From: Sasha Levin Date: Sat, 23 Apr 2022 23:59:35 +0000 (-0400) Subject: Fixes for 5.15 X-Git-Tag: v4.9.312~54^2~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d657c8ac4789934da18032e4142673de15d0fc1c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.15 Signed-off-by: Sasha Levin --- diff --git a/queue-5.15/alsa-hda-hdmi-fix-warning-about-pcm-count-when-used-.patch b/queue-5.15/alsa-hda-hdmi-fix-warning-about-pcm-count-when-used-.patch new file mode 100644 index 00000000000..fbac79f7978 --- /dev/null +++ b/queue-5.15/alsa-hda-hdmi-fix-warning-about-pcm-count-when-used-.patch @@ -0,0 +1,68 @@ +From 89780e2f7088f512fe8706f91910a9b2ddfccb2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 18:05:16 +0300 +Subject: ALSA: hda/hdmi: fix warning about PCM count when used with SOF + +From: Kai Vehmanen + +[ Upstream commit c74193787b2f683751a67603fb5f15c7584f355f ] + +With commit 13046370c4d1 ("ALSA: hda/hdmi: let new platforms assign the +pcm slot dynamically"), old behaviour to consider the HDA pin number, +when choosing PCM to assign, was dropped. + +Build on this change and limit the number of PCMs created to number of +converters (= maximum number of concurrent display/receivers) when +"mst_no_extra_pcms" and "dyn_pcm_no_legacy" quirks are both set. + +Fix the check in hdmi_find_pcm_slot() to ensure only spec->pcm_used +entries are considered in the search. Elsewhere in the driver +spec->pcm_used is already checked properly. + +Doing this avoids following warning at SOF driver probe for multiple +machine drivers: + +[ 112.425297] sof_sdw sof_sdw: hda_dsp_hdmi_build_controls: no +PCM in topology for HDMI converter 4 +[ 112.425298] sof_sdw sof_sdw: hda_dsp_hdmi_build_controls: no +PCM in topology for HDMI converter 5 +[ 112.425299] sof_sdw sof_sdw: hda_dsp_hdmi_build_controls: no +PCM in topology for HDMI converter 6 + +Fixes: 13046370c4d1 ("ALSA: hda/hdmi: let new platforms assign the pcm slot dynamically") +BugLink: https://github.com/thesofproject/linux/issues/2573 +Signed-off-by: Kai Vehmanen +Link: https://lore.kernel.org/r/20220414150516.3638283-1-kai.vehmanen@linux.intel.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_hdmi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c +index 472d81679a27..24da843f39a1 100644 +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1387,7 +1387,7 @@ static int hdmi_find_pcm_slot(struct hdmi_spec *spec, + + last_try: + /* the last try; check the empty slots in pins */ +- for (i = 0; i < spec->num_nids; i++) { ++ for (i = 0; i < spec->pcm_used; i++) { + if (!test_bit(i, &spec->pcm_bitmap)) + return i; + } +@@ -2263,7 +2263,9 @@ static int generic_hdmi_build_pcms(struct hda_codec *codec) + * dev_num is the device entry number in a pin + */ + +- if (codec->mst_no_extra_pcms) ++ if (spec->dyn_pcm_no_legacy && codec->mst_no_extra_pcms) ++ pcm_num = spec->num_cvts; ++ else if (codec->mst_no_extra_pcms) + pcm_num = spec->num_nids; + else + pcm_num = spec->num_nids + spec->dev_num - 1; +-- +2.35.1 + diff --git a/queue-5.15/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch b/queue-5.15/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch new file mode 100644 index 00000000000..12aa53e767a --- /dev/null +++ b/queue-5.15/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch @@ -0,0 +1,49 @@ +From ed56434ff3278f80ad28eb48debbef5c4d6ce86d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 17:15:08 +0200 +Subject: ALSA: usb-audio: Fix undefined behavior due to shift overflowing the + constant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Borislav Petkov + +[ Upstream commit 1ef8715975de8bd481abbd0839ed4f49d9e5b0ff ] + +Fix: + + sound/usb/midi.c: In function ‘snd_usbmidi_out_endpoint_create’: + sound/usb/midi.c:1389:2: error: case label does not reduce to an integer constant + case USB_ID(0xfc08, 0x0101): /* Unknown vendor Cable */ + ^~~~ + +See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory +details as to why it triggers with older gccs only. + +[ A slight correction with parentheses around the argument by tiwai ] + +Signed-off-by: Borislav Petkov +Link: https://lore.kernel.org/r/20220405151517.29753-3-bp@alien8.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/usbaudio.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h +index 167834133b9b..b8359a0aa008 100644 +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -8,7 +8,7 @@ + */ + + /* handling of USB vendor/product ID pairs as 32-bit numbers */ +-#define USB_ID(vendor, product) (((vendor) << 16) | (product)) ++#define USB_ID(vendor, product) (((unsigned int)(vendor) << 16) | (product)) + #define USB_ID_VENDOR(id) ((id) >> 16) + #define USB_ID_PRODUCT(id) ((u16)(id)) + +-- +2.35.1 + diff --git a/queue-5.15/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch b/queue-5.15/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch new file mode 100644 index 00000000000..2e62a981f08 --- /dev/null +++ b/queue-5.15/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch @@ -0,0 +1,58 @@ +From 50836f7b432ef32670bd5fe722d5c9f18ee2fc4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Mar 2022 12:04:43 -0700 +Subject: ARM: vexpress/spc: Avoid negative array index when !SMP + +From: Kees Cook + +[ Upstream commit b3f1dd52c991d79118f35e6d1bf4d7cb09882e38 ] + +When building multi_v7_defconfig+CONFIG_SMP=n, -Warray-bounds exposes +a couple negative array index accesses: + +arch/arm/mach-vexpress/spc.c: In function 've_spc_clk_init': +arch/arm/mach-vexpress/spc.c:583:21: warning: array subscript -1 is below array bounds of 'bool[2]' {aka '_Bool[2]'} [-Warray-bounds] + 583 | if (init_opp_table[cluster]) + | ~~~~~~~~~~~~~~^~~~~~~~~ +arch/arm/mach-vexpress/spc.c:556:7: note: while referencing 'init_opp_table' + 556 | bool init_opp_table[MAX_CLUSTERS] = { false }; + | ^~~~~~~~~~~~~~ +arch/arm/mach-vexpress/spc.c:592:18: warning: array subscript -1 is below array bounds of 'bool[2]' {aka '_Bool[2]'} [-Warray-bounds] + 592 | init_opp_table[cluster] = true; + | ~~~~~~~~~~~~~~^~~~~~~~~ +arch/arm/mach-vexpress/spc.c:556:7: note: while referencing 'init_opp_table' + 556 | bool init_opp_table[MAX_CLUSTERS] = { false }; + | ^~~~~~~~~~~~~~ + +Skip this logic when built !SMP. + +Link: https://lore.kernel.org/r/20220331190443.851661-1-keescook@chromium.org +Cc: Liviu Dudau +Cc: Sudeep Holla +Cc: Lorenzo Pieralisi +Cc: Russell King +Cc: linux-arm-kernel@lists.infradead.org +Acked-by: Liviu Dudau +Signed-off-by: Kees Cook +Signed-off-by: Sudeep Holla +Signed-off-by: Sasha Levin +--- + arch/arm/mach-vexpress/spc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-vexpress/spc.c b/arch/arm/mach-vexpress/spc.c +index 1da11bdb1dfb..1c6500c4e6a1 100644 +--- a/arch/arm/mach-vexpress/spc.c ++++ b/arch/arm/mach-vexpress/spc.c +@@ -580,7 +580,7 @@ static int __init ve_spc_clk_init(void) + } + + cluster = topology_physical_package_id(cpu_dev->id); +- if (init_opp_table[cluster]) ++ if (cluster < 0 || init_opp_table[cluster]) + continue; + + if (ve_init_opp_table(cpu_dev)) +-- +2.35.1 + diff --git a/queue-5.15/arm64-dts-imx-fix-imx8-var-som-touchscreen-property-.patch b/queue-5.15/arm64-dts-imx-fix-imx8-var-som-touchscreen-property-.patch new file mode 100644 index 00000000000..f834b6c2b05 --- /dev/null +++ b/queue-5.15/arm64-dts-imx-fix-imx8-var-som-touchscreen-property-.patch @@ -0,0 +1,67 @@ +From 79a927e8042f034c4da82c476e5a8e39058ae933 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 14:14:41 -0500 +Subject: arm64: dts: imx: Fix imx8*-var-som touchscreen property sizes + +From: Rob Herring + +[ Upstream commit 1bc12d301594eafde0a8529d28d459af81053b3a ] + +The common touchscreen properties are all 32-bit, not 16-bit. These +properties must not be too important as they are all ignored in case of an +error reading them. + +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/Yk3moe6Hz8ELM0iS@robh.at.kernel.org' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/freescale/imx8mm-var-som.dtsi | 8 ++++---- + arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi | 8 ++++---- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/arm64/boot/dts/freescale/imx8mm-var-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-var-som.dtsi +index 1dc9d187601c..a0bd540f27d3 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mm-var-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mm-var-som.dtsi +@@ -89,12 +89,12 @@ + pendown-gpio = <&gpio1 3 GPIO_ACTIVE_LOW>; + + ti,x-min = /bits/ 16 <125>; +- touchscreen-size-x = /bits/ 16 <4008>; ++ touchscreen-size-x = <4008>; + ti,y-min = /bits/ 16 <282>; +- touchscreen-size-y = /bits/ 16 <3864>; ++ touchscreen-size-y = <3864>; + ti,x-plate-ohms = /bits/ 16 <180>; +- touchscreen-max-pressure = /bits/ 16 <255>; +- touchscreen-average-samples = /bits/ 16 <10>; ++ touchscreen-max-pressure = <255>; ++ touchscreen-average-samples = <10>; + ti,debounce-tol = /bits/ 16 <3>; + ti,debounce-rep = /bits/ 16 <1>; + ti,settle-delay-usec = /bits/ 16 <150>; +diff --git a/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi +index b16c7caf34c1..87b5e23c766f 100644 +--- a/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi ++++ b/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi +@@ -70,12 +70,12 @@ + pendown-gpio = <&gpio1 3 GPIO_ACTIVE_LOW>; + + ti,x-min = /bits/ 16 <125>; +- touchscreen-size-x = /bits/ 16 <4008>; ++ touchscreen-size-x = <4008>; + ti,y-min = /bits/ 16 <282>; +- touchscreen-size-y = /bits/ 16 <3864>; ++ touchscreen-size-y = <3864>; + ti,x-plate-ohms = /bits/ 16 <180>; +- touchscreen-max-pressure = /bits/ 16 <255>; +- touchscreen-average-samples = /bits/ 16 <10>; ++ touchscreen-max-pressure = <255>; ++ touchscreen-average-samples = <10>; + ti,debounce-tol = /bits/ 16 <3>; + ti,debounce-rep = /bits/ 16 <1>; + ti,settle-delay-usec = /bits/ 16 <150>; +-- +2.35.1 + diff --git a/queue-5.15/arm64-mm-fix-p-d_leaf.patch b/queue-5.15/arm64-mm-fix-p-d_leaf.patch new file mode 100644 index 00000000000..7119e4bfd12 --- /dev/null +++ b/queue-5.15/arm64-mm-fix-p-d_leaf.patch @@ -0,0 +1,49 @@ +From 89f9478be2d3d43826946a19eef1db1976856bd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Apr 2022 14:00:33 +0800 +Subject: arm64: mm: fix p?d_leaf() + +From: Muchun Song + +[ Upstream commit 23bc8f69f0eceecbb87c3801d2e48827d2dca92b ] + +The pmd_leaf() is used to test a leaf mapped PMD, however, it misses +the PROT_NONE mapped PMD on arm64. Fix it. A real world issue [1] +caused by this was reported by Qian Cai. Also fix pud_leaf(). + +Link: https://patchwork.kernel.org/comment/24798260/ [1] +Fixes: 8aa82df3c123 ("arm64: mm: add p?d_leaf() definitions") +Reported-by: Qian Cai +Signed-off-by: Muchun Song +Link: https://lore.kernel.org/r/20220422060033.48711-1-songmuchun@bytedance.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/pgtable.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index 08363d3cc1da..ed57717cd004 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -535,7 +535,7 @@ extern pgprot_t phys_mem_access_prot(struct file *file, unsigned long pfn, + PMD_TYPE_TABLE) + #define pmd_sect(pmd) ((pmd_val(pmd) & PMD_TYPE_MASK) == \ + PMD_TYPE_SECT) +-#define pmd_leaf(pmd) pmd_sect(pmd) ++#define pmd_leaf(pmd) (pmd_present(pmd) && !pmd_table(pmd)) + #define pmd_bad(pmd) (!pmd_table(pmd)) + + #define pmd_leaf_size(pmd) (pmd_cont(pmd) ? CONT_PMD_SIZE : PMD_SIZE) +@@ -625,7 +625,7 @@ static inline unsigned long pmd_page_vaddr(pmd_t pmd) + #define pud_none(pud) (!pud_val(pud)) + #define pud_bad(pud) (!pud_table(pud)) + #define pud_present(pud) pte_present(pud_pte(pud)) +-#define pud_leaf(pud) pud_sect(pud) ++#define pud_leaf(pud) (pud_present(pud) && !pud_table(pud)) + #define pud_valid(pud) pte_valid(pud_pte(pud)) + + static inline void set_pud(pud_t *pudp, pud_t pud) +-- +2.35.1 + diff --git a/queue-5.15/asoc-atmel-remove-system-clock-tree-configuration-fo.patch b/queue-5.15/asoc-atmel-remove-system-clock-tree-configuration-fo.patch new file mode 100644 index 00000000000..e373b2bcaa9 --- /dev/null +++ b/queue-5.15/asoc-atmel-remove-system-clock-tree-configuration-fo.patch @@ -0,0 +1,142 @@ +From d2c7eac4d6702ec7374223ad66793a2083a209f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Mar 2022 15:42:39 +0000 +Subject: ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek + +From: Mark Brown + +[ Upstream commit c775cbf62ed4911e4f0f23880f01815753123690 ] + +The MCLK of the WM8731 on the AT91SAM9G20-EK board is connected to the +PCK0 output of the SoC, intended in the reference software to be supplied +using PLLB and programmed to 12MHz. As originally written for use with a +board file the audio driver was responsible for configuring the entire tree +but in the conversion to the common clock framework the registration of +the named pck0 and pllb clocks was removed so the driver has failed to +instantiate ever since. + +Since the WM8731 driver has had support for managing a MCLK provided via +the common clock framework for some time we can simply drop all the clock +management code from the machine driver other than configuration of the +sysclk rate, the CODEC driver still respects that configuration from the +machine driver. + +Fixes: ff78a189b0ae55f ("ARM: at91: remove old at91-specific clock driver") +Signed-off-by: Mark Brown +Reviewed-by: Codrin Ciubotariu +Link: https://lore.kernel.org/r/20220325154241.1600757-2-broonie@kernel.org +Signed-off-by: Sasha Levin +--- + sound/soc/atmel/sam9g20_wm8731.c | 61 -------------------------------- + 1 file changed, 61 deletions(-) + +diff --git a/sound/soc/atmel/sam9g20_wm8731.c b/sound/soc/atmel/sam9g20_wm8731.c +index 8a55d59a6c2a..d243de5f23dc 100644 +--- a/sound/soc/atmel/sam9g20_wm8731.c ++++ b/sound/soc/atmel/sam9g20_wm8731.c +@@ -46,35 +46,6 @@ + */ + #undef ENABLE_MIC_INPUT + +-static struct clk *mclk; +- +-static int at91sam9g20ek_set_bias_level(struct snd_soc_card *card, +- struct snd_soc_dapm_context *dapm, +- enum snd_soc_bias_level level) +-{ +- static int mclk_on; +- int ret = 0; +- +- switch (level) { +- case SND_SOC_BIAS_ON: +- case SND_SOC_BIAS_PREPARE: +- if (!mclk_on) +- ret = clk_enable(mclk); +- if (ret == 0) +- mclk_on = 1; +- break; +- +- case SND_SOC_BIAS_OFF: +- case SND_SOC_BIAS_STANDBY: +- if (mclk_on) +- clk_disable(mclk); +- mclk_on = 0; +- break; +- } +- +- return ret; +-} +- + static const struct snd_soc_dapm_widget at91sam9g20ek_dapm_widgets[] = { + SND_SOC_DAPM_MIC("Int Mic", NULL), + SND_SOC_DAPM_SPK("Ext Spk", NULL), +@@ -135,7 +106,6 @@ static struct snd_soc_card snd_soc_at91sam9g20ek = { + .owner = THIS_MODULE, + .dai_link = &at91sam9g20ek_dai, + .num_links = 1, +- .set_bias_level = at91sam9g20ek_set_bias_level, + + .dapm_widgets = at91sam9g20ek_dapm_widgets, + .num_dapm_widgets = ARRAY_SIZE(at91sam9g20ek_dapm_widgets), +@@ -148,7 +118,6 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; + struct device_node *codec_np, *cpu_np; +- struct clk *pllb; + struct snd_soc_card *card = &snd_soc_at91sam9g20ek; + int ret; + +@@ -162,31 +131,6 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev) + return -EINVAL; + } + +- /* +- * Codec MCLK is supplied by PCK0 - set it up. +- */ +- mclk = clk_get(NULL, "pck0"); +- if (IS_ERR(mclk)) { +- dev_err(&pdev->dev, "Failed to get MCLK\n"); +- ret = PTR_ERR(mclk); +- goto err; +- } +- +- pllb = clk_get(NULL, "pllb"); +- if (IS_ERR(pllb)) { +- dev_err(&pdev->dev, "Failed to get PLLB\n"); +- ret = PTR_ERR(pllb); +- goto err_mclk; +- } +- ret = clk_set_parent(mclk, pllb); +- clk_put(pllb); +- if (ret != 0) { +- dev_err(&pdev->dev, "Failed to set MCLK parent\n"); +- goto err_mclk; +- } +- +- clk_set_rate(mclk, MCLK_RATE); +- + card->dev = &pdev->dev; + + /* Parse device node info */ +@@ -230,9 +174,6 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev) + + return ret; + +-err_mclk: +- clk_put(mclk); +- mclk = NULL; + err: + atmel_ssc_put_audio(0); + return ret; +@@ -242,8 +183,6 @@ static int at91sam9g20ek_audio_remove(struct platform_device *pdev) + { + struct snd_soc_card *card = platform_get_drvdata(pdev); + +- clk_disable(mclk); +- mclk = NULL; + snd_soc_unregister_card(card); + atmel_ssc_put_audio(0); + +-- +2.35.1 + diff --git a/queue-5.15/asoc-codecs-wcd934x-do-not-switch-off-sido-buck-when.patch b/queue-5.15/asoc-codecs-wcd934x-do-not-switch-off-sido-buck-when.patch new file mode 100644 index 00000000000..9c9dca3bc62 --- /dev/null +++ b/queue-5.15/asoc-codecs-wcd934x-do-not-switch-off-sido-buck-when.patch @@ -0,0 +1,86 @@ +From 371a63b6b6e40832a90f1803e6700347eebfcc6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 10:43:13 +0100 +Subject: ASoC: codecs: wcd934x: do not switch off SIDO Buck when codec is in + use + +From: Srinivas Kandagatla + +[ Upstream commit db6dd1bee63d1d88fbddfe07af800af5948ac28e ] + +SIDO(Single-Inductor Dual-Ouput) Buck powers up both analog and digital +circuits along with internal memory, powering off this is the last thing +that codec should do when going to very low power. + +Current code was powering off this Buck if there are no users of sysclk, +which is not correct. Powering off this buck will result in no register access. +This code path was never tested until recently after adding pm support +in SoundWire controller. Fix this by removing the buck poweroff when the +codec is active and also the code that is not used. + +Without this patch all the read/write transactions will never complete and +results in SLIMBus Errors like: + +qcom,slim-ngd qcom,slim-ngd.1: Tx:MT:0x0, MC:0x60, LA:0xcf failed:-110 +wcd934x-codec wcd934x-codec.1.auto: ASoC: error at soc_component_read_no_lock + on wcd934x-codec.1.auto for register: [0x00000d05] -110 +qcom,slim-ngd-ctrl 171c0000.slim: Error Interrupt received 0x82000000 + +Reported-by: Amit Pundir +Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") +Signed-off-by: Srinivas Kandagatla +Tested-by: Amit Pundir +Link: https://lore.kernel.org/r/20220407094313.2880-1-srinivas.kandagatla@linaro.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd934x.c | 26 +------------------------- + 1 file changed, 1 insertion(+), 25 deletions(-) + +diff --git a/sound/soc/codecs/wcd934x.c b/sound/soc/codecs/wcd934x.c +index 7b99318070cf..144046864d15 100644 +--- a/sound/soc/codecs/wcd934x.c ++++ b/sound/soc/codecs/wcd934x.c +@@ -1274,29 +1274,7 @@ static int wcd934x_set_sido_input_src(struct wcd934x_codec *wcd, int sido_src) + if (sido_src == wcd->sido_input_src) + return 0; + +- if (sido_src == SIDO_SOURCE_INTERNAL) { +- regmap_update_bits(wcd->regmap, WCD934X_ANA_BUCK_CTL, +- WCD934X_ANA_BUCK_HI_ACCU_EN_MASK, 0); +- usleep_range(100, 110); +- regmap_update_bits(wcd->regmap, WCD934X_ANA_BUCK_CTL, +- WCD934X_ANA_BUCK_HI_ACCU_PRE_ENX_MASK, 0x0); +- usleep_range(100, 110); +- regmap_update_bits(wcd->regmap, WCD934X_ANA_RCO, +- WCD934X_ANA_RCO_BG_EN_MASK, 0); +- usleep_range(100, 110); +- regmap_update_bits(wcd->regmap, WCD934X_ANA_BUCK_CTL, +- WCD934X_ANA_BUCK_PRE_EN1_MASK, +- WCD934X_ANA_BUCK_PRE_EN1_ENABLE); +- usleep_range(100, 110); +- regmap_update_bits(wcd->regmap, WCD934X_ANA_BUCK_CTL, +- WCD934X_ANA_BUCK_PRE_EN2_MASK, +- WCD934X_ANA_BUCK_PRE_EN2_ENABLE); +- usleep_range(100, 110); +- regmap_update_bits(wcd->regmap, WCD934X_ANA_BUCK_CTL, +- WCD934X_ANA_BUCK_HI_ACCU_EN_MASK, +- WCD934X_ANA_BUCK_HI_ACCU_ENABLE); +- usleep_range(100, 110); +- } else if (sido_src == SIDO_SOURCE_RCO_BG) { ++ if (sido_src == SIDO_SOURCE_RCO_BG) { + regmap_update_bits(wcd->regmap, WCD934X_ANA_RCO, + WCD934X_ANA_RCO_BG_EN_MASK, + WCD934X_ANA_RCO_BG_ENABLE); +@@ -1382,8 +1360,6 @@ static int wcd934x_disable_ana_bias_and_syclk(struct wcd934x_codec *wcd) + regmap_update_bits(wcd->regmap, WCD934X_CLK_SYS_MCLK_PRG, + WCD934X_EXT_CLK_BUF_EN_MASK | + WCD934X_MCLK_EN_MASK, 0x0); +- wcd934x_set_sido_input_src(wcd, SIDO_SOURCE_INTERNAL); +- + regmap_update_bits(wcd->regmap, WCD934X_ANA_BIAS, + WCD934X_ANA_BIAS_EN_MASK, 0); + regmap_update_bits(wcd->regmap, WCD934X_ANA_BIAS, +-- +2.35.1 + diff --git a/queue-5.15/asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch b/queue-5.15/asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch new file mode 100644 index 00000000000..e4b7632d3c6 --- /dev/null +++ b/queue-5.15/asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch @@ -0,0 +1,47 @@ +From 131ec53c427f7beea35fe9fc1ebfc7fd1a349773 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 3 Apr 2022 11:52:39 +0000 +Subject: ASoC: msm8916-wcd-digital: Check failure for + devm_snd_soc_register_component + +From: Miaoqian Lin + +[ Upstream commit e927b05f3cc20de87f6b7d912a5bbe556931caca ] + +devm_snd_soc_register_component() may fails, we should check the error +and do the corresponding error handling. + +Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220403115239.30140-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/msm8916-wcd-digital.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/msm8916-wcd-digital.c b/sound/soc/codecs/msm8916-wcd-digital.c +index 9ad7fc0baf07..20a07c92b2fc 100644 +--- a/sound/soc/codecs/msm8916-wcd-digital.c ++++ b/sound/soc/codecs/msm8916-wcd-digital.c +@@ -1206,9 +1206,16 @@ static int msm8916_wcd_digital_probe(struct platform_device *pdev) + + dev_set_drvdata(dev, priv); + +- return devm_snd_soc_register_component(dev, &msm8916_wcd_digital, ++ ret = devm_snd_soc_register_component(dev, &msm8916_wcd_digital, + msm8916_wcd_digital_dai, + ARRAY_SIZE(msm8916_wcd_digital_dai)); ++ if (ret) ++ goto err_mclk; ++ ++ return 0; ++ ++err_mclk: ++ clk_disable_unprepare(priv->mclk); + err_clk: + clk_disable_unprepare(priv->ahbclk); + return ret; +-- +2.35.1 + diff --git a/queue-5.15/asoc-rk817-use-devm_clk_get-in-rk817_platform_probe.patch b/queue-5.15/asoc-rk817-use-devm_clk_get-in-rk817_platform_probe.patch new file mode 100644 index 00000000000..1a5aa799d6a --- /dev/null +++ b/queue-5.15/asoc-rk817-use-devm_clk_get-in-rk817_platform_probe.patch @@ -0,0 +1,38 @@ +From 7fcf5d81fafe2ae8b98d863a430a9d7e751de509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Apr 2022 09:07:46 +0000 +Subject: ASoC: rk817: Use devm_clk_get() in rk817_platform_probe + +From: Miaoqian Lin + +[ Upstream commit 8ba08d3a367a70f707b7c5d53ad92b98b960ee88 ] + +We need to call clk_put() to undo clk_get() in the error path. +Use devm_clk_get() to obtain a reference to the clock, It has +the benefit that clk_put() is no longer required. + +Fixes: 0d6a04da9b25 ("ASoC: Add Rockchip rk817 audio CODEC support") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220404090753.17940-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rk817_codec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/rk817_codec.c b/sound/soc/codecs/rk817_codec.c +index 8fffe378618d..cce6f4e7992f 100644 +--- a/sound/soc/codecs/rk817_codec.c ++++ b/sound/soc/codecs/rk817_codec.c +@@ -489,7 +489,7 @@ static int rk817_platform_probe(struct platform_device *pdev) + + rk817_codec_parse_dt_property(&pdev->dev, rk817_codec_data); + +- rk817_codec_data->mclk = clk_get(pdev->dev.parent, "mclk"); ++ rk817_codec_data->mclk = devm_clk_get(pdev->dev.parent, "mclk"); + if (IS_ERR(rk817_codec_data->mclk)) { + dev_dbg(&pdev->dev, "Unable to get mclk\n"); + ret = -ENXIO; +-- +2.35.1 + diff --git a/queue-5.15/asoc-topology-correct-error-handling-in-soc_tplg_dap.patch b/queue-5.15/asoc-topology-correct-error-handling-in-soc_tplg_dap.patch new file mode 100644 index 00000000000..13053264db8 --- /dev/null +++ b/queue-5.15/asoc-topology-correct-error-handling-in-soc_tplg_dap.patch @@ -0,0 +1,48 @@ +From 9deeb26a0927f19c9cf5dabdc8044a580525facc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Mar 2022 14:49:57 +0300 +Subject: ASoC: topology: Correct error handling in + soc_tplg_dapm_widget_create() + +From: Peter Ujfalusi + +[ Upstream commit 9c363532413cda3e2c6dfa10e5cca7cd221877a0 ] + +Academic correction of error handling: +In case the allocation of kc or kcontrol_type fails the correct label to +jump is hdr_err since the template.sname has been also allocated at this +point. + +Fixes: d29d41e28eea6 ("ASoC: topology: Add support for multiple kcontrol types to a widget") +Signed-off-by: Peter Ujfalusi +Reviewed-by: Ranjani Sridharan +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20220331114957.519-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-topology.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c +index 561eddfc8c22..eff8d4f71561 100644 +--- a/sound/soc/soc-topology.c ++++ b/sound/soc/soc-topology.c +@@ -1481,12 +1481,12 @@ static int soc_tplg_dapm_widget_create(struct soc_tplg *tplg, + template.num_kcontrols = le32_to_cpu(w->num_kcontrols); + kc = devm_kcalloc(tplg->dev, le32_to_cpu(w->num_kcontrols), sizeof(*kc), GFP_KERNEL); + if (!kc) +- goto err; ++ goto hdr_err; + + kcontrol_type = devm_kcalloc(tplg->dev, le32_to_cpu(w->num_kcontrols), sizeof(unsigned int), + GFP_KERNEL); + if (!kcontrol_type) +- goto err; ++ goto hdr_err; + + for (i = 0; i < w->num_kcontrols; i++) { + control_hdr = (struct snd_soc_tplg_ctl_hdr *)tplg->pos; +-- +2.35.1 + diff --git a/queue-5.15/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch b/queue-5.15/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch new file mode 100644 index 00000000000..2d03a813dfb --- /dev/null +++ b/queue-5.15/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch @@ -0,0 +1,59 @@ +From eddf1d9d7f7481fa08f820367e4489db8fe60091 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 18:55:37 +0200 +Subject: brcmfmac: sdio: Fix undefined behavior due to shift overflowing the + constant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Borislav Petkov + +[ Upstream commit 6fb3a5868b2117611f41e421e10e6a8c2a13039a ] + +Fix: + + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c: In function ‘brcmf_sdio_drivestrengthinit’: + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3798:2: error: case label does not reduce to an integer constant + case SDIOD_DRVSTR_KEY(BRCM_CC_43143_CHIP_ID, 17): + ^~~~ + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3809:2: error: case label does not reduce to an integer constant + case SDIOD_DRVSTR_KEY(BRCM_CC_43362_CHIP_ID, 13): + ^~~~ + +See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory +details as to why it triggers with older gccs only. + +Signed-off-by: Borislav Petkov +Cc: Arend van Spriel +Cc: Franky Lin +Cc: Hante Meuleman +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: brcm80211-dev-list.pdl@broadcom.com +Cc: netdev@vger.kernel.org +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Ykx0iRlvtBnKqtbG@zn.tnic +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +index 5d156e591b35..f7961b22e051 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -557,7 +557,7 @@ enum brcmf_sdio_frmtype { + BRCMF_SDIO_FT_SUB, + }; + +-#define SDIOD_DRVSTR_KEY(chip, pmu) (((chip) << 16) | (pmu)) ++#define SDIOD_DRVSTR_KEY(chip, pmu) (((unsigned int)(chip) << 16) | (pmu)) + + /* SDIO Pad drive strength to select value mappings */ + struct sdiod_drive_str { +-- +2.35.1 + diff --git a/queue-5.15/can-isotp-stop-timeout-monitoring-when-no-first-fram.patch b/queue-5.15/can-isotp-stop-timeout-monitoring-when-no-first-fram.patch new file mode 100644 index 00000000000..0c3a9f68dfd --- /dev/null +++ b/queue-5.15/can-isotp-stop-timeout-monitoring-when-no-first-fram.patch @@ -0,0 +1,69 @@ +From e14e256d3f6dbc93babbbf2052eca459315c2970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 19:51:12 +0200 +Subject: can: isotp: stop timeout monitoring when no first frame was sent + +From: Oliver Hartkopp + +[ Upstream commit d73497081710c876c3c61444445512989e102152 ] + +The first attempt to fix a the 'impossible' WARN_ON_ONCE(1) in +isotp_tx_timer_handler() focussed on the identical CAN IDs created by +the syzbot reproducer and lead to upstream fix/commit 3ea566422cbd +("can: isotp: sanitize CAN ID checks in isotp_bind()"). But this did +not catch the root cause of the wrong tx.state in the tx_timer handler. + +In the isotp 'first frame' case a timeout monitoring needs to be started +before the 'first frame' is send. But when this sending failed the timeout +monitoring for this specific frame has to be disabled too. + +Otherwise the tx_timer is fired with the 'warn me' tx.state of ISOTP_IDLE. + +Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") +Link: https://lore.kernel.org/all/20220405175112.2682-1-socketcan@hartkopp.net +Reported-by: syzbot+2339c27f5c66c652843e@syzkaller.appspotmail.com +Signed-off-by: Oliver Hartkopp +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + net/can/isotp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/can/isotp.c b/net/can/isotp.c +index 5bce7c66c121..8c753dcefe7f 100644 +--- a/net/can/isotp.c ++++ b/net/can/isotp.c +@@ -866,6 +866,7 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) + struct canfd_frame *cf; + int ae = (so->opt.flags & CAN_ISOTP_EXTEND_ADDR) ? 