From: Sasha Levin Date: Sun, 24 Mar 2024 18:11:44 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v6.8.2~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b78e29243cc5e42e6e022f3757b2eae16bf2f816;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/arm-dts-sun8i-h2-plus-bananapi-m2-zero-add-regulator.patch b/queue-5.4/arm-dts-sun8i-h2-plus-bananapi-m2-zero-add-regulator.patch new file mode 100644 index 00000000000..fbd39d03bb5 --- /dev/null +++ b/queue-5.4/arm-dts-sun8i-h2-plus-bananapi-m2-zero-add-regulator.patch @@ -0,0 +1,62 @@ +From d917cfff0535b017f99ea154747b4373e6535cf8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Nov 2020 19:38:43 +0100 +Subject: ARM: dts: sun8i-h2-plus-bananapi-m2-zero: add regulator nodes + vcc-dram and vcc1v2 + +From: Michael Klein + +[ Upstream commit 23e85be1ec81647374055f731488cc9a7c013a5c ] + +Add regulator nodes vcc-dram and vcc1v2 to the devicetree. These +regulators correspond to U4 and U5 in the schematics: + +http://forum.banana-pi.org/t/bpi-m2-zero-schematic-diagram-public/4111 + +Signed-off-by: Michael Klein +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20201130183841.136708-1-michael@fossekall.de +Stable-dep-of: 4a0e7f2decbf ("netfilter: nf_tables: do not compare internal table flags on updates") +Signed-off-by: Sasha Levin +--- + .../dts/sun8i-h2-plus-bananapi-m2-zero.dts | 24 +++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/arch/arm/boot/dts/sun8i-h2-plus-bananapi-m2-zero.dts b/arch/arm/boot/dts/sun8i-h2-plus-bananapi-m2-zero.dts +index 4c6704e4c57ec..74d5732c412ba 100644 +--- a/arch/arm/boot/dts/sun8i-h2-plus-bananapi-m2-zero.dts ++++ b/arch/arm/boot/dts/sun8i-h2-plus-bananapi-m2-zero.dts +@@ -62,6 +62,30 @@ + states = <1100000 0>, <1300000 1>; + }; + ++ reg_vcc_dram: vcc-dram { ++ compatible = "regulator-fixed"; ++ regulator-name = "vcc-dram"; ++ regulator-min-microvolt = <1500000>; ++ regulator-max-microvolt = <1500000>; ++ regulator-always-on; ++ regulator-boot-on; ++ enable-active-high; ++ gpio = <&r_pio 0 9 GPIO_ACTIVE_HIGH>; /* PL9 */ ++ vin-supply = <®_vcc5v0>; ++ }; ++ ++ reg_vcc1v2: vcc1v2 { ++ compatible = "regulator-fixed"; ++ regulator-name = "vcc1v2"; ++ regulator-min-microvolt = <1200000>; ++ regulator-max-microvolt = <1200000>; ++ regulator-always-on; ++ regulator-boot-on; ++ enable-active-high; ++ gpio = <&r_pio 0 8 GPIO_ACTIVE_HIGH>; /* PL8 */ ++ vin-supply = <®_vcc5v0>; ++ }; ++ + wifi_pwrseq: wifi_pwrseq { + compatible = "mmc-pwrseq-simple"; + reset-gpios = <&r_pio 0 7 GPIO_ACTIVE_LOW>; /* PL7 */ +-- +2.43.0 + diff --git a/queue-5.4/bpf-report-rcu-qs-in-cpumap-kthread.patch b/queue-5.4/bpf-report-rcu-qs-in-cpumap-kthread.patch new file mode 100644 index 00000000000..c346851551b --- /dev/null +++ b/queue-5.4/bpf-report-rcu-qs-in-cpumap-kthread.patch @@ -0,0 +1,55 @@ +From d465f1628283ec4c61df0452e331f607e89d22f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 13:44:40 -0700 +Subject: bpf: report RCU QS in cpumap kthread + +From: Yan Zhai + +[ Upstream commit 00bf63122459e87193ee7f1bc6161c83a525569f ] + +When there are heavy load, cpumap kernel threads can be busy polling +packets from redirect queues and block out RCU tasks from reaching +quiescent states. It is insufficient to just call cond_resched() in such +context. Periodically raise a consolidated RCU QS before cond_resched +fixes the problem. + +Fixes: 6710e1126934 ("bpf: introduce new bpf cpu map type BPF_MAP_TYPE_CPUMAP") +Reviewed-by: Jesper Dangaard Brouer +Signed-off-by: Yan Zhai +Acked-by: Paul E. McKenney +Acked-by: Jesper Dangaard Brouer +Link: https://lore.kernel.org/r/c17b9f1517e19d813da3ede5ed33ee18496bb5d8.1710877680.git.yan@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + kernel/bpf/cpumap.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/bpf/cpumap.c b/kernel/bpf/cpumap.c +index a367fc8503933..19be747f4e5ab 100644 +--- a/kernel/bpf/cpumap.c ++++ b/kernel/bpf/cpumap.c +@@ -249,6 +249,7 @@ static void put_cpu_map_entry(struct bpf_cpu_map_entry *rcpu) + static int cpu_map_kthread_run(void *data) + { + struct bpf_cpu_map_entry *rcpu = data; ++ unsigned long last_qs = jiffies; + + set_current_state(TASK_INTERRUPTIBLE); + +@@ -271,10 +272,12 @@ static int cpu_map_kthread_run(void *data) + if (__ptr_ring_empty(rcpu->queue)) { + schedule(); + sched = 1; ++ last_qs = jiffies; + } else { + __set_current_state(TASK_RUNNING); + } + } else { ++ rcu_softirq_qs_periodic(last_qs); + sched = cond_resched(); + } + +-- +2.43.0 + diff --git a/queue-5.4/hsr-fix-uninit-value-access-in-hsr_get_node.patch b/queue-5.4/hsr-fix-uninit-value-access-in-hsr_get_node.patch new file mode 100644 index 00000000000..0251ad74cc0 --- /dev/null +++ b/queue-5.4/hsr-fix-uninit-value-access-in-hsr_get_node.patch @@ -0,0 +1,98 @@ +From 7c715fe7f443efa5bd12087ff888d5c0eebb0cc6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2024 00:27:19 +0900 +Subject: hsr: Fix uninit-value access in hsr_get_node() + +From: Shigeru Yoshida + +[ Upstream commit ddbec99f58571301679addbc022256970ca3eac6 ] + +KMSAN reported the following uninit-value access issue [1]: + +===================================================== +BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 + hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 + fill_frame_info net/hsr/hsr_forward.c:577 [inline] + hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615 + hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223 + __netdev_start_xmit include/linux/netdevice.h:4940 [inline] + netdev_start_xmit include/linux/netdevice.h:4954 [inline] + xmit_one net/core/dev.c:3548 [inline] + dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 + __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 + dev_queue_xmit include/linux/netdevice.h:3134 [inline] + packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 + packet_snd net/packet/af_packet.c:3087 [inline] + packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + __sys_sendto+0x735/0xa10 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +Uninit was created at: + slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 + __alloc_skb+0x318/0x740 net/core/skbuff.c:651 + alloc_skb include/linux/skbuff.h:1286 [inline] + alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 + sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 + packet_alloc_skb net/packet/af_packet.c:2936 [inline] + packet_snd net/packet/af_packet.c:3030 [inline] + packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 + sock_sendmsg_nosec net/socket.c:730 [inline] + __sock_sendmsg net/socket.c:745 [inline] + __sys_sendto+0x735/0xa10 net/socket.c:2191 + __do_sys_sendto net/socket.c:2203 [inline] + __se_sys_sendto net/socket.c:2199 [inline] + __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 + do_syscall_x64 arch/x86/entry/common.c:52 [inline] + do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 + entry_SYSCALL_64_after_hwframe+0x63/0x6b + +CPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 +===================================================== + +If the packet type ID field in the Ethernet header is either ETH_P_PRP or +ETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr() +reads an invalid value as a sequence number. This causes the above issue. + +This patch fixes the issue by returning NULL if the Ethernet header is not +followed by an HSR tag. + +Fixes: f266a683a480 ("net/hsr: Better frame dispatch") +Reported-and-tested-by: syzbot+2ef3a8ce8e91b5a50098@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=2ef3a8ce8e91b5a50098 [1] +Signed-off-by: Shigeru Yoshida +Link: https://lore.kernel.org/r/20240312152719.724530-1-syoshida@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_framereg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c +index 783e741491ec3..1a0f447113f24 100644 +--- a/net/hsr/hsr_framereg.c ++++ b/net/hsr/hsr_framereg.c +@@ -198,6 +198,10 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb, + + if (ethhdr->h_proto == htons(ETH_P_PRP) || + ethhdr->h_proto == htons(ETH_P_HSR)) { ++ /* Check if skb contains hsr_ethhdr */ ++ if (skb->mac_len < sizeof(struct hsr_ethhdr)) ++ return NULL; ++ + /* Use the existing sequence_nr from the tag as starting point + * for filtering duplicate frames. + */ +-- +2.43.0 + diff --git a/queue-5.4/hsr-handle-failures-in-module-init.patch b/queue-5.4/hsr-handle-failures-in-module-init.patch new file mode 100644 index 00000000000..6583033d871 --- /dev/null +++ b/queue-5.4/hsr-handle-failures-in-module-init.patch @@ -0,0 +1,61 @@ +From 4b7b42afd4be6412aeccffcb789d9ea2d382b32c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 13:04:52 +0100 +Subject: hsr: Handle failures in module init + +From: Felix Maurer + +[ Upstream commit 3cf28cd492308e5f63ed00b29ea03ca016264376 ] + +A failure during registration of the netdev notifier was not handled at +all. A failure during netlink initialization did not unregister the netdev +notifier. + +Handle failures of netdev notifier registration and netlink initialization. +Both functions should only return negative values on failure and thereby +lead to the hsr module not being loaded. + +Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") +Signed-off-by: Felix Maurer +Reviewed-by: Shigeru Yoshida +Reviewed-by: Breno Leitao +Link: https://lore.kernel.org/r/3ce097c15e3f7ace98fc7fd9bcbf299f092e63d1.1710504184.git.fmaurer@redhat.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_main.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/hsr/hsr_main.c b/net/hsr/hsr_main.c +index 9e389accbfc7e..ea627e532aab8 100644 +--- a/net/hsr/hsr_main.c ++++ b/net/hsr/hsr_main.c +@@ -113,14 +113,21 @@ static struct notifier_block hsr_nb = { + + static int __init hsr_init(void) + { +- int res; ++ int err; + + BUILD_BUG_ON(sizeof(struct hsr_tag) != HSR_HLEN); + +- register_netdevice_notifier(&hsr_nb); +- res = hsr_netlink_init(); ++ err = register_netdevice_notifier(&hsr_nb); ++ if (err) ++ return err; ++ ++ err = hsr_netlink_init(); ++ if (err) { ++ unregister_netdevice_notifier(&hsr_nb); ++ return err; ++ } + +- return res; ++ return 0; + } + + static void __exit hsr_exit(void) +-- +2.43.0 + diff --git a/queue-5.4/kconfig-fix-infinite-loop-when-expanding-a-macro-at-.patch b/queue-5.4/kconfig-fix-infinite-loop-when-expanding-a-macro-at-.patch new file mode 100644 index 00000000000..438c9cb8c09 --- /dev/null +++ b/queue-5.4/kconfig-fix-infinite-loop-when-expanding-a-macro-at-.patch @@ -0,0 +1,47 @@ +From 634fcc9b311f4f725827b3588121ff3e537ba8c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Feb 2024 00:57:59 +0900 +Subject: kconfig: fix infinite loop when expanding a macro at the end of file + +From: Masahiro Yamada + +[ Upstream commit af8bbce92044dc58e4cc039ab94ee5d470a621f5 ] + +A macro placed at the end of a file with no newline causes an infinite +loop. + +[Test Kconfig] + $(info,hello) + \ No newline at end of file + +I realized that flex-provided input() returns 0 instead of EOF when it +reaches the end of a file. + +Fixes: 104daea149c4 ("kconfig: reference environment variables directly and remove 'option env='") +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/kconfig/lexer.l | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/scripts/kconfig/lexer.l b/scripts/kconfig/lexer.l +index 6354c905b006f..3bf90d01c39f9 100644 +--- a/scripts/kconfig/lexer.l ++++ b/scripts/kconfig/lexer.l +@@ -305,8 +305,11 @@ static char *expand_token(const char *in, size_t n) + new_string(); + append_string(in, n); + +- /* get the whole line because we do not know the end of token. */ +- while ((c = input()) != EOF) { ++ /* ++ * get the whole line because we do not know the end of token. ++ * input() returns 0 (not EOF!) when it reachs the end of file. ++ */ ++ while ((c = input()) != 0) { + if (c == '\n') { + unput(c); + break; +-- +2.43.0 + diff --git a/queue-5.4/net-bnx2x-prevent-access-to-a-freed-page-in-page_poo.patch b/queue-5.4/net-bnx2x-prevent-access-to-a-freed-page-in-page_poo.patch new file mode 100644 index 00000000000..c9ae106dfcf --- /dev/null +++ b/queue-5.4/net-bnx2x-prevent-access-to-a-freed-page-in-page_poo.patch @@ -0,0 +1,89 @@ +From c72bccde741a9339337e77a869ef5600349c88bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 15:55:35 -0500 +Subject: net/bnx2x: Prevent access to a freed page in page_pool + +From: Thinh Tran + +[ Upstream commit d27e2da94a42655861ca4baea30c8cd65546f25d ] + +Fix race condition leading to system crash during EEH error handling + +During EEH error recovery, the bnx2x driver's transmit timeout logic +could cause a race condition when handling reset tasks. The +bnx2x_tx_timeout() schedules reset tasks via bnx2x_sp_rtnl_task(), +which ultimately leads to bnx2x_nic_unload(). In bnx2x_nic_unload() +SGEs are freed using bnx2x_free_rx_sge_range(). However, this could +overlap with the EEH driver's attempt