From: Sasha Levin Date: Sat, 18 Jun 2022 17:07:51 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.4.200~66 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=95f6fb031974827db3c74723ff681fc43cb510c2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/asoc-cs42l52-correct-tlv-for-bypass-volume.patch b/queue-4.19/asoc-cs42l52-correct-tlv-for-bypass-volume.patch new file mode 100644 index 00000000000..67703104aac --- /dev/null +++ b/queue-4.19/asoc-cs42l52-correct-tlv-for-bypass-volume.patch @@ -0,0 +1,45 @@ +From aa7ed240f52c716c2b220ceb1a8786723942a911 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 17:21:17 +0100 +Subject: ASoC: cs42l52: Correct TLV for Bypass Volume + +From: Charles Keepax + +[ Upstream commit 91e90c712fade0b69cdff7cc6512f6099bd18ae5 ] + +The Bypass Volume is accidentally using a -6dB minimum TLV rather than +the correct -60dB minimum. Add a new TLV to correct this. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20220602162119.3393857-5-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l52.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c +index 9a3180e71bd8..de311299432b 100644 +--- a/sound/soc/codecs/cs42l52.c ++++ b/sound/soc/codecs/cs42l52.c +@@ -141,6 +141,8 @@ static DECLARE_TLV_DB_SCALE(mic_tlv, 1600, 100, 0); + + static DECLARE_TLV_DB_SCALE(pga_tlv, -600, 50, 0); + ++static DECLARE_TLV_DB_SCALE(pass_tlv, -6000, 50, 0); ++ + static DECLARE_TLV_DB_SCALE(mix_tlv, -5150, 50, 0); + + static DECLARE_TLV_DB_SCALE(beep_tlv, -56, 200, 0); +@@ -355,7 +357,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = { + CS42L52_SPKB_VOL, 0, 0x40, 0xC0, hl_tlv), + + SOC_DOUBLE_R_SX_TLV("Bypass Volume", CS42L52_PASSTHRUA_VOL, +- CS42L52_PASSTHRUB_VOL, 0, 0x88, 0x90, pga_tlv), ++ CS42L52_PASSTHRUB_VOL, 0, 0x88, 0x90, pass_tlv), + + SOC_DOUBLE("Bypass Mute", CS42L52_MISC_CTL, 4, 5, 1, 0), + +-- +2.35.1 + diff --git a/queue-4.19/asoc-cs42l52-fix-tlv-scales-for-mixer-controls.patch b/queue-4.19/asoc-cs42l52-fix-tlv-scales-for-mixer-controls.patch new file mode 100644 index 00000000000..7a242d7c27c --- /dev/null +++ b/queue-4.19/asoc-cs42l52-fix-tlv-scales-for-mixer-controls.patch @@ -0,0 +1,45 @@ +From 3fa5ba34ae072eff244f0e85e136d394cf067611 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 17:21:14 +0100 +Subject: ASoC: cs42l52: Fix TLV scales for mixer controls + +From: Charles Keepax + +[ Upstream commit 8bf5aabf524eec61013e506f764a0b2652dc5665 ] + +The datasheet specifies the range of the mixer volumes as between +-51.5dB and 12dB with a 0.5dB step. Update the TLVs for this. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20220602162119.3393857-2-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l52.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c +index 3d83c1be1292..9a3180e71bd8 100644 +--- a/sound/soc/codecs/cs42l52.c ++++ b/sound/soc/codecs/cs42l52.c +@@ -141,7 +141,7 @@ static DECLARE_TLV_DB_SCALE(mic_tlv, 1600, 100, 0); + + static DECLARE_TLV_DB_SCALE(pga_tlv, -600, 50, 0); + +-static DECLARE_TLV_DB_SCALE(mix_tlv, -50, 50, 0); ++static DECLARE_TLV_DB_SCALE(mix_tlv, -5150, 50, 0); + + static DECLARE_TLV_DB_SCALE(beep_tlv, -56, 200, 0); + +@@ -368,7 +368,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = { + CS42L52_ADCB_VOL, 0, 0xA0, 0x78, ipd_tlv), + SOC_DOUBLE_R_SX_TLV("ADC Mixer Volume", + CS42L52_ADCA_MIXER_VOL, CS42L52_ADCB_MIXER_VOL, +- 0, 0x19, 0x7F, ipd_tlv), ++ 0, 0x19, 0x7F, mix_tlv), + + SOC_DOUBLE("ADC Switch", CS42L52_ADC_MISC_CTL, 0, 1, 1, 0), + +-- +2.35.1 + diff --git a/queue-4.19/asoc-cs42l56-correct-typo-in-minimum-level-for-sx-vo.patch b/queue-4.19/asoc-cs42l56-correct-typo-in-minimum-level-for-sx-vo.patch new file mode 100644 index 00000000000..bb69844f25b --- /dev/null +++ b/queue-4.19/asoc-cs42l56-correct-typo-in-minimum-level-for-sx-vo.patch @@ -0,0 +1,41 @@ +From dd4ad9bde57330e612e59fa44d6b044c6c5bda8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 17:21:18 +0100 +Subject: ASoC: cs42l56: Correct typo in minimum level for SX volume controls + +From: Charles Keepax + +[ Upstream commit a8928ada9b96944cadd8b65d191e33199fd38782 ] + +A couple of the SX volume controls specify 0x84 as the lowest volume +value, however the correct value from the datasheet is 0x44. The +datasheet don't include spaces in the value it displays as binary so +this was almost certainly just a typo reading 1000100. + +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20220602162119.3393857-6-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l56.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/cs42l56.c b/sound/soc/codecs/cs42l56.c +index 04f89b751304..deaad703a7db 100644 +--- a/sound/soc/codecs/cs42l56.c ++++ b/sound/soc/codecs/cs42l56.c +@@ -403,9 +403,9 @@ static const struct snd_kcontrol_new cs42l56_snd_controls[] = { + SOC_DOUBLE("ADC Boost Switch", CS42L56_GAIN_BIAS_CTL, 3, 2, 1, 1), + + SOC_DOUBLE_R_SX_TLV("Headphone Volume", CS42L56_HPA_VOLUME, +- CS42L56_HPB_VOLUME, 0, 0x84, 0x48, hl_tlv), ++ CS42L56_HPB_VOLUME, 0, 0x44, 0x48, hl_tlv), + SOC_DOUBLE_R_SX_TLV("LineOut Volume", CS42L56_LOA_VOLUME, +- CS42L56_LOB_VOLUME, 0, 0x84, 0x48, hl_tlv), ++ CS42L56_LOB_VOLUME, 0, 0x44, 0x48, hl_tlv), + + SOC_SINGLE_TLV("Bass Shelving Volume", CS42L56_TONE_CTL, + 0, 0x00, 1, tone_tlv), +-- +2.35.1 + diff --git a/queue-4.19/asoc-cs53l30-correct-number-of-volume-levels-on-sx-c.patch b/queue-4.19/asoc-cs53l30-correct-number-of-volume-levels-on-sx-c.patch new file mode 100644 index 00000000000..7172cbfaacf --- /dev/null +++ b/queue-4.19/asoc-cs53l30-correct-number-of-volume-levels-on-sx-c.patch @@ -0,0 +1,59 @@ +From 860fda72f435057ca38f8e53285d03bc8a906f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 17:21:16 +0100 +Subject: ASoC: cs53l30: Correct number of volume levels on SX controls + +From: Charles Keepax + +[ Upstream commit 7fbd6dd68127927e844912a16741016d432a0737 ] + +This driver specified the maximum value rather than the number of volume +levels on the SX controls, this is incorrect, so correct them. + +Reported-by: David Rhodes +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20220602162119.3393857-4-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs53l30.