From: Sasha Levin Date: Mon, 10 Jan 2022 00:37:23 +0000 (-0500) Subject: Fixes for 5.15 X-Git-Tag: v4.4.299~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aeea7ed5a2d69dec284b5abe97db0fb1dd704bc7;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/arm-dts-gpio-ranges-property-is-now-required.patch b/queue-5.15/arm-dts-gpio-ranges-property-is-now-required.patch new file mode 100644 index 00000000000..0a1409ca5e1 --- /dev/null +++ b/queue-5.15/arm-dts-gpio-ranges-property-is-now-required.patch @@ -0,0 +1,64 @@ +From b987d4326df2f94a2c9f5e7c1088edaae0d1d0d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Jan 2022 18:02:47 +0100 +Subject: ARM: dts: gpio-ranges property is now required + +From: Phil Elwell + +[ Upstream commit c8013355ead68dce152cf426686f8a5f80d88b40 ] + +Since [1], added in 5.7, the absence of a gpio-ranges property has +prevented GPIOs from being restored to inputs when released. +Add those properties for BCM283x and BCM2711 devices. + +[1] commit 2ab73c6d8323 ("gpio: Support GPIO controllers without + pin-ranges") + +Link: https://lore.kernel.org/r/20220104170247.956760-1-linus.walleij@linaro.org +Fixes: 2ab73c6d8323 ("gpio: Support GPIO controllers without pin-ranges") +Fixes: 266423e60ea1 ("pinctrl: bcm2835: Change init order for gpio hogs") +Reported-by: Stefan Wahren +Reported-by: Florian Fainelli +Reported-by: Jan Kiszka +Signed-off-by: Phil Elwell +Acked-by: Florian Fainelli +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20211206092237.4105895-3-phil@raspberrypi.com +Signed-off-by: Linus Walleij +Acked-by: Florian Fainelli +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm2711.dtsi | 2 ++ + arch/arm/boot/dts/bcm283x.dtsi | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/arch/arm/boot/dts/bcm2711.dtsi b/arch/arm/boot/dts/bcm2711.dtsi +index 9e01dbca4a011..dff18fc9a9065 100644 +--- a/arch/arm/boot/dts/bcm2711.dtsi ++++ b/arch/arm/boot/dts/bcm2711.dtsi +@@ -582,6 +582,8 @@ + , + ; + ++ gpio-ranges = <&gpio 0 0 58>; ++ + gpclk0_gpio49: gpclk0_gpio49 { + pin-gpclk { + pins = "gpio49"; +diff --git a/arch/arm/boot/dts/bcm283x.dtsi b/arch/arm/boot/dts/bcm283x.dtsi +index a3e06b6809476..c113661a6668f 100644 +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -126,6 +126,8 @@ + interrupt-controller; + #interrupt-cells = <2>; + ++ gpio-ranges = <&gpio 0 0 54>; ++ + /* Defines common pin muxing groups + * + * While each pin can have its mux selected +-- +2.34.1 + diff --git a/queue-5.15/atlantic-fix-buff_ring-oob-in-aq_ring_rx_clean.patch b/queue-5.15/atlantic-fix-buff_ring-oob-in-aq_ring_rx_clean.patch new file mode 100644 index 00000000000..f85db03d742 --- /dev/null +++ b/queue-5.15/atlantic-fix-buff_ring-oob-in-aq_ring_rx_clean.patch @@ -0,0 +1,83 @@ +From d893d998bc9ec1462bf01e7d075706ae99c6284e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Dec 2021 21:32:45 -0500 +Subject: atlantic: Fix buff_ring OOB in aq_ring_rx_clean + +From: Zekun Shen + +[ Upstream commit 5f50153288452e10b6edd69ec9112c49442b054a ] + +The function obtain the next buffer without boundary check. +We should return with I/O error code. + +The bug is found by fuzzing and the crash report is attached. +It is an OOB bug although reported as use-after-free. + +[ 4.804724] BUG: KASAN: use-after-free in aq_ring_rx_clean+0x1e88/0x2730 [atlantic] +[ 4.805661] Read of size 4 at addr ffff888034fe93a8 by task ksoftirqd/0/9 +[ 4.806505] +[ 4.806703] CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G W 5.6.0 #34 +[ 4.809030] Call Trace: +[ 4.809343] dump_stack+0x76/0xa0 +[ 4.809755] print_address_description.constprop.0+0x16/0x200 +[ 4.810455] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic] +[ 4.811234] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic] +[ 4.813183] __kasan_report.cold+0x37/0x7c +[ 4.813715] ? aq_ring_rx_clean+0x1e88/0x2730 [atlantic] +[ 4.814393] kasan_report+0xe/0x20 +[ 4.814837] aq_ring_rx_clean+0x1e88/0x2730 [atlantic] +[ 4.815499] ? hw_atl_b0_hw_ring_rx_receive+0x9a5/0xb90 [atlantic] +[ 4.816290] aq_vec_poll+0x179/0x5d0 [atlantic] +[ 4.816870] ? _GLOBAL__sub_I_65535_1_aq_pci_func_init+0x20/0x20 [atlantic] +[ 4.817746] ? __next_timer_interrupt+0xba/0xf0 +[ 4.818322] net_rx_action+0x363/0xbd0 +[ 4.818803] ? call_timer_fn+0x240/0x240 +[ 4.819302] ? __switch_to_asm+0x40/0x70 +[ 4.819809] ? napi_busy_loop+0x520/0x520 +[ 4.820324] __do_softirq+0x18c/0x634 +[ 4.820797] ? takeover_tasklets+0x5f0/0x5f0 +[ 4.821343] run_ksoftirqd+0x15/0x20 +[ 4.821804] smpboot_thread_fn+0x2f1/0x6b0 +[ 4.822331] ? smpboot_unregister_percpu_thread+0x160/0x160 +[ 4.823041] ? __kthread_parkme+0x80/0x100 +[ 4.823571] ? smpboot_unregister_percpu_thread+0x160/0x160 +[ 4.824301] kthread+0x2b5/0x3b0 +[ 4.824723] ? kthread_create_on_node+0xd0/0xd0 +[ 4.825304] ret_from_fork+0x35/0x40 + +Signed-off-by: Zekun Shen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aquantia/atlantic/aq_ring.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +index 24122ccda614c..72f8751784c31 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +@@ -365,6 +365,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + if (!buff->is_eop) { + buff_ = buff; + do { ++ if (buff_->next >= self->size) { ++ err = -EIO; ++ goto err_exit; ++ } + next_ = buff_->next, + buff_ = &self->buff_ring[next_]; + is_rsc_completed = +@@ -388,6 +392,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self, + (buff->is_lro && buff->is_cso_err)) { + buff_ = buff; + do { ++ if (buff_->next >= self->size) { ++ err = -EIO; ++ goto err_exit; ++ } + next_ = buff_->next, + buff_ = &self->buff_ring[next_]; + +-- +2.34.1 + diff --git a/queue-5.15/auxdisplay-charlcd-checking-for-pointer-reference-be.patch b/queue-5.15/auxdisplay-charlcd-checking-for-pointer-reference-be.patch new file mode 100644 index 00000000000..7cd4d0c8948 --- /dev/null +++ b/queue-5.15/auxdisplay-charlcd-checking-for-pointer-reference-be.patch @@ -0,0 +1,40 @@ +From b637f956500cf4fce047ab5fe998fe4c6d84c2be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Nov 