher.patch b/queue-6.0/bpf-use-bpf_prog_pack-for-bpf_dispatcher.patch new file mode 100644 index 00000000000..093a7b7a1e0 --- /dev/null +++ b/queue-6.0/bpf-use-bpf_prog_pack-for-bpf_dispatcher.patch @@ -0,0 +1,244 @@ +From 31dfaa0450cb1ca003aa18c13d7f124fc90c27ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 11:47:38 -0700 +Subject: bpf: use bpf_prog_pack for bpf_dispatcher + +From: Song Liu + +[ Upstream commit 19c02415da2345d0dda2b5c4495bc17cc14b18b5 ] + +Allocate bpf_dispatcher with bpf_prog_pack_alloc so that bpf_dispatcher +can share pages with bpf programs. + +arch_prepare_bpf_dispatcher() is updated to provide a RW buffer as working +area for arch code to write to. + +This also fixes CPA W^X warnning like: + +CPA refuse W^X violation: 8000000000000163 -> 0000000000000163 range: ... + +Signed-off-by: Song Liu +Link: https://lore.kernel.org/r/20220926184739.3512547-2-song@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/x86/net/bpf_jit_comp.c | 16 ++++++++-------- + include/linux/bpf.h | 3 ++- + include/linux/filter.h | 5 +++++ + kernel/bpf/core.c | 9 +++++++-- + kernel/bpf/dispatcher.c | 27 +++++++++++++++++++++------ + 5 files changed, 43 insertions(+), 17 deletions(-) + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index c1f6c1c51d99..362562c832e6 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -2209,7 +2209,7 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image, void *i + return ret; + } + +-static int emit_bpf_dispatcher(u8 **pprog, int a, int b, s64 *progs) ++static int emit_bpf_dispatcher(u8 **pprog, int a, int b, s64 *progs, u8 *image, u8 *buf) + { + u8 *jg_reloc, *prog = *pprog; + int pivot, err, jg_bytes = 1; +@@ -2225,12 +2225,12 @@ static int emit_bpf_dispatcher(u8 **pprog, int a, int b, s64 *progs) + EMIT2_off32(0x81, add_1reg(0xF8, BPF_REG_3), + progs[a]); + err = emit_cond_near_jump(&prog, /* je func */ +- (void *)progs[a], prog, ++ (void *)progs[a], image + (prog - buf), + X86_JE); + if (err) + return err; + +- emit_indirect_jump(&prog, 2 /* rdx */, prog); ++ emit_indirect_jump(&prog, 2 /* rdx */, image + (prog - buf)); + + *pprog = prog; + return 0; +@@ -2255,7 +2255,7 @@ static int emit_bpf_dispatcher(u8 **pprog, int a, int b, s64 *progs) + jg_reloc = prog; + + err = emit_bpf_dispatcher(&prog, a, a + pivot, /* emit lower_part */ +- progs); ++ progs, image, buf); + if (err) + return err; + +@@ -2269,7 +2269,7 @@ static int emit_bpf_dispatcher(u8 **pprog, int a, int b, s64 *progs) + emit_code(jg_reloc - jg_bytes, jg_offset, jg_bytes); + + err = emit_bpf_dispatcher(&prog, a + pivot + 1, /* emit upper_part */ +- b, progs); ++ b, progs, image, buf); + if (err) + return err; + +@@ -2289,12 +2289,12 @@ static int cmp_ips(const void *a, const void *b) + return 0; + } + +-int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs) ++int arch_prepare_bpf_dispatcher(void *image, void *buf, s64 *funcs, int num_funcs) + { +- u8 *prog = image; ++ u8 *prog = buf; + + sort(funcs, num_funcs, sizeof(funcs[0]), cmp_ips, NULL); +- return emit_bpf_dispatcher(&prog, 0, num_funcs - 1, funcs); ++ return emit_bpf_dispatcher(&prog, 0, num_funcs - 1, funcs, image, buf); + } + + struct x64_jit_data { +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 20c26aed7896..80fc8a88c610 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -891,6 +891,7 @@ struct bpf_dispatcher { + struct bpf_dispatcher_prog progs[BPF_DISPATCHER_MAX]; + int num_progs; + void *image; ++ void *rw_image; + u32 image_off; + struct bpf_ksym ksym; + }; +@@ -909,7 +910,7 @@ int bpf_trampoline_unlink_prog(struct bpf_tramp_link *link, struct bpf_trampolin + struct bpf_trampoline *bpf_trampoline_get(u64 key, + struct bpf_attach_target_info *tgt_info); + void bpf_trampoline_put(struct bpf_trampoline *tr); +-int arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs); ++int arch_prepare_bpf_dispatcher(void *image, void *buf, s64 *funcs, int num_funcs); + #define BPF_DISPATCHER_INIT(_name) { \ + .mutex = __MUTEX_INITIALIZER(_name.mutex), \ + .func = &_name##_func, \ +diff --git a/include/linux/filter.h b/include/linux/filter.h +index a5f21dc3c432..f2c47df5ad2a 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -1018,6 +1018,8 @@ extern long bpf_jit_limit_max; + + typedef void (*bpf_jit_fill_hole_t)(void *area, unsigned int size); + ++void bpf_jit_fill_hole_with_zero(void *area, unsigned int size); ++ + struct bpf_binary_header * + bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr, + unsigned int alignment, +@@ -1030,6 +1032,9 @@ void bpf_jit_free(struct bpf_prog *fp); + struct bpf_binary_header * + bpf_jit_binary_pack_hdr(const struct bpf_prog *fp); + ++void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns); ++void bpf_prog_pack_free(struct bpf_binary_header *hdr); ++ + static inline bool bpf_prog_kallsyms_verify_off(const struct bpf_prog *fp) + { + return list_empty(&fp->aux->ksym.lnode) || +diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c +index 3d9eb3ae334c..c4600a5781de 100644 +--- a/kernel/bpf/core.c ++++ b/kernel/bpf/core.c +@@ -825,6 +825,11 @@ struct bpf_prog_pack { + unsigned long bitmap[]; + }; + ++void bpf_jit_fill_hole_with_zero(void *area, unsigned int size) ++{ ++ memset(area, 0, size); ++} ++ + #define BPF_PROG_SIZE_TO_NBITS(size) (round_up(size, BPF_PROG_CHUNK_SIZE) / BPF_PROG_CHUNK_SIZE) + + static DEFINE_MUTEX(pack_mutex); +@@ -864,7 +869,7 @@ static struct bpf_prog_pack *alloc_new_pack(bpf_jit_fill_hole_t bpf_fill_ill_ins + return pack; + } + +-static void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns) ++void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insns) + { + unsigned int nbits = BPF_PROG_SIZE_TO_NBITS(size); + struct bpf_prog_pack *pack; +@@ -905,7 +910,7 @@ static void *bpf_prog_pack_alloc(u32 size, bpf_jit_fill_hole_t bpf_fill_ill_insn + return ptr; + } + +-static void bpf_prog_pack_free(struct bpf_binary_header *hdr) ++void bpf_prog_pack_free(struct bpf_binary_header *hdr) + { + struct bpf_prog_pack *pack = NULL, *tmp; + unsigned int nbits; +diff --git a/kernel/bpf/dispatcher.c b/kernel/bpf/dispatcher.c +index 2444bd15cc2d..fa64b80b8bca 100644 +--- a/kernel/bpf/dispatcher.c ++++ b/kernel/bpf/dispatcher.c +@@ -85,12 +85,12 @@ static bool bpf_dispatcher_remove_prog(struct bpf_dispatcher *d, + return false; + } + +-int __weak arch_prepare_bpf_dispatcher(void *image, s64 *funcs, int num_funcs) ++int __weak arch_prepare_bpf_dispatcher(void *image, void *buf, s64 *funcs, int num_funcs) + { + return -ENOTSUPP; + } + +-static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image) ++static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image, void *buf) + { + s64 ips[BPF_DISPATCHER_MAX] = {}, *ipsp = &ips[0]; + int i; +@@ -99,12 +99,12 @@ static int bpf_dispatcher_prepare(struct bpf_dispatcher *d, void *image) + if (d->progs[i].prog) + *ipsp++ = (s64)(uintptr_t)d->progs[i].prog->bpf_func; + } +- return arch_prepare_bpf_dispatcher(image, &ips[0], d->num_progs); ++ return arch_prepare_bpf_dispatcher(image, buf, &ips[0], d->num_progs); + } + + static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs) + { +- void *old, *new; ++ void *old, *new, *tmp; + u32 noff; + int err; + +@@ -117,8 +117,14 @@ static void bpf_dispatcher_update(struct bpf_dispatcher *d, int prev_num_progs) + } + + new = d->num_progs ? d->image + noff : NULL; ++ tmp = d->num_progs ? d->rw_image + noff : NULL; + if (new) { +- if (bpf_dispatcher_prepare(d, new)) ++ /* Prepare the dispatcher in d->rw_image. Then use ++ * bpf_arch_text_copy to update d->image, which is RO+X. ++ */ ++ if (bpf_dispatcher_prepare(d, new, tmp)) ++ return; ++ if (IS_ERR(bpf_arch_text_copy(new, tmp, PAGE_SIZE / 2))) + return; + } + +@@ -140,9 +146,18 @@ void bpf_dispatcher_change_prog(struct bpf_dispatcher *d, struct bpf_prog *from, + + mutex_lock(&d->mutex); + if (!d->image) { +- d->image = bpf_jit_alloc_exec_page(); ++ d->image = bpf_prog_pack_alloc(PAGE_SIZE, bpf_jit_fill_hole_with_zero); + if (!d->image) + goto out; ++ d->rw_image = bpf_jit_alloc_exec(PAGE_SIZE); ++ if (!d->rw_image) { ++ u32 size = PAGE_SIZE; ++ ++ bpf_arch_text_copy(d->image, &size, sizeof(size)); ++ bpf_prog_pack_free((struct bpf_binary_header *)d->image); ++ d->image = NULL; ++ goto out; ++ } + bpf_image_ksym_add(d->image, &d->ksym); + } + +-- +2.35.1 + diff --git a/queue-6.0/bpf-use-this_cpu_-inc-dec-inc_return-for-bpf_task_st.patch b/queue-6.0/bpf-use-this_cpu_-inc-dec-inc_return-for-bpf_task_st.patch new file mode 100644 index 00000000000..2adb216a391 --- /dev/null +++ b/queue-6.0/bpf-use-this_cpu_-inc-dec-inc_return-for-bpf_task_st.patch @@ -0,0 +1,80 @@ +From 035d9e3789948241710c528cc074f8fa0380ccbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 14:19:35 +0800 +Subject: bpf: Use this_cpu_{inc|dec|inc_return} for bpf_task_storage_busy + +From: Hou Tao + +[ Upstream commit 197827a05e13808c60f52632e9887eede63f1c16 ] + +Now migrate_disable() does not disable preemption and under some +architectures (e.g. arm64) __this_cpu_{inc|dec|inc_return} are neither +preemption-safe nor IRQ-safe, so for fully preemptible kernel concurrent +lookups or updates on the same task local storage and on the same CPU +may make bpf_task_storage_busy be imbalanced, and +bpf_task_storage_trylock() on the specific cpu will always fail. + +Fixing it by using this_cpu_{inc|dec|inc_return} when manipulating +bpf_task_storage_busy. + +Fixes: bc235cdb423a ("bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]") +Signed-off-by: Hou Tao +Acked-by: Alexei Starovoitov +Link: https://lore.kernel.org/r/20220901061938.3789460-2-houtao@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/bpf_local_storage.c | 4 ++-- + kernel/bpf/bpf_task_storage.c | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c +index 8ce40fd869f6..d13ffb00e981 100644 +--- a/kernel/bpf/bpf_local_storage.c ++++ b/kernel/bpf/bpf_local_storage.c +@@ -555,11 +555,11 @@ void bpf_local_storage_map_free(struct bpf_local_storage_map *smap, + struct bpf_local_storage_elem, map_node))) { + if (busy_counter) { + migrate_disable(); +- __this_cpu_inc(*busy_counter); ++ this_cpu_inc(*busy_counter); + } + bpf_selem_unlink(selem, false); + if (busy_counter) { +- __this_cpu_dec(*busy_counter); ++ this_cpu_dec(*busy_counter); + migrate_enable(); + } + cond_resched_rcu(); +diff --git a/kernel/bpf/bpf_task_storage.c b/kernel/bpf/bpf_task_storage.c +index e9014dc62682..6f290623347e 100644 +--- a/kernel/bpf/bpf_task_storage.c ++++ b/kernel/bpf/bpf_task_storage.c +@@ -26,20 +26,20 @@ static DEFINE_PER_CPU(int, bpf_task_storage_busy); + static void bpf_task_storage_lock(void) + { + migrate_disable(); +- __this_cpu_inc(bpf_task_storage_busy); ++ this_cpu_inc(bpf_task_storage_busy); + } + + static void bpf_task_storage_unlock(void) + { +- __this_cpu_dec(bpf_task_storage_busy); ++ this_cpu_dec(bpf_task_storage_busy); + migrate_enable(); + } + + static bool bpf_task_storage_trylock(void) + { + migrate_disable(); +- if (unlikely(__this_cpu_inc_return(bpf_task_storage_busy) != 1)) { +- __this_cpu_dec(bpf_task_storage_busy); ++ if (unlikely(this_cpu_inc_return(bpf_task_storage_busy) != 1)) { ++ this_cpu_dec(bpf_task_storage_busy); + migrate_enable(); + return false; + } +-- +2.35.1 + diff --git a/queue-6.0/bpf-use-this_cpu_-inc_return-dec-for-prog-active.patch b/queue-6.0/bpf-use-this_cpu_-inc_return-dec-for-prog-active.patch new file mode 100644 index 00000000000..e19c981317b --- /dev/null +++ b/queue-6.0/bpf-use-this_cpu_-inc_return-dec-for-prog-active.patch @@ -0,0 +1,69 @@ +From cf872db648af62b52d089e90cfaa9be5d7c308e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 14:19:36 +0800 +Subject: bpf: Use this_cpu_{inc_return|dec} for prog->active + +From: Hou Tao + +[ Upstream commit c89e843a11f1075d27684f6b42256213e4592383 ] + +Both __this_cpu_inc_return() and __this_cpu_dec() are not preemption +safe and now migrate_disable() doesn't disable preemption, so the update +of prog-active is not atomic and in theory under fully preemptible kernel +recurisve prevention may do not work. + +Fixing by using the preemption-safe and IRQ-safe variants. + +Fixes: ca06f55b9002 ("bpf: Add per-program recursion prevention mechanism") +Signed-off-by: Hou Tao +Acked-by: Alexei Starovoitov +Link: https://lore.kernel.org/r/20220901061938.3789460-3-houtao@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + kernel/bpf/trampoline.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c +index ff87e38af8a7..ad76940b02cc 100644 +--- a/kernel/bpf/trampoline.c ++++ b/kernel/bpf/trampoline.c +@@ -895,7 +895,7 @@ u64 notrace __bpf_prog_enter(struct bpf_prog *prog, struct bpf_tramp_run_ctx *ru + + run_ctx->saved_run_ctx = bpf_set_run_ctx(&run_ctx->run_ctx); + +- if (unlikely(__this_cpu_inc_return(*(prog->active)) != 1)) { ++ if (unlikely(this_cpu_inc_return(*(prog->active)) != 1)) { + inc_misses_counter(prog); + return 0; + } +@@ -930,7 +930,7 @@ void notrace __bpf_prog_exit(struct bpf_prog *prog, u64 start, struct bpf_tramp_ + bpf_reset_run_ctx(run_ctx->saved_run_ctx); + + update_prog_stats(prog, start); +- __this_cpu_dec(*(prog->active)); ++ this_cpu_dec(*(prog->active)); + migrate_enable(); + rcu_read_unlock(); + } +@@ -966,7 +966,7 @@ u64 notrace __bpf_prog_enter_sleepable(struct bpf_prog *prog, struct bpf_tramp_r + migrate_disable(); + might_fault(); + +- if (unlikely(__this_cpu_inc_return(*(prog->active)) != 1)) { ++ if (unlikely(this_cpu_inc_return(*(prog->active)) != 1)) { + inc_misses_counter(prog); + return 0; + } +@@ -982,7 +982,7 @@ void notrace __bpf_prog_exit_sleepable(struct bpf_prog *prog, u64 start, + bpf_reset_run_ctx(run_ctx->saved_run_ctx); + + update_prog_stats(prog, start); +- __this_cpu_dec(*(prog->active)); ++ this_cpu_dec(*(prog->active)); + migrate_enable(); + rcu_read_unlock_trace(); + } +-- +2.35.1 + diff --git a/queue-6.0/bpftool-clear-errno-after-libcap-s-checks.patch b/queue-6.0/bpftool-clear-errno-after-libcap-s-checks.patch new file mode 100644 index 00000000000..64ce2df2719 --- /dev/null +++ b/queue-6.0/bpftool-clear-errno-after-libcap-s-checks.patch @@ -0,0 +1,70 @@ +From 8f1ca494b2820789d8209750ac06e6e47ea071f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 17:22:05 +0100 +Subject: bpftool: Clear errno after libcap's checks + +From: Quentin Monnet + +[ Upstream commit cea558855c39b7f1f02ff50dcf701ca6596bc964 ] + +When bpftool is linked against libcap, the library runs a "constructor" +function to compute the number of capabilities of the running kernel +[0], at the beginning of the execution of the program. As part of this, +it performs multiple calls to prctl(). Some of these may fail, and set +errno to a non-zero value: + + # strace -e prctl ./bpftool version + prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1 + prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument) + prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1 + prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument) + prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument) + prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument) + ** fprintf added at the top of main(): we have errno == 1 + ./bpftool v7.0.0 + using libbpf v1.0 + features: libbfd, libbpf_strict, skeletons + +++ exited with 0 +++ + +This has been addressed in libcap 2.63 [1], but until this version is +available everywhere, we can fix it on bpftool side. + +Let's clean errno at the beginning of the main() function, to make sure +that these checks do not interfere with the batch mode, where we error +out if errno is set after a bpftool command. + + [0] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/tree/libcap/cap_alloc.c?h=libcap-2.65#n20 + [1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=f25a1b7e69f7b33e6afb58b3e38f3450b7d2d9a0 + +Signed-off-by: Quentin Monnet +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20220815162205.45043-1-quentin@isovalent.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/main.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c +index 451cefc2d0da..ccd7457f92bf 100644 +--- a/tools/bpf/bpftool/main.c ++++ b/tools/bpf/bpftool/main.c +@@ -435,6 +435,16 @@ int main(int argc, char **argv) + + setlinebuf(stdout); + ++#ifdef USE_LIBCAP ++ /* Libcap < 2.63 hooks before main() to compute the number of ++ * capabilities of the running kernel, and doing so it calls prctl() ++ * which may fail and set errno to non-zero. ++ * Let's reset errno to make sure this does not interfere with the ++ * batch mode. ++ */ ++ errno = 0; ++#endif ++ + last_do_help = do_help; + pretty_output = false; + json_output = false; +-- +2.35.1 + diff --git a/queue-6.0/bpftool-fix-a-wrong-type-cast-in-btf_dumper_int.patch b/queue-6.0/bpftool-fix-a-wrong-type-cast-in-btf_dumper_int.patch new file mode 100644 index 00000000000..3b00103867c --- /dev/null +++ b/queue-6.0/bpftool-fix-a-wrong-type-cast-in-btf_dumper_int.patch @@ -0,0 +1,40 @@ +From 63148473cd74cb94edf7dd6e8c7fd42f3f911bed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 15:59:00 -0700 +Subject: bpftool: Fix a wrong type cast in btf_dumper_int + +From: Lam Thai + +[ Upstream commit 7184aef9c0f7a81db8fd18d183ee42481d89bf35 ] + +When `data` points to a boolean value, casting it to `int *` is problematic +and could lead to a wrong value being passed to `jsonw_bool`. Change the +cast to `bool *` instead. + +Fixes: b12d6ec09730 ("bpf: btf: add btf print functionality") +Signed-off-by: Lam Thai +Signed-off-by: Andrii Nakryiko +Reviewed-by: Quentin Monnet +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20220824225859.9038-1-lamthai@arista.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/btf_dumper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/bpf/bpftool/btf_dumper.c b/tools/bpf/bpftool/btf_dumper.c +index 125798b0bc5d..19924b6ce796 100644 +--- a/tools/bpf/bpftool/btf_dumper.c ++++ b/tools/bpf/bpftool/btf_dumper.c +@@ -452,7 +452,7 @@ static int btf_dumper_int(const struct btf_type *t, __u8 bit_offset, + *(char *)data); + break; + case BTF_INT_BOOL: +- jsonw_bool(jw, *(int *)data); ++ jsonw_bool(jw, *(bool *)data); + break; + default: + /* shouldn't happen */ +-- +2.35.1 + diff --git a/queue-6.0/bpftool-fix-wrong-cgroup-attach-flags-being-assigned.patch b/queue-6.0/bpftool-fix-wrong-cgroup-attach-flags-being-assigned.patch new file mode 100644 index 00000000000..fa16c4b6096 --- /dev/null +++ b/queue-6.0/bpftool-fix-wrong-cgroup-attach-flags-being-assigned.patch @@ -0,0 +1,180 @@ +From 79117e1487587553c159b0e2629da8c50066ebc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 10:46:03 +0000 +Subject: bpftool: Fix wrong cgroup attach flags being assigned to effective + progs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pu Lehui + +[ Upstream commit bdcee1b0b0834d031c76a12209840afe949b048a ] + +When root-cgroup attach multi progs and sub-cgroup attach a override prog, +bpftool will display incorrectly for the attach flags of the sub-cgroup’s +effective progs: + +$ bpftool cgroup tree /sys/fs/cgroup effective +CgroupPath +ID AttachType AttachFlags Name +/sys/fs/cgroup +6 cgroup_sysctl multi sysctl_tcp_mem +13 cgroup_sysctl multi sysctl_tcp_mem +/sys/fs/cgroup/cg1 +20 cgroup_sysctl override sysctl_tcp_mem +6 cgroup_sysctl override sysctl_tcp_mem <- wrong +13 cgroup_sysctl override sysctl_tcp_mem <- wrong +/sys/fs/cgroup/cg1/cg2 +20 cgroup_sysctl sysctl_tcp_mem +6 cgroup_sysctl sysctl_tcp_mem +13 cgroup_sysctl sysctl_tcp_mem + +Attach flags is only valid for attached progs of this layer cgroup, +but not for effective progs. For querying with EFFECTIVE flags, +exporting attach flags does not make sense. So let's remove the +AttachFlags field and the associated logic. After this patch, the +above effective cgroup tree will show as bellow: + +$ bpftool cgroup tree /sys/fs/cgroup effective +CgroupPath +ID AttachType Name +/sys/fs/cgroup +6 cgroup_sysctl sysctl_tcp_mem +13 cgroup_sysctl sysctl_tcp_mem +/sys/fs/cgroup/cg1 +20 cgroup_sysctl sysctl_tcp_mem +6 cgroup_sysctl sysctl_tcp_mem +13 cgroup_sysctl sysctl_tcp_mem +/sys/fs/cgroup/cg1/cg2 +20 cgroup_sysctl sysctl_tcp_mem +6 cgroup_sysctl sysctl_tcp_mem +13 cgroup_sysctl sysctl_tcp_mem + +Fixes: b79c9fc9551b ("bpf: implement BPF_PROG_QUERY for BPF_LSM_CGROUP") +Fixes: a98bf57391a2 ("tools: bpftool: add support for reporting the effective cgroup progs") +Signed-off-by: Pu Lehui +Link: https://lore.kernel.org/r/20220921104604.2340580-3-pulehui@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/cgroup.c | 54 ++++++++++++++++++++++++++++++++++---- + 1 file changed, 49 insertions(+), 5 deletions(-) + +diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c +index cced668fb2a3..b46a998d8f8d 100644 +--- a/tools/bpf/bpftool/cgroup.c ++++ b/tools/bpf/bpftool/cgroup.c +@@ -136,8 +136,8 @@ static int show_bpf_prog(int id, enum bpf_attach_type attach_type, + jsonw_string_field(json_wtr, "attach_type", attach_type_str); + else + jsonw_uint_field(json_wtr, "attach_type", attach_type); +- jsonw_string_field(json_wtr, "attach_flags", +- attach_flags_str); ++ if (!(query_flags & BPF_F_QUERY_EFFECTIVE)) ++ jsonw_string_field(json_wtr, "attach_flags", attach_flags_str); + jsonw_string_field(json_wtr, "name", prog_name); + if (attach_btf_name) + jsonw_string_field(json_wtr, "attach_btf_name", attach_btf_name); +@@ -150,7 +150,10 @@ static int show_bpf_prog(int id, enum bpf_attach_type attach_type, + printf("%-15s", attach_type_str); + else + printf("type %-10u", attach_type); +- printf(" %-15s %-15s", attach_flags_str, prog_name); ++ if (query_flags & BPF_F_QUERY_EFFECTIVE) ++ printf(" %-15s", prog_name); ++ else ++ printf(" %-15s %-15s", attach_flags_str, prog_name); + if (attach_btf_name) + printf(" %-15s", attach_btf_name); + else if (info.attach_btf_id) +@@ -195,6 +198,32 @@ static int cgroup_has_attached_progs(int cgroup_fd) + + return no_prog ? 0 : 1; + } ++ ++static int show_effective_bpf_progs(int cgroup_fd, enum bpf_attach_type type, ++ int level) ++{ ++ LIBBPF_OPTS(bpf_prog_query_opts, p); ++ __u32 prog_ids[1024] = {0}; ++ __u32 iter; ++ int ret; ++ ++ p.query_flags = query_flags; ++ p.prog_cnt = ARRAY_SIZE(prog_ids); ++ p.prog_ids = prog_ids; ++ ++ ret = bpf_prog_query_opts(cgroup_fd, type, &p); ++ if (ret) ++ return ret; ++ ++ if (p.prog_cnt == 0) ++ return 0; ++ ++ for (iter = 0; iter < p.prog_cnt; iter++) ++ show_bpf_prog(prog_ids[iter], type, NULL, level); ++ ++ return 0; ++} ++ + static int show_attached_bpf_progs(int cgroup_fd, enum bpf_attach_type type, + int level) + { +@@ -245,6 +274,14 @@ static int show_attached_bpf_progs(int cgroup_fd, enum bpf_attach_type type, + return 0; + } + ++static int show_bpf_progs(int cgroup_fd, enum bpf_attach_type type, ++ int level) ++{ ++ return query_flags & BPF_F_QUERY_EFFECTIVE ? ++ show_effective_bpf_progs(cgroup_fd, type, level) : ++ show_attached_bpf_progs(cgroup_fd, type, level); ++} ++ + static int do_show(int argc, char **argv) + { + enum bpf_attach_type type; +@@ -292,6 +329,8 @@ static int do_show(int argc, char **argv) + + if (json_output) + jsonw_start_array(json_wtr); ++ else if (query_flags & BPF_F_QUERY_EFFECTIVE) ++ printf("%-8s %-15s %-15s\n", "ID", "AttachType", "Name"); + else + printf("%-8s %-15s %-15s %-15s\n", "ID", "AttachType", + "AttachFlags", "Name"); +@@ -304,7 +343,7 @@ static int do_show(int argc, char **argv) + * If we were able to get the show for at least one + * attach type, let's return 0. + */ +- if (show_attached_bpf_progs(cgroup_fd, type, 0) == 0) ++ if (show_bpf_progs(cgroup_fd, type, 0) == 0) + ret = 0; + } + +@@ -362,7 +401,7 @@ static int do_show_tree_fn(const char *fpath, const struct stat *sb, + + btf_vmlinux = libbpf_find_kernel_btf(); + for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) +- show_attached_bpf_progs(cgroup_fd, type, ftw->level); ++ show_bpf_progs(cgroup_fd, type, ftw->level); + + if (errno == EINVAL) + /* Last attach type does not support query. +@@ -436,6 +475,11 @@ static int do_show_tree(int argc, char **argv) + + if (json_output) + jsonw_start_array(json_wtr); ++ else if (query_flags & BPF_F_QUERY_EFFECTIVE) ++ printf("%s\n" ++ "%-8s %-15s %-15s\n", ++ "CgroupPath", ++ "ID", "AttachType", "Name"); + else + printf("%s\n" + "%-8s %-15s %-15s %-15s\n", +-- +2.35.1 + diff --git a/queue-6.0/btrfs-add-kcsan-annotations-for-unlocked-access-to-b.patch b/queue-6.0/btrfs-add-kcsan-annotations-for-unlocked-access-to-b.patch new file mode 100644 index 00000000000..b00612f9837 --- /dev/null +++ b/queue-6.0/btrfs-add-kcsan-annotations-for-unlocked-access-to-b.patch @@ -0,0 +1,90 @@ +From 1d1a3f9298043318b9ce0d9ef5bba16c97e97c8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 18:32:23 +0200 +Subject: btrfs: add KCSAN annotations for unlocked access to block_rsv->full + +From: David Sterba + +[ Upstream commit 748f553c3c4c4f175c6c834358632aff802d72cf ] + +KCSAN reports that there's unlocked access mixed with locked access, +which is technically correct but is not a bug. To avoid false alerts at +least from KCSAN, add annotation and use a wrapper whenever ->full is +accessed for read outside of lock. + +It is used as a fast check and only advisory. In the worst case the +block reserve is found !full and becomes full in the meantime, but +properly handled. + +Depending on the value of ->full, btrfs_block_rsv_release decides +where to return the reservation, and block_rsv_release_bytes handles a +NULL pointer for block_rsv and if it's not NULL then it double checks +the full status under a lock. + +Link: https://lore.kernel.org/linux-btrfs/CAAwBoOJDjei5Hnem155N_cJwiEkVwJYvgN-tQrwWbZQGhFU=cA@mail.gmail.com/ +Link: https://lore.kernel.org/linux-btrfs/YvHU/vsXd7uz5V6j@hungrycats.org +Reported-by: Zygo Blaxell +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/block-rsv.c | 2 +- + fs/btrfs/block-rsv.h | 9 +++++++++ + fs/btrfs/transaction.c | 4 ++-- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/block-rsv.c b/fs/btrfs/block-rsv.c +index 06be0644dd37..046caf14a4bb 100644 +--- a/fs/btrfs/block-rsv.c ++++ b/fs/btrfs/block-rsv.c +@@ -286,7 +286,7 @@ u64 btrfs_block_rsv_release(struct btrfs_fs_info *fs_info, + */ + if (block_rsv == delayed_rsv) + target = global_rsv; +- else if (block_rsv != global_rsv && !delayed_rsv->full) ++ else if (block_rsv != global_rsv && !btrfs_block_rsv_full(delayed_rsv)) + target = delayed_rsv; + + if (target && block_rsv->space_info != target->space_info) +diff --git a/fs/btrfs/block-rsv.h b/fs/btrfs/block-rsv.h +index 0c183709be00..578c3497a455 100644 +--- a/fs/btrfs/block-rsv.h ++++ b/fs/btrfs/block-rsv.h +@@ -92,4 +92,13 @@ static inline void btrfs_unuse_block_rsv(struct btrfs_fs_info *fs_info, + btrfs_block_rsv_release(fs_info, block_rsv, 0, NULL); + } + ++/* ++ * Fast path to check if the reserve is full, may be carefully used outside of ++ * locks. ++ */ ++static inline bool btrfs_block_rsv_full(const struct btrfs_block_rsv *rsv) ++{ ++ return data_race(rsv->full); ++} ++ + #endif /* BTRFS_BLOCK_RSV_H */ +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index 6e3b2cb6a04a..255b0c0e1674 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -635,7 +635,7 @@ start_transaction(struct btrfs_root *root, unsigned int num_items, + */ + num_bytes = btrfs_calc_insert_metadata_size(fs_info, num_items); + if (flush == BTRFS_RESERVE_FLUSH_ALL && +- delayed_refs_rsv->full == 0) { ++ btrfs_block_rsv_full(delayed_refs_rsv) == 0) { + delayed_refs_bytes = num_bytes; + num_bytes <<= 1; + } +@@ -660,7 +660,7 @@ start_transaction(struct btrfs_root *root, unsigned int num_items, + if (rsv->space_info->force_alloc) + do_chunk_alloc = true; + } else if (num_items == 0 && flush == BTRFS_RESERVE_FLUSH_ALL && +- !delayed_refs_rsv->full) { ++ !btrfs_block_rsv_full(delayed_refs_rsv)) { + /* + * Some people call with btrfs_start_transaction(root, 0) + * because they can be throttled, but have some other mechanism +-- +2.35.1 + diff --git a/queue-6.0/btrfs-add-lockdep-annotations-for-num_extwriters-wai.patch b/queue-6.0/btrfs-add-lockdep-annotations-for-num_extwriters-wai.patch new file mode 100644 index 00000000000..971eb95c278 --- /dev/null +++ b/queue-6.0/btrfs-add-lockdep-annotations-for-num_extwriters-wai.patch @@ -0,0 +1,114 @@ +From cfca5f04b3bb29b3a74ff00154aacebe440602ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 15:11:50 -0700 +Subject: btrfs: add lockdep annotations for num_extwriters wait event + +From: Ioannis Angelakopoulos + +[ Upstream commit 5a9ba6709f13313984900d635b4c73c9eb7d644e ] + +Similarly to the num_writers wait event in fs/btrfs/transaction.c add a +lockdep annotation for the num_extwriters wait event. + +Reviewed-by: Josef Bacik +Signed-off-by: Ioannis Angelakopoulos +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 1 + + fs/btrfs/disk-io.c | 1 + + fs/btrfs/transaction.c | 13 +++++++++++++ + 3 files changed, 15 insertions(+) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 707e644bab92..e886cf639c0f 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1097,6 +1097,7 @@ struct btrfs_fs_info { + * compiled without lockdep). + */ + struct lockdep_map btrfs_trans_num_writers_map; ++ struct lockdep_map btrfs_trans_num_extwriters_map; + + #ifdef CONFIG_BTRFS_FS_REF_VERIFY + spinlock_t ref_verify_lock; +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index a04b32f7df9d..811d743e26e6 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2991,6 +2991,7 @@ void btrfs_init_fs_info(struct btrfs_fs_info *fs_info) + seqlock_init(&fs_info->profiles_lock); + + btrfs_lockdep_init_map(fs_info, btrfs_trans_num_writers); ++ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_extwriters); + + INIT_LIST_HEAD(&fs_info->dirty_cowonly_roots); + INIT_LIST_HEAD(&fs_info->space_info); +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index b3cb54d852f8..44e47db4c8e8 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -314,6 +314,7 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info, + extwriter_counter_inc(cur_trans, type); + spin_unlock(&fs_info->trans_lock); + btrfs_lockdep_acquire(fs_info, btrfs_trans_num_writers); ++ btrfs_lockdep_acquire(fs_info, btrfs_trans_num_extwriters); + return 0; + } + spin_unlock(&fs_info->trans_lock); +@@ -336,6 +337,7 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info, + return -ENOMEM; + + btrfs_lockdep_acquire(fs_info, btrfs_trans_num_writers); ++ btrfs_lockdep_acquire(fs_info, btrfs_trans_num_extwriters); + + spin_lock(&fs_info->trans_lock); + if (fs_info->running_transaction) { +@@ -343,11 +345,13 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info, + * someone started a transaction after we unlocked. Make sure + * to redo the checks above + */ ++ btrfs_lockdep_release(fs_info, btrfs_trans_num_extwriters); + btrfs_lockdep_release(fs_info, btrfs_trans_num_writers); + kfree(cur_trans); + goto loop; + } else if (BTRFS_FS_ERROR(fs_info)) { + spin_unlock(&fs_info->trans_lock); ++ btrfs_lockdep_release(fs_info, btrfs_trans_num_extwriters); + btrfs_lockdep_release(fs_info, btrfs_trans_num_writers); + kfree(cur_trans); + return -EROFS; +@@ -1028,6 +1032,7 @@ static int __btrfs_end_transaction(struct btrfs_trans_handle *trans, + + cond_wake_up(&cur_trans->writer_wait); + ++ btrfs_lockdep_release(info, btrfs_trans_num_extwriters); + btrfs_lockdep_release(info, btrfs_trans_num_writers); + + btrfs_put_transaction(cur_trans); +@@ -2270,6 +2275,13 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + if (ret) + goto lockdep_release; + ++ /* ++ * The thread has started/joined the transaction thus it holds the ++ * lockdep map as a reader. It has to release it before acquiring the ++ * lockdep map as a writer. ++ */ ++ btrfs_lockdep_release(fs_info, btrfs_trans_num_extwriters); ++ btrfs_might_wait_for_event(fs_info, btrfs_trans_num_extwriters); + wait_event(cur_trans->writer_wait, + extwriter_counter_read(cur_trans) == 0); + +@@ -2541,6 +2553,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + return ret; + + lockdep_release: ++ btrfs_lockdep_release(fs_info, btrfs_trans_num_extwriters); + btrfs_lockdep_release(fs_info, btrfs_trans_num_writers); + goto cleanup_transaction; + } +-- +2.35.1 + diff --git a/queue-6.0/btrfs-add-lockdep-annotations-for-num_writers-wait-e.patch b/queue-6.0/btrfs-add-lockdep-annotations-for-num_writers-wait-e.patch new file mode 100644 index 00000000000..9d00df13d20 --- /dev/null +++ b/queue-6.0/btrfs-add-lockdep-annotations-for-num_writers-wait-e.patch @@ -0,0 +1,181 @@ +From 4c3eac5e35f1d4118988475c65fddc92b7dced27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 15:11:48 -0700 +Subject: btrfs: add lockdep annotations for num_writers wait event + +From: Ioannis Angelakopoulos + +[ Upstream commit e1489b4fe6045a79a5e9c658eed65311977e230a ] + +Annotate the num_writers wait event in fs/btrfs/transaction.c with +lockdep in order to catch deadlocks involving this wait event. + +Reviewed-by: Josef Bacik +Signed-off-by: Ioannis Angelakopoulos +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 6 ++++++ + fs/btrfs/disk-io.c | 2 ++ + fs/btrfs/transaction.c | 38 +++++++++++++++++++++++++++++++++----- + 3 files changed, 41 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index dfeb7174219e..707e644bab92 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1092,6 +1092,12 @@ struct btrfs_fs_info { + /* Updates are not protected by any lock */ + struct btrfs_commit_stats commit_stats; + ++ /* ++ * Annotations for transaction events (structures are empty when ++ * compiled without lockdep). ++ */ ++ struct lockdep_map btrfs_trans_num_writers_map; ++ + #ifdef CONFIG_BTRFS_FS_REF_VERIFY + spinlock_t ref_verify_lock; + struct rb_root block_tree; +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 2633137c3e9f..a04b32f7df9d 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2990,6 +2990,8 @@ void btrfs_init_fs_info(struct btrfs_fs_info *fs_info) + mutex_init(&fs_info->zoned_data_reloc_io_lock); + seqlock_init(&fs_info->profiles_lock); + ++ btrfs_lockdep_init_map(fs_info, btrfs_trans_num_writers); ++ + INIT_LIST_HEAD(&fs_info->dirty_cowonly_roots); + INIT_LIST_HEAD(&fs_info->space_info); + INIT_LIST_HEAD(&fs_info->tree_mod_seq_list); +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index 0bec10740ad3..b3cb54d852f8 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -313,6 +313,7 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info, + atomic_inc(&cur_trans->num_writers); + extwriter_counter_inc(cur_trans, type); + spin_unlock(&fs_info->trans_lock); ++ btrfs_lockdep_acquire(fs_info, btrfs_trans_num_writers); + return 0; + } + spin_unlock(&fs_info->trans_lock); +@@ -334,16 +335,20 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info, + if (!cur_trans) + return -ENOMEM; + ++ btrfs_lockdep_acquire(fs_info, btrfs_trans_num_writers); ++ + spin_lock(&fs_info->trans_lock); + if (fs_info->running_transaction) { + /* + * someone started a transaction after we unlocked. Make sure + * to redo the checks above + */ ++ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers); + kfree(cur_trans); + goto loop; + } else if (BTRFS_FS_ERROR(fs_info)) { + spin_unlock(&fs_info->trans_lock); ++ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers); + kfree(cur_trans); + return -EROFS; + } +@@ -1022,6 +1027,9 @@ static int __btrfs_end_transaction(struct btrfs_trans_handle *trans, + extwriter_counter_dec(cur_trans, trans->type); + + cond_wake_up(&cur_trans->writer_wait); ++ ++ btrfs_lockdep_release(info, btrfs_trans_num_writers); ++ + btrfs_put_transaction(cur_trans); + + if (current->journal_info == trans) +@@ -1994,6 +2002,12 @@ static void cleanup_transaction(struct btrfs_trans_handle *trans, int err) + if (cur_trans == fs_info->running_transaction) { + cur_trans->state = TRANS_STATE_COMMIT_DOING; + spin_unlock(&fs_info->trans_lock); ++ ++ /* ++ * The thread has already released the lockdep map as reader ++ * already in btrfs_commit_transaction(). ++ */ ++ btrfs_might_wait_for_event(fs_info, btrfs_trans_num_writers); + wait_event(cur_trans->writer_wait, + atomic_read(&cur_trans->num_writers) == 1); + +@@ -2222,7 +2236,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + + btrfs_put_transaction(prev_trans); + if (ret) +- goto cleanup_transaction; ++ goto lockdep_release; + } else { + spin_unlock(&fs_info->trans_lock); + } +@@ -2236,7 +2250,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + */ + if (BTRFS_FS_ERROR(fs_info)) { + ret = -EROFS; +- goto cleanup_transaction; ++ goto lockdep_release; + } + } + +@@ -2250,19 +2264,21 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + + ret = btrfs_start_delalloc_flush(fs_info); + if (ret) +- goto cleanup_transaction; ++ goto lockdep_release; + + ret = btrfs_run_delayed_items(trans); + if (ret) +- goto cleanup_transaction; ++ goto lockdep_release; + + wait_event(cur_trans->writer_wait, + extwriter_counter_read(cur_trans) == 0); + + /* some pending stuffs might be added after the previous flush. */ + ret = btrfs_run_delayed_items(trans); +- if (ret) ++ if (ret) { ++ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers); + goto cleanup_transaction; ++ } + + btrfs_wait_delalloc_flush(fs_info); + +@@ -2284,6 +2300,14 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + add_pending_snapshot(trans); + cur_trans->state = TRANS_STATE_COMMIT_DOING; + spin_unlock(&fs_info->trans_lock); ++ ++ /* ++ * The thread has started/joined the transaction thus it holds the ++ * lockdep map as a reader. It has to release it before acquiring the ++ * lockdep map as a writer. ++ */ ++ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers); ++ btrfs_might_wait_for_event(fs_info, btrfs_trans_num_writers); + wait_event(cur_trans->writer_wait, + atomic_read(&cur_trans->num_writers) == 1); + +@@ -2515,6 +2539,10 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + cleanup_transaction(trans, ret); + + return ret; ++ ++lockdep_release: ++ btrfs_lockdep_release(fs_info, btrfs_trans_num_writers); ++ goto cleanup_transaction; + } + + /* +-- +2.35.1 + diff --git a/queue-6.0/btrfs-add-lockdep-annotations-for-pending_ordered-wa.patch b/queue-6.0/btrfs-add-lockdep-annotations-for-pending_ordered-wa.patch new file mode 100644 index 00000000000..336e764ee3d --- /dev/null +++ b/queue-6.0/btrfs-add-lockdep-annotations-for-pending_ordered-wa.patch @@ -0,0 +1,94 @@ +From 5898b5a0ae847ba581045a1ebfa11348731daa5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 15:11:54 -0700 +Subject: btrfs: add lockdep annotations for pending_ordered wait event + +From: Ioannis Angelakopoulos + +[ Upstream commit 8b53779eaa98b55f4cccadd4d12b3233e9633140 ] + +In contrast to the num_writers and num_extwriters wait events, the +condition for the pending ordered wait event is signaled in a different +context from the wait event itself. The condition signaling occurs in +btrfs_remove_ordered_extent() in fs/btrfs/ordered-data.c while the wait +event is implemented in btrfs_commit_transaction() in +fs/btrfs/transaction.c + +Thus the thread signaling the condition has to acquire the lockdep map +as a reader at the start of btrfs_remove_ordered_extent() and release it +after it has signaled the condition. In this case some dependencies +might be left out due to the placement of the annotation, but it is +better than no annotation at all. + +Reviewed-by: Josef Bacik +Signed-off-by: Ioannis Angelakopoulos +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 1 + + fs/btrfs/disk-io.c | 1 + + fs/btrfs/ordered-data.c | 3 +++ + fs/btrfs/transaction.c | 1 + + 4 files changed, 6 insertions(+) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index f8172e269f03..8bd9a6d5ade6 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1099,6 +1099,7 @@ struct btrfs_fs_info { + struct lockdep_map btrfs_trans_num_writers_map; + struct lockdep_map btrfs_trans_num_extwriters_map; + struct lockdep_map btrfs_state_change_map[4]; ++ struct lockdep_map btrfs_trans_pending_ordered_map; + + #ifdef CONFIG_BTRFS_FS_REF_VERIFY + spinlock_t ref_verify_lock; +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 68c6cb4e9283..393553fdfed6 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2992,6 +2992,7 @@ void btrfs_init_fs_info(struct btrfs_fs_info *fs_info) + + btrfs_lockdep_init_map(fs_info, btrfs_trans_num_writers); + btrfs_lockdep_init_map(fs_info, btrfs_trans_num_extwriters); ++ btrfs_lockdep_init_map(fs_info, btrfs_trans_pending_ordered); + btrfs_state_lockdep_init_map(fs_info, btrfs_trans_commit_start, + BTRFS_LOCKDEP_TRANS_COMMIT_START); + btrfs_state_lockdep_init_map(fs_info, btrfs_trans_unblocked, +diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c +index 1952ac85222c..2a4cb6db42d1 100644 +--- a/fs/btrfs/ordered-data.c ++++ b/fs/btrfs/ordered-data.c +@@ -525,6 +525,7 @@ void btrfs_remove_ordered_extent(struct btrfs_inode *btrfs_inode, + struct rb_node *node; + bool pending; + ++ btrfs_lockdep_acquire(fs_info, btrfs_trans_pending_ordered); + /* This is paired with btrfs_add_ordered_extent. */ + spin_lock(&btrfs_inode->lock); + btrfs_mod_outstanding_extents(btrfs_inode, -1); +@@ -580,6 +581,8 @@ void btrfs_remove_ordered_extent(struct btrfs_inode *btrfs_inode, + } + } + ++ btrfs_lockdep_release(fs_info, btrfs_trans_pending_ordered); ++ + spin_lock(&root->ordered_extent_lock); + list_del_init(&entry->root_extent_list); + root->nr_ordered_extents--; +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index d3576f84020d..6e3b2cb6a04a 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -2310,6 +2310,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + * transaction. Otherwise if this transaction commits before the ordered + * extents complete we lose logged data after a power failure. + */ ++ btrfs_might_wait_for_event(fs_info, btrfs_trans_pending_ordered); + wait_event(cur_trans->pending_wait, + atomic_read(&cur_trans->pending_ordered) == 0); + +-- +2.35.1 + diff --git a/queue-6.0/btrfs-add-lockdep-annotations-for-the-ordered-extent.patch b/queue-6.0/btrfs-add-lockdep-annotations-for-the-ordered-extent.patch new file mode 100644 index 00000000000..1fc9d111f63 --- /dev/null +++ b/queue-6.0/btrfs-add-lockdep-annotations-for-the-ordered-extent.patch @@ -0,0 +1,158 @@ +From dbaab36298dc01beea6a2d8ffe12e7d7180f2b30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 15:11:59 -0700 +Subject: btrfs: add lockdep annotations for the ordered extents wait event + +From: Ioannis Angelakopoulos + +[ Upstream commit 5f4403e10f9b75b081bcc763b98d73e29de8c248 ] + +This wait event is very similar to the pending ordered wait event in the +sense that it occurs in a different context than the condition signaling +for the event. The signaling occurs in btrfs_remove_ordered_extent() +while the wait event is implemented in btrfs_start_ordered_extent() in +fs/btrfs/ordered-data.c + +However, in this case a thread must not acquire the lockdep map for the +ordered extents wait event when the ordered extent is related to a free +space inode. That is because lockdep creates dependencies between locks +acquired both in execution paths related to normal inodes and paths +related to free space inodes, thus leading to false positives. + +Reviewed-by: Josef Bacik +Signed-off-by: Ioannis Angelakopoulos +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 1 + + fs/btrfs/disk-io.c | 1 + + fs/btrfs/inode.c | 13 +++++++++++++ + fs/btrfs/ordered-data.c | 18 ++++++++++++++++++ + 4 files changed, 33 insertions(+) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index 8bd9a6d5ade6..804962f97452 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1100,6 +1100,7 @@ struct btrfs_fs_info { + struct lockdep_map btrfs_trans_num_extwriters_map; + struct lockdep_map btrfs_state_change_map[4]; + struct lockdep_map btrfs_trans_pending_ordered_map; ++ struct lockdep_map btrfs_ordered_extent_map; + + #ifdef CONFIG_BTRFS_FS_REF_VERIFY + spinlock_t ref_verify_lock; +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 393553fdfed6..e0e1730e67d7 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2993,6 +2993,7 @@ void btrfs_init_fs_info(struct btrfs_fs_info *fs_info) + btrfs_lockdep_init_map(fs_info, btrfs_trans_num_writers); + btrfs_lockdep_init_map(fs_info, btrfs_trans_num_extwriters); + btrfs_lockdep_init_map(fs_info, btrfs_trans_pending_ordered); ++ btrfs_lockdep_init_map(fs_info, btrfs_ordered_extent); + btrfs_state_lockdep_init_map(fs_info, btrfs_trans_commit_start, + BTRFS_LOCKDEP_TRANS_COMMIT_START); + btrfs_state_lockdep_init_map(fs_info, btrfs_trans_unblocked, +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 1372210869b1..b06955727055 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -3225,6 +3225,8 @@ int btrfs_finish_ordered_io(struct btrfs_ordered_extent *ordered_extent) + clear_bits |= EXTENT_DELALLOC_NEW; + + freespace_inode = btrfs_is_free_space_inode(inode); ++ if (!freespace_inode) ++ btrfs_lockdep_acquire(fs_info, btrfs_ordered_extent); + + if (test_bit(BTRFS_ORDERED_IOERR, &ordered_extent->flags)) { + ret = -EIO; +@@ -8959,6 +8961,7 @@ void btrfs_destroy_inode(struct inode *vfs_inode) + struct btrfs_ordered_extent *ordered; + struct btrfs_inode *inode = BTRFS_I(vfs_inode); + struct btrfs_root *root = inode->root; ++ bool freespace_inode; + + WARN_ON(!hlist_empty(&vfs_inode->i_dentry)); + WARN_ON(vfs_inode->i_data.nrpages); +@@ -8980,6 +8983,12 @@ void btrfs_destroy_inode(struct inode *vfs_inode) + if (!root) + return; + ++ /* ++ * If this is a free space inode do not take the ordered extents lockdep ++ * map. ++ */ ++ freespace_inode = btrfs_is_free_space_inode(inode); ++ + while (1) { + ordered = btrfs_lookup_first_ordered_extent(inode, (u64)-1); + if (!ordered) +@@ -8988,6 +8997,10 @@ void btrfs_destroy_inode(struct inode *vfs_inode) + btrfs_err(root->fs_info, + "found ordered extent %llu %llu on inode cleanup", + ordered->file_offset, ordered->num_bytes); ++ ++ if (!freespace_inode) ++ btrfs_lockdep_acquire(root->fs_info, btrfs_ordered_extent); ++ + btrfs_remove_ordered_extent(inode, ordered); + btrfs_put_ordered_extent(ordered); + btrfs_put_ordered_extent(ordered); +diff --git a/fs/btrfs/ordered-data.c b/fs/btrfs/ordered-data.c +index 2a4cb6db42d1..eb24a6d20ff8 100644 +--- a/fs/btrfs/ordered-data.c ++++ b/fs/btrfs/ordered-data.c +@@ -524,6 +524,13 @@ void btrfs_remove_ordered_extent(struct btrfs_inode *btrfs_inode, + struct btrfs_fs_info *fs_info = root->fs_info; + struct rb_node *node; + bool pending; ++ bool freespace_inode; ++ ++ /* ++ * If this is a free space inode the thread has not acquired the ordered ++ * extents lockdep map. ++ */ ++ freespace_inode = btrfs_is_free_space_inode(btrfs_inode); + + btrfs_lockdep_acquire(fs_info, btrfs_trans_pending_ordered); + /* This is paired with btrfs_add_ordered_extent. */ +@@ -597,6 +604,8 @@ void btrfs_remove_ordered_extent(struct btrfs_inode *btrfs_inode, + } + spin_unlock(&root->ordered_extent_lock); + wake_up(&entry->wait); ++ if (!freespace_inode) ++ btrfs_lockdep_release(fs_info, btrfs_ordered_extent); + } + + static void btrfs_run_ordered_extent_work(struct btrfs_work *work) +@@ -715,9 +724,16 @@ void btrfs_start_ordered_extent(struct btrfs_ordered_extent *entry, int wait) + u64 start = entry->file_offset; + u64 end = start + entry->num_bytes - 1; + struct btrfs_inode *inode = BTRFS_I(entry->inode); ++ bool freespace_inode; + + trace_btrfs_ordered_extent_start(inode, entry); + ++ /* ++ * If this is a free space inode do not take the ordered extents lockdep ++ * map. ++ */ ++ freespace_inode = btrfs_is_free_space_inode(inode); ++ + /* + * pages in the range can be dirty, clean or writeback. We + * start IO on any dirty ones so the wait doesn't stall waiting +@@ -726,6 +742,8 @@ void btrfs_start_ordered_extent(struct btrfs_ordered_extent *entry, int wait) + if (!test_bit(BTRFS_ORDERED_DIRECT, &entry->flags)) + filemap_fdatawrite_range(inode->vfs_inode.i_mapping, start, end); + if (wait) { ++ if (!freespace_inode) ++ btrfs_might_wait_for_event(inode->root->fs_info, btrfs_ordered_extent); + wait_event(entry->wait, test_bit(BTRFS_ORDERED_COMPLETE, + &entry->flags)); + } +-- +2.35.1 + diff --git a/queue-6.0/btrfs-add-lockdep-annotations-for-transaction-states.patch b/queue-6.0/btrfs-add-lockdep-annotations-for-transaction-states.patch new file mode 100644 index 00000000000..5fa5fefe581 --- /dev/null +++ b/queue-6.0/btrfs-add-lockdep-annotations-for-transaction-states.patch @@ -0,0 +1,289 @@ +From 3c196fc7745196ba3f6358ce334e0512366c86f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 15:11:52 -0700 +Subject: btrfs: add lockdep annotations for transaction states wait events + +From: Ioannis Angelakopoulos + +[ Upstream commit 3e738c531aad8caa7f3d20ab878a8a0d3574e730 ] + +Add lockdep annotations for the transaction states that have wait +events; + + 1) TRANS_STATE_COMMIT_START + 2) TRANS_STATE_UNBLOCKED + 3) TRANS_STATE_SUPER_COMMITTED + 4) TRANS_STATE_COMPLETED + +The new macros introduced here to annotate the transaction states wait +events have the same effect as the generic lockdep annotation macros. + +With the exception of the lockdep annotation for TRANS_STATE_COMMIT_START +the transaction thread has to acquire the lockdep maps for the +transaction states as reader after the lockdep map for num_writers is +released so that lockdep does not complain. + +Reviewed-by: Josef Bacik +Signed-off-by: Ioannis Angelakopoulos +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 32 +++++++++++++++++++++++++ + fs/btrfs/disk-io.c | 8 +++++++ + fs/btrfs/transaction.c | 53 ++++++++++++++++++++++++++++++++++-------- + 3 files changed, 83 insertions(+), 10 deletions(-) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index e886cf639c0f..f8172e269f03 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1098,6 +1098,7 @@ struct btrfs_fs_info { + */ + struct lockdep_map btrfs_trans_num_writers_map; + struct lockdep_map btrfs_trans_num_extwriters_map; ++ struct lockdep_map btrfs_state_change_map[4]; + + #ifdef CONFIG_BTRFS_FS_REF_VERIFY + spinlock_t ref_verify_lock; +@@ -1181,6 +1182,13 @@ enum { + BTRFS_ROOT_RESET_LOCKDEP_CLASS, + }; + ++enum btrfs_lockdep_trans_states { ++ BTRFS_LOCKDEP_TRANS_COMMIT_START, ++ BTRFS_LOCKDEP_TRANS_UNBLOCKED, ++ BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED, ++ BTRFS_LOCKDEP_TRANS_COMPLETED, ++}; ++ + /* + * Lockdep annotation for wait events. + * +@@ -1219,6 +1227,22 @@ enum { + #define btrfs_lockdep_release(owner, lock) \ + rwsem_release(&owner->lock##_map, _THIS_IP_) + ++/* ++ * Macros for the transaction states wait events, similar to the generic wait ++ * event macros. ++ */ ++#define btrfs_might_wait_for_state(owner, i) \ ++ do { \ ++ rwsem_acquire(&owner->btrfs_state_change_map[i], 0, 0, _THIS_IP_); \ ++ rwsem_release(&owner->btrfs_state_change_map[i], _THIS_IP_); \ ++ } while (0) ++ ++#define btrfs_trans_state_lockdep_acquire(owner, i) \ ++ rwsem_acquire_read(&owner->btrfs_state_change_map[i], 0, 0, _THIS_IP_) ++ ++#define btrfs_trans_state_lockdep_release(owner, i) \ ++ rwsem_release(&owner->btrfs_state_change_map[i], _THIS_IP_) ++ + /* Initialization of the lockdep map */ + #define btrfs_lockdep_init_map(owner, lock) \ + do { \ +@@ -1226,6 +1250,14 @@ enum { + lockdep_init_map(&owner->lock##_map, #lock, &lock##_key, 0); \ + } while (0) + ++/* Initialization of the transaction states lockdep maps. */ ++#define btrfs_state_lockdep_init_map(owner, lock, state) \ ++ do { \ ++ static struct lock_class_key lock##_key; \ ++ lockdep_init_map(&owner->btrfs_state_change_map[state], #lock, \ ++ &lock##_key, 0); \ ++ } while (0) ++ + static inline void btrfs_wake_unfinished_drop(struct btrfs_fs_info *fs_info) + { + clear_and_wake_up_bit(BTRFS_FS_UNFINISHED_DROPS, &fs_info->flags); +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index 811d743e26e6..68c6cb4e9283 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2992,6 +2992,14 @@ void btrfs_init_fs_info(struct btrfs_fs_info *fs_info) + + btrfs_lockdep_init_map(fs_info, btrfs_trans_num_writers); + btrfs_lockdep_init_map(fs_info, btrfs_trans_num_extwriters); ++ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_commit_start, ++ BTRFS_LOCKDEP_TRANS_COMMIT_START); ++ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_unblocked, ++ BTRFS_LOCKDEP_TRANS_UNBLOCKED); ++ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_super_committed, ++ BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED); ++ btrfs_state_lockdep_init_map(fs_info, btrfs_trans_completed, ++ BTRFS_LOCKDEP_TRANS_COMPLETED); + + INIT_LIST_HEAD(&fs_info->dirty_cowonly_roots); + INIT_LIST_HEAD(&fs_info->space_info); +diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c +index 44e47db4c8e8..d3576f84020d 100644 +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -550,6 +550,7 @@ static void wait_current_trans(struct btrfs_fs_info *fs_info) + refcount_inc(&cur_trans->use_count); + spin_unlock(&fs_info->trans_lock); + ++ btrfs_might_wait_for_state(fs_info, BTRFS_LOCKDEP_TRANS_UNBLOCKED); + wait_event(fs_info->transaction_wait, + cur_trans->state >= TRANS_STATE_UNBLOCKED || + TRANS_ABORTED(cur_trans)); +@@ -868,6 +869,15 @@ static noinline void wait_for_commit(struct btrfs_transaction *commit, + u64 transid = commit->transid; + bool put = false; + ++ /* ++ * At the moment this function is called with min_state either being ++ * TRANS_STATE_COMPLETED or TRANS_STATE_SUPER_COMMITTED. ++ */ ++ if (min_state == TRANS_STATE_COMPLETED) ++ btrfs_might_wait_for_state(fs_info, BTRFS_LOCKDEP_TRANS_COMPLETED); ++ else ++ btrfs_might_wait_for_state(fs_info, BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED); ++ + while (1) { + wait_event(commit->commit_wait, commit->state >= min_state); + if (put) +@@ -1980,6 +1990,7 @@ void btrfs_commit_transaction_async(struct btrfs_trans_handle *trans) + * Wait for the current transaction commit to start and block + * subsequent transaction joins + */ ++ btrfs_might_wait_for_state(fs_info, BTRFS_LOCKDEP_TRANS_COMMIT_START); + wait_event(fs_info->transaction_blocked_wait, + cur_trans->state >= TRANS_STATE_COMMIT_START || + TRANS_ABORTED(cur_trans)); +@@ -2137,12 +2148,12 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + ktime_t interval; + + ASSERT(refcount_read(&trans->use_count) == 1); ++ btrfs_trans_state_lockdep_acquire(fs_info, BTRFS_LOCKDEP_TRANS_COMMIT_START); + + /* Stop the commit early if ->aborted is set */ + if (TRANS_ABORTED(cur_trans)) { + ret = cur_trans->aborted; +- btrfs_end_transaction(trans); +- return ret; ++ goto lockdep_trans_commit_start_release; + } + + btrfs_trans_release_metadata(trans); +@@ -2159,10 +2170,8 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + * Any running threads may add more while we are here. + */ + ret = btrfs_run_delayed_refs(trans, 0); +- if (ret) { +- btrfs_end_transaction(trans); +- return ret; +- } ++ if (ret) ++ goto lockdep_trans_commit_start_release; + } + + btrfs_create_pending_block_groups(trans); +@@ -2191,10 +2200,8 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + + if (run_it) { + ret = btrfs_start_dirty_block_groups(trans); +- if (ret) { +- btrfs_end_transaction(trans); +- return ret; +- } ++ if (ret) ++ goto lockdep_trans_commit_start_release; + } + } + +@@ -2209,6 +2216,9 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + + if (trans->in_fsync) + want_state = TRANS_STATE_SUPER_COMMITTED; ++ ++ btrfs_trans_state_lockdep_release(fs_info, ++ BTRFS_LOCKDEP_TRANS_COMMIT_START); + ret = btrfs_end_transaction(trans); + wait_for_commit(cur_trans, want_state); + +@@ -2222,6 +2232,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + + cur_trans->state = TRANS_STATE_COMMIT_START; + wake_up(&fs_info->transaction_blocked_wait); ++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_COMMIT_START); + + if (cur_trans->list.prev != &fs_info->trans_list) { + enum btrfs_trans_state want_state = TRANS_STATE_COMPLETED; +@@ -2323,6 +2334,16 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + wait_event(cur_trans->writer_wait, + atomic_read(&cur_trans->num_writers) == 1); + ++ /* ++ * Make lockdep happy by acquiring the state locks after ++ * btrfs_trans_num_writers is released. If we acquired the state locks ++ * before releasing the btrfs_trans_num_writers lock then lockdep would ++ * complain because we did not follow the reverse order unlocking rule. ++ */ ++ btrfs_trans_state_lockdep_acquire(fs_info, BTRFS_LOCKDEP_TRANS_COMPLETED); ++ btrfs_trans_state_lockdep_acquire(fs_info, BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED); ++ btrfs_trans_state_lockdep_acquire(fs_info, BTRFS_LOCKDEP_TRANS_UNBLOCKED); ++ + /* + * We've started the commit, clear the flag in case we were triggered to + * do an async commit but somebody else started before the transaction +@@ -2332,6 +2353,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + + if (TRANS_ABORTED(cur_trans)) { + ret = cur_trans->aborted; ++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_UNBLOCKED); + goto scrub_continue; + } + /* +@@ -2466,6 +2488,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + mutex_unlock(&fs_info->reloc_mutex); + + wake_up(&fs_info->transaction_wait); ++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_UNBLOCKED); + + ret = btrfs_write_and_wait_transaction(trans); + if (ret) { +@@ -2497,6 +2520,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + */ + cur_trans->state = TRANS_STATE_SUPER_COMMITTED; + wake_up(&cur_trans->commit_wait); ++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED); + + btrfs_finish_extent_commit(trans); + +@@ -2510,6 +2534,7 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + */ + cur_trans->state = TRANS_STATE_COMPLETED; + wake_up(&cur_trans->commit_wait); ++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_COMPLETED); + + spin_lock(&fs_info->trans_lock); + list_del_init(&cur_trans->list); +@@ -2538,7 +2563,10 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + + unlock_reloc: + mutex_unlock(&fs_info->reloc_mutex); ++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_UNBLOCKED); + scrub_continue: ++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_SUPER_COMMITTED); ++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_COMPLETED); + btrfs_scrub_continue(fs_info); + cleanup_transaction: + btrfs_trans_release_metadata(trans); +@@ -2556,6 +2584,11 @@ int btrfs_commit_transaction(struct btrfs_trans_handle *trans) + btrfs_lockdep_release(fs_info, btrfs_trans_num_extwriters); + btrfs_lockdep_release(fs_info, btrfs_trans_num_writers); + goto cleanup_transaction; ++ ++lockdep_trans_commit_start_release: ++ btrfs_trans_state_lockdep_release(fs_info, BTRFS_LOCKDEP_TRANS_COMMIT_START); ++ btrfs_end_transaction(trans); ++ return ret; + } + + /* +-- +2.35.1 + diff --git a/queue-6.0/btrfs-add-macros-for-annotating-wait-events-with-loc.patch b/queue-6.0/btrfs-add-macros-for-annotating-wait-events-with-loc.patch new file mode 100644 index 00000000000..7c57fc1a350 --- /dev/null +++ b/queue-6.0/btrfs-add-macros-for-annotating-wait-events-with-loc.patch @@ -0,0 +1,143 @@ +From 9b390e7dfd1a0faeff4012513dc4864e9df58bab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 15:11:46 -0700 +Subject: btrfs: add macros for annotating wait events with lockdep + +From: Ioannis Angelakopoulos + +[ Upstream commit ab9a323f9ab576000795285dd7ac6afeedf29e32 ] + +Introduce four macros that are used to annotate wait events in btrfs code +with lockdep; + + 1) the btrfs_lockdep_init_map + 2) the btrfs_lockdep_acquire, + 3) the btrfs_lockdep_release + 4) the btrfs_might_wait_for_event macros. + +The btrfs_lockdep_init_map macro is used to initialize a lockdep map. + +The btrfs_lockdep_ macros are used by threads to take +the lockdep map as readers (shared lock) and release it, respectively. + +The btrfs_might_wait_for_event macro is used by threads to take the +lockdep map as writers (exclusive lock) and release it. + +In general, the lockdep annotation for wait events work as follows: + +The condition for a wait event can be modified and signaled at the same +time by multiple threads. These threads hold the lockdep map as readers +when they enter a context in which blocking would prevent signaling the +condition. Frequently, this occurs when a thread violates a condition +(lockdep map acquire), before restoring it and signaling it at a later +point (lockdep map release). + +The threads that block on the wait event take the lockdep map as writers +(exclusive lock). These threads have to block until all the threads that +hold the lockdep map as readers signal the condition for the wait event +and release the lockdep map. + +The lockdep annotation is used to warn about potential deadlock scenarios +that involve the threads that modify and signal the wait event condition +and threads that block on the wait event. A simple example is illustrated +below: + +Without lockdep: + +TA TB +cond = false + lock(A) + wait_event(w, cond) + unlock(A) +lock(A) +cond = true +signal(w) +unlock(A) + +With lockdep: + +TA TB +rwsem_acquire_read(lockdep_map) +cond = false + lock(A) + rwsem_acquire(lockdep_map) + rwsem_release(lockdep_map) + wait_event(w, cond) + unlock(A) +lock(A) +cond = true +signal(w) +unlock(A) +rwsem_release(lockdep_map) + +In the second case, with the lockdep annotation, lockdep would warn about +an ABBA deadlock, while the first case would just deadlock at some point. + +Reviewed-by: Josef Bacik +Signed-off-by: Ioannis Angelakopoulos +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.h | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +diff --git a/fs/btrfs/ctree.h b/fs/btrfs/ctree.h +index df8c99c99df9..dfeb7174219e 100644 +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -1174,6 +1174,51 @@ enum { + BTRFS_ROOT_RESET_LOCKDEP_CLASS, + }; + ++/* ++ * Lockdep annotation for wait events. ++ * ++ * @owner: The struct where the lockdep map is defined ++ * @lock: The lockdep map corresponding to a wait event ++ * ++ * This macro is used to annotate a wait event. In this case a thread acquires ++ * the lockdep map as writer (exclusive lock) because it has to block until all ++ * the threads that hold the lock as readers signal the condition for the wait ++ * event and release their locks. ++ */ ++#define btrfs_might_wait_for_event(owner, lock) \ ++ do { \ ++ rwsem_acquire(&owner->lock##_map, 0, 0, _THIS_IP_); \ ++ rwsem_release(&owner->lock##_map, _THIS_IP_); \ ++ } while (0) ++ ++/* ++ * Protection for the resource/condition of a wait event. ++ * ++ * @owner: The struct where the lockdep map is defined ++ * @lock: The lockdep map corresponding to a wait event ++ * ++ * Many threads can modify the condition for the wait event at the same time ++ * and signal the threads that block on the wait event. The threads that modify ++ * the condition and do the signaling acquire the lock as readers (shared ++ * lock). ++ */ ++#define btrfs_lockdep_acquire(owner, lock) \ ++ rwsem_acquire_read(&owner->lock##_map, 0, 0, _THIS_IP_) ++ ++/* ++ * Used after signaling the condition for a wait event to release the lockdep ++ * map held by a reader thread. ++ */ ++#define btrfs_lockdep_release(owner, lock) \ ++ rwsem_release(&owner->lock##_map, _THIS_IP_) ++ ++/* Initialization of the lockdep map */ ++#define btrfs_lockdep_init_map(owner, lock) \ ++ do { \ ++ static struct lock_class_key lock##_key; \ ++ lockdep_init_map(&owner->lock##_map, #lock, &lock##_key, 0); \ ++ } while (0) ++ + static inline void btrfs_wake_unfinished_drop(struct btrfs_fs_info *fs_info) + { + clear_and_wake_up_bit(BTRFS_FS_UNFINISHED_DROPS, &fs_info->flags); +-- +2.35.1 + diff --git a/queue-6.0/btrfs-call-__btrfs_remove_free_space_cache_locked-on.patch b/queue-6.0/btrfs-call-__btrfs_remove_free_space_cache_locked-on.patch new file mode 100644 index 00000000000..6a082ed82d2 --- /dev/null +++ b/queue-6.0/btrfs-call-__btrfs_remove_free_space_cache_locked-on.patch @@ -0,0 +1,156 @@ +From f405bb590036e32502c7d4698281340aab21f78d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 16:10:26 -0400 +Subject: btrfs: call __btrfs_remove_free_space_cache_locked on cache load + failure + +From: Josef Bacik + +[ Upstream commit 8a1ae2781dee9fc21ca82db682d37bea4bd074ad ] + +Now that lockdep is staying enabled through our entire CI runs I started +seeing the following stack in generic/475 + +------------[ cut here ]------------ +WARNING: CPU: 1 PID: 2171864 at fs/btrfs/discard.c:604 btrfs_discard_update_discardable+0x98/0xb0 +CPU: 1 PID: 2171864 Comm: kworker/u4:0 Not tainted 5.19.0-rc8+ #789 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 +Workqueue: btrfs-cache btrfs_work_helper +RIP: 0010:btrfs_discard_update_discardable+0x98/0xb0 +RSP: 0018:ffffb857c2f7bad0 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff8c85c605c200 RCX: 0000000000000001 +RDX: 0000000000000000 RSI: ffffffff86807c5b RDI: ffffffff868a831e +RBP: ffff8c85c4c54000 R08: 0000000000000000 R09: 0000000000000000 +R10: ffff8c85c66932f0 R11: 0000000000000001 R12: ffff8c85c3899010 +R13: ffff8c85d5be4f40 R14: ffff8c85c4c54000 R15: ffff8c86114bfa80 +FS: 0000000000000000(0000) GS:ffff8c863bd00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f2e7f168160 CR3: 000000010289a004 CR4: 0000000000370ee0 +Call Trace: + + __btrfs_remove_free_space_cache+0x27/0x30 + load_free_space_cache+0xad2/0xaf0 + caching_thread+0x40b/0x650 + ? lock_release+0x137/0x2d0 + btrfs_work_helper+0xf2/0x3e0 + ? lock_is_held_type+0xe2/0x140 + process_one_work+0x271/0x590 + ? process_one_work+0x590/0x590 + worker_thread+0x52/0x3b0 + ? process_one_work+0x590/0x590 + kthread+0xf0/0x120 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + +This is the code + + ctl = block_group->free_space_ctl; + discard_ctl = &block_group->fs_info->discard_ctl; + + lockdep_assert_held(&ctl->tree_lock); + +We have a temporary free space ctl for loading the free space cache in +order to avoid having allocations happening while we're loading the +cache. When we hit an error we free it all up, however this also calls +btrfs_discard_update_discardable, which requires +block_group->free_space_ctl->tree_lock to be held. However this is our +temporary ctl so this lock isn't held. Fix this by calling +__btrfs_remove_free_space_cache_locked instead so that we only clean up +the entries and do not mess with the discardable stats. + +Signed-off-by: Josef Bacik +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/free-space-cache.c | 53 +++++++++++++++++++++++-------------- + 1 file changed, 33 insertions(+), 20 deletions(-) + +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c +index 835071fa39a9..2f88053cfc5e 100644 +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -48,6 +48,25 @@ static void bitmap_clear_bits(struct btrfs_free_space_ctl *ctl, + struct btrfs_free_space *info, u64 offset, + u64 bytes, bool update_stats); + ++static void __btrfs_remove_free_space_cache_locked( ++ struct btrfs_free_space_ctl *ctl) ++{ ++ struct btrfs_free_space *info; ++ struct rb_node *node; ++ ++ while ((node = rb_last(&ctl->free_space_offset)) != NULL) { ++ info = rb_entry(node, struct btrfs_free_space, offset_index); ++ if (!info->bitmap) { ++ unlink_free_space(ctl, info, true); ++ kmem_cache_free(btrfs_free_space_cachep, info); ++ } else { ++ free_bitmap(ctl, info); ++ } ++ ++ cond_resched_lock(&ctl->tree_lock); ++ } ++} ++ + static struct inode *__lookup_free_space_inode(struct btrfs_root *root, + struct btrfs_path *path, + u64 offset) +@@ -881,7 +900,14 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, + return ret; + free_cache: + io_ctl_drop_pages(&io_ctl); +- __btrfs_remove_free_space_cache(ctl); ++ ++ /* ++ * We need to call the _locked variant so we don't try to update the ++ * discard counters. ++ */ ++ spin_lock(&ctl->tree_lock); ++ __btrfs_remove_free_space_cache_locked(ctl); ++ spin_unlock(&ctl->tree_lock); + goto out; + } + +@@ -1017,7 +1043,13 @@ int load_free_space_cache(struct btrfs_block_group *block_group) + if (ret == 0) + ret = 1; + } else { ++ /* ++ * We need to call the _locked variant so we don't try to update ++ * the discard counters. ++ */ ++ spin_lock(&tmp_ctl.tree_lock); + __btrfs_remove_free_space_cache(&tmp_ctl); ++ spin_unlock(&tmp_ctl.tree_lock); + btrfs_warn(fs_info, + "block group %llu has wrong amount of free space", + block_group->start); +@@ -2980,25 +3012,6 @@ static void __btrfs_return_cluster_to_free_space( + btrfs_put_block_group(block_group); + } + +-static void __btrfs_remove_free_space_cache_locked( +- struct btrfs_free_space_ctl *ctl) +-{ +- struct btrfs_free_space *info; +- struct rb_node *node; +- +- while ((node = rb_last(&ctl->free_space_offset)) != NULL) { +- info = rb_entry(node, struct btrfs_free_space, offset_index); +- if (!info->bitmap) { +- unlink_free_space(ctl, info, true); +- kmem_cache_free(btrfs_free_space_cachep, info); +- } else { +- free_bitmap(ctl, info); +- } +- +- cond_resched_lock(&ctl->tree_lock); +- } +-} +- + void __btrfs_remove_free_space_cache(struct btrfs_free_space_ctl *ctl) + { + spin_lock(&ctl->tree_lock); +-- +2.35.1 + diff --git a/queue-6.0/btrfs-change-the-lockdep-class-of-free-space-inode-s.patch b/queue-6.0/btrfs-change-the-lockdep-class-of-free-space-inode-s.patch new file mode 100644 index 00000000000..5d6377a8f56 --- /dev/null +++ b/queue-6.0/btrfs-change-the-lockdep-class-of-free-space-inode-s.patch @@ -0,0 +1,61 @@ +From a029bfa12be1da1c419fa9f774fbb645899d2832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 15:11:57 -0700 +Subject: btrfs: change the lockdep class of free space inode's invalidate_lock + +From: Ioannis Angelakopoulos + +[ Upstream commit 9d7464c87b159bbf763c24faeb7a2dcaac96e4a1 ] + +Reinitialize the class of the lockdep map for struct inode's +mapping->invalidate_lock in load_free_space_cache() function in +fs/btrfs/free-space-cache.c. This will prevent lockdep from producing +false positives related to execution paths that make use of free space +inodes and paths that make use of normal inodes. + +Specifically, with this change lockdep will create separate lock +dependencies that include the invalidate_lock, in the case that free +space inodes are used and in the case that normal inodes are used. + +The lockdep class for this lock was first initialized in +inode_init_always() in fs/inode.c. + +Reviewed-by: Josef Bacik +Signed-off-by: Ioannis Angelakopoulos +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/free-space-cache.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c +index 85404c62a1c2..835071fa39a9 100644 +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -920,6 +920,8 @@ static int copy_free_space_cache(struct btrfs_block_group *block_group, + return ret; + } + ++static struct lock_class_key btrfs_free_space_inode_key; ++ + int load_free_space_cache(struct btrfs_block_group *block_group) + { + struct btrfs_fs_info *fs_info = block_group->fs_info; +@@ -989,6 +991,14 @@ int load_free_space_cache(struct btrfs_block_group *block_group) + } + spin_unlock(&block_group->lock); + ++ /* ++ * Reinitialize the class of struct inode's mapping->invalidate_lock for ++ * free space inodes to prevent false positives related to locks for normal ++ * inodes. ++ */ ++ lockdep_set_class(&(&inode->i_data)->invalidate_lock, ++ &btrfs_free_space_inode_key); ++ + ret = __load_free_space_cache(fs_info->tree_root, inode, &tmp_ctl, + path, block_group->start); + btrfs_free_path(path); +-- +2.35.1 + diff --git a/queue-6.0/btrfs-check-superblock-to-ensure-the-fs-was-not-modi.patch b/queue-6.0/btrfs-check-superblock-to-ensure-the-fs-was-not-modi.patch new file mode 100644 index 00000000000..36f815e499d --- /dev/null +++ b/queue-6.0/btrfs-check-superblock-to-ensure-the-fs-was-not-modi.patch @@ -0,0 +1,254 @@ +From e0be5b40aa9590bb5a5e2e1cda7141ab157304ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 20:16:22 +0800 +Subject: btrfs: check superblock to ensure the fs was not modified at thaw + time + +From: Qu Wenruo + +[ Upstream commit a05d3c9153145283ce9c58a1d7a9056fbb85f6a1 ] + +[BACKGROUND] +There is an incident report that, one user hibernated the system, with +one btrfs on removable device still mounted. + +Then by some incident, the btrfs got mounted and modified by another +system/OS, then back to the hibernated system. + +After resuming from the hibernation, new write happened into the victim btrfs. + +Now the fs is completely broken, since the underlying btrfs is no longer +the same one before the hibernation, and the user lost their data due to +various transid mismatch. + +[REPRODUCER] +We can emulate the situation using the following small script: + + truncate -s 1G $dev + mkfs.btrfs -f $dev + mount $dev $mnt + fsstress -w -d $mnt -n 500 + sync + xfs_freeze -f $mnt + cp $dev $dev.backup + + # There is no way to mount the same cloned fs on the same system, + # as the conflicting fsid will be rejected by btrfs. + # Thus here we have to wipe the fs using a different btrfs. + mkfs.btrfs -f $dev.backup + + dd if=$dev.backup of=$dev bs=1M + xfs_freeze -u $mnt + fsstress -w -d $mnt -n 20 + umount $mnt + btrfs check $dev + +The final fsck will fail due to some tree blocks has incorrect fsid. + +This is enough to emulate the problem hit by the unfortunate user. + +[ENHANCEMENT] +Although such case should not be that common, it can still happen from +time to time. + +From the view of btrfs, we can detect any unexpected super block change, +and if there is any unexpected change, we just mark the fs read-only, +and thaw the fs. + +By this we can limit the damage to minimal, and I hope no one would lose +their data by this anymore. + +Suggested-by: Goffredo Baroncelli +Link: https://lore.kernel.org/linux-btrfs/83bf3b4b-7f4c-387a-b286-9251e3991e34@bluemole.com/ +Reviewed-by: Anand Jain +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/disk-io.c | 25 ++++++++++++++----- + fs/btrfs/disk-io.h | 4 +++- + fs/btrfs/super.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++ + fs/btrfs/volumes.c | 2 +- + 4 files changed, 83 insertions(+), 8 deletions(-) + +diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c +index e0e1730e67d7..d9881b54efd1 100644 +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -2600,8 +2600,8 @@ static int btrfs_read_roots(struct btrfs_fs_info *fs_info) + * 1, 2 2nd and 3rd backup copy + * -1 skip bytenr check + */ +-static int validate_super(struct btrfs_fs_info *fs_info, +- struct btrfs_super_block *sb, int mirror_num) ++int btrfs_validate_super(struct btrfs_fs_info *fs_info, ++ struct btrfs_super_block *sb, int mirror_num) + { + u64 nodesize = btrfs_super_nodesize(sb); + u64 sectorsize = btrfs_super_sectorsize(sb); +@@ -2785,7 +2785,7 @@ static int validate_super(struct btrfs_fs_info *fs_info, + */ + static int btrfs_validate_mount_super(struct btrfs_fs_info *fs_info) + { +- return validate_super(fs_info, fs_info->super_copy, 0); ++ return btrfs_validate_super(fs_info, fs_info->super_copy, 0); + } + + /* +@@ -2799,7 +2799,7 @@ static int btrfs_validate_write_super(struct btrfs_fs_info *fs_info, + { + int ret; + +- ret = validate_super(fs_info, sb, -1); ++ ret = btrfs_validate_super(fs_info, sb, -1); + if (ret < 0) + goto out; + if (!btrfs_supported_super_csum(btrfs_super_csum_type(sb))) { +@@ -3846,7 +3846,7 @@ static void btrfs_end_super_write(struct bio *bio) + } + + struct btrfs_super_block *btrfs_read_dev_one_super(struct block_device *bdev, +- int copy_num) ++ int copy_num, bool drop_cache) + { + struct btrfs_super_block *super; + struct page *page; +@@ -3864,6 +3864,19 @@ struct btrfs_super_block *btrfs_read_dev_one_super(struct block_device *bdev, + if (bytenr + BTRFS_SUPER_INFO_SIZE >= bdev_nr_bytes(bdev)) + return ERR_PTR(-EINVAL); + ++ if (drop_cache) { ++ /* This should only be called with the primary sb. */ ++ ASSERT(copy_num == 0); ++ ++ /* ++ * Drop the page of the primary superblock, so later read will ++ * always read from the device. ++ */ ++ invalidate_inode_pages2_range(mapping, ++ bytenr >> PAGE_SHIFT, ++ (bytenr + BTRFS_SUPER_INFO_SIZE) >> PAGE_SHIFT); ++ } ++ + page = read_cache_page_gfp(mapping, bytenr >> PAGE_SHIFT, GFP_NOFS); + if (IS_ERR(page)) + return ERR_CAST(page); +@@ -3895,7 +3908,7 @@ struct btrfs_super_block *btrfs_read_dev_super(struct block_device *bdev) + * later supers, using BTRFS_SUPER_MIRROR_MAX instead + */ + for (i = 0; i < 1; i++) { +- super = btrfs_read_dev_one_super(bdev, i); ++ super = btrfs_read_dev_one_super(bdev, i, false); + if (IS_ERR(super)) + continue; + +diff --git a/fs/btrfs/disk-io.h b/fs/btrfs/disk-io.h +index 47ad8e0a2d33..aef981de672c 100644 +--- a/fs/btrfs/disk-io.h ++++ b/fs/btrfs/disk-io.h +@@ -46,10 +46,12 @@ int __cold open_ctree(struct super_block *sb, + struct btrfs_fs_devices *fs_devices, + char *options); + void __cold close_ctree(struct btrfs_fs_info *fs_info); ++int btrfs_validate_super(struct btrfs_fs_info *fs_info, ++ struct btrfs_super_block *sb, int mirror_num); + int write_all_supers(struct btrfs_fs_info *fs_info, int max_mirrors); + struct btrfs_super_block *btrfs_read_dev_super(struct block_device *bdev); + struct btrfs_super_block *btrfs_read_dev_one_super(struct block_device *bdev, +- int copy_num); ++ int copy_num, bool drop_cache); + int btrfs_commit_super(struct btrfs_fs_info *fs_info); + struct btrfs_root *btrfs_read_tree_root(struct btrfs_root *tree_root, + struct btrfs_key *key); +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index ad3ce9700eaf..079855e9c881 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -2562,11 +2562,71 @@ static int btrfs_freeze(struct super_block *sb) + return btrfs_commit_transaction(trans); + } + ++static int check_dev_super(struct btrfs_device *dev) ++{ ++ struct btrfs_fs_info *fs_info = dev->fs_info; ++ struct btrfs_super_block *sb; ++ int ret = 0; ++ ++ /* This should be called with fs still frozen. */ ++ ASSERT(test_bit(BTRFS_FS_FROZEN, &fs_info->flags)); ++ ++ /* Missing dev, no need to check. */ ++ if (!dev->bdev) ++ return 0; ++ ++ /* Only need to check the primary super block. */ ++ sb = btrfs_read_dev_one_super(dev->bdev, 0, true); ++ if (IS_ERR(sb)) ++ return PTR_ERR(sb); ++ ++ /* Btrfs_validate_super() includes fsid check against super->fsid. */ ++ ret = btrfs_validate_super(fs_info, sb, 0); ++ if (ret < 0) ++ goto out; ++ ++ if (btrfs_super_generation(sb) != fs_info->last_trans_committed) { ++ btrfs_err(fs_info, "transid mismatch, has %llu expect %llu", ++ btrfs_super_generation(sb), ++ fs_info->last_trans_committed); ++ ret = -EUCLEAN; ++ goto out; ++ } ++out: ++ btrfs_release_disk_super(sb); ++ return ret; ++} ++ + static int btrfs_unfreeze(struct super_block *sb) + { + struct btrfs_fs_info *fs_info = btrfs_sb(sb); ++ struct btrfs_device *device; ++ int ret = 0; + ++ /* ++ * Make sure the fs is not changed by accident (like hibernation then ++ * modified by other OS). ++ * If we found anything wrong, we mark the fs error immediately. ++ * ++ * And since the fs is frozen, no one can modify the fs yet, thus ++ * we don't need to hold device_list_mutex. ++ */ ++ list_for_each_entry(device, &fs_info->fs_devices->devices, dev_list) { ++ ret = check_dev_super(device); ++ if (ret < 0) { ++ btrfs_handle_fs_error(fs_info, ret, ++ "super block on devid %llu got modified unexpectedly", ++ device->devid); ++ break; ++ } ++ } + clear_bit(BTRFS_FS_FROZEN, &fs_info->flags); ++ ++ /* ++ * We still return 0, to allow VFS layer to unfreeze the fs even the ++ * above checks failed. Since the fs is either fine or read-only, we're ++ * safe to continue, without causing further damage. ++ */ + return 0; + } + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index f63ff91e2883..b4df6f74855c 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -2017,7 +2017,7 @@ void btrfs_scratch_superblocks(struct btrfs_fs_info *fs_info, + struct page *page; + int ret; + +- disk_super = btrfs_read_dev_one_super(bdev, copy_num); ++ disk_super = btrfs_read_dev_one_super(bdev, copy_num, false); + if (IS_ERR(disk_super)) + continue; + +-- +2.35.1 + diff --git a/queue-6.0/btrfs-don-t-print-information-about-space-cache-or-t.patch b/queue-6.0/btrfs-don-t-print-information-about-space-cache-or-t.patch new file mode 100644 index 00000000000..fac9e32ac99 --- /dev/null +++ b/queue-6.0/btrfs-don-t-print-information-about-space-cache-or-t.patch @@ -0,0 +1,61 @@ +From fba5d505b1dd649164b27c1b902cf6af2d91a029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 17:28:20 +0200 +Subject: btrfs: don't print information about space cache or tree every + remount + +From: Maciej S. Szmigiero + +[ Upstream commit dbecac26630014d336a8e5ea67096ff18210fb9c ] + +btrfs currently prints information about space cache or free space tree +being in use on every remount, regardless whether such remount actually +enabled or disabled one of these features. + +This is actually unnecessary since providing remount options changing the +state of these features will explicitly print the appropriate notice. + +Let's instead print such unconditional information just on an initial mount +to avoid filling the kernel log when, for example, laptop-mode-tools +remount the fs on some events. + +Signed-off-by: Maciej S. Szmigiero +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/super.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c +index 6eeb3402b4a2..ad3ce9700eaf 100644 +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -626,6 +626,7 @@ int btrfs_parse_options(struct btrfs_fs_info *info, char *options, + int saved_compress_level; + bool saved_compress_force; + int no_compress = 0; ++ const bool remounting = test_bit(BTRFS_FS_STATE_REMOUNTING, &info->fs_state); + + if (btrfs_fs_compat_ro(info, FREE_SPACE_TREE)) + btrfs_set_opt(info->mount_opt, FREE_SPACE_TREE); +@@ -1137,10 +1138,12 @@ int btrfs_parse_options(struct btrfs_fs_info *info, char *options, + } + if (!ret) + ret = btrfs_check_mountopts_zoned(info); +- if (!ret && btrfs_test_opt(info, SPACE_CACHE)) +- btrfs_info(info, "disk space caching is enabled"); +- if (!ret && btrfs_test_opt(info, FREE_SPACE_TREE)) +- btrfs_info(info, "using free space tree"); ++ if (!ret && !remounting) { ++ if (btrfs_test_opt(info, SPACE_CACHE)) ++ btrfs_info(info, "disk space caching is enabled"); ++ if (btrfs_test_opt(info, FREE_SPACE_TREE)) ++ btrfs_info(info, "using free space tree"); ++ } + return ret; + } + +-- +2.35.1 + diff --git a/queue-6.0/btrfs-dump-extra-info-if-one-free-space-cache-has-mo.patch b/queue-6.0/btrfs-dump-extra-info-if-one-free-space-cache-has-mo.patch new file mode 100644 index 00000000000..472c0a04270 --- /dev/null +++ b/queue-6.0/btrfs-dump-extra-info-if-one-free-space-cache-has-mo.patch @@ -0,0 +1,66 @@ +From 455062e2a519128c2e1d88cefa3c9e8db1f4a6d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 09:35:57 +0800 +Subject: btrfs: dump extra info if one free space cache has more bitmaps than + it should + +From: Qu Wenruo + +[ Upstream commit 62cd9d4474282a1eb84f945955c56cbfc42e1ffe ] + +There is an internal report on hitting the following ASSERT() in +recalculate_thresholds(): + + ASSERT(ctl->total_bitmaps <= max_bitmaps); + +Above @max_bitmaps is calculated using the following variables: + +- bytes_per_bg + 8 * 4096 * 4096 (128M) for x86_64/x86. + +- block_group->length + The length of the block group. + +@max_bitmaps is the rounded up value of block_group->length / 128M. + +Normally one free space cache should not have more bitmaps than above +value, but when it happens the ASSERT() can be triggered if +CONFIG_BTRFS_ASSERT is also enabled. + +But the ASSERT() itself won't provide enough info to know which is going +wrong. +Is the bg too small thus it only allows one bitmap? +Or is there something else wrong? + +So although I haven't found extra reports or crash dump to do further +investigation, add the extra info to make it more helpful to debug. + +Reviewed-by: Anand Jain +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/free-space-cache.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c +index 996da650ecdc..85404c62a1c2 100644 +--- a/fs/btrfs/free-space-cache.c ++++ b/fs/btrfs/free-space-cache.c +@@ -693,6 +693,12 @@ static void recalculate_thresholds(struct btrfs_free_space_ctl *ctl) + + max_bitmaps = max_t(u64, max_bitmaps, 1); + ++ if (ctl->total_bitmaps > max_bitmaps) ++ btrfs_err(block_group->fs_info, ++"invalid free space control: bg start=%llu len=%llu total_bitmaps=%u unit=%u max_bitmaps=%llu bytes_per_bg=%llu", ++ block_group->start, block_group->length, ++ ctl->total_bitmaps, ctl->unit, max_bitmaps, ++ bytes_per_bg); + ASSERT(ctl->total_bitmaps <= max_bitmaps); + + /* +-- +2.35.1 + diff --git a/queue-6.0/btrfs-scrub-properly-report-super-block-errors-in-sy.patch b/queue-6.0/btrfs-scrub-properly-report-super-block-errors-in-sy.patch new file mode 100644 index 00000000000..28f6130f0ad --- /dev/null +++ b/queue-6.0/btrfs-scrub-properly-report-super-block-errors-in-sy.patch @@ -0,0 +1,145 @@ +From 1895aea733da6440417c727ac11c86be54f1405c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 14:53:02 +0800 +Subject: btrfs: scrub: properly report super block errors in system log + +From: Qu Wenruo + +[ Upstream commit e69bf81c9a339f1b2c041b112a6fbb9f60fc9340 ] + +[PROBLEM] + +Unlike data/metadata corruption, if scrub detected some error in the +super block, the only error message is from the updated device status: + + BTRFS info (device dm-1): scrub: started on devid 2 + BTRFS error (device dm-1): bdev /dev/mapper/test-scratch2 errs: wr 0, rd 0, flush 0, corrupt 1, gen 0 + BTRFS info (device dm-1): scrub: finished on devid 2 with status: 0 + +This is not helpful at all. + +[CAUSE] +Unlike data/metadata error reporting, there is no visible report in +kernel dmesg to report supper block errors. + +In fact, return value of scrub_checksum_super() is intentionally +skipped, thus scrub_handle_errored_block() will never be called for +super blocks. + +[FIX] +Make super block errors to output an error message, now the full +dmesg would looks like this: + + BTRFS info (device dm-1): scrub: started on devid 2 + BTRFS warning (device dm-1): super block error on device /dev/mapper/test-scratch2, physical 67108864 + BTRFS error (device dm-1): bdev /dev/mapper/test-scratch2 errs: wr 0, rd 0, flush 0, corrupt 1, gen 0 + BTRFS info (device dm-1): scrub: finished on devid 2 with status: 0 + BTRFS info (device dm-1): scrub: started on devid 2 + +This fix involves: + +- Move the super_errors reporting to scrub_handle_errored_block() + This allows the device status message to show after the super block + error message. + But now we no longer distinguish super block corruption and generation + mismatch, now all counted as corruption. + +- Properly check the return value from scrub_checksum_super() +- Add extra super block error reporting for scrub_print_warning(). + +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/scrub.c | 33 ++++++++++++--------------------- + 1 file changed, 12 insertions(+), 21 deletions(-) + +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c +index 3afe5fa50a63..0fe7c4882e1f 100644 +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -729,6 +729,13 @@ static void scrub_print_warning(const char *errstr, struct scrub_block *sblock) + dev = sblock->sectors[0]->dev; + fs_info = sblock->sctx->fs_info; + ++ /* Super block error, no need to search extent tree. */ ++ if (sblock->sectors[0]->flags & BTRFS_EXTENT_FLAG_SUPER) { ++ btrfs_warn_in_rcu(fs_info, "%s on device %s, physical %llu", ++ errstr, rcu_str_deref(dev->name), ++ sblock->sectors[0]->physical); ++ return; ++ } + path = btrfs_alloc_path(); + if (!path) + return; +@@ -804,7 +811,7 @@ static inline void scrub_put_recover(struct btrfs_fs_info *fs_info, + static int scrub_handle_errored_block(struct scrub_block *sblock_to_check) + { + struct scrub_ctx *sctx = sblock_to_check->sctx; +- struct btrfs_device *dev; ++ struct btrfs_device *dev = sblock_to_check->sectors[0]->dev; + struct btrfs_fs_info *fs_info; + u64 logical; + unsigned int failed_mirror_index; +@@ -825,13 +832,15 @@ static int scrub_handle_errored_block(struct scrub_block *sblock_to_check) + fs_info = sctx->fs_info; + if (sblock_to_check->sectors[0]->flags & BTRFS_EXTENT_FLAG_SUPER) { + /* +- * if we find an error in a super block, we just report it. ++ * If we find an error in a super block, we just report it. + * They will get written with the next transaction commit + * anyway + */ ++ scrub_print_warning("super block error", sblock_to_check); + spin_lock(&sctx->stat_lock); + ++sctx->stat.super_errors; + spin_unlock(&sctx->stat_lock); ++ btrfs_dev_stat_inc_and_print(dev, BTRFS_DEV_STAT_CORRUPTION_ERRS); + return 0; + } + logical = sblock_to_check->sectors[0]->logical; +@@ -840,7 +849,6 @@ static int scrub_handle_errored_block(struct scrub_block *sblock_to_check) + is_metadata = !(sblock_to_check->sectors[0]->flags & + BTRFS_EXTENT_FLAG_DATA); + have_csum = sblock_to_check->sectors[0]->have_csum; +- dev = sblock_to_check->sectors[0]->dev; + + if (!sctx->is_dev_replace && btrfs_repair_one_zone(fs_info, logical)) + return 0; +@@ -1762,7 +1770,7 @@ static int scrub_checksum(struct scrub_block *sblock) + else if (flags & BTRFS_EXTENT_FLAG_TREE_BLOCK) + ret = scrub_checksum_tree_block(sblock); + else if (flags & BTRFS_EXTENT_FLAG_SUPER) +- (void)scrub_checksum_super(sblock); ++ ret = scrub_checksum_super(sblock); + else + WARN_ON(1); + if (ret) +@@ -1901,23 +1909,6 @@ static int scrub_checksum_super(struct scrub_block *sblock) + if (memcmp(calculated_csum, s->csum, sctx->fs_info->csum_size)) + ++fail_cor; + +- if (fail_cor + fail_gen) { +- /* +- * if we find an error in a super block, we just report it. +- * They will get written with the next transaction commit +- * anyway +- */ +- spin_lock(&sctx->stat_lock); +- ++sctx->stat.super_errors; +- spin_unlock(&sctx->stat_lock); +- if (fail_cor) +- btrfs_dev_stat_inc_and_print(sector->dev, +- BTRFS_DEV_STAT_CORRUPTION_ERRS); +- else +- btrfs_dev_stat_inc_and_print(sector->dev, +- BTRFS_DEV_STAT_GENERATION_ERRS); +- } +- + return fail_cor + fail_gen; + } + +-- +2.35.1 + diff --git a/queue-6.0/btrfs-scrub-try-to-fix-super-block-errors.patch b/queue-6.0/btrfs-scrub-try-to-fix-super-block-errors.patch new file mode 100644 index 00000000000..270aa91f207 --- /dev/null +++ b/queue-6.0/btrfs-scrub-try-to-fix-super-block-errors.patch @@ -0,0 +1,147 @@ +From 28896fc5bb084876a978d85940a8ccb737d05f3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 14:53:03 +0800 +Subject: btrfs: scrub: try to fix super block errors + +From: Qu Wenruo + +[ Upstream commit f9eab5f0bba76742af654f33d517bf62a0db8f12 ] + +[BUG] +The following script shows that, although scrub can detect super block +errors, it never tries to fix it: + + mkfs.btrfs -f -d raid1 -m raid1 $dev1 $dev2 + xfs_io -c "pwrite 67108864 4k" $dev2 + + mount $dev1 $mnt + btrfs scrub start -B $dev2 + btrfs scrub start -Br $dev2 + umount $mnt + +The first scrub reports the super error correctly: + + scrub done for f3289218-abd3-41ac-a630-202f766c0859 + Scrub started: Tue Aug 2 14:44:11 2022 + Status: finished + Duration: 0:00:00 + Total to scrub: 1.26GiB + Rate: 0.00B/s + Error summary: super=1 + Corrected: 0 + Uncorrectable: 0 + Unverified: 0 + +But the second read-only scrub still reports the same super error: + + Scrub started: Tue Aug 2 14:44:11 2022 + Status: finished + Duration: 0:00:00 + Total to scrub: 1.26GiB + Rate: 0.00B/s + Error summary: super=1 + Corrected: 0 + Uncorrectable: 0 + Unverified: 0 + +[CAUSE] +The comments already shows that super block can be easily fixed by +committing a transaction: + + /* + * If we find an error in a super block, we just report it. + * They will get written with the next transaction commit + * anyway + */ + +But the truth is, such assumption is not always true, and since scrub +should try to repair every error it found (except for read-only scrub), +we should really actively commit a transaction to fix this. + +[FIX] +Just commit a transaction if we found any super block errors, after +everything else is done. + +We cannot do this just after scrub_supers(), as +btrfs_commit_transaction() will try to pause and wait for the running +scrub, thus we can not call it with scrub_lock hold. + +Signed-off-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/scrub.c | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c +index 0fe7c4882e1f..7d9b09e3ca70 100644 +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -4093,6 +4093,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + int ret; + struct btrfs_device *dev; + unsigned int nofs_flag; ++ bool need_commit = false; + + if (btrfs_fs_closing(fs_info)) + return -EAGAIN; +@@ -4196,6 +4197,12 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + */ + nofs_flag = memalloc_nofs_save(); + if (!is_dev_replace) { ++ u64 old_super_errors; ++ ++ spin_lock(&sctx->stat_lock); ++ old_super_errors = sctx->stat.super_errors; ++ spin_unlock(&sctx->stat_lock); ++ + btrfs_info(fs_info, "scrub: started on devid %llu", devid); + /* + * by holding device list mutex, we can +@@ -4204,6 +4211,16 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + mutex_lock(&fs_info->fs_devices->device_list_mutex); + ret = scrub_supers(sctx, dev); + mutex_unlock(&fs_info->fs_devices->device_list_mutex); ++ ++ spin_lock(&sctx->stat_lock); ++ /* ++ * Super block errors found, but we can not commit transaction ++ * at current context, since btrfs_commit_transaction() needs ++ * to pause the current running scrub (hold by ourselves). ++ */ ++ if (sctx->stat.super_errors > old_super_errors && !sctx->readonly) ++ need_commit = true; ++ spin_unlock(&sctx->stat_lock); + } + + if (!ret) +@@ -4230,6 +4247,25 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start, + scrub_workers_put(fs_info); + scrub_put_ctx(sctx); + ++ /* ++ * We found some super block errors before, now try to force a ++ * transaction commit, as scrub has finished. ++ */ ++ if (need_commit) { ++ struct btrfs_trans_handle *trans; ++ ++ trans = btrfs_start_transaction(fs_info->tree_root, 0); ++ if (IS_ERR(trans)) { ++ ret = PTR_ERR(trans); ++ btrfs_err(fs_info, ++ "scrub: failed to start transaction to fix super block errors: %d", ret); ++ return ret; ++ } ++ ret = btrfs_commit_transaction(trans); ++ if (ret < 0) ++ btrfs_err(fs_info, ++ "scrub: failed to commit transaction to fix super block errors: %d", ret); ++ } + return ret; + out: + scrub_workers_put(fs_info); +-- +2.35.1 + diff --git a/queue-6.0/btrfs-separate-out-the-eb-and-extent-state-leak-help.patch b/queue-6.0/btrfs-separate-out-the-eb-and-extent-state-leak-help.patch new file mode 100644 index 00000000000..ee58fb23ff5 --- /dev/null +++ b/queue-6.0/btrfs-separate-out-the-eb-and-extent-state-leak-help.patch @@ -0,0 +1,144 @@ +From 72845648c29a262b9cfbbe0e1ac678db0bc6166d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 17:53:19 -0400 +Subject: btrfs: separate out the eb and extent state leak helpers + +From: Josef Bacik + +[ Upstream commit a40246e8afc0af3ffdee21854fb755c9364b8346 ] + +Currently we have the add/del functions generic so that we can use them +for both extent buffers and extent states. We want to separate this +code however, so separate these helpers into per-object helpers in +anticipation of the split. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/extent_io.c | 58 +++++++++++++++++++++++++++++--------------- + 1 file changed, 38 insertions(+), 20 deletions(-) + +diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c +index cf4f19e80e2f..d9d254b59bd1 100644 +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -44,25 +44,42 @@ static inline bool extent_state_in_tree(const struct extent_state *state) + static LIST_HEAD(states); + static DEFINE_SPINLOCK(leak_lock); + +-static inline void btrfs_leak_debug_add(spinlock_t *lock, +- struct list_head *new, +- struct list_head *head) ++static inline void btrfs_leak_debug_add_eb(struct extent_buffer *eb) ++{ ++ struct btrfs_fs_info *fs_info = eb->fs_info; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&fs_info->eb_leak_lock, flags); ++ list_add(&eb->leak_list, &fs_info->allocated_ebs); ++ spin_unlock_irqrestore(&fs_info->eb_leak_lock, flags); ++} ++ ++static inline void btrfs_leak_debug_add_state(struct extent_state *state) + { + unsigned long flags; + +- spin_lock_irqsave(lock, flags); +- list_add(new, head); +- spin_unlock_irqrestore(lock, flags); ++ spin_lock_irqsave(&leak_lock, flags); ++ list_add(&state->leak_list, &states); ++ spin_unlock_irqrestore(&leak_lock, flags); ++} ++ ++static inline void btrfs_leak_debug_del_eb(struct extent_buffer *eb) ++{ ++ struct btrfs_fs_info *fs_info = eb->fs_info; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&fs_info->eb_leak_lock, flags); ++ list_del(&eb->leak_list); ++ spin_unlock_irqrestore(&fs_info->eb_leak_lock, flags); + } + +-static inline void btrfs_leak_debug_del(spinlock_t *lock, +- struct list_head *entry) ++static inline void btrfs_leak_debug_del_state(struct extent_state *state) + { + unsigned long flags; + +- spin_lock_irqsave(lock, flags); +- list_del(entry); +- spin_unlock_irqrestore(lock, flags); ++ spin_lock_irqsave(&leak_lock, flags); ++ list_del(&state->leak_list); ++ spin_unlock_irqrestore(&leak_lock, flags); + } + + void btrfs_extent_buffer_leak_debug_check(struct btrfs_fs_info *fs_info) +@@ -126,9 +143,11 @@ static inline void __btrfs_debug_check_extent_io_range(const char *caller, + } + } + #else +-#define btrfs_leak_debug_add(lock, new, head) do {} while (0) +-#define btrfs_leak_debug_del(lock, entry) do {} while (0) +-#define btrfs_extent_state_leak_debug_check() do {} while (0) ++#define btrfs_leak_debug_add_eb(eb) do {} while (0) ++#define btrfs_leak_debug_add_state(state) do {} while (0) ++#define btrfs_leak_debug_del_eb(eb) do {} while (0) ++#define btrfs_leak_debug_del_state(state) do {} while (0) ++#define btrfs_extent_state_leak_debug_check() do {} while (0) + #define btrfs_debug_check_extent_io_range(c, s, e) do {} while (0) + #endif + +@@ -353,7 +372,7 @@ static struct extent_state *alloc_extent_state(gfp_t mask) + state->state = 0; + state->failrec = NULL; + RB_CLEAR_NODE(&state->rb_node); +- btrfs_leak_debug_add(&leak_lock, &state->leak_list, &states); ++ btrfs_leak_debug_add_state(state); + refcount_set(&state->refs, 1); + init_waitqueue_head(&state->wq); + trace_alloc_extent_state(state, mask, _RET_IP_); +@@ -366,7 +385,7 @@ void free_extent_state(struct extent_state *state) + return; + if (refcount_dec_and_test(&state->refs)) { + WARN_ON(extent_state_in_tree(state)); +- btrfs_leak_debug_del(&leak_lock, &state->leak_list); ++ btrfs_leak_debug_del_state(state); + trace_free_extent_state(state, _RET_IP_); + kmem_cache_free(extent_state_cache, state); + } +@@ -5856,7 +5875,7 @@ static void btrfs_release_extent_buffer_pages(struct extent_buffer *eb) + static inline void btrfs_release_extent_buffer(struct extent_buffer *eb) + { + btrfs_release_extent_buffer_pages(eb); +- btrfs_leak_debug_del(&eb->fs_info->eb_leak_lock, &eb->leak_list); ++ btrfs_leak_debug_del_eb(eb); + __free_extent_buffer(eb); + } + +@@ -5873,8 +5892,7 @@ __alloc_extent_buffer(struct btrfs_fs_info *fs_info, u64 start, + eb->bflags = 0; + init_rwsem(&eb->lock); + +- btrfs_leak_debug_add(&fs_info->eb_leak_lock, &eb->leak_list, +- &fs_info->allocated_ebs); ++ btrfs_leak_debug_add_eb(eb); + INIT_LIST_HEAD(&eb->release_list); + + spin_lock_init(&eb->refs_lock); +@@ -6342,7 +6360,7 @@ static int release_extent_buffer(struct extent_buffer *eb) + spin_unlock(&eb->refs_lock); + } + +- btrfs_leak_debug_del(&eb->fs_info->eb_leak_lock, &eb->leak_list); ++ btrfs_leak_debug_del_eb(eb); + /* Should be safe to release our pages at this point */ + btrfs_release_extent_buffer_pages(eb); + #ifdef CONFIG_BTRFS_FS_RUN_SANITY_TESTS +-- +2.35.1 + diff --git a/queue-6.0/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch b/queue-6.0/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch new file mode 100644 index 00000000000..cf064233f72 --- /dev/null +++ b/queue-6.0/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch @@ -0,0 +1,53 @@ +From 5ad0f74461f6f4a6c941a0214ea50824075c8a48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 09:55:56 +0800 +Subject: can: bcm: check the result of can_send() in bcm_can_tx() + +From: Ziyang Xuan + +[ Upstream commit 3fd7bfd28cfd68ae80a2fe92ea1615722cc2ee6e ] + +If can_send() fail, it should not update frames_abs counter +in bcm_can_tx(). Add the result check for can_send() in bcm_can_tx(). + +Suggested-by: Marc Kleine-Budde +Suggested-by: Oliver Hartkopp +Signed-off-by: Ziyang Xuan +Link: https://lore.kernel.org/all/9851878e74d6d37aee2f1ee76d68361a46f89458.1663206163.git.william.xuanziyang@huawei.com +Acked-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/bcm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/can/bcm.c b/net/can/bcm.c +index e60161bec850..f16271a7ae2e 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -274,6 +274,7 @@ static void bcm_can_tx(struct bcm_op *op) + struct sk_buff *skb; + struct net_device *dev; + struct canfd_frame *cf = op->frames + op->cfsiz * op->currframe; ++ int err; + + /* no target device? => exit */ + if (!op->ifindex) +@@ -298,11 +299,11 @@ static void bcm_can_tx(struct bcm_op *op) + /* send with loopback */ + skb->dev = dev; + can_skb_set_owner(skb, op->sk); +- can_send(skb, 1); ++ err = can_send(skb, 1); ++ if (!err) ++ op->frames_abs++; + +- /* update statistics */ + op->currframe++; +- op->frames_abs++; + + /* reached last frame? */ + if (op->currframe >= op->nframes) +-- +2.35.1 + diff --git a/queue-6.0/can-rx-offload-can_rx_offload_init_queue-fix-typo.patch b/queue-6.0/can-rx-offload-can_rx_offload_init_queue-fix-typo.patch new file mode 100644 index 00000000000..85b7227e703 --- /dev/null +++ b/queue-6.0/can-rx-offload-can_rx_offload_init_queue-fix-typo.patch @@ -0,0 +1,39 @@ +From 8b891242bff602c5046eed9d740e3164ed349362 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Aug 2022 21:38:00 +0200 +Subject: can: rx-offload: can_rx_offload_init_queue(): fix typo +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marc Kleine-Budde + +[ Upstream commit 766108d91246530d31b42765046f7ec2d1e42581 ] + +Fix typo "rounted" -> "rounded". + +Link: https://lore.kernel.org/all/20220811093617.1861938-2-mkl@pengutronix.de +Fixes: d254586c3453 ("can: rx-offload: Add support for HW fifo based irq offloading") +Reported-by: Uwe Kleine-König +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev/rx-offload.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/dev/rx-offload.c b/drivers/net/can/dev/rx-offload.c +index a32a01c172d4..ad8eb243fe78 100644 +--- a/drivers/net/can/dev/rx-offload.c ++++ b/drivers/net/can/dev/rx-offload.c +@@ -329,7 +329,7 @@ static int can_rx_offload_init_queue(struct net_device *dev, + { + offload->dev = dev; + +- /* Limit queue len to 4x the weight (rounted to next power of two) */ ++ /* Limit queue len to 4x the weight (rounded to next power of two) */ + offload->skb_queue_len_max = 2 << fls(weight); + offload->skb_queue_len_max *= 4; + skb_queue_head_init(&offload->skb_queue); +-- +2.35.1 + diff --git a/queue-6.0/cgroup-cpuset-enable-update_tasks_cpumask-on-top_cpu.patch b/queue-6.0/cgroup-cpuset-enable-update_tasks_cpumask-on-top_cpu.patch new file mode 100644 index 00000000000..070103f9402 --- /dev/null +++ b/queue-6.0/cgroup-cpuset-enable-update_tasks_cpumask-on-top_cpu.patch @@ -0,0 +1,71 @@ +From 782b31a48ac9ff0e3f4e4ac6a13777621d74977c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 16:57:36 -0400 +Subject: cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset + +From: Waiman Long + +[ Upstream commit ec5fbdfb99d18482619ac42605cb80fbb56068ee ] + +Previously, update_tasks_cpumask() is not supposed to be called with +top cpuset. With cpuset partition that takes CPUs away from the top +cpuset, adjusting the cpus_mask of the tasks in the top cpuset is +necessary. Percpu kthreads, however, are ignored. + +Fixes: ee8dde0cd2ce ("cpuset: Add new v2 cpuset.sched.partition flag") +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cpuset.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c +index 1f3a55297f39..50bf837571ac 100644 +--- a/kernel/cgroup/cpuset.c ++++ b/kernel/cgroup/cpuset.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1127,10 +1128,18 @@ static void update_tasks_cpumask(struct cpuset *cs) + { + struct css_task_iter it; + struct task_struct *task; ++ bool top_cs = cs == &top_cpuset; + + css_task_iter_start(&cs->css, 0, &it); +- while ((task = css_task_iter_next(&it))) ++ while ((task = css_task_iter_next(&it))) { ++ /* ++ * Percpu kthreads in top_cpuset are ignored ++ */ ++ if (top_cs && (task->flags & PF_KTHREAD) && ++ kthread_is_per_cpu(task)) ++ continue; + set_cpus_allowed_ptr(task, cs->effective_cpus); ++ } + css_task_iter_end(&it); + } + +@@ -2092,12 +2101,7 @@ static int update_prstate(struct cpuset *cs, int new_prs) + update_flag(CS_CPU_EXCLUSIVE, cs, 0); + } + +- /* +- * Update cpumask of parent's tasks except when it is the top +- * cpuset as some system daemons cannot be mapped to other CPUs. +- */ +- if (parent != &top_cpuset) +- update_tasks_cpumask(parent); ++ update_tasks_cpumask(parent); + + if (parent->child_ecpus_count) + update_sibling_cpumasks(parent, cs, &tmpmask); +-- +2.35.1 + diff --git a/queue-6.0/cgroup-honor-caller-s-cgroup-ns-when-resolving-path.patch b/queue-6.0/cgroup-honor-caller-s-cgroup-ns-when-resolving-path.patch new file mode 100644 index 00000000000..fd2e28c11c1 --- /dev/null +++ b/queue-6.0/cgroup-honor-caller-s-cgroup-ns-when-resolving-path.patch @@ -0,0 +1,49 @@ +From da21919d14e66271230c4da5bd61c43353c07b8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 18:52:35 +0200 +Subject: cgroup: Honor caller's cgroup NS when resolving path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Koutný + +[ Upstream commit 74e4b956eb1cac0e4c10c240339b1bbfbc9a4c48 ] + +cgroup_get_from_path() is not widely used function. Its callers presume +the path is resolved under cgroup namespace. (There is one caller +currently and resolving in init NS won't make harm (netfilter). However, +future users may be subject to different effects when resolving +globally.) +Since, there's currently no use for the global resolution, modify the +existing function to take cgroup NS into account. + +Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") +Signed-off-by: Michal Koutný +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index 5f2090d051ac..29296a6374ef 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -6638,8 +6638,12 @@ struct cgroup *cgroup_get_from_path(const char *path) + { + struct kernfs_node *kn; + struct cgroup *cgrp = ERR_PTR(-ENOENT); ++ struct cgroup *root_cgrp; + +- kn = kernfs_walk_and_get(cgrp_dfl_root.cgrp.kn, path); ++ spin_lock_irq(&css_set_lock); ++ root_cgrp = current_cgns_cgroup_from_root(&cgrp_dfl_root); ++ kn = kernfs_walk_and_get(root_cgrp->kn, path); ++ spin_unlock_irq(&css_set_lock); + if (!kn) + goto out; + +-- +2.35.1 + diff --git a/queue-6.0/cifs-return-correct-error-in-calc_signature.patch b/queue-6.0/cifs-return-correct-error-in-calc_signature.patch new file mode 100644 index 00000000000..45c231dcb72 --- /dev/null +++ b/queue-6.0/cifs-return-correct-error-in-calc_signature.patch @@ -0,0 +1,57 @@ +From e946e793ba9337f012505e8c1a0833dd55090053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 20:57:05 -0300 +Subject: cifs: return correct error in ->calc_signature() + +From: Enzo Matsumiya + +[ Upstream commit 09a1f9a168ae1f69f701689429871793174417d2 ] + +If an error happens while getting the key or session in the +->calc_signature implementations, 0 (success) is returned. Fix it by +returning a proper error code. + +Since it seems to be highly unlikely to happen wrap the rc check in +unlikely() too. + +Reviewed-by: Ronnie Sahlberg +Fixes: 32811d242ff6 ("cifs: Start using per session key for smb2/3 for signature generation") +Signed-off-by: Enzo Matsumiya +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2transport.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/fs/cifs/smb2transport.c b/fs/cifs/smb2transport.c +index 1a5fc3314dbf..4640fc4a8b13 100644 +--- a/fs/cifs/smb2transport.c ++++ b/fs/cifs/smb2transport.c +@@ -225,9 +225,9 @@ smb2_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server, + struct smb_rqst drqst; + + ses = smb2_find_smb_ses(server, le64_to_cpu(shdr->SessionId)); +- if (!ses) { ++ if (unlikely(!ses)) { + cifs_server_dbg(VFS, "%s: Could not find session\n", __func__); +- return 0; ++ return -ENOENT; + } + + memset(smb2_signature, 0x0, SMB2_HMACSHA256_SIZE); +@@ -557,8 +557,10 @@ smb3_calc_signature(struct smb_rqst *rqst, struct TCP_Server_Info *server, + u8 key[SMB3_SIGN_KEY_SIZE]; + + rc = smb2_get_sign_key(le64_to_cpu(shdr->SessionId), server, key); +- if (rc) +- return 0; ++ if (unlikely(rc)) { ++ cifs_server_dbg(VFS, "%s: Could not get signing key\n", __func__); ++ return rc; ++ } + + if (allocate_crypto) { + rc = cifs_alloc_hash("cmac(aes)", &hash, &sdesc); +-- +2.35.1 + diff --git a/queue-6.0/clk-ast2600-bclk-comes-from-epll.patch b/queue-6.0/clk-ast2600-bclk-comes-from-epll.patch new file mode 100644 index 00000000000..0bc82a17bf2 --- /dev/null +++ b/queue-6.0/clk-ast2600-bclk-comes-from-epll.patch @@ -0,0 +1,38 @@ +From cf273fdb632637d71b29c60dc5a48df5b548325c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Apr 2022 13:34:26 +0930 +Subject: clk: ast2600: BCLK comes from EPLL + +From: Joel Stanley + +[ Upstream commit b8c1dc9c00b252b3be853720a71b05ed451ddd9f ] + +This correction was made in the u-boot SDK recently. There are no +in-tree users of this clock so the impact is minimal. + +Fixes: d3d04f6c330a ("clk: Add support for AST2600 SoC") +Link: https://github.com/AspeedTech-BMC/u-boot/commit/8ad54a5ae15f27fea5e894cc2539a20d90019717 +Signed-off-by: Joel Stanley +Link: https://lore.kernel.org/r/20220421040426.171256-1-joel@jms.id.au +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-ast2600.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-ast2600.c b/drivers/clk/clk-ast2600.c +index 24dab2312bc6..9c3305bcb27a 100644 +--- a/drivers/clk/clk-ast2600.c ++++ b/drivers/clk/clk-ast2600.c +@@ -622,7 +622,7 @@ static int aspeed_g6_clk_probe(struct platform_device *pdev) + regmap_write(map, 0x308, 0x12000); /* 3x3 = 9 */ + + /* P-Bus (BCLK) clock divider */ +- hw = clk_hw_register_divider_table(dev, "bclk", "hpll", 0, ++ hw = clk_hw_register_divider_table(dev, "bclk", "epll", 0, + scu_g6_base + ASPEED_G6_CLK_SELECTION1, 20, 3, 0, + ast2600_div_table, + &aspeed_g6_clk_lock); +-- +2.35.1 + diff --git a/queue-6.0/clk-baikal-t1-add-sata-internal-ref-clock-buffer.patch b/queue-6.0/clk-baikal-t1-add-sata-internal-ref-clock-buffer.patch new file mode 100644 index 00000000000..e9bb9b0df8c --- /dev/null +++ b/queue-6.0/clk-baikal-t1-add-sata-internal-ref-clock-buffer.patch @@ -0,0 +1,234 @@ +From 6dbdd1c028b9ad1fe802a7b4d19bcfa25a26cc91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 01:53:58 +0300 +Subject: clk: baikal-t1: Add SATA internal ref clock buffer + +From: Serge Semin + +[ Upstream commit 081a9b7c74eae4e12b2cb1b86720f836a8f29247 ] + +It turns out the internal SATA reference clock signal will stay +unavailable for the SATA interface consumer until the buffer on it's way +is ungated. So aside with having the actual clock divider enabled we need +to ungate a buffer placed on the signal way to the SATA controller (most +likely some rudiment from the initial SoC release). Seeing the switch flag +is placed in the same register as the SATA-ref clock divider at a +non-standard ffset, let's implement it as a separate clock controller with +the set-rate propagation to the parental clock divider wrapper. As such +we'll be able to disable/enable and still change the original clock source +rate. + +Fixes: 353afa3a8d2e ("clk: Add Baikal-T1 CCU Dividers driver") +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20220929225402.9696-5-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/baikal-t1/ccu-div.c | 64 +++++++++++++++++++++++++++++ + drivers/clk/baikal-t1/ccu-div.h | 4 ++ + drivers/clk/baikal-t1/clk-ccu-div.c | 18 +++++++- + 3 files changed, 85 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/baikal-t1/ccu-div.c b/drivers/clk/baikal-t1/ccu-div.c +index bbfa3526ee10..a6642f3d33d4 100644 +--- a/drivers/clk/baikal-t1/ccu-div.c ++++ b/drivers/clk/baikal-t1/ccu-div.c +@@ -34,6 +34,7 @@ + #define CCU_DIV_CTL_CLKDIV_MASK(_width) \ + GENMASK((_width) + CCU_DIV_CTL_CLKDIV_FLD - 1, CCU_DIV_CTL_CLKDIV_FLD) + #define CCU_DIV_CTL_LOCK_SHIFTED BIT(27) ++#define CCU_DIV_CTL_GATE_REF_BUF BIT(28) + #define CCU_DIV_CTL_LOCK_NORMAL BIT(31) + + #define CCU_DIV_RST_DELAY_US 1 +@@ -170,6 +171,40 @@ static int ccu_div_gate_is_enabled(struct clk_hw *hw) + return !!(val & CCU_DIV_CTL_EN); + } + ++static int ccu_div_buf_enable(struct clk_hw *hw) ++{ ++ struct ccu_div *div = to_ccu_div(hw); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&div->lock, flags); ++ regmap_update_bits(div->sys_regs, div->reg_ctl, ++ CCU_DIV_CTL_GATE_REF_BUF, 0); ++ spin_unlock_irqrestore(&div->lock, flags); ++ ++ return 0; ++} ++ ++static void ccu_div_buf_disable(struct clk_hw *hw) ++{ ++ struct ccu_div *div = to_ccu_div(hw); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&div->lock, flags); ++ regmap_update_bits(div->sys_regs, div->reg_ctl, ++ CCU_DIV_CTL_GATE_REF_BUF, CCU_DIV_CTL_GATE_REF_BUF); ++ spin_unlock_irqrestore(&div->lock, flags); ++} ++ ++static int ccu_div_buf_is_enabled(struct clk_hw *hw) ++{ ++ struct ccu_div *div = to_ccu_div(hw); ++ u32 val = 0; ++ ++ regmap_read(div->sys_regs, div->reg_ctl, &val); ++ ++ return !(val & CCU_DIV_CTL_GATE_REF_BUF); ++} ++ + static unsigned long ccu_div_var_recalc_rate(struct clk_hw *hw, + unsigned long parent_rate) + { +@@ -323,6 +358,7 @@ static const struct ccu_div_dbgfs_bit ccu_div_bits[] = { + CCU_DIV_DBGFS_BIT_ATTR("div_en", CCU_DIV_CTL_EN), + CCU_DIV_DBGFS_BIT_ATTR("div_rst", CCU_DIV_CTL_RST), + CCU_DIV_DBGFS_BIT_ATTR("div_bypass", CCU_DIV_CTL_SET_CLKDIV), ++ CCU_DIV_DBGFS_BIT_ATTR("div_buf", CCU_DIV_CTL_GATE_REF_BUF), + CCU_DIV_DBGFS_BIT_ATTR("div_lock", CCU_DIV_CTL_LOCK_NORMAL) + }; + +@@ -441,6 +477,9 @@ static void ccu_div_var_debug_init(struct clk_hw *hw, struct dentry *dentry) + continue; + } + ++ if (!strcmp("div_buf", name)) ++ continue; ++ + bits[didx] = ccu_div_bits[bidx]; + bits[didx].div = div; + +@@ -477,6 +516,21 @@ static void ccu_div_gate_debug_init(struct clk_hw *hw, struct dentry *dentry) + &ccu_div_dbgfs_fixed_clkdiv_fops); + } + ++static void ccu_div_buf_debug_init(struct clk_hw *hw, struct dentry *dentry) ++{ ++ struct ccu_div *div = to_ccu_div(hw); ++ struct ccu_div_dbgfs_bit *bit; ++ ++ bit = kmalloc(sizeof(*bit), GFP_KERNEL); ++ if (!bit) ++ return; ++ ++ *bit = ccu_div_bits[3]; ++ bit->div = div; ++ debugfs_create_file_unsafe(bit->name, ccu_div_dbgfs_mode, dentry, bit, ++ &ccu_div_dbgfs_bit_fops); ++} ++ + static void ccu_div_fixed_debug_init(struct clk_hw *hw, struct dentry *dentry) + { + struct ccu_div *div = to_ccu_div(hw); +@@ -489,6 +543,7 @@ static void ccu_div_fixed_debug_init(struct clk_hw *hw, struct dentry *dentry) + + #define ccu_div_var_debug_init NULL + #define ccu_div_gate_debug_init NULL ++#define ccu_div_buf_debug_init NULL + #define ccu_div_fixed_debug_init NULL + + #endif /* !CONFIG_DEBUG_FS */ +@@ -520,6 +575,13 @@ static const struct clk_ops ccu_div_gate_ops = { + .debug_init = ccu_div_gate_debug_init + }; + ++static const struct clk_ops ccu_div_buf_ops = { ++ .enable = ccu_div_buf_enable, ++ .disable = ccu_div_buf_disable, ++ .is_enabled = ccu_div_buf_is_enabled, ++ .debug_init = ccu_div_buf_debug_init ++}; ++ + static const struct clk_ops ccu_div_fixed_ops = { + .recalc_rate = ccu_div_fixed_recalc_rate, + .round_rate = ccu_div_fixed_round_rate, +@@ -566,6 +628,8 @@ struct ccu_div *ccu_div_hw_register(const struct ccu_div_init_data *div_init) + } else if (div_init->type == CCU_DIV_GATE) { + hw_init.ops = &ccu_div_gate_ops; + div->divider = div_init->divider; ++ } else if (div_init->type == CCU_DIV_BUF) { ++ hw_init.ops = &ccu_div_buf_ops; + } else if (div_init->type == CCU_DIV_FIXED) { + hw_init.ops = &ccu_div_fixed_ops; + div->divider = div_init->divider; +diff --git a/drivers/clk/baikal-t1/ccu-div.h b/drivers/clk/baikal-t1/ccu-div.h +index b6a9c8e45318..4eb49ff4803c 100644 +--- a/drivers/clk/baikal-t1/ccu-div.h ++++ b/drivers/clk/baikal-t1/ccu-div.h +@@ -15,8 +15,10 @@ + + /* + * CCU Divider private clock IDs ++ * @CCU_SYS_SATA_CLK: CCU SATA internal clock + * @CCU_SYS_XGMAC_CLK: CCU XGMAC internal clock + */ ++#define CCU_SYS_SATA_CLK -1 + #define CCU_SYS_XGMAC_CLK -2 + + /* +@@ -37,11 +39,13 @@ + * enum ccu_div_type - CCU Divider types + * @CCU_DIV_VAR: Clocks gate with variable divider. + * @CCU_DIV_GATE: Clocks gate with fixed divider. ++ * @CCU_DIV_BUF: Clock gate with no divider. + * @CCU_DIV_FIXED: Ungateable clock with fixed divider. + */ + enum ccu_div_type { + CCU_DIV_VAR, + CCU_DIV_GATE, ++ CCU_DIV_BUF, + CCU_DIV_FIXED + }; + +diff --git a/drivers/clk/baikal-t1/clk-ccu-div.c b/drivers/clk/baikal-t1/clk-ccu-div.c +index 3953ae5664be..90f4fda406ee 100644 +--- a/drivers/clk/baikal-t1/clk-ccu-div.c ++++ b/drivers/clk/baikal-t1/clk-ccu-div.c +@@ -76,6 +76,16 @@ + .divider = _divider \ + } + ++#define CCU_DIV_BUF_INFO(_id, _name, _pname, _base, _flags) \ ++ { \ ++ .id = _id, \ ++ .name = _name, \ ++ .parent_name = _pname, \ ++ .base = _base, \ ++ .type = CCU_DIV_BUF, \ ++ .flags = _flags \ ++ } ++ + #define CCU_DIV_FIXED_INFO(_id, _name, _pname, _divider) \ + { \ + .id = _id, \ +@@ -188,11 +198,14 @@ static const struct ccu_div_rst_map axi_rst_map[] = { + * for the SoC devices registers IO-operations. + */ + static const struct ccu_div_info sys_info[] = { +- CCU_DIV_VAR_INFO(CCU_SYS_SATA_REF_CLK, "sys_sata_ref_clk", ++ CCU_DIV_VAR_INFO(CCU_SYS_SATA_CLK, "sys_sata_clk", + "sata_clk", CCU_SYS_SATA_REF_BASE, 4, + CLK_SET_RATE_GATE, + CCU_DIV_SKIP_ONE | CCU_DIV_LOCK_SHIFTED | + CCU_DIV_RESET_DOMAIN), ++ CCU_DIV_BUF_INFO(CCU_SYS_SATA_REF_CLK, "sys_sata_ref_clk", ++ "sys_sata_clk", CCU_SYS_SATA_REF_BASE, ++ CLK_SET_RATE_PARENT), + CCU_DIV_VAR_INFO(CCU_SYS_APB_CLK, "sys_apb_clk", + "pcie_clk", CCU_SYS_APB_BASE, 5, + CLK_IS_CRITICAL, CCU_DIV_RESET_DOMAIN), +@@ -398,6 +411,9 @@ static int ccu_div_clk_register(struct ccu_div_data *data) + init.base = info->base; + init.sys_regs = data->sys_regs; + init.divider = info->divider; ++ } else if (init.type == CCU_DIV_BUF) { ++ init.base = info->base; ++ init.sys_regs = data->sys_regs; + } else { + init.divider = info->divider; + } +-- +2.35.1 + diff --git a/queue-6.0/clk-baikal-t1-add-shared-xgmac-ref-ptp-clocks-intern.patch b/queue-6.0/clk-baikal-t1-add-shared-xgmac-ref-ptp-clocks-intern.patch new file mode 100644 index 00000000000..d4fc1730823 --- /dev/null +++ b/queue-6.0/clk-baikal-t1-add-shared-xgmac-ref-ptp-clocks-intern.patch @@ -0,0 +1,84 @@ +From 476c68e2512c917715aeefa47cab8fd7ff8765bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 01:53:57 +0300 +Subject: clk: baikal-t1: Add shared xGMAC ref/ptp clocks internal parent + +From: Serge Semin + +[ Upstream commit e2eef312762e0b5a5a70d29fe59a245c0a3cffa0 ] + +Baikal-T1 CCU reference manual says that both xGMAC reference and xGMAC +PTP clocks are generated by two different wrappers with the same constant +divider thus each producing a 156.25 MHz signal. But for some reason both +of these clock sources are gated by a single switch-flag in the CCU +registers space - CCU_SYS_XGMAC_BASE.BIT(0). In order to make the clocks +handled independently we need to define a shared parental gate so the base +clock signal would be switched off only if both of the child-clocks are +disabled. + +Note the ID is intentionally set to -2 since we are going to add a one +more internal clock identifier in the next commit. + +Fixes: 353afa3a8d2e ("clk: Add Baikal-T1 CCU Dividers driver") +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20220929225402.9696-4-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/baikal-t1/ccu-div.c | 1 + + drivers/clk/baikal-t1/ccu-div.h | 6 ++++++ + drivers/clk/baikal-t1/clk-ccu-div.c | 8 +++++--- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/baikal-t1/ccu-div.c b/drivers/clk/baikal-t1/ccu-div.c +index 4062092d67f9..bbfa3526ee10 100644 +--- a/drivers/clk/baikal-t1/ccu-div.c ++++ b/drivers/clk/baikal-t1/ccu-div.c +@@ -579,6 +579,7 @@ struct ccu_div *ccu_div_hw_register(const struct ccu_div_init_data *div_init) + goto err_free_div; + } + parent_data.fw_name = div_init->parent_name; ++ parent_data.name = div_init->parent_name; + hw_init.parent_data = &parent_data; + hw_init.num_parents = 1; + +diff --git a/drivers/clk/baikal-t1/ccu-div.h b/drivers/clk/baikal-t1/ccu-div.h +index 795665caefbd..b6a9c8e45318 100644 +--- a/drivers/clk/baikal-t1/ccu-div.h ++++ b/drivers/clk/baikal-t1/ccu-div.h +@@ -13,6 +13,12 @@ + #include + #include + ++/* ++ * CCU Divider private clock IDs ++ * @CCU_SYS_XGMAC_CLK: CCU XGMAC internal clock ++ */ ++#define CCU_SYS_XGMAC_CLK -2 ++ + /* + * CCU Divider private flags + * @CCU_DIV_SKIP_ONE: Due to some reason divider can't be set to 1. +diff --git a/drivers/clk/baikal-t1/clk-ccu-div.c b/drivers/clk/baikal-t1/clk-ccu-div.c +index ea77eec40ddd..3953ae5664be 100644 +--- a/drivers/clk/baikal-t1/clk-ccu-div.c ++++ b/drivers/clk/baikal-t1/clk-ccu-div.c +@@ -204,10 +204,12 @@ static const struct ccu_div_info sys_info[] = { + "eth_clk", CCU_SYS_GMAC1_BASE, 5), + CCU_DIV_FIXED_INFO(CCU_SYS_GMAC1_PTP_CLK, "sys_gmac1_ptp_clk", + "eth_clk", 10), +- CCU_DIV_GATE_INFO(CCU_SYS_XGMAC_REF_CLK, "sys_xgmac_ref_clk", +- "eth_clk", CCU_SYS_XGMAC_BASE, 8), ++ CCU_DIV_GATE_INFO(CCU_SYS_XGMAC_CLK, "sys_xgmac_clk", ++ "eth_clk", CCU_SYS_XGMAC_BASE, 1), ++ CCU_DIV_FIXED_INFO(CCU_SYS_XGMAC_REF_CLK, "sys_xgmac_ref_clk", ++ "sys_xgmac_clk", 8), + CCU_DIV_FIXED_INFO(CCU_SYS_XGMAC_PTP_CLK, "sys_xgmac_ptp_clk", +- "eth_clk", 8), ++ "sys_xgmac_clk", 8), + CCU_DIV_GATE_INFO(CCU_SYS_USB_CLK, "sys_usb_clk", + "eth_clk", CCU_SYS_USB_BASE, 10), + CCU_DIV_VAR_INFO(CCU_SYS_PVT_CLK, "sys_pvt_clk", +-- +2.35.1 + diff --git a/queue-6.0/clk-baikal-t1-fix-invalid-xgmac-ptp-clock-divider.patch b/queue-6.0/clk-baikal-t1-fix-invalid-xgmac-ptp-clock-divider.patch new file mode 100644 index 00000000000..005b8ae8820 --- /dev/null +++ b/queue-6.0/clk-baikal-t1-fix-invalid-xgmac-ptp-clock-divider.patch @@ -0,0 +1,38 @@ +From e404e0f4e18fa9b30560b52a8166de464ae8b5f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 01:53:56 +0300 +Subject: clk: baikal-t1: Fix invalid xGMAC PTP clock divider + +From: Serge Semin + +[ Upstream commit 3c742088686ce922704aec5b11d09bcc5a396589 ] + +Most likely due to copy-paste mistake the divider has been set to 10 while +according to the SoC reference manual it's supposed to be 8 thus having +PTP clock frequency of 156.25 MHz. + +Fixes: 353afa3a8d2e ("clk: Add Baikal-T1 CCU Dividers driver") +Signed-off-by: Serge Semin +Link: https://lore.kernel.org/r/20220929225402.9696-3-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/baikal-t1/clk-ccu-div.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/baikal-t1/clk-ccu-div.c b/drivers/clk/baikal-t1/clk-ccu-div.c +index f141fda12b09..ea77eec40ddd 100644 +--- a/drivers/clk/baikal-t1/clk-ccu-div.c ++++ b/drivers/clk/baikal-t1/clk-ccu-div.c +@@ -207,7 +207,7 @@ static const struct ccu_div_info sys_info[] = { + CCU_DIV_GATE_INFO(CCU_SYS_XGMAC_REF_CLK, "sys_xgmac_ref_clk", + "eth_clk", CCU_SYS_XGMAC_BASE, 8), + CCU_DIV_FIXED_INFO(CCU_SYS_XGMAC_PTP_CLK, "sys_xgmac_ptp_clk", +- "eth_clk", 10), ++ "eth_clk", 8), + CCU_DIV_GATE_INFO(CCU_SYS_USB_CLK, "sys_usb_clk", + "eth_clk", CCU_SYS_USB_BASE, 10), + CCU_DIV_VAR_INFO(CCU_SYS_PVT_CLK, "sys_pvt_clk", +-- +2.35.1 + diff --git a/queue-6.0/clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch b/queue-6.0/clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch new file mode 100644 index 00000000000..3049e1c9c9b --- /dev/null +++ b/queue-6.0/clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch @@ -0,0 +1,43 @@ +From de296f658b9076d91fd6655335ffd5d7b9218eeb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 16:10:37 +0200 +Subject: clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration + +From: Stefan Wahren + +[ Upstream commit 0b919a3728691c172312dee99ba654055ccd8c84 ] + +The return value of bcm2835_clock_rate_from_divisor is always unsigned +and also all caller expect this. So fix the declaration accordingly. + +Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks") +Signed-off-by: Stefan Wahren +Link: https://lore.kernel.org/r/20220904141037.38816-1-stefan.wahren@i2se.com +Reviewed-by: Ivan T. Ivanov +Reviewed-by: Florian Fainelli +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index 19de0e83b65d..f1102b4c7e88 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -966,9 +966,9 @@ static u32 bcm2835_clock_choose_div(struct clk_hw *hw, + return div; + } + +-static long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock, +- unsigned long parent_rate, +- u32 div) ++static unsigned long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock, ++ unsigned long parent_rate, ++ u32 div) + { + const struct bcm2835_clock_data *data = clock->data; + u64 temp; +-- +2.35.1 + diff --git a/queue-6.0/clk-bcm2835-make-peripheral-pllc-critical.patch b/queue-6.0/clk-bcm2835-make-peripheral-pllc-critical.patch new file mode 100644 index 00000000000..3123bcdcac4 --- /dev/null +++ b/queue-6.0/clk-bcm2835-make-peripheral-pllc-critical.patch @@ -0,0 +1,51 @@ +From b46a1e053268e5d2f65a7f0f84c68f9be452f8c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 10:45:09 +0200 +Subject: clk: bcm2835: Make peripheral PLLC critical +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maxime Ripard + +[ Upstream commit 6c5422851d8be8c7451e968fd2e6da41b6109e17 ] + +When testing for a series affecting the VEC, it was discovered that +turning off and on the VEC clock is crashing the system. + +It turns out that, when disabling the VEC clock, it's the only child of +the PLLC-per clock which will also get disabled. The source of the crash +is PLLC-per being disabled. + +It's likely that some other device might not take a clock reference that +it actually needs, but it's unclear which at this point. Let's make +PLLC-per critical so that we don't have that crash. + +Reported-by: Noralf Trønnes +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20220926084509.12233-1-maxime@cerno.tech +Reviewed-by: Stefan Wahren +Acked-by: Noralf Trønnes +Signed-off-by: Stephen Boyd +Stable-dep-of: 0b919a372869 ("clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration") +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index 48a1eb9f2d55..19de0e83b65d 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -1784,7 +1784,7 @@ static const struct bcm2835_clk_desc clk_desc_array[] = { + .load_mask = CM_PLLC_LOADPER, + .hold_mask = CM_PLLC_HOLDPER, + .fixed_divider = 1, +- .flags = CLK_SET_RATE_PARENT), ++ .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT), + + /* + * PLLD is the display PLL, used to drive DSI display panels. +-- +2.35.1 + diff --git a/queue-6.0/clk-bcm2835-round-uart-input-clock-up.patch b/queue-6.0/clk-bcm2835-round-uart-input-clock-up.patch new file mode 100644 index 00000000000..8eac0e9d300 --- /dev/null +++ b/queue-6.0/clk-bcm2835-round-uart-input-clock-up.patch @@ -0,0 +1,126 @@ +From 232206a3097c08c00f9567cb86c39f415b269b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 11:13:04 +0300 +Subject: clk: bcm2835: Round UART input clock up + +From: Ivan T. Ivanov + +[ Upstream commit f690a4d7a8f66430662975511c86819dc9965bcc ] + +It was reported that RPi3[1] and RPi Zero 2W boards have issues with +the Bluetooth. It turns out that when switching from initial to +operation speed host and device no longer can talk each other because +host uses incorrect UART baud rate. + +The UART driver used in this case is amba-pl011. Original fix, see +below Github link[2], was inside pl011 module, but somehow it didn't +look as the right place to fix. Beside that this original rounding +function is not exactly perfect for all possible clock values. So I +deiced to move the hack to the platform which actually need it. + +The UART clock is initialised to be as close to the requested +frequency as possible without exceeding it. Now that there is a +clock manager that returns the actual frequencies, an expected +48MHz clock is reported as 47999625. If the requested baud rate +== requested clock/16, there is no headroom and the slight +reduction in actual clock rate results in failure. + +If increasing a clock by less than 0.1% changes it from ..999.. +to ..000.., round it up. + +[1] https://bugzilla.suse.com/show_bug.cgi?id=1188238 +[2] https://github.com/raspberrypi/linux/commit/ab3f1b39537f6d3825b8873006fbe2fc5ff057b7 + +Cc: Phil Elwell +Signed-off-by: Ivan T. Ivanov +Reviewed-by: Stefan Wahren +Link: https://lore.kernel.org/r/20220912081306.24662-1-iivanov@suse.de +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/bcm/clk-bcm2835.c | 35 +++++++++++++++++++++++++++++++++-- + 1 file changed, 33 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c +index f1102b4c7e88..e74fe6219d14 100644 +--- a/drivers/clk/bcm/clk-bcm2835.c ++++ b/drivers/clk/bcm/clk-bcm2835.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -502,6 +503,8 @@ struct bcm2835_clock_data { + bool low_jitter; + + u32 tcnt_mux; ++ ++ bool round_up; + }; + + struct bcm2835_gate_data { +@@ -993,12 +996,34 @@ static unsigned long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock + return temp; + } + ++static unsigned long bcm2835_round_rate(unsigned long rate) ++{ ++ unsigned long scaler; ++ unsigned long limit; ++ ++ limit = rate / 100000; ++ ++ scaler = 1; ++ while (scaler < limit) ++ scaler *= 10; ++ ++ /* ++ * If increasing a clock by less than 0.1% changes it ++ * from ..999.. to ..000.., round up. ++ */ ++ if ((rate + scaler - 1) / scaler % 1000 == 0) ++ rate = roundup(rate, scaler); ++ ++ return rate; ++} ++ + static unsigned long bcm2835_clock_get_rate(struct clk_hw *hw, + unsigned long parent_rate) + { + struct bcm2835_clock *clock = bcm2835_clock_from_hw(hw); + struct bcm2835_cprman *cprman = clock->cprman; + const struct bcm2835_clock_data *data = clock->data; ++ unsigned long rate; + u32 div; + + if (data->int_bits == 0 && data->frac_bits == 0) +@@ -1006,7 +1031,12 @@ static unsigned long bcm2835_clock_get_rate(struct clk_hw *hw, + + div = cprman_read(cprman, data->div_reg); + +- return bcm2835_clock_rate_from_divisor(clock, parent_rate, div); ++ rate = bcm2835_clock_rate_from_divisor(clock, parent_rate, div); ++ ++ if (data->round_up) ++ rate = bcm2835_round_rate(rate); ++ ++ return rate; + } + + static void bcm2835_clock_wait_busy(struct bcm2835_clock *clock) +@@ -2143,7 +2173,8 @@ static const struct bcm2835_clk_desc clk_desc_array[] = { + .div_reg = CM_UARTDIV, + .int_bits = 10, + .frac_bits = 12, +- .tcnt_mux = 28), ++ .tcnt_mux = 28, ++ .round_up = true), + + /* TV encoder clock. Only operating frequency is 108Mhz. */ + [BCM2835_CLOCK_VEC] = REGISTER_PER_CLK( +-- +2.35.1 + diff --git a/queue-6.0/clk-berlin-add-of_node_put-for-of_get_parent.patch b/queue-6.0/clk-berlin-add-of_node_put-for-of_get_parent.patch new file mode 100644 index 00000000000..39ee1182d1d --- /dev/null +++ b/queue-6.0/clk-berlin-add-of_node_put-for-of_get_parent.patch @@ -0,0 +1,77 @@ +From 1ddcbf5f41cbeaabe5280ad1dd010a804c07a2dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 16:49:00 +0800 +Subject: clk: berlin: Add of_node_put() for of_get_parent() + +From: Liang He + +[ Upstream commit 37c381b812dcbfde9c3f1f3d3e75fdfc1b40d5bc ] + +In berlin2_clock_setup() and berlin2q_clock_setup(), we need to +call of_node_put() for the reference returned by of_get_parent() +which has increased the refcount. We should call *_put() in fail +path or when it is not used anymore. + +Fixes: 26b3b6b959b2 ("clk: berlin: prepare simple-mfd conversion") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220708084900.311684-1-windhl@126.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/berlin/bg2.c | 5 ++++- + drivers/clk/berlin/bg2q.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/berlin/bg2.c b/drivers/clk/berlin/bg2.c +index bccdfa00fd37..67a9edbba29c 100644 +--- a/drivers/clk/berlin/bg2.c ++++ b/drivers/clk/berlin/bg2.c +@@ -500,12 +500,15 @@ static void __init berlin2_clock_setup(struct device_node *np) + int n, ret; + + clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL); +- if (!clk_data) ++ if (!clk_data) { ++ of_node_put(parent_np); + return; ++ } + clk_data->num = MAX_CLKS; + hws = clk_data->hws; + + gbase = of_iomap(parent_np, 0); ++ of_node_put(parent_np); + if (!gbase) + return; + +diff --git a/drivers/clk/berlin/bg2q.c b/drivers/clk/berlin/bg2q.c +index e9518d35f262..dd2784bb75b6 100644 +--- a/drivers/clk/berlin/bg2q.c ++++ b/drivers/clk/berlin/bg2q.c +@@ -286,19 +286,23 @@ static void __init berlin2q_clock_setup(struct device_node *np) + int n, ret; + + clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL); +- if (!clk_data) ++ if (!clk_data) { ++ of_node_put(parent_np); + return; ++ } + clk_data->num = MAX_CLKS; + hws = clk_data->hws; + + gbase = of_iomap(parent_np, 0); + if (!gbase) { ++ of_node_put(parent_np); + pr_err("%pOF: Unable to map global base\n", np); + return; + } + + /* BG2Q CPU PLL is not part of global registers */ + cpupll_base = of_iomap(parent_np, 1); ++ of_node_put(parent_np); + if (!cpupll_base) { + pr_err("%pOF: Unable to map cpupll base\n", np); + iounmap(gbase); +-- +2.35.1 + diff --git a/queue-6.0/clk-gcc-sc8280xp-keep-pcie-power-domains-always-on.patch b/queue-6.0/clk-gcc-sc8280xp-keep-pcie-power-domains-always-on.patch new file mode 100644 index 00000000000..2adf20c04b9 --- /dev/null +++ b/queue-6.0/clk-gcc-sc8280xp-keep-pcie-power-domains-always-on.patch @@ -0,0 +1,85 @@ +From fb1f3ada91a657538c12abc69e16b5ee1bc663e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Aug 2022 14:12:49 +0200 +Subject: clk: gcc-sc8280xp: keep PCIe power-domains always-on + +From: Johan Hovold + +[ Upstream commit 12d2a4769380f0dc9ba6f827839869db2b81ef00 ] + +The Qualcomm PCIe driver does not yet implement suspend so to keep the +PCIe power domains always-on for now to avoid crashing during resume. + +Signed-off-by: Johan Hovold +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220805121250.10347-2-johan+linaro@kernel.org +Stable-dep-of: 5a6d30675d17 ("clk: qcom: gcc-msm8916: use ARRAY_SIZE instead of specifying num_parents") +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sc8280xp.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-sc8280xp.c b/drivers/clk/qcom/gcc-sc8280xp.c +index a2f3ffcc5849..eaeada42e13a 100644 +--- a/drivers/clk/qcom/gcc-sc8280xp.c ++++ b/drivers/clk/qcom/gcc-sc8280xp.c +@@ -6768,6 +6768,10 @@ static struct gdsc pcie_1_tunnel_gdsc = { + .flags = VOTABLE, + }; + ++/* ++ * The Qualcomm PCIe driver does not yet implement suspend so to keep the ++ * PCIe power domains always-on for now. ++ */ + static struct gdsc pcie_2a_gdsc = { + .gdscr = 0x9d004, + .collapse_ctrl = 0x52128, +@@ -6776,7 +6780,7 @@ static struct gdsc pcie_2a_gdsc = { + .name = "pcie_2a_gdsc", + }, + .pwrsts = PWRSTS_OFF_ON, +- .flags = VOTABLE, ++ .flags = VOTABLE | ALWAYS_ON, + }; + + static struct gdsc pcie_2b_gdsc = { +@@ -6787,7 +6791,7 @@ static struct gdsc pcie_2b_gdsc = { + .name = "pcie_2b_gdsc", + }, + .pwrsts = PWRSTS_OFF_ON, +- .flags = VOTABLE, ++ .flags = VOTABLE | ALWAYS_ON, + }; + + static struct gdsc pcie_3a_gdsc = { +@@ -6798,7 +6802,7 @@ static struct gdsc pcie_3a_gdsc = { + .name = "pcie_3a_gdsc", + }, + .pwrsts = PWRSTS_OFF_ON, +- .flags = VOTABLE, ++ .flags = VOTABLE | ALWAYS_ON, + }; + + static struct gdsc pcie_3b_gdsc = { +@@ -6809,7 +6813,7 @@ static struct gdsc pcie_3b_gdsc = { + .name = "pcie_3b_gdsc", + }, + .pwrsts = PWRSTS_OFF_ON, +- .flags = VOTABLE, ++ .flags = VOTABLE | ALWAYS_ON, + }; + + static struct gdsc pcie_4_gdsc = { +@@ -6820,7 +6824,7 @@ static struct gdsc pcie_4_gdsc = { + .name = "pcie_4_gdsc", + }, + .pwrsts = PWRSTS_OFF_ON, +- .flags = VOTABLE, ++ .flags = VOTABLE | ALWAYS_ON, + }; + + static struct gdsc ufs_card_gdsc = { +-- +2.35.1 + diff --git a/queue-6.0/clk-imx-scu-fix-memleak-on-platform_device_add-fails.patch b/queue-6.0/clk-imx-scu-fix-memleak-on-platform_device_add-fails.patch new file mode 100644 index 00000000000..b917ac5bafa --- /dev/null +++ b/queue-6.0/clk-imx-scu-fix-memleak-on-platform_device_add-fails.patch @@ -0,0 +1,42 @@ +From 3b60e927dd1447d9ab0e1a1e5bb749410255c7de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 11:32:06 +0800 +Subject: clk: imx: scu: fix memleak on platform_device_add() fails + +From: Lin Yujun + +[ Upstream commit 855ae87a2073ebf1b395e020de54fdf9ce7d166f ] + +No error handling is performed when platform_device_add() +fails. Add error processing before return, and modified +the return value. + +Fixes: 77d8f3068c63 ("clk: imx: scu: add two cells binding support") +Signed-off-by: Lin Yujun +Link: https://lore.kernel.org/r/20220914033206.98046-1-linyujun809@huawei.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-scu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/imx/clk-scu.c b/drivers/clk/imx/clk-scu.c +index c56e406138db..1e6870f3671f 100644 +--- a/drivers/clk/imx/clk-scu.c ++++ b/drivers/clk/imx/clk-scu.c +@@ -695,7 +695,11 @@ struct clk_hw *imx_clk_scu_alloc_dev(const char *name, + pr_warn("%s: failed to attached the power domain %d\n", + name, ret); + +- platform_device_add(pdev); ++ ret = platform_device_add(pdev); ++ if (ret) { ++ platform_device_put(pdev); ++ return ERR_PTR(ret); ++ } + + /* For API backwards compatiblilty, simply return NULL for success */ + return NULL; +-- +2.35.1 + diff --git a/queue-6.0/clk-imx8mp-tune-the-order-of-enet_qos_root_clk.patch b/queue-6.0/clk-imx8mp-tune-the-order-of-enet_qos_root_clk.patch new file mode 100644 index 00000000000..db56155c55e --- /dev/null +++ b/queue-6.0/clk-imx8mp-tune-the-order-of-enet_qos_root_clk.patch @@ -0,0 +1,54 @@ +From 43a948b4edd5355f88c5be9dd39a7474e4205f92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 09:34:28 +0800 +Subject: clk: imx8mp: tune the order of enet_qos_root_clk + +From: Peng Fan + +[ Upstream commit c68cd258a67730c24566b9688d7c134e67459ac6 ] + +The enet_qos_root_clk takes sim_enet_root_clk as parent. When +registering enet_qos_root_clk, it will be put into clk orphan list, +because sim_enet_root_clk is not ready. + +When sim_enet_root_clk is ready, clk_core_reparent_orphans_nolock will +set enet_qos_root_clk parent to sim_enet_root_clk. + +Because CLK_OPS_PARENT_ENABLE is set, sim_enet_root_clk will be +enabled and disabled during the enet_qos_root_clk reparent phase. + +All the above are correct. But with M7 booted early and using +enet, M7 enet feature will be broken, because clk driver probe phase +disable the needed clks, in case M7 firmware not configure +sim_enet_root_clk. + +And tune the order would also save cpu cycles. + +Reviewed-by: Ye Li +Signed-off-by: Peng Fan +Reviewed-by: Abel Vesa +Signed-off-by: Abel Vesa +Link: https://lore.kernel.org/r/20220815013428.476015-1-peng.fan@oss.nxp.com +Stable-dep-of: 855ae87a2073 ("clk: imx: scu: fix memleak on platform_device_add() fails") +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx8mp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c +index e89db568f5a8..652ae58c2735 100644 +--- a/drivers/clk/imx/clk-imx8mp.c ++++ b/drivers/clk/imx/clk-imx8mp.c +@@ -665,8 +665,8 @@ static int imx8mp_clocks_probe(struct platform_device *pdev) + hws[IMX8MP_CLK_CAN1_ROOT] = imx_clk_hw_gate2("can1_root_clk", "can1", ccm_base + 0x4350, 0); + hws[IMX8MP_CLK_CAN2_ROOT] = imx_clk_hw_gate2("can2_root_clk", "can2", ccm_base + 0x4360, 0); + hws[IMX8MP_CLK_SDMA1_ROOT] = imx_clk_hw_gate4("sdma1_root_clk", "ipg_root", ccm_base + 0x43a0, 0); +- hws[IMX8MP_CLK_ENET_QOS_ROOT] = imx_clk_hw_gate4("enet_qos_root_clk", "sim_enet_root_clk", ccm_base + 0x43b0, 0); + hws[IMX8MP_CLK_SIM_ENET_ROOT] = imx_clk_hw_gate4("sim_enet_root_clk", "enet_axi", ccm_base + 0x4400, 0); ++ hws[IMX8MP_CLK_ENET_QOS_ROOT] = imx_clk_hw_gate4("enet_qos_root_clk", "sim_enet_root_clk", ccm_base + 0x43b0, 0); + hws[IMX8MP_CLK_GPU2D_ROOT] = imx_clk_hw_gate4("gpu2d_root_clk", "gpu2d_core", ccm_base + 0x4450, 0); + hws[IMX8MP_CLK_GPU3D_ROOT] = imx_clk_hw_gate4("gpu3d_root_clk", "gpu3d_core", ccm_base + 0x4460, 0); + hws[IMX8MP_CLK_UART1_ROOT] = imx_clk_hw_gate4("uart1_root_clk", "uart1", ccm_base + 0x4490, 0); +-- +2.35.1 + diff --git a/queue-6.0/clk-mediatek-clk-mt8195-mfg-reparent-mfg_bg3d-and-pr.patch b/queue-6.0/clk-mediatek-clk-mt8195-mfg-reparent-mfg_bg3d-and-pr.patch new file mode 100644 index 00000000000..466550f0f14 --- /dev/null +++ b/queue-6.0/clk-mediatek-clk-mt8195-mfg-reparent-mfg_bg3d-and-pr.patch @@ -0,0 +1,55 @@ +From 4c249b26fc9529bb39f905aac0e6c2c25761fab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 12:11:23 +0200 +Subject: clk: mediatek: clk-mt8195-mfg: Reparent mfg_bg3d and propagate rate + changes + +From: AngeloGioacchino Del Regno + +[ Upstream commit a5f7bf5458c2cf6730106e16a6373638a0e5ed1e ] + +The MFG_BG3D is a gate to enable/disable clock output to the GPU, +but the actual output is decided by multiple muxes; in particular: +mfg_ck_fast_ref muxes between "slow" (top_mfg_core_tmp) and +"fast" (MFGPLL) clock, while top_mfg_core_tmp muxes between the +26MHz clock and various system PLLs. + +The clock gate comes after all the muxes, so its parent is +mfg_ck_fast_reg, not top_mfg_core_tmp. +Reparent MFG_BG3D to the latter to match the hardware and add the +CLK_SET_RATE_PARENT flag to it: this way we ensure propagating +rate changes that are requested on MFG_BG3D along its entire clock +tree. + +Fixes: 35016f10c0e5 ("clk: mediatek: Add MT8195 mfgcfg clock support") +Signed-off-by: AngeloGioacchino Del Regno +Reviewed-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20220927101128.44758-6-angelogioacchino.delregno@collabora.com +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt8195-mfg.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/mediatek/clk-mt8195-mfg.c b/drivers/clk/mediatek/clk-mt8195-mfg.c +index 9411c556a5a9..c94cb71bd9b9 100644 +--- a/drivers/clk/mediatek/clk-mt8195-mfg.c ++++ b/drivers/clk/mediatek/clk-mt8195-mfg.c +@@ -17,10 +17,12 @@ static const struct mtk_gate_regs mfg_cg_regs = { + }; + + #define GATE_MFG(_id, _name, _parent, _shift) \ +- GATE_MTK(_id, _name, _parent, &mfg_cg_regs, _shift, &mtk_clk_gate_ops_setclr) ++ GATE_MTK_FLAGS(_id, _name, _parent, &mfg_cg_regs, \ ++ _shift, &mtk_clk_gate_ops_setclr, \ ++ CLK_SET_RATE_PARENT) + + static const struct mtk_gate mfg_clks[] = { +- GATE_MFG(CLK_MFG_BG3D, "mfg_bg3d", "top_mfg_core_tmp", 0), ++ GATE_MFG(CLK_MFG_BG3D, "mfg_bg3d", "mfg_ck_fast_ref", 0), + }; + + static const struct mtk_clk_desc mfg_desc = { +-- +2.35.1 + diff --git a/queue-6.0/clk-mediatek-clk-mt8195-vdo0-set-rate-on-vdo0_dp_int.patch b/queue-6.0/clk-mediatek-clk-mt8195-vdo0-set-rate-on-vdo0_dp_int.patch new file mode 100644 index 00000000000..1ab7330fc1a --- /dev/null +++ b/queue-6.0/clk-mediatek-clk-mt8195-vdo0-set-rate-on-vdo0_dp_int.patch @@ -0,0 +1,59 @@ +From b92aa1cf7dc0f19b4f84d33e866fadade008a6d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 15:32:55 -0400 +Subject: clk: mediatek: clk-mt8195-vdo0: Set rate on vdo0_dp_intf0_dp_intf's + parent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: AngeloGioacchino Del Regno + +[ Upstream commit 3f0dadd230cc2630202a977fe52cd1dd7a7579a7 ] + +Add the CLK_SET_RATE_PARENT flag to the CLK_VDO0_DP_INTF0_DP_INTF +clock: this is required to trigger clock source selection on +CLK_TOP_EDP, while avoiding to manage the enablement of the former +separately from the latter in the displayport driver. + +Fixes: 70282c90d4a2 ("clk: mediatek: Add MT8195 vdosys0 clock support") +Signed-off-by: AngeloGioacchino Del Regno +Tested-by: Bo-Chen Chen +Reviewed-by: Bo-Chen Chen +Signed-off-by: Nícolas F. R. A. Prado + +Link: https://lore.kernel.org/r/20220816193257.658487-2-nfraprado@collabora.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt8195-vdo0.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/mediatek/clk-mt8195-vdo0.c b/drivers/clk/mediatek/clk-mt8195-vdo0.c +index 261a7f76dd3c..07b46bfd5040 100644 +--- a/drivers/clk/mediatek/clk-mt8195-vdo0.c ++++ b/drivers/clk/mediatek/clk-mt8195-vdo0.c +@@ -37,6 +37,10 @@ static const struct mtk_gate_regs vdo0_2_cg_regs = { + #define GATE_VDO0_2(_id, _name, _parent, _shift) \ + GATE_MTK(_id, _name, _parent, &vdo0_2_cg_regs, _shift, &mtk_clk_gate_ops_setclr) + ++#define GATE_VDO0_2_FLAGS(_id, _name, _parent, _shift, _flags) \ ++ GATE_MTK_FLAGS(_id, _name, _parent, &vdo0_2_cg_regs, _shift, \ ++ &mtk_clk_gate_ops_setclr, _flags) ++ + static const struct mtk_gate vdo0_clks[] = { + /* VDO0_0 */ + GATE_VDO0_0(CLK_VDO0_DISP_OVL0, "vdo0_disp_ovl0", "top_vpp", 0), +@@ -85,7 +89,8 @@ static const struct mtk_gate vdo0_clks[] = { + /* VDO0_2 */ + GATE_VDO0_2(CLK_VDO0_DSI0_DSI, "vdo0_dsi0_dsi", "top_dsi_occ", 0), + GATE_VDO0_2(CLK_VDO0_DSI1_DSI, "vdo0_dsi1_dsi", "top_dsi_occ", 8), +- GATE_VDO0_2(CLK_VDO0_DP_INTF0_DP_INTF, "vdo0_dp_intf0_dp_intf", "top_edp", 16), ++ GATE_VDO0_2_FLAGS(CLK_VDO0_DP_INTF0_DP_INTF, "vdo0_dp_intf0_dp_intf", ++ "top_edp", 16, CLK_SET_RATE_PARENT), + }; + + static int clk_mt8195_vdo0_probe(struct platform_device *pdev) +-- +2.35.1 + diff --git a/queue-6.0/clk-mediatek-clk-mt8195-vdo1-reparent-and-set-rate-o.patch b/queue-6.0/clk-mediatek-clk-mt8195-vdo1-reparent-and-set-rate-o.patch new file mode 100644 index 00000000000..47524493a0d --- /dev/null +++ b/queue-6.0/clk-mediatek-clk-mt8195-vdo1-reparent-and-set-rate-o.patch @@ -0,0 +1,60 @@ +From ad661699998f4ba6f3283ee486b3d43dca6270ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 15:32:56 -0400 +Subject: clk: mediatek: clk-mt8195-vdo1: Reparent and set rate on + vdo1_dpintf's parent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: AngeloGioacchino Del Regno + +[ Upstream commit f24d71feb206631116ff9adaa6d43650c5dd8849 ] + +Like it was done for the vdo0_dp_intf0_dp_intf clock (used for eDP), +add the CLK_SET_RATE_PARENT flag to CLK_VDO1_DPINTF (used for DP) +and also fix its parent clock name as it has to be "top_dp" for two +reasons: + - This is its real parent! + - Likewise to eDP/VDO0 counterpart, we need clock source + selection on CLK_TOP_DP. + +Fixes: 269987505ba9 ("clk: mediatek: Add MT8195 vdosys1 clock support") +Signed-off-by: AngeloGioacchino Del Regno +Tested-by: Bo-Chen Chen +Reviewed-by: Bo-Chen Chen +Signed-off-by: Nícolas F. R. A. Prado +Link: https://lore.kernel.org/r/20220816193257.658487-3-nfraprado@collabora.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt8195-vdo1.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/mediatek/clk-mt8195-vdo1.c b/drivers/clk/mediatek/clk-mt8195-vdo1.c +index 3378487d2c90..d54d7726d186 100644 +--- a/drivers/clk/mediatek/clk-mt8195-vdo1.c ++++ b/drivers/clk/mediatek/clk-mt8195-vdo1.c +@@ -43,6 +43,10 @@ static const struct mtk_gate_regs vdo1_3_cg_regs = { + #define GATE_VDO1_2(_id, _name, _parent, _shift) \ + GATE_MTK(_id, _name, _parent, &vdo1_2_cg_regs, _shift, &mtk_clk_gate_ops_setclr) + ++#define GATE_VDO1_2_FLAGS(_id, _name, _parent, _shift, _flags) \ ++ GATE_MTK_FLAGS(_id, _name, _parent, &vdo1_2_cg_regs, _shift, \ ++ &mtk_clk_gate_ops_setclr, _flags) ++ + #define GATE_VDO1_3(_id, _name, _parent, _shift) \ + GATE_MTK(_id, _name, _parent, &vdo1_3_cg_regs, _shift, &mtk_clk_gate_ops_setclr) + +@@ -99,7 +103,7 @@ static const struct mtk_gate vdo1_clks[] = { + GATE_VDO1_2(CLK_VDO1_DISP_MONITOR_DPI0, "vdo1_disp_monitor_dpi0", "top_vpp", 1), + GATE_VDO1_2(CLK_VDO1_DPI1, "vdo1_dpi1", "top_vpp", 8), + GATE_VDO1_2(CLK_VDO1_DISP_MONITOR_DPI1, "vdo1_disp_monitor_dpi1", "top_vpp", 9), +- GATE_VDO1_2(CLK_VDO1_DPINTF, "vdo1_dpintf", "top_vpp", 16), ++ GATE_VDO1_2_FLAGS(CLK_VDO1_DPINTF, "vdo1_dpintf", "top_dp", 16, CLK_SET_RATE_PARENT), + GATE_VDO1_2(CLK_VDO1_DISP_MONITOR_DPINTF, "vdo1_disp_monitor_dpintf", "top_vpp", 17), + /* VDO1_3 */ + GATE_VDO1_3(CLK_VDO1_26M_SLOW, "vdo1_26m_slow", "clk26m", 8), +-- +2.35.1 + diff --git a/queue-6.0/clk-mediatek-fix-unregister-function-in-mtk_clk_regi.patch b/queue-6.0/clk-mediatek-fix-unregister-function-in-mtk_clk_regi.patch new file mode 100644 index 00000000000..2348d41e220 --- /dev/null +++ b/queue-6.0/clk-mediatek-fix-unregister-function-in-mtk_clk_regi.patch @@ -0,0 +1,42 @@ +From b56c6018ce6eb8c4ba60f12f29ddf1c65714bbec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 18:25:18 +0800 +Subject: clk: mediatek: fix unregister function in mtk_clk_register_dividers + cleanup + +From: Chen-Yu Tsai + +[ Upstream commit 20f7a0dba9075fb0e3d645495bc24d7025b58de1 ] + +When the cleanup paths for the various clk register APIs in the MediaTek +clk library were added, the one in the dividers type used the wrong type +of unregister function. This would result in incorrect dereferencing of +the clk pointer and freeing of invalid pointers. + +Fix this by switching to the correct type of clk unregistration call. + +Fixes: 3c3ba2ab0226 ("clk: mediatek: mtk: Implement error handling in register APIs") +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20220926102523.2367530-2-wenst@chromium.org +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mtk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/mediatek/clk-mtk.c b/drivers/clk/mediatek/clk-mtk.c +index 05a188c62119..9b82956260d3 100644 +--- a/drivers/clk/mediatek/clk-mtk.c ++++ b/drivers/clk/mediatek/clk-mtk.c +@@ -393,7 +393,7 @@ int mtk_clk_register_dividers(const struct mtk_clk_divider *mcds, int num, + if (IS_ERR_OR_NULL(clk_data->hws[mcd->id])) + continue; + +- mtk_clk_unregister_composite(clk_data->hws[mcd->id]); ++ clk_hw_unregister_divider(clk_data->hws[mcd->id]); + clk_data->hws[mcd->id] = ERR_PTR(-ENOENT); + } + +-- +2.35.1 + diff --git a/queue-6.0/clk-mediatek-migrate-remaining-clk_unregister_-to-cl.patch b/queue-6.0/clk-mediatek-migrate-remaining-clk_unregister_-to-cl.patch new file mode 100644 index 00000000000..f239153cc69 --- /dev/null +++ b/queue-6.0/clk-mediatek-migrate-remaining-clk_unregister_-to-cl.patch @@ -0,0 +1,78 @@ +From a2f704ac99c7b49be6019841beb04cce7b5d0647 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 18:25:19 +0800 +Subject: clk: mediatek: Migrate remaining clk_unregister_*() to + clk_hw_unregister_*() + +From: Chen-Yu Tsai + +[ Upstream commit fef14676fc4be40b8441745a3c96b7e7d7d8592d ] + +During the previous |struct clk| to |struct clk_hw| clk provider API +migration in commit 6f691a586296 ("clk: mediatek: Switch to clk_hw +provider APIs"), a few clk_unregister_*() calls were missed. + +Migrate the remaining ones to the |struct clk_hw| provider API, i.e. +change clk_unregister_*() to clk_hw_unregister_*(). + +Fixes: 6f691a586296 ("clk: mediatek: Switch to clk_hw provider APIs") +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20220926102523.2367530-3-wenst@chromium.org +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mtk.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/clk/mediatek/clk-mtk.c b/drivers/clk/mediatek/clk-mtk.c +index 9b82956260d3..e1b445f2c5c5 100644 +--- a/drivers/clk/mediatek/clk-mtk.c ++++ b/drivers/clk/mediatek/clk-mtk.c +@@ -80,7 +80,7 @@ int mtk_clk_register_fixed_clks(const struct mtk_fixed_clk *clks, int num, + if (IS_ERR_OR_NULL(clk_data->hws[rc->id])) + continue; + +- clk_unregister_fixed_rate(clk_data->hws[rc->id]->clk); ++ clk_hw_unregister_fixed_rate(clk_data->hws[rc->id]); + clk_data->hws[rc->id] = ERR_PTR(-ENOENT); + } + +@@ -102,7 +102,7 @@ void mtk_clk_unregister_fixed_clks(const struct mtk_fixed_clk *clks, int num, + if (IS_ERR_OR_NULL(clk_data->hws[rc->id])) + continue; + +- clk_unregister_fixed_rate(clk_data->hws[rc->id]->clk); ++ clk_hw_unregister_fixed_rate(clk_data->hws[rc->id]); + clk_data->hws[rc->id] = ERR_PTR(-ENOENT); + } + } +@@ -146,7 +146,7 @@ int mtk_clk_register_factors(const struct mtk_fixed_factor *clks, int num, + if (IS_ERR_OR_NULL(clk_data->hws[ff->id])) + continue; + +- clk_unregister_fixed_factor(clk_data->hws[ff->id]->clk); ++ clk_hw_unregister_fixed_factor(clk_data->hws[ff->id]); + clk_data->hws[ff->id] = ERR_PTR(-ENOENT); + } + +@@ -168,7 +168,7 @@ void mtk_clk_unregister_factors(const struct mtk_fixed_factor *clks, int num, + if (IS_ERR_OR_NULL(clk_data->hws[ff->id])) + continue; + +- clk_unregister_fixed_factor(clk_data->hws[ff->id]->clk); ++ clk_hw_unregister_fixed_factor(clk_data->hws[ff->id]); + clk_data->hws[ff->id] = ERR_PTR(-ENOENT); + } + } +@@ -414,7 +414,7 @@ void mtk_clk_unregister_dividers(const struct mtk_clk_divider *mcds, int num, + if (IS_ERR_OR_NULL(clk_data->hws[mcd->id])) + continue; + +- clk_unregister_divider(clk_data->hws[mcd->id]->clk); ++ clk_hw_unregister_divider(clk_data->hws[mcd->id]); + clk_data->hws[mcd->id] = ERR_PTR(-ENOENT); + } + } +-- +2.35.1 + diff --git a/queue-6.0/clk-mediatek-mt8183-mfgcfg-propagate-rate-changes-to.patch b/queue-6.0/clk-mediatek-mt8183-mfgcfg-propagate-rate-changes-to.patch new file mode 100644 index 00000000000..300ceaf36b9 --- /dev/null +++ b/queue-6.0/clk-mediatek-mt8183-mfgcfg-propagate-rate-changes-to.patch @@ -0,0 +1,44 @@ +From 3e1009c2c83e0936b94941c25ca9b93af577b743 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 12:11:20 +0200 +Subject: clk: mediatek: mt8183: mfgcfg: Propagate rate changes to parent + +From: Chen-Yu Tsai + +[ Upstream commit 9f94f545f258b15bfa6357eb62e1e307b712851e ] + +The only clock in the MT8183 MFGCFG block feeds the GPU. Propagate its +rate change requests to its parent, so that DVFS for the GPU can work +properly. + +Fixes: acddfc2c261b ("clk: mediatek: Add MT8183 clock support") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20220927101128.44758-3-angelogioacchino.delregno@collabora.com +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt8183-mfgcfg.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/mediatek/clk-mt8183-mfgcfg.c b/drivers/clk/mediatek/clk-mt8183-mfgcfg.c +index d774edaf760b..230299728859 100644 +--- a/drivers/clk/mediatek/clk-mt8183-mfgcfg.c ++++ b/drivers/clk/mediatek/clk-mt8183-mfgcfg.c +@@ -18,9 +18,9 @@ static const struct mtk_gate_regs mfg_cg_regs = { + .sta_ofs = 0x0, + }; + +-#define GATE_MFG(_id, _name, _parent, _shift) \ +- GATE_MTK(_id, _name, _parent, &mfg_cg_regs, _shift, \ +- &mtk_clk_gate_ops_setclr) ++#define GATE_MFG(_id, _name, _parent, _shift) \ ++ GATE_MTK_FLAGS(_id, _name, _parent, &mfg_cg_regs, _shift, \ ++ &mtk_clk_gate_ops_setclr, CLK_SET_RATE_PARENT) + + static const struct mtk_gate mfg_clks[] = { + GATE_MFG(CLK_MFG_BG3D, "mfg_bg3d", "mfg_sel", 0) +-- +2.35.1 + diff --git a/queue-6.0/clk-mediatek-mt8195-infra_ao-set-pwrmcu-clocks-as-cr.patch b/queue-6.0/clk-mediatek-mt8195-infra_ao-set-pwrmcu-clocks-as-cr.patch new file mode 100644 index 00000000000..a6bc07e3e4e --- /dev/null +++ b/queue-6.0/clk-mediatek-mt8195-infra_ao-set-pwrmcu-clocks-as-cr.patch @@ -0,0 +1,65 @@ +From 8dd76d2d5be589d32c64deaa82824b5d9254c957 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 11:33:16 +0200 +Subject: clk: mediatek: mt8195-infra_ao: Set pwrmcu clocks as critical + +From: AngeloGioacchino Del Regno + +[ Upstream commit 3f10f49cd9f8ab6471639d4ca2c6db9451121779 ] + +The pwrmcu is responsible for power management and idle states in SSPM: +on older SoCs this was managed in Linux drivers like sspm/mcupm/eemgpu +but, at least on MT8195, this functionality was transferred to the ATF +firmware. +For this reason, turning off the pwrmcu related clocks from the kernel +will lead to unability to resume the platform after suspend and other +currently unknown PM related side-effects. + +Set the PWRMCU and PWRMCU_BUS_H clocks as critical to prevent the +kernel from turning them off, fixing the aforementioned issue. + +Fixes: e2edf59dec0b ("clk: mediatek: Add MT8195 infrastructure clock support") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20220719093316.37253-1-angelogioacchino.delregno@collabora.com +Reviewed-by: Matthias Brugger +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt8195-infra_ao.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/mediatek/clk-mt8195-infra_ao.c b/drivers/clk/mediatek/clk-mt8195-infra_ao.c +index 97657f255618..832160c92996 100644 +--- a/drivers/clk/mediatek/clk-mt8195-infra_ao.c ++++ b/drivers/clk/mediatek/clk-mt8195-infra_ao.c +@@ -55,8 +55,12 @@ static const struct mtk_gate_regs infra_ao4_cg_regs = { + #define GATE_INFRA_AO1(_id, _name, _parent, _shift) \ + GATE_INFRA_AO1_FLAGS(_id, _name, _parent, _shift, 0) + ++#define GATE_INFRA_AO2_FLAGS(_id, _name, _parent, _shift, _flag) \ ++ GATE_MTK_FLAGS(_id, _name, _parent, &infra_ao2_cg_regs, _shift, \ ++ &mtk_clk_gate_ops_setclr, _flag) ++ + #define GATE_INFRA_AO2(_id, _name, _parent, _shift) \ +- GATE_MTK(_id, _name, _parent, &infra_ao2_cg_regs, _shift, &mtk_clk_gate_ops_setclr) ++ GATE_INFRA_AO2_FLAGS(_id, _name, _parent, _shift, 0) + + #define GATE_INFRA_AO3_FLAGS(_id, _name, _parent, _shift, _flag) \ + GATE_MTK_FLAGS(_id, _name, _parent, &infra_ao3_cg_regs, _shift, \ +@@ -136,8 +140,11 @@ static const struct mtk_gate infra_ao_clks[] = { + GATE_INFRA_AO2(CLK_INFRA_AO_UNIPRO_SYS, "infra_ao_unipro_sys", "top_ufs", 11), + GATE_INFRA_AO2(CLK_INFRA_AO_UNIPRO_TICK, "infra_ao_unipro_tick", "top_ufs_tick1us", 12), + GATE_INFRA_AO2(CLK_INFRA_AO_UFS_MP_SAP_B, "infra_ao_ufs_mp_sap_b", "top_ufs_mp_sap_cfg", 13), +- GATE_INFRA_AO2(CLK_INFRA_AO_PWRMCU, "infra_ao_pwrmcu", "top_pwrmcu", 15), +- GATE_INFRA_AO2(CLK_INFRA_AO_PWRMCU_BUS_H, "infra_ao_pwrmcu_bus_h", "top_axi", 17), ++ /* pwrmcu is used by ATF for platform PM: clocks must never be disabled by the kernel */ ++ GATE_INFRA_AO2_FLAGS(CLK_INFRA_AO_PWRMCU, "infra_ao_pwrmcu", "top_pwrmcu", 15, ++ CLK_IS_CRITICAL), ++ GATE_INFRA_AO2_FLAGS(CLK_INFRA_AO_PWRMCU_BUS_H, "infra_ao_pwrmcu_bus_h", "top_axi", 17, ++ CLK_IS_CRITICAL), + GATE_INFRA_AO2(CLK_INFRA_AO_APDMA_B, "infra_ao_apdma_b", "top_axi", 18), + GATE_INFRA_AO2(CLK_INFRA_AO_SPI4, "infra_ao_spi4", "top_spi", 25), + GATE_INFRA_AO2(CLK_INFRA_AO_SPI5, "infra_ao_spi5", "top_spi", 26), +-- +2.35.1 + diff --git a/queue-6.0/clk-meson-hold-reference-returned-by-of_get_parent.patch b/queue-6.0/clk-meson-hold-reference-returned-by-of_get_parent.patch new file mode 100644 index 00000000000..ef6e6150ee1 --- /dev/null +++ b/queue-6.0/clk-meson-hold-reference-returned-by-of_get_parent.patch @@ -0,0 +1,98 @@ +From 4fb14431924b25e21e69851c2520a03bc690fa07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jun 2022 22:10:38 +0800 +Subject: clk: meson: Hold reference returned by of_get_parent() + +From: Liang He + +[ Upstream commit 89ab396d712f7c91fe94f55cff23460426f5fc81 ] + +We should hold the reference returned by of_get_parent() and use it +to call of_node_put() for refcount balance. + +Fixes: 88e2da81241e ("clk: meson: aoclk: refactor common code into dedicated file") +Fixes: 6682bd4d443f ("clk: meson: factorise meson64 peripheral clock controller drivers") +Fixes: bb6eddd1d28c ("clk: meson: meson8b: use the HHI syscon if available") + +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220628141038.168383-1-windhl@126.com +Reviewed-by: Neil Armstrong +Reviewed-by: Martin Blumenstingl +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/meson/meson-aoclk.c | 5 ++++- + drivers/clk/meson/meson-eeclk.c | 5 ++++- + drivers/clk/meson/meson8b.c | 5 ++++- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/meson/meson-aoclk.c b/drivers/clk/meson/meson-aoclk.c +index 27cd2c1f3f61..434cd8f9de82 100644 +--- a/drivers/clk/meson/meson-aoclk.c ++++ b/drivers/clk/meson/meson-aoclk.c +@@ -38,6 +38,7 @@ int meson_aoclkc_probe(struct platform_device *pdev) + struct meson_aoclk_reset_controller *rstc; + struct meson_aoclk_data *data; + struct device *dev = &pdev->dev; ++ struct device_node *np; + struct regmap *regmap; + int ret, clkid; + +@@ -49,7 +50,9 @@ int meson_aoclkc_probe(struct platform_device *pdev) + if (!rstc) + return -ENOMEM; + +- regmap = syscon_node_to_regmap(of_get_parent(dev->of_node)); ++ np = of_get_parent(dev->of_node); ++ regmap = syscon_node_to_regmap(np); ++ of_node_put(np); + if (IS_ERR(regmap)) { + dev_err(dev, "failed to get regmap\n"); + return PTR_ERR(regmap); +diff --git a/drivers/clk/meson/meson-eeclk.c b/drivers/clk/meson/meson-eeclk.c +index 8d5a5dab955a..0e5e6b57eb20 100644 +--- a/drivers/clk/meson/meson-eeclk.c ++++ b/drivers/clk/meson/meson-eeclk.c +@@ -18,6 +18,7 @@ int meson_eeclkc_probe(struct platform_device *pdev) + { + const struct meson_eeclkc_data *data; + struct device *dev = &pdev->dev; ++ struct device_node *np; + struct regmap *map; + int ret, i; + +@@ -26,7 +27,9 @@ int meson_eeclkc_probe(struct platform_device *pdev) + return -EINVAL; + + /* Get the hhi system controller node */ +- map = syscon_node_to_regmap(of_get_parent(dev->of_node)); ++ np = of_get_parent(dev->of_node); ++ map = syscon_node_to_regmap(np); ++ of_node_put(np); + if (IS_ERR(map)) { + dev_err(dev, + "failed to get HHI regmap\n"); +diff --git a/drivers/clk/meson/meson8b.c b/drivers/clk/meson/meson8b.c +index 8f3b7a94a667..827e78fb16a8 100644 +--- a/drivers/clk/meson/meson8b.c ++++ b/drivers/clk/meson/meson8b.c +@@ -3792,12 +3792,15 @@ static void __init meson8b_clkc_init_common(struct device_node *np, + struct clk_hw_onecell_data *clk_hw_onecell_data) + { + struct meson8b_clk_reset *rstc; ++ struct device_node *parent_np; + const char *notifier_clk_name; + struct clk *notifier_clk; + struct regmap *map; + int i, ret; + +- map = syscon_node_to_regmap(of_get_parent(np)); ++ parent_np = of_get_parent(np); ++ map = syscon_node_to_regmap(parent_np); ++ of_node_put(parent_np); + if (IS_ERR(map)) { + pr_err("failed to get HHI regmap - Trying obsolete regs\n"); + return; +-- +2.35.1 + diff --git a/queue-6.0/clk-move-from-strlcpy-with-unused-retval-to-strscpy.patch b/queue-6.0/clk-move-from-strlcpy-with-unused-retval-to-strscpy.patch new file mode 100644 index 00000000000..894aaeb38ed --- /dev/null +++ b/queue-6.0/clk-move-from-strlcpy-with-unused-retval-to-strscpy.patch @@ -0,0 +1,67 @@ +From 6cc1efb08cfc43014d598fd8dfcd7952dd0b2fce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 23:00:00 +0200 +Subject: clk: move from strlcpy with unused retval to strscpy + +From: Wolfram Sang + +[ Upstream commit c19edff61210eb846bf8ec44c9f87d1ca9efdfd2 ] + +Follow the advice of the below link and prefer 'strscpy' in this +subsystem. Conversion is 1:1 because the return value is not used. +Generated by a coccinelle script. + +Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/ +Signed-off-by: Wolfram Sang +Link: https://lore.kernel.org/r/20220818210000.6600-1-wsa+renesas@sang-engineering.com +Signed-off-by: Stephen Boyd +Stable-dep-of: 9c59a01caba2 ("clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe") +Signed-off-by: Sasha Levin +--- + drivers/clk/clkdev.c | 2 +- + drivers/clk/mvebu/dove-divider.c | 2 +- + drivers/clk/tegra/clk-bpmp.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/clkdev.c b/drivers/clk/clkdev.c +index 67f601a41023..a4d4bd3f5be5 100644 +--- a/drivers/clk/clkdev.c ++++ b/drivers/clk/clkdev.c +@@ -165,7 +165,7 @@ vclkdev_alloc(struct clk_hw *hw, const char *con_id, const char *dev_fmt, + + cla->cl.clk_hw = hw; + if (con_id) { +- strlcpy(cla->con_id, con_id, sizeof(cla->con_id)); ++ strscpy(cla->con_id, con_id, sizeof(cla->con_id)); + cla->cl.con_id = cla->con_id; + } + +diff --git a/drivers/clk/mvebu/dove-divider.c b/drivers/clk/mvebu/dove-divider.c +index 7e35c891e168..0a90452ee808 100644 +--- a/drivers/clk/mvebu/dove-divider.c ++++ b/drivers/clk/mvebu/dove-divider.c +@@ -170,7 +170,7 @@ static struct clk *clk_register_dove_divider(struct device *dev, + .num_parents = num_parents, + }; + +- strlcpy(name, dc->name, sizeof(name)); ++ strscpy(name, dc->name, sizeof(name)); + + dc->hw.init = &init; + dc->base = base; +diff --git a/drivers/clk/tegra/clk-bpmp.c b/drivers/clk/tegra/clk-bpmp.c +index 3748a39dae7c..d82a71f10c2c 100644 +--- a/drivers/clk/tegra/clk-bpmp.c ++++ b/drivers/clk/tegra/clk-bpmp.c +@@ -349,7 +349,7 @@ static int tegra_bpmp_clk_get_info(struct tegra_bpmp *bpmp, unsigned int id, + if (err < 0) + return err; + +- strlcpy(info->name, response.name, MRQ_CLK_NAME_MAXLEN); ++ strscpy(info->name, response.name, MRQ_CLK_NAME_MAXLEN); + info->num_parents = response.num_parents; + + for (i = 0; i < info->num_parents; i++) +-- +2.35.1 + diff --git a/queue-6.0/clk-nomadik-add-missing-of_node_put.patch b/queue-6.0/clk-nomadik-add-missing-of_node_put.patch new file mode 100644 index 00000000000..d0fa201bf88 --- /dev/null +++ b/queue-6.0/clk-nomadik-add-missing-of_node_put.patch @@ -0,0 +1,49 @@ +From 2a7d1a4282444c9b3d89dee5de053d92e5f3fc40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jun 2022 09:43:08 +0800 +Subject: clk: nomadik: Add missing of_node_put() + +From: Liang He + +[ Upstream commit 28a0b0984e76df8fd64b6850fa56cf5201e6e638 ] + +In nomadik_src_init(), of_find_matching_node() will return a node +pointer with refcount incremented. We should use of_node_put() in +fail path or when it is not used anymore. + +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220617014308.4001511-1-windhl@126.com +Reviewed-by: Linus Walleij +Signed-off-by: Stephen Boyd +Stable-dep-of: 89ab396d712f ("clk: meson: Hold reference returned by of_get_parent()") +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-nomadik.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-nomadik.c b/drivers/clk/clk-nomadik.c +index bad2677e11ae..71fbe687fa7b 100644 +--- a/drivers/clk/clk-nomadik.c ++++ b/drivers/clk/clk-nomadik.c +@@ -99,7 +99,7 @@ static void __init nomadik_src_init(void) + if (!src_base) { + pr_err("%s: must have src parent node with REGS (%pOFn)\n", + __func__, np); +- return; ++ goto out_put; + } + + /* Set all timers to use the 2.4 MHz TIMCLK */ +@@ -132,6 +132,9 @@ static void __init nomadik_src_init(void) + } + writel(val, src_base + SRC_XTALCR); + register_reboot_notifier(&nomadik_clk_reboot_notifier); ++ ++out_put: ++ of_node_put(np); + } + + /** +-- +2.35.1 + diff --git a/queue-6.0/clk-oxnas-hold-reference-returned-by-of_get_parent.patch b/queue-6.0/clk-oxnas-hold-reference-returned-by-of_get_parent.patch new file mode 100644 index 00000000000..127e40c2c6e --- /dev/null +++ b/queue-6.0/clk-oxnas-hold-reference-returned-by-of_get_parent.patch @@ -0,0 +1,49 @@ +From 5319ac1a79fdb0aa534b7427947853f201544247 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jun 2022 22:31:55 +0800 +Subject: clk: oxnas: Hold reference returned by of_get_parent() + +From: Liang He + +[ Upstream commit 1d6aa08c54cd0e005210ab8e3b1e92ede70f8a4f ] + +In oxnas_stdclk_probe(), we need to hold the reference returned by +of_get_parent() and use it to call of_node_put() for refcount +balance. + +Fixes: 0bbd72b4c64f ("clk: Add Oxford Semiconductor OXNAS Standard Clocks") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220628143155.170550-1-windhl@126.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-oxnas.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/clk-oxnas.c b/drivers/clk/clk-oxnas.c +index cda5e258355b..584e293156ad 100644 +--- a/drivers/clk/clk-oxnas.c ++++ b/drivers/clk/clk-oxnas.c +@@ -207,7 +207,7 @@ static const struct of_device_id oxnas_stdclk_dt_ids[] = { + + static int oxnas_stdclk_probe(struct platform_device *pdev) + { +- struct device_node *np = pdev->dev.of_node; ++ struct device_node *np = pdev->dev.of_node, *parent_np; + const struct oxnas_stdclk_data *data; + struct regmap *regmap; + int ret; +@@ -215,7 +215,9 @@ static int oxnas_stdclk_probe(struct platform_device *pdev) + + data = of_device_get_match_data(&pdev->dev); + +- regmap = syscon_node_to_regmap(of_get_parent(np)); ++ parent_np = of_get_parent(np); ++ regmap = syscon_node_to_regmap(parent_np); ++ of_node_put(parent_np); + if (IS_ERR(regmap)) { + dev_err(&pdev->dev, "failed to have parent regmap\n"); + return PTR_ERR(regmap); +-- +2.35.1 + diff --git a/queue-6.0/clk-qcom-apss-ipq6018-mark-apcs_alias0_core_clk-as-c.patch b/queue-6.0/clk-qcom-apss-ipq6018-mark-apcs_alias0_core_clk-as-c.patch new file mode 100644 index 00000000000..66b009e821e --- /dev/null +++ b/queue-6.0/clk-qcom-apss-ipq6018-mark-apcs_alias0_core_clk-as-c.patch @@ -0,0 +1,42 @@ +From 597c8d95bbdea21b3b4a70470e65aa1c34d6d412 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 00:06:22 +0200 +Subject: clk: qcom: apss-ipq6018: mark apcs_alias0_core_clk as critical + +From: Robert Marko + +[ Upstream commit 86e78995c93ee182433f965babfccd48417d4dcf ] + +While fixing up the driver I noticed that my IPQ8074 board was hanging +after CPUFreq switched the frequency during boot, WDT would eventually +reset it. + +So mark apcs_alias0_core_clk as critical since its the clock feeding the +CPU cluster and must never be disabled. + +Fixes: 5e77b4ef1b19 ("clk: qcom: Add ipq6018 apss clock controller") +Signed-off-by: Robert Marko +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220818220628.339366-3-robimarko@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/apss-ipq6018.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/apss-ipq6018.c b/drivers/clk/qcom/apss-ipq6018.c +index d78ff2f310bf..b5d93657e1ee 100644 +--- a/drivers/clk/qcom/apss-ipq6018.c ++++ b/drivers/clk/qcom/apss-ipq6018.c +@@ -57,7 +57,7 @@ static struct clk_branch apcs_alias0_core_clk = { + .parent_hws = (const struct clk_hw *[]){ + &apcs_alias0_clk_src.clkr.hw }, + .num_parents = 1, +- .flags = CLK_SET_RATE_PARENT, ++ .flags = CLK_SET_RATE_PARENT | CLK_IS_CRITICAL, + .ops = &clk_branch2_ops, + }, + }, +-- +2.35.1 + diff --git a/queue-6.0/clk-qcom-gcc-sdm660-use-floor-ops-for-sdcc1-clock.patch b/queue-6.0/clk-qcom-gcc-sdm660-use-floor-ops-for-sdcc1-clock.patch new file mode 100644 index 00000000000..d5d2ce8f2c7 --- /dev/null +++ b/queue-6.0/clk-qcom-gcc-sdm660-use-floor-ops-for-sdcc1-clock.patch @@ -0,0 +1,46 @@ +From 18f7fc8354f8397f79487fc8fbfcd7f27122ea48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jul 2022 22:38:22 +0200 +Subject: clk: qcom: gcc-sdm660: Use floor ops for SDCC1 clock + +From: Marijn Suijten + +[ Upstream commit 6956c18f4ad9200aa945f7ea37d65a05afc49d51 ] + +In commit 3f905469c8ce ("clk: qcom: gcc: Use floor ops for SDCC clocks") +floor ops were applied to SDCC2 only, but flooring is also required on +the SDCC1 apps clock which is used by the eMMC card on Sony's Nile +platform, and otherwise result in the typicial "Card appears +overclocked" warnings observed on many other platforms before: + + mmc0: Card appears overclocked; req 52000000 Hz, actual 100000000 Hz + mmc0: Card appears overclocked; req 52000000 Hz, actual 100000000 Hz + mmc0: Card appears overclocked; req 104000000 Hz, actual 192000000 Hz + +Fixes: f2a76a2955c0 ("clk: qcom: Add Global Clock controller (GCC) driver for SDM660") +Signed-off-by: Marijn Suijten +Tested-by: Alexey Minnekhanov +Reviewed-by: Stephen Boyd +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220714203822.186448-1-marijn.suijten@somainline.org +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sdm660.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/qcom/gcc-sdm660.c b/drivers/clk/qcom/gcc-sdm660.c +index 9b97425008ce..db918c92a522 100644 +--- a/drivers/clk/qcom/gcc-sdm660.c ++++ b/drivers/clk/qcom/gcc-sdm660.c +@@ -757,7 +757,7 @@ static struct clk_rcg2 sdcc1_apps_clk_src = { + .name = "sdcc1_apps_clk_src", + .parent_data = gcc_parent_data_xo_gpll0_gpll4_gpll0_early_div, + .num_parents = ARRAY_SIZE(gcc_parent_data_xo_gpll0_gpll4_gpll0_early_div), +- .ops = &clk_rcg2_ops, ++ .ops = &clk_rcg2_floor_ops, + }, + }; + +-- +2.35.1 + diff --git a/queue-6.0/clk-qcom-gcc-sm6115-override-default-alpha-pll-regs.patch b/queue-6.0/clk-qcom-gcc-sm6115-override-default-alpha-pll-regs.patch new file mode 100644 index 00000000000..3328752ec68 --- /dev/null +++ b/queue-6.0/clk-qcom-gcc-sm6115-override-default-alpha-pll-regs.patch @@ -0,0 +1,193 @@ +From cfab03d9c6c85bd19a8119ca89b9f599967fd1a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 10:56:18 +0300 +Subject: clk: qcom: gcc-sm6115: Override default Alpha PLL regs + +From: Adam Skladowski + +[ Upstream commit 068a0605ef5a6b430e7278c169bfcd25b680b28f ] + +The DEFAULT and BRAMMO PLL offsets are non-standard in downstream, but +currently only BRAMMO ones are overridden. Override DEFAULT ones too. + +A very similar thing is happening in gcc-qcm2290 driver. + +Fixes: cbe63bfdc54f ("clk: qcom: Add Global Clock controller (GCC) driver for SM6115") +Signed-off-by: Adam Skladowski +Signed-off-by: Iskren Chernev +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220830075620.974009-2-iskren.chernev@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-sm6115.c | 46 +++++++++++++++++++++++------------ + 1 file changed, 30 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-sm6115.c b/drivers/clk/qcom/gcc-sm6115.c +index 68fe9f6f0d2f..e24a977c2580 100644 +--- a/drivers/clk/qcom/gcc-sm6115.c ++++ b/drivers/clk/qcom/gcc-sm6115.c +@@ -53,11 +53,25 @@ static struct pll_vco gpll10_vco[] = { + { 750000000, 1500000000, 1 }, + }; + ++static const u8 clk_alpha_pll_regs_offset[][PLL_OFF_MAX_REGS] = { ++ [CLK_ALPHA_PLL_TYPE_DEFAULT] = { ++ [PLL_OFF_L_VAL] = 0x04, ++ [PLL_OFF_ALPHA_VAL] = 0x08, ++ [PLL_OFF_ALPHA_VAL_U] = 0x0c, ++ [PLL_OFF_TEST_CTL] = 0x10, ++ [PLL_OFF_TEST_CTL_U] = 0x14, ++ [PLL_OFF_USER_CTL] = 0x18, ++ [PLL_OFF_USER_CTL_U] = 0x1c, ++ [PLL_OFF_CONFIG_CTL] = 0x20, ++ [PLL_OFF_STATUS] = 0x24, ++ }, ++}; ++ + static struct clk_alpha_pll gpll0 = { + .offset = 0x0, + .vco_table = default_vco, + .num_vco = ARRAY_SIZE(default_vco), +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr = { + .enable_reg = 0x79000, + .enable_mask = BIT(0), +@@ -83,7 +97,7 @@ static struct clk_alpha_pll_postdiv gpll0_out_aux2 = { + .post_div_table = post_div_table_gpll0_out_aux2, + .num_post_div = ARRAY_SIZE(post_div_table_gpll0_out_aux2), + .width = 4, +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr.hw.init = &(struct clk_init_data){ + .name = "gpll0_out_aux2", + .parent_hws = (const struct clk_hw *[]){ &gpll0.clkr.hw }, +@@ -115,7 +129,7 @@ static struct clk_alpha_pll_postdiv gpll0_out_main = { + .post_div_table = post_div_table_gpll0_out_main, + .num_post_div = ARRAY_SIZE(post_div_table_gpll0_out_main), + .width = 4, +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr.hw.init = &(struct clk_init_data){ + .name = "gpll0_out_main", + .parent_hws = (const struct clk_hw *[]){ &gpll0.clkr.hw }, +@@ -137,7 +151,7 @@ static struct clk_alpha_pll gpll10 = { + .offset = 0xa000, + .vco_table = gpll10_vco, + .num_vco = ARRAY_SIZE(gpll10_vco), +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr = { + .enable_reg = 0x79000, + .enable_mask = BIT(10), +@@ -163,7 +177,7 @@ static struct clk_alpha_pll_postdiv gpll10_out_main = { + .post_div_table = post_div_table_gpll10_out_main, + .num_post_div = ARRAY_SIZE(post_div_table_gpll10_out_main), + .width = 4, +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr.hw.init = &(struct clk_init_data){ + .name = "gpll10_out_main", + .parent_hws = (const struct clk_hw *[]){ &gpll10.clkr.hw }, +@@ -189,7 +203,7 @@ static struct clk_alpha_pll gpll11 = { + .vco_table = default_vco, + .num_vco = ARRAY_SIZE(default_vco), + .flags = SUPPORTS_DYNAMIC_UPDATE, +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr = { + .enable_reg = 0x79000, + .enable_mask = BIT(11), +@@ -215,7 +229,7 @@ static struct clk_alpha_pll_postdiv gpll11_out_main = { + .post_div_table = post_div_table_gpll11_out_main, + .num_post_div = ARRAY_SIZE(post_div_table_gpll11_out_main), + .width = 4, +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr.hw.init = &(struct clk_init_data){ + .name = "gpll11_out_main", + .parent_hws = (const struct clk_hw *[]){ &gpll11.clkr.hw }, +@@ -229,7 +243,7 @@ static struct clk_alpha_pll gpll3 = { + .offset = 0x3000, + .vco_table = default_vco, + .num_vco = ARRAY_SIZE(default_vco), +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr = { + .enable_reg = 0x79000, + .enable_mask = BIT(3), +@@ -248,7 +262,7 @@ static struct clk_alpha_pll gpll4 = { + .offset = 0x4000, + .vco_table = default_vco, + .num_vco = ARRAY_SIZE(default_vco), +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr = { + .enable_reg = 0x79000, + .enable_mask = BIT(4), +@@ -274,7 +288,7 @@ static struct clk_alpha_pll_postdiv gpll4_out_main = { + .post_div_table = post_div_table_gpll4_out_main, + .num_post_div = ARRAY_SIZE(post_div_table_gpll4_out_main), + .width = 4, +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr.hw.init = &(struct clk_init_data){ + .name = "gpll4_out_main", + .parent_hws = (const struct clk_hw *[]){ &gpll4.clkr.hw }, +@@ -287,7 +301,7 @@ static struct clk_alpha_pll gpll6 = { + .offset = 0x6000, + .vco_table = default_vco, + .num_vco = ARRAY_SIZE(default_vco), +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr = { + .enable_reg = 0x79000, + .enable_mask = BIT(6), +@@ -313,7 +327,7 @@ static struct clk_alpha_pll_postdiv gpll6_out_main = { + .post_div_table = post_div_table_gpll6_out_main, + .num_post_div = ARRAY_SIZE(post_div_table_gpll6_out_main), + .width = 4, +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr.hw.init = &(struct clk_init_data){ + .name = "gpll6_out_main", + .parent_hws = (const struct clk_hw *[]){ &gpll6.clkr.hw }, +@@ -326,7 +340,7 @@ static struct clk_alpha_pll gpll7 = { + .offset = 0x7000, + .vco_table = default_vco, + .num_vco = ARRAY_SIZE(default_vco), +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr = { + .enable_reg = 0x79000, + .enable_mask = BIT(7), +@@ -352,7 +366,7 @@ static struct clk_alpha_pll_postdiv gpll7_out_main = { + .post_div_table = post_div_table_gpll7_out_main, + .num_post_div = ARRAY_SIZE(post_div_table_gpll7_out_main), + .width = 4, +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr.hw.init = &(struct clk_init_data){ + .name = "gpll7_out_main", + .parent_hws = (const struct clk_hw *[]){ &gpll7.clkr.hw }, +@@ -380,7 +394,7 @@ static struct clk_alpha_pll gpll8 = { + .offset = 0x8000, + .vco_table = default_vco, + .num_vco = ARRAY_SIZE(default_vco), +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .flags = SUPPORTS_DYNAMIC_UPDATE, + .clkr = { + .enable_reg = 0x79000, +@@ -407,7 +421,7 @@ static struct clk_alpha_pll_postdiv gpll8_out_main = { + .post_div_table = post_div_table_gpll8_out_main, + .num_post_div = ARRAY_SIZE(post_div_table_gpll8_out_main), + .width = 4, +- .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_DEFAULT], ++ .regs = clk_alpha_pll_regs_offset[CLK_ALPHA_PLL_TYPE_DEFAULT], + .clkr.hw.init = &(struct clk_init_data){ + .name = "gpll8_out_main", + .parent_hws = (const struct clk_hw *[]){ &gpll8.clkr.hw }, +-- +2.35.1 + diff --git a/queue-6.0/clk-qcom-sm6115-select-qcom_gdsc.patch b/queue-6.0/clk-qcom-sm6115-select-qcom_gdsc.patch new file mode 100644 index 00000000000..a2837eb3669 --- /dev/null +++ b/queue-6.0/clk-qcom-sm6115-select-qcom_gdsc.patch @@ -0,0 +1,42 @@ +From f74969d69d2d8401a3775d5682fa85fcc0b0e552 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Sep 2022 00:02:07 +0700 +Subject: clk: qcom: sm6115: Select QCOM_GDSC + +From: Dang Huynh + +[ Upstream commit 50ee65dc512b9b5c4de354cf3b4dded34f46c571 ] + +While working on the Fxtec Pro1X device, this error shows up with +my own minimal configuration: + +gcc-sm6115: probe of 1400000.clock-controller failed with error -38 + +The clock driver depends on CONFIG_QCOM_GDSC and after enabling +that, the driver probes successfully. + +Signed-off-by: Dang Huynh +Fixes: cbe63bfdc54f ("clk: qcom: Add Global Clock controller (GCC) +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220910170207.1592220-1-danct12@riseup.net +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/qcom/Kconfig b/drivers/clk/qcom/Kconfig +index 1cf1ef70e347..d566fbdebdf9 100644 +--- a/drivers/clk/qcom/Kconfig ++++ b/drivers/clk/qcom/Kconfig +@@ -645,6 +645,7 @@ config SM_DISPCC_6350 + + config SM_GCC_6115 + tristate "SM6115 and SM4250 Global Clock Controller" ++ select QCOM_GDSC + help + Support for the global clock controller on SM6115 and SM4250 devices. + Say Y if you want to use peripheral devices such as UART, SPI, +-- +2.35.1 + diff --git a/queue-6.0/clk-qoriq-hold-reference-returned-by-of_get_parent.patch b/queue-6.0/clk-qoriq-hold-reference-returned-by-of_get_parent.patch new file mode 100644 index 00000000000..06384cf237e --- /dev/null +++ b/queue-6.0/clk-qoriq-hold-reference-returned-by-of_get_parent.patch @@ -0,0 +1,56 @@ +From 45510612ed9066d4160c19308c37436b72ab2461 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jun 2022 22:38:51 +0800 +Subject: clk: qoriq: Hold reference returned by of_get_parent() + +From: Liang He + +[ Upstream commit a8ea4273bc26256ce3cce83164f0f51c5bf6e127 ] + +In legacy_init_clockgen(), we need to hold the reference returned +by of_get_parent() and use it to call of_node_put() for refcount +balance. + +Beside, in create_sysclk(), we need to call of_node_put() on 'sysclk' +also for refcount balance. + +Fixes: 0dfc86b3173f ("clk: qoriq: Move chip-specific knowledge into driver") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220628143851.171299-1-windhl@126.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-qoriq.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/clk-qoriq.c b/drivers/clk/clk-qoriq.c +index 88898b97a443..5eddb9f0d6bd 100644 +--- a/drivers/clk/clk-qoriq.c ++++ b/drivers/clk/clk-qoriq.c +@@ -1063,8 +1063,13 @@ static void __init _clockgen_init(struct device_node *np, bool legacy); + */ + static void __init legacy_init_clockgen(struct device_node *np) + { +- if (!clockgen.node) +- _clockgen_init(of_get_parent(np), true); ++ if (!clockgen.node) { ++ struct device_node *parent_np; ++ ++ parent_np = of_get_parent(np); ++ _clockgen_init(parent_np, true); ++ of_node_put(parent_np); ++ } + } + + /* Legacy node */ +@@ -1159,6 +1164,7 @@ static struct clk * __init create_sysclk(const char *name) + sysclk = of_get_child_by_name(clockgen.node, "sysclk"); + if (sysclk) { + clk = sysclk_from_fixed(sysclk, name); ++ of_node_put(sysclk); + if (!IS_ERR(clk)) + return clk; + } +-- +2.35.1 + diff --git a/queue-6.0/clk-samsung-exynosautov9-correct-register-offsets-of.patch b/queue-6.0/clk-samsung-exynosautov9-correct-register-offsets-of.patch new file mode 100644 index 00000000000..d6f7056e143 --- /dev/null +++ b/queue-6.0/clk-samsung-exynosautov9-correct-register-offsets-of.patch @@ -0,0 +1,76 @@ +From 7785a71d37e4872ed135f3adddb475fe70792b1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 11:13:57 +0900 +Subject: clk: samsung: exynosautov9: correct register offsets of peric0/c1 + +From: Chanho Park + +[ Upstream commit 67d98943408bce835185688cb75ebbb45b91e572 ] + +Some register offsets of peric0 and peric1 cmu blocks need to be +corrected and re-ordered by numerical order. + +Fixes: f2dd366992d0 ("clk: samsung: exynosautov9: add cmu_peric0 clock support") +Fixes: b35f27fe73d8 ("clk: samsung: exynosautov9: add cmu_peric1 clock support") +Signed-off-by: Chanho Park +Reviewed-by: Krzysztof Kozlowski +Acked-by: Chanwoo Choi +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220727021357.152421-4-chanho61.park@samsung.com +Signed-off-by: Sasha Levin +--- + drivers/clk/samsung/clk-exynosautov9.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/drivers/clk/samsung/clk-exynosautov9.c b/drivers/clk/samsung/clk-exynosautov9.c +index d9e1f8e4a7b4..487a71b32a00 100644 +--- a/drivers/clk/samsung/clk-exynosautov9.c ++++ b/drivers/clk/samsung/clk-exynosautov9.c +@@ -1170,9 +1170,9 @@ static const struct samsung_cmu_info fsys2_cmu_info __initconst = { + #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_2 0x2058 + #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_3 0x205c + #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_4 0x2060 +-#define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_7 0x206c + #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_5 0x2064 + #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_6 0x2068 ++#define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_7 0x206c + #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_8 0x2070 + #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_9 0x2074 + #define CLK_CON_GAT_GOUT_BLK_PERIC0_UID_PERIC0_TOP0_IPCLKPORT_PCLK_10 0x204c +@@ -1418,14 +1418,14 @@ static const struct samsung_cmu_info peric0_cmu_info __initconst = { + #define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_IPCLK_11 0x2020 + #define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_0 0x2044 + #define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_1 0x2048 +-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_2 0x2058 +-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_3 0x205c +-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_4 0x2060 +-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_7 0x206c +-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_5 0x2064 +-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_6 0x2068 +-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_8 0x2070 +-#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_9 0x2074 ++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_2 0x2054 ++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_3 0x2058 ++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_4 0x205c ++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_5 0x2060 ++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_6 0x2064 ++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_7 0x2068 ++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_8 0x206c ++#define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_9 0x2070 + #define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_10 0x204c + #define CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_11 0x2050 + +@@ -1463,9 +1463,9 @@ static const unsigned long peric1_clk_regs[] __initconst = { + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_2, + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_3, + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_4, +- CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_7, + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_5, + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_6, ++ CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_7, + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_8, + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_9, + CLK_CON_GAT_GOUT_BLK_PERIC1_UID_PERIC1_TOP0_IPCLKPORT_PCLK_10, +-- +2.35.1 + diff --git a/queue-6.0/clk-sprd-hold-reference-returned-by-of_get_parent.patch b/queue-6.0/clk-sprd-hold-reference-returned-by-of_get_parent.patch new file mode 100644 index 00000000000..2af7c46417c --- /dev/null +++ b/queue-6.0/clk-sprd-hold-reference-returned-by-of_get_parent.patch @@ -0,0 +1,52 @@ +From f451a8ce5830c250384547efdc040dd09b9f9249 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Jul 2022 08:47:29 +0800 +Subject: clk: sprd: Hold reference returned by of_get_parent() + +From: Liang He + +[ Upstream commit 91e6455bf715fb1558a0bf8f645ec1c131254a3c ] + +We should hold the reference returned by of_get_parent() and use it +to call of_node_put() for refcount balance. + +Fixes: f95e8c7923d1 ("clk: sprd: support to get regmap from parent node") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220704004729.272481-1-windhl@126.com +Reviewed-by: Orson Zhai +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/sprd/common.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/sprd/common.c b/drivers/clk/sprd/common.c +index d620bbbcdfc8..ce81e4087a8f 100644 +--- a/drivers/clk/sprd/common.c ++++ b/drivers/clk/sprd/common.c +@@ -41,7 +41,7 @@ int sprd_clk_regmap_init(struct platform_device *pdev, + { + void __iomem *base; + struct device *dev = &pdev->dev; +- struct device_node *node = dev->of_node; ++ struct device_node *node = dev->of_node, *np; + struct regmap *regmap; + + if (of_find_property(node, "sprd,syscon", NULL)) { +@@ -50,9 +50,10 @@ int sprd_clk_regmap_init(struct platform_device *pdev, + pr_err("%s: failed to get syscon regmap\n", __func__); + return PTR_ERR(regmap); + } +- } else if (of_device_is_compatible(of_get_parent(dev->of_node), +- "syscon")) { +- regmap = device_node_to_regmap(of_get_parent(dev->of_node)); ++ } else if (of_device_is_compatible(np = of_get_parent(node), "syscon") || ++ (of_node_put(np), 0)) { ++ regmap = device_node_to_regmap(np); ++ of_node_put(np); + if (IS_ERR(regmap)) { + dev_err(dev, "failed to get regmap from its parent.\n"); + return PTR_ERR(regmap); +-- +2.35.1 + diff --git a/queue-6.0/clk-st-hold-reference-returned-by-of_get_parent.patch b/queue-6.0/clk-st-hold-reference-returned-by-of_get_parent.patch new file mode 100644 index 00000000000..baac762921a --- /dev/null +++ b/queue-6.0/clk-st-hold-reference-returned-by-of_get_parent.patch @@ -0,0 +1,73 @@ +From 2cc16f8c18499c7cda01049e535c3abf8e1467b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Jun 2022 22:24:15 +0800 +Subject: clk: st: Hold reference returned by of_get_parent() + +From: Liang He + +[ Upstream commit 429973306f860470cbbb8402c8c53143b450faba ] + +We should hold the reference returned by of_get_parent() and use it +to call of_node_put() for refcount balance. + +Fixes: 3efe64ef5186 ("clk: st: clkgen-fsyn: search reg within node or parent") +Fixes: 810251b0d36a ("clk: st: clkgen-mux: search reg within node or parent") + +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220628142416.169808-1-windhl@126.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/st/clkgen-fsyn.c | 5 ++++- + drivers/clk/st/clkgen-mux.c | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/st/clkgen-fsyn.c b/drivers/clk/st/clkgen-fsyn.c +index 582a22c04919..d820292a381d 100644 +--- a/drivers/clk/st/clkgen-fsyn.c ++++ b/drivers/clk/st/clkgen-fsyn.c +@@ -987,6 +987,7 @@ static void __init st_of_quadfs_setup(struct device_node *np, + const char *pll_name, *clk_parent_name; + void __iomem *reg; + spinlock_t *lock; ++ struct device_node *parent_np; + + /* + * First check for reg property within the node to keep backward +@@ -994,7 +995,9 @@ static void __init st_of_quadfs_setup(struct device_node *np, + */ + reg = of_iomap(np, 0); + if (!reg) { +- reg = of_iomap(of_get_parent(np), 0); ++ parent_np = of_get_parent(np); ++ reg = of_iomap(parent_np, 0); ++ of_node_put(parent_np); + if (!reg) { + pr_err("%s: Failed to get base address\n", __func__); + return; +diff --git a/drivers/clk/st/clkgen-mux.c b/drivers/clk/st/clkgen-mux.c +index ee39af7a0b72..596e939ad905 100644 +--- a/drivers/clk/st/clkgen-mux.c ++++ b/drivers/clk/st/clkgen-mux.c +@@ -56,6 +56,7 @@ static void __init st_of_clkgen_mux_setup(struct device_node *np, + void __iomem *reg; + const char **parents; + int num_parents = 0; ++ struct device_node *parent_np; + + /* + * First check for reg property within the node to keep backward +@@ -63,7 +64,9 @@ static void __init st_of_clkgen_mux_setup(struct device_node *np, + */ + reg = of_iomap(np, 0); + if (!reg) { +- reg = of_iomap(of_get_parent(np), 0); ++ parent_np = of_get_parent(np); ++ reg = of_iomap(parent_np, 0); ++ of_node_put(parent_np); + if (!reg) { + pr_err("%s: Failed to get base address\n", __func__); + return; +-- +2.35.1 + diff --git a/queue-6.0/clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch b/queue-6.0/clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch new file mode 100644 index 00000000000..5e240e4c0cd --- /dev/null +++ b/queue-6.0/clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch @@ -0,0 +1,37 @@ +From 680b29e147bc1ad7a09c20cb88a02b897d191b09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 18:38:34 +0400 +Subject: clk: tegra: Fix refcount leak in tegra114_clock_init + +From: Miaoqian Lin + +[ Upstream commit db16a80c76ea395766913082b1e3f939dde29b2c ] + +of_find_matching_node() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 2cb5efefd6f7 ("clk: tegra: Implement clocks for Tegra114") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220523143834.7587-1-linmq006@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra114.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/tegra/clk-tegra114.c b/drivers/clk/tegra/clk-tegra114.c +index ef718c4b3826..f7405a58877e 100644 +--- a/drivers/clk/tegra/clk-tegra114.c ++++ b/drivers/clk/tegra/clk-tegra114.c +@@ -1317,6 +1317,7 @@ static void __init tegra114_clock_init(struct device_node *np) + } + + pmc_base = of_iomap(node, 0); ++ of_node_put(node); + if (!pmc_base) { + pr_err("Can't map pmc registers\n"); + WARN_ON(1); +-- +2.35.1 + diff --git a/queue-6.0/clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch b/queue-6.0/clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch new file mode 100644 index 00000000000..52407be6d05 --- /dev/null +++ b/queue-6.0/clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch @@ -0,0 +1,37 @@ +From 3052d186ee562ae5dd03e714438139fdb3eabb48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 18:26:08 +0400 +Subject: clk: tegra: Fix refcount leak in tegra210_clock_init + +From: Miaoqian Lin + +[ Upstream commit 56c78cb1f00a9dde8cd762131ce8f4c5eb046fbb ] + +of_find_matching_node() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 6b301a059eb2 ("clk: tegra: Add support for Tegra210 clocks") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220523142608.65074-1-linmq006@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra210.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c +index b9099012dc7b..499f999e91e1 100644 +--- a/drivers/clk/tegra/clk-tegra210.c ++++ b/drivers/clk/tegra/clk-tegra210.c +@@ -3748,6 +3748,7 @@ static void __init tegra210_clock_init(struct device_node *np) + } + + pmc_base = of_iomap(node, 0); ++ of_node_put(node); + if (!pmc_base) { + pr_err("Can't map pmc registers\n"); + WARN_ON(1); +-- +2.35.1 + diff --git a/queue-6.0/clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch b/queue-6.0/clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch new file mode 100644 index 00000000000..271c24b2910 --- /dev/null +++ b/queue-6.0/clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch @@ -0,0 +1,37 @@ +From 81aeb3492c8400c26d9974faf8a6a976b3fcbefc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 May 2022 19:28:11 +0400 +Subject: clk: tegra20: Fix refcount leak in tegra20_clock_init + +From: Miaoqian Lin + +[ Upstream commit 4e343bafe03ff68a62f48f8235cf98f2c685468b ] + +of_find_matching_node() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 37c26a906527 ("clk: tegra: add clock support for Tegra20") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220523152811.19692-1-linmq006@gmail.com +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/tegra/clk-tegra20.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c +index be3c33441cfc..8a4514f6d503 100644 +--- a/drivers/clk/tegra/clk-tegra20.c ++++ b/drivers/clk/tegra/clk-tegra20.c +@@ -1131,6 +1131,7 @@ static void __init tegra20_clock_init(struct device_node *np) + } + + pmc_base = of_iomap(node, 0); ++ of_node_put(node); + if (!pmc_base) { + pr_err("Can't map pmc registers\n"); + BUG(); +-- +2.35.1 + diff --git a/queue-6.0/clk-ti-balance-of_node_get-calls-for-of_find_node_by.patch b/queue-6.0/clk-ti-balance-of_node_get-calls-for-of_find_node_by.patch new file mode 100644 index 00000000000..8947a7f7264 --- /dev/null +++ b/queue-6.0/clk-ti-balance-of_node_get-calls-for-of_find_node_by.patch @@ -0,0 +1,48 @@ +From e8fd4671ec76a6413c5844d36af977cb51be9b2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 11:11:21 +0800 +Subject: clk: ti: Balance of_node_get() calls for of_find_node_by_name() + +From: Liang He + +[ Upstream commit 058a3996b888ab60eb1857fb4fd28f1b89a9a95a ] + +In ti_find_clock_provider(), of_find_node_by_name() will call +of_node_put() for the 'from' argument, possibly putting the node one too +many times. Let's maintain the of_node_get() from the previous search +and only put when we're exiting the function early. This should avoid a +misbalanced reference count on the node. + +Fixes: 51f661ef9a10 ("clk: ti: Add ti_find_clock_provider() to use clock-output-names") +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220915031121.4003589-1-windhl@126.com +[sboyd@kernel.org: Rewrite commit text, maintain reference instead of +get again] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/clk.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/ti/clk.c b/drivers/clk/ti/clk.c +index 373e9438b57a..1dc2f15fb75b 100644 +--- a/drivers/clk/ti/clk.c ++++ b/drivers/clk/ti/clk.c +@@ -140,11 +140,12 @@ static struct device_node *ti_find_clock_provider(struct device_node *from, + break; + } + } +- of_node_put(from); + kfree(tmp); + +- if (found) ++ if (found) { ++ of_node_put(from); + return np; ++ } + + /* Fall back to using old node name base provider name */ + return of_find_node_by_name(from, name); +-- +2.35.1 + diff --git a/queue-6.0/clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch b/queue-6.0/clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch new file mode 100644 index 00000000000..63129815a35 --- /dev/null +++ b/queue-6.0/clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch @@ -0,0 +1,60 @@ +From 75c70986b1d322ec6054b247337c71442940c4ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 07:08:36 +0400 +Subject: clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe + +From: Miaoqian Lin + +[ Upstream commit 9c59a01caba26ec06fefd6ca1f22d5fd1de57d63 ] + +pm_runtime_get_sync() will increment pm usage counter. +Forgetting to putting operation will result in reference leak. +Add missing pm_runtime_put_sync in some error paths. + +Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220602030838.52057-1-linmq006@gmail.com +Reviewed-by: Tony Lindgren +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/ti/clk-dra7-atl.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c +index f0f5bf68b6d2..ff4d6a951681 100644 +--- a/drivers/clk/ti/clk-dra7-atl.c ++++ b/drivers/clk/ti/clk-dra7-atl.c +@@ -245,14 +245,16 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev) + if (rc) { + pr_err("%s: failed to lookup atl clock %d\n", __func__, + i); +- return -EINVAL; ++ ret = -EINVAL; ++ goto pm_put; + } + + clk = of_clk_get_from_provider(&clkspec); + if (IS_ERR(clk)) { + pr_err("%s: failed to get atl clock %d from provider\n", + __func__, i); +- return PTR_ERR(clk); ++ ret = PTR_ERR(clk); ++ goto pm_put; + } + + cdesc = to_atl_desc(__clk_get_hw(clk)); +@@ -285,8 +287,9 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev) + if (cdesc->enabled) + atl_clk_enable(__clk_get_hw(clk)); + } +- pm_runtime_put_sync(cinfo->dev); + ++pm_put: ++ pm_runtime_put_sync(cinfo->dev); + return ret; + } + +-- +2.35.1 + diff --git a/queue-6.0/clk-vc5-fix-5p49v6901-outputs-disabling-when-enablin.patch b/queue-6.0/clk-vc5-fix-5p49v6901-outputs-disabling-when-enablin.patch new file mode 100644 index 00000000000..c1bd56527e8 --- /dev/null +++ b/queue-6.0/clk-vc5-fix-5p49v6901-outputs-disabling-when-enablin.patch @@ -0,0 +1,55 @@ +From 6c59af31209c37db31722a85bf9d6bee5d4485e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 01:53:55 +0300 +Subject: clk: vc5: Fix 5P49V6901 outputs disabling when enabling FOD + +From: Serge Semin + +[ Upstream commit c388cc804016cf0f65afdc2362b120aa594ff3e6 ] + +We have discovered random glitches during the system boot up procedure. +The problem investigation led us to the weird outcomes: when none of the +Renesas 5P49V6901 ports are explicitly enabled by the kernel driver, the +glitches disappeared. It was a mystery since the SoC external clock +domains were fed with different 5P49V6901 outputs. The driver code didn't +seem like bogus either. We almost despaired to find out a root cause when +the solution has been found for a more modern revision of the chip. It +turned out the 5P49V6901 clock generator stopped its output for a short +period of time during the VC5_OUT_DIV_CONTROL register writing. The same +problem was found for the 5P49V6965 revision of the chip and was +successfully fixed in commit fc336ae622df ("clk: vc5: fix output disabling +when enabling a FOD") by enabling the "bypass_sync" flag hidden inside +"Unused Factory Reserved Register". Even though the 5P49V6901 registers +description and programming guide doesn't provide any intel regarding that +flag, setting it up anyway in the officially unused register completely +eliminated the denoted glitches. Thus let's activate the functionality +submitted in commit fc336ae622df ("clk: vc5: fix output disabling when +enabling a FOD") for the Renesas 5P49V6901 chip too in order to remove the +ports implicit inter-dependency. + +Fixes: dbf6b16f5683 ("clk: vc5: Add support for IDT VersaClock 5P49V6901") +Signed-off-by: Serge Semin +Reviewed-by: Luca Ceresoli +Link: https://lore.kernel.org/r/20220929225402.9696-2-Sergey.Semin@baikalelectronics.ru +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-versaclock5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-versaclock5.c b/drivers/clk/clk-versaclock5.c +index e7be3e54b9be..03cfef494b49 100644 +--- a/drivers/clk/clk-versaclock5.c ++++ b/drivers/clk/clk-versaclock5.c +@@ -1204,7 +1204,7 @@ static const struct vc5_chip_info idt_5p49v6901_info = { + .model = IDT_VC6_5P49V6901, + .clk_fod_cnt = 4, + .clk_out_cnt = 5, +- .flags = VC5_HAS_PFD_FREQ_DBL, ++ .flags = VC5_HAS_PFD_FREQ_DBL | VC5_HAS_BYPASS_SYNC_BIT, + }; + + static const struct vc5_chip_info idt_5p49v6965_info = { +-- +2.35.1 + diff --git a/queue-6.0/clk-zynqmp-fix-stack-out-of-bounds-in-strncpy.patch b/queue-6.0/clk-zynqmp-fix-stack-out-of-bounds-in-strncpy.patch new file mode 100644 index 00000000000..79aedd300ae --- /dev/null +++ b/queue-6.0/clk-zynqmp-fix-stack-out-of-bounds-in-strncpy.patch @@ -0,0 +1,118 @@ +From 458b16c8aaa9753424bec956401dc1f9170ad2cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 May 2022 12:31:54 +0530 +Subject: clk: zynqmp: Fix stack-out-of-bounds in strncpy` + +From: Ian Nam + +[ Upstream commit dd80fb2dbf1cd8751efbe4e53e54056f56a9b115 ] + +"BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68" + +Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is +longer than 15 bytes, string terminated NULL character will not be received +by Linux. Add explicit NULL character at last byte to fix issues when clock +name is longer. + +This fixes below bug reported by KASAN: + + ================================================================== + BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68 + Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1 + + CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3 + Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT) + Call trace: + dump_backtrace+0x0/0x1e8 + show_stack+0x14/0x20 + dump_stack+0xd4/0x108 + print_address_description.isra.0+0xbc/0x37c + __kasan_report+0x144/0x198 + kasan_report+0xc/0x18 + __asan_load1+0x5c/0x68 + strncpy+0x30/0x68 + zynqmp_clock_probe+0x238/0x7b8 + platform_drv_probe+0x6c/0xc8 + really_probe+0x14c/0x418 + driver_probe_device+0x74/0x130 + __device_attach_driver+0xc4/0xe8 + bus_for_each_drv+0xec/0x150 + __device_attach+0x160/0x1d8 + device_initial_probe+0x10/0x18 + bus_probe_device+0xe0/0xf0 + device_add+0x528/0x950 + of_device_add+0x5c/0x80 + of_platform_device_create_pdata+0x120/0x168 + of_platform_bus_create+0x244/0x4e0 + of_platform_populate+0x50/0xe8 + zynqmp_firmware_probe+0x370/0x3a8 + platform_drv_probe+0x6c/0xc8 + really_probe+0x14c/0x418 + driver_probe_device+0x74/0x130 + device_driver_attach+0x94/0xa0 + __driver_attach+0x70/0x108 + bus_for_each_dev+0xe4/0x158 + driver_attach+0x30/0x40 + bus_add_driver+0x21c/0x2b8 + driver_register+0xbc/0x1d0 + __platform_driver_register+0x7c/0x88 + zynqmp_firmware_driver_init+0x1c/0x24 + do_one_initcall+0xa4/0x234 + kernel_init_freeable+0x1b0/0x24c + kernel_init+0x10/0x110 + ret_from_fork+0x10/0x18 + + The buggy address belongs to the page: + page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 + raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000 + raw: 0000000000000000 0000000000000000 00000000ffffffff + page dumped because: kasan: bad access detected + + addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame: + zynqmp_clock_probe+0x0/0x7b8 + + this frame has 3 objects: + [32, 44) 'response' + [64, 80) 'ret_payload' + [96, 112) 'name' + + Memory state around the buggy address: + ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2 + >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 + ^ + ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ================================================================== + +Signed-off-by: Ian Nam +Signed-off-by: Shubhrajyoti Datta +Link: https://lore.kernel.org/r/20220510070154.29528-3-shubhrajyoti.datta@xilinx.com +Acked-by: Michal Simek +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/zynqmp/clkc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/clk/zynqmp/clkc.c b/drivers/clk/zynqmp/clkc.c +index eb25303eefed..2c9da6623b84 100644 +--- a/drivers/clk/zynqmp/clkc.c ++++ b/drivers/clk/zynqmp/clkc.c +@@ -710,6 +710,13 @@ static void zynqmp_get_clock_info(void) + FIELD_PREP(CLK_ATTR_NODE_INDEX, i); + + zynqmp_pm_clock_get_name(clock[i].clk_id, &name); ++ ++ /* ++ * Terminate with NULL character in case name provided by firmware ++ * is longer and truncated due to size limit. ++ */ ++ name.name[sizeof(name.name) - 1] = '\0'; ++ + if (!strcmp(name.name, RESERVED_CLK_NAME)) + continue; + strncpy(clock[i].clk_name, name.name, MAX_NAME_LEN); +-- +2.35.1 + diff --git a/queue-6.0/clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch b/queue-6.0/clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch new file mode 100644 index 00000000000..956abe9aea7 --- /dev/null +++ b/queue-6.0/clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch @@ -0,0 +1,92 @@ +From d1776d109ec6ffc33576b5f9cb4c296b2c528a63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 22:20:30 +0800 +Subject: clk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_rate + +From: Quanyang Wang + +[ Upstream commit 30eaf02149ecc3c5815e45d27187bf09e925071d ] + +The function zynqmp_pll_round_rate is used to find a most appropriate +PLL frequency which the hardware can generate according to the desired +frequency. For example, if the desired frequency is 297MHz, considering +the limited range from PS_PLL_VCO_MIN (1.5GHz) to PS_PLL_VCO_MAX (3.0GHz) +of PLL, zynqmp_pll_round_rate should return 1.872GHz (297MHz * 5). + +There are two problems with the current code of zynqmp_pll_round_rate: + +1) When the rate is below PS_PLL_VCO_MIN, it can't find a correct rate +when the parameter "rate" is an integer multiple of *prate, in other words, +if "f" is zero, zynqmp_pll_round_rate won't return a valid frequency which +is from PS_PLL_VCO_MIN to PS_PLL_VCO_MAX. For example, *prate is 33MHz +and the rate is 660MHz, zynqmp_pll_round_rate will not boost up rate and +just return 660MHz, and this will cause clk_calc_new_rates failure since +zynqmp_pll_round_rate returns an invalid rate out of its boundaries. + +2) Even if the rate is higher than PS_PLL_VCO_MIN, there is still a risk +that zynqmp_pll_round_rate returns an invalid rate because the function +DIV_ROUND_CLOSEST makes some loss in the fractional part. If the parent +clock *prate is 33333333Hz and we want to set the PLL rate to 1.5GHz, +this function will return 1499999985Hz by using the formula below: + value = *prate * DIV_ROUND_CLOSEST(rate, *prate)). +This value is also invalid since it's slightly smaller than PS_PLL_VCO_MIN. +because DIV_ROUND_CLOSEST makes some loss in the fractional part. + +Signed-off-by: Quanyang Wang +Link: https://lore.kernel.org/r/20220826142030.213805-1-quanyang.wang@windriver.com +Reviewed-by: Shubhrajyoti Datta +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/zynqmp/pll.c | 31 +++++++++++++++---------------- + 1 file changed, 15 insertions(+), 16 deletions(-) + +diff --git a/drivers/clk/zynqmp/pll.c b/drivers/clk/zynqmp/pll.c +index 91a6b4cc910e..0d3e1377b092 100644 +--- a/drivers/clk/zynqmp/pll.c ++++ b/drivers/clk/zynqmp/pll.c +@@ -102,26 +102,25 @@ static long zynqmp_pll_round_rate(struct clk_hw *hw, unsigned long rate, + unsigned long *prate) + { + u32 fbdiv; +- long rate_div, f; ++ u32 mult, div; + +- /* Enable the fractional mode if needed */ +- rate_div = (rate * FRAC_DIV) / *prate; +- f = rate_div % FRAC_DIV; +- if (f) { +- if (rate > PS_PLL_VCO_MAX) { +- fbdiv = rate / PS_PLL_VCO_MAX; +- rate = rate / (fbdiv + 1); +- } +- if (rate < PS_PLL_VCO_MIN) { +- fbdiv = DIV_ROUND_UP(PS_PLL_VCO_MIN, rate); +- rate = rate * fbdiv; +- } +- return rate; ++ /* Let rate fall inside the range PS_PLL_VCO_MIN ~ PS_PLL_VCO_MAX */ ++ if (rate > PS_PLL_VCO_MAX) { ++ div = DIV_ROUND_UP(rate, PS_PLL_VCO_MAX); ++ rate = rate / div; ++ } ++ if (rate < PS_PLL_VCO_MIN) { ++ mult = DIV_ROUND_UP(PS_PLL_VCO_MIN, rate); ++ rate = rate * mult; + } + + fbdiv = DIV_ROUND_CLOSEST(rate, *prate); +- fbdiv = clamp_t(u32, fbdiv, PLL_FBDIV_MIN, PLL_FBDIV_MAX); +- return *prate * fbdiv; ++ if (fbdiv < PLL_FBDIV_MIN || fbdiv > PLL_FBDIV_MAX) { ++ fbdiv = clamp_t(u32, fbdiv, PLL_FBDIV_MIN, PLL_FBDIV_MAX); ++ rate = *prate * fbdiv; ++ } ++ ++ return rate; + } + + /** +-- +2.35.1 + diff --git a/queue-6.0/clocksource-drivers-arm_arch_timer-fix-handling-of-a.patch b/queue-6.0/clocksource-drivers-arm_arch_timer-fix-handling-of-a.patch new file mode 100644 index 00000000000..ffbf10f46d9 --- /dev/null +++ b/queue-6.0/clocksource-drivers-arm_arch_timer-fix-handling-of-a.patch @@ -0,0 +1,48 @@ +From aa35da596b448f6d4fb9d11ae03265fd6628f0c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 14:14:24 +0800 +Subject: clocksource/drivers/arm_arch_timer: Fix handling of ARM erratum + 858921 + +From: Kunkun Jiang + +[ Upstream commit 6c3b62d93e195f78c1437c8fa7581e9b2f00886e ] + +The commit a38b71b0833e ("clocksource/drivers/arm_arch_timer: +Move system register timer programming over to CVAL") moves the +programming of the timers from the countdown timer (TVAL) over +to the comparator (CVAL). This makes it necessary to read the +counter when programming next event. However, the workaround of +Cortex-A73 erratum 858921 does not set the corresponding +set_next_event_phys and set_next_event_virt. + +Add the appropriate hooks to apply the erratum mitigation when +programming the next timer event. + +Fixes: a38b71b0833e ("clocksource/drivers/arm_arch_timer: Move system register timer programming over to CVAL") +Signed-off-by: Kunkun Jiang +Acked-by: Marc Zyngier +Reviewed-by: Oliver Upton +Link: https://lore.kernel.org/r/20220914061424.1260-1-jiangkunkun@huawei.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/arm_arch_timer.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/clocksource/arm_arch_timer.c b/drivers/clocksource/arm_arch_timer.c +index 8122a1646925..a7ff77550e17 100644 +--- a/drivers/clocksource/arm_arch_timer.c ++++ b/drivers/clocksource/arm_arch_timer.c +@@ -473,6 +473,8 @@ static const struct arch_timer_erratum_workaround ool_workarounds[] = { + .desc = "ARM erratum 858921", + .read_cntpct_el0 = arm64_858921_read_cntpct_el0, + .read_cntvct_el0 = arm64_858921_read_cntvct_el0, ++ .set_next_event_phys = erratum_set_next_event_phys, ++ .set_next_event_virt = erratum_set_next_event_virt, + }, + #endif + #ifdef CONFIG_SUN50I_ERRATUM_UNKNOWN1 +-- +2.35.1 + diff --git a/queue-6.0/clocksource-drivers-timer-gxp-add-missing-error-hand.patch b/queue-6.0/clocksource-drivers-timer-gxp-add-missing-error-hand.patch new file mode 100644 index 00000000000..efed9c588bf --- /dev/null +++ b/queue-6.0/clocksource-drivers-timer-gxp-add-missing-error-hand.patch @@ -0,0 +1,50 @@ +From fa28dbe36d36001f3fc47181cdd5dd4c4e66647c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 11:30:18 +0800 +Subject: clocksource/drivers/timer-gxp: Add missing error handling in + gxp_timer_probe + +From: Lin Yujun + +[ Upstream commit 0e2c8e6d769bcdc4f6634a02c545356282275e68 ] + +Add platform_device_put() to make sure to free the platform +device in the event platform_device_add() fails. + +Fixes: 5184f4bf151b ("clocksource/drivers/timer-gxp: Add HPE GXP Timer") +Signed-off-by: Lin Yujun +Link: https://lore.kernel.org/r/20220914033018.97484-1-linyujun809@huawei.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-gxp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/clocksource/timer-gxp.c b/drivers/clocksource/timer-gxp.c +index 8b38b3212388..fe4fa8d7b3f1 100644 +--- a/drivers/clocksource/timer-gxp.c ++++ b/drivers/clocksource/timer-gxp.c +@@ -171,6 +171,7 @@ static int gxp_timer_probe(struct platform_device *pdev) + { + struct platform_device *gxp_watchdog_device; + struct device *dev = &pdev->dev; ++ int ret; + + if (!gxp_timer) { + pr_err("Gxp Timer not initialized, cannot create watchdog"); +@@ -187,7 +188,11 @@ static int gxp_timer_probe(struct platform_device *pdev) + gxp_watchdog_device->dev.platform_data = gxp_timer->counter; + gxp_watchdog_device->dev.parent = dev; + +- return platform_device_add(gxp_watchdog_device); ++ ret = platform_device_add(gxp_watchdog_device); ++ if (ret) ++ platform_device_put(gxp_watchdog_device); ++ ++ return ret; + } + + static const struct of_device_id gxp_timer_of_match[] = { +-- +2.35.1 + diff --git a/queue-6.0/coresight-docs-fix-a-broken-reference.patch b/queue-6.0/coresight-docs-fix-a-broken-reference.patch new file mode 100644 index 00000000000..ebe3d01807b --- /dev/null +++ b/queue-6.0/coresight-docs-fix-a-broken-reference.patch @@ -0,0 +1,41 @@ +From d25068b9669700293c08becb7fcdd86694868809 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 09:06:48 +0200 +Subject: coresight: docs: Fix a broken reference + +From: Christophe JAILLET + +[ Upstream commit b99ee26a1a98a8ac0d8241224c40e6c047091d4d ] + +Since the commit in Fixes: tag, "coresight-cpu-debug.txt" has been turned +into "arm,coresight-cpu-debug.yaml". + +Update the doc accordingly to avoid a 'make htmldocs' warning + +Fixes: 66d052047ca8 ("dt-bindings: arm: Convert CoreSight CPU debug to DT schema") +Signed-off-by: Christophe JAILLET +Reviewed-by: James Clark +Link: https://lore.kernel.org/r/c7f864854e9e03916017712017ff59132c51c338.1659251193.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + Documentation/trace/coresight/coresight-cpu-debug.rst | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Documentation/trace/coresight/coresight-cpu-debug.rst b/Documentation/trace/coresight/coresight-cpu-debug.rst +index 993dd294b81b..836b35532667 100644 +--- a/Documentation/trace/coresight/coresight-cpu-debug.rst ++++ b/Documentation/trace/coresight/coresight-cpu-debug.rst +@@ -117,7 +117,8 @@ divide into below cases: + Device Tree Bindings + -------------------- + +-See Documentation/devicetree/bindings/arm/coresight-cpu-debug.txt for details. ++See Documentation/devicetree/bindings/arm/arm,coresight-cpu-debug.yaml for ++details. + + + How to use the module +-- +2.35.1 + diff --git a/queue-6.0/coresight-trbe-fix-kconfig-its-grammar.patch b/queue-6.0/coresight-trbe-fix-kconfig-its-grammar.patch new file mode 100644 index 00000000000..70c659b941e --- /dev/null +++ b/queue-6.0/coresight-trbe-fix-kconfig-its-grammar.patch @@ -0,0 +1,47 @@ +From 85c37cb7cbe5ccb30663f4f827c120c68acfcc90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jul 2022 18:59:25 -0700 +Subject: coresight: trbe: fix Kconfig "its" grammar + +From: Randy Dunlap + +[ Upstream commit 8c6989e5463a2d9415b743a20e3b843a2354beec ] + +Use the possessive "its" instead of the contraction "it's" +where appropriate. + +Signed-off-by: Randy Dunlap +Cc: Anshuman Khandual +Cc: Mathieu Poirier +Cc: Suzuki K Poulose +Cc: Alexander Shishkin +Cc: coresight@lists.linaro.org +Cc: linux-arm-kernel@lists.infradead.org +Link: https://lore.kernel.org/r/20220715015925.12569-1-rdunlap@infradead.org +Signed-off-by: Mathieu Poirier +Stable-dep-of: b99ee26a1a98 ("coresight: docs: Fix a broken reference") +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/coresight/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwtracing/coresight/Kconfig b/drivers/hwtracing/coresight/Kconfig +index 514a9b8086e3..45c1eb5dfcb7 100644 +--- a/drivers/hwtracing/coresight/Kconfig ++++ b/drivers/hwtracing/coresight/Kconfig +@@ -193,10 +193,10 @@ config CORESIGHT_TRBE + depends on ARM64 && CORESIGHT_SOURCE_ETM4X + help + This driver provides support for percpu Trace Buffer Extension (TRBE). +- TRBE always needs to be used along with it's corresponding percpu ETE ++ TRBE always needs to be used along with its corresponding percpu ETE + component. ETE generates trace data which is then captured with TRBE. + Unlike traditional sink devices, TRBE is a CPU feature accessible via +- system registers. But it's explicit dependency with trace unit (ETE) ++ system registers. But its explicit dependency with trace unit (ETE) + requires it to be plugged in as a coresight sink device. + + To compile this driver as a module, choose M here: the module will be +-- +2.35.1 + diff --git a/queue-6.0/cpufreq-amd-pstate-fix-initial-highest_perf-value.patch b/queue-6.0/cpufreq-amd-pstate-fix-initial-highest_perf-value.patch new file mode 100644 index 00000000000..6f759f7a911 --- /dev/null +++ b/queue-6.0/cpufreq-amd-pstate-fix-initial-highest_perf-value.patch @@ -0,0 +1,83 @@ +From 3e76fdfd0fda435ad5e0a1eed28143634ea9111f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 09:56:00 +0800 +Subject: cpufreq: amd-pstate: Fix initial highest_perf value + +From: Perry Yuan + +[ Upstream commit bedadcfb011fef55273bd686e8893fdd8911dcdb ] + +To avoid some new AMD processors use wrong highest perf when amd pstate +driver loaded, this fix will query the highest perf from MSR register +MSR_AMD_CPPC_CAP1 and cppc_acpi interface firstly, then compare with the +highest perf value got by calling amd_get_highest_perf() function. + +The lower value will be the correct highest perf we need to use. +Otherwise the CPU max MHz will be incorrect if the +amd_get_highest_perf() did not cover the new process family and model ID. + +Like this lscpu info, the max frequency is incorrect. + +Vendor ID: AuthenticAMD + Socket(s): 1 + Stepping: 2 + CPU max MHz: 5410.0000 + CPU min MHz: 400.0000 + BogoMIPS: 5600.54 + +Fixes: 3743d55b289c2 (x86, sched: Fix the AMD CPPC maximum performance value on certain AMD Ryzen generations) +Acked-by: Huang Rui +Signed-off-by: Perry Yuan +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/amd-pstate.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c +index 9ac75c1cde9c..365f3ad166a7 100644 +--- a/drivers/cpufreq/amd-pstate.c ++++ b/drivers/cpufreq/amd-pstate.c +@@ -152,6 +152,7 @@ static inline int amd_pstate_enable(bool enable) + static int pstate_init_perf(struct amd_cpudata *cpudata) + { + u64 cap1; ++ u32 highest_perf; + + int ret = rdmsrl_safe_on_cpu(cpudata->cpu, MSR_AMD_CPPC_CAP1, + &cap1); +@@ -163,7 +164,11 @@ static int pstate_init_perf(struct amd_cpudata *cpudata) + * + * CPPC entry doesn't indicate the highest performance in some ASICs. + */ +- WRITE_ONCE(cpudata->highest_perf, amd_get_highest_perf()); ++ highest_perf = amd_get_highest_perf(); ++ if (highest_perf > AMD_CPPC_HIGHEST_PERF(cap1)) ++ highest_perf = AMD_CPPC_HIGHEST_PERF(cap1); ++ ++ WRITE_ONCE(cpudata->highest_perf, highest_perf); + + WRITE_ONCE(cpudata->nominal_perf, AMD_CPPC_NOMINAL_PERF(cap1)); + WRITE_ONCE(cpudata->lowest_nonlinear_perf, AMD_CPPC_LOWNONLIN_PERF(cap1)); +@@ -175,12 +180,17 @@ static int pstate_init_perf(struct amd_cpudata *cpudata) + static int cppc_init_perf(struct amd_cpudata *cpudata) + { + struct cppc_perf_caps cppc_perf; ++ u32 highest_perf; + + int ret = cppc_get_perf_caps(cpudata->cpu, &cppc_perf); + if (ret) + return ret; + +- WRITE_ONCE(cpudata->highest_perf, amd_get_highest_perf()); ++ highest_perf = amd_get_highest_perf(); ++ if (highest_perf > cppc_perf.highest_perf) ++ highest_perf = cppc_perf.highest_perf; ++ ++ WRITE_ONCE(cpudata->highest_perf, highest_perf); + + WRITE_ONCE(cpudata->nominal_perf, cppc_perf.nominal_perf); + WRITE_ONCE(cpudata->lowest_nonlinear_perf, +-- +2.35.1 + diff --git a/queue-6.0/cpufreq-amd_pstate-fix-wrong-lowest-perf-fetch.patch b/queue-6.0/cpufreq-amd_pstate-fix-wrong-lowest-perf-fetch.patch new file mode 100644 index 00000000000..5d648ed996b --- /dev/null +++ b/queue-6.0/cpufreq-amd_pstate-fix-wrong-lowest-perf-fetch.patch @@ -0,0 +1,40 @@ +From d6187669e61fb32ccc9e516ce5fff0c186cfffa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 00:35:45 +0800 +Subject: cpufreq: amd_pstate: fix wrong lowest perf fetch + +From: Perry Yuan + +[ Upstream commit b185c5053c65b7704ead4537e4d4d9b33dc398dc ] + +Fix the wrong lowest perf value reading which is used for new +des_perf calculation by governor requested, the incorrect min_perf will +get incorrect des_perf to be set , that will cause the system frequency +changing unexpectedly. + +Reviewed-by: Huang Rui +Acked-by: Viresh Kumar +Signed-off-by: Perry Yuan +Signed-off-by: Su Jinzhou +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/amd-pstate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c +index 365f3ad166a7..d63a28c5f95a 100644 +--- a/drivers/cpufreq/amd-pstate.c ++++ b/drivers/cpufreq/amd-pstate.c +@@ -322,7 +322,7 @@ static int amd_pstate_target(struct cpufreq_policy *policy, + return -ENODEV; + + cap_perf = READ_ONCE(cpudata->highest_perf); +- min_perf = READ_ONCE(cpudata->lowest_nonlinear_perf); ++ min_perf = READ_ONCE(cpudata->lowest_perf); + max_perf = cap_perf; + + freqs.old = policy->cur; +-- +2.35.1 + diff --git a/queue-6.0/cpufreq-intel_pstate-add-tigerlake-support-in-no-hwp.patch b/queue-6.0/cpufreq-intel_pstate-add-tigerlake-support-in-no-hwp.patch new file mode 100644 index 00000000000..384a6e7f023 --- /dev/null +++ b/queue-6.0/cpufreq-intel_pstate-add-tigerlake-support-in-no-hwp.patch @@ -0,0 +1,44 @@ +From c2e989bec5ce541cd7d4ad84dbfe55865b99380f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 13:28:57 -0700 +Subject: cpufreq: intel_pstate: Add Tigerlake support in no-HWP mode + +From: Doug Smythies + +[ Upstream commit 71bb5c82aaaea007167f3ba68d3a669c74d7d55d ] + +Users may disable HWP in firmware, in which case intel_pstate wouldn't load +unless the CPU model is explicitly supported. + +Add TIGERLAKE to the list of CPUs that can register intel_pstate while not +advertising the HWP capability. Without this change, an TIGERLAKE in no-HWP +mode could only use the acpi_cpufreq frequency scaling driver. + +See also commits: +d8de7a44e11f: cpufreq: intel_pstate: Add Skylake servers support +fbdc21e9b038: cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode +706c5328851d: cpufreq: intel_pstate: Add Cometlake support in no-HWP mode + +Reported by: M. Cargi Ari +Signed-off-by: Doug Smythies +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/intel_pstate.