to reset the device using +bnx2x_io_slot_reset(), which also tries to free SGEs. This race +condition can result in system crashes due to accessing freed memory +locations in bnx2x_free_rx_sge() + +799 static inline void bnx2x_free_rx_sge(struct bnx2x *bp, +800 struct bnx2x_fastpath *fp, u16 index) +801 { +802 struct sw_rx_page *sw_buf = &fp->rx_page_ring[index]; +803 struct page *page = sw_buf->page; +.... +where sw_buf was set to NULL after the call to dma_unmap_page() +by the preceding thread. + + EEH: Beginning: 'slot_reset' + PCI 0011:01:00.0#10000: EEH: Invoking bnx2x->slot_reset() + bnx2x: [bnx2x_io_slot_reset:14228(eth1)]IO slot reset initializing... + bnx2x 0011:01:00.0: enabling device (0140 -> 0142) + bnx2x: [bnx2x_io_slot_reset:14244(eth1)]IO slot reset --> driver unload + Kernel attempted to read user page (0) - exploit attempt? (uid: 0) + BUG: Kernel NULL pointer dereference on read at 0x00000000 + Faulting instruction address: 0xc0080000025065fc + Oops: Kernel access of bad area, sig: 11 [#1] + ..... + Call Trace: + [c000000003c67a20] [c00800000250658c] bnx2x_io_slot_reset+0x204/0x610 [bnx2x] (unreliable) + [c000000003c67af0] [c0000000000518a8] eeh_report_reset+0xb8/0xf0 + [c000000003c67b60] [c000000000052130] eeh_pe_report+0x180/0x550 + [c000000003c67c70] [c00000000005318c] eeh_handle_normal_event+0x84c/0xa60 + [c000000003c67d50] [c000000000053a84] eeh_event_handler+0xf4/0x170 + [c000000003c67da0] [c000000000194c58] kthread+0x1c8/0x1d0 + [c000000003c67e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64 + +To solve this issue, we need to verify page pool allocations before +freeing. + +Fixes: 4cace675d687 ("bnx2x: Alloc 4k fragment for each rx ring buffer element") +Signed-off-by: Thinh Tran +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20240315205535.1321-1-thinhtr@linux.ibm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +index 3f63ffd7561bf..d17731cae8634 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h +@@ -1004,9 +1004,6 @@ static inline void bnx2x_set_fw_mac_addr(__le16 *fw_hi, __le16 *fw_mid, + static inline void bnx2x_free_rx_mem_pool(struct bnx2x *bp, + struct bnx2x_alloc_pool *pool) + { +- if (!pool->page) +- return; +- + put_page(pool->page); + + pool->page = NULL; +@@ -1017,6 +1014,9 @@ static inline void bnx2x_free_rx_sge_range(struct bnx2x *bp, + { + int i; + ++ if (!fp->page_pool.page) ++ return; ++ + if (fp->mode == TPA_MODE_DISABLED) + return; + +-- +2.43.0 + diff --git a/queue-5.4/netfilter-nf_tables-do-not-compare-internal-table-fl.patch b/queue-5.4/netfilter-nf_tables-do-not-compare-internal-table-fl.patch new file mode 100644 index 00000000000..96f54100f1e --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-do-not-compare-internal-table-fl.patch @@ -0,0 +1,34 @@ +From 6467d84e447e019f5ea6af0af86a40c3d4a872a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 18:51:38 +0100 +Subject: netfilter: nf_tables: do not compare internal table flags on updates + +From: Pablo Neira Ayuso + +[ Upstream commit 4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139 ] + +Restore skipping transaction if table update does not modify flags. + +Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_tables_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index c5dbb950822fd..2d372d5fcbfaa 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -916,7 +916,7 @@ static int nf_tables_updtable(struct nft_ctx *ctx) + if (flags & ~NFT_TABLE_F_DORMANT) + return -EINVAL; + +- if (flags == ctx->table->flags) ++ if (flags == (ctx->table->flags & NFT_TABLE_F_MASK)) + return 0; + + /* No dormant off/on/off/on games in single transaction */ +-- +2.43.0 + diff --git a/queue-5.4/octeontx2-af-use-matching-wake_up-api-variant-in-cgx.patch b/queue-5.4/octeontx2-af-use-matching-wake_up-api-variant-in-cgx.patch new file mode 100644 index 00000000000..dbddae641b8 --- /dev/null +++ b/queue-5.4/octeontx2-af-use-matching-wake_up-api-variant-in-cgx.patch @@ -0,0 +1,39 @@ +From 81b6ba73ee583e0d75e3a48372aa0e63604a4f05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Mar 2024 12:36:22 +0530 +Subject: octeontx2-af: Use matching wake_up API variant in CGX command + interface + +From: Linu Cherian + +[ Upstream commit e642921dfeed1e15e73f78f2c3b6746f72b6deb2 ] + +Use wake_up API instead of wake_up_interruptible, since +wait_event_timeout API is used for waiting on command completion. + +Fixes: 1463f382f58d ("octeontx2-af: Add support for CGX link management") +Signed-off-by: Linu Cherian +Signed-off-by: Sunil Goutham +Signed-off-by: Subbaraya Sundeep +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/cgx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c +index 54e9f6dc24ea0..910ed148e827e 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/cgx.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/cgx.c +@@ -582,7 +582,7 @@ static irqreturn_t cgx_fwi_event_handler(int irq, void *data) + + /* Release thread waiting for completion */ + lmac->cmd_pend = false; +- wake_up_interruptible(&lmac->wq_cmd_cmplt); ++ wake_up(&lmac->wq_cmd_cmplt); + break; + case CGX_EVT_ASYNC: + if (cgx_event_is_linkevent(event)) +-- +2.43.0 + diff --git a/queue-5.4/octeontx2-af-use-separate-handlers-for-interrupts.patch b/queue-5.4/octeontx2-af-use-separate-handlers-for-interrupts.patch new file mode 100644 index 00000000000..8488953ec1b --- /dev/null +++ b/queue-5.4/octeontx2-af-use-separate-handlers-for-interrupts.patch @@ -0,0 +1,69 @@ +From 7dfd3e1887c962b402944222e8798893823ea0a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Mar 2024 14:59:58 +0530 +Subject: octeontx2-af: Use separate handlers for interrupts + +From: Subbaraya Sundeep + +[ Upstream commit 50e60de381c342008c0956fd762e1c26408f372c ] + +For PF to AF interrupt vector and VF to AF vector same +interrupt handler is registered which is causing race condition. +When two interrupts are raised to two CPUs at same time +then two cores serve same event corrupting the data. + +Fixes: 7304ac4567bc ("octeontx2-af: Add mailbox IRQ and msg handlers") +Signed-off-by: Subbaraya Sundeep +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +index 02b4620f7368a..9c6307186505a 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c ++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c +@@ -1708,10 +1708,9 @@ static void rvu_queue_work(struct mbox_wq_info *mw, int first, + } + } + +-static irqreturn_t rvu_mbox_intr_handler(int