2021 19:07:32 -0300 +Subject: auxdisplay: charlcd: checking for pointer reference before + dereferencing + +From: Luiz Sampaio + +[ Upstream commit 4daa9ff89ef27be43c15995412d6aee393a78200 ] + +Check if the pointer lcd->ops->init_display exists before dereferencing it. +If a driver called charlcd_init() without defining the ops, this would +return segmentation fault, as happened to me when implementing a charlcd +driver. Checking the pointer before dereferencing protects from +segmentation fault. + +Signed-off-by: Luiz Sampaio +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/charlcd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/auxdisplay/charlcd.c b/drivers/auxdisplay/charlcd.c +index 304accde365c8..6c010d4efa4ae 100644 +--- a/drivers/auxdisplay/charlcd.c ++++ b/drivers/auxdisplay/charlcd.c +@@ -578,6 +578,9 @@ static int charlcd_init(struct charlcd *lcd) + * Since charlcd_init_display() needs to write data, we have to + * enable mark the LCD initialized just before. + */ ++ if (WARN_ON(!lcd->ops->init_display)) ++ return -EINVAL; ++ + ret = lcd->ops->init_display(lcd); + if (ret) + return ret; +-- +2.34.1 + diff --git a/queue-5.15/drm-amd-display-added-power-down-for-dcn10.patch b/queue-5.15/drm-amd-display-added-power-down-for-dcn10.patch new file mode 100644 index 00000000000..1071a3edfb6 --- /dev/null +++ b/queue-5.15/drm-amd-display-added-power-down-for-dcn10.patch @@ -0,0 +1,41 @@ +From c8e13f23ab483e530a4c35845d20157c41a2249e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 17:10:59 +0800 +Subject: drm/amd/display: Added power down for DCN10 + +From: Lai, Derek + +[ Upstream commit d97e631af2db84c8c9d63abf68d487d0bb559e4c ] + +[Why] +The change of setting a timer callback on boot for 10 seconds is still +working, just lacked power down for DCN10. + +[How] +Added power down for DCN10. + +Tested-by: Daniel Wheeler +Reviewed-by: Anthony Koo +Acked-by: Rodrigo Siqueira +Signed-off-by: Derek Lai +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c +index 34001a30d449a..10e613ec7d24f 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_init.c +@@ -78,6 +78,7 @@ static const struct hw_sequencer_funcs dcn10_funcs = { + .get_clock = dcn10_get_clock, + .get_vupdate_offset_from_vsync = dcn10_get_vupdate_offset_from_vsync, + .calc_vupdate_position = dcn10_calc_vupdate_position, ++ .power_down = dce110_power_down, + .set_backlight_level = dce110_set_backlight_level, + .set_abm_immediate_disable = dce110_set_abm_immediate_disable, + .set_pipe = dce110_set_pipe, +-- +2.34.1 + diff --git a/queue-5.15/drm-amd-display-fix-b0-tmds-deepcolor-no-dislay-issu.patch b/queue-5.15/drm-amd-display-fix-b0-tmds-deepcolor-no-dislay-issu.patch new file mode 100644 index 00000000000..8d1678fddb1 --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-b0-tmds-deepcolor-no-dislay-issu.patch @@ -0,0 +1,123 @@ +From a2742efb65aa2e5d985cb654c200782a04bbd46a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Dec 2021 21:19:30 -0500 +Subject: drm/amd/display: fix B0 TMDS deepcolor no dislay issue + +From: Charlene Liu + +[ Upstream commit 2eb82577a16d4c8eb31e4ed520649850bb95b223 ] + +[why] +B0 PHY C map to F, D map to G driver use logic instance, dmub does the +remap. Driver still need use the right PHY instance to access right HW. + +[how] +use phyical instance when program PHY register. + +[note] +could move resync_control programming to dmub next. + +Tested-by: Daniel Wheeler +Reviewed-by: Dmytro Laktyushkin +Reviewed-by: Jun Lei +Acked-by: Rodrigo Siqueira +Signed-off-by: Charlene Liu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/display/dc/dcn31/dcn31_resource.c | 25 +++++++++++++-- + .../drm/amd/display/dc/dcn31/dcn31_resource.h | 31 +++++++++++++++++++ + 2 files changed, 54 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c +index 6d8f26dada722..0fe570717ba01 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c +@@ -352,6 +352,14 @@ static const struct dce110_clk_src_regs clk_src_regs[] = { + clk_src_regs(3, D), + clk_src_regs(4, E) + }; ++/*pll_id being rempped in dmub, in driver it is logical instance*/ ++static const struct dce110_clk_src_regs clk_src_regs_b0[] = { ++ clk_src_regs(0, A), ++ clk_src_regs(1, B), ++ clk_src_regs(2, F), ++ clk_src_regs(3, G), ++ clk_src_regs(4, E) ++}; + + static const struct dce110_clk_src_shift cs_shift = { + CS_COMMON_MASK_SH_LIST_DCN2_0(__SHIFT) +@@ -2019,14 +2027,27 @@ static bool dcn31_resource_construct( + dcn30_clock_source_create(ctx, ctx->dc_bios, + CLOCK_SOURCE_COMBO_PHY_PLL1, + &clk_src_regs[1], false); +- pool->base.clock_sources[DCN31_CLK_SRC_PLL2] = ++ /*move phypllx_pixclk_resync to dmub next*/ ++ if (dc->ctx->asic_id.hw_internal_rev == YELLOW_CARP_B0) { ++ pool->base.clock_sources[DCN31_CLK_SRC_PLL2] = ++ dcn30_clock_source_create(ctx, ctx->dc_bios, ++ CLOCK_SOURCE_COMBO_PHY_PLL2, ++ &clk_src_regs_b0[2], false); ++ pool->base.clock_sources[DCN31_CLK_SRC_PLL3] = ++ dcn30_clock_source_create(ctx, ctx->dc_bios, ++ CLOCK_SOURCE_COMBO_PHY_PLL3, ++ &clk_src_regs_b0[3], false); ++ } else { ++ pool->base.clock_sources[DCN31_CLK_SRC_PLL2] = + dcn30_clock_source_create(ctx, ctx->dc_bios, + CLOCK_SOURCE_COMBO_PHY_PLL2, + &clk_src_regs[2], false); +- pool->base.clock_sources[DCN31_CLK_SRC_PLL3] = ++ pool->base.clock_sources[DCN31_CLK_SRC_PLL3] = + dcn30_clock_source_create(ctx, ctx->dc_bios, + CLOCK_SOURCE_COMBO_PHY_PLL3, + &clk_src_regs[3], false); ++ } ++ + pool->base.clock_sources[DCN31_CLK_SRC_PLL4] = + dcn30_clock_source_create(ctx, ctx->dc_bios, + CLOCK_SOURCE_COMBO_PHY_PLL4, +diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.h b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.h +index 93571c9769967..cc4bed675588c 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.h ++++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.h +@@ -39,4 +39,35 @@ struct resource_pool *dcn31_create_resource_pool( + const struct dc_init_data *init_data, + struct dc *dc); + ++/*temp: B0 specific before switch to dcn313 headers*/ ++#ifndef regPHYPLLF_PIXCLK_RESYNC_CNTL ++#define regPHYPLLF_PIXCLK_RESYNC_CNTL 0x007e ++#define regPHYPLLF_PIXCLK_RESYNC_CNTL_BASE_IDX 1 ++#define regPHYPLLG_PIXCLK_RESYNC_CNTL 0x005f ++#define regPHYPLLG_PIXCLK_RESYNC_CNTL_BASE_IDX 1 ++ ++//PHYPLLF_PIXCLK_RESYNC_CNTL ++#define PHYPLLF_PIXCLK_RESYNC_CNTL__PHYPLLF_PIXCLK_RESYNC_ENABLE__SHIFT 0x0 ++#define PHYPLLF_PIXCLK_RESYNC_CNTL__PHYPLLF_DEEP_COLOR_DTO_ENABLE_STATUS__SHIFT 0x1 ++#define PHYPLLF_PIXCLK_RESYNC_CNTL__PHYPLLF_DCCG_DEEP_COLOR_CNTL__SHIFT 0x4 ++#define PHYPLLF_PIXCLK_RESYNC_CNTL__PHYPLLF_PIXCLK_ENABLE__SHIFT 0x8 ++#define PHYPLLF_PIXCLK_RESYNC_CNTL__PHYPLLF_PIXCLK_DOUBLE_RATE_ENABLE__SHIFT 0x9 ++#define PHYPLLF_PIXCLK_RESYNC_CNTL__PHYPLLF_PIXCLK_RESYNC_ENABLE_MASK 0x00000001L ++#define PHYPLLF_PIXCLK_RESYNC_CNTL__PHYPLLF_DEEP_COLOR_DTO_ENABLE_STATUS_MASK 0x00000002L ++#define PHYPLLF_PIXCLK_RESYNC_CNTL__PHYPLLF_DCCG_DEEP_COLOR_CNTL_MASK 0x00000030L ++#define PHYPLLF_PIXCLK_RESYNC_CNTL__PHYPLLF_PIXCLK_ENABLE_MASK 0x00000100L ++#define PHYPLLF_PIXCLK_RESYNC_CNTL__PHYPLLF_PIXCLK_DOUBLE_RATE_ENABLE_MASK 0x00000200L ++ ++//PHYPLLG_PIXCLK_RESYNC_CNTL ++#define PHYPLLG_PIXCLK_RESYNC_CNTL__PHYPLLG_PIXCLK_RESYNC_ENABLE__SHIFT 0x0 ++#define PHYPLLG_PIXCLK_RESYNC_CNTL__PHYPLLG_DEEP_COLOR_DTO_ENABLE_STATUS__SHIFT 0x1 ++#define PHYPLLG_PIXCLK_RESYNC_CNTL__PHYPLLG_DCCG_DEEP_COLOR_CNTL__SHIFT 0x4 ++#define PHYPLLG_PIXCLK_RESYNC_CNTL__PHYPLLG_PIXCLK_ENABLE__SHIFT 0x8 ++#define PHYPLLG_PIXCLK_RESYNC_CNTL__PHYPLLG_PIXCLK_DOUBLE_RATE_ENABLE__SHIFT 0x9 ++#define PHYPLLG_PIXCLK_RESYNC_CNTL__PHYPLLG_PIXCLK_RESYNC_ENABLE_MASK 0x00000001L ++#define PHYPLLG_PIXCLK_RESYNC_CNTL__PHYPLLG_DEEP_COLOR_DTO_ENABLE_STATUS_MASK 0x00000002L ++#define PHYPLLG_PIXCLK_RESYNC_CNTL__PHYPLLG_DCCG_DEEP_COLOR_CNTL_MASK 0x00000030L ++#define PHYPLLG_PIXCLK_RESYNC_CNTL__PHYPLLG_PIXCLK_ENABLE_MASK 0x00000100L ++#define PHYPLLG_PIXCLK_RESYNC_CNTL__PHYPLLG_PIXCLK_DOUBLE_RATE_ENABLE_MASK 0x00000200L ++#endif + #endif /* _DCN31_RESOURCE_H_ */ +-- +2.34.1 + diff --git a/queue-5.15/drm-amd-pm-fix-xgmi-link-control-on-aldebaran.patch b/queue-5.15/drm-amd-pm-fix-xgmi-link-control-on-aldebaran.patch new file mode 100644 index 00000000000..14b5c41524e --- /dev/null +++ b/queue-5.15/drm-amd-pm-fix-xgmi-link-control-on-aldebaran.patch @@ -0,0 +1,37 @@ +From 6ad62ba5c803583d7c825ed53a0c59b876e8089f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 23:37:03 +0800 +Subject: drm/amd/pm: Fix xgmi link control on aldebaran + +From: Lijo Lazar + +[ Upstream commit 19e66d512e4182a0461530fa3159638e0f55d97e ] + +Fix the message argument. + 0: Allow power down + 1: Disallow power down + +Signed-off-by: Lijo Lazar +Reviewed-by: Hawking Zhang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c +index 5019903db492a..c9cfeb094750d 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/aldebaran_ppt.c +@@ -1619,7 +1619,7 @@ static int aldebaran_allow_xgmi_power_down(struct smu_context *smu, bool en) + { + return smu_cmn_send_smc_msg_with_param(smu, + SMU_MSG_GmiPwrDnControl, +- en ? 1 : 0, ++ en ? 0 : 1, + NULL); + } + +-- +2.34.1 + diff --git a/queue-5.15/drm-amd-pm-skip-setting-gfx-cgpg-in-the-s0ix-suspend.patch b/queue-5.15/drm-amd-pm-skip-setting-gfx-cgpg-in-the-s0ix-suspend.patch new file mode 100644 index 00000000000..a55c0f7a803 --- /dev/null +++ b/queue-5.15/drm-amd-pm-skip-setting-gfx-cgpg-in-the-s0ix-suspend.patch @@ -0,0 +1,65 @@ +From a15ca07ae280cf83131bede26a59165e3ec17f31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Dec 2021 16:17:02 +0800 +Subject: drm/amd/pm: skip setting gfx cgpg in the s0ix suspend-resume + +From: Prike Liang + +[ Upstream commit 8c45096c60d6ce6341c374636100ed1b2c1c33a1 ] + +In the s0ix entry need retain gfx in the gfxoff state,so here need't +set gfx cgpg in the S0ix suspend-resume process. Moreover move the S0ix +check into SMU12 can simplify the code condition check. + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1712 +Signed-off-by: Prike Liang +Reviewed-by: Evan Quan +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 7 ++----- + drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c | 3 ++- + 2 files changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c +index 04863a7971155..30ee8819587e2 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c +@@ -1536,9 +1536,7 @@ static int smu_suspend(void *handle) + + smu->watermarks_bitmap &= ~(WATERMARKS_LOADED); + +- /* skip CGPG when in S0ix */ +- if (smu->is_apu && !adev->in_s0ix) +- smu_set_gfx_cgpg(&adev->smu, false); ++ smu_set_gfx_cgpg(&adev->smu, false); + + return 0; + } +@@ -1569,8 +1567,7 @@ static int smu_resume(void *handle) + return ret; + } + +- if (smu->is_apu) +- smu_set_gfx_cgpg(&adev->smu, true); ++ smu_set_gfx_cgpg(&adev->smu, true); + + smu->disable_uclk_switch = 0; + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c b/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c +index 43028f2cd28b5..9c91e79c955fb 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c +@@ -120,7 +120,8 @@ int smu_v12_0_powergate_sdma(struct smu_context *smu, bool gate) + + int smu_v12_0_set_gfx_cgpg(struct smu_context *smu, bool enable) + { +- if (!(smu->adev->pg_flags & AMD_PG_SUPPORT_GFX_PG)) ++ /* Until now the SMU12 only implemented for Renoir series so here neen't do APU check. */ ++ if (!