From: Sasha Levin Date: Tue, 24 Jan 2023 11:21:59 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v5.10.166~97 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b78b05f6de94aa6de205d6cc2e815a533dd52e32;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/affs-initialize-fsdata-in-affs_truncate.patch b/queue-5.10/affs-initialize-fsdata-in-affs_truncate.patch new file mode 100644 index 00000000000..881e9d9b7f7 --- /dev/null +++ b/queue-5.10/affs-initialize-fsdata-in-affs_truncate.patch @@ -0,0 +1,40 @@ +From c94f13691b0983a2b24feefeaa91935108e327ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 13:49:30 +0100 +Subject: affs: initialize fsdata in affs_truncate() + +From: Alexander Potapenko + +[ Upstream commit eef034ac6690118c88f357b00e2b3239c9d8575d ] + +When aops->write_begin() does not initialize fsdata, KMSAN may report +an error passing the latter to aops->write_end(). + +Fix this by unconditionally initializing fsdata. + +Fixes: f2b6a16eb8f5 ("fs: affs convert to new aops") +Suggested-by: Eric Biggers +Signed-off-by: Alexander Potapenko +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/affs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/affs/file.c b/fs/affs/file.c +index d91b0133d95d..c3d89fa1bab7 100644 +--- a/fs/affs/file.c ++++ b/fs/affs/file.c +@@ -879,7 +879,7 @@ affs_truncate(struct inode *inode) + if (inode->i_size > AFFS_I(inode)->mmu_private) { + struct address_space *mapping = inode->i_mapping; + struct page *page; +- void *fsdata; ++ void *fsdata = NULL; + loff_t isize = inode->i_size; + int res; + +-- +2.39.0 + diff --git a/queue-5.10/amd-xgbe-delay-an-timeout-during-kr-training.patch b/queue-5.10/amd-xgbe-delay-an-timeout-during-kr-training.patch new file mode 100644 index 00000000000..b35e9dc18eb --- /dev/null +++ b/queue-5.10/amd-xgbe-delay-an-timeout-during-kr-training.patch @@ -0,0 +1,100 @@ +From 0fd492ffbb3d31582b30ff7e02a96e493241f8e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:58:52 +0530 +Subject: amd-xgbe: Delay AN timeout during KR training + +From: Raju Rangoju + +[ Upstream commit 926446ae24c03311a480fb96eb78f0ce7ea6d091 ] + +AN restart triggered during KR training not only aborts the KR training +process but also move the HW to unstable state. Driver has to wait upto +500ms or until the KR training is completed before restarting AN cycle. + +Fixes: 7c12aa08779c ("amd-xgbe: Move the PHY support into amd-xgbe") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Signed-off-by: Raju Rangoju +Acked-by: Shyam Sundar S K +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 24 +++++++++++++++++++++++ + drivers/net/ethernet/amd/xgbe/xgbe.h | 2 ++ + 2 files changed, 26 insertions(+) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +index 0c5c1b155683..43fdd111235a 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c +@@ -496,6 +496,7 @@ static enum xgbe_an xgbe_an73_tx_training(struct xgbe_prv_data *pdata, + reg |= XGBE_KR_TRAINING_ENABLE; + reg |= XGBE_KR_TRAINING_START; + XMDIO_WRITE(pdata, MDIO_MMD_PMAPMD, MDIO_PMA_10GBR_PMD_CTRL, reg); ++ pdata->kr_start_time = jiffies; + + netif_dbg(pdata, link, pdata->netdev, + "KR training initiated\n"); +@@ -632,6 +633,8 @@ static enum xgbe_an xgbe_an73_incompat_link(struct xgbe_prv_data *pdata) + + xgbe_switch_mode(pdata); + ++ pdata->an_result = XGBE_AN_READY; ++ + xgbe_an_restart(pdata); + + return XGBE_AN_INCOMPAT_LINK; +@@ -1275,9 +1278,30 @@ static bool xgbe_phy_aneg_done(struct xgbe_prv_data *pdata) + static void xgbe_check_link_timeout(struct xgbe_prv_data *pdata) + { + unsigned long link_timeout; ++ unsigned long kr_time; ++ int wait; + + link_timeout = pdata->link_check + (XGBE_LINK_TIMEOUT * HZ); + if (time_after(jiffies, link_timeout)) { ++ if ((xgbe_cur_mode(pdata) == XGBE_MODE_KR) && ++ pdata->phy.autoneg == AUTONEG_ENABLE) { ++ /* AN restart should not happen while KR training is in progress. ++ * The while loop ensures no AN restart during KR training, ++ * waits up to 500ms and AN restart is triggered only if KR ++ * training is failed. ++ */ ++ wait = XGBE_KR_TRAINING_WAIT_ITER; ++ while (wait--) { ++ kr_time = pdata->kr_start_time + ++ msecs_to_jiffies(XGBE_AN_MS_TIMEOUT); ++ if (time_after(jiffies, kr_time)) ++ break; ++ /* AN restart is not required, if AN result is COMPLETE */ ++ if (pdata->an_result == XGBE_AN_COMPLETE) ++ return; ++ usleep_range(10000, 11000); ++ } ++ } + netif_dbg(pdata, link, pdata->netdev, "AN link timeout\n"); + xgbe_phy_config_aneg(pdata); + } +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h +index 3305979a9f7c..e0b8f3c4cc0b 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h +@@ -289,6 +289,7 @@ + /* Auto-negotiation */ + #define XGBE_AN_MS_TIMEOUT 500 + #define XGBE_LINK_TIMEOUT 5 ++#define XGBE_KR_TRAINING_WAIT_ITER 50 + + #define XGBE_SGMII_AN_LINK_STATUS BIT(1) + #define XGBE_SGMII_AN_LINK_SPEED (BIT(2) | BIT(3)) +@@ -1253,6 +1254,7 @@ struct xgbe_prv_data { + unsigned int parallel_detect; + unsigned int fec_ability; + unsigned long an_start; ++ unsigned long kr_start_time; + enum xgbe_an_mode an_mode; + + /* I2C support */ +-- +2.39.0 + diff --git a/queue-5.10/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch b/queue-5.10/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch new file mode 100644 index 00000000000..51866e80da3 --- /dev/null +++ b/queue-5.10/amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch @@ -0,0 +1,89 @@ +From 351c106e48c48fc570a82bcf93b0a8bff239ee33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:58:51 +0530 +Subject: amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent + +From: Raju Rangoju + +[ Upstream commit 579923d84b04abb6cd4cd1fd9974096a2dd1832b ] + +There is difference in the TX Flow Control registers (TFCR) between the +revisions of the hardware. The older revisions of hardware used to have +single register per queue. Whereas, the newer revision of hardware (from +ver 30H onwards) have one register per priority. + +Update the driver to use the TFCR based on the reported version of the +hardware. + +Fixes: c5aa9e3b8156 ("amd-xgbe: Initial AMD 10GbE platform driver") +Co-developed-by: Ajith Nayak +Signed-off-by: Ajith Nayak +Signed-off-by: Raju Rangoju +Acked-by: Shyam Sundar S K +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-dev.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +index d5fd49dd25f3..decc1c09a031 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c +@@ -524,19 +524,28 @@ static void xgbe_disable_vxlan(struct xgbe_prv_data *pdata) + netif_dbg(pdata, drv, pdata->netdev, "VXLAN acceleration disabled\n"); + } + ++static unsigned int xgbe_get_fc_queue_count(struct xgbe_prv_data *pdata) ++{ ++ unsigned int max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES; ++ ++ /* From MAC ver 30H the TFCR is per priority, instead of per queue */ ++ if (XGMAC_GET_BITS(pdata->hw_feat.version, MAC_VR, SNPSVER) >= 0x30) ++ return max_q_count; ++ else ++ return min_t(unsigned int, pdata->tx_q_count, max_q_count); ++} ++ + static int xgbe_disable_tx_flow_control(struct xgbe_prv_data *pdata) + { +- unsigned int max_q_count, q_count; + unsigned int reg, reg_val; +- unsigned int i; ++ unsigned int i, q_count; + + /* Clear MTL flow control */ + for (i = 0; i < pdata->rx_q_count; i++) + XGMAC_MTL_IOWRITE_BITS(pdata, i, MTL_Q_RQOMR, EHFC, 0); + + /* Clear MAC flow control */ +- max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES; +- q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count); ++ q_count = xgbe_get_fc_queue_count(pdata); + reg = MAC_Q0TFCR; + for (i = 0; i < q_count; i++) { + reg_val = XGMAC_IOREAD(pdata, reg); +@@ -553,9 +562,8 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata) + { + struct ieee_pfc *pfc = pdata->pfc; + struct ieee_ets *ets = pdata->ets; +- unsigned int max_q_count, q_count; + unsigned int reg, reg_val; +- unsigned int i; ++ unsigned int i, q_count; + + /* Set MTL flow control */ + for (i = 0; i < pdata->rx_q_count; i++) { +@@ -579,8 +587,7 @@ static int xgbe_enable_tx_flow_control(struct xgbe_prv_data *pdata) + } + + /* Set MAC flow control */ +- max_q_count = XGMAC_MAX_FLOW_CONTROL_QUEUES; +- q_count = min_t(unsigned int, pdata->tx_q_count, max_q_count); ++ q_count = xgbe_get_fc_queue_count(pdata); + reg = MAC_Q0TFCR; + for (i = 0; i < q_count; i++) { + reg_val = XGMAC_IOREAD(pdata, reg); +-- +2.39.0 + diff --git a/queue-5.10/arm-dts-at91-sam9x60-fix-the-ddr-clock-for-sam9x60.patch b/queue-5.10/arm-dts-at91-sam9x60-fix-the-ddr-clock-for-sam9x60.patch new file mode 100644 index 00000000000..960f1f0c090 --- /dev/null +++ b/queue-5.10/arm-dts-at91-sam9x60-fix-the-ddr-clock-for-sam9x60.patch @@ -0,0 +1,36 @@ +From aeb1c727acac1d1a36b804b2f09b855d00825fff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 13:52:41 +0200 +Subject: ARM: dts: at91: sam9x60: fix the ddr clock for sam9x60 + +From: Claudiu Beznea + +[ Upstream commit 9bfa2544dbd1133f0b0af4e967de3bb9c1e3a497 ] + +The 2nd DDR clock for sam9x60 DDR controller is peripheral clock with +id 49. + +Fixes: 1e5f532c2737 ("ARM: dts: at91: sam9x60: add device tree for soc and board") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20221208115241.36312-1-claudiu.beznea@microchip.com +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/sam9x60.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/sam9x60.dtsi b/arch/arm/boot/dts/sam9x60.dtsi +index ec45ced3cde6..e1e0dec8cc1f 100644 +--- a/arch/arm/boot/dts/sam9x60.dtsi ++++ b/arch/arm/boot/dts/sam9x60.dtsi +@@ -567,7 +567,7 @@ pmecc: ecc-engine@ffffe000 { + mpddrc: mpddrc@ffffe800 { + compatible = "microchip,sam9x60-ddramc", "atmel,sama5d3-ddramc"; + reg = <0xffffe800 0x200>; +- clocks = <&pmc PMC_TYPE_SYSTEM 2>, <&pmc PMC_TYPE_CORE PMC_MCK>; ++ clocks = <&pmc PMC_TYPE_SYSTEM 2>, <&pmc PMC_TYPE_PERIPHERAL 49>; + clock-names = "ddrck", "mpddr"; + }; + +-- +2.39.0 + diff --git a/queue-5.10/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch b/queue-5.10/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch new file mode 100644 index 00000000000..94af1a6428b --- /dev/null +++ b/queue-5.10/arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch @@ -0,0 +1,48 @@ +From 133f5e516716fc01ca08b6a874e28324997686ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 17:22:59 -0300 +Subject: ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' + +From: Fabio Estevam + +[ Upstream commit 9dfbc72256b5de608ad10989bcbafdbbd1ac8d4e ] + +The following build warning is seen when running: + +make dtbs_check DT_SCHEMA_FILES=fsl-imx-uart.yaml + +arch/arm/boot/dts/imx6dl-gw560x.dtb: serial@2020000: rts-gpios: False schema does not allow [[20, 1, 0]] + From schema: Documentation/devicetree/bindings/serial/fsl-imx-uart.yaml + +The imx6qdl-gw560x board does not expose the UART RTS and CTS +as native UART pins, so 'uart-has-rtscts' should not be used. + +Using 'uart-has-rtscts' with 'rts-gpios' is an invalid combination +detected by serial.yaml. + +Fix the problem by removing the incorrect 'uart-has-rtscts' property. + +Fixes: b8a559feffb2 ("ARM: dts: imx: add Gateworks Ventana GW5600 support") +Signed-off-by: Fabio Estevam +Acked-by: Tim Harvey +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6qdl-gw560x.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi +index 093a219a77ae..f520e337698a 100644 +--- a/arch/arm/boot/dts/imx6qdl-gw560x.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-gw560x.dtsi +@@ -634,7 +634,6 @@ &ssi1 { + &uart1 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_uart1>; +- uart-has-rtscts; + rts-gpios = <&gpio7 1 GPIO_ACTIVE_HIGH>; + status = "okay"; + }; +-- +2.39.0 + diff --git a/queue-5.10/arm-dts-imx6ul-pico-dwarf-use-clock-frequency.patch b/queue-5.10/arm-dts-imx6ul-pico-dwarf-use-clock-frequency.patch new file mode 100644 index 00000000000..367e35af9de --- /dev/null +++ b/queue-5.10/arm-dts-imx6ul-pico-dwarf-use-clock-frequency.patch @@ -0,0 +1,37 @@ +From eeb381fa528913e79c3b4f3cad3db246381ebe1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 13:31:23 -0300 +Subject: ARM: dts: imx6ul-pico-dwarf: Use 'clock-frequency' + +From: Fabio Estevam + +[ Upstream commit 94e2cf1e0db5b06c7a6ae0878c5cbec925819a8a ] + +'clock_frequency' is not a valid property. + +Use the correct 'clock-frequency' instead. + +Fixes: 47246fafef84 ("ARM: dts: imx6ul-pico: Add support for the dwarf baseboard") +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx6ul-pico-dwarf.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx6ul-pico-dwarf.dts b/arch/arm/boot/dts/imx6ul-pico-dwarf.dts +index 162dc259edc8..5a74c7f68eb6 100644 +--- a/arch/arm/boot/dts/imx6ul-pico-dwarf.dts ++++ b/arch/arm/boot/dts/imx6ul-pico-dwarf.dts +@@ -32,7 +32,7 @@ sys_mclk: clock-sys-mclk { + }; + + &i2c2 { +- clock_frequency = <100000>; ++ clock-frequency = <100000>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_i2c2>; + status = "okay"; +-- +2.39.0 + diff --git a/queue-5.10/arm-dts-imx7d-pico-use-clock-frequency.patch b/queue-5.10/arm-dts-imx7d-pico-use-clock-frequency.patch new file mode 100644 index 00000000000..f6d2f4439c7 --- /dev/null +++ b/queue-5.10/arm-dts-imx7d-pico-use-clock-frequency.patch @@ -0,0 +1,70 @@ +From 51941977c24d7f85ed96ae7f9e1cd7ca65e691d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 13:31:24 -0300 +Subject: ARM: dts: imx7d-pico: Use 'clock-frequency' + +From: Fabio Estevam + +[ Upstream commit f4dd0845c4f1f5371f1e06fef0e4a1734a2db964 ] + +'clock_frequency' is not a valid property. + +Use the correct 'clock-frequency' instead. + +Fixes: 8b646cfb84c3 ("ARM: dts: imx7d-pico: Add support for the dwarf baseboard") +Fixes: 6418fd92417f ("ARM: dts: imx7d-pico: Add support for the nymph baseboard") +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7d-pico-dwarf.dts | 4 ++-- + arch/arm/boot/dts/imx7d-pico-nymph.dts | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/imx7d-pico-dwarf.dts b/arch/arm/boot/dts/imx7d-pico-dwarf.dts +index 5162fe227d1e..fdc10563f147 100644 +--- a/arch/arm/boot/dts/imx7d-pico-dwarf.dts ++++ b/arch/arm/boot/dts/imx7d-pico-dwarf.dts +@@ -32,7 +32,7 @@ sys_mclk: clock-sys-mclk { + }; + + &i2c1 { +- clock_frequency = <100000>; ++ clock-frequency = <100000>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_i2c1>; + status = "okay"; +@@ -52,7 +52,7 @@ pressure-sensor@60 { + }; + + &i2c4 { +- clock_frequency = <100000>; ++ clock-frequency = <100000>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_i2c1>; + status = "okay"; +diff --git a/arch/arm/boot/dts/imx7d-pico-nymph.dts b/arch/arm/boot/dts/imx7d-pico-nymph.dts +index 104a85254adb..5afb1674e012 100644 +--- a/arch/arm/boot/dts/imx7d-pico-nymph.dts ++++ b/arch/arm/boot/dts/imx7d-pico-nymph.dts +@@ -43,7 +43,7 @@ sys_mclk: clock-sys-mclk { + }; + + &i2c1 { +- clock_frequency = <100000>; ++ clock-frequency = <100000>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_i2c1>; + status = "okay"; +@@ -64,7 +64,7 @@ adc@52 { + }; + + &i2c2 { +- clock_frequency = <100000>; ++ clock-frequency = <100000>; + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_i2c2>; + status = "okay"; +-- +2.39.0 + diff --git a/queue-5.10/arm-imx-add-missing-of_node_put.patch b/queue-5.10/arm-imx-add-missing-of_node_put.patch new file mode 100644 index 00000000000..51c56f5df77 --- /dev/null +++ b/queue-5.10/arm-imx-add-missing-of_node_put.patch @@ -0,0 +1,94 @@ +From 4f2eef13b03537b599e54f5a4c9a9763837e5862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 17:54:03 +0100 +Subject: ARM: imx: add missing of_node_put() + +From: Dario Binacchi + +[ Upstream commit 87b30c4b0efb6a194a7b8eac2568a3da520d905f ] + +Calling of_find_compatible_node() returns a node pointer with refcount +incremented. Use of_node_put() on it when done. +The patch fixes the same problem on different i.MX platforms. + +Fixes: 8b88f7ef31dde ("ARM: mx25: Retrieve IIM base from dt") +Fixes: 94b2bec1b0e05 ("ARM: imx27: Retrieve the SYSCTRL base address from devicetree") +Fixes: 3172225d45bd9 ("ARM: imx31: Retrieve the IIM base address from devicetree") +Fixes: f68ea682d1da7 ("ARM: imx35: Retrieve the IIM base address from devicetree") +Fixes: ee18a7154ee08 ("ARM: imx5: retrieve iim base from device tree") +Signed-off-by: Dario Binacchi +Reviewed-by: Fabio Estevam +Reviewed-by: Martin Kaiser +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/mach-imx/cpu-imx25.c | 1 + + arch/arm/mach-imx/cpu-imx27.c | 1 + + arch/arm/mach-imx/cpu-imx31.c | 1 + + arch/arm/mach-imx/cpu-imx35.c | 1 + + arch/arm/mach-imx/cpu-imx5.c | 1 + + 5 files changed, 5 insertions(+) + +diff --git a/arch/arm/mach-imx/cpu-imx25.c b/arch/arm/mach-imx/cpu-imx25.c +index b2e1963f473d..2ee2d2813d57 100644 +--- a/arch/arm/mach-imx/cpu-imx25.c ++++ b/arch/arm/mach-imx/cpu-imx25.c +@@ -23,6 +23,7 @@ static int mx25_read_cpu_rev(void) + + np = of_find_compatible_node(NULL, NULL, "fsl,imx25-iim"); + iim_base = of_iomap(np, 0); ++ of_node_put(np); + BUG_ON(!iim_base); + rev = readl(iim_base + MXC_IIMSREV); + iounmap(iim_base); +diff --git a/arch/arm/mach-imx/cpu-imx27.c b/arch/arm/mach-imx/cpu-imx27.c +index bf70e13bbe9e..1d2893908368 100644 +--- a/arch/arm/mach-imx/cpu-imx27.c ++++ b/arch/arm/mach-imx/cpu-imx27.c +@@ -28,6 +28,7 @@ static int mx27_read_cpu_rev(void) + + np = of_find_compatible_node(NULL, NULL, "fsl,imx27-ccm"); + ccm_base = of_iomap(np, 0); ++ of_node_put(np); + BUG_ON(!ccm_base); + /* + * now we have access to the IO registers. As we need +diff --git a/arch/arm/mach-imx/cpu-imx31.c b/arch/arm/mach-imx/cpu-imx31.c +index b9c24b851d1a..35c544924e50 100644 +--- a/arch/arm/mach-imx/cpu-imx31.c ++++ b/arch/arm/mach-imx/cpu-imx31.c +@@ -39,6 +39,7 @@ static int mx31_read_cpu_rev(void) + + np = of_find_compatible_node(NULL, NULL, "fsl,imx31-iim"); + iim_base = of_iomap(np, 0); ++ of_node_put(np); + BUG_ON(!iim_base); + + /* read SREV register from IIM module */ +diff --git a/arch/arm/mach-imx/cpu-imx35.c b/arch/arm/mach-imx/cpu-imx35.c +index 80e7d8ab9f1b..1fe75b39c2d9 100644 +--- a/arch/arm/mach-imx/cpu-imx35.c ++++ b/arch/arm/mach-imx/cpu-imx35.c +@@ -21,6 +21,7 @@ static int mx35_read_cpu_rev(void) + + np = of_find_compatible_node(NULL, NULL, "fsl,imx35-iim"); + iim_base = of_iomap(np, 0); ++ of_node_put(np); + BUG_ON(!iim_base); + + rev = imx_readl(iim_base + MXC_IIMSREV); +diff --git a/arch/arm/mach-imx/cpu-imx5.c b/arch/arm/mach-imx/cpu-imx5.c +index ad56263778f9..a67c89bf155d 100644 +--- a/arch/arm/mach-imx/cpu-imx5.c ++++ b/arch/arm/mach-imx/cpu-imx5.c +@@ -28,6 +28,7 @@ static u32 imx5_read_srev_reg(const char *compat) + + np = of_find_compatible_node(NULL, NULL, compat); + iim_base = of_iomap(np, 0); ++ of_node_put(np); + WARN_ON(!iim_base); + + srev = readl(iim_base + IIM_SREV) & 0xff; +-- +2.39.0 + diff --git a/queue-5.10/arm64-dts-imx8mm-beacon-fix-ecspi2-pinmux.patch b/queue-5.10/arm64-dts-imx8mm-beacon-fix-ecspi2-pinmux.patch new file mode 100644 index 00000000000..16c58e90282 --- /dev/null +++ b/queue-5.10/arm64-dts-imx8mm-beacon-fix-ecspi2-pinmux.patch @@ -0,0 +1,48 @@ +From 1a3b4a99d51770c8d19d9adebeb1d2cf281fbb31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 13:10:37 -0600 +Subject: arm64: dts: imx8mm-beacon: Fix ecspi2 pinmux + +From: Adam Ford + +[ Upstream commit 5225ba9db112ec4ed67da5e4d8b72e618573955e ] + +Early hardware did not support hardware handshaking on the UART, but +final production hardware did. When the hardware was updated the chip +select was changed to facilitate hardware handshaking on UART3. Fix the +ecspi2 pin mux to eliminate a pin conflict with UART3 and allow the +EEPROM to operate again. + +Fixes: 4ce01ce36d77 ("arm64: dts: imx8mm-beacon: Enable RTS-CTS on UART3") +Signed-off-by: Adam Ford +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-beacon-baseboard.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-beacon-baseboard.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-beacon-baseboard.dtsi +index 5667009aae13..674a0ab8a539 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-beacon-baseboard.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-beacon-baseboard.dtsi +@@ -70,7 +70,7 @@ sound { + &ecspi2 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_espi2>; +- cs-gpios = <&gpio5 9 GPIO_ACTIVE_LOW>; ++ cs-gpios = <&gpio5 13 GPIO_ACTIVE_LOW>; + status = "okay"; + + eeprom@0 { +@@ -187,7 +187,7 @@ pinctrl_espi2: espi2grp { + MX8MM_IOMUXC_ECSPI2_SCLK_ECSPI2_SCLK 0x82 + MX8MM_IOMUXC_ECSPI2_MOSI_ECSPI2_MOSI 0x82 + MX8MM_IOMUXC_ECSPI2_MISO_ECSPI2_MISO 0x82 +- MX8MM_IOMUXC_ECSPI1_SS0_GPIO5_IO9 0x41 ++ MX8MM_IOMUXC_ECSPI2_SS0_GPIO5_IO13 0x41 + >; + }; + +-- +2.39.0 + diff --git a/queue-5.10/asoc-fsl-asoc-card-fix-naming-of-ac-97-codec-widgets.patch b/queue-5.10/asoc-fsl-asoc-card-fix-naming-of-ac-97-codec-widgets.patch new file mode 100644 index 00000000000..a1ebefe9fb3 --- /dev/null +++ b/queue-5.10/asoc-fsl-asoc-card-fix-naming-of-ac-97-codec-widgets.patch @@ -0,0 +1,42 @@ +From edfcb5f39b1951b8ec22c098af602026e17270da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 23:15:07 +0000 +Subject: ASoC: fsl-asoc-card: Fix naming of AC'97 CODEC widgets + +From: Mark Brown + +[ Upstream commit 242fc66ae6e1e2b8519daacc7590a73cd0e8a6e4 ] + +The fsl-asoc-card AC'97 support currently tries to route to Playback and +Capture widgets provided by the AC'97 CODEC. This doesn't work since the +generic AC'97 driver registers with an "AC97" at the front of the stream +and hence widget names, update to reflect reality. It's not clear to me +if or how this ever worked. + +Acked-by: Shengjiu Wang +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20230106-asoc-udoo-probe-v1-2-a5d7469d4f67@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl-asoc-card.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c +index 8c976fde44f0..9a756d0a6032 100644 +--- a/sound/soc/fsl/fsl-asoc-card.c ++++ b/sound/soc/fsl/fsl-asoc-card.c +@@ -117,8 +117,8 @@ static const struct snd_soc_dapm_route audio_map[] = { + + static const struct snd_soc_dapm_route audio_map_ac97[] = { + /* 1st half -- Normal DAPM routes */ +- {"Playback", NULL, "CPU AC97 Playback"}, +- {"CPU AC97 Capture", NULL, "Capture"}, ++ {"AC97 Playback", NULL, "CPU AC97 Playback"}, ++ {"CPU AC97 Capture", NULL, "AC97 Capture"}, + /* 2nd half -- ASRC DAPM routes */ + {"CPU AC97 Playback", NULL, "ASRC-Playback"}, + {"ASRC-Capture", NULL, "CPU AC97 Capture"}, +-- +2.39.0 + diff --git a/queue-5.10/asoc-fsl_micfil-correct-the-number-of-steps-on-sx-co.patch b/queue-5.10/asoc-fsl_micfil-correct-the-number-of-steps-on-sx-co.patch new file mode 100644 index 00000000000..d46ffdb0f2a --- /dev/null +++ b/queue-5.10/asoc-fsl_micfil-correct-the-number-of-steps-on-sx-co.patch @@ -0,0 +1,59 @@ +From 3ba9804508fb8d01240595a6a89360e08643f72b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 10:57:54 +0800 +Subject: ASoC: fsl_micfil: Correct the number of steps on SX controls + +From: Chancel Liu + +[ Upstream commit cdfa92eb90f5770b26a79824ef213ebdbbd988b1 ] + +The parameter "max" of SOC_SINGLE_SX_TLV() means the number of steps +rather than maximum value. This patch corrects the minimum value to -8 +and the number of steps to 15. + +Signed-off-by: Chancel Liu +Acked-by: Shengjiu Wang +Link: https://lore.kernel.org/r/20230104025754.3019235-1-chancel.liu@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_micfil.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/fsl/fsl_micfil.c b/sound/soc/fsl/fsl_micfil.c +index 6c794605e33c..97f83c63e765 100644 +--- a/sound/soc/fsl/fsl_micfil.c ++++ b/sound/soc/fsl/fsl_micfil.c +@@ -87,21 +87,21 @@ static DECLARE_TLV_DB_SCALE(gain_tlv, 0, 100, 0); + + static const struct snd_kcontrol_new fsl_micfil_snd_controls[] = { + SOC_SINGLE_SX_TLV("CH0 Volume", REG_MICFIL_OUT_CTRL, +- MICFIL_OUTGAIN_CHX_SHIFT(0), 0xF, 0x7, gain_tlv), ++ MICFIL_OUTGAIN_CHX_SHIFT(0), 0x8, 0xF, gain_tlv), + SOC_SINGLE_SX_TLV("CH1 Volume", REG_MICFIL_OUT_CTRL, +- MICFIL_OUTGAIN_CHX_SHIFT(1), 0xF, 0x7, gain_tlv), ++ MICFIL_OUTGAIN_CHX_SHIFT(1), 0x8, 0xF, gain_tlv), + SOC_SINGLE_SX_TLV("CH2 Volume", REG_MICFIL_OUT_CTRL, +- MICFIL_OUTGAIN_CHX_SHIFT(2), 0xF, 0x7, gain_tlv), ++ MICFIL_OUTGAIN_CHX_SHIFT(2), 0x8, 0xF, gain_tlv), + SOC_SINGLE_SX_TLV("CH3 Volume", REG_MICFIL_OUT_CTRL, +- MICFIL_OUTGAIN_CHX_SHIFT(3), 0xF, 0x7, gain_tlv), ++ MICFIL_OUTGAIN_CHX_SHIFT(3), 0x8, 0xF, gain_tlv), + SOC_SINGLE_SX_TLV("CH4 Volume", REG_MICFIL_OUT_CTRL, +- MICFIL_OUTGAIN_CHX_SHIFT(4), 0xF, 0x7, gain_tlv), ++ MICFIL_OUTGAIN_CHX_SHIFT(4), 0x8, 0xF, gain_tlv), + SOC_SINGLE_SX_TLV("CH5 Volume", REG_MICFIL_OUT_CTRL, +- MICFIL_OUTGAIN_CHX_SHIFT(5), 0xF, 0x7, gain_tlv), ++ MICFIL_OUTGAIN_CHX_SHIFT(5), 0x8, 0xF, gain_tlv), + SOC_SINGLE_SX_TLV("CH6 Volume", REG_MICFIL_OUT_CTRL, +- MICFIL_OUTGAIN_CHX_SHIFT(6), 0xF, 0x7, gain_tlv), ++ MICFIL_OUTGAIN_CHX_SHIFT(6), 0x8, 0xF, gain_tlv), + SOC_SINGLE_SX_TLV("CH7 Volume", REG_MICFIL_OUT_CTRL, +- MICFIL_OUTGAIN_CHX_SHIFT(7), 0xF, 0x7, gain_tlv), ++ MICFIL_OUTGAIN_CHX_SHIFT(7), 0x8, 0xF, gain_tlv), + SOC_ENUM_EXT("MICFIL Quality Select", + fsl_micfil_quality_enum, + snd_soc_get_enum_double, snd_soc_put_enum_double), +-- +2.39.0 + diff --git a/queue-5.10/asoc-fsl_ssi-rename-ac-97-streams-to-avoid-collision.patch b/queue-5.10/asoc-fsl_ssi-rename-ac-97-streams-to-avoid-collision.patch new file mode 100644 index 00000000000..47bc6dc3d70 --- /dev/null +++ b/queue-5.10/asoc-fsl_ssi-rename-ac-97-streams-to-avoid-collision.patch @@ -0,0 +1,70 @@ +From 3d996a5a33d5c8f921cddc453f0e32a2c55fca4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 23:15:06 +0000 +Subject: ASoC: fsl_ssi: Rename AC'97 streams to avoid collisions with AC'97 + CODEC + +From: Mark Brown + +[ Upstream commit 8c6a42b5b0ed6f96624f56954e93eeae107440a6 ] + +The SSI driver calls the AC'97 playback and transmit streams "AC97 Playback" +and "AC97 Capture" respectively. This is the same name used by the generic +AC'97 CODEC driver in ASoC, creating confusion for the Freescale ASoC card +when it attempts to use these widgets in routing. Add a "CPU" in the name +like the regular DAIs registered by the driver to disambiguate. + +Acked-by: Shengjiu Wang +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20230106-asoc-udoo-probe-v1-1-a5d7469d4f67@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl-asoc-card.c | 8 ++++---- + sound/soc/fsl/fsl_ssi.