irq, void *rvu_irq) ++static irqreturn_t rvu_mbox_pf_intr_handler(int irq, void *rvu_irq) + { + struct rvu *rvu = (struct rvu *)rvu_irq; +- int vfs = rvu->vfs; + u64 intr; + + intr = rvu_read64(rvu, BLKADDR_RVUM, RVU_AF_PFAF_MBOX_INT); +@@ -1723,6 +1722,18 @@ static irqreturn_t rvu_mbox_intr_handler(int irq, void *rvu_irq) + + rvu_queue_work(&rvu->afpf_wq_info, 0, rvu->hw->total_pfs, intr); + ++ return IRQ_HANDLED; ++} ++ ++static irqreturn_t rvu_mbox_intr_handler(int irq, void *rvu_irq) ++{ ++ struct rvu *rvu = (struct rvu *)rvu_irq; ++ int vfs = rvu->vfs; ++ u64 intr; ++ ++ /* Sync with mbox memory region */ ++ rmb(); ++ + /* Handle VF interrupts */ + if (vfs > 64) { + intr = rvupf_read64(rvu, RVU_PF_VFPF_MBOX_INTX(1)); +@@ -2035,7 +2046,7 @@ static int rvu_register_interrupts(struct rvu *rvu) + /* Register mailbox interrupt handler */ + sprintf(&rvu->irq_name[RVU_AF_INT_VEC_MBOX * NAME_SIZE], "RVUAF Mbox"); + ret = request_irq(pci_irq_vector(rvu->pdev, RVU_AF_INT_VEC_MBOX), +- rvu_mbox_intr_handler, 0, ++ rvu_mbox_pf_intr_handler, 0, + &rvu->irq_name[RVU_AF_INT_VEC_MBOX * NAME_SIZE], rvu); + if (ret) { + dev_err(rvu->dev, +-- +2.43.0 + diff --git a/queue-5.4/packet-annotate-data-races-around-ignore_outgoing.patch b/queue-5.4/packet-annotate-data-races-around-ignore_outgoing.patch new file mode 100644 index 00000000000..cc1d16838c0 --- /dev/null +++ b/queue-5.4/packet-annotate-data-races-around-ignore_outgoing.patch @@ -0,0 +1,105 @@ +From b65b80b9482f3651de6ef964b8363e965f0a8935 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Mar 2024 14:18:16 +0000 +Subject: packet: annotate data-races around ignore_outgoing + +From: Eric Dumazet + +[ Upstream commit 6ebfad33161afacb3e1e59ed1c2feefef70f9f97 ] + +ignore_outgoing is read locklessly from dev_queue_xmit_nit() +and packet_getsockopt() + +Add appropriate READ_ONCE()/WRITE_ONCE() annotations. + +syzbot reported: + +BUG: KCSAN: data-race in dev_queue_xmit_nit / packet_setsockopt + +write to 0xffff888107804542 of 1 bytes by task 22618 on cpu 0: + packet_setsockopt+0xd83/0xfd0 net/packet/af_packet.c:4003 + do_sock_setsockopt net/socket.c:2311 [inline] + __sys_setsockopt+0x1d8/0x250 net/socket.c:2334 + __do_sys_setsockopt net/socket.c:2343 [inline] + __se_sys_setsockopt net/socket.c:2340 [inline] + __x64_sys_setsockopt+0x66/0x80 net/socket.c:2340 + do_syscall_64+0xd3/0x1d0 + entry_SYSCALL_64_after_hwframe+0x6d/0x75 + +read to 0xffff888107804542 of 1 bytes by task 27 on cpu 1: + dev_queue_xmit_nit+0x82/0x620 net/core/dev.c:2248 + xmit_one net/core/dev.c:3527 [inline] + dev_hard_start_xmit+0xcc/0x3f0 net/core/dev.c:3547 + __dev_queue_xmit+0xf24/0x1dd0 net/core/dev.c:4335 + dev_queue_xmit include/linux/netdevice.h:3091 [inline] + batadv_send_skb_packet+0x264/0x300 net/batman-adv/send.c:108 + batadv_send_broadcast_skb+0x24/0x30 net/batman-adv/send.c:127 + batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:392 [inline] + batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline] + batadv_iv_send_outstanding_bat_ogm_packet+0x3f0/0x4b0 net/batman-adv/bat_iv_ogm.c:1700 + process_one_work kernel/workqueue.c:3254 [inline] + process_scheduled_works+0x465/0x990 kernel/workqueue.c:3335 + worker_thread+0x526/0x730 kernel/workqueue.c:3416 + kthread+0x1d1/0x210 kernel/kthread.c:388 + ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147 + ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 + +value changed: 0x00 -> 0x01 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 27 Comm: kworker/u8:1 Tainted: G W 6.8.0-syzkaller-08073-g480e035fc4c7 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 +Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet + +Fixes: fa788d986a3a ("packet: add sockopt to ignore outgoing packets") +Reported-by: syzbot+c669c1136495a2e7c31f@syzkaller.appspotmail.com +Closes: https://lore.kernel.org/netdev/CANn89i+Z7MfbkBLOv=p7KZ7=K1rKHO4P1OL5LYDCtBiyqsa9oQ@mail.gmail.com/T/#t +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Reviewed-by: Willem de Bruijn +Reviewed-by: Jason Xing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + net/packet/af_packet.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 5e043e6f09476..4f39d97209811 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -1940,7 +1940,7 @@ void dev_queue_xmit_nit(struct sk_buff *skb, struct net_device *dev) + rcu_read_lock(); + again: + list_for_each_entry_rcu(ptype, ptype_list, list) { +- if (ptype->ignore_outgoing) ++ if (READ_ONCE(ptype->ignore_outgoing)) + continue; + + /* Never send packets back to the socket +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 451f9c43b34b8..9fc020fd7ecc1 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3921,7 +3921,7 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv + if (val < 0 || val > 1) + return -EINVAL; + +- po->prot_hook.ignore_outgoing = !!val; ++ WRITE_ONCE(po->prot_hook.ignore_outgoing, !!val); + return 0; + } + case PACKET_TX_HAS_OFF: +@@ -4053,7 +4053,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname, + 0); + break; + case PACKET_IGNORE_OUTGOING: +- val = po->prot_hook.ignore_outgoing; ++ val = READ_ONCE(po->prot_hook.ignore_outgoing); + break; + case PACKET_ROLLOVER_STATS: + if (!po->rollover) +-- +2.43.0 + diff --git a/queue-5.4/rcu-add-a-helper-to-report-consolidated-flavor-qs.patch b/queue-5.4/rcu-add-a-helper-to-report-consolidated-flavor-qs.patch new file mode 100644 index 00000000000..e3ccffaa455 --- /dev/null +++ b/queue-5.4/rcu-add-a-helper-to-report-consolidated-flavor-qs.patch @@ -0,0 +1,76 @@ +From 59cec75b7478e92fc0341d3d9c1cbe80ed022db2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Mar 2024 13:44:34 -0700 +Subject: rcu: add a helper to report consolidated flavor QS + +From: Yan Zhai + +[ Upstream commit 1a77557d48cff187a169c2aec01c0dd78a5e7e50 ] + +When under heavy load, network processing can run CPU-bound for many +tens of seconds. Even in preemptible kernels (non-RT kernel), this can +block RCU Tasks grace periods, which can cause trace-event removal to +take more than a minute, which is unacceptably long. + +This commit therefore creates a new helper function that passes through +both RCU and RCU-Tasks quiescent states every 100 milliseconds. This +hard-coded value suffices for current workloads. + +Suggested-by: Paul E. McKenney +Reviewed-by: Jesper Dangaard Brouer +Signed-off-by: Yan Zhai +Reviewed-by: Paul E. McKenney +Acked-by: Jesper Dangaard