(smu->adev->pg_flags & AMD_PG_SUPPORT_GFX_PG) || smu->adev->in_s0ix) + return 0; + + return smu_cmn_send_smc_msg_with_param(smu, +-- +2.34.1 + diff --git a/queue-5.15/drm-amdgpu-always-reset-the-asic-in-suspend-v2.patch b/queue-5.15/drm-amdgpu-always-reset-the-asic-in-suspend-v2.patch new file mode 100644 index 00000000000..ac1ecf92fc4 --- /dev/null +++ b/queue-5.15/drm-amdgpu-always-reset-the-asic-in-suspend-v2.patch @@ -0,0 +1,43 @@ +From 3a8295e89ba19a825d66f7203cf4e7856e8f5c35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 11:25:30 -0500 +Subject: drm/amdgpu: always reset the asic in suspend (v2) + +From: Alex Deucher + +[ Upstream commit daf8de0874ab5b74b38a38726fdd3d07ef98a7ee ] + +If the platform suspend happens to fail and the power rail +is not turned off, the GPU will be in an unknown state on +resume, so reset the asic so that it will be in a known +good state on resume even if the platform suspend failed. + +v2: handle s0ix + +Acked-by: Luben Tuikov +Acked-by: Evan Quan +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +index 70e8a86c3a69f..9dfd9d70812cb 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -1526,7 +1526,10 @@ static int amdgpu_pmops_suspend(struct device *dev) + adev->in_s3 = true; + r = amdgpu_device_suspend(drm_dev, true); + adev->in_s3 = false; +- ++ if (r) ++ return r; ++ if (!adev->in_s0ix) ++ r = amdgpu_asic_reset(adev); + return r; + } + +-- +2.34.1 + diff --git a/queue-5.15/drm-amdgpu-fix-dropped-backing-store-handling-in-amd.patch b/queue-5.15/drm-amdgpu-fix-dropped-backing-store-handling-in-amd.patch new file mode 100644 index 00000000000..017de02e747 --- /dev/null +++ b/queue-5.15/drm-amdgpu-fix-dropped-backing-store-handling-in-amd.patch @@ -0,0 +1,40 @@ +From 71ed39757c11d6d7be2eea0bf579aa57c6e1a3e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Dec 2021 09:39:27 +0100 +Subject: drm/amdgpu: fix dropped backing store handling in + amdgpu_dma_buf_move_notify +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christian König + +[ Upstream commit fc74881c28d314b10efac016ef49df4ff40b8b97 ] + +bo->tbo.resource can now be NULL. + +Signed-off-by: Christian König +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1811 +Acked-by: Alex Deucher +Link: https://patchwork.freedesktop.org/patch/msgid/20211210083927.1754-1-christian.koenig@amd.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c +index ae6ab93c868b8..7444484a12bf8 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_dma_buf.c +@@ -384,7 +384,7 @@ amdgpu_dma_buf_move_notify(struct dma_buf_attachment *attach) + struct amdgpu_vm_bo_base *bo_base; + int r; + +- if (bo->tbo.resource->mem_type == TTM_PL_SYSTEM) ++ if (!bo->tbo.resource || bo->tbo.resource->mem_type == TTM_PL_SYSTEM) + return; + + r = ttm_bo_validate(&bo->tbo, &placement, &ctx); +-- +2.34.1 + diff --git a/queue-5.15/drm-amdgpu-put-smu-into-proper-state-on-runpm-suspen.patch b/queue-5.15/drm-amdgpu-put-smu-into-proper-state-on-runpm-suspen.patch new file mode 100644 index 00000000000..43beb7cbb40 --- /dev/null +++ b/queue-5.15/drm-amdgpu-put-smu-into-proper-state-on-runpm-suspen.patch @@ -0,0 +1,59 @@ +From ccd265ce0e93615fbb69cfd5f16b36c48b11e9c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Dec 2021 19:05:06 +0800 +Subject: drm/amdgpu: put SMU into proper state on runpm suspending for BOCO + capable platform + +From: Evan Quan + +[ Upstream commit 7be3be2b027c12e84833b3dc9597d3bb7e4c5464 ] + +By setting mp1_state as PP_MP1_STATE_UNLOAD, MP1 will do some proper cleanups and +put itself into a state ready for PNP. That can workaround some random resuming +failure observed on BOCO capable platforms. + +Signed-off-by: Evan Quan +Acked-by: Alex Deucher +Reviewed-by: Guchun Chen +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +index 9dfd9d70812cb..41677f99c67b1 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c +@@ -1606,12 +1606,27 @@ static int amdgpu_pmops_runtime_suspend(struct device *dev) + if (amdgpu_device_supports_px(drm_dev)) + drm_dev->switch_power_state = DRM_SWITCH_POWER_CHANGING; + ++ /* ++ * By setting mp1_state as PP_MP1_STATE_UNLOAD, MP1 will do some ++ * proper cleanups and put itself into a state ready for PNP. That ++ * can address some random resuming failure observed on BOCO capable ++ * platforms. ++ * TODO: this may be also needed for PX capable platform. ++ */ ++ if (amdgpu_device_supports_boco(drm_dev)) ++ adev->mp1_state = PP_MP1_STATE_UNLOAD; ++ + ret = amdgpu_device_suspend(drm_dev, false); + if (ret) { + adev->in_runpm = false; ++ if (amdgpu_device_supports_boco(drm_dev)) ++ adev->mp1_state = PP_MP1_STATE_NONE; + return ret; + } + ++ if (amdgpu_device_supports_boco(drm_dev)) ++ adev->mp1_state = PP_MP1_STATE_NONE; ++ + if (amdgpu_device_supports_px(drm_dev)) { + /* Only need to handle PCI state in the driver for ATPX + * PCI core handles it for _PR3. +-- +2.34.1 + diff --git a/queue-5.15/input-zinitix-make-sure-the-irq-is-allocated-before-.patch b/queue-5.15/input-zinitix-make-sure-the-irq-is-allocated-before-.patch new file mode 100644 index 00000000000..9549d24508d --- /dev/null +++ b/queue-5.15/input-zinitix-make-sure-the-irq-is-allocated-before-.patch @@ -0,0 +1,66 @@ +From 2443d65ca893ca41c9705214d3d0c18fb2523029 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jan 2022 23:19:19 -0800 +Subject: Input: zinitix - make sure the IRQ is allocated before it gets + enabled + +From: Nikita Travkin + +[ Upstream commit cf73ed894ee939d6706d65e0cd186e4a64e3af6d ] + +Since irq request is the last thing in the driver probe, it happens +later than the input device registration. This means that there is a +small time window where if the open method is called the driver will +attempt to enable not yet available irq. + +Fix that by moving the irq request before the input device registration. + +Reviewed-by: Linus Walleij +Fixes: 26822652c85e ("Input: add zinitix touchscreen driver") +Signed-off-by: Nikita Travkin +Link: https://lore.kernel.org/r/20220106072840.36851-2-nikita@trvn.ru +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/zinitix.