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 57cdb3679885..fc3ebeb0bbe5 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -2416,6 +2416,7 @@ static const struct x86_cpu_id intel_pstate_cpu_ids[] = { + X86_MATCH(SKYLAKE_X, core_funcs), + X86_MATCH(COMETLAKE, core_funcs), + X86_MATCH(ICELAKE_X, core_funcs), ++ X86_MATCH(TIGERLAKE, core_funcs), + {} + }; + MODULE_DEVICE_TABLE(x86cpu, intel_pstate_cpu_ids); +-- +2.35.1 + diff --git a/queue-6.0/cpuidle-riscv-sbi-fix-cpu_pm_cpu_idle_enter_xyz-macr.patch b/queue-6.0/cpuidle-riscv-sbi-fix-cpu_pm_cpu_idle_enter_xyz-macr.patch new file mode 100644 index 00000000000..63b37f50a12 --- /dev/null +++ b/queue-6.0/cpuidle-riscv-sbi-fix-cpu_pm_cpu_idle_enter_xyz-macr.patch @@ -0,0 +1,49 @@ +From c9edb433f1aae3016b59e5cff9c4eab1b297c081 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jul 2022 14:15:53 +0530 +Subject: cpuidle: riscv-sbi: Fix CPU_PM_CPU_IDLE_ENTER_xyz() macro usage + +From: Anup Patel + +[ Upstream commit cfadbb9df8c4dc917787da4458327e5ec14743d4 ] + +Currently, we are using CPU_PM_CPU_IDLE_ENTER_PARAM() for all SBI HSM +suspend types so retentive suspend types are also treated non-retentive +and kernel will do redundant additional work for these states. + +The BIT[31] of SBI HSM suspend types allows us to differentiate between +retentive and non-retentive suspend types so we should use this BIT +to call appropriate CPU_PM_CPU_IDLE_ENTER_xyz() macro. + +Fixes: 6abf32f1d9c5 ("cpuidle: Add RISC-V SBI CPU idle driver") +Signed-off-by: Anup Patel +Link: https://lore.kernel.org/r/20220718084553.2056169-1-apatel@ventanamicro.com/ +Reviewed-by: Andrew Jones +Signed-off-by: Palmer Dabbelt +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle-riscv-sbi.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpuidle/cpuidle-riscv-sbi.c b/drivers/cpuidle/cpuidle-riscv-sbi.c +index 862a2876f1c9..05fe2902df9a 100644 +--- a/drivers/cpuidle/cpuidle-riscv-sbi.c ++++ b/drivers/cpuidle/cpuidle-riscv-sbi.c +@@ -97,8 +97,13 @@ static int sbi_cpuidle_enter_state(struct cpuidle_device *dev, + struct cpuidle_driver *drv, int idx) + { + u32 *states = __this_cpu_read(sbi_cpuidle_data.states); ++ u32 state = states[idx]; + +- return CPU_PM_CPU_IDLE_ENTER_PARAM(sbi_suspend, idx, states[idx]); ++ if (state & SBI_HSM_SUSP_NON_RET_BIT) ++ return CPU_PM_CPU_IDLE_ENTER_PARAM(sbi_suspend, idx, state); ++ else ++ return CPU_PM_CPU_IDLE_ENTER_RETENTION_PARAM(sbi_suspend, ++ idx, state); + } + + static int __sbi_enter_domain_idle_state(struct cpuidle_device *dev, +-- +2.35.1 + diff --git a/queue-6.0/crypto-akcipher-default-implementation-for-setting-a.patch b/queue-6.0/crypto-akcipher-default-implementation-for-setting-a.patch new file mode 100644 index 00000000000..a09bd3bc280 --- /dev/null +++ b/queue-6.0/crypto-akcipher-default-implementation-for-setting-a.patch @@ -0,0 +1,70 @@ +From 09fd9e789436b513e000c4c3a59b7cb906b53d09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 19:37:06 +0100 +Subject: crypto: akcipher - default implementation for setting a private key + +From: Ignat Korchagin + +[ Upstream commit bc155c6c188c2f0c5749993b1405673d25a80389 ] + +Changes from v1: + * removed the default implementation from set_pub_key: it is assumed that + an implementation must always have this callback defined as there are + no use case for an algorithm, which doesn't need a public key + +Many akcipher implementations (like ECDSA) support only signature +verifications, so they don't have all callbacks defined. + +Commit 78a0324f4a53 ("crypto: akcipher - default implementations for +request callbacks") introduced default callbacks for sign/verify +operations, which just return an error code. + +However, these are not enough, because before calling sign the caller would +likely call set_priv_key first on the instantiated transform (as the +in-kernel testmgr does). This function does not have a default stub, so the +kernel crashes, when trying to set a private key on an akcipher, which +doesn't support signature generation. + +I've noticed this, when trying to add a KAT vector for ECDSA signature to +the testmgr. + +With this patch the testmgr returns an error in dmesg (as it should) +instead of crashing the kernel NULL ptr dereference. + +Fixes: 78a0324f4a53 ("crypto: akcipher - default implementations for request callbacks") +Signed-off-by: Ignat Korchagin +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/akcipher.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/crypto/akcipher.c b/crypto/akcipher.c +index f866085c8a4a..ab975a420e1e 100644 +--- a/crypto/akcipher.c ++++ b/crypto/akcipher.c +@@ -120,6 +120,12 @@ static int akcipher_default_op(struct akcipher_request *req) + return -ENOSYS; + } + ++static int akcipher_default_set_key(struct crypto_akcipher *tfm, ++ const void *key, unsigned int keylen) ++{ ++ return -ENOSYS; ++} ++ + int crypto_register_akcipher(struct akcipher_alg *alg) + { + struct crypto_alg *base = &alg->base; +@@ -132,6 +138,8 @@ int crypto_register_akcipher(struct akcipher_alg *alg) + alg->encrypt = akcipher_default_op; + if (!alg->decrypt) + alg->decrypt = akcipher_default_op; ++ if (!alg->set_priv_key) ++ alg->set_priv_key = akcipher_default_set_key; + + akcipher_prepare_alg(alg); + return crypto_register_alg(base); +-- +2.35.1 + diff --git a/queue-6.0/crypto-cavium-prevent-integer-overflow-loading-firmw.patch b/queue-6.0/crypto-cavium-prevent-integer-overflow-loading-firmw.patch new file mode 100644 index 00000000000..2778796477b --- /dev/null +++ b/queue-6.0/crypto-cavium-prevent-integer-overflow-loading-firmw.patch @@ -0,0 +1,56 @@ +From d1a8ad3a71b749a9d5d73bad6333585bed5bef8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 09:43:27 +0300 +Subject: crypto: cavium - prevent integer overflow loading firmware + +From: Dan Carpenter + +[ Upstream commit 2526d6bf27d15054bb0778b2f7bc6625fd934905 ] + +The "code_length" value comes from the firmware file. If your firmware +is untrusted realistically there is probably very little you can do to +protect yourself. Still we try to limit the damage as much as possible. +Also Smatch marks any data read from the filesystem as untrusted and +prints warnings if it not capped correctly. + +The "ntohl(ucode->code_length) * 2" multiplication can have an +integer overflow. + +Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine") +Signed-off-by: Dan Carpenter +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/cavium/cpt/cptpf_main.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c +index 8c32d0eb8fcf..6872ac344001 100644 +--- a/drivers/crypto/cavium/cpt/cptpf_main.c ++++ b/drivers/crypto/cavium/cpt/cptpf_main.c +@@ -253,6 +253,7 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae) + const struct firmware *fw_entry; + struct device *dev = &cpt->pdev->dev; + struct ucode_header *ucode; ++ unsigned int code_length; + struct microcode *mcode; + int j, ret = 0; + +@@ -263,11 +264,12 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae) + ucode = (struct ucode_header *)fw_entry->data; + mcode = &cpt->mcode[cpt->next_mc_idx]; + memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ); +- mcode->code_size = ntohl(ucode->code_length) * 2; +- if (!mcode->code_size) { ++ code_length = ntohl(ucode->code_length); ++ if (code_length == 0 || code_length >= INT_MAX / 2) { + ret = -EINVAL; + goto fw_release; + } ++ mcode->code_size = code_length * 2; + + mcode->is_ae = is_ae; + mcode->core_mask = 0ULL; +-- +2.35.1 + diff --git a/queue-6.0/crypto-ccp-fail-the-psp-initialization-when-writing-.patch b/queue-6.0/crypto-ccp-fail-the-psp-initialization-when-writing-.patch new file mode 100644 index 00000000000..eefeebaac89 --- /dev/null +++ b/queue-6.0/crypto-ccp-fail-the-psp-initialization-when-writing-.patch @@ -0,0 +1,111 @@ +From 787887b29c40fae5189d4d85469e7b1c7aa60d4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 19:32:09 +0000 +Subject: crypto: ccp - Fail the PSP initialization when writing psp data file + failed + +From: Jacky Li + +[ Upstream commit efb4b01c1c993d245e6608076684ff2162cf9dc6 ] + +Currently the OS continues the PSP initialization when there is a write +failure to the init_ex_file. Therefore, the userspace would be told that +SEV is properly INIT'd even though the psp data file is not updated. +This is problematic because later when asked for the SEV data, the OS +won't be able to provide it. + +Fixes: 3d725965f836 ("crypto: ccp - Add SEV_INIT_EX support") +Reported-by: Peter Gonda +Reported-by: kernel test robot +Signed-off-by: Jacky Li +Acked-by: David Rientjes +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/sev-dev.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/drivers/crypto/ccp/sev-dev.c b/drivers/crypto/ccp/sev-dev.c +index 9f588c9728f8..6c49e6d06114 100644 +--- a/drivers/crypto/ccp/sev-dev.c ++++ b/drivers/crypto/ccp/sev-dev.c +@@ -231,7 +231,7 @@ static int sev_read_init_ex_file(void) + return 0; + } + +-static void sev_write_init_ex_file(void) ++static int sev_write_init_ex_file(void) + { + struct sev_device *sev = psp_master->sev_data; + struct file *fp; +@@ -241,14 +241,16 @@ static void sev_write_init_ex_file(void) + lockdep_assert_held(&sev_cmd_mutex); + + if (!sev_init_ex_buffer) +- return; ++ return 0; + + fp = open_file_as_root(init_ex_path, O_CREAT | O_WRONLY, 0600); + if (IS_ERR(fp)) { ++ int ret = PTR_ERR(fp); ++ + dev_err(sev->dev, +- "SEV: could not open file for write, error %ld\n", +- PTR_ERR(fp)); +- return; ++ "SEV: could not open file for write, error %d\n", ++ ret); ++ return ret; + } + + nwrite = kernel_write(fp, sev_init_ex_buffer, NV_LENGTH, &offset); +@@ -259,18 +261,20 @@ static void sev_write_init_ex_file(void) + dev_err(sev->dev, + "SEV: failed to write %u bytes to non volatile memory area, ret %ld\n", + NV_LENGTH, nwrite); +- return; ++ return -EIO; + } + + dev_dbg(sev->dev, "SEV: write successful to NV file\n"); ++ ++ return 0; + } + +-static void sev_write_init_ex_file_if_required(int cmd_id) ++static int sev_write_init_ex_file_if_required(int cmd_id) + { + lockdep_assert_held(&sev_cmd_mutex); + + if (!sev_init_ex_buffer) +- return; ++ return 0; + + /* + * Only a few platform commands modify the SPI/NV area, but none of the +@@ -285,10 +289,10 @@ static void sev_write_init_ex_file_if_required(int cmd_id) + case SEV_CMD_PEK_GEN: + break; + default: +- return; ++ return 0; + } + +- sev_write_init_ex_file(); ++ return sev_write_init_ex_file(); + } + + static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret) +@@ -361,7 +365,7 @@ static int __sev_do_cmd_locked(int cmd, void *data, int *psp_ret) + cmd, reg & PSP_CMDRESP_ERR_MASK); + ret = -EIO; + } else { +- sev_write_init_ex_file_if_required(cmd); ++ ret = sev_write_init_ex_file_if_required(cmd); + } + + print_hex_dump_debug("(out): ", DUMP_PREFIX_OFFSET, 16, 2, data, +-- +2.35.1 + diff --git a/queue-6.0/crypto-ccp-release-dma-channels-before-dmaengine-unr.patch b/queue-6.0/crypto-ccp-release-dma-channels-before-dmaengine-unr.patch new file mode 100644 index 00000000000..04394e73871 --- /dev/null +++ b/queue-6.0/crypto-ccp-release-dma-channels-before-dmaengine-unr.patch @@ -0,0 +1,54 @@ +From d63b9f663d3d607de0ffb91aa642361af05a8503 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 22:47:12 +0800 +Subject: crypto: ccp - Release dma channels before dmaengine unrgister + +From: Koba Ko + +[ Upstream commit 68dbe80f5b510c66c800b9e8055235c5b07e37d1 ] + +A warning is shown during shutdown, + +__dma_async_device_channel_unregister called while 2 clients hold a reference +WARNING: CPU: 15 PID: 1 at drivers/dma/dmaengine.c:1110 __dma_async_device_channel_unregister+0xb7/0xc0 + +Call dma_release_channel for occupied channles before dma_async_device_unregister. + +Fixes: 54cce8ecb925 ("crypto: ccp - ccp_dmaengine_unregister release dma channels") +Reported-by: kernel test robot +Signed-off-by: Koba Ko +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-dmaengine.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccp/ccp-dmaengine.c b/drivers/crypto/ccp/ccp-dmaengine.c +index 7d4b4ad1db1f..9f753cb4f5f1 100644 +--- a/drivers/crypto/ccp/ccp-dmaengine.c ++++ b/drivers/crypto/ccp/ccp-dmaengine.c +@@ -641,6 +641,10 @@ static void ccp_dma_release(struct ccp_device *ccp) + for (i = 0; i < ccp->cmd_q_count; i++) { + chan = ccp->ccp_dma_chan + i; + dma_chan = &chan->dma_chan; ++ ++ if (dma_chan->client_count) ++ dma_release_channel(dma_chan); ++ + tasklet_kill(&chan->cleanup_tasklet); + list_del_rcu(&dma_chan->device_node); + } +@@ -766,8 +770,8 @@ void ccp_dmaengine_unregister(struct ccp_device *ccp) + if (!dmaengine) + return; + +- dma_async_device_unregister(dma_dev); + ccp_dma_release(ccp); ++ dma_async_device_unregister(dma_dev); + + kmem_cache_destroy(ccp->dma_desc_cache); + kmem_cache_destroy(ccp->dma_cmd_cache); +-- +2.35.1 + diff --git a/queue-6.0/crypto-hisilicon-qm-fix-missing-put-dfx-access.patch b/queue-6.0/crypto-hisilicon-qm-fix-missing-put-dfx-access.patch new file mode 100644 index 00000000000..5329f22b6c3 --- /dev/null +++ b/queue-6.0/crypto-hisilicon-qm-fix-missing-put-dfx-access.patch @@ -0,0 +1,41 @@ +From 275e62c7a374401754a60e6f9e57b54ed1412dcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 18:27:37 +0800 +Subject: crypto: hisilicon/qm - fix missing put dfx access + +From: Weili Qian + +[ Upstream commit 5afc904f443de2afd31c4e0686ba178beede86fe ] + +In function qm_cmd_write(), if function returns from +branch 'atomic_read(&qm->status.flags) == QM_STOP', +the got dfx access is forgotten to put. + +Fixes: 607c191b371d ("crypto: hisilicon - support runtime PM for accelerator device") +Signed-off-by: Weili Qian +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/qm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c +index ad83c194d664..9fa2efe60153 100644 +--- a/drivers/crypto/hisilicon/qm.c ++++ b/drivers/crypto/hisilicon/qm.c +@@ -2245,8 +2245,10 @@ static ssize_t qm_cmd_write(struct file *filp, const char __user *buffer, + return ret; + + /* Judge if the instance is being reset. */ +- if (unlikely(atomic_read(&qm->status.flags) == QM_STOP)) +- return 0; ++ if (unlikely(atomic_read(&qm->status.flags) == QM_STOP)) { ++ ret = 0; ++ goto put_dfx_access; ++ } + + if (count > QM_DBG_WRITE_LEN) { + ret = -ENOSPC; +-- +2.35.1 + diff --git a/queue-6.0/crypto-hisilicon-zip-fix-mismatch-in-get-set-sgl_sge.patch b/queue-6.0/crypto-hisilicon-zip-fix-mismatch-in-get-set-sgl_sge.patch new file mode 100644 index 00000000000..fba64837aeb --- /dev/null +++ b/queue-6.0/crypto-hisilicon-zip-fix-mismatch-in-get-set-sgl_sge.patch @@ -0,0 +1,53 @@ +From dfe95f0ee22c5080d24ea17e496b8e9538c86f17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 10:07:58 +0800 +Subject: crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr + +From: Ye Weihua + +[ Upstream commit d74f9340097a881869c4c22ca376654cc2516ecc ] + +KASAN reported this Bug: + + [17619.659757] BUG: KASAN: global-out-of-bounds in param_get_int+0x34/0x60 + [17619.673193] Read of size 4 at addr fffff01332d7ed00 by task read_all/1507958 + ... + [17619.698934] The buggy address belongs to the variable: + [17619.708371] sgl_sge_nr+0x0/0xffffffffffffa300 [hisi_zip] + +There is a mismatch in hisi_zip when get/set the variable sgl_sge_nr. +The type of sgl_sge_nr is u16, and get/set sgl_sge_nr by +param_get/set_int. + +Replacing param_get/set_int to param_get/set_ushort can fix this bug. + +Fixes: f081fda293ffb ("crypto: hisilicon - add sgl_sge_nr module param for zip") +Signed-off-by: Ye Weihua +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/hisilicon/zip/zip_crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/hisilicon/zip/zip_crypto.c b/drivers/crypto/hisilicon/zip/zip_crypto.c +index ad35434a3fdb..06a2d6e81ae9 100644 +--- a/drivers/crypto/hisilicon/zip/zip_crypto.c ++++ b/drivers/crypto/hisilicon/zip/zip_crypto.c +@@ -123,12 +123,12 @@ static int sgl_sge_nr_set(const char *val, const struct kernel_param *kp) + if (ret || n == 0 || n > HISI_ACC_SGL_SGE_NR_MAX) + return -EINVAL; + +- return param_set_int(val, kp); ++ return param_set_ushort(val, kp); + } + + static const struct kernel_param_ops sgl_sge_nr_ops = { + .set = sgl_sge_nr_set, +- .get = param_get_int, ++ .get = param_get_ushort, + }; + + static u16 sgl_sge_nr = HZIP_SGL_SGE_NR; +-- +2.35.1 + diff --git a/queue-6.0/crypto-inside-secure-change-swab-to-swab32.patch b/queue-6.0/crypto-inside-secure-change-swab-to-swab32.patch new file mode 100644 index 00000000000..bfa0fab11d6 --- /dev/null +++ b/queue-6.0/crypto-inside-secure-change-swab-to-swab32.patch @@ -0,0 +1,65 @@ +From f05b58aee57d4595686d3da831e89b0e950a6fda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 10:51:28 +0800 +Subject: crypto: inside-secure - Change swab to swab32 + +From: Peter Harliman Liem + +[ Upstream commit 664593407e936b6438fbfaaf98876910fd31cf9a ] + +The use of swab() is causing failures in 64-bit arch, as it +translates to __swab64() instead of the intended __swab32(). +It eventually causes wrong results in xcbcmac & cmac algo. + +Fixes: 78cf1c8bfcb8 ("crypto: inside-secure - Move ipad/opad into safexcel_context") +Signed-off-by: Peter Harliman Liem +Acked-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/inside-secure/safexcel_hash.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/inside-secure/safexcel_hash.c b/drivers/crypto/inside-secure/safexcel_hash.c +index bc60b5802256..2124416742f8 100644 +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -383,7 +383,7 @@ static int safexcel_ahash_send_req(struct crypto_async_request *async, int ring, + u32 x; + + x = ipad[i] ^ ipad[i + 4]; +- cache[i] ^= swab(x); ++ cache[i] ^= swab32(x); + } + } + cache_len = AES_BLOCK_SIZE; +@@ -821,7 +821,7 @@ static int safexcel_ahash_final(struct ahash_request *areq) + u32 *result = (void *)areq->result; + + /* K3 */ +- result[i] = swab(ctx->base.ipad.word[i + 4]); ++ result[i] = swab32(ctx->base.ipad.word[i + 4]); + } + areq->result[0] ^= 0x80; // 10- padding + crypto_cipher_encrypt_one(ctx->kaes, areq->result, areq->result); +@@ -2106,7 +2106,7 @@ static int safexcel_xcbcmac_setkey(struct crypto_ahash *tfm, const u8 *key, + crypto_cipher_encrypt_one(ctx->kaes, (u8 *)key_tmp + AES_BLOCK_SIZE, + "\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3\x3"); + for (i = 0; i < 3 * AES_BLOCK_SIZE / sizeof(u32); i++) +- ctx->base.ipad.word[i] = swab(key_tmp[i]); ++ ctx->base.ipad.word[i] = swab32(key_tmp[i]); + + crypto_cipher_clear_flags(ctx->kaes, CRYPTO_TFM_REQ_MASK); + crypto_cipher_set_flags(ctx->kaes, crypto_ahash_get_flags(tfm) & +@@ -2189,7 +2189,7 @@ static int safexcel_cmac_setkey(struct crypto_ahash *tfm, const u8 *key, + return ret; + + for (i = 0; i < len / sizeof(u32); i++) +- ctx->base.ipad.word[i + 8] = swab(aes.key_enc[i]); ++ ctx->base.ipad.word[i + 8] = swab32(aes.key_enc[i]); + + /* precompute the CMAC key material */ + crypto_cipher_clear_flags(ctx->kaes, CRYPTO_TFM_REQ_MASK); +-- +2.35.1 + diff --git a/queue-6.0/crypto-marvell-octeontx-prevent-integer-overflows.patch b/queue-6.0/crypto-marvell-octeontx-prevent-integer-overflows.patch new file mode 100644 index 00000000000..88c02af8611 --- /dev/null +++ b/queue-6.0/crypto-marvell-octeontx-prevent-integer-overflows.patch @@ -0,0 +1,79 @@ +From ec25206905b17c3df733ef993ee4c5c82ac912a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 09:43:19 +0300 +Subject: crypto: marvell/octeontx - prevent integer overflows + +From: Dan Carpenter + +[ Upstream commit caca37cf6c749ff0303f68418cfe7b757a4e0697 ] + +The "code_length" value comes from the firmware file. If your firmware +is untrusted realistically there is probably very little you can do to +protect yourself. Still we try to limit the damage as much as possible. +Also Smatch marks any data read from the filesystem as untrusted and +prints warnings if it not capped correctly. + +The "code_length * 2" can overflow. The round_up(ucode_size, 16) + +sizeof() expression can overflow too. Prevent these overflows. + +Fixes: d9110b0b01ff ("crypto: marvell - add support for OCTEON TX CPT engine") +Signed-off-by: Dan Carpenter +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + .../crypto/marvell/octeontx/otx_cptpf_ucode.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c +index 40b482198ebc..a765eefb18c2 100644 +--- a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c ++++ b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c +@@ -286,6 +286,7 @@ static int process_tar_file(struct device *dev, + struct tar_ucode_info_t *tar_info; + struct otx_cpt_ucode_hdr *ucode_hdr; + int ucode_type, ucode_size; ++ unsigned int code_length; + + /* + * If size is less than microcode header size then don't report +@@ -303,7 +304,13 @@ static int process_tar_file(struct device *dev, + if (get_ucode_type(ucode_hdr, &ucode_type)) + return 0; + +- ucode_size = ntohl(ucode_hdr->code_length) * 2; ++ code_length = ntohl(ucode_hdr->code_length); ++ if (code_length >= INT_MAX / 2) { ++ dev_err(dev, "Invalid code_length %u\n", code_length); ++ return -EINVAL; ++ } ++ ++ ucode_size = code_length * 2; + if (!ucode_size || (size < round_up(ucode_size, 16) + + sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) { + dev_err(dev, "Ucode %s invalid size\n", filename); +@@ -886,6 +893,7 @@ static int ucode_load(struct device *dev, struct otx_cpt_ucode *ucode, + { + struct otx_cpt_ucode_hdr *ucode_hdr; + const struct firmware *fw; ++ unsigned int code_length; + int ret; + + set_ucode_filename(ucode, ucode_filename); +@@ -896,7 +904,13 @@ static int ucode_load(struct device *dev, struct otx_cpt_ucode *ucode, + ucode_hdr = (struct otx_cpt_ucode_hdr *) fw->data; + memcpy(ucode->ver_str, ucode_hdr->ver_str, OTX_CPT_UCODE_VER_STR_SZ); + ucode->ver_num = ucode_hdr->ver_num; +- ucode->size = ntohl(ucode_hdr->code_length) * 2; ++ code_length = ntohl(ucode_hdr->code_length); ++ if (code_length >= INT_MAX / 2) { ++ dev_err(dev, "Ucode invalid code_length %u\n", code_length); ++ ret = -EINVAL; ++ goto release_fw; ++ } ++ ucode->size = code_length * 2; + if (!ucode->size || (fw->size < round_up(ucode->size, 16) + + sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) { + dev_err(dev, "Ucode %s invalid size\n", ucode_filename); +-- +2.35.1 + diff --git a/queue-6.0/crypto-qat-fix-default-value-of-wdt-timer.patch b/queue-6.0/crypto-qat-fix-default-value-of-wdt-timer.patch new file mode 100644 index 00000000000..4d03349fb92 --- /dev/null +++ b/queue-6.0/crypto-qat-fix-default-value-of-wdt-timer.patch @@ -0,0 +1,41 @@ +From fb63facafc8d7079ea277e928287e2398b1a94fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 12:32:16 +0200 +Subject: crypto: qat - fix default value of WDT timer + +From: Lucas Segarra Fernandez + +[ Upstream commit cc40b04c08400d86d2d6ea0159e0617e717f729c ] + +The QAT HW supports an hardware mechanism to detect an accelerator hang. +The reporting of a hang occurs after a watchdog timer (WDT) expires. + +The value of the WDT set previously was too small and was causing false +positives. +Change the default value of the WDT to 0x7000000ULL to avoid this. + +Fixes: 1c4d9d5bbb5a ("crypto: qat - enable detection of accelerators hang") +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Lucas Segarra Fernandez +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_gen4_hw_data.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h +index 43b8f864806b..4fb4b3df5a18 100644 +--- a/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h ++++ b/drivers/crypto/qat/qat_common/adf_gen4_hw_data.h +@@ -107,7 +107,7 @@ do { \ + * Timeout is in cycles. Clock speed may vary across products but this + * value should be a few milli-seconds. + */ +-#define ADF_SSM_WDT_DEFAULT_VALUE 0x200000 ++#define ADF_SSM_WDT_DEFAULT_VALUE 0x7000000ULL + #define ADF_SSM_WDT_PKE_DEFAULT_VALUE 0x8000000 + #define ADF_SSMWDTL_OFFSET 0x54 + #define ADF_SSMWDTH_OFFSET 0x5C +-- +2.35.1 + diff --git a/queue-6.0/crypto-qat-fix-dma-transfer-direction.patch b/queue-6.0/crypto-qat-fix-dma-transfer-direction.patch new file mode 100644 index 00000000000..1e09f2a14ed --- /dev/null +++ b/queue-6.0/crypto-qat-fix-dma-transfer-direction.patch @@ -0,0 +1,156 @@ +From a2dad91c8fc6fb002bce75dd681477fa24397132 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 11:49:12 +0100 +Subject: crypto: qat - fix DMA transfer direction + +From: Damian Muszynski + +[ Upstream commit cf5bb835b7c8a5fee7f26455099cca7feb57f5e9 ] + +When CONFIG_DMA_API_DEBUG is selected, while running the crypto self +test on the QAT crypto algorithms, the function add_dma_entry() reports +a warning similar to the one below, saying that overlapping mappings +are not supported. This occurs in tests where the input and the output +scatter list point to the same buffers (i.e. two different scatter lists +which point to the same chunks of memory). + +The logic that implements the mapping uses the flag DMA_BIDIRECTIONAL +for both the input and the output scatter lists which leads to +overlapped write mappings. These are not supported by the DMA layer. + +Fix by specifying the correct DMA transfer directions when mapping +buffers. For in-place operations where the input scatter list +matches the output scatter list, buffers are mapped once with +DMA_BIDIRECTIONAL, otherwise input buffers are mapped using the flag +DMA_TO_DEVICE and output buffers are mapped with DMA_FROM_DEVICE. +Overlapping a read mapping with a write mapping is a valid case in +dma-coherent devices like QAT. +The function that frees and unmaps the buffers, qat_alg_free_bufl() +has been changed accordingly to the changes to the mapping function. + + DMA-API: 4xxx 0000:06:00.0: cacheline tracking EEXIST, overlapping mappings aren't supported + WARNING: CPU: 53 PID: 4362 at kernel/dma/debug.c:570 add_dma_entry+0x1e9/0x270 + ... + Call Trace: + dma_map_page_attrs+0x82/0x2d0 + ? preempt_count_add+0x6a/0xa0 + qat_alg_sgl_to_bufl+0x45b/0x990 [intel_qat] + qat_alg_aead_dec+0x71/0x250 [intel_qat] + crypto_aead_decrypt+0x3d/0x70 + test_aead_vec_cfg+0x649/0x810 + ? number+0x310/0x3a0 + ? vsnprintf+0x2a3/0x550 + ? scnprintf+0x42/0x70 + ? valid_sg_divisions.constprop.0+0x86/0xa0 + ? test_aead_vec+0xdf/0x120 + test_aead_vec+0xdf/0x120 + alg_test_aead+0x185/0x400 + alg_test+0x3d8/0x500 + ? crypto_acomp_scomp_free_ctx+0x30/0x30 + ? __schedule+0x32a/0x12a0 + ? ttwu_queue_wakelist+0xbf/0x110 + ? _raw_spin_unlock_irqrestore+0x23/0x40 + ? try_to_wake_up+0x83/0x570 + ? _raw_spin_unlock_irqrestore+0x23/0x40 + ? __set_cpus_allowed_ptr_locked+0xea/0x1b0 + ? crypto_acomp_scomp_free_ctx+0x30/0x30 + cryptomgr_test+0x27/0x50 + kthread+0xe6/0x110 + ? kthread_complete_and_exit+0x20/0x20 + ret_from_fork+0x1f/0x30 + +Fixes: d370cec ("crypto: qat - Intel(R) QAT crypto interface") +Link: https://lore.kernel.org/linux-crypto/20220223080400.139367-1-gilad@benyossef.com/ +Signed-off-by: Damian Muszynski +Signed-off-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/qat_algs.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/qat_algs.c b/drivers/crypto/qat/qat_common/qat_algs.c +index fb45fa83841c..cad9c58caab1 100644 +--- a/drivers/crypto/qat/qat_common/qat_algs.c ++++ b/drivers/crypto/qat/qat_common/qat_algs.c +@@ -673,11 +673,14 @@ static void qat_alg_free_bufl(struct qat_crypto_instance *inst, + dma_addr_t blpout = qat_req->buf.bloutp; + size_t sz = qat_req->buf.sz; + size_t sz_out = qat_req->buf.sz_out; ++ int bl_dma_dir; + int i; + ++ bl_dma_dir = blp != blpout ? DMA_TO_DEVICE : DMA_BIDIRECTIONAL; ++ + for (i = 0; i < bl->num_bufs; i++) + dma_unmap_single(dev, bl->bufers[i].addr, +- bl->bufers[i].len, DMA_BIDIRECTIONAL); ++ bl->bufers[i].len, bl_dma_dir); + + dma_unmap_single(dev, blp, sz, DMA_TO_DEVICE); + +@@ -691,7 +694,7 @@ static void qat_alg_free_bufl(struct qat_crypto_instance *inst, + for (i = bufless; i < blout->num_bufs; i++) { + dma_unmap_single(dev, blout->bufers[i].addr, + blout->bufers[i].len, +- DMA_BIDIRECTIONAL); ++ DMA_FROM_DEVICE); + } + dma_unmap_single(dev, blpout, sz_out, DMA_TO_DEVICE); + +@@ -716,6 +719,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst, + struct scatterlist *sg; + size_t sz_out, sz = struct_size(bufl, bufers, n); + int node = dev_to_node(&GET_DEV(inst->accel_dev)); ++ int bufl_dma_dir; + + if (unlikely(!n)) + return -EINVAL; +@@ -733,6 +737,8 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst, + qat_req->buf.sgl_src_valid = true; + } + ++ bufl_dma_dir = sgl != sglout ? DMA_TO_DEVICE : DMA_BIDIRECTIONAL; ++ + for_each_sg(sgl, sg, n, i) + bufl->bufers[i].addr = DMA_MAPPING_ERROR; + +@@ -744,7 +750,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst, + + bufl->bufers[y].addr = dma_map_single(dev, sg_virt(sg), + sg->length, +- DMA_BIDIRECTIONAL); ++ bufl_dma_dir); + bufl->bufers[y].len = sg->length; + if (unlikely(dma_mapping_error(dev, bufl->bufers[y].addr))) + goto err_in; +@@ -787,7 +793,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst, + + bufers[y].addr = dma_map_single(dev, sg_virt(sg), + sg->length, +- DMA_BIDIRECTIONAL); ++ DMA_FROM_DEVICE); + if (unlikely(dma_mapping_error(dev, bufers[y].addr))) + goto err_out; + bufers[y].len = sg->length; +@@ -817,7 +823,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst, + if (!dma_mapping_error(dev, buflout->bufers[i].addr)) + dma_unmap_single(dev, buflout->bufers[i].addr, + buflout->bufers[i].len, +- DMA_BIDIRECTIONAL); ++ DMA_FROM_DEVICE); + + if (!qat_req->buf.sgl_dst_valid) + kfree(buflout); +@@ -831,7 +837,7 @@ static int qat_alg_sgl_to_bufl(struct qat_crypto_instance *inst, + if (!dma_mapping_error(dev, bufl->bufers[i].addr)) + dma_unmap_single(dev, bufl->bufers[i].addr, + bufl->bufers[i].len, +- DMA_BIDIRECTIONAL); ++ bufl_dma_dir); + + if (!qat_req->buf.sgl_src_valid) + kfree(bufl); +-- +2.35.1 + diff --git a/queue-6.0/crypto-sahara-don-t-sleep-when-in-softirq.patch b/queue-6.0/crypto-sahara-don-t-sleep-when-in-softirq.patch new file mode 100644 index 00000000000..eca6ad03360 --- /dev/null +++ b/queue-6.0/crypto-sahara-don-t-sleep-when-in-softirq.patch @@ -0,0 +1,95 @@ +From 7fa931835d2e5b70481f5b4e349f50fed7b90def Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 12:09:28 +0800 +Subject: crypto: sahara - don't sleep when in softirq + +From: Zhengchao Shao + +[ Upstream commit 108586eba094b318e6a831f977f4ddcc403a15da ] + +Function of sahara_aes_crypt maybe could be called by function +of crypto_skcipher_encrypt during the rx softirq, so it is not +allowed to use mutex lock. + +Fixes: c0c3c89ae347 ("crypto: sahara - replace tasklets with...") +Signed-off-by: Zhengchao Shao +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/sahara.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/crypto/sahara.c b/drivers/crypto/sahara.c +index 457084b344c1..b07ae4ba165e 100644 +--- a/drivers/crypto/sahara.c ++++ b/drivers/crypto/sahara.c +@@ -26,10 +26,10 @@ + #include + #include + #include +-#include + #include + #include + #include ++#include + + #define SHA_BUFFER_LEN PAGE_SIZE + #define SAHARA_MAX_SHA_BLOCK_SIZE SHA256_BLOCK_SIZE +@@ -196,7 +196,7 @@ struct sahara_dev { + void __iomem *regs_base; + struct clk *clk_ipg; + struct clk *clk_ahb; +- struct mutex queue_mutex; ++ spinlock_t queue_spinlock; + struct task_struct *kthread; + struct completion dma_completion; + +@@ -642,9 +642,9 @@ static int sahara_aes_crypt(struct skcipher_request *req, unsigned long mode) + + rctx->mode = mode; + +- mutex_lock(&dev->queue_mutex); ++ spin_lock_bh(&dev->queue_spinlock); + err = crypto_enqueue_request(&dev->queue, &req->base); +- mutex_unlock(&dev->queue_mutex); ++ spin_unlock_bh(&dev->queue_spinlock); + + wake_up_process(dev->kthread); + +@@ -1043,10 +1043,10 @@ static int sahara_queue_manage(void *data) + do { + __set_current_state(TASK_INTERRUPTIBLE); + +- mutex_lock(&dev->queue_mutex); ++ spin_lock_bh(&dev->queue_spinlock); + backlog = crypto_get_backlog(&dev->queue); + async_req = crypto_dequeue_request(&dev->queue); +- mutex_unlock(&dev->queue_mutex); ++ spin_unlock_bh(&dev->queue_spinlock); + + if (backlog) + backlog->complete(backlog, -EINPROGRESS); +@@ -1092,9 +1092,9 @@ static int sahara_sha_enqueue(struct ahash_request *req, int last) + rctx->first = 1; + } + +- mutex_lock(&dev->queue_mutex); ++ spin_lock_bh(&dev->queue_spinlock); + ret = crypto_enqueue_request(&dev->queue, &req->base); +- mutex_unlock(&dev->queue_mutex); ++ spin_unlock_bh(&dev->queue_spinlock); + + wake_up_process(dev->kthread); + +@@ -1449,7 +1449,7 @@ static int sahara_probe(struct platform_device *pdev) + + crypto_init_queue(&dev->queue, SAHARA_QUEUE_LENGTH); + +- mutex_init(&dev->queue_mutex); ++ spin_lock_init(&dev->queue_spinlock); + + dev_ptr = dev; + +-- +2.35.1 + diff --git a/queue-6.0/cw1200-fix-incorrect-check-to-determine-if-no-elemen.patch b/queue-6.0/cw1200-fix-incorrect-check-to-determine-if-no-elemen.patch new file mode 100644 index 00000000000..366fa7a893c --- /dev/null +++ b/queue-6.0/cw1200-fix-incorrect-check-to-determine-if-no-elemen.patch @@ -0,0 +1,75 @@ +From 627316298aa7d05fb37c7e1bc83b3db556f5ba67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 17:17:23 +0800 +Subject: cw1200: fix incorrect check to determine if no element is found in + list + +From: Xiaomeng Tong + +[ Upstream commit 86df5de5c632d3bd940f59bbb14ae912aa9cc363 ] + +The bug is here: "} else if (item) {". + +The list iterator value will *always* be set and non-NULL by +list_for_each_entry(), so it is incorrect to assume that the iterator +value will be NULL if the list is empty or no element is found in list. + +Use a new value 'iter' as the list iterator, while use the old value +'item' as a dedicated pointer to point to the found element, which +1. can fix this bug, due to now 'item' is NULL only if it's not found. +2. do not need to change all the uses of 'item' after the loop. +3. can also limit the scope of the list iterator 'iter' *only inside* + the traversal loop by simply declaring 'iter' inside the loop in the + future, as usage of the iterator outside of the list_for_each_entry + is considered harmful. https://lkml.org/lkml/2022/2/17/1032 + +Fixes: a910e4a94f692 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") +Signed-off-by: Xiaomeng Tong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220413091723.17596-1-xiam0nd.tong@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/queue.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/st/cw1200/queue.c b/drivers/net/wireless/st/cw1200/queue.c +index e06da4b3b0d4..805a3c1bf8fe 100644 +--- a/drivers/net/wireless/st/cw1200/queue.c ++++ b/drivers/net/wireless/st/cw1200/queue.c +@@ -91,23 +91,25 @@ static void __cw1200_queue_gc(struct cw1200_queue *queue, + bool unlock) + { + struct cw1200_queue_stats *stats = queue->stats; +- struct cw1200_queue_item *item = NULL, *tmp; ++ struct cw1200_queue_item *item = NULL, *iter, *tmp; + bool wakeup_stats = false; + +- list_for_each_entry_safe(item, tmp, &queue->queue, head) { +- if (time_is_after_jiffies(item->queue_timestamp + queue->ttl)) ++ list_for_each_entry_safe(iter, tmp, &queue->queue, head) { ++ if (time_is_after_jiffies(iter->queue_timestamp + queue->ttl)) { ++ item = iter; + break; ++ } + --queue->num_queued; +- --queue->link_map_cache[item->txpriv.link_id]; ++ --queue->link_map_cache[iter->txpriv.link_id]; + spin_lock_bh(&stats->lock); + --stats->num_queued; +- if (!--stats->link_map_cache[item->txpriv.link_id]) ++ if (!--stats->link_map_cache[iter->txpriv.link_id]) + wakeup_stats = true; + spin_unlock_bh(&stats->lock); + cw1200_debug_tx_ttl(stats->priv); +- cw1200_queue_register_post_gc(head, item); +- item->skb = NULL; +- list_move_tail(&item->head, &queue->free_pool); ++ cw1200_queue_register_post_gc(head, iter); ++ iter->skb = NULL; ++ list_move_tail(&iter->head, &queue->free_pool); + } + + if (wakeup_stats) +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-dw-edma-remove-runtime-pm-support.patch b/queue-6.0/dmaengine-dw-edma-remove-runtime-pm-support.patch new file mode 100644 index 00000000000..9a1716010d5 --- /dev/null +++ b/queue-6.0/dmaengine-dw-edma-remove-runtime-pm-support.patch @@ -0,0 +1,99 @@ +From 9e9ef8ef75372445466f2b0a378ea53c71b61fea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Sep 2022 11:17:00 +0530 +Subject: dmaengine: dw-edma: Remove runtime PM support + +From: Manivannan Sadhasivam + +[ Upstream commit a0188eb6e71c93ab7dd9bfa4305fac43c70db309 ] + +Currently, the dw-edma driver enables the runtime_pm for parent device +(chip->dev) and increments/decrements the refcount during alloc/free +chan resources callbacks. + +This leads to a problem when the eDMA driver has been probed, but the +channels were not used. This scenario can happen when the DW PCIe driver +probes eDMA driver successfully, but the PCI EPF driver decides not to +use eDMA channels and use iATU instead for PCI transfers. + +In this case, the underlying device would be runtime suspended due to +pm_runtime_enable() in dw_edma_probe() and the PCI EPF driver would have +no knowledge of it. + +Ideally, the eDMA driver should not be the one doing the runtime PM of +the parent device. The responsibility should instead belong to the client +drivers like PCI EPF. + +So let's remove the runtime PM support from eDMA driver. + +Cc: Serge Semin +Cc: Frank Li +Reviewed-by: Serge Semin +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20220910054700.12205-1-manivannan.sadhasivam@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dw-edma/dw-edma-core.c | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/drivers/dma/dw-edma/dw-edma-core.c b/drivers/dma/dw-edma/dw-edma-core.c +index 07f756479663..c54b24ff5206 100644 +--- a/drivers/dma/dw-edma/dw-edma-core.c ++++ b/drivers/dma/dw-edma/dw-edma-core.c +@@ -9,7 +9,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -682,15 +681,12 @@ static int dw_edma_alloc_chan_resources(struct dma_chan *dchan) + if (chan->status != EDMA_ST_IDLE) + return -EBUSY; + +- pm_runtime_get(chan->dw->chip->dev); +- + return 0; + } + + static void dw_edma_free_chan_resources(struct dma_chan *dchan) + { + unsigned long timeout = jiffies + msecs_to_jiffies(5000); +- struct dw_edma_chan *chan = dchan2dw_edma_chan(dchan); + int ret; + + while (time_before(jiffies, timeout)) { +@@ -703,8 +699,6 @@ static void dw_edma_free_chan_resources(struct dma_chan *dchan) + + cpu_relax(); + } +- +- pm_runtime_put(chan->dw->chip->dev); + } + + static int dw_edma_channel_setup(struct dw_edma *dw, bool write, +@@ -977,9 +971,6 @@ int dw_edma_probe(struct dw_edma_chip *chip) + if (err) + goto err_irq_free; + +- /* Power management */ +- pm_runtime_enable(dev); +- + /* Turn debugfs on */ + dw_edma_v0_core_debugfs_on(dw); + +@@ -1009,9 +1000,6 @@ int dw_edma_remove(struct dw_edma_chip *chip) + for (i = (dw->nr_irqs - 1); i >= 0; i--) + free_irq(chip->ops->irq_vector(dev, i), &dw->irq[i]); + +- /* Power management */ +- pm_runtime_disable(dev); +- + /* Deregister eDMA device */ + dma_async_device_unregister(&dw->wr_edma); + list_for_each_entry_safe(chan, _chan, &dw->wr_edma.channels, +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-hisilicon-add-multi-thread-support-for-a-d.patch b/queue-6.0/dmaengine-hisilicon-add-multi-thread-support-for-a-d.patch new file mode 100644 index 00000000000..4f7474fe6d0 --- /dev/null +++ b/queue-6.0/dmaengine-hisilicon-add-multi-thread-support-for-a-d.patch @@ -0,0 +1,102 @@ +From 104cc6834bc52c37eecee491784cc06fa15f959c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 14:22:47 +0800 +Subject: dmaengine: hisilicon: Add multi-thread support for a DMA channel + +From: Jie Hai + +[ Upstream commit 2cbb95883c990d0002a77e13d3278913ab26ad79 ] + +When we get a DMA channel and try to use it in multiple threads it +will cause oops and hanging the system. + +% echo 100 > /sys/module/dmatest/parameters/threads_per_chan +% echo 100 > /sys/module/dmatest/parameters/iterations +% echo 1 > /sys/module/dmatest/parameters/run +[383493.327077] Unable to handle kernel paging request at virtual + address dead000000000108 +[383493.335103] Mem abort info: +[383493.335103] ESR = 0x96000044 +[383493.335105] EC = 0x25: DABT (current EL), IL = 32 bits +[383493.335107] SET = 0, FnV = 0 +[383493.335108] EA = 0, S1PTW = 0 +[383493.335109] FSC = 0x04: level 0 translation fault +[383493.335110] Data abort info: +[383493.335111] ISV = 0, ISS = 0x00000044 +[383493.364739] CM = 0, WnR = 1 +[383493.367793] [dead000000000108] address between user and kernel + address ranges +[383493.375021] Internal error: Oops: 96000044 [#1] PREEMPT SMP +[383493.437574] CPU: 63 PID: 27895 Comm: dma0chan0-copy2 Kdump: + loaded Tainted: GO 5.17.0-rc4+ #2 +[383493.457851] pstate: 204000c9 (nzCv daIF +PAN -UAO -TCO -DIT + -SSBS BTYPE=--) +[383493.465331] pc : vchan_tx_submit+0x64/0xa0 +[383493.469957] lr : vchan_tx_submit+0x34/0xa0 + +This occurs because the transmission timed out, and that's due +to data race. Each thread rewrite channels's descriptor as soon as +device_issue_pending is called. It leads to the situation that +the driver thinks that it uses the right descriptor in interrupt +handler while channels's descriptor has been changed by other +thread. The descriptor which in fact reported interrupt will not +be handled any more, as well as its tx->callback. +That's why timeout reports. + +With current fixes channels' descriptor changes it's value only +when it has been used. A new descriptor is acquired from +vc->desc_issued queue that is already filled with descriptors +that are ready to be sent. Threads have no direct access to DMA +channel descriptor. In case of channel's descriptor is busy, try +to submit to HW again when a descriptor is completed. In this case, +vc->desc_issued may be empty when hisi_dma_start_transfer is called, +so delete error reporting on this. Now it is just possible to queue +a descriptor for further processing. + +Fixes: e9f08b65250d ("dmaengine: hisilicon: Add Kunpeng DMA engine support") +Signed-off-by: Jie Hai +Acked-by: Zhou Wang +Link: https://lore.kernel.org/r/20220830062251.52993-4-haijie1@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/hisi_dma.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/dma/hisi_dma.c b/drivers/dma/hisi_dma.c +index 837f7e4adfa6..0233b42143c7 100644 +--- a/drivers/dma/hisi_dma.c ++++ b/drivers/dma/hisi_dma.c +@@ -271,7 +271,6 @@ static void hisi_dma_start_transfer(struct hisi_dma_chan *chan) + + vd = vchan_next_desc(&chan->vc); + if (!vd) { +- dev_err(&hdma_dev->pdev->dev, "no issued task!\n"); + chan->desc = NULL; + return; + } +@@ -303,7 +302,7 @@ static void hisi_dma_issue_pending(struct dma_chan *c) + + spin_lock_irqsave(&chan->vc.lock, flags); + +- if (vchan_issue_pending(&chan->vc)) ++ if (vchan_issue_pending(&chan->vc) && !chan->desc) + hisi_dma_start_transfer(chan); + + spin_unlock_irqrestore(&chan->vc.lock, flags); +@@ -441,11 +440,10 @@ static irqreturn_t hisi_dma_irq(int irq, void *data) + chan->qp_num, chan->cq_head); + if (FIELD_GET(STATUS_MASK, cqe->w0) == STATUS_SUCC) { + vchan_cookie_complete(&desc->vd); ++ hisi_dma_start_transfer(chan); + } else { + dev_err(&hdma_dev->pdev->dev, "task error!\n"); + } +- +- chan->desc = NULL; + } + + spin_unlock(&chan->vc.lock); +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-hisilicon-disable-channels-when-unregister.patch b/queue-6.0/dmaengine-hisilicon-disable-channels-when-unregister.patch new file mode 100644 index 00000000000..7e5ee1ae415 --- /dev/null +++ b/queue-6.0/dmaengine-hisilicon-disable-channels-when-unregister.patch @@ -0,0 +1,72 @@ +From e104078c8bcb2a4eb6666f90e2f8d21e17b93301 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 14:22:45 +0800 +Subject: dmaengine: hisilicon: Disable channels when unregister hisi_dma + +From: Jie Hai + +[ Upstream commit e3bdaa04ada31f46d0586df83a2789b8913053c5 ] + +When hisi_dma is unloaded or unbinded, all of channels should be +disabled. This patch disables DMA channels when driver is unloaded +or unbinded. + +Fixes: e9f08b65250d ("dmaengine: hisilicon: Add Kunpeng DMA engine support") +Signed-off-by: Jie Hai +Acked-by: Zhou Wang +Link: https://lore.kernel.org/r/20220830062251.52993-2-haijie1@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/hisi_dma.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/dma/hisi_dma.c b/drivers/dma/hisi_dma.c +index 43817ced3a3e..98bc488893cc 100644 +--- a/drivers/dma/hisi_dma.c ++++ b/drivers/dma/hisi_dma.c +@@ -180,7 +180,8 @@ static void hisi_dma_reset_qp_point(struct hisi_dma_dev *hdma_dev, u32 index) + hisi_dma_chan_write(hdma_dev->base, HISI_DMA_CQ_HEAD_PTR, index, 0); + } + +-static void hisi_dma_reset_hw_chan(struct hisi_dma_chan *chan) ++static void hisi_dma_reset_or_disable_hw_chan(struct hisi_dma_chan *chan, ++ bool disable) + { + struct hisi_dma_dev *hdma_dev = chan->hdma_dev; + u32 index = chan->qp_num, tmp; +@@ -201,8 +202,11 @@ static void hisi_dma_reset_hw_chan(struct hisi_dma_chan *chan) + hisi_dma_do_reset(hdma_dev, index); + hisi_dma_reset_qp_point(hdma_dev, index); + hisi_dma_pause_dma(hdma_dev, index, false); +- hisi_dma_enable_dma(hdma_dev, index, true); +- hisi_dma_unmask_irq(hdma_dev, index); ++ ++ if (!disable) { ++ hisi_dma_enable_dma(hdma_dev, index, true); ++ hisi_dma_unmask_irq(hdma_dev, index); ++ } + + ret = readl_relaxed_poll_timeout(hdma_dev->base + + HISI_DMA_Q_FSM_STS + index * HISI_DMA_OFFSET, tmp, +@@ -218,7 +222,7 @@ static void hisi_dma_free_chan_resources(struct dma_chan *c) + struct hisi_dma_chan *chan = to_hisi_dma_chan(c); + struct hisi_dma_dev *hdma_dev = chan->hdma_dev; + +- hisi_dma_reset_hw_chan(chan); ++ hisi_dma_reset_or_disable_hw_chan(chan, false); + vchan_free_chan_resources(&chan->vc); + + memset(chan->sq, 0, sizeof(struct hisi_dma_sqe) * hdma_dev->chan_depth); +@@ -394,7 +398,7 @@ static void hisi_dma_enable_qp(struct hisi_dma_dev *hdma_dev, u32 qp_index) + + static void hisi_dma_disable_qp(struct hisi_dma_dev *hdma_dev, u32 qp_index) + { +- hisi_dma_reset_hw_chan(&hdma_dev->chan[qp_index]); ++ hisi_dma_reset_or_disable_hw_chan(&hdma_dev->chan[qp_index], true); + } + + static void hisi_dma_enable_qps(struct hisi_dma_dev *hdma_dev) +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-hisilicon-fix-cq-head-update.patch b/queue-6.0/dmaengine-hisilicon-fix-cq-head-update.patch new file mode 100644 index 00000000000..7f839d7ec00 --- /dev/null +++ b/queue-6.0/dmaengine-hisilicon-fix-cq-head-update.patch @@ -0,0 +1,55 @@ +From ba951ed2bdfde8e5fe757effd3e7c5e8f07dcaad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 14:22:46 +0800 +Subject: dmaengine: hisilicon: Fix CQ head update + +From: Jie Hai + +[ Upstream commit 94477a79cf80e8ab55b68f14bc579a12ddea1e0b ] + +After completion of data transfer of one or multiple descriptors, +the completion status and the current head pointer to submission +queue are written into the CQ and interrupt can be generated to +inform the software. In interrupt process CQ is read and cq_head +is updated. + +hisi_dma_irq updates cq_head only when the completion status is +success. When an abnormal interrupt reports, cq_head will not update +which will cause subsequent interrupt processes read the error CQ +and never report the correct status. + +This patch updates cq_head whenever CQ is accessed. + +Fixes: e9f08b65250d ("dmaengine: hisilicon: Add Kunpeng DMA engine support") +Signed-off-by: Jie Hai +Acked-by: Zhou Wang +Link: https://lore.kernel.org/r/20220830062251.52993-3-haijie1@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/hisi_dma.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/dma/hisi_dma.c b/drivers/dma/hisi_dma.c +index 98bc488893cc..837f7e4adfa6 100644 +--- a/drivers/dma/hisi_dma.c ++++ b/drivers/dma/hisi_dma.c +@@ -436,12 +436,10 @@ static irqreturn_t hisi_dma_irq(int irq, void *data) + desc = chan->desc; + cqe = chan->cq + chan->cq_head; + if (desc) { ++ chan->cq_head = (chan->cq_head + 1) % hdma_dev->chan_depth; ++ hisi_dma_chan_write(hdma_dev->base, HISI_DMA_CQ_HEAD_PTR, ++ chan->qp_num, chan->cq_head); + if (FIELD_GET(STATUS_MASK, cqe->w0) == STATUS_SUCC) { +- chan->cq_head = (chan->cq_head + 1) % +- hdma_dev->chan_depth; +- hisi_dma_chan_write(hdma_dev->base, +- HISI_DMA_CQ_HEAD_PTR, chan->qp_num, +- chan->cq_head); + vchan_cookie_complete(&desc->vd); + } else { + dev_err(&hdma_dev->pdev->dev, "task error!\n"); +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-idxd-avoid-deadlock-in-process_misc_interr.patch b/queue-6.0/dmaengine-idxd-avoid-deadlock-in-process_misc_interr.patch new file mode 100644 index 00000000000..abdd1a0bdb5 --- /dev/null +++ b/queue-6.0/dmaengine-idxd-avoid-deadlock-in-process_misc_interr.patch @@ -0,0 +1,50 @@ +From 70a8d0c72e8e22212cd11f21dd641441cfc1226b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 09:37:09 -0700 +Subject: dmaengine: idxd: avoid deadlock in process_misc_interrupts() + +From: Jerry Snitselaar + +[ Upstream commit 407171717a4f4d2d80825584643374a2dfdb0540 ] + +idxd_device_clear_state() now grabs the idxd->dev_lock +itself, so don't grab the lock prior to calling it. + +This was seen in testing after dmar fault occurred on system, +resulting in lockup stack traces. + +Cc: Fenghua Yu +Cc: Dave Jiang +Cc: Vinod Koul +Cc: dmaengine@vger.kernel.org +Fixes: cf4ac3fef338 ("dmaengine: idxd: fix lockdep warning on device driver removal") +Signed-off-by: Jerry Snitselaar +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/20220823163709.2102468-1-jsnitsel@redhat.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/irq.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c +index 743ead5ebc57..5b9921475be6 100644 +--- a/drivers/dma/idxd/irq.c ++++ b/drivers/dma/idxd/irq.c +@@ -324,13 +324,11 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause) + idxd->state = IDXD_DEV_HALTED; + idxd_wqs_quiesce(idxd); + idxd_wqs_unmap_portal(idxd); +- spin_lock(&idxd->dev_lock); + idxd_device_clear_state(idxd); + dev_err(&idxd->pdev->dev, + "idxd halted, need %s.\n", + gensts.reset_type == IDXD_DEVICE_RESET_FLR ? + "FLR" : "system reset"); +- spin_unlock(&idxd->dev_lock); + return -ENXIO; + } + } +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch b/queue-6.0/dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch new file mode 100644 index 00000000000..852cdebf9e6 --- /dev/null +++ b/queue-6.0/dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch @@ -0,0 +1,61 @@ +From aca04f28dfaf63985603b860dffd5d8e487e0d73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 09:58:42 -0700 +Subject: dmaengine: ioat: stop mod_timer from resurrecting deleted timer in + __cleanup() + +From: Dave Jiang + +[ Upstream commit 898ec89dbb55b8294695ad71694a0684e62b2a73 ] + +User reports observing timer event report channel halted but no error +observed in CHANERR register. The driver finished self-test and released +channel resources. Debug shows that __cleanup() can call +mod_timer() after the timer has been deleted and thus resurrect the +timer. While harmless, it causes suprious error message to be emitted. +Use mod_timer_pending() call to prevent deleted timer from being +resurrected. + +Fixes: 3372de5813e4 ("dmaengine: ioatdma: removal of dma_v3.c and relevant ioat3 references") +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/166360672197.3851724.17040290563764838369.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ioat/dma.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/ioat/dma.c b/drivers/dma/ioat/dma.c +index 37ff4ec7db76..e2070df6cad2 100644 +--- a/drivers/dma/ioat/dma.c ++++ b/drivers/dma/ioat/dma.c +@@ -656,7 +656,7 @@ static void __cleanup(struct ioatdma_chan *ioat_chan, dma_addr_t phys_complete) + if (active - i == 0) { + dev_dbg(to_dev(ioat_chan), "%s: cancel completion timeout\n", + __func__); +- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); ++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); + } + + /* microsecond delay by sysfs variable per pending descriptor */ +@@ -682,7 +682,7 @@ static void ioat_cleanup(struct ioatdma_chan *ioat_chan) + + if (chanerr & + (IOAT_CHANERR_HANDLE_MASK | IOAT_CHANERR_RECOVER_MASK)) { +- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); ++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); + ioat_eh(ioat_chan); + } + } +@@ -879,7 +879,7 @@ static void check_active(struct ioatdma_chan *ioat_chan) + } + + if (test_and_clear_bit(IOAT_CHAN_ACTIVE, &ioat_chan->state)) +- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); ++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); + } + + static void ioat_reboot_chan(struct ioatdma_chan *ioat_chan) +-- +2.35.1 + diff --git a/queue-6.0/dmaengine-ti-k3-udma-reset-udma_chan_rt-byte-counter.patch b/queue-6.0/dmaengine-ti-k3-udma-reset-udma_chan_rt-byte-counter.patch new file mode 100644 index 00000000000..fd32d130b7e --- /dev/null +++ b/queue-6.0/dmaengine-ti-k3-udma-reset-udma_chan_rt-byte-counter.patch @@ -0,0 +1,115 @@ +From 2f9c4412a5bfcf61fb69dcbed844614011d7f86e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 11:18:35 +0530 +Subject: dmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent + overflow + +From: Vaishnav Achath + +[ Upstream commit 7c94dcfa8fcff2dba53915f1dabfee49a3df8b88 ] + +UDMA_CHAN_RT_*BCNT_REG stores the real-time channel bytecount statistics. +These registers are 32-bit hardware counters and the driver uses these +counters to monitor the operational progress status for a channel, when +transferring more than 4GB of data it was observed that these counters +overflow and completion calculation of a operation gets affected and the +transfer hangs indefinitely. + +This commit adds changes to decrease the byte count for every complete +transaction so that these registers never overflow and the proper byte +count statistics is maintained for ongoing transaction by the RT counters. + +Earlier uc->bcnt used to maintain a count of the completed bytes at driver +side, since the RT counters maintain the statistics of current transaction +now, the maintenance of uc->bcnt is not necessary. + +Signed-off-by: Vaishnav Achath +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20220802054835.19482-1-vaishnav.a@ti.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ti/k3-udma.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c +index 2f0d2c68c93c..fcfcde947b30 100644 +--- a/drivers/dma/ti/k3-udma.c ++++ b/drivers/dma/ti/k3-udma.c +@@ -300,8 +300,6 @@ struct udma_chan { + + struct udma_tx_drain tx_drain; + +- u32 bcnt; /* number of bytes completed since the start of the channel */ +- + /* Channel configuration parameters */ + struct udma_chan_config config; + +@@ -757,6 +755,20 @@ static void udma_reset_rings(struct udma_chan *uc) + } + } + ++static void udma_decrement_byte_counters(struct udma_chan *uc, u32 val) ++{ ++ if (uc->desc->dir == DMA_DEV_TO_MEM) { ++ udma_rchanrt_write(uc, UDMA_CHAN_RT_BCNT_REG, val); ++ udma_rchanrt_write(uc, UDMA_CHAN_RT_SBCNT_REG, val); ++ udma_rchanrt_write(uc, UDMA_CHAN_RT_PEER_BCNT_REG, val); ++ } else { ++ udma_tchanrt_write(uc, UDMA_CHAN_RT_BCNT_REG, val); ++ udma_tchanrt_write(uc, UDMA_CHAN_RT_SBCNT_REG, val); ++ if (!uc->bchan) ++ udma_tchanrt_write(uc, UDMA_CHAN_RT_PEER_BCNT_REG, val); ++ } ++} ++ + static void udma_reset_counters(struct udma_chan *uc) + { + u32 val; +@@ -790,8 +802,6 @@ static void udma_reset_counters(struct udma_chan *uc) + val = udma_rchanrt_read(uc, UDMA_CHAN_RT_PEER_BCNT_REG); + udma_rchanrt_write(uc, UDMA_CHAN_RT_PEER_BCNT_REG, val); + } +- +- uc->bcnt = 0; + } + + static int udma_reset_chan(struct udma_chan *uc, bool hard) +@@ -1115,7 +1125,7 @@ static void udma_check_tx_completion(struct work_struct *work) + if (uc->desc) { + struct udma_desc *d = uc->desc; + +- uc->bcnt += d->residue; ++ udma_decrement_byte_counters(uc, d->residue); + udma_start(uc); + vchan_cookie_complete(&d->vd); + break; +@@ -1168,7 +1178,7 @@ static irqreturn_t udma_ring_irq_handler(int irq, void *data) + vchan_cyclic_callback(&d->vd); + } else { + if (udma_is_desc_really_done(uc, d)) { +- uc->bcnt += d->residue; ++ udma_decrement_byte_counters(uc, d->residue); + udma_start(uc); + vchan_cookie_complete(&d->vd); + } else { +@@ -1204,7 +1214,7 @@ static irqreturn_t udma_udma_irq_handler(int irq, void *data) + vchan_cyclic_callback(&d->vd); + } else { + /* TODO: figure out the real amount of data */ +- uc->bcnt += d->residue; ++ udma_decrement_byte_counters(uc, d->residue); + udma_start(uc); + vchan_cookie_complete(&d->vd); + } +@@ -3809,7 +3819,6 @@ static enum dma_status udma_tx_status(struct dma_chan *chan, + bcnt = udma_tchanrt_read(uc, UDMA_CHAN_RT_BCNT_REG); + } + +- bcnt -= uc->bcnt; + if (bcnt && !(bcnt % uc->desc->residue)) + residue = 0; + else +-- +2.35.1 + diff --git a/queue-6.0/drivers-serial-jsm-fix-some-leaks-in-probe.patch b/queue-6.0/drivers-serial-jsm-fix-some-leaks-in-probe.patch new file mode 100644 index 00000000000..4bb6599af36 --- /dev/null +++ b/queue-6.0/drivers-serial-jsm-fix-some-leaks-in-probe.patch @@ -0,0 +1,37 @@ +From bfe97b3c82c4550cdff6971e0aebd1756bf0fac2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 14:22:47 +0300 +Subject: drivers: serial: jsm: fix some leaks in probe + +From: Dan Carpenter + +[ Upstream commit 1d5859ef229e381f4db38dce8ed58e4bf862006b ] + +This error path needs to unwind instead of just returning directly. + +Fixes: 03a8482c17dd ("drivers: serial: jsm: Enable support for Digi Classic adapters") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YyxFh1+lOeZ9WfKO@kili +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/jsm/jsm_driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/jsm/jsm_driver.c b/drivers/tty/serial/jsm/jsm_driver.c +index 0ea799bf8dbb..417a5b6bffc3 100644 +--- a/drivers/tty/serial/jsm/jsm_driver.c ++++ b/drivers/tty/serial/jsm/jsm_driver.c +@@ -211,7 +211,8 @@ static int jsm_probe_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + break; + default: +- return -ENXIO; ++ rc = -ENXIO; ++ goto out_kfree_brd; + } + + rc = request_irq(brd->irq, brd->bd_ops->intr, IRQF_SHARED, "JSM", brd); +-- +2.35.1 + diff --git a/queue-6.0/drm-admgpu-skip-cg-pg-on-soc21-under-sriov-vf.patch b/queue-6.0/drm-admgpu-skip-cg-pg-on-soc21-under-sriov-vf.patch new file mode 100644 index 00000000000..2bc46ec2f8e --- /dev/null +++ b/queue-6.0/drm-admgpu-skip-cg-pg-on-soc21-under-sriov-vf.patch @@ -0,0 +1,47 @@ +From c47f2cb89da2d1773407b1bee6e0d311f6fe7489 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 11:02:19 +0800 +Subject: drm/admgpu: Skip CG/PG on SOC21 under SRIOV VF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yifan Zha + +[ Upstream commit 828418259254863e0af5805bd712284e2bd88e3b ] + +[Why] +There is no CG(Clock Gating)/PG(Power Gating) requirement on SRIOV VF. +For multi VF, VF should not enable any CG/PG features. +For one VF, PF will program CG/PG related registers. + +[How] +Do not set any cg/pg flag bit at early init under sriov. + +Acked-by: Christian König +Signed-off-by: Yifan Zha +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/soc21.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/soc21.c b/drivers/gpu/drm/amd/amdgpu/soc21.c +index 276ff6709881..9c3463b48139 100644 +--- a/drivers/gpu/drm/amd/amdgpu/soc21.c ++++ b/drivers/gpu/drm/amd/amdgpu/soc21.c +@@ -583,6 +583,10 @@ static int soc21_common_early_init(void *handle) + AMD_PG_SUPPORT_JPEG | + AMD_PG_SUPPORT_ATHUB | + AMD_PG_SUPPORT_MMHUB; ++ if (amdgpu_sriov_vf(adev)) { ++ adev->cg_flags = 0; ++ adev->pg_flags = 0; ++ } + adev->external_rev_id = adev->rev_id + 0x1; // TODO: need update + break; + case IP_VERSION(11, 0, 2): +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-correct-hostvm-flag.patch b/queue-6.0/drm-amd-display-correct-hostvm-flag.patch new file mode 100644 index 00000000000..0da71303b20 --- /dev/null +++ b/queue-6.0/drm-amd-display-correct-hostvm-flag.patch @@ -0,0 +1,43 @@ +From 82551a45b1977127a9d4e0e7ba1eecdb95b6933f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 00:12:44 +0800 +Subject: drm/amd/display: correct hostvm flag + +From: Sherry Wang + +[ Upstream commit 796d6a37ff5ffaf9f2dc0f3f4bf9f4a1034c00de ] + +[Why] +Hostvm should be enabled/disabled accordding to +the status of riommu_active, but hostvm always +be disabled on DCN31 which causes underflow + +[How] +Set correct hostvm flag on DCN31 + +Reviewed-by: Charlene Liu +Acked-by: Wayne Lin +Signed-off-by: Sherry Wang +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c +index aedff18aff56..2e5a21856eee 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c +@@ -891,7 +891,7 @@ static const struct dc_debug_options debug_defaults_drv = { + .optimize_edp_link_rate = true, + .enable_sw_cntl_psr = true, + .enable_z9_disable_interface = true, /* Allow support for the PMFW interface for disable Z9*/ +- .dml_hostvm_override = DML_HOSTVM_OVERRIDE_FALSE, ++ .dml_hostvm_override = DML_HOSTVM_NO_OVERRIDE, + }; + + static const struct dc_debug_options debug_defaults_diags = { +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-fix-array-bounds-error-in-dc_stream_.patch b/queue-6.0/drm-amd-display-fix-array-bounds-error-in-dc_stream_.patch new file mode 100644 index 00000000000..67ceb71b3eb --- /dev/null +++ b/queue-6.0/drm-amd-display-fix-array-bounds-error-in-dc_stream_.patch @@ -0,0 +1,54 @@ +From 276170299bcd3f6cbea11dcb0bd6a576a1ac7a83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 15:01:46 -0400 +Subject: drm/amd/display: fix array-bounds error in + dc_stream_remove_writeback() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hamza Mahfooz + +[ Upstream commit 5d8c3e836fc224dfe633e41f7f2856753b39a905 ] + +Address the following error: +drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c: In function ‘dc_stream_remove_writeback’: +drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:527:55: error: array subscript [0, 0] is outside array bounds of ‘struct dc_writeback_info[1]’ [-Werror=array-bounds] + 527 | stream->writeback_info[j] = stream->writeback_info[i]; + | ~~~~~~~~~~~~~~~~~~~~~~^~~ +In file included from ./drivers/gpu/drm/amd/amdgpu/../display/dc/dc.h:1269, + from ./drivers/gpu/drm/amd/amdgpu/../display/dc/inc/core_types.h:29, + from ./drivers/gpu/drm/amd/amdgpu/../display/dc/basics/dc_common.h:29, + from drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_stream.c:27: +./drivers/gpu/drm/amd/amdgpu/../display/dc/dc_stream.h:241:34: note: while referencing ‘writeback_info’ + 241 | struct dc_writeback_info writeback_info[MAX_DWB_PIPES]; + | + +Currently, we aren't checking to see if j remains within +writeback_info[]'s bounds. So, add a check to make sure that we aren't +overflowing the buffer. + +Reviewed-by: Aurabindo Pillai +Signed-off-by: Hamza Mahfooz +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c +index 0c85ab5933b4..f0a8bd924f43 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c +@@ -519,7 +519,7 @@ bool dc_stream_remove_writeback(struct dc *dc, + } + + /* remove writeback info for disabled writeback pipes from stream */ +- for (i = 0, j = 0; i < stream->num_wb_info; i++) { ++ for (i = 0, j = 0; i < stream->num_wb_info && j < MAX_DWB_PIPES; i++) { + if (stream->writeback_info[i].wb_enabled) { + if (i != j) + /* trim the array */ +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-fix-overflow-on-min_i64-definition.patch b/queue-6.0/drm-amd-display-fix-overflow-on-min_i64-definition.patch new file mode 100644 index 00000000000..de2b96b2ebb --- /dev/null +++ b/queue-6.0/drm-amd-display-fix-overflow-on-min_i64-definition.patch @@ -0,0 +1,57 @@ +From 77ef1f27ce6143fc6e4c353cd3f857a3030be1bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 17:43:26 -0300 +Subject: drm/amd/display: fix overflow on MIN_I64 definition +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David Gow + +[ Upstream commit 6ae0632d17759852c07e2d1e0a31c728eb6ba246 ] + +The definition of MIN_I64 in bw_fixed.c can cause gcc to whinge about +integer overflow, because it is treated as a positive value, which is +then negated. The temporary positive value is not necessarily +representable. + +This causes the following warning: +../drivers/gpu/drm/amd/amdgpu/../display/dc/dml/calcs/bw_fixed.c:30:19: +warning: integer overflow in expression ‘-9223372036854775808’ of type +‘long long int’ results in ‘-9223372036854775808’ [-Woverflow] + 30 | (int64_t)(-(1LL << 63)) + | ^ + +Writing out (-MAX_I64 - 1) works instead. + +Signed-off-by: David Gow +Signed-off-by: Tales Aparecida +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c b/drivers/gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c +index 6ca288fb5fb9..2d46bc527b21 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c +@@ -26,12 +26,12 @@ + #include "bw_fixed.h" + + +-#define MIN_I64 \ +- (int64_t)(-(1LL << 63)) +- + #define MAX_I64 \ + (int64_t)((1ULL << 63) - 1) + ++#define MIN_I64 \ ++ (-MAX_I64 - 1) ++ + #define FRACTIONAL_PART_MASK \ + ((1ULL << BW_FIXED_BITS_PER_FRACTIONAL_PART) - 1) + +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-fix-urgent-latency-override-for-dcn3.patch b/queue-6.0/drm-amd-display-fix-urgent-latency-override-for-dcn3.patch new file mode 100644 index 00000000000..0e79e4191fc --- /dev/null +++ b/queue-6.0/drm-amd-display-fix-urgent-latency-override-for-dcn3.patch @@ -0,0 +1,59 @@ +From 04d6aa979704b0eda467618cde9c961f9c37937c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 15:03:50 -0400 +Subject: drm/amd/display: Fix urgent latency override for DCN32/DCN321 + +From: George Shen + +[ Upstream commit e7f2f4cd67443ce308480ca461806fcc3456e0ba ] + +[Why] +The urgent latency override is useful when debugging issues +relating to underflow. + +Current overridden variable is not correct and has no effect +on DCN3.2 and DCN3.21 DML calculations. + +[How] +For DCN3.2 and DCN3.21, override the correct urgent latency +variable when bounding box override is present. + +Reviewed-by: Alvin Lee +Reviewed-by: Nevenko Stupar +Acked-by: Wayne Lin +Signed-off-by: George Shen +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 1 + + drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c +index e573e706430d..b9d3a4000c3d 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c +@@ -2199,6 +2199,7 @@ void dcn32_update_bw_bounding_box_fpu(struct dc *dc, struct clk_bw_params *bw_pa + if ((int)(dcn3_2_soc.urgent_latency_us * 1000) != dc->bb_overrides.urgent_latency_ns + && dc->bb_overrides.urgent_latency_ns) { + dcn3_2_soc.urgent_latency_us = dc->bb_overrides.urgent_latency_ns / 1000.0; ++ dcn3_2_soc.urgent_latency_pixel_data_only_us = dc->bb_overrides.urgent_latency_ns / 1000.0; + } + + if ((int)(dcn3_2_soc.dram_clock_change_latency_us * 1000) +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c b/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c +index c87091683b5d..b6369758b491 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c +@@ -489,6 +489,7 @@ void dcn321_update_bw_bounding_box_fpu(struct dc *dc, struct clk_bw_params *bw_p + if ((int)(dcn3_21_soc.urgent_latency_us * 1000) != dc->bb_overrides.urgent_latency_ns + && dc->bb_overrides.urgent_latency_ns) { + dcn3_21_soc.urgent_latency_us = dc->bb_overrides.urgent_latency_ns / 1000.0; ++ dcn3_21_soc.urgent_latency_pixel_data_only_us = dc->bb_overrides.urgent_latency_ns / 1000.0; + } + + if ((int)(dcn3_21_soc.dram_clock_change_latency_us * 1000) +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-fix-variable-dereferenced-before-che.patch b/queue-6.0/drm-amd-display-fix-variable-dereferenced-before-che.patch new file mode 100644 index 00000000000..ce69e06f5ac --- /dev/null +++ b/queue-6.0/drm-amd-display-fix-variable-dereferenced-before-che.patch @@ -0,0 +1,45 @@ +From 33dbc9775d493aab5b5cb0dd07c57b6b1bdac4ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 16:41:21 +0800 +Subject: drm/amd/display: Fix variable dereferenced before check + +From: sunliming + +[ Upstream commit 45a92f45f4578ff89da7dc5ef50bab4ef870f3b7 ] + +Fixes the following smatch warning: + +drivers/gpu/drm/amd/amdgpu/../display/dc/dc_dmub_srv.c:311 dc_dmub_srv_p_state_delegate() +warn: variable dereferenced before check 'dc' (see line 309) + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: sunliming +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c +index 76c05ff12e95..755c4f9de6da 100644 +--- a/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c ++++ b/drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c +@@ -323,11 +323,13 @@ bool dc_dmub_srv_p_state_delegate(struct dc *dc, bool should_manage_pstate, stru + struct dmub_cmd_fw_assisted_mclk_switch_config *config_data = &cmd.fw_assisted_mclk_switch.config_data; + int i = 0; + int ramp_up_num_steps = 1; // TODO: Ramp is currently disabled. Reenable it. +- uint8_t visual_confirm_enabled = dc->debug.visual_confirm == VISUAL_CONFIRM_FAMS; ++ uint8_t visual_confirm_enabled; + + if (dc == NULL) + return false; + ++ visual_confirm_enabled = dc->debug.visual_confirm == VISUAL_CONFIRM_FAMS; ++ + // Format command. + cmd.fw_assisted_mclk_switch.header.type = DMUB_CMD__FW_ASSISTED_MCLK_SWITCH; + cmd.fw_assisted_mclk_switch.header.sub_type = DMUB_CMD__FAMS_SETUP_FW_CTRL; +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-polling-vid-stream-status-in-hpo-dp-.patch b/queue-6.0/drm-amd-display-polling-vid-stream-status-in-hpo-dp-.patch new file mode 100644 index 00000000000..7709e428d65 --- /dev/null +++ b/queue-6.0/drm-amd-display-polling-vid-stream-status-in-hpo-dp-.patch @@ -0,0 +1,44 @@ +From d34aeb44fef901d6b41c1c1b1621f3e867253ac2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 15:23:38 -0400 +Subject: drm/amd/display: polling vid stream status in hpo dp blank + +From: Wenjing Liu + +[ Upstream commit e32df0c7ecead95d70ca89f39b1b2b02a59ff691 ] + +[why] +vid stream control is double bufferred, if we don't wait for video +stream enable set to 0, we may get temporary image corruption +showing on the stream when setting PIXEL_TO_SYMBOL_FIFO_ENABLE to 0. + +Reviewed-by: Ariel Bernstein +Acked-by: Jasdeep Dhillon +Signed-off-by: Wenjing Liu +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c +index 23621ff08c90..52fb2bf3d578 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c +@@ -150,9 +150,9 @@ static void dcn31_hpo_dp_stream_enc_dp_blank( + * 10us*5000=50ms. This covers 41.7ms of minimum 24 Hz mode + + * a little more because we may not trust delay accuracy. + */ +- //REG_WAIT(DP_SYM32_ENC_VID_STREAM_CONTROL, +- // VID_STREAM_STATUS, 0, +- // 10, 5000); ++ REG_WAIT(DP_SYM32_ENC_VID_STREAM_CONTROL, ++ VID_STREAM_STATUS, 0, ++ 10, 5000); + + /* Disable SDP tranmission */ + REG_UPDATE(DP_SYM32_ENC_SDP_CONTROL, +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-display-remove-interface-for-periodic-interr.patch b/queue-6.0/drm-amd-display-remove-interface-for-periodic-interr.patch new file mode 100644 index 00000000000..cf929a615d6 --- /dev/null +++ b/queue-6.0/drm-amd-display-remove-interface-for-periodic-interr.patch @@ -0,0 +1,205 @@ +From 8d930fb7c5fdf22b349da54e55035c8daf533e6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 18:07:59 -0400 +Subject: drm/amd/display: Remove interface for periodic interrupt 1 + +From: Aric Cyr + +[ Upstream commit 97d8d6f075bd8f988589be02b91f6fa644d0b0b8 ] + +[why] +Only a single VLINE interrupt is available so interface should not +expose the second one which is used by DMU firmware. + +[how] +Remove references to periodic_interrupt1 and VLINE1 from DC interfaces. + +Reviewed-by: Jaehyun Chung +Acked-by: Jasdeep Dhillon +Signed-off-by: Aric Cyr +Tested-by: Daniel Wheeler +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc.c | 16 +++------ + drivers/gpu/drm/amd/display/dc/dc_stream.h | 6 ++-- + .../amd/display/dc/dcn10/dcn10_hw_sequencer.c | 35 ++++++------------- + .../amd/display/dc/dcn10/dcn10_hw_sequencer.h | 3 +- + .../gpu/drm/amd/display/dc/inc/hw_sequencer.h | 8 +---- + 5 files changed, 18 insertions(+), 50 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c +index fb22c3d70528..18d6ee666297 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc.c +@@ -2753,11 +2753,8 @@ static void copy_stream_update_to_stream(struct dc *dc, + if (update->abm_level) + stream->abm_level = *update->abm_level; + +- if (update->periodic_interrupt0) +- stream->periodic_interrupt0 = *update->periodic_interrupt0; +- +- if (update->periodic_interrupt1) +- stream->periodic_interrupt1 = *update->periodic_interrupt1; ++ if (update->periodic_interrupt) ++ stream->periodic_interrupt = *update->periodic_interrupt; + + if (update->gamut_remap) + stream->gamut_remap_matrix = *update->gamut_remap; +@@ -2987,13 +2984,8 @@ static void commit_planes_do_stream_update(struct dc *dc, + + if (!pipe_ctx->top_pipe && !pipe_ctx->prev_odm_pipe && pipe_ctx->stream == stream) { + +- if (stream_update->periodic_interrupt0 && +- dc->hwss.setup_periodic_interrupt) +- dc->hwss.setup_periodic_interrupt(dc, pipe_ctx, VLINE0); +- +- if (stream_update->periodic_interrupt1 && +- dc->hwss.setup_periodic_interrupt) +- dc->hwss.setup_periodic_interrupt(dc, pipe_ctx, VLINE1); ++ if (stream_update->periodic_interrupt && dc->hwss.setup_periodic_interrupt) ++ dc->hwss.setup_periodic_interrupt(dc, pipe_ctx); + + if ((stream_update->hdr_static_metadata && !stream->use_dynamic_meta) || + stream_update->vrr_infopacket || +diff --git a/drivers/gpu/drm/amd/display/dc/dc_stream.h b/drivers/gpu/drm/amd/display/dc/dc_stream.h +index f87f852d4829..ae0922e98ef7 100644 +--- a/drivers/gpu/drm/amd/display/dc/dc_stream.h ++++ b/drivers/gpu/drm/amd/display/dc/dc_stream.h +@@ -212,8 +212,7 @@ struct dc_stream_state { + /* DMCU info */ + unsigned int abm_level; + +- struct periodic_interrupt_config periodic_interrupt0; +- struct periodic_interrupt_config periodic_interrupt1; ++ struct periodic_interrupt_config periodic_interrupt; + + /* from core_stream struct */ + struct dc_context *ctx; +@@ -283,8 +282,7 @@ struct dc_stream_update { + struct dc_info_packet *hdr_static_metadata; + unsigned int *abm_level; + +- struct periodic_interrupt_config *periodic_interrupt0; +- struct periodic_interrupt_config *periodic_interrupt1; ++ struct periodic_interrupt_config *periodic_interrupt; + + struct dc_info_packet *vrr_infopacket; + struct dc_info_packet *vsc_infopacket; +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +index 5b5d952b2b8c..bc9b92838ea9 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -3768,7 +3768,7 @@ void dcn10_calc_vupdate_position( + { + const struct dc_crtc_timing *dc_crtc_timing = &pipe_ctx->stream->timing; + int vline_int_offset_from_vupdate = +- pipe_ctx->stream->periodic_interrupt0.lines_offset; ++ pipe_ctx->stream->periodic_interrupt.lines_offset; + int vupdate_offset_from_vsync = dc->hwss.get_vupdate_offset_from_vsync(pipe_ctx); + int start_position; + +@@ -3793,18 +3793,10 @@ void dcn10_calc_vupdate_position( + static void dcn10_cal_vline_position( + struct dc *dc, + struct pipe_ctx *pipe_ctx, +- enum vline_select vline, + uint32_t *start_line, + uint32_t *end_line) + { +- enum vertical_interrupt_ref_point ref_point = INVALID_POINT; +- +- if (vline == VLINE0) +- ref_point = pipe_ctx->stream->periodic_interrupt0.ref_point; +- else if (vline == VLINE1) +- ref_point = pipe_ctx->stream->periodic_interrupt1.ref_point; +- +- switch (ref_point) { ++ switch (pipe_ctx->stream->periodic_interrupt.ref_point) { + case START_V_UPDATE: + dcn10_calc_vupdate_position( + dc, +@@ -3813,7 +3805,9 @@ static void dcn10_cal_vline_position( + end_line); + break; + case START_V_SYNC: +- // Suppose to do nothing because vsync is 0; ++ // vsync is line 0 so start_line is just the requested line offset ++ *start_line = pipe_ctx->stream->periodic_interrupt.lines_offset; ++ *end_line = *start_line + 2; + break; + default: + ASSERT(0); +@@ -3823,24 +3817,15 @@ static void dcn10_cal_vline_position( + + void dcn10_setup_periodic_interrupt( + struct dc *dc, +- struct pipe_ctx *pipe_ctx, +- enum vline_select vline) ++ struct pipe_ctx *pipe_ctx) + { + struct timing_generator *tg = pipe_ctx->stream_res.tg; ++ uint32_t start_line = 0; ++ uint32_t end_line = 0; + +- if (vline == VLINE0) { +- uint32_t start_line = 0; +- uint32_t end_line = 0; ++ dcn10_cal_vline_position(dc, pipe_ctx, &start_line, &end_line); + +- dcn10_cal_vline_position(dc, pipe_ctx, vline, &start_line, &end_line); +- +- tg->funcs->setup_vertical_interrupt0(tg, start_line, end_line); +- +- } else if (vline == VLINE1) { +- pipe_ctx->stream_res.tg->funcs->setup_vertical_interrupt1( +- tg, +- pipe_ctx->stream->periodic_interrupt1.lines_offset); +- } ++ tg->funcs->setup_vertical_interrupt0(tg, start_line, end_line); + } + + void dcn10_setup_vupdate_interrupt(struct dc *dc, struct pipe_ctx *pipe_ctx) +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h +index 9ae07c77fdc0..0ef7bf7ddb75 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h +@@ -175,8 +175,7 @@ void dcn10_set_cursor_attribute(struct pipe_ctx *pipe_ctx); + void dcn10_set_cursor_sdr_white_level(struct pipe_ctx *pipe_ctx); + void dcn10_setup_periodic_interrupt( + struct dc *dc, +- struct pipe_ctx *pipe_ctx, +- enum vline_select vline); ++ struct pipe_ctx *pipe_ctx); + enum dc_status dcn10_set_clock(struct dc *dc, + enum dc_clock_type clock_type, + uint32_t clk_khz, +diff --git a/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h b/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h +index ccb3c719fc4d..ac94dba72c18 100644 +--- a/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h ++++ b/drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h +@@ -32,11 +32,6 @@ + #include "inc/hw/link_encoder.h" + #include "core_status.h" + +-enum vline_select { +- VLINE0, +- VLINE1 +-}; +- + struct pipe_ctx; + struct dc_state; + struct dc_stream_status; +@@ -116,8 +111,7 @@ struct hw_sequencer_funcs { + int group_index, int group_size, + struct pipe_ctx *grouped_pipes[]); + void (*setup_periodic_interrupt)(struct dc *dc, +- struct pipe_ctx *pipe_ctx, +- enum vline_select vline); ++ struct pipe_ctx *pipe_ctx); + void (*set_drr)(struct pipe_ctx **pipe_ctx, int num_pipes, + struct dc_crtc_timing_adjust adjust); + void (*set_static_screen_control)(struct pipe_ctx **pipe_ctx, +-- +2.35.1 + diff --git a/queue-6.0/drm-amd-fix-potential-memory-leak.patch b/queue-6.0/drm-amd-fix-potential-memory-leak.patch new file mode 100644 index 00000000000..ea25b6de2dd --- /dev/null +++ b/queue-6.0/drm-amd-fix-potential-memory-leak.patch @@ -0,0 +1,36 @@ +From 22a93ccb4747bfed617a65522136de892eb68821 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 23:49:56 -0700 +Subject: drm/amd: fix potential memory leak + +From: Bernard Zhao + +[ Upstream commit 6160216fd2c97107e8a9ab39863b056d677fcd85 ] + +This patch fix potential memory leak (clk_src) when function run +into last return NULL. + +s/free/kfree/ - Alex + +Signed-off-by: Bernard Zhao +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c +index 3cd7c91655c5..6d721fadcbee 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn314/dcn314_resource.c +@@ -1720,6 +1720,7 @@ static struct clock_source *dcn30_clock_source_create( + } + + BREAK_TO_DEBUGGER(); ++ kfree(clk_src); + return NULL; + } + +-- +2.35.1 + diff --git a/queue-6.0/drm-amdgpu-add-missing-pci_disable_device-in-amdgpu_.patch b/queue-6.0/drm-amdgpu-add-missing-pci_disable_device-in-amdgpu_.patch new file mode 100644 index 00000000000..6a1294e142d --- /dev/null +++ b/queue-6.0/drm-amdgpu-add-missing-pci_disable_device-in-amdgpu_.patch @@ -0,0 +1,40 @@ +From 35eb294aca34fba56f76a12dbe8a0bb7cfbb6eb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 16:57:54 +0800 +Subject: drm/amdgpu: add missing pci_disable_device() in + amdgpu_pmops_runtime_resume() + +From: Yang Yingliang + +[ Upstream commit 6b11af6d1c8f5d4135332bb932baaa06e511173d ] + +Add missing pci_disable_device() if amdgpu_device_resume() fails. + +Fixes: 8e4d5d43cc6c ("drm/amdgpu: Handling of amdgpu_device_resume return value for graceful teardown") +Signed-off-by: Yang Yingliang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +index 429fcdf28836..de7144b06e93 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -2563,8 +2563,11 @@ static int amdgpu_pmops_runtime_resume(struct device *dev) + amdgpu_device_baco_exit(drm_dev); + } + ret = amdgpu_device_resume(drm_dev, false); +- if (ret) ++ if (ret) { ++ if (amdgpu_device_supports_px(drm_dev)) ++ pci_disable_device(pdev); + return ret; ++ } + + if (amdgpu_device_supports_px(drm_dev)) + drm_dev->switch_power_state = DRM_SWITCH_POWER_ON; +-- +2.35.1 + diff --git a/queue-6.0/drm-amdgpu-fix-initial-connector-audio-value.patch b/queue-6.0/drm-amdgpu-fix-initial-connector-audio-value.patch new file mode 100644 index 00000000000..d0203d04556 --- /dev/null +++ b/queue-6.0/drm-amdgpu-fix-initial-connector-audio-value.patch @@ -0,0 +1,64 @@ +From 4112b3560f36c91e4291f159d56e7eed4ecd3d43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 17:24:53 +0800 +Subject: drm/amdgpu: fix initial connector audio value + +From: hongao + +[ Upstream commit 4bb71fce58f30df3f251118291d6b0187ce531e6 ] + +This got lost somewhere along the way, This fixes +audio not working until set_property was called. + +Signed-off-by: hongao +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index b7933c2ce765..491d4846fc02 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -1674,10 +1674,12 @@ amdgpu_connector_add(struct amdgpu_device *adev, + adev->mode_info.dither_property, + AMDGPU_FMT_DITHER_DISABLE); + +- if (amdgpu_audio != 0) ++ if (amdgpu_audio != 0) { + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; ++ } + + subpixel_order = SubPixelHorizontalRGB; + connector->interlace_allowed = true; +@@ -1799,6 +1801,7 @@ amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +@@ -1852,6 +1855,7 @@ amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +@@ -1902,6 +1906,7 @@ amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +-- +2.35.1 + diff --git a/queue-6.0/drm-amdgpu-fix-memory-leak-in-hpd_rx_irq_create_work.patch b/queue-6.0/drm-amdgpu-fix-memory-leak-in-hpd_rx_irq_create_work.patch new file mode 100644 index 00000000000..e598f8616a6 --- /dev/null +++ b/queue-6.0/drm-amdgpu-fix-memory-leak-in-hpd_rx_irq_create_work.patch @@ -0,0 +1,51 @@ +From 977fc6f2a8188050ab856d5bfbf8fd017527c2d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 19:34:32 -0300 +Subject: drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue() + +From: Rafael Mendonca + +[ Upstream commit 7136f956c73c4ba50bfeb61653dfd6a9669ea915 ] + +If construction of the array of work queues to handle hpd_rx_irq offload +work fails, we need to unwind. Destroy all the created workqueues and +the allocated memory for the hpd_rx_irq_offload_work_queue struct array. + +Fixes: 8e794421bc98 ("drm/amd/display: Fork thread to offload work of hpd_rx_irq") +Signed-off-by: Rafael Mendonca +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 6e36427aab46..194142c581c8 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1296,13 +1296,21 @@ static struct hpd_rx_irq_offload_work_queue *hpd_rx_irq_create_workqueue(struct + + if (hpd_rx_offload_wq[i].wq == NULL) { + DRM_ERROR("create amdgpu_dm_hpd_rx_offload_wq fail!"); +- return NULL; ++ goto out_err; + } + + spin_lock_init(&hpd_rx_offload_wq[i].offload_lock); + } + + return hpd_rx_offload_wq; ++ ++out_err: ++ for (i = 0; i < max_caps; i++) { ++ if (hpd_rx_offload_wq[i].wq) ++ destroy_workqueue(hpd_rx_offload_wq[i].wq); ++ } ++ kfree(hpd_rx_offload_wq); ++ return NULL; + } + + struct amdgpu_stutter_quirk { +-- +2.35.1 + diff --git a/queue-6.0/drm-amdgpu-sdma-update-use-unlocked-iterator.patch b/queue-6.0/drm-amdgpu-sdma-update-use-unlocked-iterator.patch new file mode 100644 index 00000000000..7a3e751a9f0 --- /dev/null +++ b/queue-6.0/drm-amdgpu-sdma-update-use-unlocked-iterator.patch @@ -0,0 +1,63 @@ +From 9b70c754cd9f43a24a25f5edf9c5f64307b8f890 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 15:46:30 -0400 +Subject: drm/amdgpu: SDMA update use unlocked iterator +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Philip Yang + +[ Upstream commit 3913f0179ba366f7d7d160c506ce00de1602bbc4 ] + +SDMA update page table may be called from unlocked context, this +generate below warning. Use unlocked iterator to handle this case. + +WARNING: CPU: 0 PID: 1475 at +drivers/dma-buf/dma-resv.c:483 dma_resv_iter_next +Call Trace: + dma_resv_iter_first+0x43/0xa0 + amdgpu_vm_sdma_update+0x69/0x2d0 [amdgpu] + amdgpu_vm_ptes_update+0x29c/0x870 [amdgpu] + amdgpu_vm_update_range+0x2f6/0x6c0 [amdgpu] + svm_range_unmap_from_gpus+0x115/0x300 [amdgpu] + svm_range_cpu_invalidate_pagetables+0x510/0x5e0 [amdgpu] + __mmu_notifier_invalidate_range_start+0x1d3/0x230 + unmap_vmas+0x140/0x150 + unmap_region+0xa8/0x110 + +Signed-off-by: Philip Yang +Suggested-by: Felix Kuehling +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c +index 1fd3cbca20a2..718db7d98e5a 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c +@@ -211,12 +211,15 @@ static int amdgpu_vm_sdma_update(struct amdgpu_vm_update_params *p, + int r; + + /* Wait for PD/PT moves to be completed */ +- dma_resv_for_each_fence(&cursor, bo->tbo.base.resv, +- DMA_RESV_USAGE_KERNEL, fence) { ++ dma_resv_iter_begin(&cursor, bo->tbo.base.resv, DMA_RESV_USAGE_KERNEL); ++ dma_resv_for_each_fence_unlocked(&cursor, fence) { + r = amdgpu_sync_fence(&p->job->sync, fence); +- if (r) ++ if (r) { ++ dma_resv_iter_end(&cursor); + return r; ++ } + } ++ dma_resv_iter_end(&cursor); + + do { + ndw = p->num_dw_left; +-- +2.35.1 + diff --git a/queue-6.0/drm-amdgpu-skip-the-program-of-mmmc_vm_agp_-in-sriov.patch b/queue-6.0/drm-amdgpu-skip-the-program-of-mmmc_vm_agp_-in-sriov.patch new file mode 100644 index 00000000000..6f828ac1542 --- /dev/null +++ b/queue-6.0/drm-amdgpu-skip-the-program-of-mmmc_vm_agp_-in-sriov.patch @@ -0,0 +1,59 @@ +From 1c40ad5e1a5ab2fd8002f7b2cb55551caa8a0795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 13:43:50 +0800 +Subject: drm/amdgpu: Skip the program of MMMC_VM_AGP_* in SRIOV on MMHUB + v3_0_0 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yifan Zha + +[ Upstream commit c1026c6f319724dc88fc08d9d9d35bcbdf492b42 ] + +[Why] +VF should not program these registers, the value were defined in the host. + +[How] +Skip writing them in SRIOV environment and program them on host side. + +Acked-by: Christian König +Signed-off-by: Yifan Zha +Signed-off-by: Horace Chen +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c +index bc11b2de37ae..a1d26c4d80b8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c +@@ -169,17 +169,17 @@ static void mmhub_v3_0_init_system_aperture_regs(struct amdgpu_device *adev) + uint64_t value; + uint32_t tmp; + +- /* Disable AGP. */ +- WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_BASE, 0); +- WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_TOP, 0); +- WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_BOT, 0x00FFFFFF); +- + if (!amdgpu_sriov_vf(adev)) { + /* + * the new L1 policy will block SRIOV guest from writing + * these regs, and they will be programed at host. + * so skip programing these regs. + */ ++ /* Disable AGP. */ ++ WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_BASE, 0); ++ WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_TOP, 0); ++ WREG32_SOC15(MMHUB, 0, regMMMC_VM_AGP_BOT, 0x00FFFFFF); ++ + /* Program the system aperture low logical page number. */ + WREG32_SOC15(MMHUB, 0, regMMMC_VM_SYSTEM_APERTURE_LOW_ADDR, + adev->gmc.vram_start >> 18); +-- +2.35.1 + diff --git a/queue-6.0/drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch b/queue-6.0/drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch new file mode 100644 index 00000000000..da43f307215 --- /dev/null +++ b/queue-6.0/drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch @@ -0,0 +1,106 @@ +From e4458383e9bdd3d5a614a8766e65b42451b56645 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 17:45:59 -0400 +Subject: drm/amdkfd: Fix UBSAN shift-out-of-bounds warning + +From: Felix Kuehling + +[ Upstream commit b292cafe2dd02d96a07147e4b160927e8399d5cc ] + +This was fixed in initialize_cpsch before, but not in initialize_nocpsch. +Factor sdma bitmap initialization into a helper function to apply the +correct implementation in both cases without duplicating it. + +v2: Added a range check + +Reported-by: Ellis Michael +Signed-off-by: Felix Kuehling +Reviewed-by: Graham Sider +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/amdkfd/kfd_device_queue_manager.c | 45 +++++++++---------- + 1 file changed, 21 insertions(+), 24 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +index 007a3db69df1..ecb4c3abc629 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c +@@ -1242,6 +1242,24 @@ static void init_interrupts(struct device_queue_manager *dqm) + dqm->dev->kfd2kgd->init_interrupts(dqm->dev->adev, i); + } + ++static void init_sdma_bitmaps(struct device_queue_manager *dqm) ++{ ++ unsigned int num_sdma_queues = ++ min_t(unsigned int, sizeof(dqm->sdma_bitmap)*8, ++ get_num_sdma_queues(dqm)); ++ unsigned int num_xgmi_sdma_queues = ++ min_t(unsigned int, sizeof(dqm->xgmi_sdma_bitmap)*8, ++ get_num_xgmi_sdma_queues(dqm)); ++ ++ if (num_sdma_queues) ++ dqm->sdma_bitmap = GENMASK_ULL(num_sdma_queues-1, 0); ++ if (num_xgmi_sdma_queues) ++ dqm->xgmi_sdma_bitmap = GENMASK_ULL(num_xgmi_sdma_queues-1, 0); ++ ++ dqm->sdma_bitmap &= ~get_reserved_sdma_queues_bitmap(dqm); ++ pr_info("sdma_bitmap: %llx\n", dqm->sdma_bitmap); ++} ++ + static int initialize_nocpsch(struct device_queue_manager *dqm) + { + int pipe, queue; +@@ -1270,11 +1288,7 @@ static int initialize_nocpsch(struct device_queue_manager *dqm) + + memset(dqm->vmid_pasid, 0, sizeof(dqm->vmid_pasid)); + +- dqm->sdma_bitmap = ~0ULL >> (64 - get_num_sdma_queues(dqm)); +- dqm->sdma_bitmap &= ~(get_reserved_sdma_queues_bitmap(dqm)); +- pr_info("sdma_bitmap: %llx\n", dqm->sdma_bitmap); +- +- dqm->xgmi_sdma_bitmap = ~0ULL >> (64 - get_num_xgmi_sdma_queues(dqm)); ++ init_sdma_bitmaps(dqm); + + return 0; + } +@@ -1452,9 +1466,6 @@ static int set_sched_resources(struct device_queue_manager *dqm) + + static int initialize_cpsch(struct device_queue_manager *dqm) + { +- uint64_t num_sdma_queues; +- uint64_t num_xgmi_sdma_queues; +- + pr_debug("num of pipes: %d\n", get_pipes_per_mec(dqm)); + + mutex_init(&dqm->lock_hidden); +@@ -1463,24 +1474,10 @@ static int initialize_cpsch(struct device_queue_manager *dqm) + dqm->active_cp_queue_count = 0; + dqm->gws_queue_count = 0; + dqm->active_runlist = false; +- +- num_sdma_queues = get_num_sdma_queues(dqm); +- if (num_sdma_queues >= BITS_PER_TYPE(dqm->sdma_bitmap)) +- dqm->sdma_bitmap = ULLONG_MAX; +- else +- dqm->sdma_bitmap = (BIT_ULL(num_sdma_queues) - 1); +- +- dqm->sdma_bitmap &= ~(get_reserved_sdma_queues_bitmap(dqm)); +- pr_info("sdma_bitmap: %llx\n", dqm->sdma_bitmap); +- +- num_xgmi_sdma_queues = get_num_xgmi_sdma_queues(dqm); +- if (num_xgmi_sdma_queues >= BITS_PER_TYPE(dqm->xgmi_sdma_bitmap)) +- dqm->xgmi_sdma_bitmap = ULLONG_MAX; +- else +- dqm->xgmi_sdma_bitmap = (BIT_ULL(num_xgmi_sdma_queues) - 1); +- + INIT_WORK(&dqm->hw_exception_work, kfd_process_hw_exception); + ++ init_sdma_bitmaps(dqm); ++ + return 0; + } + +-- +2.35.1 + diff --git a/queue-6.0/drm-bochs-fix-blanking.patch b/queue-6.0/drm-bochs-fix-blanking.patch new file mode 100644 index 00000000000..bc4c065c224 --- /dev/null +++ b/queue-6.0/drm-bochs-fix-blanking.patch @@ -0,0 +1,43 @@ +From 6785fc02a6140005c6fa7054faaf83dc87b6f73c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 16:29:57 +0200 +Subject: drm/bochs: fix blanking + +From: Gerd Hoffmann + +[ Upstream commit e740ceb53e4579a7a4063712cebecac3c343b189 ] + +VGA_IS1_RC is the color mode register (VGA_IS1_RM the one for monochrome +mode, note C vs. M at the end). So when using VGA_IS1_RC make sure the +vga device is actually in color mode and set the corresponding bit in the +misc register. + +Reproducible when booting VMs in UEFI mode with some edk2 versions (edk2 +fix is on the way too). Doesn't happen in BIOS mode because in that +case the vgabios already flips the bit. + +Fixes: 250e743915d4 ("drm/bochs: Add screen blanking support") +Signed-off-by: Gerd Hoffmann +Acked-by: Thomas Zimmermann +Link: http://patchwork.freedesktop.org/patch/msgid/20220906142957.2763577-1-kraxel@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tiny/bochs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/tiny/bochs.c b/drivers/gpu/drm/tiny/bochs.c +index 82364a0a7b18..490fa92a4dce 100644 +--- a/drivers/gpu/drm/tiny/bochs.c ++++ b/drivers/gpu/drm/tiny/bochs.c +@@ -309,6 +309,8 @@ static void bochs_hw_fini(struct drm_device *dev) + static void bochs_hw_blank(struct bochs_device *bochs, bool blank) + { + DRM_DEBUG_DRIVER("hw_blank %d\n", blank); ++ /* enable color bit (so VGA_IS1_RC access works) */ ++ bochs_vga_writeb(bochs, VGA_MIS_W, VGA_MIS_COLOR); + /* discard ar_flip_flop */ + (void)bochs_vga_readb(bochs, VGA_IS1_RC); + /* blank or unblank; we need only update index and set 0x20 */ +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-adv7511-fix-cec-power-down-control-regist.patch b/queue-6.0/drm-bridge-adv7511-fix-cec-power-down-control-regist.patch new file mode 100644 index 00000000000..8daadc21f7b --- /dev/null +++ b/queue-6.0/drm-bridge-adv7511-fix-cec-power-down-control-regist.patch @@ -0,0 +1,69 @@ +From 88b32ad3576f0ac3cdf8aed0b7738109f4af7529 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jun 2022 16:48:53 +0200 +Subject: drm: bridge: adv7511: fix CEC power down control register offset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alvin Å ipraga + +[ Upstream commit 1d22b6033ea113a4c3850dfa2c0770885c81aec8 ] + +The ADV7511_REG_CEC_CTRL = 0xE2 register is part of the main register +map - not the CEC register map. As such, we shouldn't apply an offset to +the register address. Doing so will cause us to address a bogus register +for chips with a CEC register map offset (e.g. ADV7533). + +Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support") +Signed-off-by: Alvin Å ipraga +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220612144854.2223873-2-alvin@pqrs.dk +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511.h | 5 +---- + drivers/gpu/drm/bridge/adv7511/adv7511_cec.c | 4 ++-- + 2 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511.h b/drivers/gpu/drm/bridge/adv7511/adv7511.h +index a031a0cd1f18..94de73cbeb2d 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511.h ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511.h +@@ -394,10 +394,7 @@ void adv7511_cec_irq_process(struct adv7511 *adv7511, unsigned int irq1); + #else + static inline int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511) + { +- unsigned int offset = adv7511->type == ADV7533 ? +- ADV7533_REG_CEC_OFFSET : 0; +- +- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset, ++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL, + ADV7511_CEC_CTRL_POWER_DOWN); + return 0; + } +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c b/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c +index 0b266f28f150..99964f5a5457 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_cec.c +@@ -359,7 +359,7 @@ int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511) + goto err_cec_alloc; + } + +- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset, 0); ++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL, 0); + /* cec soft reset */ + regmap_write(adv7511->regmap_cec, + ADV7511_REG_CEC_SOFT_RESET + offset, 0x01); +@@ -386,7 +386,7 @@ int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511) + dev_info(dev, "Initializing CEC failed with error %d, disabling CEC\n", + ret); + err_cec_parse_dt: +- regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL + offset, ++ regmap_write(adv7511->regmap, ADV7511_REG_CEC_CTRL, + ADV7511_CEC_CTRL_POWER_DOWN); + return ret == -EPROBE_DEFER ? ret : 0; + } +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-adv7511-unregister-cec-i2c-device-after-c.patch b/queue-6.0/drm-bridge-adv7511-unregister-cec-i2c-device-after-c.patch new file mode 100644 index 00000000000..324f4d0de2a --- /dev/null +++ b/queue-6.0/drm-bridge-adv7511-unregister-cec-i2c-device-after-c.patch @@ -0,0 +1,85 @@ +From e10c1640a17169acbfb342521067c3dbf9c563bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Jun 2022 16:48:54 +0200 +Subject: drm: bridge: adv7511: unregister cec i2c device after cec adapter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alvin Å ipraga + +[ Upstream commit 40cdb02cb9f965732eb543d47f15bef8d10f0f5f ] + +cec_unregister_adapter() assumes that the underlying adapter ops are +callable. For example, if the CEC adapter currently has a valid physical +address, then the unregistration procedure will invalidate the physical +address by setting it to f.f.f.f. Whence the following kernel oops +observed after removing the adv7511 module: + + Unable to handle kernel execution of user memory at virtual address 0000000000000000 + Internal error: Oops: 86000004 [#1] PREEMPT_RT SMP + Call trace: + 0x0 + adv7511_cec_adap_log_addr+0x1ac/0x1c8 [adv7511] + cec_adap_unconfigure+0x44/0x90 [cec] + __cec_s_phys_addr.part.0+0x68/0x230 [cec] + __cec_s_phys_addr+0x40/0x50 [cec] + cec_unregister_adapter+0xb4/0x118 [cec] + adv7511_remove+0x60/0x90 [adv7511] + i2c_device_remove+0x34/0xe0 + device_release_driver_internal+0x114/0x1f0 + driver_detach+0x54/0xe0 + bus_remove_driver+0x60/0xd8 + driver_unregister+0x34/0x60 + i2c_del_driver+0x2c/0x68 + adv7511_exit+0x1c/0x67c [adv7511] + __arm64_sys_delete_module+0x154/0x288 + invoke_syscall+0x48/0x100 + el0_svc_common.constprop.0+0x48/0xe8 + do_el0_svc+0x28/0x88 + el0_svc+0x1c/0x50 + el0t_64_sync_handler+0xa8/0xb0 + el0t_64_sync+0x15c/0x160 + Code: bad PC value + ---[ end trace 0000000000000000 ]--- + +Protect against this scenario by unregistering i2c_cec after +unregistering the CEC adapter. Duly disable the CEC clock afterwards +too. + +Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support") +Signed-off-by: Alvin Å ipraga +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220612144854.2223873-3-alvin@pqrs.dk +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +index 38bf28720f3a..6031bdd92342 100644 +--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c ++++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c +@@ -1340,9 +1340,6 @@ static int adv7511_remove(struct i2c_client *i2c) + { + struct adv7511 *adv7511 = i2c_get_clientdata(i2c); + +- i2c_unregister_device(adv7511->i2c_cec); +- clk_disable_unprepare(adv7511->cec_clk); +- + adv7511_uninit_regulators(adv7511); + + drm_bridge_remove(&adv7511->bridge); +@@ -1350,6 +1347,8 @@ static int adv7511_remove(struct i2c_client *i2c) + adv7511_audio_exit(adv7511); + + cec_unregister_adapter(adv7511->cec_adap); ++ i2c_unregister_device(adv7511->i2c_cec); ++ clk_disable_unprepare(adv7511->cec_clk); + + i2c_unregister_device(adv7511->i2c_packet); + i2c_unregister_device(adv7511->i2c_edid); +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-anx7625-fix-refcount-bug-in-anx7625_parse.patch b/queue-6.0/drm-bridge-anx7625-fix-refcount-bug-in-anx7625_parse.patch new file mode 100644 index 00000000000..b3e644a91d7 --- /dev/null +++ b/queue-6.0/drm-bridge-anx7625-fix-refcount-bug-in-anx7625_parse.patch @@ -0,0 +1,39 @@ +From 33fcd927619208ab4ca4adb76adfddd50e1d1195 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 14:54:46 +0800 +Subject: drm/bridge: anx7625: Fix refcount bug in anx7625_parse_dt() + +From: Liang He + +[ Upstream commit 1d43a5120ab49f22ba6c5901ad3994e254510303 ] + +In anx7625_parse_dt(), 'pdata->mipi_host_node' will be assigned a +new reference with of_graph_get_remote_node() which will increase +the refcount of the object, correspondingly, we should call +of_node_put() for the old reference stored in the 'pdata->mipi_host_node'. + +Fixes: 8bdfc5dae4e3 ("drm/bridge: anx7625: Add anx7625 MIPI DSI/DPI to DP") +Signed-off-by: Liang He +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220719065447.1080817-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/analogix/anx7625.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/bridge/analogix/anx7625.c b/drivers/gpu/drm/bridge/analogix/anx7625.c +index d1f1d525aeb6..79fc7a50b497 100644 +--- a/drivers/gpu/drm/bridge/analogix/anx7625.c ++++ b/drivers/gpu/drm/bridge/analogix/anx7625.c +@@ -1642,6 +1642,7 @@ static int anx7625_parse_dt(struct device *dev, + anx7625_get_swing_setting(dev, pdata); + + pdata->is_dpi = 0; /* default dsi mode */ ++ of_node_put(pdata->mipi_host_node); + pdata->mipi_host_node = of_graph_get_remote_node(np, 0, 0); + if (!pdata->mipi_host_node) { + DRM_DEV_ERROR(dev, "fail to get internal panel.\n"); +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-avoid-uninitialized-variable-warning.patch b/queue-6.0/drm-bridge-avoid-uninitialized-variable-warning.patch new file mode 100644 index 00000000000..83c80f501fd --- /dev/null +++ b/queue-6.0/drm-bridge-avoid-uninitialized-variable-warning.patch @@ -0,0 +1,49 @@ +From 6986cdaa875b595d68b2c1f1c1f6f0d7a422513d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Jul 2022 13:55:40 +0300 +Subject: drm/bridge: Avoid uninitialized variable warning + +From: Dan Carpenter + +[ Upstream commit 7d1202738efda60155d98b370b3c70d336be0eea ] + +This code works, but technically it uses "num_in_bus_fmts" before it +has been initialized so it leads to static checker warnings and probably +KMEMsan warnings at run time. Initialize the variable to zero to +silence the warning. + +Fixes: f32df58acc68 ("drm/bridge: Add the necessary bits to support bus format negotiation") +Signed-off-by: Dan Carpenter +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/YrrIs3hoGcPVmXc5@kili +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_bridge.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_bridge.c b/drivers/gpu/drm/drm_bridge.c +index 6abf7a2407e9..1545c50fd1c8 100644 +--- a/drivers/gpu/drm/drm_bridge.c ++++ b/drivers/gpu/drm/drm_bridge.c +@@ -847,8 +847,8 @@ static int select_bus_fmt_recursive(struct drm_bridge *first_bridge, + struct drm_connector_state *conn_state, + u32 out_bus_fmt) + { ++ unsigned int i, num_in_bus_fmts = 0; + struct drm_bridge_state *cur_state; +- unsigned int num_in_bus_fmts, i; + struct drm_bridge *prev_bridge; + u32 *in_bus_fmts; + int ret; +@@ -969,7 +969,7 @@ drm_atomic_bridge_chain_select_bus_fmts(struct drm_bridge *bridge, + struct drm_connector *conn = conn_state->connector; + struct drm_encoder *encoder = bridge->encoder; + struct drm_bridge_state *last_bridge_state; +- unsigned int i, num_out_bus_fmts; ++ unsigned int i, num_out_bus_fmts = 0; + struct drm_bridge *last_bridge; + u32 *out_bus_fmts; + int ret = 0; +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-dw_hdmi-only-trigger-hotplug-event-on-lin.patch b/queue-6.0/drm-bridge-dw_hdmi-only-trigger-hotplug-event-on-lin.patch new file mode 100644 index 00000000000..dda3755642e --- /dev/null +++ b/queue-6.0/drm-bridge-dw_hdmi-only-trigger-hotplug-event-on-lin.patch @@ -0,0 +1,65 @@ +From c0e40d1c07f5051f461454ff8d19bc2a7f224bc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 20:57:33 +0200 +Subject: drm: bridge: dw_hdmi: only trigger hotplug event on link change + +From: Lucas Stach + +[ Upstream commit da09daf881082266e4075657fac53c7966de8e4d ] + +There are two events that signal a real change of the link state: HPD going +high means the sink is newly connected or wants the source to re-read the +EDID, RX sense going low is a indication that the link has been disconnected. + +Ignore the other two events that also trigger interrupts, but don't need +immediate attention: HPD going low does not necessarily mean the link has +been lost and should not trigger a immediate read of the status. RX sense +going high also does not require a detect cycle, as HPD going high is the +right point in time to read the EDID. + +Signed-off-by: Lucas Stach +Reviewed-by: Neil Armstrong (v1) +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220826185733.3213248-1-l.stach@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +index 25a60eb4d67c..40d8ca37f5bc 100644 +--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c ++++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi.c +@@ -3096,6 +3096,7 @@ static irqreturn_t dw_hdmi_irq(int irq, void *dev_id) + { + struct dw_hdmi *hdmi = dev_id; + u8 intr_stat, phy_int_pol, phy_pol_mask, phy_stat; ++ enum drm_connector_status status = connector_status_unknown; + + intr_stat = hdmi_readb(hdmi, HDMI_IH_PHY_STAT0); + phy_int_pol = hdmi_readb(hdmi, HDMI_PHY_POL0); +@@ -3134,13 +3135,15 @@ static irqreturn_t dw_hdmi_irq(int irq, void *dev_id) + cec_notifier_phys_addr_invalidate(hdmi->cec_notifier); + mutex_unlock(&hdmi->cec_notifier_mutex); + } +- } + +- if (intr_stat & HDMI_IH_PHY_STAT0_HPD) { +- enum drm_connector_status status = phy_int_pol & HDMI_PHY_HPD +- ? connector_status_connected +- : connector_status_disconnected; ++ if (phy_stat & HDMI_PHY_HPD) ++ status = connector_status_connected; ++ ++ if (!(phy_stat & (HDMI_PHY_HPD | HDMI_PHY_RX_SENSE))) ++ status = connector_status_disconnected; ++ } + ++ if (status != connector_status_unknown) { + dev_dbg(hdmi->dev, "EVENT=%s\n", + status == connector_status_connected ? + "plugin" : "plugout"); +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-it6505-fix-the-order-of-dp_set_power-comm.patch b/queue-6.0/drm-bridge-it6505-fix-the-order-of-dp_set_power-comm.patch new file mode 100644 index 00000000000..dc155678f91 --- /dev/null +++ b/queue-6.0/drm-bridge-it6505-fix-the-order-of-dp_set_power-comm.patch @@ -0,0 +1,61 @@ +From b0f0d760d06f1c005e1a6a7690fabf806bd3cdaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 12:57:56 +0800 +Subject: drm/bridge: it6505: Fix the order of DP_SET_POWER commands + +From: Pin-yen Lin + +[ Upstream commit 7c1dceaffd99247bf443606730515b54d6285969 ] + +Send DP_SET_POWER_D3 command to the downstream before stopping DP, so the +suspend process will not be interrupted by the HPD interrupt. Also modify +the order in .atomic_enable callback to make the callbacks symmetric. + +Fixes: 46ca7da7f1e8 ("drm/bridge: it6505: Send DPCD SET_POWER to downstream") +Signed-off-by: Pin-yen Lin +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220830045756.1655954-1-treapking@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ite-it6505.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c +index e5626035f311..a09d1a39ab0a 100644 +--- a/drivers/gpu/drm/bridge/ite-it6505.c ++++ b/drivers/gpu/drm/bridge/ite-it6505.c +@@ -2945,9 +2945,6 @@ static void it6505_bridge_atomic_enable(struct drm_bridge *bridge, + if (ret) + dev_err(dev, "Failed to setup AVI infoframe: %d", ret); + +- it6505_drm_dp_link_set_power(&it6505->aux, &it6505->link, +- DP_SET_POWER_D0); +- + it6505_update_video_parameter(it6505, mode); + + ret = it6505_send_video_infoframe(it6505, &frame); +@@ -2957,6 +2954,9 @@ static void it6505_bridge_atomic_enable(struct drm_bridge *bridge, + + it6505_int_mask_enable(it6505); + it6505_video_reset(it6505); ++ ++ it6505_drm_dp_link_set_power(&it6505->aux, &it6505->link, ++ DP_SET_POWER_D0); + } + + static void it6505_bridge_atomic_disable(struct drm_bridge *bridge, +@@ -2968,9 +2968,9 @@ static void it6505_bridge_atomic_disable(struct drm_bridge *bridge, + DRM_DEV_DEBUG_DRIVER(dev, "start"); + + if (it6505->powered) { +- it6505_video_disable(it6505); + it6505_drm_dp_link_set_power(&it6505->aux, &it6505->link, + DP_SET_POWER_D3); ++ it6505_video_disable(it6505); + } + } + +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-it6505-power-on-downstream-device-in-.ato.patch b/queue-6.0/drm-bridge-it6505-power-on-downstream-device-in-.ato.patch new file mode 100644 index 00000000000..c583a5f787e --- /dev/null +++ b/queue-6.0/drm-bridge-it6505-power-on-downstream-device-in-.ato.patch @@ -0,0 +1,42 @@ +From f15b6ec686a0c0dc00e9eb5477f252d20dc14657 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jul 2022 17:39:20 +0800 +Subject: drm/bridge: it6505: Power on downstream device in .atomic_enable + +From: Pin-Yen Lin + +[ Upstream commit fbc1fdaa8338ec4ebd862d918a0ce3e12033e8a3 ] + +Send DPCD DP_SET_POWER_D0 command to the monitor in .atomic_enable +callback. Without this command, some monitors won't show up again after +changing the resolution. + +Fixes: 46ca7da7f1e8 ("drm/bridge: it6505: Send DPCD SET_POWER to downstream") + +Signed-off-by: Pin-Yen Lin +Reviewed-by: Allen Chen +Fixes: 46ca7da7f1e8 ("drm/bridge: it6505: Send DPCD SET_POWER to downstream") +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220714173715.v2.1.I85af54e9ceda74ec69f661852825845f983fc343@changeid +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ite-it6505.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c +index 4b673c4792d7..e5626035f311 100644 +--- a/drivers/gpu/drm/bridge/ite-it6505.c ++++ b/drivers/gpu/drm/bridge/ite-it6505.c +@@ -2945,6 +2945,9 @@ static void it6505_bridge_atomic_enable(struct drm_bridge *bridge, + if (ret) + dev_err(dev, "Failed to setup AVI infoframe: %d", ret); + ++ it6505_drm_dp_link_set_power(&it6505->aux, &it6505->link, ++ DP_SET_POWER_D0); ++ + it6505_update_video_parameter(it6505, mode); + + ret = it6505_send_video_infoframe(it6505, &frame); +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-megachips-fix-a-null-pointer-dereference-.patch b/queue-6.0/drm-bridge-megachips-fix-a-null-pointer-dereference-.patch new file mode 100644 index 00000000000..cb8a31360ca --- /dev/null +++ b/queue-6.0/drm-bridge-megachips-fix-a-null-pointer-dereference-.patch @@ -0,0 +1,52 @@ +From ac87f6418c541f1cb1e362cf18c18052b3a9e27e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 15:34:50 +0800 +Subject: drm/bridge: megachips: Fix a null pointer dereference bug + +From: Zheyu Ma + +[ Upstream commit 1ff673333d46d2c1b053ebd0c1c7c7c79e36943e ] + +When removing the module we will get the following warning: + +[ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered +[ 31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI +[ 31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +[ 31.915280] RIP: 0010:drm_bridge_remove+0x97/0x130 +[ 31.921825] Call Trace: +[ 31.922533] stdp4028_ge_b850v3_fw_remove+0x34/0x60 [megachips_stdpxxxx_ge_b850v3_fw] +[ 31.923139] i2c_device_remove+0x181/0x1f0 + +The two bridges (stdp2690, stdp4028) do not probe at the same time, so +the driver does not call ge_b850v3_resgiter() when probing, causing the +driver to try to remove the object that has not been initialized. + +Fix this by checking whether both the bridges are probed. + +Fixes: 11632d4aa2b3 ("drm/bridge: megachips: Ensure both bridges are probed before registration") +Signed-off-by: Zheyu Ma +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220830073450.1897020-1-zheyuma97@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +index cce98bf2a4e7..72248a565579 100644 +--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c ++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +@@ -296,7 +296,9 @@ static void ge_b850v3_lvds_remove(void) + * This check is to avoid both the drivers + * removing the bridge in their remove() function + */ +- if (!ge_b850v3_lvds_ptr) ++ if (!ge_b850v3_lvds_ptr || ++ !ge_b850v3_lvds_ptr->stdp2690_i2c || ++ !ge_b850v3_lvds_ptr->stdp4028_i2c) + goto out; + + drm_bridge_remove(&ge_b850v3_lvds_ptr->bridge); +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-parade-ps8640-fix-regulator-supply-order.patch b/queue-6.0/drm-bridge-parade-ps8640-fix-regulator-supply-order.patch new file mode 100644 index 00000000000..cb386afe111 --- /dev/null +++ b/queue-6.0/drm-bridge-parade-ps8640-fix-regulator-supply-order.patch @@ -0,0 +1,44 @@ +From 86abd686c7d91ba8894fe834dece03f7ee2f87b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 17:22:58 +0800 +Subject: drm/bridge: parade-ps8640: Fix regulator supply order + +From: Chen-Yu Tsai + +[ Upstream commit fc94224c2e0ae8d83ac511a3ef4962178505469d ] + +The datasheet says that VDD12 must be enabled and at full voltage before +VDD33 is enabled. + +Reorder the bulk regulator supply names so that VDD12 is enabled before +VDD33. Any enable ramp delays should be handled by setting proper +constraints on the regulators. + +Fixes: bc1aee7fc8f0 ("drm/bridge: Add I2C based driver for ps8640 bridge") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: Neil Armstrong +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220721092258.3397461-1-wenst@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/parade-ps8640.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/parade-ps8640.c b/drivers/gpu/drm/bridge/parade-ps8640.c +index 31e88cb39f8a..49107a6cdac1 100644 +--- a/drivers/gpu/drm/bridge/parade-ps8640.c ++++ b/drivers/gpu/drm/bridge/parade-ps8640.c +@@ -631,8 +631,8 @@ static int ps8640_probe(struct i2c_client *client) + if (!ps_bridge) + return -ENOMEM; + +- ps_bridge->supplies[0].supply = "vdd33"; +- ps_bridge->supplies[1].supply = "vdd12"; ++ ps_bridge->supplies[0].supply = "vdd12"; ++ ps_bridge->supplies[1].supply = "vdd33"; + ret = devm_regulator_bulk_get(dev, ARRAY_SIZE(ps_bridge->supplies), + ps_bridge->supplies); + if (ret) +-- +2.35.1 + diff --git a/queue-6.0/drm-bridge-tc358767-add-of_node_put-when-breaking-ou.patch b/queue-6.0/drm-bridge-tc358767-add-of_node_put-when-breaking-ou.patch new file mode 100644 index 00000000000..101ae2a94b0 --- /dev/null +++ b/queue-6.0/drm-bridge-tc358767-add-of_node_put-when-breaking-ou.patch @@ -0,0 +1,43 @@ +From 4e8fd93fc8efb08de35e28a166ee0f032d5b5066 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 14:54:47 +0800 +Subject: drm/bridge: tc358767: Add of_node_put() when breaking out of loop + +From: Liang He + +[ Upstream commit 14e7157afb055248ed34901fcd6fbf54201cfea1 ] + +In tc_probe_bridge_endpoint(), we should call of_node_put() when +breaking out of the for_each_endpoint_of_node() which will automatically +increase and decrease the refcount. + +Fixes: 71f7d9c03118 ("drm/bridge: tc358767: Detect bridge mode from connected endpoints in DT") +Signed-off-by: Liang He +Reviewed-by: Robert Foss +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220719065447.1080817-2-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/tc358767.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/tc358767.c b/drivers/gpu/drm/bridge/tc358767.c +index 02bd757a8987..1dc107f13645 100644 +--- a/drivers/gpu/drm/bridge/tc358767.c ++++ b/drivers/gpu/drm/bridge/tc358767.c +@@ -2010,9 +2010,10 @@ static int tc_probe_bridge_endpoint(struct tc_data *tc) + + for_each_endpoint_of_node(dev->of_node, node) { + of_graph_parse_endpoint(node, &endpoint); +- if (endpoint.port > 2) ++ if (endpoint.port > 2) { ++ of_node_put(node); + return -EINVAL; +- ++ } + mode |= BIT(endpoint.port); + } + +-- +2.35.1 + diff --git a/queue-6.0/drm-dp-don-t-rewrite-link-config-when-setting-phy-te.patch b/queue-6.0/drm-dp-don-t-rewrite-link-config-when-setting-phy-te.patch new file mode 100644 index 00000000000..edf91d4a677 --- /dev/null +++ b/queue-6.0/drm-dp-don-t-rewrite-link-config-when-setting-phy-te.patch @@ -0,0 +1,100 @@ +From eb47ca5144c3dc96b84be556e9701f1c204ee8d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 22:49:00 -0700 +Subject: drm/dp: Don't rewrite link config when setting phy test pattern + +From: Khaled Almahallawy + +[ Upstream commit 7b4d8db657192066bc6f1f6635d348413dac1e18 ] + +The sequence for Source DP PHY CTS automation is [2][1]: +1- Emulate successful Link Training(LT) +2- Short HPD and change link rates and number of lanes by LT. +(This is same flow for Link Layer CTS) +3- Short HPD and change PHY test pattern and swing/pre-emphasis +levels (This step should not trigger LT) + +The problem is with DP PHY compliance setup as follow: + + [DPTX + on board LTTPR]------Main Link--->[Scope] + ^ | + | | + | | + ----------Aux Ch------>[Aux Emulator] + +At step 3, before writing TRAINING_LANEx_SET/LINK_QUAL_PATTERN_SET +to declare the pattern/swing requested by scope, we write link +config in LINK_BW_SET/LANE_COUNT_SET on a port that has LTTPR. +As LTTPR snoops aux transaction, LINK_BW_SET/LANE_COUNT_SET writes +indicate a LT will start [Check DP 2.0 E11 -Sec 3.6.8.2 & 3.6.8.6.3], +and LTTPR will reset the link and stop sending DP signals to +DPTX/Scope causing the measurements to fail. Note that step 3 will +not trigger LT and DP link will never recovered by the +Aux Emulator/Scope. + +The reset of link can be tested with a monitor connected to LTTPR +port simply by writing to LINK_BW_SET or LANE_COUNT_SET as follow + + igt/tools/dpcd_reg write --offset=0x100 --value 0x14 --device=2 + +OR + + printf '\x14' | sudo dd of=/dev/drm_dp_aux2 bs=1 count=1 conv=notrunc + seek=$((0x100)) + +This single aux write causes the screen to blank, sending short HPD to +DPTX, setting LINK_STATUS_UPDATE = 1 in DPCD 0x204, and triggering LT. + +As stated in [1]: +"Before any TX electrical testing can be performed, the link between a +DPTX and DPRX (in this case, a piece of test equipment), including all +LTTPRs within the path, shall be trained as defined in this Standard." + +In addition, changing Phy pattern/Swing/Pre-emphasis (Step 3) uses the +same link rate and lane count applied on step 2, so no need to redo LT. + +The fix is to not rewrite link config in step 3, and just writes +TRAINING_LANEx_SET and LINK_QUAL_PATTERN_SET + +[1]: DP 2.0 E11 - 3.6.11.1 LTTPR DPTX_PHY Electrical Compliance + +[2]: Configuring UnigrafDPTC Controller - Automation Test Sequence +https://www.keysight.com/us/en/assets/9922-01244/help-files/ +D9040DPPC-DisplayPort-Test-Software-Online-Help-latest.chm + +Cc: Imre Deak +Cc: Jani Nikula +Cc: Or Cochvi +Signed-off-by: Khaled Almahallawy +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20220916054900.415804-1-khaled.almahallawy@intel.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/display/drm_dp_helper.c | 9 --------- + 1 file changed, 9 deletions(-) + +diff --git a/drivers/gpu/drm/display/drm_dp_helper.c b/drivers/gpu/drm/display/drm_dp_helper.c +index e5bab236b3ae..4c0c4e3d1e20 100644 +--- a/drivers/gpu/drm/display/drm_dp_helper.c ++++ b/drivers/gpu/drm/display/drm_dp_helper.c +@@ -2638,17 +2638,8 @@ int drm_dp_set_phy_test_pattern(struct drm_dp_aux *aux, + struct drm_dp_phy_test_params *data, u8 dp_rev) + { + int err, i; +- u8 link_config[2]; + u8 test_pattern; + +- link_config[0] = drm_dp_link_rate_to_bw_code(data->link_rate); +- link_config[1] = data->num_lanes; +- if (data->enhanced_frame_cap) +- link_config[1] |= DP_LANE_COUNT_ENHANCED_FRAME_EN; +- err = drm_dp_dpcd_write(aux, DP_LINK_BW_SET, link_config, 2); +- if (err < 0) +- return err; +- + test_pattern = data->phy_pattern; + if (dp_rev < 0x12) { + test_pattern = (test_pattern << 2) & +-- +2.35.1 + diff --git a/queue-6.0/drm-dp_mst-fix-drm_dp_dpcd_read-return-value-checks.patch b/queue-6.0/drm-dp_mst-fix-drm_dp_dpcd_read-return-value-checks.patch new file mode 100644 index 00000000000..0488a81d8ca --- /dev/null +++ b/queue-6.0/drm-dp_mst-fix-drm_dp_dpcd_read-return-value-checks.patch @@ -0,0 +1,57 @@ +From 2079d8c04f211f332d9d94d8fbc3a5dc2a211ed9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Feb 2022 15:40:25 +0000 +Subject: drm/dp_mst: fix drm_dp_dpcd_read return value checks + +From: Simon Ser + +[ Upstream commit 2ac6cdd581f48c8f68747156fde5868486a44985 ] + +drm_dp_dpcd_read returns the number of bytes read. The previous code +would print garbage on DPCD error, and would exit with on error on +success. + +Signed-off-by: Simon Ser +Fixes: cb897542c6d2 ("drm/dp_mst: Fix W=1 warnings") +Cc: Lyude Paul +Cc: Benjamin Gaignard +Reviewed-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/473500/ +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/display/drm_dp_mst_topology.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c +index 57e65423e50d..7a94a5288e8d 100644 +--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c +@@ -4907,14 +4907,14 @@ void drm_dp_mst_dump_topology(struct seq_file *m, + seq_printf(m, "dpcd: %*ph\n", DP_RECEIVER_CAP_SIZE, buf); + + ret = drm_dp_dpcd_read(mgr->aux, DP_FAUX_CAP, buf, 2); +- if (ret) { ++ if (ret != 2) { + seq_printf(m, "faux/mst read failed\n"); + goto out; + } + seq_printf(m, "faux/mst: %*ph\n", 2, buf); + + ret = drm_dp_dpcd_read(mgr->aux, DP_MSTM_CTRL, buf, 1); +- if (ret) { ++ if (ret != 1) { + seq_printf(m, "mst ctrl read failed\n"); + goto out; + } +@@ -4922,7 +4922,7 @@ void drm_dp_mst_dump_topology(struct seq_file *m, + + /* dump the standard OUI branch header */ + ret = drm_dp_dpcd_read(mgr->aux, DP_BRANCH_OUI, buf, DP_BRANCH_OUI_HEADER_SIZE); +- if (ret) { ++ if (ret != DP_BRANCH_OUI_HEADER_SIZE) { + seq_printf(m, "branch oui read failed\n"); + goto out; + } +-- +2.35.1 + diff --git a/queue-6.0/drm-exynos-fix-return-type-for-mixer_mode_valid-and-.patch b/queue-6.0/drm-exynos-fix-return-type-for-mixer_mode_valid-and-.patch new file mode 100644 index 00000000000..f8297327741 --- /dev/null +++ b/queue-6.0/drm-exynos-fix-return-type-for-mixer_mode_valid-and-.patch @@ -0,0 +1,66 @@ +From 8bf2b90038f49a6a81e60d49118000b00a271056 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 09:31:00 +0900 +Subject: drm/exynos: Fix return type for mixer_mode_valid and hdmi_mode_valid + +From: Nathan Huckleberry + +[ Upstream commit 1261255531088208daeca818e2b486030b5339e5 ] + +The field mode_valid in exynos_drm_crtc_ops is expected to be of type enum +drm_mode_status (*mode_valid)(struct exynos_drm_crtc *crtc, + const struct drm_display_mode *mode); + +Likewise for mode_valid in drm_connector_helper_funcs. + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of mixer_mode_valid and hdmi_mode_valid should be changed +from int to enum drm_mode_status. + +Reported-by: Dan Carpenter +Link: https://protect2.fireeye.com/v1/url?k=3e644738-5fef521d-3e65cc77- +74fe485cbff6-36ad29bf912d3c9f&q=1&e=5cc06174-77dd-4abd-ab50- +155da5711aa3&u=https%3A%2F%2Fgithub.com%2FClangBuiltLinux%2Flinux%2Fissues%2F +1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_hdmi.c | 4 ++-- + drivers/gpu/drm/exynos/exynos_mixer.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_hdmi.c b/drivers/gpu/drm/exynos/exynos_hdmi.c +index 10b0036f8a2e..8453359c92e8 100644 +--- a/drivers/gpu/drm/exynos/exynos_hdmi.c ++++ b/drivers/gpu/drm/exynos/exynos_hdmi.c +@@ -922,8 +922,8 @@ static int hdmi_find_phy_conf(struct hdmi_context *hdata, u32 pixel_clock) + return -EINVAL; + } + +-static int hdmi_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status hdmi_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + struct hdmi_context *hdata = connector_to_hdmi(connector); + int ret; +diff --git a/drivers/gpu/drm/exynos/exynos_mixer.c b/drivers/gpu/drm/exynos/exynos_mixer.c +index 65260a658684..8d333db813b7 100644 +--- a/drivers/gpu/drm/exynos/exynos_mixer.c ++++ b/drivers/gpu/drm/exynos/exynos_mixer.c +@@ -1045,7 +1045,7 @@ static void mixer_atomic_disable(struct exynos_drm_crtc *crtc) + clear_bit(MXR_BIT_POWERED, &ctx->flags); + } + +-static int mixer_mode_valid(struct exynos_drm_crtc *crtc, ++static enum drm_mode_status mixer_mode_valid(struct exynos_drm_crtc *crtc, + const struct drm_display_mode *mode) + { + struct mixer_context *ctx = crtc->ctx; +-- +2.35.1 + diff --git a/queue-6.0/drm-fix-drm_mipi_dbi-build-errors.patch b/queue-6.0/drm-fix-drm_mipi_dbi-build-errors.patch new file mode 100644 index 00000000000..bcdb94b3651 --- /dev/null +++ b/queue-6.0/drm-fix-drm_mipi_dbi-build-errors.patch @@ -0,0 +1,65 @@ +From a01499f4d326b30e5f1b9e78caa7ff217498ed6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 17:42:43 -0700 +Subject: drm: fix drm_mipi_dbi build errors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit eb7de496451bd969e203f02f66585131228ba4ae ] + +drm_mipi_dbi needs lots of DRM_KMS_HELPER support, so select +that Kconfig symbol like it is done is most other uses, and +the way that it was before MIPS_DBI was moved from tinydrm +to its core location. + +Fixes these build errors: + +ld: drivers/gpu/drm/drm_mipi_dbi.o: in function `mipi_dbi_buf_copy': +drivers/gpu/drm/drm_mipi_dbi.c:205: undefined reference to `drm_gem_fb_get_obj' +ld: drivers/gpu/drm/drm_mipi_dbi.c:211: undefined reference to `drm_gem_fb_begin_cpu_access' +ld: drivers/gpu/drm/drm_mipi_dbi.c:215: undefined reference to `drm_gem_fb_vmap' +ld: drivers/gpu/drm/drm_mipi_dbi.c:222: undefined reference to `drm_fb_swab' +ld: drivers/gpu/drm/drm_mipi_dbi.c:224: undefined reference to `drm_fb_memcpy' +ld: drivers/gpu/drm/drm_mipi_dbi.c:227: undefined reference to `drm_fb_xrgb8888_to_rgb565' +ld: drivers/gpu/drm/drm_mipi_dbi.c:235: undefined reference to `drm_gem_fb_vunmap' +ld: drivers/gpu/drm/drm_mipi_dbi.c:237: undefined reference to `drm_gem_fb_end_cpu_access' +ld: drivers/gpu/drm/drm_mipi_dbi.o: in function `mipi_dbi_dev_init_with_formats': +ld: drivers/gpu/drm/drm_mipi_dbi.o:/X64/../drivers/gpu/drm/drm_mipi_dbi.c:469: undefined reference to `drm_gem_fb_create_with_dirty' + +Fixes: 174102f4de23 ("drm/tinydrm: Move mipi-dbi") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Dillon Min +Cc: Linus Walleij +Cc: Sam Ravnborg +Cc: Noralf Trønnes +Cc: Thomas Zimmermann +Cc: Thierry Reding +Cc: dri-devel@lists.freedesktop.org +Cc: David Airlie +Cc: Daniel Vetter +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20220823004243.11596-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/Kconfig b/drivers/gpu/drm/Kconfig +index 6c2256e8474b..679ad054ea4b 100644 +--- a/drivers/gpu/drm/Kconfig ++++ b/drivers/gpu/drm/Kconfig +@@ -31,6 +31,7 @@ menuconfig DRM + config DRM_MIPI_DBI + tristate + depends on DRM ++ select DRM_KMS_HELPER + + config DRM_MIPI_DSI + bool +-- +2.35.1 + diff --git a/queue-6.0/drm-format-helper-fix-test-on-big-endian-architectur.patch b/queue-6.0/drm-format-helper-fix-test-on-big-endian-architectur.patch new file mode 100644 index 00000000000..4a607727f52 --- /dev/null +++ b/queue-6.0/drm-format-helper-fix-test-on-big-endian-architectur.patch @@ -0,0 +1,82 @@ +From 7187781d0039c9ef7cabfe54aed40e8c285af5bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 01:09:13 +0200 +Subject: drm/format-helper: Fix test on big endian architectures +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit 18c8485236a5e3f491b670c018ae391c9cb84dfa ] + +The tests fail on big endian architectures, like PowerPC: + + $ ./tools/testing/kunit/kunit.py run \ + --kunitconfig=drivers/gpu/drm/tests \ + --arch=powerpc --cross_compile=powerpc64-linux-gnu- + +Transform the XRGB8888 buffer from little endian to the CPU endian +before calling the conversion function to avoid this error. + +Fixes: 8f456104915f ("drm/format-helper: Add KUnit tests for drm_fb_xrgb8888_to_rgb332()") +Reported-by: David Gow +Reviewed-by: David Gow +Signed-off-by: José Expósito +Link: https://patchwork.freedesktop.org/patch/msgid/20220726230916.390575-2-jose.exposito89@gmail.com +Signed-off-by: Sasha Levin +--- + .../gpu/drm/tests/drm_format_helper_test.c | 23 +++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/tests/drm_format_helper_test.c b/drivers/gpu/drm/tests/drm_format_helper_test.c +index 98583bf56044..eefaba3aaea2 100644 +--- a/drivers/gpu/drm/tests/drm_format_helper_test.c ++++ b/drivers/gpu/drm/tests/drm_format_helper_test.c +@@ -111,6 +111,21 @@ static size_t conversion_buf_size(u32 dst_format, unsigned int dst_pitch, + return dst_pitch * drm_rect_height(clip); + } + ++static u32 *le32buf_to_cpu(struct kunit *test, const u32 *buf, size_t buf_size) ++{ ++ u32 *dst = NULL; ++ int n; ++ ++ dst = kunit_kzalloc(test, sizeof(*dst) * buf_size, GFP_KERNEL); ++ if (!dst) ++ return NULL; ++ ++ for (n = 0; n < buf_size; n++) ++ dst[n] = le32_to_cpu((__force __le32)buf[n]); ++ ++ return dst; ++} ++ + static void xrgb8888_to_rgb332_case_desc(struct xrgb8888_to_rgb332_case *t, + char *desc) + { +@@ -125,6 +140,7 @@ static void xrgb8888_to_rgb332_test(struct kunit *test) + const struct xrgb8888_to_rgb332_case *params = test->param_value; + size_t dst_size; + __u8 *dst = NULL; ++ __u32 *src = NULL; + + struct drm_framebuffer fb = { + .format = drm_format_info(DRM_FORMAT_XRGB8888), +@@ -138,8 +154,11 @@ static void xrgb8888_to_rgb332_test(struct kunit *test) + dst = kunit_kzalloc(test, dst_size, GFP_KERNEL); + KUNIT_ASSERT_NOT_ERR_OR_NULL(test, dst); + +- drm_fb_xrgb8888_to_rgb332(dst, params->dst_pitch, params->xrgb8888, +- &fb, ¶ms->clip); ++ src = le32buf_to_cpu(test, params->xrgb8888, TEST_BUF_SIZE); ++ KUNIT_ASSERT_NOT_ERR_OR_NULL(test, src); ++ ++ drm_fb_xrgb8888_to_rgb332(dst, params->dst_pitch, src, &fb, ++ ¶ms->clip); + KUNIT_EXPECT_EQ(test, memcmp(dst, params->expected, dst_size), 0); + } + +-- +2.35.1 + diff --git a/queue-6.0/drm-i915-dg2-bump-up-cdclk-for-dg2.patch b/queue-6.0/drm-i915-dg2-bump-up-cdclk-for-dg2.patch new file mode 100644 index 00000000000..776fb33bb2c --- /dev/null +++ b/queue-6.0/drm-i915-dg2-bump-up-cdclk-for-dg2.patch @@ -0,0 +1,47 @@ +From a6b1881d3ba0226de2c0c32d47876f27bcf01180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jun 2022 15:30:49 +0300 +Subject: drm/i915/dg2: Bump up CDCLK for DG2 + +From: Stanislav Lisovskiy + +[ Upstream commit 859161b952a453b86362f168fadef72a8ba31a05 ] + +We seem to need this W/A same way as for TGL, in order +to fix some of the underruns, which we currently have and +those not related to PSR. + +Signed-off-by: Stanislav Lisovskiy +Reviewed-by: Uma Shankar +Link: https://patchwork.freedesktop.org/patch/msgid/20220614123049.16183-2-stanislav.lisovskiy@intel.com +Stable-dep-of: 4234ea300512 ("drm/i915/display: avoid warnings when registering dual panel backlight") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_cdclk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_cdclk.c b/drivers/gpu/drm/i915/display/intel_cdclk.c +index 6e80162632dd..86a22c3766e5 100644 +--- a/drivers/gpu/drm/i915/display/intel_cdclk.c ++++ b/drivers/gpu/drm/i915/display/intel_cdclk.c +@@ -2300,7 +2300,7 @@ int intel_crtc_compute_min_cdclk(const struct intel_crtc_state *crtc_state) + min_cdclk = max(min_cdclk, (int)crtc_state->pixel_rate); + + /* +- * HACK. Currently for TGL platforms we calculate ++ * HACK. Currently for TGL/DG2 platforms we calculate + * min_cdclk initially based on pixel_rate divided + * by 2, accounting for also plane requirements, + * however in some cases the lowest possible CDCLK +@@ -2308,7 +2308,7 @@ int intel_crtc_compute_min_cdclk(const struct intel_crtc_state *crtc_state) + * Explicitly stating here that this seems to be currently + * rather a Hack, than final solution. + */ +- if (IS_TIGERLAKE(dev_priv)) { ++ if (IS_TIGERLAKE(dev_priv) || IS_DG2(dev_priv)) { + /* + * Clamp to max_cdclk_freq in case pixel rate is higher, + * in order not to break an 8K, but still leave W/A at place. +-- +2.35.1 + diff --git a/queue-6.0/drm-i915-reset-handle-reset-timeouts-under-unrelated.patch b/queue-6.0/drm-i915-reset-handle-reset-timeouts-under-unrelated.patch new file mode 100644 index 00000000000..f57af7677f2 --- /dev/null +++ b/queue-6.0/drm-i915-reset-handle-reset-timeouts-under-unrelated.patch @@ -0,0 +1,64 @@ +From 299c5a8bbfa2562ba358249b922baa2bcb0e96f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jun 2022 21:39:59 -0700 +Subject: drm/i915/reset: Handle reset timeouts under unrelated kernel hangs + +From: Chris Wilson + +[ Upstream commit 1dab4561a341afdbaafe0ce6091106d0c63c79e0 ] + +When resuming after hibernate sometimes we see hangs in unrelated kernel +subsystems. These hangs often result in the following i915 trace: + +i915 0000:00:02.0: [drm] *ERROR* \ + intel_gt_reset_global timed out, cancelling all in-flight rendering + +implying our reset task has been starved by the hanging kernel subsystem, +causing us to inappropiately declare the system as wedged beyond recovery. + +The trace would be caused by our synchronize_srcu_expedited() taking more +than the allowed 5s due to the unrelated kernel hang. But we neither need +to perform that synchronisation inside the reset watchdog, nor do we need +such a short timeout before declaring the device as unrecoverable. + +v2: Restore watchdog timeout to the previous 5 seconds (Ashutosh) + +Bug: https://gitlab.freedesktop.org/drm/intel/-/issues/3575 +Signed-off-by: Chris Wilson +Signed-off-by: Ashutosh Dixit +Reviewed-by: Ashutosh Dixit +Signed-off-by: Matthew Auld +Link: https://patchwork.freedesktop.org/patch/msgid/20220630043959.5708-1-ashutosh.dixit@intel.com +Stable-dep-of: 774ce1510e6c ("drm/i915/guc: support v69 in parallel to v70") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/intel_reset.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/i915/gt/intel_reset.c b/drivers/gpu/drm/i915/gt/intel_reset.c +index c68d36fb5bbd..1211774e1d91 100644 +--- a/drivers/gpu/drm/i915/gt/intel_reset.c ++++ b/drivers/gpu/drm/i915/gt/intel_reset.c +@@ -1281,9 +1281,6 @@ static void intel_gt_reset_global(struct intel_gt *gt, + intel_wedge_on_timeout(&w, gt, 5 * HZ) { + intel_display_prepare_reset(gt->i915); + +- /* Flush everyone using a resource about to be clobbered */ +- synchronize_srcu_expedited(>->reset.backoff_srcu); +- + intel_gt_reset(gt, engine_mask, reason); + + intel_display_finish_reset(gt->i915); +@@ -1392,6 +1389,9 @@ void intel_gt_handle_error(struct intel_gt *gt, + } + } + ++ /* Flush everyone using a resource about to be clobbered */ ++ synchronize_srcu_expedited(>->reset.backoff_srcu); ++ + intel_gt_reset_global(gt, engine_mask, msg); + + if (!intel_uc_uses_guc_submission(>->uc)) { +-- +2.35.1 + diff --git a/queue-6.0/drm-komeda-fix-handling-of-atomic-commits-in-the-ato.patch b/queue-6.0/drm-komeda-fix-handling-of-atomic-commits-in-the-ato.patch new file mode 100644 index 00000000000..6a630d25ef7 --- /dev/null +++ b/queue-6.0/drm-komeda-fix-handling-of-atomic-commits-in-the-ato.patch @@ -0,0 +1,116 @@ +From f4ee6bdf7aea8e0ad21c7f936f4d3ce61b59adf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 16:39:21 +0100 +Subject: drm/komeda: Fix handling of atomic commits in the atomic_commit_tail + hook + +From: Liviu Dudau + +[ Upstream commit eaa225b6b52233d45457fd33730e1528c604d92d ] + +Komeda driver relies on the generic DRM atomic helper functions to handle +commits. It only implements an atomic_commit_tail hook for the +mode_config_helper_funcs and even that one is pretty close to the generic +implementation with the exception of additional dma_fence signalling. + +What the generic helper framework doesn't do is waiting for the actual +hardware to signal that the commit parameters have been written into the +appropriate registers. As we signal CRTC events only on the irq handlers, +we need to flush the configuration and wait for the hardware to respond. + +Add the Komeda specific implementation for atomic_commit_hw_done() that +flushes and waits for flip done before calling drm_atomic_helper_commit_hw_done(). + +The fix was prompted by a patch from Carsten Haitzler where he was trying to +solve the same issue but in a different way that I think can lead to wrong +event signaling to userspace. + +Reported-by: Carsten Haitzler +Tested-by: Carsten Haitzler +Reviewed-by: Carsten Haitzler +Signed-off-by: Liviu Dudau +Link: https://patchwork.freedesktop.org/patch/msgid/20220722122139.288486-1-liviu.dudau@arm.com +Signed-off-by: Sasha Levin +--- + .../gpu/drm/arm/display/komeda/komeda_crtc.c | 4 ++-- + .../gpu/drm/arm/display/komeda/komeda_kms.c | 21 ++++++++++++++++++- + .../gpu/drm/arm/display/komeda/komeda_kms.h | 2 ++ + 3 files changed, 24 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c +index 59172acb9738..292f533d8cf0 100644 +--- a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c ++++ b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c +@@ -235,7 +235,7 @@ void komeda_crtc_handle_event(struct komeda_crtc *kcrtc, + crtc->state->event = NULL; + drm_crtc_send_vblank_event(crtc, event); + } else { +- DRM_WARN("CRTC[%d]: FLIP happen but no pending commit.\n", ++ DRM_WARN("CRTC[%d]: FLIP happened but no pending commit.\n", + drm_crtc_index(&kcrtc->base)); + } + spin_unlock_irqrestore(&crtc->dev->event_lock, flags); +@@ -286,7 +286,7 @@ komeda_crtc_atomic_enable(struct drm_crtc *crtc, + komeda_crtc_do_flush(crtc, old); + } + +-static void ++void + komeda_crtc_flush_and_wait_for_flip_done(struct komeda_crtc *kcrtc, + struct completion *input_flip_done) + { +diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_kms.c b/drivers/gpu/drm/arm/display/komeda/komeda_kms.c +index 93b7f09b96ca..327051bba5b6 100644 +--- a/drivers/gpu/drm/arm/display/komeda/komeda_kms.c ++++ b/drivers/gpu/drm/arm/display/komeda/komeda_kms.c +@@ -69,6 +69,25 @@ static const struct drm_driver komeda_kms_driver = { + .minor = 1, + }; + ++static void komeda_kms_atomic_commit_hw_done(struct drm_atomic_state *state) ++{ ++ struct drm_device *dev = state->dev; ++ struct komeda_kms_dev *kms = to_kdev(dev); ++ int i; ++ ++ for (i = 0; i < kms->n_crtcs; i++) { ++ struct komeda_crtc *kcrtc = &kms->crtcs[i]; ++ ++ if (kcrtc->base.state->active) { ++ struct completion *flip_done = NULL; ++ if (kcrtc->base.state->event) ++ flip_done = kcrtc->base.state->event->base.completion; ++ komeda_crtc_flush_and_wait_for_flip_done(kcrtc, flip_done); ++ } ++ } ++ drm_atomic_helper_commit_hw_done(state); ++} ++ + static void komeda_kms_commit_tail(struct drm_atomic_state *old_state) + { + struct drm_device *dev = old_state->dev; +@@ -81,7 +100,7 @@ static void komeda_kms_commit_tail(struct drm_atomic_state *old_state) + + drm_atomic_helper_commit_modeset_enables(dev, old_state); + +- drm_atomic_helper_commit_hw_done(old_state); ++ komeda_kms_atomic_commit_hw_done(old_state); + + drm_atomic_helper_wait_for_flip_done(dev, old_state); + +diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_kms.h b/drivers/gpu/drm/arm/display/komeda/komeda_kms.h +index 7889e380ab23..7339339ef6b8 100644 +--- a/drivers/gpu/drm/arm/display/komeda/komeda_kms.h ++++ b/drivers/gpu/drm/arm/display/komeda/komeda_kms.h +@@ -183,6 +183,8 @@ void komeda_kms_cleanup_private_objs(struct komeda_kms_dev *kms); + + void komeda_crtc_handle_event(struct komeda_crtc *kcrtc, + struct komeda_events *evts); ++void komeda_crtc_flush_and_wait_for_flip_done(struct komeda_crtc *kcrtc, ++ struct completion *input_flip_done); + + struct komeda_kms_dev *komeda_kms_attach(struct komeda_dev *mdev); + void komeda_kms_detach(struct komeda_kms_dev *kms); +-- +2.35.1 + diff --git a/queue-6.0/drm-meson-explicitly-remove-aggregate-driver-at-modu.patch b/queue-6.0/drm-meson-explicitly-remove-aggregate-driver-at-modu.patch new file mode 100644 index 00000000000..50f74738248 --- /dev/null +++ b/queue-6.0/drm-meson-explicitly-remove-aggregate-driver-at-modu.patch @@ -0,0 +1,197 @@ +From 3340f2a267c63305369f1c7e9cde23d84e3fe49e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 02:09:39 +0100 +Subject: drm/meson: explicitly remove aggregate driver at module unload time +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Adrián Larumbe + +[ Upstream commit 8616f2a0589a80e08434212324250eb22f6a66ce ] + +Because component_master_del wasn't being called when unloading the +meson_drm module, the aggregate device would linger forever in the global +aggregate_devices list. That means when unloading and reloading the +meson_dw_hdmi module, component_add would call into +try_to_bring_up_aggregate_device and find the unbound meson_drm aggregate +device. + +This would in turn dereference some of the aggregate_device's struct +entries which point to memory automatically freed by the devres API when +unbinding the aggregate device from meson_drv_unbind, and trigger an +use-after-free bug: + +[ +0.000014] ============================================================= +[ +0.000007] BUG: KASAN: use-after-free in find_components+0x468/0x500 +[ +0.000017] Read of size 8 at addr ffff000006731688 by task modprobe/2536 +[ +0.000018] CPU: 4 PID: 2536 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1 +[ +0.000010] Hardware name: Hardkernel ODROID-N2Plus (DT) +[ +0.000008] Call trace: +[ +0.000005] dump_backtrace+0x1ec/0x280 +[ +0.000011] show_stack+0x24/0x80 +[ +0.000007] dump_stack_lvl+0x98/0xd4 +[ +0.000010] print_address_description.constprop.0+0x80/0x520 +[ +0.000011] print_report+0x128/0x260 +[ +0.000007] kasan_report+0xb8/0xfc +[ +0.000007] __asan_report_load8_noabort+0x3c/0x50 +[ +0.000009] find_components+0x468/0x500 +[ +0.000008] try_to_bring_up_aggregate_device+0x64/0x390 +[ +0.000009] __component_add+0x1dc/0x49c +[ +0.000009] component_add+0x20/0x30 +[ +0.000008] meson_dw_hdmi_probe+0x28/0x34 [meson_dw_hdmi] +[ +0.000013] platform_probe+0xd0/0x220 +[ +0.000008] really_probe+0x3ac/0xa80 +[ +0.000008] __driver_probe_device+0x1f8/0x400 +[ +0.000008] driver_probe_device+0x68/0x1b0 +[ +0.000008] __driver_attach+0x20c/0x480 +[ +0.000009] bus_for_each_dev+0x114/0x1b0 +[ +0.000007] driver_attach+0x48/0x64 +[ +0.000009] bus_add_driver+0x390/0x564 +[ +0.000007] driver_register+0x1a8/0x3e4 +[ +0.000009] __platform_driver_register+0x6c/0x94 +[ +0.000007] meson_dw_hdmi_platform_driver_init+0x30/0x1000 [meson_dw_hdmi] +[ +0.000014] do_one_initcall+0xc4/0x2b0 +[ +0.000008] do_init_module+0x154/0x570 +[ +0.000010] load_module+0x1a78/0x1ea4 +[ +0.000008] __do_sys_init_module+0x184/0x1cc +[ +0.000008] __arm64_sys_init_module+0x78/0xb0 +[ +0.000008] invoke_syscall+0x74/0x260 +[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260 +[ +0.000009] do_el0_svc+0x50/0x70 +[ +0.000008] el0_svc+0x68/0x1a0 +[ +0.000009] el0t_64_sync_handler+0x11c/0x150 +[ +0.000009] el0t_64_sync+0x18c/0x190 + +[ +0.000014] Allocated by task 902: +[ +0.000007] kasan_save_stack+0x2c/0x5c +[ +0.000009] __kasan_kmalloc+0x90/0xd0 +[ +0.000007] __kmalloc_node+0x240/0x580 +[ +0.000010] memcg_alloc_slab_cgroups+0xa4/0x1ac +[ +0.000010] memcg_slab_post_alloc_hook+0xbc/0x4c0 +[ +0.000008] kmem_cache_alloc_node+0x1d0/0x490 +[ +0.000009] __alloc_skb+0x1d4/0x310 +[ +0.000010] alloc_skb_with_frags+0x8c/0x620 +[ +0.000008] sock_alloc_send_pskb+0x5ac/0x6d0 +[ +0.000010] unix_dgram_sendmsg+0x2e0/0x12f0 +[ +0.000010] sock_sendmsg+0xcc/0x110 +[ +0.000007] sock_write_iter+0x1d0/0x304 +[ +0.000008] new_sync_write+0x364/0x460 +[ +0.000007] vfs_write+0x420/0x5ac +[ +0.000008] ksys_write+0x19c/0x1f0 +[ +0.000008] __arm64_sys_write+0x78/0xb0 +[ +0.000007] invoke_syscall+0x74/0x260 +[ +0.000008] el0_svc_common.constprop.0+0x1a8/0x260 +[ +0.000009] do_el0_svc+0x50/0x70 +[ +0.000007] el0_svc+0x68/0x1a0 +[ +0.000008] el0t_64_sync_handler+0x11c/0x150 +[ +0.000008] el0t_64_sync+0x18c/0x190 + +[ +0.000013] Freed by task 2509: +[ +0.000008] kasan_save_stack+0x2c/0x5c +[ +0.000007] kasan_set_track+0x2c/0x40 +[ +0.000008] kasan_set_free_info+0x28/0x50 +[ +0.000008] ____kasan_slab_free+0x128/0x1d4 +[ +0.000008] __kasan_slab_free+0x18/0x24 +[ +0.000007] slab_free_freelist_hook+0x108/0x230 +[ +0.000010] kfree+0x110/0x35c +[ +0.000008] release_nodes+0xf0/0x16c +[ +0.000008] devres_release_all+0xfc/0x180 +[ +0.000008] device_unbind_cleanup+0x24/0x164 +[ +0.000008] device_release_driver_internal+0x3e8/0x5b0 +[ +0.000010] driver_detach+0xac/0x1b0 +[ +0.000008] bus_remove_driver+0x158/0x29c +[ +0.000008] driver_unregister+0x70/0xb0 +[ +0.000009] platform_driver_unregister+0x20/0x2c +[ +0.000007] 0xffff800003722d98 +[ +0.000012] __do_sys_delete_module+0x288/0x400 +[ +0.000009] __arm64_sys_delete_module+0x5c/0x80 +[ +0.000008] invoke_syscall+0x74/0x260 +[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260 +[ +0.000008] do_el0_svc+0x50/0x70 +[ +0.000007] el0_svc+0x68/0x1a0 +[ +0.000008] el0t_64_sync_handler+0x11c/0x150 +[ +0.000009] el0t_64_sync+0x18c/0x190 + +[ +0.000013] Last potentially related work creation: +[ +0.000007] kasan_save_stack+0x2c/0x5c +[ +0.000007] __kasan_record_aux_stack+0xb8/0xf0 +[ +0.000009] kasan_record_aux_stack_noalloc+0x14/0x20 +[ +0.000008] insert_work+0x54/0x290 +[ +0.000009] __queue_work+0x48c/0xd24 +[ +0.000008] queue_work_on+0x90/0x11c +[ +0.000008] call_usermodehelper_exec+0x188/0x404 +[ +0.000010] kobject_uevent_env+0x5a8/0x794 +[ +0.000010] kobject_uevent+0x14/0x20 +[ +0.000008] driver_register+0x230/0x3e4 +[ +0.000009] __platform_driver_register+0x6c/0x94 +[ +0.000007] gxbb_driver_init+0x28/0x34 +[ +0.000010] do_one_initcall+0xc4/0x2b0 +[ +0.000008] do_initcalls+0x20c/0x24c +[ +0.000010] kernel_init_freeable+0x22c/0x278 +[ +0.000009] kernel_init+0x3c/0x170 +[ +0.000008] ret_from_fork+0x10/0x20 + +[ +0.000013] The buggy address belongs to the object at ffff000006731600 + which belongs to the cache kmalloc-256 of size 256 +[ +0.000009] The buggy address is located 136 bytes inside of + 256-byte region [ffff000006731600, ffff000006731700) + +[ +0.000015] The buggy address belongs to the physical page: +[ +0.000008] page:fffffc000019cc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff000006730a00 pfn:0x6730 +[ +0.000011] head:fffffc000019cc00 order:2 compound_mapcount:0 compound_pincount:0 +[ +0.000008] flags: 0xffff00000010200(slab|head|node=0|zone=0|lastcpupid=0xffff) +[ +0.000016] raw: 0ffff00000010200 fffffc00000c3d08 fffffc0000ef2b08 ffff000000002680 +[ +0.000009] raw: ffff000006730a00 0000000000150014 00000001ffffffff 0000000000000000 +[ +0.000006] page dumped because: kasan: bad access detected + +[ +0.000011] Memory state around the buggy address: +[ +0.000007] ffff000006731580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ +0.000007] ffff000006731600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000007] >ffff000006731680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000007] ^ +[ +0.000006] ffff000006731700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ +0.000007] ffff000006731780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ +0.000006] ================================================================== + +Fix by adding 'remove' driver callback for meson-drm, and explicitly deleting the +aggregate device. + +Signed-off-by: Adrián Larumbe +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220919010940.419893-3-adrian.larumbe@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_drv.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c +index 7df149d42728..8444d90165fb 100644 +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -493,6 +493,13 @@ static int meson_drv_probe(struct platform_device *pdev) + return 0; + }; + ++static int meson_drv_remove(struct platform_device *pdev) ++{ ++ component_master_del(&pdev->dev, &meson_drv_master_ops); ++ ++ return 0; ++} ++ + static struct meson_drm_match_data meson_drm_gxbb_data = { + .compat = VPU_COMPATIBLE_GXBB, + }; +@@ -530,6 +537,7 @@ static const struct dev_pm_ops meson_drv_pm_ops = { + + static struct platform_driver meson_drm_platform_driver = { + .probe = meson_drv_probe, ++ .remove = meson_drv_remove, + .shutdown = meson_drv_shutdown, + .driver = { + .name = "meson-drm", +-- +2.35.1 + diff --git a/queue-6.0/drm-meson-remove-drm-bridges-at-aggregate-driver-unb.patch b/queue-6.0/drm-meson-remove-drm-bridges-at-aggregate-driver-unb.patch new file mode 100644 index 00000000000..37ba78e195c --- /dev/null +++ b/queue-6.0/drm-meson-remove-drm-bridges-at-aggregate-driver-unb.patch @@ -0,0 +1,283 @@ +From e015d3e3f260c25f279c470c7d14d428b9dd2f8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 23:28:42 +0100 +Subject: drm/meson: remove drm bridges at aggregate driver unbind time +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Adrián Larumbe + +[ Upstream commit 09847723c12fc2753749cec3939a02ee92dac468 ] + +drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init +were not manually removed at module unload time, which caused dangling +references to freed memory to remain linked in the global bridge_list. + +When loading the driver modules back in, the same functions would again +call drm_bridge_add, and when traversing the global bridge_list, would +end up peeking into freed memory. + +Once again KASAN revealed the problem: + +[ +0.000095] ============================================================= +[ +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120 +[ +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483 + +[ +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1 +[ +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT) +[ +0.000008] Call trace: +[ +0.000006] dump_backtrace+0x1ec/0x280 +[ +0.000012] show_stack+0x24/0x80 +[ +0.000008] dump_stack_lvl+0x98/0xd4 +[ +0.000011] print_address_description.constprop.0+0x80/0x520 +[ +0.000011] print_report+0x128/0x260 +[ +0.000008] kasan_report+0xb8/0xfc +[ +0.000008] __asan_report_load8_noabort+0x3c/0x50 +[ +0.000009] __list_add_valid+0x9c/0x120 +[ +0.000009] drm_bridge_add+0x6c/0x104 [drm] +[ +0.000165] dw_hdmi_probe+0x1900/0x2360 [dw_hdmi] +[ +0.000022] meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi] +[ +0.000014] component_bind+0x174/0x520 +[ +0.000012] component_bind_all+0x1a8/0x38c +[ +0.000010] meson_drv_bind_master+0x5e8/0xb74 [meson_drm] +[ +0.000032] meson_drv_bind+0x20/0x2c [meson_drm] +[ +0.000027] try_to_bring_up_aggregate_device+0x19c/0x390 +[ +0.000010] component_master_add_with_match+0x1c8/0x284 +[ +0.000009] meson_drv_probe+0x274/0x280 [meson_drm] +[ +0.000026] platform_probe+0xd0/0x220 +[ +0.000009] really_probe+0x3ac/0xa80 +[ +0.000009] __driver_probe_device+0x1f8/0x400 +[ +0.000009] driver_probe_device+0x68/0x1b0 +[ +0.000009] __driver_attach+0x20c/0x480 +[ +0.000008] bus_for_each_dev+0x114/0x1b0 +[ +0.000009] driver_attach+0x48/0x64 +[ +0.000008] bus_add_driver+0x390/0x564 +[ +0.000009] driver_register+0x1a8/0x3e4 +[ +0.000009] __platform_driver_register+0x6c/0x94 +[ +0.000008] meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm] +[ +0.000027] do_one_initcall+0xc4/0x2b0 +[ +0.000011] do_init_module+0x154/0x570 +[ +0.000011] load_module+0x1a78/0x1ea4 +[ +0.000008] __do_sys_init_module+0x184/0x1cc +[ +0.000009] __arm64_sys_init_module+0x78/0xb0 +[ +0.000009] invoke_syscall+0x74/0x260 +[ +0.000009] el0_svc_common.constprop.0+0xcc/0x260 +[ +0.000008] do_el0_svc+0x50/0x70 +[ +0.000007] el0_svc+0x68/0x1a0 +[ +0.000012] el0t_64_sync_handler+0x11c/0x150 +[ +0.000008] el0t_64_sync+0x18c/0x190 + +[ +0.000016] Allocated by task 879: +[ +0.000008] kasan_save_stack+0x2c/0x5c +[ +0.000011] __kasan_kmalloc+0x90/0xd0 +[ +0.000007] __kmalloc+0x278/0x4a0 +[ +0.000011] mpi_resize+0x13c/0x1d0 +[ +0.000011] mpi_powm+0xd24/0x1570 +[ +0.000009] rsa_enc+0x1a4/0x30c +[ +0.000009] pkcs1pad_verify+0x3f0/0x580 +[ +0.000009] public_key_verify_signature+0x7a8/0xba4 +[ +0.000010] public_key_verify_signature_2+0x40/0x60 +[ +0.000008] verify_signature+0xb4/0x114 +[ +0.000008] pkcs7_validate_trust_one.constprop.0+0x3b8/0x574 +[ +0.000009] pkcs7_validate_trust+0xb8/0x15c +[ +0.000008] verify_pkcs7_message_sig+0xec/0x1b0 +[ +0.000012] verify_pkcs7_signature+0x78/0xac +[ +0.000007] mod_verify_sig+0x110/0x190 +[ +0.000009] module_sig_check+0x114/0x1e0 +[ +0.000009] load_module+0xa0/0x1ea4 +[ +0.000008] __do_sys_init_module+0x184/0x1cc +[ +0.000008] __arm64_sys_init_module+0x78/0xb0 +[ +0.000008] invoke_syscall+0x74/0x260 +[ +0.000009] el0_svc_common.constprop.0+0x1a8/0x260 +[ +0.000008] do_el0_svc+0x50/0x70 +[ +0.000007] el0_svc+0x68/0x1a0 +[ +0.000009] el0t_64_sync_handler+0x11c/0x150 +[ +0.000009] el0t_64_sync+0x18c/0x190 + +[ +0.000013] Freed by task 2422: +[ +0.000008] kasan_save_stack+0x2c/0x5c +[ +0.000009] kasan_set_track+0x2c/0x40 +[ +0.000007] kasan_set_free_info+0x28/0x50 +[ +0.000009] ____kasan_slab_free+0x128/0x1d4 +[ +0.000008] __kasan_slab_free+0x18/0x24 +[ +0.000007] slab_free_freelist_hook+0x108/0x230 +[ +0.000010] kfree+0x110/0x35c +[ +0.000008] release_nodes+0xf0/0x16c +[ +0.000009] devres_release_group+0x180/0x270 +[ +0.000008] take_down_aggregate_device+0xcc/0x160 +[ +0.000010] component_del+0x18c/0x360 +[ +0.000009] meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi] +[ +0.000013] platform_remove+0x64/0xb0 +[ +0.000008] device_remove+0xb8/0x154 +[ +0.000009] device_release_driver_internal+0x398/0x5b0 +[ +0.000009] driver_detach+0xac/0x1b0 +[ +0.000009] bus_remove_driver+0x158/0x29c +[ +0.000008] driver_unregister+0x70/0xb0 +[ +0.000009] platform_driver_unregister+0x20/0x2c +[ +0.000007] meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi] +[ +0.000012] __do_sys_delete_module+0x288/0x400 +[ +0.000009] __arm64_sys_delete_module+0x5c/0x80 +[ +0.000009] invoke_syscall+0x74/0x260 +[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260 +[ +0.000008] do_el0_svc+0x50/0x70 +[ +0.000007] el0_svc+0x68/0x1a0 +[ +0.000008] el0t_64_sync_handler+0x11c/0x150 +[ +0.000009] el0t_64_sync+0x18c/0x190 + +[ +0.000013] The buggy address belongs to the object at ffff00003da29000 + which belongs to the cache kmalloc-1k of size 1024 +[ +0.000008] The buggy address is located 496 bytes inside of + 1024-byte region [ffff00003da29000, ffff00003da29400) + +[ +0.000015] The buggy address belongs to the physical page: +[ +0.000009] page:fffffc0000f68a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3da28 +[ +0.000012] head:fffffc0000f68a00 order:3 compound_mapcount:0 compound_pincount:0 +[ +0.000009] flags: 0xffff00000010200(slab|head|node=0|zone=0|lastcpupid=0xffff) +[ +0.000019] raw: 0ffff00000010200 fffffc0000eb5c08 fffffc0000d96608 ffff000000002a80 +[ +0.000008] raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 +[ +0.000008] page dumped because: kasan: bad access detected + +[ +0.000011] Memory state around the buggy address: +[ +0.000009] ffff00003da29080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000007] ffff00003da29100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000007] >ffff00003da29180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000007] ^ +[ +0.000008] ffff00003da29200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000006] ffff00003da29280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000007] ================================================================== + +Fix by keeping track of which encoders were initialised in the meson_drm +structure and manually removing their bridges at aggregate driver's unbind +time. + +Signed-off-by: Adrián Larumbe +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220920222842.1053234-1-adrian.larumbe@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_drv.c | 4 ++++ + drivers/gpu/drm/meson/meson_drv.h | 7 +++++++ + drivers/gpu/drm/meson/meson_encoder_cvbs.c | 13 +++++++++++++ + drivers/gpu/drm/meson/meson_encoder_cvbs.h | 1 + + drivers/gpu/drm/meson/meson_encoder_hdmi.c | 13 +++++++++++++ + drivers/gpu/drm/meson/meson_encoder_hdmi.h | 1 + + 6 files changed, 39 insertions(+) + +diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c +index 8444d90165fb..86b90d0f5780 100644 +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -390,6 +390,10 @@ static void meson_drv_unbind(struct device *dev) + drm_atomic_helper_shutdown(drm); + free_irq(priv->vsync_irq, drm); + drm_dev_put(drm); ++ ++ meson_encoder_hdmi_remove(priv); ++ meson_encoder_cvbs_remove(priv); ++ + component_unbind_all(dev, drm); + + if (priv->afbcd.ops) +diff --git a/drivers/gpu/drm/meson/meson_drv.h b/drivers/gpu/drm/meson/meson_drv.h +index 177dac3ca3be..c62ee358456f 100644 +--- a/drivers/gpu/drm/meson/meson_drv.h ++++ b/drivers/gpu/drm/meson/meson_drv.h +@@ -25,6 +25,12 @@ enum vpu_compatible { + VPU_COMPATIBLE_G12A = 3, + }; + ++enum { ++ MESON_ENC_CVBS = 0, ++ MESON_ENC_HDMI, ++ MESON_ENC_LAST, ++}; ++ + struct meson_drm_match_data { + enum vpu_compatible compat; + struct meson_afbcd_ops *afbcd_ops; +@@ -51,6 +57,7 @@ struct meson_drm { + struct drm_crtc *crtc; + struct drm_plane *primary_plane; + struct drm_plane *overlay_plane; ++ void *encoders[MESON_ENC_LAST]; + + const struct meson_drm_soc_limits *limits; + +diff --git a/drivers/gpu/drm/meson/meson_encoder_cvbs.c b/drivers/gpu/drm/meson/meson_encoder_cvbs.c +index 8110a6e39320..5675bc2a92cf 100644 +--- a/drivers/gpu/drm/meson/meson_encoder_cvbs.c ++++ b/drivers/gpu/drm/meson/meson_encoder_cvbs.c +@@ -281,5 +281,18 @@ int meson_encoder_cvbs_init(struct meson_drm *priv) + } + drm_connector_attach_encoder(connector, &meson_encoder_cvbs->encoder); + ++ priv->encoders[MESON_ENC_CVBS] = meson_encoder_cvbs; ++ + return 0; + } ++ ++void meson_encoder_cvbs_remove(struct meson_drm *priv) ++{ ++ struct meson_encoder_cvbs *meson_encoder_cvbs; ++ ++ if (priv->encoders[MESON_ENC_CVBS]) { ++ meson_encoder_cvbs = priv->encoders[MESON_ENC_CVBS]; ++ drm_bridge_remove(&meson_encoder_cvbs->bridge); ++ drm_bridge_remove(meson_encoder_cvbs->next_bridge); ++ } ++} +diff --git a/drivers/gpu/drm/meson/meson_encoder_cvbs.h b/drivers/gpu/drm/meson/meson_encoder_cvbs.h +index 61d9d183ce7f..09710fec3c66 100644 +--- a/drivers/gpu/drm/meson/meson_encoder_cvbs.h ++++ b/drivers/gpu/drm/meson/meson_encoder_cvbs.h +@@ -25,5 +25,6 @@ struct meson_cvbs_mode { + extern struct meson_cvbs_mode meson_cvbs_modes[MESON_CVBS_MODES_COUNT]; + + int meson_encoder_cvbs_init(struct meson_drm *priv); ++void meson_encoder_cvbs_remove(struct meson_drm *priv); + + #endif /* __MESON_VENC_CVBS_H */ +diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.c b/drivers/gpu/drm/meson/meson_encoder_hdmi.c +index 2f616c55c271..53231bfdf7e2 100644 +--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.c ++++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.c +@@ -452,6 +452,8 @@ int meson_encoder_hdmi_init(struct meson_drm *priv) + meson_encoder_hdmi->cec_notifier = notifier; + } + ++ priv->encoders[MESON_ENC_HDMI] = meson_encoder_hdmi; ++ + dev_dbg(priv->dev, "HDMI encoder initialized\n"); + + return 0; +@@ -460,3 +462,14 @@ int meson_encoder_hdmi_init(struct meson_drm *priv) + of_node_put(remote); + return ret; + } ++ ++void meson_encoder_hdmi_remove(struct meson_drm *priv) ++{ ++ struct meson_encoder_hdmi *meson_encoder_hdmi; ++ ++ if (priv->encoders[MESON_ENC_HDMI]) { ++ meson_encoder_hdmi = priv->encoders[MESON_ENC_HDMI]; ++ drm_bridge_remove(&meson_encoder_hdmi->bridge); ++ drm_bridge_remove(meson_encoder_hdmi->next_bridge); ++ } ++} +diff --git a/drivers/gpu/drm/meson/meson_encoder_hdmi.h b/drivers/gpu/drm/meson/meson_encoder_hdmi.h +index ed19494f0956..a6cd38eb5f71 100644 +--- a/drivers/gpu/drm/meson/meson_encoder_hdmi.h ++++ b/drivers/gpu/drm/meson/meson_encoder_hdmi.h +@@ -8,5 +8,6 @@ + #define __MESON_ENCODER_HDMI_H + + int meson_encoder_hdmi_init(struct meson_drm *priv); ++void meson_encoder_hdmi_remove(struct meson_drm *priv); + + #endif /* __MESON_ENCODER_HDMI_H */ +-- +2.35.1 + diff --git a/queue-6.0/drm-meson-reorder-driver-deinit-sequence-to-fix-use-.patch b/queue-6.0/drm-meson-reorder-driver-deinit-sequence-to-fix-use-.patch new file mode 100644 index 00000000000..e2345b781fa --- /dev/null +++ b/queue-6.0/drm-meson-reorder-driver-deinit-sequence-to-fix-use-.patch @@ -0,0 +1,161 @@ +From 6938499455a4ead01952db94cb3ced27c6b9f674 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 02:09:38 +0100 +Subject: drm/meson: reorder driver deinit sequence to fix use-after-free bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Adrián Larumbe + +[ Upstream commit 31c519981eb141c7ec39bfd5be25d35f02edb868 ] + +Unloading the driver triggers the following KASAN warning: + +[ +0.006275] ============================================================= +[ +0.000029] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0x1a0 +[ +0.000026] Read of size 8 at addr ffff000020c395e0 by task rmmod/2695 + +[ +0.000019] CPU: 5 PID: 2695 Comm: rmmod Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1 +[ +0.000013] Hardware name: Hardkernel ODROID-N2Plus (DT) +[ +0.000008] Call trace: +[ +0.000007] dump_backtrace+0x1ec/0x280 +[ +0.000013] show_stack+0x24/0x80 +[ +0.000008] dump_stack_lvl+0x98/0xd4 +[ +0.000011] print_address_description.constprop.0+0x80/0x520 +[ +0.000011] print_report+0x128/0x260 +[ +0.000007] kasan_report+0xb8/0xfc +[ +0.000008] __asan_report_load8_noabort+0x3c/0x50 +[ +0.000010] __list_del_entry_valid+0xe0/0x1a0 +[ +0.000009] drm_atomic_private_obj_fini+0x30/0x200 [drm] +[ +0.000172] drm_bridge_detach+0x94/0x260 [drm] +[ +0.000145] drm_encoder_cleanup+0xa4/0x290 [drm] +[ +0.000144] drm_mode_config_cleanup+0x118/0x740 [drm] +[ +0.000143] drm_mode_config_init_release+0x1c/0x2c [drm] +[ +0.000144] drm_managed_release+0x170/0x414 [drm] +[ +0.000142] drm_dev_put.part.0+0xc0/0x124 [drm] +[ +0.000143] drm_dev_put+0x20/0x30 [drm] +[ +0.000142] meson_drv_unbind+0x1d8/0x2ac [meson_drm] +[ +0.000028] take_down_aggregate_device+0xb0/0x160 +[ +0.000016] component_del+0x18c/0x360 +[ +0.000009] meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi] +[ +0.000015] platform_remove+0x64/0xb0 +[ +0.000009] device_remove+0xb8/0x154 +[ +0.000009] device_release_driver_internal+0x398/0x5b0 +[ +0.000009] driver_detach+0xac/0x1b0 +[ +0.000009] bus_remove_driver+0x158/0x29c +[ +0.000009] driver_unregister+0x70/0xb0 +[ +0.000008] platform_driver_unregister+0x20/0x2c +[ +0.000008] meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi] +[ +0.000012] __do_sys_delete_module+0x288/0x400 +[ +0.000011] __arm64_sys_delete_module+0x5c/0x80 +[ +0.000009] invoke_syscall+0x74/0x260 +[ +0.000009] el0_svc_common.constprop.0+0xcc/0x260 +[ +0.000009] do_el0_svc+0x50/0x70 +[ +0.000007] el0_svc+0x68/0x1a0 +[ +0.000012] el0t_64_sync_handler+0x11c/0x150 +[ +0.000008] el0t_64_sync+0x18c/0x190 + +[ +0.000018] Allocated by task 0: +[ +0.000007] (stack is not available) + +[ +0.000011] Freed by task 2695: +[ +0.000008] kasan_save_stack+0x2c/0x5c +[ +0.000011] kasan_set_track+0x2c/0x40 +[ +0.000008] kasan_set_free_info+0x28/0x50 +[ +0.000009] ____kasan_slab_free+0x128/0x1d4 +[ +0.000008] __kasan_slab_free+0x18/0x24 +[ +0.000007] slab_free_freelist_hook+0x108/0x230 +[ +0.000011] kfree+0x110/0x35c +[ +0.000008] release_nodes+0xf0/0x16c +[ +0.000009] devres_release_group+0x180/0x270 +[ +0.000008] component_unbind+0x128/0x1e0 +[ +0.000010] component_unbind_all+0x1b8/0x264 +[ +0.000009] meson_drv_unbind+0x1a0/0x2ac [meson_drm] +[ +0.000025] take_down_aggregate_device+0xb0/0x160 +[ +0.000009] component_del+0x18c/0x360 +[ +0.000009] meson_dw_hdmi_remove+0x28/0x40 [meson_dw_hdmi] +[ +0.000012] platform_remove+0x64/0xb0 +[ +0.000008] device_remove+0xb8/0x154 +[ +0.000009] device_release_driver_internal+0x398/0x5b0 +[ +0.000009] driver_detach+0xac/0x1b0 +[ +0.000009] bus_remove_driver+0x158/0x29c +[ +0.000008] driver_unregister+0x70/0xb0 +[ +0.000008] platform_driver_unregister+0x20/0x2c +[ +0.000008] meson_dw_hdmi_platform_driver_exit+0x1c/0x30 [meson_dw_hdmi] +[ +0.000011] __do_sys_delete_module+0x288/0x400 +[ +0.000010] __arm64_sys_delete_module+0x5c/0x80 +[ +0.000008] invoke_syscall+0x74/0x260 +[ +0.000008] el0_svc_common.constprop.0+0xcc/0x260 +[ +0.000008] do_el0_svc+0x50/0x70 +[ +0.000007] el0_svc+0x68/0x1a0 +[ +0.000009] el0t_64_sync_handler+0x11c/0x150 +[ +0.000009] el0t_64_sync+0x18c/0x190 + +[ +0.000014] The buggy address belongs to the object at ffff000020c39000 + which belongs to the cache kmalloc-4k of size 4096 +[ +0.000008] The buggy address is located 1504 bytes inside of + 4096-byte region [ffff000020c39000, ffff000020c3a000) + +[ +0.000016] The buggy address belongs to the physical page: +[ +0.000009] page:fffffc0000830e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20c38 +[ +0.000013] head:fffffc0000830e00 order:3 compound_mapcount:0 compound_pincount:0 +[ +0.000008] flags: 0xffff00000010200(slab|head|node=0|zone=0|lastcpupid=0xffff) +[ +0.000019] raw: 0ffff00000010200 fffffc0000fd4808 fffffc0000126208 ffff000000002e80 +[ +0.000009] raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000 +[ +0.000008] page dumped because: kasan: bad access detected + +[ +0.000011] Memory state around the buggy address: +[ +0.000008] ffff000020c39480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000007] ffff000020c39500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000007] >ffff000020c39580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000007] ^ +[ +0.000007] ffff000020c39600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000007] ffff000020c39680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ +0.000006] ================================================================== + +The reason this is happening is unloading meson-dw-hdmi will cause the +component API to take down the aggregate device, which in turn will cause +all devres-managed memory to be freed, including the struct dw_hdmi +allocated in dw_hdmi_probe. This struct embeds a struct drm_bridge that is +added at the end of the function, and which is later on picked up in +meson_encoder_hdmi_init. + +However, when attaching the bridge to the encoder created in +meson_encoder_hdmi_init, it's linked to the encoder's bridge chain, from +where it never leaves, even after devres_release_group is called when the +driver's components are unbound and the embedding structure freed. + +Then, when calling drm_dev_put in the aggregate driver's unbind function, +drm_bridge_detach is called for every single bridge linked to the encoder, +including the one whose memory had already been deallocated. + +Fix by calling component_unbind_all after drm_dev_put. + +Signed-off-by: Adrián Larumbe +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220919010940.419893-2-adrian.larumbe@collabora.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_drv.c b/drivers/gpu/drm/meson/meson_drv.c +index bd4ca11d3ff5..7df149d42728 100644 +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -388,9 +388,9 @@ static void meson_drv_unbind(struct device *dev) + drm_dev_unregister(drm); + drm_kms_helper_poll_fini(drm); + drm_atomic_helper_shutdown(drm); +- component_unbind_all(dev, drm); + free_irq(priv->vsync_irq, drm); + drm_dev_put(drm); ++ component_unbind_all(dev, drm); + + if (priv->afbcd.ops) + priv->afbcd.ops->exit(priv); +-- +2.35.1 + diff --git a/queue-6.0/drm-mipi-dsi-detach-devices-when-removing-the-host.patch b/queue-6.0/drm-mipi-dsi-detach-devices-when-removing-the-host.patch new file mode 100644 index 00000000000..1f94c7eb64f --- /dev/null +++ b/queue-6.0/drm-mipi-dsi-detach-devices-when-removing-the-host.patch @@ -0,0 +1,41 @@ +From 119c5afc9ce12d6e444ed8a3d3ea57a745e502e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 19:38:31 +0200 +Subject: drm/mipi-dsi: Detach devices when removing the host + +From: Maxime Ripard + +[ Upstream commit 668a8f17b5290d04ef7343636a5588a0692731a1 ] + +Whenever the MIPI-DSI host is unregistered, the code of +mipi_dsi_host_unregister() loops over every device currently found on that +bus and will unregister it. + +However, it doesn't detach it from the bus first, which leads to all kind +of resource leaks if the host wants to perform some clean up whenever a +device is detached. + +Fixes: 068a00233969 ("drm: Add MIPI DSI bus support") +Acked-by: Thomas Zimmermann +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20220711173939.1132294-2-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index c40bde96cfdf..c317ee9fa445 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -346,6 +346,7 @@ static int mipi_dsi_remove_device_fn(struct device *dev, void *priv) + { + struct mipi_dsi_device *dsi = to_mipi_dsi_device(dev); + ++ mipi_dsi_detach(dsi); + mipi_dsi_device_unregister(dsi); + + return 0; +-- +2.35.1 + diff --git a/queue-6.0/drm-msm-dp-correct-1.62g-link-rate-at-dp_catalog_ctr.patch b/queue-6.0/drm-msm-dp-correct-1.62g-link-rate-at-dp_catalog_ctr.patch new file mode 100644 index 00000000000..8bc5aca4ae6 --- /dev/null +++ b/queue-6.0/drm-msm-dp-correct-1.62g-link-rate-at-dp_catalog_ctr.patch @@ -0,0 +1,50 @@ +From acecbd0649bb04af72c6df2fdbc89b38c25883b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 13:15:50 -0700 +Subject: drm/msm/dp: correct 1.62G link rate at dp_catalog_ctrl_config_msa() + +From: Kuogee Hsieh + +[ Upstream commit aa0bff10af1c4b92e6b56e3e1b7f81c660d3ba78 ] + +At current implementation there is an extra 0 at 1.62G link rate which +cause no correct pixel_div selected for 1.62G link rate to calculate +mvid and nvid. This patch delete the extra 0 to have mvid and nvid be +calculated correctly. + +Changes in v2: +-- fix Fixes tag's text + +Changes in v3: +-- fix misspelling of "Reviewed-by" + +Fixes: 937f941ca06f ("drm/msm/dp: Use qmp phy for DP PLL and PHY") +Signed-off-by: Kuogee Hsieh +Reviewed-by: Stephen Boyd +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/499328/ +Link: https://lore.kernel.org/r/1661372150-3764-1-git-send-email-quic_khsieh@quicinc.com +[DB: rewrapped commit message] +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_catalog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_catalog.c b/drivers/gpu/drm/msm/dp/dp_catalog.c +index 7257515871a9..676279d0ca8d 100644 +--- a/drivers/gpu/drm/msm/dp/dp_catalog.c ++++ b/drivers/gpu/drm/msm/dp/dp_catalog.c +@@ -431,7 +431,7 @@ void dp_catalog_ctrl_config_msa(struct dp_catalog *dp_catalog, + + if (rate == link_rate_hbr3) + pixel_div = 6; +- else if (rate == 1620000 || rate == 270000) ++ else if (rate == 162000 || rate == 270000) + pixel_div = 2; + else if (rate == link_rate_hbr2) + pixel_div = 4; +-- +2.35.1 + diff --git a/queue-6.0/drm-msm-dpu-index-dpu_kms-hw_vbif-using-vbif_idx.patch b/queue-6.0/drm-msm-dpu-index-dpu_kms-hw_vbif-using-vbif_idx.patch new file mode 100644 index 00000000000..e486363bb51 --- /dev/null +++ b/queue-6.0/drm-msm-dpu-index-dpu_kms-hw_vbif-using-vbif_idx.patch @@ -0,0 +1,127 @@ +From 08ea5e28186601f9a739dd5927eeecd7174a2d39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jun 2022 15:57:01 +0300 +Subject: drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx + +From: Dmitry Baryshkov + +[ Upstream commit 7538f80ae0d98bf51eb89eee5344aec219902d42 ] + +Remove loops over hw_vbif. Instead always VBIF's idx as an index in the +array. This fixes an error in dpu_kms_hw_init(), where we fill +dpu_kms->hw_vbif[i], but check for an error pointer at +dpu_kms->hw_vbif[vbif_idx]. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/489569/ +Link: https://lore.kernel.org/r/20220615125703.24647-1-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 12 ++++------ + drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c | 29 +++++++++++------------- + 2 files changed, 18 insertions(+), 23 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +index 8646fd0603cb..c99c7a218ddb 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +@@ -823,12 +823,10 @@ static void _dpu_kms_hw_destroy(struct dpu_kms *dpu_kms) + _dpu_kms_mmu_destroy(dpu_kms); + + if (dpu_kms->catalog) { +- for (i = 0; i < dpu_kms->catalog->vbif_count; i++) { +- u32 vbif_idx = dpu_kms->catalog->vbif[i].id; +- +- if ((vbif_idx < VBIF_MAX) && dpu_kms->hw_vbif[vbif_idx]) { +- dpu_hw_vbif_destroy(dpu_kms->hw_vbif[vbif_idx]); +- dpu_kms->hw_vbif[vbif_idx] = NULL; ++ for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) { ++ if (dpu_kms->hw_vbif[i]) { ++ dpu_hw_vbif_destroy(dpu_kms->hw_vbif[i]); ++ dpu_kms->hw_vbif[i] = NULL; + } + } + } +@@ -1110,7 +1108,7 @@ static int dpu_kms_hw_init(struct msm_kms *kms) + for (i = 0; i < dpu_kms->catalog->vbif_count; i++) { + u32 vbif_idx = dpu_kms->catalog->vbif[i].id; + +- dpu_kms->hw_vbif[i] = dpu_hw_vbif_init(vbif_idx, ++ dpu_kms->hw_vbif[vbif_idx] = dpu_hw_vbif_init(vbif_idx, + dpu_kms->vbif[vbif_idx], dpu_kms->catalog); + if (IS_ERR_OR_NULL(dpu_kms->hw_vbif[vbif_idx])) { + rc = PTR_ERR(dpu_kms->hw_vbif[vbif_idx]); +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c +index 21d20373eb8b..a18fb649301c 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c +@@ -11,6 +11,14 @@ + #include "dpu_hw_vbif.h" + #include "dpu_trace.h" + ++static struct dpu_hw_vbif *dpu_get_vbif(struct dpu_kms *dpu_kms, enum dpu_vbif vbif_idx) ++{ ++ if (vbif_idx < ARRAY_SIZE(dpu_kms->hw_vbif)) ++ return dpu_kms->hw_vbif[vbif_idx]; ++ ++ return NULL; ++} ++ + /** + * _dpu_vbif_wait_for_xin_halt - wait for the xin to halt + * @vbif: Pointer to hardware vbif driver +@@ -148,20 +156,15 @@ static u32 _dpu_vbif_get_ot_limit(struct dpu_hw_vbif *vbif, + void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms, + struct dpu_vbif_set_ot_params *params) + { +- struct dpu_hw_vbif *vbif = NULL; ++ struct dpu_hw_vbif *vbif; + struct dpu_hw_mdp *mdp; + bool forced_on = false; + u32 ot_lim; +- int ret, i; ++ int ret; + + mdp = dpu_kms->hw_mdp; + +- for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) { +- if (dpu_kms->hw_vbif[i] && +- dpu_kms->hw_vbif[i]->idx == params->vbif_idx) +- vbif = dpu_kms->hw_vbif[i]; +- } +- ++ vbif = dpu_get_vbif(dpu_kms, params->vbif_idx); + if (!vbif || !mdp) { + DRM_DEBUG_ATOMIC("invalid arguments vbif %d mdp %d\n", + vbif != NULL, mdp != NULL); +@@ -204,7 +207,7 @@ void dpu_vbif_set_ot_limit(struct dpu_kms *dpu_kms, + void dpu_vbif_set_qos_remap(struct dpu_kms *dpu_kms, + struct dpu_vbif_set_qos_params *params) + { +- struct dpu_hw_vbif *vbif = NULL; ++ struct dpu_hw_vbif *vbif; + struct dpu_hw_mdp *mdp; + bool forced_on = false; + const struct dpu_vbif_qos_tbl *qos_tbl; +@@ -216,13 +219,7 @@ void dpu_vbif_set_qos_remap(struct dpu_kms *dpu_kms, + } + mdp = dpu_kms->hw_mdp; + +- for (i = 0; i < ARRAY_SIZE(dpu_kms->hw_vbif); i++) { +- if (dpu_kms->hw_vbif[i] && +- dpu_kms->hw_vbif[i]->idx == params->vbif_idx) { +- vbif = dpu_kms->hw_vbif[i]; +- break; +- } +- } ++ vbif = dpu_get_vbif(dpu_kms, params->vbif_idx); + + if (!vbif || !vbif->cap) { + DPU_ERROR("invalid vbif %d\n", params->vbif_idx); +-- +2.35.1 + diff --git a/queue-6.0/drm-msm-lookup-the-icc-paths-in-both-mdp5-dpu-and-md.patch b/queue-6.0/drm-msm-lookup-the-icc-paths-in-both-mdp5-dpu-and-md.patch new file mode 100644 index 00000000000..3d13710cd9a --- /dev/null +++ b/queue-6.0/drm-msm-lookup-the-icc-paths-in-both-mdp5-dpu-and-md.patch @@ -0,0 +1,130 @@ +From 3ea8208d49a0865f551e4eae0c25e6901de6e354 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Aug 2022 14:56:30 +0300 +Subject: drm/msm: lookup the ICC paths in both mdp5/dpu and mdss devices + +From: Dmitry Baryshkov + +[ Upstream commit 5ccdcecaf8f732f593e359ebfb65de96b11bae66 ] + +The commit 6874f48bb8b0 ("drm/msm: make mdp5/dpu devices master +components") changed the MDP5 driver to look for the interconnect paths +in the MDSS device rather than in the MDP5 device itself. This was left +unnoticed since on my testing devices the interconnects probably didn't +reach the sync state. + +Rather than just using the MDP5 device for ICC path lookups for the MDP5 +devices, introduce an additional helper to check both MDP5/DPU and MDSS +nodes. This will be helpful for the MDP5->DPU conversion, since the +driver will have to check both nodes. + +Fixes: 6874f48bb8b0 ("drm/msm: make mdp5/dpu devices master components") +Reported-by: Marijn Suijten +Reported-by: Yassine Oudjana +Signed-off-by: Dmitry Baryshkov +Tested-by: Marijn Suijten # On sdm630 +Tested-by: Yassine Oudjana # msm8996 +Patchwork: https://patchwork.freedesktop.org/patch/496488/ +Link: https://lore.kernel.org/r/20220805115630.506391-1-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 7 ++----- + drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c | 9 +++------ + drivers/gpu/drm/msm/msm_drv.h | 2 ++ + drivers/gpu/drm/msm/msm_io_utils.c | 22 ++++++++++++++++++++++ + 4 files changed, 29 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +index 008e1420e6e5..8646fd0603cb 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +@@ -384,12 +384,9 @@ static int dpu_kms_parse_data_bus_icc_path(struct dpu_kms *dpu_kms) + struct icc_path *path1; + struct drm_device *dev = dpu_kms->dev; + struct device *dpu_dev = dev->dev; +- struct device *mdss_dev = dpu_dev->parent; + +- /* Interconnects are a part of MDSS device tree binding, not the +- * MDP/DPU device. */ +- path0 = of_icc_get(mdss_dev, "mdp0-mem"); +- path1 = of_icc_get(mdss_dev, "mdp1-mem"); ++ path0 = msm_icc_get(dpu_dev, "mdp0-mem"); ++ path1 = msm_icc_get(dpu_dev, "mdp1-mem"); + + if (IS_ERR_OR_NULL(path0)) + return PTR_ERR_OR_ZERO(path0); +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c +index d2a48caf9d27..b0d21838a134 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c +@@ -902,12 +902,9 @@ static int mdp5_init(struct platform_device *pdev, struct drm_device *dev) + + static int mdp5_setup_interconnect(struct platform_device *pdev) + { +- /* Interconnects are a part of MDSS device tree binding, not the +- * MDP5 device. */ +- struct device *mdss_dev = pdev->dev.parent; +- struct icc_path *path0 = of_icc_get(mdss_dev, "mdp0-mem"); +- struct icc_path *path1 = of_icc_get(mdss_dev, "mdp1-mem"); +- struct icc_path *path_rot = of_icc_get(mdss_dev, "rotator-mem"); ++ struct icc_path *path0 = msm_icc_get(&pdev->dev, "mdp0-mem"); ++ struct icc_path *path1 = msm_icc_get(&pdev->dev, "mdp1-mem"); ++ struct icc_path *path_rot = msm_icc_get(&pdev->dev, "rotator-mem"); + + if (IS_ERR(path0)) + return PTR_ERR(path0); +diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h +index b3689a2d27d7..80da0d3cfdc1 100644 +--- a/drivers/gpu/drm/msm/msm_drv.h ++++ b/drivers/gpu/drm/msm/msm_drv.h +@@ -433,6 +433,8 @@ void __iomem *msm_ioremap_size(struct platform_device *pdev, const char *name, + phys_addr_t *size); + void __iomem *msm_ioremap_quiet(struct platform_device *pdev, const char *name); + ++struct icc_path *msm_icc_get(struct device *dev, const char *name); ++ + #define msm_writel(data, addr) writel((data), (addr)) + #define msm_readl(addr) readl((addr)) + +diff --git a/drivers/gpu/drm/msm/msm_io_utils.c b/drivers/gpu/drm/msm/msm_io_utils.c +index 7b504617833a..d02cd29ce829 100644 +--- a/drivers/gpu/drm/msm/msm_io_utils.c ++++ b/drivers/gpu/drm/msm/msm_io_utils.c +@@ -5,6 +5,8 @@ + * Author: Rob Clark + */ + ++#include ++ + #include "msm_drv.h" + + /* +@@ -124,3 +126,23 @@ void msm_hrtimer_work_init(struct msm_hrtimer_work *work, + work->worker = worker; + kthread_init_work(&work->work, fn); + } ++ ++struct icc_path *msm_icc_get(struct device *dev, const char *name) ++{ ++ struct device *mdss_dev = dev->parent; ++ struct icc_path *path; ++ ++ path = of_icc_get(dev, name); ++ if (path) ++ return path; ++ ++ /* ++ * If there are no interconnects attached to the corresponding device ++ * node, of_icc_get() will return NULL. ++ * ++ * If the MDP5/DPU device node doesn't have interconnects, lookup the ++ * path in the parent (MDSS) device. ++ */ ++ return of_icc_get(mdss_dev, name); ++ ++} +-- +2.35.1 + diff --git a/queue-6.0/drm-msm-make-.remove-and-.shutdown-hw-shutdown-consi.patch b/queue-6.0/drm-msm-make-.remove-and-.shutdown-hw-shutdown-consi.patch new file mode 100644 index 00000000000..704af1977ef --- /dev/null +++ b/queue-6.0/drm-msm-make-.remove-and-.shutdown-hw-shutdown-consi.patch @@ -0,0 +1,163 @@ +From 4dab53beae7aa74ee48b2d188b01c8c2cc4bedee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 15:46:12 +0200 +Subject: drm/msm: Make .remove and .shutdown HW shutdown consistent + +From: Javier Martinez Canillas + +[ Upstream commit 0a58d2ae572adaec8d046f8d35b40c2c32ac7468 ] + +Drivers' .remove and .shutdown callbacks are executed on different code +paths. The former is called when a device is removed from the bus, while +the latter is called at system shutdown time to quiesce the device. + +This means that some overlap exists between the two, because both have to +take care of properly shutting down the hardware. But currently the logic +used in these two callbacks isn't consistent in msm drivers, which could +lead to kernel panic. + +For example, on .remove the component is deleted and its .unbind callback +leads to the hardware being shutdown but only if the DRM device has been +marked as registered. + +That check doesn't exist in the .shutdown logic and this can lead to the +driver calling drm_atomic_helper_shutdown() for a DRM device that hasn't +been properly initialized. + +A situation like this can happen if drivers for expected sub-devices fail +to probe, since the .bind callback will never be executed. If that is the +case, drm_atomic_helper_shutdown() will attempt to take mutexes that are +only initialized if drm_mode_config_init() is called during a device bind. + +This bug was attempted to be fixed in commit 623f279c7781 ("drm/msm: fix +shutdown hook in case GPU components failed to bind"), but unfortunately +it still happens in some cases as the one mentioned above, i.e: + + systemd-shutdown[1]: Powering off. + kvm: exiting hardware virtualization + platform wifi-firmware.0: Removing from iommu group 12 + platform video-firmware.0: Removing from iommu group 10 + ------------[ cut here ]------------ + WARNING: CPU: 6 PID: 1 at drivers/gpu/drm/drm_modeset_lock.c:317 drm_modeset_lock_all_ctx+0x3c4/0x3d0 + ... + Hardware name: Google CoachZ (rev3+) (DT) + pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : drm_modeset_lock_all_ctx+0x3c4/0x3d0 + lr : drm_modeset_lock_all_ctx+0x48/0x3d0 + sp : ffff80000805bb80 + x29: ffff80000805bb80 x28: ffff327c00128000 x27: 0000000000000000 + x26: 0000000000000000 x25: 0000000000000001 x24: ffffc95d820ec030 + x23: ffff327c00bbd090 x22: ffffc95d8215eca0 x21: ffff327c039c5800 + x20: ffff327c039c5988 x19: ffff80000805bbe8 x18: 0000000000000034 + x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000 + x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 + x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000 + x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 + x2 : ffff327c00128000 x1 : 0000000000000000 x0 : ffff327c039c59b0 + Call trace: + drm_modeset_lock_all_ctx+0x3c4/0x3d0 + drm_atomic_helper_shutdown+0x70/0x134 + msm_drv_shutdown+0x30/0x40 + platform_shutdown+0x28/0x40 + device_shutdown+0x148/0x350 + kernel_power_off+0x38/0x80 + __do_sys_reboot+0x288/0x2c0 + __arm64_sys_reboot+0x28/0x34 + invoke_syscall+0x48/0x114 + el0_svc_common.constprop.0+0x44/0xec + do_el0_svc+0x2c/0xc0 + el0_svc+0x2c/0x84 + el0t_64_sync_handler+0x11c/0x150 + el0t_64_sync+0x18c/0x190 + ---[ end trace 0000000000000000 ]--- + Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 + Mem abort info: + ESR = 0x0000000096000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault + Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 + user pgtable: 4k pages, 48-bit VAs, pgdp=000000010eab1000 + [0000000000000018] pgd=0000000000000000, p4d=0000000000000000 + Internal error: Oops: 96000004 [#1] PREEMPT SMP + ... + Hardware name: Google CoachZ (rev3+) (DT) + pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : ww_mutex_lock+0x28/0x32c + lr : drm_modeset_lock_all_ctx+0x1b0/0x3d0 + sp : ffff80000805bb50 + x29: ffff80000805bb50 x28: ffff327c00128000 x27: 0000000000000000 + x26: 0000000000000000 x25: 0000000000000001 x24: 0000000000000018 + x23: ffff80000805bc10 x22: ffff327c039c5ad8 x21: ffff327c039c5800 + x20: ffff80000805bbe8 x19: 0000000000000018 x18: 0000000000000034 + x17: 000000040044ffff x16: ffffc95d80cac920 x15: 0000000000000000 + x14: 0000000000000315 x13: 0000000000000315 x12: 0000000000000000 + x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 + x8 : ffff80000805bc28 x7 : 0000000000000000 x6 : 0000000000000000 + x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 + x2 : ffff327c00128000 x1 : 0000000000000000 x0 : 0000000000000018 + Call trace: + ww_mutex_lock+0x28/0x32c + drm_modeset_lock_all_ctx+0x1b0/0x3d0 + drm_atomic_helper_shutdown+0x70/0x134 + msm_drv_shutdown+0x30/0x40 + platform_shutdown+0x28/0x40 + device_shutdown+0x148/0x350 + kernel_power_off+0x38/0x80 + __do_sys_reboot+0x288/0x2c0 + __arm64_sys_reboot+0x28/0x34 + invoke_syscall+0x48/0x114 + el0_svc_common.constprop.0+0x44/0xec + do_el0_svc+0x2c/0xc0 + el0_svc+0x2c/0x84 + el0t_64_sync_handler+0x11c/0x150 + el0t_64_sync+0x18c/0x190 + Code: aa0103f4 d503201f d2800001 aa0103e3 (c8e37c02) + ---[ end trace 0000000000000000 ]--- + Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b + Kernel Offset: 0x495d77c00000 from 0xffff800008000000 + PHYS_OFFSET: 0xffffcd8500000000 + CPU features: 0x800,00c2a015,19801c82 + Memory Limit: none + ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]--- + +Fixes: 9d5cbf5fe46e ("drm/msm: add shutdown support for display platform_driver") +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Abhinav Kumar +Link: https://patchwork.freedesktop.org/patch/msgid/20220816134612.916527-1-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index 16884db272de..0759e2d99f59 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -1244,10 +1244,15 @@ void msm_drv_shutdown(struct platform_device *pdev) + struct msm_drm_private *priv = platform_get_drvdata(pdev); + struct drm_device *drm = priv ? priv->dev : NULL; + +- if (!priv || !priv->kms) +- return; +- +- drm_atomic_helper_shutdown(drm); ++ /* ++ * Shutdown the hw if we're far enough along where things might be on. ++ * If we run this too early, we'll end up panicking in any variety of ++ * places. Since we don't register the drm device until late in ++ * msm_drm_init, drm_dev->registered is used as an indicator that the ++ * shutdown will be successful. ++ */ ++ if (drm && drm->registered) ++ drm_atomic_helper_shutdown(drm); + } + + static struct platform_driver msm_platform_driver = { +-- +2.35.1 + diff --git a/queue-6.0/drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch b/queue-6.0/drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch new file mode 100644 index 00000000000..ea31d6f1c87 --- /dev/null +++ b/queue-6.0/drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch @@ -0,0 +1,45 @@ +From cb3940d53ef05030063d94e6d33378da31bb9d81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jul 2022 17:43:06 +0800 +Subject: drm/nouveau/nouveau_bo: fix potential memory leak in + nouveau_bo_alloc() + +From: Jianglei Nie + +[ Upstream commit 6dc548745d5b5102e3c53dc5097296ac270b6c69 ] + +nouveau_bo_alloc() allocates a memory chunk for "nvbo" with kzalloc(). +When some error occurs, "nvbo" should be released. But when +WARN_ON(pi < 0)) equals true, the function return ERR_PTR without +releasing the "nvbo", which will lead to a memory leak. + +We should release the "nvbo" with kfree() if WARN_ON(pi < 0)) equals true. + +Signed-off-by: Jianglei Nie +Signed-off-by: Lyude Paul +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20220705094306.2244103-1-niejianglei2021@163.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_bo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_bo.c b/drivers/gpu/drm/nouveau/nouveau_bo.c +index e29175e4b44c..07a327ad5e2a 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_bo.c ++++ b/drivers/gpu/drm/nouveau/nouveau_bo.c +@@ -281,8 +281,10 @@ nouveau_bo_alloc(struct nouveau_cli *cli, u64 *size, int *align, u32 domain, + break; + } + +- if (WARN_ON(pi < 0)) ++ if (WARN_ON(pi < 0)) { ++ kfree(nvbo); + return ERR_PTR(-EINVAL); ++ } + + /* Disable compression if suitable settings couldn't be found. */ + if (nvbo->comp && !vmm->page[pi].comp) { +-- +2.35.1 + diff --git a/queue-6.0/drm-omap-dss-fix-refcount-leak-bugs.patch b/queue-6.0/drm-omap-dss-fix-refcount-leak-bugs.patch new file mode 100644 index 00000000000..09d41c54a1a --- /dev/null +++ b/queue-6.0/drm-omap-dss-fix-refcount-leak-bugs.patch @@ -0,0 +1,51 @@ +From 25c3cc48a1ffeae32ac21c3fcc721f4e3526fb95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 22:43:48 +0800 +Subject: drm/omap: dss: Fix refcount leak bugs + +From: Liang He + +[ Upstream commit 8b42057e62120813ebe9274f508fa785b7cab33a ] + +In dss_init_ports() and __dss_uninit_ports(), we should call +of_node_put() for the reference returned by of_graph_get_port_by_id() +in fail path or when it is not used anymore. + +Fixes: 09bffa6e5192 ("drm: omap: use common OF graph helpers") +Signed-off-by: Liang He +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20220722144348.1306569-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/omapdrm/dss/dss.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/omapdrm/dss/dss.c b/drivers/gpu/drm/omapdrm/dss/dss.c +index 0399f3390a0a..c4febb861910 100644 +--- a/drivers/gpu/drm/omapdrm/dss/dss.c ++++ b/drivers/gpu/drm/omapdrm/dss/dss.c +@@ -1176,6 +1176,7 @@ static void __dss_uninit_ports(struct dss_device *dss, unsigned int num_ports) + default: + break; + } ++ of_node_put(port); + } + } + +@@ -1208,11 +1209,13 @@ static int dss_init_ports(struct dss_device *dss) + default: + break; + } ++ of_node_put(port); + } + + return 0; + + error: ++ of_node_put(port); + __dss_uninit_ports(dss, i); + return r; + } +-- +2.35.1 + diff --git a/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-anbernic-.patch b/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-anbernic-.patch new file mode 100644 index 00000000000..56f26c37ce6 --- /dev/null +++ b/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-anbernic-.patch @@ -0,0 +1,41 @@ +From e519901f5d820dc5daee9c8b0b8ce2620ced0e26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 20:24:03 +0200 +Subject: drm: panel-orientation-quirks: Add quirk for Anbernic Win600 + +From: Maya Matuszczyk + +[ Upstream commit 770e19076065e079a32f33eb11be2057c87f1cde ] + +This device is another x86 gaming handheld, and as (hopefully) there is +only one set of DMI IDs it's using DMI_EXACT_MATCH + +Signed-off-by: Maya Matuszczyk +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20220803182402.1217293-1-maccraft123mc@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index fc1728d46ac2..64b194af003c 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -128,6 +128,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "One S1003"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, ++ }, { /* Anbernic Win600 */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Anbernic"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Win600"), ++ }, ++ .driver_data = (void *)&lcd720x1280_rightside_up, + }, { /* Asus T100HA */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +-- +2.35.1 + diff --git a/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-aya-neo-a.patch b/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-aya-neo-a.patch new file mode 100644 index 00000000000..354743c05f0 --- /dev/null +++ b/queue-6.0/drm-panel-orientation-quirks-add-quirk-for-aya-neo-a.patch @@ -0,0 +1,55 @@ +From f850b74a22166d977391ea278c009af8559139bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 21:19:47 +0200 +Subject: drm: panel-orientation-quirks: Add quirk for Aya Neo Air + +From: Maya Matuszczyk + +[ Upstream commit e10ea7b9b90219da305a16b3c1252169715a807b ] + +Yet another x86 gaming handheld. + +This one has many SKUs with quite a few of DMI strings, +so let's just use a catchall, just as with Aya Neo Next. + +Signed-off-by: Maya Matuszczyk +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20220825191946.1678798-1-maccraft123mc@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index 64b194af003c..8a0c0e0bb5bd 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -103,6 +103,12 @@ static const struct drm_dmi_panel_orientation_data lcd800x1280_rightside_up = { + .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, + }; + ++static const struct drm_dmi_panel_orientation_data lcd1080x1920_leftside_up = { ++ .width = 1080, ++ .height = 1920, ++ .orientation = DRM_MODE_PANEL_ORIENTATION_LEFT_UP, ++}; ++ + static const struct drm_dmi_panel_orientation_data lcd1200x1920_rightside_up = { + .width = 1200, + .height = 1920, +@@ -158,6 +164,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYA NEO 2021"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, ++ }, { /* AYA NEO AIR */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"), ++ DMI_MATCH(DMI_BOARD_NAME, "AIR"), ++ }, ++ .driver_data = (void *)&lcd1080x1920_leftside_up, + }, { /* AYA NEO NEXT */ + .matches = { + DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "AYANEO"), +-- +2.35.1 + diff --git a/queue-6.0/drm-panel-use-select-for-ili9341-panel-driver-helper.patch b/queue-6.0/drm-panel-use-select-for-ili9341-panel-driver-helper.patch new file mode 100644 index 00000000000..962544c5c81 --- /dev/null +++ b/queue-6.0/drm-panel-use-select-for-ili9341-panel-driver-helper.patch @@ -0,0 +1,53 @@ +From 3bbcba2eef85f228da06054e1cd4e544159d407d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 17:42:27 -0700 +Subject: drm/panel: use 'select' for Ili9341 panel driver helpers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 84dfc46594b0167e5d3736273b0e0e05365da641 ] + +Use 'select' instead of 'depends on' for DRM helpers for the +Ilitek ILI9341 panel driver. +This is what is done in the vast majority of other cases and +this makes it possible to fix a build error with drm_mipi_dbi. + +Fixes: 5a04227326b0 ("drm/panel: Add ilitek ili9341 panel driver") +Signed-off-by: Randy Dunlap +Cc: Dillon Min +Cc: Linus Walleij +Cc: Sam Ravnborg +Cc: Noralf Trønnes +Cc: Thomas Zimmermann +Cc: Thierry Reding +Cc: dri-devel@lists.freedesktop.org +Cc: David Airlie +Cc: Daniel Vetter +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20220823004227.10820-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/panel/Kconfig b/drivers/gpu/drm/panel/Kconfig +index a9043eacce97..a582ddd583c2 100644 +--- a/drivers/gpu/drm/panel/Kconfig ++++ b/drivers/gpu/drm/panel/Kconfig +@@ -165,8 +165,8 @@ config DRM_PANEL_ILITEK_IL9322 + config DRM_PANEL_ILITEK_ILI9341 + tristate "Ilitek ILI9341 240x320 QVGA panels" + depends on OF && SPI +- depends on DRM_KMS_HELPER +- depends on DRM_GEM_CMA_HELPER ++ select DRM_KMS_HELPER ++ select DRM_GEM_DMA_HELPER + depends on BACKLIGHT_CLASS_DEVICE + select DRM_MIPI_DBI + help +-- +2.35.1 + diff --git a/queue-6.0/drm-pl111-add-of_node_put-when-breaking-out-of-for_e.patch b/queue-6.0/drm-pl111-add-of_node_put-when-breaking-out-of-for_e.patch new file mode 100644 index 00000000000..2bbbb811221 --- /dev/null +++ b/queue-6.0/drm-pl111-add-of_node_put-when-breaking-out-of-for_e.patch @@ -0,0 +1,41 @@ +From 15ed5e266c14227359ce2eb34d320998c2d99f20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 21:15:50 +0800 +Subject: drm:pl111: Add of_node_put() when breaking out of + for_each_available_child_of_node() + +From: Liang He + +[ Upstream commit e0686dc6f2252e009c455fe99e2ce9d62a60eb47 ] + +The reference 'child' in the iteration of for_each_available_child_of_node() +is only escaped out into a local variable which is only used to check +its value. So we still need to the of_node_put() when breaking of the +for_each_available_child_of_node() which will automatically increase +and decrease the refcount. + +Fixes: ca454bd42dc2 ("drm/pl111: Support the Versatile Express") +Signed-off-by: Liang He +Reviewed-by: Rob Herring +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20220711131550.361350-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/pl111/pl111_versatile.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/pl111/pl111_versatile.c b/drivers/gpu/drm/pl111/pl111_versatile.c +index efb01a554574..1b436b75fd39 100644 +--- a/drivers/gpu/drm/pl111/pl111_versatile.c ++++ b/drivers/gpu/drm/pl111/pl111_versatile.c +@@ -404,6 +404,7 @@ static int pl111_vexpress_clcd_init(struct device *dev, struct device_node *np, + if (of_device_is_compatible(child, "arm,pl111")) { + has_coretile_clcd = true; + ct_clcd = child; ++ of_node_put(child); + break; + } + if (of_device_is_compatible(child, "arm,hdlcd")) { +-- +2.35.1 + diff --git a/queue-6.0/drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch b/queue-6.0/drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch new file mode 100644 index 00000000000..80911b90d8f --- /dev/null +++ b/queue-6.0/drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch @@ -0,0 +1,87 @@ +From a8e68457e36276e93ed5b912ada727130800e720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jul 2022 12:02:14 +0200 +Subject: drm: Prevent drm_copy_field() to attempt copying a NULL pointer + +From: Javier Martinez Canillas + +[ Upstream commit f6ee30407e883042482ad4ad30da5eaba47872ee ] + +There are some struct drm_driver fields that are required by drivers since +drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION. + +But it can be possible that a driver has a bug and did not set some of the +fields, which leads to drm_copy_field() attempting to copy a NULL pointer: + +[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 +[ +0.010955] Mem abort info: +[ +0.002835] ESR = 0x0000000096000004 +[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits +[ +0.005395] SET = 0, FnV = 0 +[ +0.003113] EA = 0, S1PTW = 0 +[ +0.003182] FSC = 0x04: level 0 translation fault +[ +0.004964] Data abort info: +[ +0.002919] ISV = 0, ISS = 0x00000004 +[ +0.003886] CM = 0, WnR = 0 +[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000 +[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 +[ +0.006925] Internal error: Oops: 96000004 [#1] SMP +... +[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ +0.007061] pc : __pi_strlen+0x14/0x150 +[ +0.003895] lr : drm_copy_field+0x30/0x1a4 +[ +0.004156] sp : ffff8000094b3a50 +[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040 +[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040 +[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000 +[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000 +[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40 +[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 +[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8 +[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141 +[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 +[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000 +[ +0.007240] Call trace: +[ +0.002475] __pi_strlen+0x14/0x150 +[ +0.003537] drm_version+0x84/0xac +[ +0.003448] drm_ioctl_kernel+0xa8/0x16c +[ +0.003975] drm_ioctl+0x270/0x580 +[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc +[ +0.003978] invoke_syscall+0x78/0x100 +[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4 +[ +0.004767] do_el0_svc+0x38/0x4c +[ +0.003357] el0_svc+0x34/0x100 +[ +0.003185] el0t_64_sync_handler+0x11c/0x150 +[ +0.004418] el0t_64_sync+0x190/0x194 +[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02) +[ +0.006180] ---[ end trace 0000000000000000 ]--- + +Reported-by: Peter Robinson +Signed-off-by: Javier Martinez Canillas +Acked-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-3-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_ioctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c +index e1b9a03e619c..ca2a6e6101dc 100644 +--- a/drivers/gpu/drm/drm_ioctl.c ++++ b/drivers/gpu/drm/drm_ioctl.c +@@ -474,6 +474,12 @@ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value) + { + size_t len; + ++ /* don't attempt to copy a NULL pointer */ ++ if (WARN_ONCE(!value, "BUG: the value to copy was not set!")) { ++ *buf_len = 0; ++ return 0; ++ } ++ + /* don't overflow userbuf */ + len = strlen(value); + if (len > *buf_len) +-- +2.35.1 + diff --git a/queue-6.0/drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch b/queue-6.0/drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch new file mode 100644 index 00000000000..a9726be72ad --- /dev/null +++ b/queue-6.0/drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch @@ -0,0 +1,48 @@ +From 256123fd0dd631be31870e0ac94f38637ae9d5d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jul 2022 12:02:13 +0200 +Subject: drm: Use size_t type for len variable in drm_copy_field() + +From: Javier Martinez Canillas + +[ Upstream commit 94dc3471d1b2b58b3728558d0e3f264e9ce6ff59 ] + +The strlen() function returns a size_t which is an unsigned int on 32-bit +arches and an unsigned long on 64-bit arches. But in the drm_copy_field() +function, the strlen() return value is assigned to an 'int len' variable. + +Later, the len variable is passed as copy_from_user() third argument that +is an unsigned long parameter as well. + +In theory, this can lead to an integer overflow via type conversion. Since +the assignment happens to a signed int lvalue instead of a size_t lvalue. + +In practice though, that's unlikely since the values copied are set by DRM +drivers and not controlled by userspace. But using a size_t for len is the +correct thing to do anyways. + +Signed-off-by: Javier Martinez Canillas +Tested-by: Peter Robinson +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-2-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c +index 8faad23dc1d8..e1b9a03e619c 100644 +--- a/drivers/gpu/drm/drm_ioctl.c ++++ b/drivers/gpu/drm/drm_ioctl.c +@@ -472,7 +472,7 @@ EXPORT_SYMBOL(drm_invalid_op); + */ + static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value) + { +- int len; ++ size_t len; + + /* don't overflow userbuf */ + len = strlen(value); +-- +2.35.1 + diff --git a/queue-6.0/drm-vc4-drv-call-component_unbind_all.patch b/queue-6.0/drm-vc4-drv-call-component_unbind_all.patch new file mode 100644 index 00000000000..19a54ec0b8a --- /dev/null +++ b/queue-6.0/drm-vc4-drv-call-component_unbind_all.patch @@ -0,0 +1,87 @@ +From 851c5d9accd06c1405a4346e783deed0eac1406c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 19:38:42 +0200 +Subject: drm/vc4: drv: Call component_unbind_all() + +From: Maxime Ripard + +[ Upstream commit 6cf61bf49c9bdb9ba2d33be812d90dd406326c6c ] + +While we were using the component framework to deal with all the DRM +subdevices, we were not calling component_unbind_all(). + +This leads to none of the subdevices freeing up their resources as part of +their unbind() or device managed hooks. + +Fixes: c8b75bca92cb ("drm/vc4: Add KMS support for Raspberry Pi.") +Acked-by: Thomas Zimmermann +Reviewed-by: Dave Stevenson +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20220711173939.1132294-13-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_drv.c | 14 ++++++++++++-- + drivers/gpu/drm/vc4/vc4_drv.h | 1 + + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_drv.c b/drivers/gpu/drm/vc4/vc4_drv.c +index 292d1b6a01b6..6b8dfa1e7650 100644 +--- a/drivers/gpu/drm/vc4/vc4_drv.c ++++ b/drivers/gpu/drm/vc4/vc4_drv.c +@@ -267,6 +267,13 @@ static void vc4_match_add_drivers(struct device *dev, + } + } + ++static void vc4_component_unbind_all(void *ptr) ++{ ++ struct vc4_dev *vc4 = ptr; ++ ++ component_unbind_all(vc4->dev, &vc4->base); ++} ++ + static const struct of_device_id vc4_dma_range_matches[] = { + { .compatible = "brcm,bcm2711-hvs" }, + { .compatible = "brcm,bcm2835-hvs" }, +@@ -310,6 +317,7 @@ static int vc4_drm_bind(struct device *dev) + if (IS_ERR(vc4)) + return PTR_ERR(vc4); + vc4->is_vc5 = is_vc5; ++ vc4->dev = dev; + + drm = &vc4->base; + platform_set_drvdata(pdev, drm); +@@ -360,6 +368,10 @@ static int vc4_drm_bind(struct device *dev) + if (ret) + return ret; + ++ ret = devm_add_action_or_reset(dev, vc4_component_unbind_all, vc4); ++ if (ret) ++ return ret; ++ + ret = vc4_plane_create_additional_planes(drm); + if (ret) + goto unbind_all; +@@ -380,8 +392,6 @@ static int vc4_drm_bind(struct device *dev) + return 0; + + unbind_all: +- component_unbind_all(dev, drm); +- + return ret; + } + +diff --git a/drivers/gpu/drm/vc4/vc4_drv.h b/drivers/gpu/drm/vc4/vc4_drv.h +index 1beb96b77b8c..950056b83843 100644 +--- a/drivers/gpu/drm/vc4/vc4_drv.h ++++ b/drivers/gpu/drm/vc4/vc4_drv.h +@@ -76,6 +76,7 @@ struct vc4_perfmon { + + struct vc4_dev { + struct drm_device base; ++ struct device *dev; + + bool is_vc5; + +-- +2.35.1 + diff --git a/queue-6.0/drm-vc4-txp-protect-device-resources.patch b/queue-6.0/drm-vc4-txp-protect-device-resources.patch new file mode 100644 index 00000000000..34dccf16c10 --- /dev/null +++ b/queue-6.0/drm-vc4-txp-protect-device-resources.patch @@ -0,0 +1,120 @@ +From 89ec9d5fb2c26c5d5cfa6f6e908aade485cec799 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 19:39:23 +0200 +Subject: drm/vc4: txp: Protect device resources + +From: Maxime Ripard + +[ Upstream commit b7345c9799da578c150fde3072446e4049c39c41 ] + +Our current code now mixes some resources whose lifetime are tied to the +device (clocks, IO mappings, etc.) and some that are tied to the DRM device +(encoder, bridge). + +The device one will be freed at unbind time, but the DRM one will only be +freed when the last user of the DRM device closes its file handle. + +So we end up with a time window during which we can call the encoder hooks, +but we don't have access to the underlying resources and device. + +Let's protect all those sections with drm_dev_enter() and drm_dev_exit() so +that we bail out if we are during that window. + +Acked-by: Thomas Zimmermann +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20220711173939.1132294-54-maxime@cerno.tech +Stable-dep-of: fcfd3e5fb2f0 ("drm/lcdif: Clean up headers") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_txp.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_txp.c b/drivers/gpu/drm/vc4/vc4_txp.c +index d20b0bc51a18..a6724f15b107 100644 +--- a/drivers/gpu/drm/vc4/vc4_txp.c ++++ b/drivers/gpu/drm/vc4/vc4_txp.c +@@ -15,6 +15,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -276,6 +277,7 @@ static int vc4_txp_connector_atomic_check(struct drm_connector *conn, + static void vc4_txp_connector_atomic_commit(struct drm_connector *conn, + struct drm_atomic_state *state) + { ++ struct drm_device *drm = conn->dev; + struct drm_connector_state *conn_state = drm_atomic_get_new_connector_state(state, + conn); + struct vc4_txp *txp = connector_to_vc4_txp(conn); +@@ -283,6 +285,7 @@ static void vc4_txp_connector_atomic_commit(struct drm_connector *conn, + struct drm_display_mode *mode; + struct drm_framebuffer *fb; + u32 ctrl; ++ int idx; + int i; + + if (WARN_ON(!conn_state->writeback_job)) +@@ -312,6 +315,9 @@ static void vc4_txp_connector_atomic_commit(struct drm_connector *conn, + */ + ctrl |= TXP_ALPHA_INVERT; + ++ if (!drm_dev_enter(drm, &idx)) ++ return; ++ + gem = drm_fb_cma_get_gem_obj(fb, 0); + TXP_WRITE(TXP_DST_PTR, gem->paddr + fb->offsets[0]); + TXP_WRITE(TXP_DST_PITCH, fb->pitches[0]); +@@ -322,6 +328,8 @@ static void vc4_txp_connector_atomic_commit(struct drm_connector *conn, + TXP_WRITE(TXP_DST_CTRL, ctrl); + + drm_writeback_queue_job(&txp->connector, conn_state); ++ ++ drm_dev_exit(idx); + } + + static const struct drm_connector_helper_funcs vc4_txp_connector_helper_funcs = { +@@ -354,7 +362,12 @@ static const struct drm_connector_funcs vc4_txp_connector_funcs = { + + static void vc4_txp_encoder_disable(struct drm_encoder *encoder) + { ++ struct drm_device *drm = encoder->dev; + struct vc4_txp *txp = encoder_to_vc4_txp(encoder); ++ int idx; ++ ++ if (!drm_dev_enter(drm, &idx)) ++ return; + + if (TXP_READ(TXP_DST_CTRL) & TXP_BUSY) { + unsigned long timeout = jiffies + msecs_to_jiffies(1000); +@@ -369,6 +382,8 @@ static void vc4_txp_encoder_disable(struct drm_encoder *encoder) + } + + TXP_WRITE(TXP_DST_CTRL, TXP_POWERDOWN); ++ ++ drm_dev_exit(idx); + } + + static const struct drm_encoder_helper_funcs vc4_txp_encoder_helper_funcs = { +@@ -453,6 +468,16 @@ static irqreturn_t vc4_txp_interrupt(int irq, void *data) + struct vc4_txp *txp = data; + struct vc4_crtc *vc4_crtc = &txp->base; + ++ /* ++ * We don't need to protect the register access using ++ * drm_dev_enter() there because the interrupt handler lifetime ++ * is tied to the device itself, and not to the DRM device. ++ * ++ * So when the device will be gone, one of the first thing we ++ * will be doing will be to unregister the interrupt handler, ++ * and then unregister the DRM device. drm_dev_enter() would ++ * thus always succeed if we are here. ++ */ + TXP_WRITE(TXP_DST_CTRL, TXP_READ(TXP_DST_CTRL) & ~TXP_EI); + vc4_crtc_handle_vblank(vc4_crtc); + drm_writeback_signal_completion(&txp->connector, 0); +-- +2.35.1 + diff --git a/queue-6.0/drm-vc4-vec-fix-timings-for-vec-modes.patch b/queue-6.0/drm-vc4-vec-fix-timings-for-vec-modes.patch new file mode 100644 index 00000000000..96fbf455b10 --- /dev/null +++ b/queue-6.0/drm-vc4-vec-fix-timings-for-vec-modes.patch @@ -0,0 +1,54 @@ +From db8511102c7fd0545c93a13a261c78e08e532d78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 15:11:42 +0200 +Subject: drm/vc4: vec: Fix timings for VEC modes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mateusz Kwiatkowski + +[ Upstream commit 30d7565be96b3946c18a1ce3fd538f7946839092 ] + +This commit fixes vertical timings of the VEC (composite output) modes +to accurately represent the 525-line ("NTSC") and 625-line ("PAL") ITU-R +standards. + +Previous timings were actually defined as 502 and 601 lines, resulting +in non-standard 62.69 Hz and 52 Hz signals being generated, +respectively. + +Signed-off-by: Mateusz Kwiatkowski +Acked-by: Noralf Trønnes +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20220728-rpi-analog-tv-properties-v2-28-459522d653a7@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_vec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_vec.c b/drivers/gpu/drm/vc4/vc4_vec.c +index 11fc3d6f66b1..4e2250b8fa23 100644 +--- a/drivers/gpu/drm/vc4/vc4_vec.c ++++ b/drivers/gpu/drm/vc4/vc4_vec.c +@@ -256,7 +256,7 @@ static void vc4_vec_ntsc_j_mode_set(struct vc4_vec *vec) + static const struct drm_display_mode ntsc_mode = { + DRM_MODE("720x480", DRM_MODE_TYPE_DRIVER, 13500, + 720, 720 + 14, 720 + 14 + 64, 720 + 14 + 64 + 60, 0, +- 480, 480 + 3, 480 + 3 + 3, 480 + 3 + 3 + 16, 0, ++ 480, 480 + 7, 480 + 7 + 6, 525, 0, + DRM_MODE_FLAG_INTERLACE) + }; + +@@ -278,7 +278,7 @@ static void vc4_vec_pal_m_mode_set(struct vc4_vec *vec) + static const struct drm_display_mode pal_mode = { + DRM_MODE("720x576", DRM_MODE_TYPE_DRIVER, 13500, + 720, 720 + 20, 720 + 20 + 64, 720 + 20 + 64 + 60, 0, +- 576, 576 + 2, 576 + 2 + 3, 576 + 2 + 3 + 20, 0, ++ 576, 576 + 4, 576 + 4 + 6, 625, 0, + DRM_MODE_FLAG_INTERLACE) + }; + +-- +2.35.1 + diff --git a/queue-6.0/drm-virtio-correct-drm_gem_shmem_get_sg_table-error-.patch b/queue-6.0/drm-virtio-correct-drm_gem_shmem_get_sg_table-error-.patch new file mode 100644 index 00000000000..3e81934d845 --- /dev/null +++ b/queue-6.0/drm-virtio-correct-drm_gem_shmem_get_sg_table-error-.patch @@ -0,0 +1,39 @@ +From c9facf04f10517b55f86dd5e5008904407c721d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jun 2022 23:07:18 +0300 +Subject: drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling + +From: Dmitry Osipenko + +[ Upstream commit 64b88afbd92fbf434759d1896a7cf705e1c00e79 ] + +Previous commit fixed checking of the ERR_PTR value returned by +drm_gem_shmem_get_sg_table(), but it missed to zero out the shmem->pages, +which will crash virtio_gpu_cleanup_object(). Add the missing zeroing of +the shmem->pages. + +Fixes: c24968734abf ("drm/virtio: Fix NULL vs IS_ERR checking in virtio_gpu_object_shmem_init") +Reviewed-by: Emil Velikov +Signed-off-by: Dmitry Osipenko +Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-2-dmitry.osipenko@collabora.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_object.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_object.c b/drivers/gpu/drm/virtio/virtgpu_object.c +index b38c338211aa..75a159df0af6 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_object.c ++++ b/drivers/gpu/drm/virtio/virtgpu_object.c +@@ -170,6 +170,7 @@ static int virtio_gpu_object_shmem_init(struct virtio_gpu_device *vgdev, + shmem->pages = drm_gem_shmem_get_sg_table(&bo->base); + if (IS_ERR(shmem->pages)) { + drm_gem_shmem_unpin(&bo->base); ++ shmem->pages = NULL; + return PTR_ERR(shmem->pages); + } + +-- +2.35.1 + diff --git a/queue-6.0/drm-virtio-fix-same-context-optimization.patch b/queue-6.0/drm-virtio-fix-same-context-optimization.patch new file mode 100644 index 00000000000..c2ec4df26d7 --- /dev/null +++ b/queue-6.0/drm-virtio-fix-same-context-optimization.patch @@ -0,0 +1,38 @@ +From d6bdb7e5a8095a013642f94db89ea243f96e669f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Aug 2022 15:40:00 -0700 +Subject: drm/virtio: Fix same-context optimization + +From: Rob Clark + +[ Upstream commit 3007dc2af6e86ac00b4daf7414142637fdf50bfa ] + +When VIRTGPU_EXECBUF_RING_IDX is used, we should be considering the +timeline that the EB if running on rather than the global driver fence +context. + +Fixes: 85c83ea915ed ("drm/virtio: implement context init: allocate an array of fence contexts") +Signed-off-by: Rob Clark +Link: http://patchwork.freedesktop.org/patch/msgid/20220812224001.2806463-1-robdclark@gmail.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +index 9b2702116f93..3b1701607aae 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c ++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +@@ -168,7 +168,7 @@ static int virtio_gpu_execbuffer_ioctl(struct drm_device *dev, void *data, + * array contains any fence from a foreign context. + */ + ret = 0; +- if (!dma_fence_match_context(in_fence, vgdev->fence_drv.context)) ++ if (!dma_fence_match_context(in_fence, fence_ctx + ring_idx)) + ret = dma_fence_wait(in_fence, true); + + dma_fence_put(in_fence); +-- +2.35.1 + diff --git a/queue-6.0/drm-virtio-set-fb_modifiers_not_supported.patch b/queue-6.0/drm-virtio-set-fb_modifiers_not_supported.patch new file mode 100644 index 00000000000..bad1c523b57 --- /dev/null +++ b/queue-6.0/drm-virtio-set-fb_modifiers_not_supported.patch @@ -0,0 +1,41 @@ +From a2730912fddf4a69dd12904d24d7c72e6094f125 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 12:06:01 -0700 +Subject: drm/virtio: set fb_modifiers_not_supported + +From: Chia-I Wu + +[ Upstream commit 85faca8ca0f659263b5fb2385e4c231cc075bd84 ] + +Without this, the drm core advertises LINEAR modifier which is +incorrect. + +Also userspace virgl does not support modifiers. For example, it causes +chrome on ozone/drm to fail with "Failed to create scanout buffer". + +Fixes: 2af104290da5 ("drm: introduce fb_modifiers_not_supported flag in mode_config") +Suggested-by: Shao-Chuan Lee +Signed-off-by: Chia-I Wu +Link: http://patchwork.freedesktop.org/patch/msgid/20220831190601.1295129-1-olvaffe@gmail.