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/codecs/cs53l30.c b/sound/soc/codecs/cs53l30.c +index 8995ea45b4ca..86e93904b001 100644 +--- a/sound/soc/codecs/cs53l30.c ++++ b/sound/soc/codecs/cs53l30.c +@@ -351,22 +351,22 @@ static const struct snd_kcontrol_new cs53l30_snd_controls[] = { + SOC_ENUM("ADC2 NG Delay", adc2_ng_delay_enum), + + SOC_SINGLE_SX_TLV("ADC1A PGA Volume", +- CS53L30_ADC1A_AFE_CTL, 0, 0x34, 0x18, pga_tlv), ++ CS53L30_ADC1A_AFE_CTL, 0, 0x34, 0x24, pga_tlv), + SOC_SINGLE_SX_TLV("ADC1B PGA Volume", +- CS53L30_ADC1B_AFE_CTL, 0, 0x34, 0x18, pga_tlv), ++ CS53L30_ADC1B_AFE_CTL, 0, 0x34, 0x24, pga_tlv), + SOC_SINGLE_SX_TLV("ADC2A PGA Volume", +- CS53L30_ADC2A_AFE_CTL, 0, 0x34, 0x18, pga_tlv), ++ CS53L30_ADC2A_AFE_CTL, 0, 0x34, 0x24, pga_tlv), + SOC_SINGLE_SX_TLV("ADC2B PGA Volume", +- CS53L30_ADC2B_AFE_CTL, 0, 0x34, 0x18, pga_tlv), ++ CS53L30_ADC2B_AFE_CTL, 0, 0x34, 0x24, pga_tlv), + + SOC_SINGLE_SX_TLV("ADC1A Digital Volume", +- CS53L30_ADC1A_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), ++ CS53L30_ADC1A_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), + SOC_SINGLE_SX_TLV("ADC1B Digital Volume", +- CS53L30_ADC1B_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), ++ CS53L30_ADC1B_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), + SOC_SINGLE_SX_TLV("ADC2A Digital Volume", +- CS53L30_ADC2A_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), ++ CS53L30_ADC2A_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), + SOC_SINGLE_SX_TLV("ADC2B Digital Volume", +- CS53L30_ADC2B_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), ++ CS53L30_ADC2B_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), + }; + + static const struct snd_soc_dapm_widget cs53l30_dapm_widgets[] = { +-- +2.35.1 + diff --git a/queue-4.19/asoc-es8328-fix-event-generation-for-deemphasis-cont.patch b/queue-4.19/asoc-es8328-fix-event-generation-for-deemphasis-cont.patch new file mode 100644 index 00000000000..462944d398e --- /dev/null +++ b/queue-4.19/asoc-es8328-fix-event-generation-for-deemphasis-cont.patch @@ -0,0 +1,47 @@ +From 581b1774ebe04839d9ee2e40c54a172c627756c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 14:39:37 +0200 +Subject: ASoC: es8328: Fix event generation for deemphasis control + +From: Mark Brown + +[ Upstream commit 8259610c2ec01c5cbfb61882ae176aabacac9c19 ] + +Currently the put() method for the deemphasis control returns 0 when a new +value is written to the control even if the value changed, meaning events +are not generated. Fix this, skip the work of updating the value when it is +unchanged and then return 1 after having done so. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20220603123937.4013603-1-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/es8328.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/es8328.c b/sound/soc/codecs/es8328.c +index 3afa163f7652..dcb01889e177 100644 +--- a/sound/soc/codecs/es8328.c ++++ b/sound/soc/codecs/es8328.c +@@ -165,13 +165,16 @@ static int es8328_put_deemph(struct snd_kcontrol *kcontrol, + if (deemph > 1) + return -EINVAL; + ++ if (es8328->deemph == deemph) ++ return 0; ++ + ret = es8328_set_deemph(component); + if (ret < 0) + return ret; + + es8328->deemph = deemph; + +- return 0; ++ return 1; + } + + +-- +2.35.1 + diff --git a/queue-4.19/asoc-wm8962-fix-suspend-while-playing-music.patch b/queue-4.19/asoc-wm8962-fix-suspend-while-playing-music.patch new file mode 100644 index 00000000000..ef47b9ac6c4 --- /dev/null +++ b/queue-4.19/asoc-wm8962-fix-suspend-while-playing-music.patch @@ -0,0 +1,42 @@ +From 93b5deba51f8498731e461d65eca0f4ede4d0bd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 13:21:28 -0500 +Subject: ASoC: wm8962: Fix suspend while playing music + +From: Adam Ford + +[ Upstream commit d1f5272c0f7d2e53c6f2480f46725442776f5f78 ] + +If the audio CODEC is playing sound when the system is suspended, +it can be left in a state which throws the following error: + +wm8962 3-001a: ASoC: error at soc_component_read_no_lock on wm8962.3-001a: -16 + +Once this error has occurred, the audio will not work again until rebooted. + +Fix this by configuring SET_SYSTEM_SLEEP_PM_OPS. + +Signed-off-by: Adam Ford +Acked-by: Charles Keepax +Link: https://lore.kernel.org/r/20220526182129.538472-1-aford173@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8962.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c +index dde015fd70a4..3f75cb3209ff 100644 +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -3861,6 +3861,7 @@ static int wm8962_runtime_suspend(struct device *dev) + #endif + + static const struct dev_pm_ops wm8962_pm = { ++ SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, pm_runtime_force_resume) + SET_RUNTIME_PM_OPS(wm8962_runtime_suspend, wm8962_runtime_resume, NULL) + }; + +-- +2.35.1 + diff --git a/queue-4.19/asoc-wm_adsp-fix-event-generation-for-wm_adsp_fw_put.patch b/queue-4.19/asoc-wm_adsp-fix-event-generation-for-wm_adsp_fw_put.patch new file mode 100644 index 00000000000..faa12087732 --- /dev/null +++ b/queue-4.19/asoc-wm_adsp-fix-event-generation-for-wm_adsp_fw_put.patch @@ -0,0 +1,39 @@ +From 8ca7b0072bf8382ccd1f6612d93f0bd1652f4a6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 13:50:03 +0200 +Subject: ASoC: wm_adsp: Fix event generation for wm_adsp_fw_put() + +From: Mark Brown + +[ Upstream commit 2abdf9f80019e8244d3806ed0e1c9f725e50b452 ] + +Currently wm_adsp_fw_put() returns 0 rather than 1 when updating the value +of the control, meaning that no event is generated to userspace. Fix this +by setting the default return value to 1, the code already exits early with +a