Brouer +Link: https://lore.kernel.org/r/90431d46ee112d2b0af04dbfe936faaca11810a5.1710877680.git.yan@cloudflare.com +Signed-off-by: Jakub Kicinski +Stable-dep-of: 00bf63122459 ("bpf: report RCU QS in cpumap kthread") +Signed-off-by: Sasha Levin +--- + include/linux/rcupdate.h | 31 +++++++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/include/linux/rcupdate.h b/include/linux/rcupdate.h +index c75b38ba4a728..bc4b5c905a602 100644 +--- a/include/linux/rcupdate.h ++++ b/include/linux/rcupdate.h +@@ -164,6 +164,37 @@ do { \ + cond_resched(); \ + } while (0) + ++/** ++ * rcu_softirq_qs_periodic - Report RCU and RCU-Tasks quiescent states ++ * @old_ts: jiffies at start of processing. ++ * ++ * This helper is for long-running softirq handlers, such as NAPI threads in ++ * networking. The caller should initialize the variable passed in as @old_ts ++ * at the beginning of the softirq handler. When invoked frequently, this macro ++ * will invoke rcu_softirq_qs() every 100 milliseconds thereafter, which will ++ * provide both RCU and RCU-Tasks quiescent states. Note that this macro ++ * modifies its old_ts argument. ++ * ++ * Because regions of code that have disabled softirq act as RCU read-side ++ * critical sections, this macro should be invoked with softirq (and ++ * preemption) enabled. ++ * ++ * The macro is not needed when CONFIG_PREEMPT_RT is defined. RT kernels would ++ * have more chance to invoke schedule() calls and provide necessary quiescent ++ * states. As a contrast, calling cond_resched() only won't achieve the same ++ * effect because cond_resched() does not provide RCU-Tasks quiescent states. ++ */ ++#define rcu_softirq_qs_periodic(old_ts) \ ++do { \ ++ if (!IS_ENABLED(CONFIG_PREEMPT_RT) && \ ++ time_after(jiffies, (old_ts) + HZ / 10)) { \ ++ preempt_disable(); \ ++ rcu_softirq_qs(); \ ++ preempt_enable(); \ ++ (old_ts) = jiffies; \ ++ } \ ++} while (0) ++ + /* + * Infrastructure to implement the synchronize_() primitives in + * TREE_RCU and rcu_barrier_() primitives in TINY_RCU. +-- +2.43.0 + diff --git a/queue-5.4/rds-introduce-acquire-release-ordering-in-acquire-re.patch b/queue-5.4/rds-introduce-acquire-release-ordering-in-acquire-re.patch new file mode 100644 index 00000000000..65d2be92d9b --- /dev/null +++ b/queue-5.4/rds-introduce-acquire-release-ordering-in-acquire-re.patch @@ -0,0 +1,51 @@ +From fbbf4862b91a30cf91e7d5a5f1bd1304065be054 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Mar 2024 18:28:38 +0900 +Subject: rds: introduce acquire/release ordering in acquire/release_in_xmit() + +From: Yewon Choi + +[ Upstream commit 1422f28826d2a0c11e5240b3e951c9e214d8656e ] + +acquire/release_in_xmit() work as bit lock in rds_send_xmit(), so they +are expected to ensure acquire/release memory ordering semantics. +However, test_and_set_bit/clear_bit() don't imply such semantics, on +top of this, following smp_mb__after_atomic() does not guarantee release +ordering (memory barrier actually should be placed before clear_bit()). + +Instead, we use clear_bit_unlock/test_and_set_bit_lock() here. + +Fixes: 0f4b1c7e89e6 ("rds: fix rds_send_xmit() serialization") +Fixes: 1f9ecd7eacfd ("RDS: Pass rds_conn_path to rds_send_xmit()") +Signed-off-by: Yewon Choi +Reviewed-by: Michal Kubiak +Link: https://lore.kernel.org/r/ZfQUxnNTO9AJmzwc@libra05 +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/rds/send.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/net/rds/send.c b/net/rds/send.c +index 6c2c5667e3a39..c0cebf4b4fe56 100644 +--- a/net/rds/send.c ++++ b/net/rds/send.c +@@ -103,13 +103,12 @@ EXPORT_SYMBOL_GPL(rds_send_path_reset); + + static int acquire_in_xmit(struct rds_conn_path *cp) + { +- return test_and_set_bit(RDS_IN_XMIT, &cp->cp_flags) == 0; ++ return test_and_set_bit_lock(RDS_IN_XMIT, &cp->cp_flags) == 0; + } + + static void release_in_xmit(struct rds_conn_path *cp) + { +- clear_bit(RDS_IN_XMIT, &cp->cp_flags); +- smp_mb__after_atomic(); ++ clear_bit_unlock(RDS_IN_XMIT, &cp->cp_flags); + /* + * We don't use wait_on_bit()/wake_up_bit() because our waking is in a + * hot path and finding waiters is very rare. We don't want to walk +-- +2.43.0 + diff --git a/queue-5.4/regmap-add-missing-map-bus-check.patch b/queue-5.4/regmap-add-missing-map-bus-check.patch new file mode 100644 index 00000000000..0560c06a485 --- /dev/null +++ b/queue-5.4/regmap-add-missing-map-bus-check.patch @@ -0,0 +1,41 @@ +From a10175cfa49ca94deac42d72a71d26a1aa4b2d68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 May 2022 02:30:35 +0200 +Subject: regmap: Add missing map->bus check + +From: Marek Vasut + +[ Upstream commit 5c422f0b970d287efa864b8390a02face404db5d ] + +The map->bus can be NULL here, add the missing NULL pointer check. + +Fixes: d77e745613680 ("regmap: Add bulk read/write callbacks into regmap_config") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Marek Vasut +Cc: Dan Carpenter +Cc: Mark Brown +To: linux-kernel@vger.kernel.org +Link: https://lore.kernel.org/r/20220509003035.225272-1-marex@denx.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c +index 6f580883c1973..aa9c6e0ff878d 100644 +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1648,7 +1648,7 @@ static int _regmap_raw_write_impl(struct regmap *map, unsigned int reg, + map->format.reg_bytes + + map->format.pad_bytes + + val_len); +- else if (map->bus->gather_write) ++ else if (map->bus && map->bus->gather_write) + ret = map->bus->gather_write(map->bus_context, map->work_buf, + map->format.reg_bytes + + map->format.pad_bytes, +-- +2.43.0 + diff --git a/queue-5.4/rtc-mt6397-select-irq_domain-instead-of-depending-on.patch b/queue-5.4/rtc-mt6397-select-irq_domain-instead-of-depending-on.patch new file mode 100644 index 00000000000..049855424c5 --- /dev/null +++ b/queue-5.4/rtc-mt6397-select-irq_domain-instead-of-depending-on.patch @@ -0,0 +1,59 @@ +From cfa399e3ae5bd57338b92a4a359b7c7d9effef42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Feb 2024 21:02:58 -0800 +Subject: rtc: mt6397: select IRQ_DOMAIN instead of depending on it + +From: Randy Dunlap + +[ Upstream commit 544c42f798e1651dcb04fb0395219bf0f1c2607e ] + +IRQ_DOMAIN is a hidden (not user visible) symbol. Users cannot set +it directly thru "make *config", so drivers should select it instead +of depending on it if they need it. +Relying on it being set for a dependency is risky. + +Consistently using "select" or "depends on" can also help reduce +Kconfig circular dependency issues. + +Therefore, change the use of "depends on" for IRQ_DOMAIN to +"select" for RTC_DRV_MT6397. + +Fixes: 04d3ba70a3c9 ("rtc: mt6397: add IRQ domain dependency") +Cc: Arnd Bergmann +Cc: Eddie Huang +Cc: Sean Wang +Cc: Matthias Brugger +Cc: linux-arm-kernel@lists.infradead.org +Cc: linux-mediatek@lists.infradead.org +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: linux-rtc@vger.kernel.org +Cc: Marc Zyngier +Cc: Philipp Zabel +Cc: Peter Rosin +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20240213050258.6167-1-rdunlap@infradead.org +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/rtc/Kconfig b/drivers/rtc/Kconfig +index 0ad8d84aeb339..22638878c9819 100644 +--- a/drivers/rtc/Kconfig ++++ b/drivers/rtc/Kconfig +@@ -1811,7 +1811,8 @@ config RTC_DRV_MOXART + + config RTC_DRV_MT6397 + tristate "MediaTek PMIC based RTC" +- depends on MFD_MT6397 || (COMPILE_TEST && IRQ_DOMAIN) ++ depends on MFD_MT6397 || COMPILE_TEST ++ select IRQ_DOMAIN + help + This selects the MediaTek(R) RTC driver. RTC is part of MediaTek + MT6397 PMIC. You should enable MT6397 PMIC MFD before select +-- +2.43.0 + diff --git a/queue-5.4/s390-vtime-fix-average-steal-time-calculation.patch b/queue-5.4/s390-vtime-fix-average-steal-time-calculation.patch new file mode 100644 index 00000000000..cfff773a890 --- /dev/null +++ b/queue-5.4/s390-vtime-fix-average-steal-time-calculation.patch @@ -0,0 +1,64 @@ +From 0f7bd6ab8d33230ff3750f057eba89bb673c8728 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Mar 2024 12:31:52 +0100 +Subject: s390/vtime: fix average steal time calculation + +From: Mete Durlu + +[ Upstream commit 367c50f78451d3bd7ad70bc5c89f9ba6dec46ca9 ] + +Current average steal timer calculation produces volatile and inflated +values. The only user of this value is KVM so far and it uses that to +decide whether or not to yield the vCPU which is seeing steal time. +KVM compares average steal timer to a threshold and if the threshold +is past then it does not allow CPU polling and yields it to host, else +it keeps the CPU by polling. +Since KVM's steal time threshold is very low by default (%10) it most +likely is not effected much by the bloated average steal timer values +because the operating region is pretty small. However there might be +new users in the future who might rely on this number. Fix average +steal timer calculation by changing the formula from: + + avg_steal_timer = avg_steal_timer / 2 + steal_timer; + +to the following: + + avg_steal_timer = (avg_steal_timer + steal_timer) / 2; + +This ensures that avg_steal_timer is actually a naive average of steal +timer values. It now closely follows steal timer values but of course +in a smoother manner. + +Fixes: 152e9b8676c6 ("s390/vtime: steal time exponential moving average") +Signed-off-by: Mete Durlu +Acked-by: Heiko Carstens +Acked-by: Christian Borntraeger +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/vtime.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/kernel/vtime.c b/arch/s390/kernel/vtime.c +index 6e60cc2443b2e..2c99de1cc92cb 100644 +--- a/arch/s390/kernel/vtime.c ++++ b/arch/s390/kernel/vtime.c +@@ -214,13 +214,13 @@ void vtime_flush(struct task_struct *tsk) + virt_timer_expire(); + + steal = S390_lowcore.steal_timer; +- avg_steal = S390_lowcore.avg_steal_timer / 2; ++ avg_steal = S390_lowcore.avg_steal_timer; + if ((s64) steal > 0) { + S390_lowcore.steal_timer = 0; + account_steal_time(cputime_to_nsecs(steal)); + avg_steal += steal; + } +- S390_lowcore.avg_steal_timer = avg_steal; ++ S390_lowcore.avg_steal_timer = avg_steal / 2; + } + + /* +-- +2.43.0 + diff --git a/queue-5.4/serial-8250_exar-don-t-remove-gpio-device-on-suspend.patch b/queue-5.4/serial-8250_exar-don-t-remove-gpio-device-on-suspend.patch new file mode 100644 index 00000000000..8eedb0f5755 --- /dev/null +++ b/queue-5.4/serial-8250_exar-don-t-remove-gpio-device-on-suspend.patch @@ -0,0 +1,49 @@ +From 2b699e38a82cd6832f598936ca7ed5a17969d7ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Feb 2024 17:04:57 +0200 +Subject: serial: 8250_exar: Don't remove GPIO device on suspend + +From: Andy Shevchenko + +[ Upstream commit 73b5a5c00be39e23b194bad10e1ea8bb73eee176 ] + +It seems a copy&paste mistake that suspend callback removes the GPIO +device. There is no counterpart of this action, means once suspended +there is no more GPIO device available untile full unbind-bind cycle +is performed. Remove suspicious GPIO device removal in suspend. + +Fixes: d0aeaa83f0b0 ("serial: exar: split out the exar code from 8250_pci") +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20240219150627.2101198-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_exar.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c +index 93367dea4d8a5..0dfe9ceb032a5 100644 +--- a/drivers/tty/serial/8250/8250_exar.c ++++ b/drivers/tty/serial/8250/8250_exar.c +@@ -639,6 +639,7 @@ static void exar_pci_remove(struct pci_dev *pcidev) + for (i = 0; i < priv->nr; i++) + serial8250_unregister_port(priv->line[i]); + ++ /* Ensure that every init quirk is properly torn down */ + if (priv->board->exit) + priv->board->exit(pcidev); + } +@@ -653,10 +654,6 @@ static int __maybe_unused exar_suspend(struct device *dev) + if (priv->line[i] >= 0) + serial8250_suspend_port(priv->line[i]); + +- /* Ensure that every init quirk is properly torn down */ +- if (priv->board->exit) +- priv->board->exit(pcidev); +- + return 0; + } + +-- +2.43.0 + diff --git a/queue-5.4/serial-max310x-fix-syntax-error-in-irq-error-message.patch b/queue-5.4/serial-max310x-fix-syntax-error-in-irq-error-message.patch new file mode 100644 index 00000000000..f3c8951821c --- /dev/null +++ b/queue-5.4/serial-max310x-fix-syntax-error-in-irq-error-message.patch @@ -0,0 +1,40 @@ +From 88114168b9fb7420680273425265440ab9c9d555 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Jan 2024 10:22:01 -0500 +Subject: serial: max310x: fix syntax error in IRQ error message + +From: Hugo Villeneuve + +[ Upstream commit 8ede8c6f474255b2213cccd7997b993272a8e2f9 ] + +Replace g with q. + +Helpful when grepping thru source code or logs for +"request" keyword. + +Fixes: f65444187a66 ("serial: New serial driver MAX310X") +Reviewed-by: Andy Shevchenko +Signed-off-by: Hugo Villeneuve +Link: https://lore.kernel.org/r/20240118152213.2644269-6-hugo@hugovil.