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/sound/soc/fsl/fsl-asoc-card.c b/sound/soc/fsl/fsl-asoc-card.c +index 7cd14d6b9436..8c976fde44f0 100644 +--- a/sound/soc/fsl/fsl-asoc-card.c ++++ b/sound/soc/fsl/fsl-asoc-card.c +@@ -117,11 +117,11 @@ static const struct snd_soc_dapm_route audio_map[] = { + + static const struct snd_soc_dapm_route audio_map_ac97[] = { + /* 1st half -- Normal DAPM routes */ +- {"Playback", NULL, "AC97 Playback"}, +- {"AC97 Capture", NULL, "Capture"}, ++ {"Playback", NULL, "CPU AC97 Playback"}, ++ {"CPU AC97 Capture", NULL, "Capture"}, + /* 2nd half -- ASRC DAPM routes */ +- {"AC97 Playback", NULL, "ASRC-Playback"}, +- {"ASRC-Capture", NULL, "AC97 Capture"}, ++ {"CPU AC97 Playback", NULL, "ASRC-Playback"}, ++ {"ASRC-Capture", NULL, "CPU AC97 Capture"}, + }; + + static const struct snd_soc_dapm_route audio_map_tx[] = { +diff --git a/sound/soc/fsl/fsl_ssi.c b/sound/soc/fsl/fsl_ssi.c +index 1d774c876c52..94229ce1a30e 100644 +--- a/sound/soc/fsl/fsl_ssi.c ++++ b/sound/soc/fsl/fsl_ssi.c +@@ -1161,14 +1161,14 @@ static struct snd_soc_dai_driver fsl_ssi_ac97_dai = { + .symmetric_channels = 1, + .probe = fsl_ssi_dai_probe, + .playback = { +- .stream_name = "AC97 Playback", ++ .stream_name = "CPU AC97 Playback", + .channels_min = 2, + .channels_max = 2, + .rates = SNDRV_PCM_RATE_8000_48000, + .formats = SNDRV_PCM_FMTBIT_S16 | SNDRV_PCM_FMTBIT_S20, + }, + .capture = { +- .stream_name = "AC97 Capture", ++ .stream_name = "CPU AC97 Capture", + .channels_min = 2, + .channels_max = 2, + .rates = SNDRV_PCM_RATE_48000, +-- +2.39.0 + diff --git a/queue-5.10/bpf-fix-pointer-leak-due-to-insufficient-speculative.patch b/queue-5.10/bpf-fix-pointer-leak-due-to-insufficient-speculative.patch new file mode 100644 index 00000000000..c314f3fc733 --- /dev/null +++ b/queue-5.10/bpf-fix-pointer-leak-due-to-insufficient-speculative.patch @@ -0,0 +1,109 @@ +From e4da9b93e3c92fb6e546cbe1f4ee03674bd44fd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 16:05:46 +0100 +Subject: bpf: Fix pointer-leak due to insufficient speculative store bypass + mitigation + +From: Luis Gerhorst + +[ Upstream commit e4f4db47794c9f474b184ee1418f42e6a07412b6 ] + +To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to +insufficient speculative store bypass mitigation") inserts lfence +instructions after 1) initializing a stack slot and 2) spilling a +pointer to the stack. + +However, this does not cover cases where a stack slot is first +initialized with a pointer (subject to sanitization) but then +overwritten with a scalar (not subject to sanitization because +the slot was already initialized). In this case, the second write +may be subject to speculative store bypass (SSB) creating a +speculative pointer-as-scalar type confusion. This allows the +program to subsequently leak the numerical pointer value using, +for example, a branch-based cache side channel. + +To fix this, also sanitize scalars if they write a stack slot +that previously contained a pointer. Assuming that pointer-spills +are only generated by LLVM on register-pressure, the performance +impact on most real-world BPF programs should be small. + +The following unprivileged BPF bytecode drafts a minimal exploit +and the mitigation: + + [...] + // r6 = 0 or 1 (skalar, unknown user input) + // r7 = accessible ptr for side channel + // r10 = frame pointer (fp), to be leaked + // + r9 = r10 # fp alias to encourage ssb + *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked + // lfence added here because of pointer spill to stack. + // + // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor + // for no r9-r10 dependency. + // + *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr + // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID, + // store may be subject to SSB + // + // fix: also add an lfence when the slot contained a ptr + // + r8 = *(u64 *)(r9 - 8) + // r8 = architecturally a scalar, speculatively a ptr + // + // leak ptr using branch-based cache side channel: + r8 &= 1 // choose bit to leak + if r8 == 0 goto SLOW // no mispredict + // architecturally dead code if input r6 is 0, + // only executes speculatively iff ptr bit is 1 + r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast) +SLOW: + [...] + +After running this, the program can time the access to *(r7 + 0) to +determine whether the chosen pointer bit was 0 or 1. Repeat this 64 +times to recover the whole address on amd64. + +In summary, sanitization can only be skipped if one scalar is +overwritten with another scalar. Scalar-confusion due to speculative +store bypass can not lead to invalid accesses because the pointer +bounds deducted during verification are enforced using branchless +logic. See 979d63d50c0c ("bpf: prevent out of bounds speculation on +pointer arithmetic") for details. + +Do not make the mitigation depend on !env->allow_{uninit_stack,ptr_leaks} +because speculative leaks are likely unexpected if these were enabled. +For example, leaking the address to a protected log file may be acceptable +while disabling the mitigation might unintentionally leak the address +into the cached-state of a map that is accessible to unprivileged +processes. + +Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation") +Signed-off-by: Luis Gerhorst +Signed-off-by: Daniel Borkmann +Acked-by: Henriette Hofmeier +Link: https://lore.kernel.org/bpf/edc95bad-aada-9cfc-ffe2-fa9bb206583c@cs.fau.de +Link: https://lore.kernel.org/bpf/20230109150544.41465-1-gerhorst@cs.fau.de +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 232c93357b90..a6c931fed39b 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2319,7 +2319,9 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, + bool sanitize = reg && is_spillable_regtype(reg->type); + + for (i = 0; i < size; i++) { +- if (state->stack[spi].slot_type[i] == STACK_INVALID) { ++ u8 type = state->stack[spi].slot_type[i]; ++ ++ if (type != STACK_MISC && type != STACK_ZERO) { + sanitize = true; + break; + } +-- +2.39.0 + diff --git a/queue-5.10/clk-generalize-devm_clk_get-a-bit.patch b/queue-5.10/clk-generalize-devm_clk_get-a-bit.patch new file mode 100644 index 00000000000..37fe3f71c79 --- /dev/null +++ b/queue-5.10/clk-generalize-devm_clk_get-a-bit.patch @@ -0,0 +1,124 @@ +From f201f3bcfbc211423ff996cd2cf2ee194194220d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 May 2022 09:57:35 +0200 +Subject: clk: generalize devm_clk_get() a bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit abae8e57e49aa75f6db76aa866c775721523908f ] + +Allow to add an exit hook to devm managed clocks. Also use +clk_get_optional() in devm_clk_get_optional instead of open coding it. +The generalisation will be used in the next commit to add some more +devm_clk helpers. + +Reviewed-by: Jonathan Cameron +Reviewed-by: Alexandru Ardelean +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20220520075737.758761-3-u.kleine-koenig@pengutronix.de +Signed-off-by: Stephen Boyd +Stable-dep-of: 340cb392a038 ("memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe()") +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-devres.c | 66 +++++++++++++++++++++++++++++----------- + 1 file changed, 49 insertions(+), 17 deletions(-) + +diff --git a/drivers/clk/clk-devres.c b/drivers/clk/clk-devres.c +index f9d5b7334341..c822f4ef1584 100644 +--- a/drivers/clk/clk-devres.c ++++ b/drivers/clk/clk-devres.c +@@ -4,39 +4,71 @@ + #include + #include + ++struct devm_clk_state { ++ struct clk *clk; ++ void (*exit)(struct clk *clk); ++}; ++ + static void devm_clk_release(struct device *dev, void *res) + { +- clk_put(*(struct clk **)res); ++ struct devm_clk_state *state = *(struct devm_clk_state **)res; ++ ++ if (state->exit) ++ state->exit(state->clk); ++ ++ clk_put(state->clk); + } + +-struct clk *devm_clk_get(struct device *dev, const char *id) ++static struct clk *__devm_clk_get(struct device *dev, const char *id, ++ struct clk *(*get)(struct device *dev, const char *id), ++ int (*init)(struct clk *clk), ++ void (*exit)(struct clk *clk)) + { +- struct clk **ptr, *clk; ++ struct devm_clk_state *state; ++ struct clk *clk; ++ int ret; + +- ptr = devres_alloc(devm_clk_release, sizeof(*ptr), GFP_KERNEL); +- if (!ptr) ++ state = devres_alloc(devm_clk_release, sizeof(*state), GFP_KERNEL); ++ if (!state) + return ERR_PTR(-ENOMEM); + +- clk = clk_get(dev, id); +- if (!IS_ERR(clk)) { +- *ptr = clk; +- devres_add(dev, ptr); +- } else { +- devres_free(ptr); ++ clk = get(dev, id); ++ if (IS_ERR(clk)) { ++ ret = PTR_ERR(clk); ++ goto err_clk_get; + } + ++ if (init) { ++ ret = init(clk); ++ if (ret) ++ goto err_clk_init; ++ } ++ ++ state->clk = clk; ++ state->exit = exit; ++ ++ devres_add(dev, state); ++ + return clk; ++ ++err_clk_init: ++ ++ clk_put(clk); ++err_clk_get: ++ ++ devres_free(state); ++ return ERR_PTR(ret); ++} ++ ++struct clk *devm_clk_get(struct device *dev, const char *id) ++{ ++ return __devm_clk_get(dev, id, clk_get, NULL, NULL); + } + EXPORT_SYMBOL(devm_clk_get); + + struct clk *devm_clk_get_optional(struct device *dev, const char *id) + { +- struct clk *clk = devm_clk_get(dev, id); +- +- if (clk == ERR_PTR(-ENOENT)) +- return NULL; +- +- return clk; ++ return __devm_clk_get(dev, id, clk_get_optional, NULL, NULL); + } + EXPORT_SYMBOL(devm_clk_get_optional); + +-- +2.39.0 + diff --git a/queue-5.10/clk-provide-new-devm_clk-helpers-for-prepared-and-en.patch b/queue-5.10/clk-provide-new-devm_clk-helpers-for-prepared-and-en.patch new file mode 100644 index 00000000000..42924057798 --- /dev/null +++ b/queue-5.10/clk-provide-new-devm_clk-helpers-for-prepared-and-en.patch @@ -0,0 +1,214 @@ +From 2bb94184fe6c21fb66ca91cf054740580aab55c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 May 2022 09:57:36 +0200 +Subject: clk: Provide new devm_clk helpers for prepared and enabled clocks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 7ef9651e9792b08eb310c6beb202cbc947f43cab ] + +When a driver keeps a clock prepared (or enabled) during the whole +lifetime of the driver, these helpers allow to simplify the drivers. + +Reviewed-by: Jonathan Cameron +Reviewed-by: Alexandru Ardelean +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20220520075737.758761-4-u.kleine-koenig@pengutronix.de +Signed-off-by: Stephen Boyd +Stable-dep-of: 340cb392a038 ("memory: atmel-sdramc: Fix missing clk_disable_unprepare in atmel_ramc_probe()") +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-devres.c | 27 ++++++++++ + include/linux/clk.h | 109 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 136 insertions(+) + +diff --git a/drivers/clk/clk-devres.c b/drivers/clk/clk-devres.c +index c822f4ef1584..43ccd20e0298 100644 +--- a/drivers/clk/clk-devres.c ++++ b/drivers/clk/clk-devres.c +@@ -66,12 +66,39 @@ struct clk *devm_clk_get(struct device *dev, const char *id) + } + EXPORT_SYMBOL(devm_clk_get); + ++struct clk *devm_clk_get_prepared(struct device *dev, const char *id) ++{ ++ return __devm_clk_get(dev, id, clk_get, clk_prepare, clk_unprepare); ++} ++EXPORT_SYMBOL_GPL(devm_clk_get_prepared); ++ ++struct clk *devm_clk_get_enabled(struct device *dev, const char *id) ++{ ++ return __devm_clk_get(dev, id, clk_get, ++ clk_prepare_enable, clk_disable_unprepare); ++} ++EXPORT_SYMBOL_GPL(devm_clk_get_enabled); ++ + struct clk *devm_clk_get_optional(struct device *dev, const char *id) + { + return __devm_clk_get(dev, id, clk_get_optional, NULL, NULL); + } + EXPORT_SYMBOL(devm_clk_get_optional); + ++struct clk *devm_clk_get_optional_prepared(struct device *dev, const char *id) ++{ ++ return __devm_clk_get(dev, id, clk_get_optional, ++ clk_prepare, clk_unprepare); ++} ++EXPORT_SYMBOL_GPL(devm_clk_get_optional_prepared); ++ ++struct clk *devm_clk_get_optional_enabled(struct device *dev, const char *id) ++{ ++ return __devm_clk_get(dev, id, clk_get_optional, ++ clk_prepare_enable, clk_disable_unprepare); ++} ++EXPORT_SYMBOL_GPL(devm_clk_get_optional_enabled); ++ + struct clk_bulk_devres { + struct clk_bulk_data *clks; + int num_clks; +diff --git a/include/linux/clk.h b/include/linux/clk.h +index 7fd6a1febcf4..1814eabb7c20 100644 +--- a/include/linux/clk.h ++++ b/include/linux/clk.h +@@ -418,6 +418,47 @@ int __must_check devm_clk_bulk_get_all(struct device *dev, + */ + struct clk *devm_clk_get(struct device *dev, const char *id); + ++/** ++ * devm_clk_get_prepared - devm_clk_get() + clk_prepare() ++ * @dev: device for clock "consumer" ++ * @id: clock consumer ID ++ * ++ * Context: May sleep. ++ * ++ * Return: a struct clk corresponding to the clock producer, or ++ * valid IS_ERR() condition containing errno. The implementation ++ * uses @dev and @id to determine the clock consumer, and thereby ++ * the clock producer. (IOW, @id may be identical strings, but ++ * clk_get may return different clock producers depending on @dev.) ++ * ++ * The returned clk (if valid) is prepared. Drivers must however assume ++ * that the clock is not enabled. ++ * ++ * The clock will automatically be unprepared and freed when the device ++ * is unbound from the bus. ++ */ ++struct clk *devm_clk_get_prepared(struct device *dev, const char *id); ++ ++/** ++ * devm_clk_get_enabled - devm_clk_get() + clk_prepare_enable() ++ * @dev: device for clock "consumer" ++ * @id: clock consumer ID ++ * ++ * Context: May sleep. ++ * ++ * Return: a struct clk corresponding to the clock producer, or ++ * valid IS_ERR() condition containing errno. The implementation ++ * uses @dev and @id to determine the clock consumer, and thereby ++ * the clock producer. (IOW, @id may be identical strings, but ++ * clk_get may return different clock producers depending on @dev.) ++ * ++ * The returned clk (if valid) is prepared and enabled. ++ * ++ * The clock will automatically be disabled, unprepared and freed ++ * when the device is unbound from the bus. ++ */ ++struct clk *devm_clk_get_enabled(struct device *dev, const char *id); ++ + /** + * devm_clk_get_optional - lookup and obtain a managed reference to an optional + * clock producer. +@@ -429,6 +470,50 @@ struct clk *devm_clk_get(struct device *dev, const char *id); + */ + struct clk *devm_clk_get_optional(struct device *dev, const char *id); + ++/** ++ * devm_clk_get_optional_prepared - devm_clk_get_optional() + clk_prepare() ++ * @dev: device for clock "consumer" ++ * @id: clock consumer ID ++ * ++ * Context: May sleep. ++ * ++ * Return: a struct clk corresponding to the clock producer, or ++ * valid IS_ERR() condition containing errno. The implementation ++ * uses @dev and @id to determine the clock consumer, and thereby ++ * the clock producer. If no such clk is found, it returns NULL ++ * which serves as a dummy clk. That's the only difference compared ++ * to devm_clk_get_prepared(). ++ * ++ * The returned clk (if valid) is prepared. Drivers must however ++ * assume that the clock is not enabled. ++ * ++ * The clock will automatically be unprepared and freed when the ++ * device is unbound from the bus. ++ */ ++struct clk *devm_clk_get_optional_prepared(struct device *dev, const char *id); ++ ++/** ++ * devm_clk_get_optional_enabled - devm_clk_get_optional() + ++ * clk_prepare_enable() ++ * @dev: device for clock "consumer" ++ * @id: clock consumer ID ++ * ++ * Context: May sleep. ++ * ++ * Return: a struct clk corresponding to the clock producer, or ++ * valid IS_ERR() condition containing errno. The implementation ++ * uses @dev and @id to determine the clock consumer, and thereby ++ * the clock producer. If no such clk is found, it returns NULL ++ * which serves as a dummy clk. That's the only difference compared ++ * to devm_clk_get_enabled(). ++ * ++ * The returned clk (if valid) is prepared and enabled. ++ * ++ * The clock will automatically be disabled, unprepared and freed ++ * when the device is unbound from the bus. ++ */ ++struct clk *devm_clk_get_optional_enabled(struct device *dev, const char *id); ++ + /** + * devm_get_clk_from_child - lookup and obtain a managed reference to a + * clock producer from child node. +@@ -773,12 +858,36 @@ static inline struct clk *devm_clk_get(struct device *dev, const char *id) + return NULL; + } + ++static inline struct clk *devm_clk_get_prepared(struct device *dev, ++ const char *id) ++{ ++ return NULL; ++} ++ ++static inline struct clk *devm_clk_get_enabled(struct device *dev, ++ const char *id) ++{ ++ return NULL; ++} ++ + static inline struct clk *devm_clk_get_optional(struct device *dev, + const char *id) + { + return NULL; + } + ++static inline struct clk *devm_clk_get_optional_prepared(struct device *dev, ++ const char *id) ++{ ++ return NULL; ++} ++ ++static inline struct clk *devm_clk_get_optional_enabled(struct device *dev, ++ const char *id) ++{ ++ return NULL; ++} ++ + static inline int __must_check devm_clk_bulk_get(struct device *dev, int num_clks, + struct clk_bulk_data *clks) + { +-- +2.39.0 + diff --git a/queue-5.10/cpufreq-add-tegra234-to-cpufreq-dt-platdev-blocklist.patch b/queue-5.10/cpufreq-add-tegra234-to-cpufreq-dt-platdev-blocklist.patch new file mode 100644 index 00000000000..f8ebd61e3d2 --- /dev/null +++ b/queue-5.10/cpufreq-add-tegra234-to-cpufreq-dt-platdev-blocklist.patch @@ -0,0 +1,35 @@ +From 11eceb38c8063644b558c445131ae8bc948844ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Dec 2022 21:32:37 +0530 +Subject: cpufreq: Add Tegra234 to cpufreq-dt-platdev blocklist + +From: Sumit Gupta + +[ Upstream commit 01c5bb0cc2a39fbc56ff9a5ef28b79447f0c2351 ] + +Tegra234 platform uses the tegra194-cpufreq driver, so add it +to the blocklist in cpufreq-dt-platdev driver to avoid the cpufreq +driver registration from there. + +Signed-off-by: Sumit Gupta +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq-dt-platdev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/cpufreq/cpufreq-dt-platdev.c b/drivers/cpufreq/cpufreq-dt-platdev.c +index a3734014db47..aea285651fba 100644 +--- a/drivers/cpufreq/cpufreq-dt-platdev.c ++++ b/drivers/cpufreq/cpufreq-dt-platdev.c +@@ -130,6 +130,7 @@ static const struct of_device_id blacklist[] __initconst = { + { .compatible = "nvidia,tegra30", }, + { .compatible = "nvidia,tegra124", }, + { .compatible = "nvidia,tegra210", }, ++ { .compatible = "nvidia,tegra234", }, + + { .compatible = "qcom,apq8096", }, + { .compatible = "qcom,msm8996", }, +-- +2.39.0 + diff --git a/queue-5.10/cpufreq-armada-37xx-stop-using-0-as-null-pointer.patch b/queue-5.10/cpufreq-armada-37xx-stop-using-0-as-null-pointer.patch new file mode 100644 index 00000000000..ea29e79de45 --- /dev/null +++ b/queue-5.10/cpufreq-armada-37xx-stop-using-0-as-null-pointer.patch @@ -0,0 +1,35 @@ +From 46b7d9ddcf679f964809754ffde4cb327bb83f5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 11:12:52 +0800 +Subject: cpufreq: armada-37xx: stop using 0 as NULL pointer + +From: Miles Chen + +[ Upstream commit 08f0adb193c008de640fde34a2e00a666c01d77c ] + +Use NULL for NULL pointer to fix the following sparse warning: +drivers/cpufreq/armada-37xx-cpufreq.c:448:32: sparse: warning: Using plain integer as NULL pointer + +Signed-off-by: Miles Chen +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/armada-37xx-cpufreq.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/armada-37xx-cpufreq.c b/drivers/cpufreq/armada-37xx-cpufreq.c +index 2de7fd18f66a..f0be8a43ec49 100644 +--- a/drivers/cpufreq/armada-37xx-cpufreq.c ++++ b/drivers/cpufreq/armada-37xx-cpufreq.c +@@ -443,7 +443,7 @@ static int __init armada37xx_cpufreq_driver_init(void) + return -ENODEV; + } + +- clk = clk_get(cpu_dev, 0); ++ clk = clk_get(cpu_dev, NULL); + if (IS_ERR(clk)) { + dev_err(cpu_dev, "Cannot get clock for CPU0\n"); + return PTR_ERR(clk); +-- +2.39.0 + diff --git a/queue-5.10/dmaengine-fix-double-increment-of-client_count-in-dm.patch b/queue-5.10/dmaengine-fix-double-increment-of-client_count-in-dm.patch new file mode 100644 index 00000000000..a43108b6b08 --- /dev/null +++ b/queue-5.10/dmaengine-fix-double-increment-of-client_count-in-dm.patch @@ -0,0 +1,126 @@ +From 8f262c55f923380518e5f484b9ae5a7e2f227f9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 11:00:50 +0800 +Subject: dmaengine: Fix double increment of client_count in dma_chan_get() + +From: Koba Ko + +[ Upstream commit f3dc1b3b4750851a94212dba249703dd0e50bb20 ] + +The first time dma_chan_get() is called for a channel the channel +client_count is incorrectly incremented twice for public channels, +first in balance_ref_count(), and again prior to returning. This +results in an incorrect client count which will lead to the +channel resources not being freed when they should be. A simple + test of repeated module load and unload of async_tx on a Dell + Power Edge R7425 also shows this resulting in a kref underflow + warning. + +[ 124.329662] async_tx: api initialized (async) +[ 129.000627] async_tx: api initialized (async) +[ 130.047839] ------------[ cut here ]------------ +[ 130.052472] refcount_t: underflow; use-after-free. +[ 130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28 +refcount_warn_saturate+0xba/0x110 +[ 130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr +intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm +mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si +syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops +k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat +fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul +libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas +i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash +dm_log dm_mod [last unloaded: async_tx] +[ 130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not +tainted 5.14.0-185.el9.x86_64 #1 +[ 130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS +1.18.0 01/17/2022 +[ 130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110 +[ 130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d +26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a +bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff +48 c7 +[ 130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286 +[ 130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000 +[ 130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0 +[ 130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff +[ 130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970 +[ 130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 +[ 130.198739] FS: 00007f646435c740(0000) GS:ffff9daf9de00000(0000) +knlGS:0000000000000000 +[ 130.206832] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0 +[ 130.219729] Call Trace: +[ 130.222192] +[ 130.224305] dma_chan_put+0x10d/0x110 +[ 130.227988] dmaengine_put+0x7a/0xa0 +[ 130.231575] __do_sys_delete_module.constprop.0+0x178/0x280 +[ 130.237157] ? syscall_trace_enter.constprop.0+0x145/0x1d0 +[ 130.242652] do_syscall_64+0x5c/0x90 +[ 130.246240] ? exc_page_fault+0x62/0x150 +[ 130.250178] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[ 130.255243] RIP: 0033:0x7f6463a3f5ab +[ 130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48 +83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 +00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89 +01 48 +[ 130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX: +00000000000000b0 +[ 130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab +[ 130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8 +[ 130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000 +[ 130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8 +[ 130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8 +[ 130.320875] +[ 130.323081] ---[ end trace eff7156d56b5cf25 ]--- + +cat /sys/class/dma/dma0chan*/in_use would get the wrong result. +2 +2 +2 + +Fixes: d2f4f99db3e9 ("dmaengine: Rework dma_chan_get") +Signed-off-by: Koba Ko +Reviewed-by: Jie Hai +Test-by: Jie Hai +Reviewed-by: Jerry Snitselaar +Reviewed-by: Dave Jiang +Tested-by: Joel Savitz +Link: https://lore.kernel.org/r/20221201030050.978595-1-koba.ko@canonical.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmaengine.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c +index af3ee288bc11..4ec7bb58c195 100644 +--- a/drivers/dma/dmaengine.c ++++ b/drivers/dma/dmaengine.c +@@ -451,7 +451,8 @@ static int dma_chan_get(struct dma_chan *chan) + /* The channel is already in use, update client count */ + if (chan->client_count) { + __module_get(owner); +- goto out; ++ chan->client_count++; ++ return 0; + } + + if (!try_module_get(owner)) +@@ -470,11 +471,11 @@ static int dma_chan_get(struct dma_chan *chan) + goto err_out; + } + ++ chan->client_count++; ++ + if (!dma_has_cap(DMA_PRIVATE, chan->device->cap_mask)) + balance_ref_count(chan); + +-out: +- chan->client_count++; + return 0; + + err_out: +-- +2.39.0 + diff --git a/queue-5.10/dmaengine-xilinx_dma-call-of_node_put-when-breaking-.patch b/queue-5.10/dmaengine-xilinx_dma-call-of_node_put-when-breaking-.patch new file mode 100644 index 00000000000..17a2bafcc5b --- /dev/null +++ b/queue-5.10/dmaengine-xilinx_dma-call-of_node_put-when-breaking-.patch @@ -0,0 +1,42 @@ +From a1a9d2c9e7b2adf0afdc796d7b1b1fa23c21e81b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 10:16:12 +0800 +Subject: dmaengine: xilinx_dma: call of_node_put() when breaking out of + for_each_child_of_node() + +From: Liu Shixin + +[ Upstream commit 596b53ccc36a546ab28e8897315c5b4d1d5a0200 ] + +Since for_each_child_of_node() will increase the refcount of node, we need +to call of_node_put() manually when breaking out of the iteration. + +Fixes: 9cd4360de609 ("dma: Add Xilinx AXI Video Direct Memory Access Engine driver support") +Signed-off-by: Liu Shixin +Acked-by: Peter Korsgaard +Link: https://lore.kernel.org/r/20221122021612.1908866-1-liushixin2@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/xilinx_dma.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c +index e76adc31ab66..12ad4bb3c5f2 100644 +--- a/drivers/dma/xilinx/xilinx_dma.c ++++ b/drivers/dma/xilinx/xilinx_dma.c +@@ -3119,8 +3119,10 @@ static int xilinx_dma_probe(struct platform_device *pdev) + /* Initialize the channels */ + for_each_child_of_node(node, child) { + err = xilinx_dma_child_probe(xdev, child); +- if (err < 0) ++ if (err < 0) { ++ of_node_put(child); + goto error; ++ } + } + + if (xdev->dma_config->dmatype == XDMA_TYPE_VDMA) { +-- +2.39.0 + diff --git a/queue-5.10/driver-core-fix-test_async_probe_init-saves-device-i.patch b/queue-5.10/driver-core-fix-test_async_probe_init-saves-device-i.patch new file mode 100644 index 00000000000..27a5bddfc0a --- /dev/null +++ b/queue-5.10/driver-core-fix-test_async_probe_init-saves-device-i.patch @@ -0,0 +1,46 @@ +From cf0b8a5b8af0b23655a9b9fef7caf6f29d3847ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 14:35:41 +0800 +Subject: driver core: Fix test_async_probe_init saves device in wrong array + +From: Chen Zhongjin + +[ Upstream commit 9be182da0a7526f1b9a3777a336f83baa2e64d23 ] + +In test_async_probe_init, second set of asynchronous devices are saved +in sync_dev[sync_id], which should be async_dev[async_id]. +This makes these devices not unregistered when exit. + +> modprobe test_async_driver_probe && \ +> modprobe -r test_async_driver_probe && \ +> modprobe test_async_driver_probe + ... +> sysfs: cannot create duplicate filename '/devices/platform/test_async_driver.4' +> kobject_add_internal failed for test_async_driver.4 with -EEXIST, + don't try to register things with the same name in the same directory. + +Fixes: 57ea974fb871 ("driver core: Rewrite test_async_driver_probe to cover serialization and NUMA affinity") +Signed-off-by: Chen Zhongjin +Link: https://lore.kernel.org/r/20221125063541.241328-1-chenzhongjin@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/test/test_async_driver_probe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/test/test_async_driver_probe.c b/drivers/base/test/test_async_driver_probe.c +index 3bb7beb127a9..c157a912d673 100644 +--- a/drivers/base/test/test_async_driver_probe.c ++++ b/drivers/base/test/test_async_driver_probe.c +@@ -146,7 +146,7 @@ static int __init test_async_probe_init(void) + calltime = ktime_get(); + for_each_online_cpu(cpu) { + nid = cpu_to_node(cpu); +- pdev = &sync_dev[sync_id]; ++ pdev = &async_dev[async_id]; + + *pdev = test_platform_device_register_node("test_async_driver", + async_id, +-- +2.39.0 + diff --git a/queue-5.10/drm-add-orientation-quirk-for-lenovo-ideapad-d330-10.patch b/queue-5.10/drm-add-orientation-quirk-for-lenovo-ideapad-d330-10.patch new file mode 100644 index 00000000000..ac39520b711 --- /dev/null +++ b/queue-5.10/drm-add-orientation-quirk-for-lenovo-ideapad-d330-10.patch @@ -0,0 +1,39 @@ +From 0ce4b7411ee8d9a09bbfe14f43fdcd5d2616680b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Dec 2022 15:58:26 -0500 +Subject: drm: Add orientation quirk for Lenovo ideapad D330-10IGL + +From: Patrick Thompson + +[ Upstream commit 0688773f0710528e1ab302c3d6317e269f2e2e6e ] + +Panel is 800x1280 but mounted on a detachable form factor sideways. + +Signed-off-by: Patrick Thompson +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20221220205826.178008-1-ptf@google.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index ca0fefeaab20..ce739ba45c55 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -272,6 +272,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"), + }, + .driver_data = (void *)&lcd1200x1920_rightside_up, ++ }, { /* Lenovo Ideapad D330-10IGL (HD) */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGL"), ++ }, ++ .driver_data = (void *)&lcd800x1280_rightside_up, + }, { /* Lenovo Yoga Book X90F / X91F / X91L */ + .matches = { + /* Non exact match to match all versions */ +-- +2.39.0 + diff --git a/queue-5.10/drm-panfrost-fix-generic_atomic64-dependency.patch b/queue-5.10/drm-panfrost-fix-generic_atomic64-dependency.patch new file mode 100644 index 00000000000..b3c5c3f83b4 --- /dev/null +++ b/queue-5.10/drm-panfrost-fix-generic_atomic64-dependency.patch @@ -0,0 +1,45 @@ +From 9b454168c443f0545dc0cdb8d9ea6394c53fa41f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 17:44:43 +0100 +Subject: drm/panfrost: fix GENERIC_ATOMIC64 dependency + +From: Arnd Bergmann + +[ Upstream commit 6437a549ae178a3f5a5c03e983f291ebcdc2bbc7 ] + +On ARMv5 and earlier, a randconfig build can still run into + +WARNING: unmet direct dependencies detected for IOMMU_IO_PGTABLE_LPAE + Depends on [n]: IOMMU_SUPPORT [=y] && (ARM [=y] || ARM64 || COMPILE_TEST [=y]) && !GENERIC_ATOMIC64 [=y] + Selected by [y]: + - DRM_PANFROST [=y] && HAS_IOMEM [=y] && DRM [=y] && (ARM [=y] || ARM64 || COMPILE_TEST [=y] && !GENERIC_ATOMIC64 [=y]) && MMU [=y] + +Rework the dependencies to always require a working cmpxchg64. + +Fixes: db594ba3fcf9 ("drm/panfrost: depend on !GENERIC_ATOMIC64 when using COMPILE_TEST") +Signed-off-by: Arnd Bergmann +Reviewed-by: Steven Price +Signed-off-by: Steven Price +Link: https://patchwork.freedesktop.org/patch/msgid/20230117164456.1591901-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panfrost/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panfrost/Kconfig b/drivers/gpu/drm/panfrost/Kconfig +index 86cdc0ce79e6..77f4d32e5204 100644 +--- a/drivers/gpu/drm/panfrost/Kconfig ++++ b/drivers/gpu/drm/panfrost/Kconfig +@@ -3,7 +3,8 @@ + config DRM_PANFROST + tristate "Panfrost (DRM support for ARM Mali Midgard/Bifrost GPUs)" + depends on DRM +- depends on ARM || ARM64 || (COMPILE_TEST && !GENERIC_ATOMIC64) ++ depends on ARM || ARM64 || COMPILE_TEST ++ depends on !GENERIC_ATOMIC64 # for IOMMU_IO_PGTABLE_LPAE + depends on MMU + select DRM_SCHED + select IOMMU_SUPPORT +-- +2.39.0 + diff --git a/queue-5.10/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch b/queue-5.10/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch new file mode 100644 index 00000000000..09890f934af --- /dev/null +++ b/queue-5.10/edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch @@ -0,0 +1,54 @@ +From dcb71b03bff436843c2315b2fa6816bc7ff9c940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Dec 2022 09:48:24 +0400 +Subject: EDAC/highbank: Fix memory leak in highbank_mc_probe() + +From: Miaoqian Lin + +[ Upstream commit e7a293658c20a7945014570e1921bf7d25d68a36 ] + +When devres_open_group() fails, it returns -ENOMEM without freeing memory +allocated by edac_mc_alloc(). + +Call edac_mc_free() on the error handling path to avoid a memory leak. + + [ bp: Massage commit message. ] + +Fixes: a1b01edb2745 ("edac: add support for Calxeda highbank memory controller") +Signed-off-by: Miaoqian Lin +Signed-off-by: Borislav Petkov (AMD) +Reviewed-by: Andre Przywara +Link: https://lore.kernel.org/r/20221229054825.1361993-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/edac/highbank_mc_edac.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/edac/highbank_mc_edac.c b/drivers/edac/highbank_mc_edac.c +index 61b76ec226af..19fba258ae10 100644 +--- a/drivers/edac/highbank_mc_edac.c ++++ b/drivers/edac/highbank_mc_edac.c +@@ -174,8 +174,10 @@ static int highbank_mc_probe(struct platform_device *pdev) + drvdata = mci->pvt_info; + platform_set_drvdata(pdev, mci); + +- if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL)) +- return -ENOMEM; ++ if (!devres_open_group(&pdev->dev, NULL, GFP_KERNEL)) { ++ res = -ENOMEM; ++ goto free; ++ } + + r = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!r) { +@@ -243,6 +245,7 @@ static int highbank_mc_probe(struct platform_device *pdev) + edac_mc_del_mc(&pdev->dev); + err: + devres_release_group(&pdev->dev, NULL); ++free: + edac_mc_free(mci); + return res; + } +-- +2.39.0 + diff --git a/queue-5.10/firmware-arm_scmi-harden-shared-memory-access-in-fet.patch b/queue-5.10/firmware-arm_scmi-harden-shared-memory-access-in-fet.patch new file mode 100644 index 00000000000..9be4f5cb1e4 --- /dev/null +++ b/queue-5.10/firmware-arm_scmi-harden-shared-memory-access-in-fet.patch @@ -0,0 +1,44 @@ +From 73341820606bd442352a3189342d3c60c86955e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Dec 2022 18:38:20 +0000 +Subject: firmware: arm_scmi: Harden shared memory access in fetch_response + +From: Cristian Marussi + +[ Upstream commit ad78b81a1077f7d956952cd8bdfe1e61504e3eb8 ] + +A misbheaving SCMI platform firmware could reply with out-of-spec messages, +shorter than the mimimum size comprising a header and a status field. + +Harden shmem_fetch_response to properly truncate such a bad messages. + +Fixes: 5c8a47a5a91d ("firmware: arm_scmi: Make scmi core independent of the transport type") +Signed-off-by: Cristian Marussi +Link: https://lore.kernel.org/r/20221222183823.518856-3-cristian.marussi@arm.com +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/shmem.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/arm_scmi/shmem.c b/drivers/firmware/arm_scmi/shmem.c +index 0e3eaea5d852..415ef7df8fc3 100644 +--- a/drivers/firmware/arm_scmi/shmem.c ++++ b/drivers/firmware/arm_scmi/shmem.c +@@ -58,10 +58,11 @@ u32 shmem_read_header(struct scmi_shared_mem __iomem *shmem) + void shmem_fetch_response(struct scmi_shared_mem __iomem *shmem, + struct scmi_xfer *xfer) + { ++ size_t len = ioread32(&shmem->length); ++ + xfer->hdr.status = ioread32(shmem->msg_payload); + /* Skip the length of header and status in shmem area i.e 8 bytes */ +- xfer->rx.len = min_t(size_t, xfer->rx.len, +- ioread32(&shmem->length) - 8); ++ xfer->rx.len = min_t(size_t, xfer->rx.len, len > 8 ? len - 8 : 0); + + /* Take a copy to the rx buffer.. */ + memcpy_fromio(xfer->rx.buf, shmem->msg_payload + 4, xfer->rx.len); +-- +2.39.0 + diff --git a/queue-5.10/firmware-arm_scmi-harden-shared-memory-access-in-fet.patch-17789 b/queue-5.10/firmware-arm_scmi-harden-shared-memory-access-in-fet.patch-17789 new file mode 100644 index 00000000000..bf0e6897957 --- /dev/null +++ b/queue-5.10/firmware-arm_scmi-harden-shared-memory-access-in-fet.patch-17789 @@ -0,0 +1,40 @@ +From caab395e24b60ec6fc95a5d78f68f730457d7d7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Dec 2022 18:38:21 +0000 +Subject: firmware: arm_scmi: Harden shared memory access in fetch_notification + +From: Cristian Marussi + +[ Upstream commit 9bae076cd4e3e3c3dc185cae829d80b2dddec86e ] + +A misbheaving SCMI platform firmware could reply with out-of-spec +notifications, shorter than the mimimum size comprising a header. + +Fixes: d5141f37c42e ("firmware: arm_scmi: Add notifications support in transport layer") +Signed-off-by: Cristian Marussi +Link: https://lore.kernel.org/r/20221222183823.518856-4-cristian.marussi@arm.com +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + drivers/firmware/arm_scmi/shmem.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/firmware/arm_scmi/shmem.c b/drivers/firmware/arm_scmi/shmem.c +index 415ef7df8fc3..56a1f61aa3ff 100644 +--- a/drivers/firmware/arm_scmi/shmem.c ++++ b/drivers/firmware/arm_scmi/shmem.c +@@ -71,8 +71,10 @@ void shmem_fetch_response(struct scmi_shared_mem __iomem *shmem, + void shmem_fetch_notification(struct scmi_shared_mem __iomem *shmem, + size_t max_len, struct scmi_xfer *xfer) + { ++ size_t len = ioread32(&shmem->length); ++ + /* Skip only the length of header in shmem area i.e 4 bytes */ +- xfer->rx.len = min_t(size_t, max_len, ioread32(&shmem->length) - 4); ++ xfer->rx.len = min_t(size_t, max_len, len > 4 ? len - 4 : 0); + + /* Take a copy to the rx buffer.. */ + memcpy_fromio(xfer->rx.buf, shmem->msg_payload, xfer->rx.len); +-- +2.39.0 + diff --git a/queue-5.10/gpio-mxc-always-set-gpios-used-as-interrupt-source-t.patch b/queue-5.10/gpio-mxc-always-set-gpios-used-as-interrupt-source-t.patch new file mode 100644 index 00000000000..88ff6dfc32d --- /dev/null +++ b/queue-5.10/gpio-mxc-always-set-gpios-used-as-interrupt-source-t.patch @@ -0,0 +1,41 @@ +From 508fe8e67230529ec41daf5ec0e41bceb733e9c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 10:49:57 +0100 +Subject: gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode + +From: Marek Vasut + +[ Upstream commit 8e88a0feebb241cab0253698b2f7358b6ebec802 ] + +Always configure GPIO pins which are used as interrupt source as INPUTs. +In case the default pin configuration is OUTPUT, or the prior stage does +configure the pins as OUTPUT, then Linux will not reconfigure the pin as +INPUT and no interrupts are received. + +Always configure the interrupt source GPIO pin as input to fix the above case. + +Reviewed-by: Linus Walleij +Fixes: 07bd1a6cc7cbb ("MXC arch: Add gpio support for the whole platform") +Signed-off-by: Marek Vasut +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mxc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-mxc.c b/drivers/gpio/gpio-mxc.c +index ba6ed2a413f5..0d5a9fee3c70 100644 +--- a/drivers/gpio/gpio-mxc.c ++++ b/drivers/gpio/gpio-mxc.c +@@ -231,7 +231,7 @@ static int gpio_set_irq_type(struct irq_data *d, u32 type) + + writel(1 << gpio_idx, port->base + GPIO_ISR); + +- return 0; ++ return port->gc.direction_input(&port->gc, gpio_idx); + } + + static void mxc_flip_edge(struct mxc_gpio_port *port, u32 gpio) +-- +2.39.0 + diff --git a/queue-5.10/hid-betop-check-shape-of-output-reports.patch b/queue-5.10/hid-betop-check-shape-of-output-reports.patch new file mode 100644 index 00000000000..b1b69cf8a63 --- /dev/null +++ b/queue-5.10/hid-betop-check-shape-of-output-reports.patch @@ -0,0 +1,68 @@ +From ec87bec9f327297b83a9270e01a18562dcbc4711 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 18:12:16 +0000 +Subject: HID: betop: check shape of output reports + +From: Pietro Borrello + +[ Upstream commit 3782c0d6edf658b71354a64d60aa7a296188fc90 ] + +betopff_init() only checks the total sum of the report counts for each +report field to be at least 4, but hid_betopff_play() expects 4 report +fields. +A device advertising an output report with one field and 4 report counts +would pass the check but crash the kernel with a NULL pointer dereference +in hid_betopff_play(). + +Fixes: 52cd7785f3cd ("HID: betop: add drivers/hid/hid-betopff.c") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-betopff.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/hid/hid-betopff.c b/drivers/hid/hid-betopff.c +index 467d789f9bc2..25ed7b9a917e 100644 +--- a/drivers/hid/hid-betopff.c ++++ b/drivers/hid/hid-betopff.c +@@ -60,7 +60,6 @@ static int betopff_init(struct hid_device *hid) + struct list_head *report_list = + &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev; +- int field_count = 0; + int error; + int i, j; + +@@ -86,19 +85,21 @@ static int betopff_init(struct hid_device *hid) + * ----------------------------------------- + * Do init them with default value. + */ ++ if (report->maxfield < 4) { ++ hid_err(hid, "not enough fields in the report: %d\n", ++ report->maxfield); ++ return -ENODEV; ++ } + for (i = 0; i < report->maxfield; i++) { ++ if (report->field[i]->report_count < 1) { ++ hid_err(hid, "no values in the field\n"); ++ return -ENODEV; ++ } + for (j = 0; j < report->field[i]->report_count; j++) { + report->field[i]->value[j] = 0x00; +- field_count++; + } + } + +- if (field_count < 4) { +- hid_err(hid, "not enough fields in the report: %d\n", +- field_count); +- return -ENODEV; +- } +- + betopff = kzalloc(sizeof(*betopff), GFP_KERNEL); + if (!betopff) + return -ENOMEM; +-- +2.39.0 + diff --git a/queue-5.10/hid-check-empty-report_list-in-bigben_probe.patch b/queue-5.10/hid-check-empty-report_list-in-bigben_probe.patch new file mode 100644 index 00000000000..4028acb3538 --- /dev/null +++ b/queue-5.10/hid-check-empty-report_list-in-bigben_probe.patch @@ -0,0 +1,43 @@ +From 118522b7ead4720e091fb90614512d4872540623 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 11:11:25 +0000 +Subject: HID: check empty report_list in bigben_probe() + +From: Pietro Borrello + +[ Upstream commit c7bf714f875531f227f2ef1fdcc8f4d44e7c7d9d ] + +Add a check for empty report_list in bigben_probe(). +The missing check causes a type confusion when issuing a list_entry() +on an empty report_list. +The problem is caused by the assumption that the device must +have valid report_list. While this will be true for all normal HID +devices, a suitably malicious device can violate the assumption. + +Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-bigbenff.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index e8c5e3ac9fff..e8b16665860d 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -344,6 +344,11 @@ static int bigben_probe(struct hid_device *hid, + } + + report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; ++ if (list_empty(report_list)) { ++ hid_err(hid, "no output report found\n"); ++ error = -ENODEV; ++ goto error_hw_stop; ++ } + bigben->report = list_entry(report_list->next, + struct hid_report, list); + +-- +2.39.0 + diff --git a/queue-5.10/hid-check-empty-report_list-in-hid_validate_values.patch b/queue-5.10/hid-check-empty-report_list-in-hid_validate_values.patch new file mode 100644 index 00000000000..ecc4f487e78 --- /dev/null +++ b/queue-5.10/hid-check-empty-report_list-in-hid_validate_values.patch @@ -0,0 +1,42 @@ +From ed4aa7fa3321c6e74d85d81d55a7ef706bd7aa99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 11:11:24 +0000 +Subject: HID: check empty report_list in hid_validate_values() + +From: Pietro Borrello + +[ Upstream commit b12fece4c64857e5fab4290bf01b2e0317a88456 ] + +Add a check for empty report_list in hid_validate_values(). +The missing check causes a type confusion when issuing a list_entry() +on an empty report_list. +The problem is caused by the assumption that the device must +have valid report_list. While this will be true for all normal HID +devices, a suitably malicious device can violate the assumption. + +Fixes: 1b15d2e5b807 ("HID: core: fix validation of report id 0") +Signed-off-by: Pietro Borrello +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index eaaf732f0630..baadead947c8 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -988,8 +988,8 @@ struct hid_report *hid_validate_values(struct hid_device *hid, + * Validating on id 0 means we should examine the first + * report in the list. + */ +- report = list_entry( +- hid->report_enum[type].report_list.next, ++ report = list_first_entry_or_null( ++ &hid->report_enum[type].report_list, + struct hid_report, list); + } else { + report = hid->report_enum[type].report_id_hash[id]; +-- +2.39.0 + diff --git a/queue-5.10/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch b/queue-5.10/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch new file mode 100644 index 00000000000..3ce13254ba5 --- /dev/null +++ b/queue-5.10/hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch @@ -0,0 +1,53 @@ +From df1fda87f067c1646b29911c84ad80eb24524663 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 21:48:23 +0800 +Subject: HID: intel_ish-hid: Add check for ishtp_dma_tx_map + +From: Jiasheng Jiang + +[ Upstream commit b3d40c3ec3dc4ad78017de6c3a38979f57aaaab8 ] + +As the kcalloc may return NULL pointer, +it should be better to check the ishtp_dma_tx_map +before use in order to avoid NULL pointer dereference. + +Fixes: 3703f53b99e4 ("HID: intel_ish-hid: ISH Transport layer") +Signed-off-by: Jiasheng Jiang +Acked-by: Srinivas Pandruvada +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/intel-ish-hid/ishtp/dma-if.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/hid/intel-ish-hid/ishtp/dma-if.c b/drivers/hid/intel-ish-hid/ishtp/dma-if.c +index 40554c8daca0..00046cbfd4ed 100644 +--- a/drivers/hid/intel-ish-hid/ishtp/dma-if.c ++++ b/drivers/hid/intel-ish-hid/ishtp/dma-if.c +@@ -104,6 +104,11 @@ void *ishtp_cl_get_dma_send_buf(struct ishtp_device *dev, + int required_slots = (size / DMA_SLOT_SIZE) + + 1 * (size % DMA_SLOT_SIZE != 0); + ++ if (!dev->ishtp_dma_tx_map) { ++ dev_err(dev->devc, "Fail to allocate Tx map\n"); ++ return NULL; ++ } ++ + spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags); + for (i = 0; i <= (dev->ishtp_dma_num_slots - required_slots); i++) { + free = 1; +@@ -150,6 +155,11 @@ void ishtp_cl_release_dma_acked_mem(struct ishtp_device *dev, + return; + } + ++ if (!dev->ishtp_dma_tx_map) { ++ dev_err(dev->devc, "Fail to allocate Tx map\n"); ++ return; ++ } ++ + i = (msg_addr - dev->ishtp_host_dma_tx_buf) / DMA_SLOT_SIZE; + spin_lock_irqsave(&dev->ishtp_dma_tx_lock, flags); + for (j = 0; j < acked_slots; j++) { +-- +2.39.0 + diff --git a/queue-5.10/hid-revert-cherry_mouse_000c-quirk.patch b/queue-5.10/hid-revert-cherry_mouse_000c-quirk.patch new file mode 100644 index 00000000000..7e5ac2e4492 --- /dev/null +++ b/queue-5.10/hid-revert-cherry_mouse_000c-quirk.patch @@ -0,0 +1,49 @@ +From 0e31253b67426ab8e23335ad8824df168ce1b5f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 15:41:40 +0100 +Subject: HID: revert CHERRY_MOUSE_000C quirk + +From: Jiri Kosina + +[ Upstream commit cbf44580ce6b310272a73e3e794233fd064330bd ] + +This partially reverts commit f6d910a89a2391 ("HID: usbhid: Add ALWAYS_POLL quirk +for some mice"), as it turns out to break reboot on some platforms for reason +yet to be understood. + +Fixes: f6d910a89a2391 ("HID: usbhid: Add ALWAYS_POLL quirk for some mice") +Reported-by: Christian Zigotzky +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 - + drivers/hid/hid-quirks.c | 1 - + 2 files changed, 2 deletions(-) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 09c3f30f10d3..1d1306a6004e 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -257,7 +257,6 @@ + #define USB_DEVICE_ID_CH_AXIS_295 0x001c + + #define USB_VENDOR_ID_CHERRY 0x046a +-#define USB_DEVICE_ID_CHERRY_MOUSE_000C 0x000c + #define USB_DEVICE_ID_CHERRY_CYMOTION 0x0023 + #define USB_DEVICE_ID_CHERRY_CYMOTION_SOLAR 0x0027 + +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 1efde40e5136..9f1fcbea19eb 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -54,7 +54,6 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_YOKE), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_PEDALS), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_PRO_THROTTLE), HID_QUIRK_NOGET }, +- { HID_USB_DEVICE(USB_VENDOR_ID_CHERRY, USB_DEVICE_ID_CHERRY_MOUSE_000C), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K65RGB_RAPIDFIRE), HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_K70RGB), HID_QUIRK_NO_INIT_REPORTS }, +-- +2.39.0 + diff --git a/queue-5.10/ib-hfi1-fix-expected-receive-setup-error-exit-issues.patch b/queue-5.10/ib-hfi1-fix-expected-receive-setup-error-exit-issues.patch new file mode 100644 index 00000000000..78f137c15a6 --- /dev/null +++ b/queue-5.10/ib-hfi1-fix-expected-receive-setup-error-exit-issues.patch @@ -0,0 +1,170 @@ +From da51beabd99d536cc651f36cefc499419fcf4195 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 12:31:21 -0500 +Subject: IB/hfi1: Fix expected receive setup error exit issues + +From: Dean Luick + +[ Upstream commit e0c4a422f5246abefbf7c178ef99a1f2dc3c5f62 ] + +Fix three error exit issues in expected receive setup. +Re-arrange error exits to increase readability. + +Issues and fixes: +1. Possible missed page unpin if tidlist copyout fails and + not all pinned pages where made part of a TID. + Fix: Unpin the unused pages. + +2. Return success with unset return values tidcnt and length + when no pages were pinned. + Fix: Return -ENOSPC if no pages were pinned. + +3. Return success with unset return values tidcnt and length when + no rcvarray entries available. + Fix: Return -ENOSPC if no rcvarray entries are available. + +Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body") +Fixes: 97736f36dbeb ("IB/hfi1: Validate page aligned for a given virtual addres") +Fixes: f404ca4c7ea8 ("IB/hfi1: Refactor hfi_user_exp_rcv_setup() IOCTL") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/167328548150.1472310.1492305874804187634.