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/input/touchscreen/zinitix.c b/drivers/input/touchscreen/zinitix.c +index b8d901099378d..1e70b8d2a8d79 100644 +--- a/drivers/input/touchscreen/zinitix.c ++++ b/drivers/input/touchscreen/zinitix.c +@@ -488,6 +488,15 @@ static int zinitix_ts_probe(struct i2c_client *client) + return error; + } + ++ error = devm_request_threaded_irq(&client->dev, client->irq, ++ NULL, zinitix_ts_irq_handler, ++ IRQF_ONESHOT | IRQF_NO_AUTOEN, ++ client->name, bt541); ++ if (error) { ++ dev_err(&client->dev, "Failed to request IRQ: %d\n", error); ++ return error; ++ } ++ + error = zinitix_init_input_dev(bt541); + if (error) { + dev_err(&client->dev, +@@ -513,15 +522,6 @@ static int zinitix_ts_probe(struct i2c_client *client) + return -EINVAL; + } + +- error = devm_request_threaded_irq(&client->dev, client->irq, +- NULL, zinitix_ts_irq_handler, +- IRQF_ONESHOT | IRQF_NO_AUTOEN, +- client->name, bt541); +- if (error) { +- dev_err(&client->dev, "Failed to request IRQ: %d\n", error); +- return error; +- } +- + return 0; + } + +-- +2.34.1 + diff --git a/queue-5.15/ip6_vti-initialize-__ip6_tnl_parm-struct-in-vti6_sio.patch b/queue-5.15/ip6_vti-initialize-__ip6_tnl_parm-struct-in-vti6_sio.patch new file mode 100644 index 00000000000..4d27b691ff4 --- /dev/null +++ b/queue-5.15/ip6_vti-initialize-__ip6_tnl_parm-struct-in-vti6_sio.patch @@ -0,0 +1,110 @@ +From 6febf27a5f63371831b78c304641b80cadac3a99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Dec 2021 12:33:16 -0500 +Subject: ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate + +From: William Zhao + +[ Upstream commit c1833c3964d5bd8c163bd4e01736a38bc473cb8a ] + +The "__ip6_tnl_parm" struct was left uninitialized causing an invalid +load of random data when the "__ip6_tnl_parm" struct was used elsewhere. +As an example, in the function "ip6_tnl_xmit_ctl()", it tries to access +the "collect_md" member. With "__ip6_tnl_parm" being uninitialized and +containing random data, the UBSAN detected that "collect_md" held a +non-boolean value. + +The UBSAN issue is as follows: +=============================================================== +UBSAN: invalid-load in net/ipv6/ip6_tunnel.c:1025:14 +load of value 30 is not a valid value for type '_Bool' +CPU: 1 PID: 228 Comm: kworker/1:3 Not tainted 5.16.0-rc4+ #8 +Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 +Workqueue: ipv6_addrconf addrconf_dad_work +Call Trace: + +dump_stack_lvl+0x44/0x57 +ubsan_epilogue+0x5/0x40 +__ubsan_handle_load_invalid_value+0x66/0x70 +? __cpuhp_setup_state+0x1d3/0x210 +ip6_tnl_xmit_ctl.cold.52+0x2c/0x6f [ip6_tunnel] +vti6_tnl_xmit+0x79c/0x1e96 [ip6_vti] +? lock_is_held_type+0xd9/0x130 +? vti6_rcv+0x100/0x100 [ip6_vti] +? lock_is_held_type+0xd9/0x130 +? rcu_read_lock_bh_held+0xc0/0xc0 +? lock_acquired+0x262/0xb10 +dev_hard_start_xmit+0x1e6/0x820 +__dev_queue_xmit+0x2079/0x3340 +? mark_lock.part.52+0xf7/0x1050 +? netdev_core_pick_tx+0x290/0x290 +? kvm_clock_read+0x14/0x30 +? kvm_sched_clock_read+0x5/0x10 +? sched_clock_cpu+0x15/0x200 +? find_held_lock+0x3a/0x1c0 +? lock_release+0x42f/0xc90 +? lock_downgrade+0x6b0/0x6b0 +? mark_held_locks+0xb7/0x120 +? neigh_connected_output+0x31f/0x470 +? lockdep_hardirqs_on+0x79/0x100 +? neigh_connected_output+0x31f/0x470 +? ip6_finish_output2+0x9b0/0x1d90 +? rcu_read_lock_bh_held+0x62/0xc0 +? ip6_finish_output2+0x9b0/0x1d90 +ip6_finish_output2+0x9b0/0x1d90 +? ip6_append_data+0x330/0x330 +? ip6_mtu+0x166/0x370 +? __ip6_finish_output+0x1ad/0xfb0 +? nf_hook_slow+0xa6/0x170 +ip6_output+0x1fb/0x710 +? nf_hook.constprop.32+0x317/0x430 +? ip6_finish_output+0x180/0x180 +? __ip6_finish_output+0xfb0/0xfb0 +? lock_is_held_type+0xd9/0x130 +ndisc_send_skb+0xb33/0x1590 +? __sk_mem_raise_allocated+0x11cf/0x1560 +? dst_output+0x4a0/0x4a0 +? ndisc_send_rs+0x432/0x610 +addrconf_dad_completed+0x30c/0xbb0 +? addrconf_rs_timer+0x650/0x650 +? addrconf_dad_work+0x73c/0x10e0 +addrconf_dad_work+0x73c/0x10e0 +? addrconf_dad_completed+0xbb0/0xbb0 +? rcu_read_lock_sched_held+0xaf/0xe0 +? rcu_read_lock_bh_held+0xc0/0xc0 +process_one_work+0x97b/0x1740 +? pwq_dec_nr_in_flight+0x270/0x270 +worker_thread+0x87/0xbf0 +? process_one_work+0x1740/0x1740 +kthread+0x3ac/0x490 +? set_kthread_struct+0x100/0x100 +ret_from_fork+0x22/0x30 + +=============================================================== + +The solution is to initialize "__ip6_tnl_parm" struct to zeros in the +"vti6_siocdevprivate()" function. + +Signed-off-by: William Zhao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_vti.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c +index 1d8e3ffa225d8..42c37ec832f15 100644 +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -808,6 +808,8 @@ vti6_siocdevprivate(struct net_device *dev, struct ifreq *ifr, void __user *data + struct net *net = dev_net(dev); + struct vti6_net *ip6n = net_generic(net, vti6_net_id); + ++ memset(&p1, 0, sizeof(p1)); ++ + switch (cmd) { + case SIOCGETTUNNEL: + if (dev == ip6n->fb_tnl_dev) { +-- +2.34.1 + diff --git a/queue-5.15/ipv6-continue-processing-multipath-route-even-if-gat.patch b/queue-5.15/ipv6-continue-processing-multipath-route-even-if-gat.patch new file mode 100644 index 00000000000..46d4f2c2093 --- /dev/null +++ b/queue-5.15/ipv6-continue-processing-multipath-route-even-if-gat.patch @@ -0,0 +1,52 @@ +From f5c87ee8a24b10eef550da98ebb364ff96e4a535 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jan 2022 10:19:11 -0700 +Subject: ipv6: Continue processing multipath route even if gateway attribute + is invalid + +From: David Ahern + +[ Upstream commit e30a845b0376eb51c9c94f56bbd53b2e08ba822f ] + +ip6_route_multipath_del loop continues processing the multipath +attribute even if delete of a nexthop path fails. For consistency, +do the same if the gateway attribute is invalid. + +Fixes: 1ff15a710a86 ("ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route") +Signed-off-by: David Ahern +Acked-by: Nicolas Dichtel +Link: https://lore.kernel.org/r/20220103171911.94739-1-dsahern@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index d050e0f5baa46..0eceb0e88976b 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -5459,8 +5459,10 @@ static int ip6_route_multipath_del(struct fib6_config *cfg, + if (nla) { + err = fib6_gw_from_attr(&r_cfg.fc_gateway, nla, + extack); +- if (err) +- return err; ++ if (err) { ++ last_err = err; ++ goto next_rtnh; ++ } + + r_cfg.fc_flags |= RTF_GATEWAY; + } +@@ -5469,6 +5471,7 @@ static int ip6_route_multipath_del(struct