return value of 0 if the value is unchanged. + +Signed-off-by: Mark Brown +Reviewed-by: Richard Fitzgerald +Link: https://lore.kernel.org/r/20220603115003.3865834-1-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm_adsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c +index 02c557e1f779..c5b0b56d9c94 100644 +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -697,7 +697,7 @@ int wm_adsp_fw_put(struct snd_kcontrol *kcontrol, + struct snd_soc_component *component = snd_soc_kcontrol_component(kcontrol); + struct soc_enum *e = (struct soc_enum *)kcontrol->private_value; + struct wm_adsp *dsp = snd_soc_component_get_drvdata(component); +- int ret = 0; ++ int ret = 1; + + if (ucontrol->value.enumerated.item[0] == dsp[e->shift_l].fw) + return 0; +-- +2.35.1 + diff --git a/queue-4.19/ata-libata-core-fix-null-pointer-deref-in-ata_host_a.patch b/queue-4.19/ata-libata-core-fix-null-pointer-deref-in-ata_host_a.patch new file mode 100644 index 00000000000..94050fa07d0 --- /dev/null +++ b/queue-4.19/ata-libata-core-fix-null-pointer-deref-in-ata_host_a.patch @@ -0,0 +1,50 @@ +From 006b51f670551b106fd4ef3240581f49705657b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 May 2022 23:34:10 +0300 +Subject: ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo() + +From: Sergey Shtylyov + +[ Upstream commit bf476fe22aa1851bab4728e0c49025a6a0bea307 ] + +In an unlikely (and probably wrong?) case that the 'ppi' parameter of +ata_host_alloc_pinfo() points to an array starting with a NULL pointer, +there's going to be a kernel oops as the 'pi' local variable won't get +reassigned from the initial value of NULL. Initialize 'pi' instead to +'&ata_dummy_port_info' to fix the possible kernel oops for good... + +Found by Linux Verification Center (linuxtesting.org) with the SVACE static +analysis tool. + +Signed-off-by: Sergey Shtylyov +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 0c10d9557754..b0dea0702c74 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -6253,7 +6253,7 @@ struct ata_host *ata_host_alloc_pinfo(struct device *dev, + const struct ata_port_info * const * ppi, + int n_ports) + { +- const struct ata_port_info *pi; ++ const struct ata_port_info *pi = &ata_dummy_port_info; + struct ata_host *host; + int i, j; + +@@ -6261,7 +6261,7 @@ struct ata_host *ata_host_alloc_pinfo(struct device *dev, + if (!host) + return NULL; + +- for (i = 0, j = 0, pi = NULL; i < host->n_ports; i++) { ++ for (i = 0, j = 0; i < host->n_ports; i++) { + struct ata_port *ap = host->ports[i]; + + if (ppi[j]) +-- +2.35.1 + diff --git a/queue-4.19/ipv6-fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch b/queue-4.19/ipv6-fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch new file mode 100644 index 00000000000..6c65272609f --- /dev/null +++ b/queue-4.19/ipv6-fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch @@ -0,0 +1,46 @@ +From 90fdffb348fb85dcc73509a79f0e47609542a47e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 20:00:28 +0800 +Subject: ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg + +From: Wang Yufen + +[ Upstream commit f638a84afef3dfe10554c51820c16e39a278c915 ] + +When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be +overflow. To fix, we can follow what udpv6 does and subtract the +transhdrlen from the max. + +Signed-off-by: Wang Yufen +Link: https://lore.kernel.org/r/20220607120028.845916-2-wangyufen@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_ip6.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index 2ff25c445b82..9dae10d8880c 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -519,14 +519,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) + struct ipcm6_cookie ipc6; + int addr_len = msg->msg_namelen; + int transhdrlen = 4; /* zero session-id */ +- int ulen = len + transhdrlen; ++ int ulen; + int err; + + /* Rough check on arithmetic overflow, + better check is made in ip6_append_data(). + */ +- if (len > INT_MAX) ++ if (len > INT_MAX - transhdrlen) + return -EMSGSIZE; ++ ulen = len + transhdrlen; + + /* Mirror BSD error message compatibility */ + if (msg->msg_flags & MSG_OOB) +-- +2.35.1 + diff --git a/queue-4.19/net-ethernet-mtk_eth_soc-fix-misuse-of-mem-alloc-int.patch b/queue-4.19/net-ethernet-mtk_eth_soc-fix-misuse-of-mem-alloc-int.patch new file mode 100644 index 00000000000..993f8f6d223 --- /dev/null +++ b/queue-4.19/net-ethernet-mtk_eth_soc-fix-misuse-of-mem-alloc-int.patch @@ -0,0 +1,74 @@ +From 85e67f6f764819e80a4f39c14357df1c39dddc6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 20:46:53 +0800 +Subject: net: ethernet: mtk_eth_soc: fix misuse of mem alloc interface + netdev[napi]_alloc_frag + +From: Chen Lin + +[ Upstream commit 2f2c0d2919a14002760f89f4e02960c735a316d2 ] + +When rx_flag == MTK_RX_FLAGS_HWLRO, +rx_data_len = MTK_MAX_LRO_RX_LENGTH(4096 * 3) > PAGE_SIZE. +netdev_alloc_frag is for alloction of page fragment only. +Reference to other drivers and Documentation/vm/page_frags.rst + +Branch to use __get_free_pages when ring->frag_size > PAGE_SIZE. + +Signed-off-by: Chen Lin +Link: https://lore.kernel.org/r/1654692413-2598-1-git-send-email-chen45464546@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index f2eaf8c13cc2..53cff913abf0 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -597,6 +597,17 @@ static inline void mtk_rx_get_desc(struct mtk_rx_dma *rxd, + rxd->rxd4 = READ_ONCE(dma_rxd->rxd4); + } + ++static void *mtk_max_lro_buf_alloc(gfp_t gfp_mask) ++{ ++ unsigned int size = mtk_max_frag_size(MTK_MAX_LRO_RX_LENGTH); ++ unsigned long data; ++ ++ data = __get_free_pages(gfp_mask | __GFP_COMP | __GFP_NOWARN, ++ get_order(size)); ++ ++ return (void *)data; ++} ++ + /* the qdma core needs scratch memory to be setup */ + static int mtk_init_fq_dma(struct mtk_eth *eth) + { +@@ -1005,7 +1016,10 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, + goto release_desc; + + /* alloc new buffer */ +- new_data = napi_alloc_frag(ring->frag_size); ++ if (ring->frag_size <= PAGE_SIZE) ++ new_data = napi_alloc_frag(ring->frag_size); ++ else ++ new_data = mtk_max_lro_buf_alloc(GFP_ATOMIC); + if (unlikely(!new_data)) { + netdev->stats.rx_dropped++; + goto release_desc; +@@ -1312,7 +1326,10 @@ static int mtk_rx_alloc(struct mtk_eth *eth, int ring_no, int rx_flag) + return -ENOMEM; + + for (i = 0; i < rx_dma_size; i++) { +- ring->data[i] = netdev_alloc_frag(ring->frag_size); ++ if (ring->frag_size <= PAGE_SIZE) ++ ring->data[i] = netdev_alloc_frag(ring->frag_size); ++ else ++ ring->data[i] = mtk_max_lro_buf_alloc(GFP_KERNEL); + if (!ring->data[i]) + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-4.19/netfs-gcc-12-temporarily-disable-wattribute-warning-.patch b/queue-4.19/netfs-gcc-12-temporarily-disable-wattribute-warning-.patch new file mode 100644 index 00000000000..87716ba558d --- /dev/null +++ b/queue-4.19/netfs-gcc-12-temporarily-disable-wattribute-warning-.patch @@ -0,0 +1,110 @@ +From b28a7ad2c6e381340a4e3a51b45fe4279684f836 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Jun 2022 11:29:36 -0700 +Subject: netfs: gcc-12: temporarily disable '-Wattribute-warning' for now +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds + +[ Upstream commit 507160f46c55913955d272ebf559d63809a8e560 ] + +This is a pure band-aid so that I can continue merging stuff from people +while some of the gcc-12 fallout gets sorted out. + +In particular, gcc-12 is very unhappy about the kinds of pointer +arithmetic tricks that netfs does, and that makes the fortify checks +trigger in afs and ceph: + + In function ‘fortify_memset_chk’, + inlined from ‘netfs_i_context_init’ at include/linux/netfs.h:327:2, + inlined from ‘afs_set_netfs_context’ at fs/afs/inode.c:61:2, + inlined from ‘afs_root_iget’ at fs/afs/inode.c:543:2: + include/linux/fortify-string.h:258:25: warning: call to ‘__write_overflow_field’ declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Wattribute-warning] + 258 | __write_overflow_field(p_size_field, size); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +and the reason is that netfs_i_context_init() is passed a 'struct inode' +pointer, and then it does + + struct netfs_i_context *ctx = netfs_i_context(inode); + + memset(ctx, 0, sizeof(*ctx)); + +where that netfs_i_context() function just does pointer arithmetic on +the inode pointer, knowing that the netfs_i_context is laid out +immediately after it in memory. + +This is all truly disgusting, since the whole "netfs_i_context is laid +out immediately after it in memory" is not actually remotely true in +general, but is just made to be that way for afs and ceph. + +See for example fs/cifs/cifsglob.h: + + struct cifsInodeInfo { + struct { + /* These must be contiguous */ + struct inode vfs_inode; /* the VFS's inode record */ + struct netfs_i_context netfs_ctx; /* Netfslib context */ + }; + [...] + +and realize that this is all entirely wrong, and the pointer arithmetic +that netfs_i_context() is doing is also very very wrong and wouldn't +give the right answer if netfs_ctx had different alignment rules from a +'struct inode', for example). + +Anyway, that's just a long-winded way to say "the gcc-12 warning is +actually quite reasonable, and our code happens to work but is pretty +disgusting". + +This is getting fixed properly, but for now I made the mistake of +thinking "the week right after the merge window tends to be calm for me +as people take a breather" and I did a sustem upgrade. And I got gcc-12 +as a result, so to continue merging fixes from people and not have the +end result drown in warnings, I am fixing all these gcc-12 issues I hit. + +Including with these kinds of temporary fixes. + +Cc: Kees Cook +Cc: David Howells +Link: https://lore.kernel.org/all/AEEBCF5D-8402-441D-940B-105AA718C71F@chromium.org/ +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/inode.c | 3 +++ + fs/ceph/inode.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/fs/afs/inode.c b/fs/afs/inode.c +index a12ae3ef8fb4..4ed71605941d 100644 +--- a/fs/afs/inode.c ++++ b/fs/afs/inode.c +@@ -24,6 +24,9 @@ + #include + #include "internal.h" + ++// Temporary: netfs does disgusting things with inode pointers ++#pragma GCC diagnostic ignored "-Wattribute-warning" ++ + static const struct inode_operations afs_symlink_inode_operations = { + .get_link = page_get_link, + .listxattr = afs_listxattr, +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index 5f041fede7aa..93ae3a912d8f 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -19,6 +19,9 @@ + #include "cache.h" + #include + ++// Temporary: netfs does disgusting things with inode pointers ++#pragma GCC diagnostic ignored "-Wattribute-warning" ++ + /* + * Ceph inode operations + * +-- +2.35.1 + diff --git a/queue-4.19/nfc-nfcmrvl-fix-memory-leak-in-nfcmrvl_play_deferred.patch b/queue-4.19/nfc-nfcmrvl-fix-memory-leak-in-nfcmrvl_play_deferred.patch new file mode 100644 index 00000000000..171379de135 --- /dev/null +++ b/queue-4.19/nfc-nfcmrvl-fix-memory-leak-in-nfcmrvl_play_deferred.patch @@ -0,0 +1,66 @@ +From 1ee72b6d2d00735edcb79b38b950fe06a742bfad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 16:32:30 +0800 +Subject: nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred + +From: Xiaohui Zhang + +[ Upstream commit 8a4d480702b71184fabcf379b80bf7539716752e ] + +Similar to the handling of play_deferred in commit 19cfe912c37b +("Bluetooth: btusb: Fix memory leak in play_deferred"), we thought +a patch might be needed here as well. + +Currently usb_submit_urb is called directly to submit deferred tx +urbs after unanchor them. + +So the usb_giveback_urb_bh would failed to unref it in usb_unanchor_urb +and cause memory leak. + +Put those urbs in tx_anchor to avoid the leak, and also fix the error +handling. + +Signed-off-by: Xiaohui Zhang +Acked-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220607083230.6182-1-xiaohuizhang@ruc.edu.