1 : 0; + int wait_tx_done = (so->opt.flags & CAN_ISOTP_WAIT_TX_DONE) ? 1 : 0; ++ s64 hrtimer_sec = 0; + int off; + int err; + +@@ -964,7 +965,9 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) + isotp_create_fframe(cf, so, ae); + + /* start timeout for FC */ +- hrtimer_start(&so->txtimer, ktime_set(1, 0), HRTIMER_MODE_REL_SOFT); ++ hrtimer_sec = 1; ++ hrtimer_start(&so->txtimer, ktime_set(hrtimer_sec, 0), ++ HRTIMER_MODE_REL_SOFT); + } + + /* send the first or only CAN frame */ +@@ -977,6 +980,11 @@ static int isotp_sendmsg(struct socket *sock, struct msghdr *msg, size_t size) + if (err) { + pr_notice_once("can-isotp: %s: can_send_ret %pe\n", + __func__, ERR_PTR(err)); ++ ++ /* no transmission -> no timeout monitoring */ ++ if (hrtimer_sec) ++ hrtimer_cancel(&so->txtimer); ++ + goto err_out_drop; + } + +-- +2.35.1 + diff --git a/queue-5.15/cifs-check-the-iocb_direct-flag-not-o_direct.patch b/queue-5.15/cifs-check-the-iocb_direct-flag-not-o_direct.patch new file mode 100644 index 00000000000..6a2149dba07 --- /dev/null +++ b/queue-5.15/cifs-check-the-iocb_direct-flag-not-o_direct.patch @@ -0,0 +1,39 @@ +From 3f0bb89bd643d60c0fcb9bad9643e7a20f26f048 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 00:03:14 +0100 +Subject: cifs: Check the IOCB_DIRECT flag, not O_DIRECT + +From: David Howells + +[ Upstream commit 994fd530a512597ffcd713b0f6d5bc916c5698f0 ] + +Use the IOCB_DIRECT indicator flag on the I/O context rather than checking to +see if the file was opened O_DIRECT. + +Signed-off-by: David Howells +cc: Steve French +cc: Shyam Prasad N +cc: Rohith Surabattula +cc: linux-cifs@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifsfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c +index 29a019cf1d5f..8f8d281e3151 100644 +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -936,7 +936,7 @@ cifs_loose_read_iter(struct kiocb *iocb, struct iov_iter *iter) + ssize_t rc; + struct inode *inode = file_inode(iocb->ki_filp); + +- if (iocb->ki_filp->f_flags & O_DIRECT) ++ if (iocb->ki_flags & IOCB_DIRECT) + return cifs_user_readv(iocb, iter); + + rc = cifs_revalidate_mapping(inode); +-- +2.35.1 + diff --git a/queue-5.15/dmaengine-dw-edma-fix-unaligned-64bit-access.patch b/queue-5.15/dmaengine-dw-edma-fix-unaligned-64bit-access.patch new file mode 100644 index 00000000000..b40bb2af7c0 --- /dev/null +++ b/queue-5.15/dmaengine-dw-edma-fix-unaligned-64bit-access.patch @@ -0,0 +1,60 @@ +From 6b0658cc241b64f0c75090e06eec11a71bcb32e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 13:02:52 +0100 +Subject: dmaengine: dw-edma: Fix unaligned 64bit access + +From: Herve Codina + +[ Upstream commit 8fc5133d6d4da65cad6b73152fc714ad3d7f91c1 ] + +On some arch (ie aarch64 iMX8MM) unaligned PCIe accesses are +not allowed and lead to a kernel Oops. + [ 1911.668835] Unable to handle kernel paging request at virtual address ffff80001bc00a8c + [ 1911.668841] Mem abort info: + [ 1911.668844] ESR = 0x96000061 + [ 1911.668847] EC = 0x25: DABT (current EL), IL = 32 bits + [ 1911.668850] SET = 0, FnV = 0 + [ 1911.668852] EA = 0, S1PTW = 0 + [ 1911.668853] Data abort info: + [ 1911.668855] ISV = 0, ISS = 0x00000061 + [ 1911.668857] CM = 0, WnR = 1 + [ 1911.668861] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000040ff4000 + [ 1911.668864] [ffff80001bc00a8c] pgd=00000000bffff003, pud=00000000bfffe003, pmd=0068000018400705 + [ 1911.668872] Internal error: Oops: 96000061 [#1] PREEMPT SMP + ... + +The llp register present in the channel group registers is not +aligned on 64bit. + +Fix unaligned 64bit access using two 32bit accesses + +Fixes: 04e0a39fc10f ("dmaengine: dw-edma: Add writeq() and readq() for 64 bits architectures") +Signed-off-by: Herve Codina +Link: https://lore.kernel.org/r/20220225120252.309404-1-herve.codina@bootlin.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dw-edma/dw-edma-v0-core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/dw-edma/dw-edma-v0-core.c b/drivers/dma/dw-edma/dw-edma-v0-core.c +index 329fc2e57b70..b5b8f8181e77 100644 +--- a/drivers/dma/dw-edma/dw-edma-v0-core.c ++++ b/drivers/dma/dw-edma/dw-edma-v0-core.c +@@ -415,8 +415,11 @@ void dw_edma_v0_core_start(struct dw_edma_chunk *chunk, bool first) + (DW_EDMA_V0_CCS | DW_EDMA_V0_LLE)); + /* Linked list */ + #ifdef CONFIG_64BIT +- SET_CH_64(dw, chan->dir, chan->id, llp.reg, +- chunk->ll_region.paddr); ++ /* llp is not aligned on 64bit -> keep 32bit accesses */ ++ SET_CH_32(dw, chan->dir, chan->id, llp.lsb, ++ lower_32_bits(chunk->ll_region.paddr)); ++ SET_CH_32(dw, chan->dir, chan->id, llp.msb, ++ upper_32_bits(chunk->ll_region.paddr)); + #else /* CONFIG_64BIT */ + SET_CH_32(dw, chan->dir, chan->id, llp.lsb, + lower_32_bits(chunk->ll_region.paddr)); +-- +2.35.1 + diff --git a/queue-5.15/dmaengine-idxd-add-ro-check-for-wq-max_batch_size-wr.patch b/queue-5.15/dmaengine-idxd-add-ro-check-for-wq-max_batch_size-wr.patch new file mode 100644 index 00000000000..39d9513a886 --- /dev/null +++ b/queue-5.15/dmaengine-idxd-add-ro-check-for-wq-max_batch_size-wr.patch @@ -0,0 +1,40 @@ +From 72fb36fb6285595751abdbd21fe2d7451fecfb71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 15:08:55 -0700 +Subject: dmaengine: idxd: add RO check for wq max_batch_size write + +From: Dave Jiang + +[ Upstream commit 66903461ffed0b66fc3e0200082d4e09365aacdc ] + +Block wq_max_batch_size_store() when the device is configured as read-only +and not configurable. + +Fixes: e7184b159dd3 ("dmaengine: idxd: add support for configurable max wq batch size") +Reported-by: Bernice Zhang +Tested-by: Bernice Zhang +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/164971493551.2201159.1942042593642155209.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/sysfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c +index 999ce13a93ad..f7ab5c077a2b 100644 +--- a/drivers/dma/idxd/sysfs.c ++++ b/drivers/dma/idxd/sysfs.c +@@ -876,6 +876,9 @@ static ssize_t wq_max_batch_size_store(struct device *dev, struct device_attribu + u64 batch_size; + int rc; + ++ if (!test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) ++ return -EPERM; ++ + if (wq->state != IDXD_WQ_DISABLED) + return -EPERM; + +-- +2.35.1 + diff --git a/queue-5.15/dmaengine-idxd-add-ro-check-for-wq-max_transfer_size.patch b/queue-5.15/dmaengine-idxd-add-ro-check-for-wq-max_transfer_size.patch new file mode 100644 index 00000000000..d124b3732d4 --- /dev/null +++ b/queue-5.15/dmaengine-idxd-add-ro-check-for-wq-max_transfer_size.patch @@ -0,0 +1,40 @@ +From f545f91b80a19077dd6e9be58c30be2e5d0382b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 15:08:01 -0700 +Subject: dmaengine: idxd: add RO check for wq max_transfer_size write + +From: Dave Jiang + +[ Upstream commit 505a2d1032ae656b0a8c736be110255503941cde ] + +Block wq_max_transfer_size_store() when the device is configured as +read-only and not configurable. + +Fixes: d7aad5550eca ("dmaengine: idxd: add support for configurable max wq xfer size") +Reported-by: Bernice Zhang +Tested-by: Bernice Zhang +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/164971488154.2200913.10706665404118545941.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/sysfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c +index f7ab5c077a2b..33d94c67fedb 100644 +--- a/drivers/dma/idxd/sysfs.c ++++ b/drivers/dma/idxd/sysfs.c +@@ -842,6 +842,9 @@ static ssize_t wq_max_transfer_size_store(struct device *dev, struct device_attr + u64 xfer_size; + int rc; + ++ if (!test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) ++ return -EPERM; ++ + if (wq->state != IDXD_WQ_DISABLED) + return -EPERM; + +-- +2.35.1 + diff --git a/queue-5.15/dmaengine-idxd-fix-device-cleanup-on-disable.patch b/queue-5.15/dmaengine-idxd-fix-device-cleanup-on-disable.patch new file mode 100644 index 00000000000..8b28aa02e8a --- /dev/null +++ b/queue-5.15/dmaengine-idxd-fix-device-cleanup-on-disable.patch @@ -0,0 +1,52 @@ +From 0eb100fb80493cfa9653ca6fe5ae928a748cb7d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 14:53:39 -0700 +Subject: dmaengine: idxd: fix device cleanup on disable + +From: Dave Jiang + +[ Upstream commit 12e45e89556d7a532120f976081e9e7582addd2b ] + +There are certain parts of WQ that needs to be cleaned up even after WQ is +disabled during the device disable. Those are the unchangeable parts for a +WQ when the device is still enabled. Move the cleanup outside of WQ state +check. Remove idxd_wq_disable_cleanup() inside idxd_wq_device_reset_cleanup() +since only the unchangeable parts need to be cleared. + +Fixes: 0f225705cf65 ("dmaengine: idxd: fix wq settings post wq disable") +Reported-by: Tony Zhu +Tested-by: Tony Zhu +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/164919561905.1455025.13542366389944678346.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index 7bd9ac1e93b2..a67bafc596b7 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -406,7 +406,6 @@ static void idxd_wq_device_reset_cleanup(struct idxd_wq *wq) + { + lockdep_assert_held(&wq->wq_lock); + +- idxd_wq_disable_cleanup(wq); + wq->size = 0; + wq->group = NULL; + } +@@ -723,9 +722,9 @@ static void idxd_device_wqs_clear_state(struct idxd_device *idxd) + + if (wq->state == IDXD_WQ_ENABLED) { + idxd_wq_disable_cleanup(wq); +- idxd_wq_device_reset_cleanup(wq); + wq->state = IDXD_WQ_DISABLED; + } ++ idxd_wq_device_reset_cleanup(wq); + } + } + +-- +2.35.1 + diff --git a/queue-5.15/dmaengine-idxd-skip-clearing-device-context-when-dev.patch b/queue-5.15/dmaengine-idxd-skip-clearing-device-context-when-dev.patch new file mode 100644 index 00000000000..30555840138 --- /dev/null +++ b/queue-5.15/dmaengine-idxd-skip-clearing-device-context-when-dev.patch @@ -0,0 +1,42 @@ +From c6ffdf2d8ffdf5cc8fc88bc02f0b91cdb69e519c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 15:06:34 -0700 +Subject: dmaengine: idxd: skip clearing device context when device is + read-only + +From: Dave Jiang + +[ Upstream commit 1cd8e751d96c43ece3f6842ac2244a37d9332c3a ] + +If the device shows up as read-only configuration, skip the clearing of the +state as the context must be preserved for device re-enable after being +disabled. + +Fixes: 0dcfe41e9a4c ("dmanegine: idxd: cleanup all device related bits after disabling device") +Reported-by: Tony Zhu +Tested-by: Tony Zhu +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/164971479479.2200566.13980022473526292759.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index a67bafc596b7..e622245c9380 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -730,6 +730,9 @@ static void idxd_device_wqs_clear_state(struct idxd_device *idxd) + + void idxd_device_clear_state(struct idxd_device *idxd) + { ++ if (!test_bit(IDXD_FLAG_CONFIGURABLE, &idxd->flags)) ++ return; ++ + idxd_groups_clear_state(idxd); + idxd_engines_clear_state(idxd); + idxd_device_wqs_clear_state(idxd); +-- +2.35.1 + diff --git a/queue-5.15/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch b/queue-5.15/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch new file mode 100644 index 00000000000..5c79f3324cf --- /dev/null +++ b/queue-5.15/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch @@ -0,0 +1,46 @@ +From 00f0122cd36baa21fa7222425389a842545ecfe7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 06:49:51 +0000 +Subject: dmaengine: imx-sdma: Fix error checking in sdma_event_remap + +From: Miaoqian Lin + +[ Upstream commit 7104b9cb35a33ad803a1adbbfa50569b008faf15 ] + +of_parse_phandle() returns NULL on errors, rather than error +pointers. Using NULL check on grp_np to fix this. + +Fixes: d078cd1b4185 ("dmaengine: imx-sdma: Add imx6sx platform support") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220308064952.15743-1-linmq006@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/imx-sdma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c +index cacc725ca545..263f0466b1b8 100644 +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -1869,7 +1869,7 @@ static int sdma_event_remap(struct sdma_engine *sdma) + u32 reg, val, shift, num_map, i; + int ret = 0; + +- if (IS_ERR(np) || IS_ERR(gpr_np)) ++ if (IS_ERR(np) || !gpr_np) + goto out; + + event_remap = of_find_property(np, propname, NULL); +@@ -1917,7 +1917,7 @@ static int sdma_event_remap(struct sdma_engine *sdma) + } + + out: +- if (!IS_ERR(gpr_np)) ++ if (gpr_np) + of_node_put(gpr_np); + + return ret; +-- +2.35.1 + diff --git a/queue-5.15/dmaengine-mediatek-fix-pm-usage-reference-leak-of-mt.patch b/queue-5.15/dmaengine-mediatek-fix-pm-usage-reference-leak-of-mt.patch new file mode 100644 index 00000000000..23a02f8ef80 --- /dev/null +++ b/queue-5.15/dmaengine-mediatek-fix-pm-usage-reference-leak-of-mt.patch @@ -0,0 +1,66 @@ +From 1b322b4bbc3dcb944868aad5feac919e71bd4f72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Mar 2022 10:21:42 +0800 +Subject: dmaengine: mediatek:Fix PM usage reference leak of + mtk_uart_apdma_alloc_chan_resources + +From: zhangqilong + +[ Upstream commit 545b2baac89b859180e51215468c05d85ea8465a ] + +pm_runtime_get_sync will increment pm usage counter even it failed. +Forgetting to putting operation will result in reference leak here. +We fix it: +1) Replacing it with pm_runtime_resume_and_get to keep usage counter + balanced. +2) Add putting operation before returning error. + +Fixes:9135408c3ace4 ("dmaengine: mediatek: Add MediaTek UART APDMA support") +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20220319022142.142709-1-zhangqilong3@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mediatek/mtk-uart-apdma.