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 83 ++++++++++++++--------- + 1 file changed, 50 insertions(+), 33 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +index 1278cd55a480..ba61d327a85d 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -310,15 +310,14 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + tidbuf->psets = kcalloc(uctxt->expected_count, sizeof(*tidbuf->psets), + GFP_KERNEL); + if (!tidbuf->psets) { +- kfree(tidbuf); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto fail_release_mem; + } + + pinned = pin_rcv_pages(fd, tidbuf); + if (pinned <= 0) { +- kfree(tidbuf->psets); +- kfree(tidbuf); +- return pinned; ++ ret = (pinned < 0) ? pinned : -ENOSPC; ++ goto fail_unpin; + } + + /* Find sets of physically contiguous pages */ +@@ -333,14 +332,16 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + fd->tid_used += pageset_count; + spin_unlock(&fd->tid_lock); + +- if (!pageset_count) +- goto bail; ++ if (!pageset_count) { ++ ret = -ENOSPC; ++ goto fail_unreserve; ++ } + + ngroups = pageset_count / dd->rcv_entries.group_size; + tidlist = kcalloc(pageset_count, sizeof(*tidlist), GFP_KERNEL); + if (!tidlist) { + ret = -ENOMEM; +- goto nomem; ++ goto fail_unreserve; + } + + tididx = 0; +@@ -436,44 +437,60 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + } + unlock: + mutex_unlock(&uctxt->exp_mutex); +-nomem: + hfi1_cdbg(TID, "total mapped: tidpairs:%u pages:%u (%d)", tididx, + mapped_pages, ret); ++ ++ /* fail if nothing was programmed, set error if none provided */ ++ if (tididx == 0) { ++ if (ret >= 0) ++ ret = -ENOSPC; ++ goto fail_unreserve; ++ } ++ + /* adjust reserved tid_used to actual count */ + spin_lock(&fd->tid_lock); + fd->tid_used -= pageset_count - tididx; + spin_unlock(&fd->tid_lock); +- if (tididx) { +- tinfo->tidcnt = tididx; +- tinfo->length = mapped_pages * PAGE_SIZE; + +- if (copy_to_user(u64_to_user_ptr(tinfo->tidlist), +- tidlist, sizeof(tidlist[0]) * tididx)) { +- /* +- * On failure to copy to the user level, we need to undo +- * everything done so far so we don't leak resources. +- */ +- tinfo->tidlist = (unsigned long)&tidlist; +- hfi1_user_exp_rcv_clear(fd, tinfo); +- tinfo->tidlist = 0; +- ret = -EFAULT; +- goto bail; +- } ++ /* unpin all pages not covered by a TID */ ++ unpin_rcv_pages(fd, tidbuf, NULL, mapped_pages, pinned - mapped_pages, ++ false); ++ ++ tinfo->tidcnt = tididx; ++ tinfo->length = mapped_pages * PAGE_SIZE; ++ ++ if (copy_to_user(u64_to_user_ptr(tinfo->tidlist), ++ tidlist, sizeof(tidlist[0]) * tididx)) { ++ ret = -EFAULT; ++ goto fail_unprogram; + } + +- /* +- * If not everything was mapped (due to insufficient RcvArray entries, +- * for example), unpin all unmapped pages so we can pin them nex time. +- */ +- if (mapped_pages != pinned) +- unpin_rcv_pages(fd, tidbuf, NULL, mapped_pages, +- (pinned - mapped_pages), false); +-bail: ++ kfree(tidbuf->pages); + kfree(tidbuf->psets); ++ kfree(tidbuf); + kfree(tidlist); ++ return 0; ++ ++fail_unprogram: ++ /* unprogram, unmap, and unpin all allocated TIDs */ ++ tinfo->tidlist = (unsigned long)tidlist; ++ hfi1_user_exp_rcv_clear(fd, tinfo); ++ tinfo->tidlist = 0; ++ pinned = 0; /* nothing left to unpin */ ++ pageset_count = 0; /* nothing left reserved */ ++fail_unreserve: ++ spin_lock(&fd->tid_lock); ++ fd->tid_used -= pageset_count; ++ spin_unlock(&fd->tid_lock); ++fail_unpin: ++ if (pinned > 0) ++ unpin_rcv_pages(fd, tidbuf, NULL, 0, pinned, false); ++fail_release_mem: + kfree(tidbuf->pages); ++ kfree(tidbuf->psets); + kfree(tidbuf); +- return ret > 0 ? 0 : ret; ++ kfree(tidlist); ++ return ret; + } + + int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd, +-- +2.39.0 + diff --git a/queue-5.10/ib-hfi1-immediately-remove-invalid-memory-from-hardw.patch b/queue-5.10/ib-hfi1-immediately-remove-invalid-memory-from-hardw.patch new file mode 100644 index 00000000000..7d0b5c12fee --- /dev/null +++ b/queue-5.10/ib-hfi1-immediately-remove-invalid-memory-from-hardw.patch @@ -0,0 +1,150 @@ +From b407826bb231de5a02028add9639a7baa3385297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 12:31:26 -0500 +Subject: IB/hfi1: Immediately remove invalid memory from hardware + +From: Dean Luick + +[ Upstream commit 1c7edde1b5720ddb0aff5ca8c7f605a0f92526eb ] + +When a user expected receive page is unmapped, it should be +immediately removed from hardware rather than depend on a +reaction from user space. + +Fixes: 2677a7680e77 ("IB/hfi1: Fix memory leak during unexpected shutdown") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/167328548663.1472310.7871808081861622659.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 43 +++++++++++++++-------- + drivers/infiniband/hw/hfi1/user_exp_rcv.h | 1 + + 2 files changed, 30 insertions(+), 14 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +index ba61d327a85d..b70d1b135ee4 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -70,8 +70,9 @@ static int program_rcvarray(struct hfi1_filedata *fd, struct tid_user_buf *, + unsigned int start, u16 count, + u32 *tidlist, unsigned int *tididx, + unsigned int *pmapped); +-static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo, +- struct tid_group **grp); ++static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo); ++static void __clear_tid_node(struct hfi1_filedata *fd, ++ struct tid_rb_node *node); + static void clear_tid_node(struct hfi1_filedata *fd, struct tid_rb_node *node); + + static const struct mmu_interval_notifier_ops tid_mn_ops = { +@@ -511,7 +512,7 @@ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd, + + mutex_lock(&uctxt->exp_mutex); + for (tididx = 0; tididx < tinfo->tidcnt; tididx++) { +- ret = unprogram_rcvarray(fd, tidinfo[tididx], NULL); ++ ret = unprogram_rcvarray(fd, tidinfo[tididx]); + if (ret) { + hfi1_cdbg(TID, "Failed to unprogram rcv array %d", + ret); +@@ -767,6 +768,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, + } + + node->fdata = fd; ++ mutex_init(&node->invalidate_mutex); + node->phys = page_to_phys(pages[0]); + node->npages = npages; + node->rcventry = rcventry; +@@ -806,8 +808,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, + return -EFAULT; + } + +-static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo, +- struct tid_group **grp) ++static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo) + { + struct hfi1_ctxtdata *uctxt = fd->uctxt; + struct hfi1_devdata *dd = uctxt->dd; +@@ -830,9 +831,6 @@ static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo, + if (!node || node->rcventry != (uctxt->expected_base + rcventry)) + return -EBADF; + +- if (grp) +- *grp = node->grp; +- + if (fd->use_mn) + mmu_interval_notifier_remove(&node->notifier); + cacheless_tid_rb_remove(fd, node); +@@ -840,23 +838,34 @@ static int unprogram_rcvarray(struct hfi1_filedata *fd, u32 tidinfo, + return 0; + } + +-static void clear_tid_node(struct hfi1_filedata *fd, struct tid_rb_node *node) ++static void __clear_tid_node(struct hfi1_filedata *fd, struct tid_rb_node *node) + { + struct hfi1_ctxtdata *uctxt = fd->uctxt; + struct hfi1_devdata *dd = uctxt->dd; + ++ mutex_lock(&node->invalidate_mutex); ++ if (node->freed) ++ goto done; ++ node->freed = true; ++ + trace_hfi1_exp_tid_unreg(uctxt->ctxt, fd->subctxt, node->rcventry, + node->npages, + node->notifier.interval_tree.start, node->phys, + node->dma_addr); + +- /* +- * Make sure device has seen the write before we unpin the +- * pages. +- */ ++ /* Make sure device has seen the write before pages are unpinned */ + hfi1_put_tid(dd, node->rcventry, PT_INVALID_FLUSH, 0, 0); + + unpin_rcv_pages(fd, NULL, node, 0, node->npages, true); ++done: ++ mutex_unlock(&node->invalidate_mutex); ++} ++ ++static void clear_tid_node(struct hfi1_filedata *fd, struct tid_rb_node *node) ++{ ++ struct hfi1_ctxtdata *uctxt = fd->uctxt; ++ ++ __clear_tid_node(fd, node); + + node->grp->used--; + node->grp->map &= ~(1 << (node->rcventry - node->grp->base)); +@@ -915,10 +924,16 @@ static bool tid_rb_invalidate(struct mmu_interval_notifier *mni, + if (node->freed) + return true; + ++ /* take action only if unmapping */ ++ if (range->event != MMU_NOTIFY_UNMAP) ++ return true; ++ + trace_hfi1_exp_tid_inval(uctxt->ctxt, fdata->subctxt, + node->notifier.interval_tree.start, + node->rcventry, node->npages, node->dma_addr); +- node->freed = true; ++ ++ /* clear the hardware rcvarray entry */ ++ __clear_tid_node(fdata, node); + + spin_lock(&fdata->invalid_lock); + if (fdata->invalid_tid_idx < uctxt->expected_count) { +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.h b/drivers/infiniband/hw/hfi1/user_exp_rcv.h +index d45c7b6988d4..ba06ab3b4769 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.h ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.h +@@ -68,6 +68,7 @@ struct tid_user_buf { + struct tid_rb_node { + struct mmu_interval_notifier notifier; + struct hfi1_filedata *fdata; ++ struct mutex invalidate_mutex; /* covers hw removal */ + unsigned long phys; + struct tid_group *grp; + u32 rcventry; +-- +2.39.0 + diff --git a/queue-5.10/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch b/queue-5.10/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch new file mode 100644 index 00000000000..ec54e8275ee --- /dev/null +++ b/queue-5.10/ib-hfi1-reject-a-zero-length-user-expected-buffer.patch @@ -0,0 +1,39 @@ +From 6b04c057774d3db8ebce88a14d61e0422cfce126 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 12:31:11 -0500 +Subject: IB/hfi1: Reject a zero-length user expected buffer + +From: Dean Luick + +[ Upstream commit 0a0a6e80472c98947d73c3d13bcd7d101895f55d ] + +A zero length user buffer makes no sense and the code +does not handle it correctly. Instead, reject a +zero length as invalid. + +Fixes: 97736f36dbeb ("IB/hfi1: Validate page aligned for a given virtual addres") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/167328547120.1472310.6362802432127399257.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +index b94fc7fd75a9..dd8ce2a62d2b 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -298,6 +298,8 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + + if (!PAGE_ALIGNED(tinfo->vaddr)) + return -EINVAL; ++ if (tinfo->length == 0) ++ return -EINVAL; + + tidbuf = kzalloc(sizeof(*tidbuf), GFP_KERNEL); + if (!tidbuf) +-- +2.39.0 + diff --git a/queue-5.10/ib-hfi1-remove-user-expected-buffer-invalidate-race.patch b/queue-5.10/ib-hfi1-remove-user-expected-buffer-invalidate-race.patch new file mode 100644 index 00000000000..7fa90e142ac --- /dev/null +++ b/queue-5.10/ib-hfi1-remove-user-expected-buffer-invalidate-race.patch @@ -0,0 +1,174 @@ +From 111a62e955d0ef9812f09f8da401f84735756e5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 12:31:31 -0500 +Subject: IB/hfi1: Remove user expected buffer invalidate race + +From: Dean Luick + +[ Upstream commit b3deec25847bda34e34d5d7be02f633caf000bd8 ] + +During setup, there is a possible race between a page invalidate +and hardware programming. Add a covering invalidate over the user +target range during setup. If anything within that range is +invalidated during setup, fail the setup. Once set up, each +TID will have its own invalidate callback and invalidate. + +Fixes: 3889551db212 ("RDMA/hfi1: Use mmu_interval_notifier_insert for user_exp_rcv") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/167328549178.1472310.9867497376936699488.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 58 +++++++++++++++++++++-- + drivers/infiniband/hw/hfi1/user_exp_rcv.h | 2 + + 2 files changed, 55 insertions(+), 5 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +index b70d1b135ee4..897923981855 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -65,6 +65,9 @@ static void cacheless_tid_rb_remove(struct hfi1_filedata *fdata, + static bool tid_rb_invalidate(struct mmu_interval_notifier *mni, + const struct mmu_notifier_range *range, + unsigned long cur_seq); ++static bool tid_cover_invalidate(struct mmu_interval_notifier *mni, ++ const struct mmu_notifier_range *range, ++ unsigned long cur_seq); + static int program_rcvarray(struct hfi1_filedata *fd, struct tid_user_buf *, + struct tid_group *grp, + unsigned int start, u16 count, +@@ -78,6 +81,9 @@ static void clear_tid_node(struct hfi1_filedata *fd, struct tid_rb_node *node); + static const struct mmu_interval_notifier_ops tid_mn_ops = { + .invalidate = tid_rb_invalidate, + }; ++static const struct mmu_interval_notifier_ops tid_cover_ops = { ++ .invalidate = tid_cover_invalidate, ++}; + + /* + * Initialize context and file private data needed for Expected +@@ -296,6 +302,7 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + tididx = 0, mapped, mapped_pages = 0; + u32 *tidlist = NULL; + struct tid_user_buf *tidbuf; ++ unsigned long mmu_seq = 0; + + if (!PAGE_ALIGNED(tinfo->vaddr)) + return -EINVAL; +@@ -306,6 +313,7 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + if (!tidbuf) + return -ENOMEM; + ++ mutex_init(&tidbuf->cover_mutex); + tidbuf->vaddr = tinfo->vaddr; + tidbuf->length = tinfo->length; + tidbuf->psets = kcalloc(uctxt->expected_count, sizeof(*tidbuf->psets), +@@ -315,6 +323,16 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + goto fail_release_mem; + } + ++ if (fd->use_mn) { ++ ret = mmu_interval_notifier_insert( ++ &tidbuf->notifier, current->mm, ++ tidbuf->vaddr, tidbuf->npages * PAGE_SIZE, ++ &tid_cover_ops); ++ if (ret) ++ goto fail_release_mem; ++ mmu_seq = mmu_interval_read_begin(&tidbuf->notifier); ++ } ++ + pinned = pin_rcv_pages(fd, tidbuf); + if (pinned <= 0) { + ret = (pinned < 0) ? pinned : -ENOSPC; +@@ -457,6 +475,20 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + unpin_rcv_pages(fd, tidbuf, NULL, mapped_pages, pinned - mapped_pages, + false); + ++ if (fd->use_mn) { ++ /* check for an invalidate during setup */ ++ bool fail = false; ++ ++ mutex_lock(&tidbuf->cover_mutex); ++ fail = mmu_interval_read_retry(&tidbuf->notifier, mmu_seq); ++ mutex_unlock(&tidbuf->cover_mutex); ++ ++ if (fail) { ++ ret = -EBUSY; ++ goto fail_unprogram; ++ } ++ } ++ + tinfo->tidcnt = tididx; + tinfo->length = mapped_pages * PAGE_SIZE; + +@@ -466,6 +498,8 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + goto fail_unprogram; + } + ++ if (fd->use_mn) ++ mmu_interval_notifier_remove(&tidbuf->notifier); + kfree(tidbuf->pages); + kfree(tidbuf->psets); + kfree(tidbuf); +@@ -484,6 +518,8 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + fd->tid_used -= pageset_count; + spin_unlock(&fd->tid_lock); + fail_unpin: ++ if (fd->use_mn) ++ mmu_interval_notifier_remove(&tidbuf->notifier); + if (pinned > 0) + unpin_rcv_pages(fd, tidbuf, NULL, 0, pinned, false); + fail_release_mem: +@@ -784,11 +820,6 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd, + &tid_mn_ops); + if (ret) + goto out_unmap; +- /* +- * FIXME: This is in the wrong order, the notifier should be +- * established before the pages are pinned by pin_rcv_pages. +- */ +- mmu_interval_read_begin(&node->notifier); + } + fd->entry_to_rb[node->rcventry - uctxt->expected_base] = node; + +@@ -963,6 +994,23 @@ static bool tid_rb_invalidate(struct mmu_interval_notifier *mni, + return true; + } + ++static bool tid_cover_invalidate(struct mmu_interval_notifier *mni, ++ const struct mmu_notifier_range *range, ++ unsigned long cur_seq) ++{ ++ struct tid_user_buf *tidbuf = ++ container_of(mni, struct tid_user_buf, notifier); ++ ++ /* take action only if unmapping */ ++ if (range->event == MMU_NOTIFY_UNMAP) { ++ mutex_lock(&tidbuf->cover_mutex); ++ mmu_interval_set_seq(mni, cur_seq); ++ mutex_unlock(&tidbuf->cover_mutex); ++ } ++ ++ return true; ++} ++ + static void cacheless_tid_rb_remove(struct hfi1_filedata *fdata, + struct tid_rb_node *tnode) + { +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.h b/drivers/infiniband/hw/hfi1/user_exp_rcv.h +index ba06ab3b4769..849f265f2f11 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.h ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.h +@@ -57,6 +57,8 @@ struct tid_pageset { + }; + + struct tid_user_buf { ++ struct mmu_interval_notifier notifier; ++ struct mutex cover_mutex; + unsigned long vaddr; + unsigned long length; + unsigned int npages; +-- +2.39.0 + diff --git a/queue-5.10/ib-hfi1-reserve-user-expected-tids.patch b/queue-5.10/ib-hfi1-reserve-user-expected-tids.patch new file mode 100644 index 00000000000..e474890b477 --- /dev/null +++ b/queue-5.10/ib-hfi1-reserve-user-expected-tids.patch @@ -0,0 +1,63 @@ +From 5fc25f511c716f4a8a91570328a0901622e0edc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 12:31:16 -0500 +Subject: IB/hfi1: Reserve user expected TIDs + +From: Dean Luick + +[ Upstream commit ecf91551cdd2925ed6d9a9d99074fa5f67b90596 ] + +To avoid a race, reserve the number of user expected +TIDs before setup. + +Fixes: 7e7a436ecb6e ("staging/hfi1: Add TID entry program function body") +Signed-off-by: Dean Luick +Signed-off-by: Dennis Dalessandro +Link: https://lore.kernel.org/r/167328547636.1472310.7419712824785353905.stgit@awfm-02.cornelisnetworks.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/user_exp_rcv.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +index dd8ce2a62d2b..1278cd55a480 100644 +--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c ++++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c +@@ -324,16 +324,13 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + /* Find sets of physically contiguous pages */ + tidbuf->n_psets = find_phys_blocks(tidbuf, pinned); + +- /* +- * We don't need to access this under a lock since tid_used is per +- * process and the same process cannot be in hfi1_user_exp_rcv_clear() +- * and hfi1_user_exp_rcv_setup() at the same time. +- */ ++ /* Reserve the number of expected tids to be used. */ + spin_lock(&fd->tid_lock); + if (fd->tid_used + tidbuf->n_psets > fd->tid_limit) + pageset_count = fd->tid_limit - fd->tid_used; + else + pageset_count = tidbuf->n_psets; ++ fd->tid_used += pageset_count; + spin_unlock(&fd->tid_lock); + + if (!pageset_count) +@@ -442,10 +439,11 @@ int hfi1_user_exp_rcv_setup(struct hfi1_filedata *fd, + nomem: + hfi1_cdbg(TID, "total mapped: tidpairs:%u pages:%u (%d)", tididx, + mapped_pages, ret); ++ /* adjust reserved tid_used to actual count */ ++ spin_lock(&fd->tid_lock); ++ fd->tid_used -= pageset_count - tididx; ++ spin_unlock(&fd->tid_lock); + if (tididx) { +- spin_lock(&fd->tid_lock); +- fd->tid_used += tididx; +- spin_unlock(&fd->tid_lock); + tinfo->tidcnt = tididx; + tinfo->length = mapped_pages * PAGE_SIZE; + +-- +2.39.0 + diff --git a/queue-5.10/kcsan-test-don-t-put-the-expect-array-on-the-stack.patch b/queue-5.10/kcsan-test-don-t-put-the-expect-array-on-the-stack.patch new file mode 100644 index 00000000000..36af2319bb8 --- /dev/null +++ b/queue-5.10/kcsan-test-don-t-put-the-expect-array-on-the-stack.patch @@ -0,0 +1,64 @@ +From 90d8adcb6d7c4a3817008ee44fc0f28db2922b89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Dec 2022 23:28:21 -0800 +Subject: kcsan: test: don't put the expect array on the stack + +From: Max Filippov + +[ Upstream commit 5b24ac2dfd3eb3e36f794af3aa7f2828b19035bd ] + +Size of the 'expect' array in the __report_matches is 1536 bytes, which +is exactly the default frame size warning limit of the xtensa +architecture. +As a result allmodconfig xtensa kernel builds with the gcc that does not +support the compiler plugins (which otherwise would push the said +warning limit to 2K) fail with the following message: + + kernel/kcsan/kcsan_test.c:257:1: error: the frame size of 1680 bytes + is larger than 1536 bytes + +Fix it by dynamically allocating the 'expect' array. + +Signed-off-by: Max Filippov +Reviewed-by: Marco Elver +Tested-by: Marco Elver +Signed-off-by: Sasha Levin +--- + kernel/kcsan/kcsan-test.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/kernel/kcsan/kcsan-test.c b/kernel/kcsan/kcsan-test.c +index ebe7fd245104..8a8ccaf4f38f 100644 +--- a/kernel/kcsan/kcsan-test.c ++++ b/kernel/kcsan/kcsan-test.c +@@ -149,7 +149,7 @@ static bool report_matches(const struct expect_report *r) + const bool is_assert = (r->access[0].type | r->access[1].type) & KCSAN_ACCESS_ASSERT; + bool ret = false; + unsigned long flags; +- typeof(observed.lines) expect; ++ typeof(*observed.lines) *expect; + const char *end; + char *cur; + int i; +@@ -158,6 +158,10 @@ static bool report_matches(const struct expect_report *r) + if (!report_available()) + return false; + ++ expect = kmalloc(sizeof(observed.lines), GFP_KERNEL); ++ if (WARN_ON(!expect)) ++ return false; ++ + /* Generate expected report contents. */ + + /* Title */ +@@ -241,6 +245,7 @@ static bool report_matches(const struct expect_report *r) + strstr(observed.lines[2], expect[1]))); + out: + spin_unlock_irqrestore(&observed.lock, flags); ++ kfree(expect); + return ret; + } + +-- +2.39.0 + diff --git a/queue-5.10/kvm-s390-interrupt-use-read_once-before-cmpxchg.patch b/queue-5.10/kvm-s390-interrupt-use-read_once-before-cmpxchg.patch new file mode 100644 index 00000000000..b1937ce4ea1 --- /dev/null +++ b/queue-5.10/kvm-s390-interrupt-use-read_once-before-cmpxchg.patch @@ -0,0 +1,72 @@ +From 78d3dbe76783d3d7c4069b546dfae9f1c5c83e8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 15:54:56 +0100 +Subject: KVM: s390: interrupt: use READ_ONCE() before cmpxchg() + +From: Heiko Carstens + +[ Upstream commit 42400d99e9f0728c17240edb9645637ead40f6b9 ] + +Use READ_ONCE() before cmpxchg() to prevent that the compiler generates +code that fetches the to be compared old value several times from memory. + +Reviewed-by: Christian Borntraeger +Acked-by: Christian Borntraeger +Reviewed-by: Claudio Imbrenda +Link: https://lore.kernel.org/r/20230109145456.2895385-1-hca@linux.ibm.com +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/interrupt.