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/nfcmrvl/usb.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/nfc/nfcmrvl/usb.c b/drivers/nfc/nfcmrvl/usb.c +index 888e298f610b..f26986eb53f1 100644 +--- a/drivers/nfc/nfcmrvl/usb.c ++++ b/drivers/nfc/nfcmrvl/usb.c +@@ -401,13 +401,25 @@ static void nfcmrvl_play_deferred(struct nfcmrvl_usb_drv_data *drv_data) + int err; + + while ((urb = usb_get_from_anchor(&drv_data->deferred))) { ++ usb_anchor_urb(urb, &drv_data->tx_anchor); ++ + err = usb_submit_urb(urb, GFP_ATOMIC); +- if (err) ++ if (err) { ++ kfree(urb->setup_packet); ++ usb_unanchor_urb(urb); ++ usb_free_urb(urb); + break; ++ } + + drv_data->tx_in_flight++; ++ usb_free_urb(urb); ++ } ++ ++ /* Cleanup the rest deferred urbs. */ ++ while ((urb = usb_get_from_anchor(&drv_data->deferred))) { ++ kfree(urb->setup_packet); ++ usb_free_urb(urb); + } +- usb_scuttle_anchored_urbs(&drv_data->deferred); + } + + static int nfcmrvl_resume(struct usb_interface *intf) +-- +2.35.1 + diff --git a/queue-4.19/powerpc-kasan-silence-kasan-warnings-in-__get_wchan.patch b/queue-4.19/powerpc-kasan-silence-kasan-warnings-in-__get_wchan.patch new file mode 100644 index 00000000000..171d319cf10 --- /dev/null +++ b/queue-4.19/powerpc-kasan-silence-kasan-warnings-in-__get_wchan.patch @@ -0,0 +1,91 @@ +From 3145b40ab990347ef33e28735e14f181afda1b2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Jan 2022 20:44:18 -0500 +Subject: powerpc/kasan: Silence KASAN warnings in __get_wchan() + +From: He Ying + +[ Upstream commit a1b29ba2f2c171b9bea73be993bfdf0a62d37d15 ] + +The following KASAN warning was reported in our kernel. + + BUG: KASAN: stack-out-of-bounds in get_wchan+0x188/0x250 + Read of size 4 at addr d216f958 by task ps/14437 + + CPU: 3 PID: 14437 Comm: ps Tainted: G O 5.10.0 #1 + Call Trace: + [daa63858] [c0654348] dump_stack+0x9c/0xe4 (unreliable) + [daa63888] [c035cf0c] print_address_description.constprop.3+0x8c/0x570 + [daa63908] [c035d6bc] kasan_report+0x1ac/0x218 + [daa63948] [c00496e8] get_wchan+0x188/0x250 + [daa63978] [c0461ec8] do_task_stat+0xce8/0xe60 + [daa63b98] [c0455ac8] proc_single_show+0x98/0x170 + [daa63bc8] [c03cab8c] seq_read_iter+0x1ec/0x900 + [daa63c38] [c03cb47c] seq_read+0x1dc/0x290 + [daa63d68] [c037fc94] vfs_read+0x164/0x510 + [daa63ea8] [c03808e4] ksys_read+0x144/0x1d0 + [daa63f38] [c005b1dc] ret_from_syscall+0x0/0x38 + --- interrupt: c00 at 0x8fa8f4 + LR = 0x8fa8cc + + The buggy address belongs to the page: + page:98ebcdd2 refcount:0 mapcount:0 mapping:00000000 index:0x2 pfn:0x1216f + flags: 0x0() + raw: 00000000 00000000 01010122 00000000 00000002 00000000 ffffffff 00000000 + raw: 00000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + d216f800: 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 + d216f880: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + >d216f900: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 + ^ + d216f980: f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 + d216fa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +After looking into this issue, I find the buggy address belongs +to the task stack region. It seems KASAN has something wrong. +I look into the code of __get_wchan in x86 architecture and +find the same issue has been resolved by the commit +f7d27c35ddff ("x86/mm, kasan: Silence KASAN warnings in get_wchan()"). +The solution could be applied to powerpc architecture too. + +As Andrey Ryabinin said, get_wchan() is racy by design, it may +access volatile stack of running task, thus it may access +redzone in a stack frame and cause KASAN to warn about this. + +Use READ_ONCE_NOCHECK() to silence these warnings. + +Reported-by: Wanming Hu +Signed-off-by: He Ying +Signed-off-by: Chen Jingwen +Reviewed-by: Kees Cook +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220121014418.155675-1-heying24@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/process.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index 02b69a68139c..56c33285b1df 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -2017,12 +2017,12 @@ unsigned long get_wchan(struct task_struct *p) + return 0; + + do { +- sp = *(unsigned long *)sp; ++ sp = READ_ONCE_NOCHECK(*(unsigned long *)sp); + if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD) || + p->state == TASK_RUNNING) + return 0; + if (count > 0) { +- ip = ((unsigned long *)sp)[STACK_FRAME_LR_SAVE]; ++ ip = READ_ONCE_NOCHECK(((unsigned long *)sp)[STACK_FRAME_LR_SAVE]); + if (!in_sched_functions(ip)) + return ip; + } +-- +2.35.1 + diff --git a/queue-4.19/random-credit-cpu-and-bootloader-seeds-by-default.patch b/queue-4.19/random-credit-cpu-and-bootloader-seeds-by-default.patch new file mode 100644 index 00000000000..64f9717fdd8 --- /dev/null +++ b/queue-4.19/random-credit-cpu-and-bootloader-seeds-by-default.patch @@ -0,0 +1,203 @@ +From ea50e548634b3f2d32970a12425a0557687f9f16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 22:07:01 -0400 +Subject: random: credit cpu and bootloader seeds by default + +From: Jason A. Donenfeld + +[ Upstream commit 846bb97e131d7938847963cca00657c995b1fce1 ] + +This commit changes the default Kconfig values of RANDOM_TRUST_CPU and +RANDOM_TRUST_BOOTLOADER to be Y by default. It does not change any +existing configs or change any kernel behavior. The reason for this is +several fold. + +As background, I recently had an email thread with the kernel +maintainers of Fedora/RHEL, Debian, Ubuntu, Gentoo, Arch, NixOS, Alpine, +SUSE, and Void as recipients. I noted that some distros trust RDRAND, +some trust EFI, and some trust both, and I asked why or why not. There +wasn't really much of a "debate" but rather an interesting discussion of +what the historical reasons have been for this, and it came up that some +distros just missed the introduction of the bootloader Kconfig knob, +while another