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c +index 375e7e647df6..a1517ef1f4a0 100644 +--- a/drivers/dma/mediatek/mtk-uart-apdma.c ++++ b/drivers/dma/mediatek/mtk-uart-apdma.c +@@ -274,7 +274,7 @@ static int mtk_uart_apdma_alloc_chan_resources(struct dma_chan *chan) + unsigned int status; + int ret; + +- ret = pm_runtime_get_sync(mtkd->ddev.dev); ++ ret = pm_runtime_resume_and_get(mtkd->ddev.dev); + if (ret < 0) { + pm_runtime_put_noidle(chan->device->dev); + return ret; +@@ -288,18 +288,21 @@ static int mtk_uart_apdma_alloc_chan_resources(struct dma_chan *chan) + ret = readx_poll_timeout(readl, c->base + VFF_EN, + status, !status, 10, 100); + if (ret) +- return ret; ++ goto err_pm; + + ret = request_irq(c->irq, mtk_uart_apdma_irq_handler, + IRQF_TRIGGER_NONE, KBUILD_MODNAME, chan); + if (ret < 0) { + dev_err(chan->device->dev, "Can't request dma IRQ\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_pm; + } + + if (mtkd->support_33bits) + mtk_uart_apdma_write(c, VFF_4G_SUPPORT, VFF_4G_SUPPORT_CLR_B); + ++err_pm: ++ pm_runtime_put_noidle(mtkd->ddev.dev); + return ret; + } + +-- +2.35.1 + diff --git a/queue-5.15/dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch b/queue-5.15/dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch new file mode 100644 index 00000000000..a81fe605993 --- /dev/null +++ b/queue-5.15/dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch @@ -0,0 +1,46 @@ +From 7135b04fe7f5d37fec4efd2912722801d7e0fd8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 09:49:41 +0000 +Subject: dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info() + +From: Lv Ruyi + +[ Upstream commit 1a7eb80d170c28be2928433702256fe2a0bd1e0f ] + +Both of of_get_parent() and of_parse_phandle() return node pointer with +refcount incremented, use of_node_put() on it to decrease refcount +when done. + +Reported-by: Zeal Robot +Signed-off-by: Lv Ruyi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c +index 763d2c7b5fb1..5750f9a56393 100644 +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c +@@ -489,11 +489,15 @@ static int dpaa_get_ts_info(struct net_device *net_dev, + info->phc_index = -1; + + fman_node = of_get_parent(mac_node); +- if (fman_node) ++ if (fman_node) { + ptp_node = of_parse_phandle(fman_node, "ptimer-handle", 0); ++ of_node_put(fman_node); ++ } + +- if (ptp_node) ++ if (ptp_node) { + ptp_dev = of_find_device_by_node(ptp_node); ++ of_node_put(ptp_node); ++ } + + if (ptp_dev) + ptp = platform_get_drvdata(ptp_dev); +-- +2.35.1 + diff --git a/queue-5.15/drm-i915-display-psr-unset-enable_psr2_sel_fetch-if-.patch b/queue-5.15/drm-i915-display-psr-unset-enable_psr2_sel_fetch-if-.patch new file mode 100644 index 00000000000..1d5ecff812e --- /dev/null +++ b/queue-5.15/drm-i915-display-psr-unset-enable_psr2_sel_fetch-if-.patch @@ -0,0 +1,107 @@ +From f1b95b90a5ea0f507e8ae5f363a796d8b9e462ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 08:11:17 -0700 +Subject: drm/i915/display/psr: Unset enable_psr2_sel_fetch if other checks in + intel_psr2_config_valid() fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Roberto de Souza + +[ Upstream commit bb02330408a7bde33b5f46aa14fd5d7bfe6093b7 ] + +If any of the PSR2 checks after intel_psr2_sel_fetch_config_valid() +fails, enable_psr2_sel_fetch will be kept enabled causing problems +in the functions that only checks for it and not for has_psr2. + +So here moving the check that do not depend on enable_psr2_sel_fetch +and for the remaning ones jumping to a section that unset +enable_psr2_sel_fetch in case of failure to support PSR2. + +Fixes: 6e43e276b8c9 ("drm/i915: Initial implementation of PSR2 selective fetch") +Cc: Jouni Högander +Reviewed-by: Jouni Högander +Signed-off-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20220414151118.21980-1-jose.souza@intel.com +(cherry picked from commit 554ae8dce1268789e72767a67f0635cb743b3cea) +Signed-off-by: Joonas Lahtinen +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_psr.c | 38 +++++++++++++----------- + 1 file changed, 21 insertions(+), 17 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index 1b0daf649e82..a3d0c57ec0f0 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -936,6 +936,20 @@ static bool intel_psr2_config_valid(struct intel_dp *intel_dp, + return false; + } + ++ /* Wa_16011303918:adl-p */ ++ if (crtc_state->vrr.enable && ++ IS_ADLP_DISPLAY_STEP(dev_priv, STEP_A0, STEP_B0)) { ++ drm_dbg_kms(&dev_priv->drm, ++ "PSR2 not enabled, not compatible with HW stepping + VRR\n"); ++ return false; ++ } ++ ++ if (!_compute_psr2_sdp_prior_scanline_indication(intel_dp, crtc_state)) { ++ drm_dbg_kms(&dev_priv->drm, ++ "PSR2 not enabled, PSR2 SDP indication do not fit in hblank\n"); ++ return false; ++ } ++ + if (HAS_PSR2_SEL_FETCH(dev_priv)) { + if (!intel_psr2_sel_fetch_config_valid(intel_dp, crtc_state) && + !HAS_PSR_HW_TRACKING(dev_priv)) { +@@ -949,12 +963,12 @@ static bool intel_psr2_config_valid(struct intel_dp *intel_dp, + if (!crtc_state->enable_psr2_sel_fetch && + IS_TGL_DISPLAY_STEP(dev_priv, STEP_A0, STEP_C0)) { + drm_dbg_kms(&dev_priv->drm, "PSR2 HW tracking is not supported this Display stepping\n"); +- return false; ++ goto unsupported; + } + + if (!psr2_granularity_check(intel_dp, crtc_state)) { + drm_dbg_kms(&dev_priv->drm, "PSR2 not enabled, SU granularity not compatible\n"); +- return false; ++ goto unsupported; + } + + if (!crtc_state->enable_psr2_sel_fetch && +@@ -963,25 +977,15 @@ static bool intel_psr2_config_valid(struct intel_dp *intel_dp, + "PSR2 not enabled, resolution %dx%d > max supported %dx%d\n", + crtc_hdisplay, crtc_vdisplay, + psr_max_h, psr_max_v); +- return false; +- } +- +- if (!_compute_psr2_sdp_prior_scanline_indication(intel_dp, crtc_state)) { +- drm_dbg_kms(&dev_priv->drm, +- "PSR2 not enabled, PSR2 SDP indication do not fit in hblank\n"); +- return false; +- } +- +- /* Wa_16011303918:adl-p */ +- if (crtc_state->vrr.enable && +- IS_ADLP_DISPLAY_STEP(dev_priv, STEP_A0, STEP_B0)) { +- drm_dbg_kms(&dev_priv->drm, +- "PSR2 not enabled, not compatible with HW stepping + VRR\n"); +- return false; ++ goto unsupported; + } + + tgl_dc3co_exitline_compute_config(intel_dp, crtc_state); + return true; ++ ++unsupported: ++ crtc_state->enable_psr2_sel_fetch = false; ++ return false; + } + + void intel_psr_compute_config(struct intel_dp *intel_dp, +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-disp-check-the-return-value-of-kzalloc.patch b/queue-5.15/drm-msm-disp-check-the-return-value-of-kzalloc.patch new file mode 100644 index 00000000000..dfca02df4f1 --- /dev/null +++ b/queue-5.15/drm-msm-disp-check-the-return-value-of-kzalloc.patch @@ -0,0 +1,38 @@ +From eb53b96903f50406726c71a3a6ad54401df61c5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Mar 2022 17:15:08 +0800 +Subject: drm/msm/disp: check the return value of kzalloc() + +From: Xiaoke Wang + +[ Upstream commit f75e582b0c3ee8f0bddc2248cc8b9175f29c5937 ] + +kzalloc() is a memory allocation function which can return NULL when +some internal memory errors happen. So it is better to check it to +prevent potential wrong memory access. + +Signed-off-by: Xiaoke Wang +Reviewed-by: Abhinav Kumar +Link: https://lore.kernel.org/r/tencent_B3E19486FF39415098B572B7397C2936C309@qq.com +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +index cabe15190ec1..369e57f73a47 100644 +--- a/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c ++++ b/drivers/gpu/drm/msm/disp/msm_disp_snapshot_util.c +@@ -169,6 +169,8 @@ void msm_disp_snapshot_add_block(struct msm_disp_state *disp_state, u32 len, + va_list va; + + new_blk = kzalloc(sizeof(struct msm_disp_state_block), GFP_KERNEL); ++ if (!new_blk) ++ return; + + va_start(va, fmt); + +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-mdp5-check-the-return-of-kzalloc.patch b/queue-5.15/drm-msm-mdp5-check-the-return-of-kzalloc.patch new file mode 100644 index 00000000000..baa33d004d4 --- /dev/null +++ b/queue-5.15/drm-msm-mdp5-check-the-return-of-kzalloc.patch @@ -0,0 +1,45 @@ +From a832c02d7a08323c4c6a4720f1466cc69dc62ca7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 10:31:51 +0800 +Subject: drm/msm/mdp5: check the return of kzalloc() + +From: Xiaoke Wang + +[ Upstream commit 047ae665577776b7feb11bd4f81f46627cff95e7 ] + +kzalloc() is a memory allocation function which can return NULL when +some internal memory errors happen. So it is better to check it to +prevent potential wrong memory access. + +Besides, since mdp5_plane_reset() is void type, so we should better +set `plane-state` to NULL after releasing it. + +Signed-off-by: Xiaoke Wang +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/481055/ +Link: https://lore.kernel.org/r/tencent_8E2A1C78140EE1784AB2FF4B2088CC0AB908@qq.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c +index c6b69afcbac8..50e854207c70 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c +@@ -90,7 +90,10 @@ static void mdp5_plane_reset(struct drm_plane *plane) + __drm_atomic_helper_plane_destroy_state(plane->state); + + kfree(to_mdp5_plane_state(plane->state)); ++ plane->state = NULL; + mdp5_state = kzalloc(sizeof(*mdp5_state), GFP_KERNEL); ++ if (!mdp5_state) ++ return; + + if (plane->type == DRM_PLANE_TYPE_PRIMARY) + mdp5_state->base.zpos = STAGE_BASE; +-- +2.35.1 + diff --git a/queue-5.15/esp-limit-skb_page_frag_refill-use-to-a-single-page.patch b/queue-5.15/esp-limit-skb_page_frag_refill-use-to-a-single-page.patch new file mode 100644 index 00000000000..054a72c3ae1 --- /dev/null +++ b/queue-5.15/esp-limit-skb_page_frag_refill-use-to-a-single-page.patch @@ -0,0 +1,94 @@ +From 737829ee4b73b0e5203673db64fee703986ae5bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 10:10:50 +0200 +Subject: esp: limit skb_page_frag_refill use to a single page + +From: Sabrina Dubroca + +[ Upstream commit 5bd8baab087dff657e05387aee802e70304cc813 ] + +Commit ebe48d368e97 ("esp: Fix possible buffer overflow in ESP +transformation") tried to fix skb_page_frag_refill usage in ESP by +capping allocsize to 32k, but that doesn't completely solve the issue, +as skb_page_frag_refill may return a single page. If that happens, we +will write out of bounds, despite the check introduced in the previous +patch. + +This patch forces COW in cases where we would end up calling +skb_page_frag_refill with a size larger than a page (first in +esp_output_head with tailen, then in esp_output_tail with +skb->data_len). + +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/esp.h | 2 -- + net/ipv4/esp4.c | 5 ++--- + net/ipv6/esp6.c | 5 ++--- + 3 files changed, 4 insertions(+), 8 deletions(-) + +diff --git a/include/net/esp.h b/include/net/esp.h +index 90cd02ff77ef..9c5637d41d95 100644 +--- a/include/net/esp.h ++++ b/include/net/esp.h +@@ -4,8 +4,6 @@ + + #include + +-#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER) +- + struct ip_esp_hdr; + + static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb) +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index 70e6c87fbe3d..d747166bb291 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -446,7 +446,6 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * + struct page *page; + struct sk_buff *trailer; + int tailen = esp->tailen; +- unsigned int allocsz; + + /* this is non-NULL only with TCP/UDP Encapsulation */ + if (x->encap) { +@@ -456,8 +455,8 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * + return err; + } + +- allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); +- if (allocsz > ESP_SKB_FRAG_MAXSIZE) ++ if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE || ++ ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE) + goto cow; + + if (!skb_cloned(skb)) { +diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c +index 5023f59a5b96..6219d97cac7a 100644 +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -483,7 +483,6 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info + struct page *page; + struct sk_buff *trailer; + int tailen = esp->tailen; +- unsigned int allocsz; + + if (x->encap) { + int err = esp6_output_encap(x, skb, esp); +@@ -492,8 +491,8 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info + return err; + } + +- allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); +- if (allocsz > ESP_SKB_FRAG_MAXSIZE) ++ if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE || ++ ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE) + goto cow; + + if (!skb_cloned(skb)) { +-- +2.35.1 + diff --git a/queue-5.15/igc-fix-bug-scheduling-while-atomic.patch b/queue-5.15/igc-fix-bug-scheduling-while-atomic.patch new file mode 100644 index 00000000000..5a9119a98bf --- /dev/null +++ b/queue-5.15/igc-fix-bug-scheduling-while-atomic.patch @@ -0,0 +1,118 @@ +From 3d86995c29dc4f455fdb26642adde2d602146437 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 08:19:19 +0200 +Subject: igc: Fix BUG: scheduling while atomic + +From: Sasha Neftin + +[ Upstream commit c80a29f0fe9b6f5457e0788e27d1110577eba99b ] + +Replace usleep_range() method with udelay() method to allow atomic contexts +in low-level MDIO access functions. + +The following issue can be seen by doing the following: +$ modprobe -r bonding +$ modprobe -v bonding max_bonds=1 mode=1 miimon=100 use_carrier=0 +$ ip link set bond0 up +$ ifenslave bond0 eth0 eth1 + +[ 982.357308] BUG: scheduling while atomic: kworker/u64:0/9/0x00000002 +[ 982.364431] INFO: lockdep is turned off. +[ 982.368824] Modules linked in: bonding sctp ip6_udp_tunnel udp_tunnel mlx4_ib ib_uverbs ib_core mlx4_en mlx4_core nfp tls sunrpc intel_rapl_msr iTCO_wdt iTCO_vendor_support mxm_wmi dcdbas intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate intel_uncore pcspkr lpc_ich mei_me ipmi_ssif mei ipmi_si ipmi_devintf ipmi_msghandler wmi acpi_power_meter xfs libcrc32c sr_mod cdrom sd_mod t10_pi sg mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm ahci libahci crc32c_intel libata i2c_algo_bit tg3 megaraid_sas igc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: bonding] +[ 982.437941] CPU: 25 PID: 9 Comm: kworker/u64:0 Kdump: loaded Tainted: G W --------- - - 4.18.0-348.el8.x86_64+debug #1 +[ 