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c +index b51ab19eb972..64d1dfe6dca5 100644 +--- a/arch/s390/kvm/interrupt.c ++++ b/arch/s390/kvm/interrupt.c +@@ -81,8 +81,9 @@ static int sca_inject_ext_call(struct kvm_vcpu *vcpu, int src_id) + struct esca_block *sca = vcpu->kvm->arch.sca; + union esca_sigp_ctrl *sigp_ctrl = + &(sca->cpu[vcpu->vcpu_id].sigp_ctrl); +- union esca_sigp_ctrl new_val = {0}, old_val = *sigp_ctrl; ++ union esca_sigp_ctrl new_val = {0}, old_val; + ++ old_val = READ_ONCE(*sigp_ctrl); + new_val.scn = src_id; + new_val.c = 1; + old_val.c = 0; +@@ -93,8 +94,9 @@ static int sca_inject_ext_call(struct kvm_vcpu *vcpu, int src_id) + struct bsca_block *sca = vcpu->kvm->arch.sca; + union bsca_sigp_ctrl *sigp_ctrl = + &(sca->cpu[vcpu->vcpu_id].sigp_ctrl); +- union bsca_sigp_ctrl new_val = {0}, old_val = *sigp_ctrl; ++ union bsca_sigp_ctrl new_val = {0}, old_val; + ++ old_val = READ_ONCE(*sigp_ctrl); + new_val.scn = src_id; + new_val.c = 1; + old_val.c = 0; +@@ -124,16 +126,18 @@ static void sca_clear_ext_call(struct kvm_vcpu *vcpu) + struct esca_block *sca = vcpu->kvm->arch.sca; + union esca_sigp_ctrl *sigp_ctrl = + &(sca->cpu[vcpu->vcpu_id].sigp_ctrl); +- union esca_sigp_ctrl old = *sigp_ctrl; ++ union esca_sigp_ctrl old; + ++ old = READ_ONCE(*sigp_ctrl); + expect = old.value; + rc = cmpxchg(&sigp_ctrl->value, old.value, 0); + } else { + struct bsca_block *sca = vcpu->kvm->arch.sca; + union bsca_sigp_ctrl *sigp_ctrl = + &(sca->cpu[vcpu->vcpu_id].sigp_ctrl); +- union bsca_sigp_ctrl old = *sigp_ctrl; ++ union bsca_sigp_ctrl old; + ++ old = READ_ONCE(*sigp_ctrl); + expect = old.value; + rc = cmpxchg(&sigp_ctrl->value, old.value, 0); + } +-- +2.39.0 + diff --git a/queue-5.10/l2tp-close-all-race-conditions-in-l2tp_tunnel_regist.patch b/queue-5.10/l2tp-close-all-race-conditions-in-l2tp_tunnel_regist.patch new file mode 100644 index 00000000000..15d0527b4be --- /dev/null +++ b/queue-5.10/l2tp-close-all-race-conditions-in-l2tp_tunnel_regist.patch @@ -0,0 +1,111 @@ +From b952250f0eee00e0b6b10b4a840d2e9bc87e344c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jan 2023 19:01:37 -0800 +Subject: l2tp: close all race conditions in l2tp_tunnel_register() + +From: Cong Wang + +[ Upstream commit 0b2c59720e65885a394a017d0cf9cab118914682 ] + +The code in l2tp_tunnel_register() is racy in several ways: + +1. It modifies the tunnel socket _after_ publishing it. + +2. It calls setup_udp_tunnel_sock() on an existing socket without + locking. + +3. It changes sock lock class on fly, which triggers many syzbot + reports. + +This patch amends all of them by moving socket initialization code +before publishing and under sock lock. As suggested by Jakub, the +l2tp lockdep class is not necessary as we can just switch to +bh_lock_sock_nested(). + +Fixes: 37159ef2c1ae ("l2tp: fix a lockdep splat") +Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation") +Reported-by: syzbot+52866e24647f9a23403f@syzkaller.appspotmail.com +Reported-by: syzbot+94cc2a66fc228b23f360@syzkaller.appspotmail.com +Reported-by: Tetsuo Handa +Cc: Guillaume Nault +Cc: Jakub Sitnicki +Cc: Eric Dumazet +Cc: Tom Parkin +Signed-off-by: Cong Wang +Reviewed-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 1bd52b8bb29f..386510a93696 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1041,7 +1041,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, uns + IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED); + nf_reset_ct(skb); + +- bh_lock_sock(sk); ++ bh_lock_sock_nested(sk); + if (sock_owned_by_user(sk)) { + kfree_skb(skb); + ret = NET_XMIT_DROP; +@@ -1387,8 +1387,6 @@ static int l2tp_tunnel_sock_create(struct net *net, + return err; + } + +-static struct lock_class_key l2tp_socket_class; +- + int l2tp_tunnel_create(int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, + struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp) + { +@@ -1484,21 +1482,16 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + } + + sk = sock->sk; ++ lock_sock(sk); + write_lock_bh(&sk->sk_callback_lock); + ret = l2tp_validate_socket(sk, net, tunnel->encap); +- if (ret < 0) ++ if (ret < 0) { ++ release_sock(sk); + goto err_inval_sock; ++ } + rcu_assign_sk_user_data(sk, tunnel); + write_unlock_bh(&sk->sk_callback_lock); + +- sock_hold(sk); +- tunnel->sock = sk; +- tunnel->l2tp_net = net; +- +- spin_lock_bh(&pn->l2tp_tunnel_idr_lock); +- idr_replace(&pn->l2tp_tunnel_idr, tunnel, tunnel->tunnel_id); +- spin_unlock_bh(&pn->l2tp_tunnel_idr_lock); +- + if (tunnel->encap == L2TP_ENCAPTYPE_UDP) { + struct udp_tunnel_sock_cfg udp_cfg = { + .sk_user_data = tunnel, +@@ -1512,9 +1505,16 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + + tunnel->old_sk_destruct = sk->sk_destruct; + sk->sk_destruct = &l2tp_tunnel_destruct; +- lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, +- "l2tp_sock"); + sk->sk_allocation = GFP_ATOMIC; ++ release_sock(sk); ++ ++ sock_hold(sk); ++ tunnel->sock = sk; ++ tunnel->l2tp_net = net; ++ ++ spin_lock_bh(&pn->l2tp_tunnel_idr_lock); ++ idr_replace(&pn->l2tp_tunnel_idr, tunnel, tunnel->tunnel_id); ++ spin_unlock_bh(&pn->l2tp_tunnel_idr_lock); + + trace_register_tunnel(tunnel); + +-- +2.39.0 + diff --git a/queue-5.10/l2tp-convert-l2tp_tunnel_list-to-idr.patch b/queue-5.10/l2tp-convert-l2tp_tunnel_list-to-idr.patch new file mode 100644 index 00000000000..c1b64ca2a64 --- /dev/null +++ b/queue-5.10/l2tp-convert-l2tp_tunnel_list-to-idr.patch @@ -0,0 +1,229 @@ +From 9e0cfc6551532ec494dfa9d607869c3274c6ba35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jan 2023 19:01:36 -0800 +Subject: l2tp: convert l2tp_tunnel_list to idr + +From: Cong Wang + +[ Upstream commit c4d48a58f32c5972174a1d01c33b296fe378cce0 ] + +l2tp uses l2tp_tunnel_list to track all registered tunnels and +to allocate tunnel ID's. IDR can do the same job. + +More importantly, with IDR we can hold the ID before a successful +registration so that we don't need to worry about late error +handling, it is not easy to rollback socket changes. + +This is a preparation for the following fix. + +Cc: Tetsuo Handa +Cc: Guillaume Nault +Cc: Jakub Sitnicki +Cc: Eric Dumazet +Cc: Tom Parkin +Signed-off-by: Cong Wang +Reviewed-by: Guillaume Nault +Signed-off-by: David S. Miller +Stable-dep-of: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()") +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 85 ++++++++++++++++++++++---------------------- + 1 file changed, 42 insertions(+), 43 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index d6bb1795329a..1bd52b8bb29f 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -104,9 +104,9 @@ static struct workqueue_struct *l2tp_wq; + /* per-net private data for this module */ + static unsigned int l2tp_net_id; + struct l2tp_net { +- struct list_head l2tp_tunnel_list; +- /* Lock for write access to l2tp_tunnel_list */ +- spinlock_t l2tp_tunnel_list_lock; ++ /* Lock for write access to l2tp_tunnel_idr */ ++ spinlock_t l2tp_tunnel_idr_lock; ++ struct idr l2tp_tunnel_idr; + struct hlist_head l2tp_session_hlist[L2TP_HASH_SIZE_2]; + /* Lock for write access to l2tp_session_hlist */ + spinlock_t l2tp_session_hlist_lock; +@@ -208,13 +208,10 @@ struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id) + struct l2tp_tunnel *tunnel; + + rcu_read_lock_bh(); +- list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { +- if (tunnel->tunnel_id == tunnel_id && +- refcount_inc_not_zero(&tunnel->ref_count)) { +- rcu_read_unlock_bh(); +- +- return tunnel; +- } ++ tunnel = idr_find(&pn->l2tp_tunnel_idr, tunnel_id); ++ if (tunnel && refcount_inc_not_zero(&tunnel->ref_count)) { ++ rcu_read_unlock_bh(); ++ return tunnel; + } + rcu_read_unlock_bh(); + +@@ -224,13 +221,14 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_get); + + struct l2tp_tunnel *l2tp_tunnel_get_nth(const struct net *net, int nth) + { +- const struct l2tp_net *pn = l2tp_pernet(net); ++ struct l2tp_net *pn = l2tp_pernet(net); ++ unsigned long tunnel_id, tmp; + struct l2tp_tunnel *tunnel; + int count = 0; + + rcu_read_lock_bh(); +- list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { +- if (++count > nth && ++ idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) { ++ if (tunnel && ++count > nth && + refcount_inc_not_zero(&tunnel->ref_count)) { + rcu_read_unlock_bh(); + return tunnel; +@@ -1229,6 +1227,15 @@ static void l2tp_udp_encap_destroy(struct sock *sk) + l2tp_tunnel_delete(tunnel); + } + ++static void l2tp_tunnel_remove(struct net *net, struct l2tp_tunnel *tunnel) ++{ ++ struct l2tp_net *pn = l2tp_pernet(net); ++ ++ spin_lock_bh(&pn->l2tp_tunnel_idr_lock); ++ idr_remove(&pn->l2tp_tunnel_idr, tunnel->tunnel_id); ++ spin_unlock_bh(&pn->l2tp_tunnel_idr_lock); ++} ++ + /* Workqueue tunnel deletion function */ + static void l2tp_tunnel_del_work(struct work_struct *work) + { +@@ -1236,7 +1243,6 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + del_work); + struct sock *sk = tunnel->sock; + struct socket *sock = sk->sk_socket; +- struct l2tp_net *pn; + + l2tp_tunnel_closeall(tunnel); + +@@ -1250,12 +1256,7 @@ static void l2tp_tunnel_del_work(struct work_struct *work) + } + } + +- /* Remove the tunnel struct from the tunnel list */ +- pn = l2tp_pernet(tunnel->l2tp_net); +- spin_lock_bh(&pn->l2tp_tunnel_list_lock); +- list_del_rcu(&tunnel->list); +- spin_unlock_bh(&pn->l2tp_tunnel_list_lock); +- ++ l2tp_tunnel_remove(tunnel->l2tp_net, tunnel); + /* drop initial ref */ + l2tp_tunnel_dec_refcount(tunnel); + +@@ -1457,12 +1458,19 @@ static int l2tp_validate_socket(const struct sock *sk, const struct net *net, + int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + struct l2tp_tunnel_cfg *cfg) + { +- struct l2tp_tunnel *tunnel_walk; +- struct l2tp_net *pn; ++ struct l2tp_net *pn = l2tp_pernet(net); ++ u32 tunnel_id = tunnel->tunnel_id; + struct socket *sock; + struct sock *sk; + int ret; + ++ spin_lock_bh(&pn->l2tp_tunnel_idr_lock); ++ ret = idr_alloc_u32(&pn->l2tp_tunnel_idr, NULL, &tunnel_id, tunnel_id, ++ GFP_ATOMIC); ++ spin_unlock_bh(&pn->l2tp_tunnel_idr_lock); ++ if (ret) ++ return ret == -ENOSPC ? -EEXIST : ret; ++ + if (tunnel->fd < 0) { + ret = l2tp_tunnel_sock_create(net, tunnel->tunnel_id, + tunnel->peer_tunnel_id, cfg, +@@ -1483,23 +1491,13 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + rcu_assign_sk_user_data(sk, tunnel); + write_unlock_bh(&sk->sk_callback_lock); + +- tunnel->l2tp_net = net; +- pn = l2tp_pernet(net); +- + sock_hold(sk); + tunnel->sock = sk; ++ tunnel->l2tp_net = net; + +- spin_lock_bh(&pn->l2tp_tunnel_list_lock); +- list_for_each_entry(tunnel_walk, &pn->l2tp_tunnel_list, list) { +- if (tunnel_walk->tunnel_id == tunnel->tunnel_id) { +- spin_unlock_bh(&pn->l2tp_tunnel_list_lock); +- sock_put(sk); +- ret = -EEXIST; +- goto err_sock; +- } +- } +- list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list); +- spin_unlock_bh(&pn->l2tp_tunnel_list_lock); ++ spin_lock_bh(&pn->l2tp_tunnel_idr_lock); ++ idr_replace(&pn->l2tp_tunnel_idr, tunnel, tunnel->tunnel_id); ++ spin_unlock_bh(&pn->l2tp_tunnel_idr_lock); + + if (tunnel->encap == L2TP_ENCAPTYPE_UDP) { + struct udp_tunnel_sock_cfg udp_cfg = { +@@ -1525,9 +1523,6 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + + return 0; + +-err_sock: +- write_lock_bh(&sk->sk_callback_lock); +- rcu_assign_sk_user_data(sk, NULL); + err_inval_sock: + write_unlock_bh(&sk->sk_callback_lock); + +@@ -1536,6 +1531,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + else + sockfd_put(sock); + err: ++ l2tp_tunnel_remove(net, tunnel); + return ret; + } + EXPORT_SYMBOL_GPL(l2tp_tunnel_register); +@@ -1649,8 +1645,8 @@ static __net_init int l2tp_init_net(struct net *net) + struct l2tp_net *pn = net_generic(net, l2tp_net_id); + int hash; + +- INIT_LIST_HEAD(&pn->l2tp_tunnel_list); +- spin_lock_init(&pn->l2tp_tunnel_list_lock); ++ idr_init(&pn->l2tp_tunnel_idr); ++ spin_lock_init(&pn->l2tp_tunnel_idr_lock); + + for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) + INIT_HLIST_HEAD(&pn->l2tp_session_hlist[hash]); +@@ -1664,11 +1660,13 @@ static __net_exit void l2tp_exit_net(struct net *net) + { + struct l2tp_net *pn = l2tp_pernet(net); + struct l2tp_tunnel *tunnel = NULL; ++ unsigned long tunnel_id, tmp; + int hash; + + rcu_read_lock_bh(); +- list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { +- l2tp_tunnel_delete(tunnel); ++ idr_for_each_entry_ul(&pn->l2tp_tunnel_idr, tunnel, tmp, tunnel_id) { ++ if (tunnel) ++ l2tp_tunnel_delete(tunnel); + } + rcu_read_unlock_bh(); + +@@ -1678,6 +1676,7 @@ static __net_exit void l2tp_exit_net(struct net *net) + + for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) + WARN_ON_ONCE(!hlist_empty(&pn->l2tp_session_hlist[hash])); ++ idr_destroy(&pn->l2tp_tunnel_idr); + } + + static struct pernet_operations l2tp_net_ops = { +-- +2.39.0 + diff --git a/queue-5.10/l2tp-don-t-sleep-and-disable-bh-under-writer-side-sk.patch b/queue-5.10/l2tp-don-t-sleep-and-disable-bh-under-writer-side-sk.patch new file mode 100644 index 00000000000..9f4a52955fc --- /dev/null +++ b/queue-5.10/l2tp-don-t-sleep-and-disable-bh-under-writer-side-sk.patch @@ -0,0 +1,128 @@ +From 016acade1391e025922cd0eb5dfc7c9e45f478e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 09:54:26 +0100 +Subject: l2tp: Don't sleep and disable BH under writer-side sk_callback_lock + +From: Jakub Sitnicki + +[ Upstream commit af295e854a4e3813ffbdef26dbb6a4d6226c3ea1 ] + +When holding a reader-writer spin lock we cannot sleep. Calling +setup_udp_tunnel_sock() with write lock held violates this rule, because we +end up calling percpu_down_read(), which might sleep, as syzbot reports +[1]: + + __might_resched.cold+0x222/0x26b kernel/sched/core.c:9890 + percpu_down_read include/linux/percpu-rwsem.h:49 [inline] + cpus_read_lock+0x1b/0x140 kernel/cpu.c:310 + static_key_slow_inc+0x12/0x20 kernel/jump_label.c:158 + udp_tunnel_encap_enable include/net/udp_tunnel.h:187 [inline] + setup_udp_tunnel_sock+0x43d/0x550 net/ipv4/udp_tunnel_core.c:81 + l2tp_tunnel_register+0xc51/0x1210 net/l2tp/l2tp_core.c:1509 + pppol2tp_connect+0xcdc/0x1a10 net/l2tp/l2tp_ppp.c:723 + +Trim the writer-side critical section for sk_callback_lock down to the +minimum, so that it covers only operations on sk_user_data. + +Also, when grabbing the sk_callback_lock, we always need to disable BH, as +Eric points out. Failing to do so leads to deadlocks because we acquire +sk_callback_lock in softirq context, which can get stuck waiting on us if: + +1) it runs on the same CPU, or + + CPU0 + ---- + lock(clock-AF_INET6); + + lock(clock-AF_INET6); + +2) lock ordering leads to priority inversion + + CPU0 CPU1 + ---- ---- + lock(clock-AF_INET6); + local_irq_disable(); + lock(&tcp_hashinfo.bhash[i].lock); + lock(clock-AF_INET6); + + lock(&tcp_hashinfo.bhash[i].lock); + +... as syzbot reports [2,3]. Use the _bh variants for write_(un)lock. + +[1] https://lore.kernel.org/netdev/0000000000004e78ec05eda79749@google.com/ +[2] https://lore.kernel.org/netdev/000000000000e38b6605eda76f98@google.com/ +[3] https://lore.kernel.org/netdev/000000000000dfa31e05eda76f75@google.com/ + +v2: +- Check and set sk_user_data while holding sk_callback_lock for both + L2TP encapsulation types (IP and UDP) (Tetsuo) + +Cc: Tom Parkin +Cc: Tetsuo Handa +Fixes: b68777d54fac ("l2tp: Serialize access to sk_user_data with sk_callback_lock") +Reported-by: Eric Dumazet +Reported-by: syzbot+703d9e154b3b58277261@syzkaller.appspotmail.com +Reported-by: syzbot+50680ced9e98a61f7698@syzkaller.appspotmail.com +Reported-by: syzbot+de987172bb74a381879b@syzkaller.appspotmail.com +Signed-off-by: Jakub Sitnicki +Signed-off-by: David S. Miller +Stable-dep-of: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()") +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index e89852bc5309..d6bb1795329a 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1476,11 +1476,12 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + } + + sk = sock->sk; +- write_lock(&sk->sk_callback_lock); +- ++ write_lock_bh(&sk->sk_callback_lock); + ret = l2tp_validate_socket(sk, net, tunnel->encap); + if (ret < 0) +- goto err_sock; ++ goto err_inval_sock; ++ rcu_assign_sk_user_data(sk, tunnel); ++ write_unlock_bh(&sk->sk_callback_lock); + + tunnel->l2tp_net = net; + pn = l2tp_pernet(net); +@@ -1509,8 +1510,6 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + }; + + setup_udp_tunnel_sock(net, sock, &udp_cfg); +- } else { +- rcu_assign_sk_user_data(sk, tunnel); + } + + tunnel->old_sk_destruct = sk->sk_destruct; +@@ -1524,16 +1523,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + if (tunnel->fd >= 0) + sockfd_put(sock); + +- write_unlock(&sk->sk_callback_lock); + return 0; + + err_sock: ++ write_lock_bh(&sk->sk_callback_lock); ++ rcu_assign_sk_user_data(sk, NULL); ++err_inval_sock: ++ write_unlock_bh(&sk->sk_callback_lock); ++ + if (tunnel->fd < 0) + sock_release(sock); + else + sockfd_put(sock); +- +- write_unlock(&sk->sk_callback_lock); + err: + return ret; + } +-- +2.39.0 + diff --git a/queue-5.10/l2tp-prevent-lockdep-issue-in-l2tp_tunnel_register.patch b/queue-5.10/l2tp-prevent-lockdep-issue-in-l2tp_tunnel_register.patch new file mode 100644 index 00000000000..9081108ef45 --- /dev/null +++ b/queue-5.10/l2tp-prevent-lockdep-issue-in-l2tp_tunnel_register.patch @@ -0,0 +1,58 @@ +From 75231560895eb461bf7d18b2f5657553f2600453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 11:01:31 +0000 +Subject: l2tp: prevent lockdep issue in l2tp_tunnel_register() + +From: Eric Dumazet + +[ Upstream commit b9fb10d131b8c84af9bb14e2078d5c63600c7dea ] + +lockdep complains with the following lock/unlock sequence: + + lock_sock(sk); + write_lock_bh(&sk->sk_callback_lock); +[1] release_sock(sk); +[2] write_unlock_bh(&sk->sk_callback_lock); + +We need to swap [1] and [2] to fix this issue. + +Fixes: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()") +Reported-by: syzbot+bbd35b345c7cab0d9a08@syzkaller.appspotmail.com +Signed-off-by: Eric Dumazet +Link: https://lore.kernel.org/netdev/20230114030137.672706-1-xiyou.wangcong@gmail.com/T/#m1164ff20628671b0f326a24cb106ab3239c70ce3 +Cc: Cong Wang +Cc: Guillaume Nault +Reviewed-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/l2tp/l2tp_core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index 386510a93696..a4b793d1b7d7 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1485,10 +1485,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + lock_sock(sk); + write_lock_bh(&sk->sk_callback_lock); + ret = l2tp_validate_socket(sk, net, tunnel->encap); +- if (ret < 0) { +- release_sock(sk); ++ if (ret < 0) + goto err_inval_sock; +- } + rcu_assign_sk_user_data(sk, tunnel); + write_unlock_bh(&sk->sk_callback_lock); + +@@ -1525,6 +1523,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + + err_inval_sock: + write_unlock_bh(&sk->sk_callback_lock); ++ release_sock(sk); + + if (tunnel->fd < 0) + sock_release(sock); +-- +2.39.0 + diff --git a/queue-5.10/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch b/queue-5.10/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch new file mode 100644 index 00000000000..f41661142f5 --- /dev/null +++ b/queue-5.10/l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch @@ -0,0 +1,123 @@ +From c5d4db521618e699d0cfb54a344b3094c414e813 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 20:16:19 +0100 +Subject: l2tp: Serialize access to sk_user_data with sk_callback_lock + +From: Jakub Sitnicki + +[ Upstream commit b68777d54fac21fc833ec26ea1a2a84f975ab035 ] + +sk->sk_user_data has multiple users, which are not compatible with each +other. Writers must synchronize by grabbing the sk->sk_callback_lock. + +l2tp currently fails to grab the lock when modifying the underlying tunnel +socket fields. Fix it by adding appropriate locking. + +We err on the side of safety and grab the sk_callback_lock also inside the +sk_destruct callback overridden by l2tp, even though there should be no +refs allowing access to the sock at the time when sk_destruct gets called. + +v4: +- serialize write to sk_user_data in l2tp sk_destruct + +v3: +- switch from sock lock to sk_callback_lock +- document write-protection for sk_user_data + +v2: +- update Fixes to point to origin of the bug +- use real names in Reported/Tested-by tags + +Cc: Tom Parkin +Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") +Reported-by: Haowei Yan +Signed-off-by: Jakub Sitnicki +Signed-off-by: David S. Miller +Stable-dep-of: 0b2c59720e65 ("l2tp: close all race conditions in l2tp_tunnel_register()") +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 2 +- + net/l2tp/l2tp_core.c | 19 +++++++++++++------ + 2 files changed, 14 insertions(+), 7 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 90a8b8b26a20..69bbbe8bbf34 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -315,7 +315,7 @@ struct bpf_local_storage; + * @sk_tskey: counter to disambiguate concurrent tstamp requests + * @sk_zckey: counter to order MSG_ZEROCOPY notifications + * @sk_socket: Identd and reporting IO signals +- * @sk_user_data: RPC layer private data ++ * @sk_user_data: RPC layer private data. Write-protected by @sk_callback_lock. + * @sk_frag: cached page frag + * @sk_peek_off: current peek_offset value + * @sk_send_head: front of stuff to transmit +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index dc8987ed08ad..e89852bc5309 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -1150,8 +1150,10 @@ static void l2tp_tunnel_destruct(struct sock *sk) + } + + /* Remove hooks into tunnel socket */ ++ write_lock_bh(&sk->sk_callback_lock); + sk->sk_destruct = tunnel->old_sk_destruct; + sk->sk_user_data = NULL; ++ write_unlock_bh(&sk->sk_callback_lock); + + /* Call the original destructor */ + if (sk->sk_destruct) +@@ -1471,16 +1473,18 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + sock = sockfd_lookup(tunnel->fd, &ret); + if (!sock) + goto err; +- +- ret = l2tp_validate_socket(sock->sk, net, tunnel->encap); +- if (ret < 0) +- goto err_sock; + } + ++ sk = sock->sk; ++ write_lock(&sk->sk_callback_lock); ++ ++ ret = l2tp_validate_socket(sk, net, tunnel->encap); ++ if (ret < 0) ++ goto err_sock; ++ + tunnel->l2tp_net = net; + pn = l2tp_pernet(net); + +- sk = sock->sk; + sock_hold(sk); + tunnel->sock = sk; + +@@ -1506,7 +1510,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + + setup_udp_tunnel_sock(net, sock, &udp_cfg); + } else { +- sk->sk_user_data = tunnel; ++ rcu_assign_sk_user_data(sk, tunnel); + } + + tunnel->old_sk_destruct = sk->sk_destruct; +@@ -1520,6 +1524,7 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + if (tunnel->fd >= 0) + sockfd_put(sock); + ++ write_unlock(&sk->sk_callback_lock); + return 0; + + err_sock: +@@ -1527,6 +1532,8 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + sock_release(sock); + else + sockfd_put(sock); ++ ++ write_unlock(&sk->sk_callback_lock); + err: + return ret; + } +-- +2.39.0 + diff --git a/queue-5.10/lockref-stop-doing-cpu_relax-in-the-cmpxchg-loop.patch b/queue-5.10/lockref-stop-doing-cpu_relax-in-the-cmpxchg-loop.patch new file mode 100644 index 00000000000..8639f91961e --- /dev/null +++ b/queue-5.10/lockref-stop-doing-cpu_relax-in-the-cmpxchg-loop.patch @@ -0,0 +1,107 @@ +From 7475019defa26e4bd1b49b5e9b8c0b8fbe800a0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jan 2023 19:44:47 +0100 +Subject: lockref: stop doing cpu_relax in the cmpxchg loop + +From: Mateusz Guzik + +[ Upstream commit f5fe24ef17b5fbe6db49534163e77499fb10ae8c ] + +On the x86-64 architecture even a failing cmpxchg grants exclusive +access to the cacheline, making it preferable to retry the failed op +immediately instead of stalling with the pause instruction. + +To illustrate the impact, below are benchmark results obtained by +running various will-it-scale tests on top of the 6.2-rc3 kernel and +Cascade Lake (2 sockets * 24 cores * 2 threads) CPU. + +All results in ops/s. Note there is some variance in re-runs, but the +code is consistently faster when contention is present. + + open3 ("Same file open/close"): + proc stock no-pause + 1 805603 814942 (+%1) + 2 1054980 1054781 (-0%) + 8 1544802 1822858 (+18%) + 24 1191064 2199665 (+84%) + 48 851582 1469860 (+72%) + 96 609481 1427170 (+134%) + + fstat2 ("Same file fstat"): + proc stock no-pause + 1 3013872 3047636 (+1%) + 2 4284687 4400421 (+2%) + 8 3257721 5530156 (+69%) + 24 2239819 5466127 (+144%) + 48 1701072 5256609 (+209%) + 96 1269157 6649326 (+423%) + +Additionally, a kernel with a private patch to help access() scalability: +access2 ("Same file access"): + + proc stock patched patched + +nopause + 24 2378041 2005501 5370335 (-15% / +125%) + +That is, fixing the problems in access itself *reduces* scalability +after the cacheline ping-pong only happens in lockref with the pause +instruction. + +Note that fstat and access benchmarks are not currently integrated into +will-it-scale, but interested parties can find them in pull requests to +said project. + +Code at hand has a rather tortured history. First modification showed +up in commit d472d9d98b46 ("lockref: Relax in cmpxchg loop"), written +with Itanium in mind. Later it got patched up to use an arch-dependent +macro to stop doing it on s390 where it caused a significant regression. +Said macro had undergone revisions and was ultimately eliminated later, +going back to cpu_relax. + +While I intended to only remove cpu_relax for x86-64, I got the +following comment from Linus: + + I would actually prefer just removing it entirely and see if + somebody else hollers. You have the numbers to prove it hurts on + real hardware, and I don't think we have any numbers to the + contrary. + + So I think it's better to trust the numbers and remove it as a + failure, than say "let's just remove it on x86-64 and leave + everybody else with the potentially broken code" + +Additionally, Will Deacon (maintainer of the arm64 port, one of the +architectures previously benchmarked): + + So, from the arm64 side of the fence, I'm perfectly happy just + removing the cpu_relax() calls from lockref. + +As such, come back full circle in history and whack it altogether. + +Signed-off-by: Mateusz Guzik +Link: https://lore.kernel.org/all/CAGudoHHx0Nqg6DE70zAVA75eV-HXfWyhVMWZ-aSeOofkA_=WdA@mail.gmail.com/ +Acked-by: Tony Luck # ia64 +Acked-by: Nicholas Piggin # powerpc +Acked-by: Will Deacon # arm64 +Acked-by: Peter Zijlstra +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/lockref.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/lib/lockref.c b/lib/lockref.c +index 5b34bbd3eba8..81ac5f355242 100644 +--- a/lib/lockref.c ++++ b/lib/lockref.c +@@ -24,7 +24,6 @@ + } \ + if (!--retry) \ + break; \ +- cpu_relax(); \ + } \ + } while (0) + +-- +2.39.0 + diff --git a/queue-5.10/memory-atmel-sdramc-fix-missing-clk_disable_unprepar.patch b/queue-5.10/memory-atmel-sdramc-fix-missing-clk_disable_unprepar.patch new file mode 100644 index 00000000000..9dd1f9d0337 --- /dev/null +++ b/queue-5.10/memory-atmel-sdramc-fix-missing-clk_disable_unprepar.patch @@ -0,0 +1,52 @@ +From 2ddca0ad733da32c6de3bf5c37c0a6b08de01d91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 15:37:57 +0800 +Subject: memory: atmel-sdramc: Fix missing clk_disable_unprepare in + atmel_ramc_probe() + +From: Gaosheng Cui + +[ Upstream commit 340cb392a038cf70540a4cdf2e98a247c66b6df4 ] + +The clk_disable_unprepare() should be called in the error handling +of caps->has_mpddr_clk, fix it by replacing devm_clk_get and +clk_prepare_enable by devm_clk_get_enabled. + +Fixes: e81b6abebc87 ("memory: add a driver for atmel ram controllers") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221125073757.3535219-1-cuigaosheng1@huawei.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/atmel-sdramc.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/memory/atmel-sdramc.c b/drivers/memory/atmel-sdramc.c +index 9c49d00c2a96..ea6e9e1eaf04 100644 +--- a/drivers/memory/atmel-sdramc.c ++++ b/drivers/memory/atmel-sdramc.c +@@ -47,19 +47,17 @@ static int atmel_ramc_probe(struct platform_device *pdev) + caps = of_device_get_match_data(&pdev->dev); + + if (caps->has_ddrck) { +- clk = devm_clk_get(&pdev->dev, "ddrck"); ++ clk = devm_clk_get_enabled(&pdev->dev, "ddrck"); + if (IS_ERR(clk)) + return PTR_ERR(clk); +- clk_prepare_enable(clk); + } + + if (caps->has_mpddr_clk) { +- clk = devm_clk_get(&pdev->dev, "mpddr"); ++ clk = devm_clk_get_enabled(&pdev->dev, "mpddr"); + if (IS_ERR(clk)) { + pr_err("AT91 RAMC: couldn't get mpddr clock\n"); + return PTR_ERR(clk); + } +- clk_prepare_enable(clk); + } + + return 0; +-- +2.39.0 + diff --git a/queue-5.10/memory-mvebu-devbus-fix-missing-clk_disable_unprepar.patch b/queue-5.10/memory-mvebu-devbus-fix-missing-clk_disable_unprepar.patch new file mode 100644 index 00000000000..a54957b974e --- /dev/null +++ b/queue-5.10/memory-mvebu-devbus-fix-missing-clk_disable_unprepar.patch @@ -0,0 +1,42 @@ +From 6ea8d35280697c84c2173773a64695195643a5c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 12:49:11 +0800 +Subject: memory: mvebu-devbus: Fix missing clk_disable_unprepare in + mvebu_devbus_probe() + +From: Gaosheng Cui + +[ Upstream commit cb8fd6f75775165390ededea8799b60d93d9fe3e ] + +The clk_disable_unprepare() should be called in the error handling +of devbus_get_timing_params() and of_platform_populate(), fix it by +replacing devm_clk_get and clk_prepare_enable by devm_clk_get_enabled. + +Fixes: e81b6abebc87 ("memory: add a driver for atmel ram controllers") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221126044911.7226-1-cuigaosheng1@huawei.