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_display.c b/drivers/gpu/drm/virtio/virtgpu_display.c +index 5c7f198c0712..9ea7611a9e0f 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_display.c ++++ b/drivers/gpu/drm/virtio/virtgpu_display.c +@@ -349,6 +349,8 @@ int virtio_gpu_modeset_init(struct virtio_gpu_device *vgdev) + vgdev->ddev->mode_config.max_width = XRES_MAX; + vgdev->ddev->mode_config.max_height = YRES_MAX; + ++ vgdev->ddev->mode_config.fb_modifiers_not_supported = true; ++ + for (i = 0 ; i < vgdev->num_scanouts; ++i) + vgdev_output_init(vgdev, i); + +-- +2.35.1 + diff --git a/queue-6.0/drm-vmwgfx-fix-memory-leak-in-vmw_mksstat_add_ioctl.patch b/queue-6.0/drm-vmwgfx-fix-memory-leak-in-vmw_mksstat_add_ioctl.patch new file mode 100644 index 00000000000..36aaff3919e --- /dev/null +++ b/queue-6.0/drm-vmwgfx-fix-memory-leak-in-vmw_mksstat_add_ioctl.patch @@ -0,0 +1,38 @@ +From a9e265e8e0cb222a40c36918da88477fd843701e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 17:47:51 -0300 +Subject: drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl() + +From: Rafael Mendonca + +[ Upstream commit a40c7f61d12fbd1e785e59140b9efd57127c0c33 ] + +If the copy of the description string from userspace fails, then the page +for the instance descriptor doesn't get freed before returning -EFAULT, +which leads to a memleak. + +Fixes: 7a7a933edd6c ("drm/vmwgfx: Introduce VMware mks-guest-stats") +Signed-off-by: Rafael Mendonca +Reviewed-by: Martin Krastev +Signed-off-by: Zack Rusin +Link: https://patchwork.freedesktop.org/patch/msgid/20220916204751.720716-1-rafaelmendsr@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c +index 2aceac7856e2..089046fa21be 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.c +@@ -1076,6 +1076,7 @@ int vmw_mksstat_add_ioctl(struct drm_device *dev, void *data, + + if (desc_len < 0) { + atomic_set(&dev_priv->mksstat_user_pids[slot], 0); ++ __free_page(page); + return -EFAULT; + } + +-- +2.35.1 + diff --git a/queue-6.0/dt-bindings-arm-ti-k3-sort-the-am654-board-enums.patch b/queue-6.0/dt-bindings-arm-ti-k3-sort-the-am654-board-enums.patch new file mode 100644 index 00000000000..f342168fb9e --- /dev/null +++ b/queue-6.0/dt-bindings-arm-ti-k3-sort-the-am654-board-enums.patch @@ -0,0 +1,44 @@ +From d60faea58303f87d3fb72023ea7c797b8b1b1a7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 11:05:06 -0500 +Subject: dt-bindings: arm: ti: k3: Sort the am654 board enums + +From: Nishanth Menon + +[ Upstream commit 5f120a4dc7a71187fdae0a11f6c65b7e2cf7a2d7 ] + +Use alphabetical sort to organize the am654 board names. + +Suggested-by: Krzysztof Kozlowski +Signed-off-by: Nishanth Menon +Signed-off-by: Vignesh Raghavendra +Acked-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220830160507.7726-2-nm@ti.com +Stable-dep-of: 0d0a0b441346 ("arm64: dts: ti: k3-j7200: fix main pinmux range") +Signed-off-by: Sasha Levin +--- + Documentation/devicetree/bindings/arm/ti/k3.yaml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/Documentation/devicetree/bindings/arm/ti/k3.yaml b/Documentation/devicetree/bindings/arm/ti/k3.yaml +index 61c6ab4f52e2..7e93e87dcdf4 100644 +--- a/Documentation/devicetree/bindings/arm/ti/k3.yaml ++++ b/Documentation/devicetree/bindings/arm/ti/k3.yaml +@@ -22,11 +22,11 @@ properties: + - description: K3 AM654 SoC + items: + - enum: +- - ti,am654-evm +- - siemens,iot2050-basic +- - siemens,iot2050-basic-pg2 + - siemens,iot2050-advanced + - siemens,iot2050-advanced-pg2 ++ - siemens,iot2050-basic ++ - siemens,iot2050-basic-pg2 ++ - ti,am654-evm + - const: ti,am654 + + - description: K3 J721E SoC +-- +2.35.1 + diff --git a/queue-6.0/dt-bindings-clock-exynosautov9-correct-clock-numberi.patch b/queue-6.0/dt-bindings-clock-exynosautov9-correct-clock-numberi.patch new file mode 100644 index 00000000000..5c894e121ad --- /dev/null +++ b/queue-6.0/dt-bindings-clock-exynosautov9-correct-clock-numberi.patch @@ -0,0 +1,103 @@ +From c08000f765db0f59135071785a8ba5999d7ce03b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 11:13:55 +0900 +Subject: dt-bindings: clock: exynosautov9: correct clock numbering of + peric0/c1 + +From: Chanho Park + +[ Upstream commit b6740089b740b842d5e6ff55b4b2c3bf5961c69a ] + +There are duplicated definitions of peric0 and peric1 cmu blocks. Thus, +they should be defined correctly as numerical order. + +Fixes: 680e1c8370a2 ("dt-bindings: clock: add clock binding definitions for Exynos Auto v9") +Signed-off-by: Chanho Park +Reviewed-by: Krzysztof Kozlowski +Acked-by: Chanwoo Choi +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220727021357.152421-2-chanho61.park@samsung.com +Signed-off-by: Sasha Levin +--- + .../dt-bindings/clock/samsung,exynosautov9.h | 56 +++++++++---------- + 1 file changed, 28 insertions(+), 28 deletions(-) + +diff --git a/include/dt-bindings/clock/samsung,exynosautov9.h b/include/dt-bindings/clock/samsung,exynosautov9.h +index ea9f91b4eb1a..a7db6516593f 100644 +--- a/include/dt-bindings/clock/samsung,exynosautov9.h ++++ b/include/dt-bindings/clock/samsung,exynosautov9.h +@@ -226,21 +226,21 @@ + #define CLK_GOUT_PERIC0_IPCLK_8 28 + #define CLK_GOUT_PERIC0_IPCLK_9 29 + #define CLK_GOUT_PERIC0_IPCLK_10 30 +-#define CLK_GOUT_PERIC0_IPCLK_11 30 +-#define CLK_GOUT_PERIC0_PCLK_0 31 +-#define CLK_GOUT_PERIC0_PCLK_1 32 +-#define CLK_GOUT_PERIC0_PCLK_2 33 +-#define CLK_GOUT_PERIC0_PCLK_3 34 +-#define CLK_GOUT_PERIC0_PCLK_4 35 +-#define CLK_GOUT_PERIC0_PCLK_5 36 +-#define CLK_GOUT_PERIC0_PCLK_6 37 +-#define CLK_GOUT_PERIC0_PCLK_7 38 +-#define CLK_GOUT_PERIC0_PCLK_8 39 +-#define CLK_GOUT_PERIC0_PCLK_9 40 +-#define CLK_GOUT_PERIC0_PCLK_10 41 +-#define CLK_GOUT_PERIC0_PCLK_11 42 ++#define CLK_GOUT_PERIC0_IPCLK_11 31 ++#define CLK_GOUT_PERIC0_PCLK_0 32 ++#define CLK_GOUT_PERIC0_PCLK_1 33 ++#define CLK_GOUT_PERIC0_PCLK_2 34 ++#define CLK_GOUT_PERIC0_PCLK_3 35 ++#define CLK_GOUT_PERIC0_PCLK_4 36 ++#define CLK_GOUT_PERIC0_PCLK_5 37 ++#define CLK_GOUT_PERIC0_PCLK_6 38 ++#define CLK_GOUT_PERIC0_PCLK_7 39 ++#define CLK_GOUT_PERIC0_PCLK_8 40 ++#define CLK_GOUT_PERIC0_PCLK_9 41 ++#define CLK_GOUT_PERIC0_PCLK_10 42 ++#define CLK_GOUT_PERIC0_PCLK_11 43 + +-#define PERIC0_NR_CLK 43 ++#define PERIC0_NR_CLK 44 + + /* CMU_PERIC1 */ + #define CLK_MOUT_PERIC1_BUS_USER 1 +@@ -272,21 +272,21 @@ + #define CLK_GOUT_PERIC1_IPCLK_8 28 + #define CLK_GOUT_PERIC1_IPCLK_9 29 + #define CLK_GOUT_PERIC1_IPCLK_10 30 +-#define CLK_GOUT_PERIC1_IPCLK_11 30 +-#define CLK_GOUT_PERIC1_PCLK_0 31 +-#define CLK_GOUT_PERIC1_PCLK_1 32 +-#define CLK_GOUT_PERIC1_PCLK_2 33 +-#define CLK_GOUT_PERIC1_PCLK_3 34 +-#define CLK_GOUT_PERIC1_PCLK_4 35 +-#define CLK_GOUT_PERIC1_PCLK_5 36 +-#define CLK_GOUT_PERIC1_PCLK_6 37 +-#define CLK_GOUT_PERIC1_PCLK_7 38 +-#define CLK_GOUT_PERIC1_PCLK_8 39 +-#define CLK_GOUT_PERIC1_PCLK_9 40 +-#define CLK_GOUT_PERIC1_PCLK_10 41 +-#define CLK_GOUT_PERIC1_PCLK_11 42 ++#define CLK_GOUT_PERIC1_IPCLK_11 31 ++#define CLK_GOUT_PERIC1_PCLK_0 32 ++#define CLK_GOUT_PERIC1_PCLK_1 33 ++#define CLK_GOUT_PERIC1_PCLK_2 34 ++#define CLK_GOUT_PERIC1_PCLK_3 35 ++#define CLK_GOUT_PERIC1_PCLK_4 36 ++#define CLK_GOUT_PERIC1_PCLK_5 37 ++#define CLK_GOUT_PERIC1_PCLK_6 38 ++#define CLK_GOUT_PERIC1_PCLK_7 39 ++#define CLK_GOUT_PERIC1_PCLK_8 40 ++#define CLK_GOUT_PERIC1_PCLK_9 41 ++#define CLK_GOUT_PERIC1_PCLK_10 42 ++#define CLK_GOUT_PERIC1_PCLK_11 43 + +-#define PERIC1_NR_CLK 43 ++#define PERIC1_NR_CLK 44 + + /* CMU_PERIS */ + #define CLK_MOUT_PERIS_BUS_USER 1 +-- +2.35.1 + diff --git a/queue-6.0/dyndbg-drop-exported-dynamic_debug_exec_queries.patch b/queue-6.0/dyndbg-drop-exported-dynamic_debug_exec_queries.patch new file mode 100644 index 00000000000..87f55bbe652 --- /dev/null +++ b/queue-6.0/dyndbg-drop-exported-dynamic_debug_exec_queries.patch @@ -0,0 +1,99 @@ +From f7a4b50ca04ba53165dba35a919cdede8ade1949 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 15:40:46 -0600 +Subject: dyndbg: drop EXPORTed dynamic_debug_exec_queries + +From: Jim Cromie + +[ Upstream commit e26ef3af964acfea311403126acee8c56c89e26b ] + +This exported fn is unused, and will not be needed. Lets dump it. + +The export was added to let drm control pr_debugs, as part of using +them to avoid drm_debug_enabled overheads. But its better to just +implement the drm.debug bitmap interface, then its available for +everyone. + +Fixes: a2d375eda771 ("dyndbg: refine export, rename to dynamic_debug_exec_queries()") +Fixes: 4c0d77828d4f ("dyndbg: export ddebug_exec_queries") +Acked-by: Jason Baron +Acked-by: Daniel Vetter +Signed-off-by: Jim Cromie +Link: https://lore.kernel.org/r/20220904214134.408619-10-jim.cromie@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/linux/dynamic_debug.h | 9 --------- + lib/dynamic_debug.c | 29 ----------------------------- + 2 files changed, 38 deletions(-) + +diff --git a/include/linux/dynamic_debug.h b/include/linux/dynamic_debug.h +index f30b01aa9fa4..8d9eec5f6d8b 100644 +--- a/include/linux/dynamic_debug.h ++++ b/include/linux/dynamic_debug.h +@@ -55,9 +55,6 @@ struct _ddebug { + + #if defined(CONFIG_DYNAMIC_DEBUG_CORE) + +-/* exported for module authors to exercise >control */ +-int dynamic_debug_exec_queries(const char *query, const char *modname); +- + int ddebug_add_module(struct _ddebug *tab, unsigned int n, + const char *modname); + extern int ddebug_remove_module(const char *mod_name); +@@ -221,12 +218,6 @@ static inline int ddebug_dyndbg_module_param_cb(char *param, char *val, + rowsize, groupsize, buf, len, ascii); \ + } while (0) + +-static inline int dynamic_debug_exec_queries(const char *query, const char *modname) +-{ +- pr_warn("kernel not built with CONFIG_DYNAMIC_DEBUG_CORE\n"); +- return 0; +-} +- + #endif /* !CONFIG_DYNAMIC_DEBUG_CORE */ + + #endif +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index 4d168efcf779..c9b3d9e5d470 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -557,35 +557,6 @@ static int ddebug_exec_queries(char *query, const char *modname) + return nfound; + } + +-/** +- * dynamic_debug_exec_queries - select and change dynamic-debug prints +- * @query: query-string described in admin-guide/dynamic-debug-howto +- * @modname: string containing module name, usually &module.mod_name +- * +- * This uses the >/proc/dynamic_debug/control reader, allowing module +- * authors to modify their dynamic-debug callsites. The modname is +- * canonically struct module.mod_name, but can also be null or a +- * module-wildcard, for example: "drm*". +- */ +-int dynamic_debug_exec_queries(const char *query, const char *modname) +-{ +- int rc; +- char *qry; /* writable copy of query */ +- +- if (!query) { +- pr_err("non-null query/command string expected\n"); +- return -EINVAL; +- } +- qry = kstrndup(query, PAGE_SIZE, GFP_KERNEL); +- if (!qry) +- return -ENOMEM; +- +- rc = ddebug_exec_queries(qry, modname); +- kfree(qry); +- return rc; +-} +-EXPORT_SYMBOL_GPL(dynamic_debug_exec_queries); +- + #define PREFIX_SIZE 64 + + static int remaining(int wrote) +-- +2.35.1 + diff --git a/queue-6.0/dyndbg-fix-module.dyndbg-handling.patch b/queue-6.0/dyndbg-fix-module.dyndbg-handling.patch new file mode 100644 index 00000000000..17f219c92ff --- /dev/null +++ b/queue-6.0/dyndbg-fix-module.dyndbg-handling.patch @@ -0,0 +1,52 @@ +From 9c27914b55c2beacdfe3b0107117802fff8a8ffd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 15:40:39 -0600 +Subject: dyndbg: fix module.dyndbg handling + +From: Jim Cromie + +[ Upstream commit 85d6b66d31c35158364058ee98fb69ab5bb6a6b1 ] + +For CONFIG_DYNAMIC_DEBUG=N, the ddebug_dyndbg_module_param_cb() +stub-fn is too permissive: + +bash-5.1# modprobe drm JUNKdyndbg +bash-5.1# modprobe drm dyndbgJUNK +[ 42.933220] dyndbg param is supported only in CONFIG_DYNAMIC_DEBUG builds +[ 42.937484] ACPI: bus type drm_connector registered + +This caused no ill effects, because unknown parameters are either +ignored by default with an "unknown parameter" warning, or ignored +because dyndbg allows its no-effect use on non-dyndbg builds. + +But since the code has an explicit feedback message, it should be +issued accurately. Fix with strcmp for exact param-name match. + +Fixes: b48420c1d301 dynamic_debug: make dynamic-debug work for module initialization +Reported-by: Rasmus Villemoes +Acked-by: Jason Baron +Acked-by: Daniel Vetter +Signed-off-by: Jim Cromie +Link: https://lore.kernel.org/r/20220904214134.408619-3-jim.cromie@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + include/linux/dynamic_debug.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/dynamic_debug.h b/include/linux/dynamic_debug.h +index dce631e678dd..f30b01aa9fa4 100644 +--- a/include/linux/dynamic_debug.h ++++ b/include/linux/dynamic_debug.h +@@ -201,7 +201,7 @@ static inline int ddebug_remove_module(const char *mod) + static inline int ddebug_dyndbg_module_param_cb(char *param, char *val, + const char *modname) + { +- if (strstr(param, "dyndbg")) { ++ if (!strcmp(param, "dyndbg")) { + /* avoid pr_warn(), which wants pr_fmt() fully defined */ + printk(KERN_WARNING "dyndbg param is supported only in " + "CONFIG_DYNAMIC_DEBUG builds\n"); +-- +2.35.1 + diff --git a/queue-6.0/dyndbg-fix-static_branch-manipulation.patch b/queue-6.0/dyndbg-fix-static_branch-manipulation.patch new file mode 100644 index 00000000000..dbcc7444474 --- /dev/null +++ b/queue-6.0/dyndbg-fix-static_branch-manipulation.patch @@ -0,0 +1,74 @@ +From 55c4ad1622dc360f6618898acd350562ae12ae0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 15:40:38 -0600 +Subject: dyndbg: fix static_branch manipulation + +From: Jim Cromie + +[ Upstream commit ee879be38bc87f8cedc79ae2742958db6533ca59 ] + +In https://lore.kernel.org/lkml/20211209150910.GA23668@axis.com/ + +Vincent's patch commented on, and worked around, a bug toggling +static_branch's, when a 2nd PRINTK-ish flag was added. The bug +results in a premature static_branch_disable when the 1st of 2 flags +was disabled. + +The cited commit computed newflags, but then in the JUMP_LABEL block, +failed to use that result, instead using just one of the terms in it. +Using newflags instead made the code work properly. + +This is Vincents test-case, reduced. It needs the 2nd flag to +demonstrate the bug, but it's explanatory here. + +pt_test() { + echo 5 > /sys/module/dynamic_debug/verbose + + site="module tcp" # just one callsite + echo " $site =_ " > /proc/dynamic_debug/control # clear it + + # A B ~A ~B + for flg in +T +p "-T #broke here" -p; do + echo " $site $flg " > /proc/dynamic_debug/control + done; + + # A B ~B ~A + for flg in +T +p "-p #broke here" -T; do + echo " $site $flg " > /proc/dynamic_debug/control + done +} +pt_test + +Fixes: 84da83a6ffc0 dyndbg: combine flags & mask into a struct, simplify with it +CC: vincent.whitchurch@axis.com +Acked-by: Jason Baron +Acked-by: Daniel Vetter +Signed-off-by: Jim Cromie +Link: https://lore.kernel.org/r/20220904214134.408619-2-jim.cromie@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/dynamic_debug.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index dd7f56af9aed..a56c1286ffa4 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -211,10 +211,11 @@ static int ddebug_change(const struct ddebug_query *query, + continue; + #ifdef CONFIG_JUMP_LABEL + if (dp->flags & _DPRINTK_FLAGS_PRINT) { +- if (!(modifiers->flags & _DPRINTK_FLAGS_PRINT)) ++ if (!(newflags & _DPRINTK_FLAGS_PRINT)) + static_branch_disable(&dp->key.dd_key_true); +- } else if (modifiers->flags & _DPRINTK_FLAGS_PRINT) ++ } else if (newflags & _DPRINTK_FLAGS_PRINT) { + static_branch_enable(&dp->key.dd_key_true); ++ } + #endif + dp->flags = newflags; + v4pr_info("changed %s:%d [%s]%s =%s\n", +-- +2.35.1 + diff --git a/queue-6.0/dyndbg-let-query-modname-override-actual-module-name.patch b/queue-6.0/dyndbg-let-query-modname-override-actual-module-name.patch new file mode 100644 index 00000000000..ef108d3f80e --- /dev/null +++ b/queue-6.0/dyndbg-let-query-modname-override-actual-module-name.patch @@ -0,0 +1,80 @@ +From 6a6285f398cb881dae90662a88cc7426ce8ba109 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 15:40:44 -0600 +Subject: dyndbg: let query-modname override actual module name + +From: Jim Cromie + +[ Upstream commit e75ef56f74965f426dd819a41336b640ffdd8fbc ] + +dyndbg's control-parser: ddebug_parse_query(), requires that search +terms: module, func, file, lineno, are used only once in a query; a +thing cannot be named both foo and bar. + +The cited commit added an overriding module modname, taken from the +module loader, which is authoritative. So it set query.module 1st, +which disallowed its use in the query-string. + +But now, its useful to allow a module-load to enable classes across a +whole (or part of) a subsystem at once. + + # enable (dynamic-debug in) drm only + modprobe drm dyndbg="class DRM_UT_CORE +p" + + # get drm_helper too + modprobe drm dyndbg="class DRM_UT_CORE module drm* +p" + + # get everything that knows DRM_UT_CORE + modprobe drm dyndbg="class DRM_UT_CORE module * +p" + + # also for boot-args: + drm.dyndbg="class DRM_UT_CORE module * +p" + +So convert the override into a default, by filling it only when/after +the query-string omitted the module. + +NB: the query class FOO handling is forthcoming. + +Fixes: 8e59b5cfb9a6 dynamic_debug: add modname arg to exec_query callchain +Acked-by: Jason Baron +Acked-by: Daniel Vetter +Signed-off-by: Jim Cromie +Link: https://lore.kernel.org/r/20220904214134.408619-8-jim.cromie@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/dynamic_debug.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index a56c1286ffa4..4d168efcf779 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -384,10 +384,6 @@ static int ddebug_parse_query(char *words[], int nwords, + return -EINVAL; + } + +- if (modname) +- /* support $modname.dyndbg= */ +- query->module = modname; +- + for (i = 0; i < nwords; i += 2) { + char *keyword = words[i]; + char *arg = words[i+1]; +@@ -428,6 +424,13 @@ static int ddebug_parse_query(char *words[], int nwords, + if (rc) + return rc; + } ++ if (!query->module && modname) ++ /* ++ * support $modname.dyndbg=, when ++ * not given in the query itself ++ */ ++ query->module = modname; ++ + vpr_info_dq(query, "parsed"); + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/erofs-fix-order-max_order-warning-due-to-crafted-neg.patch b/queue-6.0/erofs-fix-order-max_order-warning-due-to-crafted-neg.patch new file mode 100644 index 00000000000..9406262f3aa --- /dev/null +++ b/queue-6.0/erofs-fix-order-max_order-warning-due-to-crafted-neg.patch @@ -0,0 +1,43 @@ +From 5aa096949b65c9aa7fe543eae6a3fc8749a99827 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 10:39:48 +0800 +Subject: erofs: fix order >= MAX_ORDER warning due to crafted negative i_size + +From: Gao Xiang + +[ Upstream commit 1dd73601a1cba37a0ed5f89a8662c90191df5873 ] + +As syzbot reported [1], the root cause is that i_size field is a +signed type, and negative i_size is also less than EROFS_BLKSIZ. +As a consequence, it's handled as fast symlink unexpectedly. + +Let's fall back to the generic path to deal with such unusual i_size. + +[1] https://lore.kernel.org/r/000000000000ac8efa05e7feaa1f@google.com + +Reported-by: syzbot+f966c13b1b4fc0403b19@syzkaller.appspotmail.com +Fixes: 431339ba9042 ("staging: erofs: add inode operations") +Reviewed-by: Yue Hu +Link: https://lore.kernel.org/r/20220909023948.28925-1-hsiangkao@linux.alibaba.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/erofs/inode.c b/fs/erofs/inode.c +index 95a403720e8c..16cf9a283557 100644 +--- a/fs/erofs/inode.c ++++ b/fs/erofs/inode.c +@@ -214,7 +214,7 @@ static int erofs_fill_symlink(struct inode *inode, void *kaddr, + + /* if it cannot be handled with fast symlink scheme */ + if (vi->datalayout != EROFS_INODE_FLAT_INLINE || +- inode->i_size >= EROFS_BLKSIZ) { ++ inode->i_size >= EROFS_BLKSIZ || inode->i_size < 0) { + inode->i_op = &erofs_symlink_iops; + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/erofs-use-kill_anon_super-to-kill-super-in-fscache-m.patch b/queue-6.0/erofs-use-kill_anon_super-to-kill-super-in-fscache-m.patch new file mode 100644 index 00000000000..6573fed29af --- /dev/null +++ b/queue-6.0/erofs-use-kill_anon_super-to-kill-super-in-fscache-m.patch @@ -0,0 +1,40 @@ +From 647af68a2d99027b942180394409855dd061c16a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Sep 2022 12:34:51 +0800 +Subject: erofs: use kill_anon_super() to kill super in fscache mode + +From: Jia Zhu + +[ Upstream commit 1015c1016c231b26d4e2c9b3da65b6c043eb97a3 ] + +Use kill_anon_super() instead of generic_shutdown_super() since the +mount() in erofs fscache mode uses get_tree_nodev() and associated +anon bdev needs to be freed. + +Fixes: 9c0cc9c729657 ("erofs: add 'fsid' mount option") +Suggested-by: Jingbo Xu +Signed-off-by: Jia Zhu +Reviewed-by: Jingbo Xu +Link: https://lore.kernel.org/r/20220918043456.147-2-zhujia.zj@bytedance.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/erofs/super.c b/fs/erofs/super.c +index 3173debeaa5a..9716d355a63e 100644 +--- a/fs/erofs/super.c ++++ b/fs/erofs/super.c +@@ -879,7 +879,7 @@ static void erofs_kill_sb(struct super_block *sb) + WARN_ON(sb->s_magic != EROFS_SUPER_MAGIC); + + if (erofs_is_fscache_mode(sb)) +- generic_shutdown_super(sb); ++ kill_anon_super(sb); + else + kill_block_super(sb); + +-- +2.35.1 + diff --git a/queue-6.0/esp-choose-the-correct-inner-protocol-for-gso-on-int.patch b/queue-6.0/esp-choose-the-correct-inner-protocol-for-gso-on-int.patch new file mode 100644 index 00000000000..8a07d50e45f --- /dev/null +++ b/queue-6.0/esp-choose-the-correct-inner-protocol-for-gso-on-int.patch @@ -0,0 +1,63 @@ +From a6d14d91cef1d139e88900c837f70bfef6d1b9d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 17:16:51 +0200 +Subject: esp: choose the correct inner protocol for GSO on inter address + family tunnels + +From: Sabrina Dubroca + +[ Upstream commit 26dbd66eab8080be51759e48280da04015221e22 ] + +Commit 23c7f8d7989e ("net: Fix esp GSO on inter address family +tunnels.") is incomplete. It passes to skb_eth_gso_segment the +protocol for the outer IP version, instead of the inner IP version, so +we end up calling inet_gso_segment on an inner IPv6 packet and +ipv6_gso_segment on an inner IPv4 packet and the packets are dropped. + +This patch completes the fix by selecting the correct protocol based +on the inner mode's family. + +Fixes: c35fe4106b92 ("xfrm: Add mode handlers for IPsec on layer 2") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4_offload.c | 5 ++++- + net/ipv6/esp6_offload.c | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c +index 935026f4c807..170152772d33 100644 +--- a/net/ipv4/esp4_offload.c ++++ b/net/ipv4/esp4_offload.c +@@ -110,7 +110,10 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- return skb_eth_gso_segment(skb, features, htons(ETH_P_IP)); ++ __be16 type = x->inner_mode.family == AF_INET6 ? htons(ETH_P_IPV6) ++ : htons(ETH_P_IP); ++ ++ return skb_eth_gso_segment(skb, features, type); + } + + static struct sk_buff *xfrm4_transport_gso_segment(struct xfrm_state *x, +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c +index 3a293838a91d..79d43548279c 100644 +--- a/net/ipv6/esp6_offload.c ++++ b/net/ipv6/esp6_offload.c +@@ -145,7 +145,10 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x, + struct sk_buff *skb, + netdev_features_t features) + { +- return skb_eth_gso_segment(skb, features, htons(ETH_P_IPV6)); ++ __be16 type = x->inner_mode.family == AF_INET ? htons(ETH_P_IP) ++ : htons(ETH_P_IPV6); ++ ++ return skb_eth_gso_segment(skb, features, type); + } + + static struct sk_buff *xfrm6_transport_gso_segment(struct xfrm_state *x, +-- +2.35.1 + diff --git a/queue-6.0/eth-alx-take-rtnl_lock-on-resume.patch b/queue-6.0/eth-alx-take-rtnl_lock-on-resume.patch new file mode 100644 index 00000000000..8d895cdf00f --- /dev/null +++ b/queue-6.0/eth-alx-take-rtnl_lock-on-resume.patch @@ -0,0 +1,78 @@ +From 71a3fe8df68971451946dd1c12b7e5a22abd2ea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 11:12:36 -0700 +Subject: eth: alx: take rtnl_lock on resume + +From: Jakub Kicinski + +[ Upstream commit 6ad1c94e1e7e374d88f0cfd77936dddb8339aaba ] + +Zbynek reports that alx trips an rtnl assertion on resume: + + RTNL: assertion failed at net/core/dev.c (2891) + RIP: 0010:netif_set_real_num_tx_queues+0x1ac/0x1c0 + Call Trace: + + __alx_open+0x230/0x570 [alx] + alx_resume+0x54/0x80 [alx] + ? pci_legacy_resume+0x80/0x80 + dpm_run_callback+0x4a/0x150 + device_resume+0x8b/0x190 + async_resume+0x19/0x30 + async_run_entry_fn+0x30/0x130 + process_one_work+0x1e5/0x3b0 + +indeed the driver does not hold rtnl_lock during its internal close +and re-open functions during suspend/resume. Note that this is not +a huge bug as the driver implements its own locking, and does not +implement changing the number of queues, but we need to silence +the splat. + +Fixes: 4a5fe57e7751 ("alx: use fine-grained locking instead of RTNL") +Reported-and-tested-by: Zbynek Michl +Reviewed-by: Niels Dossche +Link: https://lore.kernel.org/r/20220928181236.1053043-1-kuba@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/alx/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index a89b93cb4e26..d5939586c82e 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1912,11 +1912,14 @@ static int alx_suspend(struct device *dev) + + if (!netif_running(alx->dev)) + return 0; ++ ++ rtnl_lock(); + netif_device_detach(alx->dev); + + mutex_lock(&alx->mtx); + __alx_stop(alx); + mutex_unlock(&alx->mtx); ++ rtnl_unlock(); + + return 0; + } +@@ -1927,6 +1930,7 @@ static int alx_resume(struct device *dev) + struct alx_hw *hw = &alx->hw; + int err; + ++ rtnl_lock(); + mutex_lock(&alx->mtx); + alx_reset_phy(hw); + +@@ -1943,6 +1947,7 @@ static int alx_resume(struct device *dev) + + unlock: + mutex_unlock(&alx->mtx); ++ rtnl_unlock(); + return err; + } + +-- +2.35.1 + diff --git a/queue-6.0/eth-lan743x-reject-extts-for-non-pci11x1x-devices.patch b/queue-6.0/eth-lan743x-reject-extts-for-non-pci11x1x-devices.patch new file mode 100644 index 00000000000..4302edad100 --- /dev/null +++ b/queue-6.0/eth-lan743x-reject-extts-for-non-pci11x1x-devices.patch @@ -0,0 +1,50 @@ +From ed8a503900ae3feb07a09844cc4131af36caef61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 14:57:40 +0530 +Subject: eth: lan743x: reject extts for non-pci11x1x devices + +From: Raju Lakkaraju + +[ Upstream commit cb4b12071a4b68df323c339f60805834246b3e9e ] + +Remove PTP_PF_EXTTS support for non-PCI11x1x devices since they do not support +the PTP-IO Input event triggered timestamping mechanisms added + +Fixes: 60942c397af6 ("net: lan743x: Add support for PTP-IO Event Input External Timestamp (extts)") +Signed-off-by: Raju Lakkaraju +Reviewed-by: Horatiu Vultur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan743x_ptp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/microchip/lan743x_ptp.c b/drivers/net/ethernet/microchip/lan743x_ptp.c +index 6a11e2ceb013..da3ea905adbb 100644 +--- a/drivers/net/ethernet/microchip/lan743x_ptp.c ++++ b/drivers/net/ethernet/microchip/lan743x_ptp.c +@@ -1049,6 +1049,10 @@ static int lan743x_ptpci_verify_pin_config(struct ptp_clock_info *ptp, + enum ptp_pin_function func, + unsigned int chan) + { ++ struct lan743x_ptp *lan_ptp = ++ container_of(ptp, struct lan743x_ptp, ptp_clock_info); ++ struct lan743x_adapter *adapter = ++ container_of(lan_ptp, struct lan743x_adapter, ptp); + int result = 0; + + /* Confirm the requested function is supported. Parameter +@@ -1057,7 +1061,10 @@ static int lan743x_ptpci_verify_pin_config(struct ptp_clock_info *ptp, + switch (func) { + case PTP_PF_NONE: + case PTP_PF_PEROUT: ++ break; + case PTP_PF_EXTTS: ++ if (!adapter->is_pci11x1x) ++ result = -1; + break; + case PTP_PF_PHYSYNC: + default: +-- +2.35.1 + diff --git a/queue-6.0/eth-sp7021-fix-use-after-free-bug-in-spl2sw_nvmem_ge.patch b/queue-6.0/eth-sp7021-fix-use-after-free-bug-in-spl2sw_nvmem_ge.patch new file mode 100644 index 00000000000..18fc6d2eefa --- /dev/null +++ b/queue-6.0/eth-sp7021-fix-use-after-free-bug-in-spl2sw_nvmem_ge.patch @@ -0,0 +1,37 @@ +From bf98249d4efb223de87381b2486d79c4021681c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Oct 2022 01:57:25 +0800 +Subject: eth: sp7021: fix use after free bug in spl2sw_nvmem_get_mac_address + +From: Zheng Wang + +[ Upstream commit 12aece8b01507a2d357a1861f470e83621fbb6f2 ] + +This frees "mac" and tries to display its address as part of the error +message on the next line. Swap the order. + +Fixes: fd3040b9394c ("net: ethernet: Add driver for Sunplus SP7021") +Signed-off-by: Zheng Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sunplus/spl2sw_driver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sunplus/spl2sw_driver.c b/drivers/net/ethernet/sunplus/spl2sw_driver.c +index 546206640492..61d1d07dc070 100644 +--- a/drivers/net/ethernet/sunplus/spl2sw_driver.c ++++ b/drivers/net/ethernet/sunplus/spl2sw_driver.c +@@ -248,8 +248,8 @@ static int spl2sw_nvmem_get_mac_address(struct device *dev, struct device_node * + + /* Check if mac address is valid */ + if (!is_valid_ether_addr(mac)) { +- kfree(mac); + dev_info(dev, "Invalid mac address in nvmem (%pM)!\n", mac); ++ kfree(mac); + return -EINVAL; + } + +-- +2.35.1 + diff --git a/queue-6.0/eventfd-guard-wake_up-in-eventfd-fs-calls-as-well.patch b/queue-6.0/eventfd-guard-wake_up-in-eventfd-fs-calls-as-well.patch new file mode 100644 index 00000000000..9d420153220 --- /dev/null +++ b/queue-6.0/eventfd-guard-wake_up-in-eventfd-fs-calls-as-well.patch @@ -0,0 +1,121 @@ +From 58f101ef2a8891f0efc852fdd09657b681add687 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 06:59:59 -0700 +Subject: eventfd: guard wake_up in eventfd fs calls as well + +From: Dylan Yudaken + +[ Upstream commit 9f0deaa12d832f488500a5afe9b912e9b3cfc432 ] + +Guard wakeups that the user can trigger, and that may end up triggering a +call back into eventfd_signal. This is in addition to the current approach +that only guards in eventfd_signal. + +Rename in_eventfd_signal -> in_eventfd at the same time to reflect this. + +Without this there would be a deadlock in the following code using libaio: + +int main() +{ + struct io_context *ctx = NULL; + struct iocb iocb; + struct iocb *iocbs[] = { &iocb }; + int evfd; + uint64_t val = 1; + + evfd = eventfd(0, EFD_CLOEXEC); + assert(!io_setup(2, &ctx)); + io_prep_poll(&iocb, evfd, POLLIN); + io_set_eventfd(&iocb, evfd); + assert(1 == io_submit(ctx, 1, iocbs)); + write(evfd, &val, 8); +} + +Signed-off-by: Dylan Yudaken +Reviewed-by: Jens Axboe +Link: https://lore.kernel.org/r/20220816135959.1490641-1-dylany@fb.com +Signed-off-by: Jens Axboe +Stable-dep-of: 3b8fdd1dc35e ("io_uring/fdinfo: fix sqe dumping for IORING_SETUP_SQE128") +Signed-off-by: Sasha Levin +--- + fs/eventfd.c | 10 +++++++--- + include/linux/eventfd.h | 2 +- + include/linux/sched.h | 2 +- + 3 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/fs/eventfd.c b/fs/eventfd.c +index 3627dd7d25db..c0ffee99ad23 100644 +--- a/fs/eventfd.c ++++ b/fs/eventfd.c +@@ -69,17 +69,17 @@ __u64 eventfd_signal(struct eventfd_ctx *ctx, __u64 n) + * it returns false, the eventfd_signal() call should be deferred to a + * safe context. + */ +- if (WARN_ON_ONCE(current->in_eventfd_signal)) ++ if (WARN_ON_ONCE(current->in_eventfd)) + return 0; + + spin_lock_irqsave(&ctx->wqh.lock, flags); +- current->in_eventfd_signal = 1; ++ current->in_eventfd = 1; + if (ULLONG_MAX - ctx->count < n) + n = ULLONG_MAX - ctx->count; + ctx->count += n; + if (waitqueue_active(&ctx->wqh)) + wake_up_locked_poll(&ctx->wqh, EPOLLIN); +- current->in_eventfd_signal = 0; ++ current->in_eventfd = 0; + spin_unlock_irqrestore(&ctx->wqh.lock, flags); + + return n; +@@ -253,8 +253,10 @@ static ssize_t eventfd_read(struct kiocb *iocb, struct iov_iter *to) + __set_current_state(TASK_RUNNING); + } + eventfd_ctx_do_read(ctx, &ucnt); ++ current->in_eventfd = 1; + if (waitqueue_active(&ctx->wqh)) + wake_up_locked_poll(&ctx->wqh, EPOLLOUT); ++ current->in_eventfd = 0; + spin_unlock_irq(&ctx->wqh.lock); + if (unlikely(copy_to_iter(&ucnt, sizeof(ucnt), to) != sizeof(ucnt))) + return -EFAULT; +@@ -301,8 +303,10 @@ static ssize_t eventfd_write(struct file *file, const char __user *buf, size_t c + } + if (likely(res > 0)) { + ctx->count += ucnt; ++ current->in_eventfd = 1; + if (waitqueue_active(&ctx->wqh)) + wake_up_locked_poll(&ctx->wqh, EPOLLIN); ++ current->in_eventfd = 0; + } + spin_unlock_irq(&ctx->wqh.lock); + +diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h +index 305d5f19093b..30eb30d6909b 100644 +--- a/include/linux/eventfd.h ++++ b/include/linux/eventfd.h +@@ -46,7 +46,7 @@ void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt); + + static inline bool eventfd_signal_allowed(void) + { +- return !current->in_eventfd_signal; ++ return !current->in_eventfd; + } + + #else /* CONFIG_EVENTFD */ +diff --git a/include/linux/sched.h b/include/linux/sched.h +index e7b2f8a5c711..8d82d6d32670 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -936,7 +936,7 @@ struct task_struct { + #endif + #ifdef CONFIG_EVENTFD + /* Recursion prevention for eventfd_signal() */ +- unsigned in_eventfd_signal:1; ++ unsigned in_eventfd:1; + #endif + #ifdef CONFIG_IOMMU_SVA + unsigned pasid_activated:1; +-- +2.35.1 + diff --git a/queue-6.0/ext2-use-kvmalloc-for-group-descriptor-array.patch b/queue-6.0/ext2-use-kvmalloc-for-group-descriptor-array.patch new file mode 100644 index 00000000000..d0fffa38673 --- /dev/null +++ b/queue-6.0/ext2-use-kvmalloc-for-group-descriptor-array.patch @@ -0,0 +1,55 @@ +From c69ecca73fec9524c5750e3929d466909dce2041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 17:29:33 +0200 +Subject: ext2: Use kvmalloc() for group descriptor array + +From: Jan Kara + +[ Upstream commit e7c7fbb9a8574ebd89cc05db49d806c7476863ad ] + +Array of group descriptor block buffers can get rather large. In theory +in can reach 1MB for perfectly valid filesystem and even more for +maliciously crafted ones. Use kvmalloc() to allocate the array to avoid +straining memory allocator with large order allocations unnecessarily. + +Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/ext2/super.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/ext2/super.c b/fs/ext2/super.c +index afb31af9302d..03f2af98b1b4 100644 +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -163,7 +163,7 @@ static void ext2_put_super (struct super_block * sb) + db_count = sbi->s_gdb_count; + for (i = 0; i < db_count; i++) + brelse(sbi->s_group_desc[i]); +- kfree(sbi->s_group_desc); ++ kvfree(sbi->s_group_desc); + kfree(sbi->s_debts); + percpu_counter_destroy(&sbi->s_freeblocks_counter); + percpu_counter_destroy(&sbi->s_freeinodes_counter); +@@ -1092,7 +1092,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) + } + db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) / + EXT2_DESC_PER_BLOCK(sb); +- sbi->s_group_desc = kmalloc_array(db_count, ++ sbi->s_group_desc = kvmalloc_array(db_count, + sizeof(struct buffer_head *), + GFP_KERNEL); + if (sbi->s_group_desc == NULL) { +@@ -1218,7 +1218,7 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) + for (i = 0; i < db_count; i++) + brelse(sbi->s_group_desc[i]); + failed_mount_group_desc: +- kfree(sbi->s_group_desc); ++ kvfree(sbi->s_group_desc); + kfree(sbi->s_debts); + failed_mount: + brelse(bh); +-- +2.35.1 + diff --git a/queue-6.0/ext4-continue-to-expand-file-system-when-the-target-.patch b/queue-6.0/ext4-continue-to-expand-file-system-when-the-target-.patch new file mode 100644 index 00000000000..6375acc3216 --- /dev/null +++ b/queue-6.0/ext4-continue-to-expand-file-system-when-the-target-.patch @@ -0,0 +1,66 @@ +From d92c21f858fefb7cb5b94b96a40cabd48d984fc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jul 2022 10:25:19 +0000 +Subject: ext4: continue to expand file system when the target size doesn't + reach +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jerry Lee 李修賢 + +[ Upstream commit df3cb754d13d2cd5490db9b8d536311f8413a92e ] + +When expanding a file system from (16TiB-2MiB) to 18TiB, the operation +exits early which leads to result inconsistency between resize2fs and +Ext4 kernel driver. + +=== before === +○ → resize2fs /dev/mapper/thin +resize2fs 1.45.5 (07-Jan-2020) +Filesystem at /dev/mapper/thin is mounted on /mnt/test; on-line resizing required +old_desc_blocks = 2048, new_desc_blocks = 2304 +The filesystem on /dev/mapper/thin is now 4831837696 (4k) blocks long. + +[ 865.186308] EXT4-fs (dm-5): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none. +[ 912.091502] dm-4: detected capacity change from 34359738368 to 38654705664 +[ 970.030550] dm-5: detected capacity change from 34359734272 to 38654701568 +[ 1000.012751] EXT4-fs (dm-5): resizing filesystem from 4294966784 to 4831837696 blocks +[ 1000.012878] EXT4-fs (dm-5): resized filesystem to 4294967296 + +=== after === +[ 129.104898] EXT4-fs (dm-5): mounted filesystem with ordered data mode. Opts: (null). Quota mode: none. +[ 143.773630] dm-4: detected capacity change from 34359738368 to 38654705664 +[ 198.203246] dm-5: detected capacity change from 34359734272 to 38654701568 +[ 207.918603] EXT4-fs (dm-5): resizing filesystem from 4294966784 to 4831837696 blocks +[ 207.918754] EXT4-fs (dm-5): resizing filesystem from 4294967296 to 4831837696 blocks +[ 207.918758] EXT4-fs (dm-5): Converting file system to meta_bg +[ 207.918790] EXT4-fs (dm-5): resizing filesystem from 4294967296 to 4831837696 blocks +[ 221.454050] EXT4-fs (dm-5): resized to 4658298880 blocks +[ 227.634613] EXT4-fs (dm-5): resized filesystem to 4831837696 + +Signed-off-by: Jerry Lee +Link: https://lore.kernel.org/r/PU1PR04MB22635E739BD21150DC182AC6A18C9@PU1PR04MB2263.apcprd04.prod.outlook.com +Signed-off-by: Theodore Ts'o +Stable-dep-of: 426d15ad1141 ("ext4: don't run ext4lazyinit for read-only filesystems") +Signed-off-by: Sasha Levin +--- + fs/ext4/resize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c +index fea2a68d067b..6dfe9ccae0c5 100644 +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -2122,7 +2122,7 @@ int ext4_resize_fs(struct super_block *sb, ext4_fsblk_t n_blocks_count) + goto out; + } + +- if (ext4_blocks_count(es) == n_blocks_count) ++ if (ext4_blocks_count(es) == n_blocks_count && n_blocks_count_retry == 0) + goto out; + + err = ext4_alloc_flex_bg_array(sb, n_group + 1); +-- +2.35.1 + diff --git a/queue-6.0/ext4-don-t-run-ext4lazyinit-for-read-only-filesystem.patch b/queue-6.0/ext4-don-t-run-ext4lazyinit-for-read-only-filesystem.patch new file mode 100644 index 00000000000..5aacbc30a75 --- /dev/null +++ b/queue-6.0/ext4-don-t-run-ext4lazyinit-for-read-only-filesystem.patch @@ -0,0 +1,46 @@ +From 4d73901a7589cf662b6a771fd2746713c4cef252 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 20:24:53 -0700 +Subject: ext4: don't run ext4lazyinit for read-only filesystems + +From: Josh Triplett + +[ Upstream commit 426d15ad11419066f7042ffa8fbf1b5c21a1ecbe ] + +On a read-only filesystem, we won't invoke the block allocator, so we +don't need to prefetch the block bitmaps. + +This avoids starting and running the ext4lazyinit thread at all on a +system with no read-write ext4 filesystems (for instance, a container VM +with read-only filesystems underneath an overlayfs). + +Fixes: 21175ca434c5 ("ext4: make prefetch_block_bitmaps default") +Signed-off-by: Josh Triplett +Reviewed-by: Lukas Czerner +Link: https://lore.kernel.org/r/48b41da1498fcac3287e2e06b660680646c1c050.1659323972.git.josh@joshtriplett.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/super.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fs/ext4/super.c b/fs/ext4/super.c +index 323dbcfd285c..091db733834e 100644 +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3962,9 +3962,9 @@ int ext4_register_li_request(struct super_block *sb, + goto out; + } + +- if (test_opt(sb, NO_PREFETCH_BLOCK_BITMAPS) && +- (first_not_zeroed == ngroups || sb_rdonly(sb) || +- !test_opt(sb, INIT_INODE_TABLE))) ++ if (sb_rdonly(sb) || ++ (test_opt(sb, NO_PREFETCH_BLOCK_BITMAPS) && ++ (first_not_zeroed == ngroups || !test_opt(sb, INIT_INODE_TABLE)))) + goto out; + + elr = ext4_li_request_new(sb, first_not_zeroed); +-- +2.35.1 + diff --git a/queue-6.0/f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch b/queue-6.0/f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch new file mode 100644 index 00000000000..feb7c44004b --- /dev/null +++ b/queue-6.0/f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch @@ -0,0 +1,55 @@ +From 4e24983b3bb9ac86917a91eab9add1f54fdb8061 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 12:59:17 +0800 +Subject: f2fs: fix race condition on setting FI_NO_EXTENT flag + +From: Zhang Qilong + +[ Upstream commit 07725adc55c0a414c10acb5c8c86cea34b95ddef ] + +The following scenarios exist. +process A: process B: +->f2fs_drop_extent_tree ->f2fs_update_extent_cache_range + ->f2fs_update_extent_tree_range + ->write_lock + ->set_inode_flag + ->is_inode_flag_set + ->__free_extent_tree // Shouldn't + // have been + // cleaned up + // here + ->write_lock + +In this case, the "FI_NO_EXTENT" flag is set between +f2fs_update_extent_tree_range and is_inode_flag_set +by other process. it leads to clearing the whole exten +tree which should not have happened. And we fix it by +move the setting it to the range of write_lock. + +Fixes:5f281fab9b9a3 ("f2fs: disable extent_cache for fcollapse/finsert inodes") +Signed-off-by: Zhang Qilong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/extent_cache.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c +index 866e72b29bd5..761fd42c93f2 100644 +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -804,9 +804,8 @@ void f2fs_drop_extent_tree(struct inode *inode) + if (!f2fs_may_extent_tree(inode)) + return; + +- set_inode_flag(inode, FI_NO_EXTENT); +- + write_lock(&et->lock); ++ set_inode_flag(inode, FI_NO_EXTENT); + __free_extent_tree(sbi, et); + if (et->largest.len) { + et->largest.len = 0; +-- +2.35.1 + diff --git a/queue-6.0/f2fs-fix-to-account-fs_cp_data_io-correctly.patch b/queue-6.0/f2fs-fix-to-account-fs_cp_data_io-correctly.patch new file mode 100644 index 00000000000..0725556e803 --- /dev/null +++ b/queue-6.0/f2fs-fix-to-account-fs_cp_data_io-correctly.patch @@ -0,0 +1,138 @@ +From 28101df3d381150b3f0e541bea4c23e6f902c7db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 21:28:46 +0800 +Subject: f2fs: fix to account FS_CP_DATA_IO correctly + +From: Chao Yu + +[ Upstream commit d80afefb17e01aa0c46a8eebc01882e0ebd8b0f6 ] + +f2fs_inode_info.cp_task was introduced for FS_CP_DATA_IO accounting +since commit b0af6d491a6b ("f2fs: add app/fs io stat"). + +However, cp_task usage coverage has been increased due to below +commits: +commit 040d2bb318d1 ("f2fs: fix to avoid deadloop if data_flush is on") +commit 186857c5a14a ("f2fs: fix potential recursive call when enabling data_flush") + +So that, if data_flush mountoption is on, when data flush was +triggered from background, the IO from data flush will be accounted +as checkpoint IO type incorrectly. + +In order to fix this issue, this patch splits cp_task into two: +a) cp_task: used for IO accounting +b) wb_task: used to avoid deadlock + +Fixes: 040d2bb318d1 ("f2fs: fix to avoid deadloop if data_flush is on") +Fixes: 186857c5a14a ("f2fs: fix potential recursive call when enabling data_flush") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/checkpoint.c | 13 +++++++++---- + fs/f2fs/data.c | 4 ++-- + fs/f2fs/f2fs.h | 4 +++- + fs/f2fs/segment.c | 2 +- + 4 files changed, 15 insertions(+), 8 deletions(-) + +diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c +index f051a73e464a..e04ed60cc9e2 100644 +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1061,7 +1061,8 @@ void f2fs_remove_dirty_inode(struct inode *inode) + spin_unlock(&sbi->inode_lock[type]); + } + +-int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type) ++int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type, ++ bool from_cp) + { + struct list_head *head; + struct inode *inode; +@@ -1096,11 +1097,15 @@ int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type) + if (inode) { + unsigned long cur_ino = inode->i_ino; + +- F2FS_I(inode)->cp_task = current; ++ if (from_cp) ++ F2FS_I(inode)->cp_task = current; ++ F2FS_I(inode)->wb_task = current; + + filemap_fdatawrite(inode->i_mapping); + +- F2FS_I(inode)->cp_task = NULL; ++ F2FS_I(inode)->wb_task = NULL; ++ if (from_cp) ++ F2FS_I(inode)->cp_task = NULL; + + iput(inode); + /* We need to give cpu to another writers. */ +@@ -1229,7 +1234,7 @@ static int block_operations(struct f2fs_sb_info *sbi) + /* write all the dirty dentry pages */ + if (get_pages(sbi, F2FS_DIRTY_DENTS)) { + f2fs_unlock_all(sbi); +- err = f2fs_sync_dirty_inodes(sbi, DIR_INODE); ++ err = f2fs_sync_dirty_inodes(sbi, DIR_INODE, true); + if (err) + return err; + cond_resched(); +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index aa3ccddfa037..5e88272d94e4 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -2856,7 +2856,7 @@ int f2fs_write_single_data_page(struct page *page, int *submitted, + } + unlock_page(page); + if (!S_ISDIR(inode->i_mode) && !IS_NOQUOTA(inode) && +- !F2FS_I(inode)->cp_task && allow_balance) ++ !F2FS_I(inode)->wb_task && allow_balance) + f2fs_balance_fs(sbi, need_balance_fs); + + if (unlikely(f2fs_cp_error(sbi))) { +@@ -3156,7 +3156,7 @@ static inline bool __should_serialize_io(struct inode *inode, + struct writeback_control *wbc) + { + /* to avoid deadlock in path of data flush */ +- if (F2FS_I(inode)->cp_task) ++ if (F2FS_I(inode)->wb_task) + return false; + + if (!S_ISREG(inode->i_mode)) +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 30fdda714e95..1e57b11ffe2a 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -786,6 +786,7 @@ struct f2fs_inode_info { + unsigned int clevel; /* maximum level of given file name */ + struct task_struct *task; /* lookup and create consistency */ + struct task_struct *cp_task; /* separate cp/wb IO stats*/ ++ struct task_struct *wb_task; /* indicate inode is in context of writeback */ + nid_t i_xattr_nid; /* node id that contains xattrs */ + loff_t last_disk_size; /* lastly written file size */ + spinlock_t i_size_lock; /* protect last_disk_size */ +@@ -3741,7 +3742,8 @@ int f2fs_recover_orphan_inodes(struct f2fs_sb_info *sbi); + int f2fs_get_valid_checkpoint(struct f2fs_sb_info *sbi); + void f2fs_update_dirty_folio(struct inode *inode, struct folio *folio); + void f2fs_remove_dirty_inode(struct inode *inode); +-int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type); ++int f2fs_sync_dirty_inodes(struct f2fs_sb_info *sbi, enum inode_type type, ++ bool from_cp); + void f2fs_wait_on_all_pages(struct f2fs_sb_info *sbi, int type); + u64 f2fs_get_sectors_written(struct f2fs_sb_info *sbi); + int f2fs_write_checkpoint(struct f2fs_sb_info *sbi, struct cp_control *cpc); +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 0de21f82d7bc..84bad18ce13d 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -476,7 +476,7 @@ void f2fs_balance_fs_bg(struct f2fs_sb_info *sbi, bool from_bg) + mutex_lock(&sbi->flush_lock); + + blk_start_plug(&plug); +- f2fs_sync_dirty_inodes(sbi, FILE_INODE); ++ f2fs_sync_dirty_inodes(sbi, FILE_INODE, false); + blk_finish_plug(&plug); + + mutex_unlock(&sbi->flush_lock); +-- +2.35.1 + diff --git a/queue-6.0/firmware-google-test-spinlock-on-panic-path-to-avoid.patch b/queue-6.0/firmware-google-test-spinlock-on-panic-path-to-avoid.patch new file mode 100644 index 00000000000..87d2b35dc97 --- /dev/null +++ b/queue-6.0/firmware-google-test-spinlock-on-panic-path-to-avoid.patch @@ -0,0 +1,59 @@ +From 3aad170adafdf3ce4aac4e0c9300efa1a98164ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 17:07:55 -0300 +Subject: firmware: google: Test spinlock on panic path to avoid lockups + +From: Guilherme G. Piccoli + +[ Upstream commit 3e081438b8e639cc76ef1a5ce0c1bd8a154082c7 ] + +Currently the gsmi driver registers a panic notifier as well as +reboot and die notifiers. The callbacks registered are called in +atomic and very limited context - for instance, panic disables +preemption and local IRQs, also all secondary CPUs (not executing +the panic path) are shutdown. + +With that said, taking a spinlock in this scenario is a dangerous +invitation for lockup scenarios. So, fix that by checking if the +spinlock is free to acquire in the panic notifier callback - if not, +bail-out and avoid a potential hang. + +Fixes: 74c5b31c6618 ("driver: Google EFI SMI") +Cc: Andrew Morton +Cc: Ard Biesheuvel +Cc: David Gow +Cc: Greg Kroah-Hartman +Cc: Julius Werner +Cc: Petr Mladek +Reviewed-by: Evan Green +Signed-off-by: Guilherme G. Piccoli +Link: https://lore.kernel.org/r/20220909200755.189679-1-gpiccoli@igalia.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/firmware/google/gsmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c +index adaa492c3d2d..4e2575dfeb90 100644 +--- a/drivers/firmware/google/gsmi.c ++++ b/drivers/firmware/google/gsmi.c +@@ -681,6 +681,15 @@ static struct notifier_block gsmi_die_notifier = { + static int gsmi_panic_callback(struct notifier_block *nb, + unsigned long reason, void *arg) + { ++ ++ /* ++ * Panic callbacks are executed with all other CPUs stopped, ++ * so we must not attempt to spin waiting for gsmi_dev.lock ++ * to be released. ++ */ ++ if (spin_is_locked(&gsmi_dev.lock)) ++ return NOTIFY_DONE; ++ + gsmi_shutdown_reason(GSMI_SHUTDOWN_PANIC); + return NOTIFY_DONE; + } +-- +2.35.1 + diff --git a/queue-6.0/flow_dissector-do-not-count-vlan-tags-inside-tunnel-.patch b/queue-6.0/flow_dissector-do-not-count-vlan-tags-inside-tunnel-.patch new file mode 100644 index 00000000000..dcc28f96eb3 --- /dev/null +++ b/queue-6.0/flow_dissector-do-not-count-vlan-tags-inside-tunnel-.patch @@ -0,0 +1,60 @@ +From a61433c38717635fde462b286e5e00db6b6b7b8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 15:48:08 +0800 +Subject: flow_dissector: Do not count vlan tags inside tunnel payload + +From: Qingqing Yang + +[ Upstream commit 9f87eb4246994e32a4e4ea88476b20ab3b412840 ] + +We've met the problem that when there is a vlan tag inside +GRE encapsulation, the match of num_of_vlans fails. +It is caused by the vlan tag inside GRE payload has been +counted into num_of_vlans, which is not expected. + +One example packet is like this: +Ethernet II, Src: Broadcom_68:56:07 (00:10:18:68:56:07) + Dst: Broadcom_68:56:08 (00:10:18:68:56:08) +802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 100 +Internet Protocol Version 4, Src: 192.168.1.4, Dst: 192.168.1.200 +Generic Routing Encapsulation (Transparent Ethernet bridging) +Ethernet II, Src: Broadcom_68:58:07 (00:10:18:68:58:07) + Dst: Broadcom_68:58:08 (00:10:18:68:58:08) +802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 200 +... +It should match the (num_of_vlans 1) rule, but it matches +the (num_of_vlans 2) rule. + +The vlan tags inside the GRE or other tunnel encapsulated payload +should not be taken into num_of_vlans. +The fix is to stop counting the vlan number when the encapsulation +bit is set. + +Fixes: 34951fcf26c5 ("flow_dissector: Add number of vlan tags dissector") +Signed-off-by: Qingqing Yang +Reviewed-by: Boris Sukholitko +Link: https://lore.kernel.org/r/20220919074808.136640-1-qingqing.yang@broadcom.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/flow_dissector.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 5dc3860e9fc7..7105529abb0f 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -1173,8 +1173,8 @@ bool __skb_flow_dissect(const struct net *net, + nhoff += sizeof(*vlan); + } + +- if (dissector_uses_key(flow_dissector, +- FLOW_DISSECTOR_KEY_NUM_OF_VLANS)) { ++ if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_NUM_OF_VLANS) && ++ !(key_control->flags & FLOW_DIS_ENCAPSULATION)) { + struct flow_dissector_key_num_of_vlans *key_nvs; + + key_nvs = skb_flow_dissector_target(flow_dissector, +-- +2.35.1 + diff --git a/queue-6.0/fortify-fix-__compiletime_strlen-under-ubsan_bounds_.patch b/queue-6.0/fortify-fix-__compiletime_strlen-under-ubsan_bounds_.patch new file mode 100644 index 00000000000..ea4e6ebda01 --- /dev/null +++ b/queue-6.0/fortify-fix-__compiletime_strlen-under-ubsan_bounds_.patch @@ -0,0 +1,85 @@ +From fd78585902fa2ec8bbb9237154f862083d308048 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 13:02:26 -0700 +Subject: fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL + +From: Kees Cook + +[ Upstream commit d07c0acb4f41cc42a0d97530946965b3e4fa68c1 ] + +With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe +a runtime panic while running Android's Compatibility Test Suite's (CTS) +android.hardware.input.cts.tests. This is stemming from a strlen() +call in hidinput_allocate(). + +__compiletime_strlen() is implemented in terms of __builtin_object_size(), +then does an array access to check for NUL-termination. A quirk of +__builtin_object_size() is that for strings whose values are runtime +dependent, __builtin_object_size(str, 1 or 0) returns the maximum size +of possible values when those sizes are determinable at compile time. +Example: + + static const char *v = "FOO BAR"; + static const char *y = "FOO BA"; + unsigned long x (int z) { + // Returns 8, which is: + // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1)) + return __builtin_object_size(z ? v : y, 1); + } + +So when FORTIFY_SOURCE is enabled, the current implementation of +__compiletime_strlen() will try to access beyond the end of y at runtime +using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault. + +hidinput_allocate() has a local C string whose value is control flow +dependent on a switch statement, so __builtin_object_size(str, 1) +evaluates to the maximum string length, making all other cases fault on +the last character check. hidinput_allocate() could be cleaned up to +avoid runtime calls to strlen() since the local variable can only have +literal values, so there's no benefit to trying to fortify the strlen +call site there. + +Perform a __builtin_constant_p() check against index 0 earlier in the +macro to filter out the control-flow-dependant case. Add a KUnit test +for checking the expected behavioral characteristics of FORTIFY_SOURCE +internals. + +Cc: Nathan Chancellor +Cc: Tom Rix +Cc: Andrew Morton +Cc: Vlastimil Babka +Cc: "Steven Rostedt (Google)" +Cc: David Gow +Cc: Yury Norov +Cc: Masami Hiramatsu +Cc: Sander Vanheule +Cc: linux-hardening@vger.kernel.org +Cc: llvm@lists.linux.dev +Reviewed-by: Nick Desaulniers +Tested-by: Android Treehugger Robot +Link: https://android-review.googlesource.com/c/kernel/common/+/2206839 +Co-developed-by: Nick Desaulniers +Signed-off-by: Nick Desaulniers +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + include/linux/fortify-string.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h +index 3b401fa0f374..fce2fb2fc962 100644 +--- a/include/linux/fortify-string.h ++++ b/include/linux/fortify-string.h +@@ -19,7 +19,8 @@ void __write_overflow_field(size_t avail, size_t wanted) __compiletime_warning(" + unsigned char *__p = (unsigned char *)(p); \ + size_t __ret = (size_t)-1; \ + size_t __p_size = __builtin_object_size(p, 1); \ +- if (__p_size != (size_t)-1) { \ ++ if (__p_size != (size_t)-1 && \ ++ __builtin_constant_p(*__p)) { \ + size_t __p_len = __p_size - 1; \ + if (__builtin_constant_p(__p[__p_len]) && \ + __p[__p_len] == '\0') \ +-- +2.35.1 + diff --git a/queue-6.0/fpga-dfl-pci-add-ids-for-intel-n6000-n6001-and-c6100.patch b/queue-6.0/fpga-dfl-pci-add-ids-for-intel-n6000-n6001-and-c6100.patch new file mode 100644 index 00000000000..b9ef464aec3 --- /dev/null +++ b/queue-6.0/fpga-dfl-pci-add-ids-for-intel-n6000-n6001-and-c6100.patch @@ -0,0 +1,71 @@ +From a5aec5d372f898a6c261c9c84aee553fc1fc8b64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 07:56:44 -0700 +Subject: fpga: dfl-pci: Add IDs for Intel N6000, N6001 and C6100 cards + +From: Matthew Gerlach + +[ Upstream commit 65f5c01033ab85f8d385d65c4b51fe31459da603 ] + +Add pci_dev_table entries supporting the Intel N6000, N6001 +and C6100 cards to the dfl-pci driver. + +Signed-off-by: Matthew Gerlach +Signed-off-by: Tianfei Zhang +Tested-by: Marco Pagani +Reviewed-by: Tom Rix +Acked-by: Wu Hao +Acked-by: Xu Yilun +Link: https://lore.kernel.org/r/20220719145644.242481-1-matthew.gerlach@linux.intel.com +Signed-off-by: Xu Yilun +Stable-dep-of: 939bc5453b8c ("fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()") +Signed-off-by: Sasha Levin +--- + drivers/fpga/dfl-pci.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/fpga/dfl-pci.c b/drivers/fpga/dfl-pci.c +index fd1fa55c9113..0914e7328b1a 100644 +--- a/drivers/fpga/dfl-pci.c ++++ b/drivers/fpga/dfl-pci.c +@@ -77,12 +77,18 @@ static void cci_pci_free_irq(struct pci_dev *pcidev) + #define PCIE_DEVICE_ID_INTEL_PAC_D5005 0x0B2B + #define PCIE_DEVICE_ID_SILICOM_PAC_N5010 0x1000 + #define PCIE_DEVICE_ID_SILICOM_PAC_N5011 0x1001 ++#define PCIE_DEVICE_ID_INTEL_DFL 0xbcce ++/* PCI Subdevice ID for PCIE_DEVICE_ID_INTEL_DFL */ ++#define PCIE_SUBDEVICE_ID_INTEL_N6000 0x1770 ++#define PCIE_SUBDEVICE_ID_INTEL_N6001 0x1771 ++#define PCIE_SUBDEVICE_ID_INTEL_C6100 0x17d4 + + /* VF Device */ + #define PCIE_DEVICE_ID_VF_INT_5_X 0xBCBF + #define PCIE_DEVICE_ID_VF_INT_6_X 0xBCC1 + #define PCIE_DEVICE_ID_VF_DSC_1_X 0x09C5 + #define PCIE_DEVICE_ID_INTEL_PAC_D5005_VF 0x0B2C ++#define PCIE_DEVICE_ID_INTEL_DFL_VF 0xbccf + + static struct pci_device_id cci_pcie_id_tbl[] = { + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_PF_INT_5_X),}, +@@ -96,6 +102,18 @@ static struct pci_device_id cci_pcie_id_tbl[] = { + {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_PAC_D5005_VF),}, + {PCI_DEVICE(PCI_VENDOR_ID_SILICOM_DENMARK, PCIE_DEVICE_ID_SILICOM_PAC_N5010),}, + {PCI_DEVICE(PCI_VENDOR_ID_SILICOM_DENMARK, PCIE_DEVICE_ID_SILICOM_PAC_N5011),}, ++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL, ++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_N6000),}, ++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL_VF, ++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_N6000),}, ++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL, ++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_N6001),}, ++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL_VF, ++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_N6001),}, ++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL, ++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_C6100),}, ++ {PCI_DEVICE_SUB(PCI_VENDOR_ID_INTEL, PCIE_DEVICE_ID_INTEL_DFL_VF, ++ PCI_VENDOR_ID_INTEL, PCIE_SUBDEVICE_ID_INTEL_C6100),}, + {0,} + }; + MODULE_DEVICE_TABLE(pci, cci_pcie_id_tbl); +-- +2.35.1 + diff --git a/queue-6.0/fpga-prevent-integer-overflow-in-dfl_feature_ioctl_s.patch b/queue-6.0/fpga-prevent-integer-overflow-in-dfl_feature_ioctl_s.patch new file mode 100644 index 00000000000..9ff04fc8c19 --- /dev/null +++ b/queue-6.0/fpga-prevent-integer-overflow-in-dfl_feature_ioctl_s.patch @@ -0,0 +1,38 @@ +From 72018435d7553c2a39ede2b92b5c21b0ddc5f65d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 08:18:45 +0300 +Subject: fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() + +From: Dan Carpenter + +[ Upstream commit 939bc5453b8cbdde9f1e5110ce8309aedb1b501a ] + +The "hdr.count * sizeof(s32)" multiplication can overflow on 32 bit +systems leading to memory corruption. Use array_size() to fix that. + +Fixes: 322b598be4d9 ("fpga: dfl: introduce interrupt trigger setting API") +Signed-off-by: Dan Carpenter +Acked-by: Xu Yilun +Link: https://lore.kernel.org/r/YxBAtYCM38dM7yzI@kili +Signed-off-by: Xu Yilun +Signed-off-by: Sasha Levin +--- + drivers/fpga/dfl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c +index 5498bc337f8b..b9aae85ba930 100644 +--- a/drivers/fpga/dfl.c ++++ b/drivers/fpga/dfl.c +@@ -1866,7 +1866,7 @@ long dfl_feature_ioctl_set_irq(struct platform_device *pdev, + return -EINVAL; + + fds = memdup_user((void __user *)(arg + sizeof(hdr)), +- hdr.count * sizeof(s32)); ++ array_size(hdr.count, sizeof(s32))); + if (IS_ERR(fds)) + return PTR_ERR(fds); + +-- +2.35.1 + diff --git a/queue-6.0/fs-dlm-fix-race-in-lowcomms.patch b/queue-6.0/fs-dlm-fix-race-in-lowcomms.patch new file mode 100644 index 00000000000..848b8c0830e --- /dev/null +++ b/queue-6.0/fs-dlm-fix-race-in-lowcomms.patch @@ -0,0 +1,95 @@ +From 250f1da0a9bfccfa97640a2da9996adac6d24815 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 15:43:13 -0400 +Subject: fs: dlm: fix race in lowcomms + +From: Alexander Aring + +[ Upstream commit 30ea3257e8766027c4d8d609dcbd256ff9a76073 ] + +This patch fixes a race between queue_work() in +_dlm_lowcomms_commit_msg() and srcu_read_unlock(). The queue_work() can +take the final reference of a dlm_msg and so msg->idx can contain +garbage which is signaled by the following warning: + +[ 676.237050] ------------[ cut here ]------------ +[ 676.237052] WARNING: CPU: 0 PID: 1060 at include/linux/srcu.h:189 dlm_lowcomms_commit_msg+0x41/0x50 +[ 676.238945] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common iTCO_wdt iTCO_vendor_support qxl kvm_intel drm_ttm_helper vmw_vsock_virtio_transport kvm vmw_vsock_virtio_transport_common ttm irqbypass crc32_pclmul joydev crc32c_intel serio_raw drm_kms_helper vsock virtio_scsi virtio_console virtio_balloon snd_pcm drm syscopyarea sysfillrect sysimgblt snd_timer fb_sys_fops i2c_i801 lpc_ich snd i2c_smbus soundcore pcspkr +[ 676.244227] CPU: 0 PID: 1060 Comm: lock_torture_wr Not tainted 5.19.0-rc3+ #1546 +[ 676.245216] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014 +[ 676.246460] RIP: 0010:dlm_lowcomms_commit_msg+0x41/0x50 +[ 676.247132] Code: fe ff ff ff 75 24 48 c7 c6 bd 0f 49 bb 48 c7 c7 38 7c 01 bd e8 00 e7 ca ff 89 de 48 c7 c7 60 78 01 bd e8 42 3d cd ff 5b 5d c3 <0f> 0b eb d8 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 +[ 676.249253] RSP: 0018:ffffa401c18ffc68 EFLAGS: 00010282 +[ 676.249855] RAX: 0000000000000001 RBX: 00000000ffff8b76 RCX: 0000000000000006 +[ 676.250713] RDX: 0000000000000000 RSI: ffffffffbccf3a10 RDI: ffffffffbcc7b62e +[ 676.251610] RBP: ffffa401c18ffc70 R08: 0000000000000001 R09: 0000000000000001 +[ 676.252481] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000005 +[ 676.253421] R13: ffff8b76786ec370 R14: ffff8b76786ec370 R15: ffff8b76786ec480 +[ 676.254257] FS: 0000000000000000(0000) GS:ffff8b7777800000(0000) knlGS:0000000000000000 +[ 676.255239] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 676.255897] CR2: 00005590205d88b8 CR3: 000000017656c003 CR4: 0000000000770ee0 +[ 676.256734] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 676.257567] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 676.258397] PKRU: 55555554 +[ 676.258729] Call Trace: +[ 676.259063] +[ 676.259354] dlm_midcomms_commit_mhandle+0xcc/0x110 +[ 676.259964] queue_bast+0x8b/0xb0 +[ 676.260423] grant_pending_locks+0x166/0x1b0 +[ 676.261007] _unlock_lock+0x75/0x90 +[ 676.261469] unlock_lock.isra.57+0x62/0xa0 +[ 676.262009] dlm_unlock+0x21e/0x330 +[ 676.262457] ? lock_torture_stats+0x80/0x80 [dlm_locktorture] +[ 676.263183] torture_unlock+0x5a/0x90 [dlm_locktorture] +[ 676.263815] ? preempt_count_sub+0xba/0x100 +[ 676.264361] ? complete+0x1d/0x60 +[ 676.264777] lock_torture_writer+0xb8/0x150 [dlm_locktorture] +[ 676.265555] kthread+0x10a/0x130 +[ 676.266007] ? kthread_complete_and_exit+0x20/0x20 +[ 676.266616] ret_from_fork+0x22/0x30 +[ 676.267097] +[ 676.267381] irq event stamp: 9579855 +[ 676.267824] hardirqs last enabled at (9579863): [] __up_console_sem+0x58/0x60 +[ 676.268896] hardirqs last disabled at (9579872): [] __up_console_sem+0x3d/0x60 +[ 676.270008] softirqs last enabled at (9579798): [] __do_softirq+0x349/0x4c7 +[ 676.271438] softirqs last disabled at (9579897): [] irq_exit_rcu+0xb0/0xf0 +[ 676.272796] ---[ end trace 0000000000000000 ]--- + +I reproduced this warning with dlm_locktorture test which is currently +not upstream. However this patch fix the issue by make a additional +refcount between dlm_lowcomms_new_msg() and dlm_lowcomms_commit_msg(). +In case of the race the kref_put() in dlm_lowcomms_commit_msg() will be +the final put. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lowcomms.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c +index a4e84e8d94c8..59f64c596233 100644 +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -1336,6 +1336,8 @@ struct dlm_msg *dlm_lowcomms_new_msg(int nodeid, int len, gfp_t allocation, + return NULL; + } + ++ /* for dlm_lowcomms_commit_msg() */ ++ kref_get(&msg->ref); + /* we assume if successful commit must called */ + msg->idx = idx; + return msg; +@@ -1375,6 +1377,8 @@ void dlm_lowcomms_commit_msg(struct dlm_msg *msg) + { + _dlm_lowcomms_commit_msg(msg); + srcu_read_unlock(&connections_srcu, msg->idx); ++ /* because dlm_lowcomms_new_msg() */ ++ kref_put(&msg->ref, dlm_msg_release); + } + #endif + +-- +2.35.1 + diff --git a/queue-6.0/fscrypt-stop-using-keyrings-subsystem-for-fscrypt_ma.patch b/queue-6.0/fscrypt-stop-using-keyrings-subsystem-for-fscrypt_ma.patch new file mode 100644 index 00000000000..55f462e7a4d --- /dev/null +++ b/queue-6.0/fscrypt-stop-using-keyrings-subsystem-for-fscrypt_ma.patch @@ -0,0 +1,1304 @@ +From b85bdbcda08d53cc7429a2592980f006f3d7c4ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 12:32:06 -0700 +Subject: fscrypt: stop using keyrings subsystem for fscrypt_master_key + +From: Eric Biggers + +[ Upstream commit d7e7b9af104c7b389a0c21eb26532511bce4b510 ] + +The approach of fs/crypto/ internally managing the fscrypt_master_key +structs as the payloads of "struct key" objects contained in a +"struct key" keyring has outlived its usefulness. The original idea was +to simplify the code by reusing code from the keyrings subsystem. +However, several issues have arisen that can't easily be resolved: + +- When a master key struct is destroyed, blk_crypto_evict_key() must be + called on any per-mode keys embedded in it. (This started being the + case when inline encryption support was added.) Yet, the keyrings + subsystem can arbitrarily delay the destruction of keys, even past the + time the filesystem was unmounted. Therefore, currently there is no + easy way to call blk_crypto_evict_key() when a master key is + destroyed. Currently, this is worked around by holding an extra + reference to the filesystem's request_queue(s). But it was overlooked + that the request_queue reference is *not* guaranteed to pin the + corresponding blk_crypto_profile too; for device-mapper devices that + support inline crypto, it doesn't. This can cause a use-after-free. + +- When the last inode that was using an incompletely-removed master key + is evicted, the master key removal is completed by removing the key + struct from the keyring. Currently this is done via key_invalidate(). + Yet, key_invalidate() takes the key semaphore. This can deadlock when + called from the shrinker, since in fscrypt_ioctl_add_key(), memory is + allocated with GFP_KERNEL under the same semaphore. + +- More generally, the fact that the keyrings subsystem can arbitrarily + delay the destruction of keys (via garbage collection delay, or via + random processes getting temporary key references) is undesirable, as + it means we can't strictly guarantee that all secrets are ever wiped. + +- Doing the master key lookups via the keyrings subsystem results in the + key_permission LSM hook being called. fscrypt doesn't want this, as + all access control for encrypted files is designed to happen via the + files themselves, like any other files. The workaround which SELinux + users are using is to change their SELinux policy to grant key search + access to all domains. This works, but it is an odd extra step that + shouldn't really have to be done. + +The fix for all these issues is to change the implementation to what I +should have done originally: don't use the keyrings subsystem to keep +track of the filesystem's fscrypt_master_key structs. Instead, just +store them in a regular kernel data structure, and rework the reference +counting, locking, and lifetime accordingly. Retain support for +RCU-mode key lookups by using a hash table. Replace fscrypt_sb_free() +with fscrypt_sb_delete(), which releases the keys synchronously and runs +a bit earlier during unmount, so that block devices are still available. + +A side effect of this patch is that neither the master keys themselves +nor the filesystem keyrings will be listed in /proc/keys anymore. +("Master key users" and the master key users keyrings will still be +listed.) However, this was mostly an implementation detail, and it was +intended just for debugging purposes. I don't know of anyone using it. + +This patch does *not* change how "master key users" (->mk_users) works; +that still uses the keyrings subsystem. That is still needed for key +quotas, and changing that isn't necessary to solve the issues listed +above. If we decide to change that too, it would be a separate patch. + +I've marked this as fixing the original commit that added the fscrypt +keyring, but as noted above the most important issue that this patch +fixes wasn't introduced until the addition of inline encryption support. + +Fixes: 22d94f493bfb ("fscrypt: add FS_IOC_ADD_ENCRYPTION_KEY ioctl") +Signed-off-by: Eric Biggers +Link: https://lore.kernel.org/r/20220901193208.138056-2-ebiggers@kernel.org +Signed-off-by: Sasha Levin +--- + fs/crypto/fscrypt_private.h | 71 ++++-- + fs/crypto/hooks.c | 10 +- + fs/crypto/keyring.c | 486 +++++++++++++++++++----------------- + fs/crypto/keysetup.c | 81 +++--- + fs/crypto/policy.c | 8 +- + fs/super.c | 2 +- + include/linux/fs.h | 2 +- + include/linux/fscrypt.h | 4 +- + 8 files changed, 353 insertions(+), 311 deletions(-) + +diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h +index 3afdaa084773..577cae7facb0 100644 +--- a/fs/crypto/fscrypt_private.h ++++ b/fs/crypto/fscrypt_private.h +@@ -225,7 +225,7 @@ struct fscrypt_info { + * will be NULL if the master key was found in a process-subscribed + * keyring rather than in the filesystem-level keyring. + */ +- struct key *ci_master_key; ++ struct fscrypt_master_key *ci_master_key; + + /* + * Link in list of inodes that were unlocked with the master key. +@@ -436,6 +436,40 @@ struct fscrypt_master_key_secret { + */ + struct fscrypt_master_key { + ++ /* ++ * Back-pointer to the super_block of the filesystem to which this ++ * master key has been added. Only valid if ->mk_active_refs > 0. ++ */ ++ struct super_block *mk_sb; ++ ++ /* ++ * Link in ->mk_sb->s_master_keys->key_hashtable. ++ * Only valid if ->mk_active_refs > 0. ++ */ ++ struct hlist_node mk_node; ++ ++ /* Semaphore that protects ->mk_secret and ->mk_users */ ++ struct rw_semaphore mk_sem; ++ ++ /* ++ * Active and structural reference counts. An active ref guarantees ++ * that the struct continues to exist, continues to be in the keyring ++ * ->mk_sb->s_master_keys, and that any embedded subkeys (e.g. ++ * ->mk_direct_keys) that have been prepared continue to exist. ++ * A structural ref only guarantees that the struct continues to exist. ++ * ++ * There is one active ref associated with ->mk_secret being present, ++ * and one active ref for each inode in ->mk_decrypted_inodes. ++ * ++ * There is one structural ref associated with the active refcount being ++ * nonzero. Finding a key in the keyring also takes a structural ref, ++ * which is then held temporarily while the key is operated on. ++ */ ++ refcount_t mk_active_refs; ++ refcount_t mk_struct_refs; ++ ++ struct rcu_head mk_rcu_head; ++ + /* + * The secret key material. After FS_IOC_REMOVE_ENCRYPTION_KEY is + * executed, this is wiped and no new inodes can be unlocked with this +@@ -444,7 +478,10 @@ struct fscrypt_master_key { + * FS_IOC_REMOVE_ENCRYPTION_KEY can be retried, or + * FS_IOC_ADD_ENCRYPTION_KEY can add the secret again. + * +- * Locking: protected by this master key's key->sem. ++ * While ->mk_secret is present, one ref in ->mk_active_refs is held. ++ * ++ * Locking: protected by ->mk_sem. The manipulation of ->mk_active_refs ++ * associated with this field is protected by ->mk_sem as well. + */ + struct fscrypt_master_key_secret mk_secret; + +@@ -465,22 +502,12 @@ struct fscrypt_master_key { + * + * This is NULL for v1 policy keys; those can only be added by root. + * +- * Locking: in addition to this keyring's own semaphore, this is +- * protected by this master key's key->sem, so we can do atomic +- * search+insert. It can also be searched without taking any locks, but +- * in that case the returned key may have already been removed. ++ * Locking: protected by ->mk_sem. (We don't just rely on the keyrings ++ * subsystem semaphore ->mk_users->sem, as we need support for atomic ++ * search+insert along with proper synchronization with ->mk_secret.) + */ + struct key *mk_users; + +- /* +- * Length of ->mk_decrypted_inodes, plus one if mk_secret is present. +- * Once this goes to 0, the master key is removed from ->s_master_keys. +- * The 'struct fscrypt_master_key' will continue to live as long as the +- * 'struct key' whose payload it is, but we won't let this reference +- * count rise again. +- */ +- refcount_t mk_refcount; +- + /* + * List of inodes that were unlocked using this key. This allows the + * inodes to be evicted efficiently if the key is removed. +@@ -506,10 +533,10 @@ static inline bool + is_master_key_secret_present(const struct fscrypt_master_key_secret *secret) + { + /* +- * The READ_ONCE() is only necessary for fscrypt_drop_inode() and +- * fscrypt_key_describe(). These run in atomic context, so they can't +- * take the key semaphore and thus 'secret' can change concurrently +- * which would be a data race. But they only need to know whether the ++ * The READ_ONCE() is only necessary for fscrypt_drop_inode(). ++ * fscrypt_drop_inode() runs in atomic context, so it can't take the key ++ * semaphore and thus 'secret' can change concurrently which would be a ++ * data race. But fscrypt_drop_inode() only need to know whether the + * secret *was* present at the time of check, so READ_ONCE() suffices. + */ + return READ_ONCE(secret->size) != 0; +@@ -538,7 +565,11 @@ static inline int master_key_spec_len(const struct fscrypt_key_specifier *spec) + return 0; + } + +-struct key * ++void fscrypt_put_master_key(struct fscrypt_master_key *mk); ++ ++void fscrypt_put_master_key_activeref(struct fscrypt_master_key *mk); ++ ++struct fscrypt_master_key * + fscrypt_find_master_key(struct super_block *sb, + const struct fscrypt_key_specifier *mk_spec); + +diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c +index 7c01025879b3..7b8c5a1104b5 100644 +--- a/fs/crypto/hooks.c ++++ b/fs/crypto/hooks.c +@@ -5,8 +5,6 @@ + * Encryption hooks for higher-level filesystem operations. + */ + +-#include +- + #include "fscrypt_private.h" + + /** +@@ -142,7 +140,6 @@ int fscrypt_prepare_setflags(struct inode *inode, + unsigned int oldflags, unsigned int flags) + { + struct fscrypt_info *ci; +- struct key *key; + struct fscrypt_master_key *mk; + int err; + +@@ -158,14 +155,13 @@ int fscrypt_prepare_setflags(struct inode *inode, + ci = inode->i_crypt_info; + if (ci->ci_policy.version != FSCRYPT_POLICY_V2) + return -EINVAL; +- key = ci->ci_master_key; +- mk = key->payload.data[0]; +- down_read(&key->sem); ++ mk = ci->ci_master_key; ++ down_read(&mk->mk_sem); + if (is_master_key_secret_present(&mk->mk_secret)) + err = fscrypt_derive_dirhash_key(ci, mk); + else + err = -ENOKEY; +- up_read(&key->sem); ++ up_read(&mk->mk_sem); + return err; + } + return 0; +diff --git a/fs/crypto/keyring.c b/fs/crypto/keyring.c +index caee9f8620dd..9b98d6a576e6 100644 +--- a/fs/crypto/keyring.c ++++ b/fs/crypto/keyring.c +@@ -18,6 +18,7 @@ + * information about these ioctls. + */ + ++#include + #include + #include + #include +@@ -25,6 +26,18 @@ + + #include "fscrypt_private.h" + ++/* The master encryption keys for a filesystem (->s_master_keys) */ ++struct fscrypt_keyring { ++ /* ++ * Lock that protects ->key_hashtable. It does *not* protect the ++ * fscrypt_master_key structs themselves. ++ */ ++ spinlock_t lock; ++ ++ /* Hash table that maps fscrypt_key_specifier to fscrypt_master_key */ ++ struct hlist_head key_hashtable[128]; ++}; ++ + static void wipe_master_key_secret(struct fscrypt_master_key_secret *secret) + { + fscrypt_destroy_hkdf(&secret->hkdf); +@@ -38,20 +51,70 @@ static void move_master_key_secret(struct fscrypt_master_key_secret *dst, + memzero_explicit(src, sizeof(*src)); + } + +-static void free_master_key(struct fscrypt_master_key *mk) ++static void fscrypt_free_master_key(struct rcu_head *head) ++{ ++ struct fscrypt_master_key *mk = ++ container_of(head, struct fscrypt_master_key, mk_rcu_head); ++ /* ++ * The master key secret and any embedded subkeys should have already ++ * been wiped when the last active reference to the fscrypt_master_key ++ * struct was dropped; doing it here would be unnecessarily late. ++ * Nevertheless, use kfree_sensitive() in case anything was missed. ++ */ ++ kfree_sensitive(mk); ++} ++ ++void fscrypt_put_master_key(struct fscrypt_master_key *mk) ++{ ++ if (!refcount_dec_and_test(&mk->mk_struct_refs)) ++ return; ++ /* ++ * No structural references left, so free ->mk_users, and also free the ++ * fscrypt_master_key struct itself after an RCU grace period ensures ++ * that concurrent keyring lookups can no longer find it. ++ */ ++ WARN_ON(refcount_read(&mk->mk_active_refs) != 0); ++ key_put(mk->mk_users); ++ mk->mk_users = NULL; ++ call_rcu(&mk->mk_rcu_head, fscrypt_free_master_key); ++} ++ ++void fscrypt_put_master_key_activeref(struct fscrypt_master_key *mk) + { ++ struct super_block *sb = mk->mk_sb; ++ struct fscrypt_keyring *keyring = sb->s_master_keys; + size_t i; + +- wipe_master_key_secret(&mk->mk_secret); ++ if (!refcount_dec_and_test(&mk->mk_active_refs)) ++ return; ++ /* ++ * No active references left, so complete the full removal of this ++ * fscrypt_master_key struct by removing it from the keyring and ++ * destroying any subkeys embedded in it. ++ */ ++ ++ spin_lock(&keyring->lock); ++ hlist_del_rcu(&mk->mk_node); ++ spin_unlock(&keyring->lock); ++ ++ /* ++ * ->mk_active_refs == 0 implies that ->mk_secret is not present and ++ * that ->mk_decrypted_inodes is empty. ++ */ ++ WARN_ON(is_master_key_secret_present(&mk->mk_secret)); ++ WARN_ON(!list_empty(&mk->mk_decrypted_inodes)); + + for (i = 0; i <= FSCRYPT_MODE_MAX; i++) { + fscrypt_destroy_prepared_key(&mk->mk_direct_keys[i]); + fscrypt_destroy_prepared_key(&mk->mk_iv_ino_lblk_64_keys[i]); + fscrypt_destroy_prepared_key(&mk->mk_iv_ino_lblk_32_keys[i]); + } ++ memzero_explicit(&mk->mk_ino_hash_key, ++ sizeof(mk->mk_ino_hash_key)); ++ mk->mk_ino_hash_key_initialized = false; + +- key_put(mk->mk_users); +- kfree_sensitive(mk); ++ /* Drop the structural ref associated with the active refs. */ ++ fscrypt_put_master_key(mk); + } + + static inline bool valid_key_spec(const struct fscrypt_key_specifier *spec) +@@ -61,44 +124,6 @@ static inline bool valid_key_spec(const struct fscrypt_key_specifier *spec) + return master_key_spec_len(spec) != 0; + } + +-static int fscrypt_key_instantiate(struct key *key, +- struct key_preparsed_payload *prep) +-{ +- key->payload.data[0] = (struct fscrypt_master_key *)prep->data; +- return 0; +-} +- +-static void fscrypt_key_destroy(struct key *key) +-{ +- free_master_key(key->payload.data[0]); +-} +- +-static void fscrypt_key_describe(const struct key *key, struct seq_file *m) +-{ +- seq_puts(m, key->description); +- +- if (key_is_positive(key)) { +- const struct fscrypt_master_key *mk = key->payload.data[0]; +- +- if (!is_master_key_secret_present(&mk->mk_secret)) +- seq_puts(m, ": secret removed"); +- } +-} +- +-/* +- * Type of key in ->s_master_keys. Each key of this type represents a master +- * key which has been added to the filesystem. Its payload is a +- * 'struct fscrypt_master_key'. The "." prefix in the key type name prevents +- * users from adding keys of this type via the keyrings syscalls rather than via +- * the intended method of FS_IOC_ADD_ENCRYPTION_KEY. +- */ +-static struct key_type key_type_fscrypt = { +- .name = "._fscrypt", +- .instantiate = fscrypt_key_instantiate, +- .destroy = fscrypt_key_destroy, +- .describe = fscrypt_key_describe, +-}; +- + static int fscrypt_user_key_instantiate(struct key *key, + struct key_preparsed_payload *prep) + { +@@ -131,32 +156,6 @@ static struct key_type key_type_fscrypt_user = { + .describe = fscrypt_user_key_describe, + }; + +-/* Search ->s_master_keys or ->mk_users */ +-static struct key *search_fscrypt_keyring(struct key *keyring, +- struct key_type *type, +- const char *description) +-{ +- /* +- * We need to mark the keyring reference as "possessed" so that we +- * acquire permission to search it, via the KEY_POS_SEARCH permission. +- */ +- key_ref_t keyref = make_key_ref(keyring, true /* possessed */); +- +- keyref = keyring_search(keyref, type, description, false); +- if (IS_ERR(keyref)) { +- if (PTR_ERR(keyref) == -EAGAIN || /* not found */ +- PTR_ERR(keyref) == -EKEYREVOKED) /* recently invalidated */ +- keyref = ERR_PTR(-ENOKEY); +- return ERR_CAST(keyref); +- } +- return key_ref_to_ptr(keyref); +-} +- +-#define FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE \ +- (CONST_STRLEN("fscrypt-") + sizeof_field(struct super_block, s_id)) +- +-#define FSCRYPT_MK_DESCRIPTION_SIZE (2 * FSCRYPT_KEY_IDENTIFIER_SIZE + 1) +- + #define FSCRYPT_MK_USERS_DESCRIPTION_SIZE \ + (CONST_STRLEN("fscrypt-") + 2 * FSCRYPT_KEY_IDENTIFIER_SIZE + \ + CONST_STRLEN("-users") + 1) +@@ -164,21 +163,6 @@ static struct key *search_fscrypt_keyring(struct key *keyring, + #define FSCRYPT_MK_USER_DESCRIPTION_SIZE \ + (2 * FSCRYPT_KEY_IDENTIFIER_SIZE + CONST_STRLEN(".uid.") + 10 + 1) + +-static void format_fs_keyring_description( +- char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE], +- const struct super_block *sb) +-{ +- sprintf(description, "fscrypt-%s", sb->s_id); +-} +- +-static void format_mk_description( +- char description[FSCRYPT_MK_DESCRIPTION_SIZE], +- const struct fscrypt_key_specifier *mk_spec) +-{ +- sprintf(description, "%*phN", +- master_key_spec_len(mk_spec), (u8 *)&mk_spec->u); +-} +- + static void format_mk_users_keyring_description( + char description[FSCRYPT_MK_USERS_DESCRIPTION_SIZE], + const u8 mk_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]) +@@ -199,20 +183,15 @@ static void format_mk_user_description( + /* Create ->s_master_keys if needed. Synchronized by fscrypt_add_key_mutex. */ + static int allocate_filesystem_keyring(struct super_block *sb) + { +- char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE]; +- struct key *keyring; ++ struct fscrypt_keyring *keyring; + + if (sb->s_master_keys) + return 0; + +- format_fs_keyring_description(description, sb); +- keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, +- current_cred(), KEY_POS_SEARCH | +- KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW, +- KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); +- if (IS_ERR(keyring)) +- return PTR_ERR(keyring); +- ++ keyring = kzalloc(sizeof(*keyring), GFP_KERNEL); ++ if (!keyring) ++ return -ENOMEM; ++ spin_lock_init(&keyring->lock); + /* + * Pairs with the smp_load_acquire() in fscrypt_find_master_key(). + * I.e., here we publish ->s_master_keys with a RELEASE barrier so that +@@ -222,21 +201,75 @@ static int allocate_filesystem_keyring(struct super_block *sb) + return 0; + } + +-void fscrypt_sb_free(struct super_block *sb) ++/* ++ * This is called at unmount time to release all encryption keys that have been ++ * added to the filesystem, along with the keyring that contains them. ++ * ++ * Note that besides clearing and freeing memory, this might need to evict keys ++ * from the keyslots of an inline crypto engine. Therefore, this must be called ++ * while the filesystem's underlying block device(s) are still available. ++ */ ++void fscrypt_sb_delete(struct super_block *sb) + { +- key_put(sb->s_master_keys); ++ struct fscrypt_keyring *keyring = sb->s_master_keys; ++ size_t i; ++ ++ if (!keyring) ++ return; ++ ++ for (i = 0; i < ARRAY_SIZE(keyring->key_hashtable); i++) { ++ struct hlist_head *bucket = &keyring->key_hashtable[i]; ++ struct fscrypt_master_key *mk; ++ struct hlist_node *tmp; ++ ++ hlist_for_each_entry_safe(mk, tmp, bucket, mk_node) { ++ /* ++ * Since all inodes were already evicted, every key ++ * remaining in the keyring should have an empty inode ++ * list, and should only still be in the keyring due to ++ * the single active ref associated with ->mk_secret. ++ * There should be no structural refs beyond the one ++ * associated with the active ref. ++ */ ++ WARN_ON(refcount_read(&mk->mk_active_refs) != 1); ++ WARN_ON(refcount_read(&mk->mk_struct_refs) != 1); ++ WARN_ON(!is_master_key_secret_present(&mk->mk_secret)); ++ wipe_master_key_secret(&mk->mk_secret); ++ fscrypt_put_master_key_activeref(mk); ++ } ++ } ++ kfree_sensitive(keyring); + sb->s_master_keys = NULL; + } + ++static struct hlist_head * ++fscrypt_mk_hash_bucket(struct fscrypt_keyring *keyring, ++ const struct fscrypt_key_specifier *mk_spec) ++{ ++ /* ++ * Since key specifiers should be "random" values, it is sufficient to ++ * use a trivial hash function that just takes the first several bits of ++ * the key specifier. ++ */ ++ unsigned long i = get_unaligned((unsigned long *)&mk_spec->u); ++ ++ return &keyring->key_hashtable[i % ARRAY_SIZE(keyring->key_hashtable)]; ++} ++ + /* +- * Find the specified master key in ->s_master_keys. +- * Returns ERR_PTR(-ENOKEY) if not found. ++ * Find the specified master key struct in ->s_master_keys and take a structural ++ * ref to it. The structural ref guarantees that the key struct continues to ++ * exist, but it does *not* guarantee that ->s_master_keys continues to contain ++ * the key struct. The structural ref needs to be dropped by ++ * fscrypt_put_master_key(). Returns NULL if the key struct is not found. + */ +-struct key *fscrypt_find_master_key(struct super_block *sb, +- const struct fscrypt_key_specifier *mk_spec) ++struct fscrypt_master_key * ++fscrypt_find_master_key(struct super_block *sb, ++ const struct fscrypt_key_specifier *mk_spec) + { +- struct key *keyring; +- char description[FSCRYPT_MK_DESCRIPTION_SIZE]; ++ struct fscrypt_keyring *keyring; ++ struct hlist_head *bucket; ++ struct fscrypt_master_key *mk; + + /* + * Pairs with the smp_store_release() in allocate_filesystem_keyring(). +@@ -246,10 +279,38 @@ struct key *fscrypt_find_master_key(struct super_block *sb, + */ + keyring = smp_load_acquire(&sb->s_master_keys); + if (keyring == NULL) +- return ERR_PTR(-ENOKEY); /* No keyring yet, so no keys yet. */ +- +- format_mk_description(description, mk_spec); +- return search_fscrypt_keyring(keyring, &key_type_fscrypt, description); ++ return NULL; /* No keyring yet, so no keys yet. */ ++ ++ bucket = fscrypt_mk_hash_bucket(keyring, mk_spec); ++ rcu_read_lock(); ++ switch (mk_spec->type) { ++ case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR: ++ hlist_for_each_entry_rcu(mk, bucket, mk_node) { ++ if (mk->mk_spec.type == ++ FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR && ++ memcmp(mk->mk_spec.u.descriptor, ++ mk_spec->u.descriptor, ++ FSCRYPT_KEY_DESCRIPTOR_SIZE) == 0 && ++ refcount_inc_not_zero(&mk->mk_struct_refs)) ++ goto out; ++ } ++ break; ++ case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER: ++ hlist_for_each_entry_rcu(mk, bucket, mk_node) { ++ if (mk->mk_spec.type == ++ FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER && ++ memcmp(mk->mk_spec.u.identifier, ++ mk_spec->u.identifier, ++ FSCRYPT_KEY_IDENTIFIER_SIZE) == 0 && ++ refcount_inc_not_zero(&mk->mk_struct_refs)) ++ goto out; ++ } ++ break; ++ } ++ mk = NULL; ++out: ++ rcu_read_unlock(); ++ return mk; + } + + static int allocate_master_key_users_keyring(struct fscrypt_master_key *mk) +@@ -277,17 +338,30 @@ static int allocate_master_key_users_keyring(struct fscrypt_master_key *mk) + static struct key *find_master_key_user(struct fscrypt_master_key *mk) + { + char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE]; ++ key_ref_t keyref; + + format_mk_user_description(description, mk->mk_spec.u.identifier); +- return search_fscrypt_keyring(mk->mk_users, &key_type_fscrypt_user, +- description); ++ ++ /* ++ * We need to mark the keyring reference as "possessed" so that we ++ * acquire permission to search it, via the KEY_POS_SEARCH permission. ++ */ ++ keyref = keyring_search(make_key_ref(mk->mk_users, true /*possessed*/), ++ &key_type_fscrypt_user, description, false); ++ if (IS_ERR(keyref)) { ++ if (PTR_ERR(keyref) == -EAGAIN || /* not found */ ++ PTR_ERR(keyref) == -EKEYREVOKED) /* recently invalidated */ ++ keyref = ERR_PTR(-ENOKEY); ++ return ERR_CAST(keyref); ++ } ++ return key_ref_to_ptr(keyref); + } + + /* + * Give the current user a "key" in ->mk_users. This charges the user's quota + * and marks the master key as added by the current user, so that it cannot be +- * removed by another user with the key. Either the master key's key->sem must +- * be held for write, or the master key must be still undergoing initialization. ++ * removed by another user with the key. Either ->mk_sem must be held for ++ * write, or the master key must be still undergoing initialization. + */ + static int add_master_key_user(struct fscrypt_master_key *mk) + { +@@ -309,7 +383,7 @@ static int add_master_key_user(struct fscrypt_master_key *mk) + + /* + * Remove the current user's "key" from ->mk_users. +- * The master key's key->sem must be held for write. ++ * ->mk_sem must be held for write. + * + * Returns 0 if removed, -ENOKEY if not found, or another -errno code. + */ +@@ -327,63 +401,49 @@ static int remove_master_key_user(struct fscrypt_master_key *mk) + } + + /* +- * Allocate a new fscrypt_master_key which contains the given secret, set it as +- * the payload of a new 'struct key' of type fscrypt, and link the 'struct key' +- * into the given keyring. Synchronized by fscrypt_add_key_mutex. ++ * Allocate a new fscrypt_master_key, transfer the given secret over to it, and ++ * insert it into sb->s_master_keys. + */ +-static int add_new_master_key(struct fscrypt_master_key_secret *secret, +- const struct fscrypt_key_specifier *mk_spec, +- struct key *keyring) ++static int add_new_master_key(struct super_block *sb, ++ struct fscrypt_master_key_secret *secret, ++ const struct fscrypt_key_specifier *mk_spec) + { ++ struct fscrypt_keyring *keyring = sb->s_master_keys; + struct fscrypt_master_key *mk; +- char description[FSCRYPT_MK_DESCRIPTION_SIZE]; +- struct key *key; + int err; + + mk = kzalloc(sizeof(*mk), GFP_KERNEL); + if (!mk) + return -ENOMEM; + ++ mk->mk_sb = sb; ++ init_rwsem(&mk->mk_sem); ++ refcount_set(&mk->mk_struct_refs, 1); + mk->mk_spec = *mk_spec; + +- move_master_key_secret(&mk->mk_secret, secret); +- +- refcount_set(&mk->mk_refcount, 1); /* secret is present */ + INIT_LIST_HEAD(&mk->mk_decrypted_inodes); + spin_lock_init(&mk->mk_decrypted_inodes_lock); + + if (mk_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) { + err = allocate_master_key_users_keyring(mk); + if (err) +- goto out_free_mk; ++ goto out_put; + err = add_master_key_user(mk); + if (err) +- goto out_free_mk; ++ goto out_put; + } + +- /* +- * Note that we don't charge this key to anyone's quota, since when +- * ->mk_users is in use those keys are charged instead, and otherwise +- * (when ->mk_users isn't in use) only root can add these keys. +- */ +- format_mk_description(description, mk_spec); +- key = key_alloc(&key_type_fscrypt, description, +- GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), +- KEY_POS_SEARCH | KEY_USR_SEARCH | KEY_USR_VIEW, +- KEY_ALLOC_NOT_IN_QUOTA, NULL); +- if (IS_ERR(key)) { +- err = PTR_ERR(key); +- goto out_free_mk; +- } +- err = key_instantiate_and_link(key, mk, sizeof(*mk), keyring, NULL); +- key_put(key); +- if (err) +- goto out_free_mk; ++ move_master_key_secret(&mk->mk_secret, secret); ++ refcount_set(&mk->mk_active_refs, 1); /* ->mk_secret is present */ + ++ spin_lock(&keyring->lock); ++ hlist_add_head_rcu(&mk->mk_node, ++ fscrypt_mk_hash_bucket(keyring, mk_spec)); ++ spin_unlock(&keyring->lock); + return 0; + +-out_free_mk: +- free_master_key(mk); ++out_put: ++ fscrypt_put_master_key(mk); + return err; + } + +@@ -392,42 +452,34 @@ static int add_new_master_key(struct fscrypt_master_key_secret *secret, + static int add_existing_master_key(struct fscrypt_master_key *mk, + struct fscrypt_master_key_secret *secret) + { +- struct key *mk_user; +- bool rekey; + int err; + + /* + * If the current user is already in ->mk_users, then there's nothing to +- * do. (Not applicable for v1 policy keys, which have NULL ->mk_users.) ++ * do. Otherwise, we need to add the user to ->mk_users. (Neither is ++ * applicable for v1 policy keys, which have NULL ->mk_users.) + */ + if (mk->mk_users) { +- mk_user = find_master_key_user(mk); ++ struct key *mk_user = find_master_key_user(mk); ++ + if (mk_user != ERR_PTR(-ENOKEY)) { + if (IS_ERR(mk_user)) + return PTR_ERR(mk_user); + key_put(mk_user); + return 0; + } +- } +- +- /* If we'll be re-adding ->mk_secret, try to take the reference. */ +- rekey = !is_master_key_secret_present(&mk->mk_secret); +- if (rekey && !refcount_inc_not_zero(&mk->mk_refcount)) +- return KEY_DEAD; +- +- /* Add the current user to ->mk_users, if applicable. */ +- if (mk->mk_users) { + err = add_master_key_user(mk); +- if (err) { +- if (rekey && refcount_dec_and_test(&mk->mk_refcount)) +- return KEY_DEAD; ++ if (err) + return err; +- } + } + + /* Re-add the secret if needed. */ +- if (rekey) ++ if (!is_master_key_secret_present(&mk->mk_secret)) { ++ if (!refcount_inc_not_zero(&mk->mk_active_refs)) ++ return KEY_DEAD; + move_master_key_secret(&mk->mk_secret, secret); ++ } ++ + return 0; + } + +@@ -436,38 +488,36 @@ static int do_add_master_key(struct super_block *sb, + const struct fscrypt_key_specifier *mk_spec) + { + static DEFINE_MUTEX(fscrypt_add_key_mutex); +- struct key *key; ++ struct fscrypt_master_key *mk; + int err; + + mutex_lock(&fscrypt_add_key_mutex); /* serialize find + link */ +-retry: +- key = fscrypt_find_master_key(sb, mk_spec); +- if (IS_ERR(key)) { +- err = PTR_ERR(key); +- if (err != -ENOKEY) +- goto out_unlock; ++ ++ mk = fscrypt_find_master_key(sb, mk_spec); ++ if (!mk) { + /* Didn't find the key in ->s_master_keys. Add it. */ + err = allocate_filesystem_keyring(sb); +- if (err) +- goto out_unlock; +- err = add_new_master_key(secret, mk_spec, sb->s_master_keys); ++ if (!err) ++ err = add_new_master_key(sb, secret, mk_spec); + } else { + /* + * Found the key in ->s_master_keys. Re-add the secret if + * needed, and add the user to ->mk_users if needed. + */ +- down_write(&key->sem); +- err = add_existing_master_key(key->payload.data[0], secret); +- up_write(&key->sem); ++ down_write(&mk->mk_sem); ++ err = add_existing_master_key(mk, secret); ++ up_write(&mk->mk_sem); + if (err == KEY_DEAD) { +- /* Key being removed or needs to be removed */ +- key_invalidate(key); +- key_put(key); +- goto retry; ++ /* ++ * We found a key struct, but it's already been fully ++ * removed. Ignore the old struct and add a new one. ++ * fscrypt_add_key_mutex means we don't need to worry ++ * about concurrent adds. ++ */ ++ err = add_new_master_key(sb, secret, mk_spec); + } +- key_put(key); ++ fscrypt_put_master_key(mk); + } +-out_unlock: + mutex_unlock(&fscrypt_add_key_mutex); + return err; + } +@@ -771,19 +821,19 @@ int fscrypt_verify_key_added(struct super_block *sb, + const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]) + { + struct fscrypt_key_specifier mk_spec; +- struct key *key, *mk_user; + struct fscrypt_master_key *mk; ++ struct key *mk_user; + int err; + + mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; + memcpy(mk_spec.u.identifier, identifier, FSCRYPT_KEY_IDENTIFIER_SIZE); + +- key = fscrypt_find_master_key(sb, &mk_spec); +- if (IS_ERR(key)) { +- err = PTR_ERR(key); ++ mk = fscrypt_find_master_key(sb, &mk_spec); ++ if (!mk) { ++ err = -ENOKEY; + goto out; + } +- mk = key->payload.data[0]; ++ down_read(&mk->mk_sem); + mk_user = find_master_key_user(mk); + if (IS_ERR(mk_user)) { + err = PTR_ERR(mk_user); +@@ -791,7 +841,8 @@ int fscrypt_verify_key_added(struct super_block *sb, + key_put(mk_user); + err = 0; + } +- key_put(key); ++ up_read(&mk->mk_sem); ++ fscrypt_put_master_key(mk); + out: + if (err == -ENOKEY && capable(CAP_FOWNER)) + err = 0; +@@ -953,11 +1004,10 @@ static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users) + struct super_block *sb = file_inode(filp)->i_sb; + struct fscrypt_remove_key_arg __user *uarg = _uarg; + struct fscrypt_remove_key_arg arg; +- struct key *key; + struct fscrypt_master_key *mk; + u32 status_flags = 0; + int err; +- bool dead; ++ bool inodes_remain; + + if (copy_from_user(&arg, uarg, sizeof(arg))) + return -EFAULT; +@@ -977,12 +1027,10 @@ static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users) + return -EACCES; + + /* Find the key being removed. */ +- key = fscrypt_find_master_key(sb, &arg.key_spec); +- if (IS_ERR(key)) +- return PTR_ERR(key); +- mk = key->payload.data[0]; +- +- down_write(&key->sem); ++ mk = fscrypt_find_master_key(sb, &arg.key_spec); ++ if (!mk) ++ return -ENOKEY; ++ down_write(&mk->mk_sem); + + /* If relevant, remove current user's (or all users) claim to the key */ + if (mk->mk_users && mk->mk_users->keys.nr_leaves_on_tree != 0) { +@@ -991,7 +1039,7 @@ static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users) + else + err = remove_master_key_user(mk); + if (err) { +- up_write(&key->sem); ++ up_write(&mk->mk_sem); + goto out_put_key; + } + if (mk->mk_users->keys.nr_leaves_on_tree != 0) { +@@ -1003,26 +1051,22 @@ static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users) + status_flags |= + FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS; + err = 0; +- up_write(&key->sem); ++ up_write(&mk->mk_sem); + goto out_put_key; + } + } + + /* No user claims remaining. Go ahead and wipe the secret. */ +- dead = false; ++ err = -ENOKEY; + if (is_master_key_secret_present(&mk->mk_secret)) { + wipe_master_key_secret(&mk->mk_secret); +- dead = refcount_dec_and_test(&mk->mk_refcount); +- } +- up_write(&key->sem); +- if (dead) { +- /* +- * No inodes reference the key, and we wiped the secret, so the +- * key object is free to be removed from the keyring. +- */ +- key_invalidate(key); ++ fscrypt_put_master_key_activeref(mk); + err = 0; +- } else { ++ } ++ inodes_remain = refcount_read(&mk->mk_active_refs) > 0; ++ up_write(&mk->mk_sem); ++ ++ if (inodes_remain) { + /* Some inodes still reference this key; try to evict them. */ + err = try_to_lock_encrypted_files(sb, mk); + if (err == -EBUSY) { +@@ -1038,7 +1082,7 @@ static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users) + * has been fully removed including all files locked. + */ + out_put_key: +- key_put(key); ++ fscrypt_put_master_key(mk); + if (err == 0) + err = put_user(status_flags, &uarg->removal_status_flags); + return err; +@@ -1085,7 +1129,6 @@ int fscrypt_ioctl_get_key_status(struct file *filp, void __user *uarg) + { + struct super_block *sb = file_inode(filp)->i_sb; + struct fscrypt_get_key_status_arg arg; +- struct key *key; + struct fscrypt_master_key *mk; + int err; + +@@ -1102,19 +1145,18 @@ int fscrypt_ioctl_get_key_status(struct file *filp, void __user *uarg) + arg.user_count = 0; + memset(arg.__out_reserved, 0, sizeof(arg.__out_reserved)); + +- key = fscrypt_find_master_key(sb, &arg.key_spec); +- if (IS_ERR(key)) { +- if (key != ERR_PTR(-ENOKEY)) +- return PTR_ERR(key); ++ mk = fscrypt_find_master_key(sb, &arg.key_spec); ++ if (!mk) { + arg.status = FSCRYPT_KEY_STATUS_ABSENT; + err = 0; + goto out; + } +- mk = key->payload.data[0]; +- down_read(&key->sem); ++ down_read(&mk->mk_sem); + + if (!is_master_key_secret_present(&mk->mk_secret)) { +- arg.status = FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED; ++ arg.status = refcount_read(&mk->mk_active_refs) > 0 ? ++ FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED : ++ FSCRYPT_KEY_STATUS_ABSENT /* raced with full removal */; + err = 0; + goto out_release_key; + } +@@ -1136,8 +1178,8 @@ int fscrypt_ioctl_get_key_status(struct file *filp, void __user *uarg) + } + err = 0; + out_release_key: +- up_read(&key->sem); +- key_put(key); ++ up_read(&mk->mk_sem); ++ fscrypt_put_master_key(mk); + out: + if (!err && copy_to_user(uarg, &arg, sizeof(arg))) + err = -EFAULT; +@@ -1149,13 +1191,9 @@ int __init fscrypt_init_keyring(void) + { + int err; + +- err = register_key_type(&key_type_fscrypt); +- if (err) +- return err; +- + err = register_key_type(&key_type_fscrypt_user); + if (err) +- goto err_unregister_fscrypt; ++ return err; + + err = register_key_type(&key_type_fscrypt_provisioning); + if (err) +@@ -1165,7 +1203,5 @@ int __init fscrypt_init_keyring(void) + + err_unregister_fscrypt_user: + unregister_key_type(&key_type_fscrypt_user); +-err_unregister_fscrypt: +- unregister_key_type(&key_type_fscrypt); + return err; + } +diff --git a/fs/crypto/keysetup.c b/fs/crypto/keysetup.c +index fbc71abdabe3..e037a7b8e9e4 100644 +--- a/fs/crypto/keysetup.c ++++ b/fs/crypto/keysetup.c +@@ -9,7 +9,6 @@ + */ + + #include +-#include + #include + + #include "fscrypt_private.h" +@@ -159,6 +158,7 @@ void fscrypt_destroy_prepared_key(struct fscrypt_prepared_key *prep_key) + { + crypto_free_skcipher(prep_key->tfm); + fscrypt_destroy_inline_crypt_key(prep_key); ++ memzero_explicit(prep_key, sizeof(*prep_key)); + } + + /* Given a per-file encryption key, set up the file's crypto transform object */ +@@ -412,20 +412,18 @@ static bool fscrypt_valid_master_key_size(const struct fscrypt_master_key *mk, + /* + * Find the master key, then set up the inode's actual encryption key. + * +- * If the master key is found in the filesystem-level keyring, then the +- * corresponding 'struct key' is returned in *master_key_ret with its semaphore +- * read-locked. This is needed to ensure that only one task links the +- * fscrypt_info into ->mk_decrypted_inodes (as multiple tasks may race to create +- * an fscrypt_info for the same inode), and to synchronize the master key being +- * removed with a new inode starting to use it. ++ * If the master key is found in the filesystem-level keyring, then it is ++ * returned in *mk_ret with its semaphore read-locked. This is needed to ensure ++ * that only one task links the fscrypt_info into ->mk_decrypted_inodes (as ++ * multiple tasks may race to create an fscrypt_info for the same inode), and to ++ * synchronize the master key being removed with a new inode starting to use it. + */ + static int setup_file_encryption_key(struct fscrypt_info *ci, + bool need_dirhash_key, +- struct key **master_key_ret) ++ struct fscrypt_master_key **mk_ret) + { +- struct key *key; +- struct fscrypt_master_key *mk = NULL; + struct fscrypt_key_specifier mk_spec; ++ struct fscrypt_master_key *mk; + int err; + + err = fscrypt_select_encryption_impl(ci); +@@ -436,11 +434,10 @@ static int setup_file_encryption_key(struct fscrypt_info *ci, + if (err) + return err; + +- key = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec); +- if (IS_ERR(key)) { +- if (key != ERR_PTR(-ENOKEY) || +- ci->ci_policy.version != FSCRYPT_POLICY_V1) +- return PTR_ERR(key); ++ mk = fscrypt_find_master_key(ci->ci_inode->i_sb, &mk_spec); ++ if (!mk) { ++ if (ci->ci_policy.version != FSCRYPT_POLICY_V1) ++ return -ENOKEY; + + /* + * As a legacy fallback for v1 policies, search for the key in +@@ -450,9 +447,7 @@ static int setup_file_encryption_key(struct fscrypt_info *ci, + */ + return fscrypt_setup_v1_file_key_via_subscribed_keyrings(ci); + } +- +- mk = key->payload.data[0]; +- down_read(&key->sem); ++ down_read(&mk->mk_sem); + + /* Has the secret been removed (via FS_IOC_REMOVE_ENCRYPTION_KEY)? */ + if (!is_master_key_secret_present(&mk->mk_secret)) { +@@ -480,18 +475,18 @@ static int setup_file_encryption_key(struct fscrypt_info *ci, + if (err) + goto out_release_key; + +- *master_key_ret = key; ++ *mk_ret = mk; + return 0; + + out_release_key: +- up_read(&key->sem); +- key_put(key); ++ up_read(&mk->mk_sem); ++ fscrypt_put_master_key(mk); + return err; + } + + static void put_crypt_info(struct fscrypt_info *ci) + { +- struct key *key; ++ struct fscrypt_master_key *mk; + + if (!ci) + return; +@@ -501,24 +496,18 @@ static void put_crypt_info(struct fscrypt_info *ci) + else if (ci->ci_owns_key) + fscrypt_destroy_prepared_key(&ci->ci_enc_key); + +- key = ci->ci_master_key; +- if (key) { +- struct fscrypt_master_key *mk = key->payload.data[0]; +- ++ mk = ci->ci_master_key; ++ if (mk) { + /* + * Remove this inode from the list of inodes that were unlocked +- * with the master key. +- * +- * In addition, if we're removing the last inode from a key that +- * already had its secret removed, invalidate the key so that it +- * gets removed from ->s_master_keys. ++ * with the master key. In addition, if we're removing the last ++ * inode from a master key struct that already had its secret ++ * removed, then complete the full removal of the struct. + */ + spin_lock(&mk->mk_decrypted_inodes_lock); + list_del(&ci->ci_master_key_link); + spin_unlock(&mk->mk_decrypted_inodes_lock); +- if (refcount_dec_and_test(&mk->mk_refcount)) +- key_invalidate(key); +- key_put(key); ++ fscrypt_put_master_key_activeref(mk); + } + memzero_explicit(ci, sizeof(*ci)); + kmem_cache_free(fscrypt_info_cachep, ci); +@@ -532,7 +521,7 @@ fscrypt_setup_encryption_info(struct inode *inode, + { + struct fscrypt_info *crypt_info; + struct fscrypt_mode *mode; +- struct key *master_key = NULL; ++ struct fscrypt_master_key *mk = NULL; + int res; + + res = fscrypt_initialize(inode->i_sb->s_cop->flags); +@@ -555,8 +544,7 @@ fscrypt_setup_encryption_info(struct inode *inode, + WARN_ON(mode->ivsize > FSCRYPT_MAX_IV_SIZE); + crypt_info->ci_mode = mode; + +- res = setup_file_encryption_key(crypt_info, need_dirhash_key, +- &master_key); ++ res = setup_file_encryption_key(crypt_info, need_dirhash_key, &mk); + if (res) + goto out; + +@@ -571,12 +559,9 @@ fscrypt_setup_encryption_info(struct inode *inode, + * We won the race and set ->i_crypt_info to our crypt_info. + * Now link it into the master key's inode list. + */ +- if (master_key) { +- struct fscrypt_master_key *mk = +- master_key->payload.data[0]; +- +- refcount_inc(&mk->mk_refcount); +- crypt_info->ci_master_key = key_get(master_key); ++ if (mk) { ++ crypt_info->ci_master_key = mk; ++ refcount_inc(&mk->mk_active_refs); + spin_lock(&mk->mk_decrypted_inodes_lock); + list_add(&crypt_info->ci_master_key_link, + &mk->mk_decrypted_inodes); +@@ -586,9 +571,9 @@ fscrypt_setup_encryption_info(struct inode *inode, + } + res = 0; + out: +- if (master_key) { +- up_read(&master_key->sem); +- key_put(master_key); ++ if (mk) { ++ up_read(&mk->mk_sem); ++ fscrypt_put_master_key(mk); + } + put_crypt_info(crypt_info); + return res; +@@ -753,7 +738,6 @@ EXPORT_SYMBOL(fscrypt_free_inode); + int fscrypt_drop_inode(struct inode *inode) + { + const struct fscrypt_info *ci = fscrypt_get_info(inode); +- const struct fscrypt_master_key *mk; + + /* + * If ci is NULL, then the inode doesn't have an encryption key set up +@@ -763,7 +747,6 @@ int fscrypt_drop_inode(struct inode *inode) + */ + if (!ci || !ci->ci_master_key) + return 0; +- mk = ci->ci_master_key->payload.data[0]; + + /* + * With proper, non-racy use of FS_IOC_REMOVE_ENCRYPTION_KEY, all inodes +@@ -782,6 +765,6 @@ int fscrypt_drop_inode(struct inode *inode) + * then the thread removing the key will either evict the inode itself + * or will correctly detect that it wasn't evicted due to the race. + */ +- return !is_master_key_secret_present(&mk->mk_secret); ++ return !is_master_key_secret_present(&ci->ci_master_key->mk_secret); + } + EXPORT_SYMBOL_GPL(fscrypt_drop_inode); +diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c +index 80b8ca0f340b..8485e7eaee2b 100644 +--- a/fs/crypto/policy.c ++++ b/fs/crypto/policy.c +@@ -744,12 +744,8 @@ int fscrypt_set_context(struct inode *inode, void *fs_data) + * delayed key setup that requires the inode number. + */ + if (ci->ci_policy.version == FSCRYPT_POLICY_V2 && +- (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) { +- const struct fscrypt_master_key *mk = +- ci->ci_master_key->payload.data[0]; +- +- fscrypt_hash_inode_number(ci, mk); +- } ++ (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) ++ fscrypt_hash_inode_number(ci, ci->ci_master_key); + + return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, fs_data); + } +diff --git a/fs/super.c b/fs/super.c +index 734ed584a946..6a82660e1adb 100644 +--- a/fs/super.c ++++ b/fs/super.c +@@ -291,7 +291,6 @@ static void __put_super(struct super_block *s) + WARN_ON(s->s_inode_lru.node); + WARN_ON(!list_empty(&s->s_mounts)); + security_sb_free(s); +- fscrypt_sb_free(s); + put_user_ns(s->s_user_ns); + kfree(s->s_subtype); + call_rcu(&s->rcu, destroy_super_rcu); +@@ -480,6 +479,7 @@ void generic_shutdown_super(struct super_block *sb) + evict_inodes(sb); + /* only nonzero refcount inodes can have marks */ + fsnotify_sb_delete(sb); ++ fscrypt_sb_delete(sb); + security_sb_delete(sb); + + if (sb->s_dio_done_wq) { +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 56a4b4b02477..7203f5582fd4 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1472,7 +1472,7 @@ struct super_block { + const struct xattr_handler **s_xattr; + #ifdef CONFIG_FS_ENCRYPTION + const struct fscrypt_operations *s_cop; +- struct key *s_master_keys; /* master crypto keys in use */ ++ struct fscrypt_keyring *s_master_keys; /* master crypto keys in use */ + #endif + #ifdef CONFIG_FS_VERITY + const struct fsverity_operations *s_vop; +diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h +index 7d2f1e0f23b1..d86f43bd9550 100644 +--- a/include/linux/fscrypt.h ++++ b/include/linux/fscrypt.h +@@ -312,7 +312,7 @@ fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy) + } + + /* keyring.c */ +-void fscrypt_sb_free(struct super_block *sb); ++void fscrypt_sb_delete(struct super_block *sb); + int fscrypt_ioctl_add_key(struct file *filp, void __user *arg); + int fscrypt_add_test_dummy_key(struct super_block *sb, + const struct fscrypt_dummy_policy *dummy_policy); +@@ -526,7 +526,7 @@ fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy) + } + + /* keyring.c */ +-static inline void fscrypt_sb_free(struct super_block *sb) ++static inline void fscrypt_sb_delete(struct super_block *sb) + { + } + +-- +2.35.1 + diff --git a/queue-6.0/fsi-core-check-error-number-after-calling-ida_simple.patch b/queue-6.0/fsi-core-check-error-number-after-calling-ida_simple.patch new file mode 100644 index 00000000000..b33281dade7 --- /dev/null +++ b/queue-6.0/fsi-core-check-error-number-after-calling-ida_simple.patch @@ -0,0 +1,41 @@ +From 9b88d0d2e3e07889b90f8cd007c2a68f7da52233 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jan 2022 15:34:11 +0800 +Subject: fsi: core: Check error number after calling ida_simple_get + +From: Jiasheng Jiang + +[ Upstream commit 35af9fb49bc5c6d61ef70b501c3a56fe161cce3e ] + +If allocation fails, the ida_simple_get() will return error number. +So master->idx could be error number and be used in dev_set_name(). +Therefore, it should be better to check it and return error if fails, +like the ida_simple_get() in __fsi_get_new_minor(). + +Fixes: 09aecfab93b8 ("drivers/fsi: Add fsi master definition") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Eddie James +Link: https://lore.kernel.org/r/20220111073411.614138-1-jiasheng@iscas.ac.cn +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c +index 3a7b78e36701..5858e6339a10 100644 +--- a/drivers/fsi/fsi-core.c ++++ b/drivers/fsi/fsi-core.c +@@ -1314,6 +1314,9 @@ int fsi_master_register(struct fsi_master *master) + + mutex_init(&master->scan_lock); + master->idx = ida_simple_get(&master_ida, 0, INT_MAX, GFP_KERNEL); ++ if (master->idx < 0) ++ return master->idx; ++ + dev_set_name(&master->dev, "fsi%d", master->idx); + master->dev.class = &fsi_master_class; + +-- +2.35.1 + diff --git a/queue-6.0/fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch b/queue-6.0/fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch new file mode 100644 index 00000000000..17c9be08066 --- /dev/null +++ b/queue-6.0/fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch @@ -0,0 +1,43 @@ +From 0e2d0ea45d17e526358fe2d168129f8922c2e68b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 08:59:11 +0000 +Subject: fsi: master-ast-cf: Fix missing of_node_put in fsi_master_acf_probe + +From: Lv Ruyi + +[ Upstream commit 182d98e00e4745fe253cb0c24c63bbac253464a2 ] + +of_parse_phandle returns node pointer with refcount incremented, use +of_node_put() on it when done. + +Reported-by: Zeal Robot +Signed-off-by: Lv Ruyi +Link: https://lore.kernel.org/r/20220407085911.2491719-1-lv.ruyi@zte.com.cn +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-master-ast-cf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/fsi/fsi-master-ast-cf.c b/drivers/fsi/fsi-master-ast-cf.c +index 24292acdbaf8..5f608ef8b53c 100644 +--- a/drivers/fsi/fsi-master-ast-cf.c ++++ b/drivers/fsi/fsi-master-ast-cf.c +@@ -1324,12 +1324,14 @@ static int fsi_master_acf_probe(struct platform_device *pdev) + } + master->cvic = devm_of_iomap(&pdev->dev, np, 0, NULL); + if (IS_ERR(master->cvic)) { ++ of_node_put(np); + rc = PTR_ERR(master->cvic); + dev_err(&pdev->dev, "Error %d mapping CVIC\n", rc); + goto err_free; + } + rc = of_property_read_u32(np, "copro-sw-interrupts", + &master->cvic_sw_irq); ++ of_node_put(np); + if (rc) { + dev_err(&pdev->dev, "Can't find coprocessor SW interrupt\n"); + goto err_free; +-- +2.35.1 + diff --git a/queue-6.0/fsi-occ-prevent-use-after-free.patch b/queue-6.0/fsi-occ-prevent-use-after-free.patch new file mode 100644 index 00000000000..267d0852e70 --- /dev/null +++ b/queue-6.0/fsi-occ-prevent-use-after-free.patch @@ -0,0 +1,84 @@ +From 38dd4dbcec2bc5c17635735dc807dfef21ddf22b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 May 2022 14:44:24 -0500 +Subject: fsi: occ: Prevent use after free + +From: Eddie James + +[ Upstream commit d3e1e24604031b0d83b6c2d38f54eeea265cfcc0 ] + +Use get_device and put_device in the open and close functions to +make sure the device doesn't get freed while a file descriptor is +open. +Also, lock around the freeing of the device buffer and check the +buffer before using it in the submit function. + +Signed-off-by: Eddie James +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20220513194424.53468-1-eajames@linux.ibm.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/fsi/fsi-occ.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/fsi/fsi-occ.c b/drivers/fsi/fsi-occ.c +index c9cc75fbdfb9..28c176d038a2 100644 +--- a/drivers/fsi/fsi-occ.c ++++ b/drivers/fsi/fsi-occ.c +@@ -94,6 +94,7 @@ static int occ_open(struct inode *inode, struct file *file) + client->occ = occ; + mutex_init(&client->lock); + file->private_data = client; ++ get_device(occ->dev); + + /* We allocate a 1-page buffer, make sure it all fits */ + BUILD_BUG_ON((OCC_CMD_DATA_BYTES + 3) > PAGE_SIZE); +@@ -197,6 +198,7 @@ static int occ_release(struct inode *inode, struct file *file) + { + struct occ_client *client = file->private_data; + ++ put_device(client->occ->dev); + free_page((unsigned long)client->buffer); + kfree(client); + +@@ -493,12 +495,19 @@ int fsi_occ_submit(struct device *dev, const void *request, size_t req_len, + for (i = 1; i < req_len - 2; ++i) + checksum += byte_request[i]; + +- mutex_lock(&occ->occ_lock); ++ rc = mutex_lock_interruptible(&occ->occ_lock); ++ if (rc) ++ return rc; + + occ->client_buffer = response; + occ->client_buffer_size = user_resp_len; + occ->client_response_size = 0; + ++ if (!occ->buffer) { ++ rc = -ENOENT; ++ goto done; ++ } ++ + /* + * Get a sequence number and update the counter. Avoid a sequence + * number of 0 which would pass the response check below even if the +@@ -671,10 +680,13 @@ static int occ_remove(struct platform_device *pdev) + { + struct occ *occ = platform_get_drvdata(pdev); + +- kvfree(occ->buffer); +- + misc_deregister(&occ->mdev); + ++ mutex_lock(&occ->occ_lock); ++ kvfree(occ->buffer); ++ occ->buffer = NULL; ++ mutex_unlock(&occ->occ_lock); ++ + device_for_each_child(&pdev->dev, NULL, occ_unregister_child); + + ida_simple_remove(&occ_ida, occ->idx); +-- +2.35.1 + diff --git a/queue-6.0/ftrace-fix-recursive-locking-direct_mutex-in-ftrace_.patch b/queue-6.0/ftrace-fix-recursive-locking-direct_mutex-in-ftrace_.patch new file mode 100644 index 00000000000..c84cf11fa2c --- /dev/null +++ b/queue-6.0/ftrace-fix-recursive-locking-direct_mutex-in-ftrace_.patch @@ -0,0 +1,128 @@ +From a88fe03cfa1c0412a5840ef0e70e445a1d4514d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 17:41:46 -0700 +Subject: ftrace: Fix recursive locking direct_mutex in + ftrace_modify_direct_caller + +From: Song Liu + +[ Upstream commit 9d2ce78ddcee159eb6a97449e9c68b6d60b9cec4 ] + +Naveen reported recursive locking of direct_mutex with sample +ftrace-direct-modify.ko: + +[ 74.762406] WARNING: possible recursive locking detected +[ 74.762887] 6.0.0-rc6+ #33 Not tainted +[ 74.763216] -------------------------------------------- +[ 74.763672] event-sample-fn/1084 is trying to acquire lock: +[ 74.764152] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \ + register_ftrace_function+0x1f/0x180 +[ 74.764922] +[ 74.764922] but task is already holding lock: +[ 74.765421] ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \ + modify_ftrace_direct+0x34/0x1f0 +[ 74.766142] +[ 74.766142] other info that might help us debug this: +[ 74.766701] Possible unsafe locking scenario: +[ 74.766701] +[ 74.767216] CPU0 +[ 74.767437] ---- +[ 74.767656] lock(direct_mutex); +[ 74.767952] lock(direct_mutex); +[ 74.768245] +[ 74.768245] *** DEADLOCK *** +[ 74.768245] +[ 74.768750] May be due to missing lock nesting notation +[ 74.768750] +[ 74.769332] 1 lock held by event-sample-fn/1084: +[ 74.769731] #0: ffffffff86c9d6b0 (direct_mutex){+.+.}-{3:3}, at: \ + modify_ftrace_direct+0x34/0x1f0 +[ 74.770496] +[ 74.770496] stack backtrace: +[ 74.770884] CPU: 4 PID: 1084 Comm: event-sample-fn Not tainted ... +[ 74.771498] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ... +[ 74.772474] Call Trace: +[ 74.772696] +[ 74.772896] dump_stack_lvl+0x44/0x5b +[ 74.773223] __lock_acquire.cold.74+0xac/0x2b7 +[ 74.773616] lock_acquire+0xd2/0x310 +[ 74.773936] ? register_ftrace_function+0x1f/0x180 +[ 74.774357] ? lock_is_held_type+0xd8/0x130 +[ 74.774744] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] +[ 74.775213] __mutex_lock+0x99/0x1010 +[ 74.775536] ? register_ftrace_function+0x1f/0x180 +[ 74.775954] ? slab_free_freelist_hook.isra.43+0x115/0x160 +[ 74.776424] ? ftrace_set_hash+0x195/0x220 +[ 74.776779] ? register_ftrace_function+0x1f/0x180 +[ 74.777194] ? kfree+0x3e1/0x440 +[ 74.777482] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] +[ 74.777941] ? __schedule+0xb40/0xb40 +[ 74.778258] ? register_ftrace_function+0x1f/0x180 +[ 74.778672] ? my_tramp1+0xf/0xf [ftrace_direct_modify] +[ 74.779128] register_ftrace_function+0x1f/0x180 +[ 74.779527] ? ftrace_set_filter_ip+0x33/0x70 +[ 74.779910] ? __schedule+0xb40/0xb40 +[ 74.780231] ? my_tramp1+0xf/0xf [ftrace_direct_modify] +[ 74.780678] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] +[ 74.781147] ftrace_modify_direct_caller+0x5b/0x90 +[ 74.781563] ? 0xffffffffa0201000 +[ 74.781859] ? my_tramp1+0xf/0xf [ftrace_direct_modify] +[ 74.782309] modify_ftrace_direct+0x1b2/0x1f0 +[ 74.782690] ? __schedule+0xb40/0xb40 +[ 74.783014] ? simple_thread+0x2a/0xb0 [ftrace_direct_modify] +[ 74.783508] ? __schedule+0xb40/0xb40 +[ 74.783832] ? my_tramp2+0x11/0x11 [ftrace_direct_modify] +[ 74.784294] simple_thread+0x76/0xb0 [ftrace_direct_modify] +[ 74.784766] kthread+0xf5/0x120 +[ 74.785052] ? kthread_complete_and_exit+0x20/0x20 +[ 74.785464] ret_from_fork+0x22/0x30 +[ 74.785781] + +Fix this by using register_ftrace_function_nolock in +ftrace_modify_direct_caller. + +Link: https://lkml.kernel.org/r/20220927004146.1215303-1-song@kernel.org + +Fixes: 53cd885bc5c3 ("ftrace: Allow IPMODIFY and DIRECT ops on the same function") +Reported-and-tested-by: Naveen N. Rao +Signed-off-by: Song Liu +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/ftrace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 2edda4962367..83362a155791 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -5439,6 +5439,8 @@ static struct ftrace_ops stub_ops = { + * it is safe to modify the ftrace record, where it should be + * currently calling @old_addr directly, to call @new_addr. + * ++ * This is called with direct_mutex locked. ++ * + * Safety checks should be made to make sure that the code at + * @rec->ip is currently calling @old_addr. And this must + * also update entry->direct to @new_addr. +@@ -5451,6 +5453,8 @@ int __weak ftrace_modify_direct_caller(struct ftrace_func_entry *entry, + unsigned long ip = rec->ip; + int ret; + ++ lockdep_assert_held(&direct_mutex); ++ + /* + * The ftrace_lock was used to determine if the record + * had more than one registered user to it. If it did, +@@ -5473,7 +5477,7 @@ int __weak ftrace_modify_direct_caller(struct ftrace_func_entry *entry, + if (ret) + goto out_lock; + +- ret = register_ftrace_function(&stub_ops); ++ ret = register_ftrace_function_nolock(&stub_ops); + if (ret) { + ftrace_set_filter_ip(&stub_ops, ip, 1, 0); + goto out_lock; +-- +2.35.1 + diff --git a/queue-6.0/gpu-lontium-lt9611-fix-null-pointer-dereference-in-l.patch b/queue-6.0/gpu-lontium-lt9611-fix-null-pointer-dereference-in-l.patch new file mode 100644 index 00000000000..fd2ee272d65 --- /dev/null +++ b/queue-6.0/gpu-lontium-lt9611-fix-null-pointer-dereference-in-l.patch @@ -0,0 +1,48 @@ +From 1e6acc9484262499cdc1df7b7051273c3341a80a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 15:31:19 +0800 +Subject: gpu: lontium-lt9611: Fix NULL pointer dereference in + lt9611_connector_init() + +From: Zeng Jingxiang + +[ Upstream commit ef8886f321c5dab8124b9153d25afa2a71d05323 ] + +A NULL check for bridge->encoder shows that it may be NULL, but it +already been dereferenced on all paths leading to the check. +812 if (!bridge->encoder) { + +Dereference the pointer bridge->encoder. +810 drm_connector_attach_encoder(<9611->connector, bridge->encoder); + +Signed-off-by: Zeng Jingxiang +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20220727073119.1578972-1-zengjx95@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt9611.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt9611.c b/drivers/gpu/drm/bridge/lontium-lt9611.c +index 8a60e83482a0..5fccacc159f0 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt9611.c ++++ b/drivers/gpu/drm/bridge/lontium-lt9611.c +@@ -813,13 +813,14 @@ static int lt9611_connector_init(struct drm_bridge *bridge, struct lt9611 *lt961 + + drm_connector_helper_add(<9611->connector, + <9611_bridge_connector_helper_funcs); +- drm_connector_attach_encoder(<9611->connector, bridge->encoder); + + if (!bridge->encoder) { + DRM_ERROR("Parent encoder object not found"); + return -ENODEV; + } + ++ drm_connector_attach_encoder(<9611->connector, bridge->encoder); ++ + return 0; + } + +-- +2.35.1 + diff --git a/queue-6.0/habanalabs-ignore-eeprom-errors-during-boot.patch b/queue-6.0/habanalabs-ignore-eeprom-errors-during-boot.patch new file mode 100644 index 00000000000..b41cb2fb283 --- /dev/null +++ b/queue-6.0/habanalabs-ignore-eeprom-errors-during-boot.patch @@ -0,0 +1,74 @@ +From e067f3eae04f2cd15f85ad1aa5ec1126ed273d06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 16:23:56 +0300 +Subject: habanalabs: ignore EEPROM errors during boot + +From: Ofir Bitton + +[ Upstream commit d155df4f628a5312a485235aa8cc5ba78e11ea65 ] + +EEPROM errors reported by firmware are basically warnings and +should not fail the boot process. + +Signed-off-by: Ofir Bitton +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +--- + drivers/misc/habanalabs/common/firmware_if.c | 9 +++++++++ + drivers/misc/habanalabs/include/common/hl_boot_if.h | 5 +++++ + 2 files changed, 14 insertions(+) + +diff --git a/drivers/misc/habanalabs/common/firmware_if.c b/drivers/misc/habanalabs/common/firmware_if.c +index 608ca67527a5..4a3350ee87d3 100644 +--- a/drivers/misc/habanalabs/common/firmware_if.c ++++ b/drivers/misc/habanalabs/common/firmware_if.c +@@ -581,6 +581,15 @@ static bool fw_report_boot_dev0(struct hl_device *hdev, u32 err_val, + dev_dbg(hdev->dev, "Device status0 %#x\n", sts_val); + + /* All warnings should go here in order not to reach the unknown error validation */ ++ if (err_val & CPU_BOOT_ERR0_EEPROM_FAIL) { ++ dev_warn(hdev->dev, ++ "Device boot warning - EEPROM failure detected, default settings applied\n"); ++ /* This is a warning so we don't want it to disable the ++ * device ++ */ ++ err_val &= ~CPU_BOOT_ERR0_EEPROM_FAIL; ++ } ++ + if (err_val & CPU_BOOT_ERR0_DRAM_SKIPPED) { + dev_warn(hdev->dev, + "Device boot warning - Skipped DRAM initialization\n"); +diff --git a/drivers/misc/habanalabs/include/common/hl_boot_if.h b/drivers/misc/habanalabs/include/common/hl_boot_if.h +index a3594119bc51..3e705355c9cc 100644 +--- a/drivers/misc/habanalabs/include/common/hl_boot_if.h ++++ b/drivers/misc/habanalabs/include/common/hl_boot_if.h +@@ -34,6 +34,7 @@ enum cpu_boot_err { + CPU_BOOT_ERR_BINNING_FAIL = 19, + CPU_BOOT_ERR_TPM_FAIL = 20, + CPU_BOOT_ERR_TMP_THRESH_INIT_FAIL = 21, ++ CPU_BOOT_ERR_EEPROM_FAIL = 22, + CPU_BOOT_ERR_ENABLED = 31, + CPU_BOOT_ERR_SCND_EN = 63, + CPU_BOOT_ERR_LAST = 64 /* we have 2 registers of 32 bits */ +@@ -115,6 +116,9 @@ enum cpu_boot_err { + * CPU_BOOT_ERR0_TMP_THRESH_INIT_FAIL Failed to set threshold for tmperature + * sensor. + * ++ * CPU_BOOT_ERR_EEPROM_FAIL Failed reading EEPROM data. Defaults ++ * are used. ++ * + * CPU_BOOT_ERR0_ENABLED Error registers enabled. + * This is a main indication that the + * running FW populates the error +@@ -139,6 +143,7 @@ enum cpu_boot_err { + #define CPU_BOOT_ERR0_BINNING_FAIL (1 << CPU_BOOT_ERR_BINNING_FAIL) + #define CPU_BOOT_ERR0_TPM_FAIL (1 << CPU_BOOT_ERR_TPM_FAIL) + #define CPU_BOOT_ERR0_TMP_THRESH_INIT_FAIL (1 << CPU_BOOT_ERR_TMP_THRESH_INIT_FAIL) ++#define CPU_BOOT_ERR0_EEPROM_FAIL (1 << CPU_BOOT_ERR_EEPROM_FAIL) + #define CPU_BOOT_ERR0_ENABLED (1 << CPU_BOOT_ERR_ENABLED) + #define CPU_BOOT_ERR1_ENABLED (1 << CPU_BOOT_ERR_ENABLED) + +-- +2.35.1 + diff --git a/queue-6.0/habanalabs-remove-some-f-w-descriptor-validations.patch b/queue-6.0/habanalabs-remove-some-f-w-descriptor-validations.patch new file mode 100644 index 00000000000..bf7ec5b506b --- /dev/null +++ b/queue-6.0/habanalabs-remove-some-f-w-descriptor-validations.patch @@ -0,0 +1,108 @@ +From a928eb142a44c95f2afeca52d15c285ff4d4bce8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 13:01:03 +0300 +Subject: habanalabs: remove some f/w descriptor validations + +From: farah kassabri + +[ Upstream commit 6b9b9e244fdd0d6c5ee21b7b9d74282d9e43733a ] + +To be forward-backward compatible with the firmware in the initial +communication during preboot, we need to remove the validation of the +header size. This will allow us to add more fields to the +lkd_fw_comms_desc structure. + +Instead of the validation of the header size, we just print warning +when some mismatch in descriptor has been revealed, and we calculate +the CRC base on descriptor size reported by the firmware instead of +calculating it ourselves. + +Signed-off-by: farah kassabri +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +--- + drivers/misc/habanalabs/common/firmware_if.c | 43 +++++++------------- + 1 file changed, 14 insertions(+), 29 deletions(-) + +diff --git a/drivers/misc/habanalabs/common/firmware_if.c b/drivers/misc/habanalabs/common/firmware_if.c +index 4a3350ee87d3..b89a1e2c19d4 100644 +--- a/drivers/misc/habanalabs/common/firmware_if.c ++++ b/drivers/misc/habanalabs/common/firmware_if.c +@@ -1863,50 +1863,36 @@ static int hl_fw_dynamic_validate_descriptor(struct hl_device *hdev, + u64 addr; + int rc; + +- if (le32_to_cpu(fw_desc->header.magic) != HL_COMMS_DESC_MAGIC) { +- dev_err(hdev->dev, "Invalid magic for dynamic FW descriptor (%x)\n", ++ if (le32_to_cpu(fw_desc->header.magic) != HL_COMMS_DESC_MAGIC) ++ dev_warn(hdev->dev, "Invalid magic for dynamic FW descriptor (%x)\n", + fw_desc->header.magic); +- return -EIO; +- } + +- if (fw_desc->header.version != HL_COMMS_DESC_VER) { +- dev_err(hdev->dev, "Invalid version for dynamic FW descriptor (%x)\n", ++ if (fw_desc->header.version != HL_COMMS_DESC_VER) ++ dev_warn(hdev->dev, "Invalid version for dynamic FW descriptor (%x)\n", + fw_desc->header.version); +- return -EIO; +- } + + /* +- * calc CRC32 of data without header. ++ * Calc CRC32 of data without header. use the size of the descriptor ++ * reported by firmware, without calculating it ourself, to allow adding ++ * more fields to the lkd_fw_comms_desc structure. + * note that no alignment/stride address issues here as all structures +- * are 64 bit padded ++ * are 64 bit padded. + */ +- data_size = sizeof(struct lkd_fw_comms_desc) - +- sizeof(struct comms_desc_header); + data_ptr = (u8 *)fw_desc + sizeof(struct comms_desc_header); +- +- if (le16_to_cpu(fw_desc->header.size) != data_size) { +- dev_err(hdev->dev, +- "Invalid descriptor size 0x%x, expected size 0x%zx\n", +- le16_to_cpu(fw_desc->header.size), data_size); +- return -EIO; +- } ++ data_size = le16_to_cpu(fw_desc->header.size); + + data_crc32 = hl_fw_compat_crc32(data_ptr, data_size); +- + if (data_crc32 != le32_to_cpu(fw_desc->header.crc32)) { +- dev_err(hdev->dev, +- "CRC32 mismatch for dynamic FW descriptor (%x:%x)\n", +- data_crc32, fw_desc->header.crc32); ++ dev_err(hdev->dev, "CRC32 mismatch for dynamic FW descriptor (%x:%x)\n", ++ data_crc32, fw_desc->header.crc32); + return -EIO; + } + + /* find memory region to which to copy the image */ + addr = le64_to_cpu(fw_desc->img_addr); + region_id = hl_get_pci_memory_region(hdev, addr); +- if ((region_id != PCI_REGION_SRAM) && +- ((region_id != PCI_REGION_DRAM))) { +- dev_err(hdev->dev, +- "Invalid region to copy FW image address=%llx\n", addr); ++ if ((region_id != PCI_REGION_SRAM) && ((region_id != PCI_REGION_DRAM))) { ++ dev_err(hdev->dev, "Invalid region to copy FW image address=%llx\n", addr); + return -EIO; + } + +@@ -1923,8 +1909,7 @@ static int hl_fw_dynamic_validate_descriptor(struct hl_device *hdev, + fw_loader->dynamic_loader.fw_image_size, + region); + if (rc) { +- dev_err(hdev->dev, +- "invalid mem transfer request for FW image\n"); ++ dev_err(hdev->dev, "invalid mem transfer request for FW image\n"); + return rc; + } + +-- +2.35.1 + diff --git a/queue-6.0/hid-amd_sfh-change-dev_err-to-dev_dbg-for-additional.patch b/queue-6.0/hid-amd_sfh-change-dev_err-to-dev_dbg-for-additional.patch new file mode 100644 index 00000000000..cff3bb21183 --- /dev/null +++ b/queue-6.0/hid-amd_sfh-change-dev_err-to-dev_dbg-for-additional.patch @@ -0,0 +1,55 @@ +From 21ee5161576d2235be7c72cb1b1d65f38a4e7f1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 15:57:25 +0530 +Subject: HID: amd_sfh: Change dev_err to dev_dbg for additional debug info + +From: Basavaraj Natikar + +[ Upstream commit beb18bb22cd4fb88648bb2925d56f36131c1ac21 ] + +Users should only be notified at most one time on systems doesn't have +any sensors connected or non-supported systems. + +Check the return code and don't display error messages in those +conditions. + +Signed-off-by: Basavaraj Natikar +Signed-off-by: Jiri Kosina +Stable-dep-of: 68266bdcceec ("HID: amd_sfh: Handle condition of "no sensors" for SFH1.1") +Signed-off-by: Sasha Levin +--- + drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +index 70436f9fad2f..d840efb4a2e2 100644 +--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c ++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +@@ -286,13 +286,13 @@ int amd_sfh1_1_init(struct amd_mp2_dev *mp2) + + phy_base <<= 21; + if (!devm_request_mem_region(dev, phy_base, 128 * 1024, "amd_sfh")) { +- dev_err(dev, "can't reserve mmio registers\n"); ++ dev_dbg(dev, "can't reserve mmio registers\n"); + return -ENOMEM; + } + + mp2->vsbase = devm_ioremap(dev, phy_base, 128 * 1024); + if (!mp2->vsbase) { +- dev_err(dev, "failed to remap vsbase\n"); ++ dev_dbg(dev, "failed to remap vsbase\n"); + return -ENOMEM; + } + +@@ -301,7 +301,7 @@ int amd_sfh1_1_init(struct amd_mp2_dev *mp2) + + memcpy_fromio(&binfo, mp2->vsbase, sizeof(struct sfh_base_info)); + if (binfo.sbase.fw_info.fw_ver == 0 || binfo.sbase.s_list.sl.sensors == 0) { +- dev_err(dev, "failed to get sensors\n"); ++ dev_dbg(dev, "failed to get sensors\n"); + return -EOPNOTSUPP; + } + dev_dbg(dev, "firmware version 0x%x\n", binfo.sbase.fw_info.fw_ver); +-- +2.35.1 + diff --git a/queue-6.0/hid-amd_sfh-handle-condition-of-no-sensors-for-sfh1..patch b/queue-6.0/hid-amd_sfh-handle-condition-of-no-sensors-for-sfh1..patch new file mode 100644 index 00000000000..ee1b5ad6e26 --- /dev/null +++ b/queue-6.0/hid-amd_sfh-handle-condition-of-no-sensors-for-sfh1..patch @@ -0,0 +1,42 @@ +From 545a737ffad47598f89345494d50b40dd0cfa611 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 15:57:26 +0530 +Subject: HID: amd_sfh: Handle condition of "no sensors" for SFH1.1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Basavaraj Natikar + +[ Upstream commit 68266bdcceec10ea364e62c63732cd6fe5a256a8 ] + +Based on num_hid_devices, each sensor device registers to HID. If +"no sensors" then amd_sfh work initialization and scheduling +doesn’t make sense and return ENODEV to stop driver probe. +Hence add a check for num_hid_devices to handle special +case in the situation of "no sensors" for SFH1.1. + +Fixes: 93ce5e0231d7 ("HID: amd_sfh: Implement SFH1.1 functionality") +Signed-off-by: Basavaraj Natikar +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +index d840efb4a2e2..4da2f9f62aba 100644 +--- a/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c ++++ b/drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c +@@ -110,6 +110,8 @@ static int amd_sfh1_1_hid_client_init(struct amd_mp2_dev *privdata) + amd_sfh1_1_set_desc_ops(mp2_ops); + + cl_data->num_hid_devices = amd_sfh_get_sensor_num(privdata, &cl_data->sensor_idx[0]); ++ if (cl_data->num_hid_devices == 0) ++ return -ENODEV; + + INIT_DELAYED_WORK(&cl_data->work, amd_sfh_work); + INIT_DELAYED_WORK(&cl_data->work_buffer, amd_sfh_work_buffer); +-- +2.35.1 + diff --git a/queue-6.0/hid-nintendo-check-analog-user-calibration-for-plaus.patch b/queue-6.0/hid-nintendo-check-analog-user-calibration-for-plaus.patch new file mode 100644 index 00000000000..9cb099d0c04 --- /dev/null +++ b/queue-6.0/hid-nintendo-check-analog-user-calibration-for-plaus.patch @@ -0,0 +1,127 @@ +From bdc0c73db8ce523e726c171da05b07c375823bde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 10:55:57 +0000 +Subject: HID: nintendo: check analog user calibration for plausibility + +From: Johnothan King + +[ Upstream commit 50503e360eeb968a3d00234c9cc4057d774c3e9a ] + +Arne Wendt writes: + Cheap clone controllers may (falsely) report as having a user + calibration for the analog sticks in place, but return + wrong/impossible values for the actual calibration data. + In the present case at mine, the controller reports having a + user calibration in place and successfully executes the read + commands. The reported user calibration however is + min = center = max = 0. + + This pull request addresses problems of this kind by checking the + provided user calibration-data for plausibility (min < center < max) + and falling back to the default values if implausible. + +I'll note that I was experiencing a crash because of this bug when using +the GuliKit KingKong 2 controller. The crash manifests as a divide by +zero error in the kernel logs: +kernel: divide error: 0000 [#1] PREEMPT SMP NOPTI + +Link: https://github.com/nicman23/dkms-hid-nintendo/pull/25 +Link: https://github.com/DanielOgorchock/linux/issues/36 +Co-authored-by: Arne Wendt +Signed-off-by: Johnothan King +Signed-off-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/gvpL2G6VwXGJPvxX5KRiu9pVjvTivgayug_jdKDY6zfuAaAqncP9BkKLosjwUXNlgVVTMfJSKfwPF1K79cKAkwGComyC21vCV3q9B3EXNkE=@protonmail.com +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-nintendo.c | 55 +++++++++++++++++++++----------------- + 1 file changed, 30 insertions(+), 25 deletions(-) + +diff --git a/drivers/hid/hid-nintendo.c b/drivers/hid/hid-nintendo.c +index 6028af3c3aae..c3774a468b22 100644 +--- a/drivers/hid/hid-nintendo.c ++++ b/drivers/hid/hid-nintendo.c +@@ -760,12 +760,31 @@ static int joycon_read_stick_calibration(struct joycon_ctlr *ctlr, u16 cal_addr, + cal_y->max = cal_y->center + y_max_above; + cal_y->min = cal_y->center - y_min_below; + +- return 0; ++ /* check if calibration values are plausible */ ++ if (cal_x->min >= cal_x->center || cal_x->center >= cal_x->max || ++ cal_y->min >= cal_y->center || cal_y->center >= cal_y->max) ++ ret = -EINVAL; ++ ++ return ret; + } + + static const u16 DFLT_STICK_CAL_CEN = 2000; + static const u16 DFLT_STICK_CAL_MAX = 3500; + static const u16 DFLT_STICK_CAL_MIN = 500; ++static void joycon_use_default_calibration(struct hid_device *hdev, ++ struct joycon_stick_cal *cal_x, ++ struct joycon_stick_cal *cal_y, ++ const char *stick, int ret) ++{ ++ hid_warn(hdev, ++ "Failed to read %s stick cal, using defaults; e=%d\n", ++ stick, ret); ++ ++ cal_x->center = cal_y->center = DFLT_STICK_CAL_CEN; ++ cal_x->max = cal_y->max = DFLT_STICK_CAL_MAX; ++ cal_x->min = cal_y->min = DFLT_STICK_CAL_MIN; ++} ++ + static int joycon_request_calibration(struct joycon_ctlr *ctlr) + { + u16 left_stick_addr = JC_CAL_FCT_DATA_LEFT_ADDR; +@@ -793,38 +812,24 @@ static int joycon_request_calibration(struct joycon_ctlr *ctlr) + &ctlr->left_stick_cal_x, + &ctlr->left_stick_cal_y, + true); +- if (ret) { +- hid_warn(ctlr->hdev, +- "Failed to read left stick cal, using dflts; e=%d\n", +- ret); +- +- ctlr->left_stick_cal_x.center = DFLT_STICK_CAL_CEN; +- ctlr->left_stick_cal_x.max = DFLT_STICK_CAL_MAX; +- ctlr->left_stick_cal_x.min = DFLT_STICK_CAL_MIN; + +- ctlr->left_stick_cal_y.center = DFLT_STICK_CAL_CEN; +- ctlr->left_stick_cal_y.max = DFLT_STICK_CAL_MAX; +- ctlr->left_stick_cal_y.min = DFLT_STICK_CAL_MIN; +- } ++ if (ret) ++ joycon_use_default_calibration(ctlr->hdev, ++ &ctlr->left_stick_cal_x, ++ &ctlr->left_stick_cal_y, ++ "left", ret); + + /* read the right stick calibration data */ + ret = joycon_read_stick_calibration(ctlr, right_stick_addr, + &ctlr->right_stick_cal_x, + &ctlr->right_stick_cal_y, + false); +- if (ret) { +- hid_warn(ctlr->hdev, +- "Failed to read right stick cal, using dflts; e=%d\n", +- ret); +- +- ctlr->right_stick_cal_x.center = DFLT_STICK_CAL_CEN; +- ctlr->right_stick_cal_x.max = DFLT_STICK_CAL_MAX; +- ctlr->right_stick_cal_x.min = DFLT_STICK_CAL_MIN; + +- ctlr->right_stick_cal_y.center = DFLT_STICK_CAL_CEN; +- ctlr->right_stick_cal_y.max = DFLT_STICK_CAL_MAX; +- ctlr->right_stick_cal_y.min = DFLT_STICK_CAL_MIN; +- } ++ if (ret) ++ joycon_use_default_calibration(ctlr->hdev, ++ &ctlr->right_stick_cal_x, ++ &ctlr->right_stick_cal_y, ++ "right", ret); + + hid_dbg(ctlr->hdev, "calibration:\n" + "l_x_c=%d l_x_max=%d l_x_min=%d\n" +-- +2.35.1 + diff --git a/queue-6.0/hid-roccat-fix-use-after-free-in-roccat_read.patch b/queue-6.0/hid-roccat-fix-use-after-free-in-roccat_read.patch new file mode 100644 index 00000000000..86d28730ba6 --- /dev/null +++ b/queue-6.0/hid-roccat-fix-use-after-free-in-roccat_read.patch @@ -0,0 +1,108 @@ +From 02c765f62c44f1eae17a0ad0a4428206099af84c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 12:31:15 -0700 +Subject: HID: roccat: Fix use-after-free in roccat_read() + +From: Hyunwoo Kim + +[ Upstream commit cacdb14b1c8d3804a3a7d31773bc7569837b71a4 ] + +roccat_report_event() is responsible for registering +roccat-related reports in struct roccat_device. + +int roccat_report_event(int minor, u8 const *data) +{ + struct roccat_device *device; + struct roccat_reader *reader; + struct roccat_report *report; + uint8_t *new_value; + + device = devices[minor]; + + new_value = kmemdup(data, device->report_size, GFP_ATOMIC); + if (!new_value) + return -ENOMEM; + + report = &device->cbuf[device->cbuf_end]; + + /* passing NULL is safe */ + kfree(report->value); + ... + +The registered report is stored in the struct roccat_device member +"struct roccat_report cbuf[ROCCAT_CBUF_SIZE];". +If more reports are received than the "ROCCAT_CBUF_SIZE" value, +kfree() the saved report from cbuf[0] and allocates a new reprot. +Since there is no lock when this kfree() is performed, +kfree() can be performed even while reading the saved report. + +static ssize_t roccat_read(struct file *file, char __user *buffer, + size_t count, loff_t *ppos) +{ + struct roccat_reader *reader = file->private_data; + struct roccat_device *device = reader->device; + struct roccat_report *report; + ssize_t retval = 0, len; + DECLARE_WAITQUEUE(wait, current); + + mutex_lock(&device->cbuf_lock); + + ... + + report = &device->cbuf[reader->cbuf_start]; + /* + * If report is larger than requested amount of data, rest of report + * is lost! + */ + len = device->report_size > count ? count : device->report_size; + + if (copy_to_user(buffer, report->value, len)) { + retval = -EFAULT; + goto exit_unlock; + } + ... + +The roccat_read() function receives the device->cbuf report and +delivers it to the user through copy_to_user(). +If the N+ROCCAT_CBUF_SIZE th report is received while copying of +the Nth report->value is in progress, the pointer that copy_to_user() +is working on is kfree()ed and UAF read may occur. (race condition) + +Since the device node of this driver does not set separate permissions, +this is not a security vulnerability, but because it is used for +requesting screen display of profile or dpi settings, +a user using the roccat device can apply udev to this device node or +There is a possibility to use it by giving. + +Signed-off-by: Hyunwoo Kim +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c +index 26373b82fe81..6da80e442fdd 100644 +--- a/drivers/hid/hid-roccat.c ++++ b/drivers/hid/hid-roccat.c +@@ -257,6 +257,8 @@ int roccat_report_event(int minor, u8 const *data) + if (!new_value) + return -ENOMEM; + ++ mutex_lock(&device->cbuf_lock); ++ + report = &device->cbuf[device->cbuf_end]; + + /* passing NULL is safe */ +@@ -276,6 +278,8 @@ int roccat_report_event(int minor, u8 const *data) + reader->cbuf_start = (reader->cbuf_start + 1) % ROCCAT_CBUF_SIZE; + } + ++ mutex_unlock(&device->cbuf_lock); ++ + wake_up_interruptible(&device->wait); + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/hid-topre-add-driver-fixing-report-descriptor.patch b/queue-6.0/hid-topre-add-driver-fixing-report-descriptor.patch new file mode 100644 index 00000000000..eb645b0cda7 --- /dev/null +++ b/queue-6.0/hid-topre-add-driver-fixing-report-descriptor.patch @@ -0,0 +1,139 @@ +From ac2d2e8d1e07410c57864cfe6c65a561fde9ecca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Sep 2022 20:36:13 -0400 +Subject: hid: topre: Add driver fixing report descriptor + +From: Harry Stern + +[ Upstream commit a109d5c45b3d6728b9430716b915afbe16eef27c ] + +The Topre REALFORCE R2 firmware incorrectly reports that interface +descriptor number 1, input report descriptor 2's events are array events +rather than variable events. That particular report descriptor is used +to report keypresses when there are more than 6 keys held at a time. +This bug prevents events from this interface from being registered +properly, so only 6 keypresses (from a different interface) can be +registered at once, rather than full n-key rollover. + +This commit fixes the bug by setting the correct value in a report_fixup +function. + +The original bug report can be found here: +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/804 + +Thanks to Benjamin Tissoires for diagnosing the issue with the report +descriptor. + +Signed-off-by: Harry Stern +Signed-off-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20220911003614.297613-1-harry@harrystern.net +Signed-off-by: Sasha Levin +--- + drivers/hid/Kconfig | 6 +++++ + drivers/hid/Makefile | 1 + + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-topre.c | 49 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 59 insertions(+) + create mode 100644 drivers/hid/hid-topre.c + +diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig +index 6ce92830b5d1..c4308d4988dc 100644 +--- a/drivers/hid/Kconfig ++++ b/drivers/hid/Kconfig +@@ -1141,6 +1141,12 @@ config HID_TOPSEED + Say Y if you have a TopSeed Cyberlink or BTC Emprex or Conceptronic + CLLRCMCE remote control. + ++config HID_TOPRE ++ tristate "Topre REALFORCE keyboards" ++ depends on HID ++ help ++ Say Y for N-key rollover support on Topre REALFORCE R2 108 key keyboards. ++ + config HID_THINGM + tristate "ThingM blink(1) USB RGB LED" + depends on HID +diff --git a/drivers/hid/Makefile b/drivers/hid/Makefile +index b0bef8098139..bccaec0d77d3 100644 +--- a/drivers/hid/Makefile ++++ b/drivers/hid/Makefile +@@ -123,6 +123,7 @@ obj-$(CONFIG_HID_GREENASIA) += hid-gaff.o + obj-$(CONFIG_HID_THRUSTMASTER) += hid-tmff.o hid-thrustmaster.o + obj-$(CONFIG_HID_TIVO) += hid-tivo.o + obj-$(CONFIG_HID_TOPSEED) += hid-topseed.o ++obj-$(CONFIG_HID_TOPRE) += hid-topre.o + obj-$(CONFIG_HID_TWINHAN) += hid-twinhan.o + obj-$(CONFIG_HID_U2FZERO) += hid-u2fzero.o + hid-uclogic-objs := hid-uclogic-core.o \ +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index f80d6193fca6..50bab12d9476 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1231,6 +1231,9 @@ + #define USB_DEVICE_ID_TIVO_SLIDE 0x1201 + #define USB_DEVICE_ID_TIVO_SLIDE_PRO 0x1203 + ++#define USB_VENDOR_ID_TOPRE 0x0853 ++#define USB_DEVICE_ID_TOPRE_REALFORCE_R2_108 0x0148 ++ + #define USB_VENDOR_ID_TOPSEED 0x0766 + #define USB_DEVICE_ID_TOPSEED_CYBERLINK 0x0204 + +diff --git a/drivers/hid/hid-topre.c b/drivers/hid/hid-topre.c +new file mode 100644 +index 000000000000..88a91cdad5f8 +--- /dev/null ++++ b/drivers/hid/hid-topre.c +@@ -0,0 +1,49 @@ ++// SPDX-License-Identifier: GPL-2.0+ ++/* ++ * HID driver for Topre REALFORCE Keyboards ++ * ++ * Copyright (c) 2022 Harry Stern ++ * ++ * Based on the hid-macally driver ++ */ ++ ++#include ++#include ++ ++#include "hid-ids.h" ++ ++MODULE_AUTHOR("Harry Stern "); ++MODULE_DESCRIPTION("REALFORCE R2 Keyboard driver"); ++MODULE_LICENSE("GPL"); ++ ++/* ++ * Fix the REALFORCE R2's non-boot interface's report descriptor to match the ++ * events it's actually sending. It claims to send array events but is instead ++ * sending variable events. ++ */ ++static __u8 *topre_report_fixup(struct hid_device *hdev, __u8 *rdesc, ++ unsigned int *rsize) ++{ ++ if (*rsize >= 119 && rdesc[69] == 0x29 && rdesc[70] == 0xe7 && ++ rdesc[71] == 0x81 && rdesc[72] == 0x00) { ++ hid_info(hdev, ++ "fixing up Topre REALFORCE keyboard report descriptor\n"); ++ rdesc[72] = 0x02; ++ } ++ return rdesc; ++} ++ ++static const struct hid_device_id topre_id_table[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_TOPRE, ++ USB_DEVICE_ID_TOPRE_REALFORCE_R2_108) }, ++ { } ++}; ++MODULE_DEVICE_TABLE(hid, topre_id_table); ++ ++static struct hid_driver topre_driver = { ++ .name = "topre", ++ .id_table = topre_id_table, ++ .report_fixup = topre_report_fixup, ++}; ++ ++module_hid_driver(topre_driver); +-- +2.35.1 + diff --git a/queue-6.0/hid-uclogic-add-missing-suffix-for-digitalizers.patch b/queue-6.0/hid-uclogic-add-missing-suffix-for-digitalizers.patch new file mode 100644 index 00000000000..aa83908347c --- /dev/null +++ b/queue-6.0/hid-uclogic-add-missing-suffix-for-digitalizers.patch @@ -0,0 +1,42 @@ +From 9247c978b0ba75d0b93089148db8f9136568aca4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 16:26:15 +0200 +Subject: HID: uclogic: Add missing suffix for digitalizers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit 0977fda0587cbc5403651ba169e264aa01e8a026 ] + +The Pen (0x02) application usage was changed to Digitalizer (0x01) in +commit f7d8e387d9ae ("HID: uclogic: Switch to Digitizer usage for +styluses"). However, a suffix was not selected for the new usage. + +Handle the digitalizer application usage in uclogic_input_configured() +and add the required suffix. + +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Stable-dep-of: 609174edeb75 ("HID: uclogic: Fix warning in uclogic_rdesc_template_apply") +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-uclogic-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-uclogic-core.c b/drivers/hid/hid-uclogic-core.c +index 47a17375c7fc..ff46604ef1d8 100644 +--- a/drivers/hid/hid-uclogic-core.c ++++ b/drivers/hid/hid-uclogic-core.c +@@ -153,6 +153,7 @@ static int uclogic_input_configured(struct hid_device *hdev, + suffix = "Pad"; + break; + case HID_DG_PEN: ++ case HID_DG_DIGITIZER: + suffix = "Pen"; + break; + case HID_CP_CONSUMER_CONTROL: +-- +2.35.1 + diff --git a/queue-6.0/hid-uclogic-fix-warning-in-uclogic_rdesc_template_ap.patch b/queue-6.0/hid-uclogic-fix-warning-in-uclogic_rdesc_template_ap.patch new file mode 100644 index 00000000000..e694aacd8f5 --- /dev/null +++ b/queue-6.0/hid-uclogic-fix-warning-in-uclogic_rdesc_template_ap.patch @@ -0,0 +1,44 @@ +From b6bc2cb4470651e2ac93080336dc181d543bf967 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 16:27:06 +0200 +Subject: HID: uclogic: Fix warning in uclogic_rdesc_template_apply +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit 609174edeb758d1e2d713e7ab4e09ea8d45aa4f7 ] + +Building with Sparse enabled prints this warning: + + warning: incorrect type in assignment (different base types) + expected signed int x + got restricted __le32 [usertype] + +Cast the return value of cpu_to_le32() to fix the warning. + +Fixes: 08177f4 ("HID: uclogic: merge hid-huion driver in hid-uclogic") +Signed-off-by: José Expósito +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-uclogic-rdesc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-uclogic-rdesc.c b/drivers/hid/hid-uclogic-rdesc.c +index 3d68e8b0784d..81ca22398ed5 100644 +--- a/drivers/hid/hid-uclogic-rdesc.c ++++ b/drivers/hid/hid-uclogic-rdesc.c +@@ -1113,7 +1113,7 @@ __u8 *uclogic_rdesc_template_apply(const __u8 *template_ptr, + memcmp(p, pen_head, sizeof(pen_head)) == 0 && + p[sizeof(pen_head)] < param_num) { + v = param_list[p[sizeof(pen_head)]]; +- put_unaligned(cpu_to_le32(v), (s32 *)p); ++ put_unaligned((__force u32)cpu_to_le32(v), (s32 *)p); + p += sizeof(pen_head) + 1; + } else if (memcmp(p, btn_head, sizeof(btn_head)) == 0 && + p[sizeof(btn_head)] < param_num) { +-- +2.35.1 + diff --git a/queue-6.0/hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch b/queue-6.0/hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch new file mode 100644 index 00000000000..6adaf8f2575 --- /dev/null +++ b/queue-6.0/hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch @@ -0,0 +1,36 @@ +From 096c20b6592a2e541b7402cc6ed47dc0d48f5700 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 08:52:32 +0000 +Subject: HSI: omap_ssi: Fix refcount leak in ssi_probe + +From: Miaoqian Lin + +[ Upstream commit 9a2ea132df860177b33c9fd421b26c4e9a0a9396 ] + +When returning or breaking early from a +for_each_available_child_of_node() loop, we need to explicitly call +of_node_put() on the child node to possibly release the node. + +Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver") +Signed-off-by: Miaoqian Lin +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/controllers/omap_ssi_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c +index 44a3f5660c10..eb9820158318 100644 +--- a/drivers/hsi/controllers/omap_ssi_core.c ++++ b/drivers/hsi/controllers/omap_ssi_core.c +@@ -524,6 +524,7 @@ static int ssi_probe(struct platform_device *pd) + if (!childpdev) { + err = -ENODEV; + dev_err(&pd->dev, "failed to create ssi controller port\n"); ++ of_node_put(child); + goto out3; + } + } +-- +2.35.1 + diff --git a/queue-6.0/hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch b/queue-6.0/hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch new file mode 100644 index 00000000000..7816ac7d5db --- /dev/null +++ b/queue-6.0/hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch @@ -0,0 +1,55 @@ +From 37d3acdd5c7489708717a3f3d0d6461473c93f43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 12:12:27 +0200 +Subject: HSI: omap_ssi_port: Fix dma_map_sg error check + +From: Jack Wang + +[ Upstream commit 551e325bbd3fb8b5a686ac1e6cf76e5641461cf2 ] + +dma_map_sg return 0 on error, in case of error return -EIO +to caller. + +Cc: Sebastian Reichel +Cc: linux-kernel@vger.kernel.org (open list) +Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver") +Signed-off-by: Jack Wang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/controllers/omap_ssi_port.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/hsi/controllers/omap_ssi_port.c b/drivers/hsi/controllers/omap_ssi_port.c +index a0cb5be246e1..b9495b720f1b 100644 +--- a/drivers/hsi/controllers/omap_ssi_port.c ++++ b/drivers/hsi/controllers/omap_ssi_port.c +@@ -230,10 +230,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch) + if (msg->ttype == HSI_MSG_READ) { + err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents, + DMA_FROM_DEVICE); +- if (err < 0) { ++ if (!err) { + dev_dbg(&ssi->device, "DMA map SG failed !\n"); + pm_runtime_put_autosuspend(omap_port->pdev); +- return err; ++ return -EIO; + } + csdp = SSI_DST_BURST_4x32_BIT | SSI_DST_MEMORY_PORT | + SSI_SRC_SINGLE_ACCESS0 | SSI_SRC_PERIPHERAL_PORT | +@@ -247,10 +247,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch) + } else { + err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents, + DMA_TO_DEVICE); +- if (err < 0) { ++ if (!err) { + dev_dbg(&ssi->device, "DMA map SG failed !\n"); + pm_runtime_put_autosuspend(omap_port->pdev); +- return err; ++ return -EIO; + } + csdp = SSI_SRC_BURST_4x32_BIT | SSI_SRC_MEMORY_PORT | + SSI_DST_SINGLE_ACCESS0 | SSI_DST_PERIPHERAL_PORT | +-- +2.35.1 + diff --git a/queue-6.0/hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch b/queue-6.0/hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch new file mode 100644 index 00000000000..788ff7c10b9 --- /dev/null +++ b/queue-6.0/hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch @@ -0,0 +1,37 @@ +From 7aac7a783bbf17adcbea2c42803466e9482cb63b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 15:48:01 +0800 +Subject: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open() + +From: Jianglei Nie + +[ Upstream commit b28dbcb379e6a7f80262c2732a57681b1ee548ca ] + +ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When +hsi_register_port_event() gets some error and returns a negetive value, +the HSI client's port should be released with hsi_release_port(). + +Fix it by calling hsi_release_port() when hsi_register_port_event() fails. + +Signed-off-by: Jianglei Nie +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/clients/ssi_protocol.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hsi/clients/ssi_protocol.c b/drivers/hsi/clients/ssi_protocol.c +index 21f11a5b965b..49ffd808d17f 100644 +--- a/drivers/hsi/clients/ssi_protocol.c ++++ b/drivers/hsi/clients/ssi_protocol.c +@@ -931,6 +931,7 @@ static int ssip_pn_open(struct net_device *dev) + if (err < 0) { + dev_err(&cl->device, "Register HSI port event failed (%d)\n", + err); ++ hsi_release_port(cl); + return err; + } + dev_dbg(&cl->device, "Configuring SSI port\n"); +-- +2.35.1 + diff --git a/queue-6.0/hwmon-occ-retry-for-checksum-failure.patch b/queue-6.0/hwmon-occ-retry-for-checksum-failure.patch new file mode 100644 index 00000000000..8a863ba804b --- /dev/null +++ b/queue-6.0/hwmon-occ-retry-for-checksum-failure.patch @@ -0,0 +1,68 @@ +From d515d9bff1ef1c51d9609c80f3cd56820d6147b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Apr 2022 10:49:56 -0500 +Subject: hwmon (occ): Retry for checksum failure + +From: Eddie James + +[ Upstream commit dbed963ed62c4c2b8870a02c8b7dcb0c2af3ee0b ] + +Due to the OCC communication design with a shared SRAM area, +checkum errors are expected due to corrupted buffer from OCC +communications with other system components. Therefore, retry +the command twice in the event of a checksum failure. + +Signed-off-by: Eddie James +Acked-by: Guenter Roeck +Link: https://lore.kernel.org/r/20220426154956.27205-3-eajames@linux.ibm.com +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +--- + drivers/hwmon/occ/p9_sbe.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/drivers/hwmon/occ/p9_sbe.c b/drivers/hwmon/occ/p9_sbe.c +index c1e0a1d96cd4..f3791a589b01 100644 +--- a/drivers/hwmon/occ/p9_sbe.c ++++ b/drivers/hwmon/occ/p9_sbe.c +@@ -14,6 +14,8 @@ + + #include "common.h" + ++#define OCC_CHECKSUM_RETRIES 3 ++ + struct p9_sbe_occ { + struct occ occ; + bool sbe_error; +@@ -80,18 +82,23 @@ static bool p9_sbe_occ_save_ffdc(struct p9_sbe_occ *ctx, const void *resp, + static int p9_sbe_occ_send_cmd(struct occ *occ, u8 *cmd, size_t len, + void *resp, size_t resp_len) + { ++ size_t original_resp_len = resp_len; + struct p9_sbe_occ *ctx = to_p9_sbe_occ(occ); +- int rc; ++ int rc, i; + +- rc = fsi_occ_submit(ctx->sbe, cmd, len, resp, &resp_len); +- if (rc < 0) { ++ for (i = 0; i < OCC_CHECKSUM_RETRIES; ++i) { ++ rc = fsi_occ_submit(ctx->sbe, cmd, len, resp, &resp_len); ++ if (rc >= 0) ++ break; + if (resp_len) { + if (p9_sbe_occ_save_ffdc(ctx, resp, resp_len)) + sysfs_notify(&occ->bus_dev->kobj, NULL, + bin_attr_ffdc.attr.name); ++ return rc; + } +- +- return rc; ++ if (rc != -EBADE) ++ return rc; ++ resp_len = original_resp_len; + } + + switch (((struct occ_response *)resp)->return_status) { +-- +2.35.1 + diff --git a/queue-6.0/hwmon-pmbus-mp2888-fix-sensors-readouts-for-mps-mult.patch b/queue-6.0/hwmon-pmbus-mp2888-fix-sensors-readouts-for-mps-mult.patch new file mode 100644 index 00000000000..b66a259ee3c --- /dev/null +++ b/queue-6.0/hwmon-pmbus-mp2888-fix-sensors-readouts-for-mps-mult.patch @@ -0,0 +1,81 @@ +From cd3f8926f9e8a763ff1d7972a5df2db6ba4723c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 15:16:42 +0300 +Subject: hwmon: (pmbus/mp2888) Fix sensors readouts for MPS Multi-phase mp2888 + controller + +From: Oleksandr Shamray + +[ Upstream commit 525dd5aed67a2f4f7278116fb92a24e6a53e2622 ] + +Fix scale factors for reading MPS Multi-phase mp2888 controller. +Fixed sensors: + - PIN/POUT: based on vendor documentation, set bscale factor 0.5W/LSB + - IOUT: based on vendor documentation, set scale factor 0.25 A/LSB + +Fixes: e4db7719d037 ("hwmon: (pmbus) Add support for MPS Multi-phase mp2888 controller") +Signed-off-by: Oleksandr Shamray +Reviewed-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20220929121642.63051-1-oleksandrs@nvidia.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/mp2888.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/hwmon/pmbus/mp2888.c b/drivers/hwmon/pmbus/mp2888.c +index 8ecd4adfef40..24e5194706cf 100644 +--- a/drivers/hwmon/pmbus/mp2888.c ++++ b/drivers/hwmon/pmbus/mp2888.c +@@ -34,7 +34,7 @@ struct mp2888_data { + int curr_sense_gain; + }; + +-#define to_mp2888_data(x) container_of(x, struct mp2888_data, info) ++#define to_mp2888_data(x) container_of(x, struct mp2888_data, info) + + static int mp2888_read_byte_data(struct i2c_client *client, int page, int reg) + { +@@ -109,7 +109,7 @@ mp2888_read_phase(struct i2c_client *client, struct mp2888_data *data, int page, + * - Kcs is the DrMOS current sense gain of power stage, which is obtained from the + * register MP2888_MFR_VR_CONFIG1, bits 13-12 with the following selection of DrMOS + * (data->curr_sense_gain): +- * 00b - 5µA/A, 01b - 8.5µA/A, 10b - 9.7µA/A, 11b - 10µA/A. ++ * 00b - 8.5µA/A, 01b - 9.7µA/A, 1b - 10µA/A, 11b - 5µA/A. + * - Rcs is the internal phase current sense resistor. This parameter depends on hardware + * assembly. By default it is set to 1kΩ. In case of different assembly, user should + * scale this parameter by dividing it by Rcs. +@@ -118,10 +118,9 @@ mp2888_read_phase(struct i2c_client *client, struct mp2888_data *data, int page, + * because sampling of current occurrence of bit weight has a big deviation, especially for + * light load. + */ +- ret = DIV_ROUND_CLOSEST(ret * 100 - 9800, data->curr_sense_gain); +- ret = (data->phase_curr_resolution) ? ret * 2 : ret; ++ ret = DIV_ROUND_CLOSEST(ret * 200 - 19600, data->curr_sense_gain); + /* Scale according to total current resolution. */ +- ret = (data->total_curr_resolution) ? ret * 8 : ret * 4; ++ ret = (data->total_curr_resolution) ? ret * 2 : ret; + return ret; + } + +@@ -212,7 +211,7 @@ static int mp2888_read_word_data(struct i2c_client *client, int page, int phase, + ret = pmbus_read_word_data(client, page, phase, reg); + if (ret < 0) + return ret; +- ret = data->total_curr_resolution ? ret * 2 : ret; ++ ret = data->total_curr_resolution ? ret : DIV_ROUND_CLOSEST(ret, 2); + break; + case PMBUS_POUT_OP_WARN_LIMIT: + ret = pmbus_read_word_data(client, page, phase, reg); +@@ -223,7 +222,7 @@ static int mp2888_read_word_data(struct i2c_client *client, int page, int phase, + * set 1. Actual power is reported with 0.5W or 1W respectively resolution. Scaling + * is needed to match both. + */ +- ret = data->total_curr_resolution ? ret * 4 : ret * 2; ++ ret = data->total_curr_resolution ? ret * 2 : ret; + break; + /* + * The below registers are not implemented by device or implemented not according to the +-- +2.35.1 + diff --git a/queue-6.0/hwmon-sht4x-do-not-overflow-clamping-operation-on-32.patch b/queue-6.0/hwmon-sht4x-do-not-overflow-clamping-operation-on-32.patch new file mode 100644 index 00000000000..68be22f8ec0 --- /dev/null +++ b/queue-6.0/hwmon-sht4x-do-not-overflow-clamping-operation-on-32.patch @@ -0,0 +1,38 @@ +From 77cabc0788ee73c6911cda0dca43bb74255ef897 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 12:11:51 +0200 +Subject: hwmon: (sht4x) do not overflow clamping operation on 32-bit platforms + +From: Jason A. Donenfeld + +[ Upstream commit f9c0cf8f26de367c58e48b02b1cdb9c377626e6f ] + +On 32-bit platforms, long is 32 bits, so (long)UINT_MAX is less than +(long)SHT4X_MIN_POLL_INTERVAL, which means the clamping operation is +bogus. Fix this by clamping at INT_MAX, so that the upperbound is the +same on all platforms. + +Signed-off-by: Jason A. Donenfeld +Link: https://lore.kernel.org/r/20220924101151.4168414-1-Jason@zx2c4.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/sht4x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/sht4x.c b/drivers/hwmon/sht4x.c +index c19df3ade48e..13ac2d8f22c7 100644 +--- a/drivers/hwmon/sht4x.c ++++ b/drivers/hwmon/sht4x.c +@@ -129,7 +129,7 @@ static int sht4x_read_values(struct sht4x_data *data) + + static ssize_t sht4x_interval_write(struct sht4x_data *data, long val) + { +- data->update_interval = clamp_val(val, SHT4X_MIN_POLL_INTERVAL, UINT_MAX); ++ data->update_interval = clamp_val(val, SHT4X_MIN_POLL_INTERVAL, INT_MAX); + + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/hwrng-arm-smccc-trng-fix-no_entropy-handling.patch b/queue-6.0/hwrng-arm-smccc-trng-fix-no_entropy-handling.patch new file mode 100644 index 00000000000..4bf28f3f3fe --- /dev/null +++ b/queue-6.0/hwrng-arm-smccc-trng-fix-no_entropy-handling.patch @@ -0,0 +1,48 @@ +From 9c52effa02ba06cb6246e0f09614e1e726804243 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 20:04:18 +0000 +Subject: hwrng: arm-smccc-trng - fix NO_ENTROPY handling + +From: James Cowgill + +[ Upstream commit 042b4b169c6fb9d4df268d66282d7302dd73d37b ] + +The SMCCC_RET_TRNG_NO_ENTROPY switch arm is never used because the +NO_ENTROPY return value is negative and negative values are handled +above the switch by immediately returning. + +Fix by handling errors using a default arm in the switch. + +Fixes: 0888d04b47a1 ("hwrng: Add Arm SMCCC TRNG based driver") +Signed-off-by: James Cowgill +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/arm_smccc_trng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/hw_random/arm_smccc_trng.c b/drivers/char/hw_random/arm_smccc_trng.c +index b24ac39a903b..e34c3ea692b6 100644 +--- a/drivers/char/hw_random/arm_smccc_trng.c ++++ b/drivers/char/hw_random/arm_smccc_trng.c +@@ -71,8 +71,6 @@ static int smccc_trng_read(struct hwrng *rng, void *data, size_t max, bool wait) + MAX_BITS_PER_CALL); + + arm_smccc_1_1_invoke(ARM_SMCCC_TRNG_RND, bits, &res); +- if ((int)res.a0 < 0) +- return (int)res.a0; + + switch ((int)res.a0) { + case SMCCC_RET_SUCCESS: +@@ -88,6 +86,8 @@ static int smccc_trng_read(struct hwrng *rng, void *data, size_t max, bool wait) + return copied; + cond_resched(); + break; ++ default: ++ return -EIO; + } + } + +-- +2.35.1 + diff --git a/queue-6.0/hwrng-imx-rngc-moving-irq-handler-registering-after-.patch b/queue-6.0/hwrng-imx-rngc-moving-irq-handler-registering-after-.patch new file mode 100644 index 00000000000..995c218a61a --- /dev/null +++ b/queue-6.0/hwrng-imx-rngc-moving-irq-handler-registering-after-.patch @@ -0,0 +1,61 @@ +From 7fb7f9362cb0f15ec030adaaac0351167046201a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 13:19:03 +0200 +Subject: hwrng: imx-rngc - Moving IRQ handler registering after + imx_rngc_irq_mask_clear() + +From: Kshitiz Varshney + +[ Upstream commit 10a2199caf437e893d9027d97700b3c6010048b7 ] + +Issue: +While servicing interrupt, if the IRQ happens to be because of a SEED_DONE +due to a previous boot stage, you end up completing the completion +prematurely, hence causing kernel to crash while booting. + +Fix: +Moving IRQ handler registering after imx_rngc_irq_mask_clear() + +Fixes: 1d5449445bd0 (hwrng: mx-rngc - add a driver for Freescale RNGC) +Signed-off-by: Kshitiz Varshney +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/imx-rngc.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/char/hw_random/imx-rngc.c b/drivers/char/hw_random/imx-rngc.c +index e32c52c10d4d..1d7ce7443586 100644 +--- a/drivers/char/hw_random/imx-rngc.c ++++ b/drivers/char/hw_random/imx-rngc.c +@@ -264,13 +264,6 @@ static int imx_rngc_probe(struct platform_device *pdev) + if (rng_type != RNGC_TYPE_RNGC && rng_type != RNGC_TYPE_RNGB) + return -ENODEV; + +- ret = devm_request_irq(&pdev->dev, +- irq, imx_rngc_irq, 0, pdev->name, (void *)rngc); +- if (ret) { +- dev_err(rngc->dev, "Can't get interrupt working.\n"); +- return ret; +- } +- + init_completion(&rngc->rng_op_done); + + rngc->rng.name = pdev->name; +@@ -284,6 +277,13 @@ static int imx_rngc_probe(struct platform_device *pdev) + + imx_rngc_irq_mask_clear(rngc); + ++ ret = devm_request_irq(&pdev->dev, ++ irq, imx_rngc_irq, 0, pdev->name, (void *)rngc); ++ if (ret) { ++ dev_err(rngc->dev, "Can't get interrupt working.\n"); ++ return ret; ++ } ++ + if (self_test) { + ret = imx_rngc_self_test(rngc); + if (ret) { +-- +2.35.1 + diff --git a/queue-6.0/hwrng-imx-rngc-use-devm_clk_get_enabled.patch b/queue-6.0/hwrng-imx-rngc-use-devm_clk_get_enabled.patch new file mode 100644 index 00000000000..187a4288b04 --- /dev/null +++ b/queue-6.0/hwrng-imx-rngc-use-devm_clk_get_enabled.patch @@ -0,0 +1,106 @@ +From 6bf7202da3cc61cc0cffc4683f26c628c2ef1337 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 21:37:42 +0200 +Subject: hwrng: imx-rngc - use devm_clk_get_enabled + +From: Martin Kaiser + +[ Upstream commit 6a2bc448423cea44e7dba0f72d7c82ae04ab201e ] + +Use the new devm_clk_get_enabled function to get our clock. + +We don't have to disable and unprepare the clock ourselves any more in +error paths and in the remove function. + +Signed-off-by: Martin Kaiser +Signed-off-by: Herbert Xu +Stable-dep-of: 10a2199caf43 ("hwrng: imx-rngc - Moving IRQ handler registering after imx_rngc_irq_mask_clear()") +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/imx-rngc.c | 25 ++++++------------------- + 1 file changed, 6 insertions(+), 19 deletions(-) + +diff --git a/drivers/char/hw_random/imx-rngc.c b/drivers/char/hw_random/imx-rngc.c +index b05d676ca814..e32c52c10d4d 100644 +--- a/drivers/char/hw_random/imx-rngc.c ++++ b/drivers/char/hw_random/imx-rngc.c +@@ -245,7 +245,7 @@ static int imx_rngc_probe(struct platform_device *pdev) + if (IS_ERR(rngc->base)) + return PTR_ERR(rngc->base); + +- rngc->clk = devm_clk_get(&pdev->dev, NULL); ++ rngc->clk = devm_clk_get_enabled(&pdev->dev, NULL); + if (IS_ERR(rngc->clk)) { + dev_err(&pdev->dev, "Can not get rng_clk\n"); + return PTR_ERR(rngc->clk); +@@ -255,26 +255,20 @@ static int imx_rngc_probe(struct platform_device *pdev) + if (irq < 0) + return irq; + +- ret = clk_prepare_enable(rngc->clk); +- if (ret) +- return ret; +- + ver_id = readl(rngc->base + RNGC_VER_ID); + rng_type = ver_id >> RNGC_TYPE_SHIFT; + /* + * This driver supports only RNGC and RNGB. (There's a different + * driver for RNGA.) + */ +- if (rng_type != RNGC_TYPE_RNGC && rng_type != RNGC_TYPE_RNGB) { +- ret = -ENODEV; +- goto err; +- } ++ if (rng_type != RNGC_TYPE_RNGC && rng_type != RNGC_TYPE_RNGB) ++ return -ENODEV; + + ret = devm_request_irq(&pdev->dev, + irq, imx_rngc_irq, 0, pdev->name, (void *)rngc); + if (ret) { + dev_err(rngc->dev, "Can't get interrupt working.\n"); +- goto err; ++ return ret; + } + + init_completion(&rngc->rng_op_done); +@@ -294,14 +288,14 @@ static int imx_rngc_probe(struct platform_device *pdev) + ret = imx_rngc_self_test(rngc); + if (ret) { + dev_err(rngc->dev, "self test failed\n"); +- goto err; ++ return ret; + } + } + + ret = hwrng_register(&rngc->rng); + if (ret) { + dev_err(&pdev->dev, "hwrng registration failed\n"); +- goto err; ++ return ret; + } + + dev_info(&pdev->dev, +@@ -309,11 +303,6 @@ static int imx_rngc_probe(struct platform_device *pdev) + rng_type == RNGC_TYPE_RNGB ? 'B' : 'C', + (ver_id >> RNGC_VER_MAJ_SHIFT) & 0xff, ver_id & 0xff); + return 0; +- +-err: +- clk_disable_unprepare(rngc->clk); +- +- return ret; + } + + static int __exit imx_rngc_remove(struct platform_device *pdev) +@@ -322,8 +311,6 @@ static int __exit imx_rngc_remove(struct platform_device *pdev) + + hwrng_unregister(&rngc->rng); + +- clk_disable_unprepare(rngc->clk); +- + return 0; + } + +-- +2.35.1 + diff --git a/queue-6.0/i2c-designware-pci-group-amd-navi-quirk-parts-togeth.patch b/queue-6.0/i2c-designware-pci-group-amd-navi-quirk-parts-togeth.patch new file mode 100644 index 00000000000..8eafc656a69 --- /dev/null +++ b/queue-6.0/i2c-designware-pci-group-amd-navi-quirk-parts-togeth.patch @@ -0,0 +1,97 @@ +From cf3fc2a30f6ac5cb40d8c265af3bb46dbe136868 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 12:42:14 +0300 +Subject: i2c: designware-pci: Group AMD NAVI quirk parts together + +From: Andy Shevchenko + +[ Upstream commit 65769162ae4b7f2d82e54998be446226b05fcd8f ] + +The code is ogranized in a way that all related parts +to the certain platform quirk go together. This is not +the case for AMD NAVI. Shuffle code to make it happen. + +While at it, drop the frequency definition and use +hard coded value as it's done for other platforms and +add a comment to the PCI ID list. + +Signed-off-by: Andy Shevchenko +Acked-by: Jarkko Nikula +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-designware-pcidrv.c | 30 +++++++++++----------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c +index 608e61209455..ca368482b246 100644 +--- a/drivers/i2c/busses/i2c-designware-pcidrv.c ++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c +@@ -27,7 +27,6 @@ + #include "i2c-ccgx-ucsi.h" + + #define DRIVER_NAME "i2c-designware-pci" +-#define AMD_CLK_RATE_HZ 100000 + + enum dw_pci_ctl_id_t { + medfield, +@@ -100,11 +99,6 @@ static u32 mfld_get_clk_rate_khz(struct dw_i2c_dev *dev) + return 25000; + } + +-static u32 navi_amd_get_clk_rate_khz(struct dw_i2c_dev *dev) +-{ +- return AMD_CLK_RATE_HZ; +-} +- + static int mfld_setup(struct pci_dev *pdev, struct dw_pci_controller *c) + { + struct dw_i2c_dev *dev = dev_get_drvdata(&pdev->dev); +@@ -126,15 +120,6 @@ static int mfld_setup(struct pci_dev *pdev, struct dw_pci_controller *c) + return -ENODEV; + } + +-static int navi_amd_setup(struct pci_dev *pdev, struct dw_pci_controller *c) +-{ +- struct dw_i2c_dev *dev = dev_get_drvdata(&pdev->dev); +- +- dev->flags |= MODEL_AMD_NAVI_GPU; +- dev->timings.bus_freq_hz = I2C_MAX_STANDARD_MODE_FREQ; +- return 0; +-} +- + static int mrfld_setup(struct pci_dev *pdev, struct dw_pci_controller *c) + { + /* +@@ -159,6 +144,20 @@ static u32 ehl_get_clk_rate_khz(struct dw_i2c_dev *dev) + return 100000; + } + ++static u32 navi_amd_get_clk_rate_khz(struct dw_i2c_dev *dev) ++{ ++ return 100000; ++} ++ ++static int navi_amd_setup(struct pci_dev *pdev, struct dw_pci_controller *c) ++{ ++ struct dw_i2c_dev *dev = dev_get_drvdata(&pdev->dev); ++ ++ dev->flags |= MODEL_AMD_NAVI_GPU; ++ dev->timings.bus_freq_hz = I2C_MAX_STANDARD_MODE_FREQ; ++ return 0; ++} ++ + static struct dw_pci_controller dw_pci_controllers[] = { + [medfield] = { + .bus_num = -1, +@@ -389,6 +388,7 @@ static const struct pci_device_id i2_designware_pci_ids[] = { + { PCI_VDEVICE(INTEL, 0x4bbe), elkhartlake }, + { PCI_VDEVICE(INTEL, 0x4bbf), elkhartlake }, + { PCI_VDEVICE(INTEL, 0x4bc0), elkhartlake }, ++ /* AMD NAVI */ + { PCI_VDEVICE(ATI, 0x7314), navi_amd }, + { PCI_VDEVICE(ATI, 0x73a4), navi_amd }, + { PCI_VDEVICE(ATI, 0x73e4), navi_amd }, +-- +2.35.1 + diff --git a/queue-6.0/i2c-mlxbf-support-lock-mechanism.patch b/queue-6.0/i2c-mlxbf-support-lock-mechanism.patch new file mode 100644 index 00000000000..4cb7d414275 --- /dev/null +++ b/queue-6.0/i2c-mlxbf-support-lock-mechanism.patch @@ -0,0 +1,121 @@ +From f7b69cfe17591f48a81873243efc339f9d187ea3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 15:45:04 -0400 +Subject: i2c: mlxbf: support lock mechanism + +From: Asmaa Mnebhi + +[ Upstream commit 86067ccfa1424a26491542d6f6d7546d40b61a10 ] + +Linux is not the only entity using the BlueField I2C busses so +support a lock mechanism provided by hardware to avoid issues +when multiple entities are trying to access the same bus. + +The lock is acquired whenever written explicitely or the lock +register is read. So make sure it is always released at the end +of a successful or failed transaction. + +Fixes: b5b5b32081cd206b (i2c: mlxbf: I2C SMBus driver for Mellanox BlueField SoC) +Reviewed-by: Khalil Blaiech +Signed-off-by: Asmaa Mnebhi +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mlxbf.c | 44 ++++++++++++++++++++++++++++++---- + 1 file changed, 39 insertions(+), 5 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-mlxbf.c b/drivers/i2c/busses/i2c-mlxbf.c +index ad5efd7497d1..0e840eba4fd6 100644 +--- a/drivers/i2c/busses/i2c-mlxbf.c ++++ b/drivers/i2c/busses/i2c-mlxbf.c +@@ -306,6 +306,7 @@ static u64 mlxbf_i2c_corepll_frequency; + * exact. + */ + #define MLXBF_I2C_SMBUS_TIMEOUT (300 * 1000) /* 300ms */ ++#define MLXBF_I2C_SMBUS_LOCK_POLL_TIMEOUT (300 * 1000) /* 300ms */ + + /* Encapsulates timing parameters. */ + struct mlxbf_i2c_timings { +@@ -514,6 +515,25 @@ static bool mlxbf_smbus_master_wait_for_idle(struct mlxbf_i2c_priv *priv) + return false; + } + ++/* ++ * wait for the lock to be released before acquiring it. ++ */ ++static bool mlxbf_i2c_smbus_master_lock(struct mlxbf_i2c_priv *priv) ++{ ++ if (mlxbf_smbus_poll(priv->smbus->io, MLXBF_I2C_SMBUS_MASTER_GW, ++ MLXBF_I2C_MASTER_LOCK_BIT, true, ++ MLXBF_I2C_SMBUS_LOCK_POLL_TIMEOUT)) ++ return true; ++ ++ return false; ++} ++ ++static void mlxbf_i2c_smbus_master_unlock(struct mlxbf_i2c_priv *priv) ++{ ++ /* Clear the gw to clear the lock */ ++ writel(0, priv->smbus->io + MLXBF_I2C_SMBUS_MASTER_GW); ++} ++ + static bool mlxbf_i2c_smbus_transaction_success(u32 master_status, + u32 cause_status) + { +@@ -705,10 +725,19 @@ mlxbf_i2c_smbus_start_transaction(struct mlxbf_i2c_priv *priv, + slave = request->slave & GENMASK(6, 0); + addr = slave << 1; + +- /* First of all, check whether the HW is idle. */ +- if (WARN_ON(!mlxbf_smbus_master_wait_for_idle(priv))) ++ /* ++ * Try to acquire the smbus gw lock before any reads of the GW register since ++ * a read sets the lock. ++ */ ++ if (WARN_ON(!mlxbf_i2c_smbus_master_lock(priv))) + return -EBUSY; + ++ /* Check whether the HW is idle */ ++ if (WARN_ON(!mlxbf_smbus_master_wait_for_idle(priv))) { ++ ret = -EBUSY; ++ goto out_unlock; ++ } ++ + /* Set first byte. */ + data_desc[data_idx++] = addr; + +@@ -732,8 +761,10 @@ mlxbf_i2c_smbus_start_transaction(struct mlxbf_i2c_priv *priv, + write_en = 1; + write_len += operation->length; + if (data_idx + operation->length > +- MLXBF_I2C_MASTER_DATA_DESC_SIZE) +- return -ENOBUFS; ++ MLXBF_I2C_MASTER_DATA_DESC_SIZE) { ++ ret = -ENOBUFS; ++ goto out_unlock; ++ } + memcpy(data_desc + data_idx, + operation->buffer, operation->length); + data_idx += operation->length; +@@ -765,7 +796,7 @@ mlxbf_i2c_smbus_start_transaction(struct mlxbf_i2c_priv *priv, + ret = mlxbf_i2c_smbus_enable(priv, slave, write_len, block_en, + pec_en, 0); + if (ret) +- return ret; ++ goto out_unlock; + } + + if (read_en) { +@@ -792,6 +823,9 @@ mlxbf_i2c_smbus_start_transaction(struct mlxbf_i2c_priv *priv, + priv->smbus->io + MLXBF_I2C_SMBUS_MASTER_FSM); + } + ++out_unlock: ++ mlxbf_i2c_smbus_master_unlock(priv); ++ + return ret; + } + +-- +2.35.1 + diff --git a/queue-6.0/ia64-export-memory_add_physaddr_to_nid-to-fix-cxl-bu.patch b/queue-6.0/ia64-export-memory_add_physaddr_to_nid-to-fix-cxl-bu.patch new file mode 100644 index 00000000000..4c93d9cefaf --- /dev/null +++ b/queue-6.0/ia64-export-memory_add_physaddr_to_nid-to-fix-cxl-bu.patch @@ -0,0 +1,46 @@ +From 1ac62806a9689502211624b4e1c9edef9554e421 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Sep 2022 18:26:16 -0700 +Subject: ia64: export memory_add_physaddr_to_nid to fix cxl build error + +From: Randy Dunlap + +[ Upstream commit 97c318bfbe84efded246e80428054f300042f110 ] + +cxl_pmem.ko uses memory_add_physaddr_to_nid() but ia64 does not export it, +so this causes a build error: + +ERROR: modpost: "memory_add_physaddr_to_nid" [drivers/cxl/cxl_pmem.ko] undefined! + +Fix this by exporting that function. + +Fixes: 8c2676a5870a ("hot-add-mem x86_64: memory_add_physaddr_to_nid node fixup") +Reported-by: kernel test robot +Signed-off-by: Randy Dunlap +Cc: Dan Williams +Cc: Ben Widawsky +Cc: Jonathan Cameron +Cc: linux-ia64@vger.kernel.org +Cc: Arnd Bergmann +Cc: Keith Mannthey +Cc: Andrew Morton +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/ia64/mm/numa.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/ia64/mm/numa.c b/arch/ia64/mm/numa.c +index d6579ec3ea32..4c7b1f50e3b7 100644 +--- a/arch/ia64/mm/numa.c ++++ b/arch/ia64/mm/numa.c +@@ -75,5 +75,6 @@ int memory_add_physaddr_to_nid(u64 addr) + return 0; + return nid; + } ++EXPORT_SYMBOL(memory_add_physaddr_to_nid); + #endif + #endif +-- +2.35.1 + diff --git a/queue-6.0/iavf-fix-race-between-iavf_close-and-iavf_reset_task.patch b/queue-6.0/iavf-fix-race-between-iavf_close-and-iavf_reset_task.patch new file mode 100644 index 00000000000..54e0be91cec --- /dev/null +++ b/queue-6.0/iavf-fix-race-between-iavf_close-and-iavf_reset_task.patch @@ -0,0 +1,294 @@ +From aac6a4e7456ec430eb41701cffb68c66fc8fc1c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 13:32:33 +0200 +Subject: iavf: Fix race between iavf_close and iavf_reset_task + +From: Michal Jaron + +[ Upstream commit 11c12adcbc1598d91e73ab6ddfa41d25a01478ed ] + +During stress tests with adding VF to namespace and changing vf's +trust there was a race between iavf_reset_task and iavf_close. +Sometimes when IAVF_FLAG_AQ_DISABLE_QUEUES from iavf_close was sent +to PF after reset and before IAVF_AQ_GET_CONFIG was sent then PF +returns error IAVF_NOT_SUPPORTED to disable queues request and +following requests. There is need to get_config before other +aq_required will be send but iavf_close clears all flags, if +get_config was not sent before iavf_close, then it will not be send +at all. + +In case when IAVF_FLAG_AQ_GET_OFFLOAD_VLAN_V2_CAPS was sent before +IAVF_FLAG_AQ_DISABLE_QUEUES then there was rtnl_lock deadlock +between iavf_close and iavf_adminq_task until iavf_close timeouts +and disable queues was sent after iavf_close ends. + +There was also a problem with sending delete/add filters. +Sometimes when filters was not yet added to PF and in +iavf_close all filters was set to remove there might be a try +to remove nonexistent filters on PF. + +Add aq_required_tmp to save aq_required flags and send them after +disable_queues will be handled. Clear flags given to iavf_down +different than IAVF_FLAG_AQ_GET_CONFIG as this flag is necessary +to sent other aq_required. Remove some flags that we don't +want to send as we are in iavf_close and we want to disable +interface. Remove filters which was not yet sent and send del +filters flags only when there are filters to remove. + +Signed-off-by: Michal Jaron +Signed-off-by: Mateusz Palczewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 177 ++++++++++++++++---- + 1 file changed, 141 insertions(+), 36 deletions(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 0c89f16bf1e2..79fef8c59d65 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -1267,66 +1267,138 @@ static void iavf_up_complete(struct iavf_adapter *adapter) + } + + /** +- * iavf_down - Shutdown the connection processing ++ * iavf_clear_mac_vlan_filters - Remove mac and vlan filters not sent to PF ++ * yet and mark other to be removed. + * @adapter: board private structure +- * +- * Expects to be called while holding the __IAVF_IN_CRITICAL_TASK bit lock. + **/ +-void iavf_down(struct iavf_adapter *adapter) ++static void iavf_clear_mac_vlan_filters(struct iavf_adapter *adapter) + { +- struct net_device *netdev = adapter->netdev; +- struct iavf_vlan_filter *vlf; +- struct iavf_cloud_filter *cf; +- struct iavf_fdir_fltr *fdir; +- struct iavf_mac_filter *f; +- struct iavf_adv_rss *rss; +- +- if (adapter->state <= __IAVF_DOWN_PENDING) +- return; +- +- netif_carrier_off(netdev); +- netif_tx_disable(netdev); +- adapter->link_up = false; +- iavf_napi_disable_all(adapter); +- iavf_irq_disable(adapter); ++ struct iavf_vlan_filter *vlf, *vlftmp; ++ struct iavf_mac_filter *f, *ftmp; + + spin_lock_bh(&adapter->mac_vlan_list_lock); +- + /* clear the sync flag on all filters */ + __dev_uc_unsync(adapter->netdev, NULL); + __dev_mc_unsync(adapter->netdev, NULL); + + /* remove all MAC filters */ +- list_for_each_entry(f, &adapter->mac_filter_list, list) { +- f->remove = true; ++ list_for_each_entry_safe(f, ftmp, &adapter->mac_filter_list, ++ list) { ++ if (f->add) { ++ list_del(&f->list); ++ kfree(f); ++ } else { ++ f->remove = true; ++ } + } + + /* remove all VLAN filters */ +- list_for_each_entry(vlf, &adapter->vlan_filter_list, list) { +- vlf->remove = true; ++ list_for_each_entry_safe(vlf, vlftmp, &adapter->vlan_filter_list, ++ list) { ++ if (vlf->add) { ++ list_del(&vlf->list); ++ kfree(vlf); ++ } else { ++ vlf->remove = true; ++ } + } +- + spin_unlock_bh(&adapter->mac_vlan_list_lock); ++} ++ ++/** ++ * iavf_clear_cloud_filters - Remove cloud filters not sent to PF yet and ++ * mark other to be removed. ++ * @adapter: board private structure ++ **/ ++static void iavf_clear_cloud_filters(struct iavf_adapter *adapter) ++{ ++ struct iavf_cloud_filter *cf, *cftmp; + + /* remove all cloud filters */ + spin_lock_bh(&adapter->cloud_filter_list_lock); +- list_for_each_entry(cf, &adapter->cloud_filter_list, list) { +- cf->del = true; ++ list_for_each_entry_safe(cf, cftmp, &adapter->cloud_filter_list, ++ list) { ++ if (cf->add) { ++ list_del(&cf->list); ++ kfree(cf); ++ adapter->num_cloud_filters--; ++ } else { ++ cf->del = true; ++ } + } + spin_unlock_bh(&adapter->cloud_filter_list_lock); ++} ++ ++/** ++ * iavf_clear_fdir_filters - Remove fdir filters not sent to PF yet and mark ++ * other to be removed. ++ * @adapter: board private structure ++ **/ ++static void iavf_clear_fdir_filters(struct iavf_adapter *adapter) ++{ ++ struct iavf_fdir_fltr *fdir, *fdirtmp; + + /* remove all Flow Director filters */ + spin_lock_bh(&adapter->fdir_fltr_lock); +- list_for_each_entry(fdir, &adapter->fdir_list_head, list) { +- fdir->state = IAVF_FDIR_FLTR_DEL_REQUEST; ++ list_for_each_entry_safe(fdir, fdirtmp, &adapter->fdir_list_head, ++ list) { ++ if (fdir->state == IAVF_FDIR_FLTR_ADD_REQUEST) { ++ list_del(&fdir->list); ++ kfree(fdir); ++ adapter->fdir_active_fltr--; ++ } else { ++ fdir->state = IAVF_FDIR_FLTR_DEL_REQUEST; ++ } + } + spin_unlock_bh(&adapter->fdir_fltr_lock); ++} ++ ++/** ++ * iavf_clear_adv_rss_conf - Remove adv rss conf not sent to PF yet and mark ++ * other to be removed. ++ * @adapter: board private structure ++ **/ ++static void iavf_clear_adv_rss_conf(struct iavf_adapter *adapter) ++{ ++ struct iavf_adv_rss *rss, *rsstmp; + + /* remove all advance RSS configuration */ + spin_lock_bh(&adapter->adv_rss_lock); +- list_for_each_entry(rss, &adapter->adv_rss_list_head, list) +- rss->state = IAVF_ADV_RSS_DEL_REQUEST; ++ list_for_each_entry_safe(rss, rsstmp, &adapter->adv_rss_list_head, ++ list) { ++ if (rss->state == IAVF_ADV_RSS_ADD_REQUEST) { ++ list_del(&rss->list); ++ kfree(rss); ++ } else { ++ rss->state = IAVF_ADV_RSS_DEL_REQUEST; ++ } ++ } + spin_unlock_bh(&adapter->adv_rss_lock); ++} ++ ++/** ++ * iavf_down - Shutdown the connection processing ++ * @adapter: board private structure ++ * ++ * Expects to be called while holding the __IAVF_IN_CRITICAL_TASK bit lock. ++ **/ ++void iavf_down(struct iavf_adapter *adapter) ++{ ++ struct net_device *netdev = adapter->netdev; ++ ++ if (adapter->state <= __IAVF_DOWN_PENDING) ++ return; ++ ++ netif_carrier_off(netdev); ++ netif_tx_disable(netdev); ++ adapter->link_up = false; ++ iavf_napi_disable_all(adapter); ++ iavf_irq_disable(adapter); ++ ++ iavf_clear_mac_vlan_filters(adapter); ++ iavf_clear_cloud_filters(adapter); ++ iavf_clear_fdir_filters(adapter); ++ iavf_clear_adv_rss_conf(adapter); + + if (!(adapter->flags & IAVF_FLAG_PF_COMMS_FAILED)) { + /* cancel any current operation */ +@@ -1335,11 +1407,16 @@ void iavf_down(struct iavf_adapter *adapter) + * here for this to complete. The watchdog is still running + * and it will take care of this. + */ +- adapter->aq_required = IAVF_FLAG_AQ_DEL_MAC_FILTER; +- adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER; +- adapter->aq_required |= IAVF_FLAG_AQ_DEL_CLOUD_FILTER; +- adapter->aq_required |= IAVF_FLAG_AQ_DEL_FDIR_FILTER; +- adapter->aq_required |= IAVF_FLAG_AQ_DEL_ADV_RSS_CFG; ++ if (!list_empty(&adapter->mac_filter_list)) ++ adapter->aq_required |= IAVF_FLAG_AQ_DEL_MAC_FILTER; ++ if (!list_empty(&adapter->vlan_filter_list)) ++ adapter->aq_required |= IAVF_FLAG_AQ_DEL_VLAN_FILTER; ++ if (!list_empty(&adapter->cloud_filter_list)) ++ adapter->aq_required |= IAVF_FLAG_AQ_DEL_CLOUD_FILTER; ++ if (!list_empty(&adapter->fdir_list_head)) ++ adapter->aq_required |= IAVF_FLAG_AQ_DEL_FDIR_FILTER; ++ if (!list_empty(&adapter->adv_rss_list_head)) ++ adapter->aq_required |= IAVF_FLAG_AQ_DEL_ADV_RSS_CFG; + adapter->aq_required |= IAVF_FLAG_AQ_DISABLE_QUEUES; + } + +@@ -4178,6 +4255,7 @@ static int iavf_open(struct net_device *netdev) + static int iavf_close(struct net_device *netdev) + { + struct iavf_adapter *adapter = netdev_priv(netdev); ++ u64 aq_to_restore; + int status; + + mutex_lock(&adapter->crit_lock); +@@ -4190,6 +4268,29 @@ static int iavf_close(struct net_device *netdev) + set_bit(__IAVF_VSI_DOWN, adapter->vsi.state); + if (CLIENT_ENABLED(adapter)) + adapter->flags |= IAVF_FLAG_CLIENT_NEEDS_CLOSE; ++ /* We cannot send IAVF_FLAG_AQ_GET_OFFLOAD_VLAN_V2_CAPS before ++ * IAVF_FLAG_AQ_DISABLE_QUEUES because in such case there is rtnl ++ * deadlock with adminq_task() until iavf_close timeouts. We must send ++ * IAVF_FLAG_AQ_GET_CONFIG before IAVF_FLAG_AQ_DISABLE_QUEUES to make ++ * disable queues possible for vf. Give only necessary flags to ++ * iavf_down and save other to set them right before iavf_close() ++ * returns, when IAVF_FLAG_AQ_DISABLE_QUEUES will be already sent and ++ * iavf will be in DOWN state. ++ */ ++ aq_to_restore = adapter->aq_required; ++ adapter->aq_required &= IAVF_FLAG_AQ_GET_CONFIG; ++ ++ /* Remove flags which we do not want to send after close or we want to ++ * send before disable queues. ++ */ ++ aq_to_restore &= ~(IAVF_FLAG_AQ_GET_CONFIG | ++ IAVF_FLAG_AQ_ENABLE_QUEUES | ++ IAVF_FLAG_AQ_CONFIGURE_QUEUES | ++ IAVF_FLAG_AQ_ADD_VLAN_FILTER | ++ IAVF_FLAG_AQ_ADD_MAC_FILTER | ++ IAVF_FLAG_AQ_ADD_CLOUD_FILTER | ++ IAVF_FLAG_AQ_ADD_FDIR_FILTER | ++ IAVF_FLAG_AQ_ADD_ADV_RSS_CFG); + + iavf_down(adapter); + iavf_change_state(adapter, __IAVF_DOWN_PENDING); +@@ -4213,6 +4314,10 @@ static int iavf_close(struct net_device *netdev) + msecs_to_jiffies(500)); + if (!status) + netdev_warn(netdev, "Device resources not yet released\n"); ++ ++ mutex_lock(&adapter->crit_lock); ++ adapter->aq_required |= aq_to_restore; ++ mutex_unlock(&adapter->crit_lock); + return 0; + } + +-- +2.35.1 + diff --git a/queue-6.0/ib-mlx5-call-io_stop_wc-after-writing-to-wc-mmio.patch b/queue-6.0/ib-mlx5-call-io_stop_wc-after-writing-to-wc-mmio.patch new file mode 100644 index 00000000000..510176e53ba --- /dev/null +++ b/queue-6.0/ib-mlx5-call-io_stop_wc-after-writing-to-wc-mmio.patch @@ -0,0 +1,40 @@ +From da1aef13acaf3b266a51ff20baf2699f7caf334b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 13:33:38 -0300 +Subject: IB/mlx5: Call io_stop_wc() after writing to WC MMIO + +From: Jason Gunthorpe + +[ Upstream commit 19d6214ad6dfffda1a5bdc2b34ea75ba45a1a60a ] + +This new function is defined only on ARM and serves to guarantee a barrier +in the WC operation. The barrier means that another run of this loop will +not combine with the stores this loop created. + +On x86 this is happening implicitly because of the spin_unlock(). + +Link: https://lore.kernel.org/r/0-v1-c5dade92f363+11-mlx5_io_stop_wc_jgg@nvidia.com +Suggested-by: Pavel Shamis +Signed-off-by: Jason Gunthorpe +Signed-off-by: Leon Romanovsky +Stable-dep-of: 13ad1125b941 ("RDMA/mlx5: Don't compare mkey tags in DEVX indirect mkey") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/mem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/mlx5/mem.c b/drivers/infiniband/hw/mlx5/mem.c +index 6191aa833ac2..6b29e9ca323e 100644 +--- a/drivers/infiniband/hw/mlx5/mem.c ++++ b/drivers/infiniband/hw/mlx5/mem.c +@@ -152,6 +152,7 @@ static int post_send_nop(struct mlx5_ib_dev *dev, struct ib_qp *ibqp, u64 wr_id, + for (i = 0; i < 8; i++) + mlx5_write64(&mmio_wqe[i * 2], + bf->bfreg->map + bf->offset + i * 8); ++ io_stop_wc(); + + bf->offset ^= bf->buf_size; + +-- +2.35.1 + diff --git a/queue-6.0/ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch b/queue-6.0/ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch new file mode 100644 index 00000000000..55e92eac285 --- /dev/null +++ b/queue-6.0/ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch @@ -0,0 +1,45 @@ +From 07026237915f2a67e8a5a22b2430dc22905484e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 17:14:57 +0800 +Subject: IB/rdmavt: Add __init/__exit annotations to module init/exit funcs + +From: Xiu Jianfeng + +[ Upstream commit 78657a445ca7603024348781c921f8ecaee10a49 ] + +Add missing __init/__exit annotations to module init/exit funcs. + +Fixes: 0194621b2253 ("IB/rdmavt: Create module framework and handle driver registration") +Link: https://lore.kernel.org/r/20220924091457.52446-1-xiujianfeng@huawei.com +Signed-off-by: Xiu Jianfeng +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rdmavt/vt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c +index 59481ae39505..d61f8de7f21c 100644 +--- a/drivers/infiniband/sw/rdmavt/vt.c ++++ b/drivers/infiniband/sw/rdmavt/vt.c +@@ -15,7 +15,7 @@ + MODULE_LICENSE("Dual BSD/GPL"); + MODULE_DESCRIPTION("RDMA Verbs Transport Library"); + +-static int rvt_init(void) ++static int __init rvt_init(void) + { + int ret = rvt_driver_cq_init(); + +@@ -26,7 +26,7 @@ static int rvt_init(void) + } + module_init(rvt_init); + +-static void rvt_cleanup(void) ++static void __exit rvt_cleanup(void) + { + rvt_cq_exit(); + } +-- +2.35.1 + diff --git a/queue-6.0/ib-set-iova-length-on-ib_mr-in-core-uverbs-layers.patch b/queue-6.0/ib-set-iova-length-on-ib_mr-in-core-uverbs-layers.patch new file mode 100644 index 00000000000..fcf05497b63 --- /dev/null +++ b/queue-6.0/ib-set-iova-length-on-ib_mr-in-core-uverbs-layers.patch @@ -0,0 +1,93 @@ +From 3e1ef5b52cf2c3bbdf55fa5b711fa438f640a988 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 17:08:43 +0900 +Subject: IB: Set IOVA/LENGTH on IB_MR in core/uverbs layers + +From: Daisuke Matsuda + +[ Upstream commit 241f9a27e0fc0eaf23e3d52c8450f10648cd11f1 ] + +Set 'iova' and 'length' on ib_mr in ib_uverbs and ib_core layers to let all +drivers have the members filled. Also, this commit removes redundancy in +the respective drivers. + +Previously, commit 04c0a5fcfcf65 ("IB/uverbs: Set IOVA on IB MR in uverbs +layer") changed to set 'iova', but seems to have missed 'length' and the +ib_core layer at that time. + +Fixes: 04c0a5fcfcf65 ("IB/uverbs: Set IOVA on IB MR in uverbs layer") +Signed-off-by: Daisuke Matsuda +Link: https://lore.kernel.org/r/20220921080844.1616883-1-matsuda-daisuke@fujitsu.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/uverbs_cmd.c | 5 ++++- + drivers/infiniband/core/verbs.c | 2 ++ + drivers/infiniband/hw/hns/hns_roce_mr.c | 1 - + drivers/infiniband/hw/mlx4/mr.c | 1 - + 4 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c +index 046376bd68e2..4796f6a8828c 100644 +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -739,6 +739,7 @@ static int ib_uverbs_reg_mr(struct uverbs_attr_bundle *attrs) + mr->uobject = uobj; + atomic_inc(&pd->usecnt); + mr->iova = cmd.hca_va; ++ mr->length = cmd.length; + + rdma_restrack_new(&mr->res, RDMA_RESTRACK_MR); + rdma_restrack_set_name(&mr->res, NULL); +@@ -861,8 +862,10 @@ static int ib_uverbs_rereg_mr(struct uverbs_attr_bundle *attrs) + mr->pd = new_pd; + atomic_inc(&new_pd->usecnt); + } +- if (cmd.flags & IB_MR_REREG_TRANS) ++ if (cmd.flags & IB_MR_REREG_TRANS) { + mr->iova = cmd.hca_va; ++ mr->length = cmd.length; ++ } + } + + memset(&resp, 0, sizeof(resp)); +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index e54b3f1b730e..f8964c8cf0ad 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -2149,6 +2149,8 @@ struct ib_mr *ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + mr->pd = pd; + mr->dm = NULL; + atomic_inc(&pd->usecnt); ++ mr->iova = virt_addr; ++ mr->length = length; + + rdma_restrack_new(&mr->res, RDMA_RESTRACK_MR); + rdma_restrack_parent_name(&mr->res, &pd->res); +diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c +index 867972c2a894..dedfa56f5773 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_mr.c ++++ b/drivers/infiniband/hw/hns/hns_roce_mr.c +@@ -249,7 +249,6 @@ struct ib_mr *hns_roce_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + goto err_alloc_pbl; + + mr->ibmr.rkey = mr->ibmr.lkey = mr->key; +- mr->ibmr.length = length; + + return &mr->ibmr; + +diff --git a/drivers/infiniband/hw/mlx4/mr.c b/drivers/infiniband/hw/mlx4/mr.c +index 04a67b481608..a40bf58bcdd3 100644 +--- a/drivers/infiniband/hw/mlx4/mr.c ++++ b/drivers/infiniband/hw/mlx4/mr.c +@@ -439,7 +439,6 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length, + goto err_mr; + + mr->ibmr.rkey = mr->ibmr.lkey = mr->mmr.key; +- mr->ibmr.length = length; + mr->ibmr.page_size = 1U << shift; + + return &mr->ibmr; +-- +2.35.1 + diff --git a/queue-6.0/ice-set-tx_tstamps-when-creating-new-tx-rings-via-et.patch b/queue-6.0/ice-set-tx_tstamps-when-creating-new-tx-rings-via-et.patch new file mode 100644 index 00000000000..80f9c5481fd --- /dev/null +++ b/queue-6.0/ice-set-tx_tstamps-when-creating-new-tx-rings-via-et.patch @@ -0,0 +1,39 @@ +From bf0389418811046e22c4d81561f33ffca444e28d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 16:15:57 -0700 +Subject: ice: set tx_tstamps when creating new Tx rings via ethtool + +From: Jacob Keller + +[ Upstream commit b3b173745c8cab1e24d6821488b60abed3acb24d ] + +When the user changes the number of queues via ethtool, the driver +allocates new rings. This allocation did not initialize tx_tstamps. This +results in the tx_tstamps field being zero (due to kcalloc allocation), and +would result in a NULL pointer dereference when attempting a transmit +timestamp on the new ring. + +Signed-off-by: Jacob Keller +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Stable-dep-of: fc5ae5b44eb2 ("Bluetooth: L2CAP: Fix build errors in some archs") +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ethtool.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index a6fff8ebaf9d..bbf6a300078e 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -2826,6 +2826,7 @@ ice_set_ringparam(struct net_device *netdev, struct ethtool_ringparam *ring, + tx_rings[i].count = new_tx_cnt; + tx_rings[i].desc = NULL; + tx_rings[i].tx_buf = NULL; ++ tx_rings[i].tx_tstamps = &pf->ptp.port.tx; + err = ice_setup_tx_ring(&tx_rings[i]); + if (err) { + while (i--) +-- +2.35.1 + diff --git a/queue-6.0/iio-abi-fix-wrong-format-of-differential-capacitance.patch b/queue-6.0/iio-abi-fix-wrong-format-of-differential-capacitance.patch new file mode 100644 index 00000000000..08b3569ee6a --- /dev/null +++ b/queue-6.0/iio-abi-fix-wrong-format-of-differential-capacitance.patch @@ -0,0 +1,36 @@ +From 21e39a94481018bb3394e11b54847c15528c6886 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Jun 2022 13:29:23 +0100 +Subject: iio: ABI: Fix wrong format of differential capacitance channel ABI. + +From: Jonathan Cameron + +[ Upstream commit 1efc41035f1841acf0af2bab153158e27ce94f10 ] + +in_ only occurs once in these attributes. + +Fixes: 0baf29d658c7 ("staging:iio:documentation Add abi docs for capacitance adcs.") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220626122938.582107-3-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-iio | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio +index e81ba6f5e1c8..6e1b925f30bf 100644 +--- a/Documentation/ABI/testing/sysfs-bus-iio ++++ b/Documentation/ABI/testing/sysfs-bus-iio +@@ -196,7 +196,7 @@ Description: + Raw capacitance measurement from channel Y. Units after + application of scale and offset are nanofarads. + +-What: /sys/.../iio:deviceX/in_capacitanceY-in_capacitanceZ_raw ++What: /sys/.../iio:deviceX/in_capacitanceY-capacitanceZ_raw + KernelVersion: 3.2 + Contact: linux-iio@vger.kernel.org + Description: +-- +2.35.1 + diff --git a/queue-6.0/iio-adc-at91-sama5d2_adc-check-return-status-for-pre.patch b/queue-6.0/iio-adc-at91-sama5d2_adc-check-return-status-for-pre.patch new file mode 100644 index 00000000000..2caee758287 --- /dev/null +++ b/queue-6.0/iio-adc-at91-sama5d2_adc-check-return-status-for-pre.patch @@ -0,0 +1,53 @@ +From 9ce84831860835842e7a1118c99363db814789f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 13:28:38 +0300 +Subject: iio: adc: at91-sama5d2_adc: check return status for pressure and + touch + +From: Claudiu Beznea + +[ Upstream commit d84ace944a3b24529798dbae1340dea098473155 ] + +Check return status of at91_adc_read_position() and +at91_adc_read_pressure() in at91_adc_read_info_raw(). + +Fixes: 6794e23fa3fe ("iio: adc: at91-sama5d2_adc: add support for oversampling resolution") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220803102855.2191070-3-claudiu.beznea@microchip.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/at91-sama5d2_adc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c +index ac9ef89fba17..08d1f806c839 100644 +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -1544,8 +1544,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev, + *val = tmp_val; + mutex_unlock(&st->lock); + iio_device_release_direct_mode(indio_dev); ++ if (ret > 0) ++ ret = at91_adc_adjust_val_osr(st, val); + +- return at91_adc_adjust_val_osr(st, val); ++ return ret; + } + if (chan->type == IIO_PRESSURE) { + ret = iio_device_claim_direct_mode(indio_dev); +@@ -1558,8 +1560,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev, + *val = tmp_val; + mutex_unlock(&st->lock); + iio_device_release_direct_mode(indio_dev); ++ if (ret > 0) ++ ret = at91_adc_adjust_val_osr(st, val); + +- return at91_adc_adjust_val_osr(st, val); ++ return ret; + } + + /* in this case we have a voltage channel */ +-- +2.35.1 + diff --git a/queue-6.0/iio-adc-at91-sama5d2_adc-disable-prepare-buffer-on-s.patch b/queue-6.0/iio-adc-at91-sama5d2_adc-disable-prepare-buffer-on-s.patch new file mode 100644 index 00000000000..da2efb253e5 --- /dev/null +++ b/queue-6.0/iio-adc-at91-sama5d2_adc-disable-prepare-buffer-on-s.patch @@ -0,0 +1,62 @@ +From 4361b2a09799fd30f9b8bf98c8b0ac358fd715df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 13:28:40 +0300 +Subject: iio: adc: at91-sama5d2_adc: disable/prepare buffer on suspend/resume + +From: Claudiu Beznea + +[ Upstream commit 808175e21d9b7f866eda742e8970f27b78afe5db ] + +In case triggered buffers are enabled while system is suspended they will +not work anymore after resume. For this call at91_adc_buffer_postdisable() +on suspend and at91_adc_buffer_prepare() on resume. On tests it has been +seen that at91_adc_buffer_postdisable() call is not necessary but it has +been kept because it also does the book keeping for DMA. On resume path +there is no need to call at91_adc_configure_touch() as it is embedded in +at91_adc_buffer_prepare(). + +Fixes: 073c662017f2f ("iio: adc: at91-sama5d2_adc: add support for DMA") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220803102855.2191070-5-claudiu.beznea@microchip.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/at91-sama5d2_adc.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c +index 3734ddc82952..e2c82c5a2fac 100644 +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -2116,6 +2116,9 @@ static int at91_adc_suspend(struct device *dev) + struct iio_dev *indio_dev = dev_get_drvdata(dev); + struct at91_adc_state *st = iio_priv(indio_dev); + ++ if (iio_buffer_enabled(indio_dev)) ++ at91_adc_buffer_postdisable(indio_dev); ++ + /* + * Do a sofware reset of the ADC before we go to suspend. + * this will ensure that all pins are free from being muxed by the ADC +@@ -2159,14 +2162,11 @@ static int at91_adc_resume(struct device *dev) + if (!iio_buffer_enabled(indio_dev)) + return 0; + +- /* check if we are enabling triggered buffer or the touchscreen */ +- if (at91_adc_current_chan_is_touch(indio_dev)) +- return at91_adc_configure_touch(st, true); +- else +- return at91_adc_configure_trigger(st->trig, true); ++ ret = at91_adc_buffer_prepare(indio_dev); ++ if (ret) ++ goto vref_disable_resume; + +- /* not needed but more explicit */ +- return 0; ++ return at91_adc_configure_trigger(st->trig, true); + + vref_disable_resume: + regulator_disable(st->vref); +-- +2.35.1 + diff --git a/queue-6.0/iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch b/queue-6.0/iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch new file mode 100644 index 00000000000..eb906bb7fa4 --- /dev/null +++ b/queue-6.0/iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch @@ -0,0 +1,38 @@ +From 2f19037e7b7a2a466d28ff97e9e745d49a1fb739 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 13:28:37 +0300 +Subject: iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX + +From: Claudiu Beznea + +[ Upstream commit bb73d5d9164c57c4bb916739a98e5cd8e0a5ed8c ] + +All ADC HW versions handled by this driver (SAMA5D2, SAM9X60, SAMA7G5) +have MR.TRACKTIM on 4 bits. Fix AT91_SAMA5D2_MR_TRACKTIM_MAX to reflect +this. + +Fixes: 27e177190891 ("iio:adc:at91_adc8xx: introduce new atmel adc driver") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220803102855.2191070-2-claudiu.beznea@microchip.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/at91-sama5d2_adc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c +index 279430c1d88c..ac9ef89fba17 100644 +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -77,7 +77,7 @@ struct at91_adc_reg_layout { + #define AT91_SAMA5D2_MR_ANACH BIT(23) + /* Tracking Time */ + #define AT91_SAMA5D2_MR_TRACKTIM(v) ((v) << 24) +-#define AT91_SAMA5D2_MR_TRACKTIM_MAX 0xff ++#define AT91_SAMA5D2_MR_TRACKTIM_MAX 0xf + /* Transfer Time */ + #define AT91_SAMA5D2_MR_TRANSFER(v) ((v) << 28) + #define AT91_SAMA5D2_MR_TRANSFER_MAX 0x3 +-- +2.35.1 + diff --git a/queue-6.0/iio-adc-at91-sama5d2_adc-lock-around-oversampling-an.patch b/queue-6.0/iio-adc-at91-sama5d2_adc-lock-around-oversampling-an.patch new file mode 100644 index 00000000000..dc2bf5fd689 --- /dev/null +++ b/queue-6.0/iio-adc-at91-sama5d2_adc-lock-around-oversampling-an.patch @@ -0,0 +1,79 @@ +From 9af51aa4738b2b47ff3d0ee32505018d75ea17a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 13:28:39 +0300 +Subject: iio: adc: at91-sama5d2_adc: lock around oversampling and sample freq + +From: Claudiu Beznea + +[ Upstream commit 9780a23ed5a0a0a63683e078f576719a98d4fb70 ] + +.read_raw()/.write_raw() could be called asynchronously from user space +or other in kernel drivers. Without locking on st->lock these could be +called asynchronously while there is a conversion in progress. Read will +be harmless but changing registers while conversion is in progress may +lead to inconsistent results. Thus, to avoid this lock st->lock. + +Fixes: 27e177190891 ("iio:adc:at91_adc8xx: introduce new atmel adc driver") +Fixes: 6794e23fa3fe ("iio: adc: at91-sama5d2_adc: add support for oversampling resolution") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220803102855.2191070-4-claudiu.beznea@microchip.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/adc/at91-sama5d2_adc.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c +index 08d1f806c839..3734ddc82952 100644 +--- a/drivers/iio/adc/at91-sama5d2_adc.c ++++ b/drivers/iio/adc/at91-sama5d2_adc.c +@@ -1542,10 +1542,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev, + ret = at91_adc_read_position(st, chan->channel, + &tmp_val); + *val = tmp_val; +- mutex_unlock(&st->lock); +- iio_device_release_direct_mode(indio_dev); + if (ret > 0) + ret = at91_adc_adjust_val_osr(st, val); ++ mutex_unlock(&st->lock); ++ iio_device_release_direct_mode(indio_dev); + + return ret; + } +@@ -1558,10 +1558,10 @@ static int at91_adc_read_info_raw(struct iio_dev *indio_dev, + ret = at91_adc_read_pressure(st, chan->channel, + &tmp_val); + *val = tmp_val; +- mutex_unlock(&st->lock); +- iio_device_release_direct_mode(indio_dev); + if (ret > 0) + ret = at91_adc_adjust_val_osr(st, val); ++ mutex_unlock(&st->lock); ++ iio_device_release_direct_mode(indio_dev); + + return ret; + } +@@ -1650,16 +1650,20 @@ static int at91_adc_write_raw(struct iio_dev *indio_dev, + /* if no change, optimize out */ + if (val == st->oversampling_ratio) + return 0; ++ mutex_lock(&st->lock); + st->oversampling_ratio = val; + /* update ratio */ + at91_adc_config_emr(st); ++ mutex_unlock(&st->lock); + return 0; + case IIO_CHAN_INFO_SAMP_FREQ: + if (val < st->soc_info.min_sample_rate || + val > st->soc_info.max_sample_rate) + return -EINVAL; + ++ mutex_lock(&st->lock); + at91_adc_setup_samp_freq(indio_dev, val); ++ mutex_unlock(&st->lock); + return 0; + default: + return -EINVAL; +-- +2.35.1 + diff --git a/queue-6.0/iio-inkern-fix-return-value-in-devm_of_iio_channel_g.patch b/queue-6.0/iio-inkern-fix-return-value-in-devm_of_iio_channel_g.patch new file mode 100644 index 00000000000..3e3022ce1a3 --- /dev/null +++ b/queue-6.0/iio-inkern-fix-return-value-in-devm_of_iio_channel_g.patch @@ -0,0 +1,46 @@ +From c0d9294f9a2f4a4db3b52b1040bf686742b6a46d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 14:28:50 +0200 +Subject: iio: inkern: fix return value in devm_of_iio_channel_get_by_name() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +[ Upstream commit 9e878dbc0e8322f8b2f5ab0093c1e89926362dbe ] + +of_iio_channel_get_by_name() can either return NULL or an error pointer +so that only doing IS_ERR() is not enough. Fix it by checking the NULL +pointer case and return -ENODEV in that case. Note this is done like this +so that users of the function (which only check for error pointers) do +not need to be changed. This is not ideal since we are losing error codes +and as such, in a follow up change, things will be unified so that +of_iio_channel_get_by_name() only returns error codes. + +Fixes: 6e39b145cef7 ("iio: provide of_iio_channel_get_by_name() and devm_ version it") +Signed-off-by: Nuno Sá +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220715122903.332535-3-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/inkern.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c +index 9d87057794fc..87fd2a0d44f2 100644 +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -412,6 +412,8 @@ struct iio_channel *devm_of_iio_channel_get_by_name(struct device *dev, + channel = of_iio_channel_get_by_name(np, channel_name); + if (IS_ERR(channel)) + return channel; ++ if (!channel) ++ return ERR_PTR(-ENODEV); + + ret = devm_add_action_or_reset(dev, devm_iio_channel_free, channel); + if (ret) +-- +2.35.1 + diff --git a/queue-6.0/iio-inkern-only-release-the-device-node-when-done-wi.patch b/queue-6.0/iio-inkern-only-release-the-device-node-when-done-wi.patch new file mode 100644 index 00000000000..9d8b18c6db8 --- /dev/null +++ b/queue-6.0/iio-inkern-only-release-the-device-node-when-done-wi.patch @@ -0,0 +1,60 @@ +From 8339554b725c988f0e806ab5830bf304b3d7d5da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 14:28:49 +0200 +Subject: iio: inkern: only release the device node when done with it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +[ Upstream commit 79c3e84874c7d14f04ad58313b64955a0d2e9437 ] + +'of_node_put()' can potentially release the memory pointed to by +'iiospec.np' which would leave us with an invalid pointer (and we would +still pass it in 'of_xlate()'). Note that it is not guaranteed for the +of_node lifespan to be attached to the device (to which is attached) +lifespan so that there is (even though very unlikely) the possibility +for the node to be freed while the device is still around. Thus, as there +are indeed some of_xlate users which do access the node, a race is indeed +possible. + +As such, we can only release the node after we are done with it. + +Fixes: 17d82b47a215d ("iio: Add OF support") +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20220715122903.332535-2-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/inkern.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c +index df74765d33dc..9d87057794fc 100644 +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -165,9 +165,10 @@ static int __of_iio_channel_get(struct iio_channel *channel, + + idev = bus_find_device(&iio_bus_type, NULL, iiospec.np, + iio_dev_node_match); +- of_node_put(iiospec.np); +- if (idev == NULL) ++ if (idev == NULL) { ++ of_node_put(iiospec.np); + return -EPROBE_DEFER; ++ } + + indio_dev = dev_to_iio_dev(idev); + channel->indio_dev = indio_dev; +@@ -175,6 +176,7 @@ static int __of_iio_channel_get(struct iio_channel *channel, + index = indio_dev->info->of_xlate(indio_dev, &iiospec); + else + index = __of_iio_simple_xlate(indio_dev, &iiospec); ++ of_node_put(iiospec.np); + if (index < 0) + goto err_put; + channel->channel = &indio_dev->channels[index]; +-- +2.35.1 + diff --git a/queue-6.0/iio-magnetometer-yas530-change-data-type-of-hard_off.patch b/queue-6.0/iio-magnetometer-yas530-change-data-type-of-hard_off.patch new file mode 100644 index 00000000000..bf1b11e3bca --- /dev/null +++ b/queue-6.0/iio-magnetometer-yas530-change-data-type-of-hard_off.patch @@ -0,0 +1,43 @@ +From 93c189dda5a8d240380686014a6ab81f90f00ff8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Aug 2022 23:54:06 +0200 +Subject: iio: magnetometer: yas530: Change data type of hard_offsets to signed + +From: Jakob Hauser + +[ Upstream commit e137fafc8985cf152a4bb6f18ae83ebb06816df1 ] + +The "hard_offsets" are currently unsigned u8 but they should be signed as they +can get negative. They are signed in function yas5xx_meaure_offsets() and in the +Yamaha drivers [1][2]. + +[1] https://github.com/NovaFusion/android_kernel_samsung_golden/blob/cm-12.1/drivers/sensor/compass/yas.h#L156 +[2] https://github.com/msm8916-mainline/android_kernel_qcom_msm8916/blob/GT-I9195I/drivers/iio/magnetometer/yas_mag_drv-yas532.c#L91 + +Fixes: de8860b1ed47 ("iio: magnetometer: Add driver for Yamaha YAS530") +Signed-off-by: Jakob Hauser +Reviewed-by: Linus Walleij +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/40f052bf6491457d0c5c0ed4c3534dc6fa251c3c.1660337264.git.jahau@rocketmail.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/magnetometer/yamaha-yas530.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/magnetometer/yamaha-yas530.c b/drivers/iio/magnetometer/yamaha-yas530.c +index aeaa4da6923b..d1f16729c60e 100644 +--- a/drivers/iio/magnetometer/yamaha-yas530.c ++++ b/drivers/iio/magnetometer/yamaha-yas530.c +@@ -132,7 +132,7 @@ struct yas5xx { + unsigned int version; + char name[16]; + struct yas5xx_calibration calibration; +- u8 hard_offsets[3]; ++ s8 hard_offsets[3]; + struct iio_mount_matrix orientation; + struct regmap *map; + struct regulator_bulk_data regs[2]; +-- +2.35.1 + diff --git a/queue-6.0/iio-use-per-device-lockdep-class-for-mlock.patch b/queue-6.0/iio-use-per-device-lockdep-class-for-mlock.patch new file mode 100644 index 00000000000..86ed25bd537 --- /dev/null +++ b/queue-6.0/iio-use-per-device-lockdep-class-for-mlock.patch @@ -0,0 +1,111 @@ +From 21c1e34351ccc36a1b781c01e0f165f86ca9c282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 11:18:40 +0200 +Subject: iio: Use per-device lockdep class for mlock + +From: Vincent Whitchurch + +[ Upstream commit 2bc9cd66eb25d0fefbb081421d6586495e25840e ] + +If an IIO driver uses callbacks from another IIO driver and calls +iio_channel_start_all_cb() from one of its buffer setup ops, then +lockdep complains due to the lock nesting, as in the below example with +lmp91000. + +Since the locks are being taken on different IIO devices, there is no +actual deadlock. Fix the warning by telling lockdep to use a different +class for each iio_device. + + ============================================ + WARNING: possible recursive locking detected + -------------------------------------------- + python3/23 is trying to acquire lock: + (&indio_dev->mlock){+.+.}-{3:3}, at: iio_update_buffers + + but task is already holding lock: + (&indio_dev->mlock){+.+.}-{3:3}, at: enable_store + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&indio_dev->mlock); + lock(&indio_dev->mlock); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + + 5 locks held by python3/23: + #0: (sb_writers#5){.+.+}-{0:0}, at: ksys_write + #1: (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter + #2: (kn->active#14){.+.+}-{0:0}, at: kernfs_fop_write_iter + #3: (&indio_dev->mlock){+.+.}-{3:3}, at: enable_store + #4: (&iio_dev_opaque->info_exist_lock){+.+.}-{3:3}, at: iio_update_buffers + + Call Trace: + __mutex_lock + iio_update_buffers + iio_channel_start_all_cb + lmp91000_buffer_postenable + __iio_update_buffers + enable_store + +Fixes: 67e17300dc1d76 ("iio: potentiostat: add LMP91000 support") +Signed-off-by: Vincent Whitchurch +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220829091840.2791846-1-vincent.whitchurch@axis.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/industrialio-core.c | 5 +++++ + include/linux/iio/iio-opaque.h | 2 ++ + 2 files changed, 7 insertions(+) + +diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c +index 0f4dbda3b9d3..921d8e8643a2 100644 +--- a/drivers/iio/industrialio-core.c ++++ b/drivers/iio/industrialio-core.c +@@ -1621,6 +1621,8 @@ static void iio_dev_release(struct device *device) + + iio_device_detach_buffers(indio_dev); + ++ lockdep_unregister_key(&iio_dev_opaque->mlock_key); ++ + ida_free(&iio_ida, iio_dev_opaque->id); + kfree(iio_dev_opaque); + } +@@ -1680,6 +1682,9 @@ struct iio_dev *iio_device_alloc(struct device *parent, int sizeof_priv) + INIT_LIST_HEAD(&iio_dev_opaque->buffer_list); + INIT_LIST_HEAD(&iio_dev_opaque->ioctl_handlers); + ++ lockdep_register_key(&iio_dev_opaque->mlock_key); ++ lockdep_set_class(&indio_dev->mlock, &iio_dev_opaque->mlock_key); ++ + return indio_dev; + } + EXPORT_SYMBOL(iio_device_alloc); +diff --git a/include/linux/iio/iio-opaque.h b/include/linux/iio/iio-opaque.h +index 6b3586b3f952..d1f8b30a7c8b 100644 +--- a/include/linux/iio/iio-opaque.h ++++ b/include/linux/iio/iio-opaque.h +@@ -11,6 +11,7 @@ + * checked by device drivers but should be considered + * read-only as this is a core internal bit + * @driver_module: used to make it harder to undercut users ++ * @mlock_key: lockdep class for iio_dev lock + * @info_exist_lock: lock to prevent use during removal + * @trig_readonly: mark the current trigger immutable + * @event_interface: event chrdevs associated with interrupt lines +@@ -42,6 +43,7 @@ struct iio_dev_opaque { + int currentmode; + int id; + struct module *driver_module; ++ struct lock_class_key mlock_key; + struct mutex info_exist_lock; + bool trig_readonly; + struct iio_event_interface *event_interface; +-- +2.35.1 + diff --git a/queue-6.0/ima-fix-blocking-of-security.ima-xattrs-of-unsupport.patch b/queue-6.0/ima-fix-blocking-of-security.ima-xattrs-of-unsupport.patch new file mode 100644 index 00000000000..63e9c2df540 --- /dev/null +++ b/queue-6.0/ima-fix-blocking-of-security.ima-xattrs-of-unsupport.patch @@ -0,0 +1,60 @@ +From 58cf095bc7cc3642d0c21d5cc90cd06bdb89751b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 17:18:42 -0400 +Subject: ima: fix blocking of security.ima xattrs of unsupported algorithms + +From: Mimi Zohar + +[ Upstream commit 5926586f291b53cb8a0c9631fc19489be1186e2d ] + +Limit validating the hash algorithm to just security.ima xattr, not +the security.evm xattr or any of the protected EVM security xattrs, +nor posix acls. + +Fixes: 50f742dd9147 ("IMA: block writes of the security.ima xattr with unsupported algorithms") +Reported-by: Christian Brauner +Acked-by: Christian Brauner (Microsoft) +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_appraise.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/security/integrity/ima/ima_appraise.c b/security/integrity/ima/ima_appraise.c +index bde74fcecee3..3e0fbbd99534 100644 +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -750,22 +750,26 @@ int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, + const struct evm_ima_xattr_data *xvalue = xattr_value; + int digsig = 0; + int result; ++ int err; + + result = ima_protect_xattr(dentry, xattr_name, xattr_value, + xattr_value_len); + if (result == 1) { + if (!xattr_value_len || (xvalue->type >= IMA_XATTR_LAST)) + return -EINVAL; ++ ++ err = validate_hash_algo(dentry, xvalue, xattr_value_len); ++ if (err) ++ return err; ++ + digsig = (xvalue->type == EVM_IMA_XATTR_DIGSIG); + } else if (!strcmp(xattr_name, XATTR_NAME_EVM) && xattr_value_len > 0) { + digsig = (xvalue->type == EVM_XATTR_PORTABLE_DIGSIG); + } + if (result == 1 || evm_revalidate_status(xattr_name)) { +- result = validate_hash_algo(dentry, xvalue, xattr_value_len); +- if (result) +- return result; +- + ima_reset_appraise_flags(d_backing_inode(dentry), digsig); ++ if (result == 1) ++ result = 0; + } + return result; + } +-- +2.35.1 + diff --git a/queue-6.0/io_uring-fdinfo-fix-sqe-dumping-for-ioring_setup_sqe.patch b/queue-6.0/io_uring-fdinfo-fix-sqe-dumping-for-ioring_setup_sqe.patch new file mode 100644 index 00000000000..d0f2e86e9bc --- /dev/null +++ b/queue-6.0/io_uring-fdinfo-fix-sqe-dumping-for-ioring_setup_sqe.patch @@ -0,0 +1,99 @@ +From e65be5ddabf3a6411b76762667ee91a896b849ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Sep 2022 06:40:37 -0600 +Subject: io_uring/fdinfo: fix sqe dumping for IORING_SETUP_SQE128 + +From: Jens Axboe + +[ Upstream commit 3b8fdd1dc35e395d19efbc8391a809a5b954ecf4 ] + +If we have doubly sized SQEs, then we need to shift the sq index by 1 +to account for using two entries for a single request. The CQE dumping +gets this right, but the SQE one does not. + +Improve the SQE dumping in general, the information dumped is pretty +sparse and doesn't even cover the whole basic part of the SQE. Include +information on the extended part of the SQE, if doubly sized SQEs are +in use. A typical dump now looks like the following: + +[...] +SQEs: 32 + 32: opcode:URING_CMD, fd:0, flags:1, off:3225964160, addr:0x0, rw_flags:0x0, buf_index:0 user_data:2721, e0:0x0, e1:0xffffb8041000, e2:0x100000000000, e3:0x5500, e4:0x7, e5:0x0, e6:0x0, e7:0x0 + 33: opcode:URING_CMD, fd:0, flags:1, off:3225964160, addr:0x0, rw_flags:0x0, buf_index:0 user_data:2722, e0:0x0, e1:0xffffb8043000, e2:0x100000000000, e3:0x5508, e4:0x7, e5:0x0, e6:0x0, e7:0x0 + 34: opcode:URING_CMD, fd:0, flags:1, off:3225964160, addr:0x0, rw_flags:0x0, buf_index:0 user_data:2723, e0:0x0, e1:0xffffb8045000, e2:0x100000000000, e3:0x5510, e4:0x7, e5:0x0, e6:0x0, e7:0x0 +[...] + +Fixes: ebdeb7c01d02 ("io_uring: add support for 128-byte SQEs") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/fdinfo.c | 32 ++++++++++++++++++++++++++------ + 1 file changed, 26 insertions(+), 6 deletions(-) + +diff --git a/io_uring/fdinfo.c b/io_uring/fdinfo.c +index b29e2d02216f..6d4cc7a92724 100644 +--- a/io_uring/fdinfo.c ++++ b/io_uring/fdinfo.c +@@ -60,6 +60,7 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, + unsigned int cq_head = READ_ONCE(r->cq.head); + unsigned int cq_tail = READ_ONCE(r->cq.tail); + unsigned int cq_shift = 0; ++ unsigned int sq_shift = 0; + unsigned int sq_entries, cq_entries; + bool has_lock; + bool is_cqe32 = (ctx->flags & IORING_SETUP_CQE32); +@@ -67,6 +68,8 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, + + if (is_cqe32) + cq_shift = 1; ++ if (ctx->flags & IORING_SETUP_SQE128) ++ sq_shift = 1; + + /* + * we may get imprecise sqe and cqe info if uring is actively running +@@ -82,19 +85,36 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, + seq_printf(m, "CqHead:\t%u\n", cq_head); + seq_printf(m, "CqTail:\t%u\n", cq_tail); + seq_printf(m, "CachedCqTail:\t%u\n", ctx->cached_cq_tail); +- seq_printf(m, "SQEs:\t%u\n", sq_tail - ctx->cached_sq_head); ++ seq_printf(m, "SQEs:\t%u\n", sq_tail - sq_head); + sq_entries = min(sq_tail - sq_head, ctx->sq_entries); + for (i = 0; i < sq_entries; i++) { + unsigned int entry = i + sq_head; +- unsigned int sq_idx = READ_ONCE(ctx->sq_array[entry & sq_mask]); + struct io_uring_sqe *sqe; ++ unsigned int sq_idx; + ++ sq_idx = READ_ONCE(ctx->sq_array[entry & sq_mask]); + if (sq_idx > sq_mask) + continue; +- sqe = &ctx->sq_sqes[sq_idx]; +- seq_printf(m, "%5u: opcode:%d, fd:%d, flags:%x, user_data:%llu\n", +- sq_idx, sqe->opcode, sqe->fd, sqe->flags, +- sqe->user_data); ++ sqe = &ctx->sq_sqes[sq_idx << 1]; ++ seq_printf(m, "%5u: opcode:%s, fd:%d, flags:%x, off:%llu, " ++ "addr:0x%llx, rw_flags:0x%x, buf_index:%d " ++ "user_data:%llu", ++ sq_idx, io_uring_get_opcode(sqe->opcode), sqe->fd, ++ sqe->flags, (unsigned long long) sqe->off, ++ (unsigned long long) sqe->addr, sqe->rw_flags, ++ sqe->buf_index, sqe->user_data); ++ if (sq_shift) { ++ u64 *sqeb = (void *) (sqe + 1); ++ int size = sizeof(struct io_uring_sqe) / sizeof(u64); ++ int j; ++ ++ for (j = 0; j < size; j++) { ++ seq_printf(m, ", e%d:0x%llx", j, ++ (unsigned long long) *sqeb); ++ sqeb++; ++ } ++ } ++ seq_printf(m, "\n"); + } + seq_printf(m, "CQEs:\t%u\n", cq_tail - cq_head); + cq_entries = min(cq_tail - cq_head, ctx->cq_entries); +-- +2.35.1 + diff --git a/queue-6.0/io_uring-fix-cqe-reordering.patch b/queue-6.0/io_uring-fix-cqe-reordering.patch new file mode 100644 index 00000000000..093a6f70756 --- /dev/null +++ b/queue-6.0/io_uring-fix-cqe-reordering.patch @@ -0,0 +1,108 @@ +From 6643c46bbbe7a3476a150cb54de74a13592da1c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Sep 2022 14:53:25 +0100 +Subject: io_uring: fix CQE reordering + +From: Pavel Begunkov + +[ Upstream commit aa1df3a360a0c50e0f0086a785d75c2785c29967 ] + +Overflowing CQEs may result in reordering, which is buggy in case of +links, F_MORE and so on. If we guarantee that we don't reorder for +the unlikely event of a CQ ring overflow, then we can further extend +this to not have to terminate multishot requests if it happens. For +other operations, like zerocopy sends, we have no choice but to honor +CQE ordering. + +Reported-by: Dylan Yudaken +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/ec3bc55687b0768bbe20fb62d7d06cfced7d7e70.1663892031.