982.451333] Hardware name: Dell Inc. PowerEdge R730/0H21J3, BIOS 2.7.0 12/005/2017 +[ 982.459791] Workqueue: bond0 bond_mii_monitor [bonding] +[ 982.465622] Call Trace: +[ 982.468355] dump_stack+0x8e/0xd0 +[ 982.472056] __schedule_bug.cold.60+0x3a/0x60 +[ 982.476919] __schedule+0x147b/0x1bc0 +[ 982.481007] ? firmware_map_remove+0x16b/0x16b +[ 982.485967] ? hrtimer_fixup_init+0x40/0x40 +[ 982.490625] schedule+0xd9/0x250 +[ 982.494227] schedule_hrtimeout_range_clock+0x10d/0x2c0 +[ 982.500058] ? hrtimer_nanosleep_restart+0x130/0x130 +[ 982.505598] ? hrtimer_init_sleeper_on_stack+0x90/0x90 +[ 982.511332] ? usleep_range+0x88/0x130 +[ 982.515514] ? recalibrate_cpu_khz+0x10/0x10 +[ 982.520279] ? ktime_get+0xab/0x1c0 +[ 982.524175] ? usleep_range+0x88/0x130 +[ 982.528355] usleep_range+0xdd/0x130 +[ 982.532344] ? console_conditional_schedule+0x30/0x30 +[ 982.537987] ? igc_put_hw_semaphore+0x17/0x60 [igc] +[ 982.543432] igc_read_phy_reg_gpy+0x111/0x2b0 [igc] +[ 982.548887] igc_phy_has_link+0xfa/0x260 [igc] +[ 982.553847] ? igc_get_phy_id+0x210/0x210 [igc] +[ 982.558894] ? lock_acquire+0x34d/0x890 +[ 982.563187] ? lock_downgrade+0x710/0x710 +[ 982.567659] ? rcu_read_unlock+0x50/0x50 +[ 982.572039] igc_check_for_copper_link+0x106/0x210 [igc] +[ 982.577970] ? igc_config_fc_after_link_up+0x840/0x840 [igc] +[ 982.584286] ? rcu_read_unlock+0x50/0x50 +[ 982.588661] ? lock_release+0x591/0xb80 +[ 982.592939] ? lock_release+0x591/0xb80 +[ 982.597220] igc_has_link+0x113/0x330 [igc] +[ 982.601887] ? lock_downgrade+0x710/0x710 +[ 982.606362] igc_ethtool_get_link+0x6d/0x90 [igc] +[ 982.611614] bond_check_dev_link+0x131/0x2c0 [bonding] +[ 982.617350] ? bond_time_in_interval+0xd0/0xd0 [bonding] +[ 982.623277] ? rcu_read_lock_held+0x62/0xc0 +[ 982.627944] ? rcu_read_lock_sched_held+0xe0/0xe0 +[ 982.633198] bond_mii_monitor+0x314/0x2500 [bonding] +[ 982.638738] ? lock_contended+0x880/0x880 +[ 982.643214] ? bond_miimon_link_change+0xa0/0xa0 [bonding] +[ 982.649336] ? lock_acquire+0x34d/0x890 +[ 982.653615] ? lock_downgrade+0x710/0x710 +[ 982.658089] ? debug_object_deactivate+0x221/0x340 +[ 982.663436] ? rcu_read_unlock+0x50/0x50 +[ 982.667811] ? debug_print_object+0x2b0/0x2b0 +[ 982.672672] ? __switch_to_asm+0x41/0x70 +[ 982.677049] ? __switch_to_asm+0x35/0x70 +[ 982.681426] ? _raw_spin_unlock_irq+0x24/0x40 +[ 982.686288] ? trace_hardirqs_on+0x20/0x195 +[ 982.690956] ? _raw_spin_unlock_irq+0x24/0x40 +[ 982.695818] process_one_work+0x8f0/0x1770 +[ 982.700390] ? pwq_dec_nr_in_flight+0x320/0x320 +[ 982.705443] ? debug_show_held_locks+0x50/0x50 +[ 982.710403] worker_thread+0x87/0xb40 +[ 982.714489] ? process_one_work+0x1770/0x1770 +[ 982.719349] kthread+0x344/0x410 +[ 982.722950] ? kthread_insert_work_sanity_check+0xd0/0xd0 +[ 982.728975] ret_from_fork+0x3a/0x50 + +Fixes: 5586838fe9ce ("igc: Add code for PHY support") +Reported-by: Corinna Vinschen +Suggested-by: Dima Ruinskiy +Signed-off-by: Sasha Neftin +Tested-by: Corinna Vinschen +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_phy.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_phy.c b/drivers/net/ethernet/intel/igc/igc_phy.c +index 40dbf4b43234..6961f65d36b9 100644 +--- a/drivers/net/ethernet/intel/igc/igc_phy.c ++++ b/drivers/net/ethernet/intel/igc/igc_phy.c +@@ -581,7 +581,7 @@ static s32 igc_read_phy_reg_mdic(struct igc_hw *hw, u32 offset, u16 *data) + * the lower time out + */ + for (i = 0; i < IGC_GEN_POLL_TIMEOUT; i++) { +- usleep_range(500, 1000); ++ udelay(50); + mdic = rd32(IGC_MDIC); + if (mdic & IGC_MDIC_READY) + break; +@@ -638,7 +638,7 @@ static s32 igc_write_phy_reg_mdic(struct igc_hw *hw, u32 offset, u16 data) + * the lower time out + */ + for (i = 0; i < IGC_GEN_POLL_TIMEOUT; i++) { +- usleep_range(500, 1000); ++ udelay(50); + mdic = rd32(IGC_MDIC); + if (mdic & IGC_MDIC_READY) + break; +-- +2.35.1 + diff --git a/queue-5.15/igc-fix-infinite-loop-in-release_swfw_sync.patch b/queue-5.15/igc-fix-infinite-loop-in-release_swfw_sync.patch new file mode 100644 index 00000000000..4cb7c07a2f3 --- /dev/null +++ b/queue-5.15/igc-fix-infinite-loop-in-release_swfw_sync.patch @@ -0,0 +1,49 @@ +From 29cff2a3d20fb24ed79a2be4481e2cbc514bb99f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 15:32:10 +0200 +Subject: igc: Fix infinite loop in release_swfw_sync + +From: Sasha Neftin + +[ Upstream commit 907862e9aef75bf89e2b265efcc58870be06081e ] + +An infinite loop may occur if we fail to acquire the HW semaphore, +which is needed for resource release. +This will typically happen if the hardware is surprise-removed. +At this stage there is nothing to do, except log an error and quit. + +Fixes: c0071c7aa5fe ("igc: Add HW initialization code") +Suggested-by: Dima Ruinskiy +Signed-off-by: Sasha Neftin +Tested-by: Naama Meir +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_i225.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_i225.c b/drivers/net/ethernet/intel/igc/igc_i225.c +index b6807e16eea9..a0e2a404d535 100644 +--- a/drivers/net/ethernet/intel/igc/igc_i225.c ++++ b/drivers/net/ethernet/intel/igc/igc_i225.c +@@ -156,8 +156,15 @@ void igc_release_swfw_sync_i225(struct igc_hw *hw, u16 mask) + { + u32 swfw_sync; + +- while (igc_get_hw_semaphore_i225(hw)) +- ; /* Empty */ ++ /* Releasing the resource requires first getting the HW semaphore. ++ * If we fail to get the semaphore, there is nothing we can do, ++ * except log an error and quit. We are not allowed to hang here ++ * indefinitely, as it may cause denial of service or system crash. ++ */ ++ if (igc_get_hw_semaphore_i225(hw)) { ++ hw_dbg("Failed to release SW_FW_SYNC.\n"); ++ return; ++ } + + swfw_sync = rd32(IGC_SW_FW_SYNC); + swfw_sync &= ~mask; +-- +2.35.1 + diff --git a/queue-5.15/igc-fix-suspending-when-ptm-is-active.patch b/queue-5.15/igc-fix-suspending-when-ptm-is-active.patch new file mode 100644 index 00000000000..f4e085e48ae --- /dev/null +++ b/queue-5.15/igc-fix-suspending-when-ptm-is-active.patch @@ -0,0 +1,65 @@ +From c715aaa2a405b17b219be3217cd48adf844232c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 18:58:15 -0700 +Subject: igc: Fix suspending when PTM is active + +From: Vinicius Costa Gomes + +[ Upstream commit 822f52e7efdc88fccffb9fbf6250a4b7666a0b0f ] + +Some mainboard/CPU combinations, in particular, Alder Lake-S with a +W680 mainboard, have shown problems (system hangs usually, no kernel +logs) with suspend/resume when PCIe PTM is enabled and active. In some +cases, it could be reproduced when removing the igc module. + +The best we can do is to stop PTM dialogs from the downstream/device +side before the interface is brought down. PCIe PTM will be re-enabled +when the interface is being brought up. + +Fixes: a90ec8483732 ("igc: Add support for PTP getcrosststamp()") +Signed-off-by: Vinicius Costa Gomes +Tested-by: Naama Meir +Acked-by: Paul Menzel +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ptp.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index 4f9245aa79a1..8e521f99b80a 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -996,6 +996,17 @@ static void igc_ptp_time_restore(struct igc_adapter *adapter) + igc_ptp_write_i225(adapter, &ts); + } + ++static void igc_ptm_stop(struct igc_adapter *adapter) ++{ ++ struct igc_hw *hw = &adapter->hw; ++ u32 ctrl; ++ ++ ctrl = rd32(IGC_PTM_CTRL); ++ ctrl &= ~IGC_PTM_CTRL_EN; ++ ++ wr32(IGC_PTM_CTRL, ctrl); ++} ++ + /** + * igc_ptp_suspend - Disable PTP work items and prepare for suspend + * @adapter: Board private structure +@@ -1013,8 +1024,10 @@ void igc_ptp_suspend(struct igc_adapter *adapter) + adapter->ptp_tx_skb = NULL; + clear_bit_unlock(__IGC_PTP_TX_IN_PROGRESS, &adapter->state); + +- if (pci_device_is_present(adapter->pdev)) ++ if (pci_device_is_present(adapter->pdev)) { + igc_ptp_time_save(adapter); ++ igc_ptm_stop(adapter); ++ } + } + + /** +-- +2.35.1 + diff --git a/queue-5.15/ip6_gre-avoid-updating-tunnel-tun_hlen-in-__gre6_xmi.patch b/queue-5.15/ip6_gre-avoid-updating-tunnel-tun_hlen-in-__gre6_xmi.patch new file mode 100644 index 00000000000..04985a255d5 --- /dev/null +++ b/queue-5.15/ip6_gre-avoid-updating-tunnel-tun_hlen-in-__gre6_xmi.patch @@ -0,0 +1,48 @@ +From 6ac5e57c32ec563f33a86e37a8ff184a446fe9c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 13:34:26 -0700 +Subject: ip6_gre: Avoid updating tunnel->tun_hlen in __gre6_xmit() + +From: Peilin Ye + +[ Upstream commit f40c064e933d7787ca7411b699504d7a2664c1f5 ] + +Do not update tunnel->tun_hlen in data plane code. Use a local variable +instead, just like "tunnel_hlen" in net/ipv4/ip_gre.c:gre_fb_xmit(). + +Co-developed-by: Cong Wang +Signed-off-by: Cong Wang +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 466a5610e3ca..288720838329 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -743,6 +743,7 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + struct ip_tunnel_info *tun_info; + const struct ip_tunnel_key *key; + __be16 flags; ++ int tun_hlen; + + tun_info = skb_tunnel_info_txcheck(skb); + if (IS_ERR(tun_info) || +@@ -760,9 +761,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + dsfield = key->tos; + flags = key->tun_flags & + (TUNNEL_CSUM | TUNNEL_KEY | TUNNEL_SEQ); +- tunnel->tun_hlen = gre_calc_hlen(flags); ++ tun_hlen = gre_calc_hlen(flags); + +- gre_build_header(skb, tunnel->tun_hlen, ++ gre_build_header(skb, tun_hlen, + flags, protocol, + tunnel_id_to_key32(tun_info->key.tun_id), + (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) +-- +2.35.1 + diff --git a/queue-5.15/ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch b/queue-5.15/ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch new file mode 100644 index 00000000000..8a94f17b9a6 --- /dev/null +++ b/queue-5.15/ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch @@ -0,0 +1,128 @@ +From 8381b10f8f53f44a1d423e11335b123547e61a1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 13:35:40 -0700 +Subject: ip6_gre: Fix skb_under_panic in __gre6_xmit() + +From: Peilin Ye + +[ Upstream commit ab198e1d0dd8dc4bc7575fb50758e2cbd51e14e1 ] + +Feng reported an skb_under_panic BUG triggered by running +test_ip6gretap() in tools/testing/selftests/bpf/test_tunnel.sh: + +[ 82.492551] skbuff: skb_under_panic: text:ffffffffb268bb8e len:403 put:12 head:ffff9997c5480000 data:ffff9997c547fff8 tail:0x18b end:0x2c0 dev:ip6gretap11 +<...> +[ 82.607380] Call Trace: +[ 82.609389] +[ 82.611136] skb_push.cold.109+0x10/0x10 +[ 82.614289] __gre6_xmit+0x41e/0x590 +[ 82.617169] ip6gre_tunnel_xmit+0x344/0x3f0 +[ 82.620526] dev_hard_start_xmit+0xf1/0x330 +[ 82.623882] sch_direct_xmit+0xe4/0x250 +[ 82.626961] __dev_queue_xmit+0x720/0xfe0 +<...> +[ 82.633431] packet_sendmsg+0x96a/0x1cb0 +[ 82.636568] sock_sendmsg+0x30/0x40 +<...> + +The following sequence of events caused the BUG: + +1. During ip6gretap device initialization, tunnel->tun_hlen (e.g. 4) is + calculated based on old flags (see ip6gre_calc_hlen()); +2. packet_snd() reserves header room for skb A, assuming + tunnel->tun_hlen is 4; +3. Later (in clsact Qdisc), the eBPF program sets a new tunnel key for + skb A using bpf_skb_set_tunnel_key() (see _ip6gretap_set_tunnel()); +4. __gre6_xmit() detects the new tunnel key, and recalculates + "tun_hlen" (e.g. 12) based on new flags (e.g. TUNNEL_KEY and + TUNNEL_SEQ); +5. gre_build_header() calls skb_push() with insufficient reserved header + room, triggering the BUG. + +As sugguested by Cong, fix it by moving the call to skb_cow_head() after +the recalculation of tun_hlen. + +Reproducer: + + OBJ=$LINUX/tools/testing/selftests/bpf/test_tunnel_kern.o + + ip netns add at_ns0 + ip link add veth0 type veth peer name veth1 + ip link set veth0 netns at_ns0 + ip netns exec at_ns0 ip addr add 172.16.1.100/24 dev veth0 + ip netns exec at_ns0 ip link set dev veth0 up + ip link set dev veth1 up mtu 1500 + ip addr add dev veth1 172.16.1.200/24 + + ip netns exec at_ns0 ip addr add ::11/96 dev veth0 + ip netns exec at_ns0 ip link set dev veth0 up + ip addr add dev veth1 ::22/96 + ip link set dev veth1 up + + ip netns exec at_ns0 \ + ip link add dev ip6gretap00 type ip6gretap seq flowlabel 0xbcdef key 2 \ + local ::11 remote ::22 + + ip netns exec at_ns0 ip addr add dev ip6gretap00 10.1.1.100/24 + ip netns exec at_ns0 ip addr add dev ip6gretap00 fc80::100/96 + ip netns exec at_ns0 ip link set dev ip6gretap00 up + + ip link add dev ip6gretap11 type ip6gretap external + ip addr add dev ip6gretap11 10.1.1.200/24 + ip addr add dev ip6gretap11 fc80::200/24 + ip link set dev ip6gretap11 up + + tc qdisc add dev ip6gretap11 clsact + tc filter add dev ip6gretap11 egress bpf da obj $OBJ sec ip6gretap_set_tunnel + tc filter add dev ip6gretap11 ingress bpf da obj $OBJ sec ip6gretap_get_tunnel + + ping6 -c 3 -w 10 -q ::11 + +Fixes: 6712abc168eb ("ip6_gre: add ip6 gre and gretap collect_md mode") +Reported-by: Feng Zhou +Co-developed-by: Cong Wang +Signed-off-by: Cong Wang +Signed-off-by: Peilin Ye +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_gre.