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/max310x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/max310x.c b/drivers/tty/serial/max310x.c +index 2f88eae8a55a1..5570fd3b84e15 100644 +--- a/drivers/tty/serial/max310x.c ++++ b/drivers/tty/serial/max310x.c +@@ -1460,7 +1460,7 @@ static int max310x_probe(struct device *dev, const struct max310x_devtype *devty + if (!ret) + return 0; + +- dev_err(dev, "Unable to reguest IRQ %i\n", irq); ++ dev_err(dev, "Unable to request IRQ %i\n", irq); + + out_uart: + for (i = 0; i < devtype->nr; i++) { +-- +2.43.0 + diff --git a/queue-5.4/series b/queue-5.4/series index 7e919d728c2..9d6d6c099b9 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -157,3 +157,26 @@ net-sunrpc-fix-an-off-by-one-in-rpc_sockaddr2uaddr.patch watchdog-stm32_iwdg-initialize-default-timeout.patch nfs-fix-an-off-by-one-in-root_nfs_cat.patch afs-revert-afs-hide-silly-rename-files-from-userspac.patch +usb-phy-generic-get-the-vbus-supply.patch +tty-vt-fix-20-vs-0x20-typo-in-escsiignore.patch +serial-max310x-fix-syntax-error-in-irq-error-message.patch +tty-serial-samsung-fix-tx_empty-to-return-tiocser_te.patch +kconfig-fix-infinite-loop-when-expanding-a-macro-at-.patch +rtc-mt6397-select-irq_domain-instead-of-depending-on.patch +serial-8250_exar-don-t-remove-gpio-device-on-suspend.patch +staging-greybus-fix-get_channel_from_mode-failure-pa.patch +usb-gadget-net2272-use-irqflags-in-the-call-to-net22.patch +octeontx2-af-use-matching-wake_up-api-variant-in-cgx.patch +s390-vtime-fix-average-steal-time-calculation.patch +hsr-fix-uninit-value-access-in-hsr_get_node.patch +packet-annotate-data-races-around-ignore_outgoing.patch +rds-introduce-acquire-release-ordering-in-acquire-re.patch +hsr-handle-failures-in-module-init.patch +net-bnx2x-prevent-access-to-a-freed-page-in-page_poo.patch +octeontx2-af-use-separate-handlers-for-interrupts.patch +arm-dts-sun8i-h2-plus-bananapi-m2-zero-add-regulator.patch +netfilter-nf_tables-do-not-compare-internal-table-fl.patch +rcu-add-a-helper-to-report-consolidated-flavor-qs.patch +bpf-report-rcu-qs-in-cpumap-kthread.patch +spi-spi-mt65xx-fix-null-pointer-access-in-interrupt-.patch +regmap-add-missing-map-bus-check.patch diff --git a/queue-5.4/spi-spi-mt65xx-fix-null-pointer-access-in-interrupt-.patch b/queue-5.4/spi-spi-mt65xx-fix-null-pointer-access-in-interrupt-.patch new file mode 100644 index 00000000000..74e21d71ce5 --- /dev/null +++ b/queue-5.4/spi-spi-mt65xx-fix-null-pointer-access-in-interrupt-.patch @@ -0,0 +1,61 @@ +From f9daf1707c691e638f6377e647a89d09c2a24bb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Mar 2024 15:08:57 +0800 +Subject: spi: spi-mt65xx: Fix NULL pointer access in interrupt handler + +From: Fei Shao + +[ Upstream commit a20ad45008a7c82f1184dc6dee280096009ece55 ] + +The TX buffer in spi_transfer can be a NULL pointer, so the interrupt +handler may end up writing to the invalid memory and cause crashes. + +Add a check to trans->tx_buf before using it. + +Fixes: 1ce24864bff4 ("spi: mediatek: Only do dma for 4-byte aligned buffers") +Signed-off-by: Fei Shao +Reviewed-by: AngeloGioacchino Del Regno +Link: https://msgid.link/r/20240321070942.1587146-2-fshao@chromium.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mt65xx.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c +index 29d44f5d5212c..8105b458d12f7 100644 +--- a/drivers/spi/spi-mt65xx.c ++++ b/drivers/spi/spi-mt65xx.c +@@ -559,17 +559,19 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) + mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len); + mtk_spi_setup_packet(master); + +- cnt = mdata->xfer_len / 4; +- iowrite32_rep(mdata->base + SPI_TX_DATA_REG, +- trans->tx_buf + mdata->num_xfered, cnt); ++ if (trans->tx_buf) { ++ cnt = mdata->xfer_len / 4; ++ iowrite32_rep(mdata->base + SPI_TX_DATA_REG, ++ trans->tx_buf + mdata->num_xfered, cnt); + +- remainder = mdata->xfer_len % 4; +- if (remainder > 0) { +- reg_val = 0; +- memcpy(®_val, +- trans->tx_buf + (cnt * 4) + mdata->num_xfered, +- remainder); +- writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ remainder = mdata->xfer_len % 4; ++ if (remainder > 0) { ++ reg_val = 0; ++ memcpy(®_val, ++ trans->tx_buf + (cnt * 4) + mdata->num_xfered, ++ remainder); ++ writel(reg_val, mdata->base + SPI_TX_DATA_REG); ++ } + } + + mtk_spi_enable_transfer(master); +-- +2.43.0 + diff --git a/queue-5.4/staging-greybus-fix-get_channel_from_mode-failure-pa.patch b/queue-5.4/staging-greybus-fix-get_channel_from_mode-failure-pa.patch new file mode 100644 index 00000000000..14f588a0150 --- /dev/null +++ b/queue-5.4/staging-greybus-fix-get_channel_from_mode-failure-pa.patch @@ -0,0 +1,54 @@ +From 0230b3ebc73d2cc76207283cc0824052174ea9d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Mar 2024 10:04:48 +0300 +Subject: staging: greybus: fix get_channel_from_mode() failure path + +From: Dan Carpenter + +[ Upstream commit 34164202a5827f60a203ca9acaf2d9f7d432aac8 ] + +The get_channel_from_mode() function is supposed to return the channel +which matches the mode. But it has a bug where if it doesn't find a +matching channel then it returns the last channel. It should return +NULL instead. + +Also remove an unnecessary NULL check on "channel". + +Fixes: 2870b52bae4c ("greybus: lights: add lights implementation") +Signed-off-by: Dan Carpenter +Reviewed-by: Rui Miguel Silva +Reviewed-by: Alex Elder +Link: https://lore.kernel.org/r/379c0cb4-39e0-4293-8a18-c7b1298e5420@moroto.mountain +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/greybus/light.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/greybus/light.c b/drivers/staging/greybus/light.c +index d2672b65c3f49..e59bb27236b9f 100644 +--- a/drivers/staging/greybus/light.c ++++ b/drivers/staging/greybus/light.c +@@ -100,15 +100,15 @@ static struct led_classdev *get_channel_cdev(struct gb_channel *channel) + static struct gb_channel *get_channel_from_mode(struct gb_light *light, + u32 mode) + { +- struct gb_channel *channel = NULL; ++ struct gb_channel *channel; + int i; + + for (i = 0; i < light->channels_count; i++) { + channel = &light->channels[i]; +- if (channel && channel->mode == mode) +- break; ++ if (channel->mode == mode) ++ return channel; + } +- return channel; ++ return NULL; + } + + static int __gb_lights_flash_intensity_set(struct gb_channel *channel, +-- +2.43.0 + diff --git a/queue-5.4/tty-serial-samsung-fix-tx_empty-to-return-tiocser_te.patch b/queue-5.4/tty-serial-samsung-fix-tx_empty-to-return-tiocser_te.patch new file mode 100644 index 00000000000..15cc0181531 --- /dev/null +++ b/queue-5.4/tty-serial-samsung-fix-tx_empty-to-return-tiocser_te.patch @@ -0,0 +1,45 @@ +From 40a21775ed75d47b2ddd5a680357f2fda7240199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Jan 2024 10:45:08 +0000 +Subject: tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT + +From: Tudor Ambarus + +[ Upstream commit 314c2b399288f0058a8c5b6683292cbde5f1531b ] + +The core expects for tx_empty() either TIOCSER_TEMT when the tx is +empty or 0 otherwise. s3c24xx_serial_txempty_nofifo() might return +0x4, and at least uart_get_lsr_info() tries to clear exactly +TIOCSER_TEMT (BIT(1)). Fix tx_empty() to return TIOCSER_TEMT. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Tudor Ambarus +Reviewed-by: Sam Protsenko +Link: https://lore.kernel.org/r/20240119104526.1221243-2-tudor.ambarus@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/samsung.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 24f9bd9101662..78d97dbfc18a8 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -800,11 +800,10 @@ static unsigned int s3c24xx_serial_tx_empty(struct uart_port *port) + if ((ufstat & info->tx_fifomask) != 0 || + (ufstat & info->tx_fifofull)) + return 0; +- +- return 1; ++ return TIOCSER_TEMT; + } + +- return s3c24xx_serial_txempty_nofifo(port); ++ return s3c24xx_serial_txempty_nofifo(port) ? TIOCSER_TEMT : 0; + } + + /* no modem control lines */ +-- +2.43.0 + diff --git a/queue-5.4/tty-vt-fix-20-vs-0x20-typo-in-escsiignore.patch b/queue-5.4/tty-vt-fix-20-vs-0x20-typo-in-escsiignore.patch new file mode 100644 index 00000000000..9f5c5d80dcd --- /dev/null +++ b/queue-5.4/tty-vt-fix-20-vs-0x20-typo-in-escsiignore.patch @@ -0,0 +1,45 @@ +From cedcef3626519598afdc08ad569ee6350fd68c55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Jan 2024 12:03:17 +0100 +Subject: tty: vt: fix 20 vs 0x20 typo in EScsiignore + +From: Jiri Slaby (SUSE) + +[ Upstream commit 0e6a92f67c8a94707f7bb27ac29e2bdf3e7c167d ] + +The if (c >= 20 && c <= 0x3f) test added in commit 7a99565f8732 is +wrong. 20 is DC4 in ascii and it makes no sense to consider that as the +bottom limit. Instead, it should be 0x20 as in the other test in +the commit above. This is supposed to NOT change anything as we handle +interesting 20-0x20 asciis far before this if. + +So for sakeness, change to 0x20 (which is SPACE). + +Signed-off-by: "Jiri Slaby (SUSE)" +Fixes: 7a99565f8732 ("vt: ignore csi sequences with intermediate characters.") +Cc: Martin Hostettler +Link: https://lore.kernel.org/all/ZaP45QY2WEsDqoxg@neutronstar.dyndns.org/ +Tested-by: Helge Deller # parisc STI console +Link: https://lore.kernel.org/r/20240122110401.7289-4-jirislaby@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c +index e00ebda492198..171e643cf200e 100644 +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -2508,7 +2508,7 @@ static void do_con_trol(struct tty_struct *tty, struct vc_data *vc, int c) + } + return; + case EScsiignore: +- if (c >= 20 && c <= 0x3f) ++ if (c >= 0x20 && c <= 0x3f) + return; + vc->vc_state = ESnormal; + return; +-- +2.43.0 + diff --git a/queue-5.4/usb-gadget-net2272-use-irqflags-in-the-call-to-net22.patch b/queue-5.4/usb-gadget-net2272-use-irqflags-in-the-call-to-net22.patch new file mode 100644 index 00000000000..be009b38e4f --- /dev/null +++ b/queue-5.4/usb-gadget-net2272-use-irqflags-in-the-call-to-net22.patch @@ -0,0 +1,47 @@ +From 0f4a8a19d8792c569d5c981b988ec428daad4dc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Mar 2024 18:17:34 +0000 +Subject: usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Colin Ian King + +[ Upstream commit 600556809f04eb3bbccd05218215dcd7b285a9a9 ] + +Currently the variable irqflags is being set but is not being used, +it appears it should be used in the call to net2272_probe_fin +rather than IRQF_TRIGGER_LOW being used. Kudos to Uwe Kleine-König +for suggesting the fix. + +Cleans up clang scan build warning: +drivers/usb/gadget/udc/net2272.c:2610:15: warning: variable 'irqflags' +set but not used [-Wunused-but-set-variable] + +Fixes: ceb80363b2ec ("USB: net2272: driver for PLX NET2272 USB device controller") +Signed-off-by: Colin Ian King +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20240307181734.2034407-1-colin.i.king@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/net2272.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c +index 5980540a8fff2..de7757260d6cc 100644 +--- a/drivers/usb/gadget/udc/net2272.c ++++ b/drivers/usb/gadget/udc/net2272.c +@@ -2632,7 +2632,7 @@ net2272_plat_probe(struct platform_device *pdev) + goto err_req; + } + +- ret = net2272_probe_fin(dev, IRQF_TRIGGER_LOW); ++ ret = net2272_probe_fin(dev, irqflags); + if (ret) + goto err_io; + +-- +2.43.0 + diff --git a/queue-5.4/usb-phy-generic-get-the-vbus-supply.patch b/queue-5.4/usb-phy-generic-get-the-vbus-supply.patch new file mode 100644 index 00000000000..ab928e505d4 --- /dev/null +++ b/queue-5.4/usb-phy-generic-get-the-vbus-supply.patch @@ -0,0 +1,44 @@ +From 8b953b1a5ea098afcee9bc250fe248f4053ed7ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Apr 2022 13:14:09 -0400 +Subject: usb: phy: generic: Get the vbus supply + +From: Sean Anderson + +[ Upstream commit 03e607cbb2931374db1825f371e9c7f28526d3f4 ] + +While support for working with a vbus was added, the regulator was never +actually gotten (despite what was documented). Fix this by actually +getting the supply from the device tree. + +Fixes: 7acc9973e3c4 ("usb: phy: generic: add vbus support") +Cc: stable +Signed-off-by: Sean Anderson +Link: https://lore.kernel.org/r/20220425171412.1188485-3-sean.anderson@seco.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-generic.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/usb/phy/phy-generic.c b/drivers/usb/phy/phy-generic.c +index a53b89be53248..8a04b157f19f3 100644 +--- a/drivers/usb/phy/phy-generic.c ++++ b/drivers/usb/phy/phy-generic.c +@@ -283,6 +283,13 @@ int usb_phy_gen_create_phy(struct device *dev, struct usb_phy_generic *nop, + return -EPROBE_DEFER; + } + ++ nop->vbus_draw = devm_regulator_get_exclusive(dev, "vbus"); ++ if (PTR_ERR(nop->vbus_draw) == -ENODEV) ++ nop->vbus_draw = NULL; ++ if (IS_ERR(nop->vbus_draw)) ++ return dev_err_probe(dev, PTR_ERR(nop->vbus_draw), ++ "could not get vbus regulator\n"); ++ + nop->dev = dev; + nop->phy.dev = nop->dev; + nop->phy.label = "nop-xceiv"; +-- +2.43.0 +