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/io_uring.c | 12 ++++++++++-- + io_uring/io_uring.h | 12 +++++++++--- + 2 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c +index a22a32acf590..c5dd483a7de2 100644 +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -567,7 +567,7 @@ static bool __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force) + + io_cq_lock(ctx); + while (!list_empty(&ctx->cq_overflow_list)) { +- struct io_uring_cqe *cqe = io_get_cqe(ctx); ++ struct io_uring_cqe *cqe = io_get_cqe_overflow(ctx, true); + struct io_overflow_cqe *ocqe; + + if (!cqe && !force) +@@ -694,12 +694,19 @@ bool io_req_cqe_overflow(struct io_kiocb *req) + * control dependency is enough as we're using WRITE_ONCE to + * fill the cq entry + */ +-struct io_uring_cqe *__io_get_cqe(struct io_ring_ctx *ctx) ++struct io_uring_cqe *__io_get_cqe(struct io_ring_ctx *ctx, bool overflow) + { + struct io_rings *rings = ctx->rings; + unsigned int off = ctx->cached_cq_tail & (ctx->cq_entries - 1); + unsigned int free, queued, len; + ++ /* ++ * Posting into the CQ when there are pending overflowed CQEs may break ++ * ordering guarantees, which will affect links, F_MORE users and more. ++ * Force overflow the completion. ++ */ ++ if (!overflow && (ctx->check_cq & BIT(IO_CHECK_CQ_OVERFLOW_BIT))) ++ return NULL; + + /* userspace may cheat modifying the tail, be safe and do min */ + queued = min(__io_cqring_events(ctx), ctx->cq_entries); +@@ -2232,6 +2239,7 @@ static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events, + + do { + io_cqring_overflow_flush(ctx); ++ + if (io_cqring_events(ctx) >= min_events) + return 0; + if (!io_run_task_work()) +diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h +index 2f73f83af960..45809ae6f64e 100644 +--- a/io_uring/io_uring.h ++++ b/io_uring/io_uring.h +@@ -24,7 +24,7 @@ enum { + IOU_STOP_MULTISHOT = -ECANCELED, + }; + +-struct io_uring_cqe *__io_get_cqe(struct io_ring_ctx *ctx); ++struct io_uring_cqe *__io_get_cqe(struct io_ring_ctx *ctx, bool overflow); + bool io_req_cqe_overflow(struct io_kiocb *req); + int io_run_task_work_sig(void); + void io_req_complete_failed(struct io_kiocb *req, s32 res); +@@ -91,7 +91,8 @@ static inline void io_cq_lock(struct io_ring_ctx *ctx) + + void io_cq_unlock_post(struct io_ring_ctx *ctx); + +-static inline struct io_uring_cqe *io_get_cqe(struct io_ring_ctx *ctx) ++static inline struct io_uring_cqe *io_get_cqe_overflow(struct io_ring_ctx *ctx, ++ bool overflow) + { + if (likely(ctx->cqe_cached < ctx->cqe_sentinel)) { + struct io_uring_cqe *cqe = ctx->cqe_cached; +@@ -103,7 +104,12 @@ static inline struct io_uring_cqe *io_get_cqe(struct io_ring_ctx *ctx) + return cqe; + } + +- return __io_get_cqe(ctx); ++ return __io_get_cqe(ctx, overflow); ++} ++ ++static inline struct io_uring_cqe *io_get_cqe(struct io_ring_ctx *ctx) ++{ ++ return io_get_cqe_overflow(ctx, false); + } + + static inline bool __io_fill_cqe_req(struct io_ring_ctx *ctx, +-- +2.35.1 + diff --git a/queue-6.0/io_uring-rw-defer-fsnotify-calls-to-task-context.patch b/queue-6.0/io_uring-rw-defer-fsnotify-calls-to-task-context.patch new file mode 100644 index 00000000000..090ebfcc13a --- /dev/null +++ b/queue-6.0/io_uring-rw-defer-fsnotify-calls-to-task-context.patch @@ -0,0 +1,124 @@ +From 3cc946a1cb24a546b6bb91b08424e91e5b0b1c36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 10:57:05 -0600 +Subject: io_uring/rw: defer fsnotify calls to task context + +From: Jens Axboe + +[ Upstream commit b000145e9907809406d8164c3b2b8861d95aecd1 ] + +We can't call these off the kiocb completion as that might be off +soft/hard irq context. Defer the calls to when we process the +task_work for this request. That avoids valid complaints like: + +stack backtrace: +CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_usage_bug kernel/locking/lockdep.c:3961 [inline] + valid_state kernel/locking/lockdep.c:3973 [inline] + mark_lock_irq kernel/locking/lockdep.c:4176 [inline] + mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632 + mark_lock kernel/locking/lockdep.c:4596 [inline] + mark_usage kernel/locking/lockdep.c:4527 [inline] + __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007 + lock_acquire kernel/locking/lockdep.c:5666 [inline] + lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631 + __fs_reclaim_acquire mm/page_alloc.c:4674 [inline] + fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688 + might_alloc include/linux/sched/mm.h:271 [inline] + slab_pre_alloc_hook mm/slab.h:700 [inline] + slab_alloc mm/slab.c:3278 [inline] + __kmem_cache_alloc_lru mm/slab.c:3471 [inline] + kmem_cache_alloc+0x39/0x520 mm/slab.c:3491 + fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline] + fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline] + fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948 + send_to_group fs/notify/fsnotify.c:360 [inline] + fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570 + __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230 + fsnotify_parent include/linux/fsnotify.h:77 [inline] + fsnotify_file include/linux/fsnotify.h:99 [inline] + fsnotify_access include/linux/fsnotify.h:309 [inline] + __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195 + io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228 + iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline] + iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178 + bio_endio+0x5f9/0x780 block/bio.c:1564 + req_bio_endio block/blk-mq.c:695 [inline] + blk_update_request+0x3fc/0x1300 block/blk-mq.c:825 + scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541 + scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971 + scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438 + blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022 + __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571 + invoke_softirq kernel/softirq.c:445 [inline] + __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 + irq_exit_rcu+0x5/0x20 kernel/softirq.c:662 + common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240 + +Fixes: f63cf5192fe3 ("io_uring: ensure that fsnotify is always called") +Link: https://lore.kernel.org/all/20220929135627.ykivmdks2w5vzrwg@quack3/ +Reported-by: syzbot+dfcc5f4da15868df7d4d@syzkaller.appspotmail.com +Reported-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + io_uring/rw.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +diff --git a/io_uring/rw.c b/io_uring/rw.c +index 295e3456d68e..eda14e8ec009 100644 +--- a/io_uring/rw.c ++++ b/io_uring/rw.c +@@ -186,14 +186,6 @@ static void kiocb_end_write(struct io_kiocb *req) + + static bool __io_complete_rw_common(struct io_kiocb *req, long res) + { +- struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw); +- +- if (rw->kiocb.ki_flags & IOCB_WRITE) { +- kiocb_end_write(req); +- fsnotify_modify(req->file); +- } else { +- fsnotify_access(req->file); +- } + if (unlikely(res != req->cqe.res)) { + if ((res == -EAGAIN || res == -EOPNOTSUPP) && + io_rw_should_reissue(req)) { +@@ -220,6 +212,20 @@ static inline int io_fixup_rw_res(struct io_kiocb *req, long res) + return res; + } + ++static void io_req_rw_complete(struct io_kiocb *req, bool *locked) ++{ ++ struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw); ++ ++ if (rw->kiocb.ki_flags & IOCB_WRITE) { ++ kiocb_end_write(req); ++ fsnotify_modify(req->file); ++ } else { ++ fsnotify_access(req->file); ++ } ++ ++ io_req_task_complete(req, locked); ++} ++ + static void io_complete_rw(struct kiocb *kiocb, long res) + { + struct io_rw *rw = container_of(kiocb, struct io_rw, kiocb); +@@ -228,7 +234,7 @@ static void io_complete_rw(struct kiocb *kiocb, long res) + if (__io_complete_rw_common(req, res)) + return; + io_req_set_res(req, io_fixup_rw_res(req, res), 0); +- req->io_task_work.func = io_req_task_complete; ++ req->io_task_work.func = io_req_rw_complete; + io_req_task_work_add(req); + } + +-- +2.35.1 + diff --git a/queue-6.0/iomap-iomap-fix-memory-corruption-when-recording-err.patch b/queue-6.0/iomap-iomap-fix-memory-corruption-when-recording-err.patch new file mode 100644 index 00000000000..f5b495d57df --- /dev/null +++ b/queue-6.0/iomap-iomap-fix-memory-corruption-when-recording-err.patch @@ -0,0 +1,143 @@ +From 83c385995f38d1fa70b8759e6c6a11cfb6bb3e55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 17:02:32 -0700 +Subject: iomap: iomap: fix memory corruption when recording errors during + writeback + +From: Darrick J. Wong + +[ Upstream commit 3d5f3ba1ac28059bdf7000cae2403e4e984308d2 ] + +Every now and then I see this crash on arm64: + +Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8 +Buffer I/O error on dev dm-0, logical block 8733687, async page read +Mem abort info: + ESR = 0x0000000096000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x06: level 2 translation fault +Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 +user pgtable: 64k pages, 42-bit VAs, pgdp=0000000139750000 +[00000000000000f8] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000, pmd=0000000000000000 +Internal error: Oops: 96000006 [#1] PREEMPT SMP +Buffer I/O error on dev dm-0, logical block 8733688, async page read +Dumping ftrace buffer: +Buffer I/O error on dev dm-0, logical block 8733689, async page read + (ftrace buffer empty) +XFS (dm-0): log I/O error -5 +Modules linked in: dm_thin_pool dm_persistent_data +XFS (dm-0): Metadata I/O Error (0x1) detected at xfs_trans_read_buf_map+0x1ec/0x590 [xfs] (fs/xfs/xfs_trans_buf.c:296). + dm_bio_prison +XFS (dm-0): Please unmount the filesystem and rectify the problem(s) +XFS (dm-0): xfs_imap_lookup: xfs_ialloc_read_agi() returned error -5, agno 0 + dm_bufio dm_log_writes xfs nft_chain_nat xt_REDIRECT nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip6t_REJECT +potentially unexpected fatal signal 6. + nf_reject_ipv6 +potentially unexpected fatal signal 6. + ipt_REJECT nf_reject_ipv4 +CPU: 1 PID: 122166 Comm: fsstress Tainted: G W 6.0.0-rc5-djwa #rc5 3004c9f1de887ebae86015f2677638ce51ee7 + rpcsec_gss_krb5 auth_rpcgss xt_tcpudp ip_set_hash_ip ip_set_hash_net xt_set nft_compat ip_set_hash_mac ip_set nf_tables +Hardware name: QEMU KVM Virtual Machine, BIOS 1.5.1 06/16/2021 +pstate: 60001000 (nZCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--) + ip_tables +pc : 000003fd6d7df200 + x_tables +lr : 000003fd6d7df1ec + overlay nfsv4 +CPU: 0 PID: 54031 Comm: u4:3 Tainted: G W 6.0.0-rc5-djwa #rc5 3004c9f1de887ebae86015f2677638ce51ee7405 +Hardware name: QEMU KVM Virtual Machine, BIOS 1.5.1 06/16/2021 +Workqueue: writeback wb_workfn +sp : 000003ffd9522fd0 + (flush-253:0) +pstate: 60401005 (nZCv daif +PAN -UAO -TCO -DIT +SSBS BTYPE=--) +pc : errseq_set+0x1c/0x100 +x29: 000003ffd9522fd0 x28: 0000000000000023 x27: 000002acefeb6780 +x26: 0000000000000005 x25: 0000000000000001 x24: 0000000000000000 +x23: 00000000ffffffff x22: 0000000000000005 +lr : __filemap_set_wb_err+0x24/0xe0 + x21: 0000000000000006 +sp : fffffe000f80f760 +x29: fffffe000f80f760 x28: 0000000000000003 x27: fffffe000f80f9f8 +x26: 0000000002523000 x25: 00000000fffffffb x24: fffffe000f80f868 +x23: fffffe000f80fbb0 x22: fffffc0180c26a78 x21: 0000000002530000 +x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000 + +x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +x14: 0000000000000001 x13: 0000000000470af3 x12: fffffc0058f70000 +x11: 0000000000000040 x10: 0000000000001b20 x9 : fffffe000836b288 +x8 : fffffc00eb9fd480 x7 : 0000000000f83659 x6 : 0000000000000000 +x5 : 0000000000000869 x4 : 0000000000000005 x3 : 00000000000000f8 +x20: 000003fd6d740020 x19: 000000000001dd36 x18: 0000000000000001 +x17: 000003fd6d78704c x16: 0000000000000001 x15: 000002acfac87668 +x2 : 0000000000000ffa x1 : 00000000fffffffb x0 : 00000000000000f8 +Call trace: + errseq_set+0x1c/0x100 + __filemap_set_wb_err+0x24/0xe0 + iomap_do_writepage+0x5e4/0xd5c + write_cache_pages+0x208/0x674 + iomap_writepages+0x34/0x60 + xfs_vm_writepages+0x8c/0xcc [xfs 7a861f39c43631f15d3a5884246ba5035d4ca78b] +x14: 0000000000000000 x13: 2064656e72757465 x12: 0000000000002180 +x11: 000003fd6d8a82d0 x10: 0000000000000000 x9 : 000003fd6d8ae288 +x8 : 0000000000000083 x7 : 00000000ffffffff x6 : 00000000ffffffee +x5 : 00000000fbad2887 x4 : 000003fd6d9abb58 x3 : 000003fd6d740020 +x2 : 0000000000000006 x1 : 000000000001dd36 x0 : 0000000000000000 +CPU: 1 PID: 122167 Comm: fsstress Tainted: G W 6.0.0-rc5-djwa #rc5 3004c9f1de887ebae86015f2677638ce51ee7 + do_writepages+0x90/0x1c4 + __writeback_single_inode+0x4c/0x4ac +Hardware name: QEMU KVM Virtual Machine, BIOS 1.5.1 06/16/2021 + writeback_sb_inodes+0x214/0x4ac + wb_writeback+0xf4/0x3b0 +pstate: 60001000 (nZCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--) + wb_workfn+0xfc/0x580 + process_one_work+0x1e8/0x480 +pc : 000003fd6d7df200 + worker_thread+0x78/0x430 + +This crash is a result of iomap_writepage_map encountering some sort of +error during writeback and wanting to set that error code in the file +mapping so that fsync will report it. Unfortunately, the code +dereferences folio->mapping after unlocking the folio, which means that +another thread could have removed the page from the page cache +(writeback doesn't hold the invalidation lock) and give it to somebody +else. + +At best we crash the system like above; at worst, we corrupt memory or +set an error on some other unsuspecting file while failing to record the +problems with *this* file. Regardless, fix the problem by reporting the +error to the inode mapping. + +NOTE: Commit 598ecfbaa742 lifted the XFS writeback code to iomap, so +this fix should be backported to XFS in the 4.6-5.4 kernels in addition +to iomap in the 5.5-5.19 kernels. + +Fixes: e735c0079465 ("iomap: Convert iomap_add_to_ioend() to take a folio") # 5.17 onward +Fixes: 598ecfbaa742 ("iomap: lift the xfs writeback code to iomap") # 5.5-5.16, needs backporting +Fixes: 150d5be09ce4 ("xfs: remove xfs_cancel_ioend") # 4.6-5.4, needs backporting +Signed-off-by: Darrick J. Wong +Reviewed-by: Matthew Wilcox (Oracle) +Signed-off-by: Sasha Levin +--- + fs/iomap/buffered-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c +index ca5c62901541..77d59c159248 100644 +--- a/fs/iomap/buffered-io.c ++++ b/fs/iomap/buffered-io.c +@@ -1421,7 +1421,7 @@ iomap_writepage_map(struct iomap_writepage_ctx *wpc, + if (!count) + folio_end_writeback(folio); + done: +- mapping_set_error(folio->mapping, error); ++ mapping_set_error(inode->i_mapping, error); + return error; + } + +-- +2.35.1 + diff --git a/queue-6.0/iommu-arm-smmu-v3-make-default-domain-type-of-hisili.patch b/queue-6.0/iommu-arm-smmu-v3-make-default-domain-type-of-hisili.patch new file mode 100644 index 00000000000..a4b6850d4c6 --- /dev/null +++ b/queue-6.0/iommu-arm-smmu-v3-make-default-domain-type-of-hisili.patch @@ -0,0 +1,66 @@ +From 04d1cca840b4aeb369f7ccdca87889575f8000c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 19:44:10 +0800 +Subject: iommu/arm-smmu-v3: Make default domain type of HiSilicon PTT device + to identity + +From: Yicong Yang + +[ Upstream commit 24b6c7798a0122012ca848ea0d25e973334266b0 ] + +The DMA operations of HiSilicon PTT device can only work properly with +identical mappings. So add a quirk for the device to force the domain +as passthrough. + +Acked-by: Will Deacon +Signed-off-by: Yicong Yang +Reviewed-by: John Garry +Link: https://lore.kernel.org/r/20220816114414.4092-2-yangyicong@huawei.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +index d32b02336411..71f7edded9cf 100644 +--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c ++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c +@@ -2817,6 +2817,26 @@ static int arm_smmu_dev_disable_feature(struct device *dev, + } + } + ++/* ++ * HiSilicon PCIe tune and trace device can be used to trace TLP headers on the ++ * PCIe link and save the data to memory by DMA. The hardware is restricted to ++ * use identity mapping only. ++ */ ++#define IS_HISI_PTT_DEVICE(pdev) ((pdev)->vendor == PCI_VENDOR_ID_HUAWEI && \ ++ (pdev)->device == 0xa12e) ++ ++static int arm_smmu_def_domain_type(struct device *dev) ++{ ++ if (dev_is_pci(dev)) { ++ struct pci_dev *pdev = to_pci_dev(dev); ++ ++ if (IS_HISI_PTT_DEVICE(pdev)) ++ return IOMMU_DOMAIN_IDENTITY; ++ } ++ ++ return 0; ++} ++ + static struct iommu_ops arm_smmu_ops = { + .capable = arm_smmu_capable, + .domain_alloc = arm_smmu_domain_alloc, +@@ -2831,6 +2851,7 @@ static struct iommu_ops arm_smmu_ops = { + .sva_unbind = arm_smmu_sva_unbind, + .sva_get_pasid = arm_smmu_sva_get_pasid, + .page_response = arm_smmu_page_response, ++ .def_domain_type = arm_smmu_def_domain_type, + .pgsize_bitmap = -1UL, /* Restricted during device attach */ + .owner = THIS_MODULE, + .default_domain_ops = &(const struct iommu_domain_ops) { +-- +2.35.1 + diff --git a/queue-6.0/iommu-iova-fix-module-config-properly.patch b/queue-6.0/iommu-iova-fix-module-config-properly.patch new file mode 100644 index 00000000000..fc47044d574 --- /dev/null +++ b/queue-6.0/iommu-iova-fix-module-config-properly.patch @@ -0,0 +1,43 @@ +From cd25ba8f6185ac57756be4f6abb38ae8c006597c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 12:47:20 +0100 +Subject: iommu/iova: Fix module config properly + +From: Robin Murphy + +[ Upstream commit 4f58330fcc8482aa90674e1f40f601e82f18ed4a ] + +IOMMU_IOVA is intended to be an optional library for users to select as +and when they desire. Since it can be a module now, this means that +built-in code which has chosen not to select it should not fail to link +if it happens to have selected as a module by someone else. Replace +IS_ENABLED() with IS_REACHABLE() to do the right thing. + +CC: Thierry Reding +Reported-by: John Garry +Fixes: 15bbdec3931e ("iommu: Make the iova library a module") +Signed-off-by: Robin Murphy +Reviewed-by: Thierry Reding +Link: https://lore.kernel.org/r/548c2f683ca379aface59639a8f0cccc3a1ac050.1663069227.git.robin.murphy@arm.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + include/linux/iova.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/iova.h b/include/linux/iova.h +index c6ba6d95d79c..83c00fac2acb 100644 +--- a/include/linux/iova.h ++++ b/include/linux/iova.h +@@ -75,7 +75,7 @@ static inline unsigned long iova_pfn(struct iova_domain *iovad, dma_addr_t iova) + return iova >> iova_shift(iovad); + } + +-#if IS_ENABLED(CONFIG_IOMMU_IOVA) ++#if IS_REACHABLE(CONFIG_IOMMU_IOVA) + int iova_cache_get(void); + void iova_cache_put(void); + +-- +2.35.1 + diff --git a/queue-6.0/iommu-omap-fix-buffer-overflow-in-debugfs.patch b/queue-6.0/iommu-omap-fix-buffer-overflow-in-debugfs.patch new file mode 100644 index 00000000000..016b03278d3 --- /dev/null +++ b/queue-6.0/iommu-omap-fix-buffer-overflow-in-debugfs.patch @@ -0,0 +1,53 @@ +From 1b33868833d3b86abac214efcd94b73968189af9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 17:32:39 +0300 +Subject: iommu/omap: Fix buffer overflow in debugfs + +From: Dan Carpenter + +[ Upstream commit 184233a5202786b20220acd2d04ddf909ef18f29 ] + +There are two issues here: + +1) The "len" variable needs to be checked before the very first write. + Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a + buffer overflow. +2) The snprintf() function returns the number of bytes that *would* have + been copied if there were enough space. But we want to know the + number of bytes which were *actually* copied so use scnprintf() + instead. + +Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules") +Signed-off-by: Dan Carpenter +Reviewed-by: Robin Murphy +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/omap-iommu-debug.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c +index a99afb5d9011..259f65291d90 100644 +--- a/drivers/iommu/omap-iommu-debug.c ++++ b/drivers/iommu/omap-iommu-debug.c +@@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj) + ssize_t bytes; \ + const char *str = "%20s: %08x\n"; \ + const int maxcol = 32; \ +- bytes = snprintf(p, maxcol, str, __stringify(name), \ ++ if (len < maxcol) \ ++ goto out; \ ++ bytes = scnprintf(p, maxcol, str, __stringify(name), \ + iommu_read_reg(obj, MMU_##name)); \ + p += bytes; \ + len -= bytes; \ +- if (len < maxcol) \ +- goto out; \ + } while (0) + + static ssize_t +-- +2.35.1 + diff --git a/queue-6.0/ipc-mqueue-fix-possible-memory-leak-in-init_mqueue_f.patch b/queue-6.0/ipc-mqueue-fix-possible-memory-leak-in-init_mqueue_f.patch new file mode 100644 index 00000000000..17e5d99ce84 --- /dev/null +++ b/queue-6.0/ipc-mqueue-fix-possible-memory-leak-in-init_mqueue_f.patch @@ -0,0 +1,40 @@ +From 5cf2dd55d8c41d39e029a825eb232f4f50834a3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 14:23:01 +0800 +Subject: ipc: mqueue: fix possible memory leak in init_mqueue_fs() + +From: Hangyu Hua + +[ Upstream commit c579d60f0d0cd87552f64fdebe68b5d941d20309 ] + +commit db7cfc380900 ("ipc: Free mq_sysctls if ipc namespace creation +failed") + +Here's a similar memory leak to the one fixed by the patch above. +retire_mq_sysctls need to be called when init_mqueue_fs fails after +setup_mq_sysctls. + +Fixes: dc55e35f9e81 ("ipc: Store mqueue sysctls in the ipc namespace") +Signed-off-by: Hangyu Hua +Link: https://lkml.kernel.org/r/20220715062301.19311-1-hbh25y@gmail.com +Signed-off-by: Eric W. Biederman +Signed-off-by: Sasha Levin +--- + ipc/mqueue.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ipc/mqueue.c b/ipc/mqueue.c +index f98de32aeea1..9cf314b3f079 100644 +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -1746,6 +1746,7 @@ static int __init init_mqueue_fs(void) + unregister_filesystem(&mqueue_fs_type); + out_sysctl: + kmem_cache_destroy(mqueue_inode_cachep); ++ retire_mq_sysctls(&init_ipc_ns); + return error; + } + +-- +2.35.1 + diff --git a/queue-6.0/kbuild-remove-the-target-in-signal-traps-when-interr.patch b/queue-6.0/kbuild-remove-the-target-in-signal-traps-when-interr.patch new file mode 100644 index 00000000000..a3c09141e58 --- /dev/null +++ b/queue-6.0/kbuild-remove-the-target-in-signal-traps-when-interr.patch @@ -0,0 +1,172 @@ +From b65721e30e7753791f44c94c72095bfd7b055999 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Aug 2022 09:48:09 +0900 +Subject: kbuild: remove the target in signal traps when interrupted + +From: Masahiro Yamada + +[ Upstream commit a7f3257da8a86b96fb9bf1bba40ae0bbd7f1885a ] + +When receiving some signal, GNU Make automatically deletes the target if +it has already been changed by the interrupted recipe. + +If the target is possibly incomplete due to interruption, it must be +deleted so that it will be remade from scratch on the next run of make. +Otherwise, the target would remain corrupted permanently because its +timestamp had already been updated. + +Thanks to this behavior of Make, you can stop the build any time by +pressing Ctrl-C, and just run 'make' to resume it. + +Kbuild also relies on this feature, but it is equivalently important +for any build systems that make decisions based on timestamps (if you +want to support Ctrl-C reliably). + +However, this does not always work as claimed; Make immediately dies +with Ctrl-C if its stderr goes into a pipe. + + [Test Makefile] + + foo: + echo hello > $@ + sleep 3 + echo world >> $@ + + [Test Result] + + $ make # hit Ctrl-C + echo hello > foo + sleep 3 + ^Cmake: *** Deleting file 'foo' + make: *** [Makefile:3: foo] Interrupt + + $ make 2>&1 | cat # hit Ctrl-C + echo hello > foo + sleep 3 + ^C$ # 'foo' is often left-over + +The reason is because SIGINT is sent to the entire process group. +In this example, SIGINT kills 'cat', and 'make' writes the message to +the closed pipe, then dies with SIGPIPE before cleaning the target. + +A typical bad scenario (as reported by [1], [2]) is to save build log +by using the 'tee' command: + + $ make 2>&1 | tee log + +This can be problematic for any build systems based on Make, so I hope +it will be fixed in GNU Make. The maintainer of GNU Make stated this is +a long-standing issue and difficult to fix [3]. It has not been fixed +yet as of writing. + +So, we cannot rely on Make cleaning the target. We can do it by +ourselves, in signal traps. + +As far as I understand, Make takes care of SIGHUP, SIGINT, SIGQUIT, and +SITERM for the target removal. I added the traps for them, and also for +SIGPIPE just in case cmd_* rule prints something to stdout or stderr +(but I did not observe an actual case where SIGPIPE was triggered). + +[Note 1] + +The trap handler might be worth explaining. + + rm -f $@; trap - $(sig); kill -s $(sig) $$ + +This lets the shell kill itself by the signal it caught, so the parent +process can tell the child has exited on the signal. Generally, this is +a proper manner for handling signals, in case the calling program (like +Bash) may monitor WIFSIGNALED() and WTERMSIG() for WCE although this may +not be a big deal here because GNU Make handles SIGHUP, SIGINT, SIGQUIT +in WUE and SIGTERM in IUE. + + IUE - Immediate Unconditional Exit + WUE - Wait and Unconditional Exit + WCE - Wait and Cooperative Exit + +For details, see "Proper handling of SIGINT/SIGQUIT" [4]. + +[Note 2] + +Reverting 392885ee82d3 ("kbuild: let fixdep directly write to .*.cmd +files") would directly address [1], but it only saves if_changed_dep. +As reported in [2], all commands that use redirection can potentially +leave an empty (i.e. broken) target. + +[Note 3] + +Another (even safer) approach might be to always write to a temporary +file, and rename it to $@ at the end of the recipe. + + > $(tmp-target) + mv $(tmp-target) $@ + +It would require a lot of Makefile changes, and result in ugly code, +so I did not take it. + +[Note 4] + +A little more thoughts about a pattern rule with multiple targets (or +a grouped target). + + %.x %.y: %.z + + +When interrupted, GNU Make deletes both %.x and %.y, while this solution +only deletes $@. Probably, this is not a big deal. The next run of make +will execute the rule again to create $@ along with the other files. + +[1]: https://lore.kernel.org/all/YLeot94yAaM4xbMY@gmail.com/ +[2]: https://lore.kernel.org/all/20220510221333.2770571-1-robh@kernel.org/ +[3]: https://lists.gnu.org/archive/html/help-make/2021-06/msg00001.html +[4]: https://www.cons.org/cracauer/sigint.html + +Fixes: 392885ee82d3 ("kbuild: let fixdep directly write to .*.cmd files") +Reported-by: Ingo Molnar +Reported-by: Rob Herring +Signed-off-by: Masahiro Yamada +Tested-by: Ingo Molnar +Reviewed-by: Nicolas Schier +Signed-off-by: Sasha Levin +--- + scripts/Kbuild.include | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/scripts/Kbuild.include b/scripts/Kbuild.include +index ece44b735061..2bc08ace38a3 100644 +--- a/scripts/Kbuild.include ++++ b/scripts/Kbuild.include +@@ -100,8 +100,29 @@ echo-cmd = $(if $($(quiet)cmd_$(1)),\ + quiet_redirect := + silent_redirect := exec >/dev/null; + ++# Delete the target on interruption ++# ++# GNU Make automatically deletes the target if it has already been changed by ++# the interrupted recipe. So, you can safely stop the build by Ctrl-C (Make ++# will delete incomplete targets), and resume it later. ++# ++# However, this does not work when the stderr is piped to another program, like ++# $ make >&2 | tee log ++# Make dies with SIGPIPE before cleaning the targets. ++# ++# To address it, we clean the target in signal traps. ++# ++# Make deletes the target when it catches SIGHUP, SIGINT, SIGQUIT, SIGTERM. ++# So, we cover them, and also SIGPIPE just in case. ++# ++# Of course, this is unneeded for phony targets. ++delete-on-interrupt = \ ++ $(if $(filter-out $(PHONY), $@), \ ++ $(foreach sig, HUP INT QUIT TERM PIPE, \ ++ trap 'rm -f $@; trap - $(sig); kill -s $(sig) $$$$' $(sig);)) ++ + # printing commands +-cmd = @set -e; $(echo-cmd) $($(quiet)redirect) $(cmd_$(1)) ++cmd = @set -e; $(echo-cmd) $($(quiet)redirect) $(delete-on-interrupt) $(cmd_$(1)) + + ### + # if_changed - execute command if any prerequisite is newer than +-- +2.35.1 + diff --git a/queue-6.0/kbuild-rpm-pkg-fix-breakage-when-v-1-is-used.patch b/queue-6.0/kbuild-rpm-pkg-fix-breakage-when-v-1-is-used.patch new file mode 100644 index 00000000000..afafc3273c5 --- /dev/null +++ b/queue-6.0/kbuild-rpm-pkg-fix-breakage-when-v-1-is-used.patch @@ -0,0 +1,55 @@ +From b06e1bc54b575c3556c082e606e896081d469158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:41:12 +0200 +Subject: kbuild: rpm-pkg: fix breakage when V=1 is used + +From: Janis Schoetterl-Glausch + +[ Upstream commit 2e07005f4813a9ff6e895787e0c2d1fea859b033 ] + +Doing make V=1 binrpm-pkg results in: + + Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.EgV6qJ + + umask 022 + + cd . + + /bin/rm -rf /home/scgl/rpmbuild/BUILDROOT/kernel-6.0.0_rc5+-1.s390x + + /bin/mkdir -p /home/scgl/rpmbuild/BUILDROOT + + /bin/mkdir /home/scgl/rpmbuild/BUILDROOT/kernel-6.0.0_rc5+-1.s390x + + mkdir -p /home/scgl/rpmbuild/BUILDROOT/kernel-6.0.0_rc5+-1.s390x/boot + + make -f ./Makefile image_name + + cp test -e include/generated/autoconf.h -a -e include/config/auto.conf || ( \ echo >&2; \ echo >&2 " ERROR: Kernel configuration is invalid."; \ echo >&2 " include/generated/autoconf.h or include/config/auto.conf are missing.";\ echo >&2 " Run 'make oldconfig && make prepare' on kernel src to fix it."; \ echo >&2 ; \ /bin/false) arch/s390/boot/bzImage /home/scgl/rpmbuild/BUILDROOT/kernel-6.0.0_rc5+-1.s390x/boot/vmlinuz-6.0.0-rc5+ + cp: invalid option -- 'e' + Try 'cp --help' for more information. + error: Bad exit status from /var/tmp/rpm-tmp.EgV6qJ (%install) + +Because the make call to get the image name is verbose and prints +additional information. + +Fixes: 993bdde94547 ("kbuild: add image_name to no-sync-config-targets") +Signed-off-by: Janis Schoetterl-Glausch +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/package/mkspec | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/scripts/package/mkspec b/scripts/package/mkspec +index 8fa7c5b8a1a1..c920c1b18e7a 100755 +--- a/scripts/package/mkspec ++++ b/scripts/package/mkspec +@@ -88,10 +88,10 @@ $S + mkdir -p %{buildroot}/boot + %ifarch ia64 + mkdir -p %{buildroot}/boot/efi +- cp \$($MAKE image_name) %{buildroot}/boot/efi/vmlinuz-$KERNELRELEASE ++ cp \$($MAKE -s image_name) %{buildroot}/boot/efi/vmlinuz-$KERNELRELEASE + ln -s efi/vmlinuz-$KERNELRELEASE %{buildroot}/boot/ + %else +- cp \$($MAKE image_name) %{buildroot}/boot/vmlinuz-$KERNELRELEASE ++ cp \$($MAKE -s image_name) %{buildroot}/boot/vmlinuz-$KERNELRELEASE + %endif + $M $MAKE %{?_smp_mflags} INSTALL_MOD_PATH=%{buildroot} modules_install + $MAKE %{?_smp_mflags} INSTALL_HDR_PATH=%{buildroot}/usr headers_install +-- +2.35.1 + diff --git a/queue-6.0/kselftest-arm64-fix-validatation-termination-record-.patch b/queue-6.0/kselftest-arm64-fix-validatation-termination-record-.patch new file mode 100644 index 00000000000..a08f24f1210 --- /dev/null +++ b/queue-6.0/kselftest-arm64-fix-validatation-termination-record-.patch @@ -0,0 +1,47 @@ +From e99b742f17dbde7a4ec125d0ff86b7485a3209d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 17:06:56 +0100 +Subject: kselftest/arm64: Fix validatation termination record after + EXTRA_CONTEXT + +From: Mark Brown + +[ Upstream commit 5c152c2f66f9368394b89ac90dc7483476ef7b88 ] + +When arm64 signal context data overflows the base struct sigcontext it gets +placed in an extra buffer pointed to by a record of type EXTRA_CONTEXT in +the base struct sigcontext which is required to be the last record in the +base struct sigframe. The current validation code attempts to check this +by using GET_RESV_NEXT_HEAD() to step forward from the current record to +the next but that is a macro which assumes it is being provided with a +struct _aarch64_ctx and uses the size there to skip forward to the next +record. Instead validate_extra_context() passes it a struct extra_context +which has a separate size field. This compiles but results in us trying +to validate a termination record in completely the wrong place, at best +failing validation and at worst just segfaulting. Fix this by passing +the struct _aarch64_ctx we meant to into the macro. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20220829160703.874492-4-broonie@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/arm64/signal/testcases/testcases.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/arm64/signal/testcases/testcases.c b/tools/testing/selftests/arm64/signal/testcases/testcases.c +index 84c36bee4d82..d98828cb542b 100644 +--- a/tools/testing/selftests/arm64/signal/testcases/testcases.c ++++ b/tools/testing/selftests/arm64/signal/testcases/testcases.c +@@ -33,7 +33,7 @@ bool validate_extra_context(struct extra_context *extra, char **err) + return false; + + fprintf(stderr, "Validating EXTRA...\n"); +- term = GET_RESV_NEXT_HEAD(extra); ++ term = GET_RESV_NEXT_HEAD(&extra->head); + if (!term || term->magic || term->size) { + *err = "Missing terminator after EXTRA context"; + return false; +-- +2.35.1 + diff --git a/queue-6.0/kvm-fix-memoryleak-in-kvm_init.patch b/queue-6.0/kvm-fix-memoryleak-in-kvm_init.patch new file mode 100644 index 00000000000..875f7c3c184 --- /dev/null +++ b/queue-6.0/kvm-fix-memoryleak-in-kvm_init.patch @@ -0,0 +1,51 @@ +From 6df6ee6aa80c0ffb1f45001da2e5e20f45440c03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 14:34:14 +0800 +Subject: KVM: fix memoryleak in kvm_init() + +From: Miaohe Lin + +[ Upstream commit 5a2a961be2ad6a16eb388a80442443b353c11d16 ] + +When alloc_cpumask_var_node() fails for a certain cpu, there might be some +allocated cpumasks for percpu cpu_kick_mask. We should free these cpumasks +or memoryleak will occur. + +Fixes: baff59ccdc65 ("KVM: Pre-allocate cpumasks for kvm_make_all_cpus_request_except()") +Signed-off-by: Miaohe Lin +Link: https://lore.kernel.org/r/20220823063414.59778-1-linmiaohe@huawei.com +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + virt/kvm/kvm_main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 584a5bab3af3..dcf47da44844 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -5881,7 +5881,7 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, + + r = kvm_async_pf_init(); + if (r) +- goto out_free_5; ++ goto out_free_4; + + kvm_chardev_ops.owner = module; + +@@ -5905,10 +5905,9 @@ int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align, + + out_unreg: + kvm_async_pf_deinit(); +-out_free_5: ++out_free_4: + for_each_possible_cpu(cpu) + free_cpumask_var(per_cpu(cpu_kick_mask, cpu)); +-out_free_4: + kmem_cache_destroy(kvm_vcpu_cache); + out_free_3: + unregister_reboot_notifier(&kvm_reboot_notifier); +-- +2.35.1 + diff --git a/queue-6.0/kvm-nvmx-add-a-helper-to-identify-low-priority-db-tr.patch b/queue-6.0/kvm-nvmx-add-a-helper-to-identify-low-priority-db-tr.patch new file mode 100644 index 00000000000..635d46ee951 --- /dev/null +++ b/queue-6.0/kvm-nvmx-add-a-helper-to-identify-low-priority-db-tr.patch @@ -0,0 +1,84 @@ +From a5026653be6ccf7dff187ec87d628ef4ba5d89c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:16:06 +0000 +Subject: KVM: nVMX: Add a helper to identify low-priority #DB traps + +From: Sean Christopherson + +[ Upstream commit 2b384165f4d15540f94998b751f50058642ad110 ] + +Add a helper to identify "low"-priority #DB traps, i.e. trap-like #DBs +that aren't TSS T flag #DBs, and tweak the related code to operate on any +queued exception. A future commit will separate exceptions that are +intercepted by L1, i.e. cause nested VM-Exit, from those that do NOT +trigger nested VM-Exit. I.e. there will be multiple exception structs +and multiple invocations of the helpers. + +No functional change intended. + +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-20-seanjc@google.com +Signed-off-by: Paolo Bonzini +Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time") +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/nested.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index 7655b5acbbcd..dfd5e13e5202 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3871,14 +3871,24 @@ static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu, + * from the emulator (because such #DBs are fault-like and thus don't trigger + * actions that fire on instruction retire). + */ +-static inline unsigned long vmx_get_pending_dbg_trap(struct kvm_vcpu *vcpu) ++static unsigned long vmx_get_pending_dbg_trap(struct kvm_queued_exception *ex) + { +- if (!vcpu->arch.exception.pending || +- vcpu->arch.exception.vector != DB_VECTOR) ++ if (!ex->pending || ex->vector != DB_VECTOR) + return 0; + + /* General Detect #DBs are always fault-like. */ +- return vcpu->arch.exception.payload & ~DR6_BD; ++ return ex->payload & ~DR6_BD; ++} ++ ++/* ++ * Returns true if there's a pending #DB exception that is lower priority than ++ * a pending Monitor Trap Flag VM-Exit. TSS T-flag #DBs are not emulated by ++ * KVM, but could theoretically be injected by userspace. Note, this code is ++ * imperfect, see above. ++ */ ++static bool vmx_is_low_priority_db_trap(struct kvm_queued_exception *ex) ++{ ++ return vmx_get_pending_dbg_trap(ex) & ~DR6_BT; + } + + /* +@@ -3890,8 +3900,9 @@ static inline unsigned long vmx_get_pending_dbg_trap(struct kvm_vcpu *vcpu) + */ + static void nested_vmx_update_pending_dbg(struct kvm_vcpu *vcpu) + { +- unsigned long pending_dbg = vmx_get_pending_dbg_trap(vcpu); ++ unsigned long pending_dbg; + ++ pending_dbg = vmx_get_pending_dbg_trap(&vcpu->arch.exception); + if (pending_dbg) + vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS, pending_dbg); + } +@@ -3961,7 +3972,7 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + * prioritize SMI over MTF and trap-like #DBs. + */ + if (vcpu->arch.exception.pending && +- !(vmx_get_pending_dbg_trap(vcpu) & ~DR6_BT)) { ++ !vmx_is_low_priority_db_trap(&vcpu->arch.exception)) { + if (block_nested_exceptions) + return -EBUSY; + if (!nested_vmx_check_exception(vcpu, &exit_qual)) +-- +2.35.1 + diff --git a/queue-6.0/kvm-nvmx-ignore-sipi-that-arrives-in-l2-when-vcpu-is.patch b/queue-6.0/kvm-nvmx-ignore-sipi-that-arrives-in-l2-when-vcpu-is.patch new file mode 100644 index 00000000000..a85c31b74ac --- /dev/null +++ b/queue-6.0/kvm-nvmx-ignore-sipi-that-arrives-in-l2-when-vcpu-is.patch @@ -0,0 +1,47 @@ +From 48c98fb5bd6fccc2492ce5f3b5e0e24ddd705383 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:15:57 +0000 +Subject: KVM: nVMX: Ignore SIPI that arrives in L2 when vCPU is not in WFS + +From: Sean Christopherson + +[ Upstream commit c2086eca86585bfd8132dd91e802497a202185c8 ] + +Fall through to handling other pending exception/events for L2 if SIPI +is pending while the CPU is not in Wait-for-SIPI. KVM correctly ignores +the event, but incorrectly returns immediately, e.g. a SIPI coincident +with another event could lead to KVM incorrectly routing the event to L1 +instead of L2. + +Fixes: bf0cd88ce363 ("KVM: x86: emulate wait-for-SIPI and SIPI-VMExit") +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-11-seanjc@google.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/nested.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index 93c34841e51e..c06c25fb9cbe 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3937,10 +3937,12 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + return -EBUSY; + + clear_bit(KVM_APIC_SIPI, &apic->pending_events); +- if (vcpu->arch.mp_state == KVM_MP_STATE_INIT_RECEIVED) ++ if (vcpu->arch.mp_state == KVM_MP_STATE_INIT_RECEIVED) { + nested_vmx_vmexit(vcpu, EXIT_REASON_SIPI_SIGNAL, 0, + apic->sipi_vector & 0xFFUL); +- return 0; ++ return 0; ++ } ++ /* Fallthrough, the SIPI is completely ignored. */ + } + + /* +-- +2.35.1 + diff --git a/queue-6.0/kvm-nvmx-prioritize-tss-t-flag-dbs-over-monitor-trap.patch b/queue-6.0/kvm-nvmx-prioritize-tss-t-flag-dbs-over-monitor-trap.patch new file mode 100644 index 00000000000..fa223ff6304 --- /dev/null +++ b/queue-6.0/kvm-nvmx-prioritize-tss-t-flag-dbs-over-monitor-trap.patch @@ -0,0 +1,58 @@ +From ce3c7cd86f3efdea63bb63bad636972751fe18fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:15:54 +0000 +Subject: KVM: nVMX: Prioritize TSS T-flag #DBs over Monitor Trap Flag + +From: Sean Christopherson + +[ Upstream commit b9d44f9091ac6c325fc2f7b7671b462fb36abbed ] + +Service TSS T-flag #DBs prior to pending MTFs, as such #DBs are higher +priority than MTF. KVM itself doesn't emulate TSS #DBs, and any such +exceptions injected from L1 will be handled by hardware (or morphed to +a fault-like exception if injection fails), but theoretically userspace +could pend a TSS T-flag #DB in conjunction with a pending MTF. + +Note, there's no known use case this fixes, it's purely to be technically +correct with respect to Intel's SDM. + +Cc: Oliver Upton +Cc: Peter Shier +Fixes: 5ef8acbdd687 ("KVM: nVMX: Emulate MTF when performing instruction emulation") +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-8-seanjc@google.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/nested.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index 4b96b5a25ba5..93c34841e51e 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3944,15 +3944,17 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + } + + /* +- * Process any exceptions that are not debug traps before MTF. ++ * Process exceptions that are higher priority than Monitor Trap Flag: ++ * fault-like exceptions, TSS T flag #DB (not emulated by KVM, but ++ * could theoretically come in from userspace), and ICEBP (INT1). + * + * Note that only a pending nested run can block a pending exception. + * Otherwise an injected NMI/interrupt should either be + * lost or delivered to the nested hypervisor in the IDT_VECTORING_INFO, + * while delivering the pending exception. + */ +- +- if (vcpu->arch.exception.pending && !vmx_get_pending_dbg_trap(vcpu)) { ++ if (vcpu->arch.exception.pending && ++ !(vmx_get_pending_dbg_trap(vcpu) & ~DR6_BT)) { + if (vmx->nested.nested_run_pending) + return -EBUSY; + if (!nested_vmx_check_exception(vcpu, &exit_qual)) +-- +2.35.1 + diff --git a/queue-6.0/kvm-nvmx-treat-general-detect-db-dr7.gd-1-as-fault-l.patch b/queue-6.0/kvm-nvmx-treat-general-detect-db-dr7.gd-1-as-fault-l.patch new file mode 100644 index 00000000000..cbe40b353af --- /dev/null +++ b/queue-6.0/kvm-nvmx-treat-general-detect-db-dr7.gd-1-as-fault-l.patch @@ -0,0 +1,95 @@ +From 74aca2738bdc8deee250f0cdc6dd4959c9dfac3f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:15:53 +0000 +Subject: KVM: nVMX: Treat General Detect #DB (DR7.GD=1) as fault-like + +From: Sean Christopherson + +[ Upstream commit 8d178f460772ecdee8e6d72389b43a8d35a14ff5 ] + +Exclude General Detect #DBs, which have fault-like behavior but also have +a non-zero payload (DR6.BD=1), from nVMX's handling of pending debug +traps. Opportunistically rewrite the comment to better document what is +being checked, i.e. "has a non-zero payload" vs. "has a payload", and to +call out the many caveats surrounding #DBs that KVM dodges one way or +another. + +Cc: Oliver Upton +Cc: Peter Shier +Fixes: 684c0422da71 ("KVM: nVMX: Handle pending #DB when injecting INIT VM-exit") +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-7-seanjc@google.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/nested.c | 36 +++++++++++++++++++++++++----------- + 1 file changed, 25 insertions(+), 11 deletions(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index 03d348fa6485..4b96b5a25ba5 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3858,16 +3858,29 @@ static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu, + } + + /* +- * Returns true if a debug trap is pending delivery. ++ * Returns true if a debug trap is (likely) pending delivery. Infer the class ++ * of a #DB (trap-like vs. fault-like) from the exception payload (to-be-DR6). ++ * Using the payload is flawed because code breakpoints (fault-like) and data ++ * breakpoints (trap-like) set the same bits in DR6 (breakpoint detected), i.e. ++ * this will return false positives if a to-be-injected code breakpoint #DB is ++ * pending (from KVM's perspective, but not "pending" across an instruction ++ * boundary). ICEBP, a.k.a. INT1, is also not reflected here even though it ++ * too is trap-like. + * +- * In KVM, debug traps bear an exception payload. As such, the class of a #DB +- * exception may be inferred from the presence of an exception payload. ++ * KVM "works" despite these flaws as ICEBP isn't currently supported by the ++ * emulator, Monitor Trap Flag is not marked pending on intercepted #DBs (the ++ * #DB has already happened), and MTF isn't marked pending on code breakpoints ++ * from the emulator (because such #DBs are fault-like and thus don't trigger ++ * actions that fire on instruction retire). + */ +-static inline bool vmx_pending_dbg_trap(struct kvm_vcpu *vcpu) ++static inline unsigned long vmx_get_pending_dbg_trap(struct kvm_vcpu *vcpu) + { +- return vcpu->arch.exception.pending && +- vcpu->arch.exception.nr == DB_VECTOR && +- vcpu->arch.exception.payload; ++ if (!vcpu->arch.exception.pending || ++ vcpu->arch.exception.nr != DB_VECTOR) ++ return 0; ++ ++ /* General Detect #DBs are always fault-like. */ ++ return vcpu->arch.exception.payload & ~DR6_BD; + } + + /* +@@ -3879,9 +3892,10 @@ static inline bool vmx_pending_dbg_trap(struct kvm_vcpu *vcpu) + */ + static void nested_vmx_update_pending_dbg(struct kvm_vcpu *vcpu) + { +- if (vmx_pending_dbg_trap(vcpu)) +- vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS, +- vcpu->arch.exception.payload); ++ unsigned long pending_dbg = vmx_get_pending_dbg_trap(vcpu); ++ ++ if (pending_dbg) ++ vmcs_writel(GUEST_PENDING_DBG_EXCEPTIONS, pending_dbg); + } + + static bool nested_vmx_preemption_timer_pending(struct kvm_vcpu *vcpu) +@@ -3938,7 +3952,7 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + * while delivering the pending exception. + */ + +- if (vcpu->arch.exception.pending && !vmx_pending_dbg_trap(vcpu)) { ++ if (vcpu->arch.exception.pending && !vmx_get_pending_dbg_trap(vcpu)) { + if (vmx->nested.nested_run_pending) + return -EBUSY; + if (!nested_vmx_check_exception(vcpu, &exit_qual)) +-- +2.35.1 + diff --git a/queue-6.0/kvm-nvmx-unconditionally-clear-mtf_pending-on-nested.patch b/queue-6.0/kvm-nvmx-unconditionally-clear-mtf_pending-on-nested.patch new file mode 100644 index 00000000000..891d74e5b46 --- /dev/null +++ b/queue-6.0/kvm-nvmx-unconditionally-clear-mtf_pending-on-nested.patch @@ -0,0 +1,99 @@ +From 9960eda0640025a4b547fa5ca741bbb2ac8dc0c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:15:58 +0000 +Subject: KVM: nVMX: Unconditionally clear mtf_pending on nested VM-Exit + +From: Sean Christopherson + +[ Upstream commit 593a5c2e3c12a2f65967739267093255c47e9fe0 ] + +Clear mtf_pending on nested VM-Exit instead of handling the clear on a +case-by-case basis in vmx_check_nested_events(). The pending MTF should +never survive nested VM-Exit, as it is a property of KVM's run of the +current L2, i.e. should never affect the next L2 run by L1. In practice, +this is likely a nop as getting to L1 with nested_run_pending is +impossible, and KVM doesn't correctly handle morphing a pending exception +that occurs on a prior injected exception (need for re-injected exception +being the other case where MTF isn't cleared). However, KVM will +hopefully soon correctly deal with a pending exception on top of an +injected exception. + +Add a TODO to document that KVM has an inversion priority bug between +SMIs and MTF (and trap-like #DBS), and that KVM also doesn't properly +save/restore MTF across SMI/RSM. + +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-12-seanjc@google.com +Signed-off-by: Paolo Bonzini +Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time") +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/nested.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index c06c25fb9cbe..0aa40ea496a8 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3910,16 +3910,8 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + unsigned long exit_qual; + bool block_nested_events = + vmx->nested.nested_run_pending || kvm_event_needs_reinjection(vcpu); +- bool mtf_pending = vmx->nested.mtf_pending; + struct kvm_lapic *apic = vcpu->arch.apic; + +- /* +- * Clear the MTF state. If a higher priority VM-exit is delivered first, +- * this state is discarded. +- */ +- if (!block_nested_events) +- vmx->nested.mtf_pending = false; +- + if (lapic_in_kernel(vcpu) && + test_bit(KVM_APIC_INIT, &apic->pending_events)) { + if (block_nested_events) +@@ -3928,6 +3920,9 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + clear_bit(KVM_APIC_INIT, &apic->pending_events); + if (vcpu->arch.mp_state != KVM_MP_STATE_INIT_RECEIVED) + nested_vmx_vmexit(vcpu, EXIT_REASON_INIT_SIGNAL, 0, 0); ++ ++ /* MTF is discarded if the vCPU is in WFS. */ ++ vmx->nested.mtf_pending = false; + return 0; + } + +@@ -3950,6 +3945,11 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + * fault-like exceptions, TSS T flag #DB (not emulated by KVM, but + * could theoretically come in from userspace), and ICEBP (INT1). + * ++ * TODO: SMIs have higher priority than MTF and trap-like #DBs (except ++ * for TSS T flag #DBs). KVM also doesn't save/restore pending MTF ++ * across SMI/RSM as it should; that needs to be addressed in order to ++ * prioritize SMI over MTF and trap-like #DBs. ++ * + * Note that only a pending nested run can block a pending exception. + * Otherwise an injected NMI/interrupt should either be + * lost or delivered to the nested hypervisor in the IDT_VECTORING_INFO, +@@ -3965,7 +3965,7 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + return 0; + } + +- if (mtf_pending) { ++ if (vmx->nested.mtf_pending) { + if (block_nested_events) + return -EBUSY; + nested_vmx_update_pending_dbg(vcpu); +@@ -4562,6 +4562,9 @@ void nested_vmx_vmexit(struct kvm_vcpu *vcpu, u32 vm_exit_reason, + struct vcpu_vmx *vmx = to_vmx(vcpu); + struct vmcs12 *vmcs12 = get_vmcs12(vcpu); + ++ /* Pending MTF traps are discarded on VM-Exit. */ ++ vmx->nested.mtf_pending = false; ++ + /* trying to cancel vmlaunch/vmresume is a bug */ + WARN_ON_ONCE(vmx->nested.nested_run_pending); + +-- +2.35.1 + diff --git a/queue-6.0/kvm-ppc-book3s-hv-fix-decrementer-migration.patch b/queue-6.0/kvm-ppc-book3s-hv-fix-decrementer-migration.patch new file mode 100644 index 00000000000..758501be885 --- /dev/null +++ b/queue-6.0/kvm-ppc-book3s-hv-fix-decrementer-migration.patch @@ -0,0 +1,83 @@ +From 890cdfadae6607769ae9504dec90df8e4cb95943 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 19:25:17 -0300 +Subject: KVM: PPC: Book3S HV: Fix decrementer migration + +From: Fabiano Rosas + +[ Upstream commit 0a5bfb824a6ea35e54b7e5ac6f881beea5e309d2 ] + +We used to have a workaround[1] for a hang during migration that was +made ineffective when we converted the decrementer expiry to be +relative to guest timebase. + +The point of the workaround was that in the absence of an explicit +decrementer expiry value provided by userspace during migration, KVM +needs to initialize dec_expires to a value that will result in an +expired decrementer after subtracting the current guest timebase. That +stops the vcpu from hanging after migration due to a decrementer +that's too large. + +If the dec_expires is now relative to guest timebase, its +initialization needs to be guest timebase-relative as well, otherwise +we end up with a decrementer expiry that is still larger than the +guest timebase. + +1- https://git.kernel.org/torvalds/c/5855564c8ab2 + +Fixes: 3c1a4322bba7 ("KVM: PPC: Book3S HV: Change dec_expires to be relative to guest timebase") +Signed-off-by: Fabiano Rosas +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220816222517.1916391-1-farosas@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 18 ++++++++++++++++-- + arch/powerpc/kvm/powerpc.c | 1 - + 2 files changed, 16 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 57d0835e56fd..917abda9e5ce 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -2517,10 +2517,24 @@ static int kvmppc_set_one_reg_hv(struct kvm_vcpu *vcpu, u64 id, + r = set_vpa(vcpu, &vcpu->arch.dtl, addr, len); + break; + case KVM_REG_PPC_TB_OFFSET: ++ { + /* round up to multiple of 2^24 */ +- vcpu->arch.vcore->tb_offset = +- ALIGN(set_reg_val(id, *val), 1UL << 24); ++ u64 tb_offset = ALIGN(set_reg_val(id, *val), 1UL << 24); ++ ++ /* ++ * Now that we know the timebase offset, update the ++ * decrementer expiry with a guest timebase value. If ++ * the userspace does not set DEC_EXPIRY, this ensures ++ * a migrated vcpu at least starts with an expired ++ * decrementer, which is better than a large one that ++ * causes a hang. ++ */ ++ if (!vcpu->arch.dec_expires && tb_offset) ++ vcpu->arch.dec_expires = get_tb() + tb_offset; ++ ++ vcpu->arch.vcore->tb_offset = tb_offset; + break; ++ } + case KVM_REG_PPC_LPCR: + kvmppc_set_lpcr(vcpu, set_reg_val(id, *val), true); + break; +diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c +index fb1490761c87..757491dd6b7b 100644 +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -786,7 +786,6 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu) + + hrtimer_init(&vcpu->arch.dec_timer, CLOCK_REALTIME, HRTIMER_MODE_ABS); + vcpu->arch.dec_timer.function = kvmppc_decrementer_wakeup; +- vcpu->arch.dec_expires = get_tb(); + + #ifdef CONFIG_KVM_EXIT_TIMING + mutex_init(&vcpu->arch.exit_timing_lock); +-- +2.35.1 + diff --git a/queue-6.0/kvm-ppc-book3s-hv-p9-clear-vcpu-cpu-fields-before-en.patch b/queue-6.0/kvm-ppc-book3s-hv-p9-clear-vcpu-cpu-fields-before-en.patch new file mode 100644 index 00000000000..654025b8bd7 --- /dev/null +++ b/queue-6.0/kvm-ppc-book3s-hv-p9-clear-vcpu-cpu-fields-before-en.patch @@ -0,0 +1,54 @@ +From 3f7b9afa2b8e5b655f45b72f75eadd94a2ece613 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 23:25:41 +1000 +Subject: KVM: PPC: Book3S HV P9: Clear vcpu cpu fields before enabling host + irqs + +From: Nicholas Piggin + +[ Upstream commit bc91c04bfff7cdf676011b97bb21b2861d7b21c9 ] + +On guest entry, vcpu->cpu and vcpu->arch.thread_cpu are set after +disabling host irqs. On guest exit there is a window whre tick time +accounting briefly enables irqs before these fields are cleared. + +Move them up to ensure they are cleared before host irqs are run. +This is possibly not a problem, but is more symmetric and makes the +fields less surprising. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220908132545.4085849-1-npiggin@gmail.com +Stable-dep-of: 1a5486b3c351 ("KVM: PPC: Book3S HV P9: Restore stolen time logging in dtl") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index d72df696837d..0f8dee657336 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -4629,6 +4629,9 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + + set_irq_happened(trap); + ++ vcpu->cpu = -1; ++ vcpu->arch.thread_cpu = -1; ++ + context_tracking_guest_exit(); + if (!vtime_accounting_enabled_this_cpu()) { + powerpc_local_irq_pmu_restore(flags); +@@ -4644,9 +4647,6 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + } + vtime_account_guest_exit(); + +- vcpu->cpu = -1; +- vcpu->arch.thread_cpu = -1; +- + powerpc_local_irq_pmu_restore(flags); + + preempt_enable(); +-- +2.35.1 + diff --git a/queue-6.0/kvm-ppc-book3s-hv-p9-fix-irq-disabling-in-tick-accou.patch b/queue-6.0/kvm-ppc-book3s-hv-p9-fix-irq-disabling-in-tick-accou.patch new file mode 100644 index 00000000000..85f27bcf468 --- /dev/null +++ b/queue-6.0/kvm-ppc-book3s-hv-p9-fix-irq-disabling-in-tick-accou.patch @@ -0,0 +1,48 @@ +From 5d52e92c4206869cc55d9336d147dc0ed9e6b857 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 23:25:42 +1000 +Subject: KVM: PPC: Book3S HV P9: Fix irq disabling in tick accounting + +From: Nicholas Piggin + +[ Upstream commit c953f7500b65f2b157d1eb468ca8b86328834cce ] + +kvmhv_run_single_vcpu() disables PMIs as well as Linux irqs, +however the tick time accounting code enables and disables irqs and +not PMIs within this region. By chance this might not actually cause +a bug, but it is clearly an incorrect use of the APIs. + +Fixes: 2251fbe76395e ("KVM: PPC: Book3S HV P9: Improve mtmsrd scheduling by delaying MSR[EE] disable") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220908132545.4085849-2-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 917abda9e5ce..d72df696837d 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -4631,7 +4631,7 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + + context_tracking_guest_exit(); + if (!vtime_accounting_enabled_this_cpu()) { +- local_irq_enable(); ++ powerpc_local_irq_pmu_restore(flags); + /* + * Service IRQs here before vtime_account_guest_exit() so any + * ticks that occurred while running the guest are accounted to +@@ -4640,7 +4640,7 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + * interrupts here, which has the problem that it accounts + * interrupt processing overhead to the host. + */ +- local_irq_disable(); ++ powerpc_local_irq_pmu_save(flags); + } + vtime_account_guest_exit(); + +-- +2.35.1 + diff --git a/queue-6.0/kvm-ppc-book3s-hv-p9-restore-stolen-time-logging-in-.patch b/queue-6.0/kvm-ppc-book3s-hv-p9-restore-stolen-time-logging-in-.patch new file mode 100644 index 00000000000..767a53576a0 --- /dev/null +++ b/queue-6.0/kvm-ppc-book3s-hv-p9-restore-stolen-time-logging-in-.patch @@ -0,0 +1,150 @@ +From afe3395a6c00b7cb77f86640479cda6046f95a6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 23:25:44 +1000 +Subject: KVM: PPC: Book3S HV P9: Restore stolen time logging in dtl + +From: Nicholas Piggin + +[ Upstream commit 1a5486b3c3517aa1f608a10003ade4da122cb175 ] + +Stolen time logging in dtl was removed from the P9 path, so guests had +no stolen time accounting. Add it back in a simpler way that still +avoids locks and per-core accounting code. + +Fixes: ecb6a7207f92 ("KVM: PPC: Book3S HV P9: Remove most of the vcore logic") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220908132545.4085849-4-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 49 +++++++++++++++++++++++++++++++++--- + 1 file changed, 45 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 0f8dee657336..2feacb1ee9d9 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -249,6 +249,7 @@ static void kvmppc_fast_vcpu_kick_hv(struct kvm_vcpu *vcpu) + + /* + * We use the vcpu_load/put functions to measure stolen time. ++ * + * Stolen time is counted as time when either the vcpu is able to + * run as part of a virtual core, but the task running the vcore + * is preempted or sleeping, or when the vcpu needs something done +@@ -278,6 +279,12 @@ static void kvmppc_fast_vcpu_kick_hv(struct kvm_vcpu *vcpu) + * lock. The stolen times are measured in units of timebase ticks. + * (Note that the != TB_NIL checks below are purely defensive; + * they should never fail.) ++ * ++ * The POWER9 path is simpler, one vcpu per virtual core so the ++ * former case does not exist. If a vcpu is preempted when it is ++ * BUSY_IN_HOST and not ceded or otherwise blocked, then accumulate ++ * the stolen cycles in busy_stolen. RUNNING is not a preemptible ++ * state in the P9 path. + */ + + static void kvmppc_core_start_stolen(struct kvmppc_vcore *vc, u64 tb) +@@ -311,8 +318,14 @@ static void kvmppc_core_vcpu_load_hv(struct kvm_vcpu *vcpu, int cpu) + unsigned long flags; + u64 now; + +- if (cpu_has_feature(CPU_FTR_ARCH_300)) ++ if (cpu_has_feature(CPU_FTR_ARCH_300)) { ++ if (vcpu->arch.busy_preempt != TB_NIL) { ++ WARN_ON_ONCE(vcpu->arch.state != KVMPPC_VCPU_BUSY_IN_HOST); ++ vc->stolen_tb += mftb() - vcpu->arch.busy_preempt; ++ vcpu->arch.busy_preempt = TB_NIL; ++ } + return; ++ } + + now = mftb(); + +@@ -340,8 +353,21 @@ static void kvmppc_core_vcpu_put_hv(struct kvm_vcpu *vcpu) + unsigned long flags; + u64 now; + +- if (cpu_has_feature(CPU_FTR_ARCH_300)) ++ if (cpu_has_feature(CPU_FTR_ARCH_300)) { ++ /* ++ * In the P9 path, RUNNABLE is not preemptible ++ * (nor takes host interrupts) ++ */ ++ WARN_ON_ONCE(vcpu->arch.state == KVMPPC_VCPU_RUNNABLE); ++ /* ++ * Account stolen time when preempted while the vcpu task is ++ * running in the kernel (but not in qemu, which is INACTIVE). ++ */ ++ if (task_is_running(current) && ++ vcpu->arch.state == KVMPPC_VCPU_BUSY_IN_HOST) ++ vcpu->arch.busy_preempt = mftb(); + return; ++ } + + now = mftb(); + +@@ -740,6 +766,18 @@ static void __kvmppc_create_dtl_entry(struct kvm_vcpu *vcpu, + vcpu->arch.dtl.dirty = true; + } + ++static void kvmppc_create_dtl_entry_p9(struct kvm_vcpu *vcpu, ++ struct kvmppc_vcore *vc, ++ u64 now) ++{ ++ unsigned long stolen; ++ ++ stolen = vc->stolen_tb - vcpu->arch.stolen_logged; ++ vcpu->arch.stolen_logged = vc->stolen_tb; ++ ++ __kvmppc_create_dtl_entry(vcpu, vc->pcpu, now, stolen); ++} ++ + static void kvmppc_create_dtl_entry(struct kvm_vcpu *vcpu, + struct kvmppc_vcore *vc) + { +@@ -4534,7 +4572,6 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + vc = vcpu->arch.vcore; + vcpu->arch.ceded = 0; + vcpu->arch.run_task = current; +- vcpu->arch.state = KVMPPC_VCPU_RUNNABLE; + vcpu->arch.last_inst = KVM_INST_FETCH_FAILED; + + /* See if the MMU is ready to go */ +@@ -4561,6 +4598,8 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + /* flags save not required, but irq_pmu has no disable/enable API */ + powerpc_local_irq_pmu_save(flags); + ++ vcpu->arch.state = KVMPPC_VCPU_RUNNABLE; ++ + if (signal_pending(current)) + goto sigpend; + if (need_resched() || !kvm->arch.mmu_ready) +@@ -4605,7 +4644,7 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + + tb = mftb(); + +- __kvmppc_create_dtl_entry(vcpu, pcpu, tb + vc->tb_offset, 0); ++ kvmppc_create_dtl_entry_p9(vcpu, vc, tb + vc->tb_offset); + + trace_kvm_guest_enter(vcpu); + +@@ -4631,6 +4670,7 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + + vcpu->cpu = -1; + vcpu->arch.thread_cpu = -1; ++ vcpu->arch.state = KVMPPC_VCPU_BUSY_IN_HOST; + + context_tracking_guest_exit(); + if (!vtime_accounting_enabled_this_cpu()) { +@@ -4708,6 +4748,7 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + out: + vcpu->cpu = -1; + vcpu->arch.thread_cpu = -1; ++ vcpu->arch.state = KVMPPC_VCPU_BUSY_IN_HOST; + powerpc_local_irq_pmu_restore(flags); + preempt_enable(); + goto done; +-- +2.35.1 + diff --git a/queue-6.0/kvm-vmx-inject-pf-on-encls-as-emulated-pf.patch b/queue-6.0/kvm-vmx-inject-pf-on-encls-as-emulated-pf.patch new file mode 100644 index 00000000000..1488e3f7c7e --- /dev/null +++ b/queue-6.0/kvm-vmx-inject-pf-on-encls-as-emulated-pf.patch @@ -0,0 +1,41 @@ +From 60973cdaf3fd26815a9f305379f542e6f93b166a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:15:59 +0000 +Subject: KVM: VMX: Inject #PF on ENCLS as "emulated" #PF + +From: Sean Christopherson + +[ Upstream commit bfcb08a0b9e99b959814a329fabace22c3df046d ] + +Treat #PFs that occur during emulation of ENCLS as, wait for it, emulated +page faults. Practically speaking, this is a glorified nop as the +exception is never of the nested flavor, and it's extremely unlikely the +guest is relying on the side effect of an implicit INVLPG on the faulting +address. + +Fixes: 70210c044b4e ("KVM: VMX: Add SGX ENCLS[ECREATE] handler to enforce CPUID restrictions") +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-13-seanjc@google.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx/sgx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/vmx/sgx.c b/arch/x86/kvm/vmx/sgx.c +index aba8cebdc587..8f95c7c01433 100644 +--- a/arch/x86/kvm/vmx/sgx.c ++++ b/arch/x86/kvm/vmx/sgx.c +@@ -129,7 +129,7 @@ static int sgx_inject_fault(struct kvm_vcpu *vcpu, gva_t gva, int trapnr) + ex.address = gva; + ex.error_code_valid = true; + ex.nested_page_fault = false; +- kvm_inject_page_fault(vcpu, &ex); ++ kvm_inject_emulated_page_fault(vcpu, &ex); + } else { + kvm_inject_gp(vcpu, 0); + } +-- +2.35.1 + diff --git a/queue-6.0/kvm-x86-check-for-existing-hyper-v-vcpu-in-kvm_hv_vc.patch b/queue-6.0/kvm-x86-check-for-existing-hyper-v-vcpu-in-kvm_hv_vc.patch new file mode 100644 index 00000000000..b23938f76c5 --- /dev/null +++ b/queue-6.0/kvm-x86-check-for-existing-hyper-v-vcpu-in-kvm_hv_vc.patch @@ -0,0 +1,101 @@ +From 2af948a8e9becc744b8a2f1d0718d6e255df8b46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 15:37:08 +0200 +Subject: KVM: x86: Check for existing Hyper-V vCPU in kvm_hv_vcpu_init() + +From: Sean Christopherson + +[ Upstream commit 1cac8d9f6bd25df3713103e44e2d9ca0c2e03c33 ] + +When potentially allocating/initializing the Hyper-V vCPU struct, check +for an existing instance in kvm_hv_vcpu_init() instead of requiring +callers to perform the check. Relying on callers to do the check is +risky as it's all too easy for KVM to overwrite vcpu->arch.hyperv and +leak memory, and it adds additional burden on callers without much +benefit. + +No functional change intended. + +Signed-off-by: Sean Christopherson +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Sean Christopherson +Reviewed-by: Wei Liu +Link: https://lore.kernel.org/r/20220830133737.1539624-5-vkuznets@redhat.com +Signed-off-by: Paolo Bonzini +Stable-dep-of: 3be29eb7b525 ("KVM: x86: Report error when setting CPUID if Hyper-V allocation fails") +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/hyperv.c | 27 ++++++++++++--------------- + 1 file changed, 12 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c +index 611c349a08bf..8aadd31ed058 100644 +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -936,9 +936,12 @@ static void stimer_init(struct kvm_vcpu_hv_stimer *stimer, int timer_index) + + static int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu) + { +- struct kvm_vcpu_hv *hv_vcpu; ++ struct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu); + int i; + ++ if (hv_vcpu) ++ return 0; ++ + hv_vcpu = kzalloc(sizeof(struct kvm_vcpu_hv), GFP_KERNEL_ACCOUNT); + if (!hv_vcpu) + return -ENOMEM; +@@ -962,11 +965,9 @@ int kvm_hv_activate_synic(struct kvm_vcpu *vcpu, bool dont_zero_synic_pages) + struct kvm_vcpu_hv_synic *synic; + int r; + +- if (!to_hv_vcpu(vcpu)) { +- r = kvm_hv_vcpu_init(vcpu); +- if (r) +- return r; +- } ++ r = kvm_hv_vcpu_init(vcpu); ++ if (r) ++ return r; + + synic = to_hv_synic(vcpu); + +@@ -1660,10 +1661,8 @@ int kvm_hv_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data, bool host) + if (!host && !vcpu->arch.hyperv_enabled) + return 1; + +- if (!to_hv_vcpu(vcpu)) { +- if (kvm_hv_vcpu_init(vcpu)) +- return 1; +- } ++ if (kvm_hv_vcpu_init(vcpu)) ++ return 1; + + if (kvm_hv_msr_partition_wide(msr)) { + int r; +@@ -1683,10 +1682,8 @@ int kvm_hv_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata, bool host) + if (!host && !vcpu->arch.hyperv_enabled) + return 1; + +- if (!to_hv_vcpu(vcpu)) { +- if (kvm_hv_vcpu_init(vcpu)) +- return 1; +- } ++ if (kvm_hv_vcpu_init(vcpu)) ++ return 1; + + if (kvm_hv_msr_partition_wide(msr)) { + int r; +@@ -2000,7 +1997,7 @@ void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu) + return; + } + +- if (!to_hv_vcpu(vcpu) && kvm_hv_vcpu_init(vcpu)) ++ if (kvm_hv_vcpu_init(vcpu)) + return; + + hv_vcpu = to_hv_vcpu(vcpu); +-- +2.35.1 + diff --git a/queue-6.0/kvm-x86-do-proper-cleanup-if-kvm_x86_ops-vm_init-fai.patch b/queue-6.0/kvm-x86-do-proper-cleanup-if-kvm_x86_ops-vm_init-fai.patch new file mode 100644 index 00000000000..c5ec512cb3d --- /dev/null +++ b/queue-6.0/kvm-x86-do-proper-cleanup-if-kvm_x86_ops-vm_init-fai.patch @@ -0,0 +1,52 @@ +From e1f7f2457b1342553570bfcaeadae1496f75eec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 15:43:29 -0700 +Subject: kvm: x86: Do proper cleanup if kvm_x86_ops->vm_init() fails + +From: Junaid Shahid + +[ Upstream commit b24ede22538b4d984cbe20532bbcb303692e7f52 ] + +If vm_init() fails [which can happen, for instance, if a memory +allocation fails during avic_vm_init()], we need to cleanup some +state in order to avoid resource leaks. + +Signed-off-by: Junaid Shahid +Link: https://lore.kernel.org/r/20220729224329.323378-1-junaids@google.com +Signed-off-by: Sean Christopherson +Stable-dep-of: 5a2a961be2ad ("KVM: fix memoryleak in kvm_init()") +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index e2435090f225..14cb589683a1 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -12103,6 +12103,10 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type) + if (ret) + goto out_page_track; + ++ ret = static_call(kvm_x86_vm_init)(kvm); ++ if (ret) ++ goto out_uninit_mmu; ++ + INIT_HLIST_HEAD(&kvm->arch.mask_notifier_list); + INIT_LIST_HEAD(&kvm->arch.assigned_dev_head); + atomic_set(&kvm->arch.noncoherent_dma_count, 0); +@@ -12138,8 +12142,10 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type) + kvm_hv_init_vm(kvm); + kvm_xen_init_vm(kvm); + +- return static_call(kvm_x86_vm_init)(kvm); ++ return 0; + ++out_uninit_mmu: ++ kvm_mmu_uninit_vm(kvm); + out_page_track: + kvm_page_track_cleanup(kvm); + out: +-- +2.35.1 + diff --git a/queue-6.0/kvm-x86-evaluate-ability-to-inject-smi-nmi-irq-after.patch b/queue-6.0/kvm-x86-evaluate-ability-to-inject-smi-nmi-irq-after.patch new file mode 100644 index 00000000000..0b96b6678e5 --- /dev/null +++ b/queue-6.0/kvm-x86-evaluate-ability-to-inject-smi-nmi-irq-after.patch @@ -0,0 +1,57 @@ +From 37892c242b5293bddc508ec7fa3c598104fc29c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:16:05 +0000 +Subject: KVM: x86: Evaluate ability to inject SMI/NMI/IRQ after potential + VM-Exit + +From: Sean Christopherson + +[ Upstream commit 28360f88706837fc3f1ac8944b45b4a630a71c75 ] + +Determine whether or not new events can be injected after checking nested +events. If a VM-Exit occurred during nested event handling, any previous +event that needed re-injection is gone from's KVM perspective; the event +is captured in the vmc*12 VM-Exit information, but doesn't exist in terms +of what needs to be done for entry to L1. + +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-19-seanjc@google.com +Signed-off-by: Paolo Bonzini +Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time") +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 15229a5ad9ff..01d59f93d93e 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -9683,7 +9683,7 @@ static void kvm_inject_exception(struct kvm_vcpu *vcpu) + + static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit) + { +- bool can_inject = !kvm_event_needs_reinjection(vcpu); ++ bool can_inject; + int r; + + /* +@@ -9748,7 +9748,13 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit) + if (r < 0) + goto out; + +- /* try to inject new event if pending */ ++ /* ++ * New events, other than exceptions, cannot be injected if KVM needs ++ * to re-inject a previous event. See above comments on re-injecting ++ * for why pending exceptions get priority. ++ */ ++ can_inject = !kvm_event_needs_reinjection(vcpu); ++ + if (vcpu->arch.exception.pending) { + /* + * Fault-class exceptions, except #DBs, set RF=1 in the RFLAGS +-- +2.35.1 + diff --git a/queue-6.0/kvm-x86-formalize-blocking-of-nested-pending-excepti.patch b/queue-6.0/kvm-x86-formalize-blocking-of-nested-pending-excepti.patch new file mode 100644 index 00000000000..4b9e12576b8 --- /dev/null +++ b/queue-6.0/kvm-x86-formalize-blocking-of-nested-pending-excepti.patch @@ -0,0 +1,131 @@ +From 3b49b279b88de56dc9d042feb7b8bf101a21ea30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:16:02 +0000 +Subject: KVM: x86: Formalize blocking of nested pending exceptions + +From: Sean Christopherson + +[ Upstream commit 72c14e00bdc445e96045c28d04bba45cbe69cf95 ] + +Capture nested_run_pending as block_pending_exceptions so that the logic +of why exceptions are blocked only needs to be documented once instead of +at every place that employs the logic. + +No functional change intended. + +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-16-seanjc@google.com +Signed-off-by: Paolo Bonzini +Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time") +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm/nested.c | 26 ++++++++++++++++---------- + arch/x86/kvm/vmx/nested.c | 27 +++++++++++++++++---------- + 2 files changed, 33 insertions(+), 20 deletions(-) + +diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c +index 8f991592d277..a6111392985c 100644 +--- a/arch/x86/kvm/svm/nested.c ++++ b/arch/x86/kvm/svm/nested.c +@@ -1356,10 +1356,22 @@ static inline bool nested_exit_on_init(struct vcpu_svm *svm) + + static int svm_check_nested_events(struct kvm_vcpu *vcpu) + { +- struct vcpu_svm *svm = to_svm(vcpu); +- bool block_nested_events = +- kvm_event_needs_reinjection(vcpu) || svm->nested.nested_run_pending; + struct kvm_lapic *apic = vcpu->arch.apic; ++ struct vcpu_svm *svm = to_svm(vcpu); ++ /* ++ * Only a pending nested run blocks a pending exception. If there is a ++ * previously injected event, the pending exception occurred while said ++ * event was being delivered and thus needs to be handled. ++ */ ++ bool block_nested_exceptions = svm->nested.nested_run_pending; ++ /* ++ * New events (not exceptions) are only recognized at instruction ++ * boundaries. If an event needs reinjection, then KVM is handling a ++ * VM-Exit that occurred _during_ instruction execution; new events are ++ * blocked until the instruction completes. ++ */ ++ bool block_nested_events = block_nested_exceptions || ++ kvm_event_needs_reinjection(vcpu); + + if (lapic_in_kernel(vcpu) && + test_bit(KVM_APIC_INIT, &apic->pending_events)) { +@@ -1372,13 +1384,7 @@ static int svm_check_nested_events(struct kvm_vcpu *vcpu) + } + + if (vcpu->arch.exception.pending) { +- /* +- * Only a pending nested run can block a pending exception. +- * Otherwise an injected NMI/interrupt should either be +- * lost or delivered to the nested hypervisor in the EXITINTINFO +- * vmcb field, while delivering the pending exception. +- */ +- if (svm->nested.nested_run_pending) ++ if (block_nested_exceptions) + return -EBUSY; + if (!nested_exit_on_exception(svm)) + return 0; +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index 83239d47fc0f..7655b5acbbcd 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -3904,11 +3904,23 @@ static bool nested_vmx_preemption_timer_pending(struct kvm_vcpu *vcpu) + + static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + { ++ struct kvm_lapic *apic = vcpu->arch.apic; + struct vcpu_vmx *vmx = to_vmx(vcpu); + unsigned long exit_qual; +- bool block_nested_events = +- vmx->nested.nested_run_pending || kvm_event_needs_reinjection(vcpu); +- struct kvm_lapic *apic = vcpu->arch.apic; ++ /* ++ * Only a pending nested run blocks a pending exception. If there is a ++ * previously injected event, the pending exception occurred while said ++ * event was being delivered and thus needs to be handled. ++ */ ++ bool block_nested_exceptions = vmx->nested.nested_run_pending; ++ /* ++ * New events (not exceptions) are only recognized at instruction ++ * boundaries. If an event needs reinjection, then KVM is handling a ++ * VM-Exit that occurred _during_ instruction execution; new events are ++ * blocked until the instruction completes. ++ */ ++ bool block_nested_events = block_nested_exceptions || ++ kvm_event_needs_reinjection(vcpu); + + if (lapic_in_kernel(vcpu) && + test_bit(KVM_APIC_INIT, &apic->pending_events)) { +@@ -3947,15 +3959,10 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + * for TSS T flag #DBs). KVM also doesn't save/restore pending MTF + * across SMI/RSM as it should; that needs to be addressed in order to + * prioritize SMI over MTF and trap-like #DBs. +- * +- * Note that only a pending nested run can block a pending exception. +- * Otherwise an injected NMI/interrupt should either be +- * lost or delivered to the nested hypervisor in the IDT_VECTORING_INFO, +- * while delivering the pending exception. + */ + if (vcpu->arch.exception.pending && + !(vmx_get_pending_dbg_trap(vcpu) & ~DR6_BT)) { +- if (vmx->nested.nested_run_pending) ++ if (block_nested_exceptions) + return -EBUSY; + if (!nested_vmx_check_exception(vcpu, &exit_qual)) + goto no_vmexit; +@@ -3972,7 +3979,7 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + } + + if (vcpu->arch.exception.pending) { +- if (vmx->nested.nested_run_pending) ++ if (block_nested_exceptions) + return -EBUSY; + if (!nested_vmx_check_exception(vcpu, &exit_qual)) + goto no_vmexit; +-- +2.35.1 + diff --git a/queue-6.0/kvm-x86-hoist-nested-event-checks-above-event-inject.patch b/queue-6.0/kvm-x86-hoist-nested-event-checks-above-event-inject.patch new file mode 100644 index 00000000000..420a0c2d487 --- /dev/null +++ b/queue-6.0/kvm-x86-hoist-nested-event-checks-above-event-inject.patch @@ -0,0 +1,149 @@ +From 7a5eb73b397d1336923a66280c1a818b1479792e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:16:04 +0000 +Subject: KVM: x86: Hoist nested event checks above event injection logic + +From: Sean Christopherson + +[ Upstream commit 6c593b5276e6ce411dcdf03e2f7d4b93c2e7138e ] + +Perform nested event checks before re-injecting exceptions/events into +L2. If a pending exception causes VM-Exit to L1, re-injecting events +into vmcs02 is premature and wasted effort. Take care to ensure events +that need to be re-injected are still re-injected if checking for nested +events "fails", i.e. if KVM needs to force an immediate entry+exit to +complete the to-be-re-injecteed event. + +Keep the "can_inject" logic the same for now; it too can be pushed below +the nested checks, but is a slightly riskier change (see past bugs about +events not being properly purged on nested VM-Exit). + +Add and/or modify comments to better document the various interactions. +Of note is the comment regarding "blocking" previously injected NMIs and +IRQs if an exception is pending. The old comment isn't wrong strictly +speaking, but it failed to capture the reason why the logic even exists. + +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-18-seanjc@google.com +Signed-off-by: Paolo Bonzini +Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time") +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 89 +++++++++++++++++++++++++++------------------- + 1 file changed, 53 insertions(+), 36 deletions(-) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 14182b5b2c93..15229a5ad9ff 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -9683,53 +9683,70 @@ static void kvm_inject_exception(struct kvm_vcpu *vcpu) + + static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit) + { ++ bool can_inject = !kvm_event_needs_reinjection(vcpu); + int r; +- bool can_inject = true; + +- /* try to reinject previous events if any */ ++ /* ++ * Process nested events first, as nested VM-Exit supercedes event ++ * re-injection. If there's an event queued for re-injection, it will ++ * be saved into the appropriate vmc{b,s}12 fields on nested VM-Exit. ++ */ ++ if (is_guest_mode(vcpu)) ++ r = kvm_check_nested_events(vcpu); ++ else ++ r = 0; + +- if (vcpu->arch.exception.injected) { +- kvm_inject_exception(vcpu); +- can_inject = false; +- } + /* +- * Do not inject an NMI or interrupt if there is a pending +- * exception. Exceptions and interrupts are recognized at +- * instruction boundaries, i.e. the start of an instruction. +- * Trap-like exceptions, e.g. #DB, have higher priority than +- * NMIs and interrupts, i.e. traps are recognized before an +- * NMI/interrupt that's pending on the same instruction. +- * Fault-like exceptions, e.g. #GP and #PF, are the lowest +- * priority, but are only generated (pended) during instruction +- * execution, i.e. a pending fault-like exception means the +- * fault occurred on the *previous* instruction and must be +- * serviced prior to recognizing any new events in order to +- * fully complete the previous instruction. ++ * Re-inject exceptions and events *especially* if immediate entry+exit ++ * to/from L2 is needed, as any event that has already been injected ++ * into L2 needs to complete its lifecycle before injecting a new event. ++ * ++ * Don't re-inject an NMI or interrupt if there is a pending exception. ++ * This collision arises if an exception occurred while vectoring the ++ * injected event, KVM intercepted said exception, and KVM ultimately ++ * determined the fault belongs to the guest and queues the exception ++ * for injection back into the guest. ++ * ++ * "Injected" interrupts can also collide with pending exceptions if ++ * userspace ignores the "ready for injection" flag and blindly queues ++ * an interrupt. In that case, prioritizing the exception is correct, ++ * as the exception "occurred" before the exit to userspace. Trap-like ++ * exceptions, e.g. most #DBs, have higher priority than interrupts. ++ * And while fault-like exceptions, e.g. #GP and #PF, are the lowest ++ * priority, they're only generated (pended) during instruction ++ * execution, and interrupts are recognized at instruction boundaries. ++ * Thus a pending fault-like exception means the fault occurred on the ++ * *previous* instruction and must be serviced prior to recognizing any ++ * new events in order to fully complete the previous instruction. + */ +- else if (!vcpu->arch.exception.pending) { +- if (vcpu->arch.nmi_injected) { +- static_call(kvm_x86_inject_nmi)(vcpu); +- can_inject = false; +- } else if (vcpu->arch.interrupt.injected) { +- static_call(kvm_x86_inject_irq)(vcpu, true); +- can_inject = false; +- } +- } ++ if (vcpu->arch.exception.injected) ++ kvm_inject_exception(vcpu); ++ else if (vcpu->arch.exception.pending) ++ ; /* see above */ ++ else if (vcpu->arch.nmi_injected) ++ static_call(kvm_x86_inject_nmi)(vcpu); ++ else if (vcpu->arch.interrupt.injected) ++ static_call(kvm_x86_inject_irq)(vcpu, true); + ++ /* ++ * Exceptions that morph to VM-Exits are handled above, and pending ++ * exceptions on top of injected exceptions that do not VM-Exit should ++ * either morph to #DF or, sadly, override the injected exception. ++ */ + WARN_ON_ONCE(vcpu->arch.exception.injected && + vcpu->arch.exception.pending); + + /* +- * Call check_nested_events() even if we reinjected a previous event +- * in order for caller to determine if it should require immediate-exit +- * from L2 to L1 due to pending L1 events which require exit +- * from L2 to L1. ++ * Bail if immediate entry+exit to/from the guest is needed to complete ++ * nested VM-Enter or event re-injection so that a different pending ++ * event can be serviced (or if KVM needs to exit to userspace). ++ * ++ * Otherwise, continue processing events even if VM-Exit occurred. The ++ * VM-Exit will have cleared exceptions that were meant for L2, but ++ * there may now be events that can be injected into L1. + */ +- if (is_guest_mode(vcpu)) { +- r = kvm_check_nested_events(vcpu); +- if (r < 0) +- goto out; +- } ++ if (r < 0) ++ goto out; + + /* try to inject new event if pending */ + if (vcpu->arch.exception.pending) { +-- +2.35.1 + diff --git a/queue-6.0/kvm-x86-make-kvm_queued_exception-a-properly-named-v.patch b/queue-6.0/kvm-x86-make-kvm_queued_exception-a-properly-named-v.patch new file mode 100644 index 00000000000..22701e9f97b --- /dev/null +++ b/queue-6.0/kvm-x86-make-kvm_queued_exception-a-properly-named-v.patch @@ -0,0 +1,555 @@ +From 35646ab067697782bc4fe48ae07c7b0515e6446d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:16:01 +0000 +Subject: KVM: x86: Make kvm_queued_exception a properly named, visible struct + +From: Sean Christopherson + +[ Upstream commit d4963e319f1f7851a098df6610a27f9f4cf6d42a ] + +Move the definition of "struct kvm_queued_exception" out of kvm_vcpu_arch +in anticipation of adding a second instance in kvm_vcpu_arch to handle +exceptions that occur when vectoring an injected exception and are +morphed to VM-Exit instead of leading to #DF. + +Opportunistically take advantage of the churn to rename "nr" to "vector". + +No functional change intended. + +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-15-seanjc@google.com +Signed-off-by: Paolo Bonzini +Stable-dep-of: 7709aba8f716 ("KVM: x86: Morph pending exceptions to pending VM-Exits at queue time") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/kvm_host.h | 23 +++++----- + arch/x86/kvm/svm/nested.c | 47 ++++++++++--------- + arch/x86/kvm/svm/svm.c | 14 +++--- + arch/x86/kvm/vmx/nested.c | 42 +++++++++-------- + arch/x86/kvm/vmx/vmx.c | 20 ++++----- + arch/x86/kvm/x86.c | 80 ++++++++++++++++----------------- + arch/x86/kvm/x86.h | 3 +- + 7 files changed, 113 insertions(+), 116 deletions(-) + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index aa381ab69a19..36e4fde359a7 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -639,6 +639,17 @@ struct kvm_vcpu_xen { + struct timer_list poll_timer; + }; + ++struct kvm_queued_exception { ++ bool pending; ++ bool injected; ++ bool has_error_code; ++ u8 vector; ++ u32 error_code; ++ unsigned long payload; ++ bool has_payload; ++ u8 nested_apf; ++}; ++ + struct kvm_vcpu_arch { + /* + * rip and regs accesses must go through +@@ -738,16 +749,8 @@ struct kvm_vcpu_arch { + + u8 event_exit_inst_len; + +- struct kvm_queued_exception { +- bool pending; +- bool injected; +- bool has_error_code; +- u8 nr; +- u32 error_code; +- unsigned long payload; +- bool has_payload; +- u8 nested_apf; +- } exception; ++ /* Exceptions to be injected to the guest. */ ++ struct kvm_queued_exception exception; + + struct kvm_queued_interrupt { + bool injected; +diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c +index 76dcc8a3e849..8f991592d277 100644 +--- a/arch/x86/kvm/svm/nested.c ++++ b/arch/x86/kvm/svm/nested.c +@@ -468,7 +468,7 @@ static void nested_save_pending_event_to_vmcb12(struct vcpu_svm *svm, + unsigned int nr; + + if (vcpu->arch.exception.injected) { +- nr = vcpu->arch.exception.nr; ++ nr = vcpu->arch.exception.vector; + exit_int_info = nr | SVM_EVTINJ_VALID | SVM_EVTINJ_TYPE_EXEPT; + + if (vcpu->arch.exception.has_error_code) { +@@ -1306,42 +1306,45 @@ int nested_svm_check_permissions(struct kvm_vcpu *vcpu) + + static bool nested_exit_on_exception(struct vcpu_svm *svm) + { +- unsigned int nr = svm->vcpu.arch.exception.nr; ++ unsigned int vector = svm->vcpu.arch.exception.vector; + +- return (svm->nested.ctl.intercepts[INTERCEPT_EXCEPTION] & BIT(nr)); ++ return (svm->nested.ctl.intercepts[INTERCEPT_EXCEPTION] & BIT(vector)); + } + +-static void nested_svm_inject_exception_vmexit(struct vcpu_svm *svm) ++static void nested_svm_inject_exception_vmexit(struct kvm_vcpu *vcpu) + { +- unsigned int nr = svm->vcpu.arch.exception.nr; ++ struct kvm_queued_exception *ex = &vcpu->arch.exception; ++ struct vcpu_svm *svm = to_svm(vcpu); + struct vmcb *vmcb = svm->vmcb; + +- vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + nr; ++ vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + ex->vector; + vmcb->control.exit_code_hi = 0; + +- if (svm->vcpu.arch.exception.has_error_code) +- vmcb->control.exit_info_1 = svm->vcpu.arch.exception.error_code; ++ if (ex->has_error_code) ++ vmcb->control.exit_info_1 = ex->error_code; + + /* + * EXITINFO2 is undefined for all exception intercepts other + * than #PF. + */ +- if (nr == PF_VECTOR) { +- if (svm->vcpu.arch.exception.nested_apf) +- vmcb->control.exit_info_2 = svm->vcpu.arch.apf.nested_apf_token; +- else if (svm->vcpu.arch.exception.has_payload) +- vmcb->control.exit_info_2 = svm->vcpu.arch.exception.payload; ++ if (ex->vector == PF_VECTOR) { ++ if (ex->nested_apf) ++ vmcb->control.exit_info_2 = vcpu->arch.apf.nested_apf_token; ++ else if (ex->has_payload) ++ vmcb->control.exit_info_2 = ex->payload; + else +- vmcb->control.exit_info_2 = svm->vcpu.arch.cr2; +- } else if (nr == DB_VECTOR) { ++ vmcb->control.exit_info_2 = vcpu->arch.cr2; ++ } else if (ex->vector == DB_VECTOR) { + /* See inject_pending_event. */ +- kvm_deliver_exception_payload(&svm->vcpu); +- if (svm->vcpu.arch.dr7 & DR7_GD) { +- svm->vcpu.arch.dr7 &= ~DR7_GD; +- kvm_update_dr7(&svm->vcpu); ++ kvm_deliver_exception_payload(vcpu, ex); ++ ++ if (vcpu->arch.dr7 & DR7_GD) { ++ vcpu->arch.dr7 &= ~DR7_GD; ++ kvm_update_dr7(vcpu); + } +- } else +- WARN_ON(svm->vcpu.arch.exception.has_payload); ++ } else { ++ WARN_ON(ex->has_payload); ++ } + + nested_svm_vmexit(svm); + } +@@ -1379,7 +1382,7 @@ static int svm_check_nested_events(struct kvm_vcpu *vcpu) + return -EBUSY; + if (!nested_exit_on_exception(svm)) + return 0; +- nested_svm_inject_exception_vmexit(svm); ++ nested_svm_inject_exception_vmexit(vcpu); + return 0; + } + +diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c +index f3813dbacb9f..b96c091f6c3d 100644 +--- a/arch/x86/kvm/svm/svm.c ++++ b/arch/x86/kvm/svm/svm.c +@@ -463,22 +463,20 @@ static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu) + + static void svm_queue_exception(struct kvm_vcpu *vcpu) + { ++ struct kvm_queued_exception *ex = &vcpu->arch.exception; + struct vcpu_svm *svm = to_svm(vcpu); +- unsigned nr = vcpu->arch.exception.nr; +- bool has_error_code = vcpu->arch.exception.has_error_code; +- u32 error_code = vcpu->arch.exception.error_code; + +- kvm_deliver_exception_payload(vcpu); ++ kvm_deliver_exception_payload(vcpu, ex); + +- if (kvm_exception_is_soft(nr) && ++ if (kvm_exception_is_soft(ex->vector) && + svm_update_soft_interrupt_rip(vcpu)) + return; + +- svm->vmcb->control.event_inj = nr ++ svm->vmcb->control.event_inj = ex->vector + | SVM_EVTINJ_VALID +- | (has_error_code ? SVM_EVTINJ_VALID_ERR : 0) ++ | (ex->has_error_code ? SVM_EVTINJ_VALID_ERR : 0) + | SVM_EVTINJ_TYPE_EXEPT; +- svm->vmcb->control.event_inj_err = error_code; ++ svm->vmcb->control.event_inj_err = ex->error_code; + } + + static void svm_init_erratum_383(void) +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index 0aa40ea496a8..83239d47fc0f 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -446,29 +446,27 @@ static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12, + */ + static int nested_vmx_check_exception(struct kvm_vcpu *vcpu, unsigned long *exit_qual) + { ++ struct kvm_queued_exception *ex = &vcpu->arch.exception; + struct vmcs12 *vmcs12 = get_vmcs12(vcpu); +- unsigned int nr = vcpu->arch.exception.nr; +- bool has_payload = vcpu->arch.exception.has_payload; +- unsigned long payload = vcpu->arch.exception.payload; + +- if (nr == PF_VECTOR) { +- if (vcpu->arch.exception.nested_apf) { ++ if (ex->vector == PF_VECTOR) { ++ if (ex->nested_apf) { + *exit_qual = vcpu->arch.apf.nested_apf_token; + return 1; + } +- if (nested_vmx_is_page_fault_vmexit(vmcs12, +- vcpu->arch.exception.error_code)) { +- *exit_qual = has_payload ? payload : vcpu->arch.cr2; ++ if (nested_vmx_is_page_fault_vmexit(vmcs12, ex->error_code)) { ++ *exit_qual = ex->has_payload ? ex->payload : vcpu->arch.cr2; + return 1; + } +- } else if (vmcs12->exception_bitmap & (1u << nr)) { +- if (nr == DB_VECTOR) { +- if (!has_payload) { +- payload = vcpu->arch.dr6; +- payload &= ~DR6_BT; +- payload ^= DR6_ACTIVE_LOW; ++ } else if (vmcs12->exception_bitmap & (1u << ex->vector)) { ++ if (ex->vector == DB_VECTOR) { ++ if (ex->has_payload) { ++ *exit_qual = ex->payload; ++ } else { ++ *exit_qual = vcpu->arch.dr6; ++ *exit_qual &= ~DR6_BT; ++ *exit_qual ^= DR6_ACTIVE_LOW; + } +- *exit_qual = payload; + } else + *exit_qual = 0; + return 1; +@@ -3723,7 +3721,7 @@ static void vmcs12_save_pending_event(struct kvm_vcpu *vcpu, + is_double_fault(exit_intr_info))) { + vmcs12->idt_vectoring_info_field = 0; + } else if (vcpu->arch.exception.injected) { +- nr = vcpu->arch.exception.nr; ++ nr = vcpu->arch.exception.vector; + idt_vectoring = nr | VECTORING_INFO_VALID_MASK; + + if (kvm_exception_is_soft(nr)) { +@@ -3827,11 +3825,11 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu) + static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu, + unsigned long exit_qual) + { ++ struct kvm_queued_exception *ex = &vcpu->arch.exception; ++ u32 intr_info = ex->vector | INTR_INFO_VALID_MASK; + struct vmcs12 *vmcs12 = get_vmcs12(vcpu); +- unsigned int nr = vcpu->arch.exception.nr; +- u32 intr_info = nr | INTR_INFO_VALID_MASK; + +- if (vcpu->arch.exception.has_error_code) { ++ if (ex->has_error_code) { + /* + * Intel CPUs do not generate error codes with bits 31:16 set, + * and more importantly VMX disallows setting bits 31:16 in the +@@ -3841,11 +3839,11 @@ static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu, + * generate "full" 32-bit error codes, so KVM allows userspace + * to inject exception error codes with bits 31:16 set. + */ +- vmcs12->vm_exit_intr_error_code = (u16)vcpu->arch.exception.error_code; ++ vmcs12->vm_exit_intr_error_code = (u16)ex->error_code; + intr_info |= INTR_INFO_DELIVER_CODE_MASK; + } + +- if (kvm_exception_is_soft(nr)) ++ if (kvm_exception_is_soft(ex->vector)) + intr_info |= INTR_TYPE_SOFT_EXCEPTION; + else + intr_info |= INTR_TYPE_HARD_EXCEPTION; +@@ -3876,7 +3874,7 @@ static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu, + static inline unsigned long vmx_get_pending_dbg_trap(struct kvm_vcpu *vcpu) + { + if (!vcpu->arch.exception.pending || +- vcpu->arch.exception.nr != DB_VECTOR) ++ vcpu->arch.exception.vector != DB_VECTOR) + return 0; + + /* General Detect #DBs are always fault-like. */ +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index 7f3581960eb5..0f68ed966944 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -1659,7 +1659,7 @@ static void vmx_update_emulated_instruction(struct kvm_vcpu *vcpu) + */ + if (nested_cpu_has_mtf(vmcs12) && + (!vcpu->arch.exception.pending || +- vcpu->arch.exception.nr == DB_VECTOR)) ++ vcpu->arch.exception.vector == DB_VECTOR)) + vmx->nested.mtf_pending = true; + else + vmx->nested.mtf_pending = false; +@@ -1686,15 +1686,13 @@ static void vmx_clear_hlt(struct kvm_vcpu *vcpu) + + static void vmx_queue_exception(struct kvm_vcpu *vcpu) + { ++ struct kvm_queued_exception *ex = &vcpu->arch.exception; ++ u32 intr_info = ex->vector | INTR_INFO_VALID_MASK; + struct vcpu_vmx *vmx = to_vmx(vcpu); +- unsigned nr = vcpu->arch.exception.nr; +- bool has_error_code = vcpu->arch.exception.has_error_code; +- u32 error_code = vcpu->arch.exception.error_code; +- u32 intr_info = nr | INTR_INFO_VALID_MASK; + +- kvm_deliver_exception_payload(vcpu); ++ kvm_deliver_exception_payload(vcpu, ex); + +- if (has_error_code) { ++ if (ex->has_error_code) { + /* + * Despite the error code being architecturally defined as 32 + * bits, and the VMCS field being 32 bits, Intel CPUs and thus +@@ -1705,21 +1703,21 @@ static void vmx_queue_exception(struct kvm_vcpu *vcpu) + * the upper bits to avoid VM-Fail, losing information that + * does't really exist is preferable to killing the VM. + */ +- vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, (u16)error_code); ++ vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, (u16)ex->error_code); + intr_info |= INTR_INFO_DELIVER_CODE_MASK; + } + + if (vmx->rmode.vm86_active) { + int inc_eip = 0; +- if (kvm_exception_is_soft(nr)) ++ if (kvm_exception_is_soft(ex->vector)) + inc_eip = vcpu->arch.event_exit_inst_len; +- kvm_inject_realmode_interrupt(vcpu, nr, inc_eip); ++ kvm_inject_realmode_interrupt(vcpu, ex->vector, inc_eip); + return; + } + + WARN_ON_ONCE(vmx->emulation_required); + +- if (kvm_exception_is_soft(nr)) { ++ if (kvm_exception_is_soft(ex->vector)) { + vmcs_write32(VM_ENTRY_INSTRUCTION_LEN, + vmx->vcpu.arch.event_exit_inst_len); + intr_info |= INTR_TYPE_SOFT_EXCEPTION; +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 14cb589683a1..14182b5b2c93 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -556,16 +556,13 @@ static int exception_type(int vector) + return EXCPT_FAULT; + } + +-void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu) ++void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu, ++ struct kvm_queued_exception *ex) + { +- unsigned nr = vcpu->arch.exception.nr; +- bool has_payload = vcpu->arch.exception.has_payload; +- unsigned long payload = vcpu->arch.exception.payload; +- +- if (!has_payload) ++ if (!ex->has_payload) + return; + +- switch (nr) { ++ switch (ex->vector) { + case DB_VECTOR: + /* + * "Certain debug exceptions may clear bit 0-3. The +@@ -590,8 +587,8 @@ void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu) + * So they need to be flipped for DR6. + */ + vcpu->arch.dr6 |= DR6_ACTIVE_LOW; +- vcpu->arch.dr6 |= payload; +- vcpu->arch.dr6 ^= payload & DR6_ACTIVE_LOW; ++ vcpu->arch.dr6 |= ex->payload; ++ vcpu->arch.dr6 ^= ex->payload & DR6_ACTIVE_LOW; + + /* + * The #DB payload is defined as compatible with the 'pending +@@ -602,12 +599,12 @@ void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu) + vcpu->arch.dr6 &= ~BIT(12); + break; + case PF_VECTOR: +- vcpu->arch.cr2 = payload; ++ vcpu->arch.cr2 = ex->payload; + break; + } + +- vcpu->arch.exception.has_payload = false; +- vcpu->arch.exception.payload = 0; ++ ex->has_payload = false; ++ ex->payload = 0; + } + EXPORT_SYMBOL_GPL(kvm_deliver_exception_payload); + +@@ -646,17 +643,18 @@ static void kvm_multiple_exception(struct kvm_vcpu *vcpu, + vcpu->arch.exception.injected = false; + } + vcpu->arch.exception.has_error_code = has_error; +- vcpu->arch.exception.nr = nr; ++ vcpu->arch.exception.vector = nr; + vcpu->arch.exception.error_code = error_code; + vcpu->arch.exception.has_payload = has_payload; + vcpu->arch.exception.payload = payload; + if (!is_guest_mode(vcpu)) +- kvm_deliver_exception_payload(vcpu); ++ kvm_deliver_exception_payload(vcpu, ++ &vcpu->arch.exception); + return; + } + + /* to check exception */ +- prev_nr = vcpu->arch.exception.nr; ++ prev_nr = vcpu->arch.exception.vector; + if (prev_nr == DF_VECTOR) { + /* triple fault -> shutdown */ + kvm_make_request(KVM_REQ_TRIPLE_FAULT, vcpu); +@@ -674,7 +672,7 @@ static void kvm_multiple_exception(struct kvm_vcpu *vcpu, + vcpu->arch.exception.pending = true; + vcpu->arch.exception.injected = false; + vcpu->arch.exception.has_error_code = true; +- vcpu->arch.exception.nr = DF_VECTOR; ++ vcpu->arch.exception.vector = DF_VECTOR; + vcpu->arch.exception.error_code = 0; + vcpu->arch.exception.has_payload = false; + vcpu->arch.exception.payload = 0; +@@ -5023,25 +5021,24 @@ static int kvm_vcpu_ioctl_x86_set_mce(struct kvm_vcpu *vcpu, + static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu, + struct kvm_vcpu_events *events) + { ++ struct kvm_queued_exception *ex = &vcpu->arch.exception; ++ + process_nmi(vcpu); + + if (kvm_check_request(KVM_REQ_SMI, vcpu)) + process_smi(vcpu); + + /* +- * In guest mode, payload delivery should be deferred, +- * so that the L1 hypervisor can intercept #PF before +- * CR2 is modified (or intercept #DB before DR6 is +- * modified under nVMX). Unless the per-VM capability, +- * KVM_CAP_EXCEPTION_PAYLOAD, is set, we may not defer the delivery of +- * an exception payload and handle after a KVM_GET_VCPU_EVENTS. Since we +- * opportunistically defer the exception payload, deliver it if the +- * capability hasn't been requested before processing a +- * KVM_GET_VCPU_EVENTS. ++ * In guest mode, payload delivery should be deferred if the exception ++ * will be intercepted by L1, e.g. KVM should not modifying CR2 if L1 ++ * intercepts #PF, ditto for DR6 and #DBs. If the per-VM capability, ++ * KVM_CAP_EXCEPTION_PAYLOAD, is not set, userspace may or may not ++ * propagate the payload and so it cannot be safely deferred. Deliver ++ * the payload if the capability hasn't been requested. + */ + if (!vcpu->kvm->arch.exception_payload_enabled && +- vcpu->arch.exception.pending && vcpu->arch.exception.has_payload) +- kvm_deliver_exception_payload(vcpu); ++ ex->pending && ex->has_payload) ++ kvm_deliver_exception_payload(vcpu, ex); + + /* + * The API doesn't provide the instruction length for software +@@ -5049,26 +5046,25 @@ static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu, + * isn't advanced, we should expect to encounter the exception + * again. + */ +- if (kvm_exception_is_soft(vcpu->arch.exception.nr)) { ++ if (kvm_exception_is_soft(ex->vector)) { + events->exception.injected = 0; + events->exception.pending = 0; + } else { +- events->exception.injected = vcpu->arch.exception.injected; +- events->exception.pending = vcpu->arch.exception.pending; ++ events->exception.injected = ex->injected; ++ events->exception.pending = ex->pending; + /* + * For ABI compatibility, deliberately conflate + * pending and injected exceptions when + * KVM_CAP_EXCEPTION_PAYLOAD isn't enabled. + */ + if (!vcpu->kvm->arch.exception_payload_enabled) +- events->exception.injected |= +- vcpu->arch.exception.pending; ++ events->exception.injected |= ex->pending; + } +- events->exception.nr = vcpu->arch.exception.nr; +- events->exception.has_error_code = vcpu->arch.exception.has_error_code; +- events->exception.error_code = vcpu->arch.exception.error_code; +- events->exception_has_payload = vcpu->arch.exception.has_payload; +- events->exception_payload = vcpu->arch.exception.payload; ++ events->exception.nr = ex->vector; ++ events->exception.has_error_code = ex->has_error_code; ++ events->exception.error_code = ex->error_code; ++ events->exception_has_payload = ex->has_payload; ++ events->exception_payload = ex->payload; + + events->interrupt.injected = + vcpu->arch.interrupt.injected && !vcpu->arch.interrupt.soft; +@@ -5140,7 +5136,7 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu, + process_nmi(vcpu); + vcpu->arch.exception.injected = events->exception.injected; + vcpu->arch.exception.pending = events->exception.pending; +- vcpu->arch.exception.nr = events->exception.nr; ++ vcpu->arch.exception.vector = events->exception.nr; + vcpu->arch.exception.has_error_code = events->exception.has_error_code; + vcpu->arch.exception.error_code = events->exception.error_code; + vcpu->arch.exception.has_payload = events->exception_has_payload; +@@ -9675,7 +9671,7 @@ int kvm_check_nested_events(struct kvm_vcpu *vcpu) + + static void kvm_inject_exception(struct kvm_vcpu *vcpu) + { +- trace_kvm_inj_exception(vcpu->arch.exception.nr, ++ trace_kvm_inj_exception(vcpu->arch.exception.vector, + vcpu->arch.exception.has_error_code, + vcpu->arch.exception.error_code, + vcpu->arch.exception.injected); +@@ -9747,12 +9743,12 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit) + * describe the behavior of General Detect #DBs, which are + * fault-like. They do _not_ set RF, a la code breakpoints. + */ +- if (exception_type(vcpu->arch.exception.nr) == EXCPT_FAULT) ++ if (exception_type(vcpu->arch.exception.vector) == EXCPT_FAULT) + __kvm_set_rflags(vcpu, kvm_get_rflags(vcpu) | + X86_EFLAGS_RF); + +- if (vcpu->arch.exception.nr == DB_VECTOR) { +- kvm_deliver_exception_payload(vcpu); ++ if (vcpu->arch.exception.vector == DB_VECTOR) { ++ kvm_deliver_exception_payload(vcpu, &vcpu->arch.exception); + if (vcpu->arch.dr7 & DR7_GD) { + vcpu->arch.dr7 &= ~DR7_GD; + kvm_update_dr7(vcpu); +diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h +index 1926d2cb8e79..4147d27f9fbc 100644 +--- a/arch/x86/kvm/x86.h ++++ b/arch/x86/kvm/x86.h +@@ -286,7 +286,8 @@ int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, + + int handle_ud(struct kvm_vcpu *vcpu); + +-void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu); ++void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu, ++ struct kvm_queued_exception *ex); + + void kvm_vcpu_mtrr_init(struct kvm_vcpu *vcpu); + u8 kvm_mtrr_get_guest_memory_type(struct kvm_vcpu *vcpu, gfn_t gfn); +-- +2.35.1 + diff --git a/queue-6.0/kvm-x86-mmu-fix-memoryleak-in-kvm_mmu_vendor_module_.patch b/queue-6.0/kvm-x86-mmu-fix-memoryleak-in-kvm_mmu_vendor_module_.patch new file mode 100644 index 00000000000..6a72f1e54cc --- /dev/null +++ b/queue-6.0/kvm-x86-mmu-fix-memoryleak-in-kvm_mmu_vendor_module_.patch @@ -0,0 +1,44 @@ +From 80c076cb1e7ff649cd729910c9f9058780e124cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 14:32:37 +0800 +Subject: KVM: x86/mmu: fix memoryleak in kvm_mmu_vendor_module_init() + +From: Miaohe Lin + +[ Upstream commit d7c9bfb9caaffd496ae44b258ec7c793677d3eeb ] + +When register_shrinker() fails, KVM doesn't release the percpu counter +kvm_total_used_mmu_pages leading to memoryleak. Fix this issue by calling +percpu_counter_destroy() when register_shrinker() fails. + +Fixes: ab271bd4dfd5 ("x86: kvm: propagate register_shrinker return code") +Signed-off-by: Miaohe Lin +Link: https://lore.kernel.org/r/20220823063237.47299-1-linmiaohe@huawei.com +[sean: tweak shortlog and changelog] +Signed-off-by: Sean Christopherson +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/mmu/mmu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/mmu/mmu.c b/arch/x86/kvm/mmu/mmu.c +index 3552e6af3684..858bc53cfab4 100644 +--- a/arch/x86/kvm/mmu/mmu.c ++++ b/arch/x86/kvm/mmu/mmu.c +@@ -6704,10 +6704,12 @@ int kvm_mmu_vendor_module_init(void) + + ret = register_shrinker(&mmu_shrinker, "x86-mmu"); + if (ret) +- goto out; ++ goto out_shrinker; + + return 0; + ++out_shrinker: ++ percpu_counter_destroy(&kvm_total_used_mmu_pages); + out: + mmu_destroy_caches(); + return ret; +-- +2.35.1 + diff --git a/queue-6.0/kvm-x86-morph-pending-exceptions-to-pending-vm-exits.patch b/queue-6.0/kvm-x86-morph-pending-exceptions-to-pending-vm-exits.patch new file mode 100644 index 00000000000..bb4414f57a2 --- /dev/null +++ b/queue-6.0/kvm-x86-morph-pending-exceptions-to-pending-vm-exits.patch @@ -0,0 +1,754 @@ +From 2c2075dbd009341c0223762348ffd9d61e289200 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 23:16:08 +0000 +Subject: KVM: x86: Morph pending exceptions to pending VM-Exits at queue time + +From: Sean Christopherson + +[ Upstream commit 7709aba8f71613ae5d18d8c00adb54948e6bedb3 ] + +Morph pending exceptions to pending VM-Exits (due to interception) when +the exception is queued instead of waiting until nested events are +checked at VM-Entry. This fixes a longstanding bug where KVM fails to +handle an exception that occurs during delivery of a previous exception, +KVM (L0) and L1 both want to intercept the exception (e.g. #PF for shadow +paging), and KVM determines that the exception is in the guest's domain, +i.e. queues the new exception for L2. Deferring the interception check +causes KVM to esclate various combinations of injected+pending exceptions +to double fault (#DF) without consulting L1's interception desires, and +ends up injecting a spurious #DF into L2. + +KVM has fudged around the issue for #PF by special casing emulated #PF +injection for shadow paging, but the underlying issue is not unique to +shadow paging in L0, e.g. if KVM is intercepting #PF because the guest +has a smaller maxphyaddr and L1 (but not L0) is using shadow paging. +Other exceptions are affected as well, e.g. if KVM is intercepting #GP +for one of SVM's workaround or for the VMware backdoor emulation stuff. +The other cases have gone unnoticed because the #DF is spurious if and +only if L1 resolves the exception, e.g. KVM's goofs go unnoticed if L1 +would have injected #DF anyways. + +The hack-a-fix has also led to ugly code, e.g. bailing from the emulator +if #PF injection forced a nested VM-Exit and the emulator finds itself +back in L1. Allowing for direct-to-VM-Exit queueing also neatly solves +the async #PF in L2 mess; no need to set a magic flag and token, simply +queue a #PF nested VM-Exit. + +Deal with event migration by flagging that a pending exception was queued +by userspace and check for interception at the next KVM_RUN, e.g. so that +KVM does the right thing regardless of the order in which userspace +restores nested state vs. event state. + +When "getting" events from userspace, simply drop any pending excpetion +that is destined to be intercepted if there is also an injected exception +to be migrated. Ideally, KVM would migrate both events, but that would +require new ABI, and practically speaking losing the event is unlikely to +be noticed, let alone fatal. The injected exception is captured, RIP +still points at the original faulting instruction, etc... So either the +injection on the target will trigger the same intercepted exception, or +the source of the intercepted exception was transient and/or +non-deterministic, thus dropping it is ok-ish. + +Fixes: a04aead144fd ("KVM: nSVM: fix running nested guests when npt=0") +Fixes: feaf0c7dc473 ("KVM: nVMX: Do not generate #DF if #PF happens during exception delivery into L2") +Cc: Jim Mattson +Signed-off-by: Sean Christopherson +Reviewed-by: Maxim Levitsky +Link: https://lore.kernel.org/r/20220830231614.3580124-22-seanjc@google.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/kvm_host.h | 12 ++- + arch/x86/kvm/svm/nested.c | 45 +++------ + arch/x86/kvm/vmx/nested.c | 109 ++++++++++------------ + arch/x86/kvm/vmx/vmx.c | 6 +- + arch/x86/kvm/x86.c | 159 ++++++++++++++++++++++---------- + arch/x86/kvm/x86.h | 7 ++ + 6 files changed, 188 insertions(+), 150 deletions(-) + +diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h +index 36e4fde359a7..bad74c8fbc65 100644 +--- a/arch/x86/include/asm/kvm_host.h ++++ b/arch/x86/include/asm/kvm_host.h +@@ -647,7 +647,6 @@ struct kvm_queued_exception { + u32 error_code; + unsigned long payload; + bool has_payload; +- u8 nested_apf; + }; + + struct kvm_vcpu_arch { +@@ -749,8 +748,12 @@ struct kvm_vcpu_arch { + + u8 event_exit_inst_len; + ++ bool exception_from_userspace; ++ + /* Exceptions to be injected to the guest. */ + struct kvm_queued_exception exception; ++ /* Exception VM-Exits to be synthesized to L1. */ ++ struct kvm_queued_exception exception_vmexit; + + struct kvm_queued_interrupt { + bool injected; +@@ -861,7 +864,6 @@ struct kvm_vcpu_arch { + u32 id; + bool send_user_only; + u32 host_apf_flags; +- unsigned long nested_apf_token; + bool delivery_as_pf_vmexit; + bool pageready_pending; + } apf; +@@ -1637,9 +1639,9 @@ struct kvm_x86_ops { + + struct kvm_x86_nested_ops { + void (*leave_nested)(struct kvm_vcpu *vcpu); ++ bool (*is_exception_vmexit)(struct kvm_vcpu *vcpu, u8 vector, ++ u32 error_code); + int (*check_events)(struct kvm_vcpu *vcpu); +- bool (*handle_page_fault_workaround)(struct kvm_vcpu *vcpu, +- struct x86_exception *fault); + bool (*hv_timer_pending)(struct kvm_vcpu *vcpu); + void (*triple_fault)(struct kvm_vcpu *vcpu); + int (*get_state)(struct kvm_vcpu *vcpu, +@@ -1866,7 +1868,7 @@ void kvm_queue_exception_p(struct kvm_vcpu *vcpu, unsigned nr, unsigned long pay + void kvm_requeue_exception(struct kvm_vcpu *vcpu, unsigned nr); + void kvm_requeue_exception_e(struct kvm_vcpu *vcpu, unsigned nr, u32 error_code); + void kvm_inject_page_fault(struct kvm_vcpu *vcpu, struct x86_exception *fault); +-bool kvm_inject_emulated_page_fault(struct kvm_vcpu *vcpu, ++void kvm_inject_emulated_page_fault(struct kvm_vcpu *vcpu, + struct x86_exception *fault); + bool kvm_require_cpl(struct kvm_vcpu *vcpu, int required_cpl); + bool kvm_require_dr(struct kvm_vcpu *vcpu, int dr); +diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c +index a6111392985c..405075286965 100644 +--- a/arch/x86/kvm/svm/nested.c ++++ b/arch/x86/kvm/svm/nested.c +@@ -55,28 +55,6 @@ static void nested_svm_inject_npf_exit(struct kvm_vcpu *vcpu, + nested_svm_vmexit(svm); + } + +-static bool nested_svm_handle_page_fault_workaround(struct kvm_vcpu *vcpu, +- struct x86_exception *fault) +-{ +- struct vcpu_svm *svm = to_svm(vcpu); +- struct vmcb *vmcb = svm->vmcb; +- +- WARN_ON(!is_guest_mode(vcpu)); +- +- if (vmcb12_is_intercept(&svm->nested.ctl, +- INTERCEPT_EXCEPTION_OFFSET + PF_VECTOR) && +- !WARN_ON_ONCE(svm->nested.nested_run_pending)) { +- vmcb->control.exit_code = SVM_EXIT_EXCP_BASE + PF_VECTOR; +- vmcb->control.exit_code_hi = 0; +- vmcb->control.exit_info_1 = fault->error_code; +- vmcb->control.exit_info_2 = fault->address; +- nested_svm_vmexit(svm); +- return true; +- } +- +- return false; +-} +- + static u64 nested_svm_get_tdp_pdptr(struct kvm_vcpu *vcpu, int index) + { + struct vcpu_svm *svm = to_svm(vcpu); +@@ -1304,16 +1282,17 @@ int nested_svm_check_permissions(struct kvm_vcpu *vcpu) + return 0; + } + +-static bool nested_exit_on_exception(struct vcpu_svm *svm) ++static bool nested_svm_is_exception_vmexit(struct kvm_vcpu *vcpu, u8 vector, ++ u32 error_code) + { +- unsigned int vector = svm->vcpu.arch.exception.vector; ++ struct vcpu_svm *svm = to_svm(vcpu); + + return (svm->nested.ctl.intercepts[INTERCEPT_EXCEPTION] & BIT(vector)); + } + + static void nested_svm_inject_exception_vmexit(struct kvm_vcpu *vcpu) + { +- struct kvm_queued_exception *ex = &vcpu->arch.exception; ++ struct kvm_queued_exception *ex = &vcpu->arch.exception_vmexit; + struct vcpu_svm *svm = to_svm(vcpu); + struct vmcb *vmcb = svm->vmcb; + +@@ -1328,9 +1307,7 @@ static void nested_svm_inject_exception_vmexit(struct kvm_vcpu *vcpu) + * than #PF. + */ + if (ex->vector == PF_VECTOR) { +- if (ex->nested_apf) +- vmcb->control.exit_info_2 = vcpu->arch.apf.nested_apf_token; +- else if (ex->has_payload) ++ if (ex->has_payload) + vmcb->control.exit_info_2 = ex->payload; + else + vmcb->control.exit_info_2 = vcpu->arch.cr2; +@@ -1383,15 +1360,19 @@ static int svm_check_nested_events(struct kvm_vcpu *vcpu) + return 0; + } + +- if (vcpu->arch.exception.pending) { ++ if (vcpu->arch.exception_vmexit.pending) { + if (block_nested_exceptions) + return -EBUSY; +- if (!nested_exit_on_exception(svm)) +- return 0; + nested_svm_inject_exception_vmexit(vcpu); + return 0; + } + ++ if (vcpu->arch.exception.pending) { ++ if (block_nested_exceptions) ++ return -EBUSY; ++ return 0; ++ } ++ + if (vcpu->arch.smi_pending && !svm_smi_blocked(vcpu)) { + if (block_nested_events) + return -EBUSY; +@@ -1729,8 +1710,8 @@ static bool svm_get_nested_state_pages(struct kvm_vcpu *vcpu) + + struct kvm_x86_nested_ops svm_nested_ops = { + .leave_nested = svm_leave_nested, ++ .is_exception_vmexit = nested_svm_is_exception_vmexit, + .check_events = svm_check_nested_events, +- .handle_page_fault_workaround = nested_svm_handle_page_fault_workaround, + .triple_fault = nested_svm_triple_fault, + .get_nested_state_pages = svm_get_nested_state_pages, + .get_state = svm_get_nested_state, +diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c +index dfd5e13e5202..4bb3ccf82d63 100644 +--- a/arch/x86/kvm/vmx/nested.c ++++ b/arch/x86/kvm/vmx/nested.c +@@ -439,59 +439,22 @@ static bool nested_vmx_is_page_fault_vmexit(struct vmcs12 *vmcs12, + return inequality ^ bit; + } + +- +-/* +- * KVM wants to inject page-faults which it got to the guest. This function +- * checks whether in a nested guest, we need to inject them to L1 or L2. +- */ +-static int nested_vmx_check_exception(struct kvm_vcpu *vcpu, unsigned long *exit_qual) +-{ +- struct kvm_queued_exception *ex = &vcpu->arch.exception; +- struct vmcs12 *vmcs12 = get_vmcs12(vcpu); +- +- if (ex->vector == PF_VECTOR) { +- if (ex->nested_apf) { +- *exit_qual = vcpu->arch.apf.nested_apf_token; +- return 1; +- } +- if (nested_vmx_is_page_fault_vmexit(vmcs12, ex->error_code)) { +- *exit_qual = ex->has_payload ? ex->payload : vcpu->arch.cr2; +- return 1; +- } +- } else if (vmcs12->exception_bitmap & (1u << ex->vector)) { +- if (ex->vector == DB_VECTOR) { +- if (ex->has_payload) { +- *exit_qual = ex->payload; +- } else { +- *exit_qual = vcpu->arch.dr6; +- *exit_qual &= ~DR6_BT; +- *exit_qual ^= DR6_ACTIVE_LOW; +- } +- } else +- *exit_qual = 0; +- return 1; +- } +- +- return 0; +-} +- +-static bool nested_vmx_handle_page_fault_workaround(struct kvm_vcpu *vcpu, +- struct x86_exception *fault) ++static bool nested_vmx_is_exception_vmexit(struct kvm_vcpu *vcpu, u8 vector, ++ u32 error_code) + { + struct vmcs12 *vmcs12 = get_vmcs12(vcpu); + +- WARN_ON(!is_guest_mode(vcpu)); ++ /* ++ * Drop bits 31:16 of the error code when performing the #PF mask+match ++ * check. All VMCS fields involved are 32 bits, but Intel CPUs never ++ * set bits 31:16 and VMX disallows setting bits 31:16 in the injected ++ * error code. Including the to-be-dropped bits in the check might ++ * result in an "impossible" or missed exit from L1's perspective. ++ */ ++ if (vector == PF_VECTOR) ++ return nested_vmx_is_page_fault_vmexit(vmcs12, (u16)error_code); + +- if (nested_vmx_is_page_fault_vmexit(vmcs12, fault->error_code) && +- !WARN_ON_ONCE(to_vmx(vcpu)->nested.nested_run_pending)) { +- vmcs12->vm_exit_intr_error_code = fault->error_code; +- nested_vmx_vmexit(vcpu, EXIT_REASON_EXCEPTION_NMI, +- PF_VECTOR | INTR_TYPE_HARD_EXCEPTION | +- INTR_INFO_DELIVER_CODE_MASK | INTR_INFO_VALID_MASK, +- fault->address); +- return true; +- } +- return false; ++ return (vmcs12->exception_bitmap & (1u << vector)); + } + + static int nested_vmx_check_io_bitmap_controls(struct kvm_vcpu *vcpu, +@@ -3822,12 +3785,24 @@ static int vmx_complete_nested_posted_interrupt(struct kvm_vcpu *vcpu) + return -ENXIO; + } + +-static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu, +- unsigned long exit_qual) ++static void nested_vmx_inject_exception_vmexit(struct kvm_vcpu *vcpu) + { +- struct kvm_queued_exception *ex = &vcpu->arch.exception; ++ struct kvm_queued_exception *ex = &vcpu->arch.exception_vmexit; + u32 intr_info = ex->vector | INTR_INFO_VALID_MASK; + struct vmcs12 *vmcs12 = get_vmcs12(vcpu); ++ unsigned long exit_qual; ++ ++ if (ex->has_payload) { ++ exit_qual = ex->payload; ++ } else if (ex->vector == PF_VECTOR) { ++ exit_qual = vcpu->arch.cr2; ++ } else if (ex->vector == DB_VECTOR) { ++ exit_qual = vcpu->arch.dr6; ++ exit_qual &= ~DR6_BT; ++ exit_qual ^= DR6_ACTIVE_LOW; ++ } else { ++ exit_qual = 0; ++ } + + if (ex->has_error_code) { + /* +@@ -3917,7 +3892,6 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + { + struct kvm_lapic *apic = vcpu->arch.apic; + struct vcpu_vmx *vmx = to_vmx(vcpu); +- unsigned long exit_qual; + /* + * Only a pending nested run blocks a pending exception. If there is a + * previously injected event, the pending exception occurred while said +@@ -3971,14 +3945,20 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + * across SMI/RSM as it should; that needs to be addressed in order to + * prioritize SMI over MTF and trap-like #DBs. + */ ++ if (vcpu->arch.exception_vmexit.pending && ++ !vmx_is_low_priority_db_trap(&vcpu->arch.exception_vmexit)) { ++ if (block_nested_exceptions) ++ return -EBUSY; ++ ++ nested_vmx_inject_exception_vmexit(vcpu); ++ return 0; ++ } ++ + if (vcpu->arch.exception.pending && + !vmx_is_low_priority_db_trap(&vcpu->arch.exception)) { + if (block_nested_exceptions) + return -EBUSY; +- if (!nested_vmx_check_exception(vcpu, &exit_qual)) +- goto no_vmexit; +- nested_vmx_inject_exception_vmexit(vcpu, exit_qual); +- return 0; ++ goto no_vmexit; + } + + if (vmx->nested.mtf_pending) { +@@ -3989,15 +3969,20 @@ static int vmx_check_nested_events(struct kvm_vcpu *vcpu) + return 0; + } + +- if (vcpu->arch.exception.pending) { ++ if (vcpu->arch.exception_vmexit.pending) { + if (block_nested_exceptions) + return -EBUSY; +- if (!nested_vmx_check_exception(vcpu, &exit_qual)) +- goto no_vmexit; +- nested_vmx_inject_exception_vmexit(vcpu, exit_qual); ++ ++ nested_vmx_inject_exception_vmexit(vcpu); + return 0; + } + ++ if (vcpu->arch.exception.pending) { ++ if (block_nested_exceptions) ++ return -EBUSY; ++ goto no_vmexit; ++ } ++ + if (nested_vmx_preemption_timer_pending(vcpu)) { + if (block_nested_events) + return -EBUSY; +@@ -6868,8 +6853,8 @@ __init int nested_vmx_hardware_setup(int (*exit_handlers[])(struct kvm_vcpu *)) + + struct kvm_x86_nested_ops vmx_nested_ops = { + .leave_nested = vmx_leave_nested, ++ .is_exception_vmexit = nested_vmx_is_exception_vmexit, + .check_events = vmx_check_nested_events, +- .handle_page_fault_workaround = nested_vmx_handle_page_fault_workaround, + .hv_timer_pending = nested_vmx_preemption_timer_pending, + .triple_fault = nested_vmx_triple_fault, + .get_state = vmx_get_nested_state, +diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c +index 0f68ed966944..9c2b8e2b2a28 100644 +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -1659,7 +1659,9 @@ static void vmx_update_emulated_instruction(struct kvm_vcpu *vcpu) + */ + if (nested_cpu_has_mtf(vmcs12) && + (!vcpu->arch.exception.pending || +- vcpu->arch.exception.vector == DB_VECTOR)) ++ vcpu->arch.exception.vector == DB_VECTOR) && ++ (!vcpu->arch.exception_vmexit.pending || ++ vcpu->arch.exception_vmexit.vector == DB_VECTOR)) + vmx->nested.mtf_pending = true; + else + vmx->nested.mtf_pending = false; +@@ -5718,7 +5720,7 @@ static bool vmx_emulation_required_with_pending_exception(struct kvm_vcpu *vcpu) + struct vcpu_vmx *vmx = to_vmx(vcpu); + + return vmx->emulation_required && !vmx->rmode.vm86_active && +- (vcpu->arch.exception.pending || vcpu->arch.exception.injected); ++ (kvm_is_exception_pending(vcpu) || vcpu->arch.exception.injected); + } + + static int handle_invalid_guest_state(struct kvm_vcpu *vcpu) +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 01d59f93d93e..8264e41b4fea 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -608,6 +608,21 @@ void kvm_deliver_exception_payload(struct kvm_vcpu *vcpu, + } + EXPORT_SYMBOL_GPL(kvm_deliver_exception_payload); + ++static void kvm_queue_exception_vmexit(struct kvm_vcpu *vcpu, unsigned int vector, ++ bool has_error_code, u32 error_code, ++ bool has_payload, unsigned long payload) ++{ ++ struct kvm_queued_exception *ex = &vcpu->arch.exception_vmexit; ++ ++ ex->vector = vector; ++ ex->injected = false; ++ ex->pending = true; ++ ex->has_error_code = has_error_code; ++ ex->error_code = error_code; ++ ex->has_payload = has_payload; ++ ex->payload = payload; ++} ++ + static void kvm_multiple_exception(struct kvm_vcpu *vcpu, + unsigned nr, bool has_error, u32 error_code, + bool has_payload, unsigned long payload, bool reinject) +@@ -617,18 +632,31 @@ static void kvm_multiple_exception(struct kvm_vcpu *vcpu, + + kvm_make_request(KVM_REQ_EVENT, vcpu); + ++ /* ++ * If the exception is destined for L2 and isn't being reinjected, ++ * morph it to a VM-Exit if L1 wants to intercept the exception. A ++ * previously injected exception is not checked because it was checked ++ * when it was original queued, and re-checking is incorrect if _L1_ ++ * injected the exception, in which case it's exempt from interception. ++ */ ++ if (!reinject && is_guest_mode(vcpu) && ++ kvm_x86_ops.nested_ops->is_exception_vmexit(vcpu, nr, error_code)) { ++ kvm_queue_exception_vmexit(vcpu, nr, has_error, error_code, ++ has_payload, payload); ++ return; ++ } ++ + if (!vcpu->arch.exception.pending && !vcpu->arch.exception.injected) { + queue: + if (reinject) { + /* +- * On vmentry, vcpu->arch.exception.pending is only +- * true if an event injection was blocked by +- * nested_run_pending. In that case, however, +- * vcpu_enter_guest requests an immediate exit, +- * and the guest shouldn't proceed far enough to +- * need reinjection. ++ * On VM-Entry, an exception can be pending if and only ++ * if event injection was blocked by nested_run_pending. ++ * In that case, however, vcpu_enter_guest() requests an ++ * immediate exit, and the guest shouldn't proceed far ++ * enough to need reinjection. + */ +- WARN_ON_ONCE(vcpu->arch.exception.pending); ++ WARN_ON_ONCE(kvm_is_exception_pending(vcpu)); + vcpu->arch.exception.injected = true; + if (WARN_ON_ONCE(has_payload)) { + /* +@@ -734,20 +762,22 @@ static int complete_emulated_insn_gp(struct kvm_vcpu *vcpu, int err) + void kvm_inject_page_fault(struct kvm_vcpu *vcpu, struct x86_exception *fault) + { + ++vcpu->stat.pf_guest; +- vcpu->arch.exception.nested_apf = +- is_guest_mode(vcpu) && fault->async_page_fault; +- if (vcpu->arch.exception.nested_apf) { +- vcpu->arch.apf.nested_apf_token = fault->address; +- kvm_queue_exception_e(vcpu, PF_VECTOR, fault->error_code); +- } else { ++ ++ /* ++ * Async #PF in L2 is always forwarded to L1 as a VM-Exit regardless of ++ * whether or not L1 wants to intercept "regular" #PF. ++ */ ++ if (is_guest_mode(vcpu) && fault->async_page_fault) ++ kvm_queue_exception_vmexit(vcpu, PF_VECTOR, ++ true, fault->error_code, ++ true, fault->address); ++ else + kvm_queue_exception_e_p(vcpu, PF_VECTOR, fault->error_code, + fault->address); +- } + } + EXPORT_SYMBOL_GPL(kvm_inject_page_fault); + +-/* Returns true if the page fault was immediately morphed into a VM-Exit. */ +-bool kvm_inject_emulated_page_fault(struct kvm_vcpu *vcpu, ++void kvm_inject_emulated_page_fault(struct kvm_vcpu *vcpu, + struct x86_exception *fault) + { + struct kvm_mmu *fault_mmu; +@@ -765,26 +795,7 @@ bool kvm_inject_emulated_page_fault(struct kvm_vcpu *vcpu, + kvm_mmu_invalidate_gva(vcpu, fault_mmu, fault->address, + fault_mmu->root.hpa); + +- /* +- * A workaround for KVM's bad exception handling. If KVM injected an +- * exception into L2, and L2 encountered a #PF while vectoring the +- * injected exception, manually check to see if L1 wants to intercept +- * #PF, otherwise queuing the #PF will lead to #DF or a lost exception. +- * In all other cases, defer the check to nested_ops->check_events(), +- * which will correctly handle priority (this does not). Note, other +- * exceptions, e.g. #GP, are theoretically affected, #PF is simply the +- * most problematic, e.g. when L0 and L1 are both intercepting #PF for +- * shadow paging. +- * +- * TODO: Rewrite exception handling to track injected and pending +- * (VM-Exit) exceptions separately. +- */ +- if (unlikely(vcpu->arch.exception.injected && is_guest_mode(vcpu)) && +- kvm_x86_ops.nested_ops->handle_page_fault_workaround(vcpu, fault)) +- return true; +- + fault_mmu->inject_page_fault(vcpu, fault); +- return false; + } + EXPORT_SYMBOL_GPL(kvm_inject_emulated_page_fault); + +@@ -4846,7 +4857,7 @@ static int kvm_vcpu_ready_for_interrupt_injection(struct kvm_vcpu *vcpu) + return (kvm_arch_interrupt_allowed(vcpu) && + kvm_cpu_accept_dm_intr(vcpu) && + !kvm_event_needs_reinjection(vcpu) && +- !vcpu->arch.exception.pending); ++ !kvm_is_exception_pending(vcpu)); + } + + static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu, +@@ -5021,13 +5032,27 @@ static int kvm_vcpu_ioctl_x86_set_mce(struct kvm_vcpu *vcpu, + static void kvm_vcpu_ioctl_x86_get_vcpu_events(struct kvm_vcpu *vcpu, + struct kvm_vcpu_events *events) + { +- struct kvm_queued_exception *ex = &vcpu->arch.exception; ++ struct kvm_queued_exception *ex; + + process_nmi(vcpu); + + if (kvm_check_request(KVM_REQ_SMI, vcpu)) + process_smi(vcpu); + ++ /* ++ * KVM's ABI only allows for one exception to be migrated. Luckily, ++ * the only time there can be two queued exceptions is if there's a ++ * non-exiting _injected_ exception, and a pending exiting exception. ++ * In that case, ignore the VM-Exiting exception as it's an extension ++ * of the injected exception. ++ */ ++ if (vcpu->arch.exception_vmexit.pending && ++ !vcpu->arch.exception.pending && ++ !vcpu->arch.exception.injected) ++ ex = &vcpu->arch.exception_vmexit; ++ else ++ ex = &vcpu->arch.exception; ++ + /* + * In guest mode, payload delivery should be deferred if the exception + * will be intercepted by L1, e.g. KVM should not modifying CR2 if L1 +@@ -5134,6 +5159,19 @@ static int kvm_vcpu_ioctl_x86_set_vcpu_events(struct kvm_vcpu *vcpu, + return -EINVAL; + + process_nmi(vcpu); ++ ++ /* ++ * Flag that userspace is stuffing an exception, the next KVM_RUN will ++ * morph the exception to a VM-Exit if appropriate. Do this only for ++ * pending exceptions, already-injected exceptions are not subject to ++ * intercpetion. Note, userspace that conflates pending and injected ++ * is hosed, and will incorrectly convert an injected exception into a ++ * pending exception, which in turn may cause a spurious VM-Exit. ++ */ ++ vcpu->arch.exception_from_userspace = events->exception.pending; ++ ++ vcpu->arch.exception_vmexit.pending = false; ++ + vcpu->arch.exception.injected = events->exception.injected; + vcpu->arch.exception.pending = events->exception.pending; + vcpu->arch.exception.vector = events->exception.nr; +@@ -8164,18 +8202,17 @@ static void toggle_interruptibility(struct kvm_vcpu *vcpu, u32 mask) + } + } + +-static bool inject_emulated_exception(struct kvm_vcpu *vcpu) ++static void inject_emulated_exception(struct kvm_vcpu *vcpu) + { + struct x86_emulate_ctxt *ctxt = vcpu->arch.emulate_ctxt; +- if (ctxt->exception.vector == PF_VECTOR) +- return kvm_inject_emulated_page_fault(vcpu, &ctxt->exception); + +- if (ctxt->exception.error_code_valid) ++ if (ctxt->exception.vector == PF_VECTOR) ++ kvm_inject_emulated_page_fault(vcpu, &ctxt->exception); ++ else if (ctxt->exception.error_code_valid) + kvm_queue_exception_e(vcpu, ctxt->exception.vector, + ctxt->exception.error_code); + else + kvm_queue_exception(vcpu, ctxt->exception.vector); +- return false; + } + + static struct x86_emulate_ctxt *alloc_emulate_ctxt(struct kvm_vcpu *vcpu) +@@ -8773,8 +8810,7 @@ int x86_emulate_instruction(struct kvm_vcpu *vcpu, gpa_t cr2_or_gpa, + + if (ctxt->have_exception) { + r = 1; +- if (inject_emulated_exception(vcpu)) +- return r; ++ inject_emulated_exception(vcpu); + } else if (vcpu->arch.pio.count) { + if (!vcpu->arch.pio.in) { + /* FIXME: return into emulator if single-stepping. */ +@@ -9721,7 +9757,7 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit) + */ + if (vcpu->arch.exception.injected) + kvm_inject_exception(vcpu); +- else if (vcpu->arch.exception.pending) ++ else if (kvm_is_exception_pending(vcpu)) + ; /* see above */ + else if (vcpu->arch.nmi_injected) + static_call(kvm_x86_inject_nmi)(vcpu); +@@ -9748,6 +9784,14 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit) + if (r < 0) + goto out; + ++ /* ++ * A pending exception VM-Exit should either result in nested VM-Exit ++ * or force an immediate re-entry and exit to/from L2, and exception ++ * VM-Exits cannot be injected (flag should _never_ be set). ++ */ ++ WARN_ON_ONCE(vcpu->arch.exception_vmexit.injected || ++ vcpu->arch.exception_vmexit.pending); ++ + /* + * New events, other than exceptions, cannot be injected if KVM needs + * to re-inject a previous event. See above comments on re-injecting +@@ -9847,7 +9891,7 @@ static int inject_pending_event(struct kvm_vcpu *vcpu, bool *req_immediate_exit) + kvm_x86_ops.nested_ops->hv_timer_pending(vcpu)) + *req_immediate_exit = true; + +- WARN_ON(vcpu->arch.exception.pending); ++ WARN_ON(kvm_is_exception_pending(vcpu)); + return 0; + + out: +@@ -10866,6 +10910,7 @@ static void kvm_put_guest_fpu(struct kvm_vcpu *vcpu) + + int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu) + { ++ struct kvm_queued_exception *ex = &vcpu->arch.exception; + struct kvm_run *kvm_run = vcpu->run; + int r; + +@@ -10924,6 +10969,21 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu) + } + } + ++ /* ++ * If userspace set a pending exception and L2 is active, convert it to ++ * a pending VM-Exit if L1 wants to intercept the exception. ++ */ ++ if (vcpu->arch.exception_from_userspace && is_guest_mode(vcpu) && ++ kvm_x86_ops.nested_ops->is_exception_vmexit(vcpu, ex->vector, ++ ex->error_code)) { ++ kvm_queue_exception_vmexit(vcpu, ex->vector, ++ ex->has_error_code, ex->error_code, ++ ex->has_payload, ex->payload); ++ ex->injected = false; ++ ex->pending = false; ++ } ++ vcpu->arch.exception_from_userspace = false; ++ + if (unlikely(vcpu->arch.complete_userspace_io)) { + int (*cui)(struct kvm_vcpu *) = vcpu->arch.complete_userspace_io; + vcpu->arch.complete_userspace_io = NULL; +@@ -11030,6 +11090,7 @@ static void __set_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs) + kvm_set_rflags(vcpu, regs->rflags | X86_EFLAGS_FIXED); + + vcpu->arch.exception.pending = false; ++ vcpu->arch.exception_vmexit.pending = false; + + kvm_make_request(KVM_REQ_EVENT, vcpu); + } +@@ -11410,7 +11471,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu, + + if (dbg->control & (KVM_GUESTDBG_INJECT_DB | KVM_GUESTDBG_INJECT_BP)) { + r = -EBUSY; +- if (vcpu->arch.exception.pending) ++ if (kvm_is_exception_pending(vcpu)) + goto out; + if (dbg->control & KVM_GUESTDBG_INJECT_DB) + kvm_queue_exception(vcpu, DB_VECTOR); +@@ -12643,7 +12704,7 @@ static inline bool kvm_vcpu_has_events(struct kvm_vcpu *vcpu) + if (vcpu->arch.pv.pv_unhalted) + return true; + +- if (vcpu->arch.exception.pending) ++ if (kvm_is_exception_pending(vcpu)) + return true; + + if (kvm_test_request(KVM_REQ_NMI, vcpu) || +@@ -12898,7 +12959,7 @@ bool kvm_can_do_async_pf(struct kvm_vcpu *vcpu) + { + if (unlikely(!lapic_in_kernel(vcpu) || + kvm_event_needs_reinjection(vcpu) || +- vcpu->arch.exception.pending)) ++ kvm_is_exception_pending(vcpu))) + return false; + + if (kvm_hlt_in_guest(vcpu->kvm) && !kvm_can_deliver_async_pf(vcpu)) +diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h +index 4147d27f9fbc..256745d1a2c3 100644 +--- a/arch/x86/kvm/x86.h ++++ b/arch/x86/kvm/x86.h +@@ -82,10 +82,17 @@ static inline unsigned int __shrink_ple_window(unsigned int val, + void kvm_service_local_tlb_flush_requests(struct kvm_vcpu *vcpu); + int kvm_check_nested_events(struct kvm_vcpu *vcpu); + ++static inline bool kvm_is_exception_pending(struct kvm_vcpu *vcpu) ++{ ++ return vcpu->arch.exception.pending || ++ vcpu->arch.exception_vmexit.pending; ++} ++ + static inline void kvm_clear_exception_queue(struct kvm_vcpu *vcpu) + { + vcpu->arch.exception.pending = false; + vcpu->arch.exception.injected = false; ++ vcpu->arch.exception_vmexit.pending = false; + } + + static inline void kvm_queue_interrupt(struct kvm_vcpu *vcpu, u8 vector, +-- +2.35.1 + diff --git a/queue-6.0/kvm-x86-report-error-when-setting-cpuid-if-hyper-v-a.patch b/queue-6.0/kvm-x86-report-error-when-setting-cpuid-if-hyper-v-a.patch new file mode 100644 index 00000000000..d30317e1bfa --- /dev/null +++ b/queue-6.0/kvm-x86-report-error-when-setting-cpuid-if-hyper-v-a.patch @@ -0,0 +1,173 @@ +From 1abbad519136449cb6a4dd537e30dbf56cb3ff9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 15:37:09 +0200 +Subject: KVM: x86: Report error when setting CPUID if Hyper-V allocation fails + +From: Sean Christopherson + +[ Upstream commit 3be29eb7b5251a772e2033761a9b67981fdfb0f7 ] + +Return -ENOMEM back to userspace if allocating the Hyper-V vCPU struct +fails when enabling Hyper-V in guest CPUID. Silently ignoring failure +means that KVM will not have an up-to-date CPUID cache if allocating the +struct succeeds later on, e.g. when activating SynIC. + +Rejecting the CPUID operation also guarantess that vcpu->arch.hyperv is +non-NULL if hyperv_enabled is true, which will allow for additional +cleanup, e.g. in the eVMCS code. + +Note, the initialization needs to be done before CPUID is set, and more +subtly before kvm_check_cpuid(), which potentially enables dynamic +XFEATURES. Sadly, there's no easy way to avoid exposing Hyper-V details +to CPUID or vice versa. Expose kvm_hv_vcpu_init() and the Hyper-V CPUID +signature to CPUID instead of exposing cpuid_entry2_find() outside of +CPUID code. It's hard to envision kvm_hv_vcpu_init() being misused, +whereas cpuid_entry2_find() absolutely shouldn't be used outside of core +CPUID code. + +Fixes: 10d7bf1e46dc ("KVM: x86: hyper-v: Cache guest CPUID leaves determining features availability") +Signed-off-by: Sean Christopherson +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Sean Christopherson +Link: https://lore.kernel.org/r/20220830133737.1539624-6-vkuznets@redhat.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/cpuid.c | 18 +++++++++++++++++- + arch/x86/kvm/hyperv.c | 30 ++++++++++++++---------------- + arch/x86/kvm/hyperv.h | 6 +++++- + 3 files changed, 36 insertions(+), 18 deletions(-) + +diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c +index 2796dde06302..7065462378e2 100644 +--- a/arch/x86/kvm/cpuid.c ++++ b/arch/x86/kvm/cpuid.c +@@ -311,6 +311,15 @@ void kvm_update_cpuid_runtime(struct kvm_vcpu *vcpu) + } + EXPORT_SYMBOL_GPL(kvm_update_cpuid_runtime); + ++static bool kvm_cpuid_has_hyperv(struct kvm_cpuid_entry2 *entries, int nent) ++{ ++ struct kvm_cpuid_entry2 *entry; ++ ++ entry = cpuid_entry2_find(entries, nent, HYPERV_CPUID_INTERFACE, ++ KVM_CPUID_INDEX_NOT_SIGNIFICANT); ++ return entry && entry->eax == HYPERV_CPUID_SIGNATURE_EAX; ++} ++ + static void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu) + { + struct kvm_lapic *apic = vcpu->arch.apic; +@@ -346,7 +355,8 @@ static void kvm_vcpu_after_set_cpuid(struct kvm_vcpu *vcpu) + vcpu->arch.cr4_guest_rsvd_bits = + __cr4_reserved_bits(guest_cpuid_has, vcpu); + +- kvm_hv_set_cpuid(vcpu); ++ kvm_hv_set_cpuid(vcpu, kvm_cpuid_has_hyperv(vcpu->arch.cpuid_entries, ++ vcpu->arch.cpuid_nent)); + + /* Invoke the vendor callback only after the above state is updated. */ + static_call(kvm_x86_vcpu_after_set_cpuid)(vcpu); +@@ -409,6 +419,12 @@ static int kvm_set_cpuid(struct kvm_vcpu *vcpu, struct kvm_cpuid_entry2 *e2, + return 0; + } + ++ if (kvm_cpuid_has_hyperv(e2, nent)) { ++ r = kvm_hv_vcpu_init(vcpu); ++ if (r) ++ return r; ++ } ++ + r = kvm_check_cpuid(vcpu, e2, nent); + if (r) + return r; +diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c +index 8aadd31ed058..bf4729e8cc80 100644 +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -38,9 +38,6 @@ + #include "irq.h" + #include "fpu.h" + +-/* "Hv#1" signature */ +-#define HYPERV_CPUID_SIGNATURE_EAX 0x31237648 +- + #define KVM_HV_MAX_SPARSE_VCPU_SET_BITS DIV_ROUND_UP(KVM_MAX_VCPUS, 64) + + static void stimer_mark_pending(struct kvm_vcpu_hv_stimer *stimer, +@@ -934,7 +931,7 @@ static void stimer_init(struct kvm_vcpu_hv_stimer *stimer, int timer_index) + stimer_prepare_msg(stimer); + } + +-static int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu) ++int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu) + { + struct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu); + int i; +@@ -1984,26 +1981,27 @@ static u64 kvm_hv_send_ipi(struct kvm_vcpu *vcpu, struct kvm_hv_hcall *hc) + return HV_STATUS_SUCCESS; + } + +-void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu) ++void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu, bool hyperv_enabled) + { ++ struct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu); + struct kvm_cpuid_entry2 *entry; +- struct kvm_vcpu_hv *hv_vcpu; + +- entry = kvm_find_cpuid_entry(vcpu, HYPERV_CPUID_INTERFACE); +- if (entry && entry->eax == HYPERV_CPUID_SIGNATURE_EAX) { +- vcpu->arch.hyperv_enabled = true; +- } else { +- vcpu->arch.hyperv_enabled = false; +- return; +- } ++ vcpu->arch.hyperv_enabled = hyperv_enabled; + +- if (kvm_hv_vcpu_init(vcpu)) ++ if (!hv_vcpu) { ++ /* ++ * KVM should have already allocated kvm_vcpu_hv if Hyper-V is ++ * enabled in CPUID. ++ */ ++ WARN_ON_ONCE(vcpu->arch.hyperv_enabled); + return; +- +- hv_vcpu = to_hv_vcpu(vcpu); ++ } + + memset(&hv_vcpu->cpuid_cache, 0, sizeof(hv_vcpu->cpuid_cache)); + ++ if (!vcpu->arch.hyperv_enabled) ++ return; ++ + entry = kvm_find_cpuid_entry(vcpu, HYPERV_CPUID_FEATURES); + if (entry) { + hv_vcpu->cpuid_cache.features_eax = entry->eax; +diff --git a/arch/x86/kvm/hyperv.h b/arch/x86/kvm/hyperv.h +index da2737f2a956..1030b1b50552 100644 +--- a/arch/x86/kvm/hyperv.h ++++ b/arch/x86/kvm/hyperv.h +@@ -23,6 +23,9 @@ + + #include + ++/* "Hv#1" signature */ ++#define HYPERV_CPUID_SIGNATURE_EAX 0x31237648 ++ + /* + * The #defines related to the synthetic debugger are required by KDNet, but + * they are not documented in the Hyper-V TLFS because the synthetic debugger +@@ -141,7 +144,8 @@ void kvm_hv_request_tsc_page_update(struct kvm *kvm); + + void kvm_hv_init_vm(struct kvm *kvm); + void kvm_hv_destroy_vm(struct kvm *kvm); +-void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu); ++int kvm_hv_vcpu_init(struct kvm_vcpu *vcpu); ++void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu, bool hyperv_enabled); + int kvm_hv_set_enforce_cpuid(struct kvm_vcpu *vcpu, bool enforce); + int kvm_vm_ioctl_hv_eventfd(struct kvm *kvm, struct kvm_hyperv_eventfd *args); + int kvm_get_hv_cpuid(struct kvm_vcpu *vcpu, struct kvm_cpuid2 *cpuid, +-- +2.35.1 + diff --git a/queue-6.0/kvm-x86-zero-out-entire-hyper-v-cpuid-cache-before-p.patch b/queue-6.0/kvm-x86-zero-out-entire-hyper-v-cpuid-cache-before-p.patch new file mode 100644 index 00000000000..cc93598be0c --- /dev/null +++ b/queue-6.0/kvm-x86-zero-out-entire-hyper-v-cpuid-cache-before-p.patch @@ -0,0 +1,69 @@ +From 062c933fa4de64d23cc794af74f175ad605bc167 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 15:37:07 +0200 +Subject: KVM: x86: Zero out entire Hyper-V CPUID cache before processing + entries + +From: Vitaly Kuznetsov + +[ Upstream commit ce2196b831b1e9f8982b2904fc3e8658cc0e6573 ] + +Wipe the whole 'hv_vcpu->cpuid_cache' with memset() instead of having to +zero each particular member when the corresponding CPUID entry was not +found. + +No functional change intended. + +Signed-off-by: Vitaly Kuznetsov +[sean: split to separate patch] +Signed-off-by: Sean Christopherson +Reviewed-by: Wei Liu +Link: https://lore.kernel.org/r/20220830133737.1539624-4-vkuznets@redhat.com +Signed-off-by: Paolo Bonzini +Stable-dep-of: 3be29eb7b525 ("KVM: x86: Report error when setting CPUID if Hyper-V allocation fails") +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/hyperv.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c +index ed804447589c..611c349a08bf 100644 +--- a/arch/x86/kvm/hyperv.c ++++ b/arch/x86/kvm/hyperv.c +@@ -2005,31 +2005,24 @@ void kvm_hv_set_cpuid(struct kvm_vcpu *vcpu) + + hv_vcpu = to_hv_vcpu(vcpu); + ++ memset(&hv_vcpu->cpuid_cache, 0, sizeof(hv_vcpu->cpuid_cache)); ++ + entry = kvm_find_cpuid_entry(vcpu, HYPERV_CPUID_FEATURES); + if (entry) { + hv_vcpu->cpuid_cache.features_eax = entry->eax; + hv_vcpu->cpuid_cache.features_ebx = entry->ebx; + hv_vcpu->cpuid_cache.features_edx = entry->edx; +- } else { +- hv_vcpu->cpuid_cache.features_eax = 0; +- hv_vcpu->cpuid_cache.features_ebx = 0; +- hv_vcpu->cpuid_cache.features_edx = 0; + } + + entry = kvm_find_cpuid_entry(vcpu, HYPERV_CPUID_ENLIGHTMENT_INFO); + if (entry) { + hv_vcpu->cpuid_cache.enlightenments_eax = entry->eax; + hv_vcpu->cpuid_cache.enlightenments_ebx = entry->ebx; +- } else { +- hv_vcpu->cpuid_cache.enlightenments_eax = 0; +- hv_vcpu->cpuid_cache.enlightenments_ebx = 0; + } + + entry = kvm_find_cpuid_entry(vcpu, HYPERV_CPUID_SYNDBG_PLATFORM_CAPABILITIES); + if (entry) + hv_vcpu->cpuid_cache.syndbg_cap_eax = entry->eax; +- else +- hv_vcpu->cpuid_cache.syndbg_cap_eax = 0; + } + + int kvm_hv_set_enforce_cpuid(struct kvm_vcpu *vcpu, bool enforce) +-- +2.35.1 + diff --git a/queue-6.0/leds-lm3601x-don-t-use-mutex-after-it-was-destroyed.patch b/queue-6.0/leds-lm3601x-don-t-use-mutex-after-it-was-destroyed.patch new file mode 100644 index 00000000000..f803314598f --- /dev/null +++ b/queue-6.0/leds-lm3601x-don-t-use-mutex-after-it-was-destroyed.patch @@ -0,0 +1,41 @@ +From 000363787c80459b639749067d7c3bdfef20c0af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 10:02:27 +0200 +Subject: leds: lm3601x: Don't use mutex after it was destroyed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 32f7eed0c763a9b89f6b357ec54b48398fc7b99e ] + +The mutex might still be in use until the devm cleanup callback +devm_led_classdev_flash_release() is called. This only happens some time +after lm3601x_remove() completed. + +Fixes: e63a744871a3 ("leds: lm3601x: Convert class registration to device managed") +Acked-by: Pavel Machek +Signed-off-by: Uwe Kleine-König +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/leds/flash/leds-lm3601x.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/leds/flash/leds-lm3601x.c b/drivers/leds/flash/leds-lm3601x.c +index d0e1d4814042..3d1272748201 100644 +--- a/drivers/leds/flash/leds-lm3601x.c ++++ b/drivers/leds/flash/leds-lm3601x.c +@@ -444,8 +444,6 @@ static int lm3601x_remove(struct i2c_client *client) + { + struct lm3601x_led *led = i2c_get_clientdata(client); + +- mutex_destroy(&led->lock); +- + return regmap_update_bits(led->regmap, LM3601X_ENABLE_REG, + LM3601X_ENABLE_MASK, + LM3601X_MODE_STANDBY); +-- +2.35.1 + diff --git a/queue-6.0/libbpf-do-not-require-executable-permission-for-shar.patch b/queue-6.0/libbpf-do-not-require-executable-permission-for-shar.patch new file mode 100644 index 00000000000..858e9c60808 --- /dev/null +++ b/queue-6.0/libbpf-do-not-require-executable-permission-for-shar.patch @@ -0,0 +1,61 @@ +From f7db7d32eefc03d065d5a59ccfab999c65c1fee5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Aug 2022 18:20:21 +0800 +Subject: libbpf: Do not require executable permission for shared libraries + +From: Hengqi Chen + +[ Upstream commit 9e32084ef1c33a87a736d6ce3fcb95b60dac9aa1 ] + +Currently, resolve_full_path() requires executable permission for both +programs and shared libraries. This causes failures on distos like Debian +since the shared libraries are not installed executable and Linux is not +requiring shared libraries to have executable permissions. Let's remove +executable permission check for shared libraries. + +Reported-by: Goro Fuji +Signed-off-by: Hengqi Chen +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220806102021.3867130-1-hengqi.chen@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index c0af210f1acd..6b40c8672ff9 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -10671,15 +10671,17 @@ static const char *arch_specific_lib_paths(void) + static int resolve_full_path(const char *file, char *result, size_t result_sz) + { + const char *search_paths[3] = {}; +- int i; ++ int i, perm; + + if (str_has_sfx(file, ".so") || strstr(file, ".so.")) { + search_paths[0] = getenv("LD_LIBRARY_PATH"); + search_paths[1] = "/usr/lib64:/usr/lib"; + search_paths[2] = arch_specific_lib_paths(); ++ perm = R_OK; + } else { + search_paths[0] = getenv("PATH"); + search_paths[1] = "/usr/bin:/usr/sbin"; ++ perm = R_OK | X_OK; + } + + for (i = 0; i < ARRAY_SIZE(search_paths); i++) { +@@ -10698,8 +10700,8 @@ static int resolve_full_path(const char *file, char *result, size_t result_sz) + if (!seg_len) + continue; + snprintf(result, result_sz, "%.*s/%s", seg_len, s, file); +- /* ensure it is an executable file/link */ +- if (access(result, R_OK | X_OK) < 0) ++ /* ensure it has required permissions */ ++ if (access(result, perm) < 0) + continue; + pr_debug("resolved '%s' to '%s'\n", file, result); + return 0; +-- +2.35.1 + diff --git a/queue-6.0/libbpf-don-t-require-full-struct-enum64-in-uapi-head.patch b/queue-6.0/libbpf-don-t-require-full-struct-enum64-in-uapi-head.patch new file mode 100644 index 00000000000..bdff1cef2fb --- /dev/null +++ b/queue-6.0/libbpf-don-t-require-full-struct-enum64-in-uapi-head.patch @@ -0,0 +1,85 @@ +From 60556600d27124f6e1fdd7ef5b9425be0e9d935e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 21:29:39 -0700 +Subject: libbpf: Don't require full struct enum64 in UAPI headers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Andrii Nakryiko + +[ Upstream commit 87dbdc230d162bf9ee1ac77c8ade178b6b1e199e ] + +Drop the requirement for system-wide kernel UAPI headers to provide full +struct btf_enum64 definition. This is an unexpected requirement that +slipped in libbpf 1.0 and put unnecessary pressure ([0]) on users to have +a bleeding-edge kernel UAPI header from unreleased Linux 6.0. + +To achieve this, we forward declare struct btf_enum64. But that's not +enough as there is btf_enum64_value() helper that expects to know the +layout of struct btf_enum64. So we get a bit creative with +reinterpreting memory layout as array of __u32 and accesing lo32/hi32 +fields as array elements. Alternative way would be to have a local +pointer variable for anonymous struct with exactly the same layout as +struct btf_enum64, but that gets us into C++ compiler errors complaining +about invalid type casts. So play it safe, if ugly. + + [0] Closes: https://github.com/libbpf/libbpf/issues/562 + +Fixes: d90ec262b35b ("libbpf: Add enum64 support for btf_dump") +Reported-by: Toke Høiland-Jørgensen +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Toke Høiland-Jørgensen +Link: https://lore.kernel.org/bpf/20220927042940.147185-1-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/btf.h | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/btf.h b/tools/lib/bpf/btf.h +index 583760df83b4..d421d656a076 100644 +--- a/tools/lib/bpf/btf.h ++++ b/tools/lib/bpf/btf.h +@@ -487,6 +487,8 @@ static inline struct btf_enum *btf_enum(const struct btf_type *t) + return (struct btf_enum *)(t + 1); + } + ++struct btf_enum64; ++ + static inline struct btf_enum64 *btf_enum64(const struct btf_type *t) + { + return (struct btf_enum64 *)(t + 1); +@@ -494,7 +496,28 @@ static inline struct btf_enum64 *btf_enum64(const struct btf_type *t) + + static inline __u64 btf_enum64_value(const struct btf_enum64 *e) + { +- return ((__u64)e->val_hi32 << 32) | e->val_lo32; ++ /* struct btf_enum64 is introduced in Linux 6.0, which is very ++ * bleeding-edge. Here we are avoiding relying on struct btf_enum64 ++ * definition coming from kernel UAPI headers to support wider range ++ * of system-wide kernel headers. ++ * ++ * Given this header can be also included from C++ applications, that ++ * further restricts C tricks we can use (like using compatible ++ * anonymous struct). So just treat struct btf_enum64 as ++ * a three-element array of u32 and access second (lo32) and third ++ * (hi32) elements directly. ++ * ++ * For reference, here is a struct btf_enum64 definition: ++ * ++ * const struct btf_enum64 { ++ * __u32 name_off; ++ * __u32 val_lo32; ++ * __u32 val_hi32; ++ * }; ++ */ ++ const __u32 *e64 = (const __u32 *)e; ++ ++ return ((__u64)e64[2] << 32) | e64[1]; + } + + static inline struct btf_member *btf_members(const struct btf_type *t) +-- +2.35.1 + diff --git a/queue-6.0/libbpf-ensure-functions-with-always_inline-attribute.patch b/queue-6.0/libbpf-ensure-functions-with-always_inline-attribute.patch new file mode 100644 index 00000000000..9c0fe3bf53b --- /dev/null +++ b/queue-6.0/libbpf-ensure-functions-with-always_inline-attribute.patch @@ -0,0 +1,124 @@ +From 84abc32390c2c7f95082274e2f99a4190311646c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 09:14:03 -0600 +Subject: libbpf: Ensure functions with always_inline attribute are inline +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: James Hilliard + +[ Upstream commit d25f40ff68aa61c838947bb9adee6c6b36e77453 ] + +GCC expects the always_inline attribute to only be set on inline +functions, as such we should make all functions with this attribute +use the __always_inline macro which makes the function inline and +sets the attribute. + +Fixes errors like: +/home/buildroot/bpf-next/tools/testing/selftests/bpf/tools/include/bpf/bpf_tracing.h:439:1: error: ‘always_inline’ function might not be inlinable [-Werror=attributes] + 439 | ____##name(unsigned long long *ctx, ##args) + | ^~~~ + +Signed-off-by: James Hilliard +Signed-off-by: Andrii Nakryiko +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20220803151403.793024-1-james.hilliard1@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf_tracing.h | 14 +++++++------- + tools/lib/bpf/usdt.bpf.h | 4 ++-- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/tools/lib/bpf/bpf_tracing.h b/tools/lib/bpf/bpf_tracing.h +index 43ca3aff2292..5fdb93da423b 100644 +--- a/tools/lib/bpf/bpf_tracing.h ++++ b/tools/lib/bpf/bpf_tracing.h +@@ -426,7 +426,7 @@ struct pt_regs; + */ + #define BPF_PROG(name, args...) \ + name(unsigned long long *ctx); \ +-static __attribute__((always_inline)) typeof(name(0)) \ ++static __always_inline typeof(name(0)) \ + ____##name(unsigned long long *ctx, ##args); \ + typeof(name(0)) name(unsigned long long *ctx) \ + { \ +@@ -435,7 +435,7 @@ typeof(name(0)) name(unsigned long long *ctx) \ + return ____##name(___bpf_ctx_cast(args)); \ + _Pragma("GCC diagnostic pop") \ + } \ +-static __attribute__((always_inline)) typeof(name(0)) \ ++static __always_inline typeof(name(0)) \ + ____##name(unsigned long long *ctx, ##args) + + struct pt_regs; +@@ -460,7 +460,7 @@ struct pt_regs; + */ + #define BPF_KPROBE(name, args...) \ + name(struct pt_regs *ctx); \ +-static __attribute__((always_inline)) typeof(name(0)) \ ++static __always_inline typeof(name(0)) \ + ____##name(struct pt_regs *ctx, ##args); \ + typeof(name(0)) name(struct pt_regs *ctx) \ + { \ +@@ -469,7 +469,7 @@ typeof(name(0)) name(struct pt_regs *ctx) \ + return ____##name(___bpf_kprobe_args(args)); \ + _Pragma("GCC diagnostic pop") \ + } \ +-static __attribute__((always_inline)) typeof(name(0)) \ ++static __always_inline typeof(name(0)) \ + ____##name(struct pt_regs *ctx, ##args) + + #define ___bpf_kretprobe_args0() ctx +@@ -484,7 +484,7 @@ ____##name(struct pt_regs *ctx, ##args) + */ + #define BPF_KRETPROBE(name, args...) \ + name(struct pt_regs *ctx); \ +-static __attribute__((always_inline)) typeof(name(0)) \ ++static __always_inline typeof(name(0)) \ + ____##name(struct pt_regs *ctx, ##args); \ + typeof(name(0)) name(struct pt_regs *ctx) \ + { \ +@@ -540,7 +540,7 @@ static __always_inline typeof(name(0)) ____##name(struct pt_regs *ctx, ##args) + #define BPF_KSYSCALL(name, args...) \ + name(struct pt_regs *ctx); \ + extern _Bool LINUX_HAS_SYSCALL_WRAPPER __kconfig; \ +-static __attribute__((always_inline)) typeof(name(0)) \ ++static __always_inline typeof(name(0)) \ + ____##name(struct pt_regs *ctx, ##args); \ + typeof(name(0)) name(struct pt_regs *ctx) \ + { \ +@@ -555,7 +555,7 @@ typeof(name(0)) name(struct pt_regs *ctx) \ + return ____##name(___bpf_syscall_args(args)); \ + _Pragma("GCC diagnostic pop") \ + } \ +-static __attribute__((always_inline)) typeof(name(0)) \ ++static __always_inline typeof(name(0)) \ + ____##name(struct pt_regs *ctx, ##args) + + #define BPF_KPROBE_SYSCALL BPF_KSYSCALL +diff --git a/tools/lib/bpf/usdt.bpf.h b/tools/lib/bpf/usdt.bpf.h +index 4f2adc0bd6ca..fdfd235e52c4 100644 +--- a/tools/lib/bpf/usdt.bpf.h ++++ b/tools/lib/bpf/usdt.bpf.h +@@ -232,7 +232,7 @@ long bpf_usdt_cookie(struct pt_regs *ctx) + */ + #define BPF_USDT(name, args...) \ + name(struct pt_regs *ctx); \ +-static __attribute__((always_inline)) typeof(name(0)) \ ++static __always_inline typeof(name(0)) \ + ____##name(struct pt_regs *ctx, ##args); \ + typeof(name(0)) name(struct pt_regs *ctx) \ + { \ +@@ -241,7 +241,7 @@ typeof(name(0)) name(struct pt_regs *ctx) \ + return ____##name(___bpf_usdt_args(args)); \ + _Pragma("GCC diagnostic pop") \ + } \ +-static __attribute__((always_inline)) typeof(name(0)) \ ++static __always_inline typeof(name(0)) \ + ____##name(struct pt_regs *ctx, ##args) + + #endif /* __USDT_BPF_H__ */ +-- +2.35.1 + diff --git a/queue-6.0/libbpf-fix-crash-if-sec-freplace-programs-don-t-have.patch b/queue-6.0/libbpf-fix-crash-if-sec-freplace-programs-don-t-have.patch new file mode 100644 index 00000000000..86ec5aab315 --- /dev/null +++ b/queue-6.0/libbpf-fix-crash-if-sec-freplace-programs-don-t-have.patch @@ -0,0 +1,64 @@ +From c50cfb75f3513d6e2ab5464306abb395f085b482 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 12:30:52 -0700 +Subject: libbpf: Fix crash if SEC("freplace") programs don't have + attach_prog_fd set + +From: Andrii Nakryiko + +[ Upstream commit 749c202cb6ea40f4d7ac95c4a1217a7b506f43a8 ] + +Fix SIGSEGV caused by libbpf trying to find attach type in vmlinux BTF +for freplace programs. It's wrong to search in vmlinux BTF and libbpf +doesn't even mark vmlinux BTF as required for freplace programs. So +trying to search anything in obj->vmlinux_btf might cause NULL +dereference if nothing else in BPF object requires vmlinux BTF. + +Instead, error out if freplace (EXT) program doesn't specify +attach_prog_fd during at the load time. + +Fixes: 91abb4a6d79d ("libbpf: Support attachment of BPF tracing programs to kernel modules") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20220909193053.577111-3-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 159f60a245c0..c0af210f1acd 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -9060,11 +9060,15 @@ static int libbpf_find_attach_btf_id(struct bpf_program *prog, const char *attac + int err = 0; + + /* BPF program's BTF ID */ +- if (attach_prog_fd) { ++ if (prog->type == BPF_PROG_TYPE_EXT || attach_prog_fd) { ++ if (!attach_prog_fd) { ++ pr_warn("prog '%s': attach program FD is not set\n", prog->name); ++ return -EINVAL; ++ } + err = libbpf_find_prog_btf_id(attach_name, attach_prog_fd); + if (err < 0) { +- pr_warn("failed to find BPF program (FD %d) BTF ID for '%s': %d\n", +- attach_prog_fd, attach_name, err); ++ pr_warn("prog '%s': failed to find BPF program (FD %d) BTF ID for '%s': %d\n", ++ prog->name, attach_prog_fd, attach_name, err); + return err; + } + *btf_obj_fd = 0; +@@ -9081,7 +9085,8 @@ static int libbpf_find_attach_btf_id(struct bpf_program *prog, const char *attac + err = find_kernel_btf_id(prog->obj, attach_name, attach_type, btf_obj_fd, btf_type_id); + } + if (err) { +- pr_warn("failed to find kernel BTF type ID of '%s': %d\n", attach_name, err); ++ pr_warn("prog '%s': failed to find kernel BTF type ID of '%s': %d\n", ++ prog->name, attach_name, err); + return err; + } + return 0; +-- +2.35.1 + diff --git a/queue-6.0/libbpf-fix-null-pointer-exception-in-api-btf_dump__d.patch b/queue-6.0/libbpf-fix-null-pointer-exception-in-api-btf_dump__d.patch new file mode 100644 index 00000000000..aaf8d490fc6 --- /dev/null +++ b/queue-6.0/libbpf-fix-null-pointer-exception-in-api-btf_dump__d.patch @@ -0,0 +1,40 @@ +From e14f6a13eb6ed84a7ae7b1ce4fd1e8580dd26f93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 16:48:09 +0800 +Subject: libbpf: Fix NULL pointer exception in API btf_dump__dump_type_data + +From: Xin Liu + +[ Upstream commit 7620bffbf72cd66a5d18e444a143b5b5989efa87 ] + +We found that function btf_dump__dump_type_data can be called by the +user as an API, but in this function, the `opts` parameter may be used +as a null pointer.This causes `opts->indent_str` to trigger a NULL +pointer exception. + +Fixes: 2ce8450ef5a3 ("libbpf: add bpf_object__open_{file, mem} w/ extensible opts") +Signed-off-by: Xin Liu +Signed-off-by: Weibin Kong +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220917084809.30770-1-liuxin350@huawei.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/btf_dump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c +index 627edb5bb6de..4221f73a74d0 100644 +--- a/tools/lib/bpf/btf_dump.c ++++ b/tools/lib/bpf/btf_dump.c +@@ -2385,7 +2385,7 @@ int btf_dump__dump_type_data(struct btf_dump *d, __u32 id, + d->typed_dump->indent_lvl = OPTS_GET(opts, indent_level, 0); + + /* default indent string is a tab */ +- if (!opts->indent_str) ++ if (!OPTS_GET(opts, indent_str, NULL)) + d->typed_dump->indent_str[0] = '\t'; + else + libbpf_strlcpy(d->typed_dump->indent_str, opts->indent_str, +-- +2.35.1 + diff --git a/queue-6.0/libbpf-fix-overrun-in-netlink-attribute-iteration.patch b/queue-6.0/libbpf-fix-overrun-in-netlink-attribute-iteration.patch new file mode 100644 index 00000000000..4de26ebfb00 --- /dev/null +++ b/queue-6.0/libbpf-fix-overrun-in-netlink-attribute-iteration.patch @@ -0,0 +1,38 @@ +From fc507139c99490c30a4fdf361558432b6583cf97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 17:07:08 +0800 +Subject: libbpf: Fix overrun in netlink attribute iteration + +From: Xin Liu + +[ Upstream commit 51e05a8cf8eb34da7473823b7f236a77adfef0b4 ] + +I accidentally found that a change in commit 1045b03e07d8 ("netlink: fix +overrun in attribute iteration") was not synchronized to the function +`nla_ok` in tools/lib/bpf/nlattr.c, I think it is necessary to modify, +this patch will do it. + +Signed-off-by: Xin Liu +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20220930090708.62394-1-liuxin350@huawei.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/nlattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c +index f57e77a6e40f..3900d052ed19 100644 +--- a/tools/lib/bpf/nlattr.c ++++ b/tools/lib/bpf/nlattr.c +@@ -32,7 +32,7 @@ static struct nlattr *nla_next(const struct nlattr *nla, int *remaining) + + static int nla_ok(const struct nlattr *nla, int remaining) + { +- return remaining >= sizeof(*nla) && ++ return remaining >= (int)sizeof(*nla) && + nla->nla_len >= sizeof(*nla) && + nla->nla_len <= remaining; + } +-- +2.35.1 + diff --git a/queue-6.0/libbpf-fix-potential-null-dereference-when-parsing-e.patch b/queue-6.0/libbpf-fix-potential-null-dereference-when-parsing-e.patch new file mode 100644 index 00000000000..b4fbbbc9cbe --- /dev/null +++ b/queue-6.0/libbpf-fix-potential-null-dereference-when-parsing-e.patch @@ -0,0 +1,38 @@ +From 840907e2c3ddba191cce6d1dd2ba876e60d44cdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 17:19:26 -0700 +Subject: libbpf: Fix potential NULL dereference when parsing ELF + +From: Andrii Nakryiko + +[ Upstream commit d4e6d684f3bea46a2fc195765c77a3b26bcb080e ] + +Fix if condition filtering empty ELF sections to prevent NULL +dereference. + +Fixes: 47ea7417b074 ("libbpf: Skip empty sections in bpf_object__init_global_data_maps") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Hao Luo +Link: https://lore.kernel.org/bpf/20220816001929.369487-2-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 77e3797cf75a..159f60a245c0 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -1643,7 +1643,7 @@ static int bpf_object__init_global_data_maps(struct bpf_object *obj) + sec_desc = &obj->efile.secs[sec_idx]; + + /* Skip recognized sections with size 0. */ +- if (sec_desc->data && sec_desc->data->d_size == 0) ++ if (!sec_desc->data || sec_desc->data->d_size == 0) + continue; + + switch (sec_desc->sec_type) { +-- +2.35.1 + diff --git a/queue-6.0/libbpf-initialize-err-in-probe_map_create.patch b/queue-6.0/libbpf-initialize-err-in-probe_map_create.patch new file mode 100644 index 00000000000..e66fd361dba --- /dev/null +++ b/queue-6.0/libbpf-initialize-err-in-probe_map_create.patch @@ -0,0 +1,43 @@ +From b6158655e7cab61ffe665009fcb576e2add7bf26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 19:51:09 -0700 +Subject: libbpf: Initialize err in probe_map_create + +From: Florian Fainelli + +[ Upstream commit 3045f42a64324d339125a8a1a1763bb9e1e08300 ] + +GCC-11 warns about the possibly unitialized err variable in +probe_map_create: + +libbpf_probes.c: In function 'probe_map_create': +libbpf_probes.c:361:38: error: 'err' may be used uninitialized in this function [-Werror=maybe-uninitialized] + 361 | return fd < 0 && err == exp_err ? 1 : 0; + | ~~~~^~~~~~~~~~ + +Fixes: 878d8def0603 ("libbpf: Rework feature-probing APIs") +Signed-off-by: Florian Fainelli +Signed-off-by: Andrii Nakryiko +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20220801025109.1206633-1-f.fainelli@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf_probes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf_probes.c b/tools/lib/bpf/libbpf_probes.c +index 0b5398786bf3..6d495656f554 100644 +--- a/tools/lib/bpf/libbpf_probes.c ++++ b/tools/lib/bpf/libbpf_probes.c +@@ -193,7 +193,7 @@ static int probe_map_create(enum bpf_map_type map_type) + LIBBPF_OPTS(bpf_map_create_opts, opts); + int key_size, value_size, max_entries; + __u32 btf_key_type_id = 0, btf_value_type_id = 0; +- int fd = -1, btf_fd = -1, fd_inner = -1, exp_err = 0, err; ++ int fd = -1, btf_fd = -1, fd_inner = -1, exp_err = 0, err = 0; + + key_size = sizeof(__u32); + value_size = sizeof(__u32); +-- +2.35.1 + diff --git a/queue-6.0/libbpf-restore-memory-layout-of-bpf_object_open_opts.patch b/queue-6.0/libbpf-restore-memory-layout-of-bpf_object_open_opts.patch new file mode 100644 index 00000000000..b8183afc3b7 --- /dev/null +++ b/queue-6.0/libbpf-restore-memory-layout-of-bpf_object_open_opts.patch @@ -0,0 +1,53 @@ +From 70ae7d459f840af450fc44645c14af71204894b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Sep 2022 16:05:59 -0700 +Subject: libbpf: restore memory layout of bpf_object_open_opts + +From: Andrii Nakryiko + +[ Upstream commit dbdea9b36fb61da3b9a1be0dd63542e2bfd3e5d7 ] + +When attach_prog_fd field was removed in libbpf 1.0 and replaced with +`long: 0` placeholder, it actually shifted all the subsequent fields by +8 byte. This is due to `long: 0` promising to adjust next field's offset +to long-aligned offset. But in this case we were already long-aligned +as pin_root_path is a pointer. So `long: 0` had no effect, and thus +didn't feel the gap created by removed attach_prog_fd. + +Non-zero bitfield should have been used instead. I validated using +pahole. Originally kconfig field was at offset 40. With `long: 0` it's +at offset 32, which is wrong. With this change it's back at offset 40. + +While technically libbpf 1.0 is allowed to break backwards +compatibility and applications should have been recompiled against +libbpf 1.0 headers, but given how trivial it is to preserve memory +layout, let's fix this. + +Reported-by: Grant Seltzer Richman +Fixes: 146bf811f5ac ("libbpf: remove most other deprecated high-level APIs") +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/r/20220923230559.666608-1-andrii@kernel.org +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.h b/tools/lib/bpf/libbpf.h +index 61493c4cddac..9f956e6058ed 100644 +--- a/tools/lib/bpf/libbpf.h ++++ b/tools/lib/bpf/libbpf.h +@@ -118,7 +118,9 @@ struct bpf_object_open_opts { + * auto-pinned to that path on load; defaults to "/sys/fs/bpf". + */ + const char *pin_root_path; +- long :0; ++ ++ __u32 :32; /* stub out now removed attach_prog_fd */ ++ + /* Additional kernel config content that augments and overrides + * system Kconfig for CONFIG_xxx externs. + */ +-- +2.35.1 + diff --git a/queue-6.0/libbpf-skip-empty-sections-in-bpf_object__init_globa.patch b/queue-6.0/libbpf-skip-empty-sections-in-bpf_object__init_globa.patch new file mode 100644 index 00000000000..e3e2a13e5b6 --- /dev/null +++ b/queue-6.0/libbpf-skip-empty-sections-in-bpf_object__init_globa.patch @@ -0,0 +1,51 @@ +From 53cf72d08dd3e8e7e86b880f4355459ce35bcfe7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 17:26:49 -0600 +Subject: libbpf: Skip empty sections in bpf_object__init_global_data_maps + +From: James Hilliard + +[ Upstream commit 47ea7417b0744324424405fc1207e266053237a9 ] + +The GNU assembler generates an empty .bss section. This is a well +established behavior in GAS that happens in all supported targets. + +The LLVM assembler doesn't generate an empty .bss section. + +bpftool chokes on the empty .bss section. + +Additionally in bpf_object__elf_collect the sec_desc->data is not +initialized when a section is not recognized. In this case, this +happens with .comment. + +So we must check that sec_desc->data is initialized before checking +if the size is 0. + +Signed-off-by: James Hilliard +Signed-off-by: Andrii Nakryiko +Acked-by: Jiri Olsa +Link: https://lore.kernel.org/bpf/20220731232649.4668-1-james.hilliard1@gmail.com +Stable-dep-of: 3045f42a6432 ("libbpf: Initialize err in probe_map_create") +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 50d41815f431..77e3797cf75a 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -1642,6 +1642,10 @@ static int bpf_object__init_global_data_maps(struct bpf_object *obj) + for (sec_idx = 1; sec_idx < obj->efile.sec_cnt; sec_idx++) { + sec_desc = &obj->efile.secs[sec_idx]; + ++ /* Skip recognized sections with size 0. */ ++ if (sec_desc->data && sec_desc->data->d_size == 0) ++ continue; ++ + switch (sec_desc->sec_type) { + case SEC_DATA: + sec_name = elf_sec_name(obj, elf_sec_by_idx(obj, sec_idx)); +-- +2.35.1 + diff --git a/queue-6.0/linux-export-use-inline-assembler-to-populate-symbol.patch b/queue-6.0/linux-export-use-inline-assembler-to-populate-symbol.patch new file mode 100644 index 00000000000..6a61e1705bc --- /dev/null +++ b/queue-6.0/linux-export-use-inline-assembler-to-populate-symbol.patch @@ -0,0 +1,52 @@ +From 76dfe5d873c9954917f856d204c65045553d6279 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 15:29:53 +0900 +Subject: linux/export: use inline assembler to populate symbol CRCs + +From: Masahiro Yamada + +[ Upstream commit f3304ecd7f060db1d4197fbdce5a503259f770d3 ] + +Since commit 7b4537199a4a ("kbuild: link symbol CRCs at final link, +removing CONFIG_MODULE_REL_CRCS"), the module versioning on the +(non-upstreamed-yet) kvx Linux port is broken due to unexpected padding +for __crc_* symbols. The kvx GCC adds padding so u32 gets 8-byte +alignment instead of 4. + +I do not know if this happens for upstream architectures in general, +but any compiler has the freedom to insert padding for faster access. + +Use the inline assembler to directly specify the wanted data layout. +This is how we previously did before the breakage. + +Link: https://lore.kernel.org/lkml/20220817161438.32039-1-ysionneau@kalray.eu/ +Link: https://lore.kernel.org/linux-kbuild/31ce5305-a76b-13d7-ea55-afca82c46cf2@kalray.eu/ +Fixes: 7b4537199a4a ("kbuild: link symbol CRCs at final link, removing CONFIG_MODULE_REL_CRCS") +Reported-by: Yann Sionneau +Signed-off-by: Masahiro Yamada +Tested-by: Yann Sionneau +Signed-off-by: Sasha Levin +--- + include/linux/export-internal.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/linux/export-internal.h b/include/linux/export-internal.h +index c2b1d4fd5987..fe7e6ba918f1 100644 +--- a/include/linux/export-internal.h ++++ b/include/linux/export-internal.h +@@ -10,8 +10,10 @@ + #include + #include + +-/* __used is needed to keep __crc_* for LTO */ + #define SYMBOL_CRC(sym, crc, sec) \ +- u32 __section("___kcrctab" sec "+" #sym) __used __crc_##sym = crc ++ asm(".section \"___kcrctab" sec "+" #sym "\",\"a\"" "\n" \ ++ "__crc_" #sym ":" "\n" \ ++ ".long " #crc "\n" \ ++ ".previous" "\n") + + #endif /* __LINUX_EXPORT_INTERNAL_H__ */ +-- +2.35.1 + diff --git a/queue-6.0/locks-fix-toctou-race-when-granting-write-lease.patch b/queue-6.0/locks-fix-toctou-race-when-granting-write-lease.patch new file mode 100644 index 00000000000..7ae4f44ba1e --- /dev/null +++ b/queue-6.0/locks-fix-toctou-race-when-granting-write-lease.patch @@ -0,0 +1,114 @@ +From caf760b893541c268b44b5d52ac9ea52c7e770ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 17:53:17 +0300 +Subject: locks: fix TOCTOU race when granting write lease + +From: Amir Goldstein + +[ Upstream commit d6da19c9cace63290ccfccb1fc35151ffefc0bec ] + +Thread A trying to acquire a write lease checks the value of i_readcount +and i_writecount in check_conflicting_open() to verify that its own fd +is the only fd referencing the file. + +Thread B trying to open the file for read will call break_lease() in +do_dentry_open() before incrementing i_readcount, which leaves a small +window where thread A can acquire the write lease and then thread B +completes the open of the file for read without breaking the write lease +that was acquired by thread A. + +Fix this race by incrementing i_readcount before checking for existing +leases, same as the case with i_writecount. + +Use a helper put_file_access() to decrement i_readcount or i_writecount +in do_dentry_open() and __fput(). + +Fixes: 387e3746d01c ("locks: eliminate false positive conflicts for write lease") +Reviewed-by: Jeff Layton +Signed-off-by: Amir Goldstein +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/file_table.c | 7 +------ + fs/internal.h | 10 ++++++++++ + fs/open.c | 11 ++++------- + 3 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/fs/file_table.c b/fs/file_table.c +index 99c6796c9f28..dd88701e54a9 100644 +--- a/fs/file_table.c ++++ b/fs/file_table.c +@@ -324,12 +324,7 @@ static void __fput(struct file *file) + } + fops_put(file->f_op); + put_pid(file->f_owner.pid); +- if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) +- i_readcount_dec(inode); +- if (mode & FMODE_WRITER) { +- put_write_access(inode); +- __mnt_drop_write(mnt); +- } ++ put_file_access(file); + dput(dentry); + if (unlikely(mode & FMODE_NEED_UNMOUNT)) + dissolve_on_fput(mnt); +diff --git a/fs/internal.h b/fs/internal.h +index 3e206d3e317c..4372d67a3753 100644 +--- a/fs/internal.h ++++ b/fs/internal.h +@@ -102,6 +102,16 @@ extern void chroot_fs_refs(const struct path *, const struct path *); + extern struct file *alloc_empty_file(int, const struct cred *); + extern struct file *alloc_empty_file_noaccount(int, const struct cred *); + ++static inline void put_file_access(struct file *file) ++{ ++ if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) { ++ i_readcount_dec(file->f_inode); ++ } else if (file->f_mode & FMODE_WRITER) { ++ put_write_access(file->f_inode); ++ __mnt_drop_write(file->f_path.mnt); ++ } ++} ++ + /* + * super.c + */ +diff --git a/fs/open.c b/fs/open.c +index cf7e5c350a54..a81319b6177f 100644 +--- a/fs/open.c ++++ b/fs/open.c +@@ -842,7 +842,9 @@ static int do_dentry_open(struct file *f, + return 0; + } + +- if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) { ++ if ((f->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) { ++ i_readcount_inc(inode); ++ } else if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) { + error = get_write_access(inode); + if (unlikely(error)) + goto cleanup_file; +@@ -882,8 +884,6 @@ static int do_dentry_open(struct file *f, + goto cleanup_all; + } + f->f_mode |= FMODE_OPENED; +- if ((f->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ) +- i_readcount_inc(inode); + if ((f->f_mode & FMODE_READ) && + likely(f->f_op->read || f->f_op->read_iter)) + f->f_mode |= FMODE_CAN_READ; +@@ -937,10 +937,7 @@ static int do_dentry_open(struct file *f, + if (WARN_ON_ONCE(error > 0)) + error = -EINVAL; + fops_put(f->f_op); +- if (f->f_mode & FMODE_WRITER) { +- put_write_access(inode); +- __mnt_drop_write(f->f_path.mnt); +- } ++ put_file_access(f); + cleanup_file: + path_put(&f->f_path); + f->f_path.mnt = NULL; +-- +2.35.1 + diff --git a/queue-6.0/m68k-process-bootinfo-records-before-saving-them.patch b/queue-6.0/m68k-process-bootinfo-records-before-saving-them.patch new file mode 100644 index 00000000000..d36bf148e06 --- /dev/null +++ b/queue-6.0/m68k-process-bootinfo-records-before-saving-them.patch @@ -0,0 +1,52 @@ +From 8222dae4451abc1d5b3ff74e4efc132e2390f393 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 15:08:34 +0200 +Subject: m68k: Process bootinfo records before saving them + +From: Jason A. Donenfeld + +[ Upstream commit 7c236d93c6764dcaca7ab66d76768a044647876d ] + +The RNG seed boot record is memzeroed after processing, in order to +preserve forward secrecy. By saving the bootinfo for procfs prior to +that, forward secrecy is violated, since it becomes possible to recover +past states. So, save the bootinfo block only after first processing +them. + +Fixes: a1ee38ab1a75 ("m68k: virt: Use RNG seed from bootinfo block") +Signed-off-by: Jason A. Donenfeld +Link: https://lore.kernel.org/r/20220927130835.1629806-1-Jason@zx2c4.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/kernel/setup_mm.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/m68k/kernel/setup_mm.c b/arch/m68k/kernel/setup_mm.c +index e62fa8f2149b..7e7ef67cff8b 100644 +--- a/arch/m68k/kernel/setup_mm.c ++++ b/arch/m68k/kernel/setup_mm.c +@@ -109,10 +109,9 @@ extern void paging_init(void); + + static void __init m68k_parse_bootinfo(const struct bi_record *record) + { ++ const struct bi_record *first_record = record; + uint16_t tag; + +- save_bootinfo(record); +- + while ((tag = be16_to_cpu(record->tag)) != BI_LAST) { + int unknown = 0; + const void *data = record->data; +@@ -182,6 +181,8 @@ static void __init m68k_parse_bootinfo(const struct bi_record *record) + record = (struct bi_record *)((unsigned long)record + size); + } + ++ save_bootinfo(first_record); ++ + m68k_realnum_memory = m68k_num_memory; + #ifdef CONFIG_SINGLE_MEMORY_CHUNK + if (m68k_num_memory > 1) { +-- +2.35.1 + diff --git a/queue-6.0/mailbox-bcm-ferxrm-mailbox-fix-error-check-for-dma_m.patch b/queue-6.0/mailbox-bcm-ferxrm-mailbox-fix-error-check-for-dma_m.patch new file mode 100644 index 00000000000..a8455b5a66a --- /dev/null +++ b/queue-6.0/mailbox-bcm-ferxrm-mailbox-fix-error-check-for-dma_m.patch @@ -0,0 +1,47 @@ +From bcf3d547da7e59c431beaad0c7009275b32b2be7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 12:13:35 +0200 +Subject: mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg + +From: Jack Wang + +[ Upstream commit 6b207ce8a96a71e966831e3a13c38143ba9a73c1 ] + +dma_map_sg return 0 on error, fix the error check, and return -EIO +to caller. + +Fixes: dbc049eee730 ("mailbox: Add driver for Broadcom FlexRM ring manager") +Signed-off-by: Jack Wang +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/bcm-flexrm-mailbox.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/mailbox/bcm-flexrm-mailbox.c b/drivers/mailbox/bcm-flexrm-mailbox.c +index fda16f76401e..bf6e86b0ed09 100644 +--- a/drivers/mailbox/bcm-flexrm-mailbox.c ++++ b/drivers/mailbox/bcm-flexrm-mailbox.c +@@ -622,15 +622,15 @@ static int flexrm_spu_dma_map(struct device *dev, struct brcm_message *msg) + + rc = dma_map_sg(dev, msg->spu.src, sg_nents(msg->spu.src), + DMA_TO_DEVICE); +- if (rc < 0) +- return rc; ++ if (!rc) ++ return -EIO; + + rc = dma_map_sg(dev, msg->spu.dst, sg_nents(msg->spu.dst), + DMA_FROM_DEVICE); +- if (rc < 0) { ++ if (!rc) { + dma_unmap_sg(dev, msg->spu.src, sg_nents(msg->spu.src), + DMA_TO_DEVICE); +- return rc; ++ return -EIO; + } + + return 0; +-- +2.35.1 + diff --git a/queue-6.0/mailbox-imx-fix-rst-channel-support.patch b/queue-6.0/mailbox-imx-fix-rst-channel-support.patch new file mode 100644 index 00000000000..9429b8583fc --- /dev/null +++ b/queue-6.0/mailbox-imx-fix-rst-channel-support.patch @@ -0,0 +1,74 @@ +From 3ff61b23257ca9cc48e2440aa719e38d4e823982 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 11:01:36 +0800 +Subject: mailbox: imx: fix RST channel support + +From: Peng Fan + +[ Upstream commit 7e5cd064f73ccecd2ac1aadca078394bd25ea3ce ] + +Because IMX_MU_xCR_MAX was increased to 5, some mu cfgs were not updated +to include the CR register. Add the missed CR register to xcr array. + +Fixes: 82ab513baed5 ("mailbox: imx: support RST channel") +Reported-by: Liu Ying +Signed-off-by: Peng Fan +Tested-by: Liu Ying # i.MX8qm/qxp MEK boards boot +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/imx-mailbox.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/mailbox/imx-mailbox.c b/drivers/mailbox/imx-mailbox.c +index 02922073c9ef..20f2ec880ad6 100644 +--- a/drivers/mailbox/imx-mailbox.c ++++ b/drivers/mailbox/imx-mailbox.c +@@ -904,7 +904,7 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx7ulp = { + .xTR = 0x20, + .xRR = 0x40, + .xSR = {0x60, 0x60, 0x60, 0x60}, +- .xCR = {0x64, 0x64, 0x64, 0x64}, ++ .xCR = {0x64, 0x64, 0x64, 0x64, 0x64}, + }; + + static const struct imx_mu_dcfg imx_mu_cfg_imx8ulp = { +@@ -927,7 +927,7 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx8ulp_s4 = { + .xTR = 0x200, + .xRR = 0x280, + .xSR = {0xC, 0x118, 0x124, 0x12C}, +- .xCR = {0x110, 0x114, 0x120, 0x128}, ++ .xCR = {0x8, 0x110, 0x114, 0x120, 0x128}, + }; + + static const struct imx_mu_dcfg imx_mu_cfg_imx93_s4 = { +@@ -938,7 +938,7 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx93_s4 = { + .xTR = 0x200, + .xRR = 0x280, + .xSR = {0xC, 0x118, 0x124, 0x12C}, +- .xCR = {0x110, 0x114, 0x120, 0x128}, ++ .xCR = {0x8, 0x110, 0x114, 0x120, 0x128}, + }; + + static const struct imx_mu_dcfg imx_mu_cfg_imx8_scu = { +@@ -949,7 +949,7 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx8_scu = { + .xTR = 0x0, + .xRR = 0x10, + .xSR = {0x20, 0x20, 0x20, 0x20}, +- .xCR = {0x24, 0x24, 0x24, 0x24}, ++ .xCR = {0x24, 0x24, 0x24, 0x24, 0x24}, + }; + + static const struct imx_mu_dcfg imx_mu_cfg_imx8_seco = { +@@ -960,7 +960,7 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx8_seco = { + .xTR = 0x0, + .xRR = 0x10, + .xSR = {0x20, 0x20, 0x20, 0x20}, +- .xCR = {0x24, 0x24, 0x24, 0x24}, ++ .xCR = {0x24, 0x24, 0x24, 0x24, 0x24}, + }; + + static const struct of_device_id imx_mu_dt_ids[] = { +-- +2.35.1 + diff --git a/queue-6.0/mailbox-mpfs-account-for-mbox-offsets-while-sending.patch b/queue-6.0/mailbox-mpfs-account-for-mbox-offsets-while-sending.patch new file mode 100644 index 00000000000..c1c0140d9f4 --- /dev/null +++ b/queue-6.0/mailbox-mpfs-account-for-mbox-offsets-while-sending.patch @@ -0,0 +1,60 @@ +From adddf0bead7936691fee4c19e970c429df2ee59f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 08:08:12 +0100 +Subject: mailbox: mpfs: account for mbox offsets while sending + +From: Conor Dooley + +[ Upstream commit 0d1aadfe10ba17ebdeb96abb9638eb0f623f9b55 ] + +The mailbox offset is not only used for receiving messages, but it is +also used by messages sent to the system controller by Linux that have a +payload, such as the "digital signature service". It is also overloaded +by certain other services (reprogramming of the FPGA fabric, see Link:) +to have a meaning other than the offset the system controller should +read from. +When the driver was written, no such services of the latter type were +in use & those of the former used an offset of zero so this has gone +un-noticed. + +Link: https://www.microsemi.com/document-portal/doc_download/1245815-polarfire-fpga-and-polarfire-soc-fpga-system-services-user-guide # Section 5.2 +Fixes: 83d7b1560810 ("mbox: add polarfire soc system controller mailbox") +Signed-off-by: Conor Dooley +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox-mpfs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/mailbox/mailbox-mpfs.c b/drivers/mailbox/mailbox-mpfs.c +index e432a8f0d148..cfacb3f320a6 100644 +--- a/drivers/mailbox/mailbox-mpfs.c ++++ b/drivers/mailbox/mailbox-mpfs.c +@@ -100,21 +100,20 @@ static int mpfs_mbox_send_data(struct mbox_chan *chan, void *data) + + for (index = 0; index < (msg->cmd_data_size / 4); index++) + writel_relaxed(word_buf[index], +- mbox->mbox_base + index * 0x4); ++ mbox->mbox_base + msg->mbox_offset + index * 0x4); + if (extra_bits) { + u8 i; + u8 byte_off = ALIGN_DOWN(msg->cmd_data_size, 4); + u8 *byte_buf = msg->cmd_data + byte_off; + +- val = readl_relaxed(mbox->mbox_base + index * 0x4); ++ val = readl_relaxed(mbox->mbox_base + msg->mbox_offset + index * 0x4); + + for (i = 0u; i < extra_bits; i++) { + val &= ~(0xffu << (i * 8u)); + val |= (byte_buf[i] << (i * 8u)); + } + +- writel_relaxed(val, +- mbox->mbox_base + index * 0x4); ++ writel_relaxed(val, mbox->mbox_base + msg->mbox_offset + index * 0x4); + } + } + +-- +2.35.1 + diff --git a/queue-6.0/mailbox-mpfs-fix-handling-of-the-reg-property.patch b/queue-6.0/mailbox-mpfs-fix-handling-of-the-reg-property.patch new file mode 100644 index 00000000000..4851207e30c --- /dev/null +++ b/queue-6.0/mailbox-mpfs-fix-handling-of-the-reg-property.patch @@ -0,0 +1,113 @@ +From 7e1421a24ad12b78a6431b5796f9e1f4fc190e80 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 08:08:11 +0100 +Subject: mailbox: mpfs: fix handling of the reg property + +From: Conor Dooley + +[ Upstream commit 2e10289d1f304f5082a4dda55a677b72b3bdb581 ] + +The "data" region of the PolarFire SoC's system controller mailbox is +not one continuous register space - the system controller's QSPI sits +between the control and data registers. Split the "data" reg into two +parts: "data" & "control". Optionally get the "data" register address +from the 3rd reg property in the devicetree & fall back to using the +old base + MAILBOX_REG_OFFSET that the current code uses. + +Fixes: 83d7b1560810 ("mbox: add polarfire soc system controller mailbox") +Signed-off-by: Conor Dooley +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mailbox-mpfs.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/drivers/mailbox/mailbox-mpfs.c b/drivers/mailbox/mailbox-mpfs.c +index 4e34854d1238..e432a8f0d148 100644 +--- a/drivers/mailbox/mailbox-mpfs.c ++++ b/drivers/mailbox/mailbox-mpfs.c +@@ -62,6 +62,7 @@ struct mpfs_mbox { + struct mbox_controller controller; + struct device *dev; + int irq; ++ void __iomem *ctrl_base; + void __iomem *mbox_base; + void __iomem *int_reg; + struct mbox_chan chans[1]; +@@ -73,7 +74,7 @@ static bool mpfs_mbox_busy(struct mpfs_mbox *mbox) + { + u32 status; + +- status = readl_relaxed(mbox->mbox_base + SERVICES_SR_OFFSET); ++ status = readl_relaxed(mbox->ctrl_base + SERVICES_SR_OFFSET); + + return status & SCB_STATUS_BUSY_MASK; + } +@@ -99,14 +100,13 @@ static int mpfs_mbox_send_data(struct mbox_chan *chan, void *data) + + for (index = 0; index < (msg->cmd_data_size / 4); index++) + writel_relaxed(word_buf[index], +- mbox->mbox_base + MAILBOX_REG_OFFSET + index * 0x4); ++ mbox->mbox_base + index * 0x4); + if (extra_bits) { + u8 i; + u8 byte_off = ALIGN_DOWN(msg->cmd_data_size, 4); + u8 *byte_buf = msg->cmd_data + byte_off; + +- val = readl_relaxed(mbox->mbox_base + +- MAILBOX_REG_OFFSET + index * 0x4); ++ val = readl_relaxed(mbox->mbox_base + index * 0x4); + + for (i = 0u; i < extra_bits; i++) { + val &= ~(0xffu << (i * 8u)); +@@ -114,14 +114,14 @@ static int mpfs_mbox_send_data(struct mbox_chan *chan, void *data) + } + + writel_relaxed(val, +- mbox->mbox_base + MAILBOX_REG_OFFSET + index * 0x4); ++ mbox->mbox_base + index * 0x4); + } + } + + opt_sel = ((msg->mbox_offset << 7u) | (msg->cmd_opcode & 0x7fu)); + tx_trigger = (opt_sel << SCB_CTRL_POS) & SCB_CTRL_MASK; + tx_trigger |= SCB_CTRL_REQ_MASK | SCB_STATUS_NOTIFY_MASK; +- writel_relaxed(tx_trigger, mbox->mbox_base + SERVICES_CR_OFFSET); ++ writel_relaxed(tx_trigger, mbox->ctrl_base + SERVICES_CR_OFFSET); + + return 0; + } +@@ -141,7 +141,7 @@ static void mpfs_mbox_rx_data(struct mbox_chan *chan) + if (!mpfs_mbox_busy(mbox)) { + for (i = 0; i < num_words; i++) { + response->resp_msg[i] = +- readl_relaxed(mbox->mbox_base + MAILBOX_REG_OFFSET ++ readl_relaxed(mbox->mbox_base + + mbox->resp_offset + i * 0x4); + } + } +@@ -200,14 +200,18 @@ static int mpfs_mbox_probe(struct platform_device *pdev) + if (!mbox) + return -ENOMEM; + +- mbox->mbox_base = devm_platform_get_and_ioremap_resource(pdev, 0, ®s); +- if (IS_ERR(mbox->mbox_base)) +- return PTR_ERR(mbox->mbox_base); ++ mbox->ctrl_base = devm_platform_get_and_ioremap_resource(pdev, 0, ®s); ++ if (IS_ERR(mbox->ctrl_base)) ++ return PTR_ERR(mbox->ctrl_base); + + mbox->int_reg = devm_platform_get_and_ioremap_resource(pdev, 1, ®s); + if (IS_ERR(mbox->int_reg)) + return PTR_ERR(mbox->int_reg); + ++ mbox->mbox_base = devm_platform_get_and_ioremap_resource(pdev, 2, ®s); ++ if (IS_ERR(mbox->mbox_base)) // account for the old dt-binding w/ 2 regs ++ mbox->mbox_base = mbox->ctrl_base + MAILBOX_REG_OFFSET; ++ + mbox->irq = platform_get_irq(pdev, 0); + if (mbox->irq < 0) + return mbox->irq; +-- +2.35.1 + diff --git a/queue-6.0/md-raid5-ensure-stripe_fill-happens-on-non-read-io-w.patch b/queue-6.0/md-raid5-ensure-stripe_fill-happens-on-non-read-io-w.patch new file mode 100644 index 00000000000..69c70d84f1f --- /dev/null +++ b/queue-6.0/md-raid5-ensure-stripe_fill-happens-on-non-read-io-w.patch @@ -0,0 +1,48 @@ +From 5562c10eace5dd5316dd87e06f53e2d147529e99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 09:46:27 -0600 +Subject: md/raid5: Ensure stripe_fill happens on non-read IO with journal + +From: Logan Gunthorpe + +[ Upstream commit e2eed85bc75138a9eeb63863d20f8904ac42a577 ] + +When doing degrade/recover tests using the journal a kernel BUG +is hit at drivers/md/raid5.c:4381 in handle_parity_checks5(): + + BUG_ON(!test_bit(R5_UPTODATE, &dev->flags)); + +This was found to occur because handle_stripe_fill() was skipped +for stripes in the journal due to a condition in that function. +Thus blocks were not fetched and R5_UPTODATE was not set when +the code reached handle_parity_checks5(). + +To fix this, don't skip handle_stripe_fill() unless the stripe is +for read. + +Fixes: 07e83364845e ("md/r5cache: shift complex rmw from read path to write path") +Link: https://lore.kernel.org/linux-raid/e05c4239-41a9-d2f7-3cfa-4aa9d2cea8c1@deltatee.com/ +Suggested-by: Song Liu +Signed-off-by: Logan Gunthorpe +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 31a0cbf63384..4ec33fd62018 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -4047,7 +4047,7 @@ static void handle_stripe_fill(struct stripe_head *sh, + * back cache (prexor with orig_page, and then xor with + * page) in the read path + */ +- if (s->injournal && s->failed) { ++ if (s->to_read && s->injournal && s->failed) { + if (test_bit(STRIPE_R5C_CACHING, &sh->state)) + r5c_make_stripe_write_out(sh); + goto out; +-- +2.35.1 + diff --git a/queue-6.0/md-raid5-remove-unnecessary-bio_put-in-raid5_read_on.patch b/queue-6.0/md-raid5-remove-unnecessary-bio_put-in-raid5_read_on.patch new file mode 100644 index 00000000000..f798b465099 --- /dev/null +++ b/queue-6.0/md-raid5-remove-unnecessary-bio_put-in-raid5_read_on.patch @@ -0,0 +1,116 @@ +From 76dd15d48183a9ad81881b8cb1f1d72d84e4cec8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 10:15:14 -0600 +Subject: md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk() + +From: David Sloan + +[ Upstream commit c66a6f41e09ad386fd2cce22b9cded837bbbc704 ] + +When running chunk-sized reads on disks with badblocks duplicate bio +free/puts are observed: + + ============================================================================= + BUG bio-200 (Not tainted): Object already free + ----------------------------------------------------------------------------- + Allocated in mempool_alloc_slab+0x17/0x20 age=3 cpu=2 pid=7504 + __slab_alloc.constprop.0+0x5a/0xb0 + kmem_cache_alloc+0x31e/0x330 + mempool_alloc_slab+0x17/0x20 + mempool_alloc+0x100/0x2b0 + bio_alloc_bioset+0x181/0x460 + do_mpage_readpage+0x776/0xd00 + mpage_readahead+0x166/0x320 + blkdev_readahead+0x15/0x20 + read_pages+0x13f/0x5f0 + page_cache_ra_unbounded+0x18d/0x220 + force_page_cache_ra+0x181/0x1c0 + page_cache_sync_ra+0x65/0xb0 + filemap_get_pages+0x1df/0xaf0 + filemap_read+0x1e1/0x700 + blkdev_read_iter+0x1e5/0x330 + vfs_read+0x42a/0x570 + Freed in mempool_free_slab+0x17/0x20 age=3 cpu=2 pid=7504 + kmem_cache_free+0x46d/0x490 + mempool_free_slab+0x17/0x20 + mempool_free+0x66/0x190 + bio_free+0x78/0x90 + bio_put+0x100/0x1a0 + raid5_make_request+0x2259/0x2450 + md_handle_request+0x402/0x600 + md_submit_bio+0xd9/0x120 + __submit_bio+0x11f/0x1b0 + submit_bio_noacct_nocheck+0x204/0x480 + submit_bio_noacct+0x32e/0xc70 + submit_bio+0x98/0x1a0 + mpage_readahead+0x250/0x320 + blkdev_readahead+0x15/0x20 + read_pages+0x13f/0x5f0 + page_cache_ra_unbounded+0x18d/0x220 + Slab 0xffffea000481b600 objects=21 used=0 fp=0xffff8881206d8940 flags=0x17ffffc0010201(locked|slab|head|node=0|zone=2|lastcpupid=0x1fffff) + CPU: 0 PID: 34525 Comm: kworker/u24:2 Not tainted 6.0.0-rc2-localyes-265166-gf11c5343fa3f #143 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 + Workqueue: raid5wq raid5_do_work + Call Trace: + + dump_stack_lvl+0x5a/0x78 + dump_stack+0x10/0x16 + print_trailer+0x158/0x165 + object_err+0x35/0x50 + free_debug_processing.cold+0xb7/0xbe + __slab_free+0x1ae/0x330 + kmem_cache_free+0x46d/0x490 + mempool_free_slab+0x17/0x20 + mempool_free+0x66/0x190 + bio_free+0x78/0x90 + bio_put+0x100/0x1a0 + mpage_end_io+0x36/0x150 + bio_endio+0x2fd/0x360 + md_end_io_acct+0x7e/0x90 + bio_endio+0x2fd/0x360 + handle_failed_stripe+0x960/0xb80 + handle_stripe+0x1348/0x3760 + handle_active_stripes.constprop.0+0x72a/0xaf0 + raid5_do_work+0x177/0x330 + process_one_work+0x616/0xb20 + worker_thread+0x2bd/0x6f0 + kthread+0x179/0x1b0 + ret_from_fork+0x22/0x30 + + +The double free is caused by an unnecessary bio_put() in the +if(is_badblock(...)) error path in raid5_read_one_chunk(). + +The error path was moved ahead of bio_alloc_clone() in c82aa1b76787c +("md/raid5: move checking badblock before clone bio in +raid5_read_one_chunk"). The previous code checked and freed align_bio +which required a bio_put. After the move that is no longer needed as +raid_bio is returned to the control of the common io path which +performs its own endio resulting in a double free on bad device blocks. + +Fixes: c82aa1b76787c ("md/raid5: move checking badblock before clone bio in raid5_read_one_chunk") +Signed-off-by: David Sloan +Signed-off-by: Logan Gunthorpe +Reviewed-by: Christoph Hellwig +Acked-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid5.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index 4ec33fd62018..db149d28f639 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -5542,7 +5542,6 @@ static int raid5_read_one_chunk(struct mddev *mddev, struct bio *raid_bio) + + if (is_badblock(rdev, sector, bio_sectors(raid_bio), &first_bad, + &bad_sectors)) { +- bio_put(raid_bio); + rdev_dec_pending(rdev, mddev); + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch b/queue-6.0/md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch new file mode 100644 index 00000000000..501ff7caffe --- /dev/null +++ b/queue-6.0/md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch @@ -0,0 +1,145 @@ +From e476a382cf4653808004a39becdb7dd8fb1f42d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 10:28:37 -0600 +Subject: md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d + +From: Logan Gunthorpe + +[ Upstream commit 5e2cf333b7bd5d3e62595a44d598a254c697cd74 ] + +A complicated deadlock exists when using the journal and an elevated +group_thrtead_cnt. It was found with loop devices, but its not clear +whether it can be seen with real disks. The deadlock can occur simply +by writing data with an fio script. + +When the deadlock occurs, multiple threads will hang in different ways: + + 1) The group threads will hang in the blk-wbt code with bios waiting to + be submitted to the block layer: + + io_schedule+0x70/0xb0 + rq_qos_wait+0x153/0x210 + wbt_wait+0x115/0x1b0 + io_schedule+0x70/0xb0 + rq_qos_wait+0x153/0x210 + wbt_wait+0x115/0x1b0 + __rq_qos_throttle+0x38/0x60 + blk_mq_submit_bio+0x589/0xcd0 + wbt_wait+0x115/0x1b0 + __rq_qos_throttle+0x38/0x60 + blk_mq_submit_bio+0x589/0xcd0 + __submit_bio+0xe6/0x100 + submit_bio_noacct_nocheck+0x42e/0x470 + submit_bio_noacct+0x4c2/0xbb0 + ops_run_io+0x46b/0x1a30 + handle_stripe+0xcd3/0x36b0 + handle_active_stripes.constprop.0+0x6f6/0xa60 + raid5_do_work+0x177/0x330 + + Or: + io_schedule+0x70/0xb0 + rq_qos_wait+0x153/0x210 + wbt_wait+0x115/0x1b0 + __rq_qos_throttle+0x38/0x60 + blk_mq_submit_bio+0x589/0xcd0 + __submit_bio+0xe6/0x100 + submit_bio_noacct_nocheck+0x42e/0x470 + submit_bio_noacct+0x4c2/0xbb0 + flush_deferred_bios+0x136/0x170 + raid5_do_work+0x262/0x330 + + 2) The r5l_reclaim thread will hang in the same way, submitting a + bio to the block layer: + + io_schedule+0x70/0xb0 + rq_qos_wait+0x153/0x210 + wbt_wait+0x115/0x1b0 + __rq_qos_throttle+0x38/0x60 + blk_mq_submit_bio+0x589/0xcd0 + __submit_bio+0xe6/0x100 + submit_bio_noacct_nocheck+0x42e/0x470 + submit_bio_noacct+0x4c2/0xbb0 + submit_bio+0x3f/0xf0 + md_super_write+0x12f/0x1b0 + md_update_sb.part.0+0x7c6/0xff0 + md_update_sb+0x30/0x60 + r5l_do_reclaim+0x4f9/0x5e0 + r5l_reclaim_thread+0x69/0x30b + + However, before hanging, the MD_SB_CHANGE_PENDING flag will be + set for sb_flags in r5l_write_super_and_discard_space(). This + flag will never be cleared because the submit_bio() call never + returns. + + 3) Due to the MD_SB_CHANGE_PENDING flag being set, handle_stripe() + will do no processing on any pending stripes and re-set + STRIPE_HANDLE. This will cause the raid5d thread to enter an + infinite loop, constantly trying to handle the same stripes + stuck in the queue. + + The raid5d thread has a blk_plug that holds a number of bios + that are also stuck waiting seeing the thread is in a loop + that never schedules. These bios have been accounted for by + blk-wbt thus preventing the other threads above from + continuing when they try to submit bios. --Deadlock. + +To fix this, add the same wait_event() that is used in raid5_do_work() +to raid5d() such that if MD_SB_CHANGE_PENDING is set, the thread will +schedule and wait until the flag is cleared. The schedule action will +flush the plug which will allow the r5l_reclaim thread to continue, +thus preventing the deadlock. + +However, md_check_recovery() calls can also clear MD_SB_CHANGE_PENDING +from the same thread and can thus deadlock if the thread is put to +sleep. So avoid waiting if md_check_recovery() is being called in the +loop. + +It's not clear when the deadlock was introduced, but the similar +wait_event() call in raid5_do_work() was added in 2017 by this +commit: + + 16d997b78b15 ("md/raid5: simplfy delaying of writes while metadata + is updated.") + +Link: https://lore.kernel.org/r/7f3b87b6-b52a-f737-51d7-a4eec5c44112@deltatee.com +Signed-off-by: Logan Gunthorpe +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid5.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c +index db149d28f639..caaae10e33f8 100644 +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -36,6 +36,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -6780,7 +6781,18 @@ static void raid5d(struct md_thread *thread) + spin_unlock_irq(&conf->device_lock); + md_check_recovery(mddev); + spin_lock_irq(&conf->device_lock); ++ ++ /* ++ * Waiting on MD_SB_CHANGE_PENDING below may deadlock ++ * seeing md_check_recovery() is needed to clear ++ * the flag when using mdmon. ++ */ ++ continue; + } ++ ++ wait_event_lock_irq(mddev->sb_wait, ++ !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags), ++ conf->device_lock); + } + pr_debug("%d stripes handled\n", handled); + +-- +2.35.1 + diff --git a/queue-6.0/md-remove-extra-mddev_get-in-md_seq_start.patch b/queue-6.0/md-remove-extra-mddev_get-in-md_seq_start.patch new file mode 100644 index 00000000000..8008a9f0acb --- /dev/null +++ b/queue-6.0/md-remove-extra-mddev_get-in-md_seq_start.patch @@ -0,0 +1,46 @@ +From 3966d808b3978d65615f8550be377cc6370a6775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 10:15:15 -0600 +Subject: md: Remove extra mddev_get() in md_seq_start() + +From: Logan Gunthorpe + +[ Upstream commit 3bfc3bcd787c48aa31e4fde4a6dfcef4cd7ee2c2 ] + +A regression is seen where mddev devices stay permanently after they +are stopped due to an elevated reference count. + +This was tracked down to an extra mddev_get() in md_seq_start(). + +It only happened rarely because most of the time the md_seq_start() +is called with a zero offset. The path with an extra mddev_get() only +happens when it starts with a non-zero offset. + +The commit noted below changed an mddev_get() to check its success +but inadvertently left the original call in. Remove the extra call. + +Fixes: 12a6caf27324 ("md: only delete entries from all_mddevs when the disk is freed") +Signed-off-by: Logan Gunthorpe +Reviewed-by: Christoph Hellwig +Acked-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 729be2c5296c..470a975e4be9 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8156,7 +8156,6 @@ static void *md_seq_start(struct seq_file *seq, loff_t *pos) + list_for_each(tmp,&all_mddevs) + if (!l--) { + mddev = list_entry(tmp, struct mddev, all_mddevs); +- mddev_get(mddev); + if (!mddev_get(mddev)) + continue; + spin_unlock(&all_mddevs_lock); +-- +2.35.1 + diff --git a/queue-6.0/md-replace-snprintf-with-scnprintf.patch b/queue-6.0/md-replace-snprintf-with-scnprintf.patch new file mode 100644 index 00000000000..edb3a4e654b --- /dev/null +++ b/queue-6.0/md-replace-snprintf-with-scnprintf.patch @@ -0,0 +1,71 @@ +From 9f62ae13ee319ab4af07d741ef2ba9100c25cd6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 11:51:04 -0700 +Subject: md: Replace snprintf with scnprintf +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Saurabh Sengar + +[ Upstream commit 1727fd5015d8f93474148f94e34cda5aa6ad4a43 ] + +Current code produces a warning as shown below when total characters +in the constituent block device names plus the slashes exceeds 200. +snprintf() returns the number of characters generated from the given +input, which could cause the expression “200 – len” to wrap around +to a large positive number. Fix this by using scnprintf() instead, +which returns the actual number of characters written into the buffer. + +[ 1513.267938] ------------[ cut here ]------------ +[ 1513.267943] WARNING: CPU: 15 PID: 37247 at /lib/vsprintf.c:2509 vsnprintf+0x2c8/0x510 +[ 1513.267944] Modules linked in: +[ 1513.267969] CPU: 15 PID: 37247 Comm: mdadm Not tainted 5.4.0-1085-azure #90~18.04.1-Ubuntu +[ 1513.267969] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022 +[ 1513.267971] RIP: 0010:vsnprintf+0x2c8/0x510 +<-snip-> +[ 1513.267982] Call Trace: +[ 1513.267986] snprintf+0x45/0x70 +[ 1513.267990] ? disk_name+0x71/0xa0 +[ 1513.267993] dump_zones+0x114/0x240 [raid0] +[ 1513.267996] ? _cond_resched+0x19/0x40 +[ 1513.267998] raid0_run+0x19e/0x270 [raid0] +[ 1513.268000] md_run+0x5e0/0xc50 +[ 1513.268003] ? security_capable+0x3f/0x60 +[ 1513.268005] do_md_run+0x19/0x110 +[ 1513.268006] md_ioctl+0x195e/0x1f90 +[ 1513.268007] blkdev_ioctl+0x91f/0x9f0 +[ 1513.268010] block_ioctl+0x3d/0x50 +[ 1513.268012] do_vfs_ioctl+0xa9/0x640 +[ 1513.268014] ? __fput+0x162/0x260 +[ 1513.268016] ksys_ioctl+0x75/0x80 +[ 1513.268017] __x64_sys_ioctl+0x1a/0x20 +[ 1513.268019] do_syscall_64+0x5e/0x200 +[ 1513.268021] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Fixes: 766038846e875 ("md/raid0: replace printk() with pr_*()") +Reviewed-by: Michael Kelley +Acked-by: Guoqing Jiang +Signed-off-by: Saurabh Sengar +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/raid0.c b/drivers/md/raid0.c +index 78addfe4a0c9..857c49399c28 100644 +--- a/drivers/md/raid0.c ++++ b/drivers/md/raid0.c +@@ -47,7 +47,7 @@ static void dump_zones(struct mddev *mddev) + int len = 0; + + for (k = 0; k < conf->strip_zone[j].nb_dev; k++) +- len += snprintf(line+len, 200-len, "%s%pg", k?"/":"", ++ len += scnprintf(line+len, 200-len, "%s%pg", k?"/":"", + conf->devlist[j * raid_disks + k]->bdev); + pr_debug("md: zone%d=[%s]\n", j, line); + +-- +2.35.1 + diff --git a/queue-6.0/media-airspy-fix-memory-leak-in-airspy-probe.patch b/queue-6.0/media-airspy-fix-memory-leak-in-airspy-probe.patch new file mode 100644 index 00000000000..e01465180e9 --- /dev/null +++ b/queue-6.0/media-airspy-fix-memory-leak-in-airspy-probe.patch @@ -0,0 +1,46 @@ +From a3421d2bbf87d08c0dd5157a7f887af4a20fe483 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 06:57:00 +0200 +Subject: media: airspy: fix memory leak in airspy probe + +From: Dongliang Mu + +[ Upstream commit 23bc5eb55f8c9607965c20d9ddcc13cb1ae59568 ] + +The commit ca9dc8d06ab6 ("media: airspy: respect the DMA coherency + rules") moves variable buf from stack to heap, however, it only frees +buf in the error handling code, missing deallocation in the success +path. + +Fix this by freeing buf in the success path since this variable does not +have any references in other code. + +Fixes: ca9dc8d06ab6 ("media: airspy: respect the DMA coherency rules") +Reported-by: syzbot+bb25f85e5aa482864dc0@syzkaller.appspotmail.com +Signed-off-by: Dongliang Mu +Reviewed-by: Tommaso Merciai +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/airspy/airspy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/airspy/airspy.c b/drivers/media/usb/airspy/airspy.c +index 240a7cc56777..7b1c40132555 100644 +--- a/drivers/media/usb/airspy/airspy.c ++++ b/drivers/media/usb/airspy/airspy.c +@@ -1070,6 +1070,10 @@ static int airspy_probe(struct usb_interface *intf, + ret); + goto err_free_controls; + } ++ ++ /* Free buf if success*/ ++ kfree(buf); ++ + dev_info(s->dev, "Registered as %s\n", + video_device_node_name(&s->vdev)); + dev_notice(s->dev, "SDR API is still slightly experimental and functionality changes may follow\n"); +-- +2.35.1 + diff --git a/queue-6.0/media-amphion-adjust-the-encoder-s-value-range-of-go.patch b/queue-6.0/media-amphion-adjust-the-encoder-s-value-range-of-go.patch new file mode 100644 index 00000000000..7180e786ce7 --- /dev/null +++ b/queue-6.0/media-amphion-adjust-the-encoder-s-value-range-of-go.patch @@ -0,0 +1,39 @@ +From af2157715c99b3c54c2e6bdfc3cb61286e6cb41f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 09:38:00 +0200 +Subject: media: amphion: adjust the encoder's value range of gop size + +From: Ming Qian + +[ Upstream commit 996f4e89fabe44ab9ac0aabb0697aeecbe717eca ] + +adjust the value range of gop size from [0, 65535] to [1, 8000]. +when the gop size is set to a too large value, +it may affect the encoded picture quality. +so constrain it to a reasonable range. + +Fixes: 0401e659c1f92 ("media: amphion: add v4l2 m2m vpu encoder stateful driver") +Signed-off-by: Ming Qian +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/amphion/venc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/amphion/venc.c b/drivers/media/platform/amphion/venc.c +index 461524dd1e44..37212f087fdd 100644 +--- a/drivers/media/platform/amphion/venc.c ++++ b/drivers/media/platform/amphion/venc.c +@@ -644,7 +644,7 @@ static int venc_ctrl_init(struct vpu_inst *inst) + BITRATE_DEFAULT_PEAK); + + v4l2_ctrl_new_std(&inst->ctrl_handler, &venc_ctrl_ops, +- V4L2_CID_MPEG_VIDEO_GOP_SIZE, 0, (1 << 16) - 1, 1, 30); ++ V4L2_CID_MPEG_VIDEO_GOP_SIZE, 1, 8000, 1, 30); + + v4l2_ctrl_new_std(&inst->ctrl_handler, &venc_ctrl_ops, + V4L2_CID_MPEG_VIDEO_B_FRAMES, 0, 4, 1, 0); +-- +2.35.1 + diff --git a/queue-6.0/media-amphion-don-t-change-the-colorspace-reported-b.patch b/queue-6.0/media-amphion-don-t-change-the-colorspace-reported-b.patch new file mode 100644 index 00000000000..039f73088d9 --- /dev/null +++ b/queue-6.0/media-amphion-don-t-change-the-colorspace-reported-b.patch @@ -0,0 +1,60 @@ +From bb581b61f56eeb6b90f7f4af357f510b13cced60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Jul 2022 05:02:29 +0200 +Subject: media: amphion: don't change the colorspace reported by decoder. + +From: Ming Qian + +[ Upstream commit 61c2698ee60630c6a7d2e99850fa81ff6450270a ] + +decoder will report the colorspace information +which is parsed from the sequence header, +if they are unspecified, just let application to determine it, +don't change it in driver. + +Fixes: 6de8d628df6ef ("media: amphion: add v4l2 m2m vpu decoder stateful driver") +Signed-off-by: Ming Qian +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/amphion/vdec.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/platform/amphion/vdec.c b/drivers/media/platform/amphion/vdec.c +index 9e64041cc1c1..feb75dc204de 100644 +--- a/drivers/media/platform/amphion/vdec.c ++++ b/drivers/media/platform/amphion/vdec.c +@@ -808,14 +808,6 @@ static void vdec_init_fmt(struct vpu_inst *inst) + inst->cap_format.field = V4L2_FIELD_NONE; + else + inst->cap_format.field = V4L2_FIELD_SEQ_TB; +- if (vdec->codec_info.color_primaries == V4L2_COLORSPACE_DEFAULT) +- vdec->codec_info.color_primaries = V4L2_COLORSPACE_REC709; +- if (vdec->codec_info.transfer_chars == V4L2_XFER_FUNC_DEFAULT) +- vdec->codec_info.transfer_chars = V4L2_XFER_FUNC_709; +- if (vdec->codec_info.matrix_coeffs == V4L2_YCBCR_ENC_DEFAULT) +- vdec->codec_info.matrix_coeffs = V4L2_YCBCR_ENC_709; +- if (vdec->codec_info.full_range == V4L2_QUANTIZATION_DEFAULT) +- vdec->codec_info.full_range = V4L2_QUANTIZATION_LIM_RANGE; + } + + static void vdec_init_crop(struct vpu_inst *inst) +@@ -1555,6 +1547,14 @@ static int vdec_get_debug_info(struct vpu_inst *inst, char *str, u32 size, u32 i + vdec->codec_info.frame_rate.numerator, + vdec->codec_info.frame_rate.denominator); + break; ++ case 9: ++ num = scnprintf(str, size, "colorspace: %d, %d, %d, %d (%d)\n", ++ vdec->codec_info.color_primaries, ++ vdec->codec_info.transfer_chars, ++ vdec->codec_info.matrix_coeffs, ++ vdec->codec_info.full_range, ++ vdec->codec_info.vui_present); ++ break; + default: + break; + } +-- +2.35.1 + diff --git a/queue-6.0/media-amphion-fix-a-bug-that-vpu-core-may-not-resume.patch b/queue-6.0/media-amphion-fix-a-bug-that-vpu-core-may-not-resume.patch new file mode 100644 index 00000000000..23f8b48b084 --- /dev/null +++ b/queue-6.0/media-amphion-fix-a-bug-that-vpu-core-may-not-resume.patch @@ -0,0 +1,264 @@ +From f7c07775ff147e8c46fe456d3d99329c795d37d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 05:18:21 +0200 +Subject: media: amphion: fix a bug that vpu core may not resume after suspend + +From: Ming Qian + +[ Upstream commit 0202a665bf17fbe98fed954944aabbcb4f14a4cc ] + +driver will enable the vpu core when request the first instance +on the core. +one vpu core can only support 8 streaming instances in the same +time, the instance won't be added to core's list before streamon. + +so the actual instance count may be greater then the number in +the core's list. + +in pm resume callback, driver will resume the core immediately if +core's list is not empty. +but this check is not accurate, +if suspend during one instance is requested, but not streamon, +then after suspend, the core won't be resume, and led to instance failure. + +use the request_count instead of the core's list to check +whether is the core needed to resume immediately after suspend. + +And it can make the pm suspend and resume callback more clear. + +Fixes: 9f599f351e86 ("media: amphion: add vpu core driver") +Signed-off-by: Ming Qian +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/amphion/vpu.h | 1 - + drivers/media/platform/amphion/vpu_core.c | 84 ++++++++++++----------- + drivers/media/platform/amphion/vpu_core.h | 1 + + drivers/media/platform/amphion/vpu_dbg.c | 9 ++- + 4 files changed, 51 insertions(+), 44 deletions(-) + +diff --git a/drivers/media/platform/amphion/vpu.h b/drivers/media/platform/amphion/vpu.h +index f914de6ed81e..beac0309ca8d 100644 +--- a/drivers/media/platform/amphion/vpu.h ++++ b/drivers/media/platform/amphion/vpu.h +@@ -119,7 +119,6 @@ struct vpu_mbox { + enum vpu_core_state { + VPU_CORE_DEINIT = 0, + VPU_CORE_ACTIVE, +- VPU_CORE_SNAPSHOT, + VPU_CORE_HANG + }; + +diff --git a/drivers/media/platform/amphion/vpu_core.c b/drivers/media/platform/amphion/vpu_core.c +index 73faa50d2865..f9ec1753f7c8 100644 +--- a/drivers/media/platform/amphion/vpu_core.c ++++ b/drivers/media/platform/amphion/vpu_core.c +@@ -89,7 +89,7 @@ static int vpu_core_boot_done(struct vpu_core *core) + core->supported_instance_count = min(core->supported_instance_count, count); + } + core->fw_version = fw_version; +- core->state = VPU_CORE_ACTIVE; ++ vpu_core_set_state(core, VPU_CORE_ACTIVE); + + return 0; + } +@@ -172,10 +172,26 @@ int vpu_alloc_dma(struct vpu_core *core, struct vpu_buffer *buf) + return __vpu_alloc_dma(core->dev, buf); + } + +-static void vpu_core_check_hang(struct vpu_core *core) ++void vpu_core_set_state(struct vpu_core *core, enum vpu_core_state state) + { +- if (core->hang_mask) +- core->state = VPU_CORE_HANG; ++ if (state != core->state) ++ vpu_trace(core->dev, "vpu core state change from %d to %d\n", core->state, state); ++ core->state = state; ++ if (core->state == VPU_CORE_DEINIT) ++ core->hang_mask = 0; ++} ++ ++static void vpu_core_update_state(struct vpu_core *core) ++{ ++ if (!vpu_iface_get_power_state(core)) { ++ if (core->request_count) ++ vpu_core_set_state(core, VPU_CORE_HANG); ++ else ++ vpu_core_set_state(core, VPU_CORE_DEINIT); ++ ++ } else if (core->state == VPU_CORE_ACTIVE && core->hang_mask) { ++ vpu_core_set_state(core, VPU_CORE_HANG); ++ } + } + + static struct vpu_core *vpu_core_find_proper_by_type(struct vpu_dev *vpu, u32 type) +@@ -188,11 +204,13 @@ static struct vpu_core *vpu_core_find_proper_by_type(struct vpu_dev *vpu, u32 ty + dev_dbg(c->dev, "instance_mask = 0x%lx, state = %d\n", c->instance_mask, c->state); + if (c->type != type) + continue; ++ mutex_lock(&c->lock); ++ vpu_core_update_state(c); ++ mutex_unlock(&c->lock); + if (c->state == VPU_CORE_DEINIT) { + core = c; + break; + } +- vpu_core_check_hang(c); + if (c->state != VPU_CORE_ACTIVE) + continue; + if (c->request_count < request_count) { +@@ -409,6 +427,12 @@ int vpu_inst_register(struct vpu_inst *inst) + } + + mutex_lock(&core->lock); ++ if (core->state != VPU_CORE_ACTIVE) { ++ dev_err(core->dev, "vpu core is not active, state = %d\n", core->state); ++ ret = -EINVAL; ++ goto exit; ++ } ++ + if (inst->id >= 0 && inst->id < core->supported_instance_count) + goto exit; + +@@ -450,7 +474,7 @@ int vpu_inst_unregister(struct vpu_inst *inst) + vpu_core_release_instance(core, inst->id); + inst->id = VPU_INST_NULL_ID; + } +- vpu_core_check_hang(core); ++ vpu_core_update_state(core); + if (core->state == VPU_CORE_HANG && !core->instance_mask) { + int err; + +@@ -459,7 +483,7 @@ int vpu_inst_unregister(struct vpu_inst *inst) + err = vpu_core_sw_reset(core); + mutex_lock(&core->lock); + if (!err) { +- core->state = VPU_CORE_ACTIVE; ++ vpu_core_set_state(core, VPU_CORE_ACTIVE); + core->hang_mask = 0; + } + } +@@ -609,7 +633,7 @@ static int vpu_core_probe(struct platform_device *pdev) + mutex_init(&core->cmd_lock); + init_completion(&core->cmp); + init_waitqueue_head(&core->ack_wq); +- core->state = VPU_CORE_DEINIT; ++ vpu_core_set_state(core, VPU_CORE_DEINIT); + + core->res = of_device_get_match_data(dev); + if (!core->res) +@@ -758,33 +782,18 @@ static int __maybe_unused vpu_core_resume(struct device *dev) + mutex_lock(&core->lock); + pm_runtime_resume_and_get(dev); + vpu_core_get_vpu(core); +- if (core->state != VPU_CORE_SNAPSHOT) +- goto exit; + +- if (!vpu_iface_get_power_state(core)) { +- if (!list_empty(&core->instances)) { ++ if (core->request_count) { ++ if (!vpu_iface_get_power_state(core)) + ret = vpu_core_boot(core, false); +- if (ret) { +- dev_err(core->dev, "%s boot fail\n", __func__); +- core->state = VPU_CORE_DEINIT; +- goto exit; +- } +- } else { +- core->state = VPU_CORE_DEINIT; +- } +- } else { +- if (!list_empty(&core->instances)) { ++ else + ret = vpu_core_sw_reset(core); +- if (ret) { +- dev_err(core->dev, "%s sw_reset fail\n", __func__); +- core->state = VPU_CORE_HANG; +- goto exit; +- } ++ if (ret) { ++ dev_err(core->dev, "resume fail\n"); ++ vpu_core_set_state(core, VPU_CORE_HANG); + } +- core->state = VPU_CORE_ACTIVE; + } +- +-exit: ++ vpu_core_update_state(core); + pm_runtime_put_sync(dev); + mutex_unlock(&core->lock); + +@@ -798,18 +807,11 @@ static int __maybe_unused vpu_core_suspend(struct device *dev) + int ret = 0; + + mutex_lock(&core->lock); +- if (core->state == VPU_CORE_ACTIVE) { +- if (!list_empty(&core->instances)) { +- ret = vpu_core_snapshot(core); +- if (ret) { +- mutex_unlock(&core->lock); +- return ret; +- } +- } +- +- core->state = VPU_CORE_SNAPSHOT; +- } ++ if (core->request_count) ++ ret = vpu_core_snapshot(core); + mutex_unlock(&core->lock); ++ if (ret) ++ return ret; + + vpu_core_cancel_work(core); + +diff --git a/drivers/media/platform/amphion/vpu_core.h b/drivers/media/platform/amphion/vpu_core.h +index 00a662997da4..65b562642603 100644 +--- a/drivers/media/platform/amphion/vpu_core.h ++++ b/drivers/media/platform/amphion/vpu_core.h +@@ -11,5 +11,6 @@ u32 csr_readl(struct vpu_core *core, u32 reg); + int vpu_alloc_dma(struct vpu_core *core, struct vpu_buffer *buf); + void vpu_free_dma(struct vpu_buffer *buf); + struct vpu_inst *vpu_core_find_instance(struct vpu_core *core, u32 index); ++void vpu_core_set_state(struct vpu_core *core, enum vpu_core_state state); + + #endif +diff --git a/drivers/media/platform/amphion/vpu_dbg.c b/drivers/media/platform/amphion/vpu_dbg.c +index f72c8a506b22..260f1c4b8f8d 100644 +--- a/drivers/media/platform/amphion/vpu_dbg.c ++++ b/drivers/media/platform/amphion/vpu_dbg.c +@@ -15,6 +15,7 @@ + #include + #include "vpu.h" + #include "vpu_defs.h" ++#include "vpu_core.h" + #include "vpu_helpers.h" + #include "vpu_cmds.h" + #include "vpu_rpc.h" +@@ -233,6 +234,10 @@ static int vpu_dbg_core(struct seq_file *s, void *data) + if (seq_write(s, str, num)) + return 0; + ++ num = scnprintf(str, sizeof(str), "power %s\n", ++ vpu_iface_get_power_state(core) ? "on" : "off"); ++ if (seq_write(s, str, num)) ++ return 0; + num = scnprintf(str, sizeof(str), "state = %d\n", core->state); + if (seq_write(s, str, num)) + return 0; +@@ -346,10 +351,10 @@ static ssize_t vpu_dbg_core_write(struct file *file, + + pm_runtime_resume_and_get(core->dev); + mutex_lock(&core->lock); +- if (core->state != VPU_CORE_DEINIT && !core->instance_mask) { ++ if (vpu_iface_get_power_state(core) && !core->request_count) { + dev_info(core->dev, "reset\n"); + if (!vpu_core_sw_reset(core)) { +- core->state = VPU_CORE_ACTIVE; ++ vpu_core_set_state(core, VPU_CORE_ACTIVE); + core->hang_mask = 0; + } + } +-- +2.35.1 + diff --git a/queue-6.0/media-amphion-insert-picture-startcode-after-seek-fo.patch b/queue-6.0/media-amphion-insert-picture-startcode-after-seek-fo.patch new file mode 100644 index 00000000000..5aae4a2ccdc --- /dev/null +++ b/queue-6.0/media-amphion-insert-picture-startcode-after-seek-fo.patch @@ -0,0 +1,46 @@ +From 5a49814b49f90536ac8284c3a94b20c8eb86e801 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 09:15:49 +0200 +Subject: media: amphion: insert picture startcode after seek for vc1g format + +From: Ming Qian + +[ Upstream commit f7fd6c318c8a5d06bf3fe611f30763d62eaaf7f0 ] + +For format vc1, the amphion vpu requires driver to +help insert some custom startcode before sequence and frame. +the startcode is different for vc1l and vc1g format. + +But the sequence startcode is only needed at the beginning, +and it's not expected after seek. +driver need to treat the codec header and the first frame after seek +as a normal frame, and insert picture startcode for it. + +In previous patch, I just fix it for vc1l format, +and should fix the similar issue for vc1g too. + +Fixes: e670f5d672ef (media: amphion: only insert the first sequence startcode for vc1l format) +Signed-off-by: Ming Qian +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/amphion/vpu_malone.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/amphion/vpu_malone.c b/drivers/media/platform/amphion/vpu_malone.c +index f4a488bf9880..51e0702f9ae1 100644 +--- a/drivers/media/platform/amphion/vpu_malone.c ++++ b/drivers/media/platform/amphion/vpu_malone.c +@@ -1293,7 +1293,7 @@ static int vpu_malone_insert_scode_vc1_g_pic(struct malone_scode_t *scode) + vbuf = to_vb2_v4l2_buffer(scode->vb); + data = vb2_plane_vaddr(scode->vb, 0); + +- if (vbuf->sequence == 0 || vpu_vb_is_codecconfig(vbuf)) ++ if (scode->inst->total_input_count == 0 || vpu_vb_is_codecconfig(vbuf)) + return 0; + if (MALONE_VC1_CONTAIN_NAL(*data)) + return 0; +-- +2.35.1 + diff --git a/queue-6.0/media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch b/queue-6.0/media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch new file mode 100644 index 00000000000..f32cb24b0e4 --- /dev/null +++ b/queue-6.0/media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch @@ -0,0 +1,141 @@ +From 8e50ca2ce60e569a0d55f0fdef05a9068e7cfe5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 04:23:38 +0200 +Subject: media: cx88: Fix a null-ptr-deref bug in buffer_prepare() + +From: Zheyu Ma + +[ Upstream commit 2b064d91440b33fba5b452f2d1b31f13ae911d71 ] + +When the driver calls cx88_risc_buffer() to prepare the buffer, the +function call may fail, resulting in a empty buffer and null-ptr-deref +later in buffer_queue(). + +The following log can reveal it: + +[ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI +[ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +[ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500 +[ 41.836311] Call Trace: +[ 41.836945] __enqueue_in_driver+0x141/0x360 +[ 41.837262] vb2_start_streaming+0x62/0x4a0 +[ 41.838216] vb2_core_streamon+0x1da/0x2c0 +[ 41.838516] __vb2_init_fileio+0x981/0xbc0 +[ 41.839141] __vb2_perform_fileio+0xbf9/0x1120 +[ 41.840072] vb2_fop_read+0x20e/0x400 +[ 41.840346] v4l2_read+0x215/0x290 +[ 41.840603] vfs_read+0x162/0x4c0 + +Fix this by checking the return value of cx88_risc_buffer() + +[hverkuil: fix coding style issues] + +Signed-off-by: Zheyu Ma +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx88/cx88-vbi.c | 9 +++--- + drivers/media/pci/cx88/cx88-video.c | 43 +++++++++++++++-------------- + 2 files changed, 26 insertions(+), 26 deletions(-) + +diff --git a/drivers/media/pci/cx88/cx88-vbi.c b/drivers/media/pci/cx88/cx88-vbi.c +index a075788c64d4..469aeaa725ad 100644 +--- a/drivers/media/pci/cx88/cx88-vbi.c ++++ b/drivers/media/pci/cx88/cx88-vbi.c +@@ -144,11 +144,10 @@ static int buffer_prepare(struct vb2_buffer *vb) + return -EINVAL; + vb2_set_plane_payload(vb, 0, size); + +- cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl, +- 0, VBI_LINE_LENGTH * lines, +- VBI_LINE_LENGTH, 0, +- lines); +- return 0; ++ return cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl, ++ 0, VBI_LINE_LENGTH * lines, ++ VBI_LINE_LENGTH, 0, ++ lines); + } + + static void buffer_finish(struct vb2_buffer *vb) +diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c +index d3729be89252..b509c2a03852 100644 +--- a/drivers/media/pci/cx88/cx88-video.c ++++ b/drivers/media/pci/cx88/cx88-video.c +@@ -431,6 +431,7 @@ static int queue_setup(struct vb2_queue *q, + + static int buffer_prepare(struct vb2_buffer *vb) + { ++ int ret; + struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); + struct cx8800_dev *dev = vb->vb2_queue->drv_priv; + struct cx88_core *core = dev->core; +@@ -445,35 +446,35 @@ static int buffer_prepare(struct vb2_buffer *vb) + + switch (core->field) { + case V4L2_FIELD_TOP: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, 0, UNSET, +- buf->bpl, 0, core->height); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, 0, UNSET, ++ buf->bpl, 0, core->height); + break; + case V4L2_FIELD_BOTTOM: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, UNSET, 0, +- buf->bpl, 0, core->height); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, UNSET, 0, ++ buf->bpl, 0, core->height); + break; + case V4L2_FIELD_SEQ_TB: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, +- 0, buf->bpl * (core->height >> 1), +- buf->bpl, 0, +- core->height >> 1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, ++ 0, buf->bpl * (core->height >> 1), ++ buf->bpl, 0, ++ core->height >> 1); + break; + case V4L2_FIELD_SEQ_BT: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, +- buf->bpl * (core->height >> 1), 0, +- buf->bpl, 0, +- core->height >> 1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, ++ buf->bpl * (core->height >> 1), 0, ++ buf->bpl, 0, ++ core->height >> 1); + break; + case V4L2_FIELD_INTERLACED: + default: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, 0, buf->bpl, +- buf->bpl, buf->bpl, +- core->height >> 1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, 0, buf->bpl, ++ buf->bpl, buf->bpl, ++ core->height >> 1); + break; + } + dprintk(2, +@@ -481,7 +482,7 @@ static int buffer_prepare(struct vb2_buffer *vb) + buf, buf->vb.vb2_buf.index, __func__, + core->width, core->height, dev->fmt->depth, dev->fmt->fourcc, + (unsigned long)buf->risc.dma); +- return 0; ++ return ret; + } + + static void buffer_finish(struct vb2_buffer *vb) +-- +2.35.1 + diff --git a/queue-6.0/media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch b/queue-6.0/media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch new file mode 100644 index 00000000000..18cbcb25412 --- /dev/null +++ b/queue-6.0/media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch @@ -0,0 +1,38 @@ +From f62652e3d1d152a9f0ad63ee20aa06e68e1460b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 16:30:03 +0200 +Subject: media: exynos4-is: fimc-is: Add of_node_put() when breaking out of + loop + +From: Liang He + +[ Upstream commit 211f8304fa21aaedc2c247f0c9d6c7f1aaa61ad7 ] + +In fimc_is_register_subdevs(), we need to call of_node_put() for +the reference 'i2c_bus' when breaking out of the +for_each_compatible_node() which has increased the refcount. + +Fixes: 9a761e436843 ("[media] exynos4-is: Add Exynos4x12 FIMC-IS driver") +Signed-off-by: Liang He +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/samsung/exynos4-is/fimc-is.