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index 288720838329..869c3337e319 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -733,9 +733,6 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + else + fl6->daddr = tunnel->parms.raddr; + +- if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen)) +- return -ENOMEM; +- + /* Push GRE header. */ + protocol = (dev->type == ARPHRD_ETHER) ? htons(ETH_P_TEB) : proto; + +@@ -763,6 +760,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + (TUNNEL_CSUM | TUNNEL_KEY | TUNNEL_SEQ); + tun_hlen = gre_calc_hlen(flags); + ++ if (skb_cow_head(skb, dev->needed_headroom ?: tun_hlen + tunnel->encap_hlen)) ++ return -ENOMEM; ++ + gre_build_header(skb, tun_hlen, + flags, protocol, + tunnel_id_to_key32(tun_info->key.tun_id), +@@ -773,6 +773,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb, + if (tunnel->parms.o_flags & TUNNEL_SEQ) + tunnel->o_seqno++; + ++ if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen)) ++ return -ENOMEM; ++ + gre_build_header(skb, tunnel->tun_hlen, tunnel->parms.o_flags, + protocol, tunnel->parms.o_key, + htonl(tunnel->o_seqno)); +-- +2.35.1 + diff --git a/queue-5.15/ipv6-make-ip6_rt_gc_expire-an-atomic_t.patch b/queue-5.15/ipv6-make-ip6_rt_gc_expire-an-atomic_t.patch new file mode 100644 index 00000000000..f11bbc4931a --- /dev/null +++ b/queue-5.15/ipv6-make-ip6_rt_gc_expire-an-atomic_t.patch @@ -0,0 +1,124 @@ +From 508e86e05f5cf9ca7d03a4bf9dee3f289a49578d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 11:13:33 -0700 +Subject: ipv6: make ip6_rt_gc_expire an atomic_t + +From: Eric Dumazet + +[ Upstream commit 9cb7c013420f98fa6fd12fc6a5dc055170c108db ] + +Reads and Writes to ip6_rt_gc_expire always have been racy, +as syzbot reported lately [1] + +There is a possible risk of under-flow, leading +to unexpected high value passed to fib6_run_gc(), +although I have not observed this in the field. + +Hosts hitting ip6_dst_gc() very hard are under pretty bad +state anyway. + +[1] +BUG: KCSAN: data-race in ip6_dst_gc / ip6_dst_gc + +read-write to 0xffff888102110744 of 4 bytes by task 13165 on cpu 1: + ip6_dst_gc+0x1f3/0x220 net/ipv6/route.c:3311 + dst_alloc+0x9b/0x160 net/core/dst.c:86 + ip6_dst_alloc net/ipv6/route.c:344 [inline] + icmp6_dst_alloc+0xb2/0x360 net/ipv6/route.c:3261 + mld_sendpack+0x2b9/0x580 net/ipv6/mcast.c:1807 + mld_send_cr net/ipv6/mcast.c:2119 [inline] + mld_ifc_work+0x576/0x800 net/ipv6/mcast.c:2651 + process_one_work+0x3d3/0x720 kernel/workqueue.c:2289 + worker_thread+0x618/0xa70 kernel/workqueue.c:2436 + kthread+0x1a9/0x1e0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 + +read-write to 0xffff888102110744 of 4 bytes by task 11607 on cpu 0: + ip6_dst_gc+0x1f3/0x220 net/ipv6/route.c:3311 + dst_alloc+0x9b/0x160 net/core/dst.c:86 + ip6_dst_alloc net/ipv6/route.c:344 [inline] + icmp6_dst_alloc+0xb2/0x360 net/ipv6/route.c:3261 + mld_sendpack+0x2b9/0x580 net/ipv6/mcast.c:1807 + mld_send_cr net/ipv6/mcast.c:2119 [inline] + mld_ifc_work+0x576/0x800 net/ipv6/mcast.c:2651 + process_one_work+0x3d3/0x720 kernel/workqueue.c:2289 + worker_thread+0x618/0xa70 kernel/workqueue.c:2436 + kthread+0x1a9/0x1e0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 + +value changed: 0x00000bb3 -> 0x00000ba9 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 11607 Comm: kworker/0:21 Not tainted 5.18.0-rc1-syzkaller-00037-g42e7a03d3bad-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: mld mld_ifc_work + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Reviewed-by: David Ahern +Link: https://lore.kernel.org/r/20220413181333.649424-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/net/netns/ipv6.h | 4 ++-- + net/ipv6/route.c | 11 ++++++----- + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h +index 6bd7e5a85ce7..ff82983b7ab4 100644 +--- a/include/net/netns/ipv6.h ++++ b/include/net/netns/ipv6.h +@@ -75,8 +75,8 @@ struct netns_ipv6 { + struct list_head fib6_walkers; + rwlock_t fib6_walker_lock; + spinlock_t fib6_gc_lock; +- unsigned int ip6_rt_gc_expire; +- unsigned long ip6_rt_last_gc; ++ atomic_t ip6_rt_gc_expire; ++ unsigned long ip6_rt_last_gc; + unsigned char flowlabel_has_excl; + #ifdef CONFIG_IPV6_MULTIPLE_TABLES + bool fib6_has_custom_rules; +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 6b269595efaa..0ca7c780d97a 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -3303,6 +3303,7 @@ static int ip6_dst_gc(struct dst_ops *ops) + int rt_elasticity = net->ipv6.sysctl.ip6_rt_gc_elasticity; + int rt_gc_timeout = net->ipv6.sysctl.ip6_rt_gc_timeout; + unsigned long rt_last_gc = net->ipv6.ip6_rt_last_gc; ++ unsigned int val; + int entries; + + entries = dst_entries_get_fast(ops); +@@ -3313,13 +3314,13 @@ static int ip6_dst_gc(struct dst_ops *ops) + entries <= rt_max_size) + goto out; + +- net->ipv6.ip6_rt_gc_expire++; +- fib6_run_gc(net->ipv6.ip6_rt_gc_expire, net, true); ++ fib6_run_gc(atomic_inc_return(&net->ipv6.ip6_rt_gc_expire), net, true); + entries = dst_entries_get_slow(ops); + if (entries < ops->gc_thresh) +- net->ipv6.ip6_rt_gc_expire = rt_gc_timeout>>1; ++ atomic_set(&net->ipv6.ip6_rt_gc_expire, rt_gc_timeout >> 1); + out: +- net->ipv6.ip6_rt_gc_expire -= net->ipv6.ip6_rt_gc_expire>>rt_elasticity; ++ val = atomic_read(&net->ipv6.ip6_rt_gc_expire); ++ atomic_set(&net->ipv6.ip6_rt_gc_expire, val - (val >> rt_elasticity)); + return entries > rt_max_size; + } + +@@ -6528,7 +6529,7 @@ static int __net_init ip6_route_net_init(struct net *net) + net->ipv6.sysctl.ip6_rt_min_advmss = IPV6_MIN_MTU - 20 - 40; + net->ipv6.sysctl.skip_notify_on_dev_down = 0; + +- net->ipv6.ip6_rt_gc_expire = 30*HZ; ++ atomic_set(&net->ipv6.ip6_rt_gc_expire, 30*HZ); + + ret = 0; + out: +-- +2.35.1 + diff --git a/queue-5.15/l3mdev-l3mdev_master_upper_ifindex_by_index_rcu-shou.patch b/queue-5.15/l3mdev-l3mdev_master_upper_ifindex_by_index_rcu-shou.patch new file mode 100644 index 00000000000..5a9919ea809 --- /dev/null +++ b/queue-5.15/l3mdev-l3mdev_master_upper_ifindex_by_index_rcu-shou.patch @@ -0,0 +1,65 @@ +From 2a79f8cc00644367a1103a580359d429764a0305 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 11:43:19 -0600 +Subject: l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using + netdev_master_upper_dev_get_rcu + +From: David Ahern + +[ Upstream commit 83daab06252ee5d0e1f4373ff28b79304945fc19 ] + +Next patch uses l3mdev_master_upper_ifindex_by_index_rcu which throws +a splat with debug kernels: + +[13783.087570] ------------[ cut here ]------------ +[13783.093974] RTNL: assertion failed at net/core/dev.c (6702) +[13783.100761] WARNING: CPU: 3 PID: 51132 at net/core/dev.c:6702 netdev_master_upper_dev_get+0x16a/0x1a0 + +[13783.184226] CPU: 3 PID: 51132 Comm: kworker/3:3 Not tainted 5.17.0-custom-100090-g6f963aafb1cc #682 +[13783.194788] Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017 +[13783.204755] Workqueue: mld mld_ifc_work [ipv6] +[13783.210338] RIP: 0010:netdev_master_upper_dev_get+0x16a/0x1a0 +[13783.217209] Code: 0f 85 e3 fe ff ff e8 65 ac ec fe ba 2e 1a 00 00 48 c7 c6 60 6f 38 83 48 c7 c7 c0 70 38 83 c6 05 5e b5 d7 01 01 e8 c6 29 52 00 <0f> 0b e9 b8 fe ff ff e8 5a 6c 35 ff e9 1c ff ff ff 48 89 ef e8 7d +[13783.238659] RSP: 0018:ffffc9000b37f5a8 EFLAGS: 00010286 +[13783.244995] RAX: 0000000000000000 RBX: ffff88812ee5c000 RCX: 0000000000000000 +[13783.253379] RDX: ffff88811ce09d40 RSI: ffffffff812d0fcd RDI: fffff5200166fea7 +[13783.261769] RBP: 0000000000000000 R08: 0000000000000001 R09: ffff8882375f4287 +[13783.270138] R10: ffffed1046ebe850 R11: 0000000000000001 R12: dffffc0000000000 +[13783.278510] R13: 0000000000000275 R14: ffffc9000b37f688 R15: ffff8881273b4af8 +[13783.286870] FS: 0000000000000000(0000) GS:ffff888237400000(0000) knlGS:0000000000000000 +[13783.296352] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[13783.303177] CR2: 00007ff25fc9b2e8 CR3: 0000000174d23000 CR4: 00000000001006e0 +[13783.311546] Call Trace: +[13783.314660] +[13783.317553] l3mdev_master_upper_ifindex_by_index_rcu+0x43/0xe0 +... + +Change l3mdev_master_upper_ifindex_by_index_rcu to use +netdev_master_upper_dev_get_rcu. + +Fixes: 6a6d6681ac1a ("l3mdev: add function to retreive upper master") +Signed-off-by: Ido Schimmel +Signed-off-by: David Ahern +Cc: Alexis Bauvin +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/l3mdev/l3mdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/l3mdev/l3mdev.c b/net/l3mdev/l3mdev.c +index 17927966abb3..8b14a24f1040 100644 +--- a/net/l3mdev/l3mdev.c ++++ b/net/l3mdev/l3mdev.c +@@ -147,7 +147,7 @@ int l3mdev_master_upper_ifindex_by_index_rcu(struct net *net, int ifindex) + + dev = dev_get_by_index_rcu(net, ifindex); + while (dev && !netif_is_l3_master(dev)) +- dev = netdev_master_upper_dev_get(dev); ++ dev = netdev_master_upper_dev_get_rcu(dev); + + return dev ? dev->ifindex : 0; + } +-- +2.35.1 + diff --git a/queue-5.15/mt76-fix-undefined-behavior-due-to-shift-overflowing.patch b/queue-5.15/mt76-fix-undefined-behavior-due-to-shift-overflowing.patch new file mode 100644 index 00000000000..c65086ab939 --- /dev/null +++ b/queue-5.15/mt76-fix-undefined-behavior-due-to-shift-overflowing.patch @@ -0,0 +1,56 @@ +From 6c42b9351c0141966513bdc4fb690d710c4c7cc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 17:15:14 +0200 +Subject: mt76: Fix undefined behavior due to shift overflowing the constant +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Borislav Petkov + +[ Upstream commit dbc2b1764734857d68425468ffa8486e97ab89df ] + +Fix: + + drivers/net/wireless/mediatek/mt76/mt76x2/pci.c: In function ‘mt76x2e_probe’: + ././include/linux/compiler_types.h:352:38: error: call to ‘__compiletime_assert_946’ \ + declared with attribute error: FIELD_PREP: mask is not constant + _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) + +See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory +details as to why it triggers with older gccs only. + +Signed-off-by: Borislav Petkov +Cc: Felix Fietkau +Cc: Lorenzo Bianconi +Cc: Ryder Lee +Cc: Shayne Chen +Cc: Sean Wang +Cc: Kalle Valo +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: linux-wireless@vger.kernel.org +Cc: netdev@vger.kernel.org +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220405151517.29753-9-bp@alien8.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76x2/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/pci.c b/drivers/net/wireless/mediatek/mt76/mt76x2/pci.c +index adf288e50e21..5cd0379d86de 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x2/pci.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/pci.c +@@ -80,7 +80,7 @@ mt76x2e_probe(struct pci_dev *pdev, const struct pci_device_id *id) + mt76_rmw_field(dev, 0x15a10, 0x1f << 16, 0x9); + + /* RG_SSUSB_G1_CDR_BIC_LTR = 0xf */ +- mt76_rmw_field(dev, 0x15a0c, 0xf << 28, 0xf); ++ mt76_rmw_field(dev, 0x15a0c, 0xfU << 28, 0xf); + + /* RG_SSUSB_CDR_BR_PE1D = 0x3 */ + mt76_rmw_field(dev, 0x15c58, 0x3 << 6, 0x3); +-- +2.35.1 + diff --git a/queue-5.15/net-atlantic-avoid-out-of-bounds-indexing.patch b/queue-5.15/net-atlantic-avoid-out-of-bounds-indexing.patch new file mode 100644 index 00000000000..e28dd52988a --- /dev/null +++ b/queue-5.15/net-atlantic-avoid-out-of-bounds-indexing.patch @@ -0,0 +1,127 @@ +From b6ca969a8d9fde008edebdcf48d91e0940902a65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Apr 2022 10:22:04 +0800 +Subject: net: atlantic: Avoid out-of-bounds indexing + +From: Kai-Heng Feng + +[ Upstream commit 8d3a6c37d50d5a0504c126c932cc749e6dd9c78f ] + +UBSAN warnings are observed on atlantic driver: +[ 294.432996] UBSAN: array-index-out-of-bounds in /build/linux-Qow4fL/linux-5.15.0/drivers/net/ethernet/aquantia/atlantic/aq_nic.c:484:48 +[ 294.433695] index 8 is out of range for type 'aq_vec_s *[8]' + +The ring is dereferenced right before breaking out the loop, to prevent +that from happening, only use the index in the loop to fix the issue. + +BugLink: https://bugs.launchpad.net/bugs/1958770 +Tested-by: Mario Limonciello +Signed-off-by: Kai-Heng Feng +Reviewed-by: Igor Russkikh +Link: https://lore.kernel.org/r/20220408022204.16815-1-kai.heng.feng@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + .../net/ethernet/aquantia/atlantic/aq_nic.c | 8 +++---- + .../net/ethernet/aquantia/atlantic/aq_vec.c | 24 +++++++++---------- + 2 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +index 9de0065f89b9..fbb1e05d5878 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -480,8 +480,8 @@ int aq_nic_start(struct aq_nic_s *self) + if (err < 0) + goto err_exit; + +- for (i = 0U, aq_vec = self->aq_vec[0]; +- self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i]) { ++ for (i = 0U; self->aq_vecs > i; ++i) { ++ aq_vec = self->aq_vec[i]; + err = aq_vec_start(aq_vec); + if (err < 0) + goto err_exit; +@@ -511,8 +511,8 @@ int aq_nic_start(struct aq_nic_s *self) + mod_timer(&self->polling_timer, jiffies + + AQ_CFG_POLLING_TIMER_INTERVAL); + } else { +- for (i = 0U, aq_vec = self->aq_vec[0]; +- self->aq_vecs > i; ++i, aq_vec = self->aq_vec[i]) { ++ for (i = 0U; self->aq_vecs > i; ++i) { ++ aq_vec = self->aq_vec[i]; + err = aq_pci_func_alloc_irq(self, i, self->ndev->name, + aq_vec_isr, aq_vec, + aq_vec_get_affinity_mask(aq_vec)); +diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_vec.c b/drivers/net/ethernet/aquantia/atlantic/aq_vec.c +index f4774cf051c9..6ab1f3212d24 100644 +--- a/drivers/net/ethernet/aquantia/atlantic/aq_vec.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_vec.c +@@ -43,8 +43,8 @@ static int aq_vec_poll(struct napi_struct *napi, int budget) + if (!self) { + err = -EINVAL; + } else { +- for (i = 0U, ring = self->ring[0]; +- self->tx_rings > i; ++i, ring = self->ring[i]) { ++ for (i = 0U; self->tx_rings > i; ++i) { ++ ring = self->ring[i]; + u64_stats_update_begin(&ring[AQ_VEC_RX_ID].stats.rx.syncp); + ring[AQ_VEC_RX_ID].stats.rx.polls++; + u64_stats_update_end(&ring[AQ_VEC_RX_ID].stats.rx.syncp); +@@ -182,8 +182,8 @@ int aq_vec_init(struct aq_vec_s *self, const struct aq_hw_ops *aq_hw_ops, + self->aq_hw_ops = aq_hw_ops; + self->aq_hw = aq_hw; + +- for (i = 0U, ring = self->ring[0]; +- self->tx_rings > i; ++i, ring = self->ring[i]) { ++ for (i = 0U; self->tx_rings > i; ++i) { ++ ring = self->ring[i]; + err = aq_ring_init(&ring[AQ_VEC_TX_ID], ATL_RING_TX); + if (err < 0) + goto err_exit; +@@ -224,8 +224,8 @@ int aq_vec_start(struct aq_vec_s *self) + unsigned int i = 0U; + int err = 0; + +- for (i = 0U, ring = self->ring[0]; +- self->tx_rings > i; ++i, ring = self->ring[i]) { ++ for (i = 0U; self->tx_rings > i; ++i) { ++ ring = self->ring[i]; + err = self->aq_hw_ops->hw_ring_tx_start(self->aq_hw, + &ring[AQ_VEC_TX_ID]); + if (err < 0) +@@ -248,8 +248,8 @@ void aq_vec_stop(struct aq_vec_s *self) + struct aq_ring_s *ring = NULL; + unsigned int i = 0U; + +- for (i = 0U, ring = self->ring[0]; +- self->tx_rings > i; ++i, ring = self->ring[i]) { ++ for (i = 0U; self->tx_rings > i; ++i) { ++ ring = self->ring[i]; + self->aq_hw_ops->hw_ring_tx_stop(self->aq_hw, + &ring[AQ_VEC_TX_ID]); + +@@ -268,8 +268,8 @@ void aq_vec_deinit(struct aq_vec_s *self) + if (!self) + goto err_exit; + +- for (i = 0U, ring = self->ring[0]; +- self->tx_rings > i; ++i, ring = self->ring[i]) { ++ for (i = 0U; self->tx_rings > i; ++i) { ++ ring = self->ring[i]; + aq_ring_tx_clean(&ring[AQ_VEC_TX_ID]); + aq_ring_rx_deinit(&ring[AQ_VEC_RX_ID]); + } +@@ -297,8 +297,8 @@ void aq_vec_ring_free(struct aq_vec_s *self) + if (!self) + goto err_exit; + +- for (i = 0U, ring = self->ring[0]; +- self->tx_rings > i; ++i, ring = self->ring[i]) { ++ for (i = 0U; self->tx_rings > i; ++i) { ++ ring = self->ring[i]; + aq_ring_free(&ring[AQ_VEC_TX_ID]); + if (i < self->rx_rings) + aq_ring_free(&ring[AQ_VEC_RX_ID]); +-- +2.35.1 + diff --git a/queue-5.15/net-dsa-hellcreek-calculate-checksums-in-tagger.patch b/queue-5.15/net-dsa-hellcreek-calculate-checksums-in-tagger.patch new file mode 100644 index 00000000000..26c9a4c8ec3 --- /dev/null +++ b/queue-5.15/net-dsa-hellcreek-calculate-checksums-in-tagger.patch @@ -0,0 +1,49 @@ +From 10baf446d2207839ebfb7bd3bd7e21274192ec70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 12:33:20 +0200 +Subject: net: dsa: hellcreek: Calculate checksums in tagger + +From: Kurt Kanzenbach + +[ Upstream commit 0763120b090418a5257402754e22a34227ae5f12 ] + +In case the checksum calculation is offloaded to the DSA master network +interface, it will include the switch trailing tag. As soon as the switch strips +that tag on egress, the calculated checksum is wrong. + +Therefore, add the checksum calculation to the tagger (if required) before +adding the switch tag. This way, the hellcreek code works with all DSA master +interfaces regardless of their declared feature set. + +Fixes: 01ef09caad66 ("net: dsa: Add tag handling for Hirschmann Hellcreek switches") +Signed-off-by: Kurt Kanzenbach +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220415103320.90657-1-kurt@linutronix.de +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dsa/tag_hellcreek.