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/mvebu-devbus.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/memory/mvebu-devbus.c b/drivers/memory/mvebu-devbus.c +index 8450638e8670..efc6c08db2b7 100644 +--- a/drivers/memory/mvebu-devbus.c ++++ b/drivers/memory/mvebu-devbus.c +@@ -280,10 +280,9 @@ static int mvebu_devbus_probe(struct platform_device *pdev) + if (IS_ERR(devbus->base)) + return PTR_ERR(devbus->base); + +- clk = devm_clk_get(&pdev->dev, NULL); ++ clk = devm_clk_get_enabled(&pdev->dev, NULL); + if (IS_ERR(clk)) + return PTR_ERR(clk); +- clk_prepare_enable(clk); + + /* + * Obtain clock period in picoseconds, +-- +2.39.0 + diff --git a/queue-5.10/net-dsa-microchip-ksz9477-port-map-correction-in-alu.patch b/queue-5.10/net-dsa-microchip-ksz9477-port-map-correction-in-alu.patch new file mode 100644 index 00000000000..8e4869ae67a --- /dev/null +++ b/queue-5.10/net-dsa-microchip-ksz9477-port-map-correction-in-alu.patch @@ -0,0 +1,56 @@ +From e242385f8cdb358ec4c70576b948d0f27a316cd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 23:17:35 +0530 +Subject: net: dsa: microchip: ksz9477: port map correction in ALU table entry + register + +From: Rakesh Sankaranarayanan + +[ Upstream commit 6c977c5c2e4c5d8ad1b604724cc344e38f96fe9b ] + +ALU table entry 2 register in KSZ9477 have bit positions reserved for +forwarding port map. This field is referred in ksz9477_fdb_del() for +clearing forward port map and alu table. + +But current fdb_del refer ALU table entry 3 register for accessing forward +port map. Update ksz9477_fdb_del() to get forward port map from correct +alu table entry register. + +With this bug, issue can be observed while deleting static MAC entries. +Delete any specific MAC entry using "bridge fdb del" command. This should +clear all the specified MAC entries. But it is observed that entries with +self static alone are retained. + +Tested on LAN9370 EVB since ksz9477_fdb_del() is used common across +LAN937x and KSZ series. + +Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477") +Signed-off-by: Rakesh Sankaranarayanan +Reviewed-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20230118174735.702377-1-rakesh.sankaranarayanan@microchip.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/microchip/ksz9477.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/dsa/microchip/ksz9477.c b/drivers/net/dsa/microchip/ksz9477.c +index ece4c0512ee2..f42f2f4e4b60 100644 +--- a/drivers/net/dsa/microchip/ksz9477.c ++++ b/drivers/net/dsa/microchip/ksz9477.c +@@ -678,10 +678,10 @@ static int ksz9477_port_fdb_del(struct dsa_switch *ds, int port, + ksz_read32(dev, REG_SW_ALU_VAL_D, &alu_table[3]); + + /* clear forwarding port */ +- alu_table[2] &= ~BIT(port); ++ alu_table[1] &= ~BIT(port); + + /* if there is no port to forward, clear table */ +- if ((alu_table[2] & ALU_V_PORT_MAP) == 0) { ++ if ((alu_table[1] & ALU_V_PORT_MAP) == 0) { + alu_table[0] = 0; + alu_table[1] = 0; + alu_table[2] = 0; +-- +2.39.0 + diff --git a/queue-5.10/net-macb-fix-ptp-tx-timestamp-failure-due-to-packet-.patch b/queue-5.10/net-macb-fix-ptp-tx-timestamp-failure-due-to-packet-.patch new file mode 100644 index 00000000000..b4210a86d96 --- /dev/null +++ b/queue-5.10/net-macb-fix-ptp-tx-timestamp-failure-due-to-packet-.patch @@ -0,0 +1,77 @@ +From ffc74250d3112d08bcc3632d17b1a96eb6df7905 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 15:41:33 -0600 +Subject: net: macb: fix PTP TX timestamp failure due to packet padding + +From: Robert Hancock + +[ Upstream commit 7b90f5a665acd46efbbfa677a3a3a18d01ad6487 ] + +PTP TX timestamp handling was observed to be broken with this driver +when using the raw Layer 2 PTP encapsulation. ptp4l was not receiving +the expected TX timestamp after transmitting a packet, causing it to +enter a failure state. + +The problem appears to be due to the way that the driver pads packets +which are smaller than the Ethernet minimum of 60 bytes. If headroom +space was available in the SKB, this caused the driver to move the data +back to utilize it. However, this appears to cause other data references +in the SKB to become inconsistent. In particular, this caused the +ptp_one_step_sync function to later (in the TX completion path) falsely +detect the packet as a one-step SYNC packet, even when it was not, which +caused the TX timestamp to not be processed when it should be. + +Using the headroom for this purpose seems like an unnecessary complexity +as this is not a hot path in the driver, and in most cases it appears +that there is sufficient tailroom to not require using the headroom +anyway. Remove this usage of headroom to prevent this inconsistency from +occurring and causing other problems. + +Fixes: 653e92a9175e ("net: macb: add support for padding and fcs computation") +Signed-off-by: Robert Hancock +Reviewed-by: Jacob Keller +Tested-by: Claudiu Beznea # on SAMA7G5 +Reviewed-by: Claudiu Beznea +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 792c8147c2c4..e0d62e251387 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1963,7 +1963,6 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev) + bool cloned = skb_cloned(*skb) || skb_header_cloned(*skb) || + skb_is_nonlinear(*skb); + int padlen = ETH_ZLEN - (*skb)->len; +- int headroom = skb_headroom(*skb); + int tailroom = skb_tailroom(*skb); + struct sk_buff *nskb; + u32 fcs; +@@ -1977,9 +1976,6 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev) + /* FCS could be appeded to tailroom. */ + if (tailroom >= ETH_FCS_LEN) + goto add_fcs; +- /* FCS could be appeded by moving data to headroom. */ +- else if (!cloned && headroom + tailroom >= ETH_FCS_LEN) +- padlen = 0; + /* No room for FCS, need to reallocate skb. */ + else + padlen = ETH_FCS_LEN; +@@ -1988,10 +1984,7 @@ static int macb_pad_and_fcs(struct sk_buff **skb, struct net_device *ndev) + padlen += ETH_FCS_LEN; + } + +- if (!cloned && headroom + tailroom >= padlen) { +- (*skb)->data = memmove((*skb)->head, (*skb)->data, (*skb)->len); +- skb_set_tail_pointer(*skb, (*skb)->len); +- } else { ++ if (cloned || tailroom < padlen) { + nskb = skb_copy_expand(*skb, 0, padlen, GFP_ATOMIC); + if (!nskb) + return -ENOMEM; +-- +2.39.0 + diff --git a/queue-5.10/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch b/queue-5.10/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch new file mode 100644 index 00000000000..ebd105cbb34 --- /dev/null +++ b/queue-5.10/net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch @@ -0,0 +1,44 @@ +From bd79dcbde0345ec2a1799b65107414903fe0120f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jan 2023 11:54:06 +0100 +Subject: net: mdio: validate parameter addr in mdiobus_get_phy() + +From: Heiner Kallweit + +[ Upstream commit 867dbe784c5010a466f00a7d1467c1c5ea569c75 ] + +The caller may pass any value as addr, what may result in an out-of-bounds +access to array mdio_map. One existing case is stmmac_init_phy() that +may pass -1 as addr. Therefore validate addr before using it. + +Fixes: 7f854420fbfe ("phy: Add API for {un}registering an mdio device to a bus.") +Signed-off-by: Heiner Kallweit +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/cdf664ea-3312-e915-73f8-021678d08887@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio_bus.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c +index 77ba6c3c7a09..e9303be48655 100644 +--- a/drivers/net/phy/mdio_bus.c ++++ b/drivers/net/phy/mdio_bus.c +@@ -108,7 +108,12 @@ EXPORT_SYMBOL(mdiobus_unregister_device); + + struct phy_device *mdiobus_get_phy(struct mii_bus *bus, int addr) + { +- struct mdio_device *mdiodev = bus->mdio_map[addr]; ++ struct mdio_device *mdiodev; ++ ++ if (addr < 0 || addr >= ARRAY_SIZE(bus->mdio_map)) ++ return NULL; ++ ++ mdiodev = bus->mdio_map[addr]; + + if (!mdiodev) + return NULL; +-- +2.39.0 + diff --git a/queue-5.10/net-mlx5-eliminate-anonymous-module_init-module_exit.patch b/queue-5.10/net-mlx5-eliminate-anonymous-module_init-module_exit.patch new file mode 100644 index 00000000000..180abf6d160 --- /dev/null +++ b/queue-5.10/net-mlx5-eliminate-anonymous-module_init-module_exit.patch @@ -0,0 +1,76 @@ +From 7a8b5aaa830963c666974c61b536284551af17c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Aug 2022 20:12:29 -0700 +Subject: net: mlx5: eliminate anonymous module_init & module_exit + +From: Randy Dunlap + +[ Upstream commit 2c1e1b949024989e20907b84e11a731a50778416 ] + +Eliminate anonymous module_init() and module_exit(), which can lead to +confusion or ambiguity when reading System.map, crashes/oops/bugs, +or an initcall_debug log. + +Give each of these init and exit functions unique driver-specific +names to eliminate the anonymous names. + +Example 1: (System.map) + ffffffff832fc78c t init + ffffffff832fc79e t init + ffffffff832fc8f8 t init + +Example 2: (initcall_debug log) + calling init+0x0/0x12 @ 1 + initcall init+0x0/0x12 returned 0 after 15 usecs + calling init+0x0/0x60 @ 1 + initcall init+0x0/0x60 returned 0 after 2 usecs + calling init+0x0/0x9a @ 1 + initcall init+0x0/0x9a returned 0 after 74 usecs + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: Randy Dunlap +Cc: Eli Cohen +Cc: Saeed Mahameed +Cc: Leon Romanovsky +Cc: linux-rdma@vger.kernel.org +Reviewed-by: Ira Weiny +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 29bc1df28aeb..112eaef186e1 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1642,7 +1642,7 @@ static void mlx5_core_verify_params(void) + } + } + +-static int __init init(void) ++static int __init mlx5_init(void) + { + int err; + +@@ -1667,7 +1667,7 @@ static int __init init(void) + return err; + } + +-static void __exit cleanup(void) ++static void __exit mlx5_cleanup(void) + { + #ifdef CONFIG_MLX5_CORE_EN + mlx5e_cleanup(); +@@ -1676,5 +1676,5 @@ static void __exit cleanup(void) + mlx5_unregister_debugfs(); + } + +-module_init(init); +-module_exit(cleanup); ++module_init(mlx5_init); ++module_exit(mlx5_cleanup); +-- +2.39.0 + diff --git a/queue-5.10/net-nfc-fix-use-after-free-in-local_cleanup.patch b/queue-5.10/net-nfc-fix-use-after-free-in-local_cleanup.patch new file mode 100644 index 00000000000..d3f66a896f6 --- /dev/null +++ b/queue-5.10/net-nfc-fix-use-after-free-in-local_cleanup.patch @@ -0,0 +1,112 @@ +From 6b090b4d3907d3b6c325ae1dc1e846bba7d69891 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:19:14 +0900 +Subject: net: nfc: Fix use-after-free in local_cleanup() + +From: Jisoo Jang + +[ Upstream commit 4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6 ] + +Fix a use-after-free that occurs in kfree_skb() called from +local_cleanup(). This could happen when killing nfc daemon (e.g. neard) +after detaching an nfc device. +When detaching an nfc device, local_cleanup() called from +nfc_llcp_unregister_device() frees local->rx_pending and decreases +local->ref by kref_put() in nfc_llcp_local_put(). +In the terminating process, nfc daemon releases all sockets and it leads +to decreasing local->ref. After the last release of local->ref, +local_cleanup() called from local_release() frees local->rx_pending +again, which leads to the bug. + +Setting local->rx_pending to NULL in local_cleanup() could prevent +use-after-free when local_cleanup() is called twice. + +Found by a modified version of syzkaller. + +BUG: KASAN: use-after-free in kfree_skb() + +Call Trace: +dump_stack_lvl (lib/dump_stack.c:106) +print_address_description.constprop.0.cold (mm/kasan/report.c:306) +kasan_check_range (mm/kasan/generic.c:189) +kfree_skb (net/core/skbuff.c:955) +local_cleanup (net/nfc/llcp_core.c:159) +nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172) +nfc_llcp_local_put (net/nfc/llcp_core.c:181) +llcp_sock_destruct (net/nfc/llcp_sock.c:959) +__sk_destruct (net/core/sock.c:2133) +sk_destruct (net/core/sock.c:2181) +__sk_free (net/core/sock.c:2192) +sk_free (net/core/sock.c:2203) +llcp_sock_release (net/nfc/llcp_sock.c:646) +__sock_release (net/socket.c:650) +sock_close (net/socket.c:1365) +__fput (fs/file_table.c:306) +task_work_run (kernel/task_work.c:179) +ptrace_notify (kernel/signal.c:2354) +syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278) +syscall_exit_to_user_mode (kernel/entry/common.c:296) +do_syscall_64 (arch/x86/entry/common.c:86) +entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106) + +Allocated by task 4719: +kasan_save_stack (mm/kasan/common.c:45) +__kasan_slab_alloc (mm/kasan/common.c:325) +slab_post_alloc_hook (mm/slab.h:766) +kmem_cache_alloc_node (mm/slub.c:3497) +__alloc_skb (net/core/skbuff.c:552) +pn533_recv_response (drivers/nfc/pn533/usb.c:65) +__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671) +usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704) +tasklet_action_common.isra.0 (kernel/softirq.c:797) +__do_softirq (kernel/softirq.c:571) + +Freed by task 1901: +kasan_save_stack (mm/kasan/common.c:45) +kasan_set_track (mm/kasan/common.c:52) +kasan_save_free_info (mm/kasan/genericdd.c:518) +__kasan_slab_free (mm/kasan/common.c:236) +kmem_cache_free (mm/slub.c:3809) +kfree_skbmem (net/core/skbuff.c:874) +kfree_skb (net/core/skbuff.c:931) +local_cleanup (net/nfc/llcp_core.c:159) +nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617) +nfc_unregister_device (net/nfc/core.c:1179) +pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846) +pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579) +usb_unbind_interface (drivers/usb/core/driver.c:458) +device_release_driver_internal (drivers/base/dd.c:1279) +bus_remove_device (drivers/base/bus.c:529) +device_del (drivers/base/core.c:3665) +usb_disable_device (drivers/usb/core/message.c:1420) +usb_disconnect (drivers/usb/core.c:2261) +hub_event (drivers/usb/core/hub.c:5833) +process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281) +worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423) +kthread (kernel/kthread.c:319) +ret_from_fork (arch/x86/entry/entry_64.S:301) + +Fixes: 3536da06db0b ("NFC: llcp: Clean local timers and works when removing a device") +Signed-off-by: Jisoo Jang +Link: https://lore.kernel.org/r/20230111131914.3338838-1-jisoo.jang@yonsei.ac.kr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/nfc/llcp_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/nfc/llcp_core.c b/net/nfc/llcp_core.c +index cc997518f79d..edadebb3efd2 100644 +--- a/net/nfc/llcp_core.c ++++ b/net/nfc/llcp_core.c +@@ -159,6 +159,7 @@ static void local_cleanup(struct nfc_llcp_local *local) + cancel_work_sync(&local->rx_work); + cancel_work_sync(&local->timeout_work); + kfree_skb(local->rx_pending); ++ local->rx_pending = NULL; + del_timer_sync(&local->sdreq_timer); + cancel_work_sync(&local->sdreq_timeout_work); + nfc_llcp_free_sdp_tlv_list(&local->pending_sdreqs); +-- +2.39.0 + diff --git a/queue-5.10/net-sched-sch_taprio-fix-possible-use-after-free.patch b/queue-5.10/net-sched-sch_taprio-fix-possible-use-after-free.patch new file mode 100644 index 00000000000..23603058b2c --- /dev/null +++ b/queue-5.10/net-sched-sch_taprio-fix-possible-use-after-free.patch @@ -0,0 +1,128 @@ +From 13ab9e2969f9d139039a1240b4dea6b20f0c5c91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jan 2023 16:48:49 +0000 +Subject: net/sched: sch_taprio: fix possible use-after-free + +From: Eric Dumazet + +[ Upstream commit 3a415d59c1dbec9d772dbfab2d2520d98360caae ] + +syzbot reported a nasty crash [1] in net_tx_action() which +made little sense until we got a repro. + +This repro installs a taprio qdisc, but providing an +invalid TCA_RATE attribute. + +qdisc_create() has to destroy the just initialized +taprio qdisc, and taprio_destroy() is called. + +However, the hrtimer used by taprio had already fired, +therefore advance_sched() called __netif_schedule(). + +Then net_tx_action was trying to use a destroyed qdisc. + +We can not undo the __netif_schedule(), so we must wait +until one cpu serviced the qdisc before we can proceed. + +Many thanks to Alexander Potapenko for his help. + +[1] +BUG: KMSAN: uninit-value in queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline] +BUG: KMSAN: uninit-value in do_raw_spin_trylock include/linux/spinlock.h:191 [inline] +BUG: KMSAN: uninit-value in __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline] +BUG: KMSAN: uninit-value in _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138 + queued_spin_trylock include/asm-generic/qspinlock.h:94 [inline] + do_raw_spin_trylock include/linux/spinlock.h:191 [inline] + __raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline] + _raw_spin_trylock+0x92/0xa0 kernel/locking/spinlock.c:138 + spin_trylock include/linux/spinlock.h:359 [inline] + qdisc_run_begin include/net/sch_generic.h:187 [inline] + qdisc_run+0xee/0x540 include/net/pkt_sched.h:125 + net_tx_action+0x77c/0x9a0 net/core/dev.c:5086 + __do_softirq+0x1cc/0x7fb kernel/softirq.c:571 + run_ksoftirqd+0x2c/0x50 kernel/softirq.c:934 + smpboot_thread_fn+0x554/0x9f0 kernel/smpboot.c:164 + kthread+0x31b/0x430 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:732 [inline] + slab_alloc_node mm/slub.c:3258 [inline] + __kmalloc_node_track_caller+0x814/0x1250 mm/slub.c:4970 + kmalloc_reserve net/core/skbuff.c:358 [inline] + __alloc_skb+0x346/0xcf0 net/core/skbuff.c:430 + alloc_skb include/linux/skbuff.h:1257 [inline] + nlmsg_new include/net/netlink.h:953 [inline] + netlink_ack+0x5f3/0x12b0 net/netlink/af_netlink.c:2436 + netlink_rcv_skb+0x55d/0x6c0 net/netlink/af_netlink.c:2507 + rtnetlink_rcv+0x30/0x40 net/core/rtnetlink.c:6108 + netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] + netlink_unicast+0xf3b/0x1270 net/netlink/af_netlink.c:1345 + netlink_sendmsg+0x1288/0x1440 net/netlink/af_netlink.c:1921 + sock_sendmsg_nosec net/socket.c:714 [inline] + sock_sendmsg net/socket.c:734 [inline] + ____sys_sendmsg+0xabc/0xe90 net/socket.c:2482 + ___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2536 + __sys_sendmsg net/socket.c:2565 [inline] + __do_sys_sendmsg net/socket.c:2574 [inline] + __se_sys_sendmsg net/socket.c:2572 [inline] + __x64_sys_sendmsg+0x367/0x540 net/socket.c:2572 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 6.0.0-rc2-syzkaller-47461-gac3859c02d7f #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 + +Fixes: 5a781ccbd19e ("tc: Add support for configuring the taprio scheduler") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: Alexander Potapenko +Cc: Vinicius Costa Gomes +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 7 +++++++ + net/sched/sch_taprio.c | 3 +++ + 2 files changed, 10 insertions(+) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index e7e8c318925d..61cd19ee51f4 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -1325,4 +1325,11 @@ static inline int skb_tc_reinsert(struct sk_buff *skb, struct tcf_result *res) + return res->ingress ? netif_receive_skb(skb) : dev_queue_xmit(skb); + } + ++/* Make sure qdisc is no longer in SCHED state. */ ++static inline void qdisc_synchronize(const struct Qdisc *q) ++{ ++ while (test_bit(__QDISC_STATE_SCHED, &q->state)) ++ msleep(1); ++} ++ + #endif +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index 7f33b31c7b8b..5411bb4cdfc8 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -1621,6 +1621,8 @@ static void taprio_reset(struct Qdisc *sch) + int i; + + hrtimer_cancel(&q->advance_timer); ++ qdisc_synchronize(sch); ++ + if (q->qdiscs) { + for (i = 0; i < dev->num_tx_queues; i++) + if (q->qdiscs[i]) +@@ -1642,6 +1644,7 @@ static void taprio_destroy(struct Qdisc *sch) + * happens in qdisc_create(), after taprio_init() has been called. + */ + hrtimer_cancel(&q->advance_timer); ++ qdisc_synchronize(sch); + + taprio_disable_offload(dev, q, NULL); + +-- +2.39.0 + diff --git a/queue-5.10/net-stmmac-fix-invalid-call-to-mdiobus_get_phy.patch b/queue-5.10/net-stmmac-fix-invalid-call-to-mdiobus_get_phy.patch new file mode 100644 index 00000000000..ffe7448464f --- /dev/null +++ b/queue-5.10/net-stmmac-fix-invalid-call-to-mdiobus_get_phy.patch @@ -0,0 +1,42 @@ +From 06efcd076ef508c2fc357307c6ab8f04f8e14ef7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 15 Jan 2023 18:24:08 +0100 +Subject: net: stmmac: fix invalid call to mdiobus_get_phy() + +From: Heiner Kallweit + +[ Upstream commit 1f3bd64ad921f051254591fbed04fd30b306cde6 ] + +In a number of cases the driver assigns a default value of -1 to +priv->plat->phy_addr. This may result in calling mdiobus_get_phy() +with addr parameter being -1. Therefore check for this scenario and +bail out before calling mdiobus_get_phy(). + +Fixes: 42e87024f727 ("net: stmmac: Fix case when PHY handle is not present") +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/669f9671-ecd1-a41b-2727-7b73e3003985@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +index 14ea0168b548..b52ca2fe04d8 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1125,6 +1125,11 @@ static int stmmac_init_phy(struct net_device *dev) + int addr = priv->plat->phy_addr; + struct phy_device *phydev; + ++ if (addr < 0) { ++ netdev_err(priv->dev, "no phy found\n"); ++ return -ENODEV; ++ } ++ + phydev = mdiobus_get_phy(priv->mii, addr); + if (!phydev) { + netdev_err(priv->dev, "no phy at addr %d\n", addr); +-- +2.39.0 + diff --git a/queue-5.10/net-usb-sr9700-handle-negative-len.patch b/queue-5.10/net-usb-sr9700-handle-negative-len.patch new file mode 100644 index 00000000000..1c8b2907577 --- /dev/null +++ b/queue-5.10/net-usb-sr9700-handle-negative-len.patch @@ -0,0 +1,41 @@ +From 8f8332ec8383f5273bed0f435b57a4c44e7a98c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 19:23:26 +0100 +Subject: net: usb: sr9700: Handle negative len + +From: Szymon Heidrich + +[ Upstream commit ecf7cf8efb59789e2b21d2f9ab926142579092b2 ] + +Packet len computed as difference of length word extracted from +skb data and four may result in a negative value. In such case +processing of the buffer should be interrupted rather than +setting sr_skb->len to an unexpectedly large value (due to cast +from signed to unsigned integer) and passing sr_skb to +usbnet_skb_return. + +Fixes: e9da0b56fe27 ("sr9700: sanity check for packet length") +Signed-off-by: Szymon Heidrich +Link: https://lore.kernel.org/r/20230114182326.30479-1-szymon.heidrich@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/sr9700.