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/samsung/exynos4-is/fimc-is.c b/drivers/media/platform/samsung/exynos4-is/fimc-is.c +index e3072d69c49f..a7704ff069d6 100644 +--- a/drivers/media/platform/samsung/exynos4-is/fimc-is.c ++++ b/drivers/media/platform/samsung/exynos4-is/fimc-is.c +@@ -213,6 +213,7 @@ static int fimc_is_register_subdevs(struct fimc_is *is) + + if (ret < 0 || index >= FIMC_IS_SENSORS_NUM) { + of_node_put(child); ++ of_node_put(i2c_bus); + return ret; + } + index++; +-- +2.35.1 + diff --git a/queue-6.0/media-mediatek-vcodec-skip-non-cbr-bitrate-mode.patch b/queue-6.0/media-mediatek-vcodec-skip-non-cbr-bitrate-mode.patch new file mode 100644 index 00000000000..b008ec69d92 --- /dev/null +++ b/queue-6.0/media-mediatek-vcodec-skip-non-cbr-bitrate-mode.patch @@ -0,0 +1,40 @@ +From e22621567980decfb468f4838104a1f3c9df2aa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 06:42:42 +0200 +Subject: media: mediatek: vcodec: Skip non CBR bitrate mode + +From: Hirokazu Honda + +[ Upstream commit e7bfdf0a854037e8c0597f1f44f72651869c424d ] + +V4L2_MPEG_VIDEO_BITRATE_MODE_CBR is the only bitrate mode supported +by the mediatek driver. The other bitrates must be skipped in +QUERY_MENU. + +Fixes: d8e8aa866ed8 ("media: mediatek: vcodec: Report supported bitrate modes") +Signed-off-by: Hirokazu Honda +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c +index 25e816863597..27c5fdaabed4 100644 +--- a/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c ++++ b/drivers/media/platform/mediatek/vcodec/mtk_vcodec_enc.c +@@ -1403,7 +1403,8 @@ int mtk_vcodec_enc_ctrls_setup(struct mtk_vcodec_ctx *ctx) + V4L2_MPEG_VIDEO_VP8_PROFILE_0, 0, V4L2_MPEG_VIDEO_VP8_PROFILE_0); + v4l2_ctrl_new_std_menu(handler, ops, V4L2_CID_MPEG_VIDEO_BITRATE_MODE, + V4L2_MPEG_VIDEO_BITRATE_MODE_CBR, +- 0, V4L2_MPEG_VIDEO_BITRATE_MODE_CBR); ++ ~(1 << V4L2_MPEG_VIDEO_BITRATE_MODE_CBR), ++ V4L2_MPEG_VIDEO_BITRATE_MODE_CBR); + + + if (handler->error) { +-- +2.35.1 + diff --git a/queue-6.0/media-meson-vdec-add-missing-clk_disable_unprepare-o.patch b/queue-6.0/media-meson-vdec-add-missing-clk_disable_unprepare-o.patch new file mode 100644 index 00000000000..aa135eacb7f --- /dev/null +++ b/queue-6.0/media-meson-vdec-add-missing-clk_disable_unprepare-o.patch @@ -0,0 +1,47 @@ +From 4918b5705e47f23ed99098eb1d1d93900836bf32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 08:57:53 +0200 +Subject: media: meson: vdec: add missing clk_disable_unprepare on error in + vdec_hevc_start() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xu Qiang + +[ Upstream commit 4029372233e13e281f8c387f279f9f064ced3810 ] + +Add the missing clk_disable_unprepare() before return +from vdec_hevc_start() in the error handling case. + +Fixes: 823a7300340e (“media: meson: vdec: add common HEVC decoder support”) +Signed-off-by: Xu Qiang +Reviewed-by: Neil Armstrong +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/meson/vdec/vdec_hevc.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/media/meson/vdec/vdec_hevc.c b/drivers/staging/media/meson/vdec/vdec_hevc.c +index 9530e580e57a..afced435c907 100644 +--- a/drivers/staging/media/meson/vdec/vdec_hevc.c ++++ b/drivers/staging/media/meson/vdec/vdec_hevc.c +@@ -167,8 +167,12 @@ static int vdec_hevc_start(struct amvdec_session *sess) + + clk_set_rate(core->vdec_hevc_clk, 666666666); + ret = clk_prepare_enable(core->vdec_hevc_clk); +- if (ret) ++ if (ret) { ++ if (core->platform->revision == VDEC_REVISION_G12A || ++ core->platform->revision == VDEC_REVISION_SM1) ++ clk_disable_unprepare(core->vdec_hevcf_clk); + return ret; ++ } + + if (core->platform->revision == VDEC_REVISION_SM1) + regmap_update_bits(core->regmap_ao, AO_RTI_GEN_PWR_SLEEP0, +-- +2.35.1 + diff --git a/queue-6.0/media-platform-fix-some-double-free-in-meson-ge2d-an.patch b/queue-6.0/media-platform-fix-some-double-free-in-meson-ge2d-an.patch new file mode 100644 index 00000000000..6bd8737e087 --- /dev/null +++ b/queue-6.0/media-platform-fix-some-double-free-in-meson-ge2d-an.patch @@ -0,0 +1,71 @@ +From 7cd98c16ec3f587045af136adb4fe88a991b9d7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 10:58:19 +0200 +Subject: media: platform: fix some double free in meson-ge2d and mtk-jpeg and + s5p-mfc + +From: Hangyu Hua + +[ Upstream commit c65c3f3a2cbf21ed429d9b9c725bdb5dc6abf4cf ] + +video_unregister_device will release device internally. There is no need to +call video_device_release after video_unregister_device. + +Signed-off-by: Hangyu Hua +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/amlogic/meson-ge2d/ge2d.c | 1 - + drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c | 1 - + drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c | 3 +-- + 3 files changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/media/platform/amlogic/meson-ge2d/ge2d.c b/drivers/media/platform/amlogic/meson-ge2d/ge2d.c +index 5e7b319f300d..142d421a8d76 100644 +--- a/drivers/media/platform/amlogic/meson-ge2d/ge2d.c ++++ b/drivers/media/platform/amlogic/meson-ge2d/ge2d.c +@@ -1030,7 +1030,6 @@ static int ge2d_remove(struct platform_device *pdev) + + video_unregister_device(ge2d->vfd); + v4l2_m2m_release(ge2d->m2m_dev); +- video_device_release(ge2d->vfd); + v4l2_device_unregister(&ge2d->v4l2_dev); + clk_disable_unprepare(ge2d->clk); + +diff --git a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +index 87685a62a5c2..3071b61946c3 100644 +--- a/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c ++++ b/drivers/media/platform/mediatek/jpeg/mtk_jpeg_core.c +@@ -1414,7 +1414,6 @@ static int mtk_jpeg_remove(struct platform_device *pdev) + + pm_runtime_disable(&pdev->dev); + video_unregister_device(jpeg->vdev); +- video_device_release(jpeg->vdev); + v4l2_m2m_release(jpeg->m2m_dev); + v4l2_device_unregister(&jpeg->v4l2_dev); + +diff --git a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c +index 761341934925..f85d1eebafac 100644 +--- a/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c +@@ -1399,6 +1399,7 @@ static int s5p_mfc_probe(struct platform_device *pdev) + /* Deinit MFC if probe had failed */ + err_enc_reg: + video_unregister_device(dev->vfd_dec); ++ dev->vfd_dec = NULL; + err_dec_reg: + video_device_release(dev->vfd_enc); + err_enc_alloc: +@@ -1444,8 +1445,6 @@ static int s5p_mfc_remove(struct platform_device *pdev) + + video_unregister_device(dev->vfd_enc); + video_unregister_device(dev->vfd_dec); +- video_device_release(dev->vfd_enc); +- video_device_release(dev->vfd_dec); + v4l2_device_unregister(&dev->v4l2_dev); + s5p_mfc_unconfigure_dma_memory(dev); + +-- +2.35.1 + diff --git a/queue-6.0/media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch b/queue-6.0/media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch new file mode 100644 index 00000000000..eb996f1610d --- /dev/null +++ b/queue-6.0/media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch @@ -0,0 +1,46 @@ +From 3f152ebafc7baec42fe6e5e9bfca3a88e179f098 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 18:12:36 +0800 +Subject: media: tm6000: Fix unused value in vidioc_try_fmt_vid_cap() + +From: Zeng Jingxiang + +[ Upstream commit d682869daa23938b5e8919db45c4b5b227749712 ] + +Coverity warns of an unused value: + +assigned_value: Assign the value of the variable f->fmt.pix.field +to field here, but that stored value is overwritten. +before it can be used. +919 field = f->fmt.pix.field; +920 + +value_overwrite: Overwriting previous write to field with +the value of V4L2_FIELD_INTERLACED. +921 field = V4L2_FIELD_INTERLACED; + +Fixes: ed57256f6fe8 ("[media] tm6000: fix G/TRY_FMT") +Signed-off-by: Zeng Jingxiang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/tm6000/tm6000-video.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c +index d855a19551f3..e06ed21edbdd 100644 +--- a/drivers/media/usb/tm6000/tm6000-video.c ++++ b/drivers/media/usb/tm6000/tm6000-video.c +@@ -916,8 +916,6 @@ static int vidioc_try_fmt_vid_cap(struct file *file, void *priv, + return -EINVAL; + } + +- field = f->fmt.pix.field; +- + field = V4L2_FIELD_INTERLACED; + + tm6000_get_std_res(dev); +-- +2.35.1 + diff --git a/queue-6.0/media-uvcvideo-fix-memory-leak-in-uvc_gpio_parse.patch b/queue-6.0/media-uvcvideo-fix-memory-leak-in-uvc_gpio_parse.patch new file mode 100644 index 00000000000..50e9e7c76e1 --- /dev/null +++ b/queue-6.0/media-uvcvideo-fix-memory-leak-in-uvc_gpio_parse.patch @@ -0,0 +1,58 @@ +From 1642ee1d995e8e4b081fdecccd2480b586d9c900 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jan 2022 18:04:39 +0100 +Subject: media: uvcvideo: Fix memory leak in uvc_gpio_parse +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +[ Upstream commit f0f078457f18f10696888f8d0e6aba9deb9cde92 ] + +Previously the unit buffer was allocated before checking the IRQ for +privacy GPIO. In case of error, the unit buffer was leaked. + +Allocate the unit buffer after the IRQ to avoid it. + +Addresses-Coverity-ID: 1474639 ("Resource leak") + +Fixes: 2886477ff987 ("media: uvcvideo: Implement UVC_EXT_GPIO_UNIT") +Signed-off-by: José Expósito +Reviewed-by: Ricardo Ribalda +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index d509a4a2f08e..822e9694f092 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -1553,10 +1553,6 @@ static int uvc_gpio_parse(struct uvc_device *dev) + if (IS_ERR_OR_NULL(gpio_privacy)) + return PTR_ERR_OR_ZERO(gpio_privacy); + +- unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1); +- if (!unit) +- return -ENOMEM; +- + irq = gpiod_to_irq(gpio_privacy); + if (irq < 0) { + if (irq != EPROBE_DEFER) +@@ -1565,6 +1561,10 @@ static int uvc_gpio_parse(struct uvc_device *dev) + return irq; + } + ++ unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1); ++ if (!unit) ++ return -ENOMEM; ++ + unit->gpio.gpio_privacy = gpio_privacy; + unit->gpio.irq = irq; + unit->gpio.bControlSize = 1; +-- +2.35.1 + diff --git a/queue-6.0/media-uvcvideo-use-entity-get_cur-in-uvc_ctrl_set.patch b/queue-6.0/media-uvcvideo-use-entity-get_cur-in-uvc_ctrl_set.patch new file mode 100644 index 00000000000..d2457e44ed9 --- /dev/null +++ b/queue-6.0/media-uvcvideo-use-entity-get_cur-in-uvc_ctrl_set.patch @@ -0,0 +1,134 @@ +From 5c46d011d820ebef7edac0471769df60e847210d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jul 2022 10:53:31 +0200 +Subject: media: uvcvideo: Use entity get_cur in uvc_ctrl_set + +From: Yunke Cao + +[ Upstream commit 5f36851c36b30f713f588ed2b60aa7b4512e2c76 ] + +Entity controls should get_cur using an entity-defined function +instead of via a query. Fix this in uvc_ctrl_set. + +Fixes: 65900c581d01 ("media: uvcvideo: Allow entity-defined get_info and get_cur") +Signed-off-by: Yunke Cao +Reviewed-by: Ricardo Ribalda +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_ctrl.c | 83 ++++++++++++++++++-------------- + 1 file changed, 46 insertions(+), 37 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_ctrl.c b/drivers/media/usb/uvc/uvc_ctrl.c +index 8c208db9600b..53250ea75dfb 100644 +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -985,36 +985,56 @@ static s32 __uvc_ctrl_get_value(struct uvc_control_mapping *mapping, + return value; + } + +-static int __uvc_ctrl_get(struct uvc_video_chain *chain, +- struct uvc_control *ctrl, struct uvc_control_mapping *mapping, +- s32 *value) ++static int __uvc_ctrl_load_cur(struct uvc_video_chain *chain, ++ struct uvc_control *ctrl) + { ++ u8 *data; + int ret; + +- if ((ctrl->info.flags & UVC_CTRL_FLAG_GET_CUR) == 0) +- return -EACCES; ++ if (ctrl->loaded) ++ return 0; + +- if (!ctrl->loaded) { +- if (ctrl->entity->get_cur) { +- ret = ctrl->entity->get_cur(chain->dev, +- ctrl->entity, +- ctrl->info.selector, +- uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT), +- ctrl->info.size); +- } else { +- ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR, +- ctrl->entity->id, +- chain->dev->intfnum, +- ctrl->info.selector, +- uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT), +- ctrl->info.size); +- } +- if (ret < 0) +- return ret; ++ data = uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT); + ++ if ((ctrl->info.flags & UVC_CTRL_FLAG_GET_CUR) == 0) { ++ memset(data, 0, ctrl->info.size); + ctrl->loaded = 1; ++ ++ return 0; + } + ++ if (ctrl->entity->get_cur) ++ ret = ctrl->entity->get_cur(chain->dev, ctrl->entity, ++ ctrl->info.selector, data, ++ ctrl->info.size); ++ else ++ ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR, ++ ctrl->entity->id, chain->dev->intfnum, ++ ctrl->info.selector, data, ++ ctrl->info.size); ++ ++ if (ret < 0) ++ return ret; ++ ++ ctrl->loaded = 1; ++ ++ return ret; ++} ++ ++static int __uvc_ctrl_get(struct uvc_video_chain *chain, ++ struct uvc_control *ctrl, ++ struct uvc_control_mapping *mapping, ++ s32 *value) ++{ ++ int ret; ++ ++ if ((ctrl->info.flags & UVC_CTRL_FLAG_GET_CUR) == 0) ++ return -EACCES; ++ ++ ret = __uvc_ctrl_load_cur(chain, ctrl); ++ if (ret < 0) ++ return ret; ++ + *value = __uvc_ctrl_get_value(mapping, + uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT)); + +@@ -1810,21 +1830,10 @@ int uvc_ctrl_set(struct uvc_fh *handle, + * needs to be loaded from the device to perform the read-modify-write + * operation. + */ +- if (!ctrl->loaded && (ctrl->info.size * 8) != mapping->size) { +- if ((ctrl->info.flags & UVC_CTRL_FLAG_GET_CUR) == 0) { +- memset(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT), +- 0, ctrl->info.size); +- } else { +- ret = uvc_query_ctrl(chain->dev, UVC_GET_CUR, +- ctrl->entity->id, chain->dev->intfnum, +- ctrl->info.selector, +- uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT), +- ctrl->info.size); +- if (ret < 0) +- return ret; +- } +- +- ctrl->loaded = 1; ++ if ((ctrl->info.size * 8) != mapping->size) { ++ ret = __uvc_ctrl_load_cur(chain, ctrl); ++ if (ret < 0) ++ return ret; + } + + /* Backup the current value in case we need to rollback later. */ +-- +2.35.1 + diff --git a/queue-6.0/media-v4l2-ctrls-allocate-space-for-arrays.patch b/queue-6.0/media-v4l2-ctrls-allocate-space-for-arrays.patch new file mode 100644 index 00000000000..6bc4fe56f2a --- /dev/null +++ b/queue-6.0/media-v4l2-ctrls-allocate-space-for-arrays.patch @@ -0,0 +1,191 @@ +From 5cc036de01c402cf40cccf04dcb95af5e18e8313 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 12:21:07 +0200 +Subject: media: v4l2-ctrls: allocate space for arrays + +From: Hans Verkuil + +[ Upstream commit 5f2c5c69a61dc5411d436c1a422f8a1ee195a924 ] + +Just like dynamic arrays, also allocate space for regular arrays. + +This is in preparation for allowing to change the array size from +a driver. + +Signed-off-by: Hans Verkuil +Reviewed-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Stable-dep-of: 211f8304fa21 ("media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop") +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-ctrls-api.c | 8 +++--- + drivers/media/v4l2-core/v4l2-ctrls-core.c | 33 +++++++++++------------ + include/media/v4l2-ctrls.h | 17 ++++++------ + 3 files changed, 28 insertions(+), 30 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-ctrls-api.c b/drivers/media/v4l2-core/v4l2-ctrls-api.c +index 50d012ba3c02..1b90bd7c4010 100644 +--- a/drivers/media/v4l2-core/v4l2-ctrls-api.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls-api.c +@@ -105,8 +105,8 @@ static int user_to_new(struct v4l2_ext_control *c, struct v4l2_ctrl *ctrl) + + ctrl->is_new = 0; + if (ctrl->is_dyn_array && +- c->size > ctrl->p_dyn_alloc_elems * ctrl->elem_size) { +- void *old = ctrl->p_dyn; ++ c->size > ctrl->p_array_alloc_elems * ctrl->elem_size) { ++ void *old = ctrl->p_array; + void *tmp = kvzalloc(2 * c->size, GFP_KERNEL); + + if (!tmp) +@@ -115,8 +115,8 @@ static int user_to_new(struct v4l2_ext_control *c, struct v4l2_ctrl *ctrl) + memcpy(tmp + c->size, ctrl->p_cur.p, ctrl->elems * ctrl->elem_size); + ctrl->p_new.p = tmp; + ctrl->p_cur.p = tmp + c->size; +- ctrl->p_dyn = tmp; +- ctrl->p_dyn_alloc_elems = c->size / ctrl->elem_size; ++ ctrl->p_array = tmp; ++ ctrl->p_array_alloc_elems = c->size / ctrl->elem_size; + kvfree(old); + } + +diff --git a/drivers/media/v4l2-core/v4l2-ctrls-core.c b/drivers/media/v4l2-core/v4l2-ctrls-core.c +index 1f85828d6694..9871c77f559b 100644 +--- a/drivers/media/v4l2-core/v4l2-ctrls-core.c ++++ b/drivers/media/v4l2-core/v4l2-ctrls-core.c +@@ -1135,14 +1135,14 @@ int req_to_new(struct v4l2_ctrl_ref *ref) + + /* + * Check if the number of elements in the request is more than the +- * elements in ctrl->p_dyn. If so, attempt to realloc ctrl->p_dyn. +- * Note that p_dyn is allocated with twice the number of elements ++ * elements in ctrl->p_array. If so, attempt to realloc ctrl->p_array. ++ * Note that p_array is allocated with twice the number of elements + * in the dynamic array since it has to store both the current and + * new value of such a control. + */ +- if (ref->p_req_elems > ctrl->p_dyn_alloc_elems) { ++ if (ref->p_req_elems > ctrl->p_array_alloc_elems) { + unsigned int sz = ref->p_req_elems * ctrl->elem_size; +- void *old = ctrl->p_dyn; ++ void *old = ctrl->p_array; + void *tmp = kvzalloc(2 * sz, GFP_KERNEL); + + if (!tmp) +@@ -1151,8 +1151,8 @@ int req_to_new(struct v4l2_ctrl_ref *ref) + memcpy(tmp + sz, ctrl->p_cur.p, ctrl->elems * ctrl->elem_size); + ctrl->p_new.p = tmp; + ctrl->p_cur.p = tmp + sz; +- ctrl->p_dyn = tmp; +- ctrl->p_dyn_alloc_elems = ref->p_req_elems; ++ ctrl->p_array = tmp; ++ ctrl->p_array_alloc_elems = ref->p_req_elems; + kvfree(old); + } + +@@ -1252,7 +1252,7 @@ void v4l2_ctrl_handler_free(struct v4l2_ctrl_handler *hdl) + list_del(&ctrl->node); + list_for_each_entry_safe(sev, next_sev, &ctrl->ev_subs, node) + list_del(&sev->node); +- kvfree(ctrl->p_dyn); ++ kvfree(ctrl->p_array); + kvfree(ctrl); + } + kvfree(hdl->buckets); +@@ -1584,11 +1584,10 @@ static struct v4l2_ctrl *v4l2_ctrl_new(struct v4l2_ctrl_handler *hdl, + V4L2_CTRL_FLAG_EXECUTE_ON_WRITE; + else if (type == V4L2_CTRL_TYPE_CTRL_CLASS) + flags |= V4L2_CTRL_FLAG_READ_ONLY; +- else if (!(flags & V4L2_CTRL_FLAG_DYNAMIC_ARRAY) && ++ else if (!is_array && + (type == V4L2_CTRL_TYPE_INTEGER64 || + type == V4L2_CTRL_TYPE_STRING || +- type >= V4L2_CTRL_COMPOUND_TYPES || +- is_array)) ++ type >= V4L2_CTRL_COMPOUND_TYPES)) + sz_extra += 2 * tot_ctrl_size; + + if (type >= V4L2_CTRL_COMPOUND_TYPES && p_def.p_const) +@@ -1632,14 +1631,14 @@ static struct v4l2_ctrl *v4l2_ctrl_new(struct v4l2_ctrl_handler *hdl, + ctrl->cur.val = ctrl->val = def; + data = &ctrl[1]; + +- if (ctrl->is_dyn_array) { +- ctrl->p_dyn_alloc_elems = elems; +- ctrl->p_dyn = kvzalloc(2 * elems * elem_size, GFP_KERNEL); +- if (!ctrl->p_dyn) { ++ if (ctrl->is_array) { ++ ctrl->p_array_alloc_elems = elems; ++ ctrl->p_array = kvzalloc(2 * elems * elem_size, GFP_KERNEL); ++ if (!ctrl->p_array) { + kvfree(ctrl); + return NULL; + } +- data = ctrl->p_dyn; ++ data = ctrl->p_array; + } + + if (!ctrl->is_int) { +@@ -1651,7 +1650,7 @@ static struct v4l2_ctrl *v4l2_ctrl_new(struct v4l2_ctrl_handler *hdl, + } + + if (type >= V4L2_CTRL_COMPOUND_TYPES && p_def.p_const) { +- if (ctrl->is_dyn_array) ++ if (ctrl->is_array) + ctrl->p_def.p = &ctrl[1]; + else + ctrl->p_def.p = ctrl->p_cur.p + tot_ctrl_size; +@@ -1664,7 +1663,7 @@ static struct v4l2_ctrl *v4l2_ctrl_new(struct v4l2_ctrl_handler *hdl, + } + + if (handler_new_ref(hdl, ctrl, NULL, false, false)) { +- kvfree(ctrl->p_dyn); ++ kvfree(ctrl->p_array); + kvfree(ctrl); + return NULL; + } +diff --git a/include/media/v4l2-ctrls.h b/include/media/v4l2-ctrls.h +index 00828a4f9404..5ddd506ae7b9 100644 +--- a/include/media/v4l2-ctrls.h ++++ b/include/media/v4l2-ctrls.h +@@ -203,7 +203,7 @@ typedef void (*v4l2_ctrl_notify_fnc)(struct v4l2_ctrl *ctrl, void *priv); + * @elem_size: The size in bytes of the control. + * @new_elems: The number of elements in p_new. This is the same as @elems, + * except for dynamic arrays. In that case it is in the range of +- * 1 to @p_dyn_alloc_elems. ++ * 1 to @p_array_alloc_elems. + * @dims: The size of each dimension. + * @nr_of_dims:The number of dimensions in @dims. + * @menu_skip_mask: The control's skip mask for menu controls. This makes it +@@ -227,12 +227,11 @@ typedef void (*v4l2_ctrl_notify_fnc)(struct v4l2_ctrl *ctrl, void *priv); + * not freed when the control is deleted. Should this be needed + * then a new internal bitfield can be added to tell the framework + * to free this pointer. +- * @p_dyn: Pointer to the dynamically allocated array. Only valid if +- * @is_dyn_array is true. +- * @p_dyn_alloc_elems: The number of elements in the dynamically allocated +- * array for both the cur and new values. So @p_dyn is actually +- * sized for 2 * @p_dyn_alloc_elems * @elem_size. Only valid if +- * @is_dyn_array is true. ++ * @p_array: Pointer to the allocated array. Only valid if @is_array is true. ++ * @p_array_alloc_elems: The number of elements in the allocated ++ * array for both the cur and new values. So @p_array is actually ++ * sized for 2 * @p_array_alloc_elems * @elem_size. Only valid if ++ * @is_array is true. + * @cur: Structure to store the current value. + * @cur.val: The control's current value, if the @type is represented via + * a u32 integer (see &enum v4l2_ctrl_type). +@@ -291,8 +290,8 @@ struct v4l2_ctrl { + }; + unsigned long flags; + void *priv; +- void *p_dyn; +- u32 p_dyn_alloc_elems; ++ void *p_array; ++ u32 p_array_alloc_elems; + s32 val; + struct { + s32 val; +-- +2.35.1 + diff --git a/queue-6.0/media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch b/queue-6.0/media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch new file mode 100644 index 00000000000..44f2aab9e5d --- /dev/null +++ b/queue-6.0/media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch @@ -0,0 +1,56 @@ +From 8d2e9422c424812e64021d4cb26660e4dcb4e514 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 06:25:14 +0200 +Subject: media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init + +From: Miaoqian Lin + +[ Upstream commit 1c78f19c3a0ea312a8178a6bfd8934eb93e9b10a ] + +of_get_child_by_name() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: df3305156f98 ("[media] v4l: xilinx: Add Xilinx Video IP core") +Signed-off-by: Miaoqian Lin +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/xilinx/xilinx-vipp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/xilinx/xilinx-vipp.c b/drivers/media/platform/xilinx/xilinx-vipp.c +index f34f8b077e03..0a16c218a50a 100644 +--- a/drivers/media/platform/xilinx/xilinx-vipp.c ++++ b/drivers/media/platform/xilinx/xilinx-vipp.c +@@ -471,7 +471,7 @@ static int xvip_graph_dma_init(struct xvip_composite_device *xdev) + { + struct device_node *ports; + struct device_node *port; +- int ret; ++ int ret = 0; + + ports = of_get_child_by_name(xdev->dev->of_node, "ports"); + if (ports == NULL) { +@@ -481,13 +481,14 @@ static int xvip_graph_dma_init(struct xvip_composite_device *xdev) + + for_each_child_of_node(ports, port) { + ret = xvip_graph_dma_init_one(xdev, port); +- if (ret < 0) { ++ if (ret) { + of_node_put(port); +- return ret; ++ break; + } + } + +- return 0; ++ of_node_put(ports); ++ return ret; + } + + static void xvip_graph_cleanup(struct xvip_composite_device *xdev) +-- +2.35.1 + diff --git a/queue-6.0/memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch b/queue-6.0/memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch new file mode 100644 index 00000000000..14300e16ddb --- /dev/null +++ b/queue-6.0/memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch @@ -0,0 +1,37 @@ +From 158598f88778bd0ff79c9428121f3c44909cda52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 16:56:39 +0800 +Subject: memory: of: Fix refcount leak bug in of_get_ddr_timings() + +From: Liang He + +[ Upstream commit 05215fb32010d4afb68fbdbb4d237df6e2d4567b ] + +We should add the of_node_put() when breaking out of +for_each_child_of_node() as it will automatically increase +and decrease the refcount. + +Fixes: e6b42eb6a66c ("memory: emif: add device tree support to emif driver") +Signed-off-by: Liang He +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220719085640.1210583-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/memory/of_memory.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/memory/of_memory.c b/drivers/memory/of_memory.c +index dbdf87bc0b78..8e2ef4bf6b17 100644 +--- a/drivers/memory/of_memory.c ++++ b/drivers/memory/of_memory.c +@@ -134,6 +134,7 @@ const struct lpddr2_timings *of_get_ddr_timings(struct device_node *np_ddr, + for_each_child_of_node(np_ddr, np_tim) { + if (of_device_is_compatible(np_tim, tim_compat)) { + if (of_do_get_timings(np_tim, &timings[i])) { ++ of_node_put(np_tim); + devm_kfree(dev, timings); + goto default_timings; + } +-- +2.35.1 + diff --git a/queue-6.0/memory-of-fix-refcount-leak-bug-in-of_lpddr3_get_ddr.patch b/queue-6.0/memory-of-fix-refcount-leak-bug-in-of_lpddr3_get_ddr.patch new file mode 100644 index 00000000000..a363bffb1d7 --- /dev/null +++ b/queue-6.0/memory-of-fix-refcount-leak-bug-in-of_lpddr3_get_ddr.patch @@ -0,0 +1,37 @@ +From 1a2b6b0fdddc31b966d2c706ef283ba23156094e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 16:56:40 +0800 +Subject: memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings() + +From: Liang He + +[ Upstream commit 48af14fb0eaa63d9aa68f59fb0b205ec55a95636 ] + +We should add the of_node_put() when breaking out of +for_each_child_of_node() as it will automatically increase +and decrease the refcount. + +Fixes: 976897dd96db ("memory: Extend of_memory with LPDDR3 support") +Signed-off-by: Liang He +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220719085640.1210583-2-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/memory/of_memory.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/memory/of_memory.c b/drivers/memory/of_memory.c +index 8e2ef4bf6b17..fcd20d85d385 100644 +--- a/drivers/memory/of_memory.c ++++ b/drivers/memory/of_memory.c +@@ -285,6 +285,7 @@ const struct lpddr3_timings + if (of_device_is_compatible(np_tim, tim_compat)) { + if (of_lpddr3_do_get_timings(np_tim, &timings[i])) { + devm_kfree(dev, timings); ++ of_node_put(np_tim); + goto default_timings; + } + i++; +-- +2.35.1 + diff --git a/queue-6.0/memory-pl353-smc-fix-refcount-leak-bug-in-pl353_smc_.patch b/queue-6.0/memory-pl353-smc-fix-refcount-leak-bug-in-pl353_smc_.patch new file mode 100644 index 00000000000..b739c53e6bb --- /dev/null +++ b/queue-6.0/memory-pl353-smc-fix-refcount-leak-bug-in-pl353_smc_.patch @@ -0,0 +1,41 @@ +From 50654083481c4da502da34080d7bf3df87c75088 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Jul 2022 11:13:24 +0800 +Subject: memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe() + +From: Liang He + +[ Upstream commit 61b3c876c1cbdb1efd1f52a1f348580e6e14efb6 ] + +The break of for_each_available_child_of_node() needs a +corresponding of_node_put() when the reference 'child' is not +used anymore. Here we do not need to call of_node_put() in +fail path as '!match' means no break. + +While the of_platform_device_create() will created a new +reference by 'child' but it has considered the refcounting. + +Fixes: fee10bd22678 ("memory: pl353: Add driver for arm pl353 static memory controller") +Signed-off-by: Liang He +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220716031324.447680-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/memory/pl353-smc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/memory/pl353-smc.c b/drivers/memory/pl353-smc.c +index f84b98278745..d39ee7d06665 100644 +--- a/drivers/memory/pl353-smc.c ++++ b/drivers/memory/pl353-smc.c +@@ -122,6 +122,7 @@ static int pl353_smc_probe(struct amba_device *adev, const struct amba_id *id) + } + + of_platform_device_create(child, NULL, &adev->dev); ++ of_node_put(child); + + return 0; + +-- +2.35.1 + diff --git a/queue-6.0/mfd-da9061-fix-failed-to-set-two-wire-bus-mode.patch b/queue-6.0/mfd-da9061-fix-failed-to-set-two-wire-bus-mode.patch new file mode 100644 index 00000000000..975604e9276 --- /dev/null +++ b/queue-6.0/mfd-da9061-fix-failed-to-set-two-wire-bus-mode.patch @@ -0,0 +1,44 @@ +From 250bd62ebc28602bad88da1b9b7a2695314286f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 11:20:04 +0200 +Subject: mfd: da9061: Fix Failed to set Two-Wire Bus Mode. + +From: Jens Hillenstedt + +[ Upstream commit 834382ea32865a4bdeae83ec2dcb9321dc9489f2 ] + +In da9062_i2c_probe() regmap_clear_bits() tries to access CONFIG_J +register. As CONFIG_J is not present in da9061_aa_writeable_ranges[] probe +of da9061 fails: + + da9062 2-0058: Entering I2C mode! + da9062 2-0058: Failed to set Two-Wire Bus Mode. + da9062: probe of 2-0058 failed with error -5 + +Add CONFIG_J register to da9061_aa_writeable_ranges[]. + +Fixes: 5c6f0f456351 ("mfd: da9062: Support SMBus and I2C mode") +Signed-off-by: Jens Hillenstedt +Reviewed-by: Adam Ward +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20220915092004.168744-1-jens.hillenstedt@ise.de +Signed-off-by: Sasha Levin +--- + drivers/mfd/da9062-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/da9062-core.c b/drivers/mfd/da9062-core.c +index 2774b2cbaea6..c2acdbcd5d6b 100644 +--- a/drivers/mfd/da9062-core.c ++++ b/drivers/mfd/da9062-core.c +@@ -453,6 +453,7 @@ static const struct regmap_range da9061_aa_writeable_ranges[] = { + regmap_reg_range(DA9062AA_VBUCK1_B, DA9062AA_VBUCK4_B), + regmap_reg_range(DA9062AA_VBUCK3_B, DA9062AA_VBUCK3_B), + regmap_reg_range(DA9062AA_VLDO1_B, DA9062AA_VLDO4_B), ++ regmap_reg_range(DA9062AA_CONFIG_J, DA9062AA_CONFIG_J), + regmap_reg_range(DA9062AA_GP_ID_0, DA9062AA_GP_ID_19), + }; + +-- +2.35.1 + diff --git a/queue-6.0/mfd-fsl-imx25-fix-an-error-handling-path-in-mx25_tsa.patch b/queue-6.0/mfd-fsl-imx25-fix-an-error-handling-path-in-mx25_tsa.patch new file mode 100644 index 00000000000..1be886883b4 --- /dev/null +++ b/queue-6.0/mfd-fsl-imx25-fix-an-error-handling-path-in-mx25_tsa.patch @@ -0,0 +1,82 @@ +From c64188425c96b61bb38cdce6a18c758e37472936 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 14:06:23 +0200 +Subject: mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq() + +From: Christophe JAILLET + +[ Upstream commit 3fa9e4cfb55da512ebfd57336fde468830719298 ] + +If devm_of_platform_populate() fails, some resources need to be +released. + +Introduce a mx25_tsadc_unset_irq() function that undoes +mx25_tsadc_setup_irq() and call it both from the new error handling path +of the probe and in the remove function. + +Fixes: a55196eff6d6 ("mfd: fsl-imx25: Use devm_of_platform_populate()") +Signed-off-by: Christophe JAILLET +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/d404e04828fc06bcfddf81f9f3e9b4babbe35415.1659269156.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/mfd/fsl-imx25-tsadc.c | 32 ++++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +diff --git a/drivers/mfd/fsl-imx25-tsadc.c b/drivers/mfd/fsl-imx25-tsadc.c +index 37e5e02a1d05..85f7982d26d2 100644 +--- a/drivers/mfd/fsl-imx25-tsadc.c ++++ b/drivers/mfd/fsl-imx25-tsadc.c +@@ -84,6 +84,19 @@ static int mx25_tsadc_setup_irq(struct platform_device *pdev, + return 0; + } + ++static int mx25_tsadc_unset_irq(struct platform_device *pdev) ++{ ++ struct mx25_tsadc *tsadc = platform_get_drvdata(pdev); ++ int irq = platform_get_irq(pdev, 0); ++ ++ if (irq) { ++ irq_set_chained_handler_and_data(irq, NULL, NULL); ++ irq_domain_remove(tsadc->domain); ++ } ++ ++ return 0; ++} ++ + static void mx25_tsadc_setup_clk(struct platform_device *pdev, + struct mx25_tsadc *tsadc) + { +@@ -171,18 +184,21 @@ static int mx25_tsadc_probe(struct platform_device *pdev) + + platform_set_drvdata(pdev, tsadc); + +- return devm_of_platform_populate(dev); ++ ret = devm_of_platform_populate(dev); ++ if (ret) ++ goto err_irq; ++ ++ return 0; ++ ++err_irq: ++ mx25_tsadc_unset_irq(pdev); ++ ++ return ret; + } + + static int mx25_tsadc_remove(struct platform_device *pdev) + { +- struct mx25_tsadc *tsadc = platform_get_drvdata(pdev); +- int irq = platform_get_irq(pdev, 0); +- +- if (irq) { +- irq_set_chained_handler_and_data(irq, NULL, NULL); +- irq_domain_remove(tsadc->domain); +- } ++ mx25_tsadc_unset_irq(pdev); + + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/mfd-fsl-imx25-fix-check-for-platform_get_irq-errors.patch b/queue-6.0/mfd-fsl-imx25-fix-check-for-platform_get_irq-errors.patch new file mode 100644 index 00000000000..8296e07ae68 --- /dev/null +++ b/queue-6.0/mfd-fsl-imx25-fix-check-for-platform_get_irq-errors.patch @@ -0,0 +1,49 @@ +From 9127497dea076f4bc8b4a75dac544e5eb1ea3e01 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 13:53:05 +0300 +Subject: mfd: fsl-imx25: Fix check for platform_get_irq() errors + +From: Dan Carpenter + +[ Upstream commit 75db7907355ca5e2ff606e9dd3e86b6c3a455fe2 ] + +The mx25_tsadc_remove() function assumes all non-zero returns are success +but the platform_get_irq() function returns negative on error and +positive non-zero values on success. It never returns zero, but if it +did then treat that as a success. + +Fixes: 18f773937968 ("mfd: fsl-imx25: Clean up irq settings during removal") +Signed-off-by: Dan Carpenter +Reviewed-by: Martin Kaiser +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/YvTfkbVQWYKMKS/t@kili +Signed-off-by: Sasha Levin +--- + drivers/mfd/fsl-imx25-tsadc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/fsl-imx25-tsadc.c b/drivers/mfd/fsl-imx25-tsadc.c +index 85f7982d26d2..823595bcc9b7 100644 +--- a/drivers/mfd/fsl-imx25-tsadc.c ++++ b/drivers/mfd/fsl-imx25-tsadc.c +@@ -69,7 +69,7 @@ static int mx25_tsadc_setup_irq(struct platform_device *pdev, + int irq; + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) ++ if (irq < 0) + return irq; + + tsadc->domain = irq_domain_add_simple(np, 2, 0, &mx25_tsadc_domain_ops, +@@ -89,7 +89,7 @@ static int mx25_tsadc_unset_irq(struct platform_device *pdev) + struct mx25_tsadc *tsadc = platform_get_drvdata(pdev); + int irq = platform_get_irq(pdev, 0); + +- if (irq) { ++ if (irq >= 0) { + irq_set_chained_handler_and_data(irq, NULL, NULL); + irq_domain_remove(tsadc->domain); + } +-- +2.35.1 + diff --git a/queue-6.0/mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch b/queue-6.0/mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch new file mode 100644 index 00000000000..b84673a9818 --- /dev/null +++ b/queue-6.0/mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch @@ -0,0 +1,42 @@ +From 209b7e6b824cc7a4f5dd80a856f1c9891b011142 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 14:42:02 +0300 +Subject: mfd: intel_soc_pmic: Fix an error handling path in + intel_soc_pmic_i2c_probe() + +From: Christophe JAILLET + +[ Upstream commit 48749cabba109397b4e7dd556e85718ec0ec114d ] + +The commit in Fixes: has added a pwm_add_table() call in the probe() and +a pwm_remove_table() call in the remove(), but forget to update the error +handling path of the probe. + +Add the missing pwm_remove_table() call. + +Fixes: a3aa9a93df9f ("mfd: intel_soc_pmic_core: ADD PWM lookup table for CRC PMIC based PWM") +Signed-off-by: Christophe JAILLET +Signed-off-by: Andy Shevchenko +Reviewed-by: Hans de Goede +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20220801114211.36267-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/intel_soc_pmic_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/intel_soc_pmic_core.c b/drivers/mfd/intel_soc_pmic_core.c +index 5e8c94e008ed..85d070bce0e2 100644 +--- a/drivers/mfd/intel_soc_pmic_core.c ++++ b/drivers/mfd/intel_soc_pmic_core.c +@@ -77,6 +77,7 @@ static int intel_soc_pmic_i2c_probe(struct i2c_client *i2c, + return 0; + + err_del_irq_chip: ++ pwm_remove_table(crc_pwm_lookup, ARRAY_SIZE(crc_pwm_lookup)); + regmap_del_irq_chip(pmic->irq, pmic->irq_chip_data); + return ret; + } +-- +2.35.1 + diff --git a/queue-6.0/mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch b/queue-6.0/mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch new file mode 100644 index 00000000000..e8d76d0a8ee --- /dev/null +++ b/queue-6.0/mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch @@ -0,0 +1,48 @@ +From ad97041bb2e4ef2188ed5e541fdb61b7246d5480 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 11:55:38 +0200 +Subject: mfd: lp8788: Fix an error handling path in lp8788_irq_init() and + lp8788_irq_init() + +From: Christophe JAILLET + +[ Upstream commit 557244f6284f30613f2d61f14b579303165876c3 ] + +In lp8788_irq_init(), if an error occurs after a successful +irq_domain_add_linear() call, it must be undone by a corresponding +irq_domain_remove() call. + +irq_domain_remove() should also be called in lp8788_irq_exit() for the same +reason. + +Fixes: eea6b7cc53aa ("mfd: Add lp8788 mfd driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/bcd5a72c9c1c383dd6324680116426e32737655a.1659261275.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/mfd/lp8788-irq.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mfd/lp8788-irq.c b/drivers/mfd/lp8788-irq.c +index 348439a3fbbd..39006297f3d2 100644 +--- a/drivers/mfd/lp8788-irq.c ++++ b/drivers/mfd/lp8788-irq.c +@@ -175,6 +175,7 @@ int lp8788_irq_init(struct lp8788 *lp, int irq) + IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + "lp8788-irq", irqd); + if (ret) { ++ irq_domain_remove(lp->irqdm); + dev_err(lp->dev, "failed to create a thread for IRQ_N\n"); + return ret; + } +@@ -188,4 +189,6 @@ void lp8788_irq_exit(struct lp8788 *lp) + { + if (lp->irq) + free_irq(lp->irq, lp->irqdm); ++ if (lp->irqdm) ++ irq_domain_remove(lp->irqdm); + } +-- +2.35.1 + diff --git a/queue-6.0/mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch b/queue-6.0/mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch new file mode 100644 index 00000000000..5f1c53eba76 --- /dev/null +++ b/queue-6.0/mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch @@ -0,0 +1,50 @@ +From c2fdb6a362335e829103e8036b285b3ae1a71593 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 11:55:27 +0200 +Subject: mfd: lp8788: Fix an error handling path in lp8788_probe() + +From: Christophe JAILLET + +[ Upstream commit becfdcd75126b20b8ec10066c5e85b34f8994ad5 ] + +Should an error occurs in mfd_add_devices(), some resources need to be +released, as already done in the .remove() function. + +Add an error handling path and a lp8788_irq_exit() call to undo a previous +lp8788_irq_init(). + +Fixes: eea6b7cc53aa ("mfd: Add lp8788 mfd driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/18398722da9df9490722d853e4797350189ae79b.1659261275.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/mfd/lp8788.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/lp8788.c b/drivers/mfd/lp8788.c +index c223d2c6a363..998e8cc408a0 100644 +--- a/drivers/mfd/lp8788.c ++++ b/drivers/mfd/lp8788.c +@@ -195,8 +195,16 @@ static int lp8788_probe(struct i2c_client *cl, const struct i2c_device_id *id) + if (ret) + return ret; + +- return mfd_add_devices(lp->dev, -1, lp8788_devs, +- ARRAY_SIZE(lp8788_devs), NULL, 0, NULL); ++ ret = mfd_add_devices(lp->dev, -1, lp8788_devs, ++ ARRAY_SIZE(lp8788_devs), NULL, 0, NULL); ++ if (ret) ++ goto err_exit_irq; ++ ++ return 0; ++ ++err_exit_irq: ++ lp8788_irq_exit(lp); ++ return ret; + } + + static int lp8788_remove(struct i2c_client *cl) +-- +2.35.1 + diff --git a/queue-6.0/mfd-sm501-add-check-for-platform_driver_register.patch b/queue-6.0/mfd-sm501-add-check-for-platform_driver_register.patch new file mode 100644 index 00000000000..f9b0de8b416 --- /dev/null +++ b/queue-6.0/mfd-sm501-add-check-for-platform_driver_register.patch @@ -0,0 +1,43 @@ +From 63cc48c3c3418ddc312a12b79c637df8e701d9a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 17:11:12 +0800 +Subject: mfd: sm501: Add check for platform_driver_register() + +From: Jiasheng Jiang + +[ Upstream commit 8325a6c24ad78b8c1acc3c42b098ee24105d68e5 ] + +As platform_driver_register() can return error numbers, +it should be better to check platform_driver_register() +and deal with the exception. + +Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20220913091112.1739138-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/mfd/sm501.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c +index bc0a2c38653e..3ac4508a6742 100644 +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -1720,7 +1720,12 @@ static struct platform_driver sm501_plat_driver = { + + static int __init sm501_base_init(void) + { +- platform_driver_register(&sm501_plat_driver); ++ int ret; ++ ++ ret = platform_driver_register(&sm501_plat_driver); ++ if (ret < 0) ++ return ret; ++ + return pci_register_driver(&sm501_pci_driver); + } + +-- +2.35.1 + diff --git a/queue-6.0/micrel-ksz8851-fixes-struct-pointer-issue.patch b/queue-6.0/micrel-ksz8851-fixes-struct-pointer-issue.patch new file mode 100644 index 00000000000..dae3b2f9fa8 --- /dev/null +++ b/queue-6.0/micrel-ksz8851-fixes-struct-pointer-issue.patch @@ -0,0 +1,54 @@ +From 96a488dd284292ddc68f071b4df751919cff1bea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 16:39:32 -0500 +Subject: micrel: ksz8851: fixes struct pointer issue + +From: Jerry Ray + +[ Upstream commit fef5de753ff01887cfa50990532c3890fccb9338 ] + +Issue found during code review. This bug has no impact as long as the +ks8851_net structure is the first element of the ks8851_net_spi structure. +As long as the offset to the ks8851_net struct is zero, the container_of() +macro is subtracting 0 and therefore no damage done. But if the +ks8851_net_spi struct is ever modified such that the ks8851_net struct +within it is no longer the first element of the struct, then the bug would +manifest itself and cause problems. + +struct ks8851_net is contained within ks8851_net_spi. +ks is contained within kss. +kss is the priv_data of the netdev structure. + +Signed-off-by: Jerry Ray +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/micrel/ks8851_spi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/micrel/ks8851_spi.c b/drivers/net/ethernet/micrel/ks8851_spi.c +index 82d55fc27edc..70bc7253454f 100644 +--- a/drivers/net/ethernet/micrel/ks8851_spi.c ++++ b/drivers/net/ethernet/micrel/ks8851_spi.c +@@ -413,7 +413,8 @@ static int ks8851_probe_spi(struct spi_device *spi) + + spi->bits_per_word = 8; + +- ks = netdev_priv(netdev); ++ kss = netdev_priv(netdev); ++ ks = &kss->ks8851; + + ks->lock = ks8851_lock_spi; + ks->unlock = ks8851_unlock_spi; +@@ -433,8 +434,6 @@ static int ks8851_probe_spi(struct spi_device *spi) + IRQ_RXPSI) /* RX process stop */ + ks->rc_ier = STD_IRQ; + +- kss = to_ks8851_spi(ks); +- + kss->spidev = spi; + mutex_init(&kss->lock); + INIT_WORK(&kss->tx_work, ks8851_tx_work); +-- +2.35.1 + diff --git a/queue-6.0/mips-bcm47xx-cast-memcmp-of-function-to-void.patch b/queue-6.0/mips-bcm47xx-cast-memcmp-of-function-to-void.patch new file mode 100644 index 00000000000..116ec564a59 --- /dev/null +++ b/queue-6.0/mips-bcm47xx-cast-memcmp-of-function-to-void.patch @@ -0,0 +1,62 @@ +From 467d08e54d1cb28313222ac4e9d961b52e8ab630 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:05:56 -0700 +Subject: MIPS: BCM47XX: Cast memcmp() of function to (void *) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit 0dedcf6e3301836eb70cfa649052e7ce4fcd13ba ] + +Clang is especially sensitive about argument type matching when using +__overloaded functions (like memcmp(), etc). Help it see that function +pointers are just "void *". Avoids this error: + +arch/mips/bcm47xx/prom.c:89:8: error: no matching function for call to 'memcmp' + if (!memcmp(prom_init, prom_init + mem, 32)) + ^~~~~~ +include/linux/string.h:156:12: note: candidate function not viable: no known conversion from 'void (void)' to 'const void *' for 1st argument extern int memcmp(const void *,const void *,__kernel_size_t); + +Cc: Hauke Mehrtens +Cc: "Rafał Miłecki" +Cc: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: llvm@lists.linux.dev +Reported-by: kernel test robot +Link: https://lore.kernel.org/lkml/202209080652.sz2d68e5-lkp@intel.com +Signed-off-by: Kees Cook +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/bcm47xx/prom.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/bcm47xx/prom.c b/arch/mips/bcm47xx/prom.c +index ab203e66ba0d..a9bea411d928 100644 +--- a/arch/mips/bcm47xx/prom.c ++++ b/arch/mips/bcm47xx/prom.c +@@ -86,7 +86,7 @@ static __init void prom_init_mem(void) + pr_debug("Assume 128MB RAM\n"); + break; + } +- if (!memcmp(prom_init, prom_init + mem, 32)) ++ if (!memcmp((void *)prom_init, (void *)prom_init + mem, 32)) + break; + } + lowmem = mem; +@@ -159,7 +159,7 @@ void __init bcm47xx_prom_highmem_init(void) + + off = EXTVBASE + __pa(off); + for (extmem = 128 << 20; extmem < 512 << 20; extmem <<= 1) { +- if (!memcmp(prom_init, (void *)(off + extmem), 16)) ++ if (!memcmp((void *)prom_init, (void *)(off + extmem), 16)) + break; + } + extmem -= lowmem; +-- +2.35.1 + diff --git a/queue-6.0/mips-dts-ralink-mt7621-fix-external-phy-on-gb-pc2.patch b/queue-6.0/mips-dts-ralink-mt7621-fix-external-phy-on-gb-pc2.patch new file mode 100644 index 00000000000..329c1de8f57 --- /dev/null +++ b/queue-6.0/mips-dts-ralink-mt7621-fix-external-phy-on-gb-pc2.patch @@ -0,0 +1,47 @@ +From c0257ae10205020741c3df658b693ad492d47ff9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 20:25:55 +0300 +Subject: mips: dts: ralink: mt7621: fix external phy on GB-PC2 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arınç ÜNAL + +[ Upstream commit 247825f991b34440f9b9d4fe607502435a42ac7b ] + +The address of the external phy on the mdio bus is 5. Update the devicetree +for GB-PC2 accordingly. + +Fixes: 5bc148649cf3 ("staging: mt7621-dts: fix GB-PC2 devicetree") +Signed-off-by: Arınç ÜNAL +Reviewed-by: Sergio Paracuellos +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts b/arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts +index 34006e667780..0d01e542a0a6 100644 +--- a/arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts ++++ b/arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts +@@ -83,12 +83,12 @@ + + &gmac1 { + status = "okay"; +- phy-handle = <ðphy7>; ++ phy-handle = <ðphy5>; + }; + + &mdio { +- ethphy7: ethernet-phy@7 { +- reg = <7>; ++ ethphy5: ethernet-phy@5 { ++ reg = <5>; + phy-mode = "rgmii-rxid"; + }; + }; +-- +2.35.1 + diff --git a/queue-6.0/mips-sgi-ip27-fix-platform-device-leak-in-bridge_pla.patch b/queue-6.0/mips-sgi-ip27-fix-platform-device-leak-in-bridge_pla.patch new file mode 100644 index 00000000000..58fc8b8a92b --- /dev/null +++ b/queue-6.0/mips-sgi-ip27-fix-platform-device-leak-in-bridge_pla.patch @@ -0,0 +1,141 @@ +From e4d4b8df16852bc548ec5794bc309c8208b25972 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 11:29:17 +0800 +Subject: MIPS: SGI-IP27: Fix platform-device leak in bridge_platform_create() + +From: Lin Yujun + +[ Upstream commit 11bec9cba4de06b3c0e9e4041453c2caaa1cbec1 ] + +In error case in bridge_platform_create after calling +platform_device_add()/platform_device_add_data()/ +platform_device_add_resources(), release the failed +'pdev' or it will be leak, call platform_device_put() +to fix this problem. + +Besides, 'pdev' is divided into 'pdev_wd' and 'pdev_bd', +use platform_device_unregister() to release sgi_w1 +resources when xtalk-bridge registration fails. + +Fixes: 5dc76a96e95a ("MIPS: PCI: use information from 1-wire PROM for IOC3 detection") +Signed-off-by: Lin Yujun +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/sgi-ip27/ip27-xtalk.c | 70 +++++++++++++++++++++++---------- + 1 file changed, 50 insertions(+), 20 deletions(-) + +diff --git a/arch/mips/sgi-ip27/ip27-xtalk.c b/arch/mips/sgi-ip27/ip27-xtalk.c +index e762886d1dda..5143d1cf8984 100644 +--- a/arch/mips/sgi-ip27/ip27-xtalk.c ++++ b/arch/mips/sgi-ip27/ip27-xtalk.c +@@ -27,15 +27,18 @@ static void bridge_platform_create(nasid_t nasid, int widget, int masterwid) + { + struct xtalk_bridge_platform_data *bd; + struct sgi_w1_platform_data *wd; +- struct platform_device *pdev; ++ struct platform_device *pdev_wd; ++ struct platform_device *pdev_bd; + struct resource w1_res; + unsigned long offset; + + offset = NODE_OFFSET(nasid); + + wd = kzalloc(sizeof(*wd), GFP_KERNEL); +- if (!wd) +- goto no_mem; ++ if (!wd) { ++ pr_warn("xtalk:n%d/%x bridge create out of memory\n", nasid, widget); ++ return; ++ } + + snprintf(wd->dev_id, sizeof(wd->dev_id), "bridge-%012lx", + offset + (widget << SWIN_SIZE_BITS)); +@@ -46,24 +49,35 @@ static void bridge_platform_create(nasid_t nasid, int widget, int masterwid) + w1_res.end = w1_res.start + 3; + w1_res.flags = IORESOURCE_MEM; + +- pdev = platform_device_alloc("sgi_w1", PLATFORM_DEVID_AUTO); +- if (!pdev) { +- kfree(wd); +- goto no_mem; ++ pdev_wd = platform_device_alloc("sgi_w1", PLATFORM_DEVID_AUTO); ++ if (!pdev_wd) { ++ pr_warn("xtalk:n%d/%x bridge create out of memory\n", nasid, widget); ++ goto err_kfree_wd; ++ } ++ if (platform_device_add_resources(pdev_wd, &w1_res, 1)) { ++ pr_warn("xtalk:n%d/%x bridge failed to add platform resources.\n", nasid, widget); ++ goto err_put_pdev_wd; ++ } ++ if (platform_device_add_data(pdev_wd, wd, sizeof(*wd))) { ++ pr_warn("xtalk:n%d/%x bridge failed to add platform data.\n", nasid, widget); ++ goto err_put_pdev_wd; ++ } ++ if (platform_device_add(pdev_wd)) { ++ pr_warn("xtalk:n%d/%x bridge failed to add platform device.\n", nasid, widget); ++ goto err_put_pdev_wd; + } +- platform_device_add_resources(pdev, &w1_res, 1); +- platform_device_add_data(pdev, wd, sizeof(*wd)); + /* platform_device_add_data() duplicates the data */ + kfree(wd); +- platform_device_add(pdev); + + bd = kzalloc(sizeof(*bd), GFP_KERNEL); +- if (!bd) +- goto no_mem; +- pdev = platform_device_alloc("xtalk-bridge", PLATFORM_DEVID_AUTO); +- if (!pdev) { +- kfree(bd); +- goto no_mem; ++ if (!bd) { ++ pr_warn("xtalk:n%d/%x bridge create out of memory\n", nasid, widget); ++ goto err_unregister_pdev_wd; ++ } ++ pdev_bd = platform_device_alloc("xtalk-bridge", PLATFORM_DEVID_AUTO); ++ if (!pdev_bd) { ++ pr_warn("xtalk:n%d/%x bridge create out of memory\n", nasid, widget); ++ goto err_kfree_bd; + } + + +@@ -84,15 +98,31 @@ static void bridge_platform_create(nasid_t nasid, int widget, int masterwid) + bd->io.flags = IORESOURCE_IO; + bd->io_offset = offset; + +- platform_device_add_data(pdev, bd, sizeof(*bd)); ++ if (platform_device_add_data(pdev_bd, bd, sizeof(*bd))) { ++ pr_warn("xtalk:n%d/%x bridge failed to add platform data.\n", nasid, widget); ++ goto err_put_pdev_bd; ++ } ++ if (platform_device_add(pdev_bd)) { ++ pr_warn("xtalk:n%d/%x bridge failed to add platform device.\n", nasid, widget); ++ goto err_put_pdev_bd; ++ } + /* platform_device_add_data() duplicates the data */ + kfree(bd); +- platform_device_add(pdev); + pr_info("xtalk:n%d/%x bridge widget\n", nasid, widget); + return; + +-no_mem: +- pr_warn("xtalk:n%d/%x bridge create out of memory\n", nasid, widget); ++err_put_pdev_bd: ++ platform_device_put(pdev_bd); ++err_kfree_bd: ++ kfree(bd); ++err_unregister_pdev_wd: ++ platform_device_unregister(pdev_wd); ++ return; ++err_put_pdev_wd: ++ platform_device_put(pdev_wd); ++err_kfree_wd: ++ kfree(wd); ++ return; + } + + static int probe_one_port(nasid_t nasid, int widget, int masterwid) +-- +2.35.1 + diff --git a/queue-6.0/mips-sgi-ip30-fix-platform-device-leak-in-bridge_pla.patch b/queue-6.0/mips-sgi-ip30-fix-platform-device-leak-in-bridge_pla.patch new file mode 100644 index 00000000000..cdf8799df1a --- /dev/null +++ b/queue-6.0/mips-sgi-ip30-fix-platform-device-leak-in-bridge_pla.patch @@ -0,0 +1,138 @@ +From 1e3e150b1e632b5095f3f822c10d7eb16f2d747e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 11:28:07 +0800 +Subject: MIPS: SGI-IP30: Fix platform-device leak in bridge_platform_create() + +From: Lin Yujun + +[ Upstream commit 1e6d11fe72e311c1989991ee318d239f650fa318 ] + +In error case in bridge_platform_create after calling +platform_device_add()/platform_device_add_data()/ +platform_device_add_resources(), release the failed +'pdev' or it will be leak, call platform_device_put() +to fix this problem. + +Besides, 'pdev' is divided into 'pdev_wd' and 'pdev_bd', +use platform_device_unregister() to release sgi_w1 +resources when xtalk-bridge registration fails. + +Fixes: fd27234f24ae ("MIPS: add support for SGI Octane (IP30)") +Signed-off-by: Lin Yujun +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/sgi-ip30/ip30-xtalk.c | 70 +++++++++++++++++++++++---------- + 1 file changed, 50 insertions(+), 20 deletions(-) + +diff --git a/arch/mips/sgi-ip30/ip30-xtalk.c b/arch/mips/sgi-ip30/ip30-xtalk.c +index 8129524421cb..7ceb2b23ea1c 100644 +--- a/arch/mips/sgi-ip30/ip30-xtalk.c ++++ b/arch/mips/sgi-ip30/ip30-xtalk.c +@@ -40,12 +40,15 @@ static void bridge_platform_create(int widget, int masterwid) + { + struct xtalk_bridge_platform_data *bd; + struct sgi_w1_platform_data *wd; +- struct platform_device *pdev; ++ struct platform_device *pdev_wd; ++ struct platform_device *pdev_bd; + struct resource w1_res; + + wd = kzalloc(sizeof(*wd), GFP_KERNEL); +- if (!wd) +- goto no_mem; ++ if (!wd) { ++ pr_warn("xtalk:%x bridge create out of memory\n", widget); ++ return; ++ } + + snprintf(wd->dev_id, sizeof(wd->dev_id), "bridge-%012lx", + IP30_SWIN_BASE(widget)); +@@ -56,24 +59,35 @@ static void bridge_platform_create(int widget, int masterwid) + w1_res.end = w1_res.start + 3; + w1_res.flags = IORESOURCE_MEM; + +- pdev = platform_device_alloc("sgi_w1", PLATFORM_DEVID_AUTO); +- if (!pdev) { +- kfree(wd); +- goto no_mem; ++ pdev_wd = platform_device_alloc("sgi_w1", PLATFORM_DEVID_AUTO); ++ if (!pdev_wd) { ++ pr_warn("xtalk:%x bridge create out of memory\n", widget); ++ goto err_kfree_wd; ++ } ++ if (platform_device_add_resources(pdev_wd, &w1_res, 1)) { ++ pr_warn("xtalk:%x bridge failed to add platform resources.\n", widget); ++ goto err_put_pdev_wd; ++ } ++ if (platform_device_add_data(pdev_wd, wd, sizeof(*wd))) { ++ pr_warn("xtalk:%x bridge failed to add platform data.\n", widget); ++ goto err_put_pdev_wd; ++ } ++ if (platform_device_add(pdev_wd)) { ++ pr_warn("xtalk:%x bridge failed to add platform device.\n", widget); ++ goto err_put_pdev_wd; + } +- platform_device_add_resources(pdev, &w1_res, 1); +- platform_device_add_data(pdev, wd, sizeof(*wd)); + /* platform_device_add_data() duplicates the data */ + kfree(wd); +- platform_device_add(pdev); + + bd = kzalloc(sizeof(*bd), GFP_KERNEL); +- if (!bd) +- goto no_mem; +- pdev = platform_device_alloc("xtalk-bridge", PLATFORM_DEVID_AUTO); +- if (!pdev) { +- kfree(bd); +- goto no_mem; ++ if (!bd) { ++ pr_warn("xtalk:%x bridge create out of memory\n", widget); ++ goto err_unregister_pdev_wd; ++ } ++ pdev_bd = platform_device_alloc("xtalk-bridge", PLATFORM_DEVID_AUTO); ++ if (!pdev_bd) { ++ pr_warn("xtalk:%x bridge create out of memory\n", widget); ++ goto err_kfree_bd; + } + + bd->bridge_addr = IP30_RAW_SWIN_BASE(widget); +@@ -93,15 +107,31 @@ static void bridge_platform_create(int widget, int masterwid) + bd->io.flags = IORESOURCE_IO; + bd->io_offset = IP30_SWIN_BASE(widget); + +- platform_device_add_data(pdev, bd, sizeof(*bd)); ++ if (platform_device_add_data(pdev_bd, bd, sizeof(*bd))) { ++ pr_warn("xtalk:%x bridge failed to add platform data.\n", widget); ++ goto err_put_pdev_bd; ++ } ++ if (platform_device_add(pdev_bd)) { ++ pr_warn("xtalk:%x bridge failed to add platform device.\n", widget); ++ goto err_put_pdev_bd; ++ } + /* platform_device_add_data() duplicates the data */ + kfree(bd); +- platform_device_add(pdev); + pr_info("xtalk:%x bridge widget\n", widget); + return; + +-no_mem: +- pr_warn("xtalk:%x bridge create out of memory\n", widget); ++err_put_pdev_bd: ++ platform_device_put(pdev_bd); ++err_kfree_bd: ++ kfree(bd); ++err_unregister_pdev_wd: ++ platform_device_unregister(pdev_wd); ++ return; ++err_put_pdev_wd: ++ platform_device_put(pdev_wd); ++err_kfree_wd: ++ kfree(wd); ++ return; + } + + static unsigned int __init xbow_widget_active(s8 wid) +-- +2.35.1 + diff --git a/queue-6.0/misc-ocxl-fix-possible-refcount-leak-in-afu_ioctl.patch b/queue-6.0/misc-ocxl-fix-possible-refcount-leak-in-afu_ioctl.patch new file mode 100644 index 00000000000..63573bfdc20 --- /dev/null +++ b/queue-6.0/misc-ocxl-fix-possible-refcount-leak-in-afu_ioctl.patch @@ -0,0 +1,38 @@ +From 19dec594dc54ffebe99cee9601ec7df645e97729 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 16:26:00 +0800 +Subject: misc: ocxl: fix possible refcount leak in afu_ioctl() + +From: Hangyu Hua + +[ Upstream commit c3b69ba5114c860d730870c03ab4ee45276e5e35 ] + +eventfd_ctx_put need to be called to put the refcount that gotten by +eventfd_ctx_fdget when ocxl_irq_set_handler fails. + +Fixes: 060146614643 ("ocxl: move event_fd handling to frontend") +Acked-by: Frederic Barrat +Signed-off-by: Hangyu Hua +Link: https://lore.kernel.org/r/20220824082600.36159-1-hbh25y@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/ocxl/file.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/misc/ocxl/file.c b/drivers/misc/ocxl/file.c +index 6777c419a8da..d46dba2df5a1 100644 +--- a/drivers/misc/ocxl/file.c ++++ b/drivers/misc/ocxl/file.c +@@ -257,6 +257,8 @@ static long afu_ioctl(struct file *file, unsigned int cmd, + if (IS_ERR(ev_ctx)) + return PTR_ERR(ev_ctx); + rc = ocxl_irq_set_handler(ctx, irq_id, irq_handler, irq_free, ev_ctx); ++ if (rc) ++ eventfd_ctx_put(ev_ctx); + break; + + case OCXL_IOCTL_GET_METADATA: +-- +2.35.1 + diff --git a/queue-6.0/misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch b/queue-6.0/misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch new file mode 100644 index 00000000000..69dbbe28e58 --- /dev/null +++ b/queue-6.0/misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch @@ -0,0 +1,97 @@ +From 65169f2a6522325cef08da62ed9a6f907921fcda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 21:39:38 +0800 +Subject: mISDN: fix use-after-free bugs in l1oip timer handlers + +From: Duoming Zhou + +[ Upstream commit 2568a7e0832ee30b0a351016d03062ab4e0e0a3f ] + +The l1oip_cleanup() traverses the l1oip_ilist and calls +release_card() to cleanup module and stack. However, +release_card() calls del_timer() to delete the timers +such as keep_tl and timeout_tl. If the timer handler is +running, the del_timer() will not stop it and result in +UAF bugs. One of the processes is shown below: + + (cleanup routine) | (timer handler) +release_card() | l1oip_timeout() + ... | + del_timer() | ... + ... | + kfree(hc) //FREE | + | hc->timeout_on = 0 //USE + +Fix by calling del_timer_sync() in release_card(), which +makes sure the timer handlers have finished before the +resources, such as l1oip and so on, have been deallocated. + +What's more, the hc->workq and hc->socket_thread can kick +those timers right back in. We add a bool flag to show +if card is released. Then, check this flag in hc->workq +and hc->socket_thread. + +Fixes: 3712b42d4b1b ("Add layer1 over IP support") +Signed-off-by: Duoming Zhou +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/l1oip.h | 1 + + drivers/isdn/mISDN/l1oip_core.c | 13 +++++++------ + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/isdn/mISDN/l1oip.h b/drivers/isdn/mISDN/l1oip.h +index 7ea10db20e3a..48133d022812 100644 +--- a/drivers/isdn/mISDN/l1oip.h ++++ b/drivers/isdn/mISDN/l1oip.h +@@ -59,6 +59,7 @@ struct l1oip { + int bundle; /* bundle channels in one frm */ + int codec; /* codec to use for transmis. */ + int limit; /* limit number of bchannels */ ++ bool shutdown; /* if card is released */ + + /* timer */ + struct timer_list keep_tl; +diff --git a/drivers/isdn/mISDN/l1oip_core.c b/drivers/isdn/mISDN/l1oip_core.c +index 2c40412466e6..a77195e378b7 100644 +--- a/drivers/isdn/mISDN/l1oip_core.c ++++ b/drivers/isdn/mISDN/l1oip_core.c +@@ -275,7 +275,7 @@ l1oip_socket_send(struct l1oip *hc, u8 localcodec, u8 channel, u32 chanmask, + p = frame; + + /* restart timer */ +- if (time_before(hc->keep_tl.expires, jiffies + 5 * HZ)) ++ if (time_before(hc->keep_tl.expires, jiffies + 5 * HZ) && !hc->shutdown) + mod_timer(&hc->keep_tl, jiffies + L1OIP_KEEPALIVE * HZ); + else + hc->keep_tl.expires = jiffies + L1OIP_KEEPALIVE * HZ; +@@ -601,7 +601,9 @@ l1oip_socket_parse(struct l1oip *hc, struct sockaddr_in *sin, u8 *buf, int len) + goto multiframe; + + /* restart timer */ +- if (time_before(hc->timeout_tl.expires, jiffies + 5 * HZ) || !hc->timeout_on) { ++ if ((time_before(hc->timeout_tl.expires, jiffies + 5 * HZ) || ++ !hc->timeout_on) && ++ !hc->shutdown) { + hc->timeout_on = 1; + mod_timer(&hc->timeout_tl, jiffies + L1OIP_TIMEOUT * HZ); + } else /* only adjust timer */ +@@ -1232,11 +1234,10 @@ release_card(struct l1oip *hc) + { + int ch; + +- if (timer_pending(&hc->keep_tl)) +- del_timer(&hc->keep_tl); ++ hc->shutdown = true; + +- if (timer_pending(&hc->timeout_tl)) +- del_timer(&hc->timeout_tl); ++ del_timer_sync(&hc->keep_tl); ++ del_timer_sync(&hc->timeout_tl); + + cancel_work_sync(&hc->workq); + +-- +2.35.1 + diff --git a/queue-6.0/mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch b/queue-6.0/mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch new file mode 100644 index 00000000000..34d950a3aaa --- /dev/null +++ b/queue-6.0/mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch @@ -0,0 +1,41 @@ +From de8aa42b1490adac3a01f2156585bbabc416a199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 09:33:57 +0200 +Subject: mmc: au1xmmc: Fix an error handling path in au1xmmc_probe() + +From: Christophe JAILLET + +[ Upstream commit 5cbedf52608cc3cbc1c2a9a861fb671620427a20 ] + +If clk_prepare_enable() fails, there is no point in calling +clk_disable_unprepare() in the error handling path. + +Move the out_clk label at the right place. + +Fixes: b6507596dfd6 ("MIPS: Alchemy: au1xmmc: use clk framework") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/21d99886d07fa7fcbec74992657dabad98c935c4.1661412818.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/au1xmmc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/au1xmmc.c b/drivers/mmc/host/au1xmmc.c +index a9a0837153d8..c88b039dc9fb 100644 +--- a/drivers/mmc/host/au1xmmc.c ++++ b/drivers/mmc/host/au1xmmc.c +@@ -1097,8 +1097,9 @@ static int au1xmmc_probe(struct platform_device *pdev) + if (host->platdata && host->platdata->cd_setup && + !(mmc->caps & MMC_CAP_NEEDS_POLL)) + host->platdata->cd_setup(mmc, 0); +-out_clk: ++ + clk_disable_unprepare(host->clk); ++out_clk: + clk_put(host->clk); + out_irq: + free_irq(host->irq, host); +-- +2.35.1 + diff --git a/queue-6.0/mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch b/queue-6.0/mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch new file mode 100644 index 00000000000..18b5c852250 --- /dev/null +++ b/queue-6.0/mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch @@ -0,0 +1,38 @@ +From 57dae2b262de0c9a125d9033819cd0faa0232d05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 21:43:22 -0400 +Subject: mmc: sdhci-msm: add compatible string check for sdm670 + +From: Richard Acayan + +[ Upstream commit 4de95950d970c71a9e82a24573bb7a44fd95baa1 ] + +The Snapdragon 670 has the same quirk as Snapdragon 845 (needing to +restore the dll config). Add a compatible string check to detect the need +for this. + +Signed-off-by: Richard Acayan +Reviewed-by: Bhupesh Sharma +Acked-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220923014322.33620-3-mailingradian@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-msm.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c +index dc2991422a87..3a091a387ecb 100644 +--- a/drivers/mmc/host/sdhci-msm.c ++++ b/drivers/mmc/host/sdhci-msm.c +@@ -2441,6 +2441,7 @@ static const struct of_device_id sdhci_msm_dt_match[] = { + */ + {.compatible = "qcom,sdhci-msm-v4", .data = &sdhci_msm_mci_var}, + {.compatible = "qcom,sdhci-msm-v5", .data = &sdhci_msm_v5_var}, ++ {.compatible = "qcom,sdm670-sdhci", .data = &sdm845_sdhci_var}, + {.compatible = "qcom,sdm845-sdhci", .data = &sdm845_sdhci_var}, + {.compatible = "qcom,sc7180-sdhci", .data = &sdm845_sdhci_var}, + {}, +-- +2.35.1 + diff --git a/queue-6.0/mmc-wmt-sdmmc-fix-an-error-handling-path-in-wmt_mci_.patch b/queue-6.0/mmc-wmt-sdmmc-fix-an-error-handling-path-in-wmt_mci_.patch new file mode 100644 index 00000000000..125a479d302 --- /dev/null +++ b/queue-6.0/mmc-wmt-sdmmc-fix-an-error-handling-path-in-wmt_mci_.patch @@ -0,0 +1,48 @@ +From 1da113ee3b8aab295338b0a89fe717ec496bef32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 21:06:40 +0200 +Subject: mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe() + +From: Christophe JAILLET + +[ Upstream commit cb58188ad90a61784a56a64f5107faaf2ad323e7 ] + +A dma_free_coherent() call is missing in the error handling path of the +probe, as already done in the remove function. + +Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650") +Signed-off-by: Christophe JAILLET +Reviewed-by: Dan Carpenter +Link: https://lore.kernel.org/r/53fc6ffa5d1c428fefeae7d313cf4a669c3a1e98.1663873255.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/wmt-sdmmc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c +index 163ac9df8cca..9b5c503e3a3f 100644 +--- a/drivers/mmc/host/wmt-sdmmc.c ++++ b/drivers/mmc/host/wmt-sdmmc.c +@@ -846,7 +846,7 @@ static int wmt_mci_probe(struct platform_device *pdev) + if (IS_ERR(priv->clk_sdmmc)) { + dev_err(&pdev->dev, "Error getting clock\n"); + ret = PTR_ERR(priv->clk_sdmmc); +- goto fail5; ++ goto fail5_and_a_half; + } + + ret = clk_prepare_enable(priv->clk_sdmmc); +@@ -863,6 +863,9 @@ static int wmt_mci_probe(struct platform_device *pdev) + return 0; + fail6: + clk_put(priv->clk_sdmmc); ++fail5_and_a_half: ++ dma_free_coherent(&pdev->dev, mmc->max_blk_count * 16, ++ priv->dma_desc_buffer, priv->dma_desc_device_addr); + fail5: + free_irq(dma_irq, priv); + fail4: +-- +2.35.1 + diff --git a/queue-6.0/module-tracking-keep-a-record-of-tainted-unloaded-mo.patch b/queue-6.0/module-tracking-keep-a-record-of-tainted-unloaded-mo.patch new file mode 100644 index 00000000000..4e99d68e0e6 --- /dev/null +++ b/queue-6.0/module-tracking-keep-a-record-of-tainted-unloaded-mo.patch @@ -0,0 +1,39 @@ +From cf9280ef99923f38acbd3f559c9a38c3b42d0afc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Oct 2022 14:38:12 +0100 +Subject: module: tracking: Keep a record of tainted unloaded modules only + +From: Aaron Tomlin + +[ Upstream commit 47cc75aa92837a9d3f15157d6272ff285585d75d ] + +This ensures that no module record/or entry is added to the +unloaded_tainted_modules list if it does not carry a taint. + +Reported-by: Alexey Dobriyan +Fixes: 99bd9956551b ("module: Introduce module unload taint tracking") +Signed-off-by: Aaron Tomlin +Acked-by: Luis Chamberlain +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/module/tracking.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/module/tracking.c b/kernel/module/tracking.c +index 7f8133044d09..af52cabfe632 100644 +--- a/kernel/module/tracking.c ++++ b/kernel/module/tracking.c +@@ -21,6 +21,9 @@ int try_add_tainted_module(struct module *mod) + + module_assert_mutex_or_preempt(); + ++ if (!mod->taints) ++ goto out; ++ + list_for_each_entry_rcu(mod_taint, &unloaded_tainted_modules, list, + lockdep_is_held(&module_mutex)) { + if (!strcmp(mod_taint->name, mod->name) && +-- +2.35.1 + diff --git a/queue-6.0/mtd-devices-docg3-check-the-return-value-of-devm_ior.patch b/queue-6.0/mtd-devices-docg3-check-the-return-value-of-devm_ior.patch new file mode 100644 index 00000000000..8ec8c375667 --- /dev/null +++ b/queue-6.0/mtd-devices-docg3-check-the-return-value-of-devm_ior.patch @@ -0,0 +1,46 @@ +From a4595c946d935305ac80e2a97ec106fe784986d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 17:16:44 +0800 +Subject: mtd: devices: docg3: check the return value of devm_ioremap() in the + probe + +From: William Dean + +[ Upstream commit 26e784433e6c65735cd6d93a8db52531970d9a60 ] + +The function devm_ioremap() in docg3_probe() can fail, so +its return value should be checked. + +Fixes: 82402aeb8c81e ("mtd: docg3: Use devm_*() functions") +Reported-by: Hacash Robot +Signed-off-by: William Dean +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220722091644.2937953-1-williamsukatube@163.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/devices/docg3.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/devices/docg3.c b/drivers/mtd/devices/docg3.c +index 5b0ae5ddad74..27c08f22dec8 100644 +--- a/drivers/mtd/devices/docg3.c ++++ b/drivers/mtd/devices/docg3.c +@@ -1974,9 +1974,14 @@ static int __init docg3_probe(struct platform_device *pdev) + dev_err(dev, "No I/O memory resource defined\n"); + return ret; + } +- base = devm_ioremap(dev, ress->start, DOC_IOSPACE_SIZE); + + ret = -ENOMEM; ++ base = devm_ioremap(dev, ress->start, DOC_IOSPACE_SIZE); ++ if (!base) { ++ dev_err(dev, "devm_ioremap dev failed\n"); ++ return ret; ++ } ++ + cascade = devm_kcalloc(dev, DOC_MAX_NBFLOORS, sizeof(*cascade), + GFP_KERNEL); + if (!cascade) +-- +2.35.1 + diff --git a/queue-6.0/mtd-rawnand-fsl_elbc-fix-none-ecc-mode.patch b/queue-6.0/mtd-rawnand-fsl_elbc-fix-none-ecc-mode.patch new file mode 100644 index 00000000000..f5bb8140696 --- /dev/null +++ b/queue-6.0/mtd-rawnand-fsl_elbc-fix-none-ecc-mode.patch @@ -0,0 +1,98 @@ +From 02fae436c06c9beed745054fbdfd606201fc2f40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Jul 2022 20:43:28 +0200 +Subject: mtd: rawnand: fsl_elbc: Fix none ECC mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 049e43b9fd8fd2966940485da163d67e96ee3fea ] + +Commit f6424c22aa36 ("mtd: rawnand: fsl_elbc: Make SW ECC work") added +support for specifying ECC mode via DTS and skipping autodetection. + +But it broke explicit specification of HW ECC mode in DTS as correct +settings for HW ECC mode are applied only when NONE mode or nothing was +specified in DTS file. + +Also it started aliasing NONE mode to be same as when ECC mode was not +specified and disallowed usage of ON_DIE mode. + +Fix all these issues. Use autodetection of ECC mode only in case when mode +was really not specified in DTS file by checking that ecc value is invalid. +Set HW ECC settings either when HW ECC was specified in DTS or it was +autodetected. And do not fail when ON_DIE mode is set. + +Fixes: f6424c22aa36 ("mtd: rawnand: fsl_elbc: Make SW ECC work") +Signed-off-by: Pali Rohár +Reviewed-by: Marek Behún +Reviewed-by: Marek Behún +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220707184328.3845-1-pali@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/fsl_elbc_nand.c | 28 ++++++++++++++++------------ + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/drivers/mtd/nand/raw/fsl_elbc_nand.c b/drivers/mtd/nand/raw/fsl_elbc_nand.c +index aab93b9e6052..a18d121396aa 100644 +--- a/drivers/mtd/nand/raw/fsl_elbc_nand.c ++++ b/drivers/mtd/nand/raw/fsl_elbc_nand.c +@@ -726,36 +726,40 @@ static int fsl_elbc_attach_chip(struct nand_chip *chip) + struct fsl_lbc_regs __iomem *lbc = ctrl->regs; + unsigned int al; + +- switch (chip->ecc.engine_type) { + /* + * if ECC was not chosen in DT, decide whether to use HW or SW ECC from + * CS Base Register + */ +- case NAND_ECC_ENGINE_TYPE_NONE: ++ if (chip->ecc.engine_type == NAND_ECC_ENGINE_TYPE_INVALID) { + /* If CS Base Register selects full hardware ECC then use it */ + if ((in_be32(&lbc->bank[priv->bank].br) & BR_DECC) == + BR_DECC_CHK_GEN) { +- chip->ecc.read_page = fsl_elbc_read_page; +- chip->ecc.write_page = fsl_elbc_write_page; +- chip->ecc.write_subpage = fsl_elbc_write_subpage; +- + chip->ecc.engine_type = NAND_ECC_ENGINE_TYPE_ON_HOST; +- mtd_set_ooblayout(mtd, &fsl_elbc_ooblayout_ops); +- chip->ecc.size = 512; +- chip->ecc.bytes = 3; +- chip->ecc.strength = 1; + } else { + /* otherwise fall back to default software ECC */ + chip->ecc.engine_type = NAND_ECC_ENGINE_TYPE_SOFT; + chip->ecc.algo = NAND_ECC_ALGO_HAMMING; + } ++ } ++ ++ switch (chip->ecc.engine_type) { ++ /* if HW ECC was chosen, setup ecc and oob layout */ ++ case NAND_ECC_ENGINE_TYPE_ON_HOST: ++ chip->ecc.read_page = fsl_elbc_read_page; ++ chip->ecc.write_page = fsl_elbc_write_page; ++ chip->ecc.write_subpage = fsl_elbc_write_subpage; ++ mtd_set_ooblayout(mtd, &fsl_elbc_ooblayout_ops); ++ chip->ecc.size = 512; ++ chip->ecc.bytes = 3; ++ chip->ecc.strength = 1; + break; + +- /* if SW ECC was chosen in DT, we do not need to set anything here */ ++ /* if none or SW ECC was chosen, we do not need to set anything here */ ++ case NAND_ECC_ENGINE_TYPE_NONE: + case NAND_ECC_ENGINE_TYPE_SOFT: ++ case NAND_ECC_ENGINE_TYPE_ON_DIE: + break; + +- /* should we also implement *_ECC_ENGINE_CONTROLLER to do as above? */ + default: + return -EINVAL; + } +-- +2.35.1 + diff --git a/queue-6.0/mtd-rawnand-intel-don-t-re-define-nand_data_iface_ch.patch b/queue-6.0/mtd-rawnand-intel-don-t-re-define-nand_data_iface_ch.patch new file mode 100644 index 00000000000..c692443dd34 --- /dev/null +++ b/queue-6.0/mtd-rawnand-intel-don-t-re-define-nand_data_iface_ch.patch @@ -0,0 +1,38 @@ +From 13b832c23c488548eeea4be050a9f5e454a82a9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Jul 2022 01:12:24 +0200 +Subject: mtd: rawnand: intel: Don't re-define NAND_DATA_IFACE_CHECK_ONLY + +From: Martin Blumenstingl + +[ Upstream commit ebe0cd60fcffd499f8020fde9b3b74acba9c22af ] + +NAND_DATA_IFACE_CHECK_ONLY is already defined in +include/linux/mtd/rawnand.h which is also included by the driver. Drop +the re-definition from the intel-nand-controller driver. + +Fixes: 0b1039f016e8a3 ("mtd: rawnand: Add NAND controller support on Intel LGM SoC") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220702231227.1579176-6-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/intel-nand-controller.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/intel-nand-controller.c b/drivers/mtd/nand/raw/intel-nand-controller.c +index 056835fd4562..3df16d5ecae8 100644 +--- a/drivers/mtd/nand/raw/intel-nand-controller.c ++++ b/drivers/mtd/nand/raw/intel-nand-controller.c +@@ -100,8 +100,6 @@ + + #define HSNAND_ECC_OFFSET 0x008 + +-#define NAND_DATA_IFACE_CHECK_ONLY -1 +- + #define MAX_CS 2 + + #define USEC_PER_SEC 1000000L +-- +2.35.1 + diff --git a/queue-6.0/mtd-rawnand-intel-read-the-chip-select-line-from-the.patch b/queue-6.0/mtd-rawnand-intel-read-the-chip-select-line-from-the.patch new file mode 100644 index 00000000000..fbb6633a5d8 --- /dev/null +++ b/queue-6.0/mtd-rawnand-intel-read-the-chip-select-line-from-the.patch @@ -0,0 +1,68 @@ +From dee80ed0b8b6c845ba4bef42c89e08a76fd0fa74 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Jul 2022 01:12:22 +0200 +Subject: mtd: rawnand: intel: Read the chip-select line from the correct OF + node + +From: Martin Blumenstingl + +[ Upstream commit bfc618fcc3f167ad082053e81e9d664e724c6288 ] + +The chip select has to be read from the flash node which is a child node +of the NAND controller. + +Fixes: 0b1039f016e8a3 ("mtd: rawnand: Add NAND controller support on Intel LGM SoC") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220702231227.1579176-4-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/intel-nand-controller.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/intel-nand-controller.c b/drivers/mtd/nand/raw/intel-nand-controller.c +index e91b879b32bd..3df3f32423f9 100644 +--- a/drivers/mtd/nand/raw/intel-nand-controller.c ++++ b/drivers/mtd/nand/raw/intel-nand-controller.c +@@ -16,6 +16,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -580,6 +581,7 @@ static int ebu_nand_probe(struct platform_device *pdev) + { + struct device *dev = &pdev->dev; + struct ebu_nand_controller *ebu_host; ++ struct device_node *chip_np; + struct nand_chip *nand; + struct mtd_info *mtd; + struct resource *res; +@@ -604,7 +606,12 @@ static int ebu_nand_probe(struct platform_device *pdev) + if (IS_ERR(ebu_host->hsnand)) + return PTR_ERR(ebu_host->hsnand); + +- ret = device_property_read_u32(dev, "reg", &cs); ++ chip_np = of_get_next_child(dev->of_node, NULL); ++ if (!chip_np) ++ return dev_err_probe(dev, -EINVAL, ++ "Could not find child node for the NAND chip\n"); ++ ++ ret = of_property_read_u32(chip_np, "reg", &cs); + if (ret) { + dev_err(dev, "failed to get chip select: %d\n", ret); + return ret; +@@ -660,7 +667,7 @@ static int ebu_nand_probe(struct platform_device *pdev) + writel(ebu_host->cs[cs].addr_sel | EBU_ADDR_MASK(5) | EBU_ADDR_SEL_REGEN, + ebu_host->ebu + EBU_ADDR_SEL(cs)); + +- nand_set_flash_node(&ebu_host->chip, dev->of_node); ++ nand_set_flash_node(&ebu_host->chip, chip_np); + + mtd = nand_to_mtd(&ebu_host->chip); + if (!mtd->name) { +-- +2.35.1 + diff --git a/queue-6.0/mtd-rawnand-intel-remove-undocumented-compatible-str.patch b/queue-6.0/mtd-rawnand-intel-remove-undocumented-compatible-str.patch new file mode 100644 index 00000000000..8f827890051 --- /dev/null +++ b/queue-6.0/mtd-rawnand-intel-remove-undocumented-compatible-str.patch @@ -0,0 +1,37 @@ +From 835c107b208bc2ae6962b2409599d436dbfeb0e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Jul 2022 01:12:23 +0200 +Subject: mtd: rawnand: intel: Remove undocumented compatible string + +From: Martin Blumenstingl + +[ Upstream commit 68c02ebaa34d41063ccbbc789a352537ddc3cd8a ] + +The "intel,nand-controller" compatible string is not part of the +dt-bindings. Remove it from the driver as it's not supposed to be used +without any documentation for it. + +Fixes: 0b1039f016e8a3 ("mtd: rawnand: Add NAND controller support on Intel LGM SoC") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220702231227.1579176-5-martin.blumenstingl@googlemail.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/intel-nand-controller.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/intel-nand-controller.c b/drivers/mtd/nand/raw/intel-nand-controller.c +index 3df3f32423f9..056835fd4562 100644 +--- a/drivers/mtd/nand/raw/intel-nand-controller.c ++++ b/drivers/mtd/nand/raw/intel-nand-controller.c +@@ -723,7 +723,6 @@ static int ebu_nand_remove(struct platform_device *pdev) + } + + static const struct of_device_id ebu_nand_match[] = { +- { .compatible = "intel,nand-controller" }, + { .compatible = "intel,lgm-ebunand" }, + {} + }; +-- +2.35.1 + diff --git a/queue-6.0/mtd-rawnand-meson-fix-bit-map-use-in-meson_nfc_ecc_c.patch b/queue-6.0/mtd-rawnand-meson-fix-bit-map-use-in-meson_nfc_ecc_c.patch new file mode 100644 index 00000000000..20de431b4d9 --- /dev/null +++ b/queue-6.0/mtd-rawnand-meson-fix-bit-map-use-in-meson_nfc_ecc_c.patch @@ -0,0 +1,49 @@ +From 6320ed76c9c4e4339c5c797092627b4e7e498afe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 10:12:12 +0300 +Subject: mtd: rawnand: meson: fix bit map use in meson_nfc_ecc_correct() + +From: Dan Carpenter + +[ Upstream commit 3e4ad3212cf22687410b1e8f4e68feec50646113 ] + +The meson_nfc_ecc_correct() function accidentally does a right shift +instead of a left shift so it only works for BIT(0). Also use +BIT_ULL() because "correct_bitmap" is a u64 and we want to avoid +shift wrapping bugs. + +Fixes: 8fae856c5350 ("mtd: rawnand: meson: add support for Amlogic NAND flash controller") +Signed-off-by: Dan Carpenter +Acked-by: Liang Yang +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/YuI2zF1hP65+LE7r@kili +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/meson_nand.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c +index 829b76b303aa..ad2ffd0ca800 100644 +--- a/drivers/mtd/nand/raw/meson_nand.c ++++ b/drivers/mtd/nand/raw/meson_nand.c +@@ -454,7 +454,7 @@ static int meson_nfc_ecc_correct(struct nand_chip *nand, u32 *bitflips, + if (ECC_ERR_CNT(*info) != ECC_UNCORRECTABLE) { + mtd->ecc_stats.corrected += ECC_ERR_CNT(*info); + *bitflips = max_t(u32, *bitflips, ECC_ERR_CNT(*info)); +- *correct_bitmap |= 1 >> i; ++ *correct_bitmap |= BIT_ULL(i); + continue; + } + if ((nand->options & NAND_NEED_SCRAMBLING) && +@@ -800,7 +800,7 @@ static int meson_nfc_read_page_hwecc(struct nand_chip *nand, u8 *buf, + u8 *data = buf + i * ecc->size; + u8 *oob = nand->oob_poi + i * (ecc->bytes + 2); + +- if (correct_bitmap & (1 << i)) ++ if (correct_bitmap & BIT_ULL(i)) + continue; + ret = nand_check_erased_ecc_chunk(data, ecc->size, + oob, ecc->bytes + 2, +-- +2.35.1 + diff --git a/queue-6.0/mwifiex-fix-sleep-in-atomic-context-bugs-caused-by-d.patch b/queue-6.0/mwifiex-fix-sleep-in-atomic-context-bugs-caused-by-d.patch new file mode 100644 index 00000000000..ad0c86f4290 --- /dev/null +++ b/queue-6.0/mwifiex-fix-sleep-in-atomic-context-bugs-caused-by-d.patch @@ -0,0 +1,174 @@ +From 05f12e1eeb85a617f861fba401eaa985088f0454 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 19:21:27 +0800 +Subject: mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv + +From: Duoming Zhou + +[ Upstream commit 551e4745c7f218da7070b36a06318592913676ff ] + +There are sleep in atomic context bugs when uploading device dump +data in mwifiex. The root cause is that dev_coredumpv could not +be used in atomic contexts, because it calls dev_set_name which +include operations that may sleep. The call tree shows execution +paths that could lead to bugs: + + (Interrupt context) +fw_dump_timer_fn + mwifiex_upload_device_dump + dev_coredumpv(..., GFP_KERNEL) + dev_coredumpm() + kzalloc(sizeof(*devcd), gfp); //may sleep + dev_set_name + kobject_set_name_vargs + kvasprintf_const(GFP_KERNEL, ...); //may sleep + kstrdup(s, GFP_KERNEL); //may sleep + +The corresponding fail log is shown below: + +[ 135.275938] usb 1-1: == mwifiex dump information to /sys/class/devcoredump start +[ 135.281029] BUG: sleeping function called from invalid context at include/linux/sched/mm.h:265 +... +[ 135.293613] Call Trace: +[ 135.293613] +[ 135.293613] dump_stack_lvl+0x57/0x7d +[ 135.293613] __might_resched.cold+0x138/0x173 +[ 135.293613] ? dev_coredumpm+0xca/0x2e0 +[ 135.293613] kmem_cache_alloc_trace+0x189/0x1f0 +[ 135.293613] ? devcd_match_failing+0x30/0x30 +[ 135.293613] dev_coredumpm+0xca/0x2e0 +[ 135.293613] ? devcd_freev+0x10/0x10 +[ 135.293613] dev_coredumpv+0x1c/0x20 +[ 135.293613] ? devcd_match_failing+0x30/0x30 +[ 135.293613] mwifiex_upload_device_dump+0x65/0xb0 +[ 135.293613] ? mwifiex_dnld_fw+0x1b0/0x1b0 +[ 135.293613] call_timer_fn+0x122/0x3d0 +[ 135.293613] ? msleep_interruptible+0xb0/0xb0 +[ 135.293613] ? lock_downgrade+0x3c0/0x3c0 +[ 135.293613] ? __next_timer_interrupt+0x13c/0x160 +[ 135.293613] ? lockdep_hardirqs_on_prepare+0xe/0x220 +[ 135.293613] ? mwifiex_dnld_fw+0x1b0/0x1b0 +[ 135.293613] __run_timers.part.0+0x3f8/0x540 +[ 135.293613] ? call_timer_fn+0x3d0/0x3d0 +[ 135.293613] ? arch_restore_msi_irqs+0x10/0x10 +[ 135.293613] ? lapic_next_event+0x31/0x40 +[ 135.293613] run_timer_softirq+0x4f/0xb0 +[ 135.293613] __do_softirq+0x1c2/0x651 +... +[ 135.293613] RIP: 0010:default_idle+0xb/0x10 +[ 135.293613] RSP: 0018:ffff888006317e68 EFLAGS: 00000246 +[ 135.293613] RAX: ffffffff82ad8d10 RBX: ffff888006301cc0 RCX: ffffffff82ac90e1 +[ 135.293613] RDX: ffffed100d9ff1b4 RSI: ffffffff831ad140 RDI: ffffffff82ad8f20 +[ 135.293613] RBP: 0000000000000003 R08: 0000000000000000 R09: ffff88806cff8d9b +[ 135.293613] R10: ffffed100d9ff1b3 R11: 0000000000000001 R12: ffffffff84593410 +[ 135.293613] R13: 0000000000000000 R14: 0000000000000000 R15: 1ffff11000c62fd2 +... +[ 135.389205] usb 1-1: == mwifiex dump information to /sys/class/devcoredump end + +This patch uses delayed work to replace timer and moves the operations +that may sleep into a delayed work in order to mitigate bugs, it was +tested on Marvell 88W8801 chip whose port is usb and the firmware is +usb8801_uapsta.bin. The following is the result after using delayed +work to replace timer. + +[ 134.936453] usb 1-1: == mwifiex dump information to /sys/class/devcoredump start +[ 135.043344] usb 1-1: == mwifiex dump information to /sys/class/devcoredump end + +As we can see, there is no bug now. + +Fixes: f5ecd02a8b20 ("mwifiex: device dump support for usb interface") +Signed-off-by: Duoming Zhou +Reviewed-by: Brian Norris +Acked-by: Greg Kroah-Hartman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/5cfa5c473ff6d069cb67760ffa04a2f84ef450a8.1661252818.git.duoming@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/init.c | 9 +++++---- + drivers/net/wireless/marvell/mwifiex/main.h | 3 ++- + drivers/net/wireless/marvell/mwifiex/sta_event.c | 6 +++--- + 3 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/init.c b/drivers/net/wireless/marvell/mwifiex/init.c +index fc77489cc511..7dddb4b5dea1 100644 +--- a/drivers/net/wireless/marvell/mwifiex/init.c ++++ b/drivers/net/wireless/marvell/mwifiex/init.c +@@ -51,9 +51,10 @@ static void wakeup_timer_fn(struct timer_list *t) + adapter->if_ops.card_reset(adapter); + } + +-static void fw_dump_timer_fn(struct timer_list *t) ++static void fw_dump_work(struct work_struct *work) + { +- struct mwifiex_adapter *adapter = from_timer(adapter, t, devdump_timer); ++ struct mwifiex_adapter *adapter = ++ container_of(work, struct mwifiex_adapter, devdump_work.work); + + mwifiex_upload_device_dump(adapter); + } +@@ -309,7 +310,7 @@ static void mwifiex_init_adapter(struct mwifiex_adapter *adapter) + adapter->active_scan_triggered = false; + timer_setup(&adapter->wakeup_timer, wakeup_timer_fn, 0); + adapter->devdump_len = 0; +- timer_setup(&adapter->devdump_timer, fw_dump_timer_fn, 0); ++ INIT_DELAYED_WORK(&adapter->devdump_work, fw_dump_work); + } + + /* +@@ -388,7 +389,7 @@ static void + mwifiex_adapter_cleanup(struct mwifiex_adapter *adapter) + { + del_timer(&adapter->wakeup_timer); +- del_timer_sync(&adapter->devdump_timer); ++ cancel_delayed_work_sync(&adapter->devdump_work); + mwifiex_cancel_all_pending_cmd(adapter); + wake_up_interruptible(&adapter->cmd_wait_q.wait); + wake_up_interruptible(&adapter->hs_activate_wait_q); +diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h +index 87729d251fed..63f861e6b28a 100644 +--- a/drivers/net/wireless/marvell/mwifiex/main.h ++++ b/drivers/net/wireless/marvell/mwifiex/main.h +@@ -37,6 +37,7 @@ + #include + #include + #include ++#include + + #include "decl.h" + #include "ioctl.h" +@@ -1043,7 +1044,7 @@ struct mwifiex_adapter { + /* Device dump data/length */ + void *devdump_data; + int devdump_len; +- struct timer_list devdump_timer; ++ struct delayed_work devdump_work; + + bool ignore_btcoex_events; + }; +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_event.c b/drivers/net/wireless/marvell/mwifiex/sta_event.c +index b95e90a7d124..e80e372cce8c 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_event.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_event.c +@@ -611,8 +611,8 @@ mwifiex_fw_dump_info_event(struct mwifiex_private *priv, + * transmission event get lost, in this cornel case, + * user would still get partial of the dump. + */ +- mod_timer(&adapter->devdump_timer, +- jiffies + msecs_to_jiffies(MWIFIEX_TIMER_10S)); ++ schedule_delayed_work(&adapter->devdump_work, ++ msecs_to_jiffies(MWIFIEX_TIMER_10S)); + } + + /* Overflow check */ +@@ -631,7 +631,7 @@ mwifiex_fw_dump_info_event(struct mwifiex_private *priv, + return; + + upload_dump: +- del_timer_sync(&adapter->devdump_timer); ++ cancel_delayed_work_sync(&adapter->devdump_work); + mwifiex_upload_device_dump(adapter); + } + +-- +2.35.1 + diff --git a/queue-6.0/nbd-fix-hung-when-signal-interrupts-nbd_start_device.patch b/queue-6.0/nbd-fix-hung-when-signal-interrupts-nbd_start_device.patch new file mode 100644 index 00000000000..780c38cd4c4 --- /dev/null +++ b/queue-6.0/nbd-fix-hung-when-signal-interrupts-nbd_start_device.patch @@ -0,0 +1,69 @@ +From 44b09389c02e9029fe1bc7c5625923b0df97b8b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 01:35:02 +0900 +Subject: nbd: Fix hung when signal interrupts nbd_start_device_ioctl() + +From: Shigeru Yoshida + +[ Upstream commit 1de7c3cf48fc41cd95adb12bd1ea9033a917798a ] + +syzbot reported hung task [1]. The following program is a simplified +version of the reproducer: + +int main(void) +{ + int sv[2], fd; + + if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) + return 1; + if ((fd = open("/dev/nbd0", 0)) < 0) + return 1; + if (ioctl(fd, NBD_SET_SIZE_BLOCKS, 0x81) < 0) + return 1; + if (ioctl(fd, NBD_SET_SOCK, sv[0]) < 0) + return 1; + if (ioctl(fd, NBD_DO_IT) < 0) + return 1; + return 0; +} + +When signal interrupt nbd_start_device_ioctl() waiting the condition +atomic_read(&config->recv_threads) == 0, the task can hung because it +waits the completion of the inflight IOs. + +This patch fixes the issue by clearing queue, not just shutdown, when +signal interrupt nbd_start_device_ioctl(). + +Link: https://syzkaller.appspot.com/bug?id=7d89a3ffacd2b83fdd39549bc4d8e0a89ef21239 [1] +Reported-by: syzbot+38e6c55d4969a14c1534@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20220907163502.577561-1-syoshida@redhat.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 2a709daefbc4..2a2a1d996a57 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1413,10 +1413,12 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd) + mutex_unlock(&nbd->config_lock); + ret = wait_event_interruptible(config->recv_wq, + atomic_read(&config->recv_threads) == 0); +- if (ret) ++ if (ret) { + sock_shutdown(nbd); +- flush_workqueue(nbd->recv_workq); ++ nbd_clear_que(nbd); ++ } + ++ flush_workqueue(nbd->recv_workq); + mutex_lock(&nbd->config_lock); + nbd_bdev_reset(nbd); + /* user requested, ignore socket errors */ +-- +2.35.1 + diff --git a/queue-6.0/net-ax88796c-fix-return-type-of-ax88796c_start_xmit.patch b/queue-6.0/net-ax88796c-fix-return-type-of-ax88796c_start_xmit.patch new file mode 100644 index 00000000000..dbe37f177fc --- /dev/null +++ b/queue-6.0/net-ax88796c-fix-return-type-of-ax88796c_start_xmit.patch @@ -0,0 +1,46 @@ +From d56419e8549fe1ebe417cc28351ded4793000569 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 12:40:30 -0700 +Subject: net: ax88796c: Fix return type of ax88796c_start_xmit + +From: Nathan Huckleberry + +[ Upstream commit fcb7c210a24209ea8f6f32593580b57f52382ec2 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of ax88796c_start_xmit should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Acked-by: Lukasz Stelmach +Link: https://lore.kernel.org/r/20220912194031.808425-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/asix/ax88796c_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/asix/ax88796c_main.c b/drivers/net/ethernet/asix/ax88796c_main.c +index 6ba5b024a7be..f1d610efd69e 100644 +--- a/drivers/net/ethernet/asix/ax88796c_main.c ++++ b/drivers/net/ethernet/asix/ax88796c_main.c +@@ -381,7 +381,7 @@ static int ax88796c_hard_xmit(struct ax88796c_device *ax_local) + return 1; + } + +-static int ++static netdev_tx_t + ax88796c_start_xmit(struct sk_buff *skb, struct net_device *ndev) + { + struct ax88796c_device *ax_local = to_ax88796c_device(ndev); +-- +2.35.1 + diff --git a/queue-6.0/net-axienet-switch-to-64-bit-rx-tx-statistics.patch b/queue-6.0/net-axienet-switch-to-64-bit-rx-tx-statistics.patch new file mode 100644 index 00000000000..d37d98f8322 --- /dev/null +++ b/queue-6.0/net-axienet-switch-to-64-bit-rx-tx-statistics.patch @@ -0,0 +1,142 @@ +From f78032f1717f00c01413e94d527539165d15b35a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 17:39:01 -0600 +Subject: net: axienet: Switch to 64-bit RX/TX statistics + +From: Robert Hancock + +[ Upstream commit cb45a8bf4693965e89d115cd2c510f12bc127c37 ] + +The RX and TX byte/packet statistics in this driver could be overflowed +relatively quickly on a 32-bit platform. Switch these stats to use the +u64_stats infrastructure to avoid this. + +Signed-off-by: Robert Hancock +Link: https://lore.kernel.org/r/20220829233901.3429419-1-robert.hancock@calian.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_axienet.h | 12 ++++++ + .../net/ethernet/xilinx/xilinx_axienet_main.c | 37 +++++++++++++++++-- + 2 files changed, 45 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet.h b/drivers/net/ethernet/xilinx/xilinx_axienet.h +index f2e2261b4b7d..8ff4333de2ad 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet.h ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet.h +@@ -402,6 +402,9 @@ struct axidma_bd { + * @rx_bd_num: Size of RX buffer descriptor ring + * @rx_bd_ci: Stores the index of the Rx buffer descriptor in the ring being + * accessed currently. ++ * @rx_packets: RX packet count for statistics ++ * @rx_bytes: RX byte count for statistics ++ * @rx_stat_sync: Synchronization object for RX stats + * @napi_tx: NAPI TX control structure + * @tx_dma_cr: Nominal content of TX DMA control register + * @tx_bd_v: Virtual address of the TX buffer descriptor ring +@@ -411,6 +414,9 @@ struct axidma_bd { + * complete. Only updated at runtime by TX NAPI poll. + * @tx_bd_tail: Stores the index of the next Tx buffer descriptor in the ring + * to be populated. ++ * @tx_packets: TX packet count for statistics ++ * @tx_bytes: TX byte count for statistics ++ * @tx_stat_sync: Synchronization object for TX stats + * @dma_err_task: Work structure to process Axi DMA errors + * @tx_irq: Axidma TX IRQ number + * @rx_irq: Axidma RX IRQ number +@@ -458,6 +464,9 @@ struct axienet_local { + dma_addr_t rx_bd_p; + u32 rx_bd_num; + u32 rx_bd_ci; ++ u64_stats_t rx_packets; ++ u64_stats_t rx_bytes; ++ struct u64_stats_sync rx_stat_sync; + + struct napi_struct napi_tx; + u32 tx_dma_cr; +@@ -466,6 +475,9 @@ struct axienet_local { + u32 tx_bd_num; + u32 tx_bd_ci; + u32 tx_bd_tail; ++ u64_stats_t tx_packets; ++ u64_stats_t tx_bytes; ++ struct u64_stats_sync tx_stat_sync; + + struct work_struct dma_err_task; + +diff --git a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +index 1760930ec0c4..9262988d26a3 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_main.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_main.c +@@ -752,8 +752,10 @@ static int axienet_tx_poll(struct napi_struct *napi, int budget) + if (lp->tx_bd_ci >= lp->tx_bd_num) + lp->tx_bd_ci %= lp->tx_bd_num; + +- ndev->stats.tx_packets += packets; +- ndev->stats.tx_bytes += size; ++ u64_stats_update_begin(&lp->tx_stat_sync); ++ u64_stats_add(&lp->tx_packets, packets); ++ u64_stats_add(&lp->tx_bytes, size); ++ u64_stats_update_end(&lp->tx_stat_sync); + + /* Matches barrier in axienet_start_xmit */ + smp_mb(); +@@ -984,8 +986,10 @@ static int axienet_rx_poll(struct napi_struct *napi, int budget) + cur_p = &lp->rx_bd_v[lp->rx_bd_ci]; + } + +- lp->ndev->stats.rx_packets += packets; +- lp->ndev->stats.rx_bytes += size; ++ u64_stats_update_begin(&lp->rx_stat_sync); ++ u64_stats_add(&lp->rx_packets, packets); ++ u64_stats_add(&lp->rx_bytes, size); ++ u64_stats_update_end(&lp->rx_stat_sync); + + if (tail_p) + axienet_dma_out_addr(lp, XAXIDMA_RX_TDESC_OFFSET, tail_p); +@@ -1292,10 +1296,32 @@ static int axienet_ioctl(struct net_device *dev, struct ifreq *rq, int cmd) + return phylink_mii_ioctl(lp->phylink, rq, cmd); + } + ++static void ++axienet_get_stats64(struct net_device *dev, struct rtnl_link_stats64 *stats) ++{ ++ struct axienet_local *lp = netdev_priv(dev); ++ unsigned int start; ++ ++ netdev_stats_to_stats64(stats, &dev->stats); ++ ++ do { ++ start = u64_stats_fetch_begin_irq(&lp->rx_stat_sync); ++ stats->rx_packets = u64_stats_read(&lp->rx_packets); ++ stats->rx_bytes = u64_stats_read(&lp->rx_bytes); ++ } while (u64_stats_fetch_retry_irq(&lp->rx_stat_sync, start)); ++ ++ do { ++ start = u64_stats_fetch_begin_irq(&lp->tx_stat_sync); ++ stats->tx_packets = u64_stats_read(&lp->tx_packets); ++ stats->tx_bytes = u64_stats_read(&lp->tx_bytes); ++ } while (u64_stats_fetch_retry_irq(&lp->tx_stat_sync, start)); ++} ++ + static const struct net_device_ops axienet_netdev_ops = { + .ndo_open = axienet_open, + .ndo_stop = axienet_stop, + .ndo_start_xmit = axienet_start_xmit, ++ .ndo_get_stats64 = axienet_get_stats64, + .ndo_change_mtu = axienet_change_mtu, + .ndo_set_mac_address = netdev_set_mac_address, + .ndo_validate_addr = eth_validate_addr, +@@ -1850,6 +1876,9 @@ static int axienet_probe(struct platform_device *pdev) + lp->rx_bd_num = RX_BD_NUM_DEFAULT; + lp->tx_bd_num = TX_BD_NUM_DEFAULT; + ++ u64_stats_init(&lp->rx_stat_sync); ++ u64_stats_init(&lp->tx_stat_sync); ++ + netif_napi_add(ndev, &lp->napi_rx, axienet_rx_poll, NAPI_POLL_WEIGHT); + netif_napi_add(ndev, &lp->napi_tx, axienet_tx_poll, NAPI_POLL_WEIGHT); + +-- +2.35.1 + diff --git a/queue-6.0/net-broadcom-fix-return-type-for-implementation-of.patch b/queue-6.0/net-broadcom-fix-return-type-for-implementation-of.patch new file mode 100644 index 00000000000..cdcedc78299 --- /dev/null +++ b/queue-6.0/net-broadcom-fix-return-type-for-implementation-of.patch @@ -0,0 +1,41 @@ +From e055ac35c332080dacca622cc7c1795cca0077b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 15:54:07 +0800 +Subject: net: broadcom: Fix return type for implementation of + +From: GUO Zihua + +[ Upstream commit 12f7bd252221d4f9e000e20530e50129241e3a67 ] + +Since Linux now supports CFI, it will be a good idea to fix mismatched +return type for implementation of hooks. Otherwise this might get +cought out by CFI and cause a panic. + +bcm4908_enet_start_xmit() would return either NETDEV_TX_BUSY or +NETDEV_TX_OK, so change the return type to netdev_tx_t directly. + +Signed-off-by: GUO Zihua +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220902075407.52358-1-guozihua@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bcm4908_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bcm4908_enet.c b/drivers/net/ethernet/broadcom/bcm4908_enet.c +index c131d8118489..e5e17a182f9d 100644 +--- a/drivers/net/ethernet/broadcom/bcm4908_enet.c ++++ b/drivers/net/ethernet/broadcom/bcm4908_enet.c +@@ -507,7 +507,7 @@ static int bcm4908_enet_stop(struct net_device *netdev) + return 0; + } + +-static int bcm4908_enet_start_xmit(struct sk_buff *skb, struct net_device *netdev) ++static netdev_tx_t bcm4908_enet_start_xmit(struct sk_buff *skb, struct net_device *netdev) + { + struct bcm4908_enet *enet = netdev_priv(netdev); + struct bcm4908_enet_dma_ring *ring = &enet->tx_ring; +-- +2.35.1 + diff --git a/queue-6.0/net-davicom-fix-return-type-of-dm9000_start_xmit.patch b/queue-6.0/net-davicom-fix-return-type-of-dm9000_start_xmit.patch new file mode 100644 index 00000000000..6197f4b5df5 --- /dev/null +++ b/queue-6.0/net-davicom-fix-return-type-of-dm9000_start_xmit.patch @@ -0,0 +1,46 @@ +From 527b15e38c9887ae3ebbe0bdc0713478bfe98631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 12:47:19 -0700 +Subject: net: davicom: Fix return type of dm9000_start_xmit + +From: Nathan Huckleberry + +[ Upstream commit 0191580b000d50089a0b351f7cdbec4866e3d0d2 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of dm9000_start_xmit should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20220912194722.809525-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/davicom/dm9000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c +index 0985ab216566..186a5e0a7862 100644 +--- a/drivers/net/ethernet/davicom/dm9000.c ++++ b/drivers/net/ethernet/davicom/dm9000.c +@@ -1012,7 +1012,7 @@ static void dm9000_send_packet(struct net_device *dev, + * Hardware start transmission. + * Send a packet to media from the upper layer. + */ +-static int ++static netdev_tx_t + dm9000_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + unsigned long flags; +-- +2.35.1 + diff --git a/queue-6.0/net-ethernet-litex-fix-return-type-of-liteeth_start_.patch b/queue-6.0/net-ethernet-litex-fix-return-type-of-liteeth_start_.patch new file mode 100644 index 00000000000..a939808c6e5 --- /dev/null +++ b/queue-6.0/net-ethernet-litex-fix-return-type-of-liteeth_start_.patch @@ -0,0 +1,48 @@ +From e8cc5416570c9a10d8011c96bb8ffa157ddf585b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 12:53:07 -0700 +Subject: net: ethernet: litex: Fix return type of liteeth_start_xmit + +From: Nathan Huckleberry + +[ Upstream commit 40662333dd7c64664247a6138bc33f3974e3a331 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of liteeth_start_xmit should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Reviewed-by: Nathan Chancellor +Acked-by: Gabriel Somlo +Link: https://lore.kernel.org/r/20220912195307.812229-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/litex/litex_liteeth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/litex/litex_liteeth.c b/drivers/net/ethernet/litex/litex_liteeth.c +index fdd99f0de424..35f24e0f0934 100644 +--- a/drivers/net/ethernet/litex/litex_liteeth.c ++++ b/drivers/net/ethernet/litex/litex_liteeth.c +@@ -152,7 +152,8 @@ static int liteeth_stop(struct net_device *netdev) + return 0; + } + +-static int liteeth_start_xmit(struct sk_buff *skb, struct net_device *netdev) ++static netdev_tx_t liteeth_start_xmit(struct sk_buff *skb, ++ struct net_device *netdev) + { + struct liteeth *priv = netdev_priv(netdev); + void __iomem *txbuffer; +-- +2.35.1 + diff --git a/queue-6.0/net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch b/queue-6.0/net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch new file mode 100644 index 00000000000..97e6b7184a6 --- /dev/null +++ b/queue-6.0/net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch @@ -0,0 +1,46 @@ +From 37936c71fe02e0748b89444dedda1c3cdbe3afd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 12:50:19 -0700 +Subject: net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit + +From: Nathan Huckleberry + +[ Upstream commit 5972ca946098487c5155fe13654743f9010f5ed5 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of emac_dev_xmit should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20220912195023.810319-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/davinci_emac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index 2a3e4e842fa5..e203a5984f03 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -949,7 +949,7 @@ static void emac_tx_handler(void *token, int len, int status) + * + * Returns success(NETDEV_TX_OK) or error code (typically out of desc's) + */ +-static int emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev) ++static netdev_tx_t emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev) + { + struct device *emac_dev = &ndev->dev; + int ret_code; +-- +2.35.1 + diff --git a/queue-6.0/net-ethernet-ti-davinci_mdio-add-workaround-for-erra.patch b/queue-6.0/net-ethernet-ti-davinci_mdio-add-workaround-for-erra.patch new file mode 100644 index 00000000000..39a9abe9452 --- /dev/null +++ b/queue-6.0/net-ethernet-ti-davinci_mdio-add-workaround-for-erra.patch @@ -0,0 +1,399 @@ +From d8ecbd3673aa2e011ea6c195142c09032cf6d0e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 15:14:06 +0530 +Subject: net: ethernet: ti: davinci_mdio: Add workaround for errata i2329 + +From: Ravi Gunasekaran + +[ Upstream commit d04807b80691c6041ca8e3dcf1870d1bf1082c22 ] + +On the CPSW and ICSS peripherals, there is a possibility that the MDIO +interface returns corrupt data on MDIO reads or writes incorrect data +on MDIO writes. There is also a possibility for the MDIO interface to +become unavailable until the next peripheral reset. + +The workaround is to configure the MDIO in manual mode and disable the +MDIO state machine and emulate the MDIO protocol by reading and writing +appropriate fields in MDIO_MANUAL_IF_REG register of the MDIO controller +to manipulate the MDIO clock and data pins. + +More details about the errata i2329 and the workaround is available in: +https://www.ti.com/lit/er/sprz487a/sprz487a.pdf + +Add implementation to disable MDIO state machine, configure MDIO in manual +mode and achieve MDIO read and writes via MDIO Bitbanging + +Signed-off-by: Ravi Gunasekaran +Reported-by: kernel test robot +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/davinci_mdio.c | 242 +++++++++++++++++++++++-- + 1 file changed, 231 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/ethernet/ti/davinci_mdio.c b/drivers/net/ethernet/ti/davinci_mdio.c +index ea3772618043..946b9753ccfb 100644 +--- a/drivers/net/ethernet/ti/davinci_mdio.c ++++ b/drivers/net/ethernet/ti/davinci_mdio.c +@@ -26,6 +26,8 @@ + #include + #include + #include ++#include ++#include + + /* + * This timeout definition is a worst-case ultra defensive measure against +@@ -41,6 +43,7 @@ + + struct davinci_mdio_of_param { + int autosuspend_delay_ms; ++ bool manual_mode; + }; + + struct davinci_mdio_regs { +@@ -49,6 +52,15 @@ struct davinci_mdio_regs { + #define CONTROL_IDLE BIT(31) + #define CONTROL_ENABLE BIT(30) + #define CONTROL_MAX_DIV (0xffff) ++#define CONTROL_CLKDIV GENMASK(15, 0) ++ ++#define MDIO_MAN_MDCLK_O BIT(2) ++#define MDIO_MAN_OE BIT(1) ++#define MDIO_MAN_PIN BIT(0) ++#define MDIO_MANUALMODE BIT(31) ++ ++#define MDIO_PIN 0 ++ + + u32 alive; + u32 link; +@@ -59,7 +71,9 @@ struct davinci_mdio_regs { + u32 userintmasked; + u32 userintmaskset; + u32 userintmaskclr; +- u32 __reserved_1[20]; ++ u32 manualif; ++ u32 poll; ++ u32 __reserved_1[18]; + + struct { + u32 access; +@@ -79,6 +93,7 @@ static const struct mdio_platform_data default_pdata = { + + struct davinci_mdio_data { + struct mdio_platform_data pdata; ++ struct mdiobb_ctrl bb_ctrl; + struct davinci_mdio_regs __iomem *regs; + struct clk *clk; + struct device *dev; +@@ -90,6 +105,7 @@ struct davinci_mdio_data { + */ + bool skip_scan; + u32 clk_div; ++ bool manual_mode; + }; + + static void davinci_mdio_init_clk(struct davinci_mdio_data *data) +@@ -128,9 +144,122 @@ static void davinci_mdio_enable(struct davinci_mdio_data *data) + writel(data->clk_div | CONTROL_ENABLE, &data->regs->control); + } + +-static int davinci_mdio_reset(struct mii_bus *bus) ++static void davinci_mdio_disable(struct davinci_mdio_data *data) ++{ ++ u32 reg; ++ ++ /* Disable MDIO state machine */ ++ reg = readl(&data->regs->control); ++ ++ reg &= ~CONTROL_CLKDIV; ++ reg |= data->clk_div; ++ ++ reg &= ~CONTROL_ENABLE; ++ writel(reg, &data->regs->control); ++} ++ ++static void davinci_mdio_enable_manual_mode(struct davinci_mdio_data *data) ++{ ++ u32 reg; ++ /* set manual mode */ ++ reg = readl(&data->regs->poll); ++ reg |= MDIO_MANUALMODE; ++ writel(reg, &data->regs->poll); ++} ++ ++static void davinci_set_mdc(struct mdiobb_ctrl *ctrl, int level) ++{ ++ struct davinci_mdio_data *data; ++ u32 reg; ++ ++ data = container_of(ctrl, struct davinci_mdio_data, bb_ctrl); ++ reg = readl(&data->regs->manualif); ++ ++ if (level) ++ reg |= MDIO_MAN_MDCLK_O; ++ else ++ reg &= ~MDIO_MAN_MDCLK_O; ++ ++ writel(reg, &data->regs->manualif); ++} ++ ++static void davinci_set_mdio_dir(struct mdiobb_ctrl *ctrl, int output) ++{ ++ struct davinci_mdio_data *data; ++ u32 reg; ++ ++ data = container_of(ctrl, struct davinci_mdio_data, bb_ctrl); ++ reg = readl(&data->regs->manualif); ++ ++ if (output) ++ reg |= MDIO_MAN_OE; ++ else ++ reg &= ~MDIO_MAN_OE; ++ ++ writel(reg, &data->regs->manualif); ++} ++ ++static void davinci_set_mdio_data(struct mdiobb_ctrl *ctrl, int value) ++{ ++ struct davinci_mdio_data *data; ++ u32 reg; ++ ++ data = container_of(ctrl, struct davinci_mdio_data, bb_ctrl); ++ reg = readl(&data->regs->manualif); ++ ++ if (value) ++ reg |= MDIO_MAN_PIN; ++ else ++ reg &= ~MDIO_MAN_PIN; ++ ++ writel(reg, &data->regs->manualif); ++} ++ ++static int davinci_get_mdio_data(struct mdiobb_ctrl *ctrl) ++{ ++ struct davinci_mdio_data *data; ++ unsigned long reg; ++ ++ data = container_of(ctrl, struct davinci_mdio_data, bb_ctrl); ++ reg = readl(&data->regs->manualif); ++ return test_bit(MDIO_PIN, ®); ++} ++ ++static int davinci_mdiobb_read(struct mii_bus *bus, int phy, int reg) ++{ ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(bus->parent); ++ if (ret < 0) ++ return ret; ++ ++ ret = mdiobb_read(bus, phy, reg); ++ ++ pm_runtime_mark_last_busy(bus->parent); ++ pm_runtime_put_autosuspend(bus->parent); ++ ++ return ret; ++} ++ ++static int davinci_mdiobb_write(struct mii_bus *bus, int phy, int reg, ++ u16 val) ++{ ++ int ret; ++ ++ ret = pm_runtime_resume_and_get(bus->parent); ++ if (ret < 0) ++ return ret; ++ ++ ret = mdiobb_write(bus, phy, reg, val); ++ ++ pm_runtime_mark_last_busy(bus->parent); ++ pm_runtime_put_autosuspend(bus->parent); ++ ++ return ret; ++} ++ ++static int davinci_mdio_common_reset(struct davinci_mdio_data *data) + { +- struct davinci_mdio_data *data = bus->priv; + u32 phy_mask, ver; + int ret; + +@@ -138,6 +267,11 @@ static int davinci_mdio_reset(struct mii_bus *bus) + if (ret < 0) + return ret; + ++ if (data->manual_mode) { ++ davinci_mdio_disable(data); ++ davinci_mdio_enable_manual_mode(data); ++ } ++ + /* wait for scan logic to settle */ + msleep(PHY_MAX_ADDR * data->access_time); + +@@ -171,6 +305,23 @@ static int davinci_mdio_reset(struct mii_bus *bus) + return 0; + } + ++static int davinci_mdio_reset(struct mii_bus *bus) ++{ ++ struct davinci_mdio_data *data = bus->priv; ++ ++ return davinci_mdio_common_reset(data); ++} ++ ++static int davinci_mdiobb_reset(struct mii_bus *bus) ++{ ++ struct mdiobb_ctrl *ctrl = bus->priv; ++ struct davinci_mdio_data *data; ++ ++ data = container_of(ctrl, struct davinci_mdio_data, bb_ctrl); ++ ++ return davinci_mdio_common_reset(data); ++} ++ + /* wait until hardware is ready for another user access */ + static inline int wait_for_user_access(struct davinci_mdio_data *data) + { +@@ -318,6 +469,28 @@ static int davinci_mdio_probe_dt(struct mdio_platform_data *data, + return 0; + } + ++struct k3_mdio_soc_data { ++ bool manual_mode; ++}; ++ ++static const struct k3_mdio_soc_data am65_mdio_soc_data = { ++ .manual_mode = true, ++}; ++ ++static const struct soc_device_attribute k3_mdio_socinfo[] = { ++ { .family = "AM62X", .revision = "SR1.0", .data = &am65_mdio_soc_data }, ++ { .family = "AM64X", .revision = "SR1.0", .data = &am65_mdio_soc_data }, ++ { .family = "AM64X", .revision = "SR2.0", .data = &am65_mdio_soc_data }, ++ { .family = "AM65X", .revision = "SR1.0", .data = &am65_mdio_soc_data }, ++ { .family = "AM65X", .revision = "SR2.0", .data = &am65_mdio_soc_data }, ++ { .family = "J7200", .revision = "SR1.0", .data = &am65_mdio_soc_data }, ++ { .family = "J7200", .revision = "SR2.0", .data = &am65_mdio_soc_data }, ++ { .family = "J721E", .revision = "SR1.0", .data = &am65_mdio_soc_data }, ++ { .family = "J721E", .revision = "SR2.0", .data = &am65_mdio_soc_data }, ++ { .family = "J721S2", .revision = "SR1.0", .data = &am65_mdio_soc_data}, ++ { /* sentinel */ }, ++}; ++ + #if IS_ENABLED(CONFIG_OF) + static const struct davinci_mdio_of_param of_cpsw_mdio_data = { + .autosuspend_delay_ms = 100, +@@ -331,6 +504,14 @@ static const struct of_device_id davinci_mdio_of_mtable[] = { + MODULE_DEVICE_TABLE(of, davinci_mdio_of_mtable); + #endif + ++static const struct mdiobb_ops davinci_mdiobb_ops = { ++ .owner = THIS_MODULE, ++ .set_mdc = davinci_set_mdc, ++ .set_mdio_dir = davinci_set_mdio_dir, ++ .set_mdio_data = davinci_set_mdio_data, ++ .get_mdio_data = davinci_get_mdio_data, ++}; ++ + static int davinci_mdio_probe(struct platform_device *pdev) + { + struct mdio_platform_data *pdata = dev_get_platdata(&pdev->dev); +@@ -345,7 +526,26 @@ static int davinci_mdio_probe(struct platform_device *pdev) + if (!data) + return -ENOMEM; + +- data->bus = devm_mdiobus_alloc(dev); ++ data->manual_mode = false; ++ data->bb_ctrl.ops = &davinci_mdiobb_ops; ++ ++ if (IS_ENABLED(CONFIG_OF) && dev->of_node) { ++ const struct soc_device_attribute *soc_match_data; ++ ++ soc_match_data = soc_device_match(k3_mdio_socinfo); ++ if (soc_match_data && soc_match_data->data) { ++ const struct k3_mdio_soc_data *socdata = ++ soc_match_data->data; ++ ++ data->manual_mode = socdata->manual_mode; ++ } ++ } ++ ++ if (data->manual_mode) ++ data->bus = alloc_mdio_bitbang(&data->bb_ctrl); ++ else ++ data->bus = devm_mdiobus_alloc(dev); ++ + if (!data->bus) { + dev_err(dev, "failed to alloc mii bus\n"); + return -ENOMEM; +@@ -371,11 +571,20 @@ static int davinci_mdio_probe(struct platform_device *pdev) + } + + data->bus->name = dev_name(dev); +- data->bus->read = davinci_mdio_read; +- data->bus->write = davinci_mdio_write; +- data->bus->reset = davinci_mdio_reset; ++ ++ if (data->manual_mode) { ++ data->bus->read = davinci_mdiobb_read; ++ data->bus->write = davinci_mdiobb_write; ++ data->bus->reset = davinci_mdiobb_reset; ++ ++ dev_info(dev, "Configuring MDIO in manual mode\n"); ++ } else { ++ data->bus->read = davinci_mdio_read; ++ data->bus->write = davinci_mdio_write; ++ data->bus->reset = davinci_mdio_reset; ++ data->bus->priv = data; ++ } + data->bus->parent = dev; +- data->bus->priv = data; + + data->clk = devm_clk_get(dev, "fck"); + if (IS_ERR(data->clk)) { +@@ -433,9 +642,13 @@ static int davinci_mdio_remove(struct platform_device *pdev) + { + struct davinci_mdio_data *data = platform_get_drvdata(pdev); + +- if (data->bus) ++ if (data->bus) { + mdiobus_unregister(data->bus); + ++ if (data->manual_mode) ++ free_mdio_bitbang(data->bus); ++ } ++ + pm_runtime_dont_use_autosuspend(&pdev->dev); + pm_runtime_disable(&pdev->dev); + +@@ -452,7 +665,9 @@ static int davinci_mdio_runtime_suspend(struct device *dev) + ctrl = readl(&data->regs->control); + ctrl &= ~CONTROL_ENABLE; + writel(ctrl, &data->regs->control); +- wait_for_idle(data); ++ ++ if (!data->manual_mode) ++ wait_for_idle(data); + + return 0; + } +@@ -461,7 +676,12 @@ static int davinci_mdio_runtime_resume(struct device *dev) + { + struct davinci_mdio_data *data = dev_get_drvdata(dev); + +- davinci_mdio_enable(data); ++ if (data->manual_mode) { ++ davinci_mdio_disable(data); ++ davinci_mdio_enable_manual_mode(data); ++ } else { ++ davinci_mdio_enable(data); ++ } + return 0; + } + #endif +-- +2.35.1 + diff --git a/queue-6.0/net-fs_enet-fix-wrong-check-in-do_pd_setup.patch b/queue-6.0/net-fs_enet-fix-wrong-check-in-do_pd_setup.patch new file mode 100644 index 00000000000..b59e3cbbde7 --- /dev/null +++ b/queue-6.0/net-fs_enet-fix-wrong-check-in-do_pd_setup.patch @@ -0,0 +1,36 @@ +From e19c9e2df1f0c811f0683c434047d90b95ca46de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 13:55:13 +0000 +Subject: net: fs_enet: Fix wrong check in do_pd_setup + +From: Zheng Yongjun + +[ Upstream commit ec3f06b542a960806a81345042e4eee3f8c5dec4 ] + +Should check of_iomap return value 'fep->fec.fecp' instead of 'fep->fcc.fccp' + +Fixes: 976de6a8c304 ("fs_enet: Be an of_platform device when CONFIG_PPC_CPM_NEW_BINDING is set.") +Signed-off-by: Zheng Yongjun +Reviewed-by: Christophe Leroy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fs_enet/mac-fec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/freescale/fs_enet/mac-fec.c b/drivers/net/ethernet/freescale/fs_enet/mac-fec.c +index 99fe2c210d0f..61f4b6e50d29 100644 +--- a/drivers/net/ethernet/freescale/fs_enet/mac-fec.c ++++ b/drivers/net/ethernet/freescale/fs_enet/mac-fec.c +@@ -98,7 +98,7 @@ static int do_pd_setup(struct fs_enet_private *fep) + return -EINVAL; + + fep->fec.fecp = of_iomap(ofdev->dev.of_node, 0); +- if (!fep->fcc.fccp) ++ if (!fep->fec.fecp) + return -EINVAL; + + return 0; +-- +2.35.1 + diff --git a/queue-6.0/net-ftmac100-fix-endianness-related-issues-from-spar.patch b/queue-6.0/net-ftmac100-fix-endianness-related-issues-from-spar.patch new file mode 100644 index 00000000000..4b79faaaa77 --- /dev/null +++ b/queue-6.0/net-ftmac100-fix-endianness-related-issues-from-spar.patch @@ -0,0 +1,67 @@ +From c130eb6e82fc2e93b2b9e304d18aa1c08c6645f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 14:37:49 +0300 +Subject: net: ftmac100: fix endianness-related issues from 'sparse' + +From: Sergei Antonov + +[ Upstream commit 9df696b3b3a4c96c3219eb87c7bf03fb50e490b8 ] + +Sparse found a number of endianness-related issues of these kinds: + +.../ftmac100.c:192:32: warning: restricted __le32 degrades to integer + +.../ftmac100.c:208:23: warning: incorrect type in assignment (different base types) +.../ftmac100.c:208:23: expected unsigned int rxdes0 +.../ftmac100.c:208:23: got restricted __le32 [usertype] + +.../ftmac100.c:249:23: warning: invalid assignment: &= +.../ftmac100.c:249:23: left side has type unsigned int +.../ftmac100.c:249:23: right side has type restricted __le32 + +.../ftmac100.c:527:16: warning: cast to restricted __le32 + +Change type of some fields from 'unsigned int' to '__le32' to fix it. + +Signed-off-by: Sergei Antonov +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220902113749.1408562-1-saproj@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/faraday/ftmac100.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/faraday/ftmac100.h b/drivers/net/ethernet/faraday/ftmac100.h +index fe986f1673fc..8af32f9070f4 100644 +--- a/drivers/net/ethernet/faraday/ftmac100.h ++++ b/drivers/net/ethernet/faraday/ftmac100.h +@@ -122,9 +122,9 @@ + * Transmit descriptor, aligned to 16 bytes + */ + struct ftmac100_txdes { +- unsigned int txdes0; +- unsigned int txdes1; +- unsigned int txdes2; /* TXBUF_BADR */ ++ __le32 txdes0; ++ __le32 txdes1; ++ __le32 txdes2; /* TXBUF_BADR */ + unsigned int txdes3; /* not used by HW */ + } __attribute__ ((aligned(16))); + +@@ -143,9 +143,9 @@ struct ftmac100_txdes { + * Receive descriptor, aligned to 16 bytes + */ + struct ftmac100_rxdes { +- unsigned int rxdes0; +- unsigned int rxdes1; +- unsigned int rxdes2; /* RXBUF_BADR */ ++ __le32 rxdes0; ++ __le32 rxdes1; ++ __le32 rxdes2; /* RXBUF_BADR */ + unsigned int rxdes3; /* not used by HW */ + } __attribute__ ((aligned(16))); + +-- +2.35.1 + diff --git a/queue-6.0/net-ieee802154-reject-zero-sized-raw_sendmsg.patch b/queue-6.0/net-ieee802154-reject-zero-sized-raw_sendmsg.patch new file mode 100644 index 00000000000..c3adfbd87aa --- /dev/null +++ b/queue-6.0/net-ieee802154-reject-zero-sized-raw_sendmsg.patch @@ -0,0 +1,40 @@ +From 2df1fc309c650ff057f6df4ff02c08982afa253d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Oct 2022 01:43:44 +0900 +Subject: net/ieee802154: reject zero-sized raw_sendmsg() + +From: Tetsuo Handa + +[ Upstream commit 3a4d061c699bd3eedc80dc97a4b2a2e1af83c6f5 ] + +syzbot is hitting skb_assert_len() warning at raw_sendmsg() for ieee802154 +socket. What commit dc633700f00f726e ("net/af_packet: check len when +min_header_len equals to 0") does also applies to ieee802154 socket. + +Link: https://syzkaller.appspot.com/bug?extid=5ea725c25d06fb9114c4 +Reported-by: syzbot +Fixes: fd1894224407c484 ("bpf: Don't redirect packets with invalid pkt_len") +Signed-off-by: Tetsuo Handa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ieee802154/socket.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c +index 7889e1ef7fad..cbd0e2ac4ffe 100644 +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -251,6 +251,9 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size) + return -EOPNOTSUPP; + } + ++ if (!size) ++ return -EINVAL; ++ + lock_sock(sk); + if (!sk->sk_bound_dev_if) + dev = dev_getfirstbyhwtype(sock_net(sk), ARPHRD_IEEE802154); +-- +2.35.1 + diff --git a/queue-6.0/net-if-sock-is-dead-don-t-access-sock-s-sk_wq-in-sk_.patch b/queue-6.0/net-if-sock-is-dead-don-t-access-sock-s-sk_wq-in-sk_.patch new file mode 100644 index 00000000000..6a89a8308d2 --- /dev/null +++ b/queue-6.0/net-if-sock-is-dead-don-t-access-sock-s-sk_wq-in-sk_.patch @@ -0,0 +1,107 @@ +From e26c761cbf0c9b8751c573719f0065bfbb659f6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 21:37:54 +0800 +Subject: net: If sock is dead don't access sock's sk_wq in + sk_stream_wait_memory + +From: Liu Jian + +[ Upstream commit 3f8ef65af927db247418d4e1db49164d7a158fc5 ] + +Fixes the below NULL pointer dereference: + + [...] + [ 14.471200] Call Trace: + [ 14.471562] + [ 14.471882] lock_acquire+0x245/0x2e0 + [ 14.472416] ? remove_wait_queue+0x12/0x50 + [ 14.473014] ? _raw_spin_lock_irqsave+0x17/0x50 + [ 14.473681] _raw_spin_lock_irqsave+0x3d/0x50 + [ 14.474318] ? remove_wait_queue+0x12/0x50 + [ 14.474907] remove_wait_queue+0x12/0x50 + [ 14.475480] sk_stream_wait_memory+0x20d/0x340 + [ 14.476127] ? do_wait_intr_irq+0x80/0x80 + [ 14.476704] do_tcp_sendpages+0x287/0x600 + [ 14.477283] tcp_bpf_push+0xab/0x260 + [ 14.477817] tcp_bpf_sendmsg_redir+0x297/0x500 + [ 14.478461] ? __local_bh_enable_ip+0x77/0xe0 + [ 14.479096] tcp_bpf_send_verdict+0x105/0x470 + [ 14.479729] tcp_bpf_sendmsg+0x318/0x4f0 + [ 14.480311] sock_sendmsg+0x2d/0x40 + [ 14.480822] ____sys_sendmsg+0x1b4/0x1c0 + [ 14.481390] ? copy_msghdr_from_user+0x62/0x80 + [ 14.482048] ___sys_sendmsg+0x78/0xb0 + [ 14.482580] ? vmf_insert_pfn_prot+0x91/0x150 + [ 14.483215] ? __do_fault+0x2a/0x1a0 + [ 14.483738] ? do_fault+0x15e/0x5d0 + [ 14.484246] ? __handle_mm_fault+0x56b/0x1040 + [ 14.484874] ? lock_is_held_type+0xdf/0x130 + [ 14.485474] ? find_held_lock+0x2d/0x90 + [ 14.486046] ? __sys_sendmsg+0x41/0x70 + [ 14.486587] __sys_sendmsg+0x41/0x70 + [ 14.487105] ? intel_pmu_drain_pebs_core+0x350/0x350 + [ 14.487822] do_syscall_64+0x34/0x80 + [ 14.488345] entry_SYSCALL_64_after_hwframe+0x63/0xcd + [...] + +The test scenario has the following flow: + +thread1 thread2 +----------- --------------- + tcp_bpf_sendmsg + tcp_bpf_send_verdict + tcp_bpf_sendmsg_redir sock_close + tcp_bpf_push_locked __sock_release + tcp_bpf_push //inet_release + do_tcp_sendpages sock->ops->release + sk_stream_wait_memory // tcp_close + sk_wait_event sk->sk_prot->close + release_sock(__sk); + *** + lock_sock(sk); + __tcp_close + sock_orphan(sk) + sk->sk_wq = NULL + release_sock + **** + lock_sock(__sk); + remove_wait_queue(sk_sleep(sk), &wait); + sk_sleep(sk) + //NULL pointer dereference + &rcu_dereference_raw(sk->sk_wq)->wait + +While waiting for memory in thread1, the socket is released with its wait +queue because thread2 has closed it. This caused by tcp_bpf_send_verdict +didn't increase the f_count of psock->sk_redir->sk_socket->file in thread1. + +We should check if SOCK_DEAD flag is set on wakeup in sk_stream_wait_memory +before accessing the wait queue. + +Suggested-by: Jakub Sitnicki +Signed-off-by: Liu Jian +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Cc: Eric Dumazet +Link: https://lore.kernel.org/bpf/20220823133755.314697-2-liujian56@huawei.com +Signed-off-by: Sasha Levin +--- + net/core/stream.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/core/stream.c b/net/core/stream.c +index ccc083cdef23..1105057ce00a 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -159,7 +159,8 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p) + *timeo_p = current_timeo; + } + out: +- remove_wait_queue(sk_sleep(sk), &wait); ++ if (!sock_flag(sk, SOCK_DEAD)) ++ remove_wait_queue(sk_sleep(sk), &wait); + return err; + + do_error: +-- +2.35.1 + diff --git a/queue-6.0/net-korina-fix-return-type-of-korina_send_packet.patch b/queue-6.0/net-korina-fix-return-type-of-korina_send_packet.patch new file mode 100644 index 00000000000..7d188700108 --- /dev/null +++ b/queue-6.0/net-korina-fix-return-type-of-korina_send_packet.patch @@ -0,0 +1,47 @@ +From a35eddc489c3abc2963121c4ef39508741336869 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 14:43:40 -0700 +Subject: net: korina: Fix return type of korina_send_packet + +From: Nathan Huckleberry + +[ Upstream commit 106c67ce46f3c82dd276e983668a91d6ed631173 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of korina_send_packet should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20220912214344.928925-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/korina.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c +index df9a8eefa007..eec6a9ec528b 100644 +--- a/drivers/net/ethernet/korina.c ++++ b/drivers/net/ethernet/korina.c +@@ -416,7 +416,8 @@ static void korina_abort_rx(struct net_device *dev) + } + + /* transmit packet */ +-static int korina_send_packet(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t korina_send_packet(struct sk_buff *skb, ++ struct net_device *dev) + { + struct korina_private *lp = netdev_priv(dev); + u32 chain_prev, chain_next; +-- +2.35.1 + diff --git a/queue-6.0/net-lan966x-fix-return-type-of-lan966x_port_xmit.patch b/queue-6.0/net-lan966x-fix-return-type-of-lan966x_port_xmit.patch new file mode 100644 index 00000000000..e68832916b6 --- /dev/null +++ b/queue-6.0/net-lan966x-fix-return-type-of-lan966x_port_xmit.patch @@ -0,0 +1,47 @@ +From 5a04b7109cf96397e17cb0f5ea7f50752ff95408 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 11:27:03 -0700 +Subject: net: lan966x: Fix return type of lan966x_port_xmit + +From: Nathan Huckleberry + +[ Upstream commit 450a580fc4b5e7f7fb8d9b1a0208bf0d1efc53a8 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of lan966x_port_xmit should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20220929182704.64438-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/lan966x/lan966x_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +index d928b75f3780..be40c6d3ec68 100644 +--- a/drivers/net/ethernet/microchip/lan966x/lan966x_main.c ++++ b/drivers/net/ethernet/microchip/lan966x/lan966x_main.c +@@ -344,7 +344,8 @@ static void lan966x_ifh_set_timestamp(void *ifh, u64 timestamp) + IFH_POS_TIMESTAMP, IFH_LEN * 4, PACK, 0); + } + +-static int lan966x_port_xmit(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t lan966x_port_xmit(struct sk_buff *skb, ++ struct net_device *dev) + { + struct lan966x_port *port = netdev_priv(dev); + struct lan966x *lan966x = port->lan966x; +-- +2.35.1 + diff --git a/queue-6.0/net-lantiq_etop-fix-return-type-for-implementation-o.patch b/queue-6.0/net-lantiq_etop-fix-return-type-for-implementation-o.patch new file mode 100644 index 00000000000..45f94874d8a --- /dev/null +++ b/queue-6.0/net-lantiq_etop-fix-return-type-for-implementation-o.patch @@ -0,0 +1,41 @@ +From b1edf9c6c525200301847cc2db144e155d16efb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 16:15:21 +0800 +Subject: net: lantiq_etop: Fix return type for implementation of + ndo_start_xmit + +From: GUO Zihua + +[ Upstream commit c8ef3c94bda0e21123202d057d4a299698fa0ed9 ] + +Since Linux now supports CFI, it will be a good idea to fix mismatched +return type for implementation of hooks. Otherwise this might get +cought out by CFI and cause a panic. + +ltq_etop_tx() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so +change the return type to netdev_tx_t directly. + +Signed-off-by: GUO Zihua +Link: https://lore.kernel.org/r/20220902081521.59867-1-guozihua@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/lantiq_etop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c +index 7cedbe1fdfd7..59aab4086dcc 100644 +--- a/drivers/net/ethernet/lantiq_etop.c ++++ b/drivers/net/ethernet/lantiq_etop.c +@@ -470,7 +470,7 @@ ltq_etop_stop(struct net_device *dev) + return 0; + } + +-static int ++static netdev_tx_t + ltq_etop_tx(struct sk_buff *skb, struct net_device *dev) + { + int queue = skb_get_queue_mapping(skb); +-- +2.35.1 + diff --git a/queue-6.0/net-mvpp2-fix-mvpp2-debugfs-leak.patch b/queue-6.0/net-mvpp2-fix-mvpp2-debugfs-leak.patch new file mode 100644 index 00000000000..e1cb6779c62 --- /dev/null +++ b/queue-6.0/net-mvpp2-fix-mvpp2-debugfs-leak.patch @@ -0,0 +1,108 @@ +From 45847cf03543af3731e79c59931bf874ae225766 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Oct 2022 17:19:27 +0100 +Subject: net: mvpp2: fix mvpp2 debugfs leak + +From: Russell King (Oracle) + +[ Upstream commit 0152dfee235e87660f52a117fc9f70dc55956bb4 ] + +When mvpp2 is unloaded, the driver specific debugfs directory is not +removed, which technically leads to a memory leak. However, this +directory is only created when the first device is probed, so the +hardware is present. Removing the module is only something a developer +would to when e.g. testing out changes, so the module would be +reloaded. So this memory leak is minor. + +The original attempt in commit fe2c9c61f668 ("net: mvpp2: debugfs: fix +memory leak when using debugfs_lookup()") that was labelled as a memory +leak fix was not, it fixed a refcount leak, but in doing so created a +problem when the module is reloaded - the directory already exists, but +mvpp2_root is NULL, so we lose all debugfs entries. This fix has been +reverted. + +This is the alternative fix, where we remove the offending directory +whenever the driver is unloaded. + +Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser") +Signed-off-by: Russell King (Oracle) +Reviewed-by: Greg Kroah-Hartman +Reviewed-by: Marcin Wojtas +Link: https://lore.kernel.org/r/E1ofOAB-00CzkG-UO@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 1 + + drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 10 ++++++++-- + drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 13 ++++++++++++- + 3 files changed, 21 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +index ad73a488fc5f..11e603686a27 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h +@@ -1530,6 +1530,7 @@ u32 mvpp2_read(struct mvpp2 *priv, u32 offset); + void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name); + + void mvpp2_dbgfs_cleanup(struct mvpp2 *priv); ++void mvpp2_dbgfs_exit(void); + + void mvpp23_rx_fifo_fc_en(struct mvpp2 *priv, int port, bool en); + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +index 4a3baa7e0142..75e83ea2a926 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +@@ -691,6 +691,13 @@ static int mvpp2_dbgfs_port_init(struct dentry *parent, + return 0; + } + ++static struct dentry *mvpp2_root; ++ ++void mvpp2_dbgfs_exit(void) ++{ ++ debugfs_remove(mvpp2_root); ++} ++ + void mvpp2_dbgfs_cleanup(struct mvpp2 *priv) + { + debugfs_remove_recursive(priv->dbgfs_dir); +@@ -700,10 +707,9 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv) + + void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name) + { +- struct dentry *mvpp2_dir, *mvpp2_root; ++ struct dentry *mvpp2_dir; + int ret, i; + +- mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL); + if (!mvpp2_root) + mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL); + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index b84128b549b4..eaa51cd7456b 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -7706,7 +7706,18 @@ static struct platform_driver mvpp2_driver = { + }, + }; + +-module_platform_driver(mvpp2_driver); ++static int __init mvpp2_driver_init(void) ++{ ++ return platform_driver_register(&mvpp2_driver); ++} ++module_init(mvpp2_driver_init); ++ ++static void __exit mvpp2_driver_exit(void) ++{ ++ platform_driver_unregister(&mvpp2_driver); ++ mvpp2_dbgfs_exit(); ++} ++module_exit(mvpp2_driver_exit); + + MODULE_DESCRIPTION("Marvell PPv2 Ethernet Driver - www.marvell.com"); + MODULE_AUTHOR("Marcin Wojtas "); +-- +2.35.1 + diff --git a/queue-6.0/net-next-fix-ip_unicast_if-option-behavior-for-conne.patch b/queue-6.0/net-next-fix-ip_unicast_if-option-behavior-for-conne.patch new file mode 100644 index 00000000000..606d8e1eae8 --- /dev/null +++ b/queue-6.0/net-next-fix-ip_unicast_if-option-behavior-for-conne.patch @@ -0,0 +1,221 @@ +From 65098f0d363207274c6ca9b2608090d1f226c8a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 13:18:51 +0200 +Subject: net-next: Fix IP_UNICAST_IF option behavior for connected sockets + +From: Richard Gobert + +[ Upstream commit 0e4d354762cefd3e16b4cff8988ff276e45effc4 ] + +The IP_UNICAST_IF socket option is used to set the outgoing interface +for outbound packets. + +The IP_UNICAST_IF socket option was added as it was needed by the +Wine project, since no other existing option (SO_BINDTODEVICE socket +option, IP_PKTINFO socket option or the bind function) provided the +needed characteristics needed by the IP_UNICAST_IF socket option. [1] +The IP_UNICAST_IF socket option works well for unconnected sockets, +that is, the interface specified by the IP_UNICAST_IF socket option +is taken into consideration in the route lookup process when a packet +is being sent. However, for connected sockets, the outbound interface +is chosen when connecting the socket, and in the route lookup process +which is done when a packet is being sent, the interface specified by +the IP_UNICAST_IF socket option is being ignored. + +This inconsistent behavior was reported and discussed in an issue +opened on systemd's GitHub project [2]. Also, a bug report was +submitted in the kernel's bugzilla [3]. + +To understand the problem in more detail, we can look at what happens +for UDP packets over IPv4 (The same analysis was done separately in +the referenced systemd issue). +When a UDP packet is sent the udp_sendmsg function gets called and +the following happens: + +1. The oif member of the struct ipcm_cookie ipc (which stores the +output interface of the packet) is initialized by the ipcm_init_sk +function to inet->sk.sk_bound_dev_if (the device set by the +SO_BINDTODEVICE socket option). + +2. If the IP_PKTINFO socket option was set, the oif member gets +overridden by the call to the ip_cmsg_send function. + +3. If no output interface was selected yet, the interface specified +by the IP_UNICAST_IF socket option is used. + +4. If the socket is connected and no destination address is +specified in the send function, the struct ipcm_cookie ipc is not +taken into consideration and the cached route, that was calculated in +the connect function is being used. + +Thus, for a connected socket, the IP_UNICAST_IF sockopt isn't taken +into consideration. + +This patch corrects the behavior of the IP_UNICAST_IF socket option +for connect()ed sockets by taking into consideration the +IP_UNICAST_IF sockopt when connecting the socket. + +In order to avoid reconnecting the socket, this option is still +ignored when applied on an already connected socket until connect() +is called again by the Richard Gobert. + +Change the __ip4_datagram_connect function, which is called during +socket connection, to take into consideration the interface set by +the IP_UNICAST_IF socket option, in a similar way to what is done in +the udp_sendmsg function. + +[1] https://lore.kernel.org/netdev/1328685717.4736.4.camel@edumazet-laptop/T/ +[2] https://github.com/systemd/systemd/issues/11935#issuecomment-618691018 +[3] https://bugzilla.kernel.org/show_bug.cgi?id=210255 + +Signed-off-by: Richard Gobert +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220829111554.GA1771@debian +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/datagram.c | 2 ++ + tools/testing/selftests/net/fcnal-test.sh | 30 +++++++++++++++++++++++ + tools/testing/selftests/net/nettest.c | 16 ++++++++++-- + 3 files changed, 46 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c +index ffd57523331f..405a8c2aea64 100644 +--- a/net/ipv4/datagram.c ++++ b/net/ipv4/datagram.c +@@ -42,6 +42,8 @@ int __ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len + oif = inet->mc_index; + if (!saddr) + saddr = inet->mc_addr; ++ } else if (!oif) { ++ oif = inet->uc_index; + } + fl4 = &inet->cork.fl.u.ip4; + rt = ip_route_connect(fl4, usin->sin_addr.s_addr, saddr, oif, +diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh +index 03b586760164..31c3b6ebd388 100755 +--- a/tools/testing/selftests/net/fcnal-test.sh ++++ b/tools/testing/selftests/net/fcnal-test.sh +@@ -1466,6 +1466,13 @@ ipv4_udp_novrf() + run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} + log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" + ++ log_start ++ run_cmd_nsb nettest -D -s & ++ sleep 1 ++ run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U ++ log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()" ++ ++ + log_start + show_hint "Should fail 'Connection refused'" + run_cmd nettest -D -r ${a} +@@ -1525,6 +1532,13 @@ ipv4_udp_novrf() + run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} + log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" + ++ log_start ++ run_cmd nettest -s -D & ++ sleep 1 ++ run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U ++ log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" ++ ++ + # IPv4 with device bind has really weird behavior - it overrides the + # fib lookup, generates an rtable and tries to send the packet. This + # causes failures for local traffic at different places +@@ -1550,6 +1564,15 @@ ipv4_udp_novrf() + sleep 1 + run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S + log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" ++ ++ log_start ++ show_hint "Should fail since addresses on loopback are out of device scope" ++ run_cmd nettest -D -s & ++ sleep 1 ++ run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U ++ log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" ++ ++ + done + + a=${NSA_IP} +@@ -3157,6 +3180,13 @@ ipv6_udp_novrf() + sleep 1 + run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S + log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" ++ ++ log_start ++ show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" ++ run_cmd nettest -6 -D -s & ++ sleep 1 ++ run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U ++ log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" + done + + a=${NSA_IP6} +diff --git a/tools/testing/selftests/net/nettest.c b/tools/testing/selftests/net/nettest.c +index d9a6fd2cd9d3..7900fa98eccb 100644 +--- a/tools/testing/selftests/net/nettest.c ++++ b/tools/testing/selftests/net/nettest.c +@@ -127,6 +127,9 @@ struct sock_args { + + /* ESP in UDP encap test */ + int use_xfrm; ++ ++ /* use send() and connect() instead of sendto */ ++ int datagram_connect; + }; + + static int server_mode; +@@ -979,6 +982,11 @@ static int send_msg(int sd, void *addr, socklen_t alen, struct sock_args *args) + log_err_errno("write failed sending msg to peer"); + return 1; + } ++ } else if (args->datagram_connect) { ++ if (send(sd, msg, msglen, 0) < 0) { ++ log_err_errno("send failed sending msg to peer"); ++ return 1; ++ } + } else if (args->ifindex && args->use_cmsg) { + if (send_msg_cmsg(sd, addr, alen, args->ifindex, args->version)) + return 1; +@@ -1659,7 +1667,7 @@ static int connectsock(void *addr, socklen_t alen, struct sock_args *args) + if (args->has_local_ip && bind_socket(sd, args)) + goto err; + +- if (args->type != SOCK_STREAM) ++ if (args->type != SOCK_STREAM && !args->datagram_connect) + goto out; + + if (args->password && tcp_md5sig(sd, addr, alen, args)) +@@ -1854,7 +1862,7 @@ static int ipc_parent(int cpid, int fd, struct sock_args *args) + return client_status; + } + +-#define GETOPT_STR "sr:l:c:p:t:g:P:DRn:M:X:m:d:I:BN:O:SCi6xL:0:1:2:3:Fbqf" ++#define GETOPT_STR "sr:l:c:p:t:g:P:DRn:M:X:m:d:I:BN:O:SUCi6xL:0:1:2:3:Fbqf" + #define OPT_FORCE_BIND_KEY_IFINDEX 1001 + #define OPT_NO_BIND_KEY_IFINDEX 1002 + +@@ -1891,6 +1899,7 @@ static void print_usage(char *prog) + " -I dev bind socket to given device name - server mode\n" + " -S use setsockopt (IP_UNICAST_IF or IP_MULTICAST_IF)\n" + " to set device binding\n" ++ " -U Use connect() and send() for datagram sockets\n" + " -f bind socket with the IP[V6]_FREEBIND option\n" + " -C use cmsg and IP_PKTINFO to specify device binding\n" + "\n" +@@ -2074,6 +2083,9 @@ int main(int argc, char *argv[]) + case 'x': + args.use_xfrm = 1; + break; ++ case 'U': ++ args.datagram_connect = 1; ++ break; + default: + print_usage(argv[0]); + return 1; +-- +2.35.1 + diff --git a/queue-6.0/net-prestera-acl-add-check-for-kmemdup.patch b/queue-6.0/net-prestera-acl-add-check-for-kmemdup.patch new file mode 100644 index 00000000000..505dd6558ef --- /dev/null +++ b/queue-6.0/net-prestera-acl-add-check-for-kmemdup.patch @@ -0,0 +1,88 @@ +From 881f4b8eac0bd530be295707e9a05196d9bec952 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 12:48:43 +0800 +Subject: net: prestera: acl: Add check for kmemdup + +From: Jiasheng Jiang + +[ Upstream commit 9e6fd874c7bb47b6a4295abc4c81b2f41b97e970 ] + +As the kemdup could return NULL, it should be better to check the return +value and return error if fails. +Moreover, the return value of prestera_acl_ruleset_keymask_set() should +be checked by cascade. + +Fixes: 604ba230902d ("net: prestera: flower template support") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Taras Chornyi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/prestera/prestera_acl.c | 8 ++++++-- + drivers/net/ethernet/marvell/prestera/prestera_acl.h | 4 ++-- + drivers/net/ethernet/marvell/prestera/prestera_flower.c | 6 +++++- + 3 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_acl.c b/drivers/net/ethernet/marvell/prestera/prestera_acl.c +index 3d4b85f2d541..f6b2933859d0 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_acl.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_acl.c +@@ -178,10 +178,14 @@ prestera_acl_ruleset_create(struct prestera_acl *acl, + return ERR_PTR(err); + } + +-void prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset, +- void *keymask) ++int prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset, ++ void *keymask) + { + ruleset->keymask = kmemdup(keymask, ACL_KEYMASK_SIZE, GFP_KERNEL); ++ if (!ruleset->keymask) ++ return -ENOMEM; ++ ++ return 0; + } + + int prestera_acl_ruleset_offload(struct prestera_acl_ruleset *ruleset) +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_acl.h b/drivers/net/ethernet/marvell/prestera/prestera_acl.h +index 03fc5b9dc925..131bfbc87cd7 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_acl.h ++++ b/drivers/net/ethernet/marvell/prestera/prestera_acl.h +@@ -185,8 +185,8 @@ struct prestera_acl_ruleset * + prestera_acl_ruleset_lookup(struct prestera_acl *acl, + struct prestera_flow_block *block, + u32 chain_index); +-void prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset, +- void *keymask); ++int prestera_acl_ruleset_keymask_set(struct prestera_acl_ruleset *ruleset, ++ void *keymask); + bool prestera_acl_ruleset_is_offload(struct prestera_acl_ruleset *ruleset); + int prestera_acl_ruleset_offload(struct prestera_acl_ruleset *ruleset); + void prestera_acl_ruleset_put(struct prestera_acl_ruleset *ruleset); +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_flower.c b/drivers/net/ethernet/marvell/prestera/prestera_flower.c +index 19d3b55c578e..cf551a8379ac 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_flower.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_flower.c +@@ -452,7 +452,9 @@ int prestera_flower_tmplt_create(struct prestera_flow_block *block, + } + + /* preserve keymask/template to this ruleset */ +- prestera_acl_ruleset_keymask_set(ruleset, rule.re_key.match.mask); ++ err = prestera_acl_ruleset_keymask_set(ruleset, rule.re_key.match.mask); ++ if (err) ++ goto err_ruleset_keymask_set; + + /* skip error, as it is not possible to reject template operation, + * so, keep the reference to the ruleset for rules to be added +@@ -468,6 +470,8 @@ int prestera_flower_tmplt_create(struct prestera_flow_block *block, + list_add_rcu(&template->list, &block->template_list); + return 0; + ++err_ruleset_keymask_set: ++ prestera_acl_ruleset_put(ruleset); + err_ruleset_get: + kfree(template); + err_malloc: +-- +2.35.1 + diff --git a/queue-6.0/net-prestera-cache-port-state-for-non-phylink-ports-.patch b/queue-6.0/net-prestera-cache-port-state-for-non-phylink-ports-.patch new file mode 100644 index 00000000000..155cffe363e --- /dev/null +++ b/queue-6.0/net-prestera-cache-port-state-for-non-phylink-ports-.patch @@ -0,0 +1,78 @@ +From 64196464d56d2147861ec90d37efd083bf3a4a08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 14:18:21 +0300 +Subject: net: prestera: cache port state for non-phylink ports too + +From: Maksym Glubokiy + +[ Upstream commit 704438dd4f030c1b3d28a2a9c8f182c32d9b6bc4 ] + +Port event data must stored to port-state cache regardless of whether +the port uses phylink or not since this data is used by ethtool. + +Fixes: 52323ef75414 ("net: marvell: prestera: add phylink support") +Signed-off-by: Oleksandr Mazur +Signed-off-by: Maksym Glubokiy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/prestera/prestera_main.c | 36 +++++++++---------- + 1 file changed, 17 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c +index a895862b4821..a0ad0bcbf89f 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c +@@ -799,32 +799,30 @@ static void prestera_port_handle_event(struct prestera_switch *sw, + + caching_dw = &port->cached_hw_stats.caching_dw; + +- if (port->phy_link) { +- memset(&smac, 0, sizeof(smac)); +- smac.valid = true; +- smac.oper = pevt->data.mac.oper; +- if (smac.oper) { +- smac.mode = pevt->data.mac.mode; +- smac.speed = pevt->data.mac.speed; +- smac.duplex = pevt->data.mac.duplex; +- smac.fc = pevt->data.mac.fc; +- smac.fec = pevt->data.mac.fec; +- phylink_mac_change(port->phy_link, true); +- } else { +- phylink_mac_change(port->phy_link, false); +- } +- prestera_port_mac_state_cache_write(port, &smac); ++ memset(&smac, 0, sizeof(smac)); ++ smac.valid = true; ++ smac.oper = pevt->data.mac.oper; ++ if (smac.oper) { ++ smac.mode = pevt->data.mac.mode; ++ smac.speed = pevt->data.mac.speed; ++ smac.duplex = pevt->data.mac.duplex; ++ smac.fc = pevt->data.mac.fc; ++ smac.fec = pevt->data.mac.fec; + } ++ prestera_port_mac_state_cache_write(port, &smac); + + if (port->state_mac.oper) { +- if (!port->phy_link) ++ if (port->phy_link) ++ phylink_mac_change(port->phy_link, true); ++ else + netif_carrier_on(port->dev); + + if (!delayed_work_pending(caching_dw)) + queue_delayed_work(prestera_wq, caching_dw, 0); +- } else if (netif_running(port->dev) && +- netif_carrier_ok(port->dev)) { +- if (!port->phy_link) ++ } else { ++ if (port->phy_link) ++ phylink_mac_change(port->phy_link, false); ++ else if (netif_running(port->dev) && netif_carrier_ok(port->dev)) + netif_carrier_off(port->dev); + + if (delayed_work_pending(caching_dw)) +-- +2.35.1 + diff --git a/queue-6.0/net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch b/queue-6.0/net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch new file mode 100644 index 00000000000..98417c0db91 --- /dev/null +++ b/queue-6.0/net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch @@ -0,0 +1,54 @@ +From 355af3b6949bb1f98466970e72de164537fe2712 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 00:25:37 +0900 +Subject: net: rds: don't hold sock lock when cancelling work from + rds_tcp_reset_callbacks() + +From: Tetsuo Handa + +[ Upstream commit a91b750fd6629354460282bbf5146c01b05c4859 ] + +syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for +commit ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in +rds_tcp_reset_callbacks()") added cancel_delayed_work_sync() into a section +protected by lock_sock() without realizing that rds_send_xmit() might call +lock_sock(). + +We don't need to protect cancel_delayed_work_sync() using lock_sock(), for +even if rds_{send,recv}_worker() re-queued this work while __flush_work() + from cancel_delayed_work_sync() was waiting for this work to complete, +retried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP +bit. + +Link: https://syzkaller.appspot.com/bug?extid=78c55c7bc6f66e53dce2 [1] +Reported-by: syzbot +Co-developed-by: Hillf Danton +Signed-off-by: Hillf Danton +Signed-off-by: Tetsuo Handa +Tested-by: syzbot +Fixes: ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in rds_tcp_reset_callbacks()") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rds/tcp.c b/net/rds/tcp.c +index 73ee2771093d..d0ff413f697c 100644 +--- a/net/rds/tcp.c ++++ b/net/rds/tcp.c +@@ -166,10 +166,10 @@ void rds_tcp_reset_callbacks(struct socket *sock, + */ + atomic_set(&cp->cp_state, RDS_CONN_RESETTING); + wait_event(cp->cp_waitq, !test_bit(RDS_IN_XMIT, &cp->cp_flags)); +- lock_sock(osock->sk); + /* reset receive side state for rds_tcp_data_recv() for osock */ + cancel_delayed_work_sync(&cp->cp_send_w); + cancel_delayed_work_sync(&cp->cp_recv_w); ++ lock_sock(osock->sk); + if (tc->t_tinc) { + rds_inc_put(&tc->t_tinc->ti_inc); + tc->t_tinc = NULL; +-- +2.35.1 + diff --git a/queue-6.0/net-sched-cls_u32-avoid-memcpy-false-positive-warnin.patch b/queue-6.0/net-sched-cls_u32-avoid-memcpy-false-positive-warnin.patch new file mode 100644 index 00000000000..333f00477fa --- /dev/null +++ b/queue-6.0/net-sched-cls_u32-avoid-memcpy-false-positive-warnin.patch @@ -0,0 +1,52 @@ +From 78e364994951b79cf3885138b757a073b135c9fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 08:37:01 -0700 +Subject: net: sched: cls_u32: Avoid memcpy() false-positive warning + +From: Kees Cook + +[ Upstream commit 7cba18332e3635aaae60e4e7d4e52849de50d91b ] + +To work around a misbehavior of the compiler's ability to see into +composite flexible array structs (as detailed in the coming memcpy() +hardening series[1]), use unsafe_memcpy(), as the sizing, +bounds-checking, and allocation are all very tightly coupled here. +This silences the false-positive reported by syzbot: + + memcpy: detected field-spanning write (size 80) of single field "&n->sel" at net/sched/cls_u32.c:1043 (size 16) + +[1] https://lore.kernel.org/linux-hardening/20220901065914.1417829-2-keescook@chromium.org + +Cc: Cong Wang +Cc: Jiri Pirko +Reported-by: syzbot+a2c4601efc75848ba321@syzkaller.appspotmail.com +Link: https://lore.kernel.org/lkml/000000000000a96c0b05e97f0444@google.com/ +Signed-off-by: Kees Cook +Reviewed-by: Jamal Hadi Salim +Link: https://lore.kernel.org/r/20220927153700.3071688-1-keescook@chromium.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 4d27300c287c..5f33472aad36 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -1040,7 +1040,11 @@ static int u32_change(struct net *net, struct sk_buff *in_skb, + } + #endif + +- memcpy(&n->sel, s, sel_size); ++ unsafe_memcpy(&n->sel, s, sel_size, ++ /* A composite flex-array structure destination, ++ * which was correctly sized with struct_size(), ++ * bounds-checked against nla_len(), and allocated ++ * above. */); + RCU_INIT_POINTER(n->ht_up, ht); + n->handle = handle; + n->fshift = s->hmask ? ffs(ntohl(s->hmask)) - 1 : 0; +-- +2.35.1 + diff --git a/queue-6.0/net-sparx5-fix-function-return-type-to-match-actual-.patch b/queue-6.0/net-sparx5-fix-function-return-type-to-match-actual-.patch new file mode 100644 index 00000000000..7f21d1f9e83 --- /dev/null +++ b/queue-6.0/net-sparx5-fix-function-return-type-to-match-actual-.patch @@ -0,0 +1,57 @@ +From 7f6115df332c9df1dcdef01c14f18cb24d90cfa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 08:58:15 +0200 +Subject: net: sparx5: fix function return type to match actual type + +From: Casper Andersson + +[ Upstream commit 75554fe00f941c3c3d9344e88708093a14d2b4b8 ] + +Function returns error integer, not bool. + +Does not have any impact on functionality. + +Reported-by: Dan Carpenter +Signed-off-by: Casper Andersson +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220906065815.3856323-1-casper.casan@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c | 4 ++-- + drivers/net/ethernet/microchip/sparx5/sparx5_main.h | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c +index a5837dbe0c7e..4af285918ea2 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c +@@ -186,8 +186,8 @@ bool sparx5_mact_getnext(struct sparx5 *sparx5, + return ret == 0; + } + +-bool sparx5_mact_find(struct sparx5 *sparx5, +- const unsigned char mac[ETH_ALEN], u16 vid, u32 *pcfg2) ++int sparx5_mact_find(struct sparx5 *sparx5, ++ const unsigned char mac[ETH_ALEN], u16 vid, u32 *pcfg2) + { + int ret; + u32 cfg2; +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h +index b197129044b5..d071ac3b7106 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h +@@ -307,8 +307,8 @@ int sparx5_mact_learn(struct sparx5 *sparx5, int port, + const unsigned char mac[ETH_ALEN], u16 vid); + bool sparx5_mact_getnext(struct sparx5 *sparx5, + unsigned char mac[ETH_ALEN], u16 *vid, u32 *pcfg2); +-bool sparx5_mact_find(struct sparx5 *sparx5, +- const unsigned char mac[ETH_ALEN], u16 vid, u32 *pcfg2); ++int sparx5_mact_find(struct sparx5 *sparx5, ++ const unsigned char mac[ETH_ALEN], u16 vid, u32 *pcfg2); + int sparx5_mact_forget(struct sparx5 *sparx5, + const unsigned char mac[ETH_ALEN], u16 vid); + int sparx5_add_mact_entry(struct sparx5 *sparx5, +-- +2.35.1 + diff --git a/queue-6.0/net-sparx5-fix-return-type-of-sparx5_port_xmit_impl.patch b/queue-6.0/net-sparx5-fix-return-type-of-sparx5_port_xmit_impl.patch new file mode 100644 index 00000000000..725462ccee4 --- /dev/null +++ b/queue-6.0/net-sparx5-fix-return-type-of-sparx5_port_xmit_impl.patch @@ -0,0 +1,65 @@ +From 70f967af58b8c3ff7ab499f30b55dc504c10afae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 11:19:47 -0700 +Subject: net: sparx5: Fix return type of sparx5_port_xmit_impl + +From: Nathan Huckleberry + +[ Upstream commit 73ea735073599430818e89b8901452287a15a718 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of sparx5_port_xmit_impl should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/microchip/sparx5/sparx5_main.h | 2 +- + drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h +index d071ac3b7106..705d8852078f 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_main.h ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_main.h +@@ -291,7 +291,7 @@ struct frame_info { + void sparx5_xtr_flush(struct sparx5 *sparx5, u8 grp); + void sparx5_ifh_parse(u32 *ifh, struct frame_info *info); + irqreturn_t sparx5_xtr_handler(int irq, void *_priv); +-int sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev); ++netdev_tx_t sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev); + int sparx5_manual_injection_mode(struct sparx5 *sparx5); + void sparx5_port_inj_timer_setup(struct sparx5_port *port); + +diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c +index 21844beba72d..83c16ca5b30f 100644 +--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c ++++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c +@@ -222,13 +222,13 @@ static int sparx5_inject(struct sparx5 *sparx5, + return NETDEV_TX_OK; + } + +-int sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev) ++netdev_tx_t sparx5_port_xmit_impl(struct sk_buff *skb, struct net_device *dev) + { + struct net_device_stats *stats = &dev->stats; + struct sparx5_port *port = netdev_priv(dev); + struct sparx5 *sparx5 = port->sparx5; + u32 ifh[IFH_LEN]; +- int ret; ++ netdev_tx_t ret; + + memset(ifh, 0, IFH_LEN * 4); + sparx5_set_port_ifh(ifh, port->portno); +-- +2.35.1 + diff --git a/queue-6.0/net-sunplus-fix-return-type-for-implementation-of-nd.patch b/queue-6.0/net-sunplus-fix-return-type-for-implementation-of-nd.patch new file mode 100644 index 00000000000..d8e5fa33ba8 --- /dev/null +++ b/queue-6.0/net-sunplus-fix-return-type-for-implementation-of-nd.patch @@ -0,0 +1,41 @@ +From 53b71b192729b471bd8614c887877d8166b4f504 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 16:15:50 +0800 +Subject: net: sunplus: Fix return type for implementation of ndo_start_xmit + +From: GUO Zihua + +[ Upstream commit 7b620e156097028e4c9b6481a84ec1e1e72877ca ] + +Since Linux now supports CFI, it will be a good idea to fix mismatched +return type for implementation of hooks. Otherwise this might get +cought out by CFI and cause a panic. + +spl2sw_ethernet_start_xmit() would return either NETDEV_TX_BUSY or +NETDEV_TX_OK, so change the return type to netdev_tx_t directly. + +Signed-off-by: GUO Zihua +Link: https://lore.kernel.org/r/20220902081550.60095-1-guozihua@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sunplus/spl2sw_driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/sunplus/spl2sw_driver.c b/drivers/net/ethernet/sunplus/spl2sw_driver.c +index 61d1d07dc070..c9007b7dd832 100644 +--- a/drivers/net/ethernet/sunplus/spl2sw_driver.c ++++ b/drivers/net/ethernet/sunplus/spl2sw_driver.c +@@ -62,7 +62,8 @@ static int spl2sw_ethernet_stop(struct net_device *ndev) + return 0; + } + +-static int spl2sw_ethernet_start_xmit(struct sk_buff *skb, struct net_device *ndev) ++static netdev_tx_t spl2sw_ethernet_start_xmit(struct sk_buff *skb, ++ struct net_device *ndev) + { + struct spl2sw_mac *mac = netdev_priv(ndev); + struct spl2sw_common *comm = mac->comm; +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-iosm-call-mutex_init-before-locking-it.patch b/queue-6.0/net-wwan-iosm-call-mutex_init-before-locking-it.patch new file mode 100644 index 00000000000..ff6466aa777 --- /dev/null +++ b/queue-6.0/net-wwan-iosm-call-mutex_init-before-locking-it.patch @@ -0,0 +1,50 @@ +From 58322d77a8b00572991f1ffdd1db142255915e34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Oct 2022 13:57:13 +0300 +Subject: net: wwan: iosm: Call mutex_init before locking it + +From: Maxim Mikityanskiy + +[ Upstream commit ba0fbdb95da5ddd8db457ce6ba09d16dd979a294 ] + +wwan_register_ops calls wwan_create_default_link, which ends up in the +ipc_wwan_newlink callback that locks ipc_wwan->if_mutex. However, this +mutex is not yet initialized by that point. Fix it by moving mutex_init +above the wwan_register_ops call. This also makes the order of +operations in ipc_wwan_init symmetric to ipc_wwan_deinit. + +Fixes: 83068395bbfc ("net: iosm: create default link via WWAN core") +Signed-off-by: Maxim Mikityanskiy +Reviewed-by: M Chetan Kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_wwan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_wwan.c b/drivers/net/wwan/iosm/iosm_ipc_wwan.c +index 27151148c782..4712f01a7e33 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_wwan.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_wwan.c +@@ -323,15 +323,16 @@ struct iosm_wwan *ipc_wwan_init(struct iosm_imem *ipc_imem, struct device *dev) + ipc_wwan->dev = dev; + ipc_wwan->ipc_imem = ipc_imem; + ++ mutex_init(&ipc_wwan->if_mutex); ++ + /* WWAN core will create a netdev for the default IP MUX channel */ + if (wwan_register_ops(ipc_wwan->dev, &iosm_wwan_ops, ipc_wwan, + IP_MUX_SESSION_DEFAULT)) { ++ mutex_destroy(&ipc_wwan->if_mutex); + kfree(ipc_wwan); + return NULL; + } + +- mutex_init(&ipc_wwan->if_mutex); +- + return ipc_wwan; + } + +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-iosm-fix-return-type-of-ipc_wwan_link_trans.patch b/queue-6.0/net-wwan-iosm-fix-return-type-of-ipc_wwan_link_trans.patch new file mode 100644 index 00000000000..0bf95677d5d --- /dev/null +++ b/queue-6.0/net-wwan-iosm-fix-return-type-of-ipc_wwan_link_trans.patch @@ -0,0 +1,48 @@ +From 2a230c1f35ea04d2ec7798c191a98e758cfa695a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 14:44:55 -0700 +Subject: net: wwan: iosm: Fix return type of ipc_wwan_link_transmit + +From: Nathan Huckleberry + +[ Upstream commit 0c9441c430104dcf2cd066aae74dbeefb9f9e1bf ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of ipc_wwan_link_transmit should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Acked-by: Sergey Ryazanov +Link: https://lore.kernel.org/r/20220912214455.929028-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/iosm/iosm_ipc_wwan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wwan/iosm/iosm_ipc_wwan.c b/drivers/net/wwan/iosm/iosm_ipc_wwan.c +index 4712f01a7e33..2f1f8b5d5b59 100644 +--- a/drivers/net/wwan/iosm/iosm_ipc_wwan.c ++++ b/drivers/net/wwan/iosm/iosm_ipc_wwan.c +@@ -103,8 +103,8 @@ static int ipc_wwan_link_stop(struct net_device *netdev) + } + + /* Transmit a packet */ +-static int ipc_wwan_link_transmit(struct sk_buff *skb, +- struct net_device *netdev) ++static netdev_tx_t ipc_wwan_link_transmit(struct sk_buff *skb, ++ struct net_device *netdev) + { + struct iosm_netdev_priv *priv = wwan_netdev_drvpriv(netdev); + struct iosm_wwan *ipc_wwan = priv->ipc_wwan; +-- +2.35.1 + diff --git a/queue-6.0/net-wwan-t7xx-fix-return-type-of-t7xx_ccmni_start_xm.patch b/queue-6.0/net-wwan-t7xx-fix-return-type-of-t7xx_ccmni_start_xm.patch new file mode 100644 index 00000000000..0337bb6e73d --- /dev/null +++ b/queue-6.0/net-wwan-t7xx-fix-return-type-of-t7xx_ccmni_start_xm.patch @@ -0,0 +1,46 @@ +From c08ab8714d97020b2e528bd2b268a8474e9af9ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 14:45:10 -0700 +Subject: net: wwan: t7xx: Fix return type of t7xx_ccmni_start_xmit + +From: Nathan Huckleberry + +[ Upstream commit 73c99e26036529e633a0f2d628ad7ddff6594668 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of t7xx_ccmni_start_xmit should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Acked-by: Sergey Ryazanov +Link: https://lore.kernel.org/r/20220912214510.929070-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wwan/t7xx/t7xx_netdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wwan/t7xx/t7xx_netdev.c b/drivers/net/wwan/t7xx/t7xx_netdev.c +index c6b6547f2c6f..f71d3bc3b237 100644 +--- a/drivers/net/wwan/t7xx/t7xx_netdev.c ++++ b/drivers/net/wwan/t7xx/t7xx_netdev.c +@@ -74,7 +74,7 @@ static int t7xx_ccmni_send_packet(struct t7xx_ccmni *ccmni, struct sk_buff *skb, + return 0; + } + +-static int t7xx_ccmni_start_xmit(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t t7xx_ccmni_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct t7xx_ccmni *ccmni = wwan_netdev_drvpriv(dev); + int skb_len = skb->len; +-- +2.35.1 + diff --git a/queue-6.0/net-xscale-fix-return-type-for-implementation-of-ndo.patch b/queue-6.0/net-xscale-fix-return-type-for-implementation-of-ndo.patch new file mode 100644 index 00000000000..426c1fddad2 --- /dev/null +++ b/queue-6.0/net-xscale-fix-return-type-for-implementation-of-ndo.patch @@ -0,0 +1,40 @@ +From 7a6ce87e72ba0df668f59ab337670f25ec1ecd90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 16:16:12 +0800 +Subject: net: xscale: Fix return type for implementation of ndo_start_xmit + +From: GUO Zihua + +[ Upstream commit 0dbaf0fa62329d9fe452d9041a707a33f6274f1f ] + +Since Linux now supports CFI, it will be a good idea to fix mismatched +return type for implementation of hooks. Otherwise this might get +cought out by CFI and cause a panic. + +eth_xmit() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so +change the return type to netdev_tx_t directly. + +Signed-off-by: GUO Zihua +Link: https://lore.kernel.org/r/20220902081612.60405-1-guozihua@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xscale/ixp4xx_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xscale/ixp4xx_eth.c b/drivers/net/ethernet/xscale/ixp4xx_eth.c +index 3591b9edc9a1..3b05287b6889 100644 +--- a/drivers/net/ethernet/xscale/ixp4xx_eth.c ++++ b/drivers/net/ethernet/xscale/ixp4xx_eth.c +@@ -841,7 +841,7 @@ static void eth_txdone_irq(void *unused) + } + } + +-static int eth_xmit(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t eth_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct port *port = netdev_priv(dev); + unsigned int txreadyq = port->plat->txreadyq; +-- +2.35.1 + diff --git a/queue-6.0/netfilter-conntrack-fix-the-gc-rescheduling-delay.patch b/queue-6.0/netfilter-conntrack-fix-the-gc-rescheduling-delay.patch new file mode 100644 index 00000000000..5b3d63e12bb --- /dev/null +++ b/queue-6.0/netfilter-conntrack-fix-the-gc-rescheduling-delay.patch @@ -0,0 +1,111 @@ +From c6f1fba34415cf91d40f7476a793530d30ae3a48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 11:29:40 +0200 +Subject: netfilter: conntrack: fix the gc rescheduling delay + +From: Antoine Tenart + +[ Upstream commit 95eabdd207024312876d0ebed90b4c977e050e85 ] + +Commit 2cfadb761d3d ("netfilter: conntrack: revisit gc autotuning") +changed the eviction rescheduling to the use average expiry of scanned +entries (within 1-60s) by doing: + + for (...) { + expires = clamp(nf_ct_expires(tmp), ...); + next_run += expires; + next_run /= 2; + } + +The issue is the above will make the average ('next_run' here) more +dependent on the last expiration values than the firsts (for sets > 2). +Depending on the expiration values used to compute the average, the +result can be quite different than what's expected. To fix this we can +do the following: + + for (...) { + expires = clamp(nf_ct_expires(tmp), ...); + next_run += (expires - next_run) / ++count; + } + +Fixes: 2cfadb761d3d ("netfilter: conntrack: revisit gc autotuning") +Cc: Florian Westphal +Signed-off-by: Antoine Tenart +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 1357a2729a4b..2e6d5f1e6d63 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -67,6 +67,7 @@ struct conntrack_gc_work { + struct delayed_work dwork; + u32 next_bucket; + u32 avg_timeout; ++ u32 count; + u32 start_time; + bool exiting; + bool early_drop; +@@ -1466,6 +1467,7 @@ static void gc_worker(struct work_struct *work) + unsigned int expired_count = 0; + unsigned long next_run; + s32 delta_time; ++ long count; + + gc_work = container_of(work, struct conntrack_gc_work, dwork.work); + +@@ -1475,10 +1477,12 @@ static void gc_worker(struct work_struct *work) + + if (i == 0) { + gc_work->avg_timeout = GC_SCAN_INTERVAL_INIT; ++ gc_work->count = 1; + gc_work->start_time = start_time; + } + + next_run = gc_work->avg_timeout; ++ count = gc_work->count; + + end_time = start_time + GC_SCAN_MAX_DURATION; + +@@ -1498,8 +1502,8 @@ static void gc_worker(struct work_struct *work) + + hlist_nulls_for_each_entry_rcu(h, n, &ct_hash[i], hnnode) { + struct nf_conntrack_net *cnet; +- unsigned long expires; + struct net *net; ++ long expires; + + tmp = nf_ct_tuplehash_to_ctrack(h); + +@@ -1513,6 +1517,7 @@ static void gc_worker(struct work_struct *work) + + gc_work->next_bucket = i; + gc_work->avg_timeout = next_run; ++ gc_work->count = count; + + delta_time = nfct_time_stamp - gc_work->start_time; + +@@ -1528,8 +1533,8 @@ static void gc_worker(struct work_struct *work) + } + + expires = clamp(nf_ct_expires(tmp), GC_SCAN_INTERVAL_MIN, GC_SCAN_INTERVAL_CLAMP); ++ expires = (expires - (long)next_run) / ++count; + next_run += expires; +- next_run /= 2u; + + if (nf_conntrack_max95 == 0 || gc_worker_skip_ct(tmp)) + continue; +@@ -1570,6 +1575,7 @@ static void gc_worker(struct work_struct *work) + delta_time = nfct_time_stamp - end_time; + if (delta_time > 0 && i < hashsz) { + gc_work->avg_timeout = next_run; ++ gc_work->count = count; + gc_work->next_bucket = i; + next_run = 0; + goto early_exit; +-- +2.35.1 + diff --git a/queue-6.0/netfilter-conntrack-revisit-the-gc-initial-reschedul.patch b/queue-6.0/netfilter-conntrack-revisit-the-gc-initial-reschedul.patch new file mode 100644 index 00000000000..47dafea6b2f --- /dev/null +++ b/queue-6.0/netfilter-conntrack-revisit-the-gc-initial-reschedul.patch @@ -0,0 +1,65 @@ +From d5eec109e4a5b713437f4875e7aecf86721e00a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 11:29:41 +0200 +Subject: netfilter: conntrack: revisit the gc initial rescheduling bias + +From: Antoine Tenart + +[ Upstream commit 2aa192757005f130b2dd3547dda6e462e761199f ] + +The previous commit changed the way the rescheduling delay is computed +which has a side effect: the bias is now represented as much as the +other entries in the rescheduling delay which makes the logic to kick in +only with very large sets, as the initial interval is very large +(INT_MAX). + +Revisit the GC initial bias to allow more frequent GC for smaller sets +while still avoiding wakeups when a machine is mostly idle. We're moving +from a large initial value to pretending we have 100 entries expiring at +the upper bound. This way only a few entries having a small timeout +won't impact much the rescheduling delay and non-idle machines will have +enough entries to lower the delay when needed. This also improves +readability as the initial bias is now linked to what is computed +instead of being an arbitrary large value. + +Fixes: 2cfadb761d3d ("netfilter: conntrack: revisit gc autotuning") +Suggested-by: Florian Westphal +Signed-off-by: Antoine Tenart +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_core.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c +index 2e6d5f1e6d63..8f261cd5b3a5 100644 +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -86,10 +86,12 @@ static DEFINE_MUTEX(nf_conntrack_mutex); + /* clamp timeouts to this value (TCP unacked) */ + #define GC_SCAN_INTERVAL_CLAMP (300ul * HZ) + +-/* large initial bias so that we don't scan often just because we have +- * three entries with a 1s timeout. ++/* Initial bias pretending we have 100 entries at the upper bound so we don't ++ * wakeup often just because we have three entries with a 1s timeout while still ++ * allowing non-idle machines to wakeup more often when needed. + */ +-#define GC_SCAN_INTERVAL_INIT INT_MAX ++#define GC_SCAN_INITIAL_COUNT 100 ++#define GC_SCAN_INTERVAL_INIT GC_SCAN_INTERVAL_MAX + + #define GC_SCAN_MAX_DURATION msecs_to_jiffies(10) + #define GC_SCAN_EXPIRED_MAX (64000u / HZ) +@@ -1477,7 +1479,7 @@ static void gc_worker(struct work_struct *work) + + if (i == 0) { + gc_work->avg_timeout = GC_SCAN_INTERVAL_INIT; +- gc_work->count = 1; ++ gc_work->count = GC_SCAN_INITIAL_COUNT; + gc_work->start_time = start_time; + } + +-- +2.35.1 + diff --git a/queue-6.0/netfilter-nft_fib-fix-for-rpath-check-with-vrf-devic.patch b/queue-6.0/netfilter-nft_fib-fix-for-rpath-check-with-vrf-devic.patch new file mode 100644 index 00000000000..480e699d2e0 --- /dev/null +++ b/queue-6.0/netfilter-nft_fib-fix-for-rpath-check-with-vrf-devic.patch @@ -0,0 +1,64 @@ +From b48ee32271fc1cf56e5d46bd82e4bfdecd748c7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 13:07:31 +0200 +Subject: netfilter: nft_fib: Fix for rpath check with VRF devices + +From: Phil Sutter + +[ Upstream commit 2a8a7c0eaa8747c16aa4a48d573aa920d5c00a5c ] + +Analogous to commit b575b24b8eee3 ("netfilter: Fix rpfilter +dropping vrf packets by mistake") but for nftables fib expression: +Add special treatment of VRF devices so that typical reverse path +filtering via 'fib saddr . iif oif' expression works as expected. + +Fixes: f6d0cbcf09c50 ("netfilter: nf_tables: add fib expression") +Signed-off-by: Phil Sutter +Signed-off-by: Florian Westphal +Signed-off-by: Sasha Levin +--- + net/ipv4/netfilter/nft_fib_ipv4.c | 3 +++ + net/ipv6/netfilter/nft_fib_ipv6.c | 6 +++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c +index b75cac69bd7e..7ade04ff972d 100644 +--- a/net/ipv4/netfilter/nft_fib_ipv4.c ++++ b/net/ipv4/netfilter/nft_fib_ipv4.c +@@ -83,6 +83,9 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, + else + oif = NULL; + ++ if (priv->flags & NFTA_FIB_F_IIF) ++ fl4.flowi4_oif = l3mdev_master_ifindex_rcu(oif); ++ + if (nft_hook(pkt) == NF_INET_PRE_ROUTING && + nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { + nft_fib_store_result(dest, priv, nft_in(pkt)); +diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c +index 8970d0b4faeb..1d7e520d9966 100644 +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -41,6 +41,9 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv, + if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) { + lookup_flags |= RT6_LOOKUP_F_IFACE; + fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev); ++ } else if ((priv->flags & NFTA_FIB_F_IIF) && ++ (netif_is_l3_master(dev) || netif_is_l3_slave(dev))) { ++ fl6->flowi6_oif = dev->ifindex; + } + + if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST) +@@ -197,7 +200,8 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, + if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL)) + goto put_rt_err; + +- if (oif && oif != rt->rt6i_idev->dev) ++ if (oif && oif != rt->rt6i_idev->dev && ++ l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex) + goto put_rt_err; + + nft_fib_store_result(dest, priv, rt->rt6i_idev->dev); +-- +2.35.1 + diff --git a/queue-6.0/netlink-bounds-check-struct-nlmsgerr-creation.patch b/queue-6.0/netlink-bounds-check-struct-nlmsgerr-creation.patch new file mode 100644 index 00000000000..584db828b4f --- /dev/null +++ b/queue-6.0/netlink-bounds-check-struct-nlmsgerr-creation.patch @@ -0,0 +1,81 @@ +From 6149fbd4cbf5170fd911954d98385f53cbb7453e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 21:37:49 -0700 +Subject: netlink: Bounds-check struct nlmsgerr creation + +From: Kees Cook + +[ Upstream commit 710d21fdff9a98d621cd4e64167f3ef8af4e2fd1 ] + +In preparation for FORTIFY_SOURCE doing bounds-check on memcpy(), +switch from __nlmsg_put to nlmsg_put(), and explain the bounds check +for dealing with the memcpy() across a composite flexible array struct. +Avoids this future run-time warning: + + memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" at net/netlink/af_netlink.c:2447 (size 16) + +Cc: Jakub Kicinski +Cc: Pablo Neira Ayuso +Cc: Jozsef Kadlecsik +Cc: Florian Westphal +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Paolo Abeni +Cc: syzbot +Cc: netfilter-devel@vger.kernel.org +Cc: coreteam@netfilter.org +Cc: netdev@vger.kernel.org +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20220901071336.1418572-1-keescook@chromium.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netfilter/ipset/ip_set_core.c | 8 +++++--- + net/netlink/af_netlink.c | 8 +++++--- + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c +index 16ae92054baa..6b31746f9be3 100644 +--- a/net/netfilter/ipset/ip_set_core.c ++++ b/net/netfilter/ipset/ip_set_core.c +@@ -1719,11 +1719,13 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb, + skb2 = nlmsg_new(payload, GFP_KERNEL); + if (!skb2) + return -ENOMEM; +- rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid, +- nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); ++ rep = nlmsg_put(skb2, NETLINK_CB(skb).portid, ++ nlh->nlmsg_seq, NLMSG_ERROR, payload, 0); + errmsg = nlmsg_data(rep); + errmsg->error = ret; +- memcpy(&errmsg->msg, nlh, nlh->nlmsg_len); ++ unsafe_memcpy(&errmsg->msg, nlh, nlh->nlmsg_len, ++ /* Bounds checked by the skb layer. */); ++ + cmdattr = (void *)&errmsg->msg + min_len; + + ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, cmdattr, +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 0cd91f813a3b..d8d3ed2096a3 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2440,11 +2440,13 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err, + return; + } + +- rep = __nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq, +- NLMSG_ERROR, payload, flags); ++ rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq, ++ NLMSG_ERROR, payload, flags); + errmsg = nlmsg_data(rep); + errmsg->error = err; +- memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh)); ++ unsafe_memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ++ ? nlh->nlmsg_len : sizeof(*nlh), ++ /* Bounds checked by the skb layer. */); + + if (nlk_has_extack && extack) { + if (extack->_msg) { +-- +2.35.1 + diff --git a/queue-6.0/nfsd-fix-a-memory-leak-in-an-error-handling-path.patch b/queue-6.0/nfsd-fix-a-memory-leak-in-an-error-handling-path.patch new file mode 100644 index 00000000000..7c53b5aaf78 --- /dev/null +++ b/queue-6.0/nfsd-fix-a-memory-leak-in-an-error-handling-path.patch @@ -0,0 +1,40 @@ +From 68c21bc5454907c80c34f916b4a8924881e94e9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 07:27:04 +0200 +Subject: nfsd: Fix a memory leak in an error handling path + +From: Christophe JAILLET + +[ Upstream commit fd1ef88049de09bc70d60b549992524cfc0e66ff ] + +If this memdup_user() call fails, the memory allocated in a previous call +a few lines above should be freed. Otherwise it leaks. + +Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2") +Signed-off-by: Christophe JAILLET +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4recover.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c +index c634483d85d2..8f24485e0f04 100644 +--- a/fs/nfsd/nfs4recover.c ++++ b/fs/nfsd/nfs4recover.c +@@ -815,8 +815,10 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg, + princhash.data = memdup_user( + &ci->cc_princhash.cp_data, + princhashlen); +- if (IS_ERR_OR_NULL(princhash.data)) ++ if (IS_ERR_OR_NULL(princhash.data)) { ++ kfree(name.data); + return -EFAULT; ++ } + princhash.len = princhashlen; + } else + princhash.len = 0; +-- +2.35.1 + diff --git a/queue-6.0/nfsd-fix-handling-of-oversized-nfsv4-compound-reques.patch b/queue-6.0/nfsd-fix-handling-of-oversized-nfsv4-compound-reques.patch new file mode 100644 index 00000000000..f7cc39b6931 --- /dev/null +++ b/queue-6.0/nfsd-fix-handling-of-oversized-nfsv4-compound-reques.patch @@ -0,0 +1,125 @@ +From c224f05fe1a686d4f0d7abdaa5935c359694ba15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 15:33:32 -0400 +Subject: NFSD: Fix handling of oversized NFSv4 COMPOUND requests + +From: Chuck Lever + +[ Upstream commit 7518a3dc5ea249d4112156ce71b8b184eb786151 ] + +If an NFS server returns NFS4ERR_RESOURCE on the first operation in +an NFSv4 COMPOUND, there's no way for a client to know where the +problem is and then simplify the compound to make forward progress. + +So instead, make NFSD process as many operations in an oversized +COMPOUND as it can and then return NFS4ERR_RESOURCE on the first +operation it did not process. + +pynfs NFSv4.0 COMP6 exercises this case, but checks only for the +COMPOUND status code, not whether the server has processed any +of the operations. + +pynfs NFSv4.1 SEQ6 and SEQ7 exercise the NFSv4.1 case, which detects +too many operations per COMPOUND by checking against the limits +negotiated when the session was created. + +Suggested-by: Bruce Fields +Fixes: 0078117c6d91 ("nfsd: return RESOURCE not GARBAGE_ARGS on too many ops") +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4proc.c | 19 +++++++++++++------ + fs/nfsd/nfs4xdr.c | 12 +++--------- + fs/nfsd/xdr4.h | 3 ++- + 3 files changed, 18 insertions(+), 16 deletions(-) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index 0437210b9898..22de5e0249ea 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -2633,9 +2633,6 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) + status = nfserr_minor_vers_mismatch; + if (nfsd_minorversion(nn, args->minorversion, NFSD_TEST) <= 0) + goto out; +- status = nfserr_resource; +- if (args->opcnt > NFSD_MAX_OPS_PER_COMPOUND) +- goto out; + + status = nfs41_check_op_ordering(args); + if (status) { +@@ -2648,10 +2645,20 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) + + rqstp->rq_lease_breaker = (void **)&cstate->clp; + +- trace_nfsd_compound(rqstp, args->opcnt); ++ trace_nfsd_compound(rqstp, args->client_opcnt); + while (!status && resp->opcnt < args->opcnt) { + op = &args->ops[resp->opcnt++]; + ++ if (unlikely(resp->opcnt == NFSD_MAX_OPS_PER_COMPOUND)) { ++ /* If there are still more operations to process, ++ * stop here and report NFS4ERR_RESOURCE. */ ++ if (cstate->minorversion == 0 && ++ args->client_opcnt > resp->opcnt) { ++ op->status = nfserr_resource; ++ goto encode_op; ++ } ++ } ++ + /* + * The XDR decode routines may have pre-set op->status; + * for example, if there is a miscellaneous XDR error +@@ -2727,8 +2734,8 @@ nfsd4_proc_compound(struct svc_rqst *rqstp) + status = op->status; + } + +- trace_nfsd_compound_status(args->opcnt, resp->opcnt, status, +- nfsd4_op_name(op->opnum)); ++ trace_nfsd_compound_status(args->client_opcnt, resp->opcnt, ++ status, nfsd4_op_name(op->opnum)); + + nfsd4_cstate_clear_replay(cstate); + nfsd4_increment_op_stats(op->opnum); +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index 1e9690a061ec..ac1b03cf05a5 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -2357,16 +2357,10 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp) + + if (xdr_stream_decode_u32(argp->xdr, &argp->minorversion) < 0) + return false; +- if (xdr_stream_decode_u32(argp->xdr, &argp->opcnt) < 0) ++ if (xdr_stream_decode_u32(argp->xdr, &argp->client_opcnt) < 0) + return false; +- +- /* +- * NFS4ERR_RESOURCE is a more helpful error than GARBAGE_ARGS +- * here, so we return success at the xdr level so that +- * nfsd4_proc can handle this is an NFS-level error. +- */ +- if (argp->opcnt > NFSD_MAX_OPS_PER_COMPOUND) +- return true; ++ argp->opcnt = min_t(u32, argp->client_opcnt, ++ NFSD_MAX_OPS_PER_COMPOUND); + + if (argp->opcnt > ARRAY_SIZE(argp->iops)) { + argp->ops = kzalloc(argp->opcnt * sizeof(*argp->ops), GFP_KERNEL); +diff --git a/fs/nfsd/xdr4.h b/fs/nfsd/xdr4.h +index 96267258e629..466e2786fc97 100644 +--- a/fs/nfsd/xdr4.h ++++ b/fs/nfsd/xdr4.h +@@ -717,9 +717,10 @@ struct nfsd4_compoundargs { + struct svcxdr_tmpbuf *to_free; + struct svc_rqst *rqstp; + +- u32 taglen; + char * tag; ++ u32 taglen; + u32 minorversion; ++ u32 client_opcnt; + u32 opcnt; + struct nfsd4_op *ops; + struct nfsd4_op iops[8]; +-- +2.35.1 + diff --git a/queue-6.0/nfsd-fix-use-after-free-on-source-server-when-doing-.patch b/queue-6.0/nfsd-fix-use-after-free-on-source-server-when-doing-.patch new file mode 100644 index 00000000000..9ffa095fdba --- /dev/null +++ b/queue-6.0/nfsd-fix-use-after-free-on-source-server-when-doing-.patch @@ -0,0 +1,79 @@ +From a75cd659943f4f3f052c7b97bab4603bbf61c20a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 10:59:16 -0700 +Subject: NFSD: fix use-after-free on source server when doing inter-server + copy + +From: Dai Ngo + +[ Upstream commit 019805fea91599b22dfa62ffb29c022f35abeb06 ] + +Use-after-free occurred when the laundromat tried to free expired +cpntf_state entry on the s2s_cp_stateids list after inter-server +copy completed. The sc_cp_list that the expired copy state was +inserted on was already freed. + +When COPY completes, the Linux client normally sends LOCKU(lock_state x), +FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server. +The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state +from the s2s_cp_stateids list before freeing the lock state's stid. + +However, sometimes the CLOSE was sent before the FREE_STATEID request. +When this happens, the nfsd4_close_open_stateid call from nfsd4_close +frees all lock states on its st_locks list without cleaning up the copy +state on the sc_cp_list list. When the time the FREE_STATEID arrives the +server returns BAD_STATEID since the lock state was freed. This causes +the use-after-free error to occur when the laundromat tries to free +the expired cpntf_state. + +This patch adds a call to nfs4_free_cpntf_statelist in +nfsd4_close_open_stateid to clean up the copy state before calling +free_ol_stateid_reaplist to free the lock state's stid on the reaplist. + +Signed-off-by: Dai Ngo +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4state.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index c5d199d7e6b4..0bc36472f8b7 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -1049,6 +1049,7 @@ static struct nfs4_ol_stateid * nfs4_alloc_open_stateid(struct nfs4_client *clp) + + static void nfs4_free_deleg(struct nfs4_stid *stid) + { ++ WARN_ON(!list_empty(&stid->sc_cp_list)); + kmem_cache_free(deleg_slab, stid); + atomic_long_dec(&num_delegations); + } +@@ -1462,6 +1463,7 @@ static void nfs4_free_ol_stateid(struct nfs4_stid *stid) + release_all_access(stp); + if (stp->st_stateowner) + nfs4_put_stateowner(stp->st_stateowner); ++ WARN_ON(!list_empty(&stid->sc_cp_list)); + kmem_cache_free(stateid_slab, stid); + } + +@@ -6684,6 +6686,7 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s) + struct nfs4_client *clp = s->st_stid.sc_client; + bool unhashed; + LIST_HEAD(reaplist); ++ struct nfs4_ol_stateid *stp; + + spin_lock(&clp->cl_lock); + unhashed = unhash_open_stateid(s, &reaplist); +@@ -6692,6 +6695,8 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s) + if (unhashed) + put_ol_stateid_locked(s, &reaplist); + spin_unlock(&clp->cl_lock); ++ list_for_each_entry(stp, &reaplist, st_locks) ++ nfs4_free_cpntf_statelist(clp->net, &stp->st_stid); + free_ol_stateid_reaplist(&reaplist); + } else { + spin_unlock(&clp->cl_lock); +-- +2.35.1 + diff --git a/queue-6.0/nfsd-move-from-strlcpy-with-unused-retval-to-strscpy.patch b/queue-6.0/nfsd-move-from-strlcpy-with-unused-retval-to-strscpy.patch new file mode 100644 index 00000000000..797b03f8ab7 --- /dev/null +++ b/queue-6.0/nfsd-move-from-strlcpy-with-unused-retval-to-strscpy.patch @@ -0,0 +1,86 @@ +From 4908d8d5ca67c5281fd01a8e89c1e4eaa7fa7109 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 23:01:14 +0200 +Subject: NFSD: move from strlcpy with unused retval to strscpy + +From: Wolfram Sang + +[ Upstream commit 72f78ae00a8e5d7abe13abac8305a300f6afd74b ] + +Follow the advice of the below link and prefer 'strscpy' in this +subsystem. Conversion is 1:1 because the return value is not used. +Generated by a coccinelle script. + +Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/ +Signed-off-by: Wolfram Sang +Signed-off-by: Chuck Lever +Stable-dep-of: fd1ef88049de ("nfsd: Fix a memory leak in an error handling path") +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4idmap.c | 8 ++++---- + fs/nfsd/nfs4proc.c | 2 +- + fs/nfsd/nfssvc.c | 2 +- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/fs/nfsd/nfs4idmap.c b/fs/nfsd/nfs4idmap.c +index f92161ce1f97..e70a1a2999b7 100644 +--- a/fs/nfsd/nfs4idmap.c ++++ b/fs/nfsd/nfs4idmap.c +@@ -82,8 +82,8 @@ ent_init(struct cache_head *cnew, struct cache_head *citm) + new->id = itm->id; + new->type = itm->type; + +- strlcpy(new->name, itm->name, sizeof(new->name)); +- strlcpy(new->authname, itm->authname, sizeof(new->authname)); ++ strscpy(new->name, itm->name, sizeof(new->name)); ++ strscpy(new->authname, itm->authname, sizeof(new->authname)); + } + + static void +@@ -548,7 +548,7 @@ idmap_name_to_id(struct svc_rqst *rqstp, int type, const char *name, u32 namelen + return nfserr_badowner; + memcpy(key.name, name, namelen); + key.name[namelen] = '\0'; +- strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); ++ strscpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); + ret = idmap_lookup(rqstp, nametoid_lookup, &key, nn->nametoid_cache, &item); + if (ret == -ENOENT) + return nfserr_badowner; +@@ -584,7 +584,7 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr, + int ret; + struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id); + +- strlcpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); ++ strscpy(key.authname, rqst_authname(rqstp), sizeof(key.authname)); + ret = idmap_lookup(rqstp, idtoname_lookup, &key, nn->idtoname_cache, &item); + if (ret == -ENOENT) + return encode_ascii_id(xdr, id); +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index a72ab97f77ef..0437210b9898 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1343,7 +1343,7 @@ static __be32 nfsd4_ssc_setup_dul(struct nfsd_net *nn, char *ipaddr, + return 0; + } + if (work) { +- strlcpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr) - 1); ++ strscpy(work->nsui_ipaddr, ipaddr, sizeof(work->nsui_ipaddr) - 1); + refcount_set(&work->nsui_refcnt, 2); + work->nsui_busy = true; + list_add_tail(&work->nsui_list, &nn->nfsd_ssc_mount_list); +diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c +index 4bb5baa17040..bfbd9f672f59 100644 +--- a/fs/nfsd/nfssvc.c ++++ b/fs/nfsd/nfssvc.c +@@ -799,7 +799,7 @@ nfsd_svc(int nrservs, struct net *net, const struct cred *cred) + if (nrservs == 0 && nn->nfsd_serv == NULL) + goto out; + +- strlcpy(nn->nfsd_name, utsname()->nodename, ++ strscpy(nn->nfsd_name, utsname()->nodename, + sizeof(nn->nfsd_name)); + + error = nfsd_create_serv(net); +-- +2.35.1 + diff --git a/queue-6.0/nfsd-protect-against-send-buffer-overflow-in-nfsv2-r.patch b/queue-6.0/nfsd-protect-against-send-buffer-overflow-in-nfsv2-r.patch new file mode 100644 index 00000000000..08e1d7b9d66 --- /dev/null +++ b/queue-6.0/nfsd-protect-against-send-buffer-overflow-in-nfsv2-r.patch @@ -0,0 +1,43 @@ +From 15c9774ccf60a6f49e62949d52db2910e714baad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 15:10:05 -0400 +Subject: NFSD: Protect against send buffer overflow in NFSv2 READDIR + +From: Chuck Lever + +[ Upstream commit 00b4492686e0497fdb924a9d4c8f6f99377e176c ] + +Restore the previous limit on the @count argument to prevent a +buffer overflow attack. + +Fixes: 53b1119a6e50 ("NFSD: Fix READDIR buffer overflow") +Signed-off-by: Chuck Lever +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfsproc.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/fs/nfsd/nfsproc.c b/fs/nfsd/nfsproc.c +index fcbf7e4083af..4b19cc727ea5 100644 +--- a/fs/nfsd/nfsproc.c ++++ b/fs/nfsd/nfsproc.c +@@ -568,12 +568,11 @@ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp, + struct xdr_buf *buf = &resp->dirlist; + struct xdr_stream *xdr = &resp->xdr; + +- count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp)); +- + memset(buf, 0, sizeof(*buf)); + + /* Reserve room for the NULL ptr & eof flag (-2 words) */ +- buf->buflen = count - XDR_UNIT * 2; ++ buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE); ++ buf->buflen -= XDR_UNIT * 2; + buf->pages = rqstp->rq_next_page; + rqstp->rq_next_page++; + +-- +2.35.1 + diff --git a/queue-6.0/nfsd-return-nfserr_serverfault-if-splice_ok-but-buf-.patch b/queue-6.0/nfsd-return-nfserr_serverfault-if-splice_ok-but-buf-.patch new file mode 100644 index 00000000000..e73ad58fd9d --- /dev/null +++ b/queue-6.0/nfsd-return-nfserr_serverfault-if-splice_ok-but-buf-.patch @@ -0,0 +1,37 @@ +From 80ce5f6b71b64ff1d0c2292cbd84cc4200157573 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 14:01:50 -0400 +Subject: NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data + +From: Anna Schumaker + +[ Upstream commit 06981d560606ac48d61e5f4fff6738b925c93173 ] + +This was discussed with Chuck as part of this patch set. Returning +nfserr_resource was decided to not be the best error message here, and +he suggested changing to nfserr_serverfault instead. + +Signed-off-by: Anna Schumaker +Link: https://lore.kernel.org/linux-nfs/20220907195259.926736-1-anna@kernel.org/T/#t +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4xdr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c +index ac1b03cf05a5..2960d0a8e8f9 100644 +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -3988,7 +3988,7 @@ nfsd4_encode_read(struct nfsd4_compoundres *resp, __be32 nfserr, + } + if (resp->xdr->buf->page_len && splice_ok) { + WARN_ON_ONCE(1); +- return nfserr_resource; ++ return nfserr_serverfault; + } + xdr_commit_encode(xdr); + +-- +2.35.1 + diff --git a/queue-6.0/ntfs3-rework-xattr-handlers-and-switch-to-posix-acl-.patch b/queue-6.0/ntfs3-rework-xattr-handlers-and-switch-to-posix-acl-.patch new file mode 100644 index 00000000000..e636e464262 --- /dev/null +++ b/queue-6.0/ntfs3-rework-xattr-handlers-and-switch-to-posix-acl-.patch @@ -0,0 +1,189 @@ +From ed32e2a3a538600978b1081c0e3700cd189cf655 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 14:38:40 +0200 +Subject: ntfs3: rework xattr handlers and switch to POSIX ACL VFS helpers + +From: Christian Brauner + +[ Upstream commit a26aa12384158116c0d80d50e0bdc7b3323551e2 ] + +The xattr code in ntfs3 is currently a bit confused. For example, it +defines a POSIX ACL i_op->set_acl() method but instead of relying on the +generic POSIX ACL VFS helpers it defines its own set of xattr helpers +with the consequence that i_op->set_acl() is currently dead code. + +Switch ntfs3 to rely on the VFS POSIX ACL xattr handlers. Also remove +i_op->{g,s}et_acl() methods from symlink inode operations. Symlinks +don't support xattrs. + +This is a preliminary change for the following patches which move +handling idmapped mounts directly in posix_acl_xattr_set(). + +This survives POSIX ACL xfstests. + +Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations") +Signed-off-by: Christian Brauner (Microsoft) +Reviewed-by: Seth Forshee (DigitalOcean) > +Signed-off-by: Sasha Levin +--- + fs/ntfs3/inode.c | 2 - + fs/ntfs3/xattr.c | 102 +++-------------------------------------------- + 2 files changed, 6 insertions(+), 98 deletions(-) + +diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c +index 51363d4e8636..26a76ebfe58f 100644 +--- a/fs/ntfs3/inode.c ++++ b/fs/ntfs3/inode.c +@@ -1927,8 +1927,6 @@ const struct inode_operations ntfs_link_inode_operations = { + .setattr = ntfs3_setattr, + .listxattr = ntfs_listxattr, + .permission = ntfs_permission, +- .get_acl = ntfs_get_acl, +- .set_acl = ntfs_set_acl, + }; + + const struct address_space_operations ntfs_aops = { +diff --git a/fs/ntfs3/xattr.c b/fs/ntfs3/xattr.c +index 6ae1f56b7358..7de8718c68a9 100644 +--- a/fs/ntfs3/xattr.c ++++ b/fs/ntfs3/xattr.c +@@ -625,67 +625,6 @@ int ntfs_set_acl(struct user_namespace *mnt_userns, struct inode *inode, + return ntfs_set_acl_ex(mnt_userns, inode, acl, type, false); + } + +-static int ntfs_xattr_get_acl(struct user_namespace *mnt_userns, +- struct inode *inode, int type, void *buffer, +- size_t size) +-{ +- struct posix_acl *acl; +- int err; +- +- if (!(inode->i_sb->s_flags & SB_POSIXACL)) { +- ntfs_inode_warn(inode, "add mount option \"acl\" to use acl"); +- return -EOPNOTSUPP; +- } +- +- acl = ntfs_get_acl(inode, type, false); +- if (IS_ERR(acl)) +- return PTR_ERR(acl); +- +- if (!acl) +- return -ENODATA; +- +- err = posix_acl_to_xattr(&init_user_ns, acl, buffer, size); +- posix_acl_release(acl); +- +- return err; +-} +- +-static int ntfs_xattr_set_acl(struct user_namespace *mnt_userns, +- struct inode *inode, int type, const void *value, +- size_t size) +-{ +- struct posix_acl *acl; +- int err; +- +- if (!(inode->i_sb->s_flags & SB_POSIXACL)) { +- ntfs_inode_warn(inode, "add mount option \"acl\" to use acl"); +- return -EOPNOTSUPP; +- } +- +- if (!inode_owner_or_capable(mnt_userns, inode)) +- return -EPERM; +- +- if (!value) { +- acl = NULL; +- } else { +- acl = posix_acl_from_xattr(&init_user_ns, value, size); +- if (IS_ERR(acl)) +- return PTR_ERR(acl); +- +- if (acl) { +- err = posix_acl_valid(&init_user_ns, acl); +- if (err) +- goto release_and_out; +- } +- } +- +- err = ntfs_set_acl(mnt_userns, inode, acl, type); +- +-release_and_out: +- posix_acl_release(acl); +- return err; +-} +- + /* + * ntfs_init_acl - Initialize the ACLs of a new inode. + * +@@ -852,23 +791,6 @@ static int ntfs_getxattr(const struct xattr_handler *handler, struct dentry *de, + goto out; + } + +-#ifdef CONFIG_NTFS3_FS_POSIX_ACL +- if ((name_len == sizeof(XATTR_NAME_POSIX_ACL_ACCESS) - 1 && +- !memcmp(name, XATTR_NAME_POSIX_ACL_ACCESS, +- sizeof(XATTR_NAME_POSIX_ACL_ACCESS))) || +- (name_len == sizeof(XATTR_NAME_POSIX_ACL_DEFAULT) - 1 && +- !memcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT, +- sizeof(XATTR_NAME_POSIX_ACL_DEFAULT)))) { +- /* TODO: init_user_ns? */ +- err = ntfs_xattr_get_acl( +- &init_user_ns, inode, +- name_len == sizeof(XATTR_NAME_POSIX_ACL_ACCESS) - 1 +- ? ACL_TYPE_ACCESS +- : ACL_TYPE_DEFAULT, +- buffer, size); +- goto out; +- } +-#endif + /* Deal with NTFS extended attribute. */ + err = ntfs_get_ea(inode, name, name_len, buffer, size, NULL); + +@@ -981,22 +903,6 @@ static noinline int ntfs_setxattr(const struct xattr_handler *handler, + goto out; + } + +-#ifdef CONFIG_NTFS3_FS_POSIX_ACL +- if ((name_len == sizeof(XATTR_NAME_POSIX_ACL_ACCESS) - 1 && +- !memcmp(name, XATTR_NAME_POSIX_ACL_ACCESS, +- sizeof(XATTR_NAME_POSIX_ACL_ACCESS))) || +- (name_len == sizeof(XATTR_NAME_POSIX_ACL_DEFAULT) - 1 && +- !memcmp(name, XATTR_NAME_POSIX_ACL_DEFAULT, +- sizeof(XATTR_NAME_POSIX_ACL_DEFAULT)))) { +- err = ntfs_xattr_set_acl( +- mnt_userns, inode, +- name_len == sizeof(XATTR_NAME_POSIX_ACL_ACCESS) - 1 +- ? ACL_TYPE_ACCESS +- : ACL_TYPE_DEFAULT, +- value, size); +- goto out; +- } +-#endif + /* Deal with NTFS extended attribute. */ + err = ntfs_set_ea(inode, name, name_len, value, size, flags, 0); + +@@ -1086,7 +992,7 @@ static bool ntfs_xattr_user_list(struct dentry *dentry) + } + + // clang-format off +-static const struct xattr_handler ntfs_xattr_handler = { ++static const struct xattr_handler ntfs_other_xattr_handler = { + .prefix = "", + .get = ntfs_getxattr, + .set = ntfs_setxattr, +@@ -1094,7 +1000,11 @@ static const struct xattr_handler ntfs_xattr_handler = { + }; + + const struct xattr_handler *ntfs_xattr_handlers[] = { +- &ntfs_xattr_handler, ++#ifdef CONFIG_NTFS3_FS_POSIX_ACL ++ &posix_acl_access_xattr_handler, ++ &posix_acl_default_xattr_handler, ++#endif ++ &ntfs_other_xattr_handler, + NULL, + }; + // clang-format on +-- +2.35.1 + diff --git a/queue-6.0/nvme-copy-firmware_rev-on-each-init.patch b/queue-6.0/nvme-copy-firmware_rev-on-each-init.patch new file mode 100644 index 00000000000..1e8c56bdd6a --- /dev/null +++ b/queue-6.0/nvme-copy-firmware_rev-on-each-init.patch @@ -0,0 +1,48 @@ +From a8fd19bb44b6aec880a0701103f5cf84034aa75d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 12:45:08 -0700 +Subject: nvme: copy firmware_rev on each init + +From: Keith Busch + +[ Upstream commit a8eb6c1ba48bddea82e8d74cbe6e119f006be97d ] + +The firmware revision can change on after a reset so copy the most +recent info each time instead of just the first time, otherwise the +sysfs firmware_rev entry may contain stale data. + +Reported-by: Jeff Lien +Signed-off-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Chao Leng +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 7991d28e6a6a..59e4b188fc71 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2889,7 +2889,6 @@ static int nvme_init_subsystem(struct nvme_ctrl *ctrl, struct nvme_id_ctrl *id) + nvme_init_subnqn(subsys, ctrl, id); + memcpy(subsys->serial, id->sn, sizeof(subsys->serial)); + memcpy(subsys->model, id->mn, sizeof(subsys->model)); +- memcpy(subsys->firmware_rev, id->fr, sizeof(subsys->firmware_rev)); + subsys->vendor_id = le16_to_cpu(id->vid); + subsys->cmic = id->cmic; + +@@ -3108,6 +3107,8 @@ static int nvme_init_identify(struct nvme_ctrl *ctrl) + ctrl->quirks |= core_quirks[i].quirks; + } + } ++ memcpy(ctrl->subsys->firmware_rev, id->fr, ++ sizeof(ctrl->subsys->firmware_rev)); + + if (force_apst && (ctrl->quirks & NVME_QUIRK_NO_DEEPEST_PS)) { + dev_warn(ctrl->device, "forcibly allowing all power states due to nvme_core.force_apst -- use at your own risk\n"); +-- +2.35.1 + diff --git a/queue-6.0/nvme-handle-effects-after-freeing-the-request.patch b/queue-6.0/nvme-handle-effects-after-freeing-the-request.patch new file mode 100644 index 00000000000..dd2286df4e6 --- /dev/null +++ b/queue-6.0/nvme-handle-effects-after-freeing-the-request.patch @@ -0,0 +1,159 @@ +From 929be36a5bbb0d95856b8bb9f089f9a737519b08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 12:36:46 -0700 +Subject: nvme: handle effects after freeing the request + +From: Keith Busch + +[ Upstream commit bc8fb906b0ff9339b4286698cb7cd9cd5b8c53eb ] + +If a reset occurs after the scan work attempts to issue a command, the +reset may quisce the admin queue, which blocks the scan work's command +from dispatching. The scan work will not be able to complete while the +queue is quiesced. + +Meanwhile, the reset work will cancel all outstanding admin tags and +wait until all requests have transitioned to idle, which includes the +passthrough request. But the passthrough request won't be set to idle +until after the scan_work flushes, so we're deadlocked. + +Fix this by handling the end effects after the request has been freed. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216354 +Reported-by: Jonathan Derrick +Signed-off-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Chao Leng +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 17 ++++++----------- + drivers/nvme/host/ioctl.c | 9 ++++++++- + drivers/nvme/host/nvme.h | 4 +++- + drivers/nvme/target/passthru.c | 7 ++++++- + 4 files changed, 23 insertions(+), 14 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 8d5a7ae19844..7991d28e6a6a 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1111,8 +1111,8 @@ static u32 nvme_passthru_start(struct nvme_ctrl *ctrl, struct nvme_ns *ns, + return effects; + } + +-static void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects, +- struct nvme_command *cmd, int status) ++void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects, ++ struct nvme_command *cmd, int status) + { + if (effects & NVME_CMD_EFFECTS_CSE_MASK) { + nvme_unfreeze(ctrl); +@@ -1148,21 +1148,16 @@ static void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects, + break; + } + } ++EXPORT_SYMBOL_NS_GPL(nvme_passthru_end, NVME_TARGET_PASSTHRU); + +-int nvme_execute_passthru_rq(struct request *rq) ++int nvme_execute_passthru_rq(struct request *rq, u32 *effects) + { + struct nvme_command *cmd = nvme_req(rq)->cmd; + struct nvme_ctrl *ctrl = nvme_req(rq)->ctrl; + struct nvme_ns *ns = rq->q->queuedata; +- u32 effects; +- int ret; + +- effects = nvme_passthru_start(ctrl, ns, cmd->common.opcode); +- ret = nvme_execute_rq(rq, false); +- if (effects) /* nothing to be done for zero cmd effects */ +- nvme_passthru_end(ctrl, effects, cmd, ret); +- +- return ret; ++ *effects = nvme_passthru_start(ctrl, ns, cmd->common.opcode); ++ return nvme_execute_rq(rq, false); + } + EXPORT_SYMBOL_NS_GPL(nvme_execute_passthru_rq, NVME_TARGET_PASSTHRU); + +diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c +index 27614bee7380..d3281f87cd6e 100644 +--- a/drivers/nvme/host/ioctl.c ++++ b/drivers/nvme/host/ioctl.c +@@ -136,9 +136,11 @@ static int nvme_submit_user_cmd(struct request_queue *q, + unsigned bufflen, void __user *meta_buffer, unsigned meta_len, + u32 meta_seed, u64 *result, unsigned timeout, bool vec) + { ++ struct nvme_ctrl *ctrl; + struct request *req; + void *meta = NULL; + struct bio *bio; ++ u32 effects; + int ret; + + req = nvme_alloc_user_request(q, cmd, ubuffer, bufflen, meta_buffer, +@@ -147,8 +149,9 @@ static int nvme_submit_user_cmd(struct request_queue *q, + return PTR_ERR(req); + + bio = req->bio; ++ ctrl = nvme_req(req)->ctrl; + +- ret = nvme_execute_passthru_rq(req); ++ ret = nvme_execute_passthru_rq(req, &effects); + + if (result) + *result = le64_to_cpu(nvme_req(req)->result.u64); +@@ -158,6 +161,10 @@ static int nvme_submit_user_cmd(struct request_queue *q, + if (bio) + blk_rq_unmap_user(bio); + blk_mq_free_request(req); ++ ++ if (effects) ++ nvme_passthru_end(ctrl, effects, cmd, ret); ++ + return ret; + } + +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 1bdf714dcd9e..a0bf9560cf67 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -1023,7 +1023,9 @@ static inline void nvme_auth_free(struct nvme_ctrl *ctrl) {}; + + u32 nvme_command_effects(struct nvme_ctrl *ctrl, struct nvme_ns *ns, + u8 opcode); +-int nvme_execute_passthru_rq(struct request *rq); ++int nvme_execute_passthru_rq(struct request *rq, u32 *effects); ++void nvme_passthru_end(struct nvme_ctrl *ctrl, u32 effects, ++ struct nvme_command *cmd, int status); + struct nvme_ctrl *nvme_ctrl_from_file(struct file *file); + struct nvme_ns *nvme_find_get_ns(struct nvme_ctrl *ctrl, unsigned nsid); + void nvme_put_ns(struct nvme_ns *ns); +diff --git a/drivers/nvme/target/passthru.c b/drivers/nvme/target/passthru.c +index 6f39a29828b1..94d3153bae54 100644 +--- a/drivers/nvme/target/passthru.c ++++ b/drivers/nvme/target/passthru.c +@@ -215,9 +215,11 @@ static void nvmet_passthru_execute_cmd_work(struct work_struct *w) + { + struct nvmet_req *req = container_of(w, struct nvmet_req, p.work); + struct request *rq = req->p.rq; ++ struct nvme_ctrl *ctrl = nvme_req(rq)->ctrl; ++ u32 effects; + int status; + +- status = nvme_execute_passthru_rq(rq); ++ status = nvme_execute_passthru_rq(rq, &effects); + + if (status == NVME_SC_SUCCESS && + req->cmd->common.opcode == nvme_admin_identify) { +@@ -238,6 +240,9 @@ static void nvmet_passthru_execute_cmd_work(struct work_struct *w) + req->cqe->result = nvme_req(rq)->result; + nvmet_req_complete(req, status); + blk_mq_free_request(rq); ++ ++ if (effects) ++ nvme_passthru_end(ctrl, effects, req->cmd, status); + } + + static void nvmet_passthru_req_done(struct request *rq, +-- +2.35.1 + diff --git a/queue-6.0/nvmet-auth-clean-up-with-done_kfree.patch b/queue-6.0/nvmet-auth-clean-up-with-done_kfree.patch new file mode 100644 index 00000000000..0051991941c --- /dev/null +++ b/queue-6.0/nvmet-auth-clean-up-with-done_kfree.patch @@ -0,0 +1,43 @@ +From eb2bf72634a2cbb8f38caca20fdfd0c49f837916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Aug 2022 11:12:30 +0800 +Subject: nvmet-auth: clean up with done_kfree + +From: Jackie Liu + +[ Upstream commit 42147981561c3344d2c6781fe7029e5900daa9fb ] + +Jump directly to done_kfree to release d, which is consistent with the +code style behind. + +Reported-by: Genjian Zhang +Signed-off-by: Jackie Liu +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Reviewed-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/fabrics-cmd-auth.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c +index 0c078b6b1447..2c265504b87c 100644 +--- a/drivers/nvme/target/fabrics-cmd-auth.c ++++ b/drivers/nvme/target/fabrics-cmd-auth.c +@@ -224,10 +224,8 @@ void nvmet_execute_auth_send(struct nvmet_req *req) + } + + status = nvmet_copy_from_sgl(req, 0, d, tl); +- if (status) { +- kfree(d); +- goto done; +- } ++ if (status) ++ goto done_kfree; + + data = d; + pr_debug("%s: ctrl %d qid %d type %d id %d step %x\n", __func__, +-- +2.35.1 + diff --git a/queue-6.0/nvmet-auth-don-t-try-to-cancel-a-non-initialized-wor.patch b/queue-6.0/nvmet-auth-don-t-try-to-cancel-a-non-initialized-wor.patch new file mode 100644 index 00000000000..26c7120ca05 --- /dev/null +++ b/queue-6.0/nvmet-auth-don-t-try-to-cancel-a-non-initialized-wor.patch @@ -0,0 +1,121 @@ +From b97ac5834797ad235bd506b91f4ce9d9a2cc1080 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 15:37:18 +0200 +Subject: nvmet-auth: don't try to cancel a non-initialized work_struct + +From: Christoph Hellwig + +[ Upstream commit 1befd944e05050d76950014f3dc04ed47faba2c3 ] + +Currently blktests nvme/002 trips up debugobjects if CONFIG_NVME_AUTH is +enabled, but authentication is not on a queue. This is because +nvmet_auth_sq_free cancels sq->auth_expired_work unconditionaly, while +auth_expired_work is only ever initialized if authentication is enabled +for a given controller. + +Fix this by calling most of what is nvmet_init_auth unconditionally +when initializing the SQ, and just do the setting of the result +field in the connect command handler. + +Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication") +Signed-off-by: Christoph Hellwig +Reviewed-by: Sagi Grimberg +Reviewed-by: Hannes Reinecke +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 1 + + drivers/nvme/target/fabrics-cmd-auth.c | 13 ++++--------- + drivers/nvme/target/fabrics-cmd.c | 6 ++++-- + drivers/nvme/target/nvmet.h | 7 ++++--- + 4 files changed, 13 insertions(+), 14 deletions(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 7f4083cf953a..14677145bbba 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -832,6 +832,7 @@ int nvmet_sq_init(struct nvmet_sq *sq) + } + init_completion(&sq->free_done); + init_completion(&sq->confirm_done); ++ nvmet_auth_sq_init(sq); + + return 0; + } +diff --git a/drivers/nvme/target/fabrics-cmd-auth.c b/drivers/nvme/target/fabrics-cmd-auth.c +index ebdf9aa81041..0c078b6b1447 100644 +--- a/drivers/nvme/target/fabrics-cmd-auth.c ++++ b/drivers/nvme/target/fabrics-cmd-auth.c +@@ -23,17 +23,12 @@ static void nvmet_auth_expired_work(struct work_struct *work) + sq->dhchap_tid = -1; + } + +-void nvmet_init_auth(struct nvmet_ctrl *ctrl, struct nvmet_req *req) ++void nvmet_auth_sq_init(struct nvmet_sq *sq) + { +- u32 result = le32_to_cpu(req->cqe->result.u32); +- + /* Initialize in-band authentication */ +- INIT_DELAYED_WORK(&req->sq->auth_expired_work, +- nvmet_auth_expired_work); +- req->sq->authenticated = false; +- req->sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE; +- result |= (u32)NVME_CONNECT_AUTHREQ_ATR << 16; +- req->cqe->result.u32 = cpu_to_le32(result); ++ INIT_DELAYED_WORK(&sq->auth_expired_work, nvmet_auth_expired_work); ++ sq->authenticated = false; ++ sq->dhchap_step = NVME_AUTH_DHCHAP_MESSAGE_NEGOTIATE; + } + + static u16 nvmet_auth_negotiate(struct nvmet_req *req, void *d) +diff --git a/drivers/nvme/target/fabrics-cmd.c b/drivers/nvme/target/fabrics-cmd.c +index f91a56180d3d..bd739d8b6991 100644 +--- a/drivers/nvme/target/fabrics-cmd.c ++++ b/drivers/nvme/target/fabrics-cmd.c +@@ -272,7 +272,8 @@ static void nvmet_execute_admin_connect(struct nvmet_req *req) + req->cqe->result.u16 = cpu_to_le16(ctrl->cntlid); + + if (nvmet_has_auth(ctrl)) +- nvmet_init_auth(ctrl, req); ++ req->cqe->result.u32 |= ++ cpu_to_le32((u32)NVME_CONNECT_AUTHREQ_ATR << 16); + out: + kfree(d); + complete: +@@ -334,7 +335,8 @@ static void nvmet_execute_io_connect(struct nvmet_req *req) + pr_debug("adding queue %d to ctrl %d.\n", qid, ctrl->cntlid); + req->cqe->result.u16 = cpu_to_le16(ctrl->cntlid); + if (nvmet_has_auth(ctrl)) +- nvmet_init_auth(ctrl, req); ++ req->cqe->result.u32 |= ++ cpu_to_le32((u32)NVME_CONNECT_AUTHREQ_ATR << 16); + + out: + kfree(d); +diff --git a/drivers/nvme/target/nvmet.h b/drivers/nvme/target/nvmet.h +index 6ffeeb0a1c49..dfe3894205aa 100644 +--- a/drivers/nvme/target/nvmet.h ++++ b/drivers/nvme/target/nvmet.h +@@ -704,7 +704,7 @@ int nvmet_auth_set_key(struct nvmet_host *host, const char *secret, + bool set_ctrl); + int nvmet_auth_set_host_hash(struct nvmet_host *host, const char *hash); + int nvmet_setup_auth(struct nvmet_ctrl *ctrl); +-void nvmet_init_auth(struct nvmet_ctrl *ctrl, struct nvmet_req *req); ++void nvmet_auth_sq_init(struct nvmet_sq *sq); + void nvmet_destroy_auth(struct nvmet_ctrl *ctrl); + void nvmet_auth_sq_free(struct nvmet_sq *sq); + int nvmet_setup_dhgroup(struct nvmet_ctrl *ctrl, u8 dhgroup_id); +@@ -726,8 +726,9 @@ static inline int nvmet_setup_auth(struct nvmet_ctrl *ctrl) + { + return 0; + } +-static inline void nvmet_init_auth(struct nvmet_ctrl *ctrl, +- struct nvmet_req *req) {}; ++static inline void nvmet_auth_sq_init(struct nvmet_sq *sq) ++{ ++} + static inline void nvmet_destroy_auth(struct nvmet_ctrl *ctrl) {}; + static inline void nvmet_auth_sq_free(struct nvmet_sq *sq) {}; + static inline bool nvmet_check_auth_status(struct nvmet_req *req) +-- +2.35.1 + diff --git a/queue-6.0/nvmet-don-t-look-at-the-request_queue-in-nvmet_bdev_.patch b/queue-6.0/nvmet-don-t-look-at-the-request_queue-in-nvmet_bdev_.patch new file mode 100644 index 00000000000..4afc8369aec --- /dev/null +++ b/queue-6.0/nvmet-don-t-look-at-the-request_queue-in-nvmet_bdev_.patch @@ -0,0 +1,45 @@ +From a4c740795541b913fb1a6faa4544e04e5a8713b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 10:24:07 +0200 +Subject: nvmet: don't look at the request_queue in + nvmet_bdev_zone_mgmt_emulate_all + +From: Christoph Hellwig + +[ Upstream commit 8df20252c06046ef4c68107bcaaca56c21028d8c ] + +nvmet is a consumer of the block layer and should not directly look at +the request_queue. Just use the NUMA node ID from the gendisk instead of +the request_queue. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/zns.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/nvme/target/zns.c b/drivers/nvme/target/zns.c +index 835bfda86fcf..1254cf57e008 100644 +--- a/drivers/nvme/target/zns.c ++++ b/drivers/nvme/target/zns.c +@@ -400,7 +400,6 @@ static u16 nvmet_bdev_zone_mgmt_emulate_all(struct nvmet_req *req) + { + struct block_device *bdev = req->ns->bdev; + unsigned int nr_zones = bdev_nr_zones(bdev); +- struct request_queue *q = bdev_get_queue(bdev); + struct bio *bio = NULL; + sector_t sector = 0; + int ret; +@@ -409,7 +408,7 @@ static u16 nvmet_bdev_zone_mgmt_emulate_all(struct nvmet_req *req) + }; + + d.zbitmap = kcalloc_node(BITS_TO_LONGS(nr_zones), sizeof(*(d.zbitmap)), +- GFP_NOIO, q->node); ++ GFP_NOIO, bdev->bd_disk->node_id); + if (!d.zbitmap) { + ret = -ENOMEM; + goto out; +-- +2.35.1 + diff --git a/queue-6.0/nvmet-don-t-look-at-the-request_queue-in-nvmet_bdev_.patch-7526 b/queue-6.0/nvmet-don-t-look-at-the-request_queue-in-nvmet_bdev_.patch-7526 new file mode 100644 index 00000000000..68569b43a8a --- /dev/null +++ b/queue-6.0/nvmet-don-t-look-at-the-request_queue-in-nvmet_bdev_.patch-7526 @@ -0,0 +1,56 @@ +From 80dde9422c812c4c9ec7d79131da0603b27a9a34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 10:26:26 +0200 +Subject: nvmet: don't look at the request_queue in nvmet_bdev_set_limits + +From: Christoph Hellwig + +[ Upstream commit 84fe64f898913ef69f70a8d91aea613b5722b63b ] + +nvmet is a consumer of the block layer and should not directly look at +the request_queue. Use the bdev_ helpers to retrieve the device limits +instead. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/io-cmd-bdev.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/nvme/target/io-cmd-bdev.c b/drivers/nvme/target/io-cmd-bdev.c +index 2dc1c1035626..77c20c0db9d5 100644 +--- a/drivers/nvme/target/io-cmd-bdev.c ++++ b/drivers/nvme/target/io-cmd-bdev.c +@@ -12,11 +12,9 @@ + + void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id) + { +- const struct queue_limits *ql = &bdev_get_queue(bdev)->limits; +- /* Number of logical blocks per physical block. */ +- const u32 lpp = ql->physical_block_size / ql->logical_block_size; + /* Logical blocks per physical block, 0's based. */ +- const __le16 lpp0b = to0based(lpp); ++ const __le16 lpp0b = to0based(bdev_physical_block_size(bdev) / ++ bdev_logical_block_size(bdev)); + + /* + * For NVMe 1.2 and later, bit 1 indicates that the fields NAWUN, +@@ -42,11 +40,12 @@ void nvmet_bdev_set_limits(struct block_device *bdev, struct nvme_id_ns *id) + /* NPWA = Namespace Preferred Write Alignment. 0's based */ + id->npwa = id->npwg; + /* NPDG = Namespace Preferred Deallocate Granularity. 0's based */ +- id->npdg = to0based(ql->discard_granularity / ql->logical_block_size); ++ id->npdg = to0based(bdev_discard_granularity(bdev) / ++ bdev_logical_block_size(bdev)); + /* NPDG = Namespace Preferred Deallocate Alignment */ + id->npda = id->npdg; + /* NOWS = Namespace Optimal Write Size */ +- id->nows = to0based(ql->io_opt / ql->logical_block_size); ++ id->nows = to0based(bdev_io_opt(bdev) / bdev_logical_block_size(bdev)); + } + + void nvmet_bdev_ns_disable(struct nvmet_ns *ns) +-- +2.35.1 + diff --git a/queue-6.0/nvmet-tcp-add-bounds-check-on-transfer-tag.patch b/queue-6.0/nvmet-tcp-add-bounds-check-on-transfer-tag.patch new file mode 100644 index 00000000000..64168538512 --- /dev/null +++ b/queue-6.0/nvmet-tcp-add-bounds-check-on-transfer-tag.patch @@ -0,0 +1,47 @@ +From cb9cdbabcede2f267ae525d0484dc98d733eb4f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 00:06:49 +0530 +Subject: nvmet-tcp: add bounds check on Transfer Tag + +From: Varun Prakash + +[ Upstream commit b6a545ffa2c192b1e6da4a7924edac5ba9f4ea2b ] + +ttag is used as an index to get cmd in nvmet_tcp_handle_h2c_data_pdu(), +add a bounds check to avoid out-of-bounds access. + +Signed-off-by: Varun Prakash +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index a3694a32f6d5..7dcf88cde189 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -935,10 +935,17 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue) + struct nvme_tcp_data_pdu *data = &queue->pdu.data; + struct nvmet_tcp_cmd *cmd; + +- if (likely(queue->nr_cmds)) ++ if (likely(queue->nr_cmds)) { ++ if (unlikely(data->ttag >= queue->nr_cmds)) { ++ pr_err("queue %d: received out of bound ttag %u, nr_cmds %u\n", ++ queue->idx, data->ttag, queue->nr_cmds); ++ nvmet_tcp_fatal_error(queue); ++ return -EPROTO; ++ } + cmd = &queue->cmds[data->ttag]; +- else ++ } else { + cmd = &queue->connect; ++ } + + if (le32_to_cpu(data->data_offset) != cmd->rbytes_done) { + pr_err("ttag %u unexpected data offset %u (expected %u)\n", +-- +2.35.1 + diff --git a/queue-6.0/objtool-preserve-special-st_shndx-indexes-in-elf_upd.patch b/queue-6.0/objtool-preserve-special-st_shndx-indexes-in-elf_upd.patch new file mode 100644 index 00000000000..3e0530fcda6 --- /dev/null +++ b/queue-6.0/objtool-preserve-special-st_shndx-indexes-in-elf_upd.patch @@ -0,0 +1,54 @@ +From 519bb84f1861d9f7dbd1316784fd3b1eed0345a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 14:54:58 -0700 +Subject: objtool: Preserve special st_shndx indexes in elf_update_symbol + +From: Sami Tolvanen + +[ Upstream commit 5141d3a06b2da1731ac82091298b766a1f95d3d8 ] + +elf_update_symbol fails to preserve the special st_shndx values +between [SHN_LORESERVE, SHN_HIRESERVE], which results in it +converting SHN_ABS entries into SHN_UNDEF, for example. Explicitly +check for the special indexes and ensure these symbols are not +marked undefined. + +Fixes: ead165fa1042 ("objtool: Fix symbol creation") +Signed-off-by: Sami Tolvanen +Acked-by: Peter Zijlstra (Intel) +Tested-by: Peter Zijlstra (Intel) +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20220908215504.3686827-17-samitolvanen@google.com +Signed-off-by: Sasha Levin +--- + tools/objtool/elf.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c +index c25e957c1e52..7e24b09b1163 100644 +--- a/tools/objtool/elf.c ++++ b/tools/objtool/elf.c +@@ -619,6 +619,11 @@ static int elf_update_symbol(struct elf *elf, struct section *symtab, + Elf64_Xword entsize = symtab->sh.sh_entsize; + int max_idx, idx = sym->idx; + Elf_Scn *s, *t = NULL; ++ bool is_special_shndx = sym->sym.st_shndx >= SHN_LORESERVE && ++ sym->sym.st_shndx != SHN_XINDEX; ++ ++ if (is_special_shndx) ++ shndx = sym->sym.st_shndx; + + s = elf_getscn(elf->elf, symtab->idx); + if (!s) { +@@ -704,7 +709,7 @@ static int elf_update_symbol(struct elf *elf, struct section *symtab, + } + + /* setup extended section index magic and write the symbol */ +- if (shndx >= SHN_UNDEF && shndx < SHN_LORESERVE) { ++ if ((shndx >= SHN_UNDEF && shndx < SHN_LORESERVE) || is_special_shndx) { + sym->sym.st_shndx = shndx; + if (!shndx_data) + shndx = 0; +-- +2.35.1 + diff --git a/queue-6.0/once-add-do_once_slow-for-sleepable-contexts.patch b/queue-6.0/once-add-do_once_slow-for-sleepable-contexts.patch new file mode 100644 index 00000000000..43c01f6a476 --- /dev/null +++ b/queue-6.0/once-add-do_once_slow-for-sleepable-contexts.patch @@ -0,0 +1,147 @@ +From 1243bd3a6d9acea2e68073df77ccf0757dc84916 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Oct 2022 13:51:02 -0700 +Subject: once: add DO_ONCE_SLOW() for sleepable contexts + +From: Eric Dumazet + +[ Upstream commit 62c07983bef9d3e78e71189441e1a470f0d1e653 ] + +Christophe Leroy reported a ~80ms latency spike +happening at first TCP connect() time. + +This is because __inet_hash_connect() uses get_random_once() +to populate a perturbation table which became quite big +after commit 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16") + +get_random_once() uses DO_ONCE(), which block hard irqs for the duration +of the operation. + +This patch adds DO_ONCE_SLOW() which uses a mutex instead of a spinlock +for operations where we prefer to stay in process context. + +Then __inet_hash_connect() can use get_random_slow_once() +to populate its perturbation table. + +Fixes: 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16") +Fixes: 190cc82489f4 ("tcp: change source port randomizarion at connect() time") +Reported-by: Christophe Leroy +Link: https://lore.kernel.org/netdev/CANn89iLAEYBaoYajy0Y9UmGFff5GPxDUoG-ErVB2jDdRNQ5Tug@mail.gmail.com/T/#t +Signed-off-by: Eric Dumazet +Cc: Willy Tarreau +Tested-by: Christophe Leroy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/once.h | 28 ++++++++++++++++++++++++++++ + lib/once.c | 30 ++++++++++++++++++++++++++++++ + net/ipv4/inet_hashtables.c | 4 ++-- + 3 files changed, 60 insertions(+), 2 deletions(-) + +diff --git a/include/linux/once.h b/include/linux/once.h +index b14d8b309d52..176ab75b42df 100644 +--- a/include/linux/once.h ++++ b/include/linux/once.h +@@ -5,10 +5,18 @@ + #include + #include + ++/* Helpers used from arbitrary contexts. ++ * Hard irqs are blocked, be cautious. ++ */ + bool __do_once_start(bool *done, unsigned long *flags); + void __do_once_done(bool *done, struct static_key_true *once_key, + unsigned long *flags, struct module *mod); + ++/* Variant for process contexts only. */ ++bool __do_once_slow_start(bool *done); ++void __do_once_slow_done(bool *done, struct static_key_true *once_key, ++ struct module *mod); ++ + /* Call a function exactly once. The idea of DO_ONCE() is to perform + * a function call such as initialization of random seeds, etc, only + * once, where DO_ONCE() can live in the fast-path. After @func has +@@ -52,7 +60,27 @@ void __do_once_done(bool *done, struct static_key_true *once_key, + ___ret; \ + }) + ++/* Variant of DO_ONCE() for process/sleepable contexts. */ ++#define DO_ONCE_SLOW(func, ...) \ ++ ({ \ ++ bool ___ret = false; \ ++ static bool __section(".data.once") ___done = false; \ ++ static DEFINE_STATIC_KEY_TRUE(___once_key); \ ++ if (static_branch_unlikely(&___once_key)) { \ ++ ___ret = __do_once_slow_start(&___done); \ ++ if (unlikely(___ret)) { \ ++ func(__VA_ARGS__); \ ++ __do_once_slow_done(&___done, &___once_key, \ ++ THIS_MODULE); \ ++ } \ ++ } \ ++ ___ret; \ ++ }) ++ + #define get_random_once(buf, nbytes) \ + DO_ONCE(get_random_bytes, (buf), (nbytes)) + ++#define get_random_slow_once(buf, nbytes) \ ++ DO_ONCE_SLOW(get_random_bytes, (buf), (nbytes)) ++ + #endif /* _LINUX_ONCE_H */ +diff --git a/lib/once.c b/lib/once.c +index 59149bf3bfb4..351f66aad310 100644 +--- a/lib/once.c ++++ b/lib/once.c +@@ -66,3 +66,33 @@ void __do_once_done(bool *done, struct static_key_true *once_key, + once_disable_jump(once_key, mod); + } + EXPORT_SYMBOL(__do_once_done); ++ ++static DEFINE_MUTEX(once_mutex); ++ ++bool __do_once_slow_start(bool *done) ++ __acquires(once_mutex) ++{ ++ mutex_lock(&once_mutex); ++ if (*done) { ++ mutex_unlock(&once_mutex); ++ /* Keep sparse happy by restoring an even lock count on ++ * this mutex. In case we return here, we don't call into ++ * __do_once_done but return early in the DO_ONCE_SLOW() macro. ++ */ ++ __acquire(once_mutex); ++ return false; ++ } ++ ++ return true; ++} ++EXPORT_SYMBOL(__do_once_slow_start); ++ ++void __do_once_slow_done(bool *done, struct static_key_true *once_key, ++ struct module *mod) ++ __releases(once_mutex) ++{ ++ *done = true; ++ mutex_unlock(&once_mutex); ++ once_disable_jump(once_key, mod); ++} ++EXPORT_SYMBOL(__do_once_slow_done); +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index b9d995b5ce24..f5950a7172d6 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -729,8 +729,8 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, + if (likely(remaining > 1)) + remaining &= ~1U; + +- net_get_random_once(table_perturb, +- INET_TABLE_PERTURB_SIZE * sizeof(*table_perturb)); ++ get_random_slow_once(table_perturb, ++ INET_TABLE_PERTURB_SIZE * sizeof(*table_perturb)); + index = port_offset & (INET_TABLE_PERTURB_SIZE - 1); + + offset = READ_ONCE(table_perturb[index]) + (port_offset >> 32); +-- +2.35.1 + diff --git a/queue-6.0/openvswitch-fix-double-reporting-of-drops-in-dropwat.patch b/queue-6.0/openvswitch-fix-double-reporting-of-drops-in-dropwat.patch new file mode 100644 index 00000000000..5752708a976 --- /dev/null +++ b/queue-6.0/openvswitch-fix-double-reporting-of-drops-in-dropwat.patch @@ -0,0 +1,52 @@ +From 5eb80df706fbd840c1772eacd11f54247f890bfc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 11:06:34 -0400 +Subject: openvswitch: Fix double reporting of drops in dropwatch + +From: Mike Pattrick + +[ Upstream commit 1100248a5c5ccd57059eb8d02ec077e839a23826 ] + +Frames sent to userspace can be reported as dropped in +ovs_dp_process_packet, however, if they are dropped in the netlink code +then netlink_attachskb will report the same frame as dropped. + +This patch checks for error codes which indicate that the frame has +already been freed. + +Signed-off-by: Mike Pattrick +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109946 +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 6c9d153afbee..b68ba3c72519 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -252,10 +252,17 @@ void ovs_dp_process_packet(struct sk_buff *skb, struct sw_flow_key *key) + + upcall.mru = OVS_CB(skb)->mru; + error = ovs_dp_upcall(dp, skb, key, &upcall, 0); +- if (unlikely(error)) +- kfree_skb(skb); +- else ++ switch (error) { ++ case 0: ++ case -EAGAIN: ++ case -ERESTARTSYS: ++ case -EINTR: + consume_skb(skb); ++ break; ++ default: ++ kfree_skb(skb); ++ break; ++ } + stats_counter = &stats->n_missed; + goto out; + } +-- +2.35.1 + diff --git a/queue-6.0/openvswitch-fix-overreporting-of-drops-in-dropwatch.patch b/queue-6.0/openvswitch-fix-overreporting-of-drops-in-dropwatch.patch new file mode 100644 index 00000000000..92a6e8b386d --- /dev/null +++ b/queue-6.0/openvswitch-fix-overreporting-of-drops-in-dropwatch.patch @@ -0,0 +1,42 @@ +From a989a37be16fd72e17fa51601f3aaf829470253e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 11:06:35 -0400 +Subject: openvswitch: Fix overreporting of drops in dropwatch + +From: Mike Pattrick + +[ Upstream commit c21ab2afa2c64896a7f0e3cbc6845ec63dcfad2e ] + +Currently queue_userspace_packet will call kfree_skb for all frames, +whether or not an error occurred. This can result in a single dropped +frame being reported as multiple drops in dropwatch. This functions +caller may also call kfree_skb in case of an error. This patch will +consume the skbs instead and allow caller's to use kfree_skb. + +Signed-off-by: Mike Pattrick +Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109957 +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index b68ba3c72519..93c596e3b22b 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -558,8 +558,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb, + out: + if (err) + skb_tx_error(skb); +- kfree_skb(user_skb); +- kfree_skb(nskb); ++ consume_skb(user_skb); ++ consume_skb(nskb); ++ + return err; + } + +-- +2.35.1 + diff --git a/queue-6.0/phy-amlogic-phy-meson-axg-mipi-pcie-analog-hold-refe.patch b/queue-6.0/phy-amlogic-phy-meson-axg-mipi-pcie-analog-hold-refe.patch new file mode 100644 index 00000000000..576c0aa3323 --- /dev/null +++ b/queue-6.0/phy-amlogic-phy-meson-axg-mipi-pcie-analog-hold-refe.patch @@ -0,0 +1,51 @@ +From 2420fabbb4e09ca542f3c29793d06dc54d1014cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 17:35:06 +0800 +Subject: phy: amlogic: phy-meson-axg-mipi-pcie-analog: Hold reference returned + by of_get_parent() + +From: Liang He + +[ Upstream commit c4c349be07aeec5f397a349046dc5fc0f2657691 ] + +As the of_get_parent() will increase the refcount of the node->parent +and the reference will be discarded, so we should hold the reference +with which we can decrease the refcount when done. + +Fixes: 8eff8b4e22d9 ("phy: amlogic: phy-meson-axg-mipi-pcie-analog: add support for MIPI DSI analog") +Signed-off-by: Liang He + +Link: https://lore.kernel.org/r/20220915093506.4009456-1-windhl@126.