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/dsa/tag_hellcreek.c b/net/dsa/tag_hellcreek.c +index f64b805303cd..eb204ad36eee 100644 +--- a/net/dsa/tag_hellcreek.c ++++ b/net/dsa/tag_hellcreek.c +@@ -21,6 +21,14 @@ static struct sk_buff *hellcreek_xmit(struct sk_buff *skb, + struct dsa_port *dp = dsa_slave_to_port(dev); + u8 *tag; + ++ /* Calculate checksums (if required) before adding the trailer tag to ++ * avoid including it in calculations. That would lead to wrong ++ * checksums after the switch strips the tag. ++ */ ++ if (skb->ip_summed == CHECKSUM_PARTIAL && ++ skb_checksum_help(skb)) ++ return NULL; ++ + /* Tag encoding */ + tag = skb_put(skb, HELLCREEK_TAG_LEN); + *tag = BIT(dp->index); +-- +2.35.1 + diff --git a/queue-5.15/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch b/queue-5.15/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch new file mode 100644 index 00000000000..d01a55431e8 --- /dev/null +++ b/queue-5.15/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch @@ -0,0 +1,64 @@ +From 9ecf445b77ccbfdf8e1b0d3758f256b30ef9606b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:16:59 +0300 +Subject: net: macb: Restart tx only if queue pointer is lagging + +From: Tomas Melin + +[ Upstream commit 5ad7f18cd82cee8e773d40cc7a1465a526f2615c ] + +commit 4298388574da ("net: macb: restart tx after tx used bit read") +added support for restarting transmission. Restarting tx does not work +in case controller asserts TXUBR interrupt and TQBP is already at the end +of the tx queue. In that situation, restarting tx will immediately cause +assertion of another TXUBR interrupt. The driver will end up in an infinite +interrupt loop which it cannot break out of. + +For cases where TQBP is at the end of the tx queue, instead +only clear TX_USED interrupt. As more data gets pushed to the queue, +transmission will resume. + +This issue was observed on a Xilinx Zynq-7000 based board. +During stress test of the network interface, +driver would get stuck on interrupt loop within seconds or minutes +causing CPU to stall. + +Signed-off-by: Tomas Melin +Tested-by: Claudiu Beznea +Reviewed-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20220407161659.14532-1-tomas.melin@vaisala.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cadence/macb_main.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c +index 9705c49655ad..217c1a0f8940 100644 +--- a/drivers/net/ethernet/cadence/macb_main.c ++++ b/drivers/net/ethernet/cadence/macb_main.c +@@ -1689,6 +1689,7 @@ static void macb_tx_restart(struct macb_queue *queue) + unsigned int head = queue->tx_head; + unsigned int tail = queue->tx_tail; + struct macb *bp = queue->bp; ++ unsigned int head_idx, tbqp; + + if (bp->caps & MACB_CAPS_ISR_CLEAR_ON_WRITE) + queue_writel(queue, ISR, MACB_BIT(TXUBR)); +@@ -1696,6 +1697,13 @@ static void macb_tx_restart(struct macb_queue *queue) + if (head == tail) + return; + ++ tbqp = queue_readl(queue, TBQP) / macb_dma_desc_get_size(bp); ++ tbqp = macb_adj_dma_desc_idx(bp, macb_tx_ring_wrap(bp, tbqp)); ++ head_idx = macb_adj_dma_desc_idx(bp, macb_tx_ring_wrap(bp, head)); ++ ++ if (tbqp == head_idx) ++ return; ++ + macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART)); + } + +-- +2.35.1 + diff --git a/queue-5.15/net-mscc-ocelot-fix-broken-ip-multicast-flooding.patch b/queue-5.15/net-mscc-ocelot-fix-broken-ip-multicast-flooding.patch new file mode 100644 index 00000000000..78dd255cccd --- /dev/null +++ b/queue-5.15/net-mscc-ocelot-fix-broken-ip-multicast-flooding.patch @@ -0,0 +1,45 @@ +From 0b994cf6f17e808deec35b8a8086aa2ed9afc507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 18:19:50 +0300 +Subject: net: mscc: ocelot: fix broken IP multicast flooding + +From: Vladimir Oltean + +[ Upstream commit 4cf35a2b627a020fe1a6b6fc7a6a12394644e474 ] + +When the user runs: +bridge link set dev $br_port mcast_flood on + +this command should affect not only L2 multicast, but also IPv4 and IPv6 +multicast. + +In the Ocelot switch, unknown multicast gets flooded according to +different PGIDs according to its type, and PGID_MC only handles L2 +multicast. Therefore, by leaving PGID_MCIPV4 and PGID_MCIPV6 at their +default value of 0, unknown IP multicast traffic is never flooded. + +Fixes: 421741ea5672 ("net: mscc: ocelot: offload bridge port flags to device") +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20220415151950.219660-1-vladimir.oltean@nxp.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c +index 6aad0953e8fe..a59300d9e000 100644 +--- a/drivers/net/ethernet/mscc/ocelot.c ++++ b/drivers/net/ethernet/mscc/ocelot.c +@@ -1932,6 +1932,8 @@ static void ocelot_port_set_mcast_flood(struct ocelot *ocelot, int port, + val = BIT(port); + + ocelot_rmw_rix(ocelot, val, BIT(port), ANA_PGID_PGID, PGID_MC); ++ ocelot_rmw_rix(ocelot, val, BIT(port), ANA_PGID_PGID, PGID_MCIPV4); ++ ocelot_rmw_rix(ocelot, val, BIT(port), ANA_PGID_PGID, PGID_MCIPV6); + } + + static void ocelot_port_set_bcast_flood(struct ocelot *ocelot, int port, +-- +2.35.1 + diff --git a/queue-5.15/net-packet-fix-packet_sock-xmit-return-value-checkin.patch b/queue-5.15/net-packet-fix-packet_sock-xmit-return-value-checkin.patch new file mode 100644 index 00000000000..1b7b9328673 --- /dev/null +++ b/queue-5.15/net-packet-fix-packet_sock-xmit-return-value-checkin.patch @@ -0,0 +1,59 @@ +From c3e6018392c1735161c042c7b31293777fa59f85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 16:49:25 +0800 +Subject: net/packet: fix packet_sock xmit return value checking + +From: Hangbin Liu + +[ Upstream commit 29e8e659f984be00d75ec5fef4e37c88def72712 ] + +packet_sock xmit could be dev_queue_xmit, which also returns negative +errors. So only checking positive errors is not enough, or userspace +sendmsg may return success while packet is not send out. + +Move the net_xmit_errno() assignment in the braces as checkpatch.pl said +do not use assignment in if condition. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Flavio Leitner +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index c0d4a65931de..88c3b5cf8d94 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2820,8 +2820,9 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg) + + status = TP_STATUS_SEND_REQUEST; + err = po->xmit(skb); +- if (unlikely(err > 0)) { +- err = net_xmit_errno(err); ++ if (unlikely(err != 0)) { ++ if (err > 0) ++ err = net_xmit_errno(err); + if (err && __packet_get_status(po, ph) == + TP_STATUS_AVAILABLE) { + /* skb was destructed already */ +@@ -3022,8 +3023,12 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len) + skb->no_fcs = 1; + + err = po->xmit(skb); +- if (err > 0 && (err = net_xmit_errno(err)) != 0) +- goto out_unlock; ++ if (unlikely(err != 0)) { ++ if (err > 0) ++ err = net_xmit_errno(err); ++ if (err) ++ goto out_unlock; ++ } + + dev_put(dev); + +-- +2.35.1 + diff --git a/queue-5.15/net-restore-alpha-order-to-ethernet-devices-in-confi.patch b/queue-5.15/net-restore-alpha-order-to-ethernet-devices-in-confi.patch new file mode 100644 index 00000000000..69fda091b0c --- /dev/null +++ b/queue-5.15/net-restore-alpha-order-to-ethernet-devices-in-confi.patch @@ -0,0 +1,113 @@ +From 7ad8b69ec1a40dd216a313ed5dd5a546158e0447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 09:03:12 -0700 +Subject: net: restore alpha order to Ethernet devices in config + +From: Stephen Hemminger + +[ Upstream commit da367ac74aecb59b62a9538009d4aee8ce4bdfb3 ] + +The displayed list of Ethernet devices in make menuconfig +has gotten out of order. This is mostly due to changes in vendor +names etc, but also because of new Microsoft entry in wrong place. + +This restores so that the display is in order even if the names +of the sub directories are not. + +Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)") +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/Kconfig | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/Kconfig b/drivers/net/ethernet/Kconfig +index 412ae3e43ffb..35ac6fe7529c 100644 +--- a/drivers/net/ethernet/Kconfig ++++ b/drivers/net/ethernet/Kconfig +@@ -34,15 +34,6 @@ source "drivers/net/ethernet/apple/Kconfig" + source "drivers/net/ethernet/aquantia/Kconfig" + source "drivers/net/ethernet/arc/Kconfig" + source "drivers/net/ethernet/atheros/Kconfig" +-source "drivers/net/ethernet/broadcom/Kconfig" +-source "drivers/net/ethernet/brocade/Kconfig" +-source "drivers/net/ethernet/cadence/Kconfig" +-source "drivers/net/ethernet/calxeda/Kconfig" +-source "drivers/net/ethernet/cavium/Kconfig" +-source "drivers/net/ethernet/chelsio/Kconfig" +-source "drivers/net/ethernet/cirrus/Kconfig" +-source "drivers/net/ethernet/cisco/Kconfig" +-source "drivers/net/ethernet/cortina/Kconfig" + + config CX_ECAT + tristate "Beckhoff CX5020 EtherCAT master support" +@@ -56,6 +47,14 @@ config CX_ECAT + To compile this driver as a module, choose M here. The module + will be called ec_bhf. + ++source "drivers/net/ethernet/broadcom/Kconfig" ++source "drivers/net/ethernet/cadence/Kconfig" ++source "drivers/net/ethernet/calxeda/Kconfig" ++source "drivers/net/ethernet/cavium/Kconfig" ++source "drivers/net/ethernet/chelsio/Kconfig" ++source "drivers/net/ethernet/cirrus/Kconfig" ++source "drivers/net/ethernet/cisco/Kconfig" ++source "drivers/net/ethernet/cortina/Kconfig" + source "drivers/net/ethernet/davicom/Kconfig" + + config DNET +@@ -82,7 +81,6 @@ source "drivers/net/ethernet/huawei/Kconfig" + source "drivers/net/ethernet/i825xx/Kconfig" + source "drivers/net/ethernet/ibm/Kconfig" + source "drivers/net/ethernet/intel/Kconfig" +-source "drivers/net/ethernet/microsoft/Kconfig" + source "drivers/net/ethernet/xscale/Kconfig" + + config JME +@@ -125,8 +123,9 @@ source "drivers/net/ethernet/mediatek/Kconfig" + source "drivers/net/ethernet/mellanox/Kconfig" + source "drivers/net/ethernet/micrel/Kconfig" + source "drivers/net/ethernet/microchip/Kconfig" +-source "drivers/net/ethernet/moxa/Kconfig" + source "drivers/net/ethernet/mscc/Kconfig" ++source "drivers/net/ethernet/microsoft/Kconfig" ++source "drivers/net/ethernet/moxa/Kconfig" + source "drivers/net/ethernet/myricom/Kconfig" + + config FEALNX +@@ -138,10 +137,10 @@ config FEALNX + Say Y here to support the Myson MTD-800 family of PCI-based Ethernet + cards. + ++source "drivers/net/ethernet/ni/Kconfig" + source "drivers/net/ethernet/natsemi/Kconfig" + source "drivers/net/ethernet/neterion/Kconfig" + source "drivers/net/ethernet/netronome/Kconfig" +-source "drivers/net/ethernet/ni/Kconfig" + source "drivers/net/ethernet/8390/Kconfig" + source "drivers/net/ethernet/nvidia/Kconfig" + source "drivers/net/ethernet/nxp/Kconfig" +@@ -161,6 +160,7 @@ source "drivers/net/ethernet/packetengines/Kconfig" + source "drivers/net/ethernet/pasemi/Kconfig" + source "drivers/net/ethernet/pensando/Kconfig" + source "drivers/net/ethernet/qlogic/Kconfig" ++source "drivers/net/ethernet/brocade/Kconfig" + source "drivers/net/ethernet/qualcomm/Kconfig" + source "drivers/net/ethernet/rdc/Kconfig" + source "drivers/net/ethernet/realtek/Kconfig" +@@ -168,10 +168,10 @@ source "drivers/net/ethernet/renesas/Kconfig" + source "drivers/net/ethernet/rocker/Kconfig" + source "drivers/net/ethernet/samsung/Kconfig" + source "drivers/net/ethernet/seeq/Kconfig" +-source "drivers/net/ethernet/sfc/Kconfig" + source "drivers/net/ethernet/sgi/Kconfig" + source "drivers/net/ethernet/silan/Kconfig" + source "drivers/net/ethernet/sis/Kconfig" ++source "drivers/net/ethernet/sfc/Kconfig" + source "drivers/net/ethernet/smsc/Kconfig" + source "drivers/net/ethernet/socionext/Kconfig" + source "drivers/net/ethernet/stmicro/Kconfig" +-- +2.35.1 + diff --git a/queue-5.15/net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch b/queue-5.15/net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch new file mode 100644 index 00000000000..71f4f17c51b --- /dev/null +++ b/queue-5.15/net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch @@ -0,0 +1,57 @@ +From 77de633f7a40be6a390eb3b886b73adbf9523563 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 10:35:42 -0700 +Subject: net/sched: cls_u32: fix possible leak in u32_init_knode() + +From: Eric Dumazet + +[ Upstream commit ec5b0f605b105457f257f2870acad4a5d463984b ] + +While investigating a related syzbot report, +I found that whenever call to tcf_exts_init() +from u32_init_knode() is failing, we end up +with an elevated refcount on ht->refcnt + +To avoid that, only increase the refcount after +all possible errors have been evaluated. + +Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()") +Signed-off-by: Eric Dumazet +Cc: Cong Wang +Cc: Jiri Pirko +Acked-by: Jamal Hadi Salim +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/cls_u32.