fib6_config *cfg, + if (err) + last_err = err; + ++next_rtnh: + rtnh = rtnh_next(rtnh, &remaining); + } + +-- +2.34.1 + diff --git a/queue-5.15/ipv6-do-cleanup-if-attribute-validation-fails-in-mul.patch b/queue-5.15/ipv6-do-cleanup-if-attribute-validation-fails-in-mul.patch new file mode 100644 index 00000000000..57700f5de8f --- /dev/null +++ b/queue-5.15/ipv6-do-cleanup-if-attribute-validation-fails-in-mul.patch @@ -0,0 +1,46 @@ +From 845cecf44f80fe356414160e802b01bf89fe98d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Jan 2022 10:05:55 -0700 +Subject: ipv6: Do cleanup if attribute validation fails in multipath route + +From: David Ahern + +[ Upstream commit 95bdba23b5b4aa75fe3e6c84335e638641c707bb ] + +As Nicolas noted, if gateway validation fails walking the multipath +attribute the code should jump to the cleanup to free previously +allocated memory. + +Fixes: 1ff15a710a86 ("ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route") +Signed-off-by: David Ahern +Acked-by: Nicolas Dichtel +Link: https://lore.kernel.org/r/20220103170555.94638-1-dsahern@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/route.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 0eceb0e88976b..0632382a5427b 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -5277,12 +5277,10 @@ static int ip6_route_multipath_add(struct fib6_config *cfg, + + nla = nla_find(attrs, attrlen, RTA_GATEWAY); + if (nla) { +- int ret; +- +- ret = fib6_gw_from_attr(&r_cfg.fc_gateway, nla, ++ err = fib6_gw_from_attr(&r_cfg.fc_gateway, nla, + extack); +- if (ret) +- return ret; ++ if (err) ++ goto cleanup; + + r_cfg.fc_flags |= RTF_GATEWAY; + } +-- +2.34.1 + diff --git a/queue-5.15/ipv6-raw-check-passed-optlen-before-reading.patch b/queue-5.15/ipv6-raw-check-passed-optlen-before-reading.patch new file mode 100644 index 00000000000..193fae43803 --- /dev/null +++ b/queue-5.15/ipv6-raw-check-passed-optlen-before-reading.patch @@ -0,0 +1,44 @@ +From db62adfb22d2abddc3d8d7ffd246bdceeefcc79d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Dec 2021 15:09:47 -0500 +Subject: ipv6: raw: check passed optlen before reading + +From: Tamir Duberstein + +[ Upstream commit fb7bc9204095090731430c8921f9e629740c110a ] + +Add a check that the user-provided option is at least as long as the +number of bytes we intend to read. Before this patch we would blindly +read sizeof(int) bytes even in cases where the user passed +optlen +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20211229200947.2862255-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/raw.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index 60f1e4f5be5aa..c51d5ce3711c2 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -1020,6 +1020,9 @@ static int do_rawv6_setsockopt(struct sock *sk, int level, int optname, + struct raw6_sock *rp = raw6_sk(sk); + int val; + ++ if (optlen < sizeof(val)) ++ return -EINVAL; ++ + if (copy_from_sockptr(&val, optval, sizeof(val))) + return -EFAULT; + +-- +2.34.1 + diff --git a/queue-5.15/misdn-change-function-names-to-avoid-conflicts.patch b/queue-5.15/misdn-change-function-names-to-avoid-conflicts.patch new file mode 100644 index 00000000000..5ac705f7146 --- /dev/null +++ b/queue-5.15/misdn-change-function-names-to-avoid-conflicts.patch @@ -0,0 +1,100 @@ +From c72a6929a93369c9c860762bd15e6c8f7d62cc31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Dec 2021 16:01:20 +0800 +Subject: mISDN: change function names to avoid conflicts + +From: wolfgang huang + +[ Upstream commit 8b5fdfc57cc2471179d1c51081424ded833c16c8 ] + +As we build for mips, we meet following error. l1_init error with +multiple definition. Some architecture devices usually marked with +l1, l2, lxx as the start-up phase. so we change the mISDN function +names, align with Isdnl2_xxx. + +mips-linux-gnu-ld: drivers/isdn/mISDN/layer1.o: in function `l1_init': +(.text+0x890): multiple definition of `l1_init'; \ +arch/mips/kernel/bmips_5xxx_init.o:(.text+0xf0): first defined here +make[1]: *** [home/mips/kernel-build/linux/Makefile:1161: vmlinux] Error 1 + +Signed-off-by: wolfgang huang +Reported-by: k2ci +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/core.c | 6 +++--- + drivers/isdn/mISDN/core.h | 4 ++-- + drivers/isdn/mISDN/layer1.c | 4 ++-- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c +index 55891e4204460..a41b4b2645941 100644 +--- a/drivers/isdn/mISDN/core.c ++++ b/drivers/isdn/mISDN/core.c +@@ -381,7 +381,7 @@ mISDNInit(void) + err = mISDN_inittimer(&debug); + if (err) + goto error2; +- err = l1_init(&debug); ++ err = Isdnl1_Init(&debug); + if (err) + goto error3; + err = Isdnl2_Init(&debug); +@@ -395,7 +395,7 @@ mISDNInit(void) + error5: + Isdnl2_cleanup(); + error4: +- l1_cleanup(); ++ Isdnl1_cleanup(); + error3: + mISDN_timer_cleanup(); + error2: +@@ -408,7 +408,7 @@ static void mISDN_cleanup(void) + { + misdn_sock_cleanup(); + Isdnl2_cleanup(); +- l1_cleanup(); ++ Isdnl1_cleanup(); + mISDN_timer_cleanup(); + class_unregister(&mISDN_class); + +diff --git a/drivers/isdn/mISDN/core.h b/drivers/isdn/mISDN/core.h +index 23b44d3033279..42599f49c189d 100644 +--- a/drivers/isdn/mISDN/core.h ++++ b/drivers/isdn/mISDN/core.h +@@ -60,8 +60,8 @@ struct Bprotocol *get_Bprotocol4id(u_int); + extern int mISDN_inittimer(u_int *); + extern void mISDN_timer_cleanup(void); + +-extern int l1_init(u_int *); +-extern void l1_cleanup(void); ++extern int Isdnl1_Init(u_int *); ++extern void Isdnl1_cleanup(void); + extern int Isdnl2_Init(u_int *); + extern void Isdnl2_cleanup(void); + +diff --git a/drivers/isdn/mISDN/layer1.c b/drivers/isdn/mISDN/layer1.c +index 98a3bc6c17009..7b31c25a550e3 100644 +--- a/drivers/isdn/mISDN/layer1.c ++++ b/drivers/isdn/mISDN/layer1.c +@@ -398,7 +398,7 @@ create_l1(struct dchannel *dch, dchannel_l1callback *dcb) { + EXPORT_SYMBOL(create_l1); + + int +-l1_init(u_int *deb) ++Isdnl1_Init(u_int *deb) + { + debug = deb; + l1fsm_s.state_count = L1S_STATE_COUNT; +@@ -409,7 +409,7 @@ l1_init(u_int *deb) + } + + void +-l1_cleanup(void) ++Isdnl1_cleanup(void) + { + mISDN_FsmFree(&l1fsm_s); + } +-- +2.34.1 + diff --git a/queue-5.15/net-udp-fix-alignment-problem-in-udp4_seq_show.patch b/queue-5.15/net-udp-fix-alignment-problem-in-udp4_seq_show.patch new file mode 100644 index 00000000000..cb9c9d40d8f --- /dev/null +++ b/queue-5.15/net-udp-fix-alignment-problem-in-udp4_seq_show.patch @@ -0,0 +1,48 @@ +From 1addc23f8512d448ceed05b8796113057f049b2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Dec 2021 16:29:51 +0800 +Subject: net: udp: fix alignment problem in udp4_seq_show() + +From: yangxingwu + +[ Upstream commit 6c25449e1a32c594d743df8e8258e8ef870b6a77 ] + +$ cat /pro/net/udp + +before: + + sl local_address rem_address st tx_queue rx_queue tr tm->when +26050: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 +26320: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000 +27135: 00000000:8472 00000000:0000 07 00000000:00000000 00:00000000 + +after: + + sl local_address rem_address st tx_queue rx_queue tr tm->when +26050: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 +26320: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000 +27135: 00000000:8472 00000000:0000 07 00000000:00000000 00:00000000 + +Signed-off-by: yangxingwu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index be07e3d2b77bc..835b9d6e4e686 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -3076,7 +3076,7 @@ int udp4_seq_show(struct seq_file *seq, void *v) + { + seq_setwidth(seq, 127); + if (v == SEQ_START_TOKEN) +- seq_puts(seq, " sl local_address rem_address st tx_queue " ++ seq_puts(seq, " sl local_address rem_address st tx_queue " + "rx_queue tr tm->when retrnsmt uid timeout " + "inode ref pointer drops"); + else { +-- +2.34.1 + diff --git a/queue-5.15/scsi-libiscsi-fix-uaf-in-iscsi_conn_get_param-iscsi_.patch b/queue-5.15/scsi-libiscsi-fix-uaf-in-iscsi_conn_get_param-iscsi_.patch new file mode 100644 index 00000000000..41ee83ecd0e --- /dev/null +++ b/queue-5.15/scsi-libiscsi-fix-uaf-in-iscsi_conn_get_param-iscsi_.patch @@ -0,0 +1,69 @@ +From 72131bd43c4a6162a414c5504e6bc01366b0ce64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 19:39:06 +0800 +Subject: scsi: libiscsi: Fix UAF in + iscsi_conn_get_param()/iscsi_conn_teardown() + +From: Lixiaokeng + +[ Upstream commit 1b8d0300a3e9f216ae4901bab886db7299899ec6 ] + +|- iscsi_if_destroy_conn |-dev_attr_show + |-iscsi_conn_teardown + |-spin_lock_bh |-iscsi_sw_tcp_conn_get_param + + |-kfree(conn->persistent_address) |-iscsi_conn_get_param + |-kfree(conn->local_ipaddr) + ==>|-read persistent_address + ==>|-read local_ipaddr + |-spin_unlock_bh + +When iscsi_conn_teardown() and iscsi_conn_get_param() happen in parallel, a +UAF may be triggered. + +Link: https://lore.kernel.org/r/046ec8a0-ce95-d3fc-3235-666a7c65b224@huawei.com +Reported-by: Lu Tixiong +Reviewed-by: Mike Christie +Reviewed-by: Lee Duncan +Signed-off-by: Lixiaokeng +Signed-off-by: Linfeilong +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libiscsi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index 5bc91d34df634..cbc263ec9d661 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -3101,6 +3101,8 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn) + { + struct iscsi_conn *conn = cls_conn->dd_data; + struct iscsi_session *session = conn->session; ++ char *tmp_persistent_address = conn->persistent_address; ++ char *tmp_local_ipaddr = conn->local_ipaddr; + + del_timer_sync(&conn->transport_timer); + +@@ -3122,8 +3124,6 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn) + spin_lock_bh(&session->frwd_lock); + free_pages((unsigned long) conn->data, + get_order(ISCSI_DEF_MAX_RECV_SEG_LEN)); +- kfree(conn->persistent_address); +- kfree(conn->local_ipaddr); + /* regular RX path uses back_lock */ + spin_lock_bh(&session->back_lock); + kfifo_in(&session->cmdpool.queue, (void*)&conn->login_task, +@@ -3135,6 +3135,8 @@ void iscsi_conn_teardown(struct iscsi_cls_conn *cls_conn) + mutex_unlock(&session->eh_mutex); + + iscsi_destroy_conn(cls_conn); ++ kfree(tmp_persistent_address); ++ kfree(tmp_local_ipaddr); + } + EXPORT_SYMBOL_GPL(iscsi_conn_teardown); + +-- +2.34.1 + diff --git a/queue-5.15/series b/queue-5.15/series index 302ba9a257e..409ff980c1b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -48,3 +48,23 @@ phonet-refcount-leak-in-pep_sock_accep.patch fbdev-fbmem-add-a-helper-to-determine-if-an-aperture-is-used-by-a-fw-fb.patch drm-amdgpu-disable-runpm-if-we-are-the-primary-adapter.patch power-bq25890-enable-continuous-conversion-for-adc-at-charging.patch +ipv6-continue-processing-multipath-route-even-if-gat.patch +ipv6-do-cleanup-if-attribute-validation-fails-in-mul.patch +auxdisplay-charlcd-checking-for-pointer-reference-be.patch +drm-amdgpu-fix-dropped-backing-store-handling-in-amd.patch +drm-amd-pm-fix-xgmi-link-control-on-aldebaran.patch +usb-mtu3-fix-interval-value-for-intr-and-isoc.patch +scsi-libiscsi-fix-uaf-in-iscsi_conn_get_param-iscsi_.patch +ip6_vti-initialize-__ip6_tnl_parm-struct-in-vti6_sio.patch +net-udp-fix-alignment-problem-in-udp4_seq_show.patch +atlantic-fix-buff_ring-oob-in-aq_ring_rx_clean.patch +drm-amd-pm-skip-setting-gfx-cgpg-in-the-s0ix-suspend.patch +drm-amdgpu-always-reset-the-asic-in-suspend-v2.patch +drm-amdgpu-put-smu-into-proper-state-on-runpm-suspen.patch +misdn-change-function-names-to-avoid-conflicts.patch +drm-amd-display-fix-b0-tmds-deepcolor-no-dislay-issu.patch +drm-amd-display-added-power-down-for-dcn10.patch +ipv6-raw-check-passed-optlen-before-reading.patch +userfaultfd-selftests-fix-hugetlb-area-allocations.patch +arm-dts-gpio-ranges-property-is-now-required.patch +input-zinitix-make-sure-the-irq-is-allocated-before-.patch diff --git a/queue-5.15/usb-mtu3-fix-interval-value-for-intr-and-isoc.patch b/queue-5.15/usb-mtu3-fix-interval-value-for-intr-and-isoc.patch new file mode 100644 index 00000000000..fac3be0510a --- /dev/null +++ b/queue-5.15/usb-mtu3-fix-interval-value-for-intr-and-isoc.patch @@ -0,0 +1,47 @@ +From 50e4fb636dba3e740660f5c705c184fd8c10dc5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Dec 2021 17:57:46 +0800 +Subject: usb: mtu3: fix interval value for intr and isoc + +From: Chunfeng Yun + +[ Upstream commit e3d4621c22f90c33321ae6a6baab60cdb8e5a77c ] + +Use the Interval value from isoc/intr endpoint descriptor, no need +minus one. The original code doesn't cause transfer error for +normal cases, but it may have side effect with respond time of ERDY +or tPingTimeout. + +Signed-off-by: Chunfeng Yun +Link: https://lore.kernel.org/r/20211218095749.6250-1-chunfeng.yun@mediatek.