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/amlogic/phy-meson-axg-mipi-pcie-analog.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/amlogic/phy-meson-axg-mipi-pcie-analog.c b/drivers/phy/amlogic/phy-meson-axg-mipi-pcie-analog.c +index 1027ece6ca12..a3e1108b736d 100644 +--- a/drivers/phy/amlogic/phy-meson-axg-mipi-pcie-analog.c ++++ b/drivers/phy/amlogic/phy-meson-axg-mipi-pcie-analog.c +@@ -197,7 +197,7 @@ static int phy_axg_mipi_pcie_analog_probe(struct platform_device *pdev) + struct phy_provider *phy; + struct device *dev = &pdev->dev; + struct phy_axg_mipi_pcie_analog_priv *priv; +- struct device_node *np = dev->of_node; ++ struct device_node *np = dev->of_node, *parent_np; + struct regmap *map; + int ret; + +@@ -206,7 +206,9 @@ static int phy_axg_mipi_pcie_analog_probe(struct platform_device *pdev) + return -ENOMEM; + + /* Get the hhi system controller node */ +- map = syscon_node_to_regmap(of_get_parent(dev->of_node)); ++ parent_np = of_get_parent(dev->of_node); ++ map = syscon_node_to_regmap(parent_np); ++ of_node_put(parent_np); + if (IS_ERR(map)) { + dev_err(dev, + "failed to get HHI regmap\n"); +-- +2.35.1 + diff --git a/queue-6.0/phy-phy-mtk-tphy-fix-the-phy-type-setting-issue.patch b/queue-6.0/phy-phy-mtk-tphy-fix-the-phy-type-setting-issue.patch new file mode 100644 index 00000000000..562fa58599a --- /dev/null +++ b/queue-6.0/phy-phy-mtk-tphy-fix-the-phy-type-setting-issue.patch @@ -0,0 +1,50 @@ +From 2eb1445d1ff0487c819d0008f90213095e0e048c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 14:07:46 +0800 +Subject: phy: phy-mtk-tphy: fix the phy type setting issue + +From: Chunfeng Yun + +[ Upstream commit 931c05a8cb1be029ef2fbc1e4af313d4cb297c47 ] + +The PHY type is not set if the index is non zero, prepare type +value according to the index, like as mask value. + +Fixes: 39099a443358 ("phy: phy-mtk-tphy: support type switch by pericfg") +Signed-off-by: Chunfeng Yun +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20220914060746.10004-7-chunfeng.yun@mediatek.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/mediatek/phy-mtk-tphy.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/phy/mediatek/phy-mtk-tphy.c b/drivers/phy/mediatek/phy-mtk-tphy.c +index 8ee7682b8e93..bdffc21858f6 100644 +--- a/drivers/phy/mediatek/phy-mtk-tphy.c ++++ b/drivers/phy/mediatek/phy-mtk-tphy.c +@@ -906,7 +906,7 @@ static int phy_type_syscon_get(struct mtk_phy_instance *instance, + static int phy_type_set(struct mtk_phy_instance *instance) + { + int type; +- u32 mask; ++ u32 offset; + + if (!instance->type_sw) + return 0; +@@ -929,8 +929,9 @@ static int phy_type_set(struct mtk_phy_instance *instance) + return 0; + } + +- mask = RG_PHY_SW_TYPE << (instance->type_sw_index * BITS_PER_BYTE); +- regmap_update_bits(instance->type_sw, instance->type_sw_reg, mask, type); ++ offset = instance->type_sw_index * BITS_PER_BYTE; ++ regmap_update_bits(instance->type_sw, instance->type_sw_reg, ++ RG_PHY_SW_TYPE << offset, type << offset); + + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/phy-qcom-qmp-combo-disable-runtime-pm-on-unbind.patch b/queue-6.0/phy-qcom-qmp-combo-disable-runtime-pm-on-unbind.patch new file mode 100644 index 00000000000..3ca56977ba5 --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-combo-disable-runtime-pm-on-unbind.patch @@ -0,0 +1,53 @@ +From 37c5dd64e85cd31a946e205b267272fa07c55e47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 13:07:13 +0200 +Subject: phy: qcom-qmp-combo: disable runtime PM on unbind + +From: Johan Hovold + +[ Upstream commit 4382d518d1887e62234560ea08a0203d11d28cc1 ] + +Make sure to disable runtime PM also on driver unbind. + +Fixes: ac0d239936bd ("phy: qcom-qmp: Add support for runtime PM"). +Signed-off-by: Johan Hovold +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220907110728.19092-2-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c +index 4b1828976104..bbdca263058c 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c +@@ -2537,7 +2537,9 @@ static int qcom_qmp_phy_combo_probe(struct platform_device *pdev) + return -ENOMEM; + + pm_runtime_set_active(dev); +- pm_runtime_enable(dev); ++ ret = devm_pm_runtime_enable(dev); ++ if (ret) ++ return ret; + /* + * Prevent runtime pm from being ON by default. Users can enable + * it using power/control in sysfs. +@@ -2594,13 +2596,10 @@ static int qcom_qmp_phy_combo_probe(struct platform_device *pdev) + phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate); + if (!IS_ERR(phy_provider)) + dev_info(dev, "Registered Qcom-QMP phy\n"); +- else +- pm_runtime_disable(dev); + + return PTR_ERR_OR_ZERO(phy_provider); + + err_node_put: +- pm_runtime_disable(dev); + of_node_put(child); + return ret; + } +-- +2.35.1 + diff --git a/queue-6.0/phy-qcom-qmp-combo-fix-memleak-on-probe-deferral.patch b/queue-6.0/phy-qcom-qmp-combo-fix-memleak-on-probe-deferral.patch new file mode 100644 index 00000000000..68bd0d5be6f --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-combo-fix-memleak-on-probe-deferral.patch @@ -0,0 +1,92 @@ +From 054adeef4adf42533f3432c3503e8554592552a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 12:23:33 +0200 +Subject: phy: qcom-qmp-combo: fix memleak on probe deferral + +From: Johan Hovold + +[ Upstream commit 2de8a325b1084330ae500380cc27edc39f488c30 ] + +Switch to using the device-managed of_iomap helper to avoid leaking +memory on probe deferral and driver unbind. + +Note that this helper checks for already reserved regions and may fail +if there are multiple devices claiming the same memory. + +Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets") +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220916102340.11520-5-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 32 ++++++++++++----------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c +index bbdca263058c..f089977c85bb 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c +@@ -2350,17 +2350,17 @@ int qcom_qmp_phy_combo_create(struct device *dev, struct device_node *np, int id + * For dual lane PHYs: tx2 -> 3, rx2 -> 4, pcs_misc (optional) -> 5 + * For single lane PHYs: pcs_misc (optional) -> 3. + */ +- qphy->tx = of_iomap(np, 0); +- if (!qphy->tx) +- return -ENOMEM; ++ qphy->tx = devm_of_iomap(dev, np, 0, NULL); ++ if (IS_ERR(qphy->tx)) ++ return PTR_ERR(qphy->tx); + +- qphy->rx = of_iomap(np, 1); +- if (!qphy->rx) +- return -ENOMEM; ++ qphy->rx = devm_of_iomap(dev, np, 1, NULL); ++ if (IS_ERR(qphy->rx)) ++ return PTR_ERR(qphy->rx); + +- qphy->pcs = of_iomap(np, 2); +- if (!qphy->pcs) +- return -ENOMEM; ++ qphy->pcs = devm_of_iomap(dev, np, 2, NULL); ++ if (IS_ERR(qphy->pcs)) ++ return PTR_ERR(qphy->pcs); + + if (cfg->pcs_usb_offset) + qphy->pcs_usb = qphy->pcs + cfg->pcs_usb_offset; +@@ -2372,9 +2372,9 @@ int qcom_qmp_phy_combo_create(struct device *dev, struct device_node *np, int id + * offset from the first lane. + */ + if (cfg->is_dual_lane_phy) { +- qphy->tx2 = of_iomap(np, 3); +- qphy->rx2 = of_iomap(np, 4); +- if (!qphy->tx2 || !qphy->rx2) { ++ qphy->tx2 = devm_of_iomap(dev, np, 3, NULL); ++ qphy->rx2 = devm_of_iomap(dev, np, 4, NULL); ++ if (IS_ERR(qphy->tx2) || IS_ERR(qphy->rx2)) { + dev_warn(dev, + "Underspecified device tree, falling back to legacy register regions\n"); + +@@ -2384,15 +2384,17 @@ int qcom_qmp_phy_combo_create(struct device *dev, struct device_node *np, int id + qphy->rx2 = qphy->rx + QMP_PHY_LEGACY_LANE_STRIDE; + + } else { +- qphy->pcs_misc = of_iomap(np, 5); ++ qphy->pcs_misc = devm_of_iomap(dev, np, 5, NULL); + } + + } else { +- qphy->pcs_misc = of_iomap(np, 3); ++ qphy->pcs_misc = devm_of_iomap(dev, np, 3, NULL); + } + +- if (!qphy->pcs_misc) ++ if (IS_ERR(qphy->pcs_misc)) { + dev_vdbg(dev, "PHY pcs_misc-reg not used\n"); ++ qphy->pcs_misc = NULL; ++ } + + /* + * Get PHY's Pipe clock, if any. USB3 and PCIe are PIPE3 +-- +2.35.1 + diff --git a/queue-6.0/phy-qcom-qmp-pcie-add-pcs_misc-sanity-check.patch b/queue-6.0/phy-qcom-qmp-pcie-add-pcs_misc-sanity-check.patch new file mode 100644 index 00000000000..b26afe56e4a --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-pcie-add-pcs_misc-sanity-check.patch @@ -0,0 +1,45 @@ +From b0679c6500ea26c60063bcf4d02b8ebfa44747de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 12:23:30 +0200 +Subject: phy: qcom-qmp-pcie: add pcs_misc sanity check + +From: Johan Hovold + +[ Upstream commit ecd5507e72ea03659dc2cc3e4393fbf8f4e2e02a ] + +Make sure that the (otherwise) optional pcs_misc IO region has been +provided in case the configuration specifies a corresponding +initialisation table to avoid crashing with malformed device trees. + +Note that the related debug message is now superfluous as the region is +only used when the configuration has a pcs_misc table. + +Fixes: 421c9a0e9731 ("phy: qcom: qmp: Add SDM845 PCIe QMP PHY support") +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220916102340.11520-2-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c +index 2d65e1f56bfc..0e0f2482827a 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c +@@ -2371,8 +2371,10 @@ int qcom_qmp_phy_pcie_create(struct device *dev, struct device_node *np, int id, + of_device_is_compatible(dev->of_node, "qcom,ipq6018-qmp-pcie-phy")) + qphy->pcs_misc = qphy->pcs + 0x400; + +- if (!qphy->pcs_misc) +- dev_vdbg(dev, "PHY pcs_misc-reg not used\n"); ++ if (!qphy->pcs_misc) { ++ if (cfg->pcs_misc_tbl || cfg->pcs_misc_tbl_sec) ++ return -EINVAL; ++ } + + snprintf(prop_name, sizeof(prop_name), "pipe%d", id); + qphy->pipe_clk = devm_get_clk_from_child(dev, np, prop_name); +-- +2.35.1 + diff --git a/queue-6.0/phy-qcom-qmp-pcie-fix-memleak-on-probe-deferral.patch b/queue-6.0/phy-qcom-qmp-pcie-fix-memleak-on-probe-deferral.patch new file mode 100644 index 00000000000..0829108f087 --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-pcie-fix-memleak-on-probe-deferral.patch @@ -0,0 +1,97 @@ +From 904b84de86ab00f2be7d59265d3f042ed8c16866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 12:23:31 +0200 +Subject: phy: qcom-qmp-pcie: fix memleak on probe deferral + +From: Johan Hovold + +[ Upstream commit 4be26f695ffa458b065b7942dbff9393bf0836ea ] + +Switch to using the device-managed of_iomap helper to avoid leaking +memory on probe deferral and driver unbind. + +Note that this helper checks for already reserved regions and may fail +if there are multiple devices claiming the same memory. + +Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets") +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220916102340.11520-3-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 34 ++++++++++++------------ + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c +index 0e0f2482827a..819bcd975ba4 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c +@@ -2329,17 +2329,17 @@ int qcom_qmp_phy_pcie_create(struct device *dev, struct device_node *np, int id, + * For dual lane PHYs: tx2 -> 3, rx2 -> 4, pcs_misc (optional) -> 5 + * For single lane PHYs: pcs_misc (optional) -> 3. + */ +- qphy->tx = of_iomap(np, 0); +- if (!qphy->tx) +- return -ENOMEM; ++ qphy->tx = devm_of_iomap(dev, np, 0, NULL); ++ if (IS_ERR(qphy->tx)) ++ return PTR_ERR(qphy->tx); + +- qphy->rx = of_iomap(np, 1); +- if (!qphy->rx) +- return -ENOMEM; ++ qphy->rx = devm_of_iomap(dev, np, 1, NULL); ++ if (IS_ERR(qphy->rx)) ++ return PTR_ERR(qphy->rx); + +- qphy->pcs = of_iomap(np, 2); +- if (!qphy->pcs) +- return -ENOMEM; ++ qphy->pcs = devm_of_iomap(dev, np, 2, NULL); ++ if (IS_ERR(qphy->pcs)) ++ return PTR_ERR(qphy->pcs); + + /* + * If this is a dual-lane PHY, then there should be registers for the +@@ -2348,9 +2348,9 @@ int qcom_qmp_phy_pcie_create(struct device *dev, struct device_node *np, int id, + * offset from the first lane. + */ + if (cfg->is_dual_lane_phy) { +- qphy->tx2 = of_iomap(np, 3); +- qphy->rx2 = of_iomap(np, 4); +- if (!qphy->tx2 || !qphy->rx2) { ++ qphy->tx2 = devm_of_iomap(dev, np, 3, NULL); ++ qphy->rx2 = devm_of_iomap(dev, np, 4, NULL); ++ if (IS_ERR(qphy->tx2) || IS_ERR(qphy->rx2)) { + dev_warn(dev, + "Underspecified device tree, falling back to legacy register regions\n"); + +@@ -2360,20 +2360,20 @@ int qcom_qmp_phy_pcie_create(struct device *dev, struct device_node *np, int id, + qphy->rx2 = qphy->rx + QMP_PHY_LEGACY_LANE_STRIDE; + + } else { +- qphy->pcs_misc = of_iomap(np, 5); ++ qphy->pcs_misc = devm_of_iomap(dev, np, 5, NULL); + } + + } else { +- qphy->pcs_misc = of_iomap(np, 3); ++ qphy->pcs_misc = devm_of_iomap(dev, np, 3, NULL); + } + +- if (!qphy->pcs_misc && ++ if (IS_ERR(qphy->pcs_misc) && + of_device_is_compatible(dev->of_node, "qcom,ipq6018-qmp-pcie-phy")) + qphy->pcs_misc = qphy->pcs + 0x400; + +- if (!qphy->pcs_misc) { ++ if (IS_ERR(qphy->pcs_misc)) { + if (cfg->pcs_misc_tbl || cfg->pcs_misc_tbl_sec) +- return -EINVAL; ++ return PTR_ERR(qphy->pcs_misc); + } + + snprintf(prop_name, sizeof(prop_name), "pipe%d", id); +-- +2.35.1 + diff --git a/queue-6.0/phy-qcom-qmp-pcie-fix-resource-mapping-for-sdm845-qh.patch b/queue-6.0/phy-qcom-qmp-pcie-fix-resource-mapping-for-sdm845-qh.patch new file mode 100644 index 00000000000..1b64d847b5e --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-pcie-fix-resource-mapping-for-sdm845-qh.patch @@ -0,0 +1,44 @@ +From 87a01c97154a568e1fd26c5466d20d876ff53227 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 20:25:14 +0300 +Subject: phy: qcom-qmp-pcie: fix resource mapping for SDM845 QHP PHY + +From: Dmitry Baryshkov + +[ Upstream commit 0a40891b83f257b25a2b983758f72f6813f361cb ] + +On SDM845 one of PCIe PHYs (the QHP one) has the same region for TX and +RX registers. Since the commit 4be26f695ffa ("phy: qcom-qmp-pcie: fix +memleak on probe deferral") added checking that resources are not +allocated beforehand, this PHY can not be probed anymore. Fix this by +skipping the map of ->rx resource on the QHP PHY and assign it manually. + +Fixes: 4be26f695ffa ("phy: qcom-qmp-pcie: fix memleak on probe deferral") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Johan Hovold +Link: https://lore.kernel.org/r/20220926172514.880776-1-dmitry.baryshkov@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c +index 819bcd975ba4..0baf62d80214 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie.c +@@ -2333,7 +2333,10 @@ int qcom_qmp_phy_pcie_create(struct device *dev, struct device_node *np, int id, + if (IS_ERR(qphy->tx)) + return PTR_ERR(qphy->tx); + +- qphy->rx = devm_of_iomap(dev, np, 1, NULL); ++ if (of_device_is_compatible(dev->of_node, "qcom,sdm845-qhp-pcie-phy")) ++ qphy->rx = qphy->tx; ++ else ++ qphy->rx = devm_of_iomap(dev, np, 1, NULL); + if (IS_ERR(qphy->rx)) + return PTR_ERR(qphy->rx); + +-- +2.35.1 + diff --git a/queue-6.0/phy-qcom-qmp-pcie-msm8996-fix-memleak-on-probe-defer.patch b/queue-6.0/phy-qcom-qmp-pcie-msm8996-fix-memleak-on-probe-defer.patch new file mode 100644 index 00000000000..8173c10e12f --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-pcie-msm8996-fix-memleak-on-probe-defer.patch @@ -0,0 +1,64 @@ +From a06ae0a9467f4f612888a2949003679fe7cc33e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 12:23:32 +0200 +Subject: phy: qcom-qmp-pcie-msm8996: fix memleak on probe deferral + +From: Johan Hovold + +[ Upstream commit 1f69ededf8e80c42352e7f1c165a003614de9cc2 ] + +Switch to using the device-managed of_iomap helper to avoid leaking +memory on probe deferral and driver unbind. + +Note that this helper checks for already reserved regions and may fail +if there are multiple devices claiming the same memory. + +Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets") +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220916102340.11520-4-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + .../phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c | 23 +++++++++---------- + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c b/drivers/phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c +index be6a94439b6c..14ea4ae95861 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c +@@ -875,21 +875,20 @@ int qcom_qmp_phy_pcie_msm8996_create(struct device *dev, struct device_node *np, + * For dual lane PHYs: tx2 -> 3, rx2 -> 4, pcs_misc (optional) -> 5 + * For single lane PHYs: pcs_misc (optional) -> 3. + */ +- qphy->tx = of_iomap(np, 0); +- if (!qphy->tx) +- return -ENOMEM; +- +- qphy->rx = of_iomap(np, 1); +- if (!qphy->rx) +- return -ENOMEM; ++ qphy->tx = devm_of_iomap(dev, np, 0, NULL); ++ if (IS_ERR(qphy->tx)) ++ return PTR_ERR(qphy->tx); + +- qphy->pcs = of_iomap(np, 2); +- if (!qphy->pcs) +- return -ENOMEM; ++ qphy->rx = devm_of_iomap(dev, np, 1, NULL); ++ if (IS_ERR(qphy->rx)) ++ return PTR_ERR(qphy->rx); + +- qphy->pcs_misc = of_iomap(np, 3); ++ qphy->pcs = devm_of_iomap(dev, np, 2, NULL); ++ if (IS_ERR(qphy->pcs)) ++ return PTR_ERR(qphy->pcs); + +- if (!qphy->pcs_misc) ++ qphy->pcs_misc = devm_of_iomap(dev, np, 3, NULL); ++ if (IS_ERR(qphy->pcs_misc)) + dev_vdbg(dev, "PHY pcs_misc-reg not used\n"); + + snprintf(prop_name, sizeof(prop_name), "pipe%d", id); +-- +2.35.1 + diff --git a/queue-6.0/phy-qcom-qmp-ufs-fix-memleak-on-probe-deferral.patch b/queue-6.0/phy-qcom-qmp-ufs-fix-memleak-on-probe-deferral.patch new file mode 100644 index 00000000000..f693356e169 --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-ufs-fix-memleak-on-probe-deferral.patch @@ -0,0 +1,89 @@ +From 16c0bb2a08f3574308e6a40045da6c6bc5170e1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 12:23:34 +0200 +Subject: phy: qcom-qmp-ufs: fix memleak on probe deferral + +From: Johan Hovold + +[ Upstream commit ef74a97f0df8758efe4476b4645961286aa86f0d ] + +Switch to using the device-managed of_iomap helper to avoid leaking +memory on probe deferral and driver unbind. + +Note that this helper checks for already reserved regions and may fail +if there are multiple devices claiming the same memory. + +Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets") +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220916102340.11520-6-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-ufs.c | 30 ++++++++++++------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-ufs.c b/drivers/phy/qualcomm/phy-qcom-qmp-ufs.c +index c8583f5a54bd..f586e5260856 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-ufs.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-ufs.c +@@ -1188,17 +1188,17 @@ int qcom_qmp_phy_ufs_create(struct device *dev, struct device_node *np, int id, + * For dual lane PHYs: tx2 -> 3, rx2 -> 4, pcs_misc (optional) -> 5 + * For single lane PHYs: pcs_misc (optional) -> 3. + */ +- qphy->tx = of_iomap(np, 0); +- if (!qphy->tx) +- return -ENOMEM; ++ qphy->tx = devm_of_iomap(dev, np, 0, NULL); ++ if (IS_ERR(qphy->tx)) ++ return PTR_ERR(qphy->tx); + +- qphy->rx = of_iomap(np, 1); +- if (!qphy->rx) +- return -ENOMEM; ++ qphy->rx = devm_of_iomap(dev, np, 1, NULL); ++ if (IS_ERR(qphy->rx)) ++ return PTR_ERR(qphy->rx); + +- qphy->pcs = of_iomap(np, 2); +- if (!qphy->pcs) +- return -ENOMEM; ++ qphy->pcs = devm_of_iomap(dev, np, 2, NULL); ++ if (IS_ERR(qphy->pcs)) ++ return PTR_ERR(qphy->pcs); + + /* + * If this is a dual-lane PHY, then there should be registers for the +@@ -1207,9 +1207,9 @@ int qcom_qmp_phy_ufs_create(struct device *dev, struct device_node *np, int id, + * offset from the first lane. + */ + if (cfg->is_dual_lane_phy) { +- qphy->tx2 = of_iomap(np, 3); +- qphy->rx2 = of_iomap(np, 4); +- if (!qphy->tx2 || !qphy->rx2) { ++ qphy->tx2 = devm_of_iomap(dev, np, 3, NULL); ++ qphy->rx2 = devm_of_iomap(dev, np, 4, NULL); ++ if (IS_ERR(qphy->tx2) || IS_ERR(qphy->rx2)) { + dev_warn(dev, + "Underspecified device tree, falling back to legacy register regions\n"); + +@@ -1219,14 +1219,14 @@ int qcom_qmp_phy_ufs_create(struct device *dev, struct device_node *np, int id, + qphy->rx2 = qphy->rx + QMP_PHY_LEGACY_LANE_STRIDE; + + } else { +- qphy->pcs_misc = of_iomap(np, 5); ++ qphy->pcs_misc = devm_of_iomap(dev, np, 5, NULL); + } + + } else { +- qphy->pcs_misc = of_iomap(np, 3); ++ qphy->pcs_misc = devm_of_iomap(dev, np, 3, NULL); + } + +- if (!qphy->pcs_misc) ++ if (IS_ERR(qphy->pcs_misc)) + dev_vdbg(dev, "PHY pcs_misc-reg not used\n"); + + generic_phy = devm_phy_create(dev, np, &qcom_qmp_ufs_ops); +-- +2.35.1 + diff --git a/queue-6.0/phy-qcom-qmp-usb-disable-runtime-pm-on-unbind.patch b/queue-6.0/phy-qcom-qmp-usb-disable-runtime-pm-on-unbind.patch new file mode 100644 index 00000000000..e184a38ceba --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-usb-disable-runtime-pm-on-unbind.patch @@ -0,0 +1,53 @@ +From fa1b8e750de7697ed9d025ef5f6ba4ec827c10a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 13:07:21 +0200 +Subject: phy: qcom-qmp-usb: disable runtime PM on unbind + +From: Johan Hovold + +[ Upstream commit e57655e66806750785f9121c98a962404d02395b ] + +Make sure to disable runtime PM also on driver unbind. + +Fixes: ac0d239936bd ("phy: qcom-qmp: Add support for runtime PM"). +Signed-off-by: Johan Hovold +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220907110728.19092-10-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c +index 1d270356a97f..1eb4ec576361 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c +@@ -2704,7 +2704,9 @@ static int qcom_qmp_phy_usb_probe(struct platform_device *pdev) + return -ENOMEM; + + pm_runtime_set_active(dev); +- pm_runtime_enable(dev); ++ ret = devm_pm_runtime_enable(dev); ++ if (ret) ++ return ret; + /* + * Prevent runtime pm from being ON by default. Users can enable + * it using power/control in sysfs. +@@ -2738,13 +2740,10 @@ static int qcom_qmp_phy_usb_probe(struct platform_device *pdev) + phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate); + if (!IS_ERR(phy_provider)) + dev_info(dev, "Registered Qcom-QMP phy\n"); +- else +- pm_runtime_disable(dev); + + return PTR_ERR_OR_ZERO(phy_provider); + + err_node_put: +- pm_runtime_disable(dev); + of_node_put(child); + return ret; + } +-- +2.35.1 + diff --git a/queue-6.0/phy-qcom-qmp-usb-drop-pipe-clock-lane-suffix.patch b/queue-6.0/phy-qcom-qmp-usb-drop-pipe-clock-lane-suffix.patch new file mode 100644 index 00000000000..3e6bd829126 --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-usb-drop-pipe-clock-lane-suffix.patch @@ -0,0 +1,51 @@ +From 73c530a52343ed1ac0209422c6b049e611f78561 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 13:29:23 +0200 +Subject: phy: qcom-qmp-usb: drop pipe clock lane suffix + +From: Johan Hovold + +[ Upstream commit c8c5d5e89ac52a462f48264863a7a32f0c76fa1d ] + +The pipe clock is defined in the "lane" node so there's no need to keep +adding a redundant lane-number suffix to the clock name. + +Update driver to support the new binding where the pipe clock name has +been deprecated by instead requesting the clock by index. + +Reviewed-by: Krzysztof Kozlowski +Reviewed-by: Dmitry Baryshkov +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220830112923.3725-31-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Stable-dep-of: a5d6b1ac56cb ("phy: qcom-qmp-usb: fix memleak on probe deferral") +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c +index 1eb4ec576361..9f2b6f33c2db 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c +@@ -2496,7 +2496,6 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id, + struct qcom_qmp *qmp = dev_get_drvdata(dev); + struct phy *generic_phy; + struct qmp_phy *qphy; +- char prop_name[MAX_PROP_NAME]; + int ret; + + qphy = devm_kzalloc(dev, sizeof(*qphy), GFP_KERNEL); +@@ -2555,8 +2554,7 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id, + if (!qphy->pcs_misc) + dev_vdbg(dev, "PHY pcs_misc-reg not used\n"); + +- snprintf(prop_name, sizeof(prop_name), "pipe%d", id); +- qphy->pipe_clk = devm_get_clk_from_child(dev, np, prop_name); ++ qphy->pipe_clk = devm_get_clk_from_child(dev, np, NULL); + if (IS_ERR(qphy->pipe_clk)) { + return dev_err_probe(dev, PTR_ERR(qphy->pipe_clk), + "failed to get lane%d pipe clock\n", id); +-- +2.35.1 + diff --git a/queue-6.0/phy-qcom-qmp-usb-fix-memleak-on-probe-deferral.patch b/queue-6.0/phy-qcom-qmp-usb-fix-memleak-on-probe-deferral.patch new file mode 100644 index 00000000000..b1a59580386 --- /dev/null +++ b/queue-6.0/phy-qcom-qmp-usb-fix-memleak-on-probe-deferral.patch @@ -0,0 +1,136 @@ +From e1c35c2f2b63651158f5c4744cf3b5cc3a1a2843 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 12:23:35 +0200 +Subject: phy: qcom-qmp-usb: fix memleak on probe deferral + +From: Johan Hovold + +[ Upstream commit a5d6b1ac56cbd6b5850a3a54e35f1cb71e8e8cdd ] + +Switch to using the device-managed of_iomap helper to avoid leaking +memory on probe deferral and driver unbind. + +Note that this helper checks for already reserved regions and may fail +if there are multiple devices claiming the same memory. + +Two bindings currently rely on overlapping mappings for the PCS region +so fallback to non-exclusive mappings for those for now. + +Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets") +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220916102340.11520-7-johan+linaro@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 57 ++++++++++++++++++------- + 1 file changed, 42 insertions(+), 15 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c +index 9f2b6f33c2db..d14481a501d6 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c +@@ -2489,6 +2489,21 @@ static const struct phy_ops qcom_qmp_phy_usb_ops = { + .owner = THIS_MODULE, + }; + ++static void __iomem *qmp_usb_iomap(struct device *dev, struct device_node *np, ++ int index, bool exclusive) ++{ ++ struct resource res; ++ ++ if (!exclusive) { ++ if (of_address_to_resource(np, index, &res)) ++ return IOMEM_ERR_PTR(-EINVAL); ++ ++ return devm_ioremap(dev, res.start, resource_size(&res)); ++ } ++ ++ return devm_of_iomap(dev, np, index, NULL); ++} ++ + static + int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id, + void __iomem *serdes, const struct qmp_phy_cfg *cfg) +@@ -2496,8 +2511,18 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id, + struct qcom_qmp *qmp = dev_get_drvdata(dev); + struct phy *generic_phy; + struct qmp_phy *qphy; ++ bool exclusive = true; + int ret; + ++ /* ++ * FIXME: These bindings should be fixed to not rely on overlapping ++ * mappings for PCS. ++ */ ++ if (of_device_is_compatible(dev->of_node, "qcom,sdx65-qmp-usb3-uni-phy")) ++ exclusive = false; ++ if (of_device_is_compatible(dev->of_node, "qcom,sm8350-qmp-usb3-uni-phy")) ++ exclusive = false; ++ + qphy = devm_kzalloc(dev, sizeof(*qphy), GFP_KERNEL); + if (!qphy) + return -ENOMEM; +@@ -2510,17 +2535,17 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id, + * For dual lane PHYs: tx2 -> 3, rx2 -> 4, pcs_misc (optional) -> 5 + * For single lane PHYs: pcs_misc (optional) -> 3. + */ +- qphy->tx = of_iomap(np, 0); +- if (!qphy->tx) +- return -ENOMEM; ++ qphy->tx = devm_of_iomap(dev, np, 0, NULL); ++ if (IS_ERR(qphy->tx)) ++ return PTR_ERR(qphy->tx); + +- qphy->rx = of_iomap(np, 1); +- if (!qphy->rx) +- return -ENOMEM; ++ qphy->rx = devm_of_iomap(dev, np, 1, NULL); ++ if (IS_ERR(qphy->rx)) ++ return PTR_ERR(qphy->rx); + +- qphy->pcs = of_iomap(np, 2); +- if (!qphy->pcs) +- return -ENOMEM; ++ qphy->pcs = qmp_usb_iomap(dev, np, 2, exclusive); ++ if (IS_ERR(qphy->pcs)) ++ return PTR_ERR(qphy->pcs); + + if (cfg->pcs_usb_offset) + qphy->pcs_usb = qphy->pcs + cfg->pcs_usb_offset; +@@ -2532,9 +2557,9 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id, + * offset from the first lane. + */ + if (cfg->is_dual_lane_phy) { +- qphy->tx2 = of_iomap(np, 3); +- qphy->rx2 = of_iomap(np, 4); +- if (!qphy->tx2 || !qphy->rx2) { ++ qphy->tx2 = devm_of_iomap(dev, np, 3, NULL); ++ qphy->rx2 = devm_of_iomap(dev, np, 4, NULL); ++ if (IS_ERR(qphy->tx2) || IS_ERR(qphy->rx2)) { + dev_warn(dev, + "Underspecified device tree, falling back to legacy register regions\n"); + +@@ -2544,15 +2569,17 @@ int qcom_qmp_phy_usb_create(struct device *dev, struct device_node *np, int id, + qphy->rx2 = qphy->rx + QMP_PHY_LEGACY_LANE_STRIDE; + + } else { +- qphy->pcs_misc = of_iomap(np, 5); ++ qphy->pcs_misc = devm_of_iomap(dev, np, 5, NULL); + } + + } else { +- qphy->pcs_misc = of_iomap(np, 3); ++ qphy->pcs_misc = devm_of_iomap(dev, np, 3, NULL); + } + +- if (!qphy->pcs_misc) ++ if (IS_ERR(qphy->pcs_misc)) { + dev_vdbg(dev, "PHY pcs_misc-reg not used\n"); ++ qphy->pcs_misc = NULL; ++ } + + qphy->pipe_clk = devm_get_clk_from_child(dev, np, NULL); + if (IS_ERR(qphy->pipe_clk)) { +-- +2.35.1 + diff --git a/queue-6.0/phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch b/queue-6.0/phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch new file mode 100644 index 00000000000..ddd99319003 --- /dev/null +++ b/queue-6.0/phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch @@ -0,0 +1,53 @@ +From 3470bc3303710592e5428c3c5f2945b592a1fb45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 13:13:33 +0800 +Subject: phy: qualcomm: call clk_disable_unprepare in the error handling + +From: Dongliang Mu + +[ Upstream commit c3966ced8eb8dc53b6c8d7f97d32cc8a2107d83e ] + +Smatch reports the following error: + +drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on() +warn: 'uphy->cal_clk' from clk_prepare_enable() not released on lines: +58. +drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on() +warn: 'uphy->cal_sleep_clk' from clk_prepare_enable() not released on +lines: 58. +drivers/phy/qualcomm/phy-qcom-usb-hsic.c:82 qcom_usb_hsic_phy_power_on() +warn: 'uphy->phy_clk' from clk_prepare_enable() not released on lines: +58. + +Fix this by calling proper clk_disable_unprepare calls. + +Fixes: 0b56e9a7e835 ("phy: Group vendor specific phy drivers") +Signed-off-by: Dongliang Mu +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20220914051334.69282-1-dzm91@hust.edu.cn +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-usb-hsic.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-usb-hsic.c b/drivers/phy/qualcomm/phy-qcom-usb-hsic.c +index 716a77748ed8..20f6dd37c7c1 100644 +--- a/drivers/phy/qualcomm/phy-qcom-usb-hsic.c ++++ b/drivers/phy/qualcomm/phy-qcom-usb-hsic.c +@@ -54,8 +54,10 @@ static int qcom_usb_hsic_phy_power_on(struct phy *phy) + + /* Configure pins for HSIC functionality */ + pins_default = pinctrl_lookup_state(uphy->pctl, PINCTRL_STATE_DEFAULT); +- if (IS_ERR(pins_default)) +- return PTR_ERR(pins_default); ++ if (IS_ERR(pins_default)) { ++ ret = PTR_ERR(pins_default); ++ goto err_ulpi; ++ } + + ret = pinctrl_select_state(uphy->pctl, pins_default); + if (ret) +-- +2.35.1 + diff --git a/queue-6.0/phy-rockchip-inno-usb2-return-zero-after-otg-sync.patch b/queue-6.0/phy-rockchip-inno-usb2-return-zero-after-otg-sync.patch new file mode 100644 index 00000000000..e9e617df05d --- /dev/null +++ b/queue-6.0/phy-rockchip-inno-usb2-return-zero-after-otg-sync.patch @@ -0,0 +1,64 @@ +From 3330886c2775c9fe43a41bd793b4775bc5f4af81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 14:45:42 -0400 +Subject: phy: rockchip-inno-usb2: Return zero after otg sync + +From: Peter Geis + +[ Upstream commit f340ed8664a55a467850ec1689996e63d9ee971a ] + +The otg sync state patch reuses the ret variable, but fails to set it to +zero after use. This leads to a situation when the otg port is in +peripheral mode where the otg phy aborts halfway through setup. It also +fails to account for a failure to register the extcon notifier. Fix this +by using our own variable and skipping otg sync in case of failure. + +Fixes: 8dc60f8da22f ("phy: rockchip-inno-usb2: Sync initial otg state") +Reported-by: Markus Reichl +Reported-by: Michael Riesch +Signed-off-by: Peter Geis +Tested-by: Michael Riesch +Tested-by: Markus Reichl +Reviewed-by: Samuel Holland +Link: https://lore.kernel.org/r/20220902184543.1234835-1-pgwipeout@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +index 0b1e9337ee8e..e6ededc51523 100644 +--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +@@ -1124,7 +1124,7 @@ static int rockchip_usb2phy_otg_port_init(struct rockchip_usb2phy *rphy, + struct rockchip_usb2phy_port *rport, + struct device_node *child_np) + { +- int ret; ++ int ret, id; + + rport->port_id = USB2PHY_PORT_OTG; + rport->port_cfg = &rphy->phy_cfg->port_cfgs[USB2PHY_PORT_OTG]; +@@ -1162,13 +1162,15 @@ static int rockchip_usb2phy_otg_port_init(struct rockchip_usb2phy *rphy, + + ret = devm_extcon_register_notifier(rphy->dev, rphy->edev, + EXTCON_USB_HOST, &rport->event_nb); +- if (ret) ++ if (ret) { + dev_err(rphy->dev, "register USB HOST notifier failed\n"); ++ goto out; ++ } + + if (!of_property_read_bool(rphy->dev->of_node, "extcon")) { + /* do initial sync of usb state */ +- ret = property_enabled(rphy->grf, &rport->port_cfg->utmi_id); +- extcon_set_state_sync(rphy->edev, EXTCON_USB_HOST, !ret); ++ id = property_enabled(rphy->grf, &rport->port_cfg->utmi_id); ++ extcon_set_state_sync(rphy->edev, EXTCON_USB_HOST, !id); + } + } + +-- +2.35.1 + diff --git a/queue-6.0/platform-chrome-cros_ec-notify-the-pm-of-wake-events.patch b/queue-6.0/platform-chrome-cros_ec-notify-the-pm-of-wake-events.patch new file mode 100644 index 00000000000..89147f52e31 --- /dev/null +++ b/queue-6.0/platform-chrome-cros_ec-notify-the-pm-of-wake-events.patch @@ -0,0 +1,55 @@ +From f3a3e583aed892490e99a724415bf34765986e3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 20:49:54 +0000 +Subject: platform/chrome: cros_ec: Notify the PM of wake events during resume + +From: Jameson Thies + +[ Upstream commit 8edd2752b0aa498b3a61f3caee8f79f7e0567fad ] + +cros_ec_handle_event in the cros_ec driver can notify the PM of wake +events. When a device is suspended, cros_ec_handle_event will not check +MKBP events. Instead, received MKBP events are checked during resume by +cros_ec_report_events_during_suspend. But +cros_ec_report_events_during_suspend cannot notify the PM if received +events are wake events, causing wake events to not be reported if +received while the device is suspended. + +Update cros_ec_report_events_during_suspend to notify the PM of wake +events during resume by calling pm_wakeup_event. + +Signed-off-by: Jameson Thies +Reviewed-by: Prashant Malani +Reviewed-by: Benson Leung +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20220913204954.2931042-1-jthies@google.com +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/chrome/cros_ec.c b/drivers/platform/chrome/cros_ec.c +index 8aace50d446d..110df0fd4b00 100644 +--- a/drivers/platform/chrome/cros_ec.c ++++ b/drivers/platform/chrome/cros_ec.c +@@ -349,10 +349,16 @@ EXPORT_SYMBOL(cros_ec_suspend); + + static void cros_ec_report_events_during_suspend(struct cros_ec_device *ec_dev) + { ++ bool wake_event; ++ + while (ec_dev->mkbp_event_supported && +- cros_ec_get_next_event(ec_dev, NULL, NULL) > 0) ++ cros_ec_get_next_event(ec_dev, &wake_event, NULL) > 0) { + blocking_notifier_call_chain(&ec_dev->event_notifier, + 1, ec_dev); ++ ++ if (wake_event && device_may_wakeup(ec_dev->dev)) ++ pm_wakeup_event(ec_dev->dev, 0); ++ } + } + + /** +-- +2.35.1 + diff --git a/queue-6.0/platform-chrome-cros_ec_typec-add-bit-offset-for-dp-.patch b/queue-6.0/platform-chrome-cros_ec_typec-add-bit-offset-for-dp-.patch new file mode 100644 index 00000000000..d5fbfe79d5e --- /dev/null +++ b/queue-6.0/platform-chrome-cros_ec_typec-add-bit-offset-for-dp-.patch @@ -0,0 +1,39 @@ +From 057befb2d9d9ecc9e296193e4a03a0f399bfc1c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 19:08:02 +0000 +Subject: platform/chrome: cros_ec_typec: Add bit offset for DP VDO + +From: Prashant Malani + +[ Upstream commit 1903adae0464c1e1c36b132db474cb3aff7bc727 ] + +Use the right macro while constructing the DP_PORT_VDO to ensure the Pin +Assignment offsets are correct. + +Fixes: 1ff5d97f070c ("platform/chrome: cros_ec_typec: Register port altmodes") +Signed-off-by: Prashant Malani +Acked-by: Heikki Krogerus +Reviewed-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20220819190807.1275937-2-pmalani@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_typec.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c +index de6ee0f926a6..4d81d8d45b73 100644 +--- a/drivers/platform/chrome/cros_ec_typec.c ++++ b/drivers/platform/chrome/cros_ec_typec.c +@@ -25,7 +25,8 @@ + + #define DRV_NAME "cros-ec-typec" + +-#define DP_PORT_VDO (BIT(DP_PIN_ASSIGN_C) | BIT(DP_PIN_ASSIGN_D) | DP_CAP_DFP_D) ++#define DP_PORT_VDO (DP_CONF_SET_PIN_ASSIGN(BIT(DP_PIN_ASSIGN_C) | BIT(DP_PIN_ASSIGN_D)) | \ ++ DP_CAP_DFP_D) + + /* Supported alt modes. */ + enum { +-- +2.35.1 + diff --git a/queue-6.0/platform-chrome-cros_ec_typec-correct-alt-mode-index.patch b/queue-6.0/platform-chrome-cros_ec_typec-correct-alt-mode-index.patch new file mode 100644 index 00000000000..5bda8c831d4 --- /dev/null +++ b/queue-6.0/platform-chrome-cros_ec_typec-correct-alt-mode-index.patch @@ -0,0 +1,40 @@ +From 1e4b6da45af5c301f1465f360a4a00b9f1647b72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 19:08:03 +0000 +Subject: platform/chrome: cros_ec_typec: Correct alt mode index + +From: Prashant Malani + +[ Upstream commit 4e477663e396f48c5cfc5f2d75d4b514f409516a ] + +Alt mode indices used by USB PD (Power Delivery) start with 1, not 0. + +Update the alt mdoe registration code to factor this in to the alt mode +descriptor. + +Fixes: de0f49487db3 ("platform/chrome: cros_ec_typec: Register partner altmodes") +Signed-off-by: Prashant Malani +Acked-by: Heikki Krogerus +Reviewed-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20220819190807.1275937-3-pmalani@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_typec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/chrome/cros_ec_typec.c b/drivers/platform/chrome/cros_ec_typec.c +index 4d81d8d45b73..dc5722db2066 100644 +--- a/drivers/platform/chrome/cros_ec_typec.c ++++ b/drivers/platform/chrome/cros_ec_typec.c +@@ -698,7 +698,7 @@ static int cros_typec_register_altmodes(struct cros_typec_data *typec, int port_ + for (j = 0; j < sop_disc->svids[i].mode_count; j++) { + memset(&desc, 0, sizeof(desc)); + desc.svid = sop_disc->svids[i].svid; +- desc.mode = j; ++ desc.mode = j + 1; + desc.vdo = sop_disc->svids[i].mode_vdo[j]; + + if (is_partner) +-- +2.35.1 + diff --git a/queue-6.0/platform-chrome-fix-double-free-in-chromeos_laptop_p.patch b/queue-6.0/platform-chrome-fix-double-free-in-chromeos_laptop_p.patch new file mode 100644 index 00000000000..46a913bd9b4 --- /dev/null +++ b/queue-6.0/platform-chrome-fix-double-free-in-chromeos_laptop_p.patch @@ -0,0 +1,88 @@ +From 6f715e58a37f994f72170c631b65b0c01551c792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Aug 2022 01:08:43 +0300 +Subject: platform/chrome: fix double-free in chromeos_laptop_prepare() + +From: Rustam Subkhankulov + +[ Upstream commit 6ad4194d6a1e1d11b285989cd648ef695b4a93c0 ] + +If chromeos_laptop_prepare_i2c_peripherals() fails after allocating memory +for 'cros_laptop->i2c_peripherals', this memory is freed at 'err_out' label +and nonzero value is returned. Then chromeos_laptop_destroy() is called, +resulting in double-free error. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Signed-off-by: Rustam Subkhankulov +Fixes: 5020cd29d8bf ("platform/chrome: chromeos_laptop - supply properties for ACPI devices") +Reviewed-by: Dmitry Torokhov +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20220813220843.2373004-1-subkhankulov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/chromeos_laptop.c | 24 ++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/platform/chrome/chromeos_laptop.c b/drivers/platform/chrome/chromeos_laptop.c +index 4e14b4d6635d..a2cdbfbaeae6 100644 +--- a/drivers/platform/chrome/chromeos_laptop.c ++++ b/drivers/platform/chrome/chromeos_laptop.c +@@ -740,6 +740,7 @@ static int __init + chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop, + const struct chromeos_laptop *src) + { ++ struct i2c_peripheral *i2c_peripherals; + struct i2c_peripheral *i2c_dev; + struct i2c_board_info *info; + int i; +@@ -748,17 +749,15 @@ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop, + if (!src->num_i2c_peripherals) + return 0; + +- cros_laptop->i2c_peripherals = kmemdup(src->i2c_peripherals, +- src->num_i2c_peripherals * +- sizeof(*src->i2c_peripherals), +- GFP_KERNEL); +- if (!cros_laptop->i2c_peripherals) ++ i2c_peripherals = kmemdup(src->i2c_peripherals, ++ src->num_i2c_peripherals * ++ sizeof(*src->i2c_peripherals), ++ GFP_KERNEL); ++ if (!i2c_peripherals) + return -ENOMEM; + +- cros_laptop->num_i2c_peripherals = src->num_i2c_peripherals; +- +- for (i = 0; i < cros_laptop->num_i2c_peripherals; i++) { +- i2c_dev = &cros_laptop->i2c_peripherals[i]; ++ for (i = 0; i < src->num_i2c_peripherals; i++) { ++ i2c_dev = &i2c_peripherals[i]; + info = &i2c_dev->board_info; + + error = chromeos_laptop_setup_irq(i2c_dev); +@@ -775,16 +774,19 @@ chromeos_laptop_prepare_i2c_peripherals(struct chromeos_laptop *cros_laptop, + } + } + ++ cros_laptop->i2c_peripherals = i2c_peripherals; ++ cros_laptop->num_i2c_peripherals = src->num_i2c_peripherals; ++ + return 0; + + err_out: + while (--i >= 0) { +- i2c_dev = &cros_laptop->i2c_peripherals[i]; ++ i2c_dev = &i2c_peripherals[i]; + info = &i2c_dev->board_info; + if (!IS_ERR_OR_NULL(info->fwnode)) + fwnode_remove_software_node(info->fwnode); + } +- kfree(cros_laptop->i2c_peripherals); ++ kfree(i2c_peripherals); + return error; + } + +-- +2.35.1 + diff --git a/queue-6.0/platform-chrome-fix-memory-corruption-in-ioctl.patch b/queue-6.0/platform-chrome-fix-memory-corruption-in-ioctl.patch new file mode 100644 index 00000000000..5ed22b4e44c --- /dev/null +++ b/queue-6.0/platform-chrome-fix-memory-corruption-in-ioctl.patch @@ -0,0 +1,39 @@ +From 30f64c441b7fdc11671b0c20a3ff899cc35f5ba7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 08:20:36 +0300 +Subject: platform/chrome: fix memory corruption in ioctl + +From: Dan Carpenter + +[ Upstream commit 8a07b45fd3c2dda24fad43639be5335a4595196a ] + +If "s_mem.bytes" is larger than the buffer size it leads to memory +corruption. + +Fixes: eda2e30c6684 ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC") +Signed-off-by: Dan Carpenter +Reviewed-by: Guenter Roeck +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/Yv8dpCFZJdbUT5ye@kili +Signed-off-by: Sasha Levin +--- + drivers/platform/chrome/cros_ec_chardev.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/chrome/cros_ec_chardev.c b/drivers/platform/chrome/cros_ec_chardev.c +index fd33de546aee..0de7c255254e 100644 +--- a/drivers/platform/chrome/cros_ec_chardev.c ++++ b/drivers/platform/chrome/cros_ec_chardev.c +@@ -327,6 +327,9 @@ static long cros_ec_chardev_ioctl_readmem(struct cros_ec_dev *ec, + if (copy_from_user(&s_mem, arg, sizeof(s_mem))) + return -EFAULT; + ++ if (s_mem.bytes > sizeof(s_mem.buffer)) ++ return -EINVAL; ++ + num = ec_dev->cmd_readmem(ec_dev, s_mem.offset, s_mem.bytes, + s_mem.buffer); + if (num <= 0) +-- +2.35.1 + diff --git a/queue-6.0/platform-x86-hp-wmi-setting-thermal-profile-fails-wi.patch b/queue-6.0/platform-x86-hp-wmi-setting-thermal-profile-fails-wi.patch new file mode 100644 index 00000000000..cc667aeac14 --- /dev/null +++ b/queue-6.0/platform-x86-hp-wmi-setting-thermal-profile-fails-wi.patch @@ -0,0 +1,77 @@ +From f27d19d70c04728fe1717525173b18f20c8f762d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 14:26:03 -0500 +Subject: platform/x86: hp-wmi: Setting thermal profile fails with 0x06 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jorge Lopez + +[ Upstream commit 00b1829294b7c88ecba92c661fbe6fe347b364d2 ] + +Error 0x06 (invalid command parameter) is reported by hp-wmi module +when reading the current thermal profile and then proceed to set it +back. The failing condition occurs in Linux NixOS after user +configures the thermal profile to ‘quiet mode’ in Windows. Quiet Fan +Mode is supported in Windows but was not supported in hp-wmi module. + +This fix adds support for PLATFORM_PROFILE_QUIET in hp-wmi module for +HP notebooks other than HP Omen series. Quiet thermal profile is not +supported in HP Omen series notebooks. + +Signed-off-by: Jorge Lopez +Link: https://lore.kernel.org/r/20220912192603.4001-1-jorge.lopez2@hp.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/hp-wmi.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c +index bc7020e9df9e..fc8dbbd6fc7c 100644 +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -177,7 +177,8 @@ enum hp_thermal_profile_omen_v1 { + enum hp_thermal_profile { + HP_THERMAL_PROFILE_PERFORMANCE = 0x00, + HP_THERMAL_PROFILE_DEFAULT = 0x01, +- HP_THERMAL_PROFILE_COOL = 0x02 ++ HP_THERMAL_PROFILE_COOL = 0x02, ++ HP_THERMAL_PROFILE_QUIET = 0x03, + }; + + #define IS_HWBLOCKED(x) ((x & HPWMI_POWER_FW_OR_HW) != HPWMI_POWER_FW_OR_HW) +@@ -1194,6 +1195,9 @@ static int hp_wmi_platform_profile_get(struct platform_profile_handler *pprof, + case HP_THERMAL_PROFILE_COOL: + *profile = PLATFORM_PROFILE_COOL; + break; ++ case HP_THERMAL_PROFILE_QUIET: ++ *profile = PLATFORM_PROFILE_QUIET; ++ break; + default: + return -EINVAL; + } +@@ -1216,6 +1220,9 @@ static int hp_wmi_platform_profile_set(struct platform_profile_handler *pprof, + case PLATFORM_PROFILE_COOL: + tp = HP_THERMAL_PROFILE_COOL; + break; ++ case PLATFORM_PROFILE_QUIET: ++ tp = HP_THERMAL_PROFILE_QUIET; ++ break; + default: + return -EOPNOTSUPP; + } +@@ -1263,6 +1270,8 @@ static int thermal_profile_setup(void) + + platform_profile_handler.profile_get = hp_wmi_platform_profile_get; + platform_profile_handler.profile_set = hp_wmi_platform_profile_set; ++ ++ set_bit(PLATFORM_PROFILE_QUIET, platform_profile_handler.choices); + } + + set_bit(PLATFORM_PROFILE_COOL, platform_profile_handler.choices); +-- +2.35.1 + diff --git a/queue-6.0/platform-x86-msi-laptop-change-dmi-match-alias-strin.patch b/queue-6.0/platform-x86-msi-laptop-change-dmi-match-alias-strin.patch new file mode 100644 index 00000000000..52bc1ec9bdc --- /dev/null +++ b/queue-6.0/platform-x86-msi-laptop-change-dmi-match-alias-strin.patch @@ -0,0 +1,58 @@ +From 7132bb9907c654084b1f32be3bf834b8ae071374 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 23:04:07 +0200 +Subject: platform/x86: msi-laptop: Change DMI match / alias strings to fix + module autoloading + +From: Hans de Goede + +[ Upstream commit 2a2565272a3628e45d61625e36ef17af7af4e3de ] + +On a MSI S270 with Fedora 37 x86_64 / systemd-251.4 the module does not +properly autoload. + +This is likely caused by issues with how systemd-udevd handles the single +quote char (') which is part of the sys_vendor / chassis_vendor strings +on this laptop. As a workaround remove the single quote char + everything +behind it from the sys_vendor + chassis_vendor matches. This fixes +the module not autoloading. + +Link: https://github.com/systemd/systemd/issues/24715 +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220917210407.647432-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index 3e935303b143..0e804b6c2d24 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -596,11 +596,10 @@ static const struct dmi_system_id msi_dmi_table[] __initconst = { + { + .ident = "MSI S270", + .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT'L CO.,LTD"), ++ DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT"), + DMI_MATCH(DMI_PRODUCT_NAME, "MS-1013"), + DMI_MATCH(DMI_PRODUCT_VERSION, "0131"), +- DMI_MATCH(DMI_CHASSIS_VENDOR, +- "MICRO-STAR INT'L CO.,LTD") ++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT") + }, + .driver_data = &quirk_old_ec_model, + .callback = dmi_check_cb +@@ -633,8 +632,7 @@ static const struct dmi_system_id msi_dmi_table[] __initconst = { + DMI_MATCH(DMI_SYS_VENDOR, "NOTEBOOK"), + DMI_MATCH(DMI_PRODUCT_NAME, "SAM2000"), + DMI_MATCH(DMI_PRODUCT_VERSION, "0131"), +- DMI_MATCH(DMI_CHASSIS_VENDOR, +- "MICRO-STAR INT'L CO.,LTD") ++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT") + }, + .driver_data = &quirk_old_ec_model, + .callback = dmi_check_cb +-- +2.35.1 + diff --git a/queue-6.0/platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch b/queue-6.0/platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch new file mode 100644 index 00000000000..dae40335b7b --- /dev/null +++ b/queue-6.0/platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch @@ -0,0 +1,58 @@ +From ab4b36e9438cb3092d8093e0af2254224afdaae2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 16:13:34 +0200 +Subject: platform/x86: msi-laptop: Fix old-ec check for backlight registering + +From: Hans de Goede + +[ Upstream commit 83ac7a1c2ed5f17caa07cbbc84bad3c05dc3bf22 ] + +Commit 2cc6c717799f ("msi-laptop: Port to new backlight interface +selection API") replaced this check: + + if (!quirks->old_ec_model || acpi_video_backlight_support()) + pr_info("Brightness ignored, ..."); + else + do_register(); + +With: + + if (quirks->old_ec_model || + acpi_video_get_backlight_type() == acpi_backlight_vendor) + do_register(); + +But since the do_register() part was part of the else branch, the entire +condition should be inverted. So not only the 2 statements on either +side of the || should be inverted, but the || itself should be replaced +with a &&. + +In practice this has likely not been an issue because the new-ec models +(old_ec_model==false) likely all support ACPI video backlight control, +making acpi_video_get_backlight_type() return acpi_backlight_video +turning the second part of the || also false when old_ec_model == false. + +Fixes: 2cc6c717799f ("msi-laptop: Port to new backlight interface selection API") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220825141336.208597-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index 24ffc8e2d2d1..0960205ee49f 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1048,8 +1048,7 @@ static int __init msi_init(void) + return -EINVAL; + + /* Register backlight stuff */ +- +- if (quirks->old_ec_model || ++ if (quirks->old_ec_model && + acpi_video_get_backlight_type() == acpi_backlight_vendor) { + struct backlight_properties props; + memset(&props, 0, sizeof(struct backlight_properties)); +-- +2.35.1 + diff --git a/queue-6.0/platform-x86-msi-laptop-fix-resource-cleanup.patch b/queue-6.0/platform-x86-msi-laptop-fix-resource-cleanup.patch new file mode 100644 index 00000000000..8fd15671f20 --- /dev/null +++ b/queue-6.0/platform-x86-msi-laptop-fix-resource-cleanup.patch @@ -0,0 +1,45 @@ +From 989c12a00436de01f9bf52d0dd27b77007622dac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 16:13:36 +0200 +Subject: platform/x86: msi-laptop: Fix resource cleanup + +From: Hans de Goede + +[ Upstream commit 5523632aa10f906dfe2eb714ee748590dc7fc6b1 ] + +Fix the input-device not getting free-ed on probe-errors and +fix the msi_touchpad_dwork not getting cancelled on neither +probe-errors nor on remove. + +Fixes: 143a4c0284dc ("msi-laptop: send out touchpad on/off key") +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20220825141336.208597-3-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/msi-laptop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c +index 0960205ee49f..3e935303b143 100644 +--- a/drivers/platform/x86/msi-laptop.c ++++ b/drivers/platform/x86/msi-laptop.c +@@ -1116,6 +1116,8 @@ static int __init msi_init(void) + fail_create_group: + if (quirks->load_scm_model) { + i8042_remove_filter(msi_laptop_i8042_filter); ++ cancel_delayed_work_sync(&msi_touchpad_dwork); ++ input_unregister_device(msi_laptop_input_dev); + cancel_delayed_work_sync(&msi_rfkill_dwork); + cancel_work_sync(&msi_rfkill_work); + rfkill_cleanup(); +@@ -1136,6 +1138,7 @@ static void __exit msi_cleanup(void) + { + if (quirks->load_scm_model) { + i8042_remove_filter(msi_laptop_i8042_filter); ++ cancel_delayed_work_sync(&msi_touchpad_dwork); + input_unregister_device(msi_laptop_input_dev); + cancel_delayed_work_sync(&msi_rfkill_dwork); + cancel_work_sync(&msi_rfkill_work); +-- +2.35.1 + diff --git a/queue-6.0/platform-x86-pmc_atom-improve-quirk-message-to-be-le.patch b/queue-6.0/platform-x86-pmc_atom-improve-quirk-message-to-be-le.patch new file mode 100644 index 00000000000..38723e8819b --- /dev/null +++ b/queue-6.0/platform-x86-pmc_atom-improve-quirk-message-to-be-le.patch @@ -0,0 +1,37 @@ +From 9a7cf59e582ca5e1e1d7a0e7e3f1a385e75dc4e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 14:37:32 +0300 +Subject: platform/x86: pmc_atom: Improve quirk message to be less cryptic + +From: Andy Shevchenko + +[ Upstream commit 32c9b75640aeb1b144f9e2963c1640f4cef7c6f2 ] + +Not everyone can get what "critclks" means in the message, improve +it to make less cryptic. + +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220801113734.36131-2-andriy.shevchenko@linux.intel.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/pmc_atom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/pmc_atom.c b/drivers/platform/x86/pmc_atom.c +index 5c757c7f64de..f4046572a9fe 100644 +--- a/drivers/platform/x86/pmc_atom.c ++++ b/drivers/platform/x86/pmc_atom.c +@@ -354,7 +354,7 @@ static bool pmc_clk_is_critical = true; + + static int dmi_callback(const struct dmi_system_id *d) + { +- pr_info("%s critclks quirk enabled\n", d->ident); ++ pr_info("%s: PMC critical clocks quirk enabled\n", d->ident); + + return 1; + } +-- +2.35.1 + diff --git a/queue-6.0/power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch b/queue-6.0/power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch new file mode 100644 index 00000000000..92943531531 --- /dev/null +++ b/queue-6.0/power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch @@ -0,0 +1,44 @@ +From 35b63b7d8f3e3f3cee9b5bdce7473e9b1f7fe8e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 07:32:23 +0000 +Subject: power: supply: adp5061: fix out-of-bounds read in + adp5061_get_chg_type() + +From: Wei Yongjun + +[ Upstream commit 9d47e01b9d807808224347935562f7043a358054 ] + +ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length +of 8, but adp5061_chg_type array size is 4, may end up reading 4 elements +beyond the end of the adp5061_chg_type[] array. + +Signed-off-by: Wei Yongjun +Acked-by: Michael Hennerich +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/adp5061.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/power/supply/adp5061.c b/drivers/power/supply/adp5061.c +index 003557043ab3..daee1161c305 100644 +--- a/drivers/power/supply/adp5061.c ++++ b/drivers/power/supply/adp5061.c +@@ -427,11 +427,11 @@ static int adp5061_get_chg_type(struct adp5061_state *st, + if (ret < 0) + return ret; + +- chg_type = adp5061_chg_type[ADP5061_CHG_STATUS_1_CHG_STATUS(status1)]; +- if (chg_type > ADP5061_CHG_FAST_CV) ++ chg_type = ADP5061_CHG_STATUS_1_CHG_STATUS(status1); ++ if (chg_type >= ARRAY_SIZE(adp5061_chg_type)) + val->intval = POWER_SUPPLY_STATUS_UNKNOWN; + else +- val->intval = chg_type; ++ val->intval = adp5061_chg_type[chg_type]; + + return ret; + } +-- +2.35.1 + diff --git a/queue-6.0/powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch b/queue-6.0/powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch new file mode 100644 index 00000000000..c07e2f7e3c8 --- /dev/null +++ b/queue-6.0/powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch @@ -0,0 +1,45 @@ +From 0a5c2fa3a734cf21a4c8b93aca248ea1db02ba1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 14:08:26 +0800 +Subject: powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue + +From: Chao Qin + +[ Upstream commit 2d93540014387d1c73b9ccc4d7895320df66d01b ] + +When value < time_unit, the parameter of ilog2() will be zero and +the return value is -1. u64(-1) is too large for shift exponent +and then will trigger shift-out-of-bounds: + +shift exponent 18446744073709551615 is too large for 32-bit type 'int' +Call Trace: + rapl_compute_time_window_core + rapl_write_data_raw + set_time_window + store_constraint_time_window_us + +Signed-off-by: Chao Qin +Acked-by: Zhang Rui +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/powercap/intel_rapl_common.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/powercap/intel_rapl_common.c b/drivers/powercap/intel_rapl_common.c +index a2a2f4351463..33a3ca35cda0 100644 +--- a/drivers/powercap/intel_rapl_common.c ++++ b/drivers/powercap/intel_rapl_common.c +@@ -994,6 +994,9 @@ static u64 rapl_compute_time_window_core(struct rapl_package *rp, u64 value, + y = value & 0x1f; + value = (1 << y) * (4 + f) * rp->time_unit / 4; + } else { ++ if (value < rp->time_unit) ++ return 0; ++ + do_div(value, rp->time_unit); + y = ilog2(value); + f = div64_u64(4 * (value - (1 << y)), 1 << y); +-- +2.35.1 + diff --git a/queue-6.0/powerpc-64-interrupt-fix-false-warning-in-context-tr.patch b/queue-6.0/powerpc-64-interrupt-fix-false-warning-in-context-tr.patch new file mode 100644 index 00000000000..d0cdba419ab --- /dev/null +++ b/queue-6.0/powerpc-64-interrupt-fix-false-warning-in-context-tr.patch @@ -0,0 +1,40 @@ +From 33d326eb676d9a518f7981f765a8a12914a799d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 15:42:59 +1000 +Subject: powerpc/64/interrupt: Fix false warning in context tracking due to + idle state + +From: Nicholas Piggin + +[ Upstream commit 56adbb7a8b6cc7fc9b940829c38494e53c9e57d1 ] + +Commit 171476775d32 ("context_tracking: Convert state to atomic_t") +added a CONTEXT_IDLE state which can be encountered by interrupts from +kernel mode in the idle thread, causing a false positive warning. + +Fixes: 171476775d32 ("context_tracking: Convert state to atomic_t") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220926054305.2671436-2-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/interrupt.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/interrupt.h b/arch/powerpc/include/asm/interrupt.h +index 8069dbc4b8d1..b61555e30c7c 100644 +--- a/arch/powerpc/include/asm/interrupt.h ++++ b/arch/powerpc/include/asm/interrupt.h +@@ -195,7 +195,8 @@ static inline void interrupt_enter_prepare(struct pt_regs *regs) + * so avoid recursion. + */ + if (TRAP(regs) != INTERRUPT_PROGRAM) { +- CT_WARN_ON(ct_state() != CONTEXT_KERNEL); ++ CT_WARN_ON(ct_state() != CONTEXT_KERNEL && ++ ct_state() != CONTEXT_IDLE); + if (IS_ENABLED(CONFIG_PPC_IRQ_SOFT_MASK_DEBUG)) + BUG_ON(is_implicit_soft_masked(regs)); + } +-- +2.35.1 + diff --git a/queue-6.0/powerpc-64-interrupt-fix-return-to-masked-context-af.patch b/queue-6.0/powerpc-64-interrupt-fix-return-to-masked-context-af.patch new file mode 100644 index 00000000000..d794bbe8162 --- /dev/null +++ b/queue-6.0/powerpc-64-interrupt-fix-return-to-masked-context-af.patch @@ -0,0 +1,123 @@ +From efd9acb480290f3c06755909815e3ca47c79427e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 15:43:01 +1000 +Subject: powerpc/64/interrupt: Fix return to masked context after hard-mask + irq becomes pending + +From: Nicholas Piggin + +[ Upstream commit e485f6c751e0a969327336c635ca602feea117f0 ] + +If a synchronous interrupt (e.g., hash fault) is taken inside an +irqs-disabled region which has MSR[EE]=1, then an asynchronous interrupt +that is PACA_IRQ_MUST_HARD_MASK (e.g., PMI) is taken inside the +synchronous interrupt handler, then the synchronous interrupt will +return with MSR[EE]=1 and the asynchronous interrupt fires again. + +If the asynchronous interrupt is a PMI and the original context does not +have PMIs disabled (only Linux IRQs), the asynchronous interrupt will +fire despite having the PMI marked soft pending. This can confuse the +perf code and cause warnings. + +This patch changes the interrupt return so that irqs-disabled MSR[EE]=1 +contexts will be returned to with MSR[EE]=0 if a PACA_IRQ_MUST_HARD_MASK +interrupt has become pending in the meantime. + +The longer explanation for what happens: +1. local_irq_disable() +2. Hash fault interrupt fires, do_hash_fault handler runs +3. interrupt_enter_prepare() sets IRQS_ALL_DISABLED +4. interrupt_enter_prepare() sets MSR[EE]=1 +5. PMU interrupt fires, masked handler runs +6. Masked handler marks PMI pending +7. Masked handler returns with PACA_IRQ_HARD_DIS set, MSR[EE]=0 +8. do_hash_fault interrupt return handler runs +9. interrupt_exit_kernel_prepare() clears PACA_IRQ_HARD_DIS +10. interrupt returns with MSR[EE]=1 +11. PMU interrupt fires, perf handler runs + +Fixes: 4423eb5ae32e ("powerpc/64/interrupt: make normal synchronous interrupts enable MSR[EE] if possible") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220926054305.2671436-4-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/interrupt.c | 10 --------- + arch/powerpc/kernel/interrupt_64.S | 34 +++++++++++++++++++++++++++--- + 2 files changed, 31 insertions(+), 13 deletions(-) + +diff --git a/arch/powerpc/kernel/interrupt.c b/arch/powerpc/kernel/interrupt.c +index 0e75cb03244a..f9db0a172401 100644 +--- a/arch/powerpc/kernel/interrupt.c ++++ b/arch/powerpc/kernel/interrupt.c +@@ -431,16 +431,6 @@ notrace unsigned long interrupt_exit_kernel_prepare(struct pt_regs *regs) + + if (unlikely(stack_store)) + __hard_EE_RI_disable(); +- /* +- * Returning to a kernel context with local irqs disabled. +- * Here, if EE was enabled in the interrupted context, enable +- * it on return as well. A problem exists here where a soft +- * masked interrupt may have cleared MSR[EE] and set HARD_DIS +- * here, and it will still exist on return to the caller. This +- * will be resolved by the masked interrupt firing again. +- */ +- if (regs->msr & MSR_EE) +- local_paca->irq_happened &= ~PACA_IRQ_HARD_DIS; + #endif /* CONFIG_PPC64 */ + } + +diff --git a/arch/powerpc/kernel/interrupt_64.S b/arch/powerpc/kernel/interrupt_64.S +index ce25b28cf418..d76376ce7291 100644 +--- a/arch/powerpc/kernel/interrupt_64.S ++++ b/arch/powerpc/kernel/interrupt_64.S +@@ -559,15 +559,43 @@ _ASM_NOKPROBE_SYMBOL(interrupt_return_\srr\()_kernel) + ld r11,SOFTE(r1) + cmpwi r11,IRQS_ENABLED + stb r11,PACAIRQSOFTMASK(r13) +- bne 1f ++ beq .Linterrupt_return_\srr\()_soft_enabled ++ ++ /* ++ * Returning to soft-disabled context. ++ * Check if a MUST_HARD_MASK interrupt has become pending, in which ++ * case we need to disable MSR[EE] in the return context. ++ */ ++ ld r12,_MSR(r1) ++ andi. r10,r12,MSR_EE ++ beq .Lfast_kernel_interrupt_return_\srr\() // EE already disabled ++ lbz r11,PACAIRQHAPPENED(r13) ++ andi. r10,r11,PACA_IRQ_MUST_HARD_MASK ++ beq 1f // No HARD_MASK pending ++ ++ /* Must clear MSR_EE from _MSR */ ++#ifdef CONFIG_PPC_BOOK3S ++ li r10,0 ++ /* Clear valid before changing _MSR */ ++ .ifc \srr,srr ++ stb r10,PACASRR_VALID(r13) ++ .else ++ stb r10,PACAHSRR_VALID(r13) ++ .endif ++#endif ++ xori r12,r12,MSR_EE ++ std r12,_MSR(r1) ++ b .Lfast_kernel_interrupt_return_\srr\() ++ ++.Linterrupt_return_\srr\()_soft_enabled: + #ifdef CONFIG_PPC_BOOK3S + lbz r11,PACAIRQHAPPENED(r13) + andi. r11,r11,(~PACA_IRQ_HARD_DIS)@l + bne- interrupt_return_\srr\()_kernel_restart + #endif +- li r11,0 +- stb r11,PACAIRQHAPPENED(r13) # clear out possible HARD_DIS + 1: ++ li r11,0 ++ stb r11,PACAIRQHAPPENED(r13) // clear the possible HARD_DIS + + .Lfast_kernel_interrupt_return_\srr\(): + cmpdi cr1,r3,0 +-- +2.35.1 + diff --git a/queue-6.0/powerpc-64-mark-irqs-hard-disabled-in-boot-paca.patch b/queue-6.0/powerpc-64-mark-irqs-hard-disabled-in-boot-paca.patch new file mode 100644 index 00000000000..da25ac42f13 --- /dev/null +++ b/queue-6.0/powerpc-64-mark-irqs-hard-disabled-in-boot-paca.patch @@ -0,0 +1,41 @@ +From e8cce008bd595e971d1286fcd0fff23f68ac4002 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Sep 2022 15:43:00 +1000 +Subject: powerpc/64: mark irqs hard disabled in boot paca + +From: Nicholas Piggin + +[ Upstream commit 799f7063c7645f9a751d17f5dfd73b952f962cd2 ] + +This prevents interrupts in early boot (e.g., program check) from +enabling MSR[EE], potentially causing endian mismatch or other +crashes when reporting early boot traps. + +Fixes: 4423eb5ae32ec ("powerpc/64/interrupt: make normal synchronous interrupts enable MSR[EE] if possible") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220926054305.2671436-3-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/setup_64.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c +index 2b2d0b0fbb30..ce8fc6575eaa 100644 +--- a/arch/powerpc/kernel/setup_64.c ++++ b/arch/powerpc/kernel/setup_64.c +@@ -182,8 +182,10 @@ static void __init fixup_boot_paca(void) + get_paca()->cpu_start = 1; + /* Allow percpu accesses to work until we setup percpu data */ + get_paca()->data_offset = 0; +- /* Mark interrupts disabled in PACA */ ++ /* Mark interrupts soft and hard disabled in PACA */ + irq_soft_mask_set(IRQS_DISABLED); ++ get_paca()->irq_happened = PACA_IRQ_HARD_DIS; ++ WARN_ON(mfmsr() & MSR_EE); + } + + static void __init configure_exceptions(void) +-- +2.35.1 + diff --git a/queue-6.0/powerpc-64s-fix-generic_cpu-build-flags-for-ppc970-g.patch b/queue-6.0/powerpc-64s-fix-generic_cpu-build-flags-for-ppc970-g.patch new file mode 100644 index 00000000000..6e5c3967d8a --- /dev/null +++ b/queue-6.0/powerpc-64s-fix-generic_cpu-build-flags-for-ppc970-g.patch @@ -0,0 +1,41 @@ +From cba6333767a77153884e3769cf7f20e736f69f92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 11:41:02 +1000 +Subject: powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5 + +From: Nicholas Piggin + +[ Upstream commit 58ec7f06b74e0d6e76c4110afce367c8b5f0837d ] + +Big-endian GENERIC_CPU supports 970, but builds with -mcpu=power5. +POWER5 is ISA v2.02 whereas 970 is v2.01 plus Altivec. 2.02 added +the popcntb instruction which a compiler might use. + +Use -mcpu=power4. + +Fixes: 471d7ff8b51b ("powerpc/64s: Remove POWER4 support") +Signed-off-by: Nicholas Piggin +Reviewed-by: Segher Boessenkool +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220921014103.587954-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile +index 02742facf895..140a5e6471fe 100644 +--- a/arch/powerpc/Makefile ++++ b/arch/powerpc/Makefile +@@ -152,7 +152,7 @@ CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=power8 + CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power9,-mtune=power8) + else + CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=power7,$(call cc-option,-mtune=power5)) +-CFLAGS-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mcpu=power5,-mcpu=power4) ++CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=power4 + endif + else ifdef CONFIG_PPC_BOOK3E_64 + CFLAGS-$(CONFIG_GENERIC_CPU) += -mcpu=powerpc64 +-- +2.35.1 + diff --git a/queue-6.0/powerpc-configs-properly-enable-papr_scm-in-pseries_.patch b/queue-6.0/powerpc-configs-properly-enable-papr_scm-in-pseries_.patch new file mode 100644 index 00000000000..f01f5417dff --- /dev/null +++ b/queue-6.0/powerpc-configs-properly-enable-papr_scm-in-pseries_.patch @@ -0,0 +1,37 @@ +From 8ac2ac83400d09440865e3d80b377cebd1455cec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 11:42:53 +1000 +Subject: powerpc/configs: Properly enable PAPR_SCM in pseries_defconfig + +From: Michael Ellerman + +[ Upstream commit aa398d88aea4ec863bd7aea35d5035a37096dc59 ] + +My commit to add PAPR_SCM to pseries_defconfig failed to add the +required dependencies, meaning the driver doesn't get built. + +Add the required LIBNVDIMM=m. + +Fixes: d6481a7195df ("powerpc/configs: Add PAPR_SCM to pseries_defconfig") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220901014253.252927-1-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/configs/pseries_defconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/configs/pseries_defconfig b/arch/powerpc/configs/pseries_defconfig +index b571d084c148..c05e37af9f1e 100644 +--- a/arch/powerpc/configs/pseries_defconfig ++++ b/arch/powerpc/configs/pseries_defconfig +@@ -40,6 +40,7 @@ CONFIG_PPC_SPLPAR=y + CONFIG_DTL=y + CONFIG_PPC_SMLPAR=y + CONFIG_IBMEBUS=y ++CONFIG_LIBNVDIMM=m + CONFIG_PAPR_SCM=m + CONFIG_PPC_SVM=y + # CONFIG_PPC_PMAC is not set +-- +2.35.1 + diff --git a/queue-6.0/powerpc-dts-turris1x.dts-fix-labels-in-dsa-cpu-port-.patch b/queue-6.0/powerpc-dts-turris1x.dts-fix-labels-in-dsa-cpu-port-.patch new file mode 100644 index 00000000000..194bcdcb7c5 --- /dev/null +++ b/queue-6.0/powerpc-dts-turris1x.dts-fix-labels-in-dsa-cpu-port-.patch @@ -0,0 +1,49 @@ +From 28c24e156f4fe101b68a532c628284ce26fb370d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 15:15:38 +0200 +Subject: powerpc: dts: turris1x.dts: Fix labels in DSA cpu port nodes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 8bf056f57f1d16c561e43f9af37301f23990cd21 ] + +DSA cpu port node has to be marked with "cpu" label. +So fix it for both cpu port nodes. + +Fixes: 54c15ec3b738 ("powerpc: dts: Add DTS file for CZ.NIC Turris 1.x routers") +Signed-off-by: Pali Rohár +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220827131538.14577-1-pali@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/dts/turris1x.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/boot/dts/turris1x.dts b/arch/powerpc/boot/dts/turris1x.dts +index 47027b4cebb3..045af668e928 100644 +--- a/arch/powerpc/boot/dts/turris1x.dts ++++ b/arch/powerpc/boot/dts/turris1x.dts +@@ -147,7 +147,7 @@ + + port@0 { + reg = <0>; +- label = "cpu1"; ++ label = "cpu"; + ethernet = <&enet1>; + phy-mode = "rgmii-id"; + +@@ -184,7 +184,7 @@ + + port@6 { + reg = <6>; +- label = "cpu0"; ++ label = "cpu"; + ethernet = <&enet0>; + phy-mode = "rgmii-id"; + +-- +2.35.1 + diff --git a/queue-6.0/powerpc-dts-turris1x.dts-fix-nor-partitions-labels.patch b/queue-6.0/powerpc-dts-turris1x.dts-fix-nor-partitions-labels.patch new file mode 100644 index 00000000000..aae469e028e --- /dev/null +++ b/queue-6.0/powerpc-dts-turris1x.dts-fix-nor-partitions-labels.patch @@ -0,0 +1,62 @@ +From e2e4060e8c7de8c53905d2460d8b72b1d1defe23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 00:55:00 +0200 +Subject: powerpc: dts: turris1x.dts: Fix NOR partitions labels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit c9986f0aefd1ae22fe9cf794d49699643f1e268b ] + +Partition partition@20000 contains generic kernel image and it does not +have to be used only for rescue purposes. Partition partition@1c0000 +contains bootable rescue system and partition partition@340000 contains +factory image/data for restoring to NAND. So change partition labels to +better fit their purpose by removing possible misleading substring "rootfs" +from these labels. + +Fixes: 54c15ec3b738 ("powerpc: dts: Add DTS file for CZ.NIC Turris 1.x routers") +Signed-off-by: Pali Rohár +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220830225500.8856-1-pali@kernel.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/boot/dts/turris1x.dts | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/powerpc/boot/dts/turris1x.dts b/arch/powerpc/boot/dts/turris1x.dts +index 12e08271e61f..47027b4cebb3 100644 +--- a/arch/powerpc/boot/dts/turris1x.dts ++++ b/arch/powerpc/boot/dts/turris1x.dts +@@ -263,21 +263,21 @@ + }; + + partition@20000 { +- /* 1.7 MB for Rescue Linux Kernel Image */ ++ /* 1.7 MB for Linux Kernel Image */ + reg = <0x00020000 0x001a0000>; +- label = "rescue-kernel"; ++ label = "kernel"; + }; + + partition@1c0000 { + /* 1.5 MB for Rescue JFFS2 Root File System */ + reg = <0x001c0000 0x00180000>; +- label = "rescue-rootfs"; ++ label = "rescue"; + }; + + partition@340000 { +- /* 11 MB for TAR.XZ Backup with content of NAND Root File System */ ++ /* 11 MB for TAR.XZ Archive with Factory content of NAND Root File System */ + reg = <0x00340000 0x00b00000>; +- label = "backup-rootfs"; ++ label = "factory"; + }; + + partition@e40000 { +-- +2.35.1 + diff --git a/queue-6.0/powerpc-fix-fallocate-and-fadvise64_64-compat-parame.patch b/queue-6.0/powerpc-fix-fallocate-and-fadvise64_64-compat-parame.patch new file mode 100644 index 00000000000..294eea2b326 --- /dev/null +++ b/queue-6.0/powerpc-fix-fallocate-and-fadvise64_64-compat-parame.patch @@ -0,0 +1,110 @@ +From e216ab4a4d50f510836b5ef4f2740436c46e1322 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 16:55:48 +1000 +Subject: powerpc: Fix fallocate and fadvise64_64 compat parameter combination + +From: Rohan McLure + +[ Upstream commit 016ff72bd2090903715c0f9422a44afbb966f4ee ] + +As reported[1] by Arnd, the arch-specific fadvise64_64 and fallocate +compatibility handlers assume parameters are passed with 32-bit +big-endian ABI. This affects the assignment of odd-even parameter pairs +to the high or low words of a 64-bit syscall parameter. + +Fix fadvise64_64 fallocate compat handlers to correctly swap upper/lower +32 bits conditioned on endianness. + +A future patch will replace the arch-specific compat fallocate with an +asm-generic implementation. This patch is intended for ease of +back-port. + +[1]: https://lore.kernel.org/all/be29926f-226e-48dc-871a-e29a54e80583@www.fastmail.com/ + +Fixes: 57f48b4b74e7 ("powerpc/compat_sys: swap hi/lo parts of 64-bit syscall args in LE mode") +Reported-by: Arnd Bergmann +Signed-off-by: Rohan McLure +Reviewed-by: Arnd Bergmann +Reviewed-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220921065605.1051927-9-rmclure@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/syscalls.h | 12 ++++++++++++ + arch/powerpc/kernel/sys_ppc32.c | 14 +------------- + arch/powerpc/kernel/syscalls.c | 4 ++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/arch/powerpc/include/asm/syscalls.h b/arch/powerpc/include/asm/syscalls.h +index a2b13e55254f..da40219b303a 100644 +--- a/arch/powerpc/include/asm/syscalls.h ++++ b/arch/powerpc/include/asm/syscalls.h +@@ -8,6 +8,18 @@ + #include + #include + ++/* ++ * long long munging: ++ * The 32 bit ABI passes long longs in an odd even register pair. ++ * High and low parts are swapped depending on endian mode, ++ * so define a macro (similar to mips linux32) to handle that. ++ */ ++#ifdef __LITTLE_ENDIAN__ ++#define merge_64(low, high) (((u64)high << 32) | low) ++#else ++#define merge_64(high, low) (((u64)high << 32) | low) ++#endif ++ + struct rtas_args; + + asmlinkage long sys_mmap(unsigned long addr, size_t len, +diff --git a/arch/powerpc/kernel/sys_ppc32.c b/arch/powerpc/kernel/sys_ppc32.c +index 16ff0399a257..719bfc6d1e3f 100644 +--- a/arch/powerpc/kernel/sys_ppc32.c ++++ b/arch/powerpc/kernel/sys_ppc32.c +@@ -56,18 +56,6 @@ unsigned long compat_sys_mmap2(unsigned long addr, size_t len, + return sys_mmap(addr, len, prot, flags, fd, pgoff << 12); + } + +-/* +- * long long munging: +- * The 32 bit ABI passes long longs in an odd even register pair. +- * High and low parts are swapped depending on endian mode, +- * so define a macro (similar to mips linux32) to handle that. +- */ +-#ifdef __LITTLE_ENDIAN__ +-#define merge_64(low, high) ((u64)high << 32) | low +-#else +-#define merge_64(high, low) ((u64)high << 32) | low +-#endif +- + compat_ssize_t compat_sys_pread64(unsigned int fd, char __user *ubuf, compat_size_t count, + u32 reg6, u32 pos1, u32 pos2) + { +@@ -94,7 +82,7 @@ asmlinkage int compat_sys_truncate64(const char __user * path, u32 reg4, + asmlinkage long compat_sys_fallocate(int fd, int mode, u32 offset1, u32 offset2, + u32 len1, u32 len2) + { +- return ksys_fallocate(fd, mode, ((loff_t)offset1 << 32) | offset2, ++ return ksys_fallocate(fd, mode, merge_64(offset1, offset2), + merge_64(len1, len2)); + } + +diff --git a/arch/powerpc/kernel/syscalls.c b/arch/powerpc/kernel/syscalls.c +index fc999140bc27..abc3fbb3c490 100644 +--- a/arch/powerpc/kernel/syscalls.c ++++ b/arch/powerpc/kernel/syscalls.c +@@ -98,8 +98,8 @@ long ppc64_personality(unsigned long personality) + long ppc_fadvise64_64(int fd, int advice, u32 offset_high, u32 offset_low, + u32 len_high, u32 len_low) + { +- return ksys_fadvise64_64(fd, (u64)offset_high << 32 | offset_low, +- (u64)len_high << 32 | len_low, advice); ++ return ksys_fadvise64_64(fd, merge_64(offset_high, offset_low), ++ merge_64(len_high, len_low), advice); + } + + SYSCALL_DEFINE0(switch_endian) +-- +2.35.1 + diff --git a/queue-6.0/powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch b/queue-6.0/powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch new file mode 100644 index 00000000000..fd6c6ae6fe9 --- /dev/null +++ b/queue-6.0/powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch @@ -0,0 +1,150 @@ +From eebb0c3bd0d68173f82740bec46a564bcde6ac51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 23:21:02 +0200 +Subject: powerpc: Fix SPE Power ISA properties for e500v1 platforms +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 37b9345ce7f4ab17538ea62def6f6d430f091355 ] + +Commit 2eb28006431c ("powerpc/e500v2: Add Power ISA properties to comply +with ePAPR 1.1") introduced new include file e500v2_power_isa.dtsi and +should have used it for all e500v2 platforms. But apparently it was used +also for e500v1 platforms mpc8540, mpc8541, mpc8555 and mpc8560. + +e500v1 cores compared to e500v2 do not support double precision floating +point SPE instructions. Hence power-isa-sp.fd should not be set on e500v1 +platforms, which is in e500v2_power_isa.dtsi include file. + +Fix this issue by introducing a new e500v1_power_isa.dtsi include file and +use it in all e500v1 device tree files. + +Fixes: 2eb28006431c ("powerpc/e500v2: Add Power ISA properties to comply with ePAPR 1.1") +Signed-off-by: Pali Rohár +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220902212103.22534-1-pali@kernel.org +Signed-off-by: Sasha Levin +--- + .../boot/dts/fsl/e500v1_power_isa.dtsi | 51 +++++++++++++++++++ + arch/powerpc/boot/dts/fsl/mpc8540ads.dts | 2 +- + arch/powerpc/boot/dts/fsl/mpc8541cds.dts | 2 +- + arch/powerpc/boot/dts/fsl/mpc8555cds.dts | 2 +- + arch/powerpc/boot/dts/fsl/mpc8560ads.dts | 2 +- + 5 files changed, 55 insertions(+), 4 deletions(-) + create mode 100644 arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi + +diff --git a/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi b/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi +new file mode 100644 +index 000000000000..7e2a90cde72e +--- /dev/null ++++ b/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi +@@ -0,0 +1,51 @@ ++/* ++ * e500v1 Power ISA Device Tree Source (include) ++ * ++ * Copyright 2012 Freescale Semiconductor Inc. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * * Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * * Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * * Neither the name of Freescale Semiconductor nor the ++ * names of its contributors may be used to endorse or promote products ++ * derived from this software without specific prior written permission. ++ * ++ * ++ * ALTERNATIVELY, this software may be distributed under the terms of the ++ * GNU General Public License ("GPL") as published by the Free Software ++ * Foundation, either version 2 of that License or (at your option) any ++ * later version. ++ * ++ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor "AS IS" AND ANY ++ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED ++ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE ++ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY ++ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ++ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT ++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS ++ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ++ */ ++ ++/ { ++ cpus { ++ power-isa-version = "2.03"; ++ power-isa-b; // Base ++ power-isa-e; // Embedded ++ power-isa-atb; // Alternate Time Base ++ power-isa-cs; // Cache Specification ++ power-isa-e.le; // Embedded.Little-Endian ++ power-isa-e.pm; // Embedded.Performance Monitor ++ power-isa-ecl; // Embedded Cache Locking ++ power-isa-mmc; // Memory Coherence ++ power-isa-sp; // Signal Processing Engine ++ power-isa-sp.fs; // SPE.Embedded Float Scalar Single ++ power-isa-sp.fv; // SPE.Embedded Float Vector ++ mmu-type = "power-embedded"; ++ }; ++}; +diff --git a/arch/powerpc/boot/dts/fsl/mpc8540ads.dts b/arch/powerpc/boot/dts/fsl/mpc8540ads.dts +index 18a885130538..e03ae130162b 100644 +--- a/arch/powerpc/boot/dts/fsl/mpc8540ads.dts ++++ b/arch/powerpc/boot/dts/fsl/mpc8540ads.dts +@@ -7,7 +7,7 @@ + + /dts-v1/; + +-/include/ "e500v2_power_isa.dtsi" ++/include/ "e500v1_power_isa.dtsi" + + / { + model = "MPC8540ADS"; +diff --git a/arch/powerpc/boot/dts/fsl/mpc8541cds.dts b/arch/powerpc/boot/dts/fsl/mpc8541cds.dts +index ac381e7b1c60..a2a6c5cf852e 100644 +--- a/arch/powerpc/boot/dts/fsl/mpc8541cds.dts ++++ b/arch/powerpc/boot/dts/fsl/mpc8541cds.dts +@@ -7,7 +7,7 @@ + + /dts-v1/; + +-/include/ "e500v2_power_isa.dtsi" ++/include/ "e500v1_power_isa.dtsi" + + / { + model = "MPC8541CDS"; +diff --git a/arch/powerpc/boot/dts/fsl/mpc8555cds.dts b/arch/powerpc/boot/dts/fsl/mpc8555cds.dts +index 9f58db2a7e66..901b6ff06dfb 100644 +--- a/arch/powerpc/boot/dts/fsl/mpc8555cds.dts ++++ b/arch/powerpc/boot/dts/fsl/mpc8555cds.dts +@@ -7,7 +7,7 @@ + + /dts-v1/; + +-/include/ "e500v2_power_isa.dtsi" ++/include/ "e500v1_power_isa.dtsi" + + / { + model = "MPC8555CDS"; +diff --git a/arch/powerpc/boot/dts/fsl/mpc8560ads.dts b/arch/powerpc/boot/dts/fsl/mpc8560ads.dts +index a24722ccaebf..c2f9aea78b29 100644 +--- a/arch/powerpc/boot/dts/fsl/mpc8560ads.dts ++++ b/arch/powerpc/boot/dts/fsl/mpc8560ads.dts +@@ -7,7 +7,7 @@ + + /dts-v1/; + +-/include/ "e500v2_power_isa.dtsi" ++/include/ "e500v1_power_isa.dtsi" + + / { + model = "MPC8560ADS"; +-- +2.35.1 + diff --git a/queue-6.0/powerpc-kprobes-fix-null-pointer-reference-in-arch_p.patch b/queue-6.0/powerpc-kprobes-fix-null-pointer-reference-in-arch_p.patch new file mode 100644 index 00000000000..6dc6bbfb1a5 --- /dev/null +++ b/queue-6.0/powerpc-kprobes-fix-null-pointer-reference-in-arch_p.patch @@ -0,0 +1,98 @@ +From ef6737784595fa093a220c56736953b75883e4b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Sep 2022 17:32:53 +0800 +Subject: powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe() + +From: Li Huafei + +[ Upstream commit 97f88a3d723162781d6cbfdc7b9617eefab55b19 ] + +I found a null pointer reference in arch_prepare_kprobe(): + + # echo 'p cmdline_proc_show' > kprobe_events + # echo 'p cmdline_proc_show+16' >> kprobe_events + Kernel attempted to read user page (0) - exploit attempt? (uid: 0) + BUG: Kernel NULL pointer dereference on read at 0x00000000 + Faulting instruction address: 0xc000000000050bfc + Oops: Kernel access of bad area, sig: 11 [#1] + LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV + Modules linked in: + CPU: 0 PID: 122 Comm: sh Not tainted 6.0.0-rc3-00007-gdcf8e5633e2e #10 + NIP: c000000000050bfc LR: c000000000050bec CTR: 0000000000005bdc + REGS: c0000000348475b0 TRAP: 0300 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) + MSR: 9000000000009033 CR: 88002444 XER: 20040006 + CFAR: c00000000022d100 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 0 + ... + NIP arch_prepare_kprobe+0x10c/0x2d0 + LR arch_prepare_kprobe+0xfc/0x2d0 + Call Trace: + 0xc0000000012f77a0 (unreliable) + register_kprobe+0x3c0/0x7a0 + __register_trace_kprobe+0x140/0x1a0 + __trace_kprobe_create+0x794/0x1040 + trace_probe_create+0xc4/0xe0 + create_or_delete_trace_kprobe+0x2c/0x80 + trace_parse_run_command+0xf0/0x210 + probes_write+0x20/0x40 + vfs_write+0xfc/0x450 + ksys_write+0x84/0x140 + system_call_exception+0x17c/0x3a0 + system_call_vectored_common+0xe8/0x278 + --- interrupt: 3000 at 0x7fffa5682de0 + NIP: 00007fffa5682de0 LR: 0000000000000000 CTR: 0000000000000000 + REGS: c000000034847e80 TRAP: 3000 Not tainted (6.0.0-rc3-00007-gdcf8e5633e2e) + MSR: 900000000280f033 CR: 44002408 XER: 00000000 + +The address being probed has some special: + + cmdline_proc_show: Probe based on ftrace + cmdline_proc_show+16: Probe for the next instruction at the ftrace location + +The ftrace-based kprobe does not generate kprobe::ainsn::insn, it gets +set to NULL. In arch_prepare_kprobe() it will check for: + + ... + prev = get_kprobe(p->addr - 1); + preempt_enable_no_resched(); + if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) { + ... + +If prev is based on ftrace, 'ppc_inst_read(prev->ainsn.insn)' will occur +with a null pointer reference. At this point prev->addr will not be a +prefixed instruction, so the check can be skipped. + +Check if prev is ftrace-based kprobe before reading 'prev->ainsn.insn' +to fix this problem. + +Fixes: b4657f7650ba ("powerpc/kprobes: Don't allow breakpoints on suffixes") +Signed-off-by: Li Huafei +[mpe: Trim oops] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220923093253.177298-1-lihuafei1@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/kprobes.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/kprobes.c b/arch/powerpc/kernel/kprobes.c +index 912d4f8a13be..bd7b1a035459 100644 +--- a/arch/powerpc/kernel/kprobes.c ++++ b/arch/powerpc/kernel/kprobes.c +@@ -161,7 +161,13 @@ int arch_prepare_kprobe(struct kprobe *p) + preempt_disable(); + prev = get_kprobe(p->addr - 1); + preempt_enable_no_resched(); +- if (prev && ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) { ++ ++ /* ++ * When prev is a ftrace-based kprobe, we don't have an insn, and it ++ * doesn't probe for prefixed instruction. ++ */ ++ if (prev && !kprobe_ftrace(prev) && ++ ppc_inst_prefixed(ppc_inst_read(prev->ainsn.insn))) { + printk("Cannot register a kprobe on the second word of prefixed instruction\n"); + ret = -EINVAL; + } +-- +2.35.1 + diff --git a/queue-6.0/powerpc-math_emu-efp-include-module.h.patch b/queue-6.0/powerpc-math_emu-efp-include-module.h.patch new file mode 100644 index 00000000000..59c8eabaf21 --- /dev/null +++ b/queue-6.0/powerpc-math_emu-efp-include-module.h.patch @@ -0,0 +1,53 @@ +From 91c3bb1848f8ec653be1fc7c61cfd77220f10aaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 18:00:08 +0200 +Subject: powerpc/math_emu/efp: Include module.h + +From: Nathan Chancellor + +[ Upstream commit cfe0d370e0788625ce0df3239aad07a2506c1796 ] + +When building with a recent version of clang, there are a couple of +errors around the call to module_init(): + + arch/powerpc/math-emu/math_efp.c:927:1: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int] + module_init(spe_mathemu_init); + ^ + int + arch/powerpc/math-emu/math_efp.c:927:13: error: a parameter list without types is only allowed in a function definition + module_init(spe_mathemu_init); + ^ + 2 errors generated. + +module_init() is a macro, which is not getting expanded because module.h +is not included in this file. Add the include so that the macro can +expand properly, clearing up the build failure. + +Fixes: ac6f120369ff ("powerpc/85xx: Workaroudn e500 CPU erratum A005") +[chleroy: added fixes tag] +Reported-by: kernel test robot +Signed-off-by: Nathan Chancellor +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Reviewed-by: Christophe Leroy +Link: https://lore.kernel.org/r/8403854a4c187459b2f4da3537f51227b70b9223.1662134272.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/math-emu/math_efp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/math-emu/math_efp.c b/arch/powerpc/math-emu/math_efp.c +index 39b84e7452e1..aa3bb8da1cb9 100644 +--- a/arch/powerpc/math-emu/math_efp.c ++++ b/arch/powerpc/math-emu/math_efp.c +@@ -17,6 +17,7 @@ + + #include + #include ++#include + + #include + #include +-- +2.35.1 + diff --git a/queue-6.0/powerpc-pci_dn-add-missing-of_node_put.patch b/queue-6.0/powerpc-pci_dn-add-missing-of_node_put.patch new file mode 100644 index 00000000000..25a768d27e8 --- /dev/null +++ b/queue-6.0/powerpc-pci_dn-add-missing-of_node_put.patch @@ -0,0 +1,38 @@ +From 5e48e56bbde2328d4b011b3c2be445c7731556d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Jul 2022 21:17:50 +0800 +Subject: powerpc/pci_dn: Add missing of_node_put() + +From: Liang He + +[ Upstream commit 110a1fcb6c4d55144d8179983a475f17a1d6f832 ] + +In pci_add_device_node_info(), use of_node_put() to drop the reference +to 'parent' returned by of_get_parent() to keep refcount balance. + +Fixes: cca87d303c85 ("powerpc/pci: Refactor pci_dn") +Co-authored-by: Miaoqian Lin +Signed-off-by: Liang He +Signed-off-by: Michael Ellerman +Reviewed-by: Tyrel Datwyler +Link: https://lore.kernel.org/r/20220701131750.240170-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/pci_dn.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/kernel/pci_dn.c b/arch/powerpc/kernel/pci_dn.c +index 7a35fc25a304..38561d6a2079 100644 +--- a/arch/powerpc/kernel/pci_dn.c ++++ b/arch/powerpc/kernel/pci_dn.c +@@ -330,6 +330,7 @@ struct pci_dn *pci_add_device_node_info(struct pci_controller *hose, + INIT_LIST_HEAD(&pdn->list); + parent = of_get_parent(dn); + pdn->parent = parent ? PCI_DN(parent) : NULL; ++ of_node_put(parent); + if (pdn->parent) + list_add_tail(&pdn->list, &pdn->parent->child_list); + +-- +2.35.1 + diff --git a/queue-6.0/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch b/queue-6.0/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch new file mode 100644 index 00000000000..6ef029c9242 --- /dev/null +++ b/queue-6.0/powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch @@ -0,0 +1,36 @@ +From 07decc0cb07121b356d5b3b1a71a00615e5ccd69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 14:17:03 +0000 +Subject: powerpc/powernv: add missing of_node_put() in opal_export_attrs() + +From: Zheng Yongjun + +[ Upstream commit 71a92e99c47900cc164620948b3863382cec4f1a ] + +After using 'np' returned by of_find_node_by_path(), of_node_put() +need be called to decrease the refcount. + +Fixes: 11fe909d2362 ("powerpc/powernv: Add OPAL exports attributes to sysfs") +Signed-off-by: Zheng Yongjun +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220906141703.118192-1-zhengyongjun3@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c +index 55a8fbfdb5b2..3510b55b36f8 100644 +--- a/arch/powerpc/platforms/powernv/opal.c ++++ b/arch/powerpc/platforms/powernv/opal.c +@@ -892,6 +892,7 @@ static void opal_export_attrs(void) + kobj = kobject_create_and_add("exports", opal_kobj); + if (!kobj) { + pr_warn("kobject_create_and_add() of exports failed\n"); ++ of_node_put(np); + return; + } + +-- +2.35.1 + diff --git a/queue-6.0/powerpc-pseries-vas-pass-hw_cpu_id-to-node-associati.patch b/queue-6.0/powerpc-pseries-vas-pass-hw_cpu_id-to-node-associati.patch new file mode 100644 index 00000000000..2cae2662572 --- /dev/null +++ b/queue-6.0/powerpc-pseries-vas-pass-hw_cpu_id-to-node-associati.patch @@ -0,0 +1,50 @@ +From 42e45ea93a4b6e8b26e52876f4778c18edaa510d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 18:57:33 -0700 +Subject: powerpc/pseries/vas: Pass hw_cpu_id to node associativity HCALL + +From: Haren Myneni + +[ Upstream commit f3e5d9e53e74d77e711a2c90a91a8b0836a9e0b3 ] + +Generally the hypervisor decides to allocate a window on different +VAS instances. But if user space wishes to allocate on the current VAS +instance where the process is executing, the kernel has to pass +associativity domain IDs to allocate VAS window HCALL. + +To determine the associativity domain IDs for the current CPU, +smp_processor_id() is passed to node associativity HCALL which may +return H_P2 (-55) error during DLPAR CPU event. This is because Linux +CPU numbers (smp_processor_id()) are not the same as the hypervisor's +view of CPU numbers. + +Fix the issue by passing hard_smp_processor_id() with +VPHN_FLAG_VCPU flag (PAPR 14.11.6.1 H_HOME_NODE_ASSOCIATIVITY). + +Fixes: b22f2d88e435 ("powerpc/pseries/vas: Integrate API with open/close windows") +Reviewed-by: Nathan Lynch +Signed-off-by: Haren Myneni +[mpe: Update change log to mention Linux vs HV CPU numbers] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/55380253ea0c11341824cd4c0fc6bbcfc5752689.camel@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/vas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/pseries/vas.c b/arch/powerpc/platforms/pseries/vas.c +index 7e6e6dd2e33e..1a2cbc156e8f 100644 +--- a/arch/powerpc/platforms/pseries/vas.c ++++ b/arch/powerpc/platforms/pseries/vas.c +@@ -333,7 +333,7 @@ static struct vas_window *vas_allocate_window(int vas_id, u64 flags, + * So no unpacking needs to be done. + */ + rc = plpar_hcall9(H_HOME_NODE_ASSOCIATIVITY, domain, +- VPHN_FLAG_VCPU, smp_processor_id()); ++ VPHN_FLAG_VCPU, hard_smp_processor_id()); + if (rc != H_SUCCESS) { + pr_err("H_HOME_NODE_ASSOCIATIVITY error: %d\n", rc); + goto out; +-- +2.35.1 + diff --git a/queue-6.0/powerpc-sysdev-fsl_msi-add-missing-of_node_put.patch b/queue-6.0/powerpc-sysdev-fsl_msi-add-missing-of_node_put.patch new file mode 100644 index 00000000000..35d2a6c9d94 --- /dev/null +++ b/queue-6.0/powerpc-sysdev-fsl_msi-add-missing-of_node_put.patch @@ -0,0 +1,40 @@ +From e857ac4a1ac0556f05f6feb144b3a6945e2fc94b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Jul 2022 22:52:33 +0800 +Subject: powerpc/sysdev/fsl_msi: Add missing of_node_put() + +From: Liang He + +[ Upstream commit def435c04ee984a5f9ed2711b2bfe946936c6a21 ] + +In fsl_setup_msi_irqs(), use of_node_put() to drop the reference +returned by of_parse_phandle(). + +Fixes: 895d603f945ba ("powerpc/fsl_msi: add support for the fsl, msi property in PCI nodes") +Co-authored-by: Miaoqian Lin +Signed-off-by: Liang He +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220704145233.278539-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/fsl_msi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/sysdev/fsl_msi.c b/arch/powerpc/sysdev/fsl_msi.c +index ef9a5999fa93..73c2d70706c0 100644 +--- a/arch/powerpc/sysdev/fsl_msi.c ++++ b/arch/powerpc/sysdev/fsl_msi.c +@@ -209,8 +209,10 @@ static int fsl_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type) + dev_err(&pdev->dev, + "node %pOF has an invalid fsl,msi phandle %u\n", + hose->dn, np->phandle); ++ of_node_put(np); + return -EINVAL; + } ++ of_node_put(np); + } + + msi_for_each_desc(entry, &pdev->dev, MSI_DESC_NOTASSOCIATED) { +-- +2.35.1 + diff --git a/queue-6.0/r8152-rate-limit-overflow-messages.patch b/queue-6.0/r8152-rate-limit-overflow-messages.patch new file mode 100644 index 00000000000..428d0826d35 --- /dev/null +++ b/queue-6.0/r8152-rate-limit-overflow-messages.patch @@ -0,0 +1,38 @@ +From d00004d07c6b878e989ea9d9aca753321a1e320a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Oct 2022 12:41:28 +0900 +Subject: r8152: Rate limit overflow messages + +From: Andrew Gaul + +[ Upstream commit 93e2be344a7db169b7119de21ac1bf253b8c6907 ] + +My system shows almost 10 million of these messages over a 24-hour +period which pollutes my logs. + +Signed-off-by: Andrew Gaul +Link: https://lore.kernel.org/r/20221002034128.2026653-1-gaul@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/usb/r8152.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c +index 688905ea0a6d..e7b0b59e2bc8 100644 +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -1874,7 +1874,9 @@ static void intr_callback(struct urb *urb) + "Stop submitting intr, status %d\n", status); + return; + case -EOVERFLOW: +- netif_info(tp, intr, tp->netdev, "intr status -EOVERFLOW\n"); ++ if (net_ratelimit()) ++ netif_info(tp, intr, tp->netdev, ++ "intr status -EOVERFLOW\n"); + goto resubmit; + /* -EPIPE: should clear the halt */ + default: +-- +2.35.1 + diff --git a/queue-6.0/random-schedule-jitter-credit-for-next-jiffy-not-in-.patch b/queue-6.0/random-schedule-jitter-credit-for-next-jiffy-not-in-.patch new file mode 100644 index 00000000000..384ec305cae --- /dev/null +++ b/queue-6.0/random-schedule-jitter-credit-for-next-jiffy-not-in-.patch @@ -0,0 +1,50 @@ +From 601cc0fab0de8b9f9e752ae3464b5951c9a684f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 Oct 2022 00:31:00 +0200 +Subject: random: schedule jitter credit for next jiffy, not in two jiffies + +From: Jason A. Donenfeld + +[ Upstream commit 122733471384be8c23f019fbbd46bdf7be561dcd ] + +Counterintuitively, mod_timer(..., jiffies + 1) will cause the timer to +fire not in the next jiffy, but in two jiffies. The way to cause +the timer to fire in the next jiffy is with mod_timer(..., jiffies). +Doing so then lets us bump the upper bound back up again. + +Fixes: 50ee7529ec45 ("random: try to actively add entropy rather than passively wait for it") +Fixes: 829d680e82a9 ("random: cap jitter samples per bit to factor of HZ") +Cc: Dominik Brodowski +Cc: Sebastian Andrzej Siewior +Cc: Sultan Alsawaf +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + drivers/char/random.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/random.c b/drivers/char/random.c +index 060f999dcffb..46d6100fa3a7 100644 +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1195,7 +1195,7 @@ static void __cold entropy_timer(struct timer_list *timer) + */ + static void __cold try_to_generate_entropy(void) + { +- enum { NUM_TRIAL_SAMPLES = 8192, MAX_SAMPLES_PER_BIT = HZ / 30 }; ++ enum { NUM_TRIAL_SAMPLES = 8192, MAX_SAMPLES_PER_BIT = HZ / 15 }; + struct entropy_timer_state stack; + unsigned int i, num_different = 0; + unsigned long last = random_get_entropy(); +@@ -1214,7 +1214,7 @@ static void __cold try_to_generate_entropy(void) + timer_setup_on_stack(&stack.timer, entropy_timer, 0); + while (!crng_ready() && !signal_pending(current)) { + if (!timer_pending(&stack.timer)) +- mod_timer(&stack.timer, jiffies + 1); ++ mod_timer(&stack.timer, jiffies); + mix_pool_bytes(&stack.entropy, sizeof(stack.entropy)); + schedule(); + stack.entropy = random_get_entropy(); +-- +2.35.1 + diff --git a/queue-6.0/rcu-avoid-triggering-strict-gp-irq-work-when-rcu-is-.patch b/queue-6.0/rcu-avoid-triggering-strict-gp-irq-work-when-rcu-is-.patch new file mode 100644 index 00000000000..577ec29cc31 --- /dev/null +++ b/queue-6.0/rcu-avoid-triggering-strict-gp-irq-work-when-rcu-is-.patch @@ -0,0 +1,77 @@ +From 49dfe0a6602665a61812ed179d2dd3ea96106053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 10:26:26 +0800 +Subject: rcu: Avoid triggering strict-GP irq-work when RCU is idle + +From: Zqiang + +[ Upstream commit 621189a1fe93cb2b34d62c5cdb9e258bca044813 ] + +Kernels built with PREEMPT_RCU=y and RCU_STRICT_GRACE_PERIOD=y trigger +irq-work from rcu_read_unlock(), and the resulting irq-work handler +invokes rcu_preempt_deferred_qs_handle(). The point of this triggering +is to force grace periods to end quickly in order to give tools like KASAN +a better chance of detecting RCU usage bugs such as leaking RCU-protected +pointers out of an RCU read-side critical section. + +However, this irq-work triggering is unconditional. This works, but +there is no point in doing this irq-work unless the current grace period +is waiting on the running CPU or task, which is not the common case. +After all, in the common case there are many rcu_read_unlock() calls +per CPU per grace period. + +This commit therefore triggers the irq-work only when the current grace +period is waiting on the running CPU or task. + +This change was tested as follows on a four-CPU system: + + echo rcu_preempt_deferred_qs_handler > /sys/kernel/debug/tracing/set_ftrace_filter + echo 1 > /sys/kernel/debug/tracing/function_profile_enabled + insmod rcutorture.ko + sleep 20 + rmmod rcutorture.ko + echo 0 > /sys/kernel/debug/tracing/function_profile_enabled + echo > /sys/kernel/debug/tracing/set_ftrace_filter + +This procedure produces results in this per-CPU set of files: + + /sys/kernel/debug/tracing/trace_stat/function* + +Sample output from one of these files is as follows: + + Function Hit Time Avg s^2 + -------- --- ---- --- --- + rcu_preempt_deferred_qs_handle 838746 182650.3 us 0.217 us 0.004 us + +The baseline sum of the "Hit" values (the number of calls to this +function) was 3,319,015. With this commit, that sum was 1,140,359, +for a 2.9x reduction. The worst-case variance across the CPUs was less +than 25%, so this large effect size is statistically significant. + +The raw data is available in the Link: URL. + +Link: https://lore.kernel.org/all/20220808022626.12825-1-qiang1.zhang@intel.com/ +Signed-off-by: Zqiang +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_plugin.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h +index 438ecae6bd7e..49468b4d1b43 100644 +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -641,7 +641,8 @@ static void rcu_read_unlock_special(struct task_struct *t) + + expboost = (t->rcu_blocked_node && READ_ONCE(t->rcu_blocked_node->exp_tasks)) || + (rdp->grpmask & READ_ONCE(rnp->expmask)) || +- IS_ENABLED(CONFIG_RCU_STRICT_GRACE_PERIOD) || ++ (IS_ENABLED(CONFIG_RCU_STRICT_GRACE_PERIOD) && ++ ((rdp->grpmask & READ_ONCE(rnp->qsmask)) || t->rcu_blocked_node)) || + (IS_ENABLED(CONFIG_RCU_BOOST) && irqs_were_disabled && + t->rcu_blocked_node); + // Need to defer quiescent state until everything is enabled. +-- +2.35.1 + diff --git a/queue-6.0/rcu-back-off-upon-fill_page_cache_func-allocation-fa.patch b/queue-6.0/rcu-back-off-upon-fill_page_cache_func-allocation-fa.patch new file mode 100644 index 00000000000..5e2c452c244 --- /dev/null +++ b/queue-6.0/rcu-back-off-upon-fill_page_cache_func-allocation-fa.patch @@ -0,0 +1,89 @@ +From 5ccdfa91c9ef43eea71c265d18aac28208bf94b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jun 2022 13:47:11 +0200 +Subject: rcu: Back off upon fill_page_cache_func() allocation failure + +From: Michal Hocko + +[ Upstream commit 093590c16b447f53e66771c8579ae66c96f6ef61 ] + +The fill_page_cache_func() function allocates couple of pages to store +kvfree_rcu_bulk_data structures. This is a lightweight (GFP_NORETRY) +allocation which can fail under memory pressure. The function will, +however keep retrying even when the previous attempt has failed. + +This retrying is in theory correct, but in practice the allocation is +invoked from workqueue context, which means that if the memory reclaim +gets stuck, these retries can hog the worker for quite some time. +Although the workqueues subsystem automatically adjusts concurrency, such +adjustment is not guaranteed to happen until the worker context sleeps. +And the fill_page_cache_func() function's retry loop is not guaranteed +to sleep (see the should_reclaim_retry() function). + +And we have seen this function cause workqueue lockups: + +kernel: BUG: workqueue lockup - pool cpus=93 node=1 flags=0x1 nice=0 stuck for 32s! +[...] +kernel: pool 74: cpus=37 node=0 flags=0x1 nice=0 hung=32s workers=2 manager: 2146 +kernel: pwq 498: cpus=249 node=1 flags=0x1 nice=0 active=4/256 refcnt=5 +kernel: in-flight: 1917:fill_page_cache_func +kernel: pending: dbs_work_handler, free_work, kfree_rcu_monitor + +Originally, we thought that the root cause of this lockup was several +retries with direct reclaim, but this is not yet confirmed. Furthermore, +we have seen similar lockups without any heavy memory pressure. This +suggests that there are other factors contributing to these lockups. +However, it is not really clear that endless retries are desireable. + +So let's make the fill_page_cache_func() function back off after +allocation failure. + +Cc: Uladzislau Rezki (Sony) +Cc: "Paul E. McKenney" +Cc: Frederic Weisbecker +Cc: Neeraj Upadhyay +Cc: Josh Triplett +Cc: Steven Rostedt +Cc: Mathieu Desnoyers +Cc: Lai Jiangshan +Cc: Joel Fernandes +Signed-off-by: Michal Hocko +Reviewed-by: Uladzislau Rezki (Sony) +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index 79aea7df4345..eb435941e92f 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -3183,15 +3183,16 @@ static void fill_page_cache_func(struct work_struct *work) + bnode = (struct kvfree_rcu_bulk_data *) + __get_free_page(GFP_KERNEL | __GFP_NORETRY | __GFP_NOMEMALLOC | __GFP_NOWARN); + +- if (bnode) { +- raw_spin_lock_irqsave(&krcp->lock, flags); +- pushed = put_cached_bnode(krcp, bnode); +- raw_spin_unlock_irqrestore(&krcp->lock, flags); ++ if (!bnode) ++ break; + +- if (!pushed) { +- free_page((unsigned long) bnode); +- break; +- } ++ raw_spin_lock_irqsave(&krcp->lock, flags); ++ pushed = put_cached_bnode(krcp, bnode); ++ raw_spin_unlock_irqrestore(&krcp->lock, flags); ++ ++ if (!pushed) { ++ free_page((unsigned long) bnode); ++ break; + } + } + +-- +2.35.1 + diff --git a/queue-6.0/rcu-tasks-convert-rcu_lockdep_warn-to-warn_once.patch b/queue-6.0/rcu-tasks-convert-rcu_lockdep_warn-to-warn_once.patch new file mode 100644 index 00000000000..687aa1d1597 --- /dev/null +++ b/queue-6.0/rcu-tasks-convert-rcu_lockdep_warn-to-warn_once.patch @@ -0,0 +1,43 @@ +From 5ea920627369f7b4622ccfaf1915d502e6276ac8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Jul 2022 16:26:05 +0800 +Subject: rcu-tasks: Convert RCU_LOCKDEP_WARN() to WARN_ONCE() + +From: Zqiang + +[ Upstream commit fcd53c8a4dfa38bafb89efdd0b0f718f3a03f884 ] + +Kernels built with CONFIG_PROVE_RCU=y and CONFIG_DEBUG_LOCK_ALLOC=y +attempt to emit a warning when the synchronize_rcu_tasks_generic() +function is called during early boot while the rcu_scheduler_active +variable is RCU_SCHEDULER_INACTIVE. However the warnings is not +actually be printed because the debug_lockdep_rcu_enabled() returns +false, exactly because the rcu_scheduler_active variable is still equal +to RCU_SCHEDULER_INACTIVE. + +This commit therefore replaces RCU_LOCKDEP_WARN() with WARN_ONCE() +to force these warnings to actually be printed. + +Signed-off-by: Zqiang +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tasks.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h +index 83c7e6620d40..469bf2a3b505 100644 +--- a/kernel/rcu/tasks.h ++++ b/kernel/rcu/tasks.h +@@ -560,7 +560,7 @@ static int __noreturn rcu_tasks_kthread(void *arg) + static void synchronize_rcu_tasks_generic(struct rcu_tasks *rtp) + { + /* Complain if the scheduler has not started. */ +- RCU_LOCKDEP_WARN(rcu_scheduler_active == RCU_SCHEDULER_INACTIVE, ++ WARN_ONCE(rcu_scheduler_active == RCU_SCHEDULER_INACTIVE, + "synchronize_rcu_tasks called too soon"); + + // If the grace-period kthread is running, use it. +-- +2.35.1 + diff --git a/queue-6.0/rcu-tasks-ensure-rcu-tasks-trace-loops-have-quiescen.patch b/queue-6.0/rcu-tasks-ensure-rcu-tasks-trace-loops-have-quiescen.patch new file mode 100644 index 00000000000..76c9f034851 --- /dev/null +++ b/queue-6.0/rcu-tasks-ensure-rcu-tasks-trace-loops-have-quiescen.patch @@ -0,0 +1,53 @@ +From ba41f6aeaed9453a85aa206555611ad1c2218b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jul 2022 10:57:26 -0700 +Subject: rcu-tasks: Ensure RCU Tasks Trace loops have quiescent states + +From: Paul E. McKenney + +[ Upstream commit d6ad60635cafe900bcd11ad588d8accb36c36b1b ] + +The RCU Tasks Trace grace-period kthread loops across all CPUs, and +there can be quite a few CPUs, with some commercially available systems +sporting well over a thousand of them. Some of these loops can feature +IPIs, which can take some time. This commit therefore places a call to +cond_resched_tasks_rcu_qs() in each such loop. + +Link: https://docs.google.com/document/d/1V0YnG1HTWMt9WHJjroiJL9lf-hMrud4v8Fn3fhyY0cI/edit?usp=sharing +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tasks.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h +index 469bf2a3b505..f5bf6fb430da 100644 +--- a/kernel/rcu/tasks.h ++++ b/kernel/rcu/tasks.h +@@ -1500,6 +1500,7 @@ static void rcu_tasks_trace_pregp_step(struct list_head *hop) + if (rcu_tasks_trace_pertask_prep(t, true)) + trc_add_holdout(t, hop); + rcu_read_unlock(); ++ cond_resched_tasks_rcu_qs(); + } + + // Only after all running tasks have been accounted for is it +@@ -1520,6 +1521,7 @@ static void rcu_tasks_trace_pregp_step(struct list_head *hop) + raw_spin_lock_irqsave_rcu_node(rtpcp, flags); + } + raw_spin_unlock_irqrestore_rcu_node(rtpcp, flags); ++ cond_resched_tasks_rcu_qs(); + } + + // Re-enable CPU hotplug now that the holdout list is populated. +@@ -1619,6 +1621,7 @@ static void check_all_holdout_tasks_trace(struct list_head *hop, + trc_del_holdout(t); + else if (needreport) + show_stalled_task_trace(t, firstreport); ++ cond_resched_tasks_rcu_qs(); + } + + // Re-enable CPU hotplug now that the holdout list scan has completed. +-- +2.35.1 + diff --git a/queue-6.0/rdma-cm-use-slid-in-the-work-completion-as-the-dlid-.patch b/queue-6.0/rdma-cm-use-slid-in-the-work-completion-as-the-dlid-.patch new file mode 100644 index 00000000000..ec0b70bd431 --- /dev/null +++ b/queue-6.0/rdma-cm-use-slid-in-the-work-completion-as-the-dlid-.patch @@ -0,0 +1,80 @@ +From 970e2d94ac799a56900c17048ed0120ef934bff5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 13:09:02 +0300 +Subject: RDMA/cm: Use SLID in the work completion as the DLID in responder + side + +From: Mark Zhang + +[ Upstream commit b7d95040c13f61a4a6a859c5355faf583eff9658 ] + +The responder should always use WC's SLID as the dlid, to follow the +IB SPEC section "13.5.4.2 COMMON RESPONSE ACTIONS": +A responder always takes the following actions in constructing a +response packet: +- The SLID of the received packet is used as the DLID in the response + packet. + +Fixes: ac3a949fb2ff ("IB/CM: Set appropriate slid and dlid when handling CM request") +Signed-off-by: Mark Zhang +Reviewed-by: Mark Bloch +Link: https://lore.kernel.org/r/cd17c240231e059d2fc07c17dfe555d548b917eb.1662631201.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/cm.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c +index b985e0d9bc05..5c910f5c01b3 100644 +--- a/drivers/infiniband/core/cm.c ++++ b/drivers/infiniband/core/cm.c +@@ -1632,14 +1632,13 @@ static void cm_path_set_rec_type(struct ib_device *ib_device, u32 port_num, + + static void cm_format_path_lid_from_req(struct cm_req_msg *req_msg, + struct sa_path_rec *primary_path, +- struct sa_path_rec *alt_path) ++ struct sa_path_rec *alt_path, ++ struct ib_wc *wc) + { + u32 lid; + + if (primary_path->rec_type != SA_PATH_REC_TYPE_OPA) { +- sa_path_set_dlid(primary_path, +- IBA_GET(CM_REQ_PRIMARY_LOCAL_PORT_LID, +- req_msg)); ++ sa_path_set_dlid(primary_path, wc->slid); + sa_path_set_slid(primary_path, + IBA_GET(CM_REQ_PRIMARY_REMOTE_PORT_LID, + req_msg)); +@@ -1676,7 +1675,8 @@ static void cm_format_path_lid_from_req(struct cm_req_msg *req_msg, + + static void cm_format_paths_from_req(struct cm_req_msg *req_msg, + struct sa_path_rec *primary_path, +- struct sa_path_rec *alt_path) ++ struct sa_path_rec *alt_path, ++ struct ib_wc *wc) + { + primary_path->dgid = + *IBA_GET_MEM_PTR(CM_REQ_PRIMARY_LOCAL_PORT_GID, req_msg); +@@ -1734,7 +1734,7 @@ static void cm_format_paths_from_req(struct cm_req_msg *req_msg, + if (sa_path_is_roce(alt_path)) + alt_path->roce.route_resolved = false; + } +- cm_format_path_lid_from_req(req_msg, primary_path, alt_path); ++ cm_format_path_lid_from_req(req_msg, primary_path, alt_path, wc); + } + + static u16 cm_get_bth_pkey(struct cm_work *work) +@@ -2148,7 +2148,7 @@ static int cm_req_handler(struct cm_work *work) + if (cm_req_has_alt_path(req_msg)) + work->path[1].rec_type = work->path[0].rec_type; + cm_format_paths_from_req(req_msg, &work->path[0], +- &work->path[1]); ++ &work->path[1], work->mad_recv_wc->wc); + if (cm_id_priv->av.ah_attr.type == RDMA_AH_ATTR_TYPE_ROCE) + sa_path_set_dmac(&work->path[0], + cm_id_priv->av.ah_attr.roce.dmac); +-- +2.35.1 + diff --git a/queue-6.0/rdma-irdma-align-ae-id-codes-to-correct-flush-code-a.patch b/queue-6.0/rdma-irdma-align-ae-id-codes-to-correct-flush-code-a.patch new file mode 100644 index 00000000000..0d62e9e16f1 --- /dev/null +++ b/queue-6.0/rdma-irdma-align-ae-id-codes-to-correct-flush-code-a.patch @@ -0,0 +1,191 @@ +From 998bd2019552f0f0af857467aa5afe731ce0fbce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 14:13:23 -0500 +Subject: RDMA/irdma: Align AE id codes to correct flush code and event + +From: Sindhu-Devale + +[ Upstream commit 7f51a961f8c6b84752a48e950074a8c4a0808d91 ] + +A number of asynchronous event (AE) ids were not aligned to the +correct flush_code and event_type. Fix these up so that the +correct IBV error and event codes are returned to application. + +Also, add handling for new AE ids like IRDMA_AE_INVALID_REQUEST to +return the correct WC error code. + +Fixes: 44d9e52977a1 ("RDMA/irdma: Implement device initialization definitions") +Signed-off-by: Sindhu-Devale +Signed-off-by: Shiraz Saleem +Link: https://lore.kernel.org/r/20220907191324.1173-2-shiraz.saleem@intel.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/defs.h | 1 + + drivers/infiniband/hw/irdma/hw.c | 51 +++++++++++++++++------------ + drivers/infiniband/hw/irdma/type.h | 1 + + drivers/infiniband/hw/irdma/user.h | 1 + + drivers/infiniband/hw/irdma/utils.c | 3 ++ + drivers/infiniband/hw/irdma/verbs.c | 2 ++ + 6 files changed, 38 insertions(+), 21 deletions(-) + +diff --git a/drivers/infiniband/hw/irdma/defs.h b/drivers/infiniband/hw/irdma/defs.h +index e03e03082a5f..c1906cab5c8a 100644 +--- a/drivers/infiniband/hw/irdma/defs.h ++++ b/drivers/infiniband/hw/irdma/defs.h +@@ -314,6 +314,7 @@ enum irdma_cqp_op_type { + #define IRDMA_AE_IB_REMOTE_ACCESS_ERROR 0x020d + #define IRDMA_AE_IB_REMOTE_OP_ERROR 0x020e + #define IRDMA_AE_WQE_LSMM_TOO_LONG 0x0220 ++#define IRDMA_AE_INVALID_REQUEST 0x0223 + #define IRDMA_AE_DDP_INVALID_MSN_GAP_IN_MSN 0x0301 + #define IRDMA_AE_DDP_UBE_DDP_MESSAGE_TOO_LONG_FOR_AVAILABLE_BUFFER 0x0303 + #define IRDMA_AE_DDP_UBE_INVALID_DDP_VERSION 0x0304 +diff --git a/drivers/infiniband/hw/irdma/hw.c b/drivers/infiniband/hw/irdma/hw.c +index 4f132c6fb653..ab246447520b 100644 +--- a/drivers/infiniband/hw/irdma/hw.c ++++ b/drivers/infiniband/hw/irdma/hw.c +@@ -138,59 +138,68 @@ static void irdma_set_flush_fields(struct irdma_sc_qp *qp, + qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC; + + switch (info->ae_id) { +- case IRDMA_AE_AMP_UNALLOCATED_STAG: + case IRDMA_AE_AMP_BOUNDS_VIOLATION: + case IRDMA_AE_AMP_INVALID_STAG: +- qp->event_type = IRDMA_QP_EVENT_ACCESS_ERR; +- fallthrough; ++ case IRDMA_AE_AMP_RIGHTS_VIOLATION: ++ case IRDMA_AE_AMP_UNALLOCATED_STAG: + case IRDMA_AE_AMP_BAD_PD: +- case IRDMA_AE_UDA_XMIT_BAD_PD: ++ case IRDMA_AE_AMP_BAD_QP: ++ case IRDMA_AE_AMP_BAD_STAG_KEY: ++ case IRDMA_AE_AMP_BAD_STAG_INDEX: ++ case IRDMA_AE_AMP_TO_WRAP: ++ case IRDMA_AE_PRIV_OPERATION_DENIED: + qp->flush_code = FLUSH_PROT_ERR; ++ qp->event_type = IRDMA_QP_EVENT_ACCESS_ERR; + break; +- case IRDMA_AE_AMP_BAD_QP: ++ case IRDMA_AE_UDA_XMIT_BAD_PD: + case IRDMA_AE_WQE_UNEXPECTED_OPCODE: + qp->flush_code = FLUSH_LOC_QP_OP_ERR; ++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC; ++ break; ++ case IRDMA_AE_UDA_XMIT_DGRAM_TOO_LONG: ++ case IRDMA_AE_UDA_XMIT_DGRAM_TOO_SHORT: ++ case IRDMA_AE_UDA_L4LEN_INVALID: ++ case IRDMA_AE_DDP_UBE_INVALID_MO: ++ case IRDMA_AE_DDP_UBE_DDP_MESSAGE_TOO_LONG_FOR_AVAILABLE_BUFFER: ++ qp->flush_code = FLUSH_LOC_LEN_ERR; ++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC; + break; +- case IRDMA_AE_AMP_BAD_STAG_KEY: +- case IRDMA_AE_AMP_BAD_STAG_INDEX: +- case IRDMA_AE_AMP_TO_WRAP: +- case IRDMA_AE_AMP_RIGHTS_VIOLATION: + case IRDMA_AE_AMP_INVALIDATE_NO_REMOTE_ACCESS_RIGHTS: +- case IRDMA_AE_PRIV_OPERATION_DENIED: +- case IRDMA_AE_IB_INVALID_REQUEST: + case IRDMA_AE_IB_REMOTE_ACCESS_ERROR: + qp->flush_code = FLUSH_REM_ACCESS_ERR; + qp->event_type = IRDMA_QP_EVENT_ACCESS_ERR; + break; + case IRDMA_AE_LLP_SEGMENT_TOO_SMALL: +- case IRDMA_AE_DDP_UBE_DDP_MESSAGE_TOO_LONG_FOR_AVAILABLE_BUFFER: +- case IRDMA_AE_UDA_XMIT_DGRAM_TOO_LONG: +- case IRDMA_AE_UDA_XMIT_DGRAM_TOO_SHORT: +- case IRDMA_AE_UDA_L4LEN_INVALID: ++ case IRDMA_AE_LLP_RECEIVED_MPA_CRC_ERROR: + case IRDMA_AE_ROCE_RSP_LENGTH_ERROR: +- qp->flush_code = FLUSH_LOC_LEN_ERR; ++ case IRDMA_AE_IB_REMOTE_OP_ERROR: ++ qp->flush_code = FLUSH_REM_OP_ERR; ++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC; + break; + case IRDMA_AE_LCE_QP_CATASTROPHIC: + qp->flush_code = FLUSH_FATAL_ERR; ++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC; + break; +- case IRDMA_AE_DDP_UBE_INVALID_MO: + case IRDMA_AE_IB_RREQ_AND_Q1_FULL: +- case IRDMA_AE_LLP_RECEIVED_MPA_CRC_ERROR: + qp->flush_code = FLUSH_GENERAL_ERR; + break; + case IRDMA_AE_LLP_TOO_MANY_RETRIES: + qp->flush_code = FLUSH_RETRY_EXC_ERR; ++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC; + break; + case IRDMA_AE_AMP_MWBIND_INVALID_RIGHTS: + case IRDMA_AE_AMP_MWBIND_BIND_DISABLED: + case IRDMA_AE_AMP_MWBIND_INVALID_BOUNDS: + qp->flush_code = FLUSH_MW_BIND_ERR; ++ qp->event_type = IRDMA_QP_EVENT_ACCESS_ERR; + break; +- case IRDMA_AE_IB_REMOTE_OP_ERROR: +- qp->flush_code = FLUSH_REM_OP_ERR; ++ case IRDMA_AE_IB_INVALID_REQUEST: ++ qp->flush_code = FLUSH_REM_INV_REQ_ERR; ++ qp->event_type = IRDMA_QP_EVENT_REQ_ERR; + break; + default: +- qp->flush_code = FLUSH_FATAL_ERR; ++ qp->flush_code = FLUSH_GENERAL_ERR; ++ qp->event_type = IRDMA_QP_EVENT_CATASTROPHIC; + break; + } + } +diff --git a/drivers/infiniband/hw/irdma/type.h b/drivers/infiniband/hw/irdma/type.h +index 9e7b8ecb137a..517d41a1c289 100644 +--- a/drivers/infiniband/hw/irdma/type.h ++++ b/drivers/infiniband/hw/irdma/type.h +@@ -98,6 +98,7 @@ enum irdma_term_mpa_errors { + enum irdma_qp_event_type { + IRDMA_QP_EVENT_CATASTROPHIC, + IRDMA_QP_EVENT_ACCESS_ERR, ++ IRDMA_QP_EVENT_REQ_ERR, + }; + + enum irdma_hw_stats_index_32b { +diff --git a/drivers/infiniband/hw/irdma/user.h b/drivers/infiniband/hw/irdma/user.h +index ddd0ebbdd7d5..2ef61923c926 100644 +--- a/drivers/infiniband/hw/irdma/user.h ++++ b/drivers/infiniband/hw/irdma/user.h +@@ -103,6 +103,7 @@ enum irdma_flush_opcode { + FLUSH_FATAL_ERR, + FLUSH_RETRY_EXC_ERR, + FLUSH_MW_BIND_ERR, ++ FLUSH_REM_INV_REQ_ERR, + }; + + enum irdma_cmpl_status { +diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c +index 075defaabee5..8dfc9e154d73 100644 +--- a/drivers/infiniband/hw/irdma/utils.c ++++ b/drivers/infiniband/hw/irdma/utils.c +@@ -2479,6 +2479,9 @@ void irdma_ib_qp_event(struct irdma_qp *iwqp, enum irdma_qp_event_type event) + case IRDMA_QP_EVENT_ACCESS_ERR: + ibevent.event = IB_EVENT_QP_ACCESS_ERR; + break; ++ case IRDMA_QP_EVENT_REQ_ERR: ++ ibevent.event = IB_EVENT_QP_REQ_ERR; ++ break; + } + ibevent.device = iwqp->ibqp.device; + ibevent.element.qp = &iwqp->ibqp; +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index 9b207f5084eb..6f07a913ef88 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -3315,6 +3315,8 @@ static enum ib_wc_status irdma_flush_err_to_ib_wc_status(enum irdma_flush_opcode + return IB_WC_RETRY_EXC_ERR; + case FLUSH_MW_BIND_ERR: + return IB_WC_MW_BIND_ERR; ++ case FLUSH_REM_INV_REQ_ERR: ++ return IB_WC_REM_INV_REQ_ERR; + case FLUSH_FATAL_ERR: + default: + return IB_WC_FATAL_ERR; +-- +2.35.1 + diff --git a/queue-6.0/rdma-irdma-validate-udata-inlen-and-outlen.patch b/queue-6.0/rdma-irdma-validate-udata-inlen-and-outlen.patch new file mode 100644 index 00000000000..f309284e731 --- /dev/null +++ b/queue-6.0/rdma-irdma-validate-udata-inlen-and-outlen.patch @@ -0,0 +1,270 @@ +From 1ad1e92d41022f6130f5cff4dc3a37bdcb950290 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 14:13:24 -0500 +Subject: RDMA/irdma: Validate udata inlen and outlen + +From: Shiraz Saleem + +[ Upstream commit 34acb833cc83bdea912a160ff99b537e62bb4cf3 ] + +Currently ib_copy_from_udata and ib_copy_to_udata could underfill +the request and response buffer if the user-space passes an undersized +value for udata->inlen or udata->outlen respectively [1] +This could lead to undesirable behavior. + +Zero initing the buffer only goes as far as preventing using the buffer +uninitialized. + +Validate udata->inlen and udata->outlen passed from user-space to ensure +they are at least the required minimum size. + +[1] https://lore.kernel.org/linux-rdma/MWHPR11MB0029F37D40D9D4A993F8F549E9D79@MWHPR11MB0029.namprd11.prod.outlook.com/ + +Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") +Reported-by: Dan Carpenter +Signed-off-by: Shiraz Saleem +Link: https://lore.kernel.org/r/20220907191324.1173-3-shiraz.saleem@intel.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/irdma/verbs.c | 67 ++++++++++++++++++++++++++--- + 1 file changed, 60 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c +index 6f07a913ef88..a22afbb25bc5 100644 +--- a/drivers/infiniband/hw/irdma/verbs.c ++++ b/drivers/infiniband/hw/irdma/verbs.c +@@ -299,13 +299,19 @@ static void irdma_alloc_push_page(struct irdma_qp *iwqp) + static int irdma_alloc_ucontext(struct ib_ucontext *uctx, + struct ib_udata *udata) + { ++#define IRDMA_ALLOC_UCTX_MIN_REQ_LEN offsetofend(struct irdma_alloc_ucontext_req, rsvd8) ++#define IRDMA_ALLOC_UCTX_MIN_RESP_LEN offsetofend(struct irdma_alloc_ucontext_resp, rsvd) + struct ib_device *ibdev = uctx->device; + struct irdma_device *iwdev = to_iwdev(ibdev); +- struct irdma_alloc_ucontext_req req; ++ struct irdma_alloc_ucontext_req req = {}; + struct irdma_alloc_ucontext_resp uresp = {}; + struct irdma_ucontext *ucontext = to_ucontext(uctx); + struct irdma_uk_attrs *uk_attrs; + ++ if (udata->inlen < IRDMA_ALLOC_UCTX_MIN_REQ_LEN || ++ udata->outlen < IRDMA_ALLOC_UCTX_MIN_RESP_LEN) ++ return -EINVAL; ++ + if (ib_copy_from_udata(&req, udata, min(sizeof(req), udata->inlen))) + return -EINVAL; + +@@ -317,7 +323,7 @@ static int irdma_alloc_ucontext(struct ib_ucontext *uctx, + + uk_attrs = &iwdev->rf->sc_dev.hw_attrs.uk_attrs; + /* GEN_1 legacy support with libi40iw */ +- if (udata->outlen < sizeof(uresp)) { ++ if (udata->outlen == IRDMA_ALLOC_UCTX_MIN_RESP_LEN) { + if (uk_attrs->hw_rev != IRDMA_GEN_1) + return -EOPNOTSUPP; + +@@ -389,6 +395,7 @@ static void irdma_dealloc_ucontext(struct ib_ucontext *context) + */ + static int irdma_alloc_pd(struct ib_pd *pd, struct ib_udata *udata) + { ++#define IRDMA_ALLOC_PD_MIN_RESP_LEN offsetofend(struct irdma_alloc_pd_resp, rsvd) + struct irdma_pd *iwpd = to_iwpd(pd); + struct irdma_device *iwdev = to_iwdev(pd->device); + struct irdma_sc_dev *dev = &iwdev->rf->sc_dev; +@@ -398,6 +405,9 @@ static int irdma_alloc_pd(struct ib_pd *pd, struct ib_udata *udata) + u32 pd_id = 0; + int err; + ++ if (udata && udata->outlen < IRDMA_ALLOC_PD_MIN_RESP_LEN) ++ return -EINVAL; ++ + err = irdma_alloc_rsrc(rf, rf->allocated_pds, rf->max_pd, &pd_id, + &rf->next_pd); + if (err) +@@ -814,12 +824,14 @@ static int irdma_create_qp(struct ib_qp *ibqp, + struct ib_qp_init_attr *init_attr, + struct ib_udata *udata) + { ++#define IRDMA_CREATE_QP_MIN_REQ_LEN offsetofend(struct irdma_create_qp_req, user_compl_ctx) ++#define IRDMA_CREATE_QP_MIN_RESP_LEN offsetofend(struct irdma_create_qp_resp, rsvd) + struct ib_pd *ibpd = ibqp->pd; + struct irdma_pd *iwpd = to_iwpd(ibpd); + struct irdma_device *iwdev = to_iwdev(ibpd->device); + struct irdma_pci_f *rf = iwdev->rf; + struct irdma_qp *iwqp = to_iwqp(ibqp); +- struct irdma_create_qp_req req; ++ struct irdma_create_qp_req req = {}; + struct irdma_create_qp_resp uresp = {}; + u32 qp_num = 0; + int err_code; +@@ -836,6 +848,10 @@ static int irdma_create_qp(struct ib_qp *ibqp, + if (err_code) + return err_code; + ++ if (udata && (udata->inlen < IRDMA_CREATE_QP_MIN_REQ_LEN || ++ udata->outlen < IRDMA_CREATE_QP_MIN_RESP_LEN)) ++ return -EINVAL; ++ + sq_size = init_attr->cap.max_send_wr; + rq_size = init_attr->cap.max_recv_wr; + +@@ -1120,6 +1136,8 @@ static int irdma_query_pkey(struct ib_device *ibdev, u32 port, u16 index, + int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr, + int attr_mask, struct ib_udata *udata) + { ++#define IRDMA_MODIFY_QP_MIN_REQ_LEN offsetofend(struct irdma_modify_qp_req, rq_flush) ++#define IRDMA_MODIFY_QP_MIN_RESP_LEN offsetofend(struct irdma_modify_qp_resp, push_valid) + struct irdma_pd *iwpd = to_iwpd(ibqp->pd); + struct irdma_qp *iwqp = to_iwqp(ibqp); + struct irdma_device *iwdev = iwqp->iwdev; +@@ -1138,6 +1156,13 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr, + roce_info = &iwqp->roce_info; + udp_info = &iwqp->udp_info; + ++ if (udata) { ++ /* udata inlen/outlen can be 0 when supporting legacy libi40iw */ ++ if ((udata->inlen && udata->inlen < IRDMA_MODIFY_QP_MIN_REQ_LEN) || ++ (udata->outlen && udata->outlen < IRDMA_MODIFY_QP_MIN_RESP_LEN)) ++ return -EINVAL; ++ } ++ + if (attr_mask & ~IB_QP_ATTR_STANDARD_BITS) + return -EOPNOTSUPP; + +@@ -1374,7 +1399,7 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr, + + if (iwqp->iwarp_state == IRDMA_QP_STATE_ERROR) { + spin_unlock_irqrestore(&iwqp->lock, flags); +- if (udata) { ++ if (udata && udata->inlen) { + if (ib_copy_from_udata(&ureq, udata, + min(sizeof(ureq), udata->inlen))) + return -EINVAL; +@@ -1426,7 +1451,7 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr, + } else { + iwqp->ibqp_state = attr->qp_state; + } +- if (udata && dev->hw_attrs.uk_attrs.hw_rev >= IRDMA_GEN_2) { ++ if (udata && udata->outlen && dev->hw_attrs.uk_attrs.hw_rev >= IRDMA_GEN_2) { + struct irdma_ucontext *ucontext; + + ucontext = rdma_udata_to_drv_context(udata, +@@ -1466,6 +1491,8 @@ int irdma_modify_qp_roce(struct ib_qp *ibqp, struct ib_qp_attr *attr, + int irdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask, + struct ib_udata *udata) + { ++#define IRDMA_MODIFY_QP_MIN_REQ_LEN offsetofend(struct irdma_modify_qp_req, rq_flush) ++#define IRDMA_MODIFY_QP_MIN_RESP_LEN offsetofend(struct irdma_modify_qp_resp, push_valid) + struct irdma_qp *iwqp = to_iwqp(ibqp); + struct irdma_device *iwdev = iwqp->iwdev; + struct irdma_sc_dev *dev = &iwdev->rf->sc_dev; +@@ -1480,6 +1507,13 @@ int irdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask, + int err; + unsigned long flags; + ++ if (udata) { ++ /* udata inlen/outlen can be 0 when supporting legacy libi40iw */ ++ if ((udata->inlen && udata->inlen < IRDMA_MODIFY_QP_MIN_REQ_LEN) || ++ (udata->outlen && udata->outlen < IRDMA_MODIFY_QP_MIN_RESP_LEN)) ++ return -EINVAL; ++ } ++ + if (attr_mask & ~IB_QP_ATTR_STANDARD_BITS) + return -EOPNOTSUPP; + +@@ -1565,7 +1599,7 @@ int irdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask, + case IB_QPS_RESET: + if (iwqp->iwarp_state == IRDMA_QP_STATE_ERROR) { + spin_unlock_irqrestore(&iwqp->lock, flags); +- if (udata) { ++ if (udata && udata->inlen) { + if (ib_copy_from_udata(&ureq, udata, + min(sizeof(ureq), udata->inlen))) + return -EINVAL; +@@ -1662,7 +1696,7 @@ int irdma_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, int attr_mask, + } + } + } +- if (attr_mask & IB_QP_STATE && udata && ++ if (attr_mask & IB_QP_STATE && udata && udata->outlen && + dev->hw_attrs.uk_attrs.hw_rev >= IRDMA_GEN_2) { + struct irdma_ucontext *ucontext; + +@@ -1797,6 +1831,7 @@ static int irdma_destroy_cq(struct ib_cq *ib_cq, struct ib_udata *udata) + static int irdma_resize_cq(struct ib_cq *ibcq, int entries, + struct ib_udata *udata) + { ++#define IRDMA_RESIZE_CQ_MIN_REQ_LEN offsetofend(struct irdma_resize_cq_req, user_cq_buffer) + struct irdma_cq *iwcq = to_iwcq(ibcq); + struct irdma_sc_dev *dev = iwcq->sc_cq.dev; + struct irdma_cqp_request *cqp_request; +@@ -1819,6 +1854,9 @@ static int irdma_resize_cq(struct ib_cq *ibcq, int entries, + IRDMA_FEATURE_CQ_RESIZE)) + return -EOPNOTSUPP; + ++ if (udata && udata->inlen < IRDMA_RESIZE_CQ_MIN_REQ_LEN) ++ return -EINVAL; ++ + if (entries > rf->max_cqe) + return -EINVAL; + +@@ -1951,6 +1989,8 @@ static int irdma_create_cq(struct ib_cq *ibcq, + const struct ib_cq_init_attr *attr, + struct ib_udata *udata) + { ++#define IRDMA_CREATE_CQ_MIN_REQ_LEN offsetofend(struct irdma_create_cq_req, user_cq_buf) ++#define IRDMA_CREATE_CQ_MIN_RESP_LEN offsetofend(struct irdma_create_cq_resp, cq_size) + struct ib_device *ibdev = ibcq->device; + struct irdma_device *iwdev = to_iwdev(ibdev); + struct irdma_pci_f *rf = iwdev->rf; +@@ -1969,6 +2009,11 @@ static int irdma_create_cq(struct ib_cq *ibcq, + err_code = cq_validate_flags(attr->flags, dev->hw_attrs.uk_attrs.hw_rev); + if (err_code) + return err_code; ++ ++ if (udata && (udata->inlen < IRDMA_CREATE_CQ_MIN_REQ_LEN || ++ udata->outlen < IRDMA_CREATE_CQ_MIN_RESP_LEN)) ++ return -EINVAL; ++ + err_code = irdma_alloc_rsrc(rf, rf->allocated_cqs, rf->max_cq, &cq_num, + &rf->next_cq); + if (err_code) +@@ -2746,6 +2791,7 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len, + u64 virt, int access, + struct ib_udata *udata) + { ++#define IRDMA_MEM_REG_MIN_REQ_LEN offsetofend(struct irdma_mem_reg_req, sq_pages) + struct irdma_device *iwdev = to_iwdev(pd->device); + struct irdma_ucontext *ucontext; + struct irdma_pble_alloc *palloc; +@@ -2763,6 +2809,9 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len, + if (len > iwdev->rf->sc_dev.hw_attrs.max_mr_size) + return ERR_PTR(-EINVAL); + ++ if (udata->inlen < IRDMA_MEM_REG_MIN_REQ_LEN) ++ return ERR_PTR(-EINVAL); ++ + region = ib_umem_get(pd->device, start, len, access); + + if (IS_ERR(region)) { +@@ -4298,12 +4347,16 @@ static int irdma_create_user_ah(struct ib_ah *ibah, + struct rdma_ah_init_attr *attr, + struct ib_udata *udata) + { ++#define IRDMA_CREATE_AH_MIN_RESP_LEN offsetofend(struct irdma_create_ah_resp, rsvd) + struct irdma_ah *ah = container_of(ibah, struct irdma_ah, ibah); + struct irdma_device *iwdev = to_iwdev(ibah->pd->device); + struct irdma_create_ah_resp uresp; + struct irdma_ah *parent_ah; + int err; + ++ if (udata && udata->outlen < IRDMA_CREATE_AH_MIN_RESP_LEN) ++ return -EINVAL; ++ + err = irdma_setup_ah(ibah, attr); + if (err) + return err; +-- +2.35.1 + diff --git a/queue-6.0/rdma-mlx5-don-t-compare-mkey-tags-in-devx-indirect-m.patch b/queue-6.0/rdma-mlx5-don-t-compare-mkey-tags-in-devx-indirect-m.patch new file mode 100644 index 00000000000..1efc1c0d4cf --- /dev/null +++ b/queue-6.0/rdma-mlx5-don-t-compare-mkey-tags-in-devx-indirect-m.patch @@ -0,0 +1,77 @@ +From 11ae94d16207bf8df4c7256e26f4c587d7cdd095 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 11:26:36 +0300 +Subject: RDMA/mlx5: Don't compare mkey tags in DEVX indirect mkey + +From: Aharon Landau + +[ Upstream commit 13ad1125b941a5f257d9d3ae70485773abd34792 ] + +According to the ib spec: +If the CI supports the Base Memory Management Extensions defined in this +specification, the L_Key format must consist of: +24 bit index in the most significant bits of the R_Key, and +8 bit key in the least significant bits of the R_Key +Through a successful Allocate L_Key verb invocation, the CI must let the +consumer own the key portion of the returned R_Key + +Therefore, when creating a mkey using DEVX, the consumer is allowed to +change the key part. The kernel should compare only the index part of a +R_Key to determine equality with another R_Key. + +Adding capability in order not to break backward compatibility. + +Fixes: 534fd7aac56a ("IB/mlx5: Manage indirection mkey upon DEVX flow for ODP") +Link: https://lore.kernel.org/r/3d669aacea85a3a15c3b3b953b3eaba3f80ef9be.1659255945.git.leonro@nvidia.com +Signed-off-by: Aharon Landau +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx5/main.c | 3 +++ + drivers/infiniband/hw/mlx5/odp.c | 3 ++- + include/uapi/rdma/mlx5-abi.h | 1 + + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx5/main.c b/drivers/infiniband/hw/mlx5/main.c +index 883d7c60143e..1aa0c772b44d 100644 +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -1826,6 +1826,9 @@ static int set_ucontext_resp(struct ib_ucontext *uctx, + if (MLX5_CAP_GEN(dev->mdev, drain_sigerr)) + resp->comp_mask |= MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_SQD2RTS; + ++ resp->comp_mask |= ++ MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_MKEY_UPDATE_TAG; ++ + return 0; + } + +diff --git a/drivers/infiniband/hw/mlx5/odp.c b/drivers/infiniband/hw/mlx5/odp.c +index e305bf1dc6c2..901a8b030236 100644 +--- a/drivers/infiniband/hw/mlx5/odp.c ++++ b/drivers/infiniband/hw/mlx5/odp.c +@@ -795,7 +795,8 @@ static bool mkey_is_eq(struct mlx5_ib_mkey *mmkey, u32 key) + { + if (!mmkey) + return false; +- if (mmkey->type == MLX5_MKEY_MW) ++ if (mmkey->type == MLX5_MKEY_MW || ++ mmkey->type == MLX5_MKEY_INDIRECT_DEVX) + return mlx5_base_mkey(mmkey->key) == mlx5_base_mkey(key); + return mmkey->key == key; + } +diff --git a/include/uapi/rdma/mlx5-abi.h b/include/uapi/rdma/mlx5-abi.h +index 86be4a92b67b..a96b7d2770e1 100644 +--- a/include/uapi/rdma/mlx5-abi.h ++++ b/include/uapi/rdma/mlx5-abi.h +@@ -104,6 +104,7 @@ enum mlx5_ib_alloc_ucontext_resp_mask { + MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_ECE = 1UL << 2, + MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_SQD2RTS = 1UL << 3, + MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_REAL_TIME_TS = 1UL << 4, ++ MLX5_IB_ALLOC_UCONTEXT_RESP_MASK_MKEY_UPDATE_TAG = 1UL << 5, + }; + + enum mlx5_user_cmds_supp_uhw { +-- +2.35.1 + diff --git a/queue-6.0/rdma-rxe-delete-error-messages-triggered-by-incoming.patch b/queue-6.0/rdma-rxe-delete-error-messages-triggered-by-incoming.patch new file mode 100644 index 00000000000..33d88232618 --- /dev/null +++ b/queue-6.0/rdma-rxe-delete-error-messages-triggered-by-incoming.patch @@ -0,0 +1,54 @@ +From 27488902d4aad25517d5466243aded74df1c54ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 16:12:18 +0900 +Subject: RDMA/rxe: Delete error messages triggered by incoming Read requests + +From: Daisuke Matsuda + +[ Upstream commit 2c02249fcbfc066bd33e2a7375c7006d4cb367f6 ] + +An incoming Read request causes multiple Read responses. If a user MR to +copy data from is unavailable or responder cannot send a reply, then the +error messages can be printed for each response attempt, resulting in +message overflow. + +Link: https://lore.kernel.org/r/20220829071218.1639065-1-matsuda-daisuke@fujitsu.com +Signed-off-by: Daisuke Matsuda +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_resp.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_resp.c b/drivers/infiniband/sw/rxe/rxe_resp.c +index b36ec5c4d5e0..7c336db5cb54 100644 +--- a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -809,10 +809,8 @@ static enum resp_states read_reply(struct rxe_qp *qp, + if (!skb) + return RESPST_ERR_RNR; + +- err = rxe_mr_copy(mr, res->read.va, payload_addr(&ack_pkt), +- payload, RXE_FROM_MR_OBJ); +- if (err) +- pr_err("Failed copying memory\n"); ++ rxe_mr_copy(mr, res->read.va, payload_addr(&ack_pkt), ++ payload, RXE_FROM_MR_OBJ); + if (mr) + rxe_put(mr); + +@@ -823,10 +821,8 @@ static enum resp_states read_reply(struct rxe_qp *qp, + } + + err = rxe_xmit_packet(qp, &ack_pkt, skb); +- if (err) { +- pr_err("Failed sending RDMA reply.\n"); ++ if (err) + return RESPST_ERR_RNR; +- } + + res->read.va += payload; + res->read.resid -= payload; +-- +2.35.1 + diff --git a/queue-6.0/rdma-rxe-fix-kernel-null-pointer-dereference-error.patch b/queue-6.0/rdma-rxe-fix-kernel-null-pointer-dereference-error.patch new file mode 100644 index 00000000000..c4afe3f7ad7 --- /dev/null +++ b/queue-6.0/rdma-rxe-fix-kernel-null-pointer-dereference-error.patch @@ -0,0 +1,48 @@ +From f73f62b760603bd2c4f03b4acfabd2259f5e95f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 21:16:13 -0400 +Subject: RDMA/rxe: Fix "kernel NULL pointer dereference" error + +From: Zhu Yanjun + +[ Upstream commit a625ca30eff806395175ebad3ac1399014bdb280 ] + +When rxe_queue_init in the function rxe_qp_init_req fails, +both qp->req.task.func and qp->req.task.arg are not initialized. + +Because of creation of qp fails, the function rxe_create_qp will +call rxe_qp_do_cleanup to handle allocated resource. + +Before calling __rxe_do_task, both qp->req.task.func and +qp->req.task.arg should be checked. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20220822011615.805603-2-yanjun.zhu@linux.dev +Reported-by: syzbot+ab99dc4c6e961eed8b8e@syzkaller.appspotmail.com +Signed-off-by: Zhu Yanjun +Reviewed-by: Li Zhijian +Reviewed-by: Bob Pearson +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index 516bf9b95e48..fda03f9f03ed 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -797,7 +797,9 @@ static void rxe_qp_do_cleanup(struct work_struct *work) + rxe_cleanup_task(&qp->comp.task); + + /* flush out any receive wr's or pending requests */ +- __rxe_do_task(&qp->req.task); ++ if (qp->req.task.func) ++ __rxe_do_task(&qp->req.task); ++ + if (qp->sq.queue) { + __rxe_do_task(&qp->comp.task); + __rxe_do_task(&qp->req.task); +-- +2.35.1 + diff --git a/queue-6.0/rdma-rxe-fix-resize_finish-in-rxe_queue.c.patch b/queue-6.0/rdma-rxe-fix-resize_finish-in-rxe_queue.c.patch new file mode 100644 index 00000000000..6f4380096f3 --- /dev/null +++ b/queue-6.0/rdma-rxe-fix-resize_finish-in-rxe_queue.c.patch @@ -0,0 +1,65 @@ +From 224fced3ab7cb52b154d13db5cfe75dd179f4c66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 17:14:47 -0500 +Subject: RDMA/rxe: Fix resize_finish() in rxe_queue.c + +From: Bob Pearson + +[ Upstream commit fda5d0cf8aef12f0a4f714a96a4b2fce039a3e55 ] + +Currently in resize_finish() in rxe_queue.c there is a loop which copies +the entries in the original queue into a newly allocated queue. The +termination logic for this loop is incorrect. The call to +queue_next_index() updates cons but has no effect on whether the queue is +empty. So if the queue starts out empty nothing is copied but if it is not +then the loop will run forever. This patch changes the loop to compare the +value of cons to the original producer index. + +Fixes: ae6e843fe08d0 ("RDMA/rxe: Add memory barriers to kernel queues") +Link: https://lore.kernel.org/r/20220825221446.6512-1-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Reviewed-by: Li Zhijian +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_queue.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_queue.c b/drivers/infiniband/sw/rxe/rxe_queue.c +index dbd4971039c0..d6dbf5a0058d 100644 +--- a/drivers/infiniband/sw/rxe/rxe_queue.c ++++ b/drivers/infiniband/sw/rxe/rxe_queue.c +@@ -112,23 +112,25 @@ static int resize_finish(struct rxe_queue *q, struct rxe_queue *new_q, + unsigned int num_elem) + { + enum queue_type type = q->type; ++ u32 new_prod; + u32 prod; + u32 cons; + + if (!queue_empty(q, q->type) && (num_elem < queue_count(q, type))) + return -EINVAL; + +- prod = queue_get_producer(new_q, type); ++ new_prod = queue_get_producer(new_q, type); ++ prod = queue_get_producer(q, type); + cons = queue_get_consumer(q, type); + +- while (!queue_empty(q, type)) { +- memcpy(queue_addr_from_index(new_q, prod), ++ while ((prod - cons) & q->index_mask) { ++ memcpy(queue_addr_from_index(new_q, new_prod), + queue_addr_from_index(q, cons), new_q->elem_size); +- prod = queue_next_index(new_q, prod); ++ new_prod = queue_next_index(new_q, new_prod); + cons = queue_next_index(q, cons); + } + +- new_q->buf->producer_index = prod; ++ new_q->buf->producer_index = new_prod; + q->buf->consumer_index = cons; + + /* update private index copies */ +-- +2.35.1 + diff --git a/queue-6.0/rdma-rxe-fix-the-error-caused-by-qp-sk.patch b/queue-6.0/rdma-rxe-fix-the-error-caused-by-qp-sk.patch new file mode 100644 index 00000000000..e46d2ad41d5 --- /dev/null +++ b/queue-6.0/rdma-rxe-fix-the-error-caused-by-qp-sk.patch @@ -0,0 +1,48 @@ +From a453d48b2a3b705fd877b9e9ba963c7b7c0ded1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 21 Aug 2022 21:16:14 -0400 +Subject: RDMA/rxe: Fix the error caused by qp->sk + +From: Zhu Yanjun + +[ Upstream commit 548ce2e66725dcba4e27d1e8ac468d5dd17fd509 ] + +When sock_create_kern in the function rxe_qp_init_req fails, +qp->sk is set to NULL. + +Then the function rxe_create_qp will call rxe_qp_do_cleanup +to handle allocated resource. + +Before handling qp->sk, this variable should be checked. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20220822011615.805603-3-yanjun.zhu@linux.dev +Signed-off-by: Zhu Yanjun +Reviewed-by: Li Zhijian +Reviewed-by: Bob Pearson +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_qp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c +index fda03f9f03ed..d776dfda43b1 100644 +--- a/drivers/infiniband/sw/rxe/rxe_qp.c ++++ b/drivers/infiniband/sw/rxe/rxe_qp.c +@@ -835,8 +835,10 @@ static void rxe_qp_do_cleanup(struct work_struct *work) + + free_rd_atomic_resources(qp); + +- kernel_sock_shutdown(qp->sk, SHUT_RDWR); +- sock_release(qp->sk); ++ if (qp->sk) { ++ kernel_sock_shutdown(qp->sk, SHUT_RDWR); ++ sock_release(qp->sk); ++ } + } + + /* called when the last reference to the qp is dropped */ +-- +2.35.1 + diff --git a/queue-6.0/rdma-rxe-set-pd-early-in-mr-alloc-routines.patch b/queue-6.0/rdma-rxe-set-pd-early-in-mr-alloc-routines.patch new file mode 100644 index 00000000000..e195fa08ca2 --- /dev/null +++ b/queue-6.0/rdma-rxe-set-pd-early-in-mr-alloc-routines.patch @@ -0,0 +1,157 @@ +From 3ca741f19f1ed4d57006a4ac5aa1ae94d68de06f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Aug 2022 13:31:54 -0500 +Subject: RDMA/rxe: Set pd early in mr alloc routines + +From: Bob Pearson + +[ Upstream commit 58651bbb30f87dab474eff31ab564391aa6ea1f3 ] + +Move setting of pd in mr objects ahead of any possible errors so that it +will always be set in rxe_mr_cleanup() to avoid seg faults when +rxe_put(mr_pd(mr)) is called. + +Fixes: cf40367961d8 ("RDMA/rxe: Move mr cleanup code to rxe_mr_cleanup()") +Link: https://lore.kernel.org/r/20220805183153.32007-2-rpearsonhpe@gmail.com +Signed-off-by: Bob Pearson +Reviewed-by: Li Zhijian +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_loc.h | 6 +++--- + drivers/infiniband/sw/rxe/rxe_mr.c | 11 ++++------- + drivers/infiniband/sw/rxe/rxe_verbs.c | 12 +++++++----- + 3 files changed, 14 insertions(+), 15 deletions(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_loc.h b/drivers/infiniband/sw/rxe/rxe_loc.h +index 22f6cc31d1d6..c2a5c8814a48 100644 +--- a/drivers/infiniband/sw/rxe/rxe_loc.h ++++ b/drivers/infiniband/sw/rxe/rxe_loc.h +@@ -64,10 +64,10 @@ int rxe_mmap(struct ib_ucontext *context, struct vm_area_struct *vma); + + /* rxe_mr.c */ + u8 rxe_get_next_key(u32 last_key); +-void rxe_mr_init_dma(struct rxe_pd *pd, int access, struct rxe_mr *mr); +-int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova, ++void rxe_mr_init_dma(int access, struct rxe_mr *mr); ++int rxe_mr_init_user(struct rxe_dev *rxe, u64 start, u64 length, u64 iova, + int access, struct rxe_mr *mr); +-int rxe_mr_init_fast(struct rxe_pd *pd, int max_pages, struct rxe_mr *mr); ++int rxe_mr_init_fast(int max_pages, struct rxe_mr *mr); + int rxe_mr_copy(struct rxe_mr *mr, u64 iova, void *addr, int length, + enum rxe_mr_copy_dir dir); + int copy_data(struct rxe_pd *pd, int access, struct rxe_dma_info *dma, +diff --git a/drivers/infiniband/sw/rxe/rxe_mr.c b/drivers/infiniband/sw/rxe/rxe_mr.c +index 850b80f5ad8b..af34f198e645 100644 +--- a/drivers/infiniband/sw/rxe/rxe_mr.c ++++ b/drivers/infiniband/sw/rxe/rxe_mr.c +@@ -103,17 +103,16 @@ static int rxe_mr_alloc(struct rxe_mr *mr, int num_buf) + return -ENOMEM; + } + +-void rxe_mr_init_dma(struct rxe_pd *pd, int access, struct rxe_mr *mr) ++void rxe_mr_init_dma(int access, struct rxe_mr *mr) + { + rxe_mr_init(access, mr); + +- mr->ibmr.pd = &pd->ibpd; + mr->access = access; + mr->state = RXE_MR_STATE_VALID; + mr->type = IB_MR_TYPE_DMA; + } + +-int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova, ++int rxe_mr_init_user(struct rxe_dev *rxe, u64 start, u64 length, u64 iova, + int access, struct rxe_mr *mr) + { + struct rxe_map **map; +@@ -125,7 +124,7 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova, + int err; + int i; + +- umem = ib_umem_get(pd->ibpd.device, start, length, access); ++ umem = ib_umem_get(&rxe->ib_dev, start, length, access); + if (IS_ERR(umem)) { + pr_warn("%s: Unable to pin memory region err = %d\n", + __func__, (int)PTR_ERR(umem)); +@@ -175,7 +174,6 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova, + } + } + +- mr->ibmr.pd = &pd->ibpd; + mr->umem = umem; + mr->access = access; + mr->length = length; +@@ -197,7 +195,7 @@ int rxe_mr_init_user(struct rxe_pd *pd, u64 start, u64 length, u64 iova, + return err; + } + +-int rxe_mr_init_fast(struct rxe_pd *pd, int max_pages, struct rxe_mr *mr) ++int rxe_mr_init_fast(int max_pages, struct rxe_mr *mr) + { + int err; + +@@ -208,7 +206,6 @@ int rxe_mr_init_fast(struct rxe_pd *pd, int max_pages, struct rxe_mr *mr) + if (err) + goto err1; + +- mr->ibmr.pd = &pd->ibpd; + mr->max_buf = max_pages; + mr->state = RXE_MR_STATE_FREE; + mr->type = IB_MR_TYPE_MEM_REG; +diff --git a/drivers/infiniband/sw/rxe/rxe_verbs.c b/drivers/infiniband/sw/rxe/rxe_verbs.c +index e264cf69bf55..f54a3eba652f 100644 +--- a/drivers/infiniband/sw/rxe/rxe_verbs.c ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c +@@ -903,7 +903,9 @@ static struct ib_mr *rxe_get_dma_mr(struct ib_pd *ibpd, int access) + return ERR_PTR(-ENOMEM); + + rxe_get(pd); +- rxe_mr_init_dma(pd, access, mr); ++ mr->ibmr.pd = ibpd; ++ ++ rxe_mr_init_dma(access, mr); + rxe_finalize(mr); + + return &mr->ibmr; +@@ -928,8 +930,9 @@ static struct ib_mr *rxe_reg_user_mr(struct ib_pd *ibpd, + + + rxe_get(pd); ++ mr->ibmr.pd = ibpd; + +- err = rxe_mr_init_user(pd, start, length, iova, access, mr); ++ err = rxe_mr_init_user(rxe, start, length, iova, access, mr); + if (err) + goto err3; + +@@ -938,7 +941,6 @@ static struct ib_mr *rxe_reg_user_mr(struct ib_pd *ibpd, + return &mr->ibmr; + + err3: +- rxe_put(pd); + rxe_cleanup(mr); + err2: + return ERR_PTR(err); +@@ -962,8 +964,9 @@ static struct ib_mr *rxe_alloc_mr(struct ib_pd *ibpd, enum ib_mr_type mr_type, + } + + rxe_get(pd); ++ mr->ibmr.pd = ibpd; + +- err = rxe_mr_init_fast(pd, max_num_sg, mr); ++ err = rxe_mr_init_fast(max_num_sg, mr); + if (err) + goto err2; + +@@ -972,7 +975,6 @@ static struct ib_mr *rxe_alloc_mr(struct ib_pd *ibpd, enum ib_mr_type mr_type, + return &mr->ibmr; + + err2: +- rxe_put(pd); + rxe_cleanup(mr); + err1: + return ERR_PTR(err); +-- +2.35.1 + diff --git a/queue-6.0/rdma-siw-always-consume-all-skbuf-data-in-sk_data_re.patch b/queue-6.0/rdma-siw-always-consume-all-skbuf-data-in-sk_data_re.patch new file mode 100644 index 00000000000..3d0e8fddaec --- /dev/null +++ b/queue-6.0/rdma-siw-always-consume-all-skbuf-data-in-sk_data_re.patch @@ -0,0 +1,99 @@ +From 65e3fa458a4371e55042aef1f75db0e5556d1717 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 10:12:02 +0200 +Subject: RDMA/siw: Always consume all skbuf data in sk_data_ready() upcall. + +From: Bernard Metzler + +[ Upstream commit 754209850df8367c954ac1de7671c7430b1f342c ] + +For header and trailer/padding processing, siw did not consume new +skb data until minimum amount present to fill current header or trailer +structure, including potential payload padding. Not consuming any +data during upcall may cause a receive stall, since tcp_read_sock() +is not upcalling again if no new data arrive. +A NFSoRDMA client got stuck at RDMA Write reception of unaligned +payload, if the current skb did contain only the expected 3 padding +bytes, but not the 4 bytes CRC trailer. Expecting 4 more bytes already +arrived in another skb, and not consuming those 3 bytes in the current +upcall left the Write incomplete, waiting for the CRC forever. + +Fixes: 8b6a361b8c48 ("rdma/siw: receive path") +Reported-by: Olga Kornievskaia +Tested-by: Olga Kornievskaia +Signed-off-by: Bernard Metzler +Link: https://lore.kernel.org/r/20220920081202.223629-1-bmt@zurich.ibm.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw_qp_rx.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/drivers/infiniband/sw/siw/siw_qp_rx.c b/drivers/infiniband/sw/siw/siw_qp_rx.c +index 875ea6f1b04a..fd721cc19682 100644 +--- a/drivers/infiniband/sw/siw/siw_qp_rx.c ++++ b/drivers/infiniband/sw/siw/siw_qp_rx.c +@@ -961,27 +961,28 @@ int siw_proc_terminate(struct siw_qp *qp) + static int siw_get_trailer(struct siw_qp *qp, struct siw_rx_stream *srx) + { + struct sk_buff *skb = srx->skb; ++ int avail = min(srx->skb_new, srx->fpdu_part_rem); + u8 *tbuf = (u8 *)&srx->trailer.crc - srx->pad; + __wsum crc_in, crc_own = 0; + + siw_dbg_qp(qp, "expected %d, available %d, pad %u\n", + srx->fpdu_part_rem, srx->skb_new, srx->pad); + +- if (srx->skb_new < srx->fpdu_part_rem) +- return -EAGAIN; +- +- skb_copy_bits(skb, srx->skb_offset, tbuf, srx->fpdu_part_rem); ++ skb_copy_bits(skb, srx->skb_offset, tbuf, avail); + +- if (srx->mpa_crc_hd && srx->pad) +- crypto_shash_update(srx->mpa_crc_hd, tbuf, srx->pad); ++ srx->skb_new -= avail; ++ srx->skb_offset += avail; ++ srx->skb_copied += avail; ++ srx->fpdu_part_rem -= avail; + +- srx->skb_new -= srx->fpdu_part_rem; +- srx->skb_offset += srx->fpdu_part_rem; +- srx->skb_copied += srx->fpdu_part_rem; ++ if (srx->fpdu_part_rem) ++ return -EAGAIN; + + if (!srx->mpa_crc_hd) + return 0; + ++ if (srx->pad) ++ crypto_shash_update(srx->mpa_crc_hd, tbuf, srx->pad); + /* + * CRC32 is computed, transmitted and received directly in NBO, + * so there's never a reason to convert byte order. +@@ -1083,10 +1084,9 @@ static int siw_get_hdr(struct siw_rx_stream *srx) + * completely received. + */ + if (iwarp_pktinfo[opcode].hdr_len > sizeof(struct iwarp_ctrl_tagged)) { +- bytes = iwarp_pktinfo[opcode].hdr_len - MIN_DDP_HDR; ++ int hdrlen = iwarp_pktinfo[opcode].hdr_len; + +- if (srx->skb_new < bytes) +- return -EAGAIN; ++ bytes = min_t(int, hdrlen - MIN_DDP_HDR, srx->skb_new); + + skb_copy_bits(skb, srx->skb_offset, + (char *)c_hdr + srx->fpdu_part_rcvd, bytes); +@@ -1096,6 +1096,9 @@ static int siw_get_hdr(struct siw_rx_stream *srx) + srx->skb_new -= bytes; + srx->skb_offset += bytes; + srx->skb_copied += bytes; ++ ++ if (srx->fpdu_part_rcvd < hdrlen) ++ return -EAGAIN; + } + + /* +-- +2.35.1 + diff --git a/queue-6.0/rdma-siw-fix-qp-destroy-to-wait-for-all-references-d.patch b/queue-6.0/rdma-siw-fix-qp-destroy-to-wait-for-all-references-d.patch new file mode 100644 index 00000000000..eeb4f81e184 --- /dev/null +++ b/queue-6.0/rdma-siw-fix-qp-destroy-to-wait-for-all-references-d.patch @@ -0,0 +1,78 @@ +From 0f57ba1989ed85cee73f0b5e1fb1751092326ac1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 10:25:03 +0200 +Subject: RDMA/siw: Fix QP destroy to wait for all references dropped. + +From: Bernard Metzler + +[ Upstream commit a3c278807a459e6f50afee6971cabe74cccfb490 ] + +Delay QP destroy completion until all siw references to QP are +dropped. The calling RDMA core will free QP structure after +successful return from siw_qp_destroy() call, so siw must not +hold any remaining reference to the QP upon return. +A use-after-free was encountered in xfstest generic/460, while +testing NFSoRDMA. Here, after a TCP connection drop by peer, +the triggered siw_cm_work_handler got delayed until after +QP destroy call, referencing a QP which has already freed. + +Fixes: 303ae1cdfdf7 ("rdma/siw: application interface") +Reported-by: Olga Kornievskaia +Signed-off-by: Bernard Metzler +Link: https://lore.kernel.org/r/20220920082503.224189-1-bmt@zurich.ibm.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/siw/siw.h | 1 + + drivers/infiniband/sw/siw/siw_qp.c | 2 +- + drivers/infiniband/sw/siw/siw_verbs.c | 3 +++ + 3 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/siw/siw.h b/drivers/infiniband/sw/siw/siw.h +index df03d84c6868..2f3a9cda3850 100644 +--- a/drivers/infiniband/sw/siw/siw.h ++++ b/drivers/infiniband/sw/siw/siw.h +@@ -418,6 +418,7 @@ struct siw_qp { + struct ib_qp base_qp; + struct siw_device *sdev; + struct kref ref; ++ struct completion qp_free; + struct list_head devq; + int tx_cpu; + struct siw_qp_attrs attrs; +diff --git a/drivers/infiniband/sw/siw/siw_qp.c b/drivers/infiniband/sw/siw/siw_qp.c +index 7e01f2438afc..e6f634971228 100644 +--- a/drivers/infiniband/sw/siw/siw_qp.c ++++ b/drivers/infiniband/sw/siw/siw_qp.c +@@ -1342,6 +1342,6 @@ void siw_free_qp(struct kref *ref) + vfree(qp->orq); + + siw_put_tx_cpu(qp->tx_cpu); +- ++ complete(&qp->qp_free); + atomic_dec(&sdev->num_qp); + } +diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c +index 8dedae7ae79e..3e814cfb298c 100644 +--- a/drivers/infiniband/sw/siw/siw_verbs.c ++++ b/drivers/infiniband/sw/siw/siw_verbs.c +@@ -480,6 +480,8 @@ int siw_create_qp(struct ib_qp *ibqp, struct ib_qp_init_attr *attrs, + list_add_tail(&qp->devq, &sdev->qp_list); + spin_unlock_irqrestore(&sdev->lock, flags); + ++ init_completion(&qp->qp_free); ++ + return 0; + + err_out_xa: +@@ -624,6 +626,7 @@ int siw_destroy_qp(struct ib_qp *base_qp, struct ib_udata *udata) + qp->scq = qp->rcq = NULL; + + siw_qp_put(qp); ++ wait_for_completion(&qp->qp_free); + + return 0; + } +-- +2.35.1 + diff --git a/queue-6.0/rdma-srp-fix-srp_abort.patch b/queue-6.0/rdma-srp-fix-srp_abort.patch new file mode 100644 index 00000000000..8fdaa3d2b1e --- /dev/null +++ b/queue-6.0/rdma-srp-fix-srp_abort.patch @@ -0,0 +1,47 @@ +From c46fb848b696ced8e5906d67ec170e35490417e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:31:39 -0700 +Subject: RDMA/srp: Fix srp_abort() + +From: Bart Van Assche + +[ Upstream commit 6dbe4a8dead84de474483910b02ec9e6a10fc1a9 ] + +Fix the code for converting a SCSI command pointer into an SRP request +pointer. + +Cc: Xiao Yang +Fixes: ad215aaea4f9 ("RDMA/srp: Make struct scsi_cmnd and struct srp_request adjacent") +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20220908233139.3042628-1-bvanassche@acm.org +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srp/ib_srp.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index d7f69e593a63..9c9872868aee 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -2789,7 +2789,7 @@ static int srp_send_tsk_mgmt(struct srp_rdma_ch *ch, u64 req_tag, u64 lun, + static int srp_abort(struct scsi_cmnd *scmnd) + { + struct srp_target_port *target = host_to_target(scmnd->device->host); +- struct srp_request *req = (struct srp_request *) scmnd->host_scribble; ++ struct srp_request *req = scsi_cmd_priv(scmnd); + u32 tag; + u16 ch_idx; + struct srp_rdma_ch *ch; +@@ -2797,8 +2797,6 @@ static int srp_abort(struct scsi_cmnd *scmnd) + + shost_printk(KERN_ERR, target->scsi_host, "SRP abort called\n"); + +- if (!req) +- return SUCCESS; + tag = blk_mq_unique_tag(scsi_cmd_to_rq(scmnd)); + ch_idx = blk_mq_unique_tag_to_hwq(tag); + if (WARN_ON_ONCE(ch_idx >= target->ch_count)) +-- +2.35.1 + diff --git a/queue-6.0/rdma-srp-handle-dev_set_name-failure.patch b/queue-6.0/rdma-srp-handle-dev_set_name-failure.patch new file mode 100644 index 00000000000..c7558b65f2d --- /dev/null +++ b/queue-6.0/rdma-srp-handle-dev_set_name-failure.patch @@ -0,0 +1,48 @@ +From 81f04d43847d593097f0e855ff7c6e552f49aee5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 14:38:59 -0700 +Subject: RDMA/srp: Handle dev_set_name() failure + +From: Bart Van Assche + +[ Upstream commit 351e458f725da8106eba920f3cdecf39a0e31136 ] + +Instead of ignoring dev_set_name() failure, handle dev_set_name() +failure. Convert a device_register() call into device_initialize() and +device_add() calls. + +Link: https://lore.kernel.org/r/20220825213900.864587-4-bvanassche@acm.org +Reported-by: Bo Liu +Signed-off-by: Bart Van Assche +Signed-off-by: Leon Romanovsky +Stable-dep-of: b05398aff9ad ("RDMA/srp: Support more than 255 rdma ports") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srp/ib_srp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index 4039cd744d03..fc4777f22fd3 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -3902,12 +3902,13 @@ static struct srp_host *srp_add_port(struct srp_device *device, u8 port) + host->srp_dev = device; + host->port = port; + ++ device_initialize(&host->dev); + host->dev.class = &srp_class; + host->dev.parent = device->dev->dev.parent; +- dev_set_name(&host->dev, "srp-%s-%d", dev_name(&device->dev->dev), +- port); +- +- if (device_register(&host->dev)) ++ if (dev_set_name(&host->dev, "srp-%s-%d", dev_name(&device->dev->dev), ++ port)) ++ goto put_host; ++ if (device_add(&host->dev)) + goto put_host; + if (device_create_file(&host->dev, &dev_attr_add_target)) + goto put_host; +-- +2.35.1 + diff --git a/queue-6.0/rdma-srp-rework-the-srp_add_port-error-path.patch b/queue-6.0/rdma-srp-rework-the-srp_add_port-error-path.patch new file mode 100644 index 00000000000..2bdd68ae94e --- /dev/null +++ b/queue-6.0/rdma-srp-rework-the-srp_add_port-error-path.patch @@ -0,0 +1,61 @@ +From dbbe4c253fcc084c7dd8c32b5696dc947b8fe98b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 14:38:57 -0700 +Subject: RDMA/srp: Rework the srp_add_port() error path + +From: Bart Van Assche + +[ Upstream commit c8e4c23976554fb9dda1658bd1a3914b202815cd ] + +device_register() always calls device_initialize() so calling device_del() +is safe even if device_register() fails. Implement the following advice +from the comment block above device_register(): "NOTE: _Never_ directly free +@dev after calling this function, even if it returned an error! Always use +put_device() to give up the reference initialized in this function instead." +Keep the kfree() call in the error path since srp_release_dev() does not +free the host. + +Link: https://lore.kernel.org/r/20220825213900.864587-2-bvanassche@acm.org +Signed-off-by: Bart Van Assche +Signed-off-by: Leon Romanovsky +Stable-dep-of: b05398aff9ad ("RDMA/srp: Support more than 255 rdma ports") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srp/ib_srp.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index 9c9872868aee..4039cd744d03 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -3908,20 +3908,19 @@ static struct srp_host *srp_add_port(struct srp_device *device, u8 port) + port); + + if (device_register(&host->dev)) +- goto free_host; ++ goto put_host; + if (device_create_file(&host->dev, &dev_attr_add_target)) +- goto err_class; ++ goto put_host; + if (device_create_file(&host->dev, &dev_attr_ibdev)) +- goto err_class; ++ goto put_host; + if (device_create_file(&host->dev, &dev_attr_port)) +- goto err_class; ++ goto put_host; + + return host; + +-err_class: +- device_unregister(&host->dev); +- +-free_host: ++put_host: ++ device_del(&host->dev); ++ put_device(&host->dev); + kfree(host); + + return NULL; +-- +2.35.1 + diff --git a/queue-6.0/rdma-srp-support-more-than-255-rdma-ports.patch b/queue-6.0/rdma-srp-support-more-than-255-rdma-ports.patch new file mode 100644 index 00000000000..fea5f324e6c --- /dev/null +++ b/queue-6.0/rdma-srp-support-more-than-255-rdma-ports.patch @@ -0,0 +1,98 @@ +From 110fa4325c2b91cb93eb2669c4c6640e43c580bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 11:03:07 +0300 +Subject: RDMA/srp: Support more than 255 rdma ports + +From: Mikhael Goikhman + +[ Upstream commit b05398aff9ad9dc701b261183a5d756165d28b51 ] + +Currently ib_srp module does not support devices with more than 256 +ports. Switch from u8 to u32 to fix the problem. + +Fixes: 1fb7f8973f51 ("RDMA: Support more than 255 rdma ports") +Reviewed-by: Shay Drory +Signed-off-by: Mikhael Goikhman +Link: https://lore.kernel.org/r/7d80d8844f1abb3a54170b7259f0a02be38080a6.1663747327.git.leonro@nvidia.com +Reviewed-by: Bart Van Assche +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srp/ib_srp.c | 12 ++++++------ + drivers/infiniband/ulp/srp/ib_srp.h | 2 +- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index 96be06e8635c..ecbdcad1c0be 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -2989,7 +2989,7 @@ static ssize_t local_ib_port_show(struct device *dev, + { + struct srp_target_port *target = host_to_target(class_to_shost(dev)); + +- return sysfs_emit(buf, "%d\n", target->srp_host->port); ++ return sysfs_emit(buf, "%u\n", target->srp_host->port); + } + + static DEVICE_ATTR_RO(local_ib_port); +@@ -3887,7 +3887,7 @@ static ssize_t port_show(struct device *dev, struct device_attribute *attr, + { + struct srp_host *host = container_of(dev, struct srp_host, dev); + +- return sysfs_emit(buf, "%d\n", host->port); ++ return sysfs_emit(buf, "%u\n", host->port); + } + + static DEVICE_ATTR_RO(port); +@@ -3899,7 +3899,7 @@ static struct attribute *srp_class_attrs[] = { + NULL + }; + +-static struct srp_host *srp_add_port(struct srp_device *device, u8 port) ++static struct srp_host *srp_add_port(struct srp_device *device, u32 port) + { + struct srp_host *host; + +@@ -3917,7 +3917,7 @@ static struct srp_host *srp_add_port(struct srp_device *device, u8 port) + device_initialize(&host->dev); + host->dev.class = &srp_class; + host->dev.parent = device->dev->dev.parent; +- if (dev_set_name(&host->dev, "srp-%s-%d", dev_name(&device->dev->dev), ++ if (dev_set_name(&host->dev, "srp-%s-%u", dev_name(&device->dev->dev), + port)) + goto put_host; + if (device_add(&host->dev)) +@@ -3941,7 +3941,7 @@ static void srp_rename_dev(struct ib_device *device, void *client_data) + list_for_each_entry_safe(host, tmp_host, &srp_dev->dev_list, list) { + char name[IB_DEVICE_NAME_MAX + 8]; + +- snprintf(name, sizeof(name), "srp-%s-%d", ++ snprintf(name, sizeof(name), "srp-%s-%u", + dev_name(&device->dev), host->port); + device_rename(&host->dev, name); + } +@@ -3953,7 +3953,7 @@ static int srp_add_one(struct ib_device *device) + struct ib_device_attr *attr = &device->attrs; + struct srp_host *host; + int mr_page_shift; +- unsigned int p; ++ u32 p; + u64 max_pages_per_mr; + unsigned int flags = 0; + +diff --git a/drivers/infiniband/ulp/srp/ib_srp.h b/drivers/infiniband/ulp/srp/ib_srp.h +index 55a575e2cace..c80709dfbe77 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.h ++++ b/drivers/infiniband/ulp/srp/ib_srp.h +@@ -120,7 +120,7 @@ struct srp_device { + */ + struct srp_host { + struct srp_device *srp_dev; +- u8 port; ++ u32 port; + struct device dev; + struct list_head target_list; + spinlock_t target_lock; +-- +2.35.1 + diff --git a/queue-6.0/rdma-srp-use-the-attribute-group-mechanism-for-sysfs.patch b/queue-6.0/rdma-srp-use-the-attribute-group-mechanism-for-sysfs.patch new file mode 100644 index 00000000000..2275bf0b97d --- /dev/null +++ b/queue-6.0/rdma-srp-use-the-attribute-group-mechanism-for-sysfs.patch @@ -0,0 +1,69 @@ +From 14ab55e56e4200b6aeb7b89243c0aadfcf3a16d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 14:39:00 -0700 +Subject: RDMA/srp: Use the attribute group mechanism for sysfs attributes + +From: Bart Van Assche + +[ Upstream commit b8a9c18c2f39bd84b8240b744b666114f7d62054 ] + +Simplify the SRP driver by using the attribute group mechanism instead +of calling device_create_file() explicitly. + +Link: https://lore.kernel.org/r/20220825213900.864587-5-bvanassche@acm.org +Signed-off-by: Bart Van Assche +Signed-off-by: Leon Romanovsky +Stable-dep-of: b05398aff9ad ("RDMA/srp: Support more than 255 rdma ports") +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srp/ib_srp.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index fc4777f22fd3..96be06e8635c 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -3180,8 +3180,13 @@ static void srp_release_dev(struct device *dev) + complete(&host->released); + } + ++static struct attribute *srp_class_attrs[]; ++ ++ATTRIBUTE_GROUPS(srp_class); ++ + static struct class srp_class = { + .name = "infiniband_srp", ++ .dev_groups = srp_class_groups, + .dev_release = srp_release_dev + }; + +@@ -3887,6 +3892,13 @@ static ssize_t port_show(struct device *dev, struct device_attribute *attr, + + static DEVICE_ATTR_RO(port); + ++static struct attribute *srp_class_attrs[] = { ++ &dev_attr_add_target.attr, ++ &dev_attr_ibdev.attr, ++ &dev_attr_port.attr, ++ NULL ++}; ++ + static struct srp_host *srp_add_port(struct srp_device *device, u8 port) + { + struct srp_host *host; +@@ -3910,12 +3922,6 @@ static struct srp_host *srp_add_port(struct srp_device *device, u8 port) + goto put_host; + if (device_add(&host->dev)) + goto put_host; +- if (device_create_file(&host->dev, &dev_attr_add_target)) +- goto put_host; +- if (device_create_file(&host->dev, &dev_attr_ibdev)) +- goto put_host; +- if (device_create_file(&host->dev, &dev_attr_port)) +- goto put_host; + + return host; + +-- +2.35.1 + diff --git a/queue-6.0/regulator-core-prevent-integer-underflow.patch b/queue-6.0/regulator-core-prevent-integer-underflow.patch new file mode 100644 index 00000000000..1e181ead4d3 --- /dev/null +++ b/queue-6.0/regulator-core-prevent-integer-underflow.patch @@ -0,0 +1,41 @@ +From d7740e912ea491036bcf05a82616b1a9448b7a93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 14:59:53 +0200 +Subject: regulator: core: Prevent integer underflow + +From: Patrick Rudolph + +[ Upstream commit 8d8e16592022c9650df8aedfe6552ed478d7135b ] + +By using a ratio of delay to poll_enabled_time that is not integer +time_remaining underflows and does not exit the loop as expected. +As delay could be derived from DT and poll_enabled_time is defined +in the driver this can easily happen. + +Use a signed iterator to make sure that the loop exits once +the remaining time is negative. + +Signed-off-by: Patrick Rudolph +Link: https://lore.kernel.org/r/20220909125954.577669-1-patrick.rudolph@9elements.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index d3e8dc32832d..c3871565fd7d 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -2681,7 +2681,7 @@ static int _regulator_do_enable(struct regulator_dev *rdev) + * return -ETIMEDOUT. + */ + if (rdev->desc->poll_enabled_time) { +- unsigned int time_remaining = delay; ++ int time_remaining = delay; + + while (time_remaining > 0) { + _regulator_delay_helper(rdev->desc->poll_enabled_time); +-- +2.35.1 + diff --git a/queue-6.0/remoteproc-harden-rproc_handle_vdev-against-integer-.patch b/queue-6.0/remoteproc-harden-rproc_handle_vdev-against-integer-.patch new file mode 100644 index 00000000000..975e51394f4 --- /dev/null +++ b/queue-6.0/remoteproc-harden-rproc_handle_vdev-against-integer-.patch @@ -0,0 +1,47 @@ +From 6b046c340977a92d1b58ca290047861d8d1f38b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 17:11:44 +0300 +Subject: remoteproc: Harden rproc_handle_vdev() against integer overflow + +From: Dan Carpenter + +[ Upstream commit 7d7f8fe4e399519cc9ac68a475fec6d3a996341b ] + +The struct_size() macro protects against integer overflows but adding +"+ rsc->config_len" introduces the risk of integer overflows again. +Use size_add() to be safe. + +Fixes: c87846571587 ("remoteproc: use struct_size() helper") +Signed-off-by: Dan Carpenter +Reviewed-by: Gustavo A. R. Silva +Reviewed-by: Mukesh Ojha +Link: https://lore.kernel.org/r/YyMyoPoGOJUcEpZT@kili +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/remoteproc_core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c +index e5279ed9a8d7..4fc5ce2187ac 100644 +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -520,12 +520,13 @@ static int rproc_handle_vdev(struct rproc *rproc, void *ptr, + struct fw_rsc_vdev *rsc = ptr; + struct device *dev = &rproc->dev; + struct rproc_vdev *rvdev; ++ size_t rsc_size; + int i, ret; + char name[16]; + + /* make sure resource isn't truncated */ +- if (struct_size(rsc, vring, rsc->num_of_vrings) + rsc->config_len > +- avail) { ++ rsc_size = struct_size(rsc, vring, rsc->num_of_vrings); ++ if (size_add(rsc_size, rsc->config_len) > avail) { + dev_err(dev, "vdev rsc is truncated\n"); + return -EINVAL; + } +-- +2.35.1 + diff --git a/queue-6.0/remoteproc-imx_dsp_rproc-fix-argument-2-of-rproc_mem.patch b/queue-6.0/remoteproc-imx_dsp_rproc-fix-argument-2-of-rproc_mem.patch new file mode 100644 index 00000000000..6ac94946520 --- /dev/null +++ b/queue-6.0/remoteproc-imx_dsp_rproc-fix-argument-2-of-rproc_mem.patch @@ -0,0 +1,53 @@ +From dc78c51c5ccdc9e4ff68f4795865d3ee0ffd40e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 20:43:18 +0800 +Subject: remoteproc: imx_dsp_rproc: fix argument 2 of rproc_mem_entry_init + +From: Shengjiu Wang + +[ Upstream commit 729c16326b7f3f4e83e4195f620a6ca0b7dfa25a ] + +There are sparse warning: +drivers/remoteproc/imx_dsp_rproc.c:602:49: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void *va @@ got void [noderef] __iomem *[assigned] cpu_addr @@ +drivers/remoteproc/imx_dsp_rproc.c:602:49: sparse: expected void *va +drivers/remoteproc/imx_dsp_rproc.c:602:49: sparse: got void [noderef] __iomem *[assigned] cpu_addr +drivers/remoteproc/imx_dsp_rproc.c:638:49: sparse: sparse: incorrect type in argument 2 (different address spaces) @@ expected void *va @@ got void [noderef] __iomem *[assigned] cpu_addr @@ +drivers/remoteproc/imx_dsp_rproc.c:638:49: sparse: expected void *va +drivers/remoteproc/imx_dsp_rproc.c:638:49: sparse: got void [noderef] __iomem *[assigned] cpu_addr + +Fixes: ec0e5549f358 ("remoteproc: imx_dsp_rproc: Add remoteproc driver for DSP on i.MX") +Reported-by: kernel test robot +Signed-off-by: Shengjiu Wang +Link: https://lore.kernel.org/r/1660567398-24495-1-git-send-email-shengjiu.wang@nxp.com +Acked-by: Mukesh Ojha +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/imx_dsp_rproc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/remoteproc/imx_dsp_rproc.c b/drivers/remoteproc/imx_dsp_rproc.c +index ca0817f8e41e..899aa8dd12f0 100644 +--- a/drivers/remoteproc/imx_dsp_rproc.c ++++ b/drivers/remoteproc/imx_dsp_rproc.c +@@ -599,7 +599,7 @@ static int imx_dsp_rproc_add_carveout(struct imx_dsp_rproc *priv) + } + + /* Register memory region */ +- mem = rproc_mem_entry_init(dev, cpu_addr, (dma_addr_t)att->sa, ++ mem = rproc_mem_entry_init(dev, (void __force *)cpu_addr, (dma_addr_t)att->sa, + att->size, da, NULL, NULL, "dsp_mem"); + + if (mem) +@@ -635,7 +635,7 @@ static int imx_dsp_rproc_add_carveout(struct imx_dsp_rproc *priv) + } + + /* Register memory region */ +- mem = rproc_mem_entry_init(dev, cpu_addr, (dma_addr_t)rmem->base, ++ mem = rproc_mem_entry_init(dev, (void __force *)cpu_addr, (dma_addr_t)rmem->base, + rmem->size, da, NULL, NULL, it.node->name); + + if (mem) +-- +2.35.1 + diff --git a/queue-6.0/remoteproc-imx_rproc-simplify-some-error-message.patch b/queue-6.0/remoteproc-imx_rproc-simplify-some-error-message.patch new file mode 100644 index 00000000000..5f63250ece7 --- /dev/null +++ b/queue-6.0/remoteproc-imx_rproc-simplify-some-error-message.patch @@ -0,0 +1,63 @@ +From fb4f6133d80c5e1147a18ba9ea303c71710d60ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Aug 2022 00:02:32 +0200 +Subject: remoteproc: imx_rproc: Simplify some error message + +From: Christophe JAILLET + +[ Upstream commit a1c3611dcfb08e62e165ab5c00122dd13f210166 ] + +dev_err_probe() already prints the error code in a human readable way, so +there is no need to duplicate it as a numerical value at the end of the +message. + +While at it, remove 'ret' that is mostly useless. + +Fixes: 2df7062002d0 ("remoteproc: imx_proc: enable virtio/mailbox") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/6b9343c2688117a340661d8ee491c2962c54a09a.1659736936.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/imx_rproc.c | 14 +++++--------- + 1 file changed, 5 insertions(+), 9 deletions(-) + +diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c +index 38383e7de3c1..7cc4fd207e2d 100644 +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -646,7 +646,6 @@ static int imx_rproc_xtr_mbox_init(struct rproc *rproc) + struct imx_rproc *priv = rproc->priv; + struct device *dev = priv->dev; + struct mbox_client *cl; +- int ret; + + if (!of_get_property(dev->of_node, "mbox-names", NULL)) + return 0; +@@ -659,18 +658,15 @@ static int imx_rproc_xtr_mbox_init(struct rproc *rproc) + cl->rx_callback = imx_rproc_rx_callback; + + priv->tx_ch = mbox_request_channel_byname(cl, "tx"); +- if (IS_ERR(priv->tx_ch)) { +- ret = PTR_ERR(priv->tx_ch); +- return dev_err_probe(cl->dev, ret, +- "failed to request tx mailbox channel: %d\n", ret); +- } ++ if (IS_ERR(priv->tx_ch)) ++ return dev_err_probe(cl->dev, PTR_ERR(priv->tx_ch), ++ "failed to request tx mailbox channel\n"); + + priv->rx_ch = mbox_request_channel_byname(cl, "rx"); + if (IS_ERR(priv->rx_ch)) { + mbox_free_channel(priv->tx_ch); +- ret = PTR_ERR(priv->rx_ch); +- return dev_err_probe(cl->dev, ret, +- "failed to request rx mailbox channel: %d\n", ret); ++ return dev_err_probe(cl->dev, PTR_ERR(priv->rx_ch), ++ "failed to request rx mailbox channel\n"); + } + + return 0; +-- +2.35.1 + diff --git a/queue-6.0/revert-usb-storage-add-quirk-for-samsung-fit-flash.patch b/queue-6.0/revert-usb-storage-add-quirk-for-samsung-fit-flash.patch new file mode 100644 index 00000000000..a71d9516fb8 --- /dev/null +++ b/queue-6.0/revert-usb-storage-add-quirk-for-samsung-fit-flash.patch @@ -0,0 +1,59 @@ +From 48a03a33580d690a1159d8278f6b5f5f12a3c213 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 20:49:13 +0900 +Subject: Revert "usb: storage: Add quirk for Samsung Fit flash" + +From: sunghwan jung + +[ Upstream commit ad5dbfc123e6ffbbde194e2a4603323e09f741ee ] + +This reverts commit 86d92f5465958752481269348d474414dccb1552, +which fix the timeout issue for "Samsung Fit Flash". + +But the commit affects not only "Samsung Fit Flash" but also other usb +storages that use the same controller and causes severe performance +regression. + + # hdparm -t /dev/sda (without the quirk) + Timing buffered disk reads: 622 MB in 3.01 seconds = 206.66 MB/sec + + # hdparm -t /dev/sda (with the quirk) + Timing buffered disk reads: 220 MB in 3.00 seconds = 73.32 MB/sec + +The commit author mentioned that "Issue was reproduced after device has +bad block", so this quirk should be applied when we have the timeout +issue with a device that has bad blocks. + +We revert the commit so that we apply this quirk by adding kernel +paramters using a bootloader or other ways when we really need it, +without the performance regression with devices that don't have the +issue. + +Signed-off-by: sunghwan jung +Link: https://lore.kernel.org/r/20220913114913.3073-1-onenowy@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/storage/unusual_devs.h | 6 ------ + 1 file changed, 6 deletions(-) + +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index 4993227ab293..20dcbccb290b 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1275,12 +1275,6 @@ UNUSUAL_DEV( 0x090a, 0x1200, 0x0000, 0x9999, + USB_SC_RBC, USB_PR_BULK, NULL, + 0 ), + +-UNUSUAL_DEV(0x090c, 0x1000, 0x1100, 0x1100, +- "Samsung", +- "Flash Drive FIT", +- USB_SC_DEVICE, USB_PR_DEVICE, NULL, +- US_FL_MAX_SECTORS_64), +- + /* aeb */ + UNUSUAL_DEV( 0x090c, 0x1132, 0x0000, 0xffff, + "Feiya", +-- +2.35.1 + diff --git a/queue-6.0/rtw89-ser-leave-lps-with-mutex.patch b/queue-6.0/rtw89-ser-leave-lps-with-mutex.patch new file mode 100644 index 00000000000..bf8b171488c --- /dev/null +++ b/queue-6.0/rtw89-ser-leave-lps-with-mutex.patch @@ -0,0 +1,39 @@ +From fb97874fd0929937a4719f37eaa2c1f82c6fff16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Jul 2022 10:34:51 +0800 +Subject: rtw89: ser: leave lps with mutex + +From: Zong-Zhe Yang + +[ Upstream commit 8676031bae1c91037d06341214f4150b33707c68 ] + +Calling rtw89_leave_lps() should hold rtwdev::mutex. +So, fix it. + +Signed-off-by: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220704023453.19935-5-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/ser.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtw89/ser.c b/drivers/net/wireless/realtek/rtw89/ser.c +index 726223f25dc6..7240364e8f7d 100644 +--- a/drivers/net/wireless/realtek/rtw89/ser.c ++++ b/drivers/net/wireless/realtek/rtw89/ser.c +@@ -152,7 +152,10 @@ static void ser_state_run(struct rtw89_ser *ser, u8 evt) + rtw89_debug(rtwdev, RTW89_DBG_SER, "ser: %s receive %s\n", + ser_st_name(ser), ser_ev_name(ser, evt)); + ++ mutex_lock(&rtwdev->mutex); + rtw89_leave_lps(rtwdev); ++ mutex_unlock(&rtwdev->mutex); ++ + ser->st_tbl[ser->state].st_func(ser, evt); + } + +-- +2.35.1 + diff --git a/queue-6.0/rv-monitor-add-__init-__exit-annotations-to-module-i.patch b/queue-6.0/rv-monitor-add-__init-__exit-annotations-to-module-i.patch new file mode 100644 index 00000000000..5256a4ac280 --- /dev/null +++ b/queue-6.0/rv-monitor-add-__init-__exit-annotations-to-module-i.patch @@ -0,0 +1,131 @@ +From c88269924fc3dfa0317019b48fb96586bbf2a351 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 18:32:08 +0800 +Subject: rv/monitor: Add __init/__exit annotations to module init/exit funcs + +From: Xiu Jianfeng + +[ Upstream commit 834168fb2ce57681dee86a405ec560f54417830c ] + +Add missing __init/__exit annotations to module init/exit funcs. + +Link: https://lkml.kernel.org/r/20220922103208.162869-1-xiujianfeng@huawei.com + +Fixes: 24bce201d798 ("tools/rv: Add dot2k") +Fixes: 8812d21219b9 ("rv/monitor: Add the wip monitor skeleton created by dot2k") +Fixes: ccc319dcb450 ("rv/monitor: Add the wwnr monitor") +Signed-off-by: Xiu Jianfeng +Acked-by: Daniel Bristot de Oliveira +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/rv/monitors/wip/wip.c | 4 ++-- + kernel/trace/rv/monitors/wwnr/wwnr.c | 4 ++-- + tools/verification/dot2/dot2k_templates/main_global.c | 4 ++-- + tools/verification/dot2/dot2k_templates/main_per_cpu.c | 4 ++-- + tools/verification/dot2/dot2k_templates/main_per_task.c | 4 ++-- + 5 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/kernel/trace/rv/monitors/wip/wip.c b/kernel/trace/rv/monitors/wip/wip.c +index 83cace53b9fa..6be876e2f405 100644 +--- a/kernel/trace/rv/monitors/wip/wip.c ++++ b/kernel/trace/rv/monitors/wip/wip.c +@@ -69,13 +69,13 @@ struct rv_monitor rv_wip = { + .enabled = 0, + }; + +-static int register_wip(void) ++static int __init register_wip(void) + { + rv_register_monitor(&rv_wip); + return 0; + } + +-static void unregister_wip(void) ++static void __exit unregister_wip(void) + { + rv_unregister_monitor(&rv_wip); + } +diff --git a/kernel/trace/rv/monitors/wwnr/wwnr.c b/kernel/trace/rv/monitors/wwnr/wwnr.c +index 599225d9cf38..c1fac4808b02 100644 +--- a/kernel/trace/rv/monitors/wwnr/wwnr.c ++++ b/kernel/trace/rv/monitors/wwnr/wwnr.c +@@ -68,13 +68,13 @@ struct rv_monitor rv_wwnr = { + .enabled = 0, + }; + +-static int register_wwnr(void) ++static int __init register_wwnr(void) + { + rv_register_monitor(&rv_wwnr); + return 0; + } + +-static void unregister_wwnr(void) ++static void __exit unregister_wwnr(void) + { + rv_unregister_monitor(&rv_wwnr); + } +diff --git a/tools/verification/dot2/dot2k_templates/main_global.c b/tools/verification/dot2/dot2k_templates/main_global.c +index f4b712dbc92e..45fc6709701b 100644 +--- a/tools/verification/dot2/dot2k_templates/main_global.c ++++ b/tools/verification/dot2/dot2k_templates/main_global.c +@@ -72,13 +72,13 @@ struct rv_monitor rv_MODEL_NAME = { + .enabled = 0, + }; + +-static int register_MODEL_NAME(void) ++static int __init register_MODEL_NAME(void) + { + rv_register_monitor(&rv_MODEL_NAME); + return 0; + } + +-static void unregister_MODEL_NAME(void) ++static void __exit unregister_MODEL_NAME(void) + { + rv_unregister_monitor(&rv_MODEL_NAME); + } +diff --git a/tools/verification/dot2/dot2k_templates/main_per_cpu.c b/tools/verification/dot2/dot2k_templates/main_per_cpu.c +index 4080d1ca3354..9014c9ef657b 100644 +--- a/tools/verification/dot2/dot2k_templates/main_per_cpu.c ++++ b/tools/verification/dot2/dot2k_templates/main_per_cpu.c +@@ -72,13 +72,13 @@ struct rv_monitor rv_MODEL_NAME = { + .enabled = 0, + }; + +-static int register_MODEL_NAME(void) ++static int __init register_MODEL_NAME(void) + { + rv_register_monitor(&rv_MODEL_NAME); + return 0; + } + +-static void unregister_MODEL_NAME(void) ++static void __exit unregister_MODEL_NAME(void) + { + rv_unregister_monitor(&rv_MODEL_NAME); + } +diff --git a/tools/verification/dot2/dot2k_templates/main_per_task.c b/tools/verification/dot2/dot2k_templates/main_per_task.c +index 89197175384f..13d11620d19f 100644 +--- a/tools/verification/dot2/dot2k_templates/main_per_task.c ++++ b/tools/verification/dot2/dot2k_templates/main_per_task.c +@@ -72,13 +72,13 @@ struct rv_monitor rv_MODEL_NAME = { + .enabled = 0, + }; + +-static int register_MODEL_NAME(void) ++static int __init register_MODEL_NAME(void) + { + rv_register_monitor(&rv_MODEL_NAME); + return 0; + } + +-static void unregister_MODEL_NAME(void) ++static void __exit unregister_MODEL_NAME(void) + { + rv_unregister_monitor(&rv_MODEL_NAME); + } +-- +2.35.1 + diff --git a/queue-6.0/sbitmap-avoid-leaving-waitqueue-in-invalid-state-in-.patch b/queue-6.0/sbitmap-avoid-leaving-waitqueue-in-invalid-state-in-.patch new file mode 100644 index 00000000000..bbb0fa0665a --- /dev/null +++ b/queue-6.0/sbitmap-avoid-leaving-waitqueue-in-invalid-state-in-.patch @@ -0,0 +1,77 @@ +From 67e50b0c78052157df4c79c8ba8ad177ca45f0a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 15:09:37 +0200 +Subject: sbitmap: Avoid leaving waitqueue in invalid state in __sbq_wake_up() + +From: Jan Kara + +[ Upstream commit 48c033314f372478548203c583529f53080fd078 ] + +When __sbq_wake_up() decrements wait_cnt to 0 but races with someone +else waking the waiter on the waitqueue (so the waitqueue becomes +empty), it exits without reseting wait_cnt to wake_batch number. Once +wait_cnt is 0, nobody will ever reset the wait_cnt or wake the new +waiters resulting in possible deadlocks or busyloops. Fix the problem by +making sure we reset wait_cnt even if we didn't wake up anybody in the +end. + +Fixes: 040b83fcecfb ("sbitmap: fix possible io hung due to lost wakeup") +Reported-by: Keith Busch +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20220908130937.2795-1-jack@suse.cz +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + lib/sbitmap.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/lib/sbitmap.c b/lib/sbitmap.c +index 1f31147872e6..bb1970ad4875 100644 +--- a/lib/sbitmap.c ++++ b/lib/sbitmap.c +@@ -605,6 +605,7 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq) + struct sbq_wait_state *ws; + unsigned int wake_batch; + int wait_cnt; ++ bool ret; + + ws = sbq_wake_ptr(sbq); + if (!ws) +@@ -615,12 +616,23 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq) + * For concurrent callers of this, callers should call this function + * again to wakeup a new batch on a different 'ws'. + */ +- if (wait_cnt < 0 || !waitqueue_active(&ws->wait)) ++ if (wait_cnt < 0) + return true; + ++ /* ++ * If we decremented queue without waiters, retry to avoid lost ++ * wakeups. ++ */ + if (wait_cnt > 0) +- return false; ++ return !waitqueue_active(&ws->wait); + ++ /* ++ * When wait_cnt == 0, we have to be particularly careful as we are ++ * responsible to reset wait_cnt regardless whether we've actually ++ * woken up anybody. But in case we didn't wakeup anybody, we still ++ * need to retry. ++ */ ++ ret = !waitqueue_active(&ws->wait); + wake_batch = READ_ONCE(sbq->wake_batch); + + /* +@@ -649,7 +661,7 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq) + sbq_index_atomic_inc(&sbq->wake_index); + atomic_set(&ws->wait_cnt, wake_batch); + +- return false; ++ return ret; + } + + void sbitmap_queue_wake_up(struct sbitmap_queue *sbq) +-- +2.35.1 + diff --git a/queue-6.0/sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch b/queue-6.0/sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch new file mode 100644 index 00000000000..86216b79298 --- /dev/null +++ b/queue-6.0/sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch @@ -0,0 +1,141 @@ +From 6a6fe39fb947ccbe768f23442c2bf11596c4e1dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Aug 2022 20:15:04 +0800 +Subject: sbitmap: fix possible io hung due to lost wakeup + +From: Yu Kuai + +[ Upstream commit 040b83fcecfb86f3225d3a5de7fd9b3fbccf83b4 ] + +There are two problems can lead to lost wakeup: + +1) invalid wakeup on the wrong waitqueue: + +For example, 2 * wake_batch tags are put, while only wake_batch threads +are woken: + +__sbq_wake_up + atomic_cmpxchg -> reset wait_cnt + __sbq_wake_up -> decrease wait_cnt + ... + __sbq_wake_up -> wait_cnt is decreased to 0 again + atomic_cmpxchg + sbq_index_atomic_inc -> increase wake_index + wake_up_nr -> wake up and waitqueue might be empty + sbq_index_atomic_inc -> increase again, one waitqueue is skipped + wake_up_nr -> invalid wake up because old wakequeue might be empty + +To fix the problem, increasing 'wake_index' before resetting 'wait_cnt'. + +2) 'wait_cnt' can be decreased while waitqueue is empty + +As pointed out by Jan Kara, following race is possible: + +CPU1 CPU2 +__sbq_wake_up __sbq_wake_up + sbq_wake_ptr() sbq_wake_ptr() -> the same + wait_cnt = atomic_dec_return() + /* decreased to 0 */ + sbq_index_atomic_inc() + /* move to next waitqueue */ + atomic_set() + /* reset wait_cnt */ + wake_up_nr() + /* wake up on the old waitqueue */ + wait_cnt = atomic_dec_return() + /* + * decrease wait_cnt in the old + * waitqueue, while it can be + * empty. + */ + +Fix the problem by waking up before updating 'wake_index' and +'wait_cnt'. + +With this patch, noted that 'wait_cnt' is still decreased in the old +empty waitqueue, however, the wakeup is redirected to a active waitqueue, +and the extra decrement on the old empty waitqueue is not handled. + +Fixes: 88459642cba4 ("blk-mq: abstract tag allocation out into sbitmap library") +Signed-off-by: Yu Kuai +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20220803121504.212071-1-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + lib/sbitmap.c | 55 ++++++++++++++++++++++++++++++--------------------- + 1 file changed, 33 insertions(+), 22 deletions(-) + +diff --git a/lib/sbitmap.c b/lib/sbitmap.c +index 29eb0484215a..1f31147872e6 100644 +--- a/lib/sbitmap.c ++++ b/lib/sbitmap.c +@@ -611,32 +611,43 @@ static bool __sbq_wake_up(struct sbitmap_queue *sbq) + return false; + + wait_cnt = atomic_dec_return(&ws->wait_cnt); +- if (wait_cnt <= 0) { +- int ret; ++ /* ++ * For concurrent callers of this, callers should call this function ++ * again to wakeup a new batch on a different 'ws'. ++ */ ++ if (wait_cnt < 0 || !waitqueue_active(&ws->wait)) ++ return true; + +- wake_batch = READ_ONCE(sbq->wake_batch); ++ if (wait_cnt > 0) ++ return false; + +- /* +- * Pairs with the memory barrier in sbitmap_queue_resize() to +- * ensure that we see the batch size update before the wait +- * count is reset. +- */ +- smp_mb__before_atomic(); ++ wake_batch = READ_ONCE(sbq->wake_batch); + +- /* +- * For concurrent callers of this, the one that failed the +- * atomic_cmpxhcg() race should call this function again +- * to wakeup a new batch on a different 'ws'. +- */ +- ret = atomic_cmpxchg(&ws->wait_cnt, wait_cnt, wake_batch); +- if (ret == wait_cnt) { +- sbq_index_atomic_inc(&sbq->wake_index); +- wake_up_nr(&ws->wait, wake_batch); +- return false; +- } ++ /* ++ * Wake up first in case that concurrent callers decrease wait_cnt ++ * while waitqueue is empty. ++ */ ++ wake_up_nr(&ws->wait, wake_batch); + +- return true; +- } ++ /* ++ * Pairs with the memory barrier in sbitmap_queue_resize() to ++ * ensure that we see the batch size update before the wait ++ * count is reset. ++ * ++ * Also pairs with the implicit barrier between decrementing wait_cnt ++ * and checking for waitqueue_active() to make sure waitqueue_active() ++ * sees result of the wakeup if atomic_dec_return() has seen the result ++ * of atomic_set(). ++ */ ++ smp_mb__before_atomic(); ++ ++ /* ++ * Increase wake_index before updating wait_cnt, otherwise concurrent ++ * callers can see valid wait_cnt in old waitqueue, which can cause ++ * invalid wakeup on the old waitqueue. ++ */ ++ sbq_index_atomic_inc(&sbq->wake_index); ++ atomic_set(&ws->wait_cnt, wake_batch); + + return false; + } +-- +2.35.1 + diff --git a/queue-6.0/scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch b/queue-6.0/scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch new file mode 100644 index 00000000000..b84c6413383 --- /dev/null +++ b/queue-6.0/scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch @@ -0,0 +1,42 @@ +From ac371312b04d6dcfbfc833ac34da12774f1ff70a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Aug 2022 19:01:15 +0800 +Subject: scsi: 3w-9xxx: Avoid disabling device if failing to enable it + +From: Letu Ren + +[ Upstream commit 7eff437b5ee1309b34667844361c6bbb5c97df05 ] + +The original code will "goto out_disable_device" and call +pci_disable_device() if pci_enable_device() fails. The kernel will generate +a warning message like "3w-9xxx 0000:00:05.0: disabling already-disabled +device". + +We shouldn't disable a device that failed to be enabled. A simple return is +fine. + +Link: https://lore.kernel.org/r/20220829110115.38789-1-fantasquex@gmail.com +Reported-by: Zheyu Ma +Signed-off-by: Letu Ren +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/3w-9xxx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c +index cd823ff5deab..6cb9cca9565b 100644 +--- a/drivers/scsi/3w-9xxx.c ++++ b/drivers/scsi/3w-9xxx.c +@@ -2006,7 +2006,7 @@ static int twa_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id) + retval = pci_enable_device(pdev); + if (retval) { + TW_PRINTK(host, TW_DRIVER, 0x34, "Failed to enable pci device"); +- goto out_disable_device; ++ return -ENODEV; + } + + pci_set_master(pdev); +-- +2.35.1 + diff --git a/queue-6.0/scsi-iscsi-iscsi_tcp-fix-null-ptr-deref-while-callin.patch b/queue-6.0/scsi-iscsi-iscsi_tcp-fix-null-ptr-deref-while-callin.patch new file mode 100644 index 00000000000..6c0a0ca147f --- /dev/null +++ b/queue-6.0/scsi-iscsi-iscsi_tcp-fix-null-ptr-deref-while-callin.patch @@ -0,0 +1,225 @@ +From f38b702e919ff2dd98cc5d6f1d9c434705e1b1ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 17:17:00 -0500 +Subject: scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling + getpeername() + +From: Mike Christie + +[ Upstream commit 57569c37f0add1b6489e1a1563c71519daf732cf ] + +Fix a NULL pointer crash that occurs when we are freeing the socket at the +same time we access it via sysfs. + +The problem is that: + + 1. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() take + the frwd_lock and do sock_hold() then drop the frwd_lock. sock_hold() + does a get on the "struct sock". + + 2. iscsi_sw_tcp_release_conn() does sockfd_put() which does the last put + on the "struct socket" and that does __sock_release() which sets the + sock->ops to NULL. + + 3. iscsi_sw_tcp_conn_get_param() and iscsi_sw_tcp_host_get_param() then + call kernel_getpeername() which accesses the NULL sock->ops. + +Above we do a get on the "struct sock", but we needed a get on the "struct +socket". Originally, we just held the frwd_lock the entire time but in +commit bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while +calling getpeername()") we switched to refcount based because the network +layer changed and started taking a mutex in that path, so we could no +longer hold the frwd_lock. + +Instead of trying to maintain multiple refcounts, this just has us use a +mutex for accessing the socket in the interface code paths. + +Link: https://lore.kernel.org/r/20220907221700.10302-1-michael.christie@oracle.com +Fixes: bcf3a2953d36 ("scsi: iscsi: iscsi_tcp: Avoid holding spinlock while calling getpeername()") +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 73 ++++++++++++++++++++++++++++------------ + drivers/scsi/iscsi_tcp.h | 3 ++ + 2 files changed, 55 insertions(+), 21 deletions(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index 29b1bd755afe..5fb1f364e815 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -595,6 +595,8 @@ iscsi_sw_tcp_conn_create(struct iscsi_cls_session *cls_session, + INIT_WORK(&conn->recvwork, iscsi_sw_tcp_recv_data_work); + tcp_sw_conn->queue_recv = iscsi_recv_from_iscsi_q; + ++ mutex_init(&tcp_sw_conn->sock_lock); ++ + tfm = crypto_alloc_ahash("crc32c", 0, CRYPTO_ALG_ASYNC); + if (IS_ERR(tfm)) + goto free_conn; +@@ -629,11 +631,15 @@ iscsi_sw_tcp_conn_create(struct iscsi_cls_session *cls_session, + + static void iscsi_sw_tcp_release_conn(struct iscsi_conn *conn) + { +- struct iscsi_session *session = conn->session; + struct iscsi_tcp_conn *tcp_conn = conn->dd_data; + struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data; + struct socket *sock = tcp_sw_conn->sock; + ++ /* ++ * The iscsi transport class will make sure we are not called in ++ * parallel with start, stop, bind and destroys. However, this can be ++ * called twice if userspace does a stop then a destroy. ++ */ + if (!sock) + return; + +@@ -649,9 +655,9 @@ static void iscsi_sw_tcp_release_conn(struct iscsi_conn *conn) + + iscsi_suspend_rx(conn); + +- spin_lock_bh(&session->frwd_lock); ++ mutex_lock(&tcp_sw_conn->sock_lock); + tcp_sw_conn->sock = NULL; +- spin_unlock_bh(&session->frwd_lock); ++ mutex_unlock(&tcp_sw_conn->sock_lock); + sockfd_put(sock); + } + +@@ -703,7 +709,6 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session, + struct iscsi_cls_conn *cls_conn, uint64_t transport_eph, + int is_leading) + { +- struct iscsi_session *session = cls_session->dd_data; + struct iscsi_conn *conn = cls_conn->dd_data; + struct iscsi_tcp_conn *tcp_conn = conn->dd_data; + struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data; +@@ -723,10 +728,10 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session, + if (err) + goto free_socket; + +- spin_lock_bh(&session->frwd_lock); ++ mutex_lock(&tcp_sw_conn->sock_lock); + /* bind iSCSI connection and socket */ + tcp_sw_conn->sock = sock; +- spin_unlock_bh(&session->frwd_lock); ++ mutex_unlock(&tcp_sw_conn->sock_lock); + + /* setup Socket parameters */ + sk = sock->sk; +@@ -763,8 +768,15 @@ static int iscsi_sw_tcp_conn_set_param(struct iscsi_cls_conn *cls_conn, + break; + case ISCSI_PARAM_DATADGST_EN: + iscsi_set_param(cls_conn, param, buf, buflen); ++ ++ mutex_lock(&tcp_sw_conn->sock_lock); ++ if (!tcp_sw_conn->sock) { ++ mutex_unlock(&tcp_sw_conn->sock_lock); ++ return -ENOTCONN; ++ } + tcp_sw_conn->sendpage = conn->datadgst_en ? + sock_no_sendpage : tcp_sw_conn->sock->ops->sendpage; ++ mutex_unlock(&tcp_sw_conn->sock_lock); + break; + case ISCSI_PARAM_MAX_R2T: + return iscsi_tcp_set_max_r2t(conn, buf); +@@ -779,8 +791,8 @@ static int iscsi_sw_tcp_conn_get_param(struct iscsi_cls_conn *cls_conn, + enum iscsi_param param, char *buf) + { + struct iscsi_conn *conn = cls_conn->dd_data; +- struct iscsi_tcp_conn *tcp_conn = conn->dd_data; +- struct iscsi_sw_tcp_conn *tcp_sw_conn = tcp_conn->dd_data; ++ struct iscsi_sw_tcp_conn *tcp_sw_conn; ++ struct iscsi_tcp_conn *tcp_conn; + struct sockaddr_in6 addr; + struct socket *sock; + int rc; +@@ -790,21 +802,36 @@ static int iscsi_sw_tcp_conn_get_param(struct iscsi_cls_conn *cls_conn, + case ISCSI_PARAM_CONN_ADDRESS: + case ISCSI_PARAM_LOCAL_PORT: + spin_lock_bh(&conn->session->frwd_lock); +- if (!tcp_sw_conn || !tcp_sw_conn->sock) { ++ if (!conn->session->leadconn) { + spin_unlock_bh(&conn->session->frwd_lock); + return -ENOTCONN; + } +- sock = tcp_sw_conn->sock; +- sock_hold(sock->sk); ++ /* ++ * The conn has been setup and bound, so just grab a ref ++ * incase a destroy runs while we are in the net layer. ++ */ ++ iscsi_get_conn(conn->cls_conn); + spin_unlock_bh(&conn->session->frwd_lock); + ++ tcp_conn = conn->dd_data; ++ tcp_sw_conn = tcp_conn->dd_data; ++ ++ mutex_lock(&tcp_sw_conn->sock_lock); ++ sock = tcp_sw_conn->sock; ++ if (!sock) { ++ rc = -ENOTCONN; ++ goto sock_unlock; ++ } ++ + if (param == ISCSI_PARAM_LOCAL_PORT) + rc = kernel_getsockname(sock, + (struct sockaddr *)&addr); + else + rc = kernel_getpeername(sock, + (struct sockaddr *)&addr); +- sock_put(sock->sk); ++sock_unlock: ++ mutex_unlock(&tcp_sw_conn->sock_lock); ++ iscsi_put_conn(conn->cls_conn); + if (rc < 0) + return rc; + +@@ -842,17 +869,21 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + } + tcp_conn = conn->dd_data; + tcp_sw_conn = tcp_conn->dd_data; +- sock = tcp_sw_conn->sock; +- if (!sock) { +- spin_unlock_bh(&session->frwd_lock); +- return -ENOTCONN; +- } +- sock_hold(sock->sk); ++ /* ++ * The conn has been setup and bound, so just grab a ref ++ * incase a destroy runs while we are in the net layer. ++ */ ++ iscsi_get_conn(conn->cls_conn); + spin_unlock_bh(&session->frwd_lock); + +- rc = kernel_getsockname(sock, +- (struct sockaddr *)&addr); +- sock_put(sock->sk); ++ mutex_lock(&tcp_sw_conn->sock_lock); ++ sock = tcp_sw_conn->sock; ++ if (!sock) ++ rc = -ENOTCONN; ++ else ++ rc = kernel_getsockname(sock, (struct sockaddr *)&addr); ++ mutex_unlock(&tcp_sw_conn->sock_lock); ++ iscsi_put_conn(conn->cls_conn); + if (rc < 0) + return rc; + +diff --git a/drivers/scsi/iscsi_tcp.h b/drivers/scsi/iscsi_tcp.h +index 850a018aefb9..68e14a344904 100644 +--- a/drivers/scsi/iscsi_tcp.h ++++ b/drivers/scsi/iscsi_tcp.h +@@ -28,6 +28,9 @@ struct iscsi_sw_tcp_send { + + struct iscsi_sw_tcp_conn { + struct socket *sock; ++ /* Taken when accessing the sock from the netlink/sysfs interface */ ++ struct mutex sock_lock; ++ + struct work_struct recvwork; + bool queue_recv; + +-- +2.35.1 + diff --git a/queue-6.0/scsi-libsas-fix-use-after-free-bug-in-smp_execute_ta.patch b/queue-6.0/scsi-libsas-fix-use-after-free-bug-in-smp_execute_ta.patch new file mode 100644 index 00000000000..2a8dc487286 --- /dev/null +++ b/queue-6.0/scsi-libsas-fix-use-after-free-bug-in-smp_execute_ta.patch @@ -0,0 +1,54 @@ +From f55d7807bfb9223f699cf25a496da4a2e174e1a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 22:42:13 +0800 +Subject: scsi: libsas: Fix use-after-free bug in smp_execute_task_sg() + +From: Duoming Zhou + +[ Upstream commit 46ba53c30666717cb06c2b3c5d896301cd00d0c0 ] + +When executing SMP task failed, the smp_execute_task_sg() calls del_timer() +to delete "slow_task->timer". However, if the timer handler +sas_task_internal_timedout() is running, the del_timer() in +smp_execute_task_sg() will not stop it and a UAF will happen. The process +is shown below: + + (thread 1) | (thread 2) +smp_execute_task_sg() | sas_task_internal_timedout() + ... | + del_timer() | + ... | ... + sas_free_task(task) | + kfree(task->slow_task) //FREE| + | task->slow_task->... //USE + +Fix by calling del_timer_sync() in smp_execute_task_sg(), which makes sure +the timer handler have finished before the "task->slow_task" is +deallocated. + +Link: https://lore.kernel.org/r/20220920144213.10536-1-duoming@zju.edu.cn +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Reviewed-by: Jason Yan +Signed-off-by: Duoming Zhou +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_expander.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index fa2209080cc2..5ce251830104 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -67,7 +67,7 @@ static int smp_execute_task_sg(struct domain_device *dev, + res = i->dft->lldd_execute_task(task, GFP_KERNEL); + + if (res) { +- del_timer(&task->slow_task->timer); ++ del_timer_sync(&task->slow_task->timer); + pr_notice("executing SMP task failed:%d\n", res); + break; + } +-- +2.35.1 + diff --git a/queue-6.0/scsi-lpfc-fix-null-ndlp-ptr-dereference-in-abnormal-.patch b/queue-6.0/scsi-lpfc-fix-null-ndlp-ptr-dereference-in-abnormal-.patch new file mode 100644 index 00000000000..bcbf9fcdf68 --- /dev/null +++ b/queue-6.0/scsi-lpfc-fix-null-ndlp-ptr-dereference-in-abnormal-.patch @@ -0,0 +1,59 @@ +From 722dd5a92bdad00eb9db5c4b0a36c33084b9cb29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 18:17:31 -0700 +Subject: scsi: lpfc: Fix null ndlp ptr dereference in abnormal exit path for + GFT_ID + +From: James Smart + +[ Upstream commit 59b7e210a522b836a01516c71ee85d1d92c1f075 ] + +An error case exit from lpfc_cmpl_ct_cmd_gft_id() results in a call to +lpfc_nlp_put() with a null pointer to a nodelist structure. + +Changed lpfc_cmpl_ct_cmd_gft_id() to initialize nodelist pointer upon +entry. + +Link: https://lore.kernel.org/r/20220819011736.14141-3-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_ct.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c +index 13dfe285493d..b555ccb5ae34 100644 +--- a/drivers/scsi/lpfc/lpfc_ct.c ++++ b/drivers/scsi/lpfc/lpfc_ct.c +@@ -1509,7 +1509,7 @@ lpfc_cmpl_ct_cmd_gft_id(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + struct lpfc_sli_ct_request *CTrsp; + int did; + struct lpfc_nodelist *ndlp = NULL; +- struct lpfc_nodelist *ns_ndlp = NULL; ++ struct lpfc_nodelist *ns_ndlp = cmdiocb->ndlp; + uint32_t fc4_data_0, fc4_data_1; + u32 ulp_status = get_job_ulpstatus(phba, rspiocb); + u32 ulp_word4 = get_job_word4(phba, rspiocb); +@@ -1522,15 +1522,12 @@ lpfc_cmpl_ct_cmd_gft_id(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + ulp_status, ulp_word4, did); + + /* Ignore response if link flipped after this request was made */ +- if ((uint32_t) cmdiocb->event_tag != phba->fc_eventTag) { ++ if ((uint32_t)cmdiocb->event_tag != phba->fc_eventTag) { + lpfc_printf_vlog(vport, KERN_INFO, LOG_DISCOVERY, + "9046 Event tag mismatch. Ignoring NS rsp\n"); + goto out; + } + +- /* Preserve the nameserver node to release the reference. */ +- ns_ndlp = cmdiocb->ndlp; +- + if (ulp_status == IOSTAT_SUCCESS) { + /* Good status, continue checking */ + CTrsp = (struct lpfc_sli_ct_request *)outp->virt; +-- +2.35.1 + diff --git a/queue-6.0/scsi-lpfc-fix-various-issues-reported-by-tools.patch b/queue-6.0/scsi-lpfc-fix-various-issues-reported-by-tools.patch new file mode 100644 index 00000000000..630bb2cb763 --- /dev/null +++ b/queue-6.0/scsi-lpfc-fix-various-issues-reported-by-tools.patch @@ -0,0 +1,525 @@ +From 95778c6a95b6a1bf3e1930c5c3d3fb8364a33838 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Sep 2022 15:15:04 -0700 +Subject: scsi: lpfc: Fix various issues reported by tools + +From: James Smart + +[ Upstream commit a4de8356b68e54149ebdbe6e748e2726152b650c ] + +This patch fixes below Smatch reported issues: + + 1. lpfc_hbadisc.c:3020 lpfc_mbx_cmpl_fcf_rr_read_fcf_rec() + error: uninitialized symbol 'vlan_id'. + + 2. lpfc_hbadisc.c:3121 lpfc_mbx_cmpl_read_fcf_rec() + error: uninitialized symbol 'vlan_id'. + + 3. lpfc_init.c:335 lpfc_dump_wakeup_param_cmpl() + warn: always true condition '(prg->dist < 4) => (0-3 < 4)' + + 4. lpfc_init.c:2419 lpfc_parse_vpd() + warn: inconsistent indenting. + + 5. lpfc_init.c:13248 lpfc_sli4_enable_msi() + warn: 'phba->pcidev->irq' 2147483648 can't fit into 65535 + 'eqhdl->irq' + + 6. lpfc_debugfs.c:5300 lpfc_idiag_extacc_avail_get() + error: uninitialized symbol 'ext_cnt' + + 7. lpfc_debugfs.c:5300 lpfc_idiag_extacc_avail_get() + error: uninitialized symbol 'ext_size' + + 8. lpfc_vmid.c:248 lpfc_vmid_get_appid() + warn: sleeping in atomic context. + + 9. lpfc_init.c:8342 lpfc_sli4_driver_resource_setup() + warn: missing error code 'rc'. + +10. lpfc_init.c:13573 lpfc_sli4_hba_unset() + warn: variable dereferenced before check 'phba->pport' (see + line 13546) + +11. lpfc_auth.c:1923 lpfc_auth_handle_dhchap_reply() + error: double free of 'hash_value' + +Fixes: + + 1. Initialize vlan_id to LPFC_FCOE_NULL_VID. + + 2. Initialize vlan_id to LPFC_FCOE_NULL_VID. + + 3. prg->dist is a 2 bit field. Its value can only be between 0-3. + Remove redundent check 'if (prg->dist < 4)'. + + 4. Fix inconsistent indenting. Moved logic into helper function + lpfc_fill_vpd(). + + 5. Define 'eqhdl->irq' as int value as pci_irq_vector() returns int. + Also, check for return value of pci_irq_vector() and log message in + case of failure. + + 6. Initialize 'ext_cnt' to 0. + + 7. Initialize 'ext_size' to 0. + + 8. Use alloc_percpu_gfp() with GFP_ATOMIC flag. + + 9. 'rc' was not updated when dma_pool_create() fails. Update 'rc = + -ENOMEM' when dma_pool_create() fails before calling goto statement. + +10. Add check for 'phba->pport' in lpfc_cpuhp_remove(). + +11. Initialize 'hash_value' to NULL, same like 'aug_chal' variable. + +Link: https://lore.kernel.org/r/20220911221505.117655-13-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_debugfs.c | 2 +- + drivers/scsi/lpfc/lpfc_hbadisc.c | 4 +- + drivers/scsi/lpfc/lpfc_init.c | 249 +++++++++++++++++-------------- + drivers/scsi/lpfc/lpfc_sli.c | 3 + + drivers/scsi/lpfc/lpfc_sli4.h | 4 +- + drivers/scsi/lpfc/lpfc_vmid.c | 4 +- + 6 files changed, 148 insertions(+), 118 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c +index e37b028eae5f..f5252e45a48a 100644 +--- a/drivers/scsi/lpfc/lpfc_debugfs.c ++++ b/drivers/scsi/lpfc/lpfc_debugfs.c +@@ -5156,7 +5156,7 @@ lpfc_idiag_mbxacc_write(struct file *file, const char __user *buf, + static int + lpfc_idiag_extacc_avail_get(struct lpfc_hba *phba, char *pbuffer, int len) + { +- uint16_t ext_cnt, ext_size; ++ uint16_t ext_cnt = 0, ext_size = 0; + + len += scnprintf(pbuffer+len, LPFC_EXT_ACC_BUF_SIZE-len, + "\nAvailable Extents Information:\n"); +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index 2645def612e6..a488d00894ae 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -2964,7 +2964,7 @@ lpfc_mbx_cmpl_fcf_rr_read_fcf_rec(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq) + uint32_t boot_flag, addr_mode; + uint16_t next_fcf_index, fcf_index; + uint16_t current_fcf_index; +- uint16_t vlan_id; ++ uint16_t vlan_id = LPFC_FCOE_NULL_VID; + int rc; + + /* If link state is not up, stop the roundrobin failover process */ +@@ -3069,7 +3069,7 @@ lpfc_mbx_cmpl_read_fcf_rec(struct lpfc_hba *phba, LPFC_MBOXQ_t *mboxq) + struct fcf_record *new_fcf_record; + uint32_t boot_flag, addr_mode; + uint16_t fcf_index, next_fcf_index; +- uint16_t vlan_id; ++ uint16_t vlan_id = LPFC_FCOE_NULL_VID; + int rc; + + /* If link state is not up, no need to proceed */ +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index a76f2a120d9d..1a02134438fc 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -325,8 +325,7 @@ lpfc_dump_wakeup_param_cmpl(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmboxq) + prog_id_word = pmboxq->u.mb.un.varWords[7]; + + /* Decode the Option rom version word to a readable string */ +- if (prg->dist < 4) +- dist = dist_char[prg->dist]; ++ dist = dist_char[prg->dist]; + + if ((prg->dist == 3) && (prg->num == 0)) + snprintf(phba->OptionROMVersion, 32, "%d.%d%d", +@@ -2258,6 +2257,101 @@ lpfc_handle_latt(struct lpfc_hba *phba) + return; + } + ++static void ++lpfc_fill_vpd(struct lpfc_hba *phba, uint8_t *vpd, int length, int *pindex) ++{ ++ int i, j; ++ ++ while (length > 0) { ++ /* Look for Serial Number */ ++ if ((vpd[*pindex] == 'S') && (vpd[*pindex + 1] == 'N')) { ++ *pindex += 2; ++ i = vpd[*pindex]; ++ *pindex += 1; ++ j = 0; ++ length -= (3+i); ++ while (i--) { ++ phba->SerialNumber[j++] = vpd[(*pindex)++]; ++ if (j == 31) ++ break; ++ } ++ phba->SerialNumber[j] = 0; ++ continue; ++ } else if ((vpd[*pindex] == 'V') && (vpd[*pindex + 1] == '1')) { ++ phba->vpd_flag |= VPD_MODEL_DESC; ++ *pindex += 2; ++ i = vpd[*pindex]; ++ *pindex += 1; ++ j = 0; ++ length -= (3+i); ++ while (i--) { ++ phba->ModelDesc[j++] = vpd[(*pindex)++]; ++ if (j == 255) ++ break; ++ } ++ phba->ModelDesc[j] = 0; ++ continue; ++ } else if ((vpd[*pindex] == 'V') && (vpd[*pindex + 1] == '2')) { ++ phba->vpd_flag |= VPD_MODEL_NAME; ++ *pindex += 2; ++ i = vpd[*pindex]; ++ *pindex += 1; ++ j = 0; ++ length -= (3+i); ++ while (i--) { ++ phba->ModelName[j++] = vpd[(*pindex)++]; ++ if (j == 79) ++ break; ++ } ++ phba->ModelName[j] = 0; ++ continue; ++ } else if ((vpd[*pindex] == 'V') && (vpd[*pindex + 1] == '3')) { ++ phba->vpd_flag |= VPD_PROGRAM_TYPE; ++ *pindex += 2; ++ i = vpd[*pindex]; ++ *pindex += 1; ++ j = 0; ++ length -= (3+i); ++ while (i--) { ++ phba->ProgramType[j++] = vpd[(*pindex)++]; ++ if (j == 255) ++ break; ++ } ++ phba->ProgramType[j] = 0; ++ continue; ++ } else if ((vpd[*pindex] == 'V') && (vpd[*pindex + 1] == '4')) { ++ phba->vpd_flag |= VPD_PORT; ++ *pindex += 2; ++ i = vpd[*pindex]; ++ *pindex += 1; ++ j = 0; ++ length -= (3 + i); ++ while (i--) { ++ if ((phba->sli_rev == LPFC_SLI_REV4) && ++ (phba->sli4_hba.pport_name_sta == ++ LPFC_SLI4_PPNAME_GET)) { ++ j++; ++ (*pindex)++; ++ } else ++ phba->Port[j++] = vpd[(*pindex)++]; ++ if (j == 19) ++ break; ++ } ++ if ((phba->sli_rev != LPFC_SLI_REV4) || ++ (phba->sli4_hba.pport_name_sta == ++ LPFC_SLI4_PPNAME_NON)) ++ phba->Port[j] = 0; ++ continue; ++ } else { ++ *pindex += 2; ++ i = vpd[*pindex]; ++ *pindex += 1; ++ *pindex += i; ++ length -= (3 + i); ++ } ++ } ++} ++ + /** + * lpfc_parse_vpd - Parse VPD (Vital Product Data) + * @phba: pointer to lpfc hba data structure. +@@ -2277,7 +2371,7 @@ lpfc_parse_vpd(struct lpfc_hba *phba, uint8_t *vpd, int len) + { + uint8_t lenlo, lenhi; + int Length; +- int i, j; ++ int i; + int finished = 0; + int index = 0; + +@@ -2310,101 +2404,10 @@ lpfc_parse_vpd(struct lpfc_hba *phba, uint8_t *vpd, int len) + Length = ((((unsigned short)lenhi) << 8) + lenlo); + if (Length > len - index) + Length = len - index; +- while (Length > 0) { +- /* Look for Serial Number */ +- if ((vpd[index] == 'S') && (vpd[index+1] == 'N')) { +- index += 2; +- i = vpd[index]; +- index += 1; +- j = 0; +- Length -= (3+i); +- while(i--) { +- phba->SerialNumber[j++] = vpd[index++]; +- if (j == 31) +- break; +- } +- phba->SerialNumber[j] = 0; +- continue; +- } +- else if ((vpd[index] == 'V') && (vpd[index+1] == '1')) { +- phba->vpd_flag |= VPD_MODEL_DESC; +- index += 2; +- i = vpd[index]; +- index += 1; +- j = 0; +- Length -= (3+i); +- while(i--) { +- phba->ModelDesc[j++] = vpd[index++]; +- if (j == 255) +- break; +- } +- phba->ModelDesc[j] = 0; +- continue; +- } +- else if ((vpd[index] == 'V') && (vpd[index+1] == '2')) { +- phba->vpd_flag |= VPD_MODEL_NAME; +- index += 2; +- i = vpd[index]; +- index += 1; +- j = 0; +- Length -= (3+i); +- while(i--) { +- phba->ModelName[j++] = vpd[index++]; +- if (j == 79) +- break; +- } +- phba->ModelName[j] = 0; +- continue; +- } +- else if ((vpd[index] == 'V') && (vpd[index+1] == '3')) { +- phba->vpd_flag |= VPD_PROGRAM_TYPE; +- index += 2; +- i = vpd[index]; +- index += 1; +- j = 0; +- Length -= (3+i); +- while(i--) { +- phba->ProgramType[j++] = vpd[index++]; +- if (j == 255) +- break; +- } +- phba->ProgramType[j] = 0; +- continue; +- } +- else if ((vpd[index] == 'V') && (vpd[index+1] == '4')) { +- phba->vpd_flag |= VPD_PORT; +- index += 2; +- i = vpd[index]; +- index += 1; +- j = 0; +- Length -= (3+i); +- while(i--) { +- if ((phba->sli_rev == LPFC_SLI_REV4) && +- (phba->sli4_hba.pport_name_sta == +- LPFC_SLI4_PPNAME_GET)) { +- j++; +- index++; +- } else +- phba->Port[j++] = vpd[index++]; +- if (j == 19) +- break; +- } +- if ((phba->sli_rev != LPFC_SLI_REV4) || +- (phba->sli4_hba.pport_name_sta == +- LPFC_SLI4_PPNAME_NON)) +- phba->Port[j] = 0; +- continue; +- } +- else { +- index += 2; +- i = vpd[index]; +- index += 1; +- index += i; +- Length -= (3 + i); +- } +- } +- finished = 0; +- break; ++ ++ lpfc_fill_vpd(phba, vpd, Length, &index); ++ finished = 0; ++ break; + case 0x78: + finished = 1; + break; +@@ -8278,8 +8281,10 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba) + &phba->pcidev->dev, + phba->cfg_sg_dma_buf_size, + i, 0); +- if (!phba->lpfc_sg_dma_buf_pool) ++ if (!phba->lpfc_sg_dma_buf_pool) { ++ rc = -ENOMEM; + goto out_free_bsmbx; ++ } + + phba->lpfc_cmd_rsp_buf_pool = + dma_pool_create("lpfc_cmd_rsp_buf_pool", +@@ -8287,8 +8292,10 @@ lpfc_sli4_driver_resource_setup(struct lpfc_hba *phba) + sizeof(struct fcp_cmnd) + + sizeof(struct fcp_rsp), + i, 0); +- if (!phba->lpfc_cmd_rsp_buf_pool) ++ if (!phba->lpfc_cmd_rsp_buf_pool) { ++ rc = -ENOMEM; + goto out_free_sg_dma_buf; ++ } + + mempool_free(mboxq, phba->mbox_mem_pool); + +@@ -12379,7 +12386,7 @@ lpfc_hba_eq_hdl_array_init(struct lpfc_hba *phba) + + for (i = 0; i < phba->cfg_irq_chann; i++) { + eqhdl = lpfc_get_eq_hdl(i); +- eqhdl->irq = LPFC_VECTOR_MAP_EMPTY; ++ eqhdl->irq = LPFC_IRQ_EMPTY; + eqhdl->phba = phba; + } + } +@@ -12752,7 +12759,7 @@ static void __lpfc_cpuhp_remove(struct lpfc_hba *phba) + + static void lpfc_cpuhp_remove(struct lpfc_hba *phba) + { +- if (phba->pport->fc_flag & FC_OFFLINE_MODE) ++ if (phba->pport && (phba->pport->fc_flag & FC_OFFLINE_MODE)) + return; + + __lpfc_cpuhp_remove(phba); +@@ -13016,9 +13023,17 @@ lpfc_sli4_enable_msix(struct lpfc_hba *phba) + LPFC_DRIVER_HANDLER_NAME"%d", index); + + eqhdl->idx = index; +- rc = request_irq(pci_irq_vector(phba->pcidev, index), +- &lpfc_sli4_hba_intr_handler, 0, +- name, eqhdl); ++ rc = pci_irq_vector(phba->pcidev, index); ++ if (rc < 0) { ++ lpfc_printf_log(phba, KERN_WARNING, LOG_INIT, ++ "0489 MSI-X fast-path (%d) " ++ "pci_irq_vec failed (%d)\n", index, rc); ++ goto cfg_fail_out; ++ } ++ eqhdl->irq = rc; ++ ++ rc = request_irq(eqhdl->irq, &lpfc_sli4_hba_intr_handler, 0, ++ name, eqhdl); + if (rc) { + lpfc_printf_log(phba, KERN_WARNING, LOG_INIT, + "0486 MSI-X fast-path (%d) " +@@ -13026,8 +13041,6 @@ lpfc_sli4_enable_msix(struct lpfc_hba *phba) + goto cfg_fail_out; + } + +- eqhdl->irq = pci_irq_vector(phba->pcidev, index); +- + if (aff_mask) { + /* If found a neighboring online cpu, set affinity */ + if (cpu_select < nr_cpu_ids) +@@ -13144,7 +13157,14 @@ lpfc_sli4_enable_msi(struct lpfc_hba *phba) + } + + eqhdl = lpfc_get_eq_hdl(0); +- eqhdl->irq = pci_irq_vector(phba->pcidev, 0); ++ rc = pci_irq_vector(phba->pcidev, 0); ++ if (rc < 0) { ++ pci_free_irq_vectors(phba->pcidev); ++ lpfc_printf_log(phba, KERN_WARNING, LOG_INIT, ++ "0496 MSI pci_irq_vec failed (%d)\n", rc); ++ return rc; ++ } ++ eqhdl->irq = rc; + + cpu = cpumask_first(cpu_present_mask); + lpfc_assign_eq_map_info(phba, 0, LPFC_CPU_FIRST_IRQ, cpu); +@@ -13171,8 +13191,8 @@ lpfc_sli4_enable_msi(struct lpfc_hba *phba) + * MSI-X -> MSI -> IRQ. + * + * Return codes +- * 0 - successful +- * other values - error ++ * Interrupt mode (2, 1, 0) - successful ++ * LPFC_INTR_ERROR - error + **/ + static uint32_t + lpfc_sli4_enable_intr(struct lpfc_hba *phba, uint32_t cfg_mode) +@@ -13217,7 +13237,14 @@ lpfc_sli4_enable_intr(struct lpfc_hba *phba, uint32_t cfg_mode) + intr_mode = 0; + + eqhdl = lpfc_get_eq_hdl(0); +- eqhdl->irq = pci_irq_vector(phba->pcidev, 0); ++ retval = pci_irq_vector(phba->pcidev, 0); ++ if (retval < 0) { ++ lpfc_printf_log(phba, KERN_WARNING, LOG_INIT, ++ "0502 INTR pci_irq_vec failed (%d)\n", ++ retval); ++ return LPFC_INTR_ERROR; ++ } ++ eqhdl->irq = retval; + + cpu = cpumask_first(cpu_present_mask); + lpfc_assign_eq_map_info(phba, 0, LPFC_CPU_FIRST_IRQ, +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index 55c9eb39ea19..03c21167fc85 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -6202,6 +6202,9 @@ lpfc_sli4_get_avail_extnt_rsrc(struct lpfc_hba *phba, uint16_t type, + struct lpfc_mbx_get_rsrc_extent_info *rsrc_info; + LPFC_MBOXQ_t *mbox; + ++ *extnt_count = 0; ++ *extnt_size = 0; ++ + mbox = (LPFC_MBOXQ_t *) mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL); + if (!mbox) + return -ENOMEM; +diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h +index 1ddad5b170a6..cbb1aa1cf025 100644 +--- a/drivers/scsi/lpfc/lpfc_sli4.h ++++ b/drivers/scsi/lpfc/lpfc_sli4.h +@@ -489,7 +489,7 @@ struct lpfc_hba; + #define LPFC_SLI4_HANDLER_NAME_SZ 16 + struct lpfc_hba_eq_hdl { + uint32_t idx; +- uint16_t irq; ++ int irq; + char handler_name[LPFC_SLI4_HANDLER_NAME_SZ]; + struct lpfc_hba *phba; + struct lpfc_queue *eq; +@@ -611,6 +611,8 @@ struct lpfc_vector_map_info { + }; + #define LPFC_VECTOR_MAP_EMPTY 0xffff + ++#define LPFC_IRQ_EMPTY 0xffffffff ++ + /* Multi-XRI pool */ + #define XRI_BATCH 8 + +diff --git a/drivers/scsi/lpfc/lpfc_vmid.c b/drivers/scsi/lpfc/lpfc_vmid.c +index f64ced04b912..ed1d7f7b88a3 100644 +--- a/drivers/scsi/lpfc/lpfc_vmid.c ++++ b/drivers/scsi/lpfc/lpfc_vmid.c +@@ -245,9 +245,7 @@ int lpfc_vmid_get_appid(struct lpfc_vport *vport, char *uuid, + /* allocate the per cpu variable for holding */ + /* the last access time stamp only if VMID is enabled */ + if (!vmp->last_io_time) +- vmp->last_io_time = __alloc_percpu(sizeof(u64), +- __alignof__(struct +- lpfc_vmid)); ++ vmp->last_io_time = alloc_percpu_gfp(u64, GFP_ATOMIC); + if (!vmp->last_io_time) { + hash_del(&vmp->hnode); + vmp->flag = LPFC_VMID_SLOT_FREE; +-- +2.35.1 + diff --git a/queue-6.0/scsi-pm8001-fix-running_req-for-internal-abort-comma.patch b/queue-6.0/scsi-pm8001-fix-running_req-for-internal-abort-comma.patch new file mode 100644 index 00000000000..72ac3aed263 --- /dev/null +++ b/queue-6.0/scsi-pm8001-fix-running_req-for-internal-abort-comma.patch @@ -0,0 +1,78 @@ +From 38ca8d5f01ce90c749aaf3d406508c6d14e54037 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 21:51:04 +0800 +Subject: scsi: pm8001: Fix running_req for internal abort commands + +From: John Garry + +[ Upstream commit d8c22c4697c11ed28062afe3c2b377025be11a23 ] + +Disabling the remote phy for a SATA disk causes a hang: + +root@(none)$ more /sys/class/sas_phy/phy-0:0:8/target_port_protocols +sata +root@(none)$ echo 0 > sys/class/sas_phy/phy-0:0:8/enable +root@(none)$ [ 67.855950] sas: ex 500e004aaaaaaa1f phy08 change count has changed +[ 67.920585] sd 0:0:2:0: [sdc] Synchronizing SCSI cache +[ 67.925780] sd 0:0:2:0: [sdc] Synchronize Cache(10) failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK +[ 67.935094] sd 0:0:2:0: [sdc] Stopping disk +[ 67.939305] sd 0:0:2:0: [sdc] Start/Stop Unit failed: Result: hostbyte=0x04 driverbyte=DRIVER_OK +... +[ 123.998998] INFO: task kworker/u192:1:642 blocked for more than 30 seconds. +[ 124.005960] Not tainted 6.0.0-rc1-205202-gf26f8f761e83 #218 +[ 124.012049] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 124.019872] task:kworker/u192:1 state:D stack:0 pid: 642 ppid: 2 flags:0x00000008 +[ 124.028223] Workqueue: 0000:04:00.0_event_q sas_port_event_worker +[ 124.034319] Call trace: +[ 124.036758] __switch_to+0x128/0x278 +[ 124.040333] __schedule+0x434/0xa58 +[ 124.043820] schedule+0x94/0x138 +[ 124.047045] schedule_timeout+0x2fc/0x368 +[ 124.051052] wait_for_completion+0xdc/0x200 +[ 124.055234] __flush_workqueue+0x1a8/0x708 +[ 124.059328] sas_porte_broadcast_rcvd+0xa8/0xc0 +[ 124.063858] sas_port_event_worker+0x60/0x98 +[ 124.068126] process_one_work+0x3f8/0x660 +[ 124.072134] worker_thread+0x70/0x700 +[ 124.075793] kthread+0x1a4/0x1b8 +[ 124.079014] ret_from_fork+0x10/0x20 + +The issue is that the per-device running_req read in +pm8001_dev_gone_notify() never goes to zero and we never make progress. +This is caused by missing accounting for running_req for when an internal +abort command completes. + +In commit 2cbbf489778e ("scsi: pm8001: Use libsas internal abort support") +we started to send internal abort commands as a proper sas_task. In this +when we deliver a sas_task to HW the per-device running_req is incremented +in pm8001_queue_command(). However it is never decremented for internal +abort commnds, so decrement in pm8001_mpi_task_abort_resp(). + +Link: https://lore.kernel.org/r/1663854664-76165-1-git-send-email-john.garry@huawei.com +Fixes: 2cbbf489778e ("scsi: pm8001: Use libsas internal abort support") +Acked-by: Jack Wang +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_hwi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c +index 91d78d0a38fe..628b08ba6770 100644 +--- a/drivers/scsi/pm8001/pm8001_hwi.c ++++ b/drivers/scsi/pm8001/pm8001_hwi.c +@@ -3612,6 +3612,10 @@ int pm8001_mpi_task_abort_resp(struct pm8001_hba_info *pm8001_ha, void *piomb) + pm8001_dbg(pm8001_ha, FAIL, " TASK NULL. RETURNING !!!