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c +index 81f933ebee05..5d30db0d7157 100644 +--- a/net/sched/cls_u32.c ++++ b/net/sched/cls_u32.c +@@ -814,10 +814,6 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp, + new->flags = n->flags; + RCU_INIT_POINTER(new->ht_down, ht); + +- /* bump reference count as long as we hold pointer to structure */ +- if (ht) +- ht->refcnt++; +- + #ifdef CONFIG_CLS_U32_PERF + /* Statistics may be incremented by readers during update + * so we must keep them in tact. When the node is later destroyed +@@ -839,6 +835,10 @@ static struct tc_u_knode *u32_init_knode(struct net *net, struct tcf_proto *tp, + return NULL; + } + ++ /* bump reference count as long as we hold pointer to structure */ ++ if (ht) ++ ht->refcnt++; ++ + return new; + } + +-- +2.35.1 + diff --git a/queue-5.15/net-smc-fix-sock-leak-when-release-after-smc_shutdow.patch b/queue-5.15/net-smc-fix-sock-leak-when-release-after-smc_shutdow.patch new file mode 100644 index 00000000000..234e583fe18 --- /dev/null +++ b/queue-5.15/net-smc-fix-sock-leak-when-release-after-smc_shutdow.patch @@ -0,0 +1,45 @@ +From f3493f7ccddab5de4056c1e71668f4bfaeb8b515 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 15:51:03 +0800 +Subject: net/smc: Fix sock leak when release after smc_shutdown() + +From: Tony Lu + +[ Upstream commit 1a74e99323746353bba11562a2f2d0aa8102f402 ] + +Since commit e5d5aadcf3cd ("net/smc: fix sk_refcnt underflow on linkdown +and fallback"), for a fallback connection, __smc_release() does not call +sock_put() if its state is already SMC_CLOSED. + +When calling smc_shutdown() after falling back, its state is set to +SMC_CLOSED but does not call sock_put(), so this patch calls it. + +Reported-and-tested-by: syzbot+6e29a053eb165bd50de5@syzkaller.appspotmail.com +Fixes: e5d5aadcf3cd ("net/smc: fix sk_refcnt underflow on linkdown and fallback") +Signed-off-by: Tony Lu +Acked-by: Karsten Graul +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index fa8897497dcc..499058248bdb 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -2332,8 +2332,10 @@ static int smc_shutdown(struct socket *sock, int how) + if (smc->use_fallback) { + rc = kernel_sock_shutdown(smc->clcsock, how); + sk->sk_shutdown = smc->clcsock->sk->sk_shutdown; +- if (sk->sk_shutdown == SHUTDOWN_MASK) ++ if (sk->sk_shutdown == SHUTDOWN_MASK) { + sk->sk_state = SMC_CLOSED; ++ sock_put(sk); ++ } + goto out; + } + switch (how) { +-- +2.35.1 + diff --git a/queue-5.15/net-stmmac-use-readl_poll_timeout_atomic-in-atomic-s.patch b/queue-5.15/net-stmmac-use-readl_poll_timeout_atomic-in-atomic-s.patch new file mode 100644 index 00000000000..6c14cdcc96e --- /dev/null +++ b/queue-5.15/net-stmmac-use-readl_poll_timeout_atomic-in-atomic-s.patch @@ -0,0 +1,74 @@ +From d5f798507ca8b3b9c39e8aaf2f65e4db547d8a36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Apr 2022 16:42:26 +0800 +Subject: net: stmmac: Use readl_poll_timeout_atomic() in atomic state + +From: Kevin Hao + +[ Upstream commit 234901de2bc6847eaa0aeb4aba62c31ffb8d3ad6 ] + +The init_systime() may be invoked in atomic state. We have observed the +following call trace when running "phc_ctl /dev/ptp0 set" on a Intel +Agilex board. + BUG: sleeping function called from invalid context at drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c:74 + in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 381, name: phc_ctl + preempt_count: 1, expected: 0 + RCU nest depth: 0, expected: 0 + Preemption disabled at: + [] stmmac_set_time+0x34/0x8c + CPU: 2 PID: 381 Comm: phc_ctl Not tainted 5.18.0-rc2-next-20220414-yocto-standard+ #567 + Hardware name: SoCFPGA Agilex SoCDK (DT) + Call trace: + dump_backtrace.part.0+0xc4/0xd0 + show_stack+0x24/0x40 + dump_stack_lvl+0x7c/0xa0 + dump_stack+0x18/0x34 + __might_resched+0x154/0x1c0 + __might_sleep+0x58/0x90 + init_systime+0x78/0x120 + stmmac_set_time+0x64/0x8c + ptp_clock_settime+0x60/0x9c + pc_clock_settime+0x6c/0xc0 + __arm64_sys_clock_settime+0x88/0xf0 + invoke_syscall+0x5c/0x130 + el0_svc_common.constprop.0+0x4c/0x100 + do_el0_svc+0x7c/0xa0 + el0_svc+0x58/0xcc + el0t_64_sync_handler+0xa4/0x130 + el0t_64_sync+0x18c/0x190 + +So we should use readl_poll_timeout_atomic() here instead of +readl_poll_timeout(). + +Also adjust the delay time to 10us to fix a "__bad_udelay" build error +reported by "kernel test robot ". I have tested this on +Intel Agilex and NXP S32G boards, there is no delay needed at all. +So the 10us delay should be long enough for most cases. + +Fixes: ff8ed737860e ("net: stmmac: use readl_poll_timeout() function in init_systime()") +Signed-off-by: Kevin Hao +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c +index a7ec9f4d46ce..d68ef72dcdde 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c +@@ -71,9 +71,9 @@ static int init_systime(void __iomem *ioaddr, u32 sec, u32 nsec) + writel(value, ioaddr + PTP_TCR); + + /* wait for present system time initialize to complete */ +- return readl_poll_timeout(ioaddr + PTP_TCR, value, ++ return readl_poll_timeout_atomic(ioaddr + PTP_TCR, value, + !(value & PTP_TCR_TSINIT), +- 10000, 100000); ++ 10, 100000); + } + + static int config_addend(void __iomem *ioaddr, u32 addend) +-- +2.35.1 + diff --git a/queue-5.15/netlink-reset-network-and-mac-headers-in-netlink_dum.patch b/queue-5.15/netlink-reset-network-and-mac-headers-in-netlink_dum.patch new file mode 100644 index 00000000000..cd474ef5cee --- /dev/null +++ b/queue-5.15/netlink-reset-network-and-mac-headers-in-netlink_dum.patch @@ -0,0 +1,136 @@ +From a17bbdeb70cc77e46f2f6cde4ee3420bf45fb285 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 11:14:42 -0700 +Subject: netlink: reset network and mac headers in netlink_dump() + +From: Eric Dumazet + +[ Upstream commit 99c07327ae11e24886d552dddbe4537bfca2765d ] + +netlink_dump() is allocating an skb, reserves space in it +but forgets to reset network header. + +This allows a BPF program, invoked later from sk_filter() +to access uninitialized kernel memory from the reserved +space. + +Theorically mac header reset could be omitted, because +it is set to a special initial value. +bpf_internal_load_pointer_neg_helper calls skb_mac_header() +without checking skb_mac_header_was_set(). +Relying on skb->len not being too big seems fragile. +We also could add a sanity check in bpf_internal_load_pointer_neg_helper() +to avoid surprises in the future. + +syzbot report was: + +BUG: KMSAN: uninit-value in ___bpf_prog_run+0xa22b/0xb420 kernel/bpf/core.c:1637 + ___bpf_prog_run+0xa22b/0xb420 kernel/bpf/core.c:1637 + __bpf_prog_run32+0x121/0x180 kernel/bpf/core.c:1796 + bpf_dispatcher_nop_func include/linux/bpf.h:784 [inline] + __bpf_prog_run include/linux/filter.h:626 [inline] + bpf_prog_run include/linux/filter.h:633 [inline] + __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756 + bpf_prog_run_save_cb include/linux/filter.h:770 [inline] + sk_filter_trim_cap+0x3bc/0x8c0 net/core/filter.c:150 + sk_filter include/linux/filter.h:905 [inline] + netlink_dump+0xe0c/0x16c0 net/netlink/af_netlink.c:2276 + netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + sock_read_iter+0x5a9/0x630 net/socket.c:1039 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_read+0x52c/0x14c0 fs/read_write.c:786 + vfs_readv fs/read_write.c:906 [inline] + do_readv+0x432/0x800 fs/read_write.c:943 + __do_sys_readv fs/read_write.c:1034 [inline] + __se_sys_readv fs/read_write.c:1031 [inline] + __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was stored to memory at: + ___bpf_prog_run+0x96c/0xb420 kernel/bpf/core.c:1558 + __bpf_prog_run32+0x121/0x180 kernel/bpf/core.c:1796 + bpf_dispatcher_nop_func include/linux/bpf.h:784 [inline] + __bpf_prog_run include/linux/filter.h:626 [inline] + bpf_prog_run include/linux/filter.h:633 [inline] + __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756 + bpf_prog_run_save_cb include/linux/filter.h:770 [inline] + sk_filter_trim_cap+0x3bc/0x8c0 net/core/filter.c:150 + sk_filter include/linux/filter.h:905 [inline] + netlink_dump+0xe0c/0x16c0 net/netlink/af_netlink.c:2276 + netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + sock_read_iter+0x5a9/0x630 net/socket.c:1039 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_read+0x52c/0x14c0 fs/read_write.c:786 + vfs_readv fs/read_write.c:906 [inline] + do_readv+0x432/0x800 fs/read_write.c:943 + __do_sys_readv fs/read_write.c:1034 [inline] + __se_sys_readv fs/read_write.c:1031 [inline] + __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:737 [inline] + slab_alloc_node mm/slub.c:3244 [inline] + __kmalloc_node_track_caller+0xde3/0x14f0 mm/slub.c:4972 + kmalloc_reserve net/core/skbuff.c:354 [inline] + __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 + alloc_skb include/linux/skbuff.h:1158 [inline] + netlink_dump+0x30f/0x16c0 net/netlink/af_netlink.c:2242 + netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + sock_read_iter+0x5a9/0x630 net/socket.c:1039 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_read+0x52c/0x14c0 fs/read_write.c:786 + vfs_readv fs/read_write.c:906 [inline] + do_readv+0x432/0x800 fs/read_write.c:943 + __do_sys_readv fs/read_write.c:1034 [inline] + __se_sys_readv fs/read_write.c:1031 [inline] + __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +CPU: 0 PID: 3470 Comm: syz-executor751 Not tainted 5.17.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: db65a3aaf29e ("netlink: Trim skb to alloc size to avoid MSG_TRUNC") +Fixes: 9063e21fb026 ("netlink: autosize skb lengthes") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220415181442.551228-1-eric.dumazet@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 83ca93b32f5f..fb7f7b17c78c 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2284,6 +2284,13 @@ static int netlink_dump(struct sock *sk) + * single netdev. The outcome is MSG_TRUNC error. + */ + skb_reserve(skb, skb_tailroom(skb) - alloc_size); ++ ++ /* Make sure malicious BPF programs can not read unitialized memory ++ * from skb->head -> skb->data ++ */ ++ skb_reset_network_header(skb); ++ skb_reset_mac_header(skb); ++ + netlink_skb_set_owner_r(skb, sk); + + if (nlk->dump_done_errno > 0) { +-- +2.35.1 + diff --git a/queue-5.15/nvme-add-a-quirk-to-disable-namespace-identifiers.patch b/queue-5.15/nvme-add-a-quirk-to-disable-namespace-identifiers.patch new file mode 100644 index 00000000000..e80778c8a1e --- /dev/null +++ b/queue-5.15/nvme-add-a-quirk-to-disable-namespace-identifiers.patch @@ -0,0 +1,103 @@ +From 4f3ce049d41b6543c0de4dbc62744f7beb70e6ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 08:05:27 +0200 +Subject: nvme: add a quirk to disable namespace identifiers + +From: Christoph Hellwig + +[ Upstream commit 00ff400e6deee00f7b15e200205b2708b63b8cf6 ] + +Add a quirk to disable using and exporting namespace identifiers for +controllers where they are broken beyond repair. + +The most directly visible problem with non-unique namespace identifiers +is that they break the /dev/disk/by-id/ links, with the link for a +supposedly unique identifier now pointing to one of multiple possible +namespaces that share the same ID, and a somewhat random selection of +which one actually shows up. + +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 24 ++++++++++++++++++------ + drivers/nvme/host/nvme.h | 5 +++++ + 2 files changed, 23 insertions(+), 6 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 4c35e9acf8ee..f2bb57615762 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -1354,6 +1354,8 @@ static int nvme_process_ns_desc(struct nvme_ctrl *ctrl, struct nvme_ns_ids *ids, + warn_str, cur->nidl); + return -1; + } ++ if (ctrl->quirks & NVME_QUIRK_BOGUS_NID) ++ return NVME_NIDT_EUI64_LEN; + memcpy(ids->eui64, data + sizeof(*cur), NVME_NIDT_EUI64_LEN); + return NVME_NIDT_EUI64_LEN; + case NVME_NIDT_NGUID: +@@ -1362,6 +1364,8 @@ static int nvme_process_ns_desc(struct nvme_ctrl *ctrl, struct nvme_ns_ids *ids, + warn_str, cur->nidl); + return -1; + } ++ if (ctrl->quirks & NVME_QUIRK_BOGUS_NID) ++ return NVME_NIDT_NGUID_LEN; + memcpy(ids->nguid, data + sizeof(*cur), NVME_NIDT_NGUID_LEN); + return NVME_NIDT_NGUID_LEN; + case NVME_NIDT_UUID: +@@ -1370,6 +1374,8 @@ static int nvme_process_ns_desc(struct nvme_ctrl *ctrl, struct nvme_ns_ids *ids, + warn_str, cur->nidl); + return -1; + } ++ if (ctrl->quirks & NVME_QUIRK_BOGUS_NID) ++ return NVME_NIDT_UUID_LEN; + uuid_copy(&ids->uuid, data + sizeof(*cur)); + return NVME_NIDT_UUID_LEN; + case NVME_NIDT_CSI: +@@ -1466,12 +1472,18 @@ static int nvme_identify_ns(struct nvme_ctrl *ctrl, unsigned nsid, + if ((*id)->ncap == 0) /* namespace not allocated or attached */ + goto out_free_id; + +- if (ctrl->vs >= NVME_VS(1, 1, 0) && +- !memchr_inv(ids->eui64, 0, sizeof(ids->eui64))) +- memcpy(ids->eui64, (*id)->eui64, sizeof(ids->eui64)); +- if (ctrl->vs >= NVME_VS(1, 2, 0) && +- !memchr_inv(ids->nguid, 0, sizeof(ids->nguid))) +- memcpy(ids->nguid, (*id)->nguid, sizeof(ids->nguid)); ++ ++ if (ctrl->quirks & NVME_QUIRK_BOGUS_NID) { ++ dev_info(ctrl->device, ++ "Ignoring bogus Namespace Identifiers\n"); ++ } else { ++ if (ctrl->vs >= NVME_VS(1, 1, 0) && ++ !memchr_inv(ids->eui64, 0, sizeof(ids->eui64))) ++ memcpy(ids->eui64, (*id)->eui64, sizeof(ids->eui64)); ++ if (ctrl->vs >= NVME_VS(1, 2, 0) && ++ !memchr_inv(ids->nguid, 0, sizeof(ids->nguid))) ++ memcpy(ids->nguid, (*id)->nguid, sizeof(ids->nguid)); ++ } + + return 0; + +diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h +index 0628e2d802e7..f1e5c7564cae 100644 +--- a/drivers/nvme/host/nvme.h ++++ b/drivers/nvme/host/nvme.h +@@ -144,6 +144,11 @@ enum nvme_quirks { + * encoding the generation sequence number. + */ + NVME_QUIRK_SKIP_CID_GEN = (1 << 17), ++ ++ /* ++ * Reports garbage in the namespace identifiers (eui64, nguid, uuid). ++ */ ++ NVME_QUIRK_BOGUS_NID = (1 << 18), + }; + + /* +-- +2.35.1 + diff