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/mtu3/mtu3_gadget.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c +index 0b21da4ee1836..9977600616d7e 100644 +--- a/drivers/usb/mtu3/mtu3_gadget.c ++++ b/drivers/usb/mtu3/mtu3_gadget.c +@@ -77,7 +77,7 @@ static int mtu3_ep_enable(struct mtu3_ep *mep) + if (usb_endpoint_xfer_int(desc) || + usb_endpoint_xfer_isoc(desc)) { + interval = desc->bInterval; +- interval = clamp_val(interval, 1, 16) - 1; ++ interval = clamp_val(interval, 1, 16); + if (usb_endpoint_xfer_isoc(desc) && comp_desc) + mult = comp_desc->bmAttributes; + } +@@ -89,7 +89,7 @@ static int mtu3_ep_enable(struct mtu3_ep *mep) + if (usb_endpoint_xfer_isoc(desc) || + usb_endpoint_xfer_int(desc)) { + interval = desc->bInterval; +- interval = clamp_val(interval, 1, 16) - 1; ++ interval = clamp_val(interval, 1, 16); + mult = usb_endpoint_maxp_mult(desc) - 1; + } + break; +-- +2.34.1 + diff --git a/queue-5.15/userfaultfd-selftests-fix-hugetlb-area-allocations.patch b/queue-5.15/userfaultfd-selftests-fix-hugetlb-area-allocations.patch new file mode 100644 index 00000000000..d19ac282b62 --- /dev/null +++ b/queue-5.15/userfaultfd-selftests-fix-hugetlb-area-allocations.patch @@ -0,0 +1,110 @@ +From 4fa34242c1451b24c9b94a9e5292e00aca9b9ce3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Dec 2021 20:12:31 -0800 +Subject: userfaultfd/selftests: fix hugetlb area allocations + +From: Mike Kravetz + +[ Upstream commit f5c73297181c6b3ad76537bad98eaad6d29b9333 ] + +Currently, userfaultfd selftest for hugetlb as run from run_vmtests.sh +or any environment where there are 'just enough' hugetlb pages will +always fail with: + + testing events (fork, remap, remove): + ERROR: UFFDIO_COPY error: -12 (errno=12, line=616) + +The ENOMEM error code implies there are not enough hugetlb pages. +However, there are free hugetlb pages but they are all reserved. There +is a basic problem with the way the test allocates hugetlb pages which +has existed since the test was originally written. + +Due to the way 'cleanup' was done between different phases of the test, +this issue was masked until recently. The issue was uncovered by commit +8ba6e8640844 ("userfaultfd/selftests: reinitialize test context in each +test"). + +For the hugetlb test, src and dst areas are allocated as PRIVATE +mappings of a hugetlb file. This means that at mmap time, pages are +reserved for the src and dst areas. At the start of event testing (and +other tests) the src area is populated which results in allocation of +huge pages to fill the area and consumption of reserves associated with +the area. Then, a child is forked to fault in the dst area. Note that +the dst area was allocated in the parent and hence the parent owns the +reserves associated with the mapping. The child has normal access to +the dst area, but can not use the reserves created/owned by the parent. +Thus, if there are no other huge pages available allocation of a page +for the dst by the child will fail. + +Fix by not creating reserves for the dst area. In this way the child +can use free (non-reserved) pages. + +Also, MAP_PRIVATE of a file only makes sense if you are interested in +the contents of the file before making a COW copy. The test does not do +this. So, just use MAP_ANONYMOUS | MAP_HUGETLB to create an anonymous +hugetlb mapping. There is no need to create a hugetlb file in the +non-shared case. + +Link: https://lkml.kernel.org/r/20211217172919.7861-1-mike.kravetz@oracle.com +Signed-off-by: Mike Kravetz +Cc: Axel Rasmussen +Cc: Peter Xu +Cc: Andrea Arcangeli +Cc: Mina Almasry +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/vm/userfaultfd.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/vm/userfaultfd.c b/tools/testing/selftests/vm/userfaultfd.c +index 60aa1a4fc69b6..81690f1737c80 100644 +--- a/tools/testing/selftests/vm/userfaultfd.c ++++ b/tools/testing/selftests/vm/userfaultfd.c +@@ -86,7 +86,7 @@ static bool test_uffdio_minor = false; + + static bool map_shared; + static int shm_fd; +-static int huge_fd; ++static int huge_fd = -1; /* only used for hugetlb_shared test */ + static char *huge_fd_off0; + static unsigned long long *count_verify; + static int uffd = -1; +@@ -222,6 +222,9 @@ static void noop_alias_mapping(__u64 *start, size_t len, unsigned long offset) + + static void hugetlb_release_pages(char *rel_area) + { ++ if (huge_fd == -1) ++ return; ++ + if (fallocate(huge_fd, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE, + rel_area == huge_fd_off0 ? 0 : nr_pages * page_size, + nr_pages * page_size)) +@@ -234,16 +237,17 @@ static void hugetlb_allocate_area(void **alloc_area) + char **alloc_area_alias; + + *alloc_area = mmap(NULL, nr_pages * page_size, PROT_READ | PROT_WRITE, +- (map_shared ? MAP_SHARED : MAP_PRIVATE) | +- MAP_HUGETLB, +- huge_fd, *alloc_area == area_src ? 0 : +- nr_pages * page_size); ++ map_shared ? MAP_SHARED : ++ MAP_PRIVATE | MAP_HUGETLB | ++ (*alloc_area == area_src ? 0 : MAP_NORESERVE), ++ huge_fd, ++ *alloc_area == area_src ? 0 : nr_pages * page_size); + if (*alloc_area == MAP_FAILED) + err("mmap of hugetlbfs file failed"); + + if (map_shared) { + area_alias = mmap(NULL, nr_pages * page_size, PROT_READ | PROT_WRITE, +- MAP_SHARED | MAP_HUGETLB, ++ MAP_SHARED, + huge_fd, *alloc_area == area_src ? 0 : + nr_pages * page_size); + if (area_alias == MAP_FAILED) +-- +2.34.1 +