\n"); + return -1; + } ++ ++ if (t->task_proto == SAS_PROTOCOL_INTERNAL_ABORT) ++ atomic_dec(&pm8001_dev->running_req); ++ + ts = &t->task_status; + if (status != 0) + pm8001_dbg(pm8001_ha, FAIL, "task abort failed status 0x%x ,tag = 0x%x, scp= 0x%x\n", +-- +2.35.1 + diff --git a/queue-6.0/scsi-tracing-fix-compile-error-in-trace_array-calls-.patch b/queue-6.0/scsi-tracing-fix-compile-error-in-trace_array-calls-.patch new file mode 100644 index 00000000000..98bfa6c44e1 --- /dev/null +++ b/queue-6.0/scsi-tracing-fix-compile-error-in-trace_array-calls-.patch @@ -0,0 +1,100 @@ +From 7c941da1629502ebb7a3b62955d954bd8d1c4bfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:33:08 -0700 +Subject: scsi: tracing: Fix compile error in trace_array calls when TRACING is + disabled + +From: Arun Easi + +[ Upstream commit 1a77dd1c2bb5d4a58c16d198cf593720787c02e4 ] + +Fix this compilation error seen when CONFIG_TRACING is not enabled: + +drivers/scsi/qla2xxx/qla_os.c: In function 'qla_trace_init': +drivers/scsi/qla2xxx/qla_os.c:2854:25: error: implicit declaration of function +'trace_array_get_by_name'; did you mean 'trace_array_set_clr_event'? +[-Werror=implicit-function-declaration] + 2854 | qla_trc_array = trace_array_get_by_name("qla2xxx"); + | ^~~~~~~~~~~~~~~~~~~~~~~ + | trace_array_set_clr_event + +drivers/scsi/qla2xxx/qla_os.c: In function 'qla_trace_uninit': +drivers/scsi/qla2xxx/qla_os.c:2869:9: error: implicit declaration of function +'trace_array_put' [-Werror=implicit-function-declaration] + 2869 | trace_array_put(qla_trc_array); + | ^~~~~~~~~~~~~~~ + +Link: https://lore.kernel.org/r/20220907233308.4153-2-aeasi@marvell.com +Reported-by: kernel test robot +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Arun Easi +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + include/linux/trace.h | 36 ++++++++++++++++++++++++++++++++++-- + 1 file changed, 34 insertions(+), 2 deletions(-) + +diff --git a/include/linux/trace.h b/include/linux/trace.h +index bf169612ffe1..b5e16e438448 100644 +--- a/include/linux/trace.h ++++ b/include/linux/trace.h +@@ -2,8 +2,6 @@ + #ifndef _LINUX_TRACE_H + #define _LINUX_TRACE_H + +-#ifdef CONFIG_TRACING +- + #define TRACE_EXPORT_FUNCTION BIT(0) + #define TRACE_EXPORT_EVENT BIT(1) + #define TRACE_EXPORT_MARKER BIT(2) +@@ -28,6 +26,8 @@ struct trace_export { + int flags; + }; + ++#ifdef CONFIG_TRACING ++ + int register_ftrace_export(struct trace_export *export); + int unregister_ftrace_export(struct trace_export *export); + +@@ -48,6 +48,38 @@ void osnoise_arch_unregister(void); + void osnoise_trace_irq_entry(int id); + void osnoise_trace_irq_exit(int id, const char *desc); + ++#else /* CONFIG_TRACING */ ++static inline int register_ftrace_export(struct trace_export *export) ++{ ++ return -EINVAL; ++} ++static inline int unregister_ftrace_export(struct trace_export *export) ++{ ++ return 0; ++} ++static inline void trace_printk_init_buffers(void) ++{ ++} ++static inline int trace_array_printk(struct trace_array *tr, unsigned long ip, ++ const char *fmt, ...) ++{ ++ return 0; ++} ++static inline int trace_array_init_printk(struct trace_array *tr) ++{ ++ return -EINVAL; ++} ++static inline void trace_array_put(struct trace_array *tr) ++{ ++} ++static inline struct trace_array *trace_array_get_by_name(const char *name) ++{ ++ return NULL; ++} ++static inline int trace_array_destroy(struct trace_array *tr) ++{ ++ return 0; ++} + #endif /* CONFIG_TRACING */ + + #endif /* _LINUX_TRACE_H */ +-- +2.35.1 + diff --git a/queue-6.0/sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch b/queue-6.0/sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch new file mode 100644 index 00000000000..e5cf635618c --- /dev/null +++ b/queue-6.0/sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch @@ -0,0 +1,79 @@ +From 5ba0fd9222b646e08d75aa1af243f7d1f0f55e8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 14:10:13 -0400 +Subject: sctp: handle the error returned from sctp_auth_asoc_init_active_key + +From: Xin Long + +[ Upstream commit 022152aaebe116a25c39818a07e175a8cd3c1e11 ] + +When it returns an error from sctp_auth_asoc_init_active_key(), the +active_key is actually not updated. The old sh_key will be freeed +while it's still used as active key in asoc. Then an use-after-free +will be triggered when sending patckets, as found by syzbot: + + sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 + sctp_set_owner_w net/sctp/socket.c:132 [inline] + sctp_sendmsg_to_asoc+0xbd5/0x1a20 net/sctp/socket.c:1863 + sctp_sendmsg+0x1053/0x1d50 net/sctp/socket.c:2025 + inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg+0xcf/0x120 net/socket.c:734 + +This patch is to fix it by not replacing the sh_key when it returns +errors from sctp_auth_asoc_init_active_key() in sctp_auth_set_key(). +For sctp_auth_set_active_key(), old active_key_id will be set back +to asoc->active_key_id when the same thing happens. + +Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced") +Reported-by: syzbot+a236dd8e9622ed8954a3@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/auth.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/net/sctp/auth.c b/net/sctp/auth.c +index db6b7373d16c..34964145514e 100644 +--- a/net/sctp/auth.c ++++ b/net/sctp/auth.c +@@ -863,12 +863,17 @@ int sctp_auth_set_key(struct sctp_endpoint *ep, + } + + list_del_init(&shkey->key_list); +- sctp_auth_shkey_release(shkey); + list_add(&cur_key->key_list, sh_keys); + +- if (asoc && asoc->active_key_id == auth_key->sca_keynumber) +- sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL); ++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber && ++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) { ++ list_del_init(&cur_key->key_list); ++ sctp_auth_shkey_release(cur_key); ++ list_add(&shkey->key_list, sh_keys); ++ return -ENOMEM; ++ } + ++ sctp_auth_shkey_release(shkey); + return 0; + } + +@@ -902,8 +907,13 @@ int sctp_auth_set_active_key(struct sctp_endpoint *ep, + return -EINVAL; + + if (asoc) { ++ __u16 active_key_id = asoc->active_key_id; ++ + asoc->active_key_id = key_id; +- sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL); ++ if (sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)) { ++ asoc->active_key_id = active_key_id; ++ return -ENOMEM; ++ } + } else + ep->active_key_id = key_id; + +-- +2.35.1 + diff --git a/queue-6.0/selftest-tpm2-add-client.__del__-to-close-dev-tpm-ha.patch b/queue-6.0/selftest-tpm2-add-client.__del__-to-close-dev-tpm-ha.patch new file mode 100644 index 00000000000..f7178c80d8b --- /dev/null +++ b/queue-6.0/selftest-tpm2-add-client.__del__-to-close-dev-tpm-ha.patch @@ -0,0 +1,49 @@ +From fb9cc305a00a3aca92bd52434ab0b78accf0937f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 09:15:18 -0400 +Subject: selftest: tpm2: Add Client.__del__() to close /dev/tpm* handle + +From: Stefan Berger + +[ Upstream commit 2d869f0b458547386fbcd8cf3004b271b7347b7f ] + +The following output can bee seen when the test is executed: + + test_flush_context (tpm2_tests.SpaceTest) ... \ + /usr/lib64/python3.6/unittest/case.py:605: ResourceWarning: \ + unclosed file <_io.FileIO name='/dev/tpmrm0' mode='rb+' closefd=True> + +An instance of Client does not implicitly close /dev/tpm* handle, once it +gets destroyed. Close the file handle in the class destructor +Client.__del__(). + +Fixes: 6ea3dfe1e0732 ("selftests: add TPM 2.0 tests") +Cc: Shuah Khan +Cc: linux-kselftest@vger.kernel.org +Cc: Jarkko Sakkinen +Signed-off-by: Stefan Berger +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/tpm2/tpm2.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/tpm2/tpm2.py b/tools/testing/selftests/tpm2/tpm2.py +index 057a4f49c79d..c7363c6764fc 100644 +--- a/tools/testing/selftests/tpm2/tpm2.py ++++ b/tools/testing/selftests/tpm2/tpm2.py +@@ -371,6 +371,10 @@ class Client: + fcntl.fcntl(self.tpm, fcntl.F_SETFL, flags) + self.tpm_poll = select.poll() + ++ def __del__(self): ++ if self.tpm: ++ self.tpm.close() ++ + def close(self): + self.tpm.close() + +-- +2.35.1 + diff --git a/queue-6.0/selftests-bpf-adapt-cgroup-effective-query-uapi-chan.patch b/queue-6.0/selftests-bpf-adapt-cgroup-effective-query-uapi-chan.patch new file mode 100644 index 00000000000..1b0877b44c9 --- /dev/null +++ b/queue-6.0/selftests-bpf-adapt-cgroup-effective-query-uapi-chan.patch @@ -0,0 +1,65 @@ +From bf4d2cb995fafcda7f5bca658be117d2dd835d0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 10:46:04 +0000 +Subject: selftests/bpf: Adapt cgroup effective query uapi change + +From: Pu Lehui + +[ Upstream commit d2aa993b7d9de6deeb1df6c9a6b9b6193c337cc6 ] + +The attach flags is meaningless for effective query and +its value will always be set as 0 during effective query. +Root cg's effective progs is always its attached progs, +so we use non-effective query to get its progs count and +attach flags. And we don't need the remain attach flags +check. + +Fixes: b79c9fc9551b ("bpf: implement BPF_PROG_QUERY for BPF_LSM_CGROUP") +Signed-off-by: Pu Lehui +Link: https://lore.kernel.org/r/20220921104604.2340580-4-pulehui@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/cgroup_link.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/cgroup_link.c b/tools/testing/selftests/bpf/prog_tests/cgroup_link.c +index 9e6e6aad347c..15093a69510e 100644 +--- a/tools/testing/selftests/bpf/prog_tests/cgroup_link.c ++++ b/tools/testing/selftests/bpf/prog_tests/cgroup_link.c +@@ -71,10 +71,9 @@ void serial_test_cgroup_link(void) + + ping_and_check(cg_nr, 0); + +- /* query the number of effective progs and attach flags in root cg */ ++ /* query the number of attached progs and attach flags in root cg */ + err = bpf_prog_query(cgs[0].fd, BPF_CGROUP_INET_EGRESS, +- BPF_F_QUERY_EFFECTIVE, &attach_flags, NULL, +- &prog_cnt); ++ 0, &attach_flags, NULL, &prog_cnt); + CHECK_FAIL(err); + CHECK_FAIL(attach_flags != BPF_F_ALLOW_MULTI); + if (CHECK(prog_cnt != 1, "effect_cnt", "exp %d, got %d\n", 1, prog_cnt)) +@@ -85,17 +84,15 @@ void serial_test_cgroup_link(void) + BPF_F_QUERY_EFFECTIVE, NULL, NULL, + &prog_cnt); + CHECK_FAIL(err); +- CHECK_FAIL(attach_flags != BPF_F_ALLOW_MULTI); + if (CHECK(prog_cnt != cg_nr, "effect_cnt", "exp %d, got %d\n", + cg_nr, prog_cnt)) + goto cleanup; + + /* query the effective prog IDs in last cg */ + err = bpf_prog_query(cgs[last_cg].fd, BPF_CGROUP_INET_EGRESS, +- BPF_F_QUERY_EFFECTIVE, &attach_flags, +- prog_ids, &prog_cnt); ++ BPF_F_QUERY_EFFECTIVE, NULL, prog_ids, ++ &prog_cnt); + CHECK_FAIL(err); +- CHECK_FAIL(attach_flags != BPF_F_ALLOW_MULTI); + if (CHECK(prog_cnt != cg_nr, "effect_cnt", "exp %d, got %d\n", + cg_nr, prog_cnt)) + goto cleanup; +-- +2.35.1 + diff --git a/queue-6.0/selftests-bpf-free-the-allocated-resources-after-tes.patch b/queue-6.0/selftests-bpf-free-the-allocated-resources-after-tes.patch new file mode 100644 index 00000000000..1a36a02c068 --- /dev/null +++ b/queue-6.0/selftests-bpf-free-the-allocated-resources-after-tes.patch @@ -0,0 +1,196 @@ +From 6ff592adc24a9b58e2b12520cef230f24d59d689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 15:00:35 +0800 +Subject: selftests/bpf: Free the allocated resources after test case succeeds + +From: Hou Tao + +[ Upstream commit 103d002fb7d548fb1187e350f2b73788558128b9 ] + +Free the created fd or allocated bpf_object after test case succeeds, +else there will be resource leaks. + +Spotted by using address sanitizer and checking the content of +/proc/$pid/fd directory. + +Signed-off-by: Hou Tao +Link: https://lore.kernel.org/r/20220921070035.2016413-3-houtao@huaweicloud.com +Signed-off-by: Martin KaFai Lau +Signed-off-by: Sasha Levin +--- + .../bpf/map_tests/array_map_batch_ops.c | 2 ++ + .../bpf/map_tests/htab_map_batch_ops.c | 2 ++ + .../bpf/map_tests/lpm_trie_map_batch_ops.c | 2 ++ + tools/testing/selftests/bpf/test_maps.c | 24 ++++++++++++------- + 4 files changed, 21 insertions(+), 9 deletions(-) + +diff --git a/tools/testing/selftests/bpf/map_tests/array_map_batch_ops.c b/tools/testing/selftests/bpf/map_tests/array_map_batch_ops.c +index 78c76496b14a..b595556315bc 100644 +--- a/tools/testing/selftests/bpf/map_tests/array_map_batch_ops.c ++++ b/tools/testing/selftests/bpf/map_tests/array_map_batch_ops.c +@@ -3,6 +3,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -137,6 +138,7 @@ static void __test_map_lookup_and_update_batch(bool is_pcpu) + free(keys); + free(values); + free(visited); ++ close(map_fd); + } + + static void array_map_batch_ops(void) +diff --git a/tools/testing/selftests/bpf/map_tests/htab_map_batch_ops.c b/tools/testing/selftests/bpf/map_tests/htab_map_batch_ops.c +index f807d53fd8dd..1230ccf90128 100644 +--- a/tools/testing/selftests/bpf/map_tests/htab_map_batch_ops.c ++++ b/tools/testing/selftests/bpf/map_tests/htab_map_batch_ops.c +@@ -3,6 +3,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -255,6 +256,7 @@ void __test_map_lookup_and_delete_batch(bool is_pcpu) + free(visited); + if (!is_pcpu) + free(values); ++ close(map_fd); + } + + void htab_map_batch_ops(void) +diff --git a/tools/testing/selftests/bpf/map_tests/lpm_trie_map_batch_ops.c b/tools/testing/selftests/bpf/map_tests/lpm_trie_map_batch_ops.c +index 87d07b596e17..b66d56ddb7ef 100644 +--- a/tools/testing/selftests/bpf/map_tests/lpm_trie_map_batch_ops.c ++++ b/tools/testing/selftests/bpf/map_tests/lpm_trie_map_batch_ops.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -150,4 +151,5 @@ void test_lpm_trie_map_batch_ops(void) + free(keys); + free(values); + free(visited); ++ close(map_fd); + } +diff --git a/tools/testing/selftests/bpf/test_maps.c b/tools/testing/selftests/bpf/test_maps.c +index cbebfaa7c1e8..4d42ffea0038 100644 +--- a/tools/testing/selftests/bpf/test_maps.c ++++ b/tools/testing/selftests/bpf/test_maps.c +@@ -658,13 +658,13 @@ static void test_sockmap(unsigned int tasks, void *data) + { + struct bpf_map *bpf_map_rx, *bpf_map_tx, *bpf_map_msg, *bpf_map_break; + int map_fd_msg = 0, map_fd_rx = 0, map_fd_tx = 0, map_fd_break; ++ struct bpf_object *parse_obj, *verdict_obj, *msg_obj; + int ports[] = {50200, 50201, 50202, 50204}; + int err, i, fd, udp, sfd[6] = {0xdeadbeef}; + u8 buf[20] = {0x0, 0x5, 0x3, 0x2, 0x1, 0x0}; + int parse_prog, verdict_prog, msg_prog; + struct sockaddr_in addr; + int one = 1, s, sc, rc; +- struct bpf_object *obj; + struct timeval to; + __u32 key, value; + pid_t pid[tasks]; +@@ -760,6 +760,7 @@ static void test_sockmap(unsigned int tasks, void *data) + i, udp); + goto out_sockmap; + } ++ close(udp); + + /* Test update without programs */ + for (i = 0; i < 6; i++) { +@@ -822,27 +823,27 @@ static void test_sockmap(unsigned int tasks, void *data) + + /* Load SK_SKB program and Attach */ + err = bpf_prog_test_load(SOCKMAP_PARSE_PROG, +- BPF_PROG_TYPE_SK_SKB, &obj, &parse_prog); ++ BPF_PROG_TYPE_SK_SKB, &parse_obj, &parse_prog); + if (err) { + printf("Failed to load SK_SKB parse prog\n"); + goto out_sockmap; + } + + err = bpf_prog_test_load(SOCKMAP_TCP_MSG_PROG, +- BPF_PROG_TYPE_SK_MSG, &obj, &msg_prog); ++ BPF_PROG_TYPE_SK_MSG, &msg_obj, &msg_prog); + if (err) { + printf("Failed to load SK_SKB msg prog\n"); + goto out_sockmap; + } + + err = bpf_prog_test_load(SOCKMAP_VERDICT_PROG, +- BPF_PROG_TYPE_SK_SKB, &obj, &verdict_prog); ++ BPF_PROG_TYPE_SK_SKB, &verdict_obj, &verdict_prog); + if (err) { + printf("Failed to load SK_SKB verdict prog\n"); + goto out_sockmap; + } + +- bpf_map_rx = bpf_object__find_map_by_name(obj, "sock_map_rx"); ++ bpf_map_rx = bpf_object__find_map_by_name(verdict_obj, "sock_map_rx"); + if (!bpf_map_rx) { + printf("Failed to load map rx from verdict prog\n"); + goto out_sockmap; +@@ -854,7 +855,7 @@ static void test_sockmap(unsigned int tasks, void *data) + goto out_sockmap; + } + +- bpf_map_tx = bpf_object__find_map_by_name(obj, "sock_map_tx"); ++ bpf_map_tx = bpf_object__find_map_by_name(verdict_obj, "sock_map_tx"); + if (!bpf_map_tx) { + printf("Failed to load map tx from verdict prog\n"); + goto out_sockmap; +@@ -866,7 +867,7 @@ static void test_sockmap(unsigned int tasks, void *data) + goto out_sockmap; + } + +- bpf_map_msg = bpf_object__find_map_by_name(obj, "sock_map_msg"); ++ bpf_map_msg = bpf_object__find_map_by_name(verdict_obj, "sock_map_msg"); + if (!bpf_map_msg) { + printf("Failed to load map msg from msg_verdict prog\n"); + goto out_sockmap; +@@ -878,7 +879,7 @@ static void test_sockmap(unsigned int tasks, void *data) + goto out_sockmap; + } + +- bpf_map_break = bpf_object__find_map_by_name(obj, "sock_map_break"); ++ bpf_map_break = bpf_object__find_map_by_name(verdict_obj, "sock_map_break"); + if (!bpf_map_break) { + printf("Failed to load map tx from verdict prog\n"); + goto out_sockmap; +@@ -1124,7 +1125,9 @@ static void test_sockmap(unsigned int tasks, void *data) + } + close(fd); + close(map_fd_rx); +- bpf_object__close(obj); ++ bpf_object__close(parse_obj); ++ bpf_object__close(msg_obj); ++ bpf_object__close(verdict_obj); + return; + out: + for (i = 0; i < 6; i++) +@@ -1282,8 +1285,11 @@ static void test_map_in_map(void) + printf("Inner map mim.inner was not destroyed\n"); + goto out_map_in_map; + } ++ ++ close(fd); + } + ++ bpf_object__close(obj); + return; + + out_map_in_map: +-- +2.35.1 + diff --git a/queue-6.0/selftests-cpu-hotplug-delete-fault-injection-related.patch b/queue-6.0/selftests-cpu-hotplug-delete-fault-injection-related.patch new file mode 100644 index 00000000000..6b0a6ba0cfd --- /dev/null +++ b/queue-6.0/selftests-cpu-hotplug-delete-fault-injection-related.patch @@ -0,0 +1,168 @@ +From de533dd26d836c4341d8ed0c72a628d3f45764d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 21:36:13 +0800 +Subject: selftests/cpu-hotplug: Delete fault injection related code + +From: Zhao Gongyi + +[ Upstream commit 195d74be717af14e5991f818f73f067367bfc1ed ] + +Delete fault injection related code since the module has been deleted. + +Signed-off-by: Zhao Gongyi +Signed-off-by: Shuah Khan +Stable-dep-of: 51d4c851465c ("selftests/cpu-hotplug: Reserve one cpu online at least") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/cpu-hotplug/config | 1 - + .../selftests/cpu-hotplug/cpu-on-off-test.sh | 87 ++----------------- + 2 files changed, 6 insertions(+), 82 deletions(-) + delete mode 100644 tools/testing/selftests/cpu-hotplug/config + +diff --git a/tools/testing/selftests/cpu-hotplug/config b/tools/testing/selftests/cpu-hotplug/config +deleted file mode 100644 +index d4aca2ad5069..000000000000 +--- a/tools/testing/selftests/cpu-hotplug/config ++++ /dev/null +@@ -1 +0,0 @@ +-CONFIG_NOTIFIER_ERROR_INJECTION=y +diff --git a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh +index 940b68c940bb..32ec7e4489ee 100755 +--- a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh ++++ b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh +@@ -116,10 +116,10 @@ online_cpu_expect_fail() + + if online_cpu $cpu 2> /dev/null; then + echo $FUNCNAME $cpu: unexpected success >&2 +- exit 1 ++ retval=1 + elif ! cpu_is_offline $cpu; then + echo $FUNCNAME $cpu: unexpected online >&2 +- exit 1 ++ retval=1 + fi + } + +@@ -142,16 +142,14 @@ offline_cpu_expect_fail() + + if offline_cpu $cpu 2> /dev/null; then + echo $FUNCNAME $cpu: unexpected success >&2 +- exit 1 ++ retval=1 + elif ! cpu_is_online $cpu; then + echo $FUNCNAME $cpu: unexpected offline >&2 +- exit 1 ++ retval=1 + fi + } + +-error=-12 + allcpus=0 +-priority=0 + online_cpus=0 + online_max=0 + offline_cpus=0 +@@ -159,31 +157,20 @@ offline_max=0 + present_cpus=0 + present_max=0 + +-while getopts e:ahp: opt; do ++while getopts ah opt; do + case $opt in +- e) +- error=$OPTARG +- ;; + a) + allcpus=1 + ;; + h) +- echo "Usage $0 [ -a ] [ -e errno ] [ -p notifier-priority ]" ++ echo "Usage $0 [ -a ]" + echo -e "\t default offline one cpu" + echo -e "\t run with -a option to offline all cpus" + exit + ;; +- p) +- priority=$OPTARG +- ;; + esac + done + +-if ! [ "$error" -ge -4095 -a "$error" -lt 0 ]; then +- echo "error code must be -4095 <= errno < 0" >&2 +- exit 1 +-fi +- + prerequisite + + # +@@ -231,66 +218,4 @@ for cpu in `hotplaggable_offline_cpus`; do + online_cpu_expect_success $cpu + done + +-# +-# Test with cpu notifier error injection +-# +- +-DEBUGFS=`mount -t debugfs | head -1 | awk '{ print $3 }'` +-NOTIFIER_ERR_INJECT_DIR=$DEBUGFS/notifier-error-inject/cpu +- +-prerequisite_extra() +-{ +- msg="skip extra tests:" +- +- /sbin/modprobe -q -r cpu-notifier-error-inject +- /sbin/modprobe -q cpu-notifier-error-inject priority=$priority +- +- if [ ! -d "$DEBUGFS" ]; then +- echo $msg debugfs is not mounted >&2 +- exit $ksft_skip +- fi +- +- if [ ! -d $NOTIFIER_ERR_INJECT_DIR ]; then +- echo $msg cpu-notifier-error-inject module is not available >&2 +- exit $ksft_skip +- fi +-} +- +-prerequisite_extra +- +-# +-# Offline all hot-pluggable CPUs +-# +-echo 0 > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_DOWN_PREPARE/error +-for cpu in `hotpluggable_online_cpus`; do +- offline_cpu_expect_success $cpu +-done +- +-# +-# Test CPU hot-add error handling (offline => online) +-# +-echo $error > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_UP_PREPARE/error +-for cpu in `hotplaggable_offline_cpus`; do +- online_cpu_expect_fail $cpu +-done +- +-# +-# Online all hot-pluggable CPUs +-# +-echo 0 > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_UP_PREPARE/error +-for cpu in `hotplaggable_offline_cpus`; do +- online_cpu_expect_success $cpu +-done +- +-# +-# Test CPU hot-remove error handling (online => offline) +-# +-echo $error > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_DOWN_PREPARE/error +-for cpu in `hotpluggable_online_cpus`; do +- offline_cpu_expect_fail $cpu +-done +- +-echo 0 > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_DOWN_PREPARE/error +-/sbin/modprobe -q -r cpu-notifier-error-inject +- + exit $retval +-- +2.35.1 + diff --git a/queue-6.0/selftests-cpu-hotplug-reserve-one-cpu-online-at-leas.patch b/queue-6.0/selftests-cpu-hotplug-reserve-one-cpu-online-at-leas.patch new file mode 100644 index 00000000000..8646ac0cf7a --- /dev/null +++ b/queue-6.0/selftests-cpu-hotplug-reserve-one-cpu-online-at-leas.patch @@ -0,0 +1,84 @@ +From 2a82b1166fcfd1a445e2a9afc5d6a1f498747df5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 21:36:14 +0800 +Subject: selftests/cpu-hotplug: Reserve one cpu online at least + +From: Zhao Gongyi + +[ Upstream commit 51d4c851465c32143d9c7b1cfb46fc581922b116 ] + +Considering that we can not offline all cpus in any cases, +we need to reserve one cpu online when the test offline all +hotpluggable online cpus, otherwise the test will fail forever. + +Fixes: d89dffa976bc ("fault-injection: add selftests for cpu and memory hotplug") + +Signed-off-by: Zhao Gongyi +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../selftests/cpu-hotplug/cpu-on-off-test.sh | 40 ++++++++++--------- + 1 file changed, 22 insertions(+), 18 deletions(-) + +diff --git a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh +index 32ec7e4489ee..4c1d6d9abecc 100755 +--- a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh ++++ b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh +@@ -149,6 +149,25 @@ offline_cpu_expect_fail() + fi + } + ++online_all_hot_pluggable_cpus() ++{ ++ for cpu in `hotplaggable_offline_cpus`; do ++ online_cpu_expect_success $cpu ++ done ++} ++ ++offline_all_hot_pluggable_cpus() ++{ ++ local reserve_cpu=$online_max ++ for cpu in `hotpluggable_online_cpus`; do ++ # Reserve one cpu oneline at least. ++ if [ $cpu -eq $reserve_cpu ];then ++ continue ++ fi ++ offline_cpu_expect_success $cpu ++ done ++} ++ + allcpus=0 + online_cpus=0 + online_max=0 +@@ -197,25 +216,10 @@ else + echo -e "\t online all offline cpus" + fi + +-# +-# Online all hot-pluggable CPUs +-# +-for cpu in `hotplaggable_offline_cpus`; do +- online_cpu_expect_success $cpu +-done ++online_all_hot_pluggable_cpus + +-# +-# Offline all hot-pluggable CPUs +-# +-for cpu in `hotpluggable_online_cpus`; do +- offline_cpu_expect_success $cpu +-done ++offline_all_hot_pluggable_cpus + +-# +-# Online all hot-pluggable CPUs again +-# +-for cpu in `hotplaggable_offline_cpus`; do +- online_cpu_expect_success $cpu +-done ++online_all_hot_pluggable_cpus + + exit $retval +-- +2.35.1 + diff --git a/queue-6.0/selftests-cpu-hotplug-use-return-instead-of-exit.patch b/queue-6.0/selftests-cpu-hotplug-use-return-instead-of-exit.patch new file mode 100644 index 00000000000..41f2d34c1c2 --- /dev/null +++ b/queue-6.0/selftests-cpu-hotplug-use-return-instead-of-exit.patch @@ -0,0 +1,77 @@ +From 4a91b8f907ddb37984a66b44a8a6f20dfb155db7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 21:36:12 +0800 +Subject: selftests/cpu-hotplug: Use return instead of exit + +From: Zhao Gongyi + +[ Upstream commit 972cf4ce51ef5532d56822af17defb148aac0ccb ] + +Some cpus will be left in offline state when online +function exits in some error conditions. Use return +instead of exit to fix it. + +Signed-off-by: Zhao Gongyi +Signed-off-by: Shuah Khan +Stable-dep-of: 51d4c851465c ("selftests/cpu-hotplug: Reserve one cpu online at least") +Signed-off-by: Sasha Levin +--- + .../selftests/cpu-hotplug/cpu-on-off-test.sh | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh +index 0d26b5e3f966..940b68c940bb 100755 +--- a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh ++++ b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh +@@ -4,6 +4,7 @@ + SYSFS= + # Kselftest framework requirement - SKIP code is 4. + ksft_skip=4 ++retval=0 + + prerequisite() + { +@@ -102,10 +103,10 @@ online_cpu_expect_success() + + if ! online_cpu $cpu; then + echo $FUNCNAME $cpu: unexpected fail >&2 +- exit 1 ++ retval=1 + elif ! cpu_is_online $cpu; then + echo $FUNCNAME $cpu: unexpected offline >&2 +- exit 1 ++ retval=1 + fi + } + +@@ -128,10 +129,10 @@ offline_cpu_expect_success() + + if ! offline_cpu $cpu; then + echo $FUNCNAME $cpu: unexpected fail >&2 +- exit 1 ++ retval=1 + elif ! cpu_is_offline $cpu; then + echo $FUNCNAME $cpu: unexpected offline >&2 +- exit 1 ++ retval=1 + fi + } + +@@ -201,7 +202,7 @@ if [ $allcpus -eq 0 ]; then + offline_cpu_expect_success $present_max + online_cpu $present_max + fi +- exit 0 ++ exit $retval + else + echo "Full scope test: all hotplug cpus" + echo -e "\t online all offline cpus" +@@ -291,3 +292,5 @@ done + + echo 0 > $NOTIFIER_ERR_INJECT_DIR/actions/CPU_DOWN_PREPARE/error + /sbin/modprobe -q -r cpu-notifier-error-inject ++ ++exit $retval +-- +2.35.1 + diff --git a/queue-6.0/selftests-vm-use-top_srcdir-instead-of-recomputing-r.patch b/queue-6.0/selftests-vm-use-top_srcdir-instead-of-recomputing-r.patch new file mode 100644 index 00000000000..0ea1b70d4bc --- /dev/null +++ b/queue-6.0/selftests-vm-use-top_srcdir-instead-of-recomputing-r.patch @@ -0,0 +1,85 @@ +From 785bb909c3ea8e8a4e94cbf9c2a338ff0a31e6d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 12:19:29 -0700 +Subject: selftests/vm: use top_srcdir instead of recomputing relative paths + +From: Axel Rasmussen + +[ Upstream commit 0e29bc0ebaabf4e5270a23fd5ccce06fac3e140d ] + +In various places both in t/t/s/v/Makefile as well as some of the test +sources, we were referring to headers or directories using some fairly +long relative paths. + +Since we have a working top_srcdir variable though, which refers to the +root of the kernel tree, we can clean up all of these "up and over" +relative paths, just relying on the single variable instead. + +Signed-off-by: Axel Rasmussen +Signed-off-by: Shuah Khan +Stable-dep-of: 51d4c851465c ("selftests/cpu-hotplug: Reserve one cpu online at least") +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vm/Makefile | 2 +- + tools/testing/selftests/vm/gup_test.c | 2 +- + tools/testing/selftests/vm/hmm-tests.c | 4 ++-- + tools/testing/selftests/vm/ksm_tests.c | 2 +- + 4 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/tools/testing/selftests/vm/Makefile b/tools/testing/selftests/vm/Makefile +index d9fa6a9ea584..d516b8c38eed 100644 +--- a/tools/testing/selftests/vm/Makefile ++++ b/tools/testing/selftests/vm/Makefile +@@ -25,7 +25,7 @@ MACHINE ?= $(shell echo $(uname_M) | sed -e 's/aarch64.*/arm64/' -e 's/ppc64.*/p + # LDLIBS. + MAKEFLAGS += --no-builtin-rules + +-CFLAGS = -Wall -I ../../../../usr/include $(EXTRA_CFLAGS) $(KHDR_INCLUDES) ++CFLAGS = -Wall -I $(top_srcdir) -I $(top_srcdir)/usr/include $(EXTRA_CFLAGS) $(KHDR_INCLUDES) + LDLIBS = -lrt -lpthread + TEST_GEN_FILES = compaction_test + TEST_GEN_FILES += gup_test +diff --git a/tools/testing/selftests/vm/gup_test.c b/tools/testing/selftests/vm/gup_test.c +index a309876d832f..e43879291dac 100644 +--- a/tools/testing/selftests/vm/gup_test.c ++++ b/tools/testing/selftests/vm/gup_test.c +@@ -10,7 +10,7 @@ + #include + #include + #include +-#include "../../../../mm/gup_test.h" ++#include + #include "../kselftest.h" + + #include "util.h" +diff --git a/tools/testing/selftests/vm/hmm-tests.c b/tools/testing/selftests/vm/hmm-tests.c +index 529f53b40296..98b949c279be 100644 +--- a/tools/testing/selftests/vm/hmm-tests.c ++++ b/tools/testing/selftests/vm/hmm-tests.c +@@ -35,8 +35,8 @@ + * This is a private UAPI to the kernel test module so it isn't exported + * in the usual include/uapi/... directory. + */ +-#include "../../../../lib/test_hmm_uapi.h" +-#include "../../../../mm/gup_test.h" ++#include ++#include + + struct hmm_buffer { + void *ptr; +diff --git a/tools/testing/selftests/vm/ksm_tests.c b/tools/testing/selftests/vm/ksm_tests.c +index f5e4e0bbd081..0d85be2350fa 100644 +--- a/tools/testing/selftests/vm/ksm_tests.c ++++ b/tools/testing/selftests/vm/ksm_tests.c +@@ -11,7 +11,7 @@ + #include + + #include "../kselftest.h" +-#include "../../../../include/vdso/time64.h" ++#include + #include "util.h" + + #define KSM_SYSFS_PATH "/sys/kernel/mm/ksm/" +-- +2.35.1 + diff --git a/queue-6.0/selftests-xsk-add-missing-close-on-netns-fd.patch b/queue-6.0/selftests-xsk-add-missing-close-on-netns-fd.patch new file mode 100644 index 00000000000..26b6e75029a --- /dev/null +++ b/queue-6.0/selftests-xsk-add-missing-close-on-netns-fd.patch @@ -0,0 +1,47 @@ +From 5cc397acdb0bb8ad4f18bf8e1526cabd291e3085 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 15:39:05 +0200 +Subject: selftests/xsk: Add missing close() on netns fd + +From: Maciej Fijalkowski + +[ Upstream commit 8a7d61bdc2fac2c460a2f32a062f5c6dbd21a764 ] + +Commit 1034b03e54ac ("selftests: xsk: Simplify cleanup of ifobjects") +removed close on netns fd, which is not correct, so let us restore it. + +Fixes: 1034b03e54ac ("selftests: xsk: Simplify cleanup of ifobjects") +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Link: https://lore.kernel.org/bpf/20220830133905.9945-1-maciej.fijalkowski@intel.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/xskxceiver.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/tools/testing/selftests/bpf/xskxceiver.c b/tools/testing/selftests/bpf/xskxceiver.c +index 74d56d971baf..091402dc5390 100644 +--- a/tools/testing/selftests/bpf/xskxceiver.c ++++ b/tools/testing/selftests/bpf/xskxceiver.c +@@ -1606,6 +1606,8 @@ static struct ifobject *ifobject_create(void) + if (!ifobj->umem) + goto out_umem; + ++ ifobj->ns_fd = -1; ++ + return ifobj; + + out_umem: +@@ -1617,6 +1619,8 @@ static struct ifobject *ifobject_create(void) + + static void ifobject_delete(struct ifobject *ifobj) + { ++ if (ifobj->ns_fd != -1) ++ close(ifobj->ns_fd); + free(ifobj->umem); + free(ifobj->xsk_arr); + free(ifobj); +-- +2.35.1 + diff --git a/queue-6.0/selftests-xsk-avoid-use-after-free-on-ctx.patch b/queue-6.0/selftests-xsk-avoid-use-after-free-on-ctx.patch new file mode 100644 index 00000000000..96dc5c77d3f --- /dev/null +++ b/queue-6.0/selftests-xsk-avoid-use-after-free-on-ctx.patch @@ -0,0 +1,49 @@ +From a51727d28f1f646ecee1bdfd00a477cdf9f36952 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 13:26:45 -0700 +Subject: selftests/xsk: Avoid use-after-free on ctx + +From: Ian Rogers + +[ Upstream commit af515a5587b8f45f19e11657746e0c89411b0380 ] + +The put lowers the reference count to 0 and frees ctx, reading it +afterwards is invalid. Move the put after the uses and determine the +last use by the reference count being 1. + +Fixes: 39e940d4abfa ("selftests/xsk: Destroy BPF resources only when ctx refcount drops to 0") +Signed-off-by: Ian Rogers +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Link: https://lore.kernel.org/bpf/20220901202645.1463552-1-irogers@google.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/xsk.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/bpf/xsk.c b/tools/testing/selftests/bpf/xsk.c +index f2721a4ae7c5..0b3ff49c740d 100644 +--- a/tools/testing/selftests/bpf/xsk.c ++++ b/tools/testing/selftests/bpf/xsk.c +@@ -1237,15 +1237,15 @@ void xsk_socket__delete(struct xsk_socket *xsk) + ctx = xsk->ctx; + umem = ctx->umem; + +- xsk_put_ctx(ctx, true); +- +- if (!ctx->refcount) { ++ if (ctx->refcount == 1) { + xsk_delete_bpf_maps(xsk); + close(ctx->prog_fd); + if (ctx->has_bpf_link) + close(ctx->link_fd); + } + ++ xsk_put_ctx(ctx, true); ++ + err = xsk_get_mmap_offsets(xsk->fd, &off); + if (!err) { + if (xsk->rx) { +-- +2.35.1 + diff --git a/queue-6.0/serial-8250-fix-restoring-termios-speed-after-suspen.patch b/queue-6.0/serial-8250-fix-restoring-termios-speed-after-suspen.patch new file mode 100644 index 00000000000..ddbd1033ee6 --- /dev/null +++ b/queue-6.0/serial-8250-fix-restoring-termios-speed-after-suspen.patch @@ -0,0 +1,54 @@ +From 4cbe76b02ec6f46cb4bfd40391dc00f7dd7ca181 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 12:43:24 +0200 +Subject: serial: 8250: Fix restoring termios speed after suspend +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 379a33786d489ab81885ff0b3935cfeb36137fea ] + +Since commit edc6afc54968 ("tty: switch to ktermios and new framework") +termios speed is no longer stored only in c_cflag member but also in new +additional c_ispeed and c_ospeed members. If BOTHER flag is set in c_cflag +then termios speed is stored only in these new members. + +Since commit 027b57170bf8 ("serial: core: Fix initializing and restoring +termios speed") termios speed is available also in struct console. + +So properly restore also c_ispeed and c_ospeed members after suspend to fix +restoring termios speed which is not represented by Bnnn constant. + +Fixes: 4516d50aabed ("serial: 8250: Use canary to restart console after suspend") +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20220924104324.4035-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index ec7dca43619f..2030a92ac66e 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -3319,8 +3319,13 @@ static void serial8250_console_restore(struct uart_8250_port *up) + unsigned int baud, quot, frac = 0; + + termios.c_cflag = port->cons->cflag; +- if (port->state->port.tty && termios.c_cflag == 0) ++ termios.c_ispeed = port->cons->ispeed; ++ termios.c_ospeed = port->cons->ospeed; ++ if (port->state->port.tty && termios.c_cflag == 0) { + termios.c_cflag = port->state->port.tty->termios.c_cflag; ++ termios.c_ispeed = port->state->port.tty->termios.c_ispeed; ++ termios.c_ospeed = port->state->port.tty->termios.c_ospeed; ++ } + + baud = serial8250_get_baud_rate(port, &termios, NULL); + quot = serial8250_get_divisor(port, baud, &frac); +-- +2.35.1 + diff --git a/queue-6.0/serial-8250-toggle-ier-bits-on-only-after-irq-has-be.patch b/queue-6.0/serial-8250-toggle-ier-bits-on-only-after-irq-has-be.patch new file mode 100644 index 00000000000..f46c13a7391 --- /dev/null +++ b/queue-6.0/serial-8250-toggle-ier-bits-on-only-after-irq-has-be.patch @@ -0,0 +1,143 @@ +From 70fbb4f9862b8c4b6ce38ec20aba7420f6248e92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 10:00:05 +0300 +Subject: serial: 8250: Toggle IER bits on only after irq has been set up +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 039d4926379b1d1c17b51cf21c500a5eed86899e ] + +Invoking TIOCVHANGUP on 8250_mid port on Ice Lake-D and then reopening +the port triggers these faults during serial8250_do_startup(): + + DMAR: DRHD: handling fault status reg 3 + DMAR: [DMA Write NO_PASID] Request device [00:1a.0] fault addr 0x0 [fault reason 0x05] PTE Write access is not set + +If the IRQ hasn't been set up yet, the UART will have zeroes in its MSI +address/data registers. Disabling the IRQ at the interrupt controller +won't stop the UART from performing a DMA write to the address programmed +in its MSI address register (zero) when it wants to signal an interrupt. + +The UARTs (in Ice Lake-D) implement PCI 2.1 style MSI without masking +capability, so there is no way to mask the interrupt at the source PCI +function level, except disabling the MSI capability entirely, but that +would cause it to fall back to INTx# assertion, and the PCI specification +prohibits disabling the MSI capability as a way to mask a function's +interrupt service request. + +The MSI address register is zeroed by the hangup as the irq is freed. +The interrupt is signalled during serial8250_do_startup() performing a +THRE test that temporarily toggles THRI in IER. The THRE test currently +occurs before UART's irq (and MSI address) is properly set up. + +Refactor serial8250_do_startup() such that irq is set up before the +THRE test. The current irq setup code is intermixed with the timer +setup code. As THRE test must be performed prior to the timer setup, +extract it into own function and call it only after the THRE test. + +The ->setup_timer() needs to be part of the struct uart_8250_ops in +order to not create circular dependency between 8250 and 8250_base +modules. + +Fixes: 40b36daad0ac ("[PATCH] 8250 UART backup timer") +Reported-by: Lennert Buytenhek +Tested-by: Lennert Buytenhek +Reviewed-by: Andy Shevchenko +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220922070005.2965-1-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_core.c | 16 +++++++++++----- + drivers/tty/serial/8250/8250_port.c | 8 +++++--- + include/linux/serial_8250.h | 1 + + 3 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index 2e83e7367441..94fbf0add2ce 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -298,10 +298,9 @@ static void serial8250_backup_timeout(struct timer_list *t) + jiffies + uart_poll_timeout(&up->port) + HZ / 5); + } + +-static int univ8250_setup_irq(struct uart_8250_port *up) ++static void univ8250_setup_timer(struct uart_8250_port *up) + { + struct uart_port *port = &up->port; +- int retval = 0; + + /* + * The above check will only give an accurate result the first time +@@ -322,10 +321,16 @@ static int univ8250_setup_irq(struct uart_8250_port *up) + */ + if (!port->irq) + mod_timer(&up->timer, jiffies + uart_poll_timeout(port)); +- else +- retval = serial_link_irq_chain(up); ++} + +- return retval; ++static int univ8250_setup_irq(struct uart_8250_port *up) ++{ ++ struct uart_port *port = &up->port; ++ ++ if (port->irq) ++ return serial_link_irq_chain(up); ++ ++ return 0; + } + + static void univ8250_release_irq(struct uart_8250_port *up) +@@ -381,6 +386,7 @@ static struct uart_ops univ8250_port_ops; + static const struct uart_8250_ops univ8250_driver_ops = { + .setup_irq = univ8250_setup_irq, + .release_irq = univ8250_release_irq, ++ .setup_timer = univ8250_setup_timer, + }; + + static struct uart_8250_port serial8250_ports[UART_NR]; +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 6a9d3c8ffa56..ec7dca43619f 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2300,6 +2300,10 @@ int serial8250_do_startup(struct uart_port *port) + if (port->irq && (up->port.flags & UPF_SHARE_IRQ)) + up->port.irqflags |= IRQF_SHARED; + ++ retval = up->ops->setup_irq(up); ++ if (retval) ++ goto out; ++ + if (port->irq && !(up->port.flags & UPF_NO_THRE_TEST)) { + unsigned char iir1; + +@@ -2342,9 +2346,7 @@ int serial8250_do_startup(struct uart_port *port) + } + } + +- retval = up->ops->setup_irq(up); +- if (retval) +- goto out; ++ up->ops->setup_timer(up); + + /* + * Now, initialize the UART +diff --git a/include/linux/serial_8250.h b/include/linux/serial_8250.h +index 8c7b793aa4d7..16e3d75a324c 100644 +--- a/include/linux/serial_8250.h ++++ b/include/linux/serial_8250.h +@@ -74,6 +74,7 @@ struct uart_8250_port; + struct uart_8250_ops { + int (*setup_irq)(struct uart_8250_port *); + void (*release_irq)(struct uart_8250_port *); ++ void (*setup_timer)(struct uart_8250_port *); + }; + + struct uart_8250_em485 { +-- +2.35.1 + diff --git a/queue-6.0/series b/queue-6.0/series index 48896af8394..bf83632fa59 100644 --- a/queue-6.0/series +++ b/queue-6.0/series @@ -200,3 +200,734 @@ drm-amdgpu-enable-vcn-pg-on-gc11_0_1.patch drm-amdgpu-enable-f32_wptr_poll_enable-in-mqd.patch smb3-must-initialize-two-acl-struct-fields-to-zero.patch selinux-use-grep-e-instead-of-egrep.patch +ima-fix-blocking-of-security.ima-xattrs-of-unsupport.patch +userfaultfd-open-userfaultfds-with-o_rdonly.patch +ntfs3-rework-xattr-handlers-and-switch-to-posix-acl-.patch +acl-return-eopnotsupp-in-posix_acl_fix_xattr_common.patch +thermal-cpufreq_cooling-check-the-policy-first-in-cp.patch +cpufreq-amd-pstate-fix-initial-highest_perf-value.patch +sh-machvec-use-char-for-section-boundaries.patch +mips-sgi-ip30-fix-platform-device-leak-in-bridge_pla.patch +mips-sgi-ip27-fix-platform-device-leak-in-bridge_pla.patch +erofs-fix-order-max_order-warning-due-to-crafted-neg.patch +erofs-use-kill_anon_super-to-kill-super-in-fscache-m.patch +fscrypt-stop-using-keyrings-subsystem-for-fscrypt_ma.patch +arm-9243-1-riscpc-unbreak-the-build.patch +arm-9244-1-dump-fix-wrong-pg_level-in-walk_pmd.patch +arm-9247-1-mm-set-readonly-for-mt_memory_ro-with-arm.patch +acpi-pcc-release-resources-on-address-space-setup-fa.patch +acpi-pcc-replace-wait_for_completion.patch +acpi-pcc-fix-tx-acknowledge-in-the-pcc-address-space.patch +objtool-preserve-special-st_shndx-indexes-in-elf_upd.patch +nfsd-move-from-strlcpy-with-unused-retval-to-strscpy.patch +nfsd-fix-a-memory-leak-in-an-error-handling-path.patch +sunrpc-fix-svcxdr_init_decode-s-end-of-buffer-calcul.patch +sunrpc-fix-svcxdr_init_encode-s-buflen-calculation.patch +nfsd-protect-against-send-buffer-overflow-in-nfsv2-r.patch +nfsd-fix-handling-of-oversized-nfsv4-compound-reques.patch +x86-paravirt-add-extra-clobbers-with-zero_call_used_.patch +m68k-process-bootinfo-records-before-saving-them.patch +libbpf-skip-empty-sections-in-bpf_object__init_globa.patch +libbpf-initialize-err-in-probe_map_create.patch +wifi-rtw88-8822c-extend-supported-probe-request-size.patch +wifi-rtlwifi-8192de-correct-checking-of-iqk-reload.patch +wifi-ath10k-set-tx-credit-to-one-for-wcn3990-snoc-ba.patch +wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch +bpf-cleanup-check_refcount_ok.patch +bpf-fix-ref_obj_id-for-dynptr-data-slices-in-verifie.patch +spi-s3c64xx-correct-dma_chan-pointer-initialization.patch +leds-lm3601x-don-t-use-mutex-after-it-was-destroyed.patch +libbpf-fix-potential-null-dereference-when-parsing-e.patch +tsnep-fix-tsnep_info_tx_time-register-define.patch +net-prestera-cache-port-state-for-non-phylink-ports-.patch +bpf-fix-reference-state-management-for-synchronous-c.patch +wifi-mac80211-properly-set-old_links-when-removing-a.patch +wifi-cfg80211-get-correct-ap-link-chandef.patch +wifi-mac80211-fix-use-after-free.patch +wifi-mac80211-mlme-don-t-add-empty-eml-capabilities.patch +wifi-mac80211_hwsim-fix-link-change-handling.patch +wifi-mac80211-allow-bw-change-during-channel-switch-.patch +bpftool-fix-a-wrong-type-cast-in-btf_dumper_int.patch +ice-set-tx_tstamps-when-creating-new-tx-rings-via-et.patch +audit-explicitly-check-audit_context-context-enum-va.patch +audit-free-audit_proctitle-only-on-task-exit.patch +esp-choose-the-correct-inner-protocol-for-gso-on-int.patch +spi-mt7621-fix-an-error-message-in-mt7621_spi_probe.patch +x86-resctrl-fix-to-restore-to-original-value-when-re.patch +xsk-fix-backpressure-mechanism-on-tx.patch +selftests-xsk-add-missing-close-on-netns-fd.patch +bpf-disable-preemption-when-increasing-per-cpu-map_l.patch +bpf-propagate-error-from-htab_lock_bucket-to-userspa.patch +wifi-ath11k-fix-incorrect-qmi-message-id-mappings.patch +bpf-use-this_cpu_-inc-dec-inc_return-for-bpf_task_st.patch +bpf-use-this_cpu_-inc_return-dec-for-prog-active.patch +bluetooth-btusb-mediatek-fix-wmt-failure-during-runt.patch +bpf-only-add-btf-ids-for-socket-security-hooks-when-.patch +wifi-rtw89-pci-fix-interrupt-stuck-after-leaving-low.patch +wifi-rtw89-pci-correct-tx-resource-checking-in-low-p.patch +wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch +wifi-wfx-prevent-underflow-in-wfx_send_pds.patch +wifi-rtw88-add-missing-destroy_workqueue-on-error-pa.patch +selftests-xsk-avoid-use-after-free-on-ctx.patch +wifi-mac80211-mlme-assign-link-address-correctly.patch +spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch +spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-31329 +can-rx-offload-can_rx_offload_init_queue-fix-typo.patch +wifi-rtl8xxxu-fix-skb-misuse-in-tx-queue-selection.patch +spi-meson-spicc-do-not-rely-on-busy-flag-in-pow2-clk.patch +bpf-btf-fix-truncated-last_member_type_id-in-btf_str.patch +wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch +wifi-rtl8xxxu-remove-copy-paste-leftover-in-gen2_upd.patch +bluetooth-avoid-hci_dev_test_and_set_flag-in-mgmt_in.patch +wifi-mt76-mt7921e-fix-race-issue-between-reset-and-s.patch +wifi-mt76-mt7921s-fix-race-issue-between-reset-and-s.patch +wifi-mt76-mt7921u-fix-race-issue-between-reset-and-s.patch +wifi-mt76-sdio-fix-the-deadlock-caused-by-sdio-stat_.patch +wifi-mt76-sdio-poll-sta-stat-when-device-transmits-d.patch +wifi-mt76-mt7915-fix-an-uninitialized-variable-bug.patch +wifi-mt76-mt7921-fix-use-after-free-in-mt7921_acpi_r.patch +wifi-mt76-sdio-fix-transmitting-packet-hangs.patch +wifi-mt76-mt7615-add-mt7615_mutex_acquire-release-in.patch +wifi-mt76-mt7915-fix-possible-unaligned-access-in-mt.patch +wifi-mt76-connac-fix-possible-unaligned-access-in-mt.patch +wifi-mt76-mt7921-add-mt7921_mutex_acquire-at-mt7921_.patch +wifi-mt76-mt7921-add-mt7921_mutex_acquire-at-mt7921_.patch-31950 +wifi-mt76-mt7921-fix-the-firmware-version-report.patch +wifi-mt76-mt7915-fix-mcs-value-in-ht-mode.patch +wifi-mt76-fix-uninitialized-pointer-in-mt7921_mac_fi.patch +wifi-mt76-mt7915-do-not-check-state-before-configuri.patch +wifi-mt76-mt7921e-fix-rmmod-crash-in-driver-reload-t.patch +bluetooth-rfcomm-fix-possible-deadlock-on-socket-shu.patch +net-fs_enet-fix-wrong-check-in-do_pd_setup.patch +bpf-ensure-correct-locking-around-vulnerable-functio.patch +libbpf-fix-crash-if-sec-freplace-programs-don-t-have.patch +wifi-ath11k-include-sta_keepalive_arp_response-tlv-h.patch +bluetooth-hci_-ldisc-serdev-check-percpu_init_rwsem-.patch +libbpf-fix-null-pointer-exception-in-api-btf_dump__d.patch +netfilter-conntrack-fix-the-gc-rescheduling-delay.patch +netfilter-conntrack-revisit-the-gc-initial-reschedul.patch +bpf-cgroup-reject-prog_attach_flags-array-when-effec.patch +bpftool-fix-wrong-cgroup-attach-flags-being-assigned.patch +selftests-bpf-adapt-cgroup-effective-query-uapi-chan.patch +flow_dissector-do-not-count-vlan-tags-inside-tunnel-.patch +mwifiex-fix-sleep-in-atomic-context-bugs-caused-by-d.patch +wifi-ath11k-fix-failed-to-find-the-peer-with-peer_id.patch +wifi-ath11k-fix-number-of-vht-beamformee-spatial-str.patch +mips-dts-ralink-mt7621-fix-external-phy-on-gb-pc2.patch +x86-microcode-amd-track-patch-allocation-size-explic.patch +libbpf-restore-memory-layout-of-bpf_object_open_opts.patch +wifi-ath11k-fix-peer-addition-deletion-error-on-sta-.patch +x86-boot-remove-superfluous-type-casting-from-arch-x.patch +x86-cpu-include-the-header-of-init_ia32_feat_ctl-s-p.patch +spi-cadence-quadspi-fix-pm-disable-depth-imbalance-i.patch +spi-dw-fix-pm-disable-depth-imbalance-in-dw_spi_bt1_.patch +spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch +skmsg-schedule-psock-work-if-the-cached-skb-exists-o.patch +cw1200-fix-incorrect-check-to-determine-if-no-elemen.patch +libbpf-don-t-require-full-struct-enum64-in-uapi-head.patch +i2c-mlxbf-support-lock-mechanism.patch +bluetooth-hci_core-fix-not-handling-link-timeouts-pr.patch +xfrm-reinject-transport-mode-packets-through-workque.patch +netfilter-nft_fib-fix-for-rpath-check-with-vrf-devic.patch +spi-s3c64xx-fix-large-transfers-with-dma.patch +bluetooth-prevent-double-register-of-suspend.patch +wifi-rtl8xxxu-gen2-enable-40-mhz-channel-width.patch +wifi-rtl8xxxu-fix-aifs-written-to-reg_edca_-_param.patch +vhost-vsock-use-kvmalloc-kvfree-for-larger-packets.patch +eth-alx-take-rtnl_lock-on-resume.patch +misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch +sctp-handle-the-error-returned-from-sctp_auth_asoc_i.patch +tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch +spi-ensure-that-sg_table-won-t-be-used-after-being-f.patch +bluetooth-hci_sync-fix-not-indicating-power-state.patch +hwmon-pmbus-mp2888-fix-sensors-readouts-for-mps-mult.patch +net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch +af_unix-fix-memory-leaks-of-the-whole-sk-due-to-oob-.patch +net-prestera-acl-add-check-for-kmemdup.patch +eth-lan743x-reject-extts-for-non-pci11x1x-devices.patch +bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch +eth-sp7021-fix-use-after-free-bug-in-spl2sw_nvmem_ge.patch +net-wwan-iosm-call-mutex_init-before-locking-it.patch +net-ieee802154-reject-zero-sized-raw_sendmsg.patch +once-add-do_once_slow-for-sleepable-contexts.patch +net-mvpp2-fix-mvpp2-debugfs-leak.patch +drm-bridge-adv7511-fix-cec-power-down-control-regist.patch +drm-bridge-adv7511-unregister-cec-i2c-device-after-c.patch +drm-bridge-avoid-uninitialized-variable-warning.patch +drm-mipi-dsi-detach-devices-when-removing-the-host.patch +drm-vc4-drv-call-component_unbind_all.patch +drm-bridge-it6505-power-on-downstream-device-in-.ato.patch +video-aperture-disable-and-unregister-sysfb-devices-.patch +drm-virtio-correct-drm_gem_shmem_get_sg_table-error-.patch +drm-bridge-anx7625-fix-refcount-bug-in-anx7625_parse.patch +drm-bridge-tc358767-add-of_node_put-when-breaking-ou.patch +drm-i915-reset-handle-reset-timeouts-under-unrelated.patch +drm-bridge-parade-ps8640-fix-regulator-supply-order.patch +drm-format-helper-fix-test-on-big-endian-architectur.patch +drm-dp_mst-fix-drm_dp_dpcd_read-return-value-checks.patch +drm-pl111-add-of_node_put-when-breaking-out-of-for_e.patch +asoc-mt6359-fix-tests-for-platform_get_irq-failure.patch +asoc-amd-acp-add-missing-platform_device_unregister-.patch +drm-msm-make-.remove-and-.shutdown-hw-shutdown-consi.patch +platform-chrome-fix-double-free-in-chromeos_laptop_p.patch +platform-chrome-fix-memory-corruption-in-ioctl.patch +drm-i915-dg2-bump-up-cdclk-for-dg2.patch +drm-vc4-txp-protect-device-resources.patch +drm-virtio-fix-same-context-optimization.patch +asoc-soc-pcm.c-call-__soc_pcm_close-in-soc_pcm_close.patch +asoc-tas2764-allow-mono-streams.patch +asoc-tas2764-drop-conflicting-set_bias_level-power-s.patch +asoc-tas2764-fix-mute-unmute.patch +platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch +platform-x86-msi-laptop-fix-resource-cleanup.patch +drm-panel-use-select-for-ili9341-panel-driver-helper.patch +drm-fix-drm_mipi_dbi-build-errors.patch +platform-chrome-cros_ec_typec-add-bit-offset-for-dp-.patch +platform-chrome-cros_ec_typec-correct-alt-mode-index.patch +drm-amdgpu-add-missing-pci_disable_device-in-amdgpu_.patch +drm-bridge-megachips-fix-a-null-pointer-dereference-.patch +drm-bridge-it6505-fix-the-order-of-dp_set_power-comm.patch +asoc-rsnd-add-check-for-rsnd_mod_power_on.patch +asoc-wm_adsp-handle-optional-legacy-support.patch +alsa-hda-beep-simplify-keep-power-at-enable-behavior.patch +drm-virtio-set-fb_modifiers_not_supported.patch +drm-bochs-fix-blanking.patch +asoc-mediatek-mt8195-mt6359-properly-register-sound-.patch +asoc-sof-mediatek-mt8195-import-namespace-snd_soc_so.patch +drm-omap-dss-fix-refcount-leak-bugs.patch +drm-amdgpu-fix-memory-leak-in-hpd_rx_irq_create_work.patch +asoc-rockchip-i2s-use-regmap_read_poll_timeout-to-po.patch +mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch +asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch +drm-msm-lookup-the-icc-paths-in-both-mdp5-dpu-and-md.patch +drm-msm-dpu-index-dpu_kms-hw_vbif-using-vbif_idx.patch +drm-msm-dp-correct-1.62g-link-rate-at-dp_catalog_ctr.patch +alsa-hda-hdmi-change-type-for-the-assigned-variable.patch +alsa-hda-hdmi-fix-the-converter-allocation-for-the-s.patch +alsa-usb-audio-split-endpoint-setups-for-hw_params-a.patch +alsa-usb-audio-properly-refcounting-clock-rate.patch +asoc-sof-ipc4-topology-free-the-ida-when-ipc-fails-i.patch +drm-vmwgfx-fix-memory-leak-in-vmw_mksstat_add_ioctl.patch +virtio-gpu-fix-shift-wrapping-bug-in-virtio_gpu_fenc.patch +asoc-codecs-tx-macro-fix-kcontrol-put.patch +asoc-da7219-fix-an-error-handling-path-in-da7219_reg.patch +alsa-dmaengine-increment-buffer-pointer-atomically.patch +mmc-wmt-sdmmc-fix-an-error-handling-path-in-wmt_mci_.patch +asoc-stm32-dfsdm-fix-pm-disable-depth-imbalance-in-s.patch +asoc-stm32-spdifrx-fix-pm-disable-depth-imbalance-in.patch +asoc-stm-fix-pm-disable-depth-imbalance-in-stm32_i2s.patch +asoc-es8316-fix-register-sync-error-in-suspend-resum.patch +asoc-wcd-mbhc-v2-revert-asoc-wcd-mbhc-v2-use-pm_runt.patch +asoc-wm8997-fix-pm-disable-depth-imbalance-in-wm8997.patch +asoc-wm5110-fix-pm-disable-depth-imbalance-in-wm5110.patch +asoc-wm5102-fix-pm-disable-depth-imbalance-in-wm5102.patch +asoc-mt6660-fix-pm-disable-depth-imbalance-in-mt6660.patch +asoc-rockchip-i2s-use-regmap_read_poll_timeout_atomi.patch +alsa-hda-hdmi-don-t-skip-notification-handling-durin.patch +memory-pl353-smc-fix-refcount-leak-bug-in-pl353_smc_.patch +memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch +memory-of-fix-refcount-leak-bug-in-of_lpddr3_get_ddr.patch +locks-fix-toctou-race-when-granting-write-lease.patch +soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch +soc-qcom-smem_state-add-refcounting-for-the-state-of.patch +arm-dts-imx6dl-yapp4-bind-the-backlight-controller-t.patch +arm-dts-imx6qdl-kontron-samx6i-hook-up-ddc-i2c-bus.patch +arm64-dts-renesas-r9a07g044-fix-sci-rx-tx-interrupt-.patch +arm64-dts-renesas-r9a07g054-fix-sci-rx-tx-interrupt-.patch +arm64-dts-renesas-r9a07g043-fix-sci-rx-tx-interrupt-.patch +dt-bindings-clock-exynosautov9-correct-clock-numberi.patch +arm64-dts-qcom-sdm845-narrow-llcc-address-space.patch +arm64-dts-qcom-sdm845-xiaomi-polaris-fix-sde_dsi_act.patch +arm64-dts-qcom-sc7280-cleanup-the-lpasscc-node.patch +arm64-dts-qcom-sc7280-update-lpasscore-node.patch +arm64-dts-qcom-sc8280xp-crd-disallow-regulator-mode-.patch +arm64-dts-qcom-sc8280xp-lenovo-thinkpad-x13s-disallo.patch +arm64-dts-qcom-sa8295p-adp-disallow-regulator-mode-s.patch +arm64-dts-qcom-pm8350c-drop-pwm-reg-declaration.patch +arm64-dts-qcom-sc7180-trogdor-keep-pm6150_adc-enable.patch +arm-dts-turris-omnia-fix-mpp26-pin-name-and-comment.patch +arm-dts-kirkwood-lsxl-fix-serial-line.patch +arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch +arm64-dts-marvell-98dx25xx-use-correct-property-for-.patch +arm64-dts-qcom-sc8280xp-pmics-remove-reg-entry-use-c.patch +ia64-export-memory_add_physaddr_to_nid-to-fix-cxl-bu.patch +arm64-dts-qcom-sm8350-sagami-correct-ts-pin-property.patch +soc-tegra-fuse-add-missing-of_node_put-in-tegra_init.patch +soc-tegra-fuse-drop-kconfig-dependency-on-tegra20_ap.patch +arm64-dts-qcom-ipq8074-fix-pcie-phy-serdes-size.patch +arm64-dts-qcom-sm8450-fix-ufs-phy-serdes-size.patch +dt-bindings-arm-ti-k3-sort-the-am654-board-enums.patch +arm64-dts-ti-k3-j7200-fix-main-pinmux-range.patch +arm-dts-exynos-correct-s5k6a3-reset-polarity-on-mida.patch +arm-drop-cmdline_-dependency-on-atags.patch +ext4-continue-to-expand-file-system-when-the-target-.patch +ext4-don-t-run-ext4lazyinit-for-read-only-filesystem.patch +arm64-ftrace-fix-module-plts-with-mcount.patch +arm64-dts-exynos-fix-polarity-of-enable-line-of-nfc-.patch +arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch +iomap-iomap-fix-memory-corruption-when-recording-err.patch +selftests-vm-use-top_srcdir-instead-of-recomputing-r.patch +selftests-cpu-hotplug-use-return-instead-of-exit.patch +selftests-cpu-hotplug-delete-fault-injection-related.patch +selftests-cpu-hotplug-reserve-one-cpu-online-at-leas.patch +iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch +iio-adc-at91-sama5d2_adc-check-return-status-for-pre.patch +iio-adc-at91-sama5d2_adc-lock-around-oversampling-an.patch +iio-adc-at91-sama5d2_adc-disable-prepare-buffer-on-s.patch +iio-inkern-only-release-the-device-node-when-done-wi.patch +iio-inkern-fix-return-value-in-devm_of_iio_channel_g.patch +iio-abi-fix-wrong-format-of-differential-capacitance.patch +iio-magnetometer-yas530-change-data-type-of-hard_off.patch +ib-mlx5-call-io_stop_wc-after-writing-to-wc-mmio.patch +rdma-mlx5-don-t-compare-mkey-tags-in-devx-indirect-m.patch +usb-common-usb-conn-gpio-simplify-some-error-message.patch +usb-common-debug-check-non-standard-control-requests.patch +clk-nomadik-add-missing-of_node_put.patch +clk-meson-hold-reference-returned-by-of_get_parent.patch +clk-st-hold-reference-returned-by-of_get_parent.patch +clk-oxnas-hold-reference-returned-by-of_get_parent.patch +clk-qoriq-hold-reference-returned-by-of_get_parent.patch +clk-berlin-add-of_node_put-for-of_get_parent.patch +clk-sprd-hold-reference-returned-by-of_get_parent.patch +coresight-trbe-fix-kconfig-its-grammar.patch +coresight-docs-fix-a-broken-reference.patch +clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch +clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch +clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch +clk-samsung-exynosautov9-correct-register-offsets-of.patch +block-sed-opal-add-ioctl-to-return-device-status.patch +sbitmap-fix-possible-io-hung-due-to-lost-wakeup.patch +remoteproc-imx_rproc-simplify-some-error-message.patch +remoteproc-imx_dsp_rproc-fix-argument-2-of-rproc_mem.patch +hid-uclogic-add-missing-suffix-for-digitalizers.patch +hid-uclogic-fix-warning-in-uclogic_rdesc_template_ap.patch +hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch +hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch +clk-gcc-sc8280xp-keep-pcie-power-domains-always-on.patch +clk-qcom-gcc-sdm660-use-floor-ops-for-sdcc1-clock.patch +media-v4l2-ctrls-allocate-space-for-arrays.patch +media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch +media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch +media-airspy-fix-memory-leak-in-airspy-probe.patch +tty-xilinx_uartps-check-clk_enable-return-value.patch +tty-xilinx_uartps-fix-the-ignore_status.patch +media-mediatek-vcodec-skip-non-cbr-bitrate-mode.patch +media-amphion-insert-picture-startcode-after-seek-fo.patch +media-amphion-adjust-the-encoder-s-value-range-of-go.patch +media-amphion-don-t-change-the-colorspace-reported-b.patch +media-amphion-fix-a-bug-that-vpu-core-may-not-resume.patch +media-meson-vdec-add-missing-clk_disable_unprepare-o.patch +media-uvcvideo-fix-memory-leak-in-uvc_gpio_parse.patch +media-uvcvideo-use-entity-get_cur-in-uvc_ctrl_set.patch +media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch +rdma-rxe-fix-kernel-null-pointer-dereference-error.patch +rdma-rxe-fix-the-error-caused-by-qp-sk.patch +clk-mediatek-clk-mt8195-vdo0-set-rate-on-vdo0_dp_int.patch +clk-mediatek-clk-mt8195-vdo1-reparent-and-set-rate-o.patch +clk-mediatek-mt8195-infra_ao-set-pwrmcu-clocks-as-cr.patch +misc-ocxl-fix-possible-refcount-leak-in-afu_ioctl.patch +fpga-dfl-pci-add-ids-for-intel-n6000-n6001-and-c6100.patch +fpga-prevent-integer-overflow-in-dfl_feature_ioctl_s.patch +phy-rockchip-inno-usb2-return-zero-after-otg-sync.patch +dmaengine-idxd-avoid-deadlock-in-process_misc_interr.patch +dmaengine-hisilicon-disable-channels-when-unregister.patch +dmaengine-hisilicon-fix-cq-head-update.patch +dmaengine-hisilicon-add-multi-thread-support-for-a-d.patch +iio-use-per-device-lockdep-class-for-mlock.patch +usb-gadget-f_fs-stricter-integer-overflow-checks.patch +dyndbg-fix-static_branch-manipulation.patch +dyndbg-fix-module.dyndbg-handling.patch +dyndbg-let-query-modname-override-actual-module-name.patch +dyndbg-drop-exported-dynamic_debug_exec_queries.patch +sbitmap-avoid-leaving-waitqueue-in-invalid-state-in-.patch +clk-qcom-sm6115-select-qcom_gdsc.patch +scsi-lpfc-fix-various-issues-reported-by-tools.patch +usb-serial-console-move-mutex_unlock-before-usb_seri.patch +mtd-devices-docg3-check-the-return-value-of-devm_ior.patch +remoteproc-harden-rproc_handle_vdev-against-integer-.patch +phy-qcom-qmp-combo-disable-runtime-pm-on-unbind.patch +phy-qcom-qmp-usb-disable-runtime-pm-on-unbind.patch +phy-qcom-qmp-pcie-add-pcs_misc-sanity-check.patch +phy-qcom-qmp-pcie-fix-memleak-on-probe-deferral.patch +phy-qcom-qmp-pcie-msm8996-fix-memleak-on-probe-defer.patch +phy-qcom-qmp-combo-fix-memleak-on-probe-deferral.patch +phy-qcom-qmp-ufs-fix-memleak-on-probe-deferral.patch +phy-qcom-qmp-usb-drop-pipe-clock-lane-suffix.patch +phy-qcom-qmp-usb-fix-memleak-on-probe-deferral.patch +phy-amlogic-phy-meson-axg-mipi-pcie-analog-hold-refe.patch +phy-phy-mtk-tphy-fix-the-phy-type-setting-issue.patch +mtd-rawnand-intel-read-the-chip-select-line-from-the.patch +mtd-rawnand-intel-remove-undocumented-compatible-str.patch +mtd-rawnand-intel-don-t-re-define-nand_data_iface_ch.patch +mtd-rawnand-fsl_elbc-fix-none-ecc-mode.patch +rdma-irdma-align-ae-id-codes-to-correct-flush-code-a.patch +rdma-irdma-validate-udata-inlen-and-outlen.patch +rdma-srp-fix-srp_abort.patch +rdma-siw-always-consume-all-skbuf-data-in-sk_data_re.patch +rdma-siw-fix-qp-destroy-to-wait-for-all-references-d.patch +ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch +ata-fix-ata_id_has_devslp.patch +ata-fix-ata_id_has_ncq_autosense.patch +ata-fix-ata_id_has_dipm.patch +mtd-rawnand-meson-fix-bit-map-use-in-meson_nfc_ecc_c.patch +block-fix-the-enum-blk_eh_timer_return-documentation.patch +eventfd-guard-wake_up-in-eventfd-fs-calls-as-well.patch +io_uring-fdinfo-fix-sqe-dumping-for-ioring_setup_sqe.patch +md-replace-snprintf-with-scnprintf.patch +md-raid5-ensure-stripe_fill-happens-on-non-read-io-w.patch +md-raid5-remove-unnecessary-bio_put-in-raid5_read_on.patch +md-remove-extra-mddev_get-in-md_seq_start.patch +rdma-cm-use-slid-in-the-work-completion-as-the-dlid-.patch +ib-set-iova-length-on-ib_mr-in-core-uverbs-layers.patch +rdma-srp-rework-the-srp_add_port-error-path.patch +rdma-srp-handle-dev_set_name-failure.patch +rdma-srp-use-the-attribute-group-mechanism-for-sysfs.patch +rdma-srp-support-more-than-255-rdma-ports.patch +xhci-don-t-show-warning-for-reinit-on-known-broken-s.patch +usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch +usb-typec-anx7411-use-of_get_child_by_name-instead-o.patch +usb-dwc3-core-fix-some-leaks-in-probe.patch +drivers-serial-jsm-fix-some-leaks-in-probe.patch +serial-8250-toggle-ier-bits-on-only-after-irq-has-be.patch +tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch +phy-qualcomm-call-clk_disable_unprepare-in-the-error.patch +staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch +slimbus-qcom-ngd-add-error-handling-in-of_qcom_slim_.patch +firmware-google-test-spinlock-on-panic-path-to-avoid.patch +serial-8250-fix-restoring-termios-speed-after-suspen.patch +scsi-libsas-fix-use-after-free-bug-in-smp_execute_ta.patch +scsi-pm8001-fix-running_req-for-internal-abort-comma.patch +scsi-iscsi-iscsi_tcp-fix-null-ptr-deref-while-callin.patch +clk-qcom-apss-ipq6018-mark-apcs_alias0_core_clk-as-c.patch +clk-qcom-gcc-sm6115-override-default-alpha-pll-regs.patch +nvmet-auth-don-t-try-to-cancel-a-non-initialized-wor.patch +rdma-rxe-set-pd-early-in-mr-alloc-routines.patch +rdma-rxe-fix-resize_finish-in-rxe_queue.c.patch +ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch +fsi-core-check-error-number-after-calling-ida_simple.patch +mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch +mfd-fsl-imx25-fix-an-error-handling-path-in-mx25_tsa.patch +mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch +mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch +mfd-fsl-imx25-fix-check-for-platform_get_irq-errors.patch +mfd-sm501-add-check-for-platform_driver_register.patch +mfd-da9061-fix-failed-to-set-two-wire-bus-mode.patch +clk-mediatek-mt8183-mfgcfg-propagate-rate-changes-to.patch +clk-mediatek-clk-mt8195-mfg-reparent-mfg_bg3d-and-pr.patch +clk-mediatek-fix-unregister-function-in-mtk_clk_regi.patch +clk-mediatek-migrate-remaining-clk_unregister_-to-cl.patch +phy-qcom-qmp-pcie-fix-resource-mapping-for-sdm845-qh.patch +io_uring-rw-defer-fsnotify-calls-to-task-context.patch +dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch +hid-amd_sfh-change-dev_err-to-dev_dbg-for-additional.patch +hid-amd_sfh-handle-condition-of-no-sensors-for-sfh1..patch +usb-mtu3-fix-failed-runtime-suspend-in-host-only-mod.patch +spmi-pmic-arb-correct-duplicate-apid-to-ppid-mapping.patch +clk-vc5-fix-5p49v6901-outputs-disabling-when-enablin.patch +clk-baikal-t1-fix-invalid-xgmac-ptp-clock-divider.patch +clk-baikal-t1-add-shared-xgmac-ref-ptp-clocks-intern.patch +clk-baikal-t1-add-sata-internal-ref-clock-buffer.patch +clk-bcm2835-make-peripheral-pllc-critical.patch +clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch +clk-imx8mp-tune-the-order-of-enet_qos_root_clk.patch +clk-imx-scu-fix-memleak-on-platform_device_add-fails.patch +clk-ti-balance-of_node_get-calls-for-of_find_node_by.patch +clk-move-from-strlcpy-with-unused-retval-to-strscpy.patch +clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch +clk-ast2600-bclk-comes-from-epll.patch +mailbox-imx-fix-rst-channel-support.patch +mailbox-mpfs-fix-handling-of-the-reg-property.patch +mailbox-mpfs-account-for-mbox-offsets-while-sending.patch +mailbox-bcm-ferxrm-mailbox-fix-error-check-for-dma_m.patch +ipc-mqueue-fix-possible-memory-leak-in-init_mqueue_f.patch +kvm-x86-mmu-fix-memoryleak-in-kvm_mmu_vendor_module_.patch +powerpc-configs-properly-enable-papr_scm-in-pseries_.patch +powerpc-math_emu-efp-include-module.h.patch +powerpc-sysdev-fsl_msi-add-missing-of_node_put.patch +powerpc-pci_dn-add-missing-of_node_put.patch +powerpc-powernv-add-missing-of_node_put-in-opal_expo.patch +cpuidle-riscv-sbi-fix-cpu_pm_cpu_idle_enter_xyz-macr.patch +powerpc-dts-turris1x.dts-fix-nor-partitions-labels.patch +powerpc-dts-turris1x.dts-fix-labels-in-dsa-cpu-port-.patch +powerpc-fix-fallocate-and-fadvise64_64-compat-parame.patch +kvm-x86-do-proper-cleanup-if-kvm_x86_ops-vm_init-fai.patch +kvm-fix-memoryleak-in-kvm_init.patch +x86-hyperv-fix-struct-hv_enlightened_vmcs-definition.patch +kvm-x86-zero-out-entire-hyper-v-cpuid-cache-before-p.patch +kvm-x86-check-for-existing-hyper-v-vcpu-in-kvm_hv_vc.patch +kvm-x86-report-error-when-setting-cpuid-if-hyper-v-a.patch +kvm-nvmx-treat-general-detect-db-dr7.gd-1-as-fault-l.patch +kvm-nvmx-prioritize-tss-t-flag-dbs-over-monitor-trap.patch +kvm-nvmx-ignore-sipi-that-arrives-in-l2-when-vcpu-is.patch +kvm-vmx-inject-pf-on-encls-as-emulated-pf.patch +kvm-nvmx-unconditionally-clear-mtf_pending-on-nested.patch +kvm-x86-make-kvm_queued_exception-a-properly-named-v.patch +kvm-x86-formalize-blocking-of-nested-pending-excepti.patch +kvm-x86-hoist-nested-event-checks-above-event-inject.patch +kvm-x86-evaluate-ability-to-inject-smi-nmi-irq-after.patch +kvm-nvmx-add-a-helper-to-identify-low-priority-db-tr.patch +kvm-x86-morph-pending-exceptions-to-pending-vm-exits.patch +kvm-ppc-book3s-hv-fix-decrementer-migration.patch +kvm-ppc-book3s-hv-p9-fix-irq-disabling-in-tick-accou.patch +kvm-ppc-book3s-hv-p9-clear-vcpu-cpu-fields-before-en.patch +kvm-ppc-book3s-hv-p9-restore-stolen-time-logging-in-.patch +powerpc-64s-fix-generic_cpu-build-flags-for-ppc970-g.patch +powerpc-64-interrupt-fix-false-warning-in-context-tr.patch +powerpc-64-mark-irqs-hard-disabled-in-boot-paca.patch +powerpc-64-interrupt-fix-return-to-masked-context-af.patch +powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch +powerpc-kprobes-fix-null-pointer-reference-in-arch_p.patch +powerpc-pseries-vas-pass-hw_cpu_id-to-node-associati.patch +crypto-sahara-don-t-sleep-when-in-softirq.patch +crypto-hisilicon-zip-fix-mismatch-in-get-set-sgl_sge.patch +hwrng-arm-smccc-trng-fix-no_entropy-handling.patch +crypto-ccp-fail-the-psp-initialization-when-writing-.patch +cgroup-honor-caller-s-cgroup-ns-when-resolving-path.patch +hwrng-imx-rngc-use-devm_clk_get_enabled.patch +hwrng-imx-rngc-moving-irq-handler-registering-after-.patch +crypto-qat-fix-default-value-of-wdt-timer.patch +crypto-hisilicon-qm-fix-missing-put-dfx-access.patch +cgroup-cpuset-enable-update_tasks_cpumask-on-top_cpu.patch +iommu-omap-fix-buffer-overflow-in-debugfs.patch +crypto-akcipher-default-implementation-for-setting-a.patch +crypto-ccp-release-dma-channels-before-dmaengine-unr.patch +crypto-inside-secure-change-swab-to-swab32.patch +crypto-qat-fix-dma-transfer-direction.patch +clocksource-drivers-arm_arch_timer-fix-handling-of-a.patch +clocksource-drivers-timer-gxp-add-missing-error-hand.patch +cifs-return-correct-error-in-calc_signature.patch +iommu-iova-fix-module-config-properly.patch +tracing-kprobe-fix-kprobe-event-gen-test-module-on-e.patch +tracing-kprobe-make-gen-test-module-work-in-arm-and-.patch +tracing-osnoise-fix-possible-recursive-locking-in-st.patch +rv-monitor-add-__init-__exit-annotations-to-module-i.patch +ftrace-fix-recursive-locking-direct_mutex-in-ftrace_.patch +kbuild-remove-the-target-in-signal-traps-when-interr.patch +linux-export-use-inline-assembler-to-populate-symbol.patch +kbuild-rpm-pkg-fix-breakage-when-v-1-is-used.patch +crypto-marvell-octeontx-prevent-integer-overflows.patch +crypto-cavium-prevent-integer-overflow-loading-firmw.patch +random-schedule-jitter-credit-for-next-jiffy-not-in-.patch +thermal-drivers-qcom-tsens-v0_1-fix-msm8939-fourth-s.patch +acpi-apei-do-not-add-task_work-to-kernel-thread-to-a.patch +f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch +f2fs-fix-to-account-fs_cp_data_io-correctly.patch +tools-power-turbostat-use-standard-energy-unit-for-s.patch +selftest-tpm2-add-client.__del__-to-close-dev-tpm-ha.patch +arm-dma-mapp-ng-don-t-override-dma_coherent-when-set.patch +module-tracking-keep-a-record-of-tainted-unloaded-mo.patch +fs-dlm-fix-race-in-lowcomms.patch +rcu-avoid-triggering-strict-gp-irq-work-when-rcu-is-.patch +rcu-back-off-upon-fill_page_cache_func-allocation-fa.patch +rcu-tasks-convert-rcu_lockdep_warn-to-warn_once.patch +rcu-tasks-ensure-rcu-tasks-trace-loops-have-quiescen.patch +cpufreq-amd_pstate-fix-wrong-lowest-perf-fetch.patch +acpi-video-add-toshiba-satellite-portege-z830-quirk.patch +fortify-fix-__compiletime_strlen-under-ubsan_bounds_.patch +acpi-tables-fpdt-don-t-call-acpi_os_map_memory-on-in.patch +cpufreq-intel_pstate-add-tigerlake-support-in-no-hwp.patch +mips-bcm47xx-cast-memcmp-of-function-to-void.patch +powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch +thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch +arm-decompressor-include-.data.rel.ro.local.patch +acpi-x86-add-a-quirk-for-dell-inspiron-14-2-in-1-for.patch +x86-entry-work-around-clang-__bdos-bug.patch +nfsd-return-nfserr_serverfault-if-splice_ok-but-buf-.patch +nfsd-fix-use-after-free-on-source-server-when-doing-.patch +libbpf-ensure-functions-with-always_inline-attribute.patch +libbpf-do-not-require-executable-permission-for-shar.patch +wifi-rtw88-phy-fix-warning-of-possible-buffer-overfl.patch +wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch +bpftool-clear-errno-after-libcap-s-checks.patch +net-ethernet-ti-davinci_mdio-add-workaround-for-erra.patch +openvswitch-fix-double-reporting-of-drops-in-dropwat.patch +openvswitch-fix-overreporting-of-drops-in-dropwatch.patch +tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch +micrel-ksz8851-fixes-struct-pointer-issue.patch +wifi-mac80211-accept-sta-changes-without-link-change.patch +x86-mce-retrieve-poison-range-from-hardware.patch +wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch +thunderbolt-add-back-intel-falcon-ridge-end-to-end-f.patch +x86-apic-don-t-disable-x2apic-if-locked.patch +net-axienet-switch-to-64-bit-rx-tx-statistics.patch +net-next-fix-ip_unicast_if-option-behavior-for-conne.patch +xfrm-update-ipcomp_scratches-with-null-when-freed.patch +wifi-ath11k-register-shutdown-handler-for-wcn6750.patch +rtw89-ser-leave-lps-with-mutex.patch +net-broadcom-fix-return-type-for-implementation-of.patch +net-xscale-fix-return-type-for-implementation-of-ndo.patch +net-sunplus-fix-return-type-for-implementation-of-nd.patch +net-lantiq_etop-fix-return-type-for-implementation-o.patch +netlink-bounds-check-struct-nlmsgerr-creation.patch +net-ftmac100-fix-endianness-related-issues-from-spar.patch +iavf-fix-race-between-iavf_close-and-iavf_reset_task.patch +wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch +net-sparx5-fix-function-return-type-to-match-actual-.patch +bluetooth-btintel-mark-intel-controller-to-support-l.patch +regulator-core-prevent-integer-underflow.patch +wifi-ath11k-mhi-fix-potential-memory-leak-in-ath11k_.patch +wifi-mt76-mt7921-reset-msta-airtime_ac-while-clearin.patch +wifi-rtw89-free-unused-skb-to-prevent-memory-leak.patch +wifi-rtw89-fix-rx-filter-after-scan.patch +bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch +net-ax88796c-fix-return-type-of-ax88796c_start_xmit.patch +net-davicom-fix-return-type-of-dm9000_start_xmit.patch +net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch +net-ethernet-litex-fix-return-type-of-liteeth_start_.patch +net-korina-fix-return-type-of-korina_send_packet.patch +net-wwan-iosm-fix-return-type-of-ipc_wwan_link_trans.patch +net-wwan-t7xx-fix-return-type-of-t7xx_ccmni_start_xm.patch +bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch +bluetooth-hci_event-make-sure-iso-events-don-t-affec.patch +wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch +bnxt_en-replace-reset-with-config-timestamps.patch +selftests-bpf-free-the-allocated-resources-after-tes.patch +can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch +wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch +wifi-rt2x00-set-correct-tx_sw_cfg1-mac-register-for-.patch +wifi-rt2x00-set-vgc-gain-for-both-chains-of-mt7620.patch +wifi-rt2x00-set-soc-wmac-clock-register.patch +wifi-rt2x00-correctly-set-bbp-register-86-for-mt7620.patch +hwmon-sht4x-do-not-overflow-clamping-operation-on-32.patch +net-if-sock-is-dead-don-t-access-sock-s-sk_wq-in-sk_.patch +bpf-adjust-kprobe_multi-entry_ip-for-config_x86_kern.patch +bpf-use-bpf_prog_pack-for-bpf_dispatcher.patch +bluetooth-l2cap-fix-user-after-free.patch +net-sched-cls_u32-avoid-memcpy-false-positive-warnin.patch +libbpf-fix-overrun-in-netlink-attribute-iteration.patch +i2c-designware-pci-group-amd-navi-quirk-parts-togeth.patch +r8152-rate-limit-overflow-messages.patch +drm-nouveau-nouveau_bo-fix-potential-memory-leak-in-.patch +drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch +drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch +drm-komeda-fix-handling-of-atomic-commits-in-the-ato.patch +gpu-lontium-lt9611-fix-null-pointer-dereference-in-l.patch +drm-amd-display-fix-overflow-on-min_i64-definition.patch +alsa-hda-fix-page-fault-in-snd_hda_codec_shutdown.patch +alsa-usb-audio-add-quirk-to-enable-avid-mbox-3-suppo.patch +udmabuf-set-ubuf-sg-null-if-the-creation-of-sg-table.patch +platform-x86-pmc_atom-improve-quirk-message-to-be-le.patch +drm-amd-fix-potential-memory-leak.patch +drm-bridge-dw_hdmi-only-trigger-hotplug-event-on-lin.patch +drm-amd-display-fix-variable-dereferenced-before-che.patch +drm-amdgpu-skip-the-program-of-mmmc_vm_agp_-in-sriov.patch +drm-admgpu-skip-cg-pg-on-soc21-under-sriov-vf.patch +alsa-usb-audio-register-card-at-the-last-interface.patch +drm-vc4-vec-fix-timings-for-vec-modes.patch +drm-panel-orientation-quirks-add-quirk-for-anbernic-.patch +drm-panel-orientation-quirks-add-quirk-for-aya-neo-a.patch +platform-chrome-cros_ec-notify-the-pm-of-wake-events.patch +platform-x86-hp-wmi-setting-thermal-profile-fails-wi.patch +platform-x86-msi-laptop-change-dmi-match-alias-strin.patch +alsa-intel-dspconfig-add-es8336-support-for-alderlak.patch +asoc-sof-pci-change-dmi-match-info-to-support-all-ch.patch +asoc-sunxi-sun4i-codec-set-debugfs_prefix-for-cpu-da.patch +asoc-sof-add-quirk-to-override-topology-mclk_id.patch +drm-amdgpu-sdma-update-use-unlocked-iterator.patch +drm-amd-display-fix-urgent-latency-override-for-dcn3.patch +drm-amd-display-correct-hostvm-flag.patch +drm-amdgpu-fix-initial-connector-audio-value.patch +asoc-amd-yc-add-asus-um5302ta-into-dmi-table.patch +asoc-amd-yc-add-lenovo-yoga-slim-7-pro-x-to-quirks-t.patch +drm-meson-reorder-driver-deinit-sequence-to-fix-use-.patch +drm-meson-explicitly-remove-aggregate-driver-at-modu.patch +drm-meson-remove-drm-bridges-at-aggregate-driver-unb.patch +drm-exynos-fix-return-type-for-mixer_mode_valid-and-.patch +mmc-sdhci-msm-add-compatible-string-check-for-sdm670.patch +drm-dp-don-t-rewrite-link-config-when-setting-phy-te.patch +drm-amd-display-remove-interface-for-periodic-interr.patch +drm-amd-display-polling-vid-stream-status-in-hpo-dp-.patch +drm-amd-display-fix-array-bounds-error-in-dc_stream_.patch +drm-amdkfd-fix-ubsan-shift-out-of-bounds-warning.patch +arm-dts-imx6-delete-interrupts-property-if-interrupt.patch +arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch +arm64-dts-qcom-sc7280-idp-correct-adc-channel-node-n.patch +arm-dts-imx6q-add-missing-properties-for-sram.patch +arm-dts-imx6dl-add-missing-properties-for-sram.patch +arm-dts-imx6qp-add-missing-properties-for-sram.patch +arm-dts-imx6sl-add-missing-properties-for-sram.patch +arm-dts-imx6sll-add-missing-properties-for-sram.patch +arm-dts-imx6sx-add-missing-properties-for-sram.patch +arm-dts-imx6sl-use-tabs-for-code-indent.patch +arm-dts-imx6sx-udoo-neo-don-t-use-multiple-blank-lin.patch +kselftest-arm64-fix-validatation-termination-record-.patch +sparc-fix-the-generic-io-helpers.patch +arm64-run-softirqs-on-the-per-cpu-irq-stack.patch +arm64-dts-imx8mm-kontron-use-the-vselect-signal-to-s.patch +arm64-dts-imx8ulp-no-executable-source-file-permissi.patch +arm64-dts-imx8mq-librem5-add-bq25895-as-max17055-s-p.patch +arm-orion-fix-include-path.patch +btrfs-dump-extra-info-if-one-free-space-cache-has-mo.patch +btrfs-add-macros-for-annotating-wait-events-with-loc.patch +btrfs-add-lockdep-annotations-for-num_writers-wait-e.patch +btrfs-add-lockdep-annotations-for-num_extwriters-wai.patch +btrfs-add-lockdep-annotations-for-transaction-states.patch +btrfs-add-lockdep-annotations-for-pending_ordered-wa.patch +btrfs-change-the-lockdep-class-of-free-space-inode-s.patch +btrfs-add-lockdep-annotations-for-the-ordered-extent.patch +btrfs-scrub-properly-report-super-block-errors-in-sy.patch +btrfs-scrub-try-to-fix-super-block-errors.patch +btrfs-don-t-print-information-about-space-cache-or-t.patch +btrfs-call-__btrfs_remove_free_space_cache_locked-on.patch +btrfs-check-superblock-to-ensure-the-fs-was-not-modi.patch +btrfs-add-kcsan-annotations-for-unlocked-access-to-b.patch +btrfs-separate-out-the-eb-and-extent-state-leak-help.patch +arm64-dts-uniphier-add-usb-device-support-for-pxs3-r.patch +arm-9233-1-stacktrace-skip-frame-pointer-boundary-ch.patch +arm-9234-1-stacktrace-avoid-duplicate-saving-of-exce.patch +arm-9242-1-kasan-only-map-modules-if-config_kasan_vm.patch +clk-zynqmp-fix-stack-out-of-bounds-in-strncpy.patch +media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch +media-platform-fix-some-double-free-in-meson-ge2d-an.patch +clk-zynqmp-pll-rectify-rate-rounding-in-zynqmp_pll_r.patch +rdma-rxe-delete-error-messages-triggered-by-incoming.patch +usb-host-xhci-plat-suspend-and-resume-clocks.patch +usb-host-xhci-plat-suspend-resume-clks-for-brcm.patch +scsi-lpfc-fix-null-ndlp-ptr-dereference-in-abnormal-.patch +dmaengine-ti-k3-udma-reset-udma_chan_rt-byte-counter.patch +scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch +nbd-fix-hung-when-signal-interrupts-nbd_start_device.patch +iommu-arm-smmu-v3-make-default-domain-type-of-hisili.patch +usb-gadget-uvc-increase-worker-prio-to-wq_highpri.patch +power-supply-adp5061-fix-out-of-bounds-read-in-adp50.patch +staging-vt6655-fix-potential-memory-leak.patch +blk-throttle-prevent-overflow-while-calculating-wait.patch +ata-libahci_platform-sanity-check-the-dt-child-nodes.patch +habanalabs-ignore-eeprom-errors-during-boot.patch +nvmet-auth-clean-up-with-done_kfree.patch +bcache-fix-set_at_max_writeback_rate-for-multiple-at.patch +soundwire-cadence-don-t-overwrite-msg-buf-during-wri.patch +soundwire-intel-fix-error-handling-on-dai-registrati.patch +hid-topre-add-driver-fixing-report-descriptor.patch +habanalabs-remove-some-f-w-descriptor-validations.patch +hid-roccat-fix-use-after-free-in-roccat_read.patch +hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch +hid-nintendo-check-analog-user-calibration-for-plaus.patch +md-raid5-wait-for-md_sb_change_pending-in-raid5d.patch +usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch +usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch +usb-dwc3-core-add-gfladj_refclk_lpm_sel-quirk.patch +arm64-dts-imx8mp-add-snps-gfladj-refclk-lpm-sel-quir.patch +usb-dwc3-core-enable-guctl1-bit-10-for-fixing-termin.patch +revert-usb-storage-add-quirk-for-samsung-fit-flash.patch +io_uring-fix-cqe-reordering.patch +staging-rtl8723bs-fix-potential-memory-leak-in-rtw_i.patch +staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch +scsi-tracing-fix-compile-error-in-trace_array-calls-.patch +ext2-use-kvmalloc-for-group-descriptor-array.patch +nvme-handle-effects-after-freeing-the-request.patch +nvme-copy-firmware_rev-on-each-init.patch +nvmet-tcp-add-bounds-check-on-transfer-tag.patch +usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch +block-replace-blk_queue_nowait-with-bdev_nowait.patch +blk-mq-use-quiesced-elevator-switch-when-reinitializ.patch +nvmet-don-t-look-at-the-request_queue-in-nvmet_bdev_.patch +nvmet-don-t-look-at-the-request_queue-in-nvmet_bdev_.patch-7526 +hwmon-occ-retry-for-checksum-failure.patch +fsi-occ-prevent-use-after-free.patch +fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch +dmaengine-dw-edma-remove-runtime-pm-support.patch +usb-typec-ucsi-don-t-warn-on-probe-deferral.patch +clk-bcm2835-round-uart-input-clock-up.patch +net-lan966x-fix-return-type-of-lan966x_port_xmit.patch +net-sparx5-fix-return-type-of-sparx5_port_xmit_impl.patch diff --git a/queue-6.0/sh-machvec-use-char-for-section-boundaries.patch b/queue-6.0/sh-machvec-use-char-for-section-boundaries.patch new file mode 100644 index 00000000000..49f2c907e4a --- /dev/null +++ b/queue-6.0/sh-machvec-use-char-for-section-boundaries.patch @@ -0,0 +1,82 @@ +From 20fb98b0d4d9d2794534ff407f1dff6df5d15903 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:40:44 -0700 +Subject: sh: machvec: Use char[] for section boundaries + +From: Kees Cook + +[ Upstream commit c5783af354688b24abd359f7086c282ec74de993 ] + +As done for other sections, define the extern as a character array, +which relaxes many of the compiler-time object size checks, which would +otherwise assume it's a single long. Solves the following build error: + +arch/sh/kernel/machvec.c: error: array subscript 'struct sh_machine_vector[0]' is partly outside array bounds of 'long int[1]' [-Werror=array-bounds]: => 105:33 + +Cc: Yoshinori Sato +Cc: Rich Felker +Cc: linux-sh@vger.kernel.org +Reported-by: Geert Uytterhoeven +Link: https://lore.kernel.org/lkml/alpine.DEB.2.22.394.2209050944290.964530@ramsan.of.borg/ +Fixes: 9655ad03af2d ("sh: Fixup machvec support.") +Reviewed-by: Geert Uytterhoeven +Reviewed-by: Gustavo A. R. Silva +Acked-by: Rich Felker +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/sh/include/asm/sections.h | 2 +- + arch/sh/kernel/machvec.c | 10 +++++----- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/sh/include/asm/sections.h b/arch/sh/include/asm/sections.h +index 8edb824049b9..0cb0ca149ac3 100644 +--- a/arch/sh/include/asm/sections.h ++++ b/arch/sh/include/asm/sections.h +@@ -4,7 +4,7 @@ + + #include + +-extern long __machvec_start, __machvec_end; ++extern char __machvec_start[], __machvec_end[]; + extern char __uncached_start, __uncached_end; + extern char __start_eh_frame[], __stop_eh_frame[]; + +diff --git a/arch/sh/kernel/machvec.c b/arch/sh/kernel/machvec.c +index d606679a211e..57efaf5b82ae 100644 +--- a/arch/sh/kernel/machvec.c ++++ b/arch/sh/kernel/machvec.c +@@ -20,8 +20,8 @@ + #define MV_NAME_SIZE 32 + + #define for_each_mv(mv) \ +- for ((mv) = (struct sh_machine_vector *)&__machvec_start; \ +- (mv) && (unsigned long)(mv) < (unsigned long)&__machvec_end; \ ++ for ((mv) = (struct sh_machine_vector *)__machvec_start; \ ++ (mv) && (unsigned long)(mv) < (unsigned long)__machvec_end; \ + (mv)++) + + static struct sh_machine_vector * __init get_mv_byname(const char *name) +@@ -87,8 +87,8 @@ void __init sh_mv_setup(void) + if (!machvec_selected) { + unsigned long machvec_size; + +- machvec_size = ((unsigned long)&__machvec_end - +- (unsigned long)&__machvec_start); ++ machvec_size = ((unsigned long)__machvec_end - ++ (unsigned long)__machvec_start); + + /* + * Sanity check for machvec section alignment. Ensure +@@ -102,7 +102,7 @@ void __init sh_mv_setup(void) + * vector (usually the only one) from .machvec.init. + */ + if (machvec_size >= sizeof(struct sh_machine_vector)) +- sh_mv = *(struct sh_machine_vector *)&__machvec_start; ++ sh_mv = *(struct sh_machine_vector *)__machvec_start; + } + + pr_notice("Booting machvec: %s\n", get_system_type()); +-- +2.35.1 + diff --git a/queue-6.0/skmsg-schedule-psock-work-if-the-cached-skb-exists-o.patch b/queue-6.0/skmsg-schedule-psock-work-if-the-cached-skb-exists-o.patch new file mode 100644 index 00000000000..35f62af20b1 --- /dev/null +++ b/queue-6.0/skmsg-schedule-psock-work-if-the-cached-skb-exists-o.patch @@ -0,0 +1,65 @@ +From acd6eefaeec42e581ed618c690fb27e92f0ffccf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 15:13:11 +0800 +Subject: skmsg: Schedule psock work if the cached skb exists on the psock + +From: Liu Jian + +[ Upstream commit bec217197b412d74168c6a42fc0f76d0cc9cad00 ] + +In sk_psock_backlog function, for ingress direction skb, if no new data +packet arrives after the skb is cached, the cached skb does not have a +chance to be added to the receive queue of psock. As a result, the cached +skb cannot be received by the upper-layer application. Fix this by reschedule +the psock work to dispose the cached skb in sk_msg_recvmsg function. + +Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: Liu Jian +Signed-off-by: Daniel Borkmann +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20220907071311.60534-1-liujian56@huawei.com +Signed-off-by: Sasha Levin +--- + net/core/skmsg.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index 188f8558d27d..ca70525621c7 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -434,8 +434,10 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg, + if (copied + copy > len) + copy = len - copied; + copy = copy_page_to_iter(page, sge->offset, copy, iter); +- if (!copy) +- return copied ? copied : -EFAULT; ++ if (!copy) { ++ copied = copied ? copied : -EFAULT; ++ goto out; ++ } + + copied += copy; + if (likely(!peek)) { +@@ -455,7 +457,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg, + * didn't copy the entire length lets just break. + */ + if (copy != sge->length) +- return copied; ++ goto out; + sk_msg_iter_var_next(i); + } + +@@ -477,7 +479,9 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg, + } + msg_rx = sk_psock_peek_msg(psock); + } +- ++out: ++ if (psock->work_state.skb && copied > 0) ++ schedule_work(&psock->work); + return copied; + } + EXPORT_SYMBOL_GPL(sk_msg_recvmsg); +-- +2.35.1 + diff --git a/queue-6.0/slimbus-qcom-ngd-add-error-handling-in-of_qcom_slim_.patch b/queue-6.0/slimbus-qcom-ngd-add-error-handling-in-of_qcom_slim_.patch new file mode 100644 index 00000000000..d0adaacc6b0 --- /dev/null +++ b/queue-6.0/slimbus-qcom-ngd-add-error-handling-in-of_qcom_slim_.patch @@ -0,0 +1,45 @@ +From 563eee02ace07d4306ee43abbcbca85c4ca0e5b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 11:19:53 +0800 +Subject: slimbus: qcom-ngd: Add error handling in of_qcom_slim_ngd_register + +From: Lin Yujun + +[ Upstream commit 42992cf187e4e4bcfe3c58f8fc7b1832c5652d9f ] + +No error handling is performed when platform_device_add() +return fails. Refer to the error handling of driver_set_override(), +add error handling for platform_device_add(). + +Fixes: 917809e2280b ("slimbus: ngd: Add qcom SLIMBus NGD driver") +Reviewed-by: Neil Armstrong +Signed-off-by: Lin Yujun +Link: https://lore.kernel.org/r/20220914031953.94061-1-linyujun809@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/slimbus/qcom-ngd-ctrl.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c +index bacc6af1d51e..d29a1a9cf12f 100644 +--- a/drivers/slimbus/qcom-ngd-ctrl.c ++++ b/drivers/slimbus/qcom-ngd-ctrl.c +@@ -1470,7 +1470,13 @@ static int of_qcom_slim_ngd_register(struct device *parent, + ngd->pdev->dev.of_node = node; + ctrl->ngd = ngd; + +- platform_device_add(ngd->pdev); ++ ret = platform_device_add(ngd->pdev); ++ if (ret) { ++ platform_device_put(ngd->pdev); ++ kfree(ngd); ++ of_node_put(node); ++ return ret; ++ } + ngd->base = ctrl->base + ngd->id * data->offset + + (ngd->id - 1) * data->size; + +-- +2.35.1 + diff --git a/queue-6.0/soc-qcom-smem_state-add-refcounting-for-the-state-of.patch b/queue-6.0/soc-qcom-smem_state-add-refcounting-for-the-state-of.patch new file mode 100644 index 00000000000..3658d3b00af --- /dev/null +++ b/queue-6.0/soc-qcom-smem_state-add-refcounting-for-the-state-of.patch @@ -0,0 +1,46 @@ +From 2d6a810b5caf8d3871558668715308523ba11e53 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 21:52:17 +0800 +Subject: soc: qcom: smem_state: Add refcounting for the 'state->of_node' + +From: Liang He + +[ Upstream commit 90681f53b9381c23ff7762a3b13826d620c272de ] + +In qcom_smem_state_register() and qcom_smem_state_release(), we +should better use of_node_get() and of_node_put() for the reference +creation and destruction of 'device_node'. + +Fixes: 9460ae2ff308 ("soc: qcom: Introduce common SMEM state machine code") +Signed-off-by: Liang He +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220721135217.1301039-2-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/smem_state.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/smem_state.c b/drivers/soc/qcom/smem_state.c +index 31faf4aa868e..e848cc9a3cf8 100644 +--- a/drivers/soc/qcom/smem_state.c ++++ b/drivers/soc/qcom/smem_state.c +@@ -136,6 +136,7 @@ static void qcom_smem_state_release(struct kref *ref) + struct qcom_smem_state *state = container_of(ref, struct qcom_smem_state, refcount); + + list_del(&state->list); ++ of_node_put(state->of_node); + kfree(state); + } + +@@ -205,7 +206,7 @@ struct qcom_smem_state *qcom_smem_state_register(struct device_node *of_node, + + kref_init(&state->refcount); + +- state->of_node = of_node; ++ state->of_node = of_node_get(of_node); + state->ops = *ops; + state->priv = priv; + +-- +2.35.1 + diff --git a/queue-6.0/soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch b/queue-6.0/soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch new file mode 100644 index 00000000000..742f8bff4d5 --- /dev/null +++ b/queue-6.0/soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch @@ -0,0 +1,107 @@ +From 79c3edd2f396a39560b92e1f9b84c7978cf7a091 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 21:52:16 +0800 +Subject: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() + +From: Liang He + +[ Upstream commit af8f6f39b8afd772fda4f8e61823ef8c021bf382 ] + +There are two refcount leak bugs in qcom_smsm_probe(): + +(1) The 'local_node' is escaped out from for_each_child_of_node() as +the break of iteration, we should call of_node_put() for it in error +path or when it is not used anymore. +(2) The 'node' is escaped out from for_each_available_child_of_node() +as the 'goto', we should call of_node_put() for it in goto target. + +Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM") +Signed-off-by: Liang He +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220721135217.1301039-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/smsm.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/drivers/soc/qcom/smsm.c b/drivers/soc/qcom/smsm.c +index 9df9bba242f3..3e8994d6110e 100644 +--- a/drivers/soc/qcom/smsm.c ++++ b/drivers/soc/qcom/smsm.c +@@ -526,7 +526,7 @@ static int qcom_smsm_probe(struct platform_device *pdev) + for (id = 0; id < smsm->num_hosts; id++) { + ret = smsm_parse_ipc(smsm, id); + if (ret < 0) +- return ret; ++ goto out_put; + } + + /* Acquire the main SMSM state vector */ +@@ -534,13 +534,14 @@ static int qcom_smsm_probe(struct platform_device *pdev) + smsm->num_entries * sizeof(u32)); + if (ret < 0 && ret != -EEXIST) { + dev_err(&pdev->dev, "unable to allocate shared state entry\n"); +- return ret; ++ goto out_put; + } + + states = qcom_smem_get(QCOM_SMEM_HOST_ANY, SMEM_SMSM_SHARED_STATE, NULL); + if (IS_ERR(states)) { + dev_err(&pdev->dev, "Unable to acquire shared state entry\n"); +- return PTR_ERR(states); ++ ret = PTR_ERR(states); ++ goto out_put; + } + + /* Acquire the list of interrupt mask vectors */ +@@ -548,13 +549,14 @@ static int qcom_smsm_probe(struct platform_device *pdev) + ret = qcom_smem_alloc(QCOM_SMEM_HOST_ANY, SMEM_SMSM_CPU_INTR_MASK, size); + if (ret < 0 && ret != -EEXIST) { + dev_err(&pdev->dev, "unable to allocate smsm interrupt mask\n"); +- return ret; ++ goto out_put; + } + + intr_mask = qcom_smem_get(QCOM_SMEM_HOST_ANY, SMEM_SMSM_CPU_INTR_MASK, NULL); + if (IS_ERR(intr_mask)) { + dev_err(&pdev->dev, "unable to acquire shared memory interrupt mask\n"); +- return PTR_ERR(intr_mask); ++ ret = PTR_ERR(intr_mask); ++ goto out_put; + } + + /* Setup the reference to the local state bits */ +@@ -565,7 +567,8 @@ static int qcom_smsm_probe(struct platform_device *pdev) + smsm->state = qcom_smem_state_register(local_node, &smsm_state_ops, smsm); + if (IS_ERR(smsm->state)) { + dev_err(smsm->dev, "failed to register qcom_smem_state\n"); +- return PTR_ERR(smsm->state); ++ ret = PTR_ERR(smsm->state); ++ goto out_put; + } + + /* Register handlers for remote processor entries of interest. */ +@@ -595,16 +598,19 @@ static int qcom_smsm_probe(struct platform_device *pdev) + } + + platform_set_drvdata(pdev, smsm); ++ of_node_put(local_node); + + return 0; + + unwind_interfaces: ++ of_node_put(node); + for (id = 0; id < smsm->num_entries; id++) + if (smsm->entries[id].domain) + irq_domain_remove(smsm->entries[id].domain); + + qcom_smem_state_unregister(smsm->state); +- ++out_put: ++ of_node_put(local_node); + return ret; + } + +-- +2.35.1 + diff --git a/queue-6.0/soc-tegra-fuse-add-missing-of_node_put-in-tegra_init.patch b/queue-6.0/soc-tegra-fuse-add-missing-of_node_put-in-tegra_init.patch new file mode 100644 index 00000000000..4e11f865081 --- /dev/null +++ b/queue-6.0/soc-tegra-fuse-add-missing-of_node_put-in-tegra_init.patch @@ -0,0 +1,36 @@ +From ea2d1487d35de1bfd699724457f26e2d1aaf349e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 09:46:36 +0800 +Subject: soc/tegra: fuse: Add missing of_node_put() in tegra_init_fuse() + +From: Liang He + +[ Upstream commit e941712cccab8a96f03b5d3274159c1ed338efee ] + +In this function, of_find_matching_node() will return a node pointer +with refcount incremented. We should use of_node_put() when the "np" +pointer is not used anymore. + +Signed-off-by: Liang He +Signed-off-by: Thierry Reding +Stable-dep-of: 2254182807fc ("soc/tegra: fuse: Drop Kconfig dependency on TEGRA20_APB_DMA") +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/fuse/fuse-tegra.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c +index b0a8405dbdb1..6542267a224d 100644 +--- a/drivers/soc/tegra/fuse/fuse-tegra.c ++++ b/drivers/soc/tegra/fuse/fuse-tegra.c +@@ -568,6 +568,7 @@ static int __init tegra_init_fuse(void) + np = of_find_matching_node(NULL, car_match); + if (np) { + void __iomem *base = of_iomap(np, 0); ++ of_node_put(np); + if (base) { + tegra_enable_fuse_clk(base); + iounmap(base); +-- +2.35.1 + diff --git a/queue-6.0/soc-tegra-fuse-drop-kconfig-dependency-on-tegra20_ap.patch b/queue-6.0/soc-tegra-fuse-drop-kconfig-dependency-on-tegra20_ap.patch new file mode 100644 index 00000000000..27a55202bed --- /dev/null +++ b/queue-6.0/soc-tegra-fuse-drop-kconfig-dependency-on-tegra20_ap.patch @@ -0,0 +1,45 @@ +From 0ad403d70be3cace2365b70fd612a2208b0ef75f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Sep 2020 03:34:21 +0300 +Subject: soc/tegra: fuse: Drop Kconfig dependency on TEGRA20_APB_DMA + +From: Dmitry Osipenko + +[ Upstream commit 2254182807fc09ba9dec9a42ef239e373796f1b2 ] + +The DMA subsystem could be entirely disabled in Kconfig and then the +TEGRA20_APB_DMA option isn't available too. Hence kernel configuration +fails if DMADEVICES Kconfig option is disabled due to the unsatisfiable +dependency. + +The FUSE driver isn't a critical driver and currently it only provides +NVMEM interface to userspace which isn't known to be widely used, and +thus, it's fine if FUSE driver fails to load. + +Let's remove the erroneous Kconfig dependency and let the FUSE driver to +fail the probing if DMA is unavailable. + +Fixes: 19d41e5e9c68 ("soc/tegra: fuse: Add APB DMA dependency for Tegra20") +Reported-by: Necip Fazil Yildiran +Link: https://bugzilla.kernel.org/show_bug.cgi?id=209301 +Signed-off-by: Dmitry Osipenko +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/soc/tegra/Kconfig b/drivers/soc/tegra/Kconfig +index 5725c8ef0406..6f601227da3c 100644 +--- a/drivers/soc/tegra/Kconfig ++++ b/drivers/soc/tegra/Kconfig +@@ -136,7 +136,6 @@ config SOC_TEGRA_FUSE + def_bool y + depends on ARCH_TEGRA + select SOC_BUS +- select TEGRA20_APB_DMA if ARCH_TEGRA_2x_SOC + + config SOC_TEGRA_FLOWCTRL + bool +-- +2.35.1 + diff --git a/queue-6.0/soundwire-cadence-don-t-overwrite-msg-buf-during-wri.patch b/queue-6.0/soundwire-cadence-don-t-overwrite-msg-buf-during-wri.patch new file mode 100644 index 00000000000..1e8e733c01c --- /dev/null +++ b/queue-6.0/soundwire-cadence-don-t-overwrite-msg-buf-during-wri.patch @@ -0,0 +1,49 @@ +From 0e9a227d22fdc333a5575693f496b56f483584a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 11:35:05 +0100 +Subject: soundwire: cadence: Don't overwrite msg->buf during write commands + +From: Richard Fitzgerald + +[ Upstream commit ba05b39d265bdd16913f7684600d9d41e2796745 ] + +The buf passed in struct sdw_msg must only be written for a READ, +in that case the RDATA part of the response is the data value of the +register. + +For a write command there is no RDATA, and buf should be assumed to +be const and unmodifable. The original caller should not expect its data +buffer to be corrupted by an sdw_nwrite(). + +Signed-off-by: Richard Fitzgerald +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20220916103505.1562210-1-rf@opensource.cirrus.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/cadence_master.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c +index 4fbb19557f5e..42c5fae80efb 100644 +--- a/drivers/soundwire/cadence_master.c ++++ b/drivers/soundwire/cadence_master.c +@@ -544,9 +544,12 @@ cdns_fill_msg_resp(struct sdw_cdns *cdns, + return SDW_CMD_IGNORED; + } + +- /* fill response */ +- for (i = 0; i < count; i++) +- msg->buf[i + offset] = FIELD_GET(CDNS_MCP_RESP_RDATA, cdns->response_buf[i]); ++ if (msg->flags == SDW_MSG_FLAG_READ) { ++ /* fill response */ ++ for (i = 0; i < count; i++) ++ msg->buf[i + offset] = FIELD_GET(CDNS_MCP_RESP_RDATA, ++ cdns->response_buf[i]); ++ } + + return SDW_CMD_OK; + } +-- +2.35.1 + diff --git a/queue-6.0/soundwire-intel-fix-error-handling-on-dai-registrati.patch b/queue-6.0/soundwire-intel-fix-error-handling-on-dai-registrati.patch new file mode 100644 index 00000000000..cf9fd6e168d --- /dev/null +++ b/queue-6.0/soundwire-intel-fix-error-handling-on-dai-registrati.patch @@ -0,0 +1,39 @@ +From 4ae4fe2e8ac7c310d3ecef843e6f90bb0a8f9926 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 01:57:11 +0800 +Subject: soundwire: intel: fix error handling on dai registration issues + +From: Pierre-Louis Bossart + +[ Upstream commit c6867cda906aadbce5e71efde9c78a26108b2bad ] + +The call to intel_register_dai() may fail because of memory allocation +issues or problems reported by the ASoC core. In all cases, when a +error is thrown the component is not registered, it's invalid to +unregister it. + +Signed-off-by: Pierre-Louis Bossart +Reviewed-by: Rander Wang +Signed-off-by: Bard Liao +Link: https://lore.kernel.org/r/20220919175721.354679-2-yung-chuan.liao@linux.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/intel.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/soundwire/intel.c b/drivers/soundwire/intel.c +index 89d1d0d021fc..af6c1a93372d 100644 +--- a/drivers/soundwire/intel.c ++++ b/drivers/soundwire/intel.c +@@ -1429,7 +1429,6 @@ int intel_link_startup(struct auxiliary_device *auxdev) + ret = intel_register_dai(sdw); + if (ret) { + dev_err(dev, "DAI registration failed: %d\n", ret); +- snd_soc_unregister_component(dev); + goto err_interrupt; + } + +-- +2.35.1 + diff --git a/queue-6.0/sparc-fix-the-generic-io-helpers.patch b/queue-6.0/sparc-fix-the-generic-io-helpers.patch new file mode 100644 index 00000000000..273fe7364bd --- /dev/null +++ b/queue-6.0/sparc-fix-the-generic-io-helpers.patch @@ -0,0 +1,165 @@ +From 7c9150bb93734ff3ffe5ba2fd3970707a7431416 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 21:55:53 +0200 +Subject: sparc: Fix the generic IO helpers + +From: Linus Walleij + +[ Upstream commit 2c230431e1e809270178905974f57cf3878939f5 ] + +This enables the Sparc to use to fill in the +missing (undefined) [read|write]sq I/O accessor functions. + +This is needed if Sparc[64] ever wants to uses CONFIG_REGMAP_MMIO +which has been patches to use accelerated _noinc accessors +such as readsq/writesq that Sparc64, while being a 64bit platform, +as of now not yet provide. + +This comes with the requirement that everything the architecture +already provides needs to be defined, rather than just being, +say, static inline functions. + +Bite the bullet and just provide the definitions and make it work. +Compile-tested on sparc32 and sparc64. + +Reported-by: kernel test robot +Signed-off-by: Linus Walleij +Cc: David S. Miller +Cc: sparclinux@vger.kernel.org +Cc: linux-arch@vger.kernel.org +Cc: Mark Brown +Cc: Arnd Bergmann +Link: https://lore.kernel.org/linux-arm-kernel/202208201639.HXye3ke4-lkp@intel.com/ +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/sparc/include/asm/io.h | 2 ++ + arch/sparc/include/asm/io_64.h | 22 ++++++++++++++++++++++ + 2 files changed, 24 insertions(+) + +diff --git a/arch/sparc/include/asm/io.h b/arch/sparc/include/asm/io.h +index 2eefa526b38f..2dad9be9ec75 100644 +--- a/arch/sparc/include/asm/io.h ++++ b/arch/sparc/include/asm/io.h +@@ -19,4 +19,6 @@ + #define writel_be(__w, __addr) __raw_writel(__w, __addr) + #define writew_be(__l, __addr) __raw_writew(__l, __addr) + ++#include ++ + #endif +diff --git a/arch/sparc/include/asm/io_64.h b/arch/sparc/include/asm/io_64.h +index 5ffa820dcd4d..9303270b22f3 100644 +--- a/arch/sparc/include/asm/io_64.h ++++ b/arch/sparc/include/asm/io_64.h +@@ -9,6 +9,7 @@ + #include /* IO address mapping routines need this */ + #include + #include ++#define pci_iomap pci_iomap + + /* BIO layer definitions. */ + extern unsigned long kern_base, kern_size; +@@ -239,38 +240,51 @@ static inline void outl(u32 l, unsigned long addr) + void outsb(unsigned long, const void *, unsigned long); + void outsw(unsigned long, const void *, unsigned long); + void outsl(unsigned long, const void *, unsigned long); ++#define outsb outsb ++#define outsw outsw ++#define outsl outsl + void insb(unsigned long, void *, unsigned long); + void insw(unsigned long, void *, unsigned long); + void insl(unsigned long, void *, unsigned long); ++#define insb insb ++#define insw insw ++#define insl insl + + static inline void readsb(void __iomem *port, void *buf, unsigned long count) + { + insb((unsigned long __force)port, buf, count); + } ++#define readsb readsb ++ + static inline void readsw(void __iomem *port, void *buf, unsigned long count) + { + insw((unsigned long __force)port, buf, count); + } ++#define readsw readsw + + static inline void readsl(void __iomem *port, void *buf, unsigned long count) + { + insl((unsigned long __force)port, buf, count); + } ++#define readsl readsl + + static inline void writesb(void __iomem *port, const void *buf, unsigned long count) + { + outsb((unsigned long __force)port, buf, count); + } ++#define writesb writesb + + static inline void writesw(void __iomem *port, const void *buf, unsigned long count) + { + outsw((unsigned long __force)port, buf, count); + } ++#define writesw writesw + + static inline void writesl(void __iomem *port, const void *buf, unsigned long count) + { + outsl((unsigned long __force)port, buf, count); + } ++#define writesl writesl + + #define ioread8_rep(p,d,l) readsb(p,d,l) + #define ioread16_rep(p,d,l) readsw(p,d,l) +@@ -344,6 +358,7 @@ static inline void memset_io(volatile void __iomem *dst, int c, __kernel_size_t + d++; + } + } ++#define memset_io memset_io + + static inline void sbus_memcpy_fromio(void *dst, const volatile void __iomem *src, + __kernel_size_t n) +@@ -369,6 +384,7 @@ static inline void memcpy_fromio(void *dst, const volatile void __iomem *src, + src++; + } + } ++#define memcpy_fromio memcpy_fromio + + static inline void sbus_memcpy_toio(volatile void __iomem *dst, const void *src, + __kernel_size_t n) +@@ -395,6 +411,7 @@ static inline void memcpy_toio(volatile void __iomem *dst, const void *src, + d++; + } + } ++#define memcpy_toio memcpy_toio + + #ifdef __KERNEL__ + +@@ -412,7 +429,9 @@ static inline void __iomem *ioremap(unsigned long offset, unsigned long size) + static inline void __iomem *ioremap_np(unsigned long offset, unsigned long size) + { + return NULL; ++ + } ++#define ioremap_np ioremap_np + + static inline void iounmap(volatile void __iomem *addr) + { +@@ -432,10 +451,13 @@ static inline void iounmap(volatile void __iomem *addr) + /* Create a virtual mapping cookie for an IO port range */ + void __iomem *ioport_map(unsigned long port, unsigned int nr); + void ioport_unmap(void __iomem *); ++#define ioport_map ioport_map ++#define ioport_unmap ioport_unmap + + /* Create a virtual mapping cookie for a PCI BAR (memory or IO) */ + struct pci_dev; + void pci_iounmap(struct pci_dev *dev, void __iomem *); ++#define pci_iounmap pci_iounmap + + static inline int sbus_can_dma_64bit(void) + { +-- +2.35.1 + diff --git a/queue-6.0/spi-cadence-quadspi-fix-pm-disable-depth-imbalance-i.patch b/queue-6.0/spi-cadence-quadspi-fix-pm-disable-depth-imbalance-i.patch new file mode 100644 index 00000000000..bedba294a02 --- /dev/null +++ b/queue-6.0/spi-cadence-quadspi-fix-pm-disable-depth-imbalance-i.patch @@ -0,0 +1,47 @@ +From d108e8df36f6c9ac4fb6f21e3fd0b4bcf27353aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 20:13:07 +0800 +Subject: spi: cadence-quadspi: Fix PM disable depth imbalance in cqspi_probe + +From: Zhang Qilong + +[ Upstream commit 4d0ef0a1c35189a6e8377d8ee8310ea5ef22c5f3 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. + +Fixes:73d5fe0462702 ("spi: cadence-quadspi: Remove spi_master_put() in probe failure path") + +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20220924121310.78331-2-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cadence-quadspi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c +index e12ab5b43f34..447230547945 100644 +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -1645,7 +1645,7 @@ static int cqspi_probe(struct platform_device *pdev) + pm_runtime_enable(dev); + ret = pm_runtime_resume_and_get(dev); + if (ret < 0) +- return ret; ++ goto probe_pm_failed; + + ret = clk_prepare_enable(cqspi->clk); + if (ret) { +@@ -1740,6 +1740,7 @@ static int cqspi_probe(struct platform_device *pdev) + clk_disable_unprepare(cqspi->clk); + probe_clk_failed: + pm_runtime_put_sync(dev); ++probe_pm_failed: + pm_runtime_disable(dev); + return ret; + } +-- +2.35.1 + diff --git a/queue-6.0/spi-dw-fix-pm-disable-depth-imbalance-in-dw_spi_bt1_.patch b/queue-6.0/spi-dw-fix-pm-disable-depth-imbalance-in-dw_spi_bt1_.patch new file mode 100644 index 00000000000..7732b3dfd3f --- /dev/null +++ b/queue-6.0/spi-dw-fix-pm-disable-depth-imbalance-in-dw_spi_bt1_.patch @@ -0,0 +1,42 @@ +From 3bcc980549ae16e55a22eb252aad00d57156de96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 20:13:08 +0800 +Subject: spi: dw: Fix PM disable depth imbalance in dw_spi_bt1_probe + +From: Zhang Qilong + +[ Upstream commit 618d815fc93477b1675878f3c04ff32657cc18b4 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. + +Fixes:abf00907538e2 ("spi: dw: Add Baikal-T1 SPI Controller glue driver") + +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20220924121310.78331-3-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-dw-bt1.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-dw-bt1.c b/drivers/spi/spi-dw-bt1.c +index c06553416123..3fb89dee595e 100644 +--- a/drivers/spi/spi-dw-bt1.c ++++ b/drivers/spi/spi-dw-bt1.c +@@ -293,8 +293,10 @@ static int dw_spi_bt1_probe(struct platform_device *pdev) + pm_runtime_enable(&pdev->dev); + + ret = dw_spi_add_host(&pdev->dev, dws); +- if (ret) ++ if (ret) { ++ pm_runtime_disable(&pdev->dev); + goto err_disable_clk; ++ } + + platform_set_drvdata(pdev, dwsbt1); + +-- +2.35.1 + diff --git a/queue-6.0/spi-ensure-that-sg_table-won-t-be-used-after-being-f.patch b/queue-6.0/spi-ensure-that-sg_table-won-t-be-used-after-being-f.patch new file mode 100644 index 00000000000..2d89dd858e8 --- /dev/null +++ b/queue-6.0/spi-ensure-that-sg_table-won-t-be-used-after-being-f.patch @@ -0,0 +1,39 @@ +From b04beefde50774130c1122d7c291fcff35853338 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 13:34:08 +0200 +Subject: spi: Ensure that sg_table won't be used after being freed + +From: Marek Szyprowski + +[ Upstream commit 8e9204cddcc3fea9affcfa411715ba4f66e97587 ] + +SPI code checks for non-zero sgt->orig_nents to determine if the buffer +has been DMA-mapped. Ensure that sg_table is really zeroed after free to +avoid potential NULL pointer dereference if the given SPI xfer object is +reused again without being DMA-mapped. + +Fixes: 0c17ba73c08f ("spi: Fix cache corruption due to DMA/PIO overlap") +Signed-off-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20220930113408.19720-1-m.szyprowski@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 32c01e684af3..4b42f2302a8a 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -1097,6 +1097,8 @@ void spi_unmap_buf(struct spi_controller *ctlr, struct device *dev, + if (sgt->orig_nents) { + dma_unmap_sg(dev, sgt->sgl, sgt->orig_nents, dir); + sg_free_table(sgt); ++ sgt->orig_nents = 0; ++ sgt->nents = 0; + } + } + +-- +2.35.1 + diff --git a/queue-6.0/spi-meson-spicc-do-not-rely-on-busy-flag-in-pow2-clk.patch b/queue-6.0/spi-meson-spicc-do-not-rely-on-busy-flag-in-pow2-clk.patch new file mode 100644 index 00000000000..e0aac9e1cc0 --- /dev/null +++ b/queue-6.0/spi-meson-spicc-do-not-rely-on-busy-flag-in-pow2-clk.patch @@ -0,0 +1,66 @@ +From e6f5bae89f1da98e9e1c73763ffe5fb23b24d496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 14:18:03 +0200 +Subject: spi: meson-spicc: do not rely on busy flag in pow2 clk ops + +From: Neil Armstrong + +[ Upstream commit 36acf80fc0c4b5ebe6fa010b524d442ee7f08fd3 ] + +Since [1], controller's busy flag isn't set anymore when the +__spi_transfer_message_noqueue() is used instead of the +__spi_pump_transfer_message() logic for spi_sync transfers. + +Since the pow2 clock ops were limited to only be available when a +transfer is ongoing (between prepare_transfer_hardware and +unprepare_transfer_hardware callbacks), the only way to track this +down is to check for the controller cur_msg. + +[1] ae7d2346dc89 ("spi: Don't use the message queue if possible in spi_sync") + +Fixes: 09992025dacd ("spi: meson-spicc: add local pow2 clock ops to preserve rate between messages") +Fixes: ae7d2346dc89 ("spi: Don't use the message queue if possible in spi_sync") +Reported-by: Markus Schneider-Pargmann +Signed-off-by: Neil Armstrong +Tested-by: Markus Schneider-Pargmann +Link: https://lore.kernel.org/r/20220908121803.919943-1-narmstrong@baylibre.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-meson-spicc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c +index e4cb52e1fe26..6974a1c947aa 100644 +--- a/drivers/spi/spi-meson-spicc.c ++++ b/drivers/spi/spi-meson-spicc.c +@@ -537,7 +537,7 @@ static unsigned long meson_spicc_pow2_recalc_rate(struct clk_hw *hw, + struct clk_divider *divider = to_clk_divider(hw); + struct meson_spicc_device *spicc = pow2_clk_to_spicc(divider); + +- if (!spicc->master->cur_msg || !spicc->master->busy) ++ if (!spicc->master->cur_msg) + return 0; + + return clk_divider_ops.recalc_rate(hw, parent_rate); +@@ -549,7 +549,7 @@ static int meson_spicc_pow2_determine_rate(struct clk_hw *hw, + struct clk_divider *divider = to_clk_divider(hw); + struct meson_spicc_device *spicc = pow2_clk_to_spicc(divider); + +- if (!spicc->master->cur_msg || !spicc->master->busy) ++ if (!spicc->master->cur_msg) + return -EINVAL; + + return clk_divider_ops.determine_rate(hw, req); +@@ -561,7 +561,7 @@ static int meson_spicc_pow2_set_rate(struct clk_hw *hw, unsigned long rate, + struct clk_divider *divider = to_clk_divider(hw); + struct meson_spicc_device *spicc = pow2_clk_to_spicc(divider); + +- if (!spicc->master->cur_msg || !spicc->master->busy) ++ if (!spicc->master->cur_msg) + return -EINVAL; + + return clk_divider_ops.set_rate(hw, rate, parent_rate); +-- +2.35.1 + diff --git a/queue-6.0/spi-mt7621-fix-an-error-message-in-mt7621_spi_probe.patch b/queue-6.0/spi-mt7621-fix-an-error-message-in-mt7621_spi_probe.patch new file mode 100644 index 00000000000..3b8de50e50e --- /dev/null +++ b/queue-6.0/spi-mt7621-fix-an-error-message-in-mt7621_spi_probe.patch @@ -0,0 +1,48 @@ +From efd1237ec9a857a18d4bfe22225443e181c034b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 13:42:07 +0200 +Subject: spi: mt7621: Fix an error message in mt7621_spi_probe() + +From: Christophe JAILLET + +[ Upstream commit 2b2bf6b7faa9010fae10dc7de76627a3fdb525b3 ] + +'status' is known to be 0 at this point. The expected error code is +PTR_ERR(clk). + +Switch to dev_err_probe() in order to display the expected error code (in a +human readable way). +This also filters -EPROBE_DEFER cases, should it happen. + +Fixes: 1ab7f2a43558 ("staging: mt7621-spi: add mt7621 support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Matthias Brugger +Link: https://lore.kernel.org/r/928f3fb507d53ba0774df27cea0bbba4b055993b.1661599671.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mt7621.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/spi/spi-mt7621.c b/drivers/spi/spi-mt7621.c +index b4b9b7309b5e..351b0ef52bbc 100644 +--- a/drivers/spi/spi-mt7621.c ++++ b/drivers/spi/spi-mt7621.c +@@ -340,11 +340,9 @@ static int mt7621_spi_probe(struct platform_device *pdev) + return PTR_ERR(base); + + clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(clk)) { +- dev_err(&pdev->dev, "unable to get SYS clock, err=%d\n", +- status); +- return PTR_ERR(clk); +- } ++ if (IS_ERR(clk)) ++ return dev_err_probe(&pdev->dev, PTR_ERR(clk), ++ "unable to get SYS clock\n"); + + status = clk_prepare_enable(clk); + if (status) +-- +2.35.1 + diff --git a/queue-6.0/spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch b/queue-6.0/spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch new file mode 100644 index 00000000000..f61b85ec96d --- /dev/null +++ b/queue-6.0/spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch @@ -0,0 +1,38 @@ +From 8cabefc42979a1721e7066cf3372b600852c614e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 20:13:09 +0800 +Subject: spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe + +From: Zhang Qilong + +[ Upstream commit 29f65f2171c85a9633daa380df14009a365f42f2 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. + +Fixes:db91841b58f9a ("spi/omap100k: Convert to runtime PM") + +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20220924121310.78331-4-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-omap-100k.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c +index 20b047172965..061f7394e5b9 100644 +--- a/drivers/spi/spi-omap-100k.c ++++ b/drivers/spi/spi-omap-100k.c +@@ -412,6 +412,7 @@ static int omap1_spi100k_probe(struct platform_device *pdev) + return status; + + err_fck: ++ pm_runtime_disable(&pdev->dev); + clk_disable_unprepare(spi100k->fck); + err_ick: + clk_disable_unprepare(spi100k->ick); +-- +2.35.1 + diff --git a/queue-6.0/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch b/queue-6.0/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch new file mode 100644 index 00000000000..43ece3b8301 --- /dev/null +++ b/queue-6.0/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch @@ -0,0 +1,61 @@ +From ecc1c6665d0405f56358f77954e4944c42abf2d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 06:53:23 +0000 +Subject: spi: qup: add missing clk_disable_unprepare on error in + spi_qup_resume() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xu Qiang + +[ Upstream commit 70034320fdc597b8f58b4a43bb547f17c4c5557a ] + +Add the missing clk_disable_unprepare() before return +from spi_qup_resume() in the error handling case. + +Fixes: 64ff247a978f (“spi: Add Qualcomm QUP SPI controller support”) +Signed-off-by: Xu Qiang +Link: https://lore.kernel.org/r/20220825065324.68446-1-xuqiang36@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-qup.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c +index 00d6084306b4..ae4e67f152ec 100644 +--- a/drivers/spi/spi-qup.c ++++ b/drivers/spi/spi-qup.c +@@ -1245,14 +1245,25 @@ static int spi_qup_resume(struct device *device) + return ret; + + ret = clk_prepare_enable(controller->cclk); +- if (ret) ++ if (ret) { ++ clk_disable_unprepare(controller->iclk); + return ret; ++ } + + ret = spi_qup_set_state(controller, QUP_STATE_RESET); + if (ret) +- return ret; ++ goto disable_clk; ++ ++ ret = spi_master_resume(master); ++ if (ret) ++ goto disable_clk; + +- return spi_master_resume(master); ++ return 0; ++ ++disable_clk: ++ clk_disable_unprepare(controller->cclk); ++ clk_disable_unprepare(controller->iclk); ++ return ret; + } + #endif /* CONFIG_PM_SLEEP */ + +-- +2.35.1 + diff --git a/queue-6.0/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-31329 b/queue-6.0/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-31329 new file mode 100644 index 00000000000..13cbcd8c456 --- /dev/null +++ b/queue-6.0/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-31329 @@ -0,0 +1,44 @@ +From f1514e2afc452f93b5cced3d920d4e4c63bc89bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 06:53:24 +0000 +Subject: spi: qup: add missing clk_disable_unprepare on error in + spi_qup_pm_resume_runtime() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Xu Qiang + +[ Upstream commit 494a22765ce479c9f8ad181c5d24cffda9f534bb ] + +Add the missing clk_disable_unprepare() before return +from spi_qup_pm_resume_runtime() in the error handling case. + +Fixes: dae1a7700b34 (“spi: qup: Handle clocks in pm_runtime suspend and resume”) +Signed-off-by: Xu Qiang +Link: https://lore.kernel.org/r/20220825065324.68446-2-xuqiang36@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-qup.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c +index ae4e67f152ec..7d89510dc3f0 100644 +--- a/drivers/spi/spi-qup.c ++++ b/drivers/spi/spi-qup.c +@@ -1198,8 +1198,10 @@ static int spi_qup_pm_resume_runtime(struct device *device) + return ret; + + ret = clk_prepare_enable(controller->cclk); +- if (ret) ++ if (ret) { ++ clk_disable_unprepare(controller->iclk); + return ret; ++ } + + /* Disable clocks auto gaiting */ + config = readl_relaxed(controller->base + QUP_CONFIG); +-- +2.35.1 + diff --git a/queue-6.0/spi-s3c64xx-correct-dma_chan-pointer-initialization.patch b/queue-6.0/spi-s3c64xx-correct-dma_chan-pointer-initialization.patch new file mode 100644 index 00000000000..8e02226dabe --- /dev/null +++ b/queue-6.0/spi-s3c64xx-correct-dma_chan-pointer-initialization.patch @@ -0,0 +1,46 @@ +From 2f0cd3195ee34088aea2f7664de5f06697523565 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 09:48:51 +0900 +Subject: spi: s3c64xx: correct dma_chan pointer initialization + +From: Chanho Park + +[ Upstream commit dad57a510db9423a4128ae6565854e999cebac51 ] + +Use NULL for dma channel pointer initialization instead of plain integer. + +sparse warnings: (new ones prefixed by >>) +>> drivers/spi/spi-s3c64xx.c:387:34: sparse: sparse: Using plain integer as NULL pointer + drivers/spi/spi-s3c64xx.c:388:34: sparse: sparse: Using plain integer as NULL pointer + +Reported-by: kernel test robot +Fixes: 82295bc0d192 ("spi: s3c64xx: move dma_release_channel to unprepare") +Fixes: f52b03c70744 ("spi: s3c64xx: requests spi-dma channel only during data transfer") +Signed-off-by: Chanho Park +Reviewed-by: Andi Shyti +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220808004851.25122-1-chanho61.park@samsung.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c64xx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c +index 7f346866614a..651c35dd9124 100644 +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -389,8 +389,8 @@ static int s3c64xx_spi_unprepare_transfer(struct spi_master *spi) + if (sdd->rx_dma.ch && sdd->tx_dma.ch) { + dma_release_channel(sdd->rx_dma.ch); + dma_release_channel(sdd->tx_dma.ch); +- sdd->rx_dma.ch = 0; +- sdd->tx_dma.ch = 0; ++ sdd->rx_dma.ch = NULL; ++ sdd->tx_dma.ch = NULL; + } + + return 0; +-- +2.35.1 + diff --git a/queue-6.0/spi-s3c64xx-fix-large-transfers-with-dma.patch b/queue-6.0/spi-s3c64xx-fix-large-transfers-with-dma.patch new file mode 100644 index 00000000000..3163271c8da --- /dev/null +++ b/queue-6.0/spi-s3c64xx-fix-large-transfers-with-dma.patch @@ -0,0 +1,60 @@ +From cde7e24cc4452eab5cee13d31e4829d76b19a519 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 13:21:17 +0200 +Subject: spi: s3c64xx: Fix large transfers with DMA + +From: Vincent Whitchurch + +[ Upstream commit 1224e29572f655facfcd850cf0f0a4784f36a903 ] + +The COUNT_VALUE in the PACKET_CNT register is 16-bit so the maximum +value is 65535. Asking the driver to transfer a larger size currently +leads to the DMA transfer timing out. Implement ->max_transfer_size() +and have the core split the transfer as needed. + +Fixes: 230d42d422e7 ("spi: Add s3c64xx SPI Controller driver") +Signed-off-by: Vincent Whitchurch +Link: https://lore.kernel.org/r/20220927112117.77599-5-vincent.whitchurch@axis.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-s3c64xx.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c +index 651c35dd9124..71d324ec9a70 100644 +--- a/drivers/spi/spi-s3c64xx.c ++++ b/drivers/spi/spi-s3c64xx.c +@@ -84,6 +84,7 @@ + #define S3C64XX_SPI_ST_TX_FIFORDY (1<<0) + + #define S3C64XX_SPI_PACKET_CNT_EN (1<<16) ++#define S3C64XX_SPI_PACKET_CNT_MASK GENMASK(15, 0) + + #define S3C64XX_SPI_PND_TX_UNDERRUN_CLR (1<<4) + #define S3C64XX_SPI_PND_TX_OVERRUN_CLR (1<<3) +@@ -711,6 +712,13 @@ static int s3c64xx_spi_prepare_message(struct spi_master *master, + return 0; + } + ++static size_t s3c64xx_spi_max_transfer_size(struct spi_device *spi) ++{ ++ struct spi_controller *ctlr = spi->controller; ++ ++ return ctlr->can_dma ? S3C64XX_SPI_PACKET_CNT_MASK : SIZE_MAX; ++} ++ + static int s3c64xx_spi_transfer_one(struct spi_master *master, + struct spi_device *spi, + struct spi_transfer *xfer) +@@ -1152,6 +1160,7 @@ static int s3c64xx_spi_probe(struct platform_device *pdev) + master->unprepare_transfer_hardware = s3c64xx_spi_unprepare_transfer; + master->prepare_message = s3c64xx_spi_prepare_message; + master->transfer_one = s3c64xx_spi_transfer_one; ++ master->max_transfer_size = s3c64xx_spi_max_transfer_size; + master->num_chipselect = sci->num_cs; + master->use_gpio_descriptors = true; + master->dma_alignment = 8; +-- +2.35.1 + diff --git a/queue-6.0/spmi-pmic-arb-correct-duplicate-apid-to-ppid-mapping.patch b/queue-6.0/spmi-pmic-arb-correct-duplicate-apid-to-ppid-mapping.patch new file mode 100644 index 00000000000..310929bf6bf --- /dev/null +++ b/queue-6.0/spmi-pmic-arb-correct-duplicate-apid-to-ppid-mapping.patch @@ -0,0 +1,65 @@ +From e1bbad80860dcffa56423bd9fafb55d31adf6381 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 17:50:16 -0700 +Subject: spmi: pmic-arb: correct duplicate APID to PPID mapping logic + +From: David Collins + +[ Upstream commit 1f1693118c2476cb1666ad357edcf3cf48bf9b16 ] + +Correct the way that duplicate PPID mappings are handled for PMIC +arbiter v5. The final APID mapped to a given PPID should be the +one which has write owner = APPS EE, if it exists, or if not +that, then the first APID mapped to the PPID, if it exists. + +Fixes: 40f318f0ed67 ("spmi: pmic-arb: add support for HW version 5") +Signed-off-by: David Collins +Signed-off-by: Fenglin Wu +Link: https://lore.kernel.org/r/1655004286-11493-7-git-send-email-quic_fenglinw@quicinc.com +Signed-off-by: Stephen Boyd +Link: https://lore.kernel.org/r/20220930005019.2663064-8-sboyd@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/spmi/spmi-pmic-arb.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/spmi/spmi-pmic-arb.c b/drivers/spmi/spmi-pmic-arb.c +index 2113be40b5a9..58f580e7aacc 100644 +--- a/drivers/spmi/spmi-pmic-arb.c ++++ b/drivers/spmi/spmi-pmic-arb.c +@@ -992,7 +992,8 @@ static int pmic_arb_read_apid_map_v5(struct spmi_pmic_arb *pmic_arb) + * version 5, there is more than one APID mapped to each PPID. + * The owner field for each of these mappings specifies the EE which is + * allowed to write to the APID. The owner of the last (highest) APID +- * for a given PPID will receive interrupts from the PPID. ++ * which has the IRQ owner bit set for a given PPID will receive ++ * interrupts from the PPID. + */ + for (i = 0; ; i++, apidd++) { + offset = pmic_arb->ver_ops->apid_map_offset(i); +@@ -1015,16 +1016,16 @@ static int pmic_arb_read_apid_map_v5(struct spmi_pmic_arb *pmic_arb) + apid = pmic_arb->ppid_to_apid[ppid] & ~PMIC_ARB_APID_VALID; + prev_apidd = &pmic_arb->apid_data[apid]; + +- if (valid && is_irq_ee && +- prev_apidd->write_ee == pmic_arb->ee) { ++ if (!valid || apidd->write_ee == pmic_arb->ee) { ++ /* First PPID mapping or one for this EE */ ++ pmic_arb->ppid_to_apid[ppid] = i | PMIC_ARB_APID_VALID; ++ } else if (valid && is_irq_ee && ++ prev_apidd->write_ee == pmic_arb->ee) { + /* + * Duplicate PPID mapping after the one for this EE; + * override the irq owner + */ + prev_apidd->irq_ee = apidd->irq_ee; +- } else if (!valid || is_irq_ee) { +- /* First PPID mapping or duplicate for another EE */ +- pmic_arb->ppid_to_apid[ppid] = i | PMIC_ARB_APID_VALID; + } + + apidd->ppid = ppid; +-- +2.35.1 + diff --git a/queue-6.0/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch b/queue-6.0/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch new file mode 100644 index 00000000000..0aafff515d4 --- /dev/null +++ b/queue-6.0/staging-rtl8723bs-fix-a-potential-memory-leak-in-rtw.patch @@ -0,0 +1,79 @@ +From bca877a24d78c72ef0431de3443a3cad87858df6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 19:27:21 +0800 +Subject: staging: rtl8723bs: fix a potential memory leak in + rtw_init_cmd_priv() + +From: Xiaoke Wang + +[ Upstream commit 708056fba733a73d926772ea4ce9a42d240345da ] + +In rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated +in failure, then `pcmdpriv->cmd_allocated_buf` will be not properly +released. Besides, considering there are only two error paths and the +first one can directly return, so we do not need implicitly jump to the +`exit` tag to execute the error handler. + +So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error +path to release the resource and simplified the return logic of +rtw_init_cmd_priv(). As there is no proper device to test with, no runtime +testing was performed. + +Signed-off-by: Xiaoke Wang +Link: https://lore.kernel.org/r/tencent_2B7931B79BA38E22205C5A09EFDF11E48805@qq.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8723bs/core/rtw_cmd.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/drivers/staging/rtl8723bs/core/rtw_cmd.c b/drivers/staging/rtl8723bs/core/rtw_cmd.c +index b4170f64d118..03c2c66dbf66 100644 +--- a/drivers/staging/rtl8723bs/core/rtw_cmd.c ++++ b/drivers/staging/rtl8723bs/core/rtw_cmd.c +@@ -161,8 +161,6 @@ static struct cmd_hdl wlancmds[] = { + + int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv) + { +- int res = 0; +- + init_completion(&pcmdpriv->cmd_queue_comp); + init_completion(&pcmdpriv->terminate_cmdthread_comp); + +@@ -175,18 +173,16 @@ int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv) + + pcmdpriv->cmd_allocated_buf = rtw_zmalloc(MAX_CMDSZ + CMDBUFF_ALIGN_SZ); + +- if (!pcmdpriv->cmd_allocated_buf) { +- res = -ENOMEM; +- goto exit; +- } ++ if (!pcmdpriv->cmd_allocated_buf) ++ return -ENOMEM; + + pcmdpriv->cmd_buf = pcmdpriv->cmd_allocated_buf + CMDBUFF_ALIGN_SZ - ((SIZE_PTR)(pcmdpriv->cmd_allocated_buf) & (CMDBUFF_ALIGN_SZ-1)); + + pcmdpriv->rsp_allocated_buf = rtw_zmalloc(MAX_RSPSZ + 4); + + if (!pcmdpriv->rsp_allocated_buf) { +- res = -ENOMEM; +- goto exit; ++ kfree(pcmdpriv->cmd_allocated_buf); ++ return -ENOMEM; + } + + pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf + 4 - ((SIZE_PTR)(pcmdpriv->rsp_allocated_buf) & 3); +@@ -196,8 +192,8 @@ int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv) + pcmdpriv->rsp_cnt = 0; + + mutex_init(&pcmdpriv->sctx_mutex); +-exit: +- return res; ++ ++ return 0; + } + + static void c2h_wk_callback(struct work_struct *work); +-- +2.35.1 + diff --git a/queue-6.0/staging-rtl8723bs-fix-potential-memory-leak-in-rtw_i.patch b/queue-6.0/staging-rtl8723bs-fix-potential-memory-leak-in-rtw_i.patch new file mode 100644 index 00000000000..dee9fe7ce01 --- /dev/null +++ b/queue-6.0/staging-rtl8723bs-fix-potential-memory-leak-in-rtw_i.patch @@ -0,0 +1,128 @@ +From 37f8f9c1f47be33ced5919367a8a0873104af028 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 18:39:35 +0800 +Subject: staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw() + +From: Xiaoke Wang + +[ Upstream commit 5a5aa9cce621e2c0e25a1e5d72d6be1749167cc0 ] + +In rtw_init_drv_sw(), there are various init functions are called to +populate the padapter structure and some checks for their return value. +However, except for the first one error path, the other five error paths +do not properly release the previous allocated resources, which leads to +various memory leaks. + +This patch fixes them and keeps the success and error separate. +Note that these changes keep the form of `rtw_init_drv_sw()` in +"drivers/staging/r8188eu/os_dep/os_intfs.c". As there is no proper device +to test with, no runtime testing was performed. + +Signed-off-by: Xiaoke Wang +Link: https://lore.kernel.org/r/tencent_C3B899D2FC3F1BC827F3552E0B0734056006@qq.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8723bs/os_dep/os_intfs.c | 60 +++++++++++---------- + 1 file changed, 31 insertions(+), 29 deletions(-) + +diff --git a/drivers/staging/rtl8723bs/os_dep/os_intfs.c b/drivers/staging/rtl8723bs/os_dep/os_intfs.c +index 380d8c9e1239..68bba3c0e757 100644 +--- a/drivers/staging/rtl8723bs/os_dep/os_intfs.c ++++ b/drivers/staging/rtl8723bs/os_dep/os_intfs.c +@@ -664,51 +664,36 @@ void rtw_reset_drv_sw(struct adapter *padapter) + + u8 rtw_init_drv_sw(struct adapter *padapter) + { +- u8 ret8 = _SUCCESS; +- + rtw_init_default_value(padapter); + + rtw_init_hal_com_default_value(padapter); + +- if (rtw_init_cmd_priv(&padapter->cmdpriv)) { +- ret8 = _FAIL; +- goto exit; +- } ++ if (rtw_init_cmd_priv(&padapter->cmdpriv)) ++ return _FAIL; + + padapter->cmdpriv.padapter = padapter; + +- if (rtw_init_evt_priv(&padapter->evtpriv)) { +- ret8 = _FAIL; +- goto exit; +- } ++ if (rtw_init_evt_priv(&padapter->evtpriv)) ++ goto free_cmd_priv; + +- +- if (rtw_init_mlme_priv(padapter) == _FAIL) { +- ret8 = _FAIL; +- goto exit; +- } ++ if (rtw_init_mlme_priv(padapter) == _FAIL) ++ goto free_evt_priv; + + init_mlme_ext_priv(padapter); + +- if (_rtw_init_xmit_priv(&padapter->xmitpriv, padapter) == _FAIL) { +- ret8 = _FAIL; +- goto exit; +- } ++ if (_rtw_init_xmit_priv(&padapter->xmitpriv, padapter) == _FAIL) ++ goto free_mlme_ext; + +- if (_rtw_init_recv_priv(&padapter->recvpriv, padapter) == _FAIL) { +- ret8 = _FAIL; +- goto exit; +- } ++ if (_rtw_init_recv_priv(&padapter->recvpriv, padapter) == _FAIL) ++ goto free_xmit_priv; + /* add for CONFIG_IEEE80211W, none 11w also can use */ + spin_lock_init(&padapter->security_key_mutex); + + /* We don't need to memset padapter->XXX to zero, because adapter is allocated by vzalloc(). */ + /* memset((unsigned char *)&padapter->securitypriv, 0, sizeof (struct security_priv)); */ + +- if (_rtw_init_sta_priv(&padapter->stapriv) == _FAIL) { +- ret8 = _FAIL; +- goto exit; +- } ++ if (_rtw_init_sta_priv(&padapter->stapriv) == _FAIL) ++ goto free_recv_priv; + + padapter->stapriv.padapter = padapter; + padapter->setband = GHZ24_50; +@@ -719,9 +704,26 @@ u8 rtw_init_drv_sw(struct adapter *padapter) + + rtw_hal_dm_init(padapter); + +-exit: ++ return _SUCCESS; ++ ++free_recv_priv: ++ _rtw_free_recv_priv(&padapter->recvpriv); ++ ++free_xmit_priv: ++ _rtw_free_xmit_priv(&padapter->xmitpriv); ++ ++free_mlme_ext: ++ free_mlme_ext_priv(&padapter->mlmeextpriv); + +- return ret8; ++ rtw_free_mlme_priv(&padapter->mlmepriv); ++ ++free_evt_priv: ++ rtw_free_evt_priv(&padapter->evtpriv); ++ ++free_cmd_priv: ++ rtw_free_cmd_priv(&padapter->cmdpriv); ++ ++ return _FAIL; + } + + void rtw_cancel_all_timer(struct adapter *padapter) +-- +2.35.1 + diff --git a/queue-6.0/staging-vt6655-fix-potential-memory-leak.patch b/queue-6.0/staging-vt6655-fix-potential-memory-leak.patch new file mode 100644 index 00000000000..a1db2d099e3 --- /dev/null +++ b/queue-6.0/staging-vt6655-fix-potential-memory-leak.patch @@ -0,0 +1,42 @@ +From c8487920a6c54e9b05c223e704a5febdea1b9e0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Sep 2022 16:13:39 +0200 +Subject: staging: vt6655: fix potential memory leak + +From: Nam Cao + +[ Upstream commit c8ff91535880d41b49699b3829fb6151942de29e ] + +In function device_init_td0_ring, memory is allocated for member +td_info of priv->apTD0Rings[i], with i increasing from 0. In case of +allocation failure, the memory is freed in reversed order, with i +decreasing to 0. However, the case i=0 is left out and thus memory is +leaked. + +Modify the memory freeing loop to include the case i=0. + +Tested-by: Philipp Hortmann +Signed-off-by: Nam Cao +Link: https://lore.kernel.org/r/20220909141338.19343-1-namcaov@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/vt6655/device_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c +index d76f65756db8..ec7c991e745b 100644 +--- a/drivers/staging/vt6655/device_main.c ++++ b/drivers/staging/vt6655/device_main.c +@@ -694,7 +694,7 @@ static int device_init_td0_ring(struct vnt_private *priv) + return 0; + + err_free_desc: +- while (--i) { ++ while (i--) { + desc = &priv->apTD0Rings[i]; + kfree(desc->td_info); + } +-- +2.35.1 + diff --git a/queue-6.0/staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch b/queue-6.0/staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch new file mode 100644 index 00000000000..60da2678912 --- /dev/null +++ b/queue-6.0/staging-vt6655-fix-some-erroneous-memory-clean-up-lo.patch @@ -0,0 +1,68 @@ +From 4c0af0c9600806b596fb5a2212ace4f3b0c551d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 19:04:31 +0200 +Subject: staging: vt6655: fix some erroneous memory clean-up loops + +From: Nam Cao + +[ Upstream commit 2a2db520e3ca5aafba7c211abfd397666c9b5f9d ] + +In some initialization functions of this driver, memory is allocated with +'i' acting as an index variable and increasing from 0. The commit in +"Fixes" introduces some clean-up codes in case of allocation failure, +which free memory in reverse order with 'i' decreasing to 0. However, +there are some problems: + - The case i=0 is left out. Thus memory is leaked. + - In case memory allocation fails right from the start, the memory + freeing loops will start with i=-1 and invalid memory locations will + be accessed. + +One of these loops has been fixed in commit c8ff91535880 ("staging: +vt6655: fix potential memory leak"). Fix the remaining erroneous loops. + +Link: https://lore.kernel.org/linux-staging/Yx9H1zSpxmNqx6Xc@kadam/ +Fixes: 5341ee0adb17 ("staging: vt6655: check for memory allocation failures") +Reported-by: Dan Carpenter +Tested-by: Philipp Hortmann +Signed-off-by: Nam Cao +Link: https://lore.kernel.org/r/20220912170429.29852-1-namcaov@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/vt6655/device_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c +index bab08a40fe66..d76f65756db8 100644 +--- a/drivers/staging/vt6655/device_main.c ++++ b/drivers/staging/vt6655/device_main.c +@@ -583,7 +583,7 @@ static int device_init_rd0_ring(struct vnt_private *priv) + kfree(desc->rd_info); + + err_free_desc: +- while (--i) { ++ while (i--) { + desc = &priv->aRD0Ring[i]; + device_free_rx_buf(priv, desc); + kfree(desc->rd_info); +@@ -629,7 +629,7 @@ static int device_init_rd1_ring(struct vnt_private *priv) + kfree(desc->rd_info); + + err_free_desc: +- while (--i) { ++ while (i--) { + desc = &priv->aRD1Ring[i]; + device_free_rx_buf(priv, desc); + kfree(desc->rd_info); +@@ -734,7 +734,7 @@ static int device_init_td1_ring(struct vnt_private *priv) + return 0; + + err_free_desc: +- while (--i) { ++ while (i--) { + desc = &priv->apTD1Rings[i]; + kfree(desc->td_info); + } +-- +2.35.1 + diff --git a/queue-6.0/sunrpc-fix-svcxdr_init_decode-s-end-of-buffer-calcul.patch b/queue-6.0/sunrpc-fix-svcxdr_init_decode-s-end-of-buffer-calcul.patch new file mode 100644 index 00000000000..14d230f2ed9 --- /dev/null +++ b/queue-6.0/sunrpc-fix-svcxdr_init_decode-s-end-of-buffer-calcul.patch @@ -0,0 +1,71 @@ +From f5388e33056c69ca851e75de0784d75bdbae9423 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 15:09:53 -0400 +Subject: SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation + +From: Chuck Lever + +[ Upstream commit 90bfc37b5ab91c1a6165e3e5cfc49bf04571b762 ] + +Ensure that stream-based argument decoding can't go past the actual +end of the receive buffer. xdr_init_decode's calculation of the +value of xdr->end over-estimates the end of the buffer because the +Linux kernel RPC server code does not remove the size of the RPC +header from rqstp->rq_arg before calling the upper layer's +dispatcher. + +The server-side still uses the svc_getnl() macros to decode the +RPC call header. These macros reduce the length of the head iov +but do not update the total length of the message in the buffer +(buf->len). + +A proper fix for this would be to replace the use of svc_getnl() and +friends in the RPC header decoder, but that would be a large and +invasive change that would be difficult to backport. + +Fixes: 5191955d6fc6 ("SUNRPC: Prepare for xdr_stream-style decoding on the server-side") +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/svc.h | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h +index daecb009c05b..5a830b66f059 100644 +--- a/include/linux/sunrpc/svc.h ++++ b/include/linux/sunrpc/svc.h +@@ -544,16 +544,27 @@ static inline void svc_reserve_auth(struct svc_rqst *rqstp, int space) + } + + /** +- * svcxdr_init_decode - Prepare an xdr_stream for svc Call decoding ++ * svcxdr_init_decode - Prepare an xdr_stream for Call decoding + * @rqstp: controlling server RPC transaction context + * ++ * This function currently assumes the RPC header in rq_arg has ++ * already been decoded. Upon return, xdr->p points to the ++ * location of the upper layer header. + */ + static inline void svcxdr_init_decode(struct svc_rqst *rqstp) + { + struct xdr_stream *xdr = &rqstp->rq_arg_stream; +- struct kvec *argv = rqstp->rq_arg.head; ++ struct xdr_buf *buf = &rqstp->rq_arg; ++ struct kvec *argv = buf->head; + +- xdr_init_decode(xdr, &rqstp->rq_arg, argv->iov_base, NULL); ++ /* ++ * svc_getnl() and friends do not keep the xdr_buf's ::len ++ * field up to date. Refresh that field before initializing ++ * the argument decoding stream. ++ */ ++ buf->len = buf->head->iov_len + buf->page_len + buf->tail->iov_len; ++ ++ xdr_init_decode(xdr, buf, argv->iov_base, NULL); + xdr_set_scratch_page(xdr, rqstp->rq_scratch_page); + } + +-- +2.35.1 + diff --git a/queue-6.0/sunrpc-fix-svcxdr_init_encode-s-buflen-calculation.patch b/queue-6.0/sunrpc-fix-svcxdr_init_encode-s-buflen-calculation.patch new file mode 100644 index 00000000000..efd9ea2852e --- /dev/null +++ b/queue-6.0/sunrpc-fix-svcxdr_init_encode-s-buflen-calculation.patch @@ -0,0 +1,42 @@ +From 1e3d4348aa0aedec145e2595135248563eee484f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 15:09:59 -0400 +Subject: SUNRPC: Fix svcxdr_init_encode's buflen calculation + +From: Chuck Lever + +[ Upstream commit 1242a87da0d8cd2a428e96ca68e7ea899b0f4624 ] + +Commit 2825a7f90753 ("nfsd4: allow encoding across page boundaries") +added an explicit computation of the remaining length in the rq_res +XDR buffer. + +The computation appears to suffer from an "off-by-one" bug. Because +buflen is too large by one page, XDR encoding can run off the end of +the send buffer by eventually trying to use the struct page address +in rq_page_end, which always contains NULL. + +Fixes: bddfdbcddbe2 ("NFSD: Extract the svcxdr_init_encode() helper") +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + include/linux/sunrpc/svc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h +index 5a830b66f059..0ca8a8ffb47e 100644 +--- a/include/linux/sunrpc/svc.h ++++ b/include/linux/sunrpc/svc.h +@@ -587,7 +587,7 @@ static inline void svcxdr_init_encode(struct svc_rqst *rqstp) + xdr->end = resv->iov_base + PAGE_SIZE - rqstp->rq_auth_slack; + buf->len = resv->iov_len; + xdr->page_ptr = buf->pages - 1; +- buf->buflen = PAGE_SIZE * (1 + rqstp->rq_page_end - buf->pages); ++ buf->buflen = PAGE_SIZE * (rqstp->rq_page_end - buf->pages); + buf->buflen -= rqstp->rq_auth_slack; + xdr->rqst = NULL; + } +-- +2.35.1 + diff --git a/queue-6.0/tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch b/queue-6.0/tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch new file mode 100644 index 00000000000..bba4a274c43 --- /dev/null +++ b/queue-6.0/tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch @@ -0,0 +1,72 @@ +From 55d43b1ef1b92ffb59958359dd2fc03252cc62dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 21:15:28 +0000 +Subject: tcp: annotate data-race around tcp_md5sig_pool_populated + +From: Eric Dumazet + +[ Upstream commit aacd467c0a576e5e44d2de4205855dc0fe43f6fb ] + +tcp_md5sig_pool_populated can be read while another thread +changes its value. + +The race has no consequence because allocations +are protected with tcp_md5sig_mutex. + +This patch adds READ_ONCE() and WRITE_ONCE() to document +the race and silence KCSAN. + +Reported-by: Abhishek Shah +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 997a80ce1e13..5f1d84d901c7 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -4444,12 +4444,16 @@ static void __tcp_alloc_md5sig_pool(void) + * to memory. See smp_rmb() in tcp_get_md5sig_pool() + */ + smp_wmb(); +- tcp_md5sig_pool_populated = true; ++ /* Paired with READ_ONCE() from tcp_alloc_md5sig_pool() ++ * and tcp_get_md5sig_pool(). ++ */ ++ WRITE_ONCE(tcp_md5sig_pool_populated, true); + } + + bool tcp_alloc_md5sig_pool(void) + { +- if (unlikely(!tcp_md5sig_pool_populated)) { ++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */ ++ if (unlikely(!READ_ONCE(tcp_md5sig_pool_populated))) { + mutex_lock(&tcp_md5sig_mutex); + + if (!tcp_md5sig_pool_populated) { +@@ -4460,7 +4464,8 @@ bool tcp_alloc_md5sig_pool(void) + + mutex_unlock(&tcp_md5sig_mutex); + } +- return tcp_md5sig_pool_populated; ++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */ ++ return READ_ONCE(tcp_md5sig_pool_populated); + } + EXPORT_SYMBOL(tcp_alloc_md5sig_pool); + +@@ -4476,7 +4481,8 @@ struct tcp_md5sig_pool *tcp_get_md5sig_pool(void) + { + local_bh_disable(); + +- if (tcp_md5sig_pool_populated) { ++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */ ++ if (READ_ONCE(tcp_md5sig_pool_populated)) { + /* coupled with smp_wmb() in __tcp_alloc_md5sig_pool() */ + smp_rmb(); + return this_cpu_ptr(&tcp_md5sig_pool); +-- +2.35.1 + diff --git a/queue-6.0/tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch b/queue-6.0/tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch new file mode 100644 index 00000000000..28b03483bcc --- /dev/null +++ b/queue-6.0/tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch @@ -0,0 +1,150 @@ +From 2f8affa4c0e724f0c05c3e212f4a0d2033428c33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 16:03:31 -0400 +Subject: tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited + +From: Neal Cardwell + +[ Upstream commit f4ce91ce12a7c6ead19b128ffa8cff6e3ded2a14 ] + +This commit fixes a bug in the tracking of max_packets_out and +is_cwnd_limited. This bug can cause the connection to fail to remember +that is_cwnd_limited is true, causing the connection to fail to grow +cwnd when it should, causing throughput to be lower than it should be. + +The following event sequence is an example that triggers the bug: + + (a) The connection is cwnd_limited, but packets_out is not at its + peak due to TSO deferral deciding not to send another skb yet. + In such cases the connection can advance max_packets_seq and set + tp->is_cwnd_limited to true and max_packets_out to a small + number. + +(b) Then later in the round trip the connection is pacing-limited (not + cwnd-limited), and packets_out is larger. In such cases the + connection would raise max_packets_out to a bigger number but + (unexpectedly) flip tp->is_cwnd_limited from true to false. + +This commit fixes that bug. + +One straightforward fix would be to separately track (a) the next +window after max_packets_out reaches a maximum, and (b) the next +window after tp->is_cwnd_limited is set to true. But this would +require consuming an extra u32 sequence number. + +Instead, to save space we track only the most important +information. Specifically, we track the strongest available signal of +the degree to which the cwnd is fully utilized: + +(1) If the connection is cwnd-limited then we remember that fact for +the current window. + +(2) If the connection not cwnd-limited then we track the maximum +number of outstanding packets in the current window. + +In particular, note that the new logic cannot trigger the buggy +(a)/(b) sequence above because with the new logic a condition where +tp->packets_out > tp->max_packets_out can only trigger an update of +tp->is_cwnd_limited if tp->is_cwnd_limited is false. + +This first showed up in a testing of a BBRv2 dev branch, but this +buggy behavior highlighted a general issue with the +tcp_cwnd_validate() logic that can cause cwnd to fail to increase at +the proper rate for any TCP congestion control, including Reno or +CUBIC. + +Fixes: ca8a22634381 ("tcp: make cwnd-limited checks measurement-based, and gentler") +Signed-off-by: Neal Cardwell +Signed-off-by: Kevin(Yudong) Yang +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/tcp.h | 2 +- + include/net/tcp.h | 5 ++++- + net/ipv4/tcp.c | 2 ++ + net/ipv4/tcp_output.c | 19 ++++++++++++------- + 4 files changed, 19 insertions(+), 9 deletions(-) + +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index a9fbe22732c3..4791fd801945 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -295,7 +295,7 @@ struct tcp_sock { + u32 packets_out; /* Packets which are "in flight" */ + u32 retrans_out; /* Retransmitted packets out */ + u32 max_packets_out; /* max packets_out in last window */ +- u32 max_packets_seq; /* right edge of max_packets_out flight */ ++ u32 cwnd_usage_seq; /* right edge of cwnd usage tracking flight */ + + u16 urg_data; /* Saved octet of OOB data and control flags */ + u8 ecn_flags; /* ECN status bits. */ +diff --git a/include/net/tcp.h b/include/net/tcp.h +index d10962b9f0d0..95c1d51393ac 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1295,11 +1295,14 @@ static inline bool tcp_is_cwnd_limited(const struct sock *sk) + { + const struct tcp_sock *tp = tcp_sk(sk); + ++ if (tp->is_cwnd_limited) ++ return true; ++ + /* If in slow start, ensure cwnd grows to twice what was ACKed. */ + if (tcp_in_slow_start(tp)) + return tcp_snd_cwnd(tp) < 2 * tp->max_packets_out; + +- return tp->is_cwnd_limited; ++ return false; + } + + /* BBR congestion control needs pacing. +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index e373dde1f46f..997a80ce1e13 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -3137,6 +3137,8 @@ int tcp_disconnect(struct sock *sk, int flags) + tp->snd_ssthresh = TCP_INFINITE_SSTHRESH; + tcp_snd_cwnd_set(tp, TCP_INIT_CWND); + tp->snd_cwnd_cnt = 0; ++ tp->is_cwnd_limited = 0; ++ tp->max_packets_out = 0; + tp->window_clamp = 0; + tp->delivered = 0; + tp->delivered_ce = 0; +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 290019de766d..c69f4d966024 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1875,15 +1875,20 @@ static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited) + const struct tcp_congestion_ops *ca_ops = inet_csk(sk)->icsk_ca_ops; + struct tcp_sock *tp = tcp_sk(sk); + +- /* Track the maximum number of outstanding packets in each +- * window, and remember whether we were cwnd-limited then. ++ /* Track the strongest available signal of the degree to which the cwnd ++ * is fully utilized. If cwnd-limited then remember that fact for the ++ * current window. If not cwnd-limited then track the maximum number of ++ * outstanding packets in the current window. (If cwnd-limited then we ++ * chose to not update tp->max_packets_out to avoid an extra else ++ * clause with no functional impact.) + */ +- if (!before(tp->snd_una, tp->max_packets_seq) || +- tp->packets_out > tp->max_packets_out || +- is_cwnd_limited) { +- tp->max_packets_out = tp->packets_out; +- tp->max_packets_seq = tp->snd_nxt; ++ if (!before(tp->snd_una, tp->cwnd_usage_seq) || ++ is_cwnd_limited || ++ (!tp->is_cwnd_limited && ++ tp->packets_out > tp->max_packets_out)) { + tp->is_cwnd_limited = is_cwnd_limited; ++ tp->max_packets_out = tp->packets_out; ++ tp->cwnd_usage_seq = tp->snd_nxt; + } + + if (tcp_is_cwnd_limited(sk)) { +-- +2.35.1 + diff --git a/queue-6.0/thermal-cpufreq_cooling-check-the-policy-first-in-cp.patch b/queue-6.0/thermal-cpufreq_cooling-check-the-policy-first-in-cp.patch new file mode 100644 index 00000000000..f354c205b18 --- /dev/null +++ b/queue-6.0/thermal-cpufreq_cooling-check-the-policy-first-in-cp.patch @@ -0,0 +1,52 @@ +From 2c543193aa13a5248682cc02278e9fbb51dee66a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 19:40:17 +0800 +Subject: thermal: cpufreq_cooling: Check the policy first in + cpufreq_cooling_register() + +From: Xuewen Yan + +[ Upstream commit cff895277c8558221ba180aefe26799dcb4eec86 ] + +Since the policy needs to be accessed first when obtaining cpu devices, +first check whether the policy is legal before this. + +Fixes: 5130802ddbb1 ("thermal: cpu_cooling: Switch to QoS requests for freq limits") +Signed-off-by: Xuewen Yan +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/cpufreq_cooling.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/thermal/cpufreq_cooling.c b/drivers/thermal/cpufreq_cooling.c +index b76293cc989c..7838b6e2dba5 100644 +--- a/drivers/thermal/cpufreq_cooling.c ++++ b/drivers/thermal/cpufreq_cooling.c +@@ -501,17 +501,17 @@ __cpufreq_cooling_register(struct device_node *np, + struct thermal_cooling_device_ops *cooling_ops; + char *name; + ++ if (IS_ERR_OR_NULL(policy)) { ++ pr_err("%s: cpufreq policy isn't valid: %p\n", __func__, policy); ++ return ERR_PTR(-EINVAL); ++ } ++ + dev = get_cpu_device(policy->cpu); + if (unlikely(!dev)) { + pr_warn("No cpu device for cpu %d\n", policy->cpu); + return ERR_PTR(-ENODEV); + } + +- if (IS_ERR_OR_NULL(policy)) { +- pr_err("%s: cpufreq policy isn't valid: %p\n", __func__, policy); +- return ERR_PTR(-EINVAL); +- } +- + i = cpufreq_table_count_valid_entries(policy); + if (!i) { + pr_debug("%s: CPUFreq table not found or has no valid entries\n", +-- +2.35.1 + diff --git a/queue-6.0/thermal-drivers-qcom-tsens-v0_1-fix-msm8939-fourth-s.patch b/queue-6.0/thermal-drivers-qcom-tsens-v0_1-fix-msm8939-fourth-s.patch new file mode 100644 index 00000000000..27f22f0db35 --- /dev/null +++ b/queue-6.0/thermal-drivers-qcom-tsens-v0_1-fix-msm8939-fourth-s.patch @@ -0,0 +1,44 @@ +From c8b73cbae1a06ac74603c19e69269b40607deec2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Aug 2022 12:50:14 +0200 +Subject: thermal/drivers/qcom/tsens-v0_1: Fix MSM8939 fourth sensor hw_id + +From: Vincent Knecht + +[ Upstream commit b0c883e900702f408d62cf92b0ef01303ed69be9 ] + +Reading temperature from this sensor fails with 'Invalid argument'. + +Looking at old vendor dts [1], its hw_id should be 3 instead of 4. +Change this hw_id accordingly. + +[1] https://github.com/msm8916-mainline/android_kernel_qcom_msm8916/blob/master/arch/arm/boot/dts/qcom/msm8939-common.dtsi#L511 + +Fixes: 332bc8ebab2c ("thermal: qcom: tsens-v0_1: Add support for MSM8939") +Signed-off-by: Vincent Knecht +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Bjorn Andersson +Reviewed-by: Bryan O'Donoghue +Link: https://lore.kernel.org/r/20220811105014.7194-1-vincent.knecht@mailoo.org +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/thermal/qcom/tsens-v0_1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/qcom/tsens-v0_1.c b/drivers/thermal/qcom/tsens-v0_1.c +index f136cb350238..327f37202c69 100644 +--- a/drivers/thermal/qcom/tsens-v0_1.c ++++ b/drivers/thermal/qcom/tsens-v0_1.c +@@ -604,7 +604,7 @@ static const struct tsens_ops ops_8939 = { + struct tsens_plat_data data_8939 = { + .num_sensors = 10, + .ops = &ops_8939, +- .hw_ids = (unsigned int []){ 0, 1, 2, 4, 5, 6, 7, 8, 9, 10 }, ++ .hw_ids = (unsigned int []){ 0, 1, 2, 3, 5, 6, 7, 8, 9, 10 }, + + .feat = &tsens_v0_1_feat, + .fields = tsens_v0_1_regfields, +-- +2.35.1 + diff --git a/queue-6.0/thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch b/queue-6.0/thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch new file mode 100644 index 00000000000..18e18500967 --- /dev/null +++ b/queue-6.0/thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch @@ -0,0 +1,61 @@ +From 6a426b935640cefbc23dd425023ff1832cfc6c77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 04:06:57 -0700 +Subject: thermal: intel_powerclamp: Use get_cpu() instead of + smp_processor_id() to avoid crash + +From: Srinivas Pandruvada + +[ Upstream commit 68b99e94a4a2db6ba9b31fe0485e057b9354a640 ] + +When CPU 0 is offline and intel_powerclamp is used to inject +idle, it generates kernel BUG: + +BUG: using smp_processor_id() in preemptible [00000000] code: bash/15687 +caller is debug_smp_processor_id+0x17/0x20 +CPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57 +Call Trace: + +dump_stack_lvl+0x49/0x63 +dump_stack+0x10/0x16 +check_preemption_disabled+0xdd/0xe0 +debug_smp_processor_id+0x17/0x20 +powerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp] +... +... + +Here CPU 0 is the control CPU by default and changed to the current CPU, +if CPU 0 offlined. This check has to be performed under cpus_read_lock(), +hence the above warning. + +Use get_cpu() instead of smp_processor_id() to avoid this BUG. + +Suggested-by: Chen Yu +Signed-off-by: Srinivas Pandruvada +[ rjw: Subject edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/intel/intel_powerclamp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/thermal/intel/intel_powerclamp.c b/drivers/thermal/intel/intel_powerclamp.c +index c841ab37e7c6..46cd799af148 100644 +--- a/drivers/thermal/intel/intel_powerclamp.c ++++ b/drivers/thermal/intel/intel_powerclamp.c +@@ -532,8 +532,10 @@ static int start_power_clamp(void) + + /* prefer BSP */ + control_cpu = 0; +- if (!cpu_online(control_cpu)) +- control_cpu = smp_processor_id(); ++ if (!cpu_online(control_cpu)) { ++ control_cpu = get_cpu(); ++ put_cpu(); ++ } + + clamping = true; + schedule_delayed_work(&poll_pkg_cstate_work, 0); +-- +2.35.1 + diff --git a/queue-6.0/thunderbolt-add-back-intel-falcon-ridge-end-to-end-f.patch b/queue-6.0/thunderbolt-add-back-intel-falcon-ridge-end-to-end-f.patch new file mode 100644 index 00000000000..5edda13f887 --- /dev/null +++ b/queue-6.0/thunderbolt-add-back-intel-falcon-ridge-end-to-end-f.patch @@ -0,0 +1,129 @@ +From 10bea513b4e205a07b4e5abf919e086269722fef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 18:32:48 +0300 +Subject: thunderbolt: Add back Intel Falcon Ridge end-to-end flow control + workaround + +From: Mika Westerberg + +[ Upstream commit 54669e2f17cb5a4c41ade89427f074dc22cecb17 ] + +As we are now enabling full end-to-end flow control to the Thunderbolt +networking driver, in order for it to work properly on second generation +Thunderbolt hardware (Falcon Ridge), we need to add back the workaround +that was removed with commit 53f13319d131 ("thunderbolt: Get rid of E2E +workaround"). However, this time we only apply it for Falcon Ridge +controllers as a form of an additional quirk. For non-Falcon Ridge this +does nothing. + +While there fix a typo 'reqister' -> 'register' in the comment. + +Signed-off-by: Mika Westerberg +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/thunderbolt/nhi.c | 49 +++++++++++++++++++++++++++++++++------ + 1 file changed, 42 insertions(+), 7 deletions(-) + +diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c +index cb8c9c4ae93a..b5cd9673e15d 100644 +--- a/drivers/thunderbolt/nhi.c ++++ b/drivers/thunderbolt/nhi.c +@@ -28,7 +28,11 @@ + #define RING_TYPE(ring) ((ring)->is_tx ? "TX ring" : "RX ring") + + #define RING_FIRST_USABLE_HOPID 1 +- ++/* ++ * Used with QUIRK_E2E to specify an unused HopID the Rx credits are ++ * transferred. ++ */ ++#define RING_E2E_RESERVED_HOPID RING_FIRST_USABLE_HOPID + /* + * Minimal number of vectors when we use MSI-X. Two for control channel + * Rx/Tx and the rest four are for cross domain DMA paths. +@@ -38,7 +42,9 @@ + + #define NHI_MAILBOX_TIMEOUT 500 /* ms */ + ++/* Host interface quirks */ + #define QUIRK_AUTO_CLEAR_INT BIT(0) ++#define QUIRK_E2E BIT(1) + + static int ring_interrupt_index(struct tb_ring *ring) + { +@@ -458,8 +464,18 @@ static void ring_release_msix(struct tb_ring *ring) + + static int nhi_alloc_hop(struct tb_nhi *nhi, struct tb_ring *ring) + { ++ unsigned int start_hop = RING_FIRST_USABLE_HOPID; + int ret = 0; + ++ if (nhi->quirks & QUIRK_E2E) { ++ start_hop = RING_FIRST_USABLE_HOPID + 1; ++ if (ring->flags & RING_FLAG_E2E && !ring->is_tx) { ++ dev_dbg(&nhi->pdev->dev, "quirking E2E TX HopID %u -> %u\n", ++ ring->e2e_tx_hop, RING_E2E_RESERVED_HOPID); ++ ring->e2e_tx_hop = RING_E2E_RESERVED_HOPID; ++ } ++ } ++ + spin_lock_irq(&nhi->lock); + + if (ring->hop < 0) { +@@ -469,7 +485,7 @@ static int nhi_alloc_hop(struct tb_nhi *nhi, struct tb_ring *ring) + * Automatically allocate HopID from the non-reserved + * range 1 .. hop_count - 1. + */ +- for (i = RING_FIRST_USABLE_HOPID; i < nhi->hop_count; i++) { ++ for (i = start_hop; i < nhi->hop_count; i++) { + if (ring->is_tx) { + if (!nhi->tx_rings[i]) { + ring->hop = i; +@@ -484,6 +500,11 @@ static int nhi_alloc_hop(struct tb_nhi *nhi, struct tb_ring *ring) + } + } + ++ if (ring->hop > 0 && ring->hop < start_hop) { ++ dev_warn(&nhi->pdev->dev, "invalid hop: %d\n", ring->hop); ++ ret = -EINVAL; ++ goto err_unlock; ++ } + if (ring->hop < 0 || ring->hop >= nhi->hop_count) { + dev_warn(&nhi->pdev->dev, "invalid hop: %d\n", ring->hop); + ret = -EINVAL; +@@ -1097,12 +1118,26 @@ static void nhi_shutdown(struct tb_nhi *nhi) + + static void nhi_check_quirks(struct tb_nhi *nhi) + { +- /* +- * Intel hardware supports auto clear of the interrupt status +- * reqister right after interrupt is being issued. +- */ +- if (nhi->pdev->vendor == PCI_VENDOR_ID_INTEL) ++ if (nhi->pdev->vendor == PCI_VENDOR_ID_INTEL) { ++ /* ++ * Intel hardware supports auto clear of the interrupt ++ * status register right after interrupt is being ++ * issued. ++ */ + nhi->quirks |= QUIRK_AUTO_CLEAR_INT; ++ ++ switch (nhi->pdev->device) { ++ case PCI_DEVICE_ID_INTEL_FALCON_RIDGE_2C_NHI: ++ case PCI_DEVICE_ID_INTEL_FALCON_RIDGE_4C_NHI: ++ /* ++ * Falcon Ridge controller needs the end-to-end ++ * flow control workaround to avoid losing Rx ++ * packets when RING_FLAG_E2E is set. ++ */ ++ nhi->quirks |= QUIRK_E2E; ++ break; ++ } ++ } + } + + static int nhi_check_iommu_pdev(struct pci_dev *pdev, void *data) +-- +2.35.1 + diff --git a/queue-6.0/tools-power-turbostat-use-standard-energy-unit-for-s.patch b/queue-6.0/tools-power-turbostat-use-standard-energy-unit-for-s.patch new file mode 100644 index 00000000000..2b3ad72eb69 --- /dev/null +++ b/queue-6.0/tools-power-turbostat-use-standard-energy-unit-for-s.patch @@ -0,0 +1,40 @@ +From 84866fd39ab744e2cfd96fac83a860c9ba641f3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 13:47:38 +0800 +Subject: tools/power turbostat: Use standard Energy Unit for SPR Dram RAPL + domain + +From: Zhang Rui + +[ Upstream commit b2d433ae637626d44c9d4a75dd3330cf68fed9de ] + +Intel Xeon servers used to use a fixed energy resolution (15.3uj) for +Dram RAPL domain. But on SPR, Dram RAPL domain follows the standard +energy resolution as described in MSR_RAPL_POWER_UNIT. + +Remove the SPR rapl_dram_energy_units quirk. + +Fixes: e7af1ed3fa47 ("tools/power turbostat: Support additional CPU model numbers") +Signed-off-by: Zhang Rui +Tested-by: Wang Wendy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +--- + tools/power/x86/turbostat/turbostat.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c +index 831dc32d45fa..b7d2a0cd0ac2 100644 +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -4560,7 +4560,6 @@ static double rapl_dram_energy_units_probe(int model, double rapl_energy_units) + case INTEL_FAM6_SKYLAKE_X: /* SKX */ + case INTEL_FAM6_XEON_PHI_KNL: /* KNL */ + case INTEL_FAM6_ICELAKE_X: /* ICX */ +- case INTEL_FAM6_SAPPHIRERAPIDS_X: /* SPR */ + return (rapl_dram_energy_units = 15.3 / 1000000); + default: + return (rapl_energy_units); +-- +2.35.1 + diff --git a/queue-6.0/tracing-kprobe-fix-kprobe-event-gen-test-module-on-e.patch b/queue-6.0/tracing-kprobe-fix-kprobe-event-gen-test-module-on-e.patch new file mode 100644 index 00000000000..a57ae758492 --- /dev/null +++ b/queue-6.0/tracing-kprobe-fix-kprobe-event-gen-test-module-on-e.patch @@ -0,0 +1,47 @@ +From 8818f3ba1ac28fe3739c3d46830116b634e4838e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 20:56:28 +0800 +Subject: tracing: kprobe: Fix kprobe event gen test module on exit + +From: Yipeng Zou + +[ Upstream commit ac48e189527fae87253ef2bf58892e782fb36874 ] + +Correct gen_kretprobe_test clr event para on module exit. +This will make it can't to delete. + +Link: https://lkml.kernel.org/r/20220919125629.238242-2-zouyipeng@huawei.com + +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module") +Signed-off-by: Yipeng Zou +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/kprobe_event_gen_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/kprobe_event_gen_test.c b/kernel/trace/kprobe_event_gen_test.c +index 18b0f1cbb947..e023154be0f8 100644 +--- a/kernel/trace/kprobe_event_gen_test.c ++++ b/kernel/trace/kprobe_event_gen_test.c +@@ -206,7 +206,7 @@ static void __exit kprobe_event_gen_test_exit(void) + WARN_ON(kprobe_event_delete("gen_kprobe_test")); + + /* Disable the event or you can't remove it */ +- WARN_ON(trace_array_set_clr_event(gen_kprobe_test->tr, ++ WARN_ON(trace_array_set_clr_event(gen_kretprobe_test->tr, + "kprobes", + "gen_kretprobe_test", false)); + +-- +2.35.1 + diff --git a/queue-6.0/tracing-kprobe-make-gen-test-module-work-in-arm-and-.patch b/queue-6.0/tracing-kprobe-make-gen-test-module-work-in-arm-and-.patch new file mode 100644 index 00000000000..e7357daf59f --- /dev/null +++ b/queue-6.0/tracing-kprobe-make-gen-test-module-work-in-arm-and-.patch @@ -0,0 +1,113 @@ +From 4259316a2ec24a2964c55e6d96172d4509282e9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 20:56:29 +0800 +Subject: tracing: kprobe: Make gen test module work in arm and riscv + +From: Yipeng Zou + +[ Upstream commit d8ef45d66c01425ff748e13ef7dd1da7a91cc93c ] + +For now, this selftest module can only work in x86 because of the +kprobe cmd was fixed use of x86 registers. +This patch adapted to register names under arm and riscv, So that +this module can be worked on those platform. + +Link: https://lkml.kernel.org/r/20220919125629.238242-3-zouyipeng@huawei.com + +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Cc: +Fixes: 64836248dda2 ("tracing: Add kprobe event command generation test module") +Signed-off-by: Yipeng Zou +Acked-by: Masami Hiramatsu (Google) +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/kprobe_event_gen_test.c | 47 +++++++++++++++++++++++++--- + 1 file changed, 43 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/kprobe_event_gen_test.c b/kernel/trace/kprobe_event_gen_test.c +index e023154be0f8..80e04a1e1977 100644 +--- a/kernel/trace/kprobe_event_gen_test.c ++++ b/kernel/trace/kprobe_event_gen_test.c +@@ -35,6 +35,45 @@ + static struct trace_event_file *gen_kprobe_test; + static struct trace_event_file *gen_kretprobe_test; + ++#define KPROBE_GEN_TEST_FUNC "do_sys_open" ++ ++/* X86 */ ++#if defined(CONFIG_X86_64) || defined(CONFIG_X86_32) ++#define KPROBE_GEN_TEST_ARG0 "dfd=%ax" ++#define KPROBE_GEN_TEST_ARG1 "filename=%dx" ++#define KPROBE_GEN_TEST_ARG2 "flags=%cx" ++#define KPROBE_GEN_TEST_ARG3 "mode=+4($stack)" ++ ++/* ARM64 */ ++#elif defined(CONFIG_ARM64) ++#define KPROBE_GEN_TEST_ARG0 "dfd=%x0" ++#define KPROBE_GEN_TEST_ARG1 "filename=%x1" ++#define KPROBE_GEN_TEST_ARG2 "flags=%x2" ++#define KPROBE_GEN_TEST_ARG3 "mode=%x3" ++ ++/* ARM */ ++#elif defined(CONFIG_ARM) ++#define KPROBE_GEN_TEST_ARG0 "dfd=%r0" ++#define KPROBE_GEN_TEST_ARG1 "filename=%r1" ++#define KPROBE_GEN_TEST_ARG2 "flags=%r2" ++#define KPROBE_GEN_TEST_ARG3 "mode=%r3" ++ ++/* RISCV */ ++#elif defined(CONFIG_RISCV) ++#define KPROBE_GEN_TEST_ARG0 "dfd=%a0" ++#define KPROBE_GEN_TEST_ARG1 "filename=%a1" ++#define KPROBE_GEN_TEST_ARG2 "flags=%a2" ++#define KPROBE_GEN_TEST_ARG3 "mode=%a3" ++ ++/* others */ ++#else ++#define KPROBE_GEN_TEST_ARG0 NULL ++#define KPROBE_GEN_TEST_ARG1 NULL ++#define KPROBE_GEN_TEST_ARG2 NULL ++#define KPROBE_GEN_TEST_ARG3 NULL ++#endif ++ ++ + /* + * Test to make sure we can create a kprobe event, then add more + * fields. +@@ -58,14 +97,14 @@ static int __init test_gen_kprobe_cmd(void) + * fields. + */ + ret = kprobe_event_gen_cmd_start(&cmd, "gen_kprobe_test", +- "do_sys_open", +- "dfd=%ax", "filename=%dx"); ++ KPROBE_GEN_TEST_FUNC, ++ KPROBE_GEN_TEST_ARG0, KPROBE_GEN_TEST_ARG1); + if (ret) + goto free; + + /* Use kprobe_event_add_fields to add the rest of the fields */ + +- ret = kprobe_event_add_fields(&cmd, "flags=%cx", "mode=+4($stack)"); ++ ret = kprobe_event_add_fields(&cmd, KPROBE_GEN_TEST_ARG2, KPROBE_GEN_TEST_ARG3); + if (ret) + goto free; + +@@ -128,7 +167,7 @@ static int __init test_gen_kretprobe_cmd(void) + * Define the kretprobe event. + */ + ret = kretprobe_event_gen_cmd_start(&cmd, "gen_kretprobe_test", +- "do_sys_open", ++ KPROBE_GEN_TEST_FUNC, + "$retval"); + if (ret) + goto free; +-- +2.35.1 + diff --git a/queue-6.0/tracing-osnoise-fix-possible-recursive-locking-in-st.patch b/queue-6.0/tracing-osnoise-fix-possible-recursive-locking-in-st.patch new file mode 100644 index 00000000000..e690d1ee092 --- /dev/null +++ b/queue-6.0/tracing-osnoise-fix-possible-recursive-locking-in-st.patch @@ -0,0 +1,78 @@ +From 8b5eefd720b128a14b6c5d65a3b4dbb59823ff10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 08:49:32 -0600 +Subject: tracing/osnoise: Fix possible recursive locking in + stop_per_cpu_kthreads + +From: Nico Pache + +[ Upstream commit 99ee9317a1305cd5626736785c8cb38b0e47686c ] + +There is a recursive lock on the cpu_hotplug_lock. + +In kernel/trace/trace_osnoise.c:_per_cpu_kthreads: + - start_per_cpu_kthreads calls cpus_read_lock() and if + start_kthreads returns a error it will call stop_per_cpu_kthreads. + - stop_per_cpu_kthreads then calls cpus_read_lock() again causing + deadlock. + +Fix this by calling cpus_read_unlock() before calling +stop_per_cpu_kthreads. This behavior can also be seen in commit +f46b16520a08 ("trace/hwlat: Implement the per-cpu mode"). + +This error was noticed during the LTP ftrace-stress-test: + +WARNING: possible recursive locking detected +-------------------------------------------- +sh/275006 is trying to acquire lock: +ffffffffb02f5400 (cpu_hotplug_lock){++++}-{0:0}, at: stop_per_cpu_kthreads + +but task is already holding lock: +ffffffffb02f5400 (cpu_hotplug_lock){++++}-{0:0}, at: start_per_cpu_kthreads + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(cpu_hotplug_lock); + lock(cpu_hotplug_lock); + + *** DEADLOCK *** + +May be due to missing lock nesting notation + +3 locks held by sh/275006: + #0: ffff8881023f0470 (sb_writers#24){.+.+}-{0:0}, at: ksys_write + #1: ffffffffb084f430 (trace_types_lock){+.+.}-{3:3}, at: rb_simple_write + #2: ffffffffb02f5400 (cpu_hotplug_lock){++++}-{0:0}, at: start_per_cpu_kthreads + +Link: https://lkml.kernel.org/r/20220919144932.3064014-1-npache@redhat.com + +Fixes: c8895e271f79 ("trace/osnoise: Support hotplug operations") +Signed-off-by: Nico Pache +Acked-by: Daniel Bristot de Oliveira +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_osnoise.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c +index 313439920a8c..78d536d3ff3d 100644 +--- a/kernel/trace/trace_osnoise.c ++++ b/kernel/trace/trace_osnoise.c +@@ -1786,8 +1786,9 @@ static int start_per_cpu_kthreads(void) + for_each_cpu(cpu, current_mask) { + retval = start_kthread(cpu); + if (retval) { ++ cpus_read_unlock(); + stop_per_cpu_kthreads(); +- break; ++ return retval; + } + } + +-- +2.35.1 + diff --git a/queue-6.0/tsnep-fix-tsnep_info_tx_time-register-define.patch b/queue-6.0/tsnep-fix-tsnep_info_tx_time-register-define.patch new file mode 100644 index 00000000000..bf114b1ed51 --- /dev/null +++ b/queue-6.0/tsnep-fix-tsnep_info_tx_time-register-define.patch @@ -0,0 +1,37 @@ +From 41964b2285f98f8542908fe0147b4b63611d35d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 21:30:13 +0200 +Subject: tsnep: Fix TSNEP_INFO_TX_TIME register define + +From: Gerhard Engleder + +[ Upstream commit 7d8dd6b5cd1d67dd96c132f91d7ad29c49ed3c59 ] + +Fixed register define is not used, but register definition shall be kept +in sync. + +Fixes: 403f69bbdbad ("tsnep: Add TSN endpoint Ethernet MAC driver") +Signed-off-by: Gerhard Engleder +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/engleder/tsnep_hw.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/engleder/tsnep_hw.h b/drivers/net/ethernet/engleder/tsnep_hw.h +index 916ceac3ada2..e03aaafab559 100644 +--- a/drivers/net/ethernet/engleder/tsnep_hw.h ++++ b/drivers/net/ethernet/engleder/tsnep_hw.h +@@ -92,8 +92,7 @@ + + /* tsnep register */ + #define TSNEP_INFO 0x0100 +-#define TSNEP_INFO_RX_ASSIGN 0x00010000 +-#define TSNEP_INFO_TX_TIME 0x00020000 ++#define TSNEP_INFO_TX_TIME 0x00010000 + #define TSNEP_CONTROL 0x0108 + #define TSNEP_CONTROL_TX_RESET 0x00000001 + #define TSNEP_CONTROL_TX_ENABLE 0x00000002 +-- +2.35.1 + diff --git a/queue-6.0/tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch b/queue-6.0/tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch new file mode 100644 index 00000000000..57fab7a293c --- /dev/null +++ b/queue-6.0/tty-serial-fsl_lpuart-disable-dma-rx-tx-use-flags-in.patch @@ -0,0 +1,103 @@ +From 4a1e152b8fac0a99716ee38215e0d440096788f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 19:17:03 +0800 +Subject: tty: serial: fsl_lpuart: disable dma rx/tx use flags in + lpuart_dma_shutdown +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sherry Sun + +[ Upstream commit 316ae95c175a7d770d1bfe4c011192712f57aa4a ] + +lpuart_dma_shutdown tears down lpuart dma, but lpuart_flush_buffer can +still occur which in turn tries to access dma apis if lpuart_dma_tx_use +flag is true. At this point since dma is torn down, these dma apis can +abort. Set lpuart_dma_tx_use and the corresponding rx flag +lpuart_dma_rx_use to false in lpuart_dma_shutdown so that dmas are not +accessed after they are relinquished. + +Otherwise, when try to kill btattach, kernel may panic. This patch may +fix this issue. +root@imx8ulpevk:~# btattach -B /dev/ttyLP2 -S 115200 +^C[ 90.182296] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP +[ 90.189806] Modules linked in: moal(O) mlan(O) +[ 90.194258] CPU: 0 PID: 503 Comm: btattach Tainted: G O 5.15.32-06136-g34eecdf2f9e4 #37 +[ 90.203554] Hardware name: NXP i.MX8ULP 9X9 EVK (DT) +[ 90.208513] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ 90.215470] pc : fsl_edma3_disable_request+0x8/0x60 +[ 90.220358] lr : fsl_edma3_terminate_all+0x34/0x20c +[ 90.225237] sp : ffff800013f0bac0 +[ 90.228548] x29: ffff800013f0bac0 x28: 0000000000000001 x27: ffff000008404800 +[ 90.235681] x26: ffff000008404960 x25: ffff000008404a08 x24: ffff000008404a00 +[ 90.242813] x23: ffff000008404a60 x22: 0000000000000002 x21: 0000000000000000 +[ 90.249946] x20: ffff800013f0baf8 x19: ffff00000559c800 x18: 0000000000000000 +[ 90.257078] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 +[ 90.264211] x14: 0000000000000003 x13: 0000000000000000 x12: 0000000000000040 +[ 90.271344] x11: ffff00000600c248 x10: ffff800013f0bb10 x9 : ffff000057bcb090 +[ 90.278477] x8 : fffffc0000241a08 x7 : ffff00000534ee00 x6 : ffff000008404804 +[ 90.285609] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff0000055b3480 +[ 90.292742] x2 : ffff8000135c0000 x1 : ffff00000534ee00 x0 : ffff00000559c800 +[ 90.299876] Call trace: +[ 90.302321] fsl_edma3_disable_request+0x8/0x60 +[ 90.306851] lpuart_flush_buffer+0x40/0x160 +[ 90.311037] uart_flush_buffer+0x88/0x120 +[ 90.315050] tty_driver_flush_buffer+0x20/0x30 +[ 90.319496] hci_uart_flush+0x44/0x90 +[ 90.323162] +0x34/0x12c +[ 90.327253] tty_ldisc_close+0x38/0x70 +[ 90.331005] tty_ldisc_release+0xa8/0x190 +[ 90.335018] tty_release_struct+0x24/0x8c +[ 90.339022] tty_release+0x3ec/0x4c0 +[ 90.342593] __fput+0x70/0x234 +[ 90.345652] ____fput+0x14/0x20 +[ 90.348790] task_work_run+0x84/0x17c +[ 90.352455] do_exit+0x310/0x96c +[ 90.355688] do_group_exit+0x3c/0xa0 +[ 90.359259] __arm64_sys_exit_group+0x1c/0x20 +[ 90.363609] invoke_syscall+0x48/0x114 +[ 90.367362] el0_svc_common.constprop.0+0xd4/0xfc +[ 90.372068] do_el0_svc+0x2c/0x94 +[ 90.375379] el0_svc+0x28/0x80 +[ 90.378438] el0t_64_sync_handler+0xa8/0x130 +[ 90.382711] el0t_64_sync+0x1a0/0x1a4 +[ 90.386376] Code: 17ffffda d503201f d503233f f9409802 (b9400041) +[ 90.392467] ---[ end trace 2f60524b4a43f1f6 ]--- +[ 90.397073] note: btattach[503] exited with preempt_count 1 +[ 90.402636] Fixing recursive fault but reboot is needed! + +Fixes: 6250cc30c4c4 ("tty: serial: fsl_lpuart: Use scatter/gather DMA for Tx") +Reviewed-by: Ilpo Järvinen +Signed-off-by: Thara Gopinath +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20220920111703.1532-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 6eb3d6c62458..34990901c805 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1776,6 +1776,7 @@ static void lpuart_dma_shutdown(struct lpuart_port *sport) + if (sport->lpuart_dma_rx_use) { + del_timer_sync(&sport->lpuart_timer); + lpuart_dma_rx_free(&sport->port); ++ sport->lpuart_dma_rx_use = false; + } + + if (sport->lpuart_dma_tx_use) { +@@ -1784,6 +1785,7 @@ static void lpuart_dma_shutdown(struct lpuart_port *sport) + sport->dma_tx_in_progress = false; + dmaengine_terminate_all(sport->dma_tx_chan); + } ++ sport->lpuart_dma_tx_use = false; + } + + if (sport->dma_tx_chan) +-- +2.35.1 + diff --git a/queue-6.0/tty-xilinx_uartps-check-clk_enable-return-value.patch b/queue-6.0/tty-xilinx_uartps-check-clk_enable-return-value.patch new file mode 100644 index 00000000000..b364f5761f9 --- /dev/null +++ b/queue-6.0/tty-xilinx_uartps-check-clk_enable-return-value.patch @@ -0,0 +1,51 @@ +From 31fd5c63792320bddb19fe67ea3cbb4cf3c9391e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 17:17:42 +0530 +Subject: tty: xilinx_uartps: Check clk_enable return value + +From: Shubhrajyoti Datta + +[ Upstream commit 957e8c047bf25bd24271ab049f06dc47f382973f ] + +If clocks are not enabled the register access may hang the system. +Check for the clock enable return value and bail out if not enabled. + +Signed-off-by: Shubhrajyoti Datta +Link: https://lore.kernel.org/r/20220729114748.18332-2-shubhrajyoti.datta@xilinx.com +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: b8a6c3b3d465 ("tty: xilinx_uartps: Fix the ignore_status") +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/xilinx_uartps.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 9e01fe6c0ab8..51fd09e14eda 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -1329,12 +1329,20 @@ static int cdns_uart_resume(struct device *device) + unsigned long flags; + u32 ctrl_reg; + int may_wake; ++ int ret; + + may_wake = device_may_wakeup(device); + + if (console_suspend_enabled && uart_console(port) && !may_wake) { +- clk_enable(cdns_uart->pclk); +- clk_enable(cdns_uart->uartclk); ++ ret = clk_enable(cdns_uart->pclk); ++ if (ret) ++ return ret; ++ ++ ret = clk_enable(cdns_uart->uartclk); ++ if (ret) { ++ clk_disable(cdns_uart->pclk); ++ return ret; ++ } + + spin_lock_irqsave(&port->lock, flags); + +-- +2.35.1 + diff --git a/queue-6.0/tty-xilinx_uartps-fix-the-ignore_status.patch b/queue-6.0/tty-xilinx_uartps-fix-the-ignore_status.patch new file mode 100644 index 00000000000..82a145f8ea8 --- /dev/null +++ b/queue-6.0/tty-xilinx_uartps-fix-the-ignore_status.patch @@ -0,0 +1,37 @@ +From d6d948bb8d03bbcaef9f26e7bf511dc7d15a2947 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 17:17:45 +0530 +Subject: tty: xilinx_uartps: Fix the ignore_status + +From: Shubhrajyoti Datta + +[ Upstream commit b8a6c3b3d4654fba19881cc77da61eac29f57cae ] + +Currently the ignore_status is not considered in the isr. +Add a check to add the ignore_status. + +Fixes: 61ec9016988f ("tty/serial: add support for Xilinx PS UART") +Signed-off-by: Shubhrajyoti Datta +Link: https://lore.kernel.org/r/20220729114748.18332-5-shubhrajyoti.datta@xilinx.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/xilinx_uartps.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 51fd09e14eda..769044dfe990 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -361,6 +361,8 @@ static irqreturn_t cdns_uart_isr(int irq, void *dev_id) + isrstatus &= ~CDNS_UART_IXR_TXEMPTY; + } + ++ isrstatus &= port->read_status_mask; ++ isrstatus &= ~port->ignore_status_mask; + /* + * Skip RX processing if RX is disabled as RXEMPTY will never be set + * as read bytes will not be removed from the FIFO. +-- +2.35.1 + diff --git a/queue-6.0/udmabuf-set-ubuf-sg-null-if-the-creation-of-sg-table.patch b/queue-6.0/udmabuf-set-ubuf-sg-null-if-the-creation-of-sg-table.patch new file mode 100644 index 00000000000..6ce1a1699b3 --- /dev/null +++ b/queue-6.0/udmabuf-set-ubuf-sg-null-if-the-creation-of-sg-table.patch @@ -0,0 +1,115 @@ +From ebdc8c91a21afd55cdd52fb3daf1199b1fa3f4a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 23:35:22 -0700 +Subject: udmabuf: Set ubuf->sg = NULL if the creation of sg table fails + +From: Vivek Kasireddy + +[ Upstream commit d9c04a1b7a15b5e74b2977461d9511e497f05d8f ] + +When userspace tries to map the dmabuf and if for some reason +(e.g. OOM) the creation of the sg table fails, ubuf->sg needs to be +set to NULL. Otherwise, when the userspace subsequently closes the +dmabuf fd, we'd try to erroneously free the invalid sg table from +release_udmabuf resulting in the following crash reported by syzbot: + +general protection fault, probably for non-canonical address +0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +CPU: 0 PID: 3609 Comm: syz-executor487 Not tainted +5.19.0-syzkaller-13930-g7ebfc85e2cd7 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 07/22/2022 +RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline] +RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline] +RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114 +Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 04 00 00 48 8d 7d 0c 4c +8b 63 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 +02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 e2 +RSP: 0018:ffffc900037efd30 EFLAGS: 00010246 +RAX: dffffc0000000000 RBX: ffffffff8cb67800 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffffffff84ad27e0 RDI: 0000000000000000 +RBP: fffffffffffffff4 R08: 0000000000000005 R09: 0000000000000000 +R10: 0000000000000000 R11: 000000000008c07c R12: ffff88801fa05000 +R13: ffff888073db07e8 R14: ffff888025c25440 R15: 0000000000000000 +FS: 0000555555fc4300(0000) GS:ffff8880b9a00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fc1c0ce06e4 CR3: 00000000715e6000 CR4: 00000000003506f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + dma_buf_release+0x157/0x2d0 drivers/dma-buf/dma-buf.c:78 + __dentry_kill+0x42b/0x640 fs/dcache.c:612 + dentry_kill fs/dcache.c:733 [inline] + dput+0x806/0xdb0 fs/dcache.c:913 + __fput+0x39c/0x9d0 fs/file_table.c:333 + task_work_run+0xdd/0x1a0 kernel/task_work.c:177 + ptrace_notify+0x114/0x140 kernel/signal.c:2353 + ptrace_report_syscall include/linux/ptrace.h:420 [inline] + ptrace_report_syscall_exit include/linux/ptrace.h:482 [inline] + syscall_exit_work kernel/entry/common.c:249 [inline] + syscall_exit_to_user_mode_prepare+0x129/0x280 kernel/entry/common.c:276 + __syscall_exit_to_user_mode_work kernel/entry/common.c:281 [inline] + syscall_exit_to_user_mode+0x9/0x50 kernel/entry/common.c:294 + do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 + entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fc1c0c35b6b +Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 +0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 +f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 +RSP: 002b:00007ffd78a06090 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 +RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fc1c0c35b6b +RDX: 0000000020000280 RSI: 0000000040086200 RDI: 0000000000000006 +RBP: 0000000000000007 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000000c +R13: 0000000000000003 R14: 00007fc1c0cfe4a0 R15: 00007ffd78a06140 + +Modules linked in: +---[ end trace 0000000000000000 ]--- +RIP: 0010:dma_unmap_sgtable include/linux/dma-mapping.h:378 [inline] +RIP: 0010:put_sg_table drivers/dma-buf/udmabuf.c:89 [inline] +RIP: 0010:release_udmabuf+0xcb/0x4f0 drivers/dma-buf/udmabuf.c:114 + +Reported-by: syzbot+c80e9ef5d8bb45894db0@syzkaller.appspotmail.com +Cc: Gerd Hoffmann +Signed-off-by: Vivek Kasireddy +Link: http://patchwork.freedesktop.org/patch/msgid/20220825063522.801264-1-vivek.kasireddy@intel.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/dma-buf/udmabuf.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c +index 38e8767ec371..bf11d32205f3 100644 +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -124,17 +124,20 @@ static int begin_cpu_udmabuf(struct dma_buf *buf, + { + struct udmabuf *ubuf = buf->priv; + struct device *dev = ubuf->device->this_device; ++ int ret = 0; + + if (!ubuf->sg) { + ubuf->sg = get_sg_table(dev, buf, direction); +- if (IS_ERR(ubuf->sg)) +- return PTR_ERR(ubuf->sg); ++ if (IS_ERR(ubuf->sg)) { ++ ret = PTR_ERR(ubuf->sg); ++ ubuf->sg = NULL; ++ } + } else { + dma_sync_sg_for_cpu(dev, ubuf->sg->sgl, ubuf->sg->nents, + direction); + } + +- return 0; ++ return ret; + } + + static int end_cpu_udmabuf(struct dma_buf *buf, +-- +2.35.1 + diff --git a/queue-6.0/usb-common-debug-check-non-standard-control-requests.patch b/queue-6.0/usb-common-debug-check-non-standard-control-requests.patch new file mode 100644 index 00000000000..29df5d370f6 --- /dev/null +++ b/queue-6.0/usb-common-debug-check-non-standard-control-requests.patch @@ -0,0 +1,139 @@ +From 1b944c30eadb91f89dc630dc0f6bc50b17503b62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 18:38:01 -0700 +Subject: usb: common: debug: Check non-standard control requests + +From: Thinh Nguyen + +[ Upstream commit b6155eaf6b05e558218b44b88a6cad03f15a586c ] + +Previously usb_decode_ctrl() only decodes standard control requests, but +it was used for non-standard requests also. If it's non-standard or +unknown standard bRequest, print the Setup data values. + +Fixes: af32423a2d86 ("usb: dwc3: trace: decode ctrl request") +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/8d6a30f2f2f953eff833a5bc5aac640a4cc2fc9f.1658971571.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/common/debug.c | 96 +++++++++++++++++++++++++------------- + 1 file changed, 64 insertions(+), 32 deletions(-) + +diff --git a/drivers/usb/common/debug.c b/drivers/usb/common/debug.c +index 075f6b1b2a1a..f204cec8d380 100644 +--- a/drivers/usb/common/debug.c ++++ b/drivers/usb/common/debug.c +@@ -208,30 +208,28 @@ static void usb_decode_set_isoch_delay(__u8 wValue, char *str, size_t size) + snprintf(str, size, "Set Isochronous Delay(Delay = %d ns)", wValue); + } + +-/** +- * usb_decode_ctrl - Returns human readable representation of control request. +- * @str: buffer to return a human-readable representation of control request. +- * This buffer should have about 200 bytes. +- * @size: size of str buffer. +- * @bRequestType: matches the USB bmRequestType field +- * @bRequest: matches the USB bRequest field +- * @wValue: matches the USB wValue field (CPU byte order) +- * @wIndex: matches the USB wIndex field (CPU byte order) +- * @wLength: matches the USB wLength field (CPU byte order) +- * +- * Function returns decoded, formatted and human-readable description of +- * control request packet. +- * +- * The usage scenario for this is for tracepoints, so function as a return +- * use the same value as in parameters. This approach allows to use this +- * function in TP_printk +- * +- * Important: wValue, wIndex, wLength parameters before invoking this function +- * should be processed by le16_to_cpu macro. +- */ +-const char *usb_decode_ctrl(char *str, size_t size, __u8 bRequestType, +- __u8 bRequest, __u16 wValue, __u16 wIndex, +- __u16 wLength) ++static void usb_decode_ctrl_generic(char *str, size_t size, __u8 bRequestType, ++ __u8 bRequest, __u16 wValue, __u16 wIndex, ++ __u16 wLength) ++{ ++ u8 recip = bRequestType & USB_RECIP_MASK; ++ u8 type = bRequestType & USB_TYPE_MASK; ++ ++ snprintf(str, size, ++ "Type=%s Recipient=%s Dir=%s bRequest=%u wValue=%u wIndex=%u wLength=%u", ++ (type == USB_TYPE_STANDARD) ? "Standard" : ++ (type == USB_TYPE_VENDOR) ? "Vendor" : ++ (type == USB_TYPE_CLASS) ? "Class" : "Unknown", ++ (recip == USB_RECIP_DEVICE) ? "Device" : ++ (recip == USB_RECIP_INTERFACE) ? "Interface" : ++ (recip == USB_RECIP_ENDPOINT) ? "Endpoint" : "Unknown", ++ (bRequestType & USB_DIR_IN) ? "IN" : "OUT", ++ bRequest, wValue, wIndex, wLength); ++} ++ ++static void usb_decode_ctrl_standard(char *str, size_t size, __u8 bRequestType, ++ __u8 bRequest, __u16 wValue, __u16 wIndex, ++ __u16 wLength) + { + switch (bRequest) { + case USB_REQ_GET_STATUS: +@@ -272,14 +270,48 @@ const char *usb_decode_ctrl(char *str, size_t size, __u8 bRequestType, + usb_decode_set_isoch_delay(wValue, str, size); + break; + default: +- snprintf(str, size, "%02x %02x %02x %02x %02x %02x %02x %02x", +- bRequestType, bRequest, +- (u8)(cpu_to_le16(wValue) & 0xff), +- (u8)(cpu_to_le16(wValue) >> 8), +- (u8)(cpu_to_le16(wIndex) & 0xff), +- (u8)(cpu_to_le16(wIndex) >> 8), +- (u8)(cpu_to_le16(wLength) & 0xff), +- (u8)(cpu_to_le16(wLength) >> 8)); ++ usb_decode_ctrl_generic(str, size, bRequestType, bRequest, ++ wValue, wIndex, wLength); ++ break; ++ } ++} ++ ++/** ++ * usb_decode_ctrl - Returns human readable representation of control request. ++ * @str: buffer to return a human-readable representation of control request. ++ * This buffer should have about 200 bytes. ++ * @size: size of str buffer. ++ * @bRequestType: matches the USB bmRequestType field ++ * @bRequest: matches the USB bRequest field ++ * @wValue: matches the USB wValue field (CPU byte order) ++ * @wIndex: matches the USB wIndex field (CPU byte order) ++ * @wLength: matches the USB wLength field (CPU byte order) ++ * ++ * Function returns decoded, formatted and human-readable description of ++ * control request packet. ++ * ++ * The usage scenario for this is for tracepoints, so function as a return ++ * use the same value as in parameters. This approach allows to use this ++ * function in TP_printk ++ * ++ * Important: wValue, wIndex, wLength parameters before invoking this function ++ * should be processed by le16_to_cpu macro. ++ */ ++const char *usb_decode_ctrl(char *str, size_t size, __u8 bRequestType, ++ __u8 bRequest, __u16 wValue, __u16 wIndex, ++ __u16 wLength) ++{ ++ switch (bRequestType & USB_TYPE_MASK) { ++ case USB_TYPE_STANDARD: ++ usb_decode_ctrl_standard(str, size, bRequestType, bRequest, ++ wValue, wIndex, wLength); ++ break; ++ case USB_TYPE_VENDOR: ++ case USB_TYPE_CLASS: ++ default: ++ usb_decode_ctrl_generic(str, size, bRequestType, bRequest, ++ wValue, wIndex, wLength); ++ break; + } + + return str; +-- +2.35.1 + diff --git a/queue-6.0/usb-common-usb-conn-gpio-simplify-some-error-message.patch b/queue-6.0/usb-common-usb-conn-gpio-simplify-some-error-message.patch new file mode 100644 index 00000000000..c620a5dacb6 --- /dev/null +++ b/queue-6.0/usb-common-usb-conn-gpio-simplify-some-error-message.patch @@ -0,0 +1,43 @@ +From 44a19fe0f32b8c79eed67728c1a204499a5968e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Aug 2022 22:28:42 +0200 +Subject: usb: common: usb-conn-gpio: Simplify some error message + +From: Christophe JAILLET + +[ Upstream commit d80f4ecb95270d0ecd6646aca44f4c180d3140b0 ] + +dev_err_probe() already prints the error code in a human readable way, so +there is no need to duplicate it as a numerical value at the end of the +message. + +Reviewed-by: Chunfeng Yun +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/7505a9dfa1e097070c492d6f6f84afa2a490b040.1659763173.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: b6155eaf6b05 ("usb: common: debug: Check non-standard control requests") +Signed-off-by: Sasha Levin +--- + drivers/usb/common/usb-conn-gpio.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/common/usb-conn-gpio.c b/drivers/usb/common/usb-conn-gpio.c +index b39c9f1c375d..e20874caba36 100644 +--- a/drivers/usb/common/usb-conn-gpio.c ++++ b/drivers/usb/common/usb-conn-gpio.c +@@ -208,10 +208,8 @@ static int usb_conn_probe(struct platform_device *pdev) + if (PTR_ERR(info->vbus) == -ENODEV) + info->vbus = NULL; + +- if (IS_ERR(info->vbus)) { +- ret = PTR_ERR(info->vbus); +- return dev_err_probe(dev, ret, "failed to get vbus :%d\n", ret); +- } ++ if (IS_ERR(info->vbus)) ++ return dev_err_probe(dev, PTR_ERR(info->vbus), "failed to get vbus\n"); + + info->role_sw = usb_role_switch_get(dev); + if (IS_ERR(info->role_sw)) +-- +2.35.1 + diff --git a/queue-6.0/usb-dwc3-core-add-gfladj_refclk_lpm_sel-quirk.patch b/queue-6.0/usb-dwc3-core-add-gfladj_refclk_lpm_sel-quirk.patch new file mode 100644 index 00000000000..a3b90895e62 --- /dev/null +++ b/queue-6.0/usb-dwc3-core-add-gfladj_refclk_lpm_sel-quirk.patch @@ -0,0 +1,78 @@ +From bb04be067cfc73f9448745e893f4da16984be4d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 08:28:53 +0200 +Subject: usb: dwc3: core: add gfladj_refclk_lpm_sel quirk + +From: Alexander Stein + +[ Upstream commit a6fc2f1b092787e9d7dbe472d720cede81680315 ] + +This selects the SOF/ITP counter be running on ref_clk. As documented +U2_FREECLK_EXISTS has to be set to 0 as well. + +Reviewed-by: Li Jun +Signed-off-by: Alexander Stein +Link: https://lore.kernel.org/r/20220915062855.751881-3-alexander.stein@ew.tq-group.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 8 +++++++- + drivers/usb/dwc3/core.h | 2 ++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 919d36fd0298..f7f1952b2901 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -407,6 +407,10 @@ static void dwc3_ref_clk_period(struct dwc3 *dwc) + reg |= FIELD_PREP(DWC3_GFLADJ_REFCLK_FLADJ_MASK, fladj) + | FIELD_PREP(DWC3_GFLADJ_240MHZDECR, decr >> 1) + | FIELD_PREP(DWC3_GFLADJ_240MHZDECR_PLS1, decr & 1); ++ ++ if (dwc->gfladj_refclk_lpm_sel) ++ reg |= DWC3_GFLADJ_REFCLK_LPM_SEL; ++ + dwc3_writel(dwc->regs, DWC3_GFLADJ, reg); + } + +@@ -788,7 +792,7 @@ static int dwc3_phy_setup(struct dwc3 *dwc) + else + reg |= DWC3_GUSB2PHYCFG_ENBLSLPM; + +- if (dwc->dis_u2_freeclk_exists_quirk) ++ if (dwc->dis_u2_freeclk_exists_quirk || dwc->gfladj_refclk_lpm_sel) + reg &= ~DWC3_GUSB2PHYCFG_U2_FREECLK_EXISTS; + + dwc3_writel(dwc->regs, DWC3_GUSB2PHYCFG(0), reg); +@@ -1524,6 +1528,8 @@ static void dwc3_get_properties(struct dwc3 *dwc) + "snps,dis-tx-ipgap-linecheck-quirk"); + dwc->parkmode_disable_ss_quirk = device_property_read_bool(dev, + "snps,parkmode-disable-ss-quirk"); ++ dwc->gfladj_refclk_lpm_sel = device_property_read_bool(dev, ++ "snps,gfladj-refclk-lpm-sel-quirk"); + + dwc->tx_de_emphasis_quirk = device_property_read_bool(dev, + "snps,tx_de_emphasis_quirk"); +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 4fe4287dc934..11975a03316f 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -391,6 +391,7 @@ + #define DWC3_GFLADJ_30MHZ_SDBND_SEL BIT(7) + #define DWC3_GFLADJ_30MHZ_MASK 0x3f + #define DWC3_GFLADJ_REFCLK_FLADJ_MASK GENMASK(21, 8) ++#define DWC3_GFLADJ_REFCLK_LPM_SEL BIT(23) + #define DWC3_GFLADJ_240MHZDECR GENMASK(30, 24) + #define DWC3_GFLADJ_240MHZDECR_PLS1 BIT(31) + +@@ -1312,6 +1313,7 @@ struct dwc3 { + unsigned dis_del_phy_power_chg_quirk:1; + unsigned dis_tx_ipgap_linecheck_quirk:1; + unsigned parkmode_disable_ss_quirk:1; ++ unsigned gfladj_refclk_lpm_sel:1; + + unsigned tx_de_emphasis_quirk:1; + unsigned tx_de_emphasis:2; +-- +2.35.1 + diff --git a/queue-6.0/usb-dwc3-core-enable-guctl1-bit-10-for-fixing-termin.patch b/queue-6.0/usb-dwc3-core-enable-guctl1-bit-10-for-fixing-termin.patch new file mode 100644 index 00000000000..10971d1c470 --- /dev/null +++ b/queue-6.0/usb-dwc3-core-enable-guctl1-bit-10-for-fixing-termin.patch @@ -0,0 +1,98 @@ +From 753ac3ad6d455fc5fb9aec351010d3cf699e6c8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 10:52:35 +0530 +Subject: usb: dwc3: core: Enable GUCTL1 bit 10 for fixing termination error + after resume bug + +From: Piyush Mehta + +[ Upstream commit 63d7f9810a38102cdb8cad214fac98682081e1a7 ] + +When configured in HOST mode, after issuing U3/L2 exit controller fails +to send proper CRC checksum in CRC5 field. Because of this behavior +Transaction Error is generated, resulting in reset and re-enumeration of +usb device attached. Enabling chicken bit 10 of GUCTL1 will correct this +problem. + +When this bit is set to '1', the UTMI/ULPI opmode will be changed to +"normal" along with HS terminations, term, and xcvr signals after EOR. +This option is to support certain legacy UTMI/ULPI PHYs. + +Added "snps,resume-hs-terminations" quirk to resolved the above issue. + +Signed-off-by: Piyush Mehta +Link: https://lore.kernel.org/r/20220920052235.194272-3-piyush.mehta@amd.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 17 +++++++++++++++++ + drivers/usb/dwc3/core.h | 4 ++++ + 2 files changed, 21 insertions(+) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index f7f1952b2901..68d986361c49 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1183,6 +1183,21 @@ static int dwc3_core_init(struct dwc3 *dwc) + dwc3_writel(dwc->regs, DWC3_GUCTL2, reg); + } + ++ /* ++ * When configured in HOST mode, after issuing U3/L2 exit controller ++ * fails to send proper CRC checksum in CRC5 feild. Because of this ++ * behaviour Transaction Error is generated, resulting in reset and ++ * re-enumeration of usb device attached. All the termsel, xcvrsel, ++ * opmode becomes 0 during end of resume. Enabling bit 10 of GUCTL1 ++ * will correct this problem. This option is to support certain ++ * legacy ULPI PHYs. ++ */ ++ if (dwc->resume_hs_terminations) { ++ reg = dwc3_readl(dwc->regs, DWC3_GUCTL1); ++ reg |= DWC3_GUCTL1_RESUME_OPMODE_HS_HOST; ++ dwc3_writel(dwc->regs, DWC3_GUCTL1, reg); ++ } ++ + if (!DWC3_VER_IS_PRIOR(DWC3, 250A)) { + reg = dwc3_readl(dwc->regs, DWC3_GUCTL1); + +@@ -1526,6 +1541,8 @@ static void dwc3_get_properties(struct dwc3 *dwc) + "snps,dis-del-phy-power-chg-quirk"); + dwc->dis_tx_ipgap_linecheck_quirk = device_property_read_bool(dev, + "snps,dis-tx-ipgap-linecheck-quirk"); ++ dwc->resume_hs_terminations = device_property_read_bool(dev, ++ "snps,resume-hs-terminations"); + dwc->parkmode_disable_ss_quirk = device_property_read_bool(dev, + "snps,parkmode-disable-ss-quirk"); + dwc->gfladj_refclk_lpm_sel = device_property_read_bool(dev, +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 11975a03316f..3ac9313e66f9 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -263,6 +263,7 @@ + #define DWC3_GUCTL1_DEV_FORCE_20_CLK_FOR_30_CLK BIT(26) + #define DWC3_GUCTL1_DEV_L1_EXIT_BY_HW BIT(24) + #define DWC3_GUCTL1_PARKMODE_DISABLE_SS BIT(17) ++#define DWC3_GUCTL1_RESUME_OPMODE_HS_HOST BIT(10) + + /* Global Status Register */ + #define DWC3_GSTS_OTG_IP BIT(10) +@@ -1097,6 +1098,8 @@ struct dwc3_scratchpad_array { + * change quirk. + * @dis_tx_ipgap_linecheck_quirk: set if we disable u2mac linestate + * check during HS transmit. ++ * @resume-hs-terminations: Set if we enable quirk for fixing improper crc ++ * generation after resume from suspend. + * @parkmode_disable_ss_quirk: set if we need to disable all SuperSpeed + * instances in park mode. + * @tx_de_emphasis_quirk: set if we enable Tx de-emphasis quirk +@@ -1312,6 +1315,7 @@ struct dwc3 { + unsigned dis_u2_freeclk_exists_quirk:1; + unsigned dis_del_phy_power_chg_quirk:1; + unsigned dis_tx_ipgap_linecheck_quirk:1; ++ unsigned resume_hs_terminations:1; + unsigned parkmode_disable_ss_quirk:1; + unsigned gfladj_refclk_lpm_sel:1; + +-- +2.35.1 + diff --git a/queue-6.0/usb-dwc3-core-fix-some-leaks-in-probe.patch b/queue-6.0/usb-dwc3-core-fix-some-leaks-in-probe.patch new file mode 100644 index 00000000000..06f8d7ca09f --- /dev/null +++ b/queue-6.0/usb-dwc3-core-fix-some-leaks-in-probe.patch @@ -0,0 +1,130 @@ +From 79da24c1cf16cf64d85519846982486308b2a130 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 14:22:08 +0300 +Subject: usb: dwc3: core: fix some leaks in probe + +From: Dan Carpenter + +[ Upstream commit 2a735e4b5580a2a6bbd6572109b4c4f163c57462 ] + +The dwc3_get_properties() function calls: + + dwc->usb_psy = power_supply_get_by_name(usb_psy_name); + +so there is some additional clean up required on these error paths. + +Fixes: 6f0764b5adea ("usb: dwc3: add a power supply for current control") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YyxFYFnP53j9sCg+@kili +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.c | 58 +++++++++++++++++++++++++---------------- + 1 file changed, 36 insertions(+), 22 deletions(-) + +diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c +index 219d797e2230..919d36fd0298 100644 +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1712,8 +1712,10 @@ static int dwc3_probe(struct platform_device *pdev) + dwc3_get_properties(dwc); + + dwc->reset = devm_reset_control_array_get_optional_shared(dev); +- if (IS_ERR(dwc->reset)) +- return PTR_ERR(dwc->reset); ++ if (IS_ERR(dwc->reset)) { ++ ret = PTR_ERR(dwc->reset); ++ goto put_usb_psy; ++ } + + if (dev->of_node) { + /* +@@ -1723,45 +1725,57 @@ static int dwc3_probe(struct platform_device *pdev) + * check for them to retain backwards compatibility. + */ + dwc->bus_clk = devm_clk_get_optional(dev, "bus_early"); +- if (IS_ERR(dwc->bus_clk)) +- return dev_err_probe(dev, PTR_ERR(dwc->bus_clk), +- "could not get bus clock\n"); ++ if (IS_ERR(dwc->bus_clk)) { ++ ret = dev_err_probe(dev, PTR_ERR(dwc->bus_clk), ++ "could not get bus clock\n"); ++ goto put_usb_psy; ++ } + + if (dwc->bus_clk == NULL) { + dwc->bus_clk = devm_clk_get_optional(dev, "bus_clk"); +- if (IS_ERR(dwc->bus_clk)) +- return dev_err_probe(dev, PTR_ERR(dwc->bus_clk), +- "could not get bus clock\n"); ++ if (IS_ERR(dwc->bus_clk)) { ++ ret = dev_err_probe(dev, PTR_ERR(dwc->bus_clk), ++ "could not get bus clock\n"); ++ goto put_usb_psy; ++ } + } + + dwc->ref_clk = devm_clk_get_optional(dev, "ref"); +- if (IS_ERR(dwc->ref_clk)) +- return dev_err_probe(dev, PTR_ERR(dwc->ref_clk), +- "could not get ref clock\n"); ++ if (IS_ERR(dwc->ref_clk)) { ++ ret = dev_err_probe(dev, PTR_ERR(dwc->ref_clk), ++ "could not get ref clock\n"); ++ goto put_usb_psy; ++ } + + if (dwc->ref_clk == NULL) { + dwc->ref_clk = devm_clk_get_optional(dev, "ref_clk"); +- if (IS_ERR(dwc->ref_clk)) +- return dev_err_probe(dev, PTR_ERR(dwc->ref_clk), +- "could not get ref clock\n"); ++ if (IS_ERR(dwc->ref_clk)) { ++ ret = dev_err_probe(dev, PTR_ERR(dwc->ref_clk), ++ "could not get ref clock\n"); ++ goto put_usb_psy; ++ } + } + + dwc->susp_clk = devm_clk_get_optional(dev, "suspend"); +- if (IS_ERR(dwc->susp_clk)) +- return dev_err_probe(dev, PTR_ERR(dwc->susp_clk), +- "could not get suspend clock\n"); ++ if (IS_ERR(dwc->susp_clk)) { ++ ret = dev_err_probe(dev, PTR_ERR(dwc->susp_clk), ++ "could not get suspend clock\n"); ++ goto put_usb_psy; ++ } + + if (dwc->susp_clk == NULL) { + dwc->susp_clk = devm_clk_get_optional(dev, "suspend_clk"); +- if (IS_ERR(dwc->susp_clk)) +- return dev_err_probe(dev, PTR_ERR(dwc->susp_clk), +- "could not get suspend clock\n"); ++ if (IS_ERR(dwc->susp_clk)) { ++ ret = dev_err_probe(dev, PTR_ERR(dwc->susp_clk), ++ "could not get suspend clock\n"); ++ goto put_usb_psy; ++ } + } + } + + ret = reset_control_deassert(dwc->reset); + if (ret) +- return ret; ++ goto put_usb_psy; + + ret = dwc3_clk_enable(dwc); + if (ret) +@@ -1861,7 +1875,7 @@ static int dwc3_probe(struct platform_device *pdev) + dwc3_clk_disable(dwc); + assert_reset: + reset_control_assert(dwc->reset); +- ++put_usb_psy: + if (dwc->usb_psy) + power_supply_put(dwc->usb_psy); + +-- +2.35.1 + diff --git a/queue-6.0/usb-gadget-f_fs-stricter-integer-overflow-checks.patch b/queue-6.0/usb-gadget-f_fs-stricter-integer-overflow-checks.patch new file mode 100644 index 00000000000..f214a22bb0c --- /dev/null +++ b/queue-6.0/usb-gadget-f_fs-stricter-integer-overflow-checks.patch @@ -0,0 +1,47 @@ +From 18be4ff72889aac6dbf973007463ab3752c0f680 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 17:59:42 +0300 +Subject: usb: gadget: f_fs: stricter integer overflow checks + +From: Dan Carpenter + +[ Upstream commit f57004b9d96755cd6a243b51c267be4016b4563c ] + +This from static analysis. The vla_item() takes a size and adds it to +the total. It has a built in integer overflow check so if it encounters +an integer overflow anywhere then it records the total as SIZE_MAX. + +However there is an issue here because the "lang_count*(needed_count+1)" +multiplication can overflow. Technically the "lang_count + 1" addition +could overflow too, but that would be detected and is harmless. Fix +both using the new size_add() and size_mul() functions. + +Fixes: e6f3862fa1ec ("usb: gadget: FunctionFS: Remove VLAIS usage from gadget code") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YxDI3lMYomE7WCjn@kili +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index e0fa4b186ec6..36184a762527 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -2645,10 +2645,10 @@ static int __ffs_data_got_strings(struct ffs_data *ffs, + unsigned i = 0; + vla_group(d); + vla_item(d, struct usb_gadget_strings *, stringtabs, +- lang_count + 1); ++ size_add(lang_count, 1)); + vla_item(d, struct usb_gadget_strings, stringtab, lang_count); + vla_item(d, struct usb_string, strings, +- lang_count*(needed_count+1)); ++ size_mul(lang_count, (needed_count + 1))); + + char *vlabuf = kmalloc(vla_group_size(d), GFP_KERNEL); + +-- +2.35.1 + diff --git a/queue-6.0/usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch b/queue-6.0/usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch new file mode 100644 index 00000000000..80015db622a --- /dev/null +++ b/queue-6.0/usb-gadget-function-fix-dangling-pnp_string-in-f_pri.patch @@ -0,0 +1,76 @@ +From 08bd3a5008b5a902f4167652503df541c5ecb0c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 11 Sep 2022 15:37:55 -0700 +Subject: usb: gadget: function: fix dangling pnp_string in f_printer.c + +From: Albert Briscoe + +[ Upstream commit 24b7ba2f88e04800b54d462f376512e8c41b8a3c ] + +When opts->pnp_string is changed with configfs, new memory is allocated for +the string. It does not, however, update dev->pnp_string, even though the +memory is freed. When rquesting the string, the host then gets old or +corrupted data rather than the new string. The ieee 1284 id string should +be allowed to change while the device is connected. + +The bug was introduced in commit fdc01cc286be ("usb: gadget: printer: +Remove pnp_string static buffer"), which changed opts->pnp_string from a +char[] to a char*. +This patch changes dev->pnp_string from a char* to a char** pointing to +opts->pnp_string. + +Fixes: fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer") +Signed-off-by: Albert Briscoe +Link: https://lore.kernel.org/r/20220911223753.20417-1-albertsbriscoe@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_printer.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c +index abec5c58f525..a881c69b1f2b 100644 +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -89,7 +89,7 @@ struct printer_dev { + u8 printer_cdev_open; + wait_queue_head_t wait; + unsigned q_len; +- char *pnp_string; /* We don't own memory! */ ++ char **pnp_string; /* We don't own memory! */ + struct usb_function function; + }; + +@@ -1000,16 +1000,16 @@ static int printer_func_setup(struct usb_function *f, + if ((wIndex>>8) != dev->interface) + break; + +- if (!dev->pnp_string) { ++ if (!*dev->pnp_string) { + value = 0; + break; + } +- value = strlen(dev->pnp_string); ++ value = strlen(*dev->pnp_string); + buf[0] = (value >> 8) & 0xFF; + buf[1] = value & 0xFF; +- memcpy(buf + 2, dev->pnp_string, value); ++ memcpy(buf + 2, *dev->pnp_string, value); + DBG(dev, "1284 PNP String: %x %s\n", value, +- dev->pnp_string); ++ *dev->pnp_string); + break; + + case GET_PORT_STATUS: /* Get Port Status */ +@@ -1475,7 +1475,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi) + kref_init(&dev->kref); + ++opts->refcnt; + dev->minor = opts->minor; +- dev->pnp_string = opts->pnp_string; ++ dev->pnp_string = &opts->pnp_string; + dev->q_len = opts->q_len; + mutex_unlock(&opts->lock); + +-- +2.35.1 + diff --git a/queue-6.0/usb-gadget-uvc-increase-worker-prio-to-wq_highpri.patch b/queue-6.0/usb-gadget-uvc-increase-worker-prio-to-wq_highpri.patch new file mode 100644 index 00000000000..8e8d8d386ab --- /dev/null +++ b/queue-6.0/usb-gadget-uvc-increase-worker-prio-to-wq_highpri.patch @@ -0,0 +1,107 @@ +From f669a688899690c90edc4056b2bfc41248324c72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 23:58:18 +0200 +Subject: usb: gadget: uvc: increase worker prio to WQ_HIGHPRI + +From: Michael Grzeschik + +[ Upstream commit 9b91a65230784a9ef644b8bdbb82a79ba4ae9456 ] + +This patch is changing the simple workqueue in the gadget driver to be +allocated as async_wq with a higher priority. The pump worker, that is +filling the usb requests, will have a higher priority and will not be +scheduled away so often while the video stream is handled. This will +lead to fewer streaming underruns. + +Signed-off-by: Michael Grzeschik +Link: https://lore.kernel.org/r/20220907215818.2670097-1-m.grzeschik@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_uvc.c | 4 ++++ + drivers/usb/gadget/function/uvc.h | 1 + + drivers/usb/gadget/function/uvc_v4l2.c | 2 +- + drivers/usb/gadget/function/uvc_video.c | 9 +++++++-- + 4 files changed, 13 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_uvc.c b/drivers/usb/gadget/function/f_uvc.c +index 86bb0098fb66..7ec223849d94 100644 +--- a/drivers/usb/gadget/function/f_uvc.c ++++ b/drivers/usb/gadget/function/f_uvc.c +@@ -897,10 +897,14 @@ static void uvc_function_unbind(struct usb_configuration *c, + { + struct usb_composite_dev *cdev = c->cdev; + struct uvc_device *uvc = to_uvc(f); ++ struct uvc_video *video = &uvc->video; + long wait_ret = 1; + + uvcg_info(f, "%s()\n", __func__); + ++ if (video->async_wq) ++ destroy_workqueue(video->async_wq); ++ + /* + * If we know we're connected via v4l2, then there should be a cleanup + * of the device from userspace either via UVC_EVENT_DISCONNECT or +diff --git a/drivers/usb/gadget/function/uvc.h b/drivers/usb/gadget/function/uvc.h +index 58e383afdd44..1a31e6c6a5ff 100644 +--- a/drivers/usb/gadget/function/uvc.h ++++ b/drivers/usb/gadget/function/uvc.h +@@ -88,6 +88,7 @@ struct uvc_video { + struct usb_ep *ep; + + struct work_struct pump; ++ struct workqueue_struct *async_wq; + + /* Frame parameters */ + u8 bpp; +diff --git a/drivers/usb/gadget/function/uvc_v4l2.c b/drivers/usb/gadget/function/uvc_v4l2.c +index fd8f73bb726d..fddc392b8ab9 100644 +--- a/drivers/usb/gadget/function/uvc_v4l2.c ++++ b/drivers/usb/gadget/function/uvc_v4l2.c +@@ -170,7 +170,7 @@ uvc_v4l2_qbuf(struct file *file, void *fh, struct v4l2_buffer *b) + return ret; + + if (uvc->state == UVC_STATE_STREAMING) +- schedule_work(&video->pump); ++ queue_work(video->async_wq, &video->pump); + + return ret; + } +diff --git a/drivers/usb/gadget/function/uvc_video.c b/drivers/usb/gadget/function/uvc_video.c +index c00ce0e91f5d..bb037fcc90e6 100644 +--- a/drivers/usb/gadget/function/uvc_video.c ++++ b/drivers/usb/gadget/function/uvc_video.c +@@ -277,7 +277,7 @@ uvc_video_complete(struct usb_ep *ep, struct usb_request *req) + spin_unlock_irqrestore(&video->req_lock, flags); + + if (uvc->state == UVC_STATE_STREAMING) +- schedule_work(&video->pump); ++ queue_work(video->async_wq, &video->pump); + } + + static int +@@ -485,7 +485,7 @@ int uvcg_video_enable(struct uvc_video *video, int enable) + + video->req_int_count = 0; + +- schedule_work(&video->pump); ++ queue_work(video->async_wq, &video->pump); + + return ret; + } +@@ -499,6 +499,11 @@ int uvcg_video_init(struct uvc_video *video, struct uvc_device *uvc) + spin_lock_init(&video->req_lock); + INIT_WORK(&video->pump, uvcg_video_pump); + ++ /* Allocate a work queue for asynchronous video pump handler. */ ++ video->async_wq = alloc_workqueue("uvcgadget", WQ_UNBOUND | WQ_HIGHPRI, 0); ++ if (!video->async_wq) ++ return -EINVAL; ++ + video->uvc = uvc; + video->fcc = V4L2_PIX_FMT_YUYV; + video->bpp = 16; +-- +2.35.1 + diff --git a/queue-6.0/usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch b/queue-6.0/usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch new file mode 100644 index 00000000000..20cfbb987b5 --- /dev/null +++ b/queue-6.0/usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch @@ -0,0 +1,56 @@ +From 84fc8643fc3e092c3a08ff50e671e6c3aa60b698 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 15:34:45 +0300 +Subject: usb: host: xhci: Fix potential memory leak in + xhci_alloc_stream_info() + +From: Jianglei Nie + +[ Upstream commit 7e271f42a5cc3768cd2622b929ba66859ae21f97 ] + +xhci_alloc_stream_info() allocates stream context array for stream_info +->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs, +stream_info->stream_ctx_array is not released, which will lead to a +memory leak. + +We can fix it by releasing the stream_info->stream_ctx_array with +xhci_free_stream_ctx() on the error path to avoid the potential memory +leak. + +Signed-off-by: Jianglei Nie +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20220921123450.671459-2-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-mem.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 8c19e151a945..9e56aa28efcd 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -641,7 +641,7 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci, + num_stream_ctxs, &stream_info->ctx_array_dma, + mem_flags); + if (!stream_info->stream_ctx_array) +- goto cleanup_ctx; ++ goto cleanup_ring_array; + memset(stream_info->stream_ctx_array, 0, + sizeof(struct xhci_stream_ctx)*num_stream_ctxs); + +@@ -702,6 +702,11 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci, + } + xhci_free_command(xhci, stream_info->free_streams_command); + cleanup_ctx: ++ xhci_free_stream_ctx(xhci, ++ stream_info->num_stream_ctxs, ++ stream_info->stream_ctx_array, ++ stream_info->ctx_array_dma); ++cleanup_ring_array: + kfree(stream_info->stream_rings); + cleanup_info: + kfree(stream_info); +-- +2.35.1 + diff --git a/queue-6.0/usb-host-xhci-plat-suspend-and-resume-clocks.patch b/queue-6.0/usb-host-xhci-plat-suspend-and-resume-clocks.patch new file mode 100644 index 00000000000..ecf8e9df548 --- /dev/null +++ b/queue-6.0/usb-host-xhci-plat-suspend-and-resume-clocks.patch @@ -0,0 +1,72 @@ +From 9958da207b8b5599c33a61510cc0efbd1acde3a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Aug 2022 15:27:34 -0700 +Subject: usb: host: xhci-plat: suspend and resume clocks + +From: Justin Chen + +[ Upstream commit 8bd954c56197caf5e3a804d989094bc3fe6329aa ] + +Introduce XHCI_SUSPEND_RESUME_CLKS quirk as a means to suspend and resume +clocks if the hardware is capable of doing so. We assume that clocks will +be needed if the device may wake. + +Reviewed-by: Florian Fainelli +Signed-off-by: Justin Chen +Link: https://lore.kernel.org/r/1660170455-15781-2-git-send-email-justinpopo6@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-plat.c | 16 +++++++++++++++- + drivers/usb/host/xhci.h | 1 + + 2 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index a8641b6536ee..ef10982ad482 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -437,7 +437,16 @@ static int __maybe_unused xhci_plat_suspend(struct device *dev) + * xhci_suspend() needs `do_wakeup` to know whether host is allowed + * to do wakeup during suspend. + */ +- return xhci_suspend(xhci, device_may_wakeup(dev)); ++ ret = xhci_suspend(xhci, device_may_wakeup(dev)); ++ if (ret) ++ return ret; ++ ++ if (!device_may_wakeup(dev) && (xhci->quirks & XHCI_SUSPEND_RESUME_CLKS)) { ++ clk_disable_unprepare(xhci->clk); ++ clk_disable_unprepare(xhci->reg_clk); ++ } ++ ++ return 0; + } + + static int __maybe_unused xhci_plat_resume(struct device *dev) +@@ -446,6 +455,11 @@ static int __maybe_unused xhci_plat_resume(struct device *dev) + struct xhci_hcd *xhci = hcd_to_xhci(hcd); + int ret; + ++ if (!device_may_wakeup(dev) && (xhci->quirks & XHCI_SUSPEND_RESUME_CLKS)) { ++ clk_prepare_enable(xhci->clk); ++ clk_prepare_enable(xhci->reg_clk); ++ } ++ + ret = xhci_priv_resume_quirk(hcd); + if (ret) + return ret; +diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h +index 7caa0db5e826..6dfbf73ee840 100644 +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1899,6 +1899,7 @@ struct xhci_hcd { + #define XHCI_NO_SOFT_RETRY BIT_ULL(40) + #define XHCI_BROKEN_D3COLD BIT_ULL(41) + #define XHCI_EP_CTX_BROKEN_DCS BIT_ULL(42) ++#define XHCI_SUSPEND_RESUME_CLKS BIT_ULL(43) + + unsigned int num_active_eps; + unsigned int limit_active_eps; +-- +2.35.1 + diff --git a/queue-6.0/usb-host-xhci-plat-suspend-resume-clks-for-brcm.patch b/queue-6.0/usb-host-xhci-plat-suspend-resume-clks-for-brcm.patch new file mode 100644 index 00000000000..3e860e019c3 --- /dev/null +++ b/queue-6.0/usb-host-xhci-plat-suspend-resume-clks-for-brcm.patch @@ -0,0 +1,38 @@ +From 7b0faa3780c9c002b5387faf1b8e6a5bd19ce7cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Aug 2022 15:27:35 -0700 +Subject: usb: host: xhci-plat: suspend/resume clks for brcm + +From: Justin Chen + +[ Upstream commit c69400b09e471a3f1167adead55a808f0da6534a ] + +The xhci_plat_brcm xhci block can enter suspend with clock disabled to save +power and re-enable them on resume. Make use of the XHCI_SUSPEND_RESUME_CLKS +quirk to do so. + +Reviewed-by: Florian Fainelli +Signed-off-by: Justin Chen +Link: https://lore.kernel.org/r/1660170455-15781-3-git-send-email-justinpopo6@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci-plat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci-plat.c b/drivers/usb/host/xhci-plat.c +index ef10982ad482..5fb55bf19493 100644 +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -123,7 +123,7 @@ static const struct xhci_plat_priv xhci_plat_renesas_rcar_gen3 = { + }; + + static const struct xhci_plat_priv xhci_plat_brcm = { +- .quirks = XHCI_RESET_ON_RESUME, ++ .quirks = XHCI_RESET_ON_RESUME | XHCI_SUSPEND_RESUME_CLKS, + }; + + static const struct of_device_id usb_xhci_of_match[] = { +-- +2.35.1 + diff --git a/queue-6.0/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch b/queue-6.0/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch new file mode 100644 index 00000000000..702db62e9fa --- /dev/null +++ b/queue-6.0/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch @@ -0,0 +1,59 @@ +From d007c87fdddb8f1d68b2f3035401aaeb979e5977 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 21:48:44 +0800 +Subject: usb: idmouse: fix an uninit-value in idmouse_open + +From: Dongliang Mu + +[ Upstream commit bce2b0539933e485d22d6f6f076c0fcd6f185c4c ] + +In idmouse_create_image, if any ftip_command fails, it will +go to the reset label. However, this leads to the data in +bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check +for valid image incurs an uninitialized dereference. + +Fix this by moving the check before reset label since this +check only be valid if the data after bulk_in_buffer[HEADER] +has concrete data. + +Note that this is found by KMSAN, so only kernel compilation +is tested. + +Reported-by: syzbot+79832d33eb89fb3cd092@syzkaller.appspotmail.com +Signed-off-by: Dongliang Mu +Link: https://lore.kernel.org/r/20220922134847.1101921-1-dzm91@hust.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/idmouse.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c +index e9437a176518..ea39243efee3 100644 +--- a/drivers/usb/misc/idmouse.c ++++ b/drivers/usb/misc/idmouse.c +@@ -177,10 +177,6 @@ static int idmouse_create_image(struct usb_idmouse *dev) + bytes_read += bulk_read; + } + +- /* reset the device */ +-reset: +- ftip_command(dev, FTIP_RELEASE, 0, 0); +- + /* check for valid image */ + /* right border should be black (0x00) */ + for (bytes_read = sizeof(HEADER)-1 + WIDTH-1; bytes_read < IMGSIZE; bytes_read += WIDTH) +@@ -192,6 +188,10 @@ static int idmouse_create_image(struct usb_idmouse *dev) + if (dev->bulk_in_buffer[bytes_read] != 0xFF) + return -EAGAIN; + ++ /* reset the device */ ++reset: ++ ftip_command(dev, FTIP_RELEASE, 0, 0); ++ + /* should be IMGSIZE == 65040 */ + dev_dbg(&dev->interface->dev, "read %d bytes fingerprint data\n", + bytes_read); +-- +2.35.1 + diff --git a/queue-6.0/usb-mtu3-fix-failed-runtime-suspend-in-host-only-mod.patch b/queue-6.0/usb-mtu3-fix-failed-runtime-suspend-in-host-only-mod.patch new file mode 100644 index 00000000000..a696f32fb3e --- /dev/null +++ b/queue-6.0/usb-mtu3-fix-failed-runtime-suspend-in-host-only-mod.patch @@ -0,0 +1,55 @@ +From d71b492dfe2411f8e8b21a17c6609f847ddc96cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 14:44:59 +0800 +Subject: usb: mtu3: fix failed runtime suspend in host only mode + +From: Chunfeng Yun + +[ Upstream commit 1c703e29da5efac6180e4c189029fa34b7e48e97 ] + +When the dr_mode is "host", after the host enter runtime suspend, +the mtu3 can't do it, because the mtu3's device wakeup function is +not enabled, instead it's enabled in gadget init function, to fix +the issue, init wakeup early in mtu3's probe() + +Fixes: 6b587394c65c ("usb: mtu3: support suspend/resume for dual-role mode") +Reviewed-by: AngeloGioacchino Del Regno +Reported-by: Tianping Fang +Signed-off-by: Chunfeng Yun +Link: https://lore.kernel.org/r/20220929064459.32522-1-chunfeng.yun@mediatek.