didn't want to enable it until there was a boot time +switch to turn it off for more concerned users (which has since been +added). The result of the rather uneventful discussion is that every +major Linux distro enables these two options by default. + +While I didn't have really too strong of an opinion going into this +thread -- and I mostly wanted to learn what the distros' thinking was +one way or another -- ultimately I think their choice was a decent +enough one for a default option (which can be disabled at boot time). +I'll try to summarize the pros and cons: + +Pros: + +- The RNG machinery gets initialized super quickly, and there's no + messing around with subsequent blocking behavior. + +- The bootloader mechanism is used by kexec in order for the prior + kernel to initialize the RNG of the next kernel, which increases + the entropy available to early boot daemons of the next kernel. + +- Previous objections related to backdoors centered around + Dual_EC_DRBG-like kleptographic systems, in which observing some + amount of the output stream enables an adversary holding the right key + to determine the entire output stream. + + This used to be a partially justified concern, because RDRAND output + was mixed into the output stream in varying ways, some of which may + have lacked pre-image resistance (e.g. XOR or an LFSR). + + But this is no longer the case. Now, all usage of RDRAND and + bootloader seeds go through a cryptographic hash function. This means + that the CPU would have to compute a hash pre-image, which is not + considered to be feasible (otherwise the hash function would be + terribly broken). + +- More generally, if the CPU is backdoored, the RNG is probably not the + realistic vector of choice for an attacker. + +- These CPU or bootloader seeds are far from being the only source of + entropy. Rather, there is generally a pretty huge amount of entropy, + not all of which is credited, especially on CPUs that support + instructions like RDRAND. In other words, assuming RDRAND outputs all + zeros, an attacker would *still* have to accurately model every single + other entropy source also in use. + +- The RNG now reseeds itself quite rapidly during boot, starting at 2 + seconds, then 4, then 8, then 16, and so forth, so that other sources + of entropy get used without much delay. + +- Paranoid users can set random.trust_{cpu,bootloader}=no in the kernel + command line, and paranoid system builders can set the Kconfig options + to N, so there's no reduction or restriction of optionality. + +- It's a practical default. + +- All the distros have it set this way. Microsoft and Apple trust it + too. Bandwagon. + +Cons: + +- RDRAND *could* still be backdoored with something like a fixed key or + limited space serial number seed or another indexable scheme like + that. (However, it's hard to imagine threat models where the CPU is + backdoored like this, yet people are still okay making *any* + computations with it or connecting it to networks, etc.) + +- RDRAND *could* be defective, rather than backdoored, and produce + garbage that is in one way or another insufficient for crypto. + +- Suggesting a *reduction* in paranoia, as this commit effectively does, + may cause some to question my personal integrity as a "security + person". + +- Bootloader seeds and RDRAND are generally very difficult if not all + together impossible to audit. + +Keep in mind that this doesn't actually change any behavior. This +is just a change in the default Kconfig value. The distros already are +shipping kernels that set things this way. + +Ard made an additional argument in [1]: + + We're at the mercy of firmware and micro-architecture anyway, given + that we are also relying on it to ensure that every instruction in + the kernel's executable image has been faithfully copied to memory, + and that the CPU implements those instructions as documented. So I + don't think firmware or ISA bugs related to RNGs deserve special + treatment - if they are broken, we should quirk around them like we + usually do. So enabling these by default is a step in the right + direction IMHO. + +In [2], Phil pointed out that having this disabled masked a bug that CI +otherwise would have caught: + + A clean 5.15.45 boots cleanly, whereas a downstream kernel shows the + static key warning (but it does go on to boot). The significant + difference is that our defconfigs set CONFIG_RANDOM_TRUST_BOOTLOADER=y + defining that on top of multi_v7_defconfig demonstrates the issue on + a clean 5.15.45. Conversely, not setting that option in a + downstream kernel build avoids the warning + +[1] https://lore.kernel.org/lkml/CAMj1kXGi+ieviFjXv9zQBSaGyyzeGW_VpMpTLJK8PJb2QHEQ-w@mail.gmail.com/ +[2] https://lore.kernel.org/lkml/c47c42e3-1d56-5859-a6ad-976a1a3381c6@raspberrypi.com/ + +Cc: Theodore Ts'o +Reviewed-by: Ard Biesheuvel +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + drivers/char/Kconfig | 54 +++++++++++++++++++++++++++----------------- + 1 file changed, 33 insertions(+), 21 deletions(-) + +diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig +index 094548183f8b..f55c9bbd58fb 100644 +--- a/drivers/char/Kconfig ++++ b/drivers/char/Kconfig +@@ -552,29 +552,41 @@ config ADI + and SSM (Silicon Secured Memory). Intended consumers of this + driver include crash and makedumpfile. + +-endmenu +- + config RANDOM_TRUST_CPU +- bool "Trust the CPU manufacturer to initialize Linux's CRNG" +- depends on X86 || S390 || PPC +- default n ++ bool "Initialize RNG using CPU RNG instructions" ++ default y ++ depends on ARCH_RANDOM + help +- Assume that CPU manufacturer (e.g., Intel or AMD for RDSEED or +- RDRAND, IBM for the S390 and Power PC architectures) is trustworthy +- for the purposes of initializing Linux's CRNG. Since this is not +- something that can be independently audited, this amounts to trusting +- that CPU