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c +index fce6713e970b..811c8751308c 100644 +--- a/drivers/net/usb/sr9700.c ++++ b/drivers/net/usb/sr9700.c +@@ -410,7 +410,7 @@ static int sr9700_rx_fixup(struct usbnet *dev, struct sk_buff *skb) + /* ignore the CRC length */ + len = (skb->data[1] | (skb->data[2] << 8)) - 4; + +- if (len > ETH_FRAME_LEN || len > skb->len) ++ if (len > ETH_FRAME_LEN || len > skb->len || len < 0) + return 0; + + /* the last packet of current skb */ +-- +2.39.0 + diff --git a/queue-5.10/net-wan-add-checks-for-null-for-utdm-in-undo_uhdlc_i.patch b/queue-5.10/net-wan-add-checks-for-null-for-utdm-in-undo_uhdlc_i.patch new file mode 100644 index 00000000000..3e2f9de7fd3 --- /dev/null +++ b/queue-5.10/net-wan-add-checks-for-null-for-utdm-in-undo_uhdlc_i.patch @@ -0,0 +1,47 @@ +From 5b926926da3b94c24afa369f2d2d67abe8c5d2cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 10:47:03 +0300 +Subject: net: wan: Add checks for NULL for utdm in undo_uhdlc_init and + unmap_si_regs + +From: Esina Ekaterina + +[ Upstream commit 488e0bf7f34af3d42d1d5e56f7a5a7beaff188a3 ] + +If uhdlc_priv_tsa != 1 then utdm is not initialized. +And if ret != NULL then goto undo_uhdlc_init, where +utdm is dereferenced. Same if dev == NULL. + +Found by Astra Linux on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: 8d68100ab4ad ("soc/fsl/qe: fix err handling of ucc_of_parse_tdm") +Signed-off-by: Esina Ekaterina +Link: https://lore.kernel.org/r/20230112074703.13558-1-eesina@astralinux.ru +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/wan/fsl_ucc_hdlc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wan/fsl_ucc_hdlc.c b/drivers/net/wan/fsl_ucc_hdlc.c +index 7eac6a3e1cde..ae1ae65e7f90 100644 +--- a/drivers/net/wan/fsl_ucc_hdlc.c ++++ b/drivers/net/wan/fsl_ucc_hdlc.c +@@ -1245,9 +1245,11 @@ static int ucc_hdlc_probe(struct platform_device *pdev) + free_dev: + free_netdev(dev); + undo_uhdlc_init: +- iounmap(utdm->siram); ++ if (utdm) ++ iounmap(utdm->siram); + unmap_si_regs: +- iounmap(utdm->si_regs); ++ if (utdm) ++ iounmap(utdm->si_regs); + free_utdm: + if (uhdlc_priv->tsa) + kfree(utdm); +-- +2.39.0 + diff --git a/queue-5.10/nvme-pci-fix-timeout-request-state-check.patch b/queue-5.10/nvme-pci-fix-timeout-request-state-check.patch new file mode 100644 index 00000000000..8ae9e337a43 --- /dev/null +++ b/queue-5.10/nvme-pci-fix-timeout-request-state-check.patch @@ -0,0 +1,42 @@ +From 21fbad7630a1eb3d13c1043c82816b61501bc6c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 08:44:16 -0800 +Subject: nvme-pci: fix timeout request state check + +From: Keith Busch + +[ Upstream commit 1c5842085851f786eba24a39ecd02650ad892064 ] + +Polling the completion can progress the request state to IDLE, either +inline with the completion, or through softirq. Either way, the state +may not be COMPLETED, so don't check for that. We only care if the state +isn't IN_FLIGHT. + +This is fixing an issue where the driver aborts an IO that we just +completed. Seeing the "aborting" message instead of "polled" is very +misleading as to where the timeout problem resides. + +Fixes: bf392a5dc02a9b ("nvme-pci: Remove tag from process cq") +Signed-off-by: Keith Busch +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 67dd68462b81..c47512da9872 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1292,7 +1292,7 @@ static enum blk_eh_timer_return nvme_timeout(struct request *req, bool reserved) + else + nvme_poll_irqdisable(nvmeq); + +- if (blk_mq_request_completed(req)) { ++ if (blk_mq_rq_state(req) != MQ_RQ_IN_FLIGHT) { + dev_warn(dev->ctrl.device, + "I/O %d QID %d timeout, completion polled\n", + req->tag, nvmeq->qid); +-- +2.39.0 + diff --git a/queue-5.10/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch b/queue-5.10/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch new file mode 100644 index 00000000000..4291ed1ddc8 --- /dev/null +++ b/queue-5.10/phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch @@ -0,0 +1,41 @@ +From ff26ea4a9690c743d99a81e3619c23e478d4c3de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 19:58:23 +0800 +Subject: phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in + rockchip_usb2phy_power_on() + +From: Shang XiaoJing + +[ Upstream commit 5daba914da0e48950e9407ea4d75fa57029c9adc ] + +The clk_disable_unprepare() should be called in the error handling of +rockchip_usb2phy_power_on(). + +Fixes: 0e08d2a727e6 ("phy: rockchip-inno-usb2: add a new driver for Rockchip usb2phy") +Signed-off-by: Shang XiaoJing +Link: https://lore.kernel.org/r/20221205115823.16957-1-shangxiaojing@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +index 46ebdb1460a3..cab6a94bf161 100644 +--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c ++++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c +@@ -467,8 +467,10 @@ static int rockchip_usb2phy_power_on(struct phy *phy) + return ret; + + ret = property_enable(base, &rport->port_cfg->phy_sus, false); +- if (ret) ++ if (ret) { ++ clk_disable_unprepare(rphy->clk480m); + return ret; ++ } + + /* waiting for the utmi_clk to become stable */ + usleep_range(1500, 2000); +-- +2.39.0 + diff --git a/queue-5.10/phy-ti-fix-kconfig-warning-and-operator-precedence.patch b/queue-5.10/phy-ti-fix-kconfig-warning-and-operator-precedence.patch new file mode 100644 index 00000000000..c73348ac08d --- /dev/null +++ b/queue-5.10/phy-ti-fix-kconfig-warning-and-operator-precedence.patch @@ -0,0 +1,55 @@ +From 9d09a2527ab655ce650ce09add2b0bc04a140f1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 22:25:29 -0800 +Subject: phy: ti: fix Kconfig warning and operator precedence + +From: Randy Dunlap + +[ Upstream commit 7124c93887cc4e6c5b48920f83115e4a5892e870 ] + +Fix Kconfig depends operator precedence to prevent a Kconfig warning: + +WARNING: unmet direct dependencies detected for MUX_MMIO + Depends on [n]: MULTIPLEXER [=m] && OF [=n] + Selected by [m]: + - PHY_AM654_SERDES [=m] && (OF [=n] && ARCH_K3 || COMPILE_TEST [=y]) && COMMON_CLK [=y] + +Fixes: 71e2f5c5c224 ("phy: ti: Add a new SERDES driver for TI's AM654x SoC") +Fixes: 091876cc355d ("phy: ti: j721e-wiz: Add support for WIZ module present in TI J721E SoC") +Signed-off-by: Randy Dunlap +Cc: Vinod Koul +Cc: Kishon Vijay Abraham I +Cc: linux-phy@lists.infradead.org +Cc: Arnd Bergmann +Link: https://lore.kernel.org/r/20230110062529.22668-1-rdunlap@infradead.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/ti/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/ti/Kconfig b/drivers/phy/ti/Kconfig +index 15a3bcf32308..b905902d5750 100644 +--- a/drivers/phy/ti/Kconfig ++++ b/drivers/phy/ti/Kconfig +@@ -23,7 +23,7 @@ config PHY_DM816X_USB + + config PHY_AM654_SERDES + tristate "TI AM654 SERDES support" +- depends on OF && ARCH_K3 || COMPILE_TEST ++ depends on OF && (ARCH_K3 || COMPILE_TEST) + depends on COMMON_CLK + select GENERIC_PHY + select MULTIPLEXER +@@ -35,7 +35,7 @@ config PHY_AM654_SERDES + + config PHY_J721E_WIZ + tristate "TI J721E WIZ (SERDES Wrapper) support" +- depends on OF && ARCH_K3 || COMPILE_TEST ++ depends on OF && (ARCH_K3 || COMPILE_TEST) + depends on HAS_IOMEM && OF_ADDRESS + depends on COMMON_CLK + select GENERIC_PHY +-- +2.39.0 + diff --git a/queue-5.10/platform-x86-asus-nb-wmi-add-alternate-mapping-for-k.patch b/queue-5.10/platform-x86-asus-nb-wmi-add-alternate-mapping-for-k.patch new file mode 100644 index 00000000000..8b41cf4a1f8 --- /dev/null +++ b/queue-5.10/platform-x86-asus-nb-wmi-add-alternate-mapping-for-k.patch @@ -0,0 +1,34 @@ +From 24cf678e7605eaa61aed3cafe8fa556297b574fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 19:18:41 +0100 +Subject: platform/x86: asus-nb-wmi: Add alternate mapping for KEY_SCREENLOCK + +From: Hans de Goede + +[ Upstream commit db9494895b405bf318dc7e563dee6daa51b3b6ed ] + +The 0x33 keycode is emitted by Fn + F6 on a ASUS FX705GE laptop. + +Reported-by: Nemcev Aleksey +Signed-off-by: Hans de Goede +Link: https://lore.kernel.org/r/20230112181841.84652-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-nb-wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index 949ddeb673bc..74637bd0433e 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -478,6 +478,7 @@ static const struct key_entry asus_nb_wmi_keymap[] = { + { KE_KEY, 0x30, { KEY_VOLUMEUP } }, + { KE_KEY, 0x31, { KEY_VOLUMEDOWN } }, + { KE_KEY, 0x32, { KEY_MUTE } }, ++ { KE_KEY, 0x33, { KEY_SCREENLOCK } }, + { KE_KEY, 0x35, { KEY_SCREENLOCK } }, + { KE_KEY, 0x40, { KEY_PREVIOUSSONG } }, + { KE_KEY, 0x41, { KEY_NEXTSONG } }, +-- +2.39.0 + diff --git a/queue-5.10/platform-x86-touchscreen_dmi-add-info-for-the-csl-pa.patch b/queue-5.10/platform-x86-touchscreen_dmi-add-info-for-the-csl-pa.patch new file mode 100644 index 00000000000..64e54e84d40 --- /dev/null +++ b/queue-5.10/platform-x86-touchscreen_dmi-add-info-for-the-csl-pa.patch @@ -0,0 +1,66 @@ +From 43404424ac07c25e0dbb510e3a3af915ebee5ee7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Dec 2022 13:11:03 +0100 +Subject: platform/x86: touchscreen_dmi: Add info for the CSL Panther Tab HD + +From: Michael Klein + +[ Upstream commit 36c2b9d6710427f802494ba070621cb415198293 ] + +Add touchscreen info for the CSL Panther Tab HD. + +Signed-off-by: Michael Klein +Link: https://lore.kernel.org/r/20221220121103.uiwn5l7fii2iggct@LLGMVZLB-0037 +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/touchscreen_dmi.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c +index 110ff1e6ef81..bc26acace2c3 100644 +--- a/drivers/platform/x86/touchscreen_dmi.c ++++ b/drivers/platform/x86/touchscreen_dmi.c +@@ -255,6 +255,23 @@ static const struct ts_dmi_data connect_tablet9_data = { + .properties = connect_tablet9_props, + }; + ++static const struct property_entry csl_panther_tab_hd_props[] = { ++ PROPERTY_ENTRY_U32("touchscreen-min-x", 1), ++ PROPERTY_ENTRY_U32("touchscreen-min-y", 20), ++ PROPERTY_ENTRY_U32("touchscreen-size-x", 1980), ++ PROPERTY_ENTRY_U32("touchscreen-size-y", 1526), ++ PROPERTY_ENTRY_BOOL("touchscreen-inverted-y"), ++ PROPERTY_ENTRY_BOOL("touchscreen-swapped-x-y"), ++ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-csl-panther-tab-hd.fw"), ++ PROPERTY_ENTRY_U32("silead,max-fingers", 10), ++ { } ++}; ++ ++static const struct ts_dmi_data csl_panther_tab_hd_data = { ++ .acpi_name = "MSSL1680:00", ++ .properties = csl_panther_tab_hd_props, ++}; ++ + static const struct property_entry cube_iwork8_air_props[] = { + PROPERTY_ENTRY_U32("touchscreen-min-x", 1), + PROPERTY_ENTRY_U32("touchscreen-min-y", 3), +@@ -1057,6 +1074,14 @@ const struct dmi_system_id touchscreen_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "Tablet 9"), + }, + }, ++ { ++ /* CSL Panther Tab HD */ ++ .driver_data = (void *)&csl_panther_tab_hd_data, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "CSL Computer GmbH & Co. KG"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "CSL Panther Tab HD"), ++ }, ++ }, + { + /* CUBE iwork8 Air */ + .driver_data = (void *)&cube_iwork8_air_data, +-- +2.39.0 + diff --git a/queue-5.10/pm-avs-qcom-cpr-fix-an-error-handling-path-in-cpr_pr.patch b/queue-5.10/pm-avs-qcom-cpr-fix-an-error-handling-path-in-cpr_pr.patch new file mode 100644 index 00000000000..d16773c0926 --- /dev/null +++ b/queue-5.10/pm-avs-qcom-cpr-fix-an-error-handling-path-in-cpr_pr.patch @@ -0,0 +1,50 @@ +From d8e9984c3d0ff410761a2284d4ead9f9fc45c4be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Dec 2022 17:05:41 +0100 +Subject: PM: AVS: qcom-cpr: Fix an error handling path in cpr_probe() + +From: Christophe JAILLET + +[ Upstream commit 6049aae52392539e505bfb8ccbcff3c26f1d2f0b ] + +If an error occurs after a successful pm_genpd_init() call, it should be +undone by a corresponding pm_genpd_remove(). + +Add the missing call in the error handling path, as already done in the +remove function. + +Fixes: bf6910abf548 ("power: avs: Add support for CPR (Core Power Reduction)") +Signed-off-by: Christophe JAILLET +Reviewed-by: Ulf Hansson +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/0f520597dbad89ab99c217c8986912fa53eaf5f9.1671293108.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/cpr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/cpr.c b/drivers/soc/qcom/cpr.c +index 6298561bc29c..fac0414c3731 100644 +--- a/drivers/soc/qcom/cpr.c ++++ b/drivers/soc/qcom/cpr.c +@@ -1743,12 +1743,16 @@ static int cpr_probe(struct platform_device *pdev) + + ret = of_genpd_add_provider_simple(dev->of_node, &drv->pd); + if (ret) +- return ret; ++ goto err_remove_genpd; + + platform_set_drvdata(pdev, drv); + cpr_debugfs_init(drv); + + return 0; ++ ++err_remove_genpd: ++ pm_genpd_remove(&drv->pd); ++ return ret; + } + + static int cpr_remove(struct platform_device *pdev) +-- +2.39.0 + diff --git a/queue-5.10/rdma-core-fix-ib-block-iterator-counter-overflow.patch b/queue-5.10/rdma-core-fix-ib-block-iterator-counter-overflow.patch new file mode 100644 index 00000000000..9cbf12c5d86 --- /dev/null +++ b/queue-5.10/rdma-core-fix-ib-block-iterator-counter-overflow.patch @@ -0,0 +1,79 @@ +From f53e4667348046d4088b015594acf35e07689bab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 13:37:11 +0000 +Subject: RDMA/core: Fix ib block iterator counter overflow + +From: Yonatan Nachum + +[ Upstream commit 0afec5e9cea732cb47014655685a2a47fb180c31 ] + +When registering a new DMA MR after selecting the best aligned page size +for it, we iterate over the given sglist to split each entry to smaller, +aligned to the selected page size, DMA blocks. + +In given circumstances where the sg entry and page size fit certain +sizes and the sg entry is not aligned to the selected page size, the +total size of the aligned pages we need to cover the sg entry is >= 4GB. +Under this circumstances, while iterating page aligned blocks, the +counter responsible for counting how much we advanced from the start of +the sg entry is overflowed because its type is u32 and we pass 4GB in +size. This can lead to an infinite loop inside the iterator function +because the overflow prevents the counter to be larger +than the size of the sg entry. + +Fix the presented problem by changing the advancement condition to +eliminate overflow. + +Backtrace: +[ 192.374329] efa_reg_user_mr_dmabuf +[ 192.376783] efa_register_mr +[ 192.382579] pgsz_bitmap 0xfffff000 rounddown 0x80000000 +[ 192.386423] pg_sz [0x80000000] umem_length[0xc0000000] +[ 192.392657] start 0x0 length 0xc0000000 params.page_shift 31 params.page_num 3 +[ 192.399559] hp_cnt[3], pages_in_hp[524288] +[ 192.403690] umem->sgt_append.sgt.nents[1] +[ 192.407905] number entries: [1], pg_bit: [31] +[ 192.411397] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8] +[ 192.415601] biter->__sg_advance [665837568] sg_dma_len[3221225472] +[ 192.419823] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8] +[ 192.423976] biter->__sg_advance [2813321216] sg_dma_len[3221225472] +[ 192.428243] biter->__sg_nents [1] biter->__sg [0000000008b0c5d8] +[ 192.432397] biter->__sg_advance [665837568] sg_dma_len[3221225472] + +Fixes: a808273a495c ("RDMA/verbs: Add a DMA iterator to return aligned contiguous memory blocks") +Signed-off-by: Yonatan Nachum +Link: https://lore.kernel.org/r/20230109133711.13678-1-ynachum@amazon.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/verbs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c +index 5889639e90a1..5123be0ab02f 100644 +--- a/drivers/infiniband/core/verbs.c ++++ b/drivers/infiniband/core/verbs.c +@@ -2911,15 +2911,18 @@ EXPORT_SYMBOL(__rdma_block_iter_start); + bool __rdma_block_iter_next(struct ib_block_iter *biter) + { + unsigned int block_offset; ++ unsigned int sg_delta; + + if (!biter->__sg_nents || !biter->__sg) + return false; + + biter->__dma_addr = sg_dma_address(biter->__sg) + biter->__sg_advance; + block_offset = biter->__dma_addr & (BIT_ULL(biter->__pg_bit) - 1); +- biter->__sg_advance += BIT_ULL(biter->__pg_bit) - block_offset; ++ sg_delta = BIT_ULL(biter->__pg_bit) - block_offset; + +- if (biter->__sg_advance >= sg_dma_len(biter->__sg)) { ++ if (sg_dma_len(biter->__sg) - biter->__sg_advance > sg_delta) { ++ biter->__sg_advance += sg_delta; ++ } else { + biter->__sg_advance = 0; + biter->__sg = sg_next(biter->__sg); + biter->__sg_nents--; +-- +2.39.0 + diff --git a/queue-5.10/s390-debug-add-_asm_s390_-prefix-to-header-guard.patch b/queue-5.10/s390-debug-add-_asm_s390_-prefix-to-header-guard.patch new file mode 100644 index 00000000000..fd41a9ca75b --- /dev/null +++ b/queue-5.10/s390-debug-add-_asm_s390_-prefix-to-header-guard.patch @@ -0,0 +1,46 @@ +From cba512813f5481ac1c91a9b18d2adae3a79359f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jan 2023 15:11:07 +0100 +Subject: s390/debug: add _ASM_S390_ prefix to header guard + +From: Niklas Schnelle + +[ Upstream commit 0d4d52361b6c29bf771acd4fa461f06d78fb2fac ] + +Using DEBUG_H without a prefix is very generic and inconsistent with +other header guards in arch/s390/include/asm. In fact it collides with +the same name in the ath9k wireless driver though that depends on !S390 +via disabled wireless support. Let's just use a consistent header guard +name and prevent possible future trouble. + +Signed-off-by: Niklas Schnelle +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/include/asm/debug.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/include/asm/debug.h b/arch/s390/include/asm/debug.h +index c1b82bcc017c..29a1badbe2f5 100644 +--- a/arch/s390/include/asm/debug.h ++++ b/arch/s390/include/asm/debug.h +@@ -4,8 +4,8 @@ + * + * Copyright IBM Corp. 1999, 2020 + */ +-#ifndef DEBUG_H +-#define DEBUG_H ++#ifndef _ASM_S390_DEBUG_H ++#define _ASM_S390_DEBUG_H + + #include + #include +@@ -425,4 +425,4 @@ int debug_unregister_view(debug_info_t *id, struct debug_view *view); + #define PRINT_FATAL(x...) printk(KERN_DEBUG PRINTK_HEADER x) + #endif /* DASD_DEBUG */ + +-#endif /* DEBUG_H */ ++#endif /* _ASM_S390_DEBUG_H */ +-- +2.39.0 + diff --git a/queue-5.10/scsi-hisi_sas-set-a-port-invalid-only-if-there-are-n.patch b/queue-5.10/scsi-hisi_sas-set-a-port-invalid-only-if-there-are-n.patch new file mode 100644 index 00000000000..1c0a89e4b7d --- /dev/null +++ b/queue-5.10/scsi-hisi_sas-set-a-port-invalid-only-if-there-are-n.patch @@ -0,0 +1,43 @@ +From 1d635cd3c65eb3f9cc365785454c8d0d71984ab9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 12:03:20 +0800 +Subject: scsi: hisi_sas: Set a port invalid only if there are no devices + attached when refreshing port id + +From: Yihang Li + +[ Upstream commit f58c89700630da6554b24fd3df293a24874c10c1 ] + +Currently the driver sets the port invalid if one phy in the port is not +enabled, which may cause issues in expander situation. In directly attached +situation, if phy up doesn't occur in time when refreshing port id, the +port is incorrectly set to invalid which will also cause disk lost. + +Therefore set a port invalid only if there are no devices attached to the +port. + +Signed-off-by: Yihang Li +Signed-off-by: Xiang Chen +Link: https://lore.kernel.org/r/1672805000-141102-3-git-send-email-chenxiang66@hisilicon.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hisi_sas/hisi_sas_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c +index 1feca45384c7..e5b9229310a0 100644 +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -1408,7 +1408,7 @@ static void hisi_sas_refresh_port_id(struct hisi_hba *hisi_hba) + device->linkrate = phy->sas_phy.linkrate; + + hisi_hba->hw->setup_itct(hisi_hba, sas_dev); +- } else ++ } else if (!port->port_attached) + port->id = 0xff; + } + } +-- +2.39.0 + diff --git a/queue-5.10/scsi-iscsi-fix-multiple-iscsi-session-unbind-events-.patch b/queue-5.10/scsi-iscsi-fix-multiple-iscsi-session-unbind-events-.patch new file mode 100644 index 00000000000..cf7ae44d6ee --- /dev/null +++ b/queue-5.10/scsi-iscsi-fix-multiple-iscsi-session-unbind-events-.patch @@ -0,0 +1,195 @@ +From 3ca95f7be972a4db56be040d3d2ce76c749c3d1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 09:07:52 +0800 +Subject: scsi: iscsi: Fix multiple iSCSI session unbind events sent to + userspace + +From: Wenchao Hao + +[ Upstream commit a3be19b91ea7121d388084e8c07f5b1b982eb40c ] + +It was observed that the kernel would potentially send +ISCSI_KEVENT_UNBIND_SESSION multiple times. Introduce 'target_state' in +iscsi_cls_session() to make sure session will send only one unbind session +event. + +This introduces a regression wrt. the issue fixed in commit 13e60d3ba287 +("scsi: iscsi: Report unbind session event when the target has been +removed"). If iscsid dies for any reason after sending an unbind session to +kernel, once iscsid is restarted, the kernel's ISCSI_KEVENT_UNBIND_SESSION +event is lost and userspace is then unable to logout. However, the session +is actually in invalid state (its target_id is INVALID) so iscsid should +not sync this session during restart. + +Consequently we need to check the session's target state during iscsid +restart. If session is in unbound state, do not sync this session and +perform session teardown. This is OK because once a session is unbound, we +can not recover it any more (mainly because its target id is INVALID). + +Signed-off-by: Wenchao Hao +Link: https://lore.kernel.org/r/20221126010752.231917-1-haowenchao@huawei.com +Reviewed-by: Mike Christie +Reviewed-by: Wu Bo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 50 ++++++++++++++++++++++++++--- + include/scsi/scsi_transport_iscsi.h | 9 ++++++ + 2 files changed, 54 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index ef7cd7520e7c..092bd6a3d64a 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -1674,6 +1674,13 @@ static const char *iscsi_session_state_name(int state) + return name; + } + ++static char *iscsi_session_target_state_name[] = { ++ [ISCSI_SESSION_TARGET_UNBOUND] = "UNBOUND", ++ [ISCSI_SESSION_TARGET_ALLOCATED] = "ALLOCATED", ++ [ISCSI_SESSION_TARGET_SCANNED] = "SCANNED", ++ [ISCSI_SESSION_TARGET_UNBINDING] = "UNBINDING", ++}; ++ + int iscsi_session_chkready(struct iscsi_cls_session *session) + { + unsigned long flags; +@@ -1805,9 +1812,13 @@ static int iscsi_user_scan_session(struct device *dev, void *data) + if ((scan_data->channel == SCAN_WILD_CARD || + scan_data->channel == 0) && + (scan_data->id == SCAN_WILD_CARD || +- scan_data->id == id)) ++ scan_data->id == id)) { + scsi_scan_target(&session->dev, 0, id, + scan_data->lun, scan_data->rescan); ++ spin_lock_irqsave(&session->lock, flags); ++ session->target_state = ISCSI_SESSION_TARGET_SCANNED; ++ spin_unlock_irqrestore(&session->lock, flags); ++ } + } + + user_scan_exit: +@@ -1996,31 +2007,41 @@ static void __iscsi_unbind_session(struct work_struct *work) + struct iscsi_cls_host *ihost = shost->shost_data; + unsigned long flags; + unsigned int target_id; ++ bool remove_target = true; + + ISCSI_DBG_TRANS_SESSION(session, "Unbinding session\n"); + + /* Prevent new scans and make sure scanning is not in progress */ + mutex_lock(&ihost->mutex); + spin_lock_irqsave(&session->lock, flags); +- if (session->target_id == ISCSI_MAX_TARGET) { ++ if (session->target_state == ISCSI_SESSION_TARGET_ALLOCATED) { ++ remove_target = false; ++ } else if (session->target_state != ISCSI_SESSION_TARGET_SCANNED) { + spin_unlock_irqrestore(&session->lock, flags); + mutex_unlock(&ihost->mutex); +- goto unbind_session_exit; ++ ISCSI_DBG_TRANS_SESSION(session, ++ "Skipping target unbinding: Session is unbound/unbinding.\n"); ++ return; + } + ++ session->target_state = ISCSI_SESSION_TARGET_UNBINDING; + target_id = session->target_id; + session->target_id = ISCSI_MAX_TARGET; + spin_unlock_irqrestore(&session->lock, flags); + mutex_unlock(&ihost->mutex); + +- scsi_remove_target(&session->dev); ++ if (remove_target) ++ scsi_remove_target(&session->dev); + + if (session->ida_used) + ida_simple_remove(&iscsi_sess_ida, target_id); + +-unbind_session_exit: + iscsi_session_event(session, ISCSI_KEVENT_UNBIND_SESSION); + ISCSI_DBG_TRANS_SESSION(session, "Completed target removal\n"); ++ ++ spin_lock_irqsave(&session->lock, flags); ++ session->target_state = ISCSI_SESSION_TARGET_UNBOUND; ++ spin_unlock_irqrestore(&session->lock, flags); + } + + static void __iscsi_destroy_session(struct work_struct *work) +@@ -2089,6 +2110,9 @@ int iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id) + session->ida_used = true; + } else + session->target_id = target_id; ++ spin_lock_irqsave(&session->lock, flags); ++ session->target_state = ISCSI_SESSION_TARGET_ALLOCATED; ++ spin_unlock_irqrestore(&session->lock, flags); + + dev_set_name(&session->dev, "session%u", session->sid); + err = device_add(&session->dev); +@@ -4343,6 +4367,19 @@ iscsi_session_attr(def_taskmgmt_tmo, ISCSI_PARAM_DEF_TASKMGMT_TMO, 0); + iscsi_session_attr(discovery_parent_idx, ISCSI_PARAM_DISCOVERY_PARENT_IDX, 0); + iscsi_session_attr(discovery_parent_type, ISCSI_PARAM_DISCOVERY_PARENT_TYPE, 0); + ++static ssize_t ++show_priv_session_target_state(struct device *dev, struct device_attribute *attr, ++ char *buf) ++{ ++ struct iscsi_cls_session *session = iscsi_dev_to_session(dev->parent); ++ ++ return sysfs_emit(buf, "%s\n", ++ iscsi_session_target_state_name[session->target_state]); ++} ++ ++static ISCSI_CLASS_ATTR(priv_sess, target_state, S_IRUGO, ++ show_priv_session_target_state, NULL); ++ + static ssize_t + show_priv_session_state(struct device *dev, struct device_attribute *attr, + char *buf) +@@ -4445,6 +4482,7 @@ static struct attribute *iscsi_session_attrs[] = { + &dev_attr_sess_boot_target.attr, + &dev_attr_priv_sess_recovery_tmo.attr, + &dev_attr_priv_sess_state.attr, ++ &dev_attr_priv_sess_target_state.attr, + &dev_attr_priv_sess_creator.attr, + &dev_attr_sess_chap_out_idx.attr, + &dev_attr_sess_chap_in_idx.attr, +@@ -4558,6 +4596,8 @@ static umode_t iscsi_session_attr_is_visible(struct kobject *kobj, + return S_IRUGO | S_IWUSR; + else if (attr == &dev_attr_priv_sess_state.attr) + return S_IRUGO; ++ else if (attr == &dev_attr_priv_sess_target_state.attr) ++ return S_IRUGO; + else if (attr == &dev_attr_priv_sess_creator.attr) + return S_IRUGO; + else if (attr == &dev_attr_priv_sess_target_id.attr) +diff --git a/include/scsi/scsi_transport_iscsi.h b/include/scsi/scsi_transport_iscsi.h +index 037c77fb5dc5..c4de15f7a0a5 100644 +--- a/include/scsi/scsi_transport_iscsi.h ++++ b/include/scsi/scsi_transport_iscsi.h +@@ -236,6 +236,14 @@ enum { + ISCSI_SESSION_FREE, + }; + ++enum { ++ ISCSI_SESSION_TARGET_UNBOUND, ++ ISCSI_SESSION_TARGET_ALLOCATED, ++ ISCSI_SESSION_TARGET_SCANNED, ++ ISCSI_SESSION_TARGET_UNBINDING, ++ ISCSI_SESSION_TARGET_MAX, ++}; ++ + #define ISCSI_MAX_TARGET -1 + + struct iscsi_cls_session { +@@ -262,6 +270,7 @@ struct iscsi_cls_session { + */ + pid_t creator; + int state; ++ int target_state; /* session target bind state */ + int sid; /* session id */ + void *dd_data; /* LLD private data */ + struct device dev; /* sysfs transport/container device */ +-- +2.39.0 + diff --git a/queue-5.10/series b/queue-5.10/series new file mode 100644 index 00000000000..9949a8b2c2d --- /dev/null +++ b/queue-5.10/series @@ -0,0 +1,74 @@ +clk-generalize-devm_clk_get-a-bit.patch +clk-provide-new-devm_clk-helpers-for-prepared-and-en.patch +memory-atmel-sdramc-fix-missing-clk_disable_unprepar.patch +memory-mvebu-devbus-fix-missing-clk_disable_unprepar.patch +arm-dts-imx6ul-pico-dwarf-use-clock-frequency.patch +arm-dts-imx7d-pico-use-clock-frequency.patch +arm-dts-imx6qdl-gw560x-remove-incorrect-uart-has-rts.patch +arm64-dts-imx8mm-beacon-fix-ecspi2-pinmux.patch +arm-imx-add-missing-of_node_put.patch +hid-intel_ish-hid-add-check-for-ishtp_dma_tx_map.patch +edac-highbank-fix-memory-leak-in-highbank_mc_probe.patch +firmware-arm_scmi-harden-shared-memory-access-in-fet.patch +firmware-arm_scmi-harden-shared-memory-access-in-fet.patch-17789 +tomoyo-fix-broken-dependency-on-.conf.default.patch +rdma-core-fix-ib-block-iterator-counter-overflow.patch +ib-hfi1-reject-a-zero-length-user-expected-buffer.patch +ib-hfi1-reserve-user-expected-tids.patch +ib-hfi1-fix-expected-receive-setup-error-exit-issues.patch +ib-hfi1-immediately-remove-invalid-memory-from-hardw.patch +ib-hfi1-remove-user-expected-buffer-invalidate-race.patch +affs-initialize-fsdata-in-affs_truncate.patch +pm-avs-qcom-cpr-fix-an-error-handling-path-in-cpr_pr.patch +phy-ti-fix-kconfig-warning-and-operator-precedence.patch +arm-dts-at91-sam9x60-fix-the-ddr-clock-for-sam9x60.patch +amd-xgbe-tx-flow-ctrl-registers-are-h-w-ver-dependen.patch +amd-xgbe-delay-an-timeout-during-kr-training.patch +bpf-fix-pointer-leak-due-to-insufficient-speculative.patch +phy-rockchip-inno-usb2-fix-missing-clk_disable_unpre.patch +net-nfc-fix-use-after-free-in-local_cleanup.patch +net-wan-add-checks-for-null-for-utdm-in-undo_uhdlc_i.patch +gpio-mxc-always-set-gpios-used-as-interrupt-source-t.patch +wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch +net-sched-sch_taprio-fix-possible-use-after-free.patch +l2tp-serialize-access-to-sk_user_data-with-sk_callba.patch +l2tp-don-t-sleep-and-disable-bh-under-writer-side-sk.patch +l2tp-convert-l2tp_tunnel_list-to-idr.patch +l2tp-close-all-race-conditions-in-l2tp_tunnel_regist.patch +net-usb-sr9700-handle-negative-len.patch +net-mdio-validate-parameter-addr-in-mdiobus_get_phy.patch +hid-check-empty-report_list-in-hid_validate_values.patch +hid-check-empty-report_list-in-bigben_probe.patch +net-stmmac-fix-invalid-call-to-mdiobus_get_phy.patch +hid-revert-cherry_mouse_000c-quirk.patch +usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch +usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch +net-mlx5-eliminate-anonymous-module_init-module_exit.patch +drm-panfrost-fix-generic_atomic64-dependency.patch +dmaengine-fix-double-increment-of-client_count-in-dm.patch +net-macb-fix-ptp-tx-timestamp-failure-due-to-packet-.patch +l2tp-prevent-lockdep-issue-in-l2tp_tunnel_register.patch +hid-betop-check-shape-of-output-reports.patch +dmaengine-xilinx_dma-call-of_node_put-when-breaking-.patch +nvme-pci-fix-timeout-request-state-check.patch +tcp-avoid-the-lookup-process-failing-to-get-sk-in-eh.patch +w1-fix-deadloop-in-__w1_remove_master_device.patch +w1-fix-warning-after-calling-w1_process.patch +driver-core-fix-test_async_probe_init-saves-device-i.patch +net-dsa-microchip-ksz9477-port-map-correction-in-alu.patch +tcp-fix-rate_app_limited-to-default-to-1.patch +scsi-iscsi-fix-multiple-iscsi-session-unbind-events-.patch +cpufreq-add-tegra234-to-cpufreq-dt-platdev-blocklist.patch +kcsan-test-don-t-put-the-expect-array-on-the-stack.patch +asoc-fsl_micfil-correct-the-number-of-steps-on-sx-co.patch +drm-add-orientation-quirk-for-lenovo-ideapad-d330-10.patch +s390-debug-add-_asm_s390_-prefix-to-header-guard.patch +cpufreq-armada-37xx-stop-using-0-as-null-pointer.patch +asoc-fsl_ssi-rename-ac-97-streams-to-avoid-collision.patch +asoc-fsl-asoc-card-fix-naming-of-ac-97-codec-widgets.patch +spi-spidev-remove-debug-messages-that-access-spidev-.patch +kvm-s390-interrupt-use-read_once-before-cmpxchg.patch +scsi-hisi_sas-set-a-port-invalid-only-if-there-are-n.patch +platform-x86-touchscreen_dmi-add-info-for-the-csl-pa.patch +platform-x86-asus-nb-wmi-add-alternate-mapping-for-k.patch +lockref-stop-doing-cpu_relax-in-the-cmpxchg-loop.patch diff --git a/queue-5.10/spi-spidev-remove-debug-messages-that-access-spidev-.patch b/queue-5.10/spi-spidev-remove-debug-messages-that-access-spidev-.patch new file mode 100644 index 00000000000..2273d0771e2 --- /dev/null +++ b/queue-5.10/spi-spidev-remove-debug-messages-that-access-spidev-.patch @@ -0,0 +1,46 @@ +From 8cc9c4aa924c5c587121ab35c3eb3cb6477c770d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 11:07:19 +0100 +Subject: spi: spidev: remove debug messages that access spidev->spi without + locking + +From: Bartosz Golaszewski + +[ Upstream commit 6b35b173dbc1711f8d272e3f322d2ad697015919 ] + +The two debug messages in spidev_open() dereference spidev->spi without +taking the lock and without checking if it's not null. This can lead to +a crash. Drop the messages as they're not needed - the user-space will +get informed about ENOMEM with the syscall return value. + +Signed-off-by: Bartosz Golaszewski +Link: https://lore.kernel.org/r/20230106100719.196243-2-brgl@bgdev.pl +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spidev.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c +index 9c5ec99431d2..aee960a7d7f9 100644 +--- a/drivers/spi/spidev.c ++++ b/drivers/spi/spidev.c +@@ -592,7 +592,6 @@ static int spidev_open(struct inode *inode, struct file *filp) + if (!spidev->tx_buffer) { + spidev->tx_buffer = kmalloc(bufsiz, GFP_KERNEL); + if (!spidev->tx_buffer) { +- dev_dbg(&spidev->spi->dev, "open/ENOMEM\n"); + status = -ENOMEM; + goto err_find_dev; + } +@@ -601,7 +600,6 @@ static int spidev_open(struct inode *inode, struct file *filp) + if (!spidev->rx_buffer) { + spidev->rx_buffer = kmalloc(bufsiz, GFP_KERNEL); + if (!spidev->rx_buffer) { +- dev_dbg(&spidev->spi->dev, "open/ENOMEM\n"); + status = -ENOMEM; + goto err_alloc_rx_buf; + } +-- +2.39.0 + diff --git a/queue-5.10/tcp-avoid-the-lookup-process-failing-to-get-sk-in-eh.patch b/queue-5.10/tcp-avoid-the-lookup-process-failing-to-get-sk-in-eh.patch new file mode 100644 index 00000000000..915ad3d6c4d --- /dev/null +++ b/queue-5.10/tcp-avoid-the-lookup-process-failing-to-get-sk-in-eh.patch @@ -0,0 +1,121 @@ +From ba9b39bdaae3c46edd96dfc6bdbd7f4ac43cf43e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 09:59:41 +0800 +Subject: tcp: avoid the lookup process failing to get sk in ehash table + +From: Jason Xing + +[ Upstream commit 3f4ca5fafc08881d7a57daa20449d171f2887043 ] + +While one cpu is working on looking up the right socket from ehash +table, another cpu is done deleting the request socket and is about +to add (or is adding) the big socket from the table. It means that +we could miss both of them, even though it has little chance. + +Let me draw a call trace map of the server side. + CPU 0 CPU 1 + ----- ----- +tcp_v4_rcv() syn_recv_sock() + inet_ehash_insert() + -> sk_nulls_del_node_init_rcu(osk) +__inet_lookup_established() + -> __sk_nulls_add_node_rcu(sk, list) + +Notice that the CPU 0 is receiving the data after the final ack +during 3-way shakehands and CPU 1 is still handling the final ack. + +Why could this be a real problem? +This case is happening only when the final ack and the first data +receiving by different CPUs. Then the server receiving data with +ACK flag tries to search one proper established socket from ehash +table, but apparently it fails as my map shows above. After that, +the server fetches a listener socket and then sends a RST because +it finds a ACK flag in the skb (data), which obeys RST definition +in RFC 793. + +Besides, Eric pointed out there's one more race condition where it +handles tw socket hashdance. Only by adding to the tail of the list +before deleting the old one can we avoid the race if the reader has +already begun the bucket traversal and it would possibly miss the head. + +Many thanks to Eric for great help from beginning to end. + +Fixes: 5e0724d027f0 ("tcp/dccp: fix hashdance race for passive sessions") +Suggested-by: Eric Dumazet +Signed-off-by: Jason Xing +Reviewed-by: Eric Dumazet +Reviewed-by: Kuniyuki Iwashima +Link: https://lore.kernel.org/lkml/20230112065336.41034-1-kerneljasonxing@gmail.com/ +Link: https://lore.kernel.org/r/20230118015941.1313-1-kerneljasonxing@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 17 +++++++++++++++-- + net/ipv4/inet_timewait_sock.c | 8 ++++---- + 2 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index c68a1dae25ca..2615b72118d1 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -571,8 +571,20 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + spin_lock(lock); + if (osk) { + WARN_ON_ONCE(sk->sk_hash != osk->sk_hash); +- ret = sk_nulls_del_node_init_rcu(osk); +- } else if (found_dup_sk) { ++ ret = sk_hashed(osk); ++ if (ret) { ++ /* Before deleting the node, we insert a new one to make ++ * sure that the look-up-sk process would not miss either ++ * of them and that at least one node would exist in ehash ++ * table all the time. Otherwise there's a tiny chance ++ * that lookup process could find nothing in ehash table. ++ */ ++ __sk_nulls_add_node_tail_rcu(sk, list); ++ sk_nulls_del_node_init_rcu(osk); ++ } ++ goto unlock; ++ } ++ if (found_dup_sk) { + *found_dup_sk = inet_ehash_lookup_by_sk(sk, list); + if (*found_dup_sk) + ret = false; +@@ -581,6 +593,7 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ret) + __sk_nulls_add_node_rcu(sk, list); + ++unlock: + spin_unlock(lock); + + return ret; +diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c +index c411c87ae865..a00102d7c7fd 100644 +--- a/net/ipv4/inet_timewait_sock.c ++++ b/net/ipv4/inet_timewait_sock.c +@@ -81,10 +81,10 @@ void inet_twsk_put(struct inet_timewait_sock *tw) + } + EXPORT_SYMBOL_GPL(inet_twsk_put); + +-static void inet_twsk_add_node_rcu(struct inet_timewait_sock *tw, +- struct hlist_nulls_head *list) ++static void inet_twsk_add_node_tail_rcu(struct inet_timewait_sock *tw, ++ struct hlist_nulls_head *list) + { +- hlist_nulls_add_head_rcu(&tw->tw_node, list); ++ hlist_nulls_add_tail_rcu(&tw->tw_node, list); + } + + static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw, +@@ -120,7 +120,7 @@ void inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk, + + spin_lock(lock); + +- inet_twsk_add_node_rcu(tw, &ehead->chain); ++ inet_twsk_add_node_tail_rcu(tw, &ehead->chain); + + /* Step 3: Remove SK from hash chain */ + if (__sk_nulls_del_node_init_rcu(sk)) +-- +2.39.0 + diff --git a/queue-5.10/tcp-fix-rate_app_limited-to-default-to-1.patch b/queue-5.10/tcp-fix-rate_app_limited-to-default-to-1.patch new file mode 100644 index 00000000000..dc787d30283 --- /dev/null +++ b/queue-5.10/tcp-fix-rate_app_limited-to-default-to-1.patch @@ -0,0 +1,51 @@ +From 3ecfe23819c32c3550df19f94bf935d1980dcf07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 19:00:28 +0000 +Subject: tcp: fix rate_app_limited to default to 1 + +From: David Morley + +[ Upstream commit 300b655db1b5152d6101bcb6801d50899b20c2d6 ] + +The initial default value of 0 for tp->rate_app_limited was incorrect, +since a flow is indeed application-limited until it first sends +data. Fixing the default to be 1 is generally correct but also +specifically will help user-space applications avoid using the initial +tcpi_delivery_rate value of 0 that persists until the connection has +some non-zero bandwidth sample. + +Fixes: eb8329e0a04d ("tcp: export data delivery rate") +Suggested-by: Yuchung Cheng +Signed-off-by: David Morley +Signed-off-by: Neal Cardwell +Tested-by: David Morley +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index cc588bc2b11d..6a0560a735ce 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -432,6 +432,7 @@ void tcp_init_sock(struct sock *sk) + + /* There's a bubble in the pipe until at least the first ACK. */ + tp->app_limited = ~0U; ++ tp->rate_app_limited = 1; + + /* See draft-stevens-tcpca-spec-01 for discussion of the + * initialization of these values. +@@ -2837,6 +2838,7 @@ int tcp_disconnect(struct sock *sk, int flags) + tp->last_oow_ack_time = 0; + /* There's a bubble in the pipe until at least the first ACK. */ + tp->app_limited = ~0U; ++ tp->rate_app_limited = 1; + tp->rack.mstamp = 0; + tp->rack.advanced = 0; + tp->rack.reo_wnd_steps = 1; +-- +2.39.0 + diff --git a/queue-5.10/tomoyo-fix-broken-dependency-on-.conf.default.patch b/queue-5.10/tomoyo-fix-broken-dependency-on-.conf.default.patch new file mode 100644 index 00000000000..4b914df4e9b --- /dev/null +++ b/queue-5.10/tomoyo-fix-broken-dependency-on-.conf.default.patch @@ -0,0 +1,61 @@ +From 0225760079aca8b169bd22295d34b18ff33b0fc5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jan 2023 16:47:41 +0900 +Subject: tomoyo: fix broken dependency on *.conf.default + +From: Masahiro Yamada + +[ Upstream commit eaf2213ba563b2d74a1f2c13a6b258273f689802 ] + +If *.conf.default is updated, builtin-policy.h should be rebuilt, +but this does not work when compiled with O= option. + +[Without this commit] + + $ touch security/tomoyo/policy/exception_policy.conf.default + $ make O=/tmp security/tomoyo/ + make[1]: Entering directory '/tmp' + GEN Makefile + CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh + DESCEND objtool + make[1]: Leaving directory '/tmp' + +[With this commit] + + $ touch security/tomoyo/policy/exception_policy.conf.default + $ make O=/tmp security/tomoyo/ + make[1]: Entering directory '/tmp' + GEN Makefile + CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh + DESCEND objtool + POLICY security/tomoyo/builtin-policy.h + CC security/tomoyo/common.o + AR security/tomoyo/built-in.a + make[1]: Leaving directory '/tmp' + +$(srctree)/ is essential because $(wildcard ) does not follow VPATH. + +Fixes: f02dee2d148b ("tomoyo: Do not generate empty policy files") +Signed-off-by: Masahiro Yamada +Signed-off-by: Tetsuo Handa +Signed-off-by: Sasha Levin +--- + security/tomoyo/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/tomoyo/Makefile b/security/tomoyo/Makefile +index cca5a3012fee..221eaadffb09 100644 +--- a/security/tomoyo/Makefile ++++ b/security/tomoyo/Makefile +@@ -10,7 +10,7 @@ endef + quiet_cmd_policy = POLICY $@ + cmd_policy = ($(call do_policy,profile); $(call do_policy,exception_policy); $(call do_policy,domain_policy); $(call do_policy,manager); $(call do_policy,stat)) >$@ + +-$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(src)/policy/*.conf.default) FORCE ++$(obj)/builtin-policy.h: $(wildcard $(obj)/policy/*.conf $(srctree)/$(src)/policy/*.conf.default) FORCE + $(call if_changed,policy) + + $(obj)/common.o: $(obj)/builtin-policy.h +-- +2.39.0 + diff --git a/queue-5.10/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch b/queue-5.10/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch new file mode 100644 index 00000000000..d912b83e0a4 --- /dev/null +++ b/queue-5.10/usb-gadget-f_fs-ensure-ep0req-is-dequeued-before-fre.patch @@ -0,0 +1,43 @@ +From 2253700fced61ed546332d6fece8a20c0f041a77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 10:59:06 +0530 +Subject: usb: gadget: f_fs: Ensure ep0req is dequeued before free_request + +From: Udipto Goswami + +[ Upstream commit ce405d561b020e5a46340eb5146805a625dcacee ] + +As per the documentation, function usb_ep_free_request guarantees +the request will not be queued or no longer be re-queued (or +otherwise used). However, with the current implementation it +doesn't make sure that the request in ep0 isn't reused. + +Fix this by dequeuing the ep0req on functionfs_unbind before +freeing the request to align with the definition. + +Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver") +Signed-off-by: Udipto Goswami +Tested-by: Krishna Kurapati +Link: https://lore.kernel.org/r/20221215052906.8993-3-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 38942c6d3019..94000fd190e5 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1884,6 +1884,8 @@ static void functionfs_unbind(struct ffs_data *ffs) + ENTER(); + + if (!WARN_ON(!ffs->gadget)) { ++ /* dequeue before freeing ep0req */ ++ usb_ep_dequeue(ffs->gadget->ep0, ffs->ep0req); + mutex_lock(&ffs->mutex); + usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req); + ffs->ep0req = NULL; +-- +2.39.0 + diff --git a/queue-5.10/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch b/queue-5.10/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch new file mode 100644 index 00000000000..dd344aabc61 --- /dev/null +++ b/queue-5.10/usb-gadget-f_fs-prevent-race-during-ffs_ep0_queue_wa.patch @@ -0,0 +1,61 @@ +From 4a9f62c20dcaf7a6b215eba7bf61c6589ad6f861 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 10:59:05 +0530 +Subject: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait + +From: Udipto Goswami + +[ Upstream commit 6a19da111057f69214b97c62fb0ac59023970850 ] + +While performing fast composition switch, there is a possibility that the +process of ffs_ep0_write/ffs_ep0_read get into a race condition +due to ep0req being freed up from functionfs_unbind. + +Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait +by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't +bounded so it can go ahead and mark the ep0req to NULL, and since there +is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free. + +Fix this by making a serialized execution between the two functions using +a mutex_lock(ffs->mutex). + +Fixes: ddf8abd25994 ("USB: f_fs: the FunctionFS driver") +Signed-off-by: Udipto Goswami +Tested-by: Krishna Kurapati +Link: https://lore.kernel.org/r/20221215052906.8993-2-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index bb0d92837f67..38942c6d3019 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -278,6 +278,9 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len) + struct usb_request *req = ffs->ep0req; + int ret; + ++ if (!req) ++ return -EINVAL; ++ + req->zero = len < le16_to_cpu(ffs->ev.setup.wLength); + + spin_unlock_irq(&ffs->ev.waitq.lock); +@@ -1881,10 +1884,12 @@ static void functionfs_unbind(struct ffs_data *ffs) + ENTER(); + + if (!WARN_ON(!ffs->gadget)) { ++ mutex_lock(&ffs->mutex); + usb_ep_free_request(ffs->gadget->ep0, ffs->ep0req); + ffs->ep0req = NULL; + ffs->gadget = NULL; + clear_bit(FFS_FL_BOUND, &ffs->flags); ++ mutex_unlock(&ffs->mutex); + ffs_data_put(ffs); + } + } +-- +2.39.0 + diff --git a/queue-5.10/w1-fix-deadloop-in-__w1_remove_master_device.patch b/queue-5.10/w1-fix-deadloop-in-__w1_remove_master_device.patch new file mode 100644 index 00000000000..3886742472c --- /dev/null +++ b/queue-5.10/w1-fix-deadloop-in-__w1_remove_master_device.patch @@ -0,0 +1,83 @@ +From ebae289e0872fb1fb6dbaf71b43ff0bc45b4e6b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 16:04:34 +0800 +Subject: w1: fix deadloop in __w1_remove_master_device() + +From: Yang Yingliang + +[ Upstream commit 25d5648802f12ae486076ceca5d7ddf1fef792b2 ] + +I got a deadloop report while doing device(ds2482) add/remove test: + + [ 162.241881] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1. + [ 163.272251] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1. + [ 164.296157] w1_master_driver w1_bus_master1: Waiting for w1_bus_master1 to become free: refcnt=1. + ... + +__w1_remove_master_device() can't return, because the dev->refcnt is not zero. + +w1_add_master_device() | + w1_alloc_dev() | + atomic_set(&dev->refcnt, 2) | + kthread_run() | + |__w1_remove_master_device() + | kthread_stop() + // KTHREAD_SHOULD_STOP is set, | + // threadfn(w1_process) won't be | + // called. | + kthread() | + | // refcnt will never be 0, it's deadloop. + | while (atomic_read(&dev->refcnt)) {...} + +After calling w1_add_master_device(), w1_process() is not really +invoked, before w1_process() starting, if kthread_stop() is called +in __w1_remove_master_device(), w1_process() will never be called, +the refcnt can not be decreased, then it causes deadloop in remove +function because of non-zero refcnt. + +We need to make sure w1_process() is really started, so move the +set refcnt into w1_process() to fix this problem. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221205080434.3149205-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/w1/w1.c | 2 ++ + drivers/w1/w1_int.c | 5 ++--- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c +index 15a2ee32f116..6e9f3569971d 100644 +--- a/drivers/w1/w1.c ++++ b/drivers/w1/w1.c +@@ -1131,6 +1131,8 @@ int w1_process(void *data) + /* remainder if it woke up early */ + unsigned long jremain = 0; + ++ atomic_inc(&dev->refcnt); ++ + for (;;) { + + if (!jremain && dev->search_count) { +diff --git a/drivers/w1/w1_int.c b/drivers/w1/w1_int.c +index b3e1792d9c49..3a71c5eb2f83 100644 +--- a/drivers/w1/w1_int.c ++++ b/drivers/w1/w1_int.c +@@ -51,10 +51,9 @@ static struct w1_master *w1_alloc_dev(u32 id, int slave_count, int slave_ttl, + dev->search_count = w1_search_count; + dev->enable_pullup = w1_enable_pullup; + +- /* 1 for w1_process to decrement +- * 1 for __w1_remove_master_device to decrement ++ /* For __w1_remove_master_device to decrement + */ +- atomic_set(&dev->refcnt, 2); ++ atomic_set(&dev->refcnt, 1); + + INIT_LIST_HEAD(&dev->slist); + INIT_LIST_HEAD(&dev->async_list); +-- +2.39.0 + diff --git a/queue-5.10/w1-fix-warning-after-calling-w1_process.patch b/queue-5.10/w1-fix-warning-after-calling-w1_process.patch new file mode 100644 index 00000000000..46d264ff599 --- /dev/null +++ b/queue-5.10/w1-fix-warning-after-calling-w1_process.patch @@ -0,0 +1,55 @@ +From 20140d5e6ba85a3ffaa111e2984a660eaba9a010 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 18:15:58 +0800 +Subject: w1: fix WARNING after calling w1_process() + +From: Yang Yingliang + +[ Upstream commit 36225a7c72e9e3e1ce4001b6ce72849f5c9a2d3b ] + +I got the following WARNING message while removing driver(ds2482): + +------------[ cut here ]------------ +do not call blocking ops when !TASK_RUNNING; state=1 set at [<000000002d50bfb6>] w1_process+0x9e/0x1d0 [wire] +WARNING: CPU: 0 PID: 262 at kernel/sched/core.c:9817 __might_sleep+0x98/0xa0 +CPU: 0 PID: 262 Comm: w1_bus_master1 Tainted: G N 6.1.0-rc3+ #307 +RIP: 0010:__might_sleep+0x98/0xa0 +Call Trace: + exit_signals+0x6c/0x550 + do_exit+0x2b4/0x17e0 + kthread_exit+0x52/0x60 + kthread+0x16d/0x1e0 + ret_from_fork+0x1f/0x30 + +The state of task is set to TASK_INTERRUPTIBLE in loop in w1_process(), +set it to TASK_RUNNING when it breaks out of the loop to avoid the +warning. + +Fixes: 3c52e4e62789 ("W1: w1_process, block or sleep") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221205101558.3599162-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/w1/w1.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c +index 6e9f3569971d..15842377c8d2 100644 +--- a/drivers/w1/w1.c ++++ b/drivers/w1/w1.c +@@ -1160,8 +1160,10 @@ int w1_process(void *data) + */ + mutex_unlock(&dev->list_mutex); + +- if (kthread_should_stop()) ++ if (kthread_should_stop()) { ++ __set_current_state(TASK_RUNNING); + break; ++ } + + /* Only sleep when the search is active. */ + if (dev->search_count) { +-- +2.39.0 + diff --git a/queue-5.10/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch b/queue-5.10/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch new file mode 100644 index 00000000000..8888c88a2ec --- /dev/null +++ b/queue-5.10/wifi-rndis_wlan-prevent-buffer-overflow-in-rndis_que.patch @@ -0,0 +1,75 @@ +From 66681253cf245cd2af43b4896974c82583916c61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 18:50:31 +0100 +Subject: wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid + +From: Szymon Heidrich + +[ Upstream commit b870e73a56c4cccbec33224233eaf295839f228c ] + +Since resplen and respoffs are signed integers sufficiently +large values of unsigned int len and offset members of RNDIS +response will result in negative values of prior variables. +This may be utilized to bypass implemented security checks +to either extract memory contents by manipulating offset or +overflow the data buffer via memcpy by manipulating both +offset and len. + +Additionally assure that sum of resplen and respoffs does not +overflow so buffer boundaries are kept. + +Fixes: 80f8c5b434f9 ("rndis_wlan: copy only useful data from rndis_command respond") +Signed-off-by: Szymon Heidrich +Reviewed-by: Alexander Duyck +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230111175031.7049-1-szymon.heidrich@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rndis_wlan.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c +index 75b5d545b49e..dc076d844868 100644 +--- a/drivers/net/wireless/rndis_wlan.c ++++ b/drivers/net/wireless/rndis_wlan.c +@@ -694,8 +694,8 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len) + struct rndis_query *get; + struct rndis_query_c *get_c; + } u; +- int ret, buflen; +- int resplen, respoffs, copylen; ++ int ret; ++ size_t buflen, resplen, respoffs, copylen; + + buflen = *len + sizeof(*u.get); + if (buflen < CONTROL_BUFFER_SIZE) +@@ -730,22 +730,15 @@ static int rndis_query_oid(struct usbnet *dev, u32 oid, void *data, int *len) + + if (respoffs > buflen) { + /* Device returned data offset outside buffer, error. */ +- netdev_dbg(dev->net, "%s(%s): received invalid " +- "data offset: %d > %d\n", __func__, +- oid_to_string(oid), respoffs, buflen); ++ netdev_dbg(dev->net, ++ "%s(%s): received invalid data offset: %zu > %zu\n", ++ __func__, oid_to_string(oid), respoffs, buflen); + + ret = -EINVAL; + goto exit_unlock; + } + +- if ((resplen + respoffs) > buflen) { +- /* Device would have returned more data if buffer would +- * have been big enough. Copy just the bits that we got. +- */ +- copylen = buflen - respoffs; +- } else { +- copylen = resplen; +- } ++ copylen = min(resplen, buflen - respoffs); + + if (copylen > *len) + copylen = *len; +-- +2.39.0 +