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/mtu3/mtu3_core.c | 2 -- + drivers/usb/mtu3/mtu3_plat.c | 2 ++ + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/mtu3/mtu3_core.c b/drivers/usb/mtu3/mtu3_core.c +index 0ca173af87bb..a3a6282893d0 100644 +--- a/drivers/usb/mtu3/mtu3_core.c ++++ b/drivers/usb/mtu3/mtu3_core.c +@@ -978,8 +978,6 @@ int ssusb_gadget_init(struct ssusb_mtk *ssusb) + goto irq_err; + } + +- device_init_wakeup(dev, true); +- + /* power down device IP for power saving by default */ + mtu3_stop(mtu); + +diff --git a/drivers/usb/mtu3/mtu3_plat.c b/drivers/usb/mtu3/mtu3_plat.c +index 4cb65346789d..d78ae52b4e26 100644 +--- a/drivers/usb/mtu3/mtu3_plat.c ++++ b/drivers/usb/mtu3/mtu3_plat.c +@@ -356,6 +356,8 @@ static int mtu3_probe(struct platform_device *pdev) + pm_runtime_enable(dev); + pm_runtime_get_sync(dev); + ++ device_init_wakeup(dev, true); ++ + ret = ssusb_rscs_init(ssusb); + if (ret) + goto comm_init_err; +-- +2.35.1 + diff --git a/queue-6.0/usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch b/queue-6.0/usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch new file mode 100644 index 00000000000..87fa8dcc2f6 --- /dev/null +++ b/queue-6.0/usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch @@ -0,0 +1,42 @@ +From 2be5741f350b7c131469b1a703e30f872b96da2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 10:21:19 +0800 +Subject: usb: musb: Fix musb_gadget.c rxstate overflow bug + +From: Robin Guo + +[ Upstream commit eea4c860c3b366369eff0489d94ee4f0571d467d ] + +The usb function device call musb_gadget_queue() adds the passed +request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz) +and (is_buffer_mapped(req) return false),the rxstate() will copy all data +in fifo to request->buf which may cause request->buf out of bounds. + +Fix it by add the length check : +fifocnt = min_t(unsigned, request->length - request->actual, fifocnt); + +Signed-off-by: Robin Guo +Link: https://lore.kernel.org/r/20220906102119.1b071d07a8391ff115e6d1ef@inspur.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/musb_gadget.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c +index daada4b66a92..6704a62a1665 100644 +--- a/drivers/usb/musb/musb_gadget.c ++++ b/drivers/usb/musb/musb_gadget.c +@@ -760,6 +760,9 @@ static void rxstate(struct musb *musb, struct musb_request *req) + musb_writew(epio, MUSB_RXCSR, csr); + + buffer_aint_mapped: ++ fifo_count = min_t(unsigned int, ++ request->length - request->actual, ++ (unsigned int)fifo_count); + musb_read_fifo(musb_ep->hw_ep, fifo_count, (u8 *) + (request->buf + request->actual)); + request->actual += fifo_count; +-- +2.35.1 + diff --git a/queue-6.0/usb-serial-console-move-mutex_unlock-before-usb_seri.patch b/queue-6.0/usb-serial-console-move-mutex_unlock-before-usb_seri.patch new file mode 100644 index 00000000000..c556358a0ce --- /dev/null +++ b/queue-6.0/usb-serial-console-move-mutex_unlock-before-usb_seri.patch @@ -0,0 +1,39 @@ +From a6a2b086047b4f69ed056e84e9448502d96e3af7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 18:48:24 +0800 +Subject: USB: serial: console: move mutex_unlock() before usb_serial_put() + +From: Liang He + +[ Upstream commit 61dfa797c731754642d1ac500a6ac42f9b47f920 ] + +While in current version there is no use-after-free as USB serial +core holds another reference when the console is registered, we +should better unlock before dropping the reference in +usb_console_setup(). + +Fixes: 7bd032dc2793 ("USB serial: update the console driver") +Signed-off-by: Liang He +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/console.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c +index b97aa40ca4d1..da19a5fa414f 100644 +--- a/drivers/usb/serial/console.c ++++ b/drivers/usb/serial/console.c +@@ -189,8 +189,8 @@ static int usb_console_setup(struct console *co, char *options) + info->port = NULL; + usb_autopm_put_interface(serial->interface); + error_get_interface: +- usb_serial_put(serial); + mutex_unlock(&serial->disc_mutex); ++ usb_serial_put(serial); + return retval; + } + +-- +2.35.1 + diff --git a/queue-6.0/usb-typec-anx7411-use-of_get_child_by_name-instead-o.patch b/queue-6.0/usb-typec-anx7411-use-of_get_child_by_name-instead-o.patch new file mode 100644 index 00000000000..2f2e00bee9f --- /dev/null +++ b/queue-6.0/usb-typec-anx7411-use-of_get_child_by_name-instead-o.patch @@ -0,0 +1,49 @@ +From e64d7d945a5094c90201cefea3de272b2ccae657 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Sep 2022 17:22:09 +0800 +Subject: usb: typec: anx7411: Use of_get_child_by_name() instead of + of_find_node_by_name() + +From: Liang He + +[ Upstream commit e45d7337dc0e4f7f1c2876e1b22c71a544ad12fd ] + +In anx7411_typec_switch_probe(), we should call of_get_child_by_name() +instead of of_find_node_by_name() as of_find_xxx API will decrease the +refcount of the 'from' argument. + +Fixes: fe6d8a9c8e64 ("usb: typec: anx7411: Add Analogix PD ANX7411 support") +Acked-by: Heikki Krogerus +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220915092209.4009273-1-windhl@126.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/anx7411.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/typec/anx7411.c b/drivers/usb/typec/anx7411.c +index c0f0842d443c..f178d0eb47b1 100644 +--- a/drivers/usb/typec/anx7411.c ++++ b/drivers/usb/typec/anx7411.c +@@ -1105,7 +1105,7 @@ static int anx7411_typec_switch_probe(struct anx7411_data *ctx, + int ret; + struct device_node *node; + +- node = of_find_node_by_name(dev->of_node, "orientation_switch"); ++ node = of_get_child_by_name(dev->of_node, "orientation_switch"); + if (!node) + return 0; + +@@ -1115,7 +1115,7 @@ static int anx7411_typec_switch_probe(struct anx7411_data *ctx, + return ret; + } + +- node = of_find_node_by_name(dev->of_node, "mode_switch"); ++ node = of_get_child_by_name(dev->of_node, "mode_switch"); + if (!node) { + dev_err(dev, "no typec mux exist"); + ret = -ENODEV; +-- +2.35.1 + diff --git a/queue-6.0/usb-typec-ucsi-don-t-warn-on-probe-deferral.patch b/queue-6.0/usb-typec-ucsi-don-t-warn-on-probe-deferral.patch new file mode 100644 index 00000000000..aee24971f4d --- /dev/null +++ b/queue-6.0/usb-typec-ucsi-don-t-warn-on-probe-deferral.patch @@ -0,0 +1,50 @@ +From 18d701f246f3b9822e3f95eca78bdd5d9b887a4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 21:45:12 +0800 +Subject: usb: typec: ucsi: Don't warn on probe deferral + +From: Wayne Chang + +[ Upstream commit fce703a991b7e8c7e1371de95b9abaa832ecf9c3 ] + +Deferred probe is an expected return value for fwnode_usb_role_switch_get(). +Given that the driver deals with it properly, there's no need to output a +warning that may potentially confuse users. + +-- +V2 -> V3: remove the Fixes and Cc +V1 -> V2: adjust the coding style for better reading format. + drivers/usb/typec/ucsi/ucsi.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +Signed-off-by: Wayne Chang +Acked-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20220927134512.2651067-1-waynec@nvidia.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/ucsi/ucsi.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c +index 6364f0d467ea..74fb5a4c6f21 100644 +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -1067,11 +1067,9 @@ static int ucsi_register_port(struct ucsi *ucsi, int index) + + cap->fwnode = ucsi_find_fwnode(con); + con->usb_role_sw = fwnode_usb_role_switch_get(cap->fwnode); +- if (IS_ERR(con->usb_role_sw)) { +- dev_err(ucsi->dev, "con%d: failed to get usb role switch\n", +- con->num); +- return PTR_ERR(con->usb_role_sw); +- } ++ if (IS_ERR(con->usb_role_sw)) ++ return dev_err_probe(ucsi->dev, PTR_ERR(con->usb_role_sw), ++ "con%d: failed to get usb role switch\n", con->num); + + /* Delay other interactions with the con until registration is complete */ + mutex_lock(&con->lock); +-- +2.35.1 + diff --git a/queue-6.0/userfaultfd-open-userfaultfds-with-o_rdonly.patch b/queue-6.0/userfaultfd-open-userfaultfds-with-o_rdonly.patch new file mode 100644 index 00000000000..e6d663db97d --- /dev/null +++ b/queue-6.0/userfaultfd-open-userfaultfds-with-o_rdonly.patch @@ -0,0 +1,57 @@ +From 89de16ed4de5d674bcc12d82ecc05e060ea1f1f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Jul 2022 11:34:51 +0200 +Subject: userfaultfd: open userfaultfds with O_RDONLY + +From: Ondrej Mosnacek + +[ Upstream commit abec3d015fdfb7c63105c7e1c956188bf381aa55 ] + +Since userfaultfd doesn't implement a write operation, it is more +appropriate to open it read-only. + +When userfaultfds are opened read-write like it is now, and such fd is +passed from one process to another, SELinux will check both read and +write permissions for the target process, even though it can't actually +do any write operation on the fd later. + +Inspired by the following bug report, which has hit the SELinux scenario +described above: +https://bugzilla.redhat.com/show_bug.cgi?id=1974559 + +Reported-by: Robert O'Callahan +Fixes: 86039bd3b4e6 ("userfaultfd: add new syscall to provide memory externalization") +Signed-off-by: Ondrej Mosnacek +Acked-by: Peter Xu +Acked-by: Christian Brauner (Microsoft) +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + fs/userfaultfd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c +index 175de70e3adf..0c1d33c4f74c 100644 +--- a/fs/userfaultfd.c ++++ b/fs/userfaultfd.c +@@ -991,7 +991,7 @@ static int resolve_userfault_fork(struct userfaultfd_ctx *new, + int fd; + + fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, new, +- O_RDWR | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode); ++ O_RDONLY | (new->flags & UFFD_SHARED_FCNTL_FLAGS), inode); + if (fd < 0) + return fd; + +@@ -2094,7 +2094,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags) + mmgrab(ctx->mm); + + fd = anon_inode_getfd_secure("[userfaultfd]", &userfaultfd_fops, ctx, +- O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL); ++ O_RDONLY | (flags & UFFD_SHARED_FCNTL_FLAGS), NULL); + if (fd < 0) { + mmdrop(ctx->mm); + kmem_cache_free(userfaultfd_ctx_cachep, ctx); +-- +2.35.1 + diff --git a/queue-6.0/vhost-vsock-use-kvmalloc-kvfree-for-larger-packets.patch b/queue-6.0/vhost-vsock-use-kvmalloc-kvfree-for-larger-packets.patch new file mode 100644 index 00000000000..a200399726b --- /dev/null +++ b/queue-6.0/vhost-vsock-use-kvmalloc-kvfree-for-larger-packets.patch @@ -0,0 +1,73 @@ +From 304ff12caade1f81acf2d5c2086750054fcaceb1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 15:45:38 +0900 +Subject: vhost/vsock: Use kvmalloc/kvfree for larger packets. + +From: Junichi Uekawa + +[ Upstream commit 0e3f72931fc47bb81686020cc643cde5d9cd0bb8 ] + +When copying a large file over sftp over vsock, data size is usually 32kB, +and kmalloc seems to fail to try to allocate 32 32kB regions. + + vhost-5837: page allocation failure: order:4, mode:0x24040c0 + Call Trace: + [] dump_stack+0x97/0xdb + [] warn_alloc_failed+0x10f/0x138 + [] ? __alloc_pages_direct_compact+0x38/0xc8 + [] __alloc_pages_nodemask+0x84c/0x90d + [] alloc_kmem_pages+0x17/0x19 + [] kmalloc_order_trace+0x2b/0xdb + [] __kmalloc+0x177/0x1f7 + [] ? copy_from_iter+0x8d/0x31d + [] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock] + [] vhost_worker+0xf7/0x157 [vhost] + [] kthread+0xfd/0x105 + [] ? vhost_dev_set_owner+0x22e/0x22e [vhost] + [] ? flush_kthread_worker+0xf3/0xf3 + [] ret_from_fork+0x4e/0x80 + [] ? flush_kthread_worker+0xf3/0xf3 + +Work around by doing kvmalloc instead. + +Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko") +Signed-off-by: Junichi Uekawa +Reviewed-by: Stefano Garzarella +Acked-by: Michael S. Tsirkin +Link: https://lore.kernel.org/r/20220928064538.667678-1-uekawa@chromium.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/vhost/vsock.c | 2 +- + net/vmw_vsock/virtio_transport_common.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c +index 368330417bde..5703775af129 100644 +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -393,7 +393,7 @@ vhost_vsock_alloc_pkt(struct vhost_virtqueue *vq, + return NULL; + } + +- pkt->buf = kmalloc(pkt->len, GFP_KERNEL); ++ pkt->buf = kvmalloc(pkt->len, GFP_KERNEL); + if (!pkt->buf) { + kfree(pkt); + return NULL; +diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c +index ec2c2afbf0d0..3a12aee33e92 100644 +--- a/net/vmw_vsock/virtio_transport_common.c ++++ b/net/vmw_vsock/virtio_transport_common.c +@@ -1342,7 +1342,7 @@ EXPORT_SYMBOL_GPL(virtio_transport_recv_pkt); + + void virtio_transport_free_pkt(struct virtio_vsock_pkt *pkt) + { +- kfree(pkt->buf); ++ kvfree(pkt->buf); + kfree(pkt); + } + EXPORT_SYMBOL_GPL(virtio_transport_free_pkt); +-- +2.35.1 + diff --git a/queue-6.0/video-aperture-disable-and-unregister-sysfb-devices-.patch b/queue-6.0/video-aperture-disable-and-unregister-sysfb-devices-.patch new file mode 100644 index 00000000000..b8ba7b30fe6 --- /dev/null +++ b/queue-6.0/video-aperture-disable-and-unregister-sysfb-devices-.patch @@ -0,0 +1,102 @@ +From d3e0d92fc3e193198a27b5248afc722a580443f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Jul 2022 09:23:18 +0200 +Subject: video/aperture: Disable and unregister sysfb devices via aperture + helpers + +From: Thomas Zimmermann + +[ Upstream commit 5e01376124309b4dbd30d413f43c0d9c2f60edea ] + +Call sysfb_disable() before removing conflicting devices in aperture +helpers. Fixes sysfb state if fbdev has been disabled. + +Signed-off-by: Thomas Zimmermann +Reviewed-by: Javier Martinez Canillas +Fixes: fb84efa28a48 ("drm/aperture: Run fbdev removal before internal helpers") +Cc: Zack Rusin +Cc: Thomas Zimmermann +Cc: Javier Martinez Canillas +Cc: Daniel Vetter +Cc: Daniel Vetter +Cc: Sam Ravnborg +Cc: Helge Deller +Cc: Alex Deucher +Cc: Zhen Lei +Cc: Changcheng Deng +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: dri-devel@lists.freedesktop.org +Link: https://patchwork.freedesktop.org/patch/msgid/20220718072322.8927-8-tzimmermann@suse.de +Signed-off-by: Sasha Levin +--- + drivers/video/aperture.c | 14 ++++++++++++++ + drivers/video/fbdev/core/fbmem.c | 12 ------------ + 2 files changed, 14 insertions(+), 12 deletions(-) + +diff --git a/drivers/video/aperture.c b/drivers/video/aperture.c +index 538f2d40acda..d245826a9324 100644 +--- a/drivers/video/aperture.c ++++ b/drivers/video/aperture.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -286,7 +287,20 @@ int aperture_remove_conflicting_devices(resource_size_t base, resource_size_t si + #if IS_REACHABLE(CONFIG_FB) + struct apertures_struct *a; + int ret; ++#endif ++ ++ /* ++ * If a driver asked to unregister a platform device registered by ++ * sysfb, then can be assumed that this is a driver for a display ++ * that is set up by the system firmware and has a generic driver. ++ * ++ * Drivers for devices that don't have a generic driver will never ++ * ask for this, so let's assume that a real driver for the display ++ * was already probed and prevent sysfb to register devices later. ++ */ ++ sysfb_disable(); + ++#if IS_REACHABLE(CONFIG_FB) + a = alloc_apertures(1); + if (!a) + return -ENOMEM; +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index 02b0cf2cfafe..bda4d304feb6 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -19,7 +19,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -1777,17 +1776,6 @@ int remove_conflicting_framebuffers(struct apertures_struct *a, + do_free = true; + } + +- /* +- * If a driver asked to unregister a platform device registered by +- * sysfb, then can be assumed that this is a driver for a display +- * that is set up by the system firmware and has a generic driver. +- * +- * Drivers for devices that don't have a generic driver will never +- * ask for this, so let's assume that a real driver for the display +- * was already probed and prevent sysfb to register devices later. +- */ +- sysfb_disable(); +- + mutex_lock(®istration_lock); + do_remove_conflicting_framebuffers(a, name, primary); + mutex_unlock(®istration_lock); +-- +2.35.1 + diff --git a/queue-6.0/virtio-gpu-fix-shift-wrapping-bug-in-virtio_gpu_fenc.patch b/queue-6.0/virtio-gpu-fix-shift-wrapping-bug-in-virtio_gpu_fenc.patch new file mode 100644 index 00000000000..6b2b1b38a97 --- /dev/null +++ b/queue-6.0/virtio-gpu-fix-shift-wrapping-bug-in-virtio_gpu_fenc.patch @@ -0,0 +1,41 @@ +From e5c15f1eb76463cd6e82d028369d4298157f2ad9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 09:36:30 +0300 +Subject: virtio-gpu: fix shift wrapping bug in virtio_gpu_fence_event_create() + +From: Dan Carpenter + +[ Upstream commit 37a78445763a5921bb54e9bad01937d0dfa521c1 ] + +The ->ring_idx_mask variable is a u64 so static checkers, Smatch in +this case, complain if the BIT() is not also a u64. + +drivers/gpu/drm/virtio/virtgpu_ioctl.c:50 virtio_gpu_fence_event_create() +warn: should '(1 << ring_idx)' be a 64 bit type? + +Fixes: cd7f5ca33585 ("drm/virtio: implement context init: add virtio_gpu_fence_event") +Signed-off-by: Dan Carpenter +Reviewed-by: Chia-I Wu +Link: http://patchwork.freedesktop.org/patch/msgid/YygN7jY0GdUSQSy0@kili +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_ioctl.c b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +index 3b1701607aae..5d05093014ac 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c ++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +@@ -47,7 +47,7 @@ static int virtio_gpu_fence_event_create(struct drm_device *dev, + struct virtio_gpu_fence_event *e = NULL; + int ret; + +- if (!(vfpriv->ring_idx_mask & (1 << ring_idx))) ++ if (!(vfpriv->ring_idx_mask & BIT_ULL(ring_idx))) + return 0; + + e = kzalloc(sizeof(*e), GFP_KERNEL); +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch b/queue-6.0/wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch new file mode 100644 index 00000000000..ab0cfcc21ae --- /dev/null +++ b/queue-6.0/wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch @@ -0,0 +1,206 @@ +From 06592ddb5a729956d0d0867d200261e541691a99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 10:19:30 -0400 +Subject: wifi: ath10k: add peer map clean up for peer delete in + ath10k_sta_state() + +From: Wen Gong + +[ Upstream commit f020d9570a04df0762a2ac5c50cf1d8c511c9164 ] + +When peer delete failed in a disconnect operation, use-after-free +detected by KFENCE in below log. It is because for each vdev_id and +address, it has only one struct ath10k_peer, it is allocated in +ath10k_peer_map_event(). When connected to an AP, it has more than +one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the +array peer_map of struct ath10k will be set muti-elements to the +same ath10k_peer in ath10k_peer_map_event(). When peer delete failed +in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer +id in array peer_map of struct ath10k, and then use-after-free happened +for the 2nd peer id because they map to the same ath10k_peer. + +And clean up all peers in array peer_map for the ath10k_peer, then +user-after-free disappeared + +peer map event log: +[ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e +[ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33 +[ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246 +[ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198 +[ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166 + +peer unmap event log: +[ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING) +[ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone) +[ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246 +[ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198 +[ 435.717193] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166 + +use-after-free log: +[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING) +[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110 +[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed +[21713.799968] ================================================================== +[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core] +[21713.799991] +[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69): +[21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core] +[21713.800041] drv_sta_state+0x115/0x677 [mac80211] +[21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211] +[21713.800076] __sta_info_flush+0x11d/0x162 [mac80211] +[21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] +[21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] +[21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] +[21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211] +[21713.800161] genl_rcv_msg+0x38e/0x3be +[21713.800166] netlink_rcv_skb+0x89/0xf7 +[21713.800171] genl_rcv+0x28/0x36 +[21713.800176] netlink_unicast+0x179/0x24b +[21713.800181] netlink_sendmsg+0x3a0/0x40e +[21713.800187] sock_sendmsg+0x72/0x76 +[21713.800192] ____sys_sendmsg+0x16d/0x1e3 +[21713.800196] ___sys_sendmsg+0x95/0xd1 +[21713.800200] __sys_sendmsg+0x85/0xbf +[21713.800205] do_syscall_64+0x43/0x55 +[21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[21713.800213] +[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k +[21713.800219] +[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s: +[21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core] +[21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core] +[21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core] +[21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core] +[21713.800283] ath10k_pci_process_rx_cb+0x195/0x1df [ath10k_pci] +[21713.800294] ath10k_ce_per_engine_service+0x55/0x74 [ath10k_core] +[21713.800305] ath10k_ce_per_engine_service_any+0x76/0x84 [ath10k_core] +[21713.800310] ath10k_pci_napi_poll+0x49/0x144 [ath10k_pci] +[21713.800316] net_rx_action+0xdc/0x361 +[21713.800320] __do_softirq+0x163/0x29a +[21713.800325] asm_call_irq_on_stack+0x12/0x20 +[21713.800331] do_softirq_own_stack+0x3c/0x48 +[21713.800337] __irq_exit_rcu+0x9b/0x9d +[21713.800342] common_interrupt+0xc9/0x14d +[21713.800346] asm_common_interrupt+0x1e/0x40 +[21713.800351] ksoftirqd_should_run+0x5/0x16 +[21713.800357] smpboot_thread_fn+0x148/0x211 +[21713.800362] kthread+0x150/0x15f +[21713.800367] ret_from_fork+0x22/0x30 +[21713.800370] +[21713.800374] freed by task 708 on cpu 1 at 21713.799953s: +[21713.800498] ath10k_sta_state+0x2c6/0xb8a [ath10k_core] +[21713.800515] drv_sta_state+0x115/0x677 [mac80211] +[21713.800532] __sta_info_destroy_part2+0xb1/0x133 [mac80211] +[21713.800548] __sta_info_flush+0x11d/0x162 [mac80211] +[21713.800565] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] +[21713.800581] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] +[21713.800598] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] +[21713.800614] nl80211_deauthenticate+0xf8/0x121 [cfg80211] +[21713.800619] genl_rcv_msg+0x38e/0x3be +[21713.800623] netlink_rcv_skb+0x89/0xf7 +[21713.800628] genl_rcv+0x28/0x36 +[21713.800632] netlink_unicast+0x179/0x24b +[21713.800637] netlink_sendmsg+0x3a0/0x40e +[21713.800642] sock_sendmsg+0x72/0x76 +[21713.800646] ____sys_sendmsg+0x16d/0x1e3 +[21713.800651] ___sys_sendmsg+0x95/0xd1 +[21713.800655] __sys_sendmsg+0x85/0xbf +[21713.800659] do_syscall_64+0x43/0x55 +[21713.800663] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1 + +Fixes: d0eeafad1189 ("ath10k: Clean up peer when sta goes away.") +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220801141930.16794-1-quic_wgong@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 54 ++++++++++++++------------- + 1 file changed, 29 insertions(+), 25 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 9dd3b8fba4b0..23381a9db6ae 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -864,11 +864,36 @@ static int ath10k_peer_delete(struct ath10k *ar, u32 vdev_id, const u8 *addr) + return 0; + } + ++static void ath10k_peer_map_cleanup(struct ath10k *ar, struct ath10k_peer *peer) ++{ ++ int peer_id, i; ++ ++ lockdep_assert_held(&ar->conf_mutex); ++ ++ for_each_set_bit(peer_id, peer->peer_ids, ++ ATH10K_MAX_NUM_PEER_IDS) { ++ ar->peer_map[peer_id] = NULL; ++ } ++ ++ /* Double check that peer is properly un-referenced from ++ * the peer_map ++ */ ++ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) { ++ if (ar->peer_map[i] == peer) { ++ ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %pK idx %d)\n", ++ peer->addr, peer, i); ++ ar->peer_map[i] = NULL; ++ } ++ } ++ ++ list_del(&peer->list); ++ kfree(peer); ++ ar->num_peers--; ++} ++ + static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id) + { + struct ath10k_peer *peer, *tmp; +- int peer_id; +- int i; + + lockdep_assert_held(&ar->conf_mutex); + +@@ -880,25 +905,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id) + ath10k_warn(ar, "removing stale peer %pM from vdev_id %d\n", + peer->addr, vdev_id); + +- for_each_set_bit(peer_id, peer->peer_ids, +- ATH10K_MAX_NUM_PEER_IDS) { +- ar->peer_map[peer_id] = NULL; +- } +- +- /* Double check that peer is properly un-referenced from +- * the peer_map +- */ +- for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) { +- if (ar->peer_map[i] == peer) { +- ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %pK idx %d)\n", +- peer->addr, peer, i); +- ar->peer_map[i] = NULL; +- } +- } +- +- list_del(&peer->list); +- kfree(peer); +- ar->num_peers--; ++ ath10k_peer_map_cleanup(ar, peer); + } + spin_unlock_bh(&ar->data_lock); + } +@@ -7621,10 +7628,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, + /* Clean up the peer object as well since we + * must have failed to do this above. + */ +- list_del(&peer->list); +- ar->peer_map[i] = NULL; +- kfree(peer); +- ar->num_peers--; ++ ath10k_peer_map_cleanup(ar, peer); + } + } + spin_unlock_bh(&ar->data_lock); +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch b/queue-6.0/wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch new file mode 100644 index 00000000000..18a54b1e3cd --- /dev/null +++ b/queue-6.0/wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch @@ -0,0 +1,64 @@ +From 3c40c49b26b3d3270cda809d326aa0b2a82eef63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 18:23:54 +0300 +Subject: wifi: ath10k: reset pointer after memory free to avoid potential + use-after-free + +From: Wen Gong + +[ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ] + +When running suspend test, kernel crash happened in ath10k, and it is +fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend +for driver state RESTARTING"). + +Currently the crash is fixed, but as a common code style, it is better +to set the pointer to NULL after memory is free. + +This is to address the code style and it will avoid potential bug of +use-after-free. + +Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220505092248.787-1-quic_wgong@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index 8a075a711b71..f84f6c4c2a7a 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -301,12 +301,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt) + ath10k_htt_get_vaddr_ring(htt), + htt->rx_ring.base_paddr); + ++ ath10k_htt_config_paddrs_ring(htt, NULL); ++ + dma_free_coherent(htt->ar->dev, + sizeof(*htt->rx_ring.alloc_idx.vaddr), + htt->rx_ring.alloc_idx.vaddr, + htt->rx_ring.alloc_idx.paddr); ++ htt->rx_ring.alloc_idx.vaddr = NULL; + + kfree(htt->rx_ring.netbufs_ring); ++ htt->rx_ring.netbufs_ring = NULL; + } + + static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt) +@@ -846,8 +850,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt) + ath10k_htt_get_rx_ring_size(htt), + vaddr_ring, + htt->rx_ring.base_paddr); ++ ath10k_htt_config_paddrs_ring(htt, NULL); + err_dma_ring: + kfree(htt->rx_ring.netbufs_ring); ++ htt->rx_ring.netbufs_ring = NULL; + err_netbuf: + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath10k-set-tx-credit-to-one-for-wcn3990-snoc-ba.patch b/queue-6.0/wifi-ath10k-set-tx-credit-to-one-for-wcn3990-snoc-ba.patch new file mode 100644 index 00000000000..167765744aa --- /dev/null +++ b/queue-6.0/wifi-ath10k-set-tx-credit-to-one-for-wcn3990-snoc-ba.patch @@ -0,0 +1,211 @@ +From f46af31f230371153133c822311ab4d69d8bc1cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 19:19:41 +0530 +Subject: wifi: ath10k: Set tx credit to one for WCN3990 snoc based devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Youghandhar Chintala + +[ Upstream commit d81bbb684c250a637186d9286d75b1cb04d2986c ] + +Currently host can send two WMI commands at once. There is possibility to +cause SMMU issues or corruption, if host wants to initiate 2 DMA +transfers, it is possible when copy complete interrupt for first DMA +reaches host, CE has already updated SRRI (Source ring read index) for +both DMA transfers and is in the middle of 2nd DMA. Host uses SRRI +(Source ring read index) to interpret how many DMA’s have been completed +and tries to unmap/free both the DMA entries. Hence now it is limiting to +one.Because CE is still in the middle of 2nd DMA which can cause these +issues when handling two DMA transfers. + +This change will not impact other targets, as it is only for WCN3990. + +Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1 + +Signed-off-by: Youghandhar Chintala +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220801134941.15216-1-quic_youghand@quicinc.com +Stable-dep-of: f020d9570a04 ("wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/core.c | 16 ++++++++++++++++ + drivers/net/wireless/ath/ath10k/htc.c | 11 ++++++++--- + drivers/net/wireless/ath/ath10k/hw.h | 2 ++ + 3 files changed, 26 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c +index 276954b70d63..d1ac64026cb3 100644 +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -98,6 +98,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = true, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA988X_HW_2_0_VERSION, +@@ -136,6 +137,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = true, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA9887_HW_1_0_VERSION, +@@ -175,6 +177,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA6174_HW_3_2_VERSION, +@@ -209,6 +212,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .supports_peer_stats_info = true, + .dynamic_sar_support = true, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA6174_HW_2_1_VERSION, +@@ -247,6 +251,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA6174_HW_2_1_VERSION, +@@ -285,6 +290,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA6174_HW_3_0_VERSION, +@@ -323,6 +329,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA6174_HW_3_2_VERSION, +@@ -365,6 +372,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .supports_peer_stats_info = true, + .dynamic_sar_support = true, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA99X0_HW_2_0_DEV_VERSION, +@@ -409,6 +417,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA9984_HW_1_0_DEV_VERSION, +@@ -460,6 +469,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA9888_HW_2_0_DEV_VERSION, +@@ -508,6 +518,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA9377_HW_1_0_DEV_VERSION, +@@ -546,6 +557,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA9377_HW_1_1_DEV_VERSION, +@@ -586,6 +598,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA9377_HW_1_1_DEV_VERSION, +@@ -617,6 +630,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .credit_size_workaround = true, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = QCA4019_HW_1_0_DEV_VERSION, +@@ -662,6 +676,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = false, + .hw_restart_disconnect = false, ++ .use_fw_tx_credits = true, + }, + { + .id = WCN3990_HW_1_0_DEV_VERSION, +@@ -693,6 +708,7 @@ static const struct ath10k_hw_params ath10k_hw_params_list[] = { + .tx_stats_over_pktlog = false, + .dynamic_sar_support = true, + .hw_restart_disconnect = true, ++ .use_fw_tx_credits = false, + }, + }; + +diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c +index fab398046a3f..6d1784f74bea 100644 +--- a/drivers/net/wireless/ath/ath10k/htc.c ++++ b/drivers/net/wireless/ath/ath10k/htc.c +@@ -947,13 +947,18 @@ int ath10k_htc_wait_target(struct ath10k_htc *htc) + return -ECOMM; + } + +- htc->total_transmit_credits = __le16_to_cpu(msg->ready.credit_count); ++ if (ar->hw_params.use_fw_tx_credits) ++ htc->total_transmit_credits = __le16_to_cpu(msg->ready.credit_count); ++ else ++ htc->total_transmit_credits = 1; ++ + htc->target_credit_size = __le16_to_cpu(msg->ready.credit_size); + + ath10k_dbg(ar, ATH10K_DBG_HTC, +- "Target ready! transmit resources: %d size:%d\n", ++ "Target ready! transmit resources: %d size:%d actual credits:%d\n", + htc->total_transmit_credits, +- htc->target_credit_size); ++ htc->target_credit_size, ++ msg->ready.credit_count); + + if ((htc->total_transmit_credits == 0) || + (htc->target_credit_size == 0)) { +diff --git a/drivers/net/wireless/ath/ath10k/hw.h b/drivers/net/wireless/ath/ath10k/hw.h +index 93acf0dd580a..1b99f3a39a11 100644 +--- a/drivers/net/wireless/ath/ath10k/hw.h ++++ b/drivers/net/wireless/ath/ath10k/hw.h +@@ -635,6 +635,8 @@ struct ath10k_hw_params { + bool dynamic_sar_support; + + bool hw_restart_disconnect; ++ ++ bool use_fw_tx_credits; + }; + + struct htt_resp; +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath11k-fix-failed-to-find-the-peer-with-peer_id.patch b/queue-6.0/wifi-ath11k-fix-failed-to-find-the-peer-with-peer_id.patch new file mode 100644 index 00000000000..4809d97b821 --- /dev/null +++ b/queue-6.0/wifi-ath11k-fix-failed-to-find-the-peer-with-peer_id.patch @@ -0,0 +1,98 @@ +From 6d59ad459497739b0d17be84e0a298dd75d8f8b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 18:23:41 +0300 +Subject: wifi: ath11k: fix failed to find the peer with peer_id 0 when + disconnected + +From: Wen Gong + +[ Upstream commit a20ed60bb357776301c2dad7b4a4f0db97e143e9 ] + +It has a fail log which is ath11k_dbg in ath11k_dp_rx_process_mon_status(), +as below, it will not print when debug_mask is not set ATH11K_DBG_DATA. + ath11k_dbg(ab, ATH11K_DBG_DATA, + "failed to find the peer with peer_id %d\n", + ppdu_info.peer_id); + +When run scan with station disconnected, the peer_id is 0 for case +HAL_RX_MPDU_START in ath11k_hal_rx_parse_mon_status_tlv() which called +from ath11k_dp_rx_process_mon_status(), and the peer_id of ppdu_info is +reset to 0 in the while loop, so it does not match condition of the +check "if (ppdu_info->peer_id == HAL_INVALID_PEERID" in the loop, and +then the log "failed to find the peer with peer_id 0" print after the +check in the loop, it is below call stack when debug_mask is set +ATH11K_DBG_DATA. + +The reason is this commit 01d2f285e3e5 ("ath11k: decode HE status tlv") +add "memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info))" in +ath11k_dp_rx_process_mon_status(), but the commit does not initialize +the peer_id to HAL_INVALID_PEERID, then lead the check mis-match. + +Callstack of the failed log: +[12335.689072] RIP: 0010:ath11k_dp_rx_process_mon_status+0x9ea/0x1020 [ath11k] +[12335.689157] Code: 89 ff e8 f9 10 00 00 be 01 00 00 00 4c 89 f7 e8 dc 4b 4e de 48 8b 85 38 ff ff ff c7 80 e4 07 00 00 01 00 00 00 e9 20 f8 ff ff <0f> 0b 41 0f b7 96 be 06 00 00 48 c7 c6 b8 50 44 c1 4c 89 ff e8 fd +[12335.689180] RSP: 0018:ffffb874001a4ca0 EFLAGS: 00010246 +[12335.689210] RAX: 0000000000000000 RBX: ffff995642cbd100 RCX: 0000000000000000 +[12335.689229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99564212cd18 +[12335.689248] RBP: ffffb874001a4dc0 R08: 0000000000000001 R09: 0000000000000000 +[12335.689268] R10: 0000000000000220 R11: ffffb874001a48e8 R12: ffff995642473d40 +[12335.689286] R13: ffff99564212c5b8 R14: ffff9956424736a0 R15: ffff995642120000 +[12335.689303] FS: 0000000000000000(0000) GS:ffff995739000000(0000) knlGS:0000000000000000 +[12335.689323] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[12335.689341] CR2: 00007f43c5d5e039 CR3: 000000011c012005 CR4: 00000000000606e0 +[12335.689360] Call Trace: +[12335.689377] +[12335.689418] ? rcu_read_lock_held_common+0x12/0x50 +[12335.689447] ? rcu_read_lock_sched_held+0x25/0x80 +[12335.689471] ? rcu_read_lock_held_common+0x12/0x50 +[12335.689504] ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k] +[12335.689578] ? ath11k_dp_rx_process_mon_rings+0x8d/0x4f0 [ath11k] +[12335.689653] ? lock_acquire+0xef/0x360 +[12335.689681] ? rcu_read_lock_sched_held+0x25/0x80 +[12335.689713] ath11k_dp_service_mon_ring+0x38/0x60 [ath11k] +[12335.689784] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k] +[12335.689860] call_timer_fn+0xb2/0x2f0 +[12335.689897] ? ath11k_dp_rx_process_mon_rings+0x4f0/0x4f0 [ath11k] +[12335.689970] run_timer_softirq+0x21f/0x540 +[12335.689999] ? ktime_get+0xad/0x160 +[12335.690025] ? lapic_next_deadline+0x2c/0x40 +[12335.690053] ? clockevents_program_event+0x82/0x100 +[12335.690093] __do_softirq+0x151/0x4a8 +[12335.690135] irq_exit_rcu+0xc9/0x100 +[12335.690165] sysvec_apic_timer_interrupt+0xa8/0xd0 +[12335.690189] +[12335.690204] +[12335.690225] asm_sysvec_apic_timer_interrupt+0x12/0x20 + +Reset the default value to HAL_INVALID_PEERID each time after memset +of ppdu_info as well as others memset which existed in function +ath11k_dp_rx_process_mon_status(), then the failed log disappeared. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 + +Fixes: 01d2f285e3e5 ("ath11k: decode HE status tlv") +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220518033556.31940-1-quic_wgong@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c +index 2148acf37071..e9c56ad1ec9d 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -5197,7 +5197,8 @@ int ath11k_dp_rx_process_mon_status(struct ath11k_base *ab, int mac_id, + if (log_type != ATH11K_PKTLOG_TYPE_INVALID) + trace_ath11k_htt_rxdesc(ar, skb->data, log_type, rx_buf_sz); + +- memset(ppdu_info, 0, sizeof(struct hal_rx_mon_ppdu_info)); ++ memset(ppdu_info, 0, sizeof(*ppdu_info)); ++ ppdu_info->peer_id = HAL_INVALID_PEERID; + hal_status = ath11k_hal_rx_parse_mon_status(ab, ppdu_info, skb); + + if (test_bit(ATH11K_FLAG_MONITOR_STARTED, &ar->monitor_flags) && +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath11k-fix-incorrect-qmi-message-id-mappings.patch b/queue-6.0/wifi-ath11k-fix-incorrect-qmi-message-id-mappings.patch new file mode 100644 index 00000000000..625e420fd4d --- /dev/null +++ b/queue-6.0/wifi-ath11k-fix-incorrect-qmi-message-id-mappings.patch @@ -0,0 +1,152 @@ +From 65b187c2c43c721d9084e7f3538b1e3aa664276e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 09:04:19 +0300 +Subject: wifi: ath11k: Fix incorrect QMI message ID mappings + +From: Manikanta Pubbisetty + +[ Upstream commit b3ca32308e46b6384fdcb7e64b3fca4f61aff14b ] + +QMI message IDs for some of the QMI messages were incorrectly +defined in the original implementation. These have to be corrected +to enable cold boot support on WCN6750. These corrections are +applicable for all chipsets and will not impact them. Refactor the +code accordingly. + +Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Manikanta Pubbisetty +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220720134909.15626-2-quic_mpubbise@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/qmi.c | 38 ++++++++++++++++++++++++--- + drivers/net/wireless/ath/ath11k/qmi.h | 10 +++++-- + 2 files changed, 43 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c +index 00136601cb7d..e6ced8597e1d 100644 +--- a/drivers/net/wireless/ath/ath11k/qmi.c ++++ b/drivers/net/wireless/ath/ath11k/qmi.c +@@ -1696,6 +1696,13 @@ static struct qmi_elem_info qmi_wlanfw_wlan_ini_resp_msg_v01_ei[] = { + }, + }; + ++static struct qmi_elem_info qmi_wlfw_fw_init_done_ind_msg_v01_ei[] = { ++ { ++ .data_type = QMI_EOTI, ++ .array_type = NO_ARRAY, ++ }, ++}; ++ + static int ath11k_qmi_host_cap_send(struct ath11k_base *ab) + { + struct qmi_wlanfw_host_cap_req_msg_v01 req; +@@ -3006,6 +3013,10 @@ static void ath11k_qmi_msg_fw_ready_cb(struct qmi_handle *qmi_hdl, + struct ath11k_base *ab = qmi->ab; + + ath11k_dbg(ab, ATH11K_DBG_QMI, "qmi firmware ready\n"); ++ ++ ab->qmi.cal_done = 1; ++ wake_up(&ab->qmi.cold_boot_waitq); ++ + ath11k_qmi_driver_event_post(qmi, ATH11K_QMI_EVENT_FW_READY, NULL); + } + +@@ -3018,11 +3029,22 @@ static void ath11k_qmi_msg_cold_boot_cal_done_cb(struct qmi_handle *qmi_hdl, + struct ath11k_qmi, handle); + struct ath11k_base *ab = qmi->ab; + +- ab->qmi.cal_done = 1; +- wake_up(&ab->qmi.cold_boot_waitq); + ath11k_dbg(ab, ATH11K_DBG_QMI, "qmi cold boot calibration done\n"); + } + ++static void ath11k_qmi_msg_fw_init_done_cb(struct qmi_handle *qmi_hdl, ++ struct sockaddr_qrtr *sq, ++ struct qmi_txn *txn, ++ const void *decoded) ++{ ++ struct ath11k_qmi *qmi = container_of(qmi_hdl, ++ struct ath11k_qmi, handle); ++ struct ath11k_base *ab = qmi->ab; ++ ++ ath11k_qmi_driver_event_post(qmi, ATH11K_QMI_EVENT_FW_INIT_DONE, NULL); ++ ath11k_dbg(ab, ATH11K_DBG_QMI, "qmi firmware init done\n"); ++} ++ + static const struct qmi_msg_handler ath11k_qmi_msg_handlers[] = { + { + .type = QMI_INDICATION, +@@ -3053,6 +3075,14 @@ static const struct qmi_msg_handler ath11k_qmi_msg_handlers[] = { + sizeof(struct qmi_wlanfw_fw_cold_cal_done_ind_msg_v01), + .fn = ath11k_qmi_msg_cold_boot_cal_done_cb, + }, ++ { ++ .type = QMI_INDICATION, ++ .msg_id = QMI_WLFW_FW_INIT_DONE_IND_V01, ++ .ei = qmi_wlfw_fw_init_done_ind_msg_v01_ei, ++ .decoded_size = ++ sizeof(struct qmi_wlfw_fw_init_done_ind_msg_v01), ++ .fn = ath11k_qmi_msg_fw_init_done_cb, ++ }, + }; + + static int ath11k_qmi_ops_new_server(struct qmi_handle *qmi_hdl, +@@ -3145,7 +3175,7 @@ static void ath11k_qmi_driver_event_work(struct work_struct *work) + } + + break; +- case ATH11K_QMI_EVENT_FW_READY: ++ case ATH11K_QMI_EVENT_FW_INIT_DONE: + clear_bit(ATH11K_FLAG_QMI_FAIL, &ab->dev_flags); + if (test_bit(ATH11K_FLAG_REGISTERED, &ab->dev_flags)) { + ath11k_hal_dump_srng_stats(ab); +@@ -3168,6 +3198,8 @@ static void ath11k_qmi_driver_event_work(struct work_struct *work) + set_bit(ATH11K_FLAG_REGISTERED, &ab->dev_flags); + } + ++ break; ++ case ATH11K_QMI_EVENT_FW_READY: + break; + case ATH11K_QMI_EVENT_COLD_BOOT_CAL_DONE: + break; +diff --git a/drivers/net/wireless/ath/ath11k/qmi.h b/drivers/net/wireless/ath/ath11k/qmi.h +index c83cf822be81..2ec56a34fa81 100644 +--- a/drivers/net/wireless/ath/ath11k/qmi.h ++++ b/drivers/net/wireless/ath/ath11k/qmi.h +@@ -31,8 +31,9 @@ + + #define QMI_WLFW_REQUEST_MEM_IND_V01 0x0035 + #define QMI_WLFW_FW_MEM_READY_IND_V01 0x0037 +-#define QMI_WLFW_COLD_BOOT_CAL_DONE_IND_V01 0x0021 +-#define QMI_WLFW_FW_READY_IND_V01 0x0038 ++#define QMI_WLFW_COLD_BOOT_CAL_DONE_IND_V01 0x003E ++#define QMI_WLFW_FW_READY_IND_V01 0x0021 ++#define QMI_WLFW_FW_INIT_DONE_IND_V01 0x0038 + + #define QMI_WLANFW_MAX_DATA_SIZE_V01 6144 + #define ATH11K_FIRMWARE_MODE_OFF 4 +@@ -69,6 +70,7 @@ enum ath11k_qmi_event_type { + ATH11K_QMI_EVENT_FORCE_FW_ASSERT, + ATH11K_QMI_EVENT_POWER_UP, + ATH11K_QMI_EVENT_POWER_DOWN, ++ ATH11K_QMI_EVENT_FW_INIT_DONE, + ATH11K_QMI_EVENT_MAX, + }; + +@@ -291,6 +293,10 @@ struct qmi_wlanfw_fw_cold_cal_done_ind_msg_v01 { + char placeholder; + }; + ++struct qmi_wlfw_fw_init_done_ind_msg_v01 { ++ char placeholder; ++}; ++ + #define QMI_WLANFW_CAP_REQ_MSG_V01_MAX_LEN 0 + #define QMI_WLANFW_CAP_RESP_MSG_V01_MAX_LEN 235 + #define QMI_WLANFW_CAP_REQ_V01 0x0024 +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath11k-fix-number-of-vht-beamformee-spatial-str.patch b/queue-6.0/wifi-ath11k-fix-number-of-vht-beamformee-spatial-str.patch new file mode 100644 index 00000000000..31424d6c421 --- /dev/null +++ b/queue-6.0/wifi-ath11k-fix-number-of-vht-beamformee-spatial-str.patch @@ -0,0 +1,101 @@ +From da1e634a6f41104b5bee569bca27f16e6d1ae73d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 10:35:14 +0300 +Subject: wifi: ath11k: fix number of VHT beamformee spatial streams + +From: Jesus Fernandez Manzano + +[ Upstream commit 55b5ee3357d7bb98ee578cf9b84a652e7a1bc199 ] + +The number of spatial streams used when acting as a beamformee in VHT +mode are reported by the firmware as 7 (8 sts - 1) both in IPQ6018 and +IPQ8074 which respectively have 2 and 4 sts each. So the firmware should +report 1 (2 - 1) and 3 (4 - 1). + +Fix this by checking that the number of VHT beamformee sts reported by +the firmware is not greater than the number of receiving antennas - 1. +The fix is based on the same approach used in this same function for +sanitizing the number of sounding dimensions reported by the firmware. + +Without this change, acting as a beamformee in VHT mode is not working +properly. + +Tested-on: IPQ6018 hw1.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1 +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Jesus Fernandez Manzano +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220616173947.21901-1-jesus.manzano@galgus.net +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index 7e91e347c9ff..7f6521314b2d 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -4954,6 +4954,8 @@ static int ath11k_mac_set_txbf_conf(struct ath11k_vif *arvif) + if (vht_cap & (IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE)) { + nsts = vht_cap & IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK; + nsts >>= IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT; ++ if (nsts > (ar->num_rx_chains - 1)) ++ nsts = ar->num_rx_chains - 1; + value |= SM(nsts, WMI_TXBF_STS_CAP_OFFSET); + } + +@@ -4994,7 +4996,7 @@ static int ath11k_mac_set_txbf_conf(struct ath11k_vif *arvif) + static void ath11k_set_vht_txbf_cap(struct ath11k *ar, u32 *vht_cap) + { + bool subfer, subfee; +- int sound_dim = 0; ++ int sound_dim = 0, nsts = 0; + + subfer = !!(*vht_cap & (IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE)); + subfee = !!(*vht_cap & (IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE)); +@@ -5004,6 +5006,11 @@ static void ath11k_set_vht_txbf_cap(struct ath11k *ar, u32 *vht_cap) + subfer = false; + } + ++ if (ar->num_rx_chains < 2) { ++ *vht_cap &= ~(IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE); ++ subfee = false; ++ } ++ + /* If SU Beaformer is not set, then disable MU Beamformer Capability */ + if (!subfer) + *vht_cap &= ~(IEEE80211_VHT_CAP_MU_BEAMFORMER_CAPABLE); +@@ -5016,7 +5023,9 @@ static void ath11k_set_vht_txbf_cap(struct ath11k *ar, u32 *vht_cap) + sound_dim >>= IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_SHIFT; + *vht_cap &= ~IEEE80211_VHT_CAP_SOUNDING_DIMENSIONS_MASK; + +- /* TODO: Need to check invalid STS and Sound_dim values set by FW? */ ++ nsts = (*vht_cap & IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK); ++ nsts >>= IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT; ++ *vht_cap &= ~IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK; + + /* Enable Sounding Dimension Field only if SU BF is enabled */ + if (subfer) { +@@ -5028,9 +5037,15 @@ static void ath11k_set_vht_txbf_cap(struct ath11k *ar, u32 *vht_cap) + *vht_cap |= sound_dim; + } + +- /* Use the STS advertised by FW unless SU Beamformee is not supported*/ +- if (!subfee) +- *vht_cap &= ~(IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK); ++ /* Enable Beamformee STS Field only if SU BF is enabled */ ++ if (subfee) { ++ if (nsts > (ar->num_rx_chains - 1)) ++ nsts = ar->num_rx_chains - 1; ++ ++ nsts <<= IEEE80211_VHT_CAP_BEAMFORMEE_STS_SHIFT; ++ nsts &= IEEE80211_VHT_CAP_BEAMFORMEE_STS_MASK; ++ *vht_cap |= nsts; ++ } + } + + static struct ieee80211_sta_vht_cap +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath11k-fix-peer-addition-deletion-error-on-sta-.patch b/queue-6.0/wifi-ath11k-fix-peer-addition-deletion-error-on-sta-.patch new file mode 100644 index 00000000000..6cbc97c1d6d --- /dev/null +++ b/queue-6.0/wifi-ath11k-fix-peer-addition-deletion-error-on-sta-.patch @@ -0,0 +1,119 @@ +From 3738b2b0a7b0b4153a0467768b2827fbedb2a531 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 10:35:14 +0300 +Subject: wifi: ath11k: fix peer addition/deletion error on sta band migration + +From: Christian 'Ansuel' Marangi + +[ Upstream commit d673cb6fe6c03b2be157cc6c5db40481828d282d ] + +This patch try to fix the following error. + +Wed Jun 1 22:19:30 2022 kern.warn kernel: [ 119.561227] ath11k c000000.wifi: peer already added vdev id 0 req, vdev id 1 present +Wed Jun 1 22:19:30 2022 kern.warn kernel: [ 119.561282] ath11k c000000.wifi: Failed to add peer: 28:c2:1f:xx:xx:xx for VDEV: 0 +Wed Jun 1 22:19:30 2022 kern.warn kernel: [ 119.568053] ath11k c000000.wifi: Failed to add station: 28:c2:1f:xx:xx:xx for VDEV: 0 +Wed Jun 1 22:19:31 2022 daemon.notice hostapd: wlan2: STA 28:c2:1f:xx:xx:xx IEEE 802.11: Could not add STA to kernel driver +Wed Jun 1 22:19:31 2022 daemon.notice hostapd: wlan2: STA 28:c2:1f:xx:xx:xx IEEE 802.11: did not acknowledge authentication response +Wed Jun 1 22:19:31 2022 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 28:c2:1f:xx:xx:xx +Wed Jun 1 22:19:31 2022 daemon.info hostapd: wlan1: STA 28:c2:1f:xx:xx:xx IEEE 802.11: disassociated due to inactivity +Wed Jun 1 22:19:32 2022 daemon.info hostapd: wlan1: STA 28:c2:1f:xx:xx:xx IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE) + +To repro this: +- Have 2 Wifi with the same bssid and pass on different band (2.4 and +5GHz) +- Enable 802.11r Fast Transaction with same mobility domain +- FT Protocol: FT over the Air +From a openwrt system issue the command (with the correct mac) +ubus call hostapd.wlan1 wnm_disassoc_imminent '{"addr":"28:C2:1F:xx:xx:xx"}' +Notice the log printing the errors. + +The cause of this error has been investigated and we found that this is +related to the WiFi Fast Transaction feature. We observed that this is +triggered when the router tells the device to change band. In this case +the device first auth to the other band and then the disconnect path +from the prev band is triggered. +This is problematic with the current rhash implementation since the +addrs is used as key and the logic of "adding first, delete later" +conflicts with the rhash logic. +In fact peer addition will fail since the peer is already added and with +that fixed a peer deletion will cause unitended effect by removing the +peer just added. + +Current solution to this is to add additional logic to the peer delete, +make sure we are deleting the correct peer taken from the rhash +table (and fallback to the peer list) and for the peer add logic delete +the peer entry for the rhash list before adding the new one (counting as +an error only when a peer with the same vlan_id is asked to be added). + +With this change, a sta can correctly transition from 2.4GHz and 5GHZ +with no drop and no error are printed. + +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01208-QCAHKSWPL_SILICONZ-1 + +Fixes: 7b0c70d92a43 ("ath11k: Add peer rhash table support") +Signed-off-by: Christian 'Ansuel' Marangi +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220603164559.27769-1-ansuelsmth@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/peer.c | 30 ++++++++++++++++++++++---- + 1 file changed, 26 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/peer.c b/drivers/net/wireless/ath/ath11k/peer.c +index 9e22aaf34b88..1ae7af02c364 100644 +--- a/drivers/net/wireless/ath/ath11k/peer.c ++++ b/drivers/net/wireless/ath/ath11k/peer.c +@@ -302,6 +302,21 @@ static int __ath11k_peer_delete(struct ath11k *ar, u32 vdev_id, const u8 *addr) + spin_lock_bh(&ab->base_lock); + + peer = ath11k_peer_find_by_addr(ab, addr); ++ /* Check if the found peer is what we want to remove. ++ * While the sta is transitioning to another band we may ++ * have 2 peer with the same addr assigned to different ++ * vdev_id. Make sure we are deleting the correct peer. ++ */ ++ if (peer && peer->vdev_id == vdev_id) ++ ath11k_peer_rhash_delete(ab, peer); ++ ++ /* Fallback to peer list search if the correct peer can't be found. ++ * Skip the deletion of the peer from the rhash since it has already ++ * been deleted in peer add. ++ */ ++ if (!peer) ++ peer = ath11k_peer_find(ab, vdev_id, addr); ++ + if (!peer) { + spin_unlock_bh(&ab->base_lock); + mutex_unlock(&ab->tbl_mtx_lock); +@@ -312,8 +327,6 @@ static int __ath11k_peer_delete(struct ath11k *ar, u32 vdev_id, const u8 *addr) + return -EINVAL; + } + +- ath11k_peer_rhash_delete(ab, peer); +- + spin_unlock_bh(&ab->base_lock); + mutex_unlock(&ab->tbl_mtx_lock); + +@@ -372,8 +385,17 @@ int ath11k_peer_create(struct ath11k *ar, struct ath11k_vif *arvif, + spin_lock_bh(&ar->ab->base_lock); + peer = ath11k_peer_find_by_addr(ar->ab, param->peer_addr); + if (peer) { +- spin_unlock_bh(&ar->ab->base_lock); +- return -EINVAL; ++ if (peer->vdev_id == param->vdev_id) { ++ spin_unlock_bh(&ar->ab->base_lock); ++ return -EINVAL; ++ } ++ ++ /* Assume sta is transitioning to another band. ++ * Remove here the peer from rhash. ++ */ ++ mutex_lock(&ar->ab->tbl_mtx_lock); ++ ath11k_peer_rhash_delete(ar->ab, peer); ++ mutex_unlock(&ar->ab->tbl_mtx_lock); + } + spin_unlock_bh(&ar->ab->base_lock); + +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath11k-include-sta_keepalive_arp_response-tlv-h.patch b/queue-6.0/wifi-ath11k-include-sta_keepalive_arp_response-tlv-h.patch new file mode 100644 index 00000000000..72d1e0e5721 --- /dev/null +++ b/queue-6.0/wifi-ath11k-include-sta_keepalive_arp_response-tlv-h.patch @@ -0,0 +1,71 @@ +From 6bbc3c9483c3cc8e2200ce31e35ba0bed5cc6896 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Sep 2022 12:43:58 +0800 +Subject: wifi: ath11k: Include STA_KEEPALIVE_ARP_RESPONSE TLV header by + default + +From: Baochen Qiang + +[ Upstream commit b7b6f86149a7e06269d61a7a5206360f5b642f80 ] + +In current code STA_KEEPALIVE_ARP_RESPONSE TLV header is included only +when ARP method is used, this causes firmware always to crash when wowlan +is enabled because firmware needs it to be present no matter ARP method +is used or not. + +Fix this issue by including STA_KEEPALIVE_ARP_RESPONSE TLV header by +default. + +Also fix below typo: + s/WMI_TAG_STA_KEEPALVE_ARP_RESPONSE/WMI_TAG_STA_KEEPALIVE_ARP_RESPONSE/ + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3 + +Fixes: 0f84a156aa3b ("ath11k: Handle keepalive during WoWLAN suspend and resume") +Signed-off-by: Baochen Qiang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220913044358.2037-1-quic_bqiang@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/wmi.c | 9 +++++---- + drivers/net/wireless/ath/ath11k/wmi.h | 2 +- + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index 88ee4f9d19da..b658ea60dcf7 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -8962,12 +8962,13 @@ int ath11k_wmi_sta_keepalive(struct ath11k *ar, + cmd->interval = arg->interval; + cmd->method = arg->method; + ++ arp = (struct wmi_sta_keepalive_arp_resp *)(cmd + 1); ++ arp->tlv_header = FIELD_PREP(WMI_TLV_TAG, ++ WMI_TAG_STA_KEEPALIVE_ARP_RESPONSE) | ++ FIELD_PREP(WMI_TLV_LEN, sizeof(*arp) - TLV_HDR_SIZE); ++ + if (arg->method == WMI_STA_KEEPALIVE_METHOD_UNSOLICITED_ARP_RESPONSE || + arg->method == WMI_STA_KEEPALIVE_METHOD_GRATUITOUS_ARP_REQUEST) { +- arp = (struct wmi_sta_keepalive_arp_resp *)(cmd + 1); +- arp->tlv_header = FIELD_PREP(WMI_TLV_TAG, +- WMI_TAG_STA_KEEPALVE_ARP_RESPONSE) | +- FIELD_PREP(WMI_TLV_LEN, sizeof(*arp) - TLV_HDR_SIZE); + arp->src_ip4_addr = arg->src_ip4_addr; + arp->dest_ip4_addr = arg->dest_ip4_addr; + ether_addr_copy(arp->dest_mac_addr.addr, arg->dest_mac_addr); +diff --git a/drivers/net/wireless/ath/ath11k/wmi.h b/drivers/net/wireless/ath/ath11k/wmi.h +index 4da248ffa318..ba5343a3411f 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.h ++++ b/drivers/net/wireless/ath/ath11k/wmi.h +@@ -1214,7 +1214,7 @@ enum wmi_tlv_tag { + WMI_TAG_NS_OFFLOAD_TUPLE, + WMI_TAG_FTM_INTG_CMD, + WMI_TAG_STA_KEEPALIVE_CMD, +- WMI_TAG_STA_KEEPALVE_ARP_RESPONSE, ++ WMI_TAG_STA_KEEPALIVE_ARP_RESPONSE, + WMI_TAG_P2P_SET_VENDOR_IE_DATA_CMD, + WMI_TAG_AP_PS_PEER_CMD, + WMI_TAG_PEER_RATE_RETRY_SCHED_CMD, +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath11k-mhi-fix-potential-memory-leak-in-ath11k_.patch b/queue-6.0/wifi-ath11k-mhi-fix-potential-memory-leak-in-ath11k_.patch new file mode 100644 index 00000000000..028effdefe7 --- /dev/null +++ b/queue-6.0/wifi-ath11k-mhi-fix-potential-memory-leak-in-ath11k_.patch @@ -0,0 +1,79 @@ +From 3fe6993dca341f3625a59ef548a931b4aa415e7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 15:37:04 +0800 +Subject: wifi: ath11k: mhi: fix potential memory leak in ath11k_mhi_register() + +From: Jianglei Nie + +[ Upstream commit 43e7c3505ec70db3d3c6458824d5fa40f62e3e7b ] + +mhi_alloc_controller() allocates a memory space for mhi_ctrl. When gets +some error, mhi_ctrl should be freed with mhi_free_controller(). But +when ath11k_mhi_read_addr_from_dt() fails, the function returns without +calling mhi_free_controller(), which will lead to a memory leak. + +We can fix it by calling mhi_free_controller() when +ath11k_mhi_read_addr_from_dt() fails. + +Signed-off-by: Jianglei Nie +Reviewed-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220907073704.58806-1-niejianglei2021@163.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mhi.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mhi.c b/drivers/net/wireless/ath/ath11k/mhi.c +index c44df17719f6..86995e8dc913 100644 +--- a/drivers/net/wireless/ath/ath11k/mhi.c ++++ b/drivers/net/wireless/ath/ath11k/mhi.c +@@ -402,8 +402,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci) + ret = ath11k_mhi_get_msi(ab_pci); + if (ret) { + ath11k_err(ab, "failed to get msi for mhi\n"); +- mhi_free_controller(mhi_ctrl); +- return ret; ++ goto free_controller; + } + + if (!test_bit(ATH11K_FLAG_MULTI_MSI_VECTORS, &ab->dev_flags)) +@@ -412,7 +411,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci) + if (test_bit(ATH11K_FLAG_FIXED_MEM_RGN, &ab->dev_flags)) { + ret = ath11k_mhi_read_addr_from_dt(mhi_ctrl); + if (ret < 0) +- return ret; ++ goto free_controller; + } else { + mhi_ctrl->iova_start = 0; + mhi_ctrl->iova_stop = 0xFFFFFFFF; +@@ -440,18 +439,22 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci) + default: + ath11k_err(ab, "failed assign mhi_config for unknown hw rev %d\n", + ab->hw_rev); +- mhi_free_controller(mhi_ctrl); +- return -EINVAL; ++ ret = -EINVAL; ++ goto free_controller; + } + + ret = mhi_register_controller(mhi_ctrl, ath11k_mhi_config); + if (ret) { + ath11k_err(ab, "failed to register to mhi bus, err = %d\n", ret); +- mhi_free_controller(mhi_ctrl); +- return ret; ++ goto free_controller; + } + + return 0; ++ ++free_controller: ++ mhi_free_controller(mhi_ctrl); ++ ab_pci->mhi_ctrl = NULL; ++ return ret; + } + + void ath11k_mhi_unregister(struct ath11k_pci *ab_pci) +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath11k-register-shutdown-handler-for-wcn6750.patch b/queue-6.0/wifi-ath11k-register-shutdown-handler-for-wcn6750.patch new file mode 100644 index 00000000000..41189e7d2a8 --- /dev/null +++ b/queue-6.0/wifi-ath11k-register-shutdown-handler-for-wcn6750.patch @@ -0,0 +1,148 @@ +From 7edf6c127b4246b92565e9f5040ca40108d998a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 09:04:19 +0300 +Subject: wifi: ath11k: Register shutdown handler for WCN6750 + +From: Manikanta Pubbisetty + +[ Upstream commit ac41c2b642b136a1e633379fcb87a9db0ee07f5b ] + +When the system shuts down, SMMU driver will be stopped and +will not assist in IOVA translations. SMMU driver expects all +of its consumers to shutdown before shutting down itself. +WCN6750 being one of the consumer device should not perform any +DMA operations after the SMMU has shutdown which will otherwise +result in SMMU faults. + +SMMU driver will call the shutdown() callback of all its +consumer devices and the consumers shall stop further DMA +activity after the invocation of their respective shutdown() +callbacks. + +Register the shutdown() callback to the platform core for WCN6750. +Change will not impact other AHB ath11k devices. + +Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1 + +Signed-off-by: Manikanta Pubbisetty +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220720134710.15523-1-quic_mpubbise@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/ahb.c | 58 ++++++++++++++++++++------ + drivers/net/wireless/ath/ath11k/core.c | 2 + + 2 files changed, 47 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/ahb.c b/drivers/net/wireless/ath/ath11k/ahb.c +index c47414710138..911eee9646a4 100644 +--- a/drivers/net/wireless/ath/ath11k/ahb.c ++++ b/drivers/net/wireless/ath/ath11k/ahb.c +@@ -1088,20 +1088,10 @@ static int ath11k_ahb_probe(struct platform_device *pdev) + return ret; + } + +-static int ath11k_ahb_remove(struct platform_device *pdev) ++static void ath11k_ahb_remove_prepare(struct ath11k_base *ab) + { +- struct ath11k_base *ab = platform_get_drvdata(pdev); + unsigned long left; + +- if (test_bit(ATH11K_FLAG_QMI_FAIL, &ab->dev_flags)) { +- ath11k_ahb_power_down(ab); +- ath11k_debugfs_soc_destroy(ab); +- ath11k_qmi_deinit_service(ab); +- goto qmi_fail; +- } +- +- reinit_completion(&ab->driver_recovery); +- + if (test_bit(ATH11K_FLAG_RECOVERY, &ab->dev_flags)) { + left = wait_for_completion_timeout(&ab->driver_recovery, + ATH11K_AHB_RECOVERY_TIMEOUT); +@@ -1111,19 +1101,60 @@ static int ath11k_ahb_remove(struct platform_device *pdev) + + set_bit(ATH11K_FLAG_UNREGISTERING, &ab->dev_flags); + cancel_work_sync(&ab->restart_work); ++ cancel_work_sync(&ab->qmi.event_work); ++} ++ ++static void ath11k_ahb_free_resources(struct ath11k_base *ab) ++{ ++ struct platform_device *pdev = ab->pdev; + +- ath11k_core_deinit(ab); +-qmi_fail: + ath11k_ahb_free_irq(ab); + ath11k_hal_srng_deinit(ab); + ath11k_ahb_fw_resource_deinit(ab); + ath11k_ce_free_pipes(ab); + ath11k_core_free(ab); + platform_set_drvdata(pdev, NULL); ++} ++ ++static int ath11k_ahb_remove(struct platform_device *pdev) ++{ ++ struct ath11k_base *ab = platform_get_drvdata(pdev); ++ ++ if (test_bit(ATH11K_FLAG_QMI_FAIL, &ab->dev_flags)) { ++ ath11k_ahb_power_down(ab); ++ ath11k_debugfs_soc_destroy(ab); ++ ath11k_qmi_deinit_service(ab); ++ goto qmi_fail; ++ } ++ ++ ath11k_ahb_remove_prepare(ab); ++ ath11k_core_deinit(ab); ++ ++qmi_fail: ++ ath11k_ahb_free_resources(ab); + + return 0; + } + ++static void ath11k_ahb_shutdown(struct platform_device *pdev) ++{ ++ struct ath11k_base *ab = platform_get_drvdata(pdev); ++ ++ /* platform shutdown() & remove() are mutually exclusive. ++ * remove() is invoked during rmmod & shutdown() during ++ * system reboot/shutdown. ++ */ ++ ath11k_ahb_remove_prepare(ab); ++ ++ if (!(test_bit(ATH11K_FLAG_REGISTERED, &ab->dev_flags))) ++ goto free_resources; ++ ++ ath11k_core_deinit(ab); ++ ++free_resources: ++ ath11k_ahb_free_resources(ab); ++} ++ + static struct platform_driver ath11k_ahb_driver = { + .driver = { + .name = "ath11k", +@@ -1131,6 +1162,7 @@ static struct platform_driver ath11k_ahb_driver = { + }, + .probe = ath11k_ahb_probe, + .remove = ath11k_ahb_remove, ++ .shutdown = ath11k_ahb_shutdown, + }; + + static int ath11k_ahb_init(void) +diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c +index c3e9e4f7bc24..9df6aaae8a44 100644 +--- a/drivers/net/wireless/ath/ath11k/core.c ++++ b/drivers/net/wireless/ath/ath11k/core.c +@@ -1563,6 +1563,8 @@ static void ath11k_core_pre_reconfigure_recovery(struct ath11k_base *ab) + + wake_up(&ab->wmi_ab.tx_credits_wq); + wake_up(&ab->peer_mapping_wq); ++ ++ reinit_completion(&ab->driver_recovery); + } + + static void ath11k_core_post_reconfigure_recovery(struct ath11k_base *ab) +-- +2.35.1 + diff --git a/queue-6.0/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch b/queue-6.0/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch new file mode 100644 index 00000000000..dc6366755cb --- /dev/null +++ b/queue-6.0/wifi-ath9k-avoid-uninit-memory-read-in-ath9k_htc_rx_.patch @@ -0,0 +1,152 @@ +From 830af93456cf13ac30145e210ea00e9813fac94b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 23:46:13 +0900 +Subject: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tetsuo Handa + +[ Upstream commit b383e8abed41cc6ff1a3b34de75df9397fa4878c ] + +syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for +ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with +pkt_len = 0 but ath9k_hif_usb_rx_stream() uses +__dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that +pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb +with uninitialized memory and ath9k_htc_rx_msg() is reading from +uninitialized memory. + +Since bytes accessed by ath9k_htc_rx_msg() is not known until +ath9k_htc_rx_msg() is called, it would be difficult to check minimal valid +pkt_len at "if (pkt_len > 2 * MAX_RX_BUF_SIZE) {" line in +ath9k_hif_usb_rx_stream(). + +We have two choices. One is to workaround by adding __GFP_ZERO so that +ath9k_htc_rx_msg() sees 0 if pkt_len is invalid. The other is to let +ath9k_htc_rx_msg() validate pkt_len before accessing. This patch chose +the latter. + +Note that I'm not sure threshold condition is correct, for I can't find +details on possible packet length used by this protocol. + +Link: https://syzkaller.appspot.com/bug?extid=2ca247c2d60c7023de7f [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7acfa1be-4b5c-b2ce-de43-95b0593fb3e5@I-love.SAKURA.ne.jp +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 43 +++++++++++++++--------- + 1 file changed, 28 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 994ec48b2f66..ca05b07a45e6 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -364,33 +364,27 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle, + } + + static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle, +- struct sk_buff *skb) ++ struct sk_buff *skb, u32 len) + { + uint32_t *pattern = (uint32_t *)skb->data; + +- switch (*pattern) { +- case 0x33221199: +- { ++ if (*pattern == 0x33221199 && len >= sizeof(struct htc_panic_bad_vaddr)) { + struct htc_panic_bad_vaddr *htc_panic; + htc_panic = (struct htc_panic_bad_vaddr *) skb->data; + dev_err(htc_handle->dev, "ath: firmware panic! " + "exccause: 0x%08x; pc: 0x%08x; badvaddr: 0x%08x.\n", + htc_panic->exccause, htc_panic->pc, + htc_panic->badvaddr); +- break; +- } +- case 0x33221299: +- { ++ return; ++ } ++ if (*pattern == 0x33221299) { + struct htc_panic_bad_epid *htc_panic; + htc_panic = (struct htc_panic_bad_epid *) skb->data; + dev_err(htc_handle->dev, "ath: firmware panic! " + "bad epid: 0x%08x\n", htc_panic->epid); +- break; +- } +- default: +- dev_err(htc_handle->dev, "ath: unknown panic pattern!\n"); +- break; ++ return; + } ++ dev_err(htc_handle->dev, "ath: unknown panic pattern!\n"); + } + + /* +@@ -411,16 +405,26 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, + if (!htc_handle || !skb) + return; + ++ /* A valid message requires len >= 8. ++ * ++ * sizeof(struct htc_frame_hdr) == 8 ++ * sizeof(struct htc_ready_msg) == 8 ++ * sizeof(struct htc_panic_bad_vaddr) == 16 ++ * sizeof(struct htc_panic_bad_epid) == 8 ++ */ ++ if (unlikely(len < sizeof(struct htc_frame_hdr))) ++ goto invalid; + htc_hdr = (struct htc_frame_hdr *) skb->data; + epid = htc_hdr->endpoint_id; + + if (epid == 0x99) { +- ath9k_htc_fw_panic_report(htc_handle, skb); ++ ath9k_htc_fw_panic_report(htc_handle, skb, len); + kfree_skb(skb); + return; + } + + if (epid < 0 || epid >= ENDPOINT_MAX) { ++invalid: + if (pipe_id != USB_REG_IN_PIPE) + dev_kfree_skb_any(skb); + else +@@ -432,21 +436,30 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, + + /* Handle trailer */ + if (htc_hdr->flags & HTC_FLAGS_RECV_TRAILER) { +- if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000) ++ if (be32_to_cpu(*(__be32 *) skb->data) == 0x00C60000) { + /* Move past the Watchdog pattern */ + htc_hdr = (struct htc_frame_hdr *)(skb->data + 4); ++ len -= 4; ++ } + } + + /* Get the message ID */ ++ if (unlikely(len < sizeof(struct htc_frame_hdr) + sizeof(__be16))) ++ goto invalid; + msg_id = (__be16 *) ((void *) htc_hdr + + sizeof(struct htc_frame_hdr)); + + /* Now process HTC messages */ + switch (be16_to_cpu(*msg_id)) { + case HTC_MSG_READY_ID: ++ if (unlikely(len < sizeof(struct htc_ready_msg))) ++ goto invalid; + htc_process_target_rdy(htc_handle, htc_hdr); + break; + case HTC_MSG_CONNECT_SERVICE_RESPONSE_ID: ++ if (unlikely(len < sizeof(struct htc_frame_hdr) + ++ sizeof(struct htc_conn_svc_rspmsg))) ++ goto invalid; + htc_process_conn_rsp(htc_handle, htc_hdr); + break; + default: +-- +2.35.1 + diff --git a/queue-6.0/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch b/queue-6.0/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch new file mode 100644 index 00000000000..fa8f49cba59 --- /dev/null +++ b/queue-6.0/wifi-brcmfmac-fix-invalid-address-access-when-enabli.patch @@ -0,0 +1,110 @@ +From c288ce30690d1881d71f00d00f25f423e65dbe5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 13:56:28 +0200 +Subject: wifi: brcmfmac: fix invalid address access when enabling SCAN log + level +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wright Feng + +[ Upstream commit aa666b68e73fc06d83c070d96180b9010cf5a960 ] + +The variable i is changed when setting random MAC address and causes +invalid address access when printing the value of pi->reqs[i]->reqid. + +We replace reqs index with ri to fix the issue. + +[ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 +[ 136.737365] Mem abort info: +[ 136.740172] ESR = 0x96000004 +[ 136.743359] Exception class = DABT (current EL), IL = 32 bits +[ 136.749294] SET = 0, FnV = 0 +[ 136.752481] EA = 0, S1PTW = 0 +[ 136.755635] Data abort info: +[ 136.758514] ISV = 0, ISS = 0x00000004 +[ 136.762487] CM = 0, WnR = 0 +[ 136.765522] user pgtable: 4k pages, 48-bit VAs, pgdp = 000000005c4e2577 +[ 136.772265] [0000000000000000] pgd=0000000000000000 +[ 136.777160] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 136.782732] Modules linked in: brcmfmac(O) brcmutil(O) cfg80211(O) compat(O) +[ 136.789788] Process wificond (pid: 3175, stack limit = 0x00000000053048fb) +[ 136.796664] CPU: 3 PID: 3175 Comm: wificond Tainted: G O 4.19.42-00001-g531a5f5 #1 +[ 136.805532] Hardware name: Freescale i.MX8MQ EVK (DT) +[ 136.810584] pstate: 60400005 (nZCv daif +PAN -UAO) +[ 136.815429] pc : brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] +[ 136.821811] lr : brcmf_pno_config_sched_scans+0x67c/0xa80 [brcmfmac] +[ 136.828162] sp : ffff00000e9a3880 +[ 136.831475] x29: ffff00000e9a3890 x28: ffff800020543400 +[ 136.836786] x27: ffff8000b1008880 x26: ffff0000012bf6a0 +[ 136.842098] x25: ffff80002054345c x24: ffff800088d22400 +[ 136.847409] x23: ffff0000012bf638 x22: ffff0000012bf6d8 +[ 136.852721] x21: ffff8000aced8fc0 x20: ffff8000ac164400 +[ 136.858032] x19: ffff00000e9a3946 x18: 0000000000000000 +[ 136.863343] x17: 0000000000000000 x16: 0000000000000000 +[ 136.868655] x15: ffff0000093f3b37 x14: 0000000000000050 +[ 136.873966] x13: 0000000000003135 x12: 0000000000000000 +[ 136.879277] x11: 0000000000000000 x10: ffff000009a61888 +[ 136.884589] x9 : 000000000000000f x8 : 0000000000000008 +[ 136.889900] x7 : 303a32303d726464 x6 : ffff00000a1f957d +[ 136.895211] x5 : 0000000000000000 x4 : ffff00000e9a3942 +[ 136.900523] x3 : 0000000000000000 x2 : ffff0000012cead8 +[ 136.905834] x1 : ffff0000012bf6d8 x0 : 0000000000000000 +[ 136.911146] Call trace: +[ 136.913623] brcmf_pno_config_sched_scans+0x6cc/0xa80 [brcmfmac] +[ 136.919658] brcmf_pno_start_sched_scan+0xa4/0x118 [brcmfmac] +[ 136.925430] brcmf_cfg80211_sched_scan_start+0x80/0xe0 [brcmfmac] +[ 136.931636] nl80211_start_sched_scan+0x140/0x308 [cfg80211] +[ 136.937298] genl_rcv_msg+0x358/0x3f4 +[ 136.940960] netlink_rcv_skb+0xb4/0x118 +[ 136.944795] genl_rcv+0x34/0x48 +[ 136.947935] netlink_unicast+0x264/0x300 +[ 136.951856] netlink_sendmsg+0x2e4/0x33c +[ 136.955781] __sys_sendto+0x120/0x19c + +Signed-off-by: Wright Feng +Signed-off-by: Chi-hsien Lin +Signed-off-by: Ahmad Fatoum +Signed-off-by: Alvin Å ipraga +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220722115632.620681-4-alvin@pqrs.dk +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmfmac/pno.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c +index fabfbb0b40b0..d0a7465be586 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pno.c +@@ -158,12 +158,12 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi) + struct brcmf_pno_macaddr_le pfn_mac; + u8 *mac_addr = NULL; + u8 *mac_mask = NULL; +- int err, i; ++ int err, i, ri; + +- for (i = 0; i < pi->n_reqs; i++) +- if (pi->reqs[i]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) { +- mac_addr = pi->reqs[i]->mac_addr; +- mac_mask = pi->reqs[i]->mac_addr_mask; ++ for (ri = 0; ri < pi->n_reqs; ri++) ++ if (pi->reqs[ri]->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) { ++ mac_addr = pi->reqs[ri]->mac_addr; ++ mac_mask = pi->reqs[ri]->mac_addr_mask; + break; + } + +@@ -185,7 +185,7 @@ static int brcmf_pno_set_random(struct brcmf_if *ifp, struct brcmf_pno_info *pi) + pfn_mac.mac[0] |= 0x02; + + brcmf_dbg(SCAN, "enabling random mac: reqid=%llu mac=%pM\n", +- pi->reqs[i]->reqid, pfn_mac.mac); ++ pi->reqs[ri]->reqid, pfn_mac.mac); + err = brcmf_fil_iovar_data_set(ifp, "pfn_macaddr", &pfn_mac, + sizeof(pfn_mac)); + if (err) +-- +2.35.1 + diff --git a/queue-6.0/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch b/queue-6.0/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch new file mode 100644 index 00000000000..8d5bb7da81b --- /dev/null +++ b/queue-6.0/wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch @@ -0,0 +1,140 @@ +From fc59bf61a9371ab16ebbfcf22c960ea6ce10f2f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 10:49:26 -0700 +Subject: wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() + +From: Alexander Coffin + +[ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ] + +> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb); + +may be schedule, and then complete before the line + +> ndev->stats.tx_bytes += skb->len; + +[ 46.912801] ================================================================== +[ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] +[ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328 +[ 46.935991] +[ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1 +[ 46.947255] Hardware name: [REDACTED] +[ 46.954568] Call trace: +[ 46.957037] dump_backtrace+0x0/0x2b8 +[ 46.960719] show_stack+0x24/0x30 +[ 46.964052] dump_stack+0x128/0x194 +[ 46.967557] print_address_description.isra.0+0x64/0x380 +[ 46.972877] __kasan_report+0x1d4/0x240 +[ 46.976723] kasan_report+0xc/0x18 +[ 46.980138] __asan_report_load4_noabort+0x18/0x20 +[ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] +[ 46.990613] dev_hard_start_xmit+0x1bc/0xda0 +[ 46.994894] sch_direct_xmit+0x198/0xd08 +[ 46.998827] __qdisc_run+0x37c/0x1dc0 +[ 47.002500] __dev_queue_xmit+0x1528/0x21f8 +[ 47.006692] dev_queue_xmit+0x24/0x30 +[ 47.010366] neigh_resolve_output+0x37c/0x678 +[ 47.014734] ip_finish_output2+0x598/0x2458 +[ 47.018927] __ip_finish_output+0x300/0x730 +[ 47.023118] ip_output+0x2e0/0x430 +[ 47.026530] ip_local_out+0x90/0x140 +[ 47.030117] igmpv3_sendpack+0x14c/0x228 +[ 47.034049] igmpv3_send_cr+0x384/0x6b8 +[ 47.037895] igmp_ifc_timer_expire+0x4c/0x118 +[ 47.042262] call_timer_fn+0x1cc/0xbe8 +[ 47.046021] __run_timers+0x4d8/0xb28 +[ 47.049693] run_timer_softirq+0x24/0x40 +[ 47.053626] __do_softirq+0x2c0/0x117c +[ 47.057387] irq_exit+0x2dc/0x388 +[ 47.060715] __handle_domain_irq+0xb4/0x158 +[ 47.064908] gic_handle_irq+0x58/0xb0 +[ 47.068581] el0_irq_naked+0x50/0x5c +[ 47.072162] +[ 47.073665] Allocated by task 328: +[ 47.077083] save_stack+0x24/0xb0 +[ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0 +[ 47.084776] kasan_slab_alloc+0x14/0x20 +[ 47.088622] kmem_cache_alloc+0x15c/0x468 +[ 47.092643] __alloc_skb+0xa4/0x498 +[ 47.096142] igmpv3_newpack+0x158/0xd78 +[ 47.099987] add_grhead+0x210/0x288 +[ 47.103485] add_grec+0x6b0/0xb70 +[ 47.106811] igmpv3_send_cr+0x2e0/0x6b8 +[ 47.110657] igmp_ifc_timer_expire+0x4c/0x118 +[ 47.115027] call_timer_fn+0x1cc/0xbe8 +[ 47.118785] __run_timers+0x4d8/0xb28 +[ 47.122457] run_timer_softirq+0x24/0x40 +[ 47.126389] __do_softirq+0x2c0/0x117c +[ 47.130142] +[ 47.131643] Freed by task 180: +[ 47.134712] save_stack+0x24/0xb0 +[ 47.138041] __kasan_slab_free+0x108/0x180 +[ 47.142146] kasan_slab_free+0x10/0x18 +[ 47.145904] slab_free_freelist_hook+0xa4/0x1b0 +[ 47.150444] kmem_cache_free+0x8c/0x528 +[ 47.154292] kfree_skbmem+0x94/0x108 +[ 47.157880] consume_skb+0x10c/0x5a8 +[ 47.161466] __dev_kfree_skb_any+0x88/0xa0 +[ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil] +[ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac] +[ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac] +[ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac] +[ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac] +[ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac] +[ 47.197859] process_one_work+0x7fc/0x1a80 +[ 47.201965] worker_thread+0x31c/0xc40 +[ 47.205726] kthread+0x2d8/0x370 +[ 47.208967] ret_from_fork+0x10/0x18 +[ 47.212546] +[ 47.214051] The buggy address belongs to the object at ffffff803f588280 +[ 47.214051] which belongs to the cache skbuff_head_cache of size 208 +[ 47.227086] The buggy address is located 104 bytes inside of +[ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350) +[ 47.238814] The buggy address belongs to the page: +[ 47.243618] page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0 +[ 47.255007] flags: 0x10200(slab|head) +[ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800 +[ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000 +[ 47.274180] page dumped because: kasan: bad access detected +[ 47.279752] +[ 47.281251] Memory state around the buggy address: +[ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 47.307723] ^ +[ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc +[ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb +[ 47.328789] ================================================================== + +Signed-off-by: Alexander Coffin +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index bd164a0821f9..ca95b02962ef 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -292,6 +292,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, + struct brcmf_pub *drvr = ifp->drvr; + struct ethhdr *eh; + int head_delta; ++ unsigned int tx_bytes = skb->len; + + brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx); + +@@ -366,7 +367,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, + ndev->stats.tx_dropped++; + } else { + ndev->stats.tx_packets++; +- ndev->stats.tx_bytes += skb->len; ++ ndev->stats.tx_bytes += tx_bytes; + } + + /* Return ok: we always eat the packet */ +-- +2.35.1 + diff --git a/queue-6.0/wifi-cfg80211-get-correct-ap-link-chandef.patch b/queue-6.0/wifi-cfg80211-get-correct-ap-link-chandef.patch new file mode 100644 index 00000000000..3292d21f2f9 --- /dev/null +++ b/queue-6.0/wifi-cfg80211-get-correct-ap-link-chandef.patch @@ -0,0 +1,38 @@ +From 8461960a390b586a16cb00d1b470120ce3982e92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 14:12:29 +0300 +Subject: wifi: cfg80211: get correct AP link chandef + +From: Shaul Triebitz + +[ Upstream commit bc1857619cc7612117d2ee1ed05b5bfeb638614b ] + +When checking for channel regulatory validity, use the +AP link chandef (and not mesh's chandef). + +Fixes: 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link APIs") +Signed-off-by: Shaul Triebitz +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index c7383ede794f..d5c7a5aa6853 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2389,6 +2389,10 @@ static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev) + switch (iftype) { + case NL80211_IFTYPE_AP: + case NL80211_IFTYPE_P2P_GO: ++ if (!wdev->links[link].ap.beacon_interval) ++ continue; ++ chandef = wdev->links[link].ap.chandef; ++ break; + case NL80211_IFTYPE_MESH_POINT: + if (!wdev->u.mesh.beacon_interval) + continue; +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211-accept-sta-changes-without-link-change.patch b/queue-6.0/wifi-mac80211-accept-sta-changes-without-link-change.patch new file mode 100644 index 00000000000..1cfdac78942 --- /dev/null +++ b/queue-6.0/wifi-mac80211-accept-sta-changes-without-link-change.patch @@ -0,0 +1,56 @@ +From 88ca627854dce49af679eb97d3f70fbcebcc6506 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Jul 2022 22:08:49 +0200 +Subject: wifi: mac80211: accept STA changes without link changes + +From: Johannes Berg + +[ Upstream commit b303835dabe0340f932ebb4e260d2229f79b0684 ] + +If there's no link ID, then check that there are no changes to +the link, and if so accept them, unless a new link is created. +While at it, reject creating a new link without an address. + +This fixes authorizing an MLD (peer) that has no link 0. + +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index e5239a17a875..65f34945a767 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1610,6 +1610,18 @@ static int sta_link_apply_parameters(struct ieee80211_local *local, + rcu_dereference_protected(sta->link[link_id], + lockdep_is_held(&local->sta_mtx)); + ++ /* ++ * If there are no changes, then accept a link that doesn't exist, ++ * unless it's a new link. ++ */ ++ if (params->link_id < 0 && !new_link && ++ !params->link_mac && !params->txpwr_set && ++ !params->supported_rates_len && ++ !params->ht_capa && !params->vht_capa && ++ !params->he_capa && !params->eht_capa && ++ !params->opmode_notif_used) ++ return 0; ++ + if (!link || !link_sta) + return -EINVAL; + +@@ -1625,6 +1637,8 @@ static int sta_link_apply_parameters(struct ieee80211_local *local, + params->link_mac)) { + return -EINVAL; + } ++ } else if (new_link) { ++ return -EINVAL; + } + + if (params->txpwr_set) { +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211-allow-bw-change-during-channel-switch-.patch b/queue-6.0/wifi-mac80211-allow-bw-change-during-channel-switch-.patch new file mode 100644 index 00000000000..1a375596490 --- /dev/null +++ b/queue-6.0/wifi-mac80211-allow-bw-change-during-channel-switch-.patch @@ -0,0 +1,47 @@ +From a805fd59db4ce2bd04b319623a1b8cffbc8148cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 12:02:29 +0530 +Subject: wifi: mac80211: allow bw change during channel switch in mesh + +From: Hari Chandrakanthan + +[ Upstream commit 6b75f133fe05c36c52d691ff21545d5757fff721 ] + +From 'IEEE Std 802.11-2020 section 11.8.8.4.1': + The mesh channel switch may be triggered by the need to avoid + interference to a detected radar signal, or to reassign mesh STA + channels to ensure the MBSS connectivity. + + A 20/40 MHz MBSS may be changed to a 20 MHz MBSS and a 20 MHz + MBSS may be changed to a 20/40 MHz MBSS. + +Since the standard allows the change of bandwidth during +the channel switch in mesh, remove the bandwidth check present in +ieee80211_set_csa_beacon. + +Fixes: c6da674aff94 ("{nl,cfg,mac}80211: enable the triggering of CSA frame in mesh") +Signed-off-by: Hari Chandrakanthan +Link: https://lore.kernel.org/r/1658903549-21218-1-git-send-email-quic_haric@quicinc.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index a4f6971b7a19..e5239a17a875 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -3597,9 +3597,6 @@ static int ieee80211_set_csa_beacon(struct ieee80211_sub_if_data *sdata, + case NL80211_IFTYPE_MESH_POINT: { + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; + +- if (params->chandef.width != sdata->vif.bss_conf.chandef.width) +- return -EINVAL; +- + /* changes into another band are not supported */ + if (sdata->vif.bss_conf.chandef.chan->band != + params->chandef.chan->band) +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211-fix-use-after-free.patch b/queue-6.0/wifi-mac80211-fix-use-after-free.patch new file mode 100644 index 00000000000..e33cb20c5b9 --- /dev/null +++ b/queue-6.0/wifi-mac80211-fix-use-after-free.patch @@ -0,0 +1,35 @@ +From 8ea3b436eb75972d44ba5126a3a3833048119a94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Aug 2022 10:44:05 +0200 +Subject: wifi: mac80211: fix use-after-free + +From: Johannes Berg + +[ Upstream commit 40fb87129049ec5876dabf4a4d4aed6642b31f1a ] + +We've already freed the assoc_data at this point, so need +to use another copy of the AP (MLD) address instead. + +Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index fc764984d687..1e9cb4be6ed3 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -5122,7 +5122,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata, + resp.req_ies = ifmgd->assoc_req_ies; + resp.req_ies_len = ifmgd->assoc_req_ies_len; + if (sdata->vif.valid_links) +- resp.ap_mld_addr = assoc_data->ap_addr; ++ resp.ap_mld_addr = sdata->vif.cfg.ap_addr; + cfg80211_rx_assoc_resp(sdata->dev, &resp); + notify_driver: + drv_mgd_complete_tx(sdata->local, sdata, &info); +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211-mlme-assign-link-address-correctly.patch b/queue-6.0/wifi-mac80211-mlme-assign-link-address-correctly.patch new file mode 100644 index 00000000000..76064532560 --- /dev/null +++ b/queue-6.0/wifi-mac80211-mlme-assign-link-address-correctly.patch @@ -0,0 +1,51 @@ +From 66eed272ee2cec3f127486d798be4460e73fffd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 16:12:38 +0200 +Subject: wifi: mac80211: mlme: assign link address correctly + +From: Johannes Berg + +[ Upstream commit acdc3e47881d86dc1cb89d4603e3fed90ab150db ] + +Right now, we assign the link address only after we add +the link to the driver, which is quite obviously wrong. +It happens to work in many cases because it gets updated +immediately, and then link_conf updates may update it, +but it's clearly not really right. + +Set the link address during ieee80211_mgd_setup_link() +so it's set before telling the driver about the link. + +Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 76ae6f03d77e..654414caeb71 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -6291,6 +6291,8 @@ void ieee80211_mgd_setup_link(struct ieee80211_link_data *link) + if (sdata->u.mgd.assoc_data) + ether_addr_copy(link->conf->addr, + sdata->u.mgd.assoc_data->link[link_id].addr); ++ else if (!is_valid_ether_addr(link->conf->addr)) ++ eth_random_addr(link->conf->addr); + } + + /* scan finished notification */ +@@ -6378,9 +6380,6 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata, + goto out_err; + } + +- if (mlo && !is_valid_ether_addr(link->conf->addr)) +- eth_random_addr(link->conf->addr); +- + if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data)) { + err = -EINVAL; + goto out_err; +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211-mlme-don-t-add-empty-eml-capabilities.patch b/queue-6.0/wifi-mac80211-mlme-don-t-add-empty-eml-capabilities.patch new file mode 100644 index 00000000000..0959c90f229 --- /dev/null +++ b/queue-6.0/wifi-mac80211-mlme-don-t-add-empty-eml-capabilities.patch @@ -0,0 +1,53 @@ +From 1edae81ab0bfff1e407804fae28f0ba0a4bbb9a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Jul 2022 03:51:08 +0300 +Subject: wifi: mac80211: mlme: don't add empty EML capabilities + +From: Mordechay Goodstein + +[ Upstream commit 1cb3cf372abe4a0d16620d2b1201de0e291a6c58 ] + +Draft P802.11be_D2.1, section 35.3.17 states that the EML Capabilities +Field shouldn't be included in case the device doesn't have support for +EMLSR or EMLMR. + +Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link") +Signed-off-by: Mordechay Goodstein +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/mlme.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 1e9cb4be6ed3..76ae6f03d77e 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1220,14 +1220,21 @@ static void ieee80211_assoc_add_ml_elem(struct ieee80211_sub_if_data *sdata, + ml_elem = skb_put(skb, sizeof(*ml_elem)); + ml_elem->control = + cpu_to_le16(IEEE80211_ML_CONTROL_TYPE_BASIC | +- IEEE80211_MLC_BASIC_PRES_EML_CAPA | + IEEE80211_MLC_BASIC_PRES_MLD_CAPA_OP); + common = skb_put(skb, sizeof(*common)); + common->len = sizeof(*common) + +- 2 + /* EML capabilities */ + 2; /* MLD capa/ops */ + memcpy(common->mld_mac_addr, sdata->vif.addr, ETH_ALEN); +- skb_put_data(skb, &eml_capa, sizeof(eml_capa)); ++ ++ /* add EML_CAPA only if needed, see Draft P802.11be_D2.1, 35.3.17 */ ++ if (eml_capa & ++ cpu_to_le16((IEEE80211_EML_CAP_EMLSR_SUPP | ++ IEEE80211_EML_CAP_EMLMR_SUPPORT))) { ++ common->len += 2; /* EML capabilities */ ++ ml_elem->control |= ++ cpu_to_le16(IEEE80211_MLC_BASIC_PRES_EML_CAPA); ++ skb_put_data(skb, &eml_capa, sizeof(eml_capa)); ++ } + /* need indication from userspace to support this */ + mld_capa_ops &= ~cpu_to_le16(IEEE80211_MLD_CAP_OP_TID_TO_LINK_MAP_NEG_SUPP); + skb_put_data(skb, &mld_capa_ops, sizeof(mld_capa_ops)); +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211-properly-set-old_links-when-removing-a.patch b/queue-6.0/wifi-mac80211-properly-set-old_links-when-removing-a.patch new file mode 100644 index 00000000000..1f00f8fc245 --- /dev/null +++ b/queue-6.0/wifi-mac80211-properly-set-old_links-when-removing-a.patch @@ -0,0 +1,46 @@ +From 71725a05f1988dc73636e9c685fb9ac549f82fda Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Jul 2022 11:07:32 +0300 +Subject: wifi: mac80211: properly set old_links when removing a link + +From: Shaul Triebitz + +[ Upstream commit a8f62399daa6917e7f9efeb79bce4dd2cd494a1e ] + +In ieee80211_sta_remove_link, valid_links is set to +the new_links before calling drv_change_sta_links, but +is used for the old_links. + +Fixes: cb71f1d136a6 ("wifi: mac80211: add sta link addition/removal") +Signed-off-by: Shaul Triebitz +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 58998d821778..9d7b238a6737 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2799,6 +2799,7 @@ int ieee80211_sta_activate_link(struct sta_info *sta, unsigned int link_id) + void ieee80211_sta_remove_link(struct sta_info *sta, unsigned int link_id) + { + struct ieee80211_sub_if_data *sdata = sta->sdata; ++ u16 old_links = sta->sta.valid_links; + + lockdep_assert_held(&sdata->local->sta_mtx); + +@@ -2806,8 +2807,7 @@ void ieee80211_sta_remove_link(struct sta_info *sta, unsigned int link_id) + + if (test_sta_flag(sta, WLAN_STA_INSERTED)) + drv_change_sta_links(sdata->local, sdata, &sta->sta, +- sta->sta.valid_links, +- sta->sta.valid_links & ~BIT(link_id)); ++ old_links, sta->sta.valid_links); + + sta_remove_link(sta, link_id, true); + } +-- +2.35.1 + diff --git a/queue-6.0/wifi-mac80211_hwsim-fix-link-change-handling.patch b/queue-6.0/wifi-mac80211_hwsim-fix-link-change-handling.patch new file mode 100644 index 00000000000..563353388c8 --- /dev/null +++ b/queue-6.0/wifi-mac80211_hwsim-fix-link-change-handling.patch @@ -0,0 +1,45 @@ +From 003854d4eac177f1914bf0ae4a171a3f346919b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 14:58:42 +0200 +Subject: wifi: mac80211_hwsim: fix link change handling + +From: Johannes Berg + +[ Upstream commit 65f7052b6c38f767d95ebfa4ae4b389b6da6a421 ] + +The code for determining which links to update in wmediumd +or virtio was wrong, fix it to remove the deflink only if +there were no old links, and also add the deflink if there +are no other new links. + +Fixes: c204d9df0202 ("wifi: mac80211_hwsim: handle links for wmediumd/virtio") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mac80211_hwsim.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c +index ee34814bd12b..a074552bcec3 100644 +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2995,10 +2995,15 @@ static int mac80211_hwsim_change_vif_links(struct ieee80211_hw *hw, + u16 old_links, u16 new_links, + struct ieee80211_bss_conf *old[IEEE80211_MLD_MAX_NUM_LINKS]) + { +- unsigned long rem = old_links & ~new_links ?: BIT(0); ++ unsigned long rem = old_links & ~new_links; + unsigned long add = new_links & ~old_links; + int i; + ++ if (!old_links) ++ rem |= BIT(0); ++ if (!new_links) ++ add |= BIT(0); ++ + for_each_set_bit(i, &rem, IEEE80211_MLD_MAX_NUM_LINKS) + mac80211_hwsim_config_mac_nl(hw, old[i]->addr, false); + +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-connac-fix-possible-unaligned-access-in-mt.patch b/queue-6.0/wifi-mt76-connac-fix-possible-unaligned-access-in-mt.patch new file mode 100644 index 00000000000..2be0bf410d6 --- /dev/null +++ b/queue-6.0/wifi-mt76-connac-fix-possible-unaligned-access-in-mt.patch @@ -0,0 +1,42 @@ +From b665a4648121042fc95533d75fc0509d527d47d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 16:12:06 +0200 +Subject: wifi: mt76: connac: fix possible unaligned access in + mt76_connac_mcu_add_nested_tlv + +From: Lorenzo Bianconi + +[ Upstream commit 0a4860f627f1f2b2b777f54f993de1638a79da9f ] + +Fix possible unaligned pointer in mt76_connac_mcu_add_nested_tlv +routine. + +Reported-by: kernel test robot +Fixes: 25702d9c55dc5 ("mt76: connac: rely on le16_add_cpu in mt76_connac_mcu_add_nested_tlv") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +index 9b17bd97ec09..13d4722e4186 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +@@ -260,8 +260,10 @@ mt76_connac_mcu_add_nested_tlv(struct sk_buff *skb, int tag, int len, + ntlv = le16_to_cpu(ntlv_hdr->tlv_num); + ntlv_hdr->tlv_num = cpu_to_le16(ntlv + 1); + +- if (sta_hdr) +- le16_add_cpu(&sta_hdr->len, len); ++ if (sta_hdr) { ++ len += le16_to_cpu(sta_hdr->len); ++ sta_hdr->len = cpu_to_le16(len); ++ } + + return ptlv; + } +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-fix-uninitialized-pointer-in-mt7921_mac_fi.patch b/queue-6.0/wifi-mt76-fix-uninitialized-pointer-in-mt7921_mac_fi.patch new file mode 100644 index 00000000000..2780ae3c29b --- /dev/null +++ b/queue-6.0/wifi-mt76-fix-uninitialized-pointer-in-mt7921_mac_fi.patch @@ -0,0 +1,36 @@ +From 933d81365b4850a527d6e19166780328d41e19c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 12:32:12 +0200 +Subject: wifi: mt76: fix uninitialized pointer in mt7921_mac_fill_rx + +From: Lorenzo Bianconi + +[ Upstream commit 9be57ad73984545d594ed359dac19457bcb9fc27 ] + +Initialize msta pointer to NULL in mt7921_mac_fill_rx() in order to not +dereference a uninitialized pointer. + +Fixes: 0880d40871d1d ("mt76: connac: move mt76_connac2_reverse_frag0_hdr_trans in mt76-connac module") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c +index 6bd9fc9228a2..e8a7a5831782 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c +@@ -235,7 +235,7 @@ mt7921_mac_fill_rx(struct mt7921_dev *dev, struct sk_buff *skb) + u32 rxd2 = le32_to_cpu(rxd[2]); + u32 rxd3 = le32_to_cpu(rxd[3]); + u32 rxd4 = le32_to_cpu(rxd[4]); +- struct mt7921_sta *msta; ++ struct mt7921_sta *msta = NULL; + u16 seq_ctrl = 0; + __le16 fc = 0; + u8 mode = 0; +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7615-add-mt7615_mutex_acquire-release-in.patch b/queue-6.0/wifi-mt76-mt7615-add-mt7615_mutex_acquire-release-in.patch new file mode 100644 index 00000000000..21e843a284c --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7615-add-mt7615_mutex_acquire-release-in.patch @@ -0,0 +1,46 @@ +From 771d203235eb140d75693a37d3d152a8e93a8616 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 10:26:40 +0200 +Subject: wifi: mt76: mt7615: add mt7615_mutex_acquire/release in + mt7615_sta_set_decap_offload + +From: Lorenzo Bianconi + +[ Upstream commit 765c69d477a44c088e5d19e7758dfa4db418e3ba ] + +Similar to mt7921 driver, introduce mt7615_mutex_acquire/release in +mt7615_sta_set_decap_offload in order to avoid sending mcu commands +while the device is in low-power state. + +Fixes: d4b98c63d7a77 ("mt76: mt7615: add support for rx decapsulation offload") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c +index 9bf8545c8c17..8d4733f87cda 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c +@@ -1195,12 +1195,16 @@ static void mt7615_sta_set_decap_offload(struct ieee80211_hw *hw, + struct mt7615_dev *dev = mt7615_hw_dev(hw); + struct mt7615_sta *msta = (struct mt7615_sta *)sta->drv_priv; + ++ mt7615_mutex_acquire(dev); ++ + if (enabled) + set_bit(MT_WCID_FLAG_HDR_TRANS, &msta->wcid.flags); + else + clear_bit(MT_WCID_FLAG_HDR_TRANS, &msta->wcid.flags); + + mt7615_mcu_set_sta_decap_offload(dev, vif, sta); ++ ++ mt7615_mutex_release(dev); + } + + #ifdef CONFIG_PM +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7915-do-not-check-state-before-configuri.patch b/queue-6.0/wifi-mt76-mt7915-do-not-check-state-before-configuri.patch new file mode 100644 index 00000000000..2244ffa5ce6 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7915-do-not-check-state-before-configuri.patch @@ -0,0 +1,43 @@ +From e8c216a396d04cde9ce36af7dc8d2557c6bb6d57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 10:44:07 +0800 +Subject: wifi: mt76: mt7915: do not check state before configuring implicit + beamform + +From: Howard Hsu + +[ Upstream commit d2b5bb6dfab29fe32bedefaade88dcd182c03a00 ] + +Do not need to check running state before configuring implicit Tx +beamform. It is okay to configure implicit Tx beamform in run time. +Noted that the existing connected stations will be applied for new +configuration only if they reconnected to the interface. + +Fixes: 6d6dc980e07d ("mt76: mt7915: add implicit Tx beamforming support") +Signed-off-by: Howard Hsu +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c +index fd76db8f5269..6ef3431cad64 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/debugfs.c +@@ -23,9 +23,9 @@ mt7915_implicit_txbf_set(void *data, u64 val) + { + struct mt7915_dev *dev = data; + +- if (test_bit(MT76_STATE_RUNNING, &dev->mphy.state)) +- return -EBUSY; +- ++ /* The existing connected stations shall reconnect to apply ++ * new implicit txbf configuration. ++ */ + dev->ibf = !!val; + + return mt7915_mcu_set_txbf(dev, MT_BF_TYPE_UPDATE); +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7915-fix-an-uninitialized-variable-bug.patch b/queue-6.0/wifi-mt76-mt7915-fix-an-uninitialized-variable-bug.patch new file mode 100644 index 00000000000..8280c8ff875 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7915-fix-an-uninitialized-variable-bug.patch @@ -0,0 +1,40 @@ +From 45e38ab6f43c033ab661e5ea0941367e4417fe29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 09:34:55 +0300 +Subject: wifi: mt76: mt7915: fix an uninitialized variable bug + +From: Dan Carpenter + +[ Upstream commit b5ee771c84082b4e54cc39d9d9a2dd239e4f6b86 ] + +Smatch complains that: + + drivers/net/wireless/mediatek/mt76/mt7915/mac.c:428 mt7915_mac_fill_rx() + error: uninitialized symbol 'msta'. + +It looks like this was supposed to be initialized to NULL. + +Fixes: 0880d40871d1 ("mt76: connac: move mt76_connac2_reverse_frag0_hdr_trans in mt76-connac module") +Signed-off-by: Dan Carpenter +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +index 60ae834d95a6..4ddcd3afa428 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +@@ -232,7 +232,7 @@ mt7915_mac_fill_rx(struct mt7915_dev *dev, struct sk_buff *skb) + bool unicast, insert_ccmp_hdr = false; + u8 remove_pad, amsdu_info; + u8 mode = 0, qos_ctl = 0; +- struct mt7915_sta *msta; ++ struct mt7915_sta *msta = NULL; + bool hdr_trans; + u16 hdr_gap; + u16 seq_ctrl = 0; +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7915-fix-mcs-value-in-ht-mode.patch b/queue-6.0/wifi-mt76-mt7915-fix-mcs-value-in-ht-mode.patch new file mode 100644 index 00000000000..0832fec4c2a --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7915-fix-mcs-value-in-ht-mode.patch @@ -0,0 +1,56 @@ +From c7839fcb782b954b6213ff5e228aae2d487774af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 11:29:31 +0800 +Subject: wifi: mt76: mt7915: fix mcs value in ht mode + +From: Howard Hsu + +[ Upstream commit c6d3e16ad4362502e804a6ca01e955612f3b8222 ] + +Fix the error that mcs will be reduced to a range of 0 to 7 in ht mode. + +Fixes: 70fd1333cd32 ("mt76: mt7915: rework .set_bitrate_mask() to support more options") +Signed-off-by: Howard Hsu +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index f83067961945..e99fdacc11ce 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -1360,7 +1360,7 @@ mt7915_mcu_add_rate_ctrl_fixed(struct mt7915_dev *dev, + struct sta_phy phy = {}; + int ret, nrates = 0; + +-#define __sta_phy_bitrate_mask_check(_mcs, _gi, _he) \ ++#define __sta_phy_bitrate_mask_check(_mcs, _gi, _ht, _he) \ + do { \ + u8 i, gi = mask->control[band]._gi; \ + gi = (_he) ? gi : gi == NL80211_TXRATE_FORCE_SGI; \ +@@ -1373,15 +1373,17 @@ mt7915_mcu_add_rate_ctrl_fixed(struct mt7915_dev *dev, + continue; \ + nrates += hweight16(mask->control[band]._mcs[i]); \ + phy.mcs = ffs(mask->control[band]._mcs[i]) - 1; \ ++ if (_ht) \ ++ phy.mcs += 8 * i; \ + } \ + } while (0) + + if (sta->deflink.he_cap.has_he) { +- __sta_phy_bitrate_mask_check(he_mcs, he_gi, 1); ++ __sta_phy_bitrate_mask_check(he_mcs, he_gi, 0, 1); + } else if (sta->deflink.vht_cap.vht_supported) { +- __sta_phy_bitrate_mask_check(vht_mcs, gi, 0); ++ __sta_phy_bitrate_mask_check(vht_mcs, gi, 0, 0); + } else if (sta->deflink.ht_cap.ht_supported) { +- __sta_phy_bitrate_mask_check(ht_mcs, gi, 0); ++ __sta_phy_bitrate_mask_check(ht_mcs, gi, 1, 0); + } else { + nrates = hweight32(mask->control[band].legacy); + phy.mcs = ffs(mask->control[band].legacy) - 1; +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7915-fix-possible-unaligned-access-in-mt.patch b/queue-6.0/wifi-mt76-mt7915-fix-possible-unaligned-access-in-mt.patch new file mode 100644 index 00000000000..54be4196456 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7915-fix-possible-unaligned-access-in-mt.patch @@ -0,0 +1,52 @@ +From b42b38b5f635b92b370dbf546bf30f4986def847 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 11:50:03 +0200 +Subject: wifi: mt76: mt7915: fix possible unaligned access in + mt7915_mac_add_twt_setup + +From: Lorenzo Bianconi + +[ Upstream commit 3d9aa54355d863e5412a7e08180f50a8f1827b7f ] + +Fix possible unaligned pointer in mt7915_mac_add_twt_setup routine. + +Reported-by: kernel test robot +Fixes: 3782b69d03e71 ("mt76: mt7915: introduce mt7915_mac_add_twt_setup routine") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +index 4ddcd3afa428..49aa5c056063 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +@@ -2071,8 +2071,9 @@ void mt7915_mac_add_twt_setup(struct ieee80211_hw *hw, + } + + flowid = ffs(~msta->twt.flowid_mask) - 1; +- le16p_replace_bits(&twt_agrt->req_type, flowid, +- IEEE80211_TWT_REQTYPE_FLOWID); ++ twt_agrt->req_type &= ~cpu_to_le16(IEEE80211_TWT_REQTYPE_FLOWID); ++ twt_agrt->req_type |= le16_encode_bits(flowid, ++ IEEE80211_TWT_REQTYPE_FLOWID); + + table_id = ffs(~dev->twt.table_mask) - 1; + exp = FIELD_GET(IEEE80211_TWT_REQTYPE_WAKE_INT_EXP, req_type); +@@ -2122,8 +2123,9 @@ void mt7915_mac_add_twt_setup(struct ieee80211_hw *hw, + unlock: + mutex_unlock(&dev->mt76.mutex); + out: +- le16p_replace_bits(&twt_agrt->req_type, setup_cmd, +- IEEE80211_TWT_REQTYPE_SETUP_CMD); ++ twt_agrt->req_type &= ~cpu_to_le16(IEEE80211_TWT_REQTYPE_SETUP_CMD); ++ twt_agrt->req_type |= ++ le16_encode_bits(setup_cmd, IEEE80211_TWT_REQTYPE_SETUP_CMD); + twt->control = (twt->control & IEEE80211_TWT_CONTROL_WAKE_DUR_UNIT) | + (twt->control & IEEE80211_TWT_CONTROL_RX_DISABLED); + } +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7921-add-mt7921_mutex_acquire-at-mt7921_.patch b/queue-6.0/wifi-mt76-mt7921-add-mt7921_mutex_acquire-at-mt7921_.patch new file mode 100644 index 00000000000..cd0d1f18982 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7921-add-mt7921_mutex_acquire-at-mt7921_.patch @@ -0,0 +1,77 @@ +From 89ebf9e2de0aa551a606ddb7e92703fc3019a142 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 22:44:56 +0800 +Subject: wifi: mt76: mt7921: add mt7921_mutex_acquire at mt7921_[start, + stop]_ap + +From: Sean Wang + +[ Upstream commit 52b44015f031f629f1ce1d73415a2017593c7ade ] + +Add mt7921_mutex_acquire at mt7921_[start, stop]_ap to fix the race +with the context holding dev->muxtex and the driver might access the +device in low power state. + +Fixes: 9d958b60ebc2 ("mt76: mt7921: fix command timeout in AP stop period") +Tested-by: AngeloGioacchino Del Regno +Signed-off-by: Sean Wang +Acked-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7921/main.c | 21 ++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +index 1438a9f8d1fd..63fd33dcd3af 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +@@ -1526,17 +1526,23 @@ mt7921_start_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + struct mt7921_dev *dev = mt7921_hw_dev(hw); + int err; + ++ mt7921_mutex_acquire(dev); ++ + err = mt76_connac_mcu_uni_add_bss(phy->mt76, vif, &mvif->sta.wcid, + true); + if (err) +- return err; ++ goto out; + + err = mt7921_mcu_set_bss_pm(dev, vif, true); + if (err) +- return err; ++ goto out; ++ ++ err = mt7921_mcu_sta_update(dev, NULL, vif, true, ++ MT76_STA_INFO_STATE_NONE); ++out: ++ mt7921_mutex_release(dev); + +- return mt7921_mcu_sta_update(dev, NULL, vif, true, +- MT76_STA_INFO_STATE_NONE); ++ return err; + } + + static void +@@ -1548,11 +1554,16 @@ mt7921_stop_ap(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + struct mt7921_dev *dev = mt7921_hw_dev(hw); + int err; + ++ mt7921_mutex_acquire(dev); ++ + err = mt7921_mcu_set_bss_pm(dev, vif, false); + if (err) +- return; ++ goto out; + + mt76_connac_mcu_uni_add_bss(phy->mt76, vif, &mvif->sta.wcid, false); ++ ++out: ++ mt7921_mutex_release(dev); + } + + const struct ieee80211_ops mt7921_ops = { +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7921-add-mt7921_mutex_acquire-at-mt7921_.patch-31950 b/queue-6.0/wifi-mt76-mt7921-add-mt7921_mutex_acquire-at-mt7921_.patch-31950 new file mode 100644 index 00000000000..27ecd922b53 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7921-add-mt7921_mutex_acquire-at-mt7921_.patch-31950 @@ -0,0 +1,49 @@ +From 05c98abafd3fb7d442376f5f0e89a99c1a6c809b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 22:44:57 +0800 +Subject: wifi: mt76: mt7921: add mt7921_mutex_acquire at + mt7921_sta_set_decap_offload + +From: Sean Wang + +[ Upstream commit 59c20b91786d5f140ee7be2f24c242b5f8986046 ] + +Add mt7921_mutex_acquire at mt7921_[start, stop]_ap to fix the race +with the context holding dev->muxtex and the driver might access the +device in low power state. + +Fixes: 24299fc869f7 ("mt76: mt7921: enable rx header traslation offload") +Tested-by: AngeloGioacchino Del Regno +Acked-by: Lorenzo Bianconi +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +index 63fd33dcd3af..7214735011d0 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +@@ -1404,6 +1404,8 @@ static void mt7921_sta_set_decap_offload(struct ieee80211_hw *hw, + struct mt7921_sta *msta = (struct mt7921_sta *)sta->drv_priv; + struct mt7921_dev *dev = mt7921_hw_dev(hw); + ++ mt7921_mutex_acquire(dev); ++ + if (enabled) + set_bit(MT_WCID_FLAG_HDR_TRANS, &msta->wcid.flags); + else +@@ -1411,6 +1413,8 @@ static void mt7921_sta_set_decap_offload(struct ieee80211_hw *hw, + + mt76_connac_mcu_sta_update_hdr_trans(&dev->mt76, vif, &msta->wcid, + MCU_UNI_CMD(STA_REC_UPDATE)); ++ ++ mt7921_mutex_release(dev); + } + + #if IS_ENABLED(CONFIG_IPV6) +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7921-fix-the-firmware-version-report.patch b/queue-6.0/wifi-mt76-mt7921-fix-the-firmware-version-report.patch new file mode 100644 index 00000000000..28155971e8f --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7921-fix-the-firmware-version-report.patch @@ -0,0 +1,39 @@ +From d2ce305bb06bb4cf81fed54a808b5a5db90e39ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 06:45:51 +0800 +Subject: wifi: mt76: mt7921: fix the firmware version report + +From: Sean Wang + +[ Upstream commit 00be84d6dfc8319ed1864d3ca8658569d36a1882 ] + +Fix the regression of the firmware version report since +'b9ec27102ac0 ('mt76: connac: move mt76_connac2_load_ram in connac +module')'. + +Fixes: b9ec27102ac0 ("mt76: connac: move mt76_connac2_load_ram in connac module") +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +index 13d4722e4186..7cac7b126e59 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +@@ -2888,6 +2888,10 @@ int mt76_connac2_load_ram(struct mt76_dev *dev, const char *fw_wm, + goto out; + } + ++ snprintf(dev->hw->wiphy->fw_version, ++ sizeof(dev->hw->wiphy->fw_version), ++ "%.10s-%.15s", hdr->fw_ver, hdr->build_date); ++ + release_firmware(fw); + + if (!fw_wa) +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7921-fix-use-after-free-in-mt7921_acpi_r.patch b/queue-6.0/wifi-mt76-mt7921-fix-use-after-free-in-mt7921_acpi_r.patch new file mode 100644 index 00000000000..ab406edf7c8 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7921-fix-use-after-free-in-mt7921_acpi_r.patch @@ -0,0 +1,47 @@ +From 41f699b5355a8f0b978b8575f9339bbc085bb4a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 09:37:07 +0300 +Subject: wifi: mt76: mt7921: fix use after free in mt7921_acpi_read() + +From: Dan Carpenter + +[ Upstream commit e7de4b4979bd8d313ec837931dde936653ca82ea ] + +Don't dereference "sar_root" after it has been freed. + +Fixes: f965333e491e ("mt76: mt7921: introduce ACPI SAR support") +Signed-off-by: Dan Carpenter +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c b/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c +index be4f07ad3af9..47e034a9b003 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/acpi_sar.c +@@ -13,6 +13,7 @@ mt7921_acpi_read(struct mt7921_dev *dev, u8 *method, u8 **tbl, u32 *len) + acpi_handle root, handle; + acpi_status status; + u32 i = 0; ++ int ret; + + root = ACPI_HANDLE(mdev->dev); + if (!root) +@@ -52,9 +53,11 @@ mt7921_acpi_read(struct mt7921_dev *dev, u8 *method, u8 **tbl, u32 *len) + *(*tbl + i) = (u8)sar_unit->integer.value; + } + free: ++ ret = (i == sar_root->package.count) ? 0 : -EINVAL; ++ + kfree(sar_root); + +- return (i == sar_root->package.count) ? 0 : -EINVAL; ++ return ret; + } + + /* MTCL : Country List Table for 6G band */ +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7921-reset-msta-airtime_ac-while-clearin.patch b/queue-6.0/wifi-mt76-mt7921-reset-msta-airtime_ac-while-clearin.patch new file mode 100644 index 00000000000..09bb96961e0 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7921-reset-msta-airtime_ac-while-clearin.patch @@ -0,0 +1,37 @@ +From 05f3ff4db54af1c4fa5e433d745504729af7e02c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 06:57:44 +0800 +Subject: wifi: mt76: mt7921: reset msta->airtime_ac while clearing up hw value + +From: Sean Wang + +[ Upstream commit 1bf66dc31032ff5292f4d5b76436653f269fcfbd ] + +We should reset mstat->airtime_ac along with clear up the entries in the +hardware WLAN table for the Rx and Rx accumulative airtime. Otherwsie, the +value msta->airtime_ac - [tx, rx]_last may be a negative and that is not +the actual airtime the device took in the last run. + +Reported-by: YN Chen +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +index 7214735011d0..c9e9a533289f 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +@@ -752,6 +752,7 @@ void mt7921_mac_sta_assoc(struct mt76_dev *mdev, struct ieee80211_vif *vif, + + mt7921_mac_wtbl_update(dev, msta->wcid.idx, + MT_WTBL_UPDATE_ADM_COUNT_CLEAR); ++ memset(msta->airtime_ac, 0, sizeof(msta->airtime_ac)); + + mt7921_mcu_sta_update(dev, sta, vif, true, MT76_STA_INFO_STATE_ASSOC); + +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7921e-fix-race-issue-between-reset-and-s.patch b/queue-6.0/wifi-mt76-mt7921e-fix-race-issue-between-reset-and-s.patch new file mode 100644 index 00000000000..4636f8d17c7 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7921e-fix-race-issue-between-reset-and-s.patch @@ -0,0 +1,106 @@ +From 617fa5efdead03358f770598a3d7b46561f77de1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 06:25:37 +0800 +Subject: wifi: mt76: mt7921e: fix race issue between reset and suspend/resume + +From: Sean Wang + +[ Upstream commit ff6c4a6449793e9718ef2e9ad46864b63022648e ] + +It is unexpected that the reset work is running simultaneously with +the suspend or resume context and it is possible that reset work is still +running even after mt7921 is suspended if we don't fix the race issue. + +Thus, the suspend procedure should be waiting until the reset is completed +at the beginning and ignore the subsequent the reset requests. + +In case there is an error that happens during either suspend or resume +handler, we will schedule a reset task to recover the error before +returning the error code to ensure we can immediately fix the error there. + +Fixes: 0c1ce9884607 ("mt76: mt7921: add wifi reset support") +Co-developed-by: YN Chen +Signed-off-by: YN Chen +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 5 +++++ + drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 13 +++++++++---- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c +index 47f0aa81ab02..6bd9fc9228a2 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c +@@ -780,6 +780,7 @@ void mt7921_mac_reset_work(struct work_struct *work) + void mt7921_reset(struct mt76_dev *mdev) + { + struct mt7921_dev *dev = container_of(mdev, struct mt7921_dev, mt76); ++ struct mt76_connac_pm *pm = &dev->pm; + + if (!dev->hw_init_done) + return; +@@ -787,8 +788,12 @@ void mt7921_reset(struct mt76_dev *mdev) + if (dev->hw_full_reset) + return; + ++ if (pm->suspended) ++ return; ++ + queue_work(dev->mt76.wq, &dev->reset_work); + } ++EXPORT_SYMBOL_GPL(mt7921_reset); + + void mt7921_mac_update_mib_stats(struct mt7921_phy *phy) + { +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c +index ea3069d18c35..2b015dacbba2 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c +@@ -367,6 +367,7 @@ static int mt7921_pci_suspend(struct device *device) + int i, err; + + pm->suspended = true; ++ flush_work(&dev->reset_work); + cancel_delayed_work_sync(&pm->ps_work); + cancel_work_sync(&pm->wake_work); + +@@ -428,6 +429,9 @@ static int mt7921_pci_suspend(struct device *device) + restore_suspend: + pm->suspended = false; + ++ if (err < 0) ++ mt7921_reset(&dev->mt76); ++ + return err; + } + +@@ -441,7 +445,7 @@ static int mt7921_pci_resume(struct device *device) + + err = mt7921_mcu_drv_pmctrl(dev); + if (err < 0) +- return err; ++ goto failed; + + mt7921_wpdma_reinit_cond(dev); + +@@ -471,11 +475,12 @@ static int mt7921_pci_resume(struct device *device) + mt76_connac_mcu_set_deep_sleep(&dev->mt76, false); + + err = mt76_connac_mcu_set_hif_suspend(mdev, false); +- if (err) +- return err; +- ++failed: + pm->suspended = false; + ++ if (err < 0) ++ mt7921_reset(&dev->mt76); ++ + return err; + } + +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7921e-fix-rmmod-crash-in-driver-reload-t.patch b/queue-6.0/wifi-mt76-mt7921e-fix-rmmod-crash-in-driver-reload-t.patch new file mode 100644 index 00000000000..946f3cef018 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7921e-fix-rmmod-crash-in-driver-reload-t.patch @@ -0,0 +1,70 @@ +From a2583aa12bd016c6ba736d599e5cf9b0ce841d5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 20:39:43 +0800 +Subject: wifi: mt76: mt7921e: fix rmmod crash in driver reload test + +From: Deren Wu + +[ Upstream commit b5a62d612b7baf6e09884e4de94decb6391d6a9d ] + +In insmod/rmmod stress test, the following crash dump shows up immediately. +The problem is caused by missing mt76_dev in mt7921_pci_remove(). We +should make sure the drvdata is ready before probe() finished. + +[168.862789] ================================================================== +[168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480 +[168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361 +[168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G OE 5.19.0-rc6 #1 +[168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020 +[168.862820] Call Trace: +[168.862822] +[168.862825] dump_stack_lvl+0x49/0x63 +[168.862832] print_report.cold+0x493/0x6b7 +[168.862845] kasan_report+0xa7/0x120 +[168.862857] kasan_check_range+0x163/0x200 +[168.862861] __kasan_check_write+0x14/0x20 +[168.862866] try_to_grab_pending+0x59/0x480 +[168.862870] __cancel_work_timer+0xbb/0x340 +[168.862898] cancel_work_sync+0x10/0x20 +[168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e] +[168.862909] pci_device_remove+0xa3/0x1d0 +[168.862914] device_remove+0xc4/0x170 +[168.862920] device_release_driver_internal+0x163/0x300 +[168.862925] driver_detach+0xc7/0x1a0 +[168.862930] bus_remove_driver+0xeb/0x2d0 +[168.862935] driver_unregister+0x71/0xb0 +[168.862939] pci_unregister_driver+0x30/0x230 +[168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e] +[168.862949] __x64_sys_delete_module+0x2f9/0x4b0 +[168.862968] do_syscall_64+0x38/0x90 +[168.862973] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Test steps: +1. insmode +2. do not ifup +3. rmmod quickly (within 1 second) + +Fixes: 1c71e03afe4b ("mt76: mt7921: move mt7921_init_hw in a dedicated work") +Signed-off-by: Deren Wu +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c +index 2b015dacbba2..e5b1f6249763 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c +@@ -288,6 +288,8 @@ static int mt7921_pci_probe(struct pci_dev *pdev, + goto err_free_pci_vec; + } + ++ pci_set_drvdata(pdev, mdev); ++ + dev = container_of(mdev, struct mt7921_dev, mt76); + dev->hif_ops = &mt7921_pcie_ops; + +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7921s-fix-race-issue-between-reset-and-s.patch b/queue-6.0/wifi-mt76-mt7921s-fix-race-issue-between-reset-and-s.patch new file mode 100644 index 00000000000..ef4aae55570 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7921s-fix-race-issue-between-reset-and-s.patch @@ -0,0 +1,80 @@ +From 2489b930fc68b5d5d58bc07a968d70e80d7bf9ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 06:25:38 +0800 +Subject: wifi: mt76: mt7921s: fix race issue between reset and suspend/resume + +From: Sean Wang + +[ Upstream commit e86f10e6809add9132ecc2c6b3184ed59db7ca71 ] + +It is unexpected that the reset work is running simultaneously with +the suspend or resume context and it is possible that reset work is still +running even after mt7921 is suspended if we don't fix the race issue. + +Thus, the suspend procedure should be waiting until the reset is completed +at the beginning and ignore the subsequent the reset requests. + +In case there is an error that happens during either suspend or resume +handler, we will schedule a reset task to recover the error before +returning the error code to ensure we can immediately fix the error there. + +Fixes: ca74b9b907f9 ("mt76: mt7921s: add reset support") +Co-developed-by: YN Chen +Signed-off-by: YN Chen +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c +index 487acd6e2be8..2face849fb4f 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c +@@ -206,6 +206,7 @@ static int mt7921s_suspend(struct device *__dev) + pm->suspended = true; + set_bit(MT76_STATE_SUSPEND, &mdev->phy.state); + ++ flush_work(&dev->reset_work); + cancel_delayed_work_sync(&pm->ps_work); + cancel_work_sync(&pm->wake_work); + +@@ -261,6 +262,9 @@ static int mt7921s_suspend(struct device *__dev) + clear_bit(MT76_STATE_SUSPEND, &mdev->phy.state); + pm->suspended = false; + ++ if (err < 0) ++ mt7921_reset(&dev->mt76); ++ + return err; + } + +@@ -276,7 +280,7 @@ static int mt7921s_resume(struct device *__dev) + + err = mt7921_mcu_drv_pmctrl(dev); + if (err < 0) +- return err; ++ goto failed; + + mt76_worker_enable(&mdev->tx_worker); + mt76_worker_enable(&mdev->sdio.txrx_worker); +@@ -288,11 +292,12 @@ static int mt7921s_resume(struct device *__dev) + mt76_connac_mcu_set_deep_sleep(mdev, false); + + err = mt76_connac_mcu_set_hif_suspend(mdev, false); +- if (err) +- return err; +- ++failed: + pm->suspended = false; + ++ if (err < 0) ++ mt7921_reset(&dev->mt76); ++ + return err; + } + +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-mt7921u-fix-race-issue-between-reset-and-s.patch b/queue-6.0/wifi-mt76-mt7921u-fix-race-issue-between-reset-and-s.patch new file mode 100644 index 00000000000..e200031caa0 --- /dev/null +++ b/queue-6.0/wifi-mt76-mt7921u-fix-race-issue-between-reset-and-s.patch @@ -0,0 +1,102 @@ +From a51ae5e7f75ea1db5f27504dc6c1e11bb55978e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 06:25:39 +0800 +Subject: wifi: mt76: mt7921u: fix race issue between reset and suspend/resume + +From: Sean Wang + +[ Upstream commit 86f15d043ba7f13211d5c3e41961c3381fb12880 ] + +It is unexpected that the reset work is running simultaneously with +the suspend or resume context and it is possible that reset work is still +running even after mt7921 is suspended if we don't fix the race issue. + +Thus, the suspend procedure should be waiting until the reset is completed +at the beginning and ignore the subsequent the reset requests. + +In case there is an error that happens during either suspend or resume +handler, we will schedule a reset task to recover the error before +returning the error code to ensure we can immediately fix the error there. + +Fixes: df3e4143ba8a ("mt76: mt7921u: add suspend/resume support") +Co-developed-by: YN Chen +Signed-off-by: YN Chen +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7921/usb.c | 28 ++++++++++++++++--- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c +index dd3b8884e162..613d5cefffc7 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c +@@ -300,11 +300,15 @@ static void mt7921u_disconnect(struct usb_interface *usb_intf) + static int mt7921u_suspend(struct usb_interface *intf, pm_message_t state) + { + struct mt7921_dev *dev = usb_get_intfdata(intf); ++ struct mt76_connac_pm *pm = &dev->pm; + int err; + ++ pm->suspended = true; ++ flush_work(&dev->reset_work); ++ + err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, true); + if (err) +- return err; ++ goto failed; + + mt76u_stop_rx(&dev->mt76); + mt76u_stop_tx(&dev->mt76); +@@ -312,11 +316,20 @@ static int mt7921u_suspend(struct usb_interface *intf, pm_message_t state) + set_bit(MT76_STATE_SUSPEND, &dev->mphy.state); + + return 0; ++ ++failed: ++ pm->suspended = false; ++ ++ if (err < 0) ++ mt7921_reset(&dev->mt76); ++ ++ return err; + } + + static int mt7921u_resume(struct usb_interface *intf) + { + struct mt7921_dev *dev = usb_get_intfdata(intf); ++ struct mt76_connac_pm *pm = &dev->pm; + bool reinit = true; + int err, i; + +@@ -338,16 +351,23 @@ static int mt7921u_resume(struct usb_interface *intf) + if (reinit || mt7921_dma_need_reinit(dev)) { + err = mt7921u_dma_init(dev, true); + if (err) +- return err; ++ goto failed; + } + + clear_bit(MT76_STATE_SUSPEND, &dev->mphy.state); + + err = mt76u_resume_rx(&dev->mt76); + if (err < 0) +- return err; ++ goto failed; ++ ++ err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, false); ++failed: ++ pm->suspended = false; ++ ++ if (err < 0) ++ mt7921_reset(&dev->mt76); + +- return mt76_connac_mcu_set_hif_suspend(&dev->mt76, false); ++ return err; + } + #endif /* CONFIG_PM */ + +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-sdio-fix-the-deadlock-caused-by-sdio-stat_.patch b/queue-6.0/wifi-mt76-sdio-fix-the-deadlock-caused-by-sdio-stat_.patch new file mode 100644 index 00000000000..a4e793c5fc6 --- /dev/null +++ b/queue-6.0/wifi-mt76-sdio-fix-the-deadlock-caused-by-sdio-stat_.patch @@ -0,0 +1,51 @@ +From cd1f9d0cebf0866328f784031fcc288a4043b7f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 06:39:35 +0800 +Subject: wifi: mt76: sdio: fix the deadlock caused by sdio->stat_work + +From: Sean Wang + +[ Upstream commit e5d78fd998be94fb459a3d625df7367849b997b8 ] + +Because wake_work and sdio->stat_work share the same workqueue mt76->wq, +if sdio->stat_work cannot acquire the mutex lock such as that was possibly +held up by [mt7615, mt7921]_mutex_acquire. Additionally, if +[mt7615, mt7921]_mutex_acquire was called by sdio->stat_work self, the wake +would be blocked by itself. Thus, we move the stat_work into +ieee80211_workqueue instead to break the deadlock. + +Fixes: d39b52e31aa6 ("mt76: introduce mt76_sdio module") +Co-developed-by: YN Chen +Signed-off-by: YN Chen +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/sdio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/sdio.c b/drivers/net/wireless/mediatek/mt76/sdio.c +index aba2a9865821..fb2caeae6dba 100644 +--- a/drivers/net/wireless/mediatek/mt76/sdio.c ++++ b/drivers/net/wireless/mediatek/mt76/sdio.c +@@ -481,7 +481,7 @@ static void mt76s_status_worker(struct mt76_worker *w) + if (dev->drv->tx_status_data && + !test_and_set_bit(MT76_READING_STATS, &dev->phy.state) && + !test_bit(MT76_STATE_SUSPEND, &dev->phy.state)) +- queue_work(dev->wq, &dev->sdio.stat_work); ++ ieee80211_queue_work(dev->hw, &dev->sdio.stat_work); + } while (nframes > 0); + + if (resched) +@@ -508,7 +508,7 @@ static void mt76s_tx_status_data(struct work_struct *work) + } + + if (count && test_bit(MT76_STATE_RUNNING, &dev->phy.state)) +- queue_work(dev->wq, &sdio->stat_work); ++ ieee80211_queue_work(dev->hw, &sdio->stat_work); + else + clear_bit(MT76_READING_STATS, &dev->phy.state); + } +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-sdio-fix-transmitting-packet-hangs.patch b/queue-6.0/wifi-mt76-sdio-fix-transmitting-packet-hangs.patch new file mode 100644 index 00000000000..0ec2fcf7eac --- /dev/null +++ b/queue-6.0/wifi-mt76-sdio-fix-transmitting-packet-hangs.patch @@ -0,0 +1,37 @@ +From 26a99f125586ce5bc0b73b30f9b3c1f482fcbdc1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Jul 2022 05:59:23 +0800 +Subject: wifi: mt76: sdio: fix transmitting packet hangs + +From: YN Chen + +[ Upstream commit 250b1827205846ff346a76044955cb79d4963f70 ] + +Fix transmitting packets hangs with continuing to pull the pending packet +from mac80211 queues when receiving Tx status notification from the device. + +Fixes: aac5104bf631 ("mt76: sdio: do not run mt76_txq_schedule directly") +Acked-by: Sean Wang +Signed-off-by: YN Chen +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/sdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/sdio.c b/drivers/net/wireless/mediatek/mt76/sdio.c +index ece4e4bb94a1..0ec308f99af5 100644 +--- a/drivers/net/wireless/mediatek/mt76/sdio.c ++++ b/drivers/net/wireless/mediatek/mt76/sdio.c +@@ -485,7 +485,7 @@ static void mt76s_status_worker(struct mt76_worker *w) + } while (nframes > 0); + + if (resched) +- mt76_worker_schedule(&dev->sdio.txrx_worker); ++ mt76_worker_schedule(&dev->tx_worker); + } + + static void mt76s_tx_status_data(struct work_struct *work) +-- +2.35.1 + diff --git a/queue-6.0/wifi-mt76-sdio-poll-sta-stat-when-device-transmits-d.patch b/queue-6.0/wifi-mt76-sdio-poll-sta-stat-when-device-transmits-d.patch new file mode 100644 index 00000000000..f98e325b196 --- /dev/null +++ b/queue-6.0/wifi-mt76-sdio-poll-sta-stat-when-device-transmits-d.patch @@ -0,0 +1,41 @@ +From f9f76db16aa67fbb851570f11ccef4ac1548f52e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jul 2022 06:39:36 +0800 +Subject: wifi: mt76: sdio: poll sta stat when device transmits data + +From: Sean Wang + +[ Upstream commit a323e5f041dd11af5e3de19ed7ea95a97d588c11 ] + +It is not meaningful to poll sta stat when there is no data traffic. +So polling sta stat when the device has transmitted data instead to save +CPU power. + +That implies that it is unallowed the stat_work to work while MCU is being +initialized in the really early stage to fix the possible time to time MCU +initialization failure. + +Fixes: d39b52e31aa6 ("mt76: introduce mt76_sdio module") +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/sdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/sdio.c b/drivers/net/wireless/mediatek/mt76/sdio.c +index fb2caeae6dba..ece4e4bb94a1 100644 +--- a/drivers/net/wireless/mediatek/mt76/sdio.c ++++ b/drivers/net/wireless/mediatek/mt76/sdio.c +@@ -478,7 +478,7 @@ static void mt76s_status_worker(struct mt76_worker *w) + if (ndata_frames > 0) + resched = true; + +- if (dev->drv->tx_status_data && ++ if (dev->drv->tx_status_data && ndata_frames > 0 && + !test_and_set_bit(MT76_READING_STATS, &dev->phy.state) && + !test_bit(MT76_STATE_SUSPEND, &dev->phy.state)) + ieee80211_queue_work(dev->hw, &dev->sdio.stat_work); +-- +2.35.1 + diff --git a/queue-6.0/wifi-rt2x00-correctly-set-bbp-register-86-for-mt7620.patch b/queue-6.0/wifi-rt2x00-correctly-set-bbp-register-86-for-mt7620.patch new file mode 100644 index 00000000000..bac1f534b85 --- /dev/null +++ b/queue-6.0/wifi-rt2x00-correctly-set-bbp-register-86-for-mt7620.patch @@ -0,0 +1,40 @@ +From af89e09717e917d68b7bafcb6804643f1856711c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 21:30:09 +0100 +Subject: wifi: rt2x00: correctly set BBP register 86 for MT7620 + +From: Daniel Golle + +[ Upstream commit c9aada64fe6493461127f1522d7e2f01792d2424 ] + +Instead of 0 set the correct value for BBP register 86 for MT7620. + +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/257267247ee4fa7ebc6a5d0c4948b3f8119c0d77.1663445157.git.daniel@makrotopia.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index b30b062243bb..1a9e27a6d636 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -4164,7 +4164,10 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, + rt2800_bbp_write(rt2x00dev, 62, 0x37 - rt2x00dev->lna_gain); + rt2800_bbp_write(rt2x00dev, 63, 0x37 - rt2x00dev->lna_gain); + rt2800_bbp_write(rt2x00dev, 64, 0x37 - rt2x00dev->lna_gain); +- rt2800_bbp_write(rt2x00dev, 86, 0); ++ if (rt2x00_rt(rt2x00dev, RT6352)) ++ rt2800_bbp_write(rt2x00dev, 86, 0x38); ++ else ++ rt2800_bbp_write(rt2x00dev, 86, 0); + } + + if (rf->channel <= 14) { +-- +2.35.1 + diff --git a/queue-6.0/wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch b/queue-6.0/wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch new file mode 100644 index 00000000000..cdb15cfe1f6 --- /dev/null +++ b/queue-6.0/wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch @@ -0,0 +1,38 @@ +From 483d060d8bc047be0de3361018c8ec5777f9e707 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 21:28:29 +0100 +Subject: wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 + +From: Daniel Golle + +[ Upstream commit d3aad83d05aec0cfd7670cf0028f2ad4b81de92e ] + +The function rt2800_iq_calibrate is intended for Rt5592 only. +Don't call it for MT7620 which has it's own calibration functions. + +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/31a1c34ddbd296b82f38c18c9ae7339059215fdc.1663445157.git.daniel@makrotopia.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index 18102fbe36d6..de81b6060359 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -4365,7 +4365,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, + reg = (rf->channel <= 14 ? 0x1c : 0x24) + 2*rt2x00dev->lna_gain; + rt2800_bbp_write_with_rx_chain(rt2x00dev, 66, reg); + +- rt2800_iq_calibrate(rt2x00dev, rf->channel); ++ if (rt2x00_rt(rt2x00dev, RT5592)) ++ rt2800_iq_calibrate(rt2x00dev, rf->channel); + } + + bbp = rt2800_bbp_read(rt2x00dev, 4); +-- +2.35.1 + diff --git a/queue-6.0/wifi-rt2x00-set-correct-tx_sw_cfg1-mac-register-for-.patch b/queue-6.0/wifi-rt2x00-set-correct-tx_sw_cfg1-mac-register-for-.patch new file mode 100644 index 00000000000..e5b8bb10c0b --- /dev/null +++ b/queue-6.0/wifi-rt2x00-set-correct-tx_sw_cfg1-mac-register-for-.patch @@ -0,0 +1,39 @@ +From 120a1786799aafb72b2fd6cd718c10a8ba52ffba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 21:29:26 +0100 +Subject: wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 + +From: Daniel Golle + +[ Upstream commit eeb50acf15762b61921f9df18663f839f387c054 ] + +Set correct TX_SW_CFG1 MAC register as it is done also in v3 of the +vendor driver[1]. + +[1]: https://gitlab.com/dm38/padavan-ng/-/blob/master/trunk/proprietary/rt_wifi/rtpci/3.0.X.X/mt76x2/chips/rt6352.c#L531 +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/4be38975ce600a34249e12d09a3cb758c6e71071.1663445157.git.daniel@makrotopia.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index de81b6060359..5e7bca935dd4 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -5868,7 +5868,7 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev) + rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000404); + } else if (rt2x00_rt(rt2x00dev, RT6352)) { + rt2800_register_write(rt2x00dev, TX_SW_CFG0, 0x00000401); +- rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0000); ++ rt2800_register_write(rt2x00dev, TX_SW_CFG1, 0x000C0001); + rt2800_register_write(rt2x00dev, TX_SW_CFG2, 0x00000000); + rt2800_register_write(rt2x00dev, TX_ALC_VGA3, 0x00000000); + rt2800_register_write(rt2x00dev, TX0_BB_GAIN_ATTEN, 0x0); +-- +2.35.1 + diff --git a/queue-6.0/wifi-rt2x00-set-soc-wmac-clock-register.patch b/queue-6.0/wifi-rt2x00-set-soc-wmac-clock-register.patch new file mode 100644 index 00000000000..5ea38cb740c --- /dev/null +++ b/queue-6.0/wifi-rt2x00-set-soc-wmac-clock-register.patch @@ -0,0 +1,58 @@ +From 4e3cb2e6489e0b194793021af5f7a89b113cd8c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 21:29:55 +0100 +Subject: wifi: rt2x00: set SoC wmac clock register + +From: Daniel Golle + +[ Upstream commit cbde6ed406a51092d9e8a2df058f5f8490f27443 ] + +Instead of using the default value 33 (pci), set US_CYC_CNT init based +on Programming guide: +If available, set chipset bus clock with fallback to cpu clock/3. + +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/3e275d259f476f597dab91a9c395015ef3fe3284.1663445157.git.daniel@makrotopia.org +Signed-off-by: Sasha Levin +--- + .../net/wireless/ralink/rt2x00/rt2800lib.c | 21 +++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index fec85db7dbc7..b30b062243bb 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -6131,6 +6131,27 @@ static int rt2800_init_registers(struct rt2x00_dev *rt2x00dev) + reg = rt2800_register_read(rt2x00dev, US_CYC_CNT); + rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, 125); + rt2800_register_write(rt2x00dev, US_CYC_CNT, reg); ++ } else if (rt2x00_is_soc(rt2x00dev)) { ++ struct clk *clk = clk_get_sys("bus", NULL); ++ int rate; ++ ++ if (IS_ERR(clk)) { ++ clk = clk_get_sys("cpu", NULL); ++ ++ if (IS_ERR(clk)) { ++ rate = 125; ++ } else { ++ rate = clk_get_rate(clk) / 3000000; ++ clk_put(clk); ++ } ++ } else { ++ rate = clk_get_rate(clk) / 1000000; ++ clk_put(clk); ++ } ++ ++ reg = rt2800_register_read(rt2x00dev, US_CYC_CNT); ++ rt2x00_set_field32(®, US_CYC_CNT_CLOCK_CYCLE, rate); ++ rt2800_register_write(rt2x00dev, US_CYC_CNT, reg); + } + + reg = rt2800_register_read(rt2x00dev, HT_FBK_CFG0); +-- +2.35.1 + diff --git a/queue-6.0/wifi-rt2x00-set-vgc-gain-for-both-chains-of-mt7620.patch b/queue-6.0/wifi-rt2x00-set-vgc-gain-for-both-chains-of-mt7620.patch new file mode 100644 index 00000000000..a6ea7153088 --- /dev/null +++ b/queue-6.0/wifi-rt2x00-set-vgc-gain-for-both-chains-of-mt7620.patch @@ -0,0 +1,38 @@ +From db8adef3052f568ca848b5c7e1a6eb7f52e52c7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Sep 2022 21:29:40 +0100 +Subject: wifi: rt2x00: set VGC gain for both chains of MT7620 + +From: Daniel Golle + +[ Upstream commit 0e09768c085709e10ece3b68f6ac921d3f6a9caa ] + +Set bbp66 for all chains of the MT7620. + +Reported-by: Serge Vasilugin +Signed-off-by: Daniel Golle +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/29e161397e5c9d9399da0fe87d44458aa2b90a78.1663445157.git.daniel@makrotopia.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +index 5e7bca935dd4..fec85db7dbc7 100644 +--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c +@@ -5645,7 +5645,8 @@ static inline void rt2800_set_vgc(struct rt2x00_dev *rt2x00dev, + if (qual->vgc_level != vgc_level) { + if (rt2x00_rt(rt2x00dev, RT3572) || + rt2x00_rt(rt2x00dev, RT3593) || +- rt2x00_rt(rt2x00dev, RT3883)) { ++ rt2x00_rt(rt2x00dev, RT3883) || ++ rt2x00_rt(rt2x00dev, RT6352)) { + rt2800_bbp_write_with_rx_chain(rt2x00dev, 66, + vgc_level); + } else if (rt2x00_rt(rt2x00dev, RT5592)) { +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtl8xxxu-fix-aifs-written-to-reg_edca_-_param.patch b/queue-6.0/wifi-rtl8xxxu-fix-aifs-written-to-reg_edca_-_param.patch new file mode 100644 index 00000000000..927feac7833 --- /dev/null +++ b/queue-6.0/wifi-rtl8xxxu-fix-aifs-written-to-reg_edca_-_param.patch @@ -0,0 +1,98 @@ +From ed1fa85228fb956d8c3ae323ca9e8a78f1a647ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Sep 2022 15:42:25 +0300 +Subject: wifi: rtl8xxxu: Fix AIFS written to REG_EDCA_*_PARAM + +From: Bitterblue Smith + +[ Upstream commit 5574d3290449916397f3092dcd2bac92415498e1 ] + +ieee80211_tx_queue_params.aifs is not supposed to be written directly +to the REG_EDCA_*_PARAM registers. Instead process it like the vendor +drivers do. It's kinda hacky but it works. + +This change boosts the download speed and makes it more stable. + +Tested with RTL8188FU but all the other supported chips should also +benefit. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Signed-off-by: Bitterblue Smith +Acked-by: Jes Sorensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/038cc03f-3567-77ba-a7bd-c4930e3b2fad@gmail.com +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 49 +++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index d8f5b4bb1fa9..08f9d17dce12 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -4560,6 +4560,53 @@ rtl8xxxu_wireless_mode(struct ieee80211_hw *hw, struct ieee80211_sta *sta) + return network_type; + } + ++static void rtl8xxxu_set_aifs(struct rtl8xxxu_priv *priv, u8 slot_time) ++{ ++ u32 reg_edca_param[IEEE80211_NUM_ACS] = { ++ [IEEE80211_AC_VO] = REG_EDCA_VO_PARAM, ++ [IEEE80211_AC_VI] = REG_EDCA_VI_PARAM, ++ [IEEE80211_AC_BE] = REG_EDCA_BE_PARAM, ++ [IEEE80211_AC_BK] = REG_EDCA_BK_PARAM, ++ }; ++ u32 val32; ++ u16 wireless_mode = 0; ++ u8 aifs, aifsn, sifs; ++ int i; ++ ++ if (priv->vif) { ++ struct ieee80211_sta *sta; ++ ++ rcu_read_lock(); ++ sta = ieee80211_find_sta(priv->vif, priv->vif->bss_conf.bssid); ++ if (sta) ++ wireless_mode = rtl8xxxu_wireless_mode(priv->hw, sta); ++ rcu_read_unlock(); ++ } ++ ++ if (priv->hw->conf.chandef.chan->band == NL80211_BAND_5GHZ || ++ (wireless_mode & WIRELESS_MODE_N_24G)) ++ sifs = 16; ++ else ++ sifs = 10; ++ ++ for (i = 0; i < IEEE80211_NUM_ACS; i++) { ++ val32 = rtl8xxxu_read32(priv, reg_edca_param[i]); ++ ++ /* It was set in conf_tx. */ ++ aifsn = val32 & 0xff; ++ ++ /* aifsn not set yet or already fixed */ ++ if (aifsn < 2 || aifsn > 15) ++ continue; ++ ++ aifs = aifsn * slot_time + sifs; ++ ++ val32 &= ~0xff; ++ val32 |= aifs; ++ rtl8xxxu_write32(priv, reg_edca_param[i], val32); ++ } ++} ++ + static void + rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + struct ieee80211_bss_conf *bss_conf, u64 changed) +@@ -4679,6 +4726,8 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + else + val8 = 20; + rtl8xxxu_write8(priv, REG_SLOT, val8); ++ ++ rtl8xxxu_set_aifs(priv, val8); + } + + if (changed & BSS_CHANGED_BSSID) { +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtl8xxxu-fix-skb-misuse-in-tx-queue-selection.patch b/queue-6.0/wifi-rtl8xxxu-fix-skb-misuse-in-tx-queue-selection.patch new file mode 100644 index 00000000000..32d62e4174f --- /dev/null +++ b/queue-6.0/wifi-rtl8xxxu-fix-skb-misuse-in-tx-queue-selection.patch @@ -0,0 +1,47 @@ +From 74038ea74d58188139245ee85c7670c2af84b362 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 19:12:36 +0300 +Subject: wifi: rtl8xxxu: Fix skb misuse in TX queue selection + +From: Bitterblue Smith + +[ Upstream commit edd5747aa12ed61a5ecbfa58d3908623fddbf1e8 ] + +rtl8xxxu_queue_select() selects the wrong TX queues because it's +reading memory from the wrong address. It expects to find ieee80211_hdr +at skb->data, but that's not the case after skb_push(). Move the call +to rtl8xxxu_queue_select() before the call to skb_push(). + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Signed-off-by: Bitterblue Smith +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/7fa4819a-4f20-b2af-b7a6-8ee01ac49295@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index f3a107f19cf5..02b7bc57d217 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5062,6 +5062,8 @@ static void rtl8xxxu_tx(struct ieee80211_hw *hw, + if (control && control->sta) + sta = control->sta; + ++ queue = rtl8xxxu_queue_select(hw, skb); ++ + tx_desc = skb_push(skb, tx_desc_size); + + memset(tx_desc, 0, tx_desc_size); +@@ -5074,7 +5076,6 @@ static void rtl8xxxu_tx(struct ieee80211_hw *hw, + is_broadcast_ether_addr(ieee80211_get_DA(hdr))) + tx_desc->txdw0 |= TXDESC_BROADMULTICAST; + +- queue = rtl8xxxu_queue_select(hw, skb); + tx_desc->txdw1 = cpu_to_le32(queue << TXDESC_QUEUE_SHIFT); + + if (tx_info->control.hw_key) { +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtl8xxxu-gen2-enable-40-mhz-channel-width.patch b/queue-6.0/wifi-rtl8xxxu-gen2-enable-40-mhz-channel-width.patch new file mode 100644 index 00000000000..6309bf9f28c --- /dev/null +++ b/queue-6.0/wifi-rtl8xxxu-gen2-enable-40-mhz-channel-width.patch @@ -0,0 +1,123 @@ +From e872830a8c184cc567178ba2f08c63e9f74e91a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Sep 2022 15:40:56 +0300 +Subject: wifi: rtl8xxxu: gen2: Enable 40 MHz channel width + +From: Bitterblue Smith + +[ Upstream commit a8b5aef2cca15b7fa533421d462e4e0a3429bd6f ] + +The module parameter ht40_2g was supposed to enable 40 MHz operation, +but it didn't. + +Tell the firmware about the channel width when updating the rate mask. +This makes it work with my gen 2 chip RTL8188FU. + +I'm not sure if anything needs to be done for the gen 1 chips, if 40 +MHz channel width already works or not. They update the rate mask with +a different structure which doesn't have a field for the channel width. + +Also set the channel width correctly for sta_statistics. + +Fixes: f653e69009c6 ("rtl8xxxu: Implement basic 8723b specific update_rate_mask() function") +Fixes: bd917b3d28c9 ("rtl8xxxu: fill up txrate info for gen1 chips") +Signed-off-by: Bitterblue Smith +Acked-by: Jes Sorensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/3a950997-7580-8a6b-97a0-e0a81a135456@gmail.com +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 6 +++--- + .../wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 21 +++++++++++++------ + 2 files changed, 18 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +index 7ddce3c3f0c4..782b089a2e1b 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +@@ -1425,7 +1425,7 @@ struct rtl8xxxu_fileops { + void (*set_tx_power) (struct rtl8xxxu_priv *priv, int channel, + bool ht40); + void (*update_rate_mask) (struct rtl8xxxu_priv *priv, +- u32 ramask, u8 rateid, int sgi); ++ u32 ramask, u8 rateid, int sgi, int txbw_40mhz); + void (*report_connect) (struct rtl8xxxu_priv *priv, + u8 macid, bool connect); + void (*fill_txdesc) (struct ieee80211_hw *hw, struct ieee80211_hdr *hdr, +@@ -1511,9 +1511,9 @@ void rtl8xxxu_gen2_config_channel(struct ieee80211_hw *hw); + void rtl8xxxu_gen1_usb_quirks(struct rtl8xxxu_priv *priv); + void rtl8xxxu_gen2_usb_quirks(struct rtl8xxxu_priv *priv); + void rtl8xxxu_update_rate_mask(struct rtl8xxxu_priv *priv, +- u32 ramask, u8 rateid, int sgi); ++ u32 ramask, u8 rateid, int sgi, int txbw_40mhz); + void rtl8xxxu_gen2_update_rate_mask(struct rtl8xxxu_priv *priv, +- u32 ramask, u8 rateid, int sgi); ++ u32 ramask, u8 rateid, int sgi, int txbw_40mhz); + void rtl8xxxu_gen1_report_connect(struct rtl8xxxu_priv *priv, + u8 macid, bool connect); + void rtl8xxxu_gen2_report_connect(struct rtl8xxxu_priv *priv, +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 41d46c54444f..d8f5b4bb1fa9 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -4320,7 +4320,7 @@ static void rtl8xxxu_sw_scan_complete(struct ieee80211_hw *hw, + } + + void rtl8xxxu_update_rate_mask(struct rtl8xxxu_priv *priv, +- u32 ramask, u8 rateid, int sgi) ++ u32 ramask, u8 rateid, int sgi, int txbw_40mhz) + { + struct h2c_cmd h2c; + +@@ -4340,10 +4340,15 @@ void rtl8xxxu_update_rate_mask(struct rtl8xxxu_priv *priv, + } + + void rtl8xxxu_gen2_update_rate_mask(struct rtl8xxxu_priv *priv, +- u32 ramask, u8 rateid, int sgi) ++ u32 ramask, u8 rateid, int sgi, int txbw_40mhz) + { + struct h2c_cmd h2c; +- u8 bw = RTL8XXXU_CHANNEL_WIDTH_20; ++ u8 bw; ++ ++ if (txbw_40mhz) ++ bw = RTL8XXXU_CHANNEL_WIDTH_40; ++ else ++ bw = RTL8XXXU_CHANNEL_WIDTH_20; + + memset(&h2c, 0, sizeof(struct h2c_cmd)); + +@@ -4621,7 +4626,11 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + RATE_INFO_FLAGS_SHORT_GI; + } + +- rarpt->txrate.bw |= RATE_INFO_BW_20; ++ if (rtl8xxxu_ht40_2g && ++ (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40)) ++ rarpt->txrate.bw = RATE_INFO_BW_40; ++ else ++ rarpt->txrate.bw = RATE_INFO_BW_20; + } + bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate); + rarpt->bit_rate = bit_rate; +@@ -4630,7 +4639,7 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + priv->vif = vif; + priv->rssi_level = RTL8XXXU_RATR_STA_INIT; + +- priv->fops->update_rate_mask(priv, ramask, 0, sgi); ++ priv->fops->update_rate_mask(priv, ramask, 0, sgi, rarpt->txrate.bw == RATE_INFO_BW_40); + + rtl8xxxu_write8(priv, REG_BCN_MAX_ERR, 0xff); + +@@ -6344,7 +6353,7 @@ static void rtl8xxxu_refresh_rate_mask(struct rtl8xxxu_priv *priv, + } + + priv->rssi_level = rssi_level; +- priv->fops->update_rate_mask(priv, rate_bitmap, ratr_idx, sgi); ++ priv->fops->update_rate_mask(priv, rate_bitmap, ratr_idx, sgi, txbw_40mhz); + } + } + +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch b/queue-6.0/wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch new file mode 100644 index 00000000000..e98ab92e9fa --- /dev/null +++ b/queue-6.0/wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch @@ -0,0 +1,46 @@ +From f08338a135c216d1353dab11d70e97711f674645 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 14:48:32 +0300 +Subject: wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration + +From: Bitterblue Smith + +[ Upstream commit e963a19c64ac0d2f8785d36a27391abd91ac77aa ] + +Found by comparing with the vendor driver. Currently this affects +only the RTL8192EU, which is the only gen2 chip with 2 TX paths +supported by this driver. It's unclear what kind of effect the +mistake had in practice, since I don't have any RTL8192EU devices +to test it. + +Fixes: e1547c535ede ("rtl8xxxu: First stab at adding IQK calibration for 8723bu parts") +Signed-off-by: Bitterblue Smith +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/30a59f3a-cfa9-8379-7af0-78a8f4c77cfd@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 02b7bc57d217..7a1ea4a59569 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -2929,12 +2929,12 @@ bool rtl8xxxu_gen2_simularity_compare(struct rtl8xxxu_priv *priv, + } + + if (!(simubitmap & 0x30) && priv->tx_paths > 1) { +- /* path B RX OK */ ++ /* path B TX OK */ + for (i = 4; i < 6; i++) + result[3][i] = result[c1][i]; + } + +- if (!(simubitmap & 0x30) && priv->tx_paths > 1) { ++ if (!(simubitmap & 0xc0) && priv->tx_paths > 1) { + /* path B RX OK */ + for (i = 6; i < 8; i++) + result[3][i] = result[c1][i]; +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtl8xxxu-remove-copy-paste-leftover-in-gen2_upd.patch b/queue-6.0/wifi-rtl8xxxu-remove-copy-paste-leftover-in-gen2_upd.patch new file mode 100644 index 00000000000..ce5a73f5983 --- /dev/null +++ b/queue-6.0/wifi-rtl8xxxu-remove-copy-paste-leftover-in-gen2_upd.patch @@ -0,0 +1,49 @@ +From da0576df6efa52f31550560f25ef97e26690eeaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 16:15:30 +0300 +Subject: wifi: rtl8xxxu: Remove copy-paste leftover in gen2_update_rate_mask + +From: Bitterblue Smith + +[ Upstream commit d5350756c03cdf18696295c6b11d7acc4dbf825c ] + +It looks like a leftover from copying rtl8xxxu_update_rate_mask, +which is used with the gen1 chips. + +It wasn't causing any problems for my RTL8188FU test device, but it's +clearly a mistake, so remove it. + +Fixes: f653e69009c6 ("rtl8xxxu: Implement basic 8723b specific update_rate_mask() function") +Signed-off-by: Bitterblue Smith +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/d5544fe8-9798-28f1-54bd-6839a1974b10@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 7a1ea4a59569..41d46c54444f 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -4353,15 +4353,14 @@ void rtl8xxxu_gen2_update_rate_mask(struct rtl8xxxu_priv *priv, + h2c.b_macid_cfg.ramask2 = (ramask >> 16) & 0xff; + h2c.b_macid_cfg.ramask3 = (ramask >> 24) & 0xff; + +- h2c.ramask.arg = 0x80; + h2c.b_macid_cfg.data1 = rateid; + if (sgi) + h2c.b_macid_cfg.data1 |= BIT(7); + + h2c.b_macid_cfg.data2 = bw; + +- dev_dbg(&priv->udev->dev, "%s: rate mask %08x, arg %02x, size %zi\n", +- __func__, ramask, h2c.ramask.arg, sizeof(h2c.b_macid_cfg)); ++ dev_dbg(&priv->udev->dev, "%s: rate mask %08x, rateid %02x, sgi %d, size %zi\n", ++ __func__, ramask, rateid, sgi, sizeof(h2c.b_macid_cfg)); + rtl8xxxu_gen2_h2c_cmd(priv, &h2c, sizeof(h2c.b_macid_cfg)); + } + +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch b/queue-6.0/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch new file mode 100644 index 00000000000..43e2165a56f --- /dev/null +++ b/queue-6.0/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch @@ -0,0 +1,59 @@ +From f9aefe877b8bfc82e0e45eacca953e624d45f3b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 08:22:32 +0300 +Subject: wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() + +From: Dan Carpenter + +[ Upstream commit 620d5eaeb9059636864bda83ca1c68c20ede34a5 ] + +There some bounds checking to ensure that "map_addr" is not out of +bounds before the start of the loop. But the checking needs to be +done as we iterate through the loop because "map_addr" gets larger as +we iterate. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Signed-off-by: Dan Carpenter +Acked-by: Jes Sorensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Yv8eGLdBslLAk3Ct@kili +Signed-off-by: Sasha Levin +--- + .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index c66f0726b253..f3a107f19cf5 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -1878,13 +1878,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv) + + /* We have 8 bits to indicate validity */ + map_addr = offset * 8; +- if (map_addr >= EFUSE_MAP_LEN) { +- dev_warn(dev, "%s: Illegal map_addr (%04x), " +- "efuse corrupt!\n", +- __func__, map_addr); +- ret = -EINVAL; +- goto exit; +- } + for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) { + /* Check word enable condition in the section */ + if (word_mask & BIT(i)) { +@@ -1895,6 +1888,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv) + ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8); + if (ret) + goto exit; ++ if (map_addr >= EFUSE_MAP_LEN - 1) { ++ dev_warn(dev, "%s: Illegal map_addr (%04x), " ++ "efuse corrupt!\n", ++ __func__, map_addr); ++ ret = -EINVAL; ++ goto exit; ++ } + priv->efuse_wifi.raw[map_addr++] = val8; + + ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8); +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtlwifi-8192de-correct-checking-of-iqk-reload.patch b/queue-6.0/wifi-rtlwifi-8192de-correct-checking-of-iqk-reload.patch new file mode 100644 index 00000000000..53988337bc6 --- /dev/null +++ b/queue-6.0/wifi-rtlwifi-8192de-correct-checking-of-iqk-reload.patch @@ -0,0 +1,52 @@ +From b2f2a1b602690f1ec6327441da1f192e92160647 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 19:33:45 +0800 +Subject: wifi: rtlwifi: 8192de: correct checking of IQK reload + +From: Ping-Ke Shih + +[ Upstream commit 93fbc1ebd978cf408ef5765e9c1630fce9a8621b ] + +Since IQK could spend time, we make a cache of IQK result matrix that looks +like iqk_matrix[channel_idx].val[x][y], and we can reload the matrix if we +have made a cache. To determine a cache is made, we check +iqk_matrix[channel_idx].val[0][0]. + +The initial commit 7274a8c22980 ("rtlwifi: rtl8192de: Merge phy routines") +make a mistake that checks incorrect iqk_matrix[channel_idx].val[0] that +is always true, and this mistake is found by commit ee3db469dd31 +("wifi: rtlwifi: remove always-true condition pointed out by GCC 12"), so +I recall the vendor driver to find fix and apply the correctness. + +Fixes: 7274a8c22980 ("rtlwifi: rtl8192de: Merge phy routines") +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220801113345.42016-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +index 15e6a6aded31..d18c092b6142 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +@@ -2386,11 +2386,10 @@ void rtl92d_phy_reload_iqk_setting(struct ieee80211_hw *hw, u8 channel) + rtl_dbg(rtlpriv, COMP_SCAN, DBG_LOUD, + "Just Read IQK Matrix reg for channel:%d....\n", + channel); +- _rtl92d_phy_patha_fill_iqk_matrix(hw, true, +- rtlphy->iqk_matrix[ +- indexforchannel].value, 0, +- (rtlphy->iqk_matrix[ +- indexforchannel].value[0][2] == 0)); ++ if (rtlphy->iqk_matrix[indexforchannel].value[0][0] != 0) ++ _rtl92d_phy_patha_fill_iqk_matrix(hw, true, ++ rtlphy->iqk_matrix[indexforchannel].value, 0, ++ rtlphy->iqk_matrix[indexforchannel].value[0][2] == 0); + if (IS_92D_SINGLEPHY(rtlhal->version)) { + if ((rtlphy->iqk_matrix[ + indexforchannel].value[0][4] != 0) +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtw88-8822c-extend-supported-probe-request-size.patch b/queue-6.0/wifi-rtw88-8822c-extend-supported-probe-request-size.patch new file mode 100644 index 00000000000..44f6a154d85 --- /dev/null +++ b/queue-6.0/wifi-rtw88-8822c-extend-supported-probe-request-size.patch @@ -0,0 +1,298 @@ +From 76796c3a455019ab150b83d9eddbbc1a48611759 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 14:50:00 +0800 +Subject: wifi: rtw88: 8822c: extend supported probe request size + +From: Po-Hao Huang + +[ Upstream commit d2eb7cb97c7df25df3e3e0f590b5bbf00c66d4c9 ] + +Some WSC IEs require size larger than we current supports. Extend size +to fit those demands. Separate the registered scan IE length by IC so +settings can be independent. + +Since old firmware uses fewer page number, define a firmware feature to +be compatible with various firmware version. + +Signed-off-by: Po-Hao Huang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220727065003.28340-2-pkshih@realtek.com +Stable-dep-of: 93fbc1ebd978 ("wifi: rtlwifi: 8192de: correct checking of IQK reload") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/fw.c | 15 +++++++++---- + drivers/net/wireless/realtek/rtw88/fw.h | 18 +++++++++++++++- + drivers/net/wireless/realtek/rtw88/main.c | 21 ++++++++++++++++++- + drivers/net/wireless/realtek/rtw88/main.h | 4 +++- + drivers/net/wireless/realtek/rtw88/rtw8723d.c | 3 ++- + drivers/net/wireless/realtek/rtw88/rtw8821c.c | 3 ++- + drivers/net/wireless/realtek/rtw88/rtw8822b.c | 3 ++- + drivers/net/wireless/realtek/rtw88/rtw8822c.c | 3 ++- + 8 files changed, 59 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c +index 4fdab0329695..efa51b2f5302 100644 +--- a/drivers/net/wireless/realtek/rtw88/fw.c ++++ b/drivers/net/wireless/realtek/rtw88/fw.c +@@ -1844,13 +1844,20 @@ static int _rtw_hw_scan_update_probe_req(struct rtw_dev *rtwdev, u8 num_probes, + struct rtw_chip_info *chip = rtwdev->chip; + struct sk_buff *skb, *tmp; + u8 page_offset = 1, *buf, page_size = chip->page_size; +- u8 pages = page_offset + num_probes * RTW_PROBE_PG_CNT; + u16 pg_addr = rtwdev->fifo.rsvd_h2c_info_addr, loc; + u16 buf_offset = page_size * page_offset; + u8 tx_desc_sz = chip->tx_pkt_desc_sz; ++ u8 page_cnt, pages; + unsigned int pkt_len; + int ret; + ++ if (rtw_fw_feature_ext_check(&rtwdev->fw, FW_FEATURE_EXT_OLD_PAGE_NUM)) ++ page_cnt = RTW_OLD_PROBE_PG_CNT; ++ else ++ page_cnt = RTW_PROBE_PG_CNT; ++ ++ pages = page_offset + num_probes * page_cnt; ++ + buf = kzalloc(page_size * pages, GFP_KERNEL); + if (!buf) + return -ENOMEM; +@@ -1859,7 +1866,7 @@ static int _rtw_hw_scan_update_probe_req(struct rtw_dev *rtwdev, u8 num_probes, + skb_queue_walk_safe(probe_req_list, skb, tmp) { + skb_unlink(skb, probe_req_list); + rtw_fill_rsvd_page_desc(rtwdev, skb, RSVD_PROBE_REQ); +- if (skb->len > page_size * RTW_PROBE_PG_CNT) { ++ if (skb->len > page_size * page_cnt) { + ret = -EINVAL; + goto out; + } +@@ -1869,8 +1876,8 @@ static int _rtw_hw_scan_update_probe_req(struct rtw_dev *rtwdev, u8 num_probes, + loc = pg_addr - rtwdev->fifo.rsvd_boundary + page_offset; + __rtw_fw_update_pkt(rtwdev, RTW_PACKET_PROBE_REQ, pkt_len, loc); + +- buf_offset += RTW_PROBE_PG_CNT * page_size; +- page_offset += RTW_PROBE_PG_CNT; ++ buf_offset += page_cnt * page_size; ++ page_offset += page_cnt; + kfree_skb(skb); + } + +diff --git a/drivers/net/wireless/realtek/rtw88/fw.h b/drivers/net/wireless/realtek/rtw88/fw.h +index 7a37675c61e8..bd3b9318b243 100644 +--- a/drivers/net/wireless/realtek/rtw88/fw.h ++++ b/drivers/net/wireless/realtek/rtw88/fw.h +@@ -41,7 +41,8 @@ + #define RTW_EX_CH_INFO_HDR_SIZE 2 + #define RTW_SCAN_WIDTH 0 + #define RTW_PRI_CH_IDX 1 +-#define RTW_PROBE_PG_CNT 2 ++#define RTW_OLD_PROBE_PG_CNT 2 ++#define RTW_PROBE_PG_CNT 4 + + enum rtw_c2h_cmd_id { + C2H_CCX_TX_RPT = 0x03, +@@ -120,6 +121,10 @@ enum rtw_fw_feature { + FW_FEATURE_MAX = BIT(31), + }; + ++enum rtw_fw_feature_ext { ++ FW_FEATURE_EXT_OLD_PAGE_NUM = BIT(0), ++}; ++ + enum rtw_beacon_filter_offload_mode { + BCN_FILTER_OFFLOAD_MODE_0 = 0, + BCN_FILTER_OFFLOAD_MODE_1, +@@ -323,6 +328,11 @@ struct rtw_fw_hdr_legacy { + __le32 rsvd5; + } __packed; + ++#define RTW_FW_VER_CODE(ver, sub_ver, idx) \ ++ (((ver) << 16) | ((sub_ver) << 8) | (idx)) ++#define RTW_FW_SUIT_VER_CODE(s) \ ++ RTW_FW_VER_CODE((s).version, (s).sub_version, (s).sub_index) ++ + /* C2H */ + #define GET_CCX_REPORT_SEQNUM_V0(c2h_payload) (c2h_payload[6] & 0xfc) + #define GET_CCX_REPORT_STATUS_V0(c2h_payload) (c2h_payload[0] & 0xc0) +@@ -770,6 +780,12 @@ static inline bool rtw_fw_feature_check(struct rtw_fw_state *fw, + return !!(fw->feature & feature); + } + ++static inline bool rtw_fw_feature_ext_check(struct rtw_fw_state *fw, ++ enum rtw_fw_feature_ext feature) ++{ ++ return !!(fw->feature_ext & feature); ++} ++ + void rtw_fw_c2h_cmd_rx_irqsafe(struct rtw_dev *rtwdev, u32 pkt_offset, + struct sk_buff *skb); + void rtw_fw_c2h_cmd_handle(struct rtw_dev *rtwdev, struct sk_buff *skb); +diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c +index 76dc9da88f6c..41458dff5422 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.c ++++ b/drivers/net/wireless/realtek/rtw88/main.c +@@ -1552,6 +1552,21 @@ static void rtw_init_vht_cap(struct rtw_dev *rtwdev, + vht_cap->vht_mcs.tx_highest = highest; + } + ++static u16 rtw_get_max_scan_ie_len(struct rtw_dev *rtwdev) ++{ ++ u16 len; ++ ++ len = rtwdev->chip->max_scan_ie_len; ++ ++ if (!rtw_fw_feature_check(&rtwdev->fw, FW_FEATURE_SCAN_OFFLOAD) && ++ rtwdev->chip->id == RTW_CHIP_TYPE_8822C) ++ len = IEEE80211_MAX_DATA_LEN; ++ else if (rtw_fw_feature_ext_check(&rtwdev->fw, FW_FEATURE_EXT_OLD_PAGE_NUM)) ++ len -= RTW_OLD_PROBE_PG_CNT * TX_PAGE_SIZE; ++ ++ return len; ++} ++ + static void rtw_set_supported_band(struct ieee80211_hw *hw, + struct rtw_chip_info *chip) + { +@@ -1631,6 +1646,10 @@ static void __update_firmware_feature(struct rtw_dev *rtwdev, + + feature = le32_to_cpu(fw_hdr->feature); + fw->feature = feature & FW_FEATURE_SIG ? feature : 0; ++ ++ if (rtwdev->chip->id == RTW_CHIP_TYPE_8822C && ++ RTW_FW_SUIT_VER_CODE(rtwdev->fw) < RTW_FW_VER_CODE(9, 9, 13)) ++ fw->feature_ext |= FW_FEATURE_EXT_OLD_PAGE_NUM; + } + + static void __update_firmware_info(struct rtw_dev *rtwdev, +@@ -2136,7 +2155,7 @@ int rtw_register_hw(struct rtw_dev *rtwdev, struct ieee80211_hw *hw) + + hw->wiphy->features |= NL80211_FEATURE_SCAN_RANDOM_MAC_ADDR; + hw->wiphy->max_scan_ssids = RTW_SCAN_MAX_SSIDS; +- hw->wiphy->max_scan_ie_len = RTW_SCAN_MAX_IE_LEN; ++ hw->wiphy->max_scan_ie_len = rtw_get_max_scan_ie_len(rtwdev); + + wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_CAN_REPLACE_PTK0); + wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_SCAN_RANDOM_SN); +diff --git a/drivers/net/wireless/realtek/rtw88/main.h b/drivers/net/wireless/realtek/rtw88/main.h +index 7db627fc26be..69d0a700c2ae 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.h ++++ b/drivers/net/wireless/realtek/rtw88/main.h +@@ -22,7 +22,6 @@ + #define MAX_PG_CAM_BACKUP_NUM 8 + + #define RTW_SCAN_MAX_SSIDS 4 +-#define RTW_SCAN_MAX_IE_LEN 128 + + #define RTW_MAX_PATTERN_NUM 12 + #define RTW_MAX_PATTERN_MASK_SIZE 16 +@@ -33,6 +32,7 @@ + #define RFREG_MASK 0xfffff + #define INV_RF_DATA 0xffffffff + #define TX_PAGE_SIZE_SHIFT 7 ++#define TX_PAGE_SIZE (1 << TX_PAGE_SIZE_SHIFT) + + #define RTW_CHANNEL_WIDTH_MAX 3 + #define RTW_RF_PATH_MAX 4 +@@ -1232,6 +1232,7 @@ struct rtw_chip_info { + const char *wow_fw_name; + const struct wiphy_wowlan_support *wowlan_stub; + const u8 max_sched_scan_ssids; ++ const u16 max_scan_ie_len; + + /* coex paras */ + u32 coex_para_ver; +@@ -1853,6 +1854,7 @@ struct rtw_fw_state { + u8 sub_index; + u16 h2c_version; + u32 feature; ++ u32 feature_ext; + }; + + enum rtw_sar_sources { +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8723d.c b/drivers/net/wireless/realtek/rtw88/rtw8723d.c +index 993bd6b1d723..0a4f770fcbb7 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8723d.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8723d.c +@@ -2720,7 +2720,7 @@ const struct rtw_chip_info rtw8723d_hw_spec = { + .max_power_index = 0x3f, + .csi_buf_pg_num = 0, + .band = RTW_BAND_2G, +- .page_size = 128, ++ .page_size = TX_PAGE_SIZE, + .dig_min = 0x20, + .ht_supported = true, + .vht_supported = false, +@@ -2748,6 +2748,7 @@ const struct rtw_chip_info rtw8723d_hw_spec = { + .pwr_track_tbl = &rtw8723d_rtw_pwr_track_tbl, + .iqk_threshold = 8, + .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16, ++ .max_scan_ie_len = IEEE80211_MAX_DATA_LEN, + + .coex_para_ver = 0x2007022f, + .bt_desired_ver = 0x2f, +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8821c.c b/drivers/net/wireless/realtek/rtw88/rtw8821c.c +index 025262a8970e..9afdc5ce86b4 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8821c.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8821c.c +@@ -1898,7 +1898,7 @@ const struct rtw_chip_info rtw8821c_hw_spec = { + .max_power_index = 0x3f, + .csi_buf_pg_num = 0, + .band = RTW_BAND_2G | RTW_BAND_5G, +- .page_size = 128, ++ .page_size = TX_PAGE_SIZE, + .dig_min = 0x1c, + .ht_supported = true, + .vht_supported = true, +@@ -1926,6 +1926,7 @@ const struct rtw_chip_info rtw8821c_hw_spec = { + .bfer_su_max_num = 2, + .bfer_mu_max_num = 1, + .ampdu_density = IEEE80211_HT_MPDU_DENSITY_2, ++ .max_scan_ie_len = IEEE80211_MAX_DATA_LEN, + + .coex_para_ver = 0x19092746, + .bt_desired_ver = 0x46, +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822b.c b/drivers/net/wireless/realtek/rtw88/rtw8822b.c +index 321848870561..690e35c98f6e 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8822b.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822b.c +@@ -2517,7 +2517,7 @@ const struct rtw_chip_info rtw8822b_hw_spec = { + .max_power_index = 0x3f, + .csi_buf_pg_num = 0, + .band = RTW_BAND_2G | RTW_BAND_5G, +- .page_size = 128, ++ .page_size = TX_PAGE_SIZE, + .dig_min = 0x1c, + .ht_supported = true, + .vht_supported = true, +@@ -2549,6 +2549,7 @@ const struct rtw_chip_info rtw8822b_hw_spec = { + .l2h_th_ini_cs = 10 + EDCCA_IGI_BASE, + .l2h_th_ini_ad = -14 + EDCCA_IGI_BASE, + .ampdu_density = IEEE80211_HT_MPDU_DENSITY_2, ++ .max_scan_ie_len = IEEE80211_MAX_DATA_LEN, + + .coex_para_ver = 0x20070206, + .bt_desired_ver = 0x6, +diff --git a/drivers/net/wireless/realtek/rtw88/rtw8822c.c b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +index 09f9e4adcf34..fccb15dfb959 100644 +--- a/drivers/net/wireless/realtek/rtw88/rtw8822c.c ++++ b/drivers/net/wireless/realtek/rtw88/rtw8822c.c +@@ -5330,7 +5330,7 @@ const struct rtw_chip_info rtw8822c_hw_spec = { + .max_power_index = 0x7f, + .csi_buf_pg_num = 50, + .band = RTW_BAND_2G | RTW_BAND_5G, +- .page_size = 128, ++ .page_size = TX_PAGE_SIZE, + .dig_min = 0x20, + .default_1ss_tx_path = BB_PATH_A, + .path_div_supported = true, +@@ -5375,6 +5375,7 @@ const struct rtw_chip_info rtw8822c_hw_spec = { + .wowlan_stub = &rtw_wowlan_stub_8822c, + .max_sched_scan_ssids = 4, + #endif ++ .max_scan_ie_len = (RTW_PROBE_PG_CNT - 1) * TX_PAGE_SIZE, + .coex_para_ver = 0x22020720, + .bt_desired_ver = 0x20, + .scbd_support = true, +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtw88-add-missing-destroy_workqueue-on-error-pa.patch b/queue-6.0/wifi-rtw88-add-missing-destroy_workqueue-on-error-pa.patch new file mode 100644 index 00000000000..b91b0237ca1 --- /dev/null +++ b/queue-6.0/wifi-rtw88-add-missing-destroy_workqueue-on-error-pa.patch @@ -0,0 +1,56 @@ +From 84a4efbfb4c0a1f51090a048d38287f912c36218 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 10:38:17 +0800 +Subject: wifi: rtw88: add missing destroy_workqueue() on error path in + rtw_core_init() + +From: Yang Yingliang + +[ Upstream commit b0ea758b30bbdf7c4323c78b7c50c05d2e1224d5 ] + +Add the missing destroy_workqueue() before return from rtw_core_init() +in error path. + +Fixes: fe101716c7c9 ("rtw88: replace tx tasklet with work queue") +Signed-off-by: Yang Yingliang +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220826023817.3908255-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/main.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c +index 41458dff5422..65897993e75d 100644 +--- a/drivers/net/wireless/realtek/rtw88/main.c ++++ b/drivers/net/wireless/realtek/rtw88/main.c +@@ -2064,7 +2064,7 @@ int rtw_core_init(struct rtw_dev *rtwdev) + ret = rtw_load_firmware(rtwdev, RTW_NORMAL_FW); + if (ret) { + rtw_warn(rtwdev, "no firmware loaded\n"); +- return ret; ++ goto out; + } + + if (chip->wow_fw_name) { +@@ -2074,11 +2074,15 @@ int rtw_core_init(struct rtw_dev *rtwdev) + wait_for_completion(&rtwdev->fw.completion); + if (rtwdev->fw.firmware) + release_firmware(rtwdev->fw.firmware); +- return ret; ++ goto out; + } + } + + return 0; ++ ++out: ++ destroy_workqueue(rtwdev->tx_wq); ++ return ret; + } + EXPORT_SYMBOL(rtw_core_init); + +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtw88-phy-fix-warning-of-possible-buffer-overfl.patch b/queue-6.0/wifi-rtw88-phy-fix-warning-of-possible-buffer-overfl.patch new file mode 100644 index 00000000000..fc0afb17161 --- /dev/null +++ b/queue-6.0/wifi-rtw88-phy-fix-warning-of-possible-buffer-overfl.patch @@ -0,0 +1,68 @@ +From 2714944b5a876ccb56cd7ddd6462e949a4087a90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Jul 2022 14:50:03 +0800 +Subject: wifi: rtw88: phy: fix warning of possible buffer overflow + +From: Zong-Zhe Yang + +[ Upstream commit 86331c7e0cd819bf0c1d0dcf895e0c90b0aa9a6f ] + +reported by smatch + +phy.c:854 rtw_phy_linear_2_db() error: buffer overflow 'db_invert_table[i]' +8 <= 8 (assuming for loop doesn't break) + +However, it seems to be a false alarm because we prevent it originally via + if (linear >= db_invert_table[11][7]) + return 96; /* maximum 96 dB */ + +Still, we adjust the code to be more readable and avoid smatch warning. + +Signed-off-by: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220727065003.28340-5-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/phy.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/phy.c b/drivers/net/wireless/realtek/rtw88/phy.c +index 8982e0c98dac..da1efec0aa85 100644 +--- a/drivers/net/wireless/realtek/rtw88/phy.c ++++ b/drivers/net/wireless/realtek/rtw88/phy.c +@@ -816,23 +816,18 @@ static u8 rtw_phy_linear_2_db(u64 linear) + u8 j; + u32 dB; + +- if (linear >= db_invert_table[11][7]) +- return 96; /* maximum 96 dB */ +- + for (i = 0; i < 12; i++) { +- if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][7]) +- break; +- else if (i > 2 && linear <= db_invert_table[i][7]) +- break; ++ for (j = 0; j < 8; j++) { ++ if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j]) ++ goto cnt; ++ else if (i > 2 && linear <= db_invert_table[i][j]) ++ goto cnt; ++ } + } + +- for (j = 0; j < 8; j++) { +- if (i <= 2 && (linear << FRAC_BITS) <= db_invert_table[i][j]) +- break; +- else if (i > 2 && linear <= db_invert_table[i][j]) +- break; +- } ++ return 96; /* maximum 96 dB */ + ++cnt: + if (j == 0 && i == 0) + goto end; + +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtw89-fix-rx-filter-after-scan.patch b/queue-6.0/wifi-rtw89-fix-rx-filter-after-scan.patch new file mode 100644 index 00000000000..cf2fd4a34ff --- /dev/null +++ b/queue-6.0/wifi-rtw89-fix-rx-filter-after-scan.patch @@ -0,0 +1,65 @@ +From 47768720a8cd2146ab89d082738927720285be59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 11:38:10 +0800 +Subject: wifi: rtw89: fix rx filter after scan + +From: Po-Hao Huang + +[ Upstream commit 812825c2b204c491f1a5586c602e4ac75060493a ] + +In monitor mode we should be able to received all packets even if it's not +destined to us. But after scan, the configuration was wrongly set, so we +fix it. + +Signed-off-by: Po-Hao Huang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220916033811.13862-7-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/fw.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c +index 6473015a6b2a..c993fe9cf6b4 100644 +--- a/drivers/net/wireless/realtek/rtw89/fw.c ++++ b/drivers/net/wireless/realtek/rtw89/fw.c +@@ -2289,6 +2289,7 @@ void rtw89_hw_scan_start(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, + { + struct rtw89_vif *rtwvif = (struct rtw89_vif *)vif->drv_priv; + struct cfg80211_scan_request *req = &scan_req->req; ++ u32 rx_fltr = rtwdev->hal.rx_fltr; + u8 mac_addr[ETH_ALEN]; + + rtwdev->scan_info.scanning_vif = vif; +@@ -2303,13 +2304,13 @@ void rtw89_hw_scan_start(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, + ether_addr_copy(mac_addr, vif->addr); + rtw89_core_scan_start(rtwdev, rtwvif, mac_addr, true); + +- rtwdev->hal.rx_fltr &= ~B_AX_A_BCN_CHK_EN; +- rtwdev->hal.rx_fltr &= ~B_AX_A_BC; +- rtwdev->hal.rx_fltr &= ~B_AX_A_A1_MATCH; ++ rx_fltr &= ~B_AX_A_BCN_CHK_EN; ++ rx_fltr &= ~B_AX_A_BC; ++ rx_fltr &= ~B_AX_A_A1_MATCH; + rtw89_write32_mask(rtwdev, + rtw89_mac_reg_by_idx(R_AX_RX_FLTR_OPT, RTW89_MAC_0), + B_AX_RX_FLTR_CFG_MASK, +- rtwdev->hal.rx_fltr); ++ rx_fltr); + } + + void rtw89_hw_scan_complete(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, +@@ -2323,9 +2324,6 @@ void rtw89_hw_scan_complete(struct rtw89_dev *rtwdev, struct ieee80211_vif *vif, + if (!vif) + return; + +- rtwdev->hal.rx_fltr |= B_AX_A_BCN_CHK_EN; +- rtwdev->hal.rx_fltr |= B_AX_A_BC; +- rtwdev->hal.rx_fltr |= B_AX_A_A1_MATCH; + rtw89_write32_mask(rtwdev, + rtw89_mac_reg_by_idx(R_AX_RX_FLTR_OPT, RTW89_MAC_0), + B_AX_RX_FLTR_CFG_MASK, +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtw89-free-unused-skb-to-prevent-memory-leak.patch b/queue-6.0/wifi-rtw89-free-unused-skb-to-prevent-memory-leak.patch new file mode 100644 index 00000000000..992cf83b7c6 --- /dev/null +++ b/queue-6.0/wifi-rtw89-free-unused-skb-to-prevent-memory-leak.patch @@ -0,0 +1,35 @@ +From e6763722ccee86e9781f06e29abaafe893054529 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 11:38:09 +0800 +Subject: wifi: rtw89: free unused skb to prevent memory leak + +From: Po-Hao Huang + +[ Upstream commit eae672f386049146058b9e5d3d33e9e4af9dca1d ] + +This avoid potential memory leak under power saving mode. + +Signed-off-by: Po-Hao Huang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220916033811.13862-6-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/realtek/rtw89/core.c b/drivers/net/wireless/realtek/rtw89/core.c +index a5880a54812e..8b338e5ce364 100644 +--- a/drivers/net/wireless/realtek/rtw89/core.c ++++ b/drivers/net/wireless/realtek/rtw89/core.c +@@ -872,6 +872,7 @@ int rtw89_h2c_tx(struct rtw89_dev *rtwdev, + rtw89_debug(rtwdev, RTW89_DBG_FW, + "ignore h2c due to power is off with firmware state=%d\n", + test_bit(RTW89_FLAG_FW_RDY, rtwdev->flags)); ++ dev_kfree_skb(skb); + return 0; + } + +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtw89-pci-correct-tx-resource-checking-in-low-p.patch b/queue-6.0/wifi-rtw89-pci-correct-tx-resource-checking-in-low-p.patch new file mode 100644 index 00000000000..d4d2595a42a --- /dev/null +++ b/queue-6.0/wifi-rtw89-pci-correct-tx-resource-checking-in-low-p.patch @@ -0,0 +1,41 @@ +From 580b74c7195568f0103fdb5622505d63b04fdb83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 14:33:12 +0800 +Subject: wifi: rtw89: pci: correct TX resource checking in low power mode + +From: Ping-Ke Shih + +[ Upstream commit 4a29213cd775cabcbe395229d175903accedbb9d ] + +Number of TX resource must be minimum of TX_BD and TX_WD. Only considering +TX_BD could drop TX packets pulled from mac80211 if TX_WD is unavailable. + +Fixes: 52edbb9fb78a ("rtw89: ps: access TX/RX rings via another registers in low power mode") +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220824063312.15784-2-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c +index 8a093e1cb328..7bb1b494c5d1 100644 +--- a/drivers/net/wireless/realtek/rtw89/pci.c ++++ b/drivers/net/wireless/realtek/rtw89/pci.c +@@ -926,10 +926,12 @@ u32 __rtw89_pci_check_and_reclaim_tx_resource_noio(struct rtw89_dev *rtwdev, + { + struct rtw89_pci *rtwpci = (struct rtw89_pci *)rtwdev->priv; + struct rtw89_pci_tx_ring *tx_ring = &rtwpci->tx_rings[txch]; ++ struct rtw89_pci_tx_wd_ring *wd_ring = &tx_ring->wd_ring; + u32 cnt; + + spin_lock_bh(&rtwpci->trx_lock); + cnt = rtw89_pci_get_avail_txbd_num(tx_ring); ++ cnt = min(cnt, wd_ring->curr_num); + spin_unlock_bh(&rtwpci->trx_lock); + + return cnt; +-- +2.35.1 + diff --git a/queue-6.0/wifi-rtw89-pci-fix-interrupt-stuck-after-leaving-low.patch b/queue-6.0/wifi-rtw89-pci-fix-interrupt-stuck-after-leaving-low.patch new file mode 100644 index 00000000000..13d7f14ac8c --- /dev/null +++ b/queue-6.0/wifi-rtw89-pci-fix-interrupt-stuck-after-leaving-low.patch @@ -0,0 +1,42 @@ +From 260653f7fb9228d7d844848220c7fb0af9dd4ac5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 14:33:11 +0800 +Subject: wifi: rtw89: pci: fix interrupt stuck after leaving low power mode + +From: Ping-Ke Shih + +[ Upstream commit b7e715d3dcd2e9fa3a689ba0dd7ab85f8aaf6e9a ] + +We turn off interrupt in ISR, and re-enable interrupt in threadfn or +napi_poll according to the mode it stays. If we are turning off interrupt, +rtwpci->running flag is unset and interrupt handler stop processing even +if it was called, so disallow to re-enable interrupt in this situation. +Or, wifi chip doesn't trigger interrupt events anymore because interrupt +status (ISR) isn't clear by interrupt handler anymore. + +Fixes: c83dcd0508e2 ("rtw89: pci: add a separate interrupt handler for low power mode") +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220824063312.15784-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw89/pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtw89/pci.c b/drivers/net/wireless/realtek/rtw89/pci.c +index c68fec9eb5a6..8a093e1cb328 100644 +--- a/drivers/net/wireless/realtek/rtw89/pci.c ++++ b/drivers/net/wireless/realtek/rtw89/pci.c +@@ -760,7 +760,8 @@ static irqreturn_t rtw89_pci_interrupt_threadfn(int irq, void *dev) + + enable_intr: + spin_lock_irqsave(&rtwpci->irq_lock, flags); +- rtw89_chip_enable_intr(rtwdev, rtwpci); ++ if (likely(rtwpci->running)) ++ rtw89_chip_enable_intr(rtwdev, rtwpci); + spin_unlock_irqrestore(&rtwpci->irq_lock, flags); + return IRQ_HANDLED; + } +-- +2.35.1 + diff --git a/queue-6.0/wifi-wfx-prevent-underflow-in-wfx_send_pds.patch b/queue-6.0/wifi-wfx-prevent-underflow-in-wfx_send_pds.patch new file mode 100644 index 00000000000..b35fe4fb042 --- /dev/null +++ b/queue-6.0/wifi-wfx-prevent-underflow-in-wfx_send_pds.patch @@ -0,0 +1,44 @@ +From 64ac376757a3629154d7e6d06832ff6990c1eb43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 08:23:43 +0300 +Subject: wifi: wfx: prevent underflow in wfx_send_pds() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +[ Upstream commit f97c81f5b7f8047810b0d79a8f759a83951210a0 ] + +This does a "chunk_len - 4" subtraction later when it calls: + + ret = wfx_hif_configuration(wdev, buf + 4, chunk_len - 4); + +so check for "chunk_len" is less than 4. + +Fixes: dcbecb497908 ("staging: wfx: allow new PDS format") +Signed-off-by: Dan Carpenter +Reviewed-by: Jérôme Pouiller +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Yv8eX7Xv2ubUOvW7@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/silabs/wfx/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/silabs/wfx/main.c b/drivers/net/wireless/silabs/wfx/main.c +index e015bfb8d221..84d82ddded56 100644 +--- a/drivers/net/wireless/silabs/wfx/main.c ++++ b/drivers/net/wireless/silabs/wfx/main.c +@@ -181,7 +181,7 @@ int wfx_send_pds(struct wfx_dev *wdev, u8 *buf, size_t len) + while (len > 0) { + chunk_type = get_unaligned_le16(buf + 0); + chunk_len = get_unaligned_le16(buf + 2); +- if (chunk_len > len) { ++ if (chunk_len < 4 || chunk_len > len) { + dev_err(wdev->dev, "PDS:%d: corrupted file\n", chunk_num); + return -EINVAL; + } +-- +2.35.1 + diff --git a/queue-6.0/x86-apic-don-t-disable-x2apic-if-locked.patch b/queue-6.0/x86-apic-don-t-disable-x2apic-if-locked.patch new file mode 100644 index 00000000000..4ecef84bfbe --- /dev/null +++ b/queue-6.0/x86-apic-don-t-disable-x2apic-if-locked.patch @@ -0,0 +1,227 @@ +From 4e0757b5c11356b26506eb8f2743f856363dc66c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Aug 2022 16:19:42 -0700 +Subject: x86/apic: Don't disable x2APIC if locked + +From: Daniel Sneddon + +[ Upstream commit b8d1d163604bd1e600b062fb00de5dc42baa355f ] + +The APIC supports two modes, legacy APIC (or xAPIC), and Extended APIC +(or x2APIC). X2APIC mode is mostly compatible with legacy APIC, but +it disables the memory-mapped APIC interface in favor of one that uses +MSRs. The APIC mode is controlled by the EXT bit in the APIC MSR. + +The MMIO/xAPIC interface has some problems, most notably the APIC LEAK +[1]. This bug allows an attacker to use the APIC MMIO interface to +extract data from the SGX enclave. + +Introduce support for a new feature that will allow the BIOS to lock +the APIC in x2APIC mode. If the APIC is locked in x2APIC mode and the +kernel tries to disable the APIC or revert to legacy APIC mode a GP +fault will occur. + +Introduce support for a new MSR (IA32_XAPIC_DISABLE_STATUS) and handle +the new locked mode when the LEGACY_XAPIC_DISABLED bit is set by +preventing the kernel from trying to disable the x2APIC. + +On platforms with the IA32_XAPIC_DISABLE_STATUS MSR, if SGX or TDX are +enabled the LEGACY_XAPIC_DISABLED will be set by the BIOS. If +legacy APIC is required, then it SGX and TDX need to be disabled in the +BIOS. + +[1]: https://aepicleak.com/aepicleak.pdf + +Signed-off-by: Daniel Sneddon +Signed-off-by: Dave Hansen +Acked-by: Dave Hansen +Tested-by: Neelima Krishnan +Link: https://lkml.kernel.org/r/20220816231943.1152579-1-daniel.sneddon@linux.intel.com +Signed-off-by: Sasha Levin +--- + .../admin-guide/kernel-parameters.txt | 4 ++ + arch/x86/Kconfig | 7 ++- + arch/x86/include/asm/cpu.h | 2 + + arch/x86/include/asm/msr-index.h | 13 ++++++ + arch/x86/kernel/apic/apic.c | 44 +++++++++++++++++-- + 5 files changed, 65 insertions(+), 5 deletions(-) + +diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt +index 426fa892d311..2bc11a61c4d0 100644 +--- a/Documentation/admin-guide/kernel-parameters.txt ++++ b/Documentation/admin-guide/kernel-parameters.txt +@@ -3805,6 +3805,10 @@ + + nox2apic [X86-64,APIC] Do not enable x2APIC mode. + ++ NOTE: this parameter will be ignored on systems with the ++ LEGACY_XAPIC_DISABLED bit set in the ++ IA32_XAPIC_DISABLE_STATUS MSR. ++ + nps_mtm_hs_ctr= [KNL,ARC] + This parameter sets the maximum duration, in + cycles, each HW thread of the CTOP can run +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index f9920f1341c8..159c025ebb03 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -448,6 +448,11 @@ config X86_X2APIC + This allows 32-bit apic IDs (so it can support very large systems), + and accesses the local apic via MSRs not via mmio. + ++ Some Intel systems circa 2022 and later are locked into x2APIC mode ++ and can not fall back to the legacy APIC modes if SGX or TDX are ++ enabled in the BIOS. They will be unable to boot without enabling ++ this option. ++ + If you don't know what to do here, say N. + + config X86_MPPARSE +@@ -1919,7 +1924,7 @@ endchoice + + config X86_SGX + bool "Software Guard eXtensions (SGX)" +- depends on X86_64 && CPU_SUP_INTEL ++ depends on X86_64 && CPU_SUP_INTEL && X86_X2APIC + depends on CRYPTO=y + depends on CRYPTO_SHA256=y + select SRCU +diff --git a/arch/x86/include/asm/cpu.h b/arch/x86/include/asm/cpu.h +index 8cbf623f0ecf..b472ef76826a 100644 +--- a/arch/x86/include/asm/cpu.h ++++ b/arch/x86/include/asm/cpu.h +@@ -94,4 +94,6 @@ static inline bool intel_cpu_signatures_match(unsigned int s1, unsigned int p1, + return p1 & p2; + } + ++extern u64 x86_read_arch_cap_msr(void); ++ + #endif /* _ASM_X86_CPU_H */ +diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h +index 6674bdb096f3..1e086b37a307 100644 +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -155,6 +155,11 @@ + * Return Stack Buffer Predictions. + */ + ++#define ARCH_CAP_XAPIC_DISABLE BIT(21) /* ++ * IA32_XAPIC_DISABLE_STATUS MSR ++ * supported ++ */ ++ + #define MSR_IA32_FLUSH_CMD 0x0000010b + #define L1D_FLUSH BIT(0) /* + * Writeback and invalidate the +@@ -1054,4 +1059,12 @@ + #define MSR_IA32_HW_FEEDBACK_PTR 0x17d0 + #define MSR_IA32_HW_FEEDBACK_CONFIG 0x17d1 + ++/* x2APIC locked status */ ++#define MSR_IA32_XAPIC_DISABLE_STATUS 0xBD ++#define LEGACY_XAPIC_DISABLED BIT(0) /* ++ * x2APIC mode is locked and ++ * disabling x2APIC will cause ++ * a #GP ++ */ ++ + #endif /* _ASM_X86_MSR_INDEX_H */ +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index 6d303d1d276c..c6876d3ea4b1 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -61,6 +61,7 @@ + #include + #include + #include ++#include + + unsigned int num_processors; + +@@ -1751,11 +1752,26 @@ EXPORT_SYMBOL_GPL(x2apic_mode); + + enum { + X2APIC_OFF, +- X2APIC_ON, + X2APIC_DISABLED, ++ /* All states below here have X2APIC enabled */ ++ X2APIC_ON, ++ X2APIC_ON_LOCKED + }; + static int x2apic_state; + ++static bool x2apic_hw_locked(void) ++{ ++ u64 ia32_cap; ++ u64 msr; ++ ++ ia32_cap = x86_read_arch_cap_msr(); ++ if (ia32_cap & ARCH_CAP_XAPIC_DISABLE) { ++ rdmsrl(MSR_IA32_XAPIC_DISABLE_STATUS, msr); ++ return (msr & LEGACY_XAPIC_DISABLED); ++ } ++ return false; ++} ++ + static void __x2apic_disable(void) + { + u64 msr; +@@ -1793,6 +1809,10 @@ static int __init setup_nox2apic(char *str) + apicid); + return 0; + } ++ if (x2apic_hw_locked()) { ++ pr_warn("APIC locked in x2apic mode, can't disable\n"); ++ return 0; ++ } + pr_warn("x2apic already enabled.\n"); + __x2apic_disable(); + } +@@ -1807,10 +1827,18 @@ early_param("nox2apic", setup_nox2apic); + void x2apic_setup(void) + { + /* +- * If x2apic is not in ON state, disable it if already enabled ++ * Try to make the AP's APIC state match that of the BSP, but if the ++ * BSP is unlocked and the AP is locked then there is a state mismatch. ++ * Warn about the mismatch in case a GP fault occurs due to a locked AP ++ * trying to be turned off. ++ */ ++ if (x2apic_state != X2APIC_ON_LOCKED && x2apic_hw_locked()) ++ pr_warn("x2apic lock mismatch between BSP and AP.\n"); ++ /* ++ * If x2apic is not in ON or LOCKED state, disable it if already enabled + * from BIOS. + */ +- if (x2apic_state != X2APIC_ON) { ++ if (x2apic_state < X2APIC_ON) { + __x2apic_disable(); + return; + } +@@ -1831,6 +1859,11 @@ static __init void x2apic_disable(void) + if (x2apic_id >= 255) + panic("Cannot disable x2apic, id: %08x\n", x2apic_id); + ++ if (x2apic_hw_locked()) { ++ pr_warn("Cannot disable locked x2apic, id: %08x\n", x2apic_id); ++ return; ++ } ++ + __x2apic_disable(); + register_lapic_address(mp_lapic_addr); + } +@@ -1889,7 +1922,10 @@ void __init check_x2apic(void) + if (x2apic_enabled()) { + pr_info("x2apic: enabled by BIOS, switching to x2apic ops\n"); + x2apic_mode = 1; +- x2apic_state = X2APIC_ON; ++ if (x2apic_hw_locked()) ++ x2apic_state = X2APIC_ON_LOCKED; ++ else ++ x2apic_state = X2APIC_ON; + } else if (!boot_cpu_has(X86_FEATURE_X2APIC)) { + x2apic_state = X2APIC_DISABLED; + } +-- +2.35.1 + diff --git a/queue-6.0/x86-boot-remove-superfluous-type-casting-from-arch-x.patch b/queue-6.0/x86-boot-remove-superfluous-type-casting-from-arch-x.patch new file mode 100644 index 00000000000..3a3cd514d82 --- /dev/null +++ b/queue-6.0/x86-boot-remove-superfluous-type-casting-from-arch-x.patch @@ -0,0 +1,47 @@ +From a40bc07edf5c31315fcce431a19217799f69ec28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 12:23:58 +0800 +Subject: x86/boot: Remove superfluous type casting from arch/x86/boot/bitops.h + +From: Li kunyu + +[ Upstream commit 039f0e054a29d06970892240d70143150d2aaec2 ] + +'const void *' will auto-type-convert to just about any other const +pointer type, no need to force it. + + [ mingo: Rewrote the changelog. ] + +Signed-off-by: Li kunyu +Signed-off-by: Ingo Molnar +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20220725042358.3377-1-kunyu@nfschina.com +Stable-dep-of: 30ea703a38ef ("x86/cpu: Include the header of init_ia32_feat_ctl()'s prototype") +Signed-off-by: Sasha Levin +--- + arch/x86/boot/bitops.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/boot/bitops.h b/arch/x86/boot/bitops.h +index 02e1dea11d94..8518ae214c9b 100644 +--- a/arch/x86/boot/bitops.h ++++ b/arch/x86/boot/bitops.h +@@ -19,13 +19,13 @@ + + static inline bool constant_test_bit(int nr, const void *addr) + { +- const u32 *p = (const u32 *)addr; ++ const u32 *p = addr; + return ((1UL << (nr & 31)) & (p[nr >> 5])) != 0; + } + static inline bool variable_test_bit(int nr, const void *addr) + { + bool v; +- const u32 *p = (const u32 *)addr; ++ const u32 *p = addr; + + asm("btl %2,%1" CC_SET(c) : CC_OUT(c) (v) : "m" (*p), "Ir" (nr)); + return v; +-- +2.35.1 + diff --git a/queue-6.0/x86-cpu-include-the-header-of-init_ia32_feat_ctl-s-p.patch b/queue-6.0/x86-cpu-include-the-header-of-init_ia32_feat_ctl-s-p.patch new file mode 100644 index 00000000000..260cf9b8fbb --- /dev/null +++ b/queue-6.0/x86-cpu-include-the-header-of-init_ia32_feat_ctl-s-p.patch @@ -0,0 +1,66 @@ +From 4b1bb99504a8f5b4c69eef6739dc76a11e19b1eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 17:00:54 -0300 +Subject: x86/cpu: Include the header of init_ia32_feat_ctl()'s prototype +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Luciano Leão + +[ Upstream commit 30ea703a38ef76ca119673cd8bdd05c6e068e2ac ] + +Include the header containing the prototype of init_ia32_feat_ctl(), +solving the following warning: + + $ make W=1 arch/x86/kernel/cpu/feat_ctl.o + arch/x86/kernel/cpu/feat_ctl.c:112:6: warning: no previous prototype for ‘init_ia32_feat_ctl’ [-Wmissing-prototypes] + 112 | void init_ia32_feat_ctl(struct cpuinfo_x86 *c) + +This warning appeared after commit + + 5d5103595e9e5 ("x86/cpu: Reinitialize IA32_FEAT_CTL MSR on BSP during wakeup") + +had moved the function init_ia32_feat_ctl()'s prototype from +arch/x86/kernel/cpu/cpu.h to arch/x86/include/asm/cpu.h. + +Note that, before the commit mentioned above, the header include "cpu.h" +(arch/x86/kernel/cpu/cpu.h) was added by commit + + 0e79ad863df43 ("x86/cpu: Fix a -Wmissing-prototypes warning for init_ia32_feat_ctl()") + +solely to fix init_ia32_feat_ctl()'s missing prototype. So, the header +include "cpu.h" is no longer necessary. + + [ bp: Massage commit message. ] + +Fixes: 5d5103595e9e5 ("x86/cpu: Reinitialize IA32_FEAT_CTL MSR on BSP during wakeup") +Signed-off-by: Luciano Leão +Signed-off-by: Borislav Petkov +Reviewed-by: Nícolas F. R. A. Prado +Link: https://lore.kernel.org/r/20220922200053.1357470-1-lucianorsleao@gmail.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/feat_ctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/feat_ctl.c b/arch/x86/kernel/cpu/feat_ctl.c +index 993697e71854..03851240c3e3 100644 +--- a/arch/x86/kernel/cpu/feat_ctl.c ++++ b/arch/x86/kernel/cpu/feat_ctl.c +@@ -1,11 +1,11 @@ + // SPDX-License-Identifier: GPL-2.0 + #include + ++#include + #include + #include + #include + #include +-#include "cpu.h" + + #undef pr_fmt + #define pr_fmt(fmt) "x86/cpu: " fmt +-- +2.35.1 + diff --git a/queue-6.0/x86-entry-work-around-clang-__bdos-bug.patch b/queue-6.0/x86-entry-work-around-clang-__bdos-bug.patch new file mode 100644 index 00000000000..c41e0f9361c --- /dev/null +++ b/queue-6.0/x86-entry-work-around-clang-__bdos-bug.patch @@ -0,0 +1,66 @@ +From 6a2d2a27856a84f318e3b1aeead82ef1bc1c4f03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 19:45:14 -0700 +Subject: x86/entry: Work around Clang __bdos() bug + +From: Kees Cook + +[ Upstream commit 3e1730842f142add55dc658929221521a9ea62b6 ] + +Clang produces a false positive when building with CONFIG_FORTIFY_SOURCE=y +and CONFIG_UBSAN_BOUNDS=y when operating on an array with a dynamic +offset. Work around this by using a direct assignment of an empty +instance. Avoids this warning: + +../include/linux/fortify-string.h:309:4: warning: call to __write_overflow_field declared with 'warn +ing' attribute: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wat +tribute-warning] + __write_overflow_field(p_size_field, size); + ^ + +which was isolated to the memset() call in xen_load_idt(). + +Note that this looks very much like another bug that was worked around: +https://github.com/ClangBuiltLinux/linux/issues/1592 + +Cc: Juergen Gross +Cc: Boris Ostrovsky +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: x86@kernel.org +Cc: "H. Peter Anvin" +Cc: xen-devel@lists.xenproject.org +Reviewed-by: Boris Ostrovsky +Link: https://lore.kernel.org/lkml/41527d69-e8ab-3f86-ff37-6b298c01d5bc@oracle.com +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + arch/x86/xen/enlighten_pv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c +index 0ed2e487a693..9b1a58dda935 100644 +--- a/arch/x86/xen/enlighten_pv.c ++++ b/arch/x86/xen/enlighten_pv.c +@@ -765,6 +765,7 @@ static void xen_load_idt(const struct desc_ptr *desc) + { + static DEFINE_SPINLOCK(lock); + static struct trap_info traps[257]; ++ static const struct trap_info zero = { }; + unsigned out; + + trace_xen_cpu_load_idt(desc); +@@ -774,7 +775,7 @@ static void xen_load_idt(const struct desc_ptr *desc) + memcpy(this_cpu_ptr(&idt_desc), desc, sizeof(idt_desc)); + + out = xen_convert_trap_info(desc, traps, false); +- memset(&traps[out], 0, sizeof(traps[0])); ++ traps[out] = zero; + + xen_mc_flush(); + if (HYPERVISOR_set_trap_table(traps)) +-- +2.35.1 + diff --git a/queue-6.0/x86-hyperv-fix-struct-hv_enlightened_vmcs-definition.patch b/queue-6.0/x86-hyperv-fix-struct-hv_enlightened_vmcs-definition.patch new file mode 100644 index 00000000000..a13fd065c48 --- /dev/null +++ b/queue-6.0/x86-hyperv-fix-struct-hv_enlightened_vmcs-definition.patch @@ -0,0 +1,68 @@ +From a7e55ce6f57b985e84eef1de9895b13c9c3dd815 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 15:37:05 +0200 +Subject: x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition + +From: Vitaly Kuznetsov + +[ Upstream commit ea9da788a61e47e7ab9cbad397453e51cd82ac0d ] + +Section 1.9 of TLFS v6.0b says: + +"All structures are padded in such a way that fields are aligned +naturally (that is, an 8-byte field is aligned to an offset of 8 bytes +and so on)". + +'struct enlightened_vmcs' has a glitch: + +... + struct { + u32 nested_flush_hypercall:1; /* 836: 0 4 */ + u32 msr_bitmap:1; /* 836: 1 4 */ + u32 reserved:30; /* 836: 2 4 */ + } hv_enlightenments_control; /* 836 4 */ + u32 hv_vp_id; /* 840 4 */ + u64 hv_vm_id; /* 844 8 */ + u64 partition_assist_page; /* 852 8 */ +... + +And the observed values in 'partition_assist_page' make no sense at +all. Fix the layout by padding the structure properly. + +Fixes: 68d1eb72ee99 ("x86/hyper-v: define struct hv_enlightened_vmcs and clean field bits") +Reviewed-by: Maxim Levitsky +Reviewed-by: Michael Kelley +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Sean Christopherson +Link: https://lore.kernel.org/r/20220830133737.1539624-2-vkuznets@redhat.com +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/hyperv-tlfs.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/hyperv-tlfs.h b/arch/x86/include/asm/hyperv-tlfs.h +index 0a9407dc0859..6f0acc45e67a 100644 +--- a/arch/x86/include/asm/hyperv-tlfs.h ++++ b/arch/x86/include/asm/hyperv-tlfs.h +@@ -546,7 +546,7 @@ struct hv_enlightened_vmcs { + u64 guest_rip; + + u32 hv_clean_fields; +- u32 hv_padding_32; ++ u32 padding32_1; + u32 hv_synthetic_controls; + struct { + u32 nested_flush_hypercall:1; +@@ -554,7 +554,7 @@ struct hv_enlightened_vmcs { + u32 reserved:30; + } __packed hv_enlightenments_control; + u32 hv_vp_id; +- ++ u32 padding32_2; + u64 hv_vm_id; + u64 partition_assist_page; + u64 padding64_4[4]; +-- +2.35.1 + diff --git a/queue-6.0/x86-mce-retrieve-poison-range-from-hardware.patch b/queue-6.0/x86-mce-retrieve-poison-range-from-hardware.patch new file mode 100644 index 00000000000..31a19a268f9 --- /dev/null +++ b/queue-6.0/x86-mce-retrieve-poison-range-from-hardware.patch @@ -0,0 +1,72 @@ +From ea6e74d108bd1eef0d7d8b1ab7b60326e1e2e36b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Aug 2022 17:38:51 -0600 +Subject: x86/mce: Retrieve poison range from hardware + +From: Jane Chu + +[ Upstream commit f9781bb18ed828e7b83b7bac4a4ad7cd497ee7d7 ] + +When memory poison consumption machine checks fire, MCE notifier +handlers like nfit_handle_mce() record the impacted physical address +range which is reported by the hardware in the MCi_MISC MSR. The error +information includes data about blast radius, i.e. how many cachelines +did the hardware determine are impacted. A recent change + + 7917f9cdb503 ("acpi/nfit: rely on mce->misc to determine poison granularity") + +updated nfit_handle_mce() to stop hard coding the blast radius value of +1 cacheline, and instead rely on the blast radius reported in 'struct +mce' which can be up to 4K (64 cachelines). + +It turns out that apei_mce_report_mem_error() had a similar problem in +that it hard coded a blast radius of 4K rather than reading the blast +radius from the error information. Fix apei_mce_report_mem_error() to +convey the proper poison granularity. + +Signed-off-by: Jane Chu +Signed-off-by: Borislav Petkov +Reviewed-by: Dan Williams +Reviewed-by: Ingo Molnar +Link: https://lore.kernel.org/r/7ed50fd8-521e-cade-77b1-738b8bfb8502@oracle.com +Link: https://lore.kernel.org/r/20220826233851.1319100-1-jane.chu@oracle.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/mce/apei.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/cpu/mce/apei.c b/arch/x86/kernel/cpu/mce/apei.c +index 717192915f28..8ed341714686 100644 +--- a/arch/x86/kernel/cpu/mce/apei.c ++++ b/arch/x86/kernel/cpu/mce/apei.c +@@ -29,15 +29,26 @@ + void apei_mce_report_mem_error(int severity, struct cper_sec_mem_err *mem_err) + { + struct mce m; ++ int lsb; + + if (!(mem_err->validation_bits & CPER_MEM_VALID_PA)) + return; + ++ /* ++ * Even if the ->validation_bits are set for address mask, ++ * to be extra safe, check and reject an error radius '0', ++ * and fall back to the default page size. ++ */ ++ if (mem_err->validation_bits & CPER_MEM_VALID_PA_MASK) ++ lsb = find_first_bit((void *)&mem_err->physical_addr_mask, PAGE_SHIFT); ++ else ++ lsb = PAGE_SHIFT; ++ + mce_setup(&m); + m.bank = -1; + /* Fake a memory read error with unknown channel */ + m.status = MCI_STATUS_VAL | MCI_STATUS_EN | MCI_STATUS_ADDRV | MCI_STATUS_MISCV | 0x9f; +- m.misc = (MCI_MISC_ADDR_PHYS << 6) | PAGE_SHIFT; ++ m.misc = (MCI_MISC_ADDR_PHYS << 6) | lsb; + + if (severity >= GHES_SEV_RECOVERABLE) + m.status |= MCI_STATUS_UC; +-- +2.35.1 + diff --git a/queue-6.0/x86-microcode-amd-track-patch-allocation-size-explic.patch b/queue-6.0/x86-microcode-amd-track-patch-allocation-size-explic.patch new file mode 100644 index 00000000000..99ab4589e10 --- /dev/null +++ b/queue-6.0/x86-microcode-amd-track-patch-allocation-size-explic.patch @@ -0,0 +1,64 @@ +From 79c6924938095a74bda7709fe9cc1b50492d8da9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 20:10:10 -0700 +Subject: x86/microcode/AMD: Track patch allocation size explicitly + +From: Kees Cook + +[ Upstream commit 712f210a457d9c32414df246a72781550bc23ef6 ] + +In preparation for reducing the use of ksize(), record the actual +allocation size for later memcpy(). This avoids copying extra +(uninitialized!) bytes into the patch buffer when the requested +allocation size isn't exactly the size of a kmalloc bucket. +Additionally, fix potential future issues where runtime bounds checking +will notice that the buffer was allocated to a smaller value than +returned by ksize(). + +Fixes: 757885e94a22 ("x86, microcode, amd: Early microcode patch loading support for AMD") +Suggested-by: Daniel Micay +Signed-off-by: Kees Cook +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/lkml/CA+DvKQ+bp7Y7gmaVhacjv9uF6Ar-o4tet872h4Q8RPYPJjcJQA@mail.gmail.com/ +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/microcode.h | 1 + + arch/x86/kernel/cpu/microcode/amd.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/microcode.h b/arch/x86/include/asm/microcode.h +index 0c3d3440fe27..aa675783412f 100644 +--- a/arch/x86/include/asm/microcode.h ++++ b/arch/x86/include/asm/microcode.h +@@ -9,6 +9,7 @@ + struct ucode_patch { + struct list_head plist; + void *data; /* Intel uses only this one */ ++ unsigned int size; + u32 patch_id; + u16 equiv_cpu; + }; +diff --git a/arch/x86/kernel/cpu/microcode/amd.c b/arch/x86/kernel/cpu/microcode/amd.c +index 8b2fcdfa6d31..615bc6efa1dd 100644 +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -788,6 +788,7 @@ static int verify_and_add_patch(u8 family, u8 *fw, unsigned int leftover, + kfree(patch); + return -EINVAL; + } ++ patch->size = *patch_size; + + mc_hdr = (struct microcode_header_amd *)(fw + SECTION_HDR_SIZE); + proc_id = mc_hdr->processor_rev_id; +@@ -869,7 +870,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, size_t size) + return ret; + + memset(amd_ucode_patch, 0, PATCH_MAX_SIZE); +- memcpy(amd_ucode_patch, p->data, min_t(u32, ksize(p->data), PATCH_MAX_SIZE)); ++ memcpy(amd_ucode_patch, p->data, min_t(u32, p->size, PATCH_MAX_SIZE)); + + return ret; + } +-- +2.35.1 + diff --git a/queue-6.0/x86-paravirt-add-extra-clobbers-with-zero_call_used_.patch b/queue-6.0/x86-paravirt-add-extra-clobbers-with-zero_call_used_.patch new file mode 100644 index 00000000000..641f2e87eba --- /dev/null +++ b/queue-6.0/x86-paravirt-add-extra-clobbers-with-zero_call_used_.patch @@ -0,0 +1,108 @@ +From fd0fc221ded82c1b2b8cc32bd577d681e01c5fec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 21:37:50 +0000 +Subject: x86/paravirt: add extra clobbers with ZERO_CALL_USED_REGS enabled + +From: Bill Wendling + +[ Upstream commit 8c86f29bfb18465d15b05cfd26a6454ec787b793 ] + +The ZERO_CALL_USED_REGS feature may zero out caller-saved registers +before returning. + +In spurious_kernel_fault(), the "pte_offset_kernel()" call results in +this assembly code: + +.Ltmp151: + #APP + # ALT: oldnstr +.Ltmp152: +.Ltmp153: +.Ltmp154: + .section .discard.retpoline_safe,"",@progbits + .quad .Ltmp154 + .text + + callq *pv_ops+536(%rip) + +.Ltmp155: + .section .parainstructions,"a",@progbits + .p2align 3, 0x0 + .quad .Ltmp153 + .byte 67 + .byte .Ltmp155-.Ltmp153 + .short 1 + .text +.Ltmp156: + # ALT: padding + .zero (-(((.Ltmp157-.Ltmp158)-(.Ltmp156-.Ltmp152))>0))*((.Ltmp157-.Ltmp158)-(.Ltmp156-.Ltmp152)),144 +.Ltmp159: + .section .altinstructions,"a",@progbits +.Ltmp160: + .long .Ltmp152-.Ltmp160 +.Ltmp161: + .long .Ltmp158-.Ltmp161 + .short 33040 + .byte .Ltmp159-.Ltmp152 + .byte .Ltmp157-.Ltmp158 + .text + + .section .altinstr_replacement,"ax",@progbits + # ALT: replacement 1 +.Ltmp158: + movq %rdi, %rax +.Ltmp157: + .text + #NO_APP +.Ltmp162: + testb $-128, %dil + +The "testb" here is using %dil, but the %rdi register was cleared before +returning from "callq *pv_ops+536(%rip)". Adding the proper constraints +results in the use of a different register: + + movq %r11, %rdi + + # Similar to above. + + testb $-128, %r11b + +Link: https://github.com/KSPP/linux/issues/192 +Signed-off-by: Bill Wendling +Reported-and-tested-by: Nathan Chancellor +Fixes: 035f7f87b729 ("randstruct: Enable Clang support") +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/lkml/fa6df43b-8a1a-8ad1-0236-94d2a0b588fa@suse.com/ +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20220902213750.1124421-3-morbo@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/paravirt_types.h | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h +index 89df6c6617f5..bc2e1b67319d 100644 +--- a/arch/x86/include/asm/paravirt_types.h ++++ b/arch/x86/include/asm/paravirt_types.h +@@ -414,8 +414,17 @@ int paravirt_disable_iospace(void); + "=c" (__ecx) + #define PVOP_CALL_CLOBBERS PVOP_VCALL_CLOBBERS, "=a" (__eax) + +-/* void functions are still allowed [re]ax for scratch */ ++/* ++ * void functions are still allowed [re]ax for scratch. ++ * ++ * The ZERO_CALL_USED REGS feature may end up zeroing out callee-saved ++ * registers. Make sure we model this with the appropriate clobbers. ++ */ ++#ifdef CONFIG_ZERO_CALL_USED_REGS ++#define PVOP_VCALLEE_CLOBBERS "=a" (__eax), PVOP_VCALL_CLOBBERS ++#else + #define PVOP_VCALLEE_CLOBBERS "=a" (__eax) ++#endif + #define PVOP_CALLEE_CLOBBERS PVOP_VCALLEE_CLOBBERS + + #define EXTRA_CLOBBERS , "r8", "r9", "r10", "r11" +-- +2.35.1 + diff --git a/queue-6.0/x86-resctrl-fix-to-restore-to-original-value-when-re.patch b/queue-6.0/x86-resctrl-fix-to-restore-to-original-value-when-re.patch new file mode 100644 index 00000000000..b7255d0acd1 --- /dev/null +++ b/queue-6.0/x86-resctrl-fix-to-restore-to-original-value-when-re.patch @@ -0,0 +1,108 @@ +From c6345d8a0c91af37be7f27d8681facb0c94ac7f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 09:44:10 -0700 +Subject: x86/resctrl: Fix to restore to original value when re-enabling + hardware prefetch register + +From: Kohei Tarumizu + +[ Upstream commit 499c8bb4693d1c8d8f3d6dd38e5bdde3ff5bd906 ] + +The current pseudo_lock.c code overwrites the value of the +MSR_MISC_FEATURE_CONTROL to 0 even if the original value is not 0. +Therefore, modify it to save and restore the original values. + +Fixes: 018961ae5579 ("x86/intel_rdt: Pseudo-lock region creation/removal core") +Fixes: 443810fe6160 ("x86/intel_rdt: Create debugfs files for pseudo-locking testing") +Fixes: 8a2fc0e1bc0c ("x86/intel_rdt: More precise L2 hit/miss measurements") +Signed-off-by: Kohei Tarumizu +Signed-off-by: Dave Hansen +Acked-by: Reinette Chatre +Link: https://lkml.kernel.org/r/eb660f3c2010b79a792c573c02d01e8e841206ad.1661358182.git.reinette.chatre@intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/cpu/resctrl/pseudo_lock.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/cpu/resctrl/pseudo_lock.c b/arch/x86/kernel/cpu/resctrl/pseudo_lock.c +index db813f819ad6..4d8398986f78 100644 +--- a/arch/x86/kernel/cpu/resctrl/pseudo_lock.c ++++ b/arch/x86/kernel/cpu/resctrl/pseudo_lock.c +@@ -420,6 +420,7 @@ static int pseudo_lock_fn(void *_rdtgrp) + struct pseudo_lock_region *plr = rdtgrp->plr; + u32 rmid_p, closid_p; + unsigned long i; ++ u64 saved_msr; + #ifdef CONFIG_KASAN + /* + * The registers used for local register variables are also used +@@ -463,6 +464,7 @@ static int pseudo_lock_fn(void *_rdtgrp) + * the buffer and evict pseudo-locked memory read earlier from the + * cache. + */ ++ saved_msr = __rdmsr(MSR_MISC_FEATURE_CONTROL); + __wrmsr(MSR_MISC_FEATURE_CONTROL, prefetch_disable_bits, 0x0); + closid_p = this_cpu_read(pqr_state.cur_closid); + rmid_p = this_cpu_read(pqr_state.cur_rmid); +@@ -514,7 +516,7 @@ static int pseudo_lock_fn(void *_rdtgrp) + __wrmsr(IA32_PQR_ASSOC, rmid_p, closid_p); + + /* Re-enable the hardware prefetcher(s) */ +- wrmsr(MSR_MISC_FEATURE_CONTROL, 0x0, 0x0); ++ wrmsrl(MSR_MISC_FEATURE_CONTROL, saved_msr); + local_irq_enable(); + + plr->thread_done = 1; +@@ -871,6 +873,7 @@ bool rdtgroup_pseudo_locked_in_hierarchy(struct rdt_domain *d) + static int measure_cycles_lat_fn(void *_plr) + { + struct pseudo_lock_region *plr = _plr; ++ u32 saved_low, saved_high; + unsigned long i; + u64 start, end; + void *mem_r; +@@ -879,6 +882,7 @@ static int measure_cycles_lat_fn(void *_plr) + /* + * Disable hardware prefetchers. + */ ++ rdmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high); + wrmsr(MSR_MISC_FEATURE_CONTROL, prefetch_disable_bits, 0x0); + mem_r = READ_ONCE(plr->kmem); + /* +@@ -895,7 +899,7 @@ static int measure_cycles_lat_fn(void *_plr) + end = rdtsc_ordered(); + trace_pseudo_lock_mem_latency((u32)(end - start)); + } +- wrmsr(MSR_MISC_FEATURE_CONTROL, 0x0, 0x0); ++ wrmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high); + local_irq_enable(); + plr->thread_done = 1; + wake_up_interruptible(&plr->lock_thread_wq); +@@ -940,6 +944,7 @@ static int measure_residency_fn(struct perf_event_attr *miss_attr, + u64 hits_before = 0, hits_after = 0, miss_before = 0, miss_after = 0; + struct perf_event *miss_event, *hit_event; + int hit_pmcnum, miss_pmcnum; ++ u32 saved_low, saved_high; + unsigned int line_size; + unsigned int size; + unsigned long i; +@@ -973,6 +978,7 @@ static int measure_residency_fn(struct perf_event_attr *miss_attr, + /* + * Disable hardware prefetchers. + */ ++ rdmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high); + wrmsr(MSR_MISC_FEATURE_CONTROL, prefetch_disable_bits, 0x0); + + /* Initialize rest of local variables */ +@@ -1031,7 +1037,7 @@ static int measure_residency_fn(struct perf_event_attr *miss_attr, + */ + rmb(); + /* Re-enable hardware prefetchers */ +- wrmsr(MSR_MISC_FEATURE_CONTROL, 0x0, 0x0); ++ wrmsr(MSR_MISC_FEATURE_CONTROL, saved_low, saved_high); + local_irq_enable(); + out_hit: + perf_event_release_kernel(hit_event); +-- +2.35.1 + diff --git a/queue-6.0/xfrm-reinject-transport-mode-packets-through-workque.patch b/queue-6.0/xfrm-reinject-transport-mode-packets-through-workque.patch new file mode 100644 index 00000000000..52cdb4faf43 --- /dev/null +++ b/queue-6.0/xfrm-reinject-transport-mode-packets-through-workque.patch @@ -0,0 +1,210 @@ +From c44d3336c2e998ae6e8687cc23f54f327f81ee14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 24 Sep 2022 16:01:57 +0800 +Subject: xfrm: Reinject transport-mode packets through workqueue + +From: Liu Jian + +[ Upstream commit 4f4920669d21e1060b7243e5118dc3b71ced1276 ] + +The following warning is displayed when the tcp6-multi-diffip11 stress +test case of the LTP test suite is tested: + +watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [ns-tcpserver:48198] +CPU: 0 PID: 48198 Comm: ns-tcpserver Kdump: loaded Not tainted 6.0.0-rc6+ #39 +Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 +pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +pc : des3_ede_encrypt+0x27c/0x460 [libdes] +lr : 0x3f +sp : ffff80000ceaa1b0 +x29: ffff80000ceaa1b0 x28: ffff0000df056100 x27: ffff0000e51e5280 +x26: ffff80004df75030 x25: ffff0000e51e4600 x24: 000000000000003b +x23: 0000000000802080 x22: 000000000000003d x21: 0000000000000038 +x20: 0000000080000020 x19: 000000000000000a x18: 0000000000000033 +x17: ffff0000e51e4780 x16: ffff80004e2d1448 x15: ffff80004e2d1248 +x14: ffff0000e51e4680 x13: ffff80004e2d1348 x12: ffff80004e2d1548 +x11: ffff80004e2d1848 x10: ffff80004e2d1648 x9 : ffff80004e2d1748 +x8 : ffff80004e2d1948 x7 : 000000000bcaf83d x6 : 000000000000001b +x5 : ffff80004e2d1048 x4 : 00000000761bf3bf x3 : 000000007f1dd0a3 +x2 : ffff0000e51e4780 x1 : ffff0000e3b9a2f8 x0 : 00000000db44e872 +Call trace: + des3_ede_encrypt+0x27c/0x460 [libdes] + crypto_des3_ede_encrypt+0x1c/0x30 [des_generic] + crypto_cbc_encrypt+0x148/0x190 + crypto_skcipher_encrypt+0x2c/0x40 + crypto_authenc_encrypt+0xc8/0xfc [authenc] + crypto_aead_encrypt+0x2c/0x40 + echainiv_encrypt+0x144/0x1a0 [echainiv] + crypto_aead_encrypt+0x2c/0x40 + esp6_output_tail+0x1c8/0x5d0 [esp6] + esp6_output+0x120/0x278 [esp6] + xfrm_output_one+0x458/0x4ec + xfrm_output_resume+0x6c/0x1f0 + xfrm_output+0xac/0x4ac + __xfrm6_output+0x130/0x270 + xfrm6_output+0x60/0xec + ip6_xmit+0x2ec/0x5bc + inet6_csk_xmit+0xbc/0x10c + __tcp_transmit_skb+0x460/0x8c0 + tcp_write_xmit+0x348/0x890 + __tcp_push_pending_frames+0x44/0x110 + tcp_rcv_established+0x3c8/0x720 + tcp_v6_do_rcv+0xdc/0x4a0 + tcp_v6_rcv+0xc24/0xcb0 + ip6_protocol_deliver_rcu+0xf0/0x574 + ip6_input_finish+0x48/0x7c + ip6_input+0x48/0xc0 + ip6_rcv_finish+0x80/0x9c + xfrm_trans_reinject+0xb0/0xf4 + tasklet_action_common.constprop.0+0xf8/0x134 + tasklet_action+0x30/0x3c + __do_softirq+0x128/0x368 + do_softirq+0xb4/0xc0 + __local_bh_enable_ip+0xb0/0xb4 + put_cpu_fpsimd_context+0x40/0x70 + kernel_neon_end+0x20/0x40 + sha1_base_do_update.constprop.0.isra.0+0x11c/0x140 [sha1_ce] + sha1_ce_finup+0x94/0x110 [sha1_ce] + crypto_shash_finup+0x34/0xc0 + hmac_finup+0x48/0xe0 + crypto_shash_finup+0x34/0xc0 + shash_digest_unaligned+0x74/0x90 + crypto_shash_digest+0x4c/0x9c + shash_ahash_digest+0xc8/0xf0 + shash_async_digest+0x28/0x34 + crypto_ahash_digest+0x48/0xcc + crypto_authenc_genicv+0x88/0xcc [authenc] + crypto_authenc_encrypt+0xd8/0xfc [authenc] + crypto_aead_encrypt+0x2c/0x40 + echainiv_encrypt+0x144/0x1a0 [echainiv] + crypto_aead_encrypt+0x2c/0x40 + esp6_output_tail+0x1c8/0x5d0 [esp6] + esp6_output+0x120/0x278 [esp6] + xfrm_output_one+0x458/0x4ec + xfrm_output_resume+0x6c/0x1f0 + xfrm_output+0xac/0x4ac + __xfrm6_output+0x130/0x270 + xfrm6_output+0x60/0xec + ip6_xmit+0x2ec/0x5bc + inet6_csk_xmit+0xbc/0x10c + __tcp_transmit_skb+0x460/0x8c0 + tcp_write_xmit+0x348/0x890 + __tcp_push_pending_frames+0x44/0x110 + tcp_push+0xb4/0x14c + tcp_sendmsg_locked+0x71c/0xb64 + tcp_sendmsg+0x40/0x6c + inet6_sendmsg+0x4c/0x80 + sock_sendmsg+0x5c/0x6c + __sys_sendto+0x128/0x15c + __arm64_sys_sendto+0x30/0x40 + invoke_syscall+0x50/0x120 + el0_svc_common.constprop.0+0x170/0x194 + do_el0_svc+0x38/0x4c + el0_svc+0x28/0xe0 + el0t_64_sync_handler+0xbc/0x13c + el0t_64_sync+0x180/0x184 + +Get softirq info by bcc tool: +./softirqs -NT 10 +Tracing soft irq event time... Hit Ctrl-C to end. + +15:34:34 +SOFTIRQ TOTAL_nsecs +block 158990 +timer 20030920 +sched 46577080 +net_rx 676746820 +tasklet 9906067650 + +15:34:45 +SOFTIRQ TOTAL_nsecs +block 86100 +sched 38849790 +net_rx 676532470 +timer 1163848790 +tasklet 9409019620 + +15:34:55 +SOFTIRQ TOTAL_nsecs +sched 58078450 +net_rx 475156720 +timer 533832410 +tasklet 9431333300 + +The tasklet software interrupt takes too much time. Therefore, the +xfrm_trans_reinject executor is changed from tasklet to workqueue. Add add +spin lock to protect the queue. This reduces the processing flow of the +tcp_sendmsg function in this scenario. + +Fixes: acf568ee859f0 ("xfrm: Reinject transport-mode packets through tasklet") +Signed-off-by: Liu Jian +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_input.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c +index b2f4ec9c537f..aa5220565763 100644 +--- a/net/xfrm/xfrm_input.c ++++ b/net/xfrm/xfrm_input.c +@@ -24,7 +24,8 @@ + #include "xfrm_inout.h" + + struct xfrm_trans_tasklet { +- struct tasklet_struct tasklet; ++ struct work_struct work; ++ spinlock_t queue_lock; + struct sk_buff_head queue; + }; + +@@ -760,18 +761,22 @@ int xfrm_input_resume(struct sk_buff *skb, int nexthdr) + } + EXPORT_SYMBOL(xfrm_input_resume); + +-static void xfrm_trans_reinject(struct tasklet_struct *t) ++static void xfrm_trans_reinject(struct work_struct *work) + { +- struct xfrm_trans_tasklet *trans = from_tasklet(trans, t, tasklet); ++ struct xfrm_trans_tasklet *trans = container_of(work, struct xfrm_trans_tasklet, work); + struct sk_buff_head queue; + struct sk_buff *skb; + + __skb_queue_head_init(&queue); ++ spin_lock_bh(&trans->queue_lock); + skb_queue_splice_init(&trans->queue, &queue); ++ spin_unlock_bh(&trans->queue_lock); + ++ local_bh_disable(); + while ((skb = __skb_dequeue(&queue))) + XFRM_TRANS_SKB_CB(skb)->finish(XFRM_TRANS_SKB_CB(skb)->net, + NULL, skb); ++ local_bh_enable(); + } + + int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb, +@@ -789,8 +794,10 @@ int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb, + + XFRM_TRANS_SKB_CB(skb)->finish = finish; + XFRM_TRANS_SKB_CB(skb)->net = net; ++ spin_lock_bh(&trans->queue_lock); + __skb_queue_tail(&trans->queue, skb); +- tasklet_schedule(&trans->tasklet); ++ spin_unlock_bh(&trans->queue_lock); ++ schedule_work(&trans->work); + return 0; + } + EXPORT_SYMBOL(xfrm_trans_queue_net); +@@ -817,7 +824,8 @@ void __init xfrm_input_init(void) + struct xfrm_trans_tasklet *trans; + + trans = &per_cpu(xfrm_trans_tasklet, i); ++ spin_lock_init(&trans->queue_lock); + __skb_queue_head_init(&trans->queue); +- tasklet_setup(&trans->tasklet, xfrm_trans_reinject); ++ INIT_WORK(&trans->work, xfrm_trans_reinject); + } + } +-- +2.35.1 + diff --git a/queue-6.0/xfrm-update-ipcomp_scratches-with-null-when-freed.patch b/queue-6.0/xfrm-update-ipcomp_scratches-with-null-when-freed.patch new file mode 100644 index 00000000000..103b6949cc5 --- /dev/null +++ b/queue-6.0/xfrm-update-ipcomp_scratches-with-null-when-freed.patch @@ -0,0 +1,72 @@ +From 21ecfe6097ff8a0911a1bde8e94905d05c2640fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 13:12:10 +0600 +Subject: xfrm: Update ipcomp_scratches with NULL when freed + +From: Khalid Masum + +[ Upstream commit 8a04d2fc700f717104bfb95b0f6694e448a4537f ] + +Currently if ipcomp_alloc_scratches() fails to allocate memory +ipcomp_scratches holds obsolete address. So when we try to free the +percpu scratches using ipcomp_free_scratches() it tries to vfree non +existent vm area. Described below: + +static void * __percpu *ipcomp_alloc_scratches(void) +{ + ... + scratches = alloc_percpu(void *); + if (!scratches) + return NULL; +ipcomp_scratches does not know about this allocation failure. +Therefore holding the old obsolete address. + ... +} + +So when we free, + +static void ipcomp_free_scratches(void) +{ + ... + scratches = ipcomp_scratches; +Assigning obsolete address from ipcomp_scratches + + if (!scratches) + return; + + for_each_possible_cpu(i) + vfree(*per_cpu_ptr(scratches, i)); +Trying to free non existent page, causing warning: trying to vfree +existent vm area. + ... +} + +Fix this breakage by updating ipcomp_scrtches with NULL when scratches +is freed + +Suggested-by: Herbert Xu +Reported-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com +Tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com +Signed-off-by: Khalid Masum +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/xfrm/xfrm_ipcomp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c +index cb40ff0ff28d..92ad336a83ab 100644 +--- a/net/xfrm/xfrm_ipcomp.c ++++ b/net/xfrm/xfrm_ipcomp.c +@@ -203,6 +203,7 @@ static void ipcomp_free_scratches(void) + vfree(*per_cpu_ptr(scratches, i)); + + free_percpu(scratches); ++ ipcomp_scratches = NULL; + } + + static void * __percpu *ipcomp_alloc_scratches(void) +-- +2.35.1 + diff --git a/queue-6.0/xhci-don-t-show-warning-for-reinit-on-known-broken-s.patch b/queue-6.0/xhci-don-t-show-warning-for-reinit-on-known-broken-s.patch new file mode 100644 index 00000000000..95045834bb9 --- /dev/null +++ b/queue-6.0/xhci-don-t-show-warning-for-reinit-on-known-broken-s.patch @@ -0,0 +1,48 @@ +From 06eadc0e436a2e1e086329fd3081825fe728bea6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 15:34:47 +0300 +Subject: xhci: Don't show warning for reinit on known broken suspend + +From: Mario Limonciello + +[ Upstream commit 484d6f7aa3283d082c87654b7fe7a7f725423dfb ] + +commit 8b328f8002bc ("xhci: re-initialize the HC during resume if HCE was +set") introduced a new warning message when the host controller error +was set and re-initializing. + +This is expected behavior on some designs which already set +`xhci->broken_suspend` so the new warning is alarming to some users. + +Modify the code to only show the warning if this was a surprising behavior +to the XHCI driver. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216470 +Fixes: 8b328f8002bc ("xhci: re-initialize the HC during resume if HCE was set") +Reported-by: Artem S. Tashkinov +Signed-off-by: Mario Limonciello +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20220921123450.671459-4-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/xhci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c +index 38649284ff88..a7ef675f00fd 100644 +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1183,7 +1183,8 @@ int xhci_resume(struct xhci_hcd *xhci, bool hibernated) + /* re-initialize the HC on Restore Error, or Host Controller Error */ + if (temp & (STS_SRE | STS_HCE)) { + reinit_xhc = true; +- xhci_warn(xhci, "xHC error in resume, USBSTS 0x%x, Reinit\n", temp); ++ if (!xhci->broken_suspend) ++ xhci_warn(xhci, "xHC error in resume, USBSTS 0x%x, Reinit\n", temp); + } + + if (reinit_xhc) { +-- +2.35.1 + diff --git a/queue-6.0/xsk-fix-backpressure-mechanism-on-tx.patch b/queue-6.0/xsk-fix-backpressure-mechanism-on-tx.patch new file mode 100644 index 00000000000..531f2903831 --- /dev/null +++ b/queue-6.0/xsk-fix-backpressure-mechanism-on-tx.patch @@ -0,0 +1,171 @@ +From 79e7b475017ae7f5742857b436a1a743505a88e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 14:17:05 +0200 +Subject: xsk: Fix backpressure mechanism on Tx + +From: Maciej Fijalkowski + +[ Upstream commit c00c4461689e15ac2cc3b9a595a54e4d8afd3d77 ] + +Commit d678cbd2f867 ("xsk: Fix handling of invalid descriptors in XSK TX +batching API") fixed batch API usage against set of descriptors with +invalid ones but introduced a problem when AF_XDP SW rings are smaller +than HW ones. Mismatch of reported Tx'ed frames between HW generator and +user space app was observed. It turned out that backpressure mechanism +became a bottleneck when the amount of produced descriptors to CQ is +lower than what we grabbed from XSK Tx ring. + +Say that 512 entries had been taken from XSK Tx ring but we had only 490 +free entries in CQ. Then callsite (ZC driver) will produce only 490 +entries onto HW Tx ring but 512 entries will be released from Tx ring +and this is what will be seen by the user space. + +In order to fix this case, mix XSK Tx/CQ ring interractions by moving +around internal functions and changing call order: + +* pull out xskq_prod_nb_free() from xskq_prod_reserve_addr_batch() + up to xsk_tx_peek_release_desc_batch(); +** move xskq_cons_release_n() into xskq_cons_read_desc_batch() + +After doing so, algorithm can be described as follows: + +1. lookup Tx entries +2. use value from 1. to reserve space in CQ (*) +3. Read from Tx ring as much descriptors as value from 2 + 3a. release descriptors from XSK Tx ring (**) +4. Finally produce addresses to CQ + +Fixes: d678cbd2f867 ("xsk: Fix handling of invalid descriptors in XSK TX batching API") +Signed-off-by: Magnus Karlsson +Signed-off-by: Maciej Fijalkowski +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20220830121705.8618-1-maciej.fijalkowski@intel.com +Signed-off-by: Sasha Levin +--- + net/xdp/xsk.c | 22 +++++++++++----------- + net/xdp/xsk_queue.h | 22 ++++++++++------------ + 2 files changed, 21 insertions(+), 23 deletions(-) + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 7bada4e8460b..9f0561b67c12 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -355,16 +355,15 @@ static u32 xsk_tx_peek_release_fallback(struct xsk_buff_pool *pool, u32 max_entr + return nb_pkts; + } + +-u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries) ++u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 nb_pkts) + { + struct xdp_sock *xs; +- u32 nb_pkts; + + rcu_read_lock(); + if (!list_is_singular(&pool->xsk_tx_list)) { + /* Fallback to the non-batched version */ + rcu_read_unlock(); +- return xsk_tx_peek_release_fallback(pool, max_entries); ++ return xsk_tx_peek_release_fallback(pool, nb_pkts); + } + + xs = list_first_or_null_rcu(&pool->xsk_tx_list, struct xdp_sock, tx_list); +@@ -373,12 +372,7 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries) + goto out; + } + +- max_entries = xskq_cons_nb_entries(xs->tx, max_entries); +- nb_pkts = xskq_cons_read_desc_batch(xs->tx, pool, max_entries); +- if (!nb_pkts) { +- xs->tx->queue_empty_descs++; +- goto out; +- } ++ nb_pkts = xskq_cons_nb_entries(xs->tx, nb_pkts); + + /* This is the backpressure mechanism for the Tx path. Try to + * reserve space in the completion queue for all packets, but +@@ -386,12 +380,18 @@ u32 xsk_tx_peek_release_desc_batch(struct xsk_buff_pool *pool, u32 max_entries) + * packets. This avoids having to implement any buffering in + * the Tx path. + */ +- nb_pkts = xskq_prod_reserve_addr_batch(pool->cq, pool->tx_descs, nb_pkts); ++ nb_pkts = xskq_prod_nb_free(pool->cq, nb_pkts); + if (!nb_pkts) + goto out; + +- xskq_cons_release_n(xs->tx, max_entries); ++ nb_pkts = xskq_cons_read_desc_batch(xs->tx, pool, nb_pkts); ++ if (!nb_pkts) { ++ xs->tx->queue_empty_descs++; ++ goto out; ++ } ++ + __xskq_cons_release(xs->tx); ++ xskq_prod_write_addr_batch(pool->cq, pool->tx_descs, nb_pkts); + xs->sk.sk_write_space(&xs->sk); + + out: +diff --git a/net/xdp/xsk_queue.h b/net/xdp/xsk_queue.h +index fb20bf7207cf..c6fb6b763658 100644 +--- a/net/xdp/xsk_queue.h ++++ b/net/xdp/xsk_queue.h +@@ -205,6 +205,11 @@ static inline bool xskq_cons_read_desc(struct xsk_queue *q, + return false; + } + ++static inline void xskq_cons_release_n(struct xsk_queue *q, u32 cnt) ++{ ++ q->cached_cons += cnt; ++} ++ + static inline u32 xskq_cons_read_desc_batch(struct xsk_queue *q, struct xsk_buff_pool *pool, + u32 max) + { +@@ -226,6 +231,8 @@ static inline u32 xskq_cons_read_desc_batch(struct xsk_queue *q, struct xsk_buff + cached_cons++; + } + ++ /* Release valid plus any invalid entries */ ++ xskq_cons_release_n(q, cached_cons - q->cached_cons); + return nb_entries; + } + +@@ -291,11 +298,6 @@ static inline void xskq_cons_release(struct xsk_queue *q) + q->cached_cons++; + } + +-static inline void xskq_cons_release_n(struct xsk_queue *q, u32 cnt) +-{ +- q->cached_cons += cnt; +-} +- + static inline u32 xskq_cons_present_entries(struct xsk_queue *q) + { + /* No barriers needed since data is not accessed */ +@@ -350,21 +352,17 @@ static inline int xskq_prod_reserve_addr(struct xsk_queue *q, u64 addr) + return 0; + } + +-static inline u32 xskq_prod_reserve_addr_batch(struct xsk_queue *q, struct xdp_desc *descs, +- u32 max) ++static inline void xskq_prod_write_addr_batch(struct xsk_queue *q, struct xdp_desc *descs, ++ u32 nb_entries) + { + struct xdp_umem_ring *ring = (struct xdp_umem_ring *)q->ring; +- u32 nb_entries, i, cached_prod; +- +- nb_entries = xskq_prod_nb_free(q, max); ++ u32 i, cached_prod; + + /* A, matches D */ + cached_prod = q->cached_prod; + for (i = 0; i < nb_entries; i++) + ring->desc[cached_prod++ & q->ring_mask] = descs[i].addr; + q->cached_prod = cached_prod; +- +- return nb_entries; + } + + static inline int xskq_prod_reserve_desc(struct xsk_queue *q, +-- +2.35.1 +