manufacturer (perhaps with the insistence or mandate +- of a Nation State's intelligence or law enforcement agencies) +- has not installed a hidden back door to compromise the CPU's +- random number generation facilities. This can also be configured +- at boot with "random.trust_cpu=on/off". ++ Initialize the RNG using random numbers supplied by the CPU's ++ RNG instructions (e.g. RDRAND), if supported and available. These ++ random numbers are never used directly, but are rather hashed into ++ the main input pool, and this happens regardless of whether or not ++ this option is enabled. Instead, this option controls whether the ++ they are credited and hence can initialize the RNG. Additionally, ++ other sources of randomness are always used, regardless of this ++ setting. Enabling this implies trusting that the CPU can supply high ++ quality and non-backdoored random numbers. ++ ++ Say Y here unless you have reason to mistrust your CPU or believe ++ its RNG facilities may be faulty. This may also be configured at ++ boot time with "random.trust_cpu=on/off". + + config RANDOM_TRUST_BOOTLOADER +- bool "Trust the bootloader to initialize Linux's CRNG" ++ bool "Initialize RNG using bootloader-supplied seed" ++ default y + help +- Some bootloaders can provide entropy to increase the kernel's initial +- device randomness. Say Y here to assume the entropy provided by the +- booloader is trustworthy so it will be added to the kernel's entropy +- pool. Otherwise, say N here so it will be regarded as device input that +- only mixes the entropy pool. This can also be configured at boot with +- "random.trust_bootloader=on/off". ++ Initialize the RNG using a seed supplied by the bootloader or boot ++ environment (e.g. EFI or a bootloader-generated device tree). This ++ seed is not used directly, but is rather hashed into the main input ++ pool, and this happens regardless of whether or not this option is ++ enabled. Instead, this option controls whether the seed is credited ++ and hence can initialize the RNG. Additionally, other sources of ++ randomness are always used, regardless of this setting. Enabling ++ this implies trusting that the bootloader can supply high quality and ++ non-backdoored seeds. ++ ++ Say Y here unless you have reason to mistrust your bootloader or ++ believe its RNG facilities may be faulty. This may also be configured ++ at boot time with "random.trust_bootloader=on/off". ++ ++endmenu +-- +2.35.1 + diff --git a/queue-4.19/scsi-ipr-fix-missing-incorrect-resource-cleanup-in-e.patch b/queue-4.19/scsi-ipr-fix-missing-incorrect-resource-cleanup-in-e.patch new file mode 100644 index 00000000000..3f00f217c3d --- /dev/null +++ b/queue-4.19/scsi-ipr-fix-missing-incorrect-resource-cleanup-in-e.patch @@ -0,0 +1,49 @@ +From baaa9e79975ea1189c3cc703efdecf31dfc999f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 May 2022 23:34:53 +0800 +Subject: scsi: ipr: Fix missing/incorrect resource cleanup in error case + +From: Chengguang Xu + +[ Upstream commit d64c491911322af1dcada98e5b9ee0d87e8c8fee ] + +Fix missing resource cleanup (when '(--i) == 0') for error case in +ipr_alloc_mem() and skip incorrect resource cleanup (when '(--i) == 0') for +error case in ipr_request_other_msi_irqs() because variable i started from +1. + +Link: https://lore.kernel.org/r/20220529153456.4183738-4-cgxu519@mykernel.net +Reviewed-by: Dan Carpenter +Acked-by: Brian King +Signed-off-by: Chengguang Xu +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ipr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c +index 1b04a8223eb0..c6cde552b995 100644 +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -9783,7 +9783,7 @@ static int ipr_alloc_mem(struct ipr_ioa_cfg *ioa_cfg) + GFP_KERNEL); + + if (!ioa_cfg->hrrq[i].host_rrq) { +- while (--i > 0) ++ while (--i >= 0) + dma_free_coherent(&pdev->dev, + sizeof(u32) * ioa_cfg->hrrq[i].size, + ioa_cfg->hrrq[i].host_rrq, +@@ -10056,7 +10056,7 @@ static int ipr_request_other_msi_irqs(struct ipr_ioa_cfg *ioa_cfg, + ioa_cfg->vectors_info[i].desc, + &ioa_cfg->hrrq[i]); + if (rc) { +- while (--i >= 0) ++ while (--i > 0) + free_irq(pci_irq_vector(pdev, i), + &ioa_cfg->hrrq[i]); + return rc; +-- +2.35.1 + diff --git a/queue-4.19/scsi-lpfc-fix-port-stuck-in-bypassed-state-after-lip.patch b/queue-4.19/scsi-lpfc-fix-port-stuck-in-bypassed-state-after-lip.patch new file mode 100644 index 00000000000..04aa19efa53 --- /dev/null +++ b/queue-4.19/scsi-lpfc-fix-port-stuck-in-bypassed-state-after-lip.patch @@ -0,0 +1,50 @@ +From 4fe68fb6beb56f0a29e341622b4f657b062b420e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Jun 2022 10:43:26 -0700 +Subject: scsi: lpfc: Fix port stuck in bypassed state after LIP in PT2PT + topology + +From: James Smart + +[ Upstream commit 336d63615466b4c06b9401c987813fd19bdde39b ] + +After issuing a LIP, a specific target vendor does not ACC the FLOGI that +lpfc sends. However, it does send its own FLOGI that lpfc ACCs. The +target then establishes the port IDs by sending a PLOGI. lpfc PLOGI_ACCs +and starts the RPI registration for DID 0x000001. The target then sends a +LOGO to the fabric DID. lpfc is currently treating the LOGO from the +fabric DID as a link down and cleans up all the ndlps. The ndlp for DID +0x000001 is put back into NPR and discovery stops, leaving the port in +stuck in bypassed mode. + +Change lpfc behavior such that if a LOGO is received for the fabric DID in +PT2PT topology skip the lpfc_linkdown_port() routine and just move the +fabric DID back to NPR. + +Link: https://lore.kernel.org/r/20220603174329.63777-7-jsmart2021@gmail.com +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_nportdisc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c +index 9442fb30e7cd..f666518d84b0 100644 +--- a/drivers/scsi/lpfc/lpfc_nportdisc.c ++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c +@@ -662,7 +662,8 @@ lpfc_rcv_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp, + else + lpfc_els_rsp_acc(vport, ELS_CMD_ACC, cmdiocb, ndlp, NULL); + if (ndlp->nlp_DID == Fabric_DID) { +- if (vport->port_state <= LPFC_FDISC) ++ if (vport->port_state <= LPFC_FDISC || ++ vport->fc_flag & FC_PT2PT) + goto out; + lpfc_linkdown_port(vport); + spin_lock_irq(shost->host_lock); +-- +2.35.1 + diff --git a/queue-4.19/scsi-pmcraid-fix-missing-resource-cleanup-in-error-c.patch b/queue-4.19/scsi-pmcraid-fix-missing-resource-cleanup-in-error-c.patch new file mode 100644 index 00000000000..276eee12c53 --- /dev/null +++ b/queue-4.19/scsi-pmcraid-fix-missing-resource-cleanup-in-error-c.patch @@ -0,0 +1,37 @@ +From d5d482af91f57c9dfc74868ed8f33b6cab813ed5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 May 2022 23:34:55 +0800 +Subject: scsi: pmcraid: Fix missing resource cleanup in error case + +From: Chengguang Xu + +[ Upstream commit ec1e8adcbdf661c57c395bca342945f4f815add7 ] + +Fix missing resource cleanup (when '(--i) == 0') for error case in +pmcraid_register_interrupt_handler(). + +Link: https://lore.kernel.org/r/20220529153456.4183738-6-cgxu519@mykernel.net +Reviewed-by: Dan Carpenter +Signed-off-by: Chengguang Xu +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pmcraid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c +index 4e86994e10e8..6e96229c58e0 100644 +--- a/drivers/scsi/pmcraid.c ++++ b/drivers/scsi/pmcraid.c +@@ -4559,7 +4559,7 @@ pmcraid_register_interrupt_handler(struct pmcraid_instance *pinstance) + return 0; + + out_unwind: +- while (--i > 0) ++ while (--i >= 0) + free_irq(pci_irq_vector(pdev, i), &pinstance->hrrq_vector[i]); + pci_free_irq_vectors(pdev); + return rc; +-- +2.35.1 + diff --git a/queue-4.19/scsi-vmw_pvscsi-expand-vcpuhint-to-16-bits.patch b/queue-4.19/scsi-vmw_pvscsi-expand-vcpuhint-to-16-bits.patch new file mode 100644 index 00000000000..6d7362717f1 --- /dev/null +++ b/queue-4.19/scsi-vmw_pvscsi-expand-vcpuhint-to-16-bits.patch @@ -0,0 +1,40 @@ +From 6667b4d17ff2a7d6a88aa81ed9def665f49796ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 08:57:00 +0000 +Subject: scsi: vmw_pvscsi: Expand vcpuHint to 16 bits + +From: Wentao Wang + +[ Upstream commit cf71d59c2eceadfcde0fb52e237990a0909880d7 ] + +vcpuHint has been expanded to 16 bit on host to enable routing to more +CPUs. Guest side should align with the change. This change has been tested +with hosts with 8-bit and 16-bit vcpuHint, on both platforms host side can +get correct value. + +Link: https://lore.kernel.org/r/EF35F4D5-5DCC-42C5-BCC4-29DF1729B24C@vmware.com +Signed-off-by: Wentao Wang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/vmw_pvscsi.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/vmw_pvscsi.h b/drivers/scsi/vmw_pvscsi.h +index 75966d3f326e..d87c12324c03 100644 +--- a/drivers/scsi/vmw_pvscsi.h ++++ b/drivers/scsi/vmw_pvscsi.h +@@ -333,8 +333,8 @@ struct PVSCSIRingReqDesc { + u8 tag; + u8 bus; + u8 target; +- u8 vcpuHint; +- u8 unused[59]; ++ u16 vcpuHint; ++ u8 unused[58]; + } __packed; + + /* +-- +2.35.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 2a2fd21beff..21e47daade0 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -178,3 +178,22 @@ crypto-drbg-make-reseeding-from-get_random_bytes-synchronous.patch random-avoid-checking-crng_ready-twice-in-random_init.patch random-mark-bootloader-randomness-code-as-__init.patch random-account-for-arch-randomness-in-bits.patch +powerpc-kasan-silence-kasan-warnings-in-__get_wchan.patch +asoc-cs42l52-fix-tlv-scales-for-mixer-controls.patch +asoc-cs53l30-correct-number-of-volume-levels-on-sx-c.patch +asoc-cs42l52-correct-tlv-for-bypass-volume.patch +asoc-cs42l56-correct-typo-in-minimum-level-for-sx-vo.patch +ata-libata-core-fix-null-pointer-deref-in-ata_host_a.patch +asoc-wm8962-fix-suspend-while-playing-music.patch +asoc-es8328-fix-event-generation-for-deemphasis-cont.patch +asoc-wm_adsp-fix-event-generation-for-wm_adsp_fw_put.patch +scsi-vmw_pvscsi-expand-vcpuhint-to-16-bits.patch +scsi-lpfc-fix-port-stuck-in-bypassed-state-after-lip.patch +scsi-ipr-fix-missing-incorrect-resource-cleanup-in-e.patch +scsi-pmcraid-fix-missing-resource-cleanup-in-error-c.patch +virtio-mmio-fix-missing-put_device-when-vm_cmdline_p.patch +nfc-nfcmrvl-fix-memory-leak-in-nfcmrvl_play_deferred.patch +ipv6-fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch +net-ethernet-mtk_eth_soc-fix-misuse-of-mem-alloc-int.patch +netfs-gcc-12-temporarily-disable-wattribute-warning-.patch +random-credit-cpu-and-bootloader-seeds-by-default.patch diff --git a/queue-4.19/virtio-mmio-fix-missing-put_device-when-vm_cmdline_p.patch b/queue-4.19/virtio-mmio-fix-missing-put_device-when-vm_cmdline_p.patch new file mode 100644 index 00000000000..844b6f1d042 --- /dev/null +++ b/queue-4.19/virtio-mmio-fix-missing-put_device-when-vm_cmdline_p.patch @@ -0,0 +1,37 @@ +From f1669b2ff43175c7d75030a364ce911c2aaf236a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 08:55:42 +0800 +Subject: virtio-mmio: fix missing put_device() when vm_cmdline_parent + registration failed + +From: chengkaitao + +[ Upstream commit a58a7f97ba11391d2d0d408e0b24f38d86ae748e ] + +The reference must be released when device_register(&vm_cmdline_parent) +failed. Add the corresponding 'put_device()' in the error handling path. + +Signed-off-by: chengkaitao +Message-Id: <20220602005542.16489-1-chengkaitao@didiglobal.com> +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_mmio.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c +index 4cd9ea5c75be..c69c755bf553 100644 +--- a/drivers/virtio/virtio_mmio.c ++++ b/drivers/virtio/virtio_mmio.c +@@ -663,6 +663,7 @@ static int vm_cmdline_set(const char *device, + if (!vm_cmdline_parent_registered) { + err = device_register(&vm_cmdline_parent); + if (err) { ++ put_device(&vm_cmdline_parent); + pr_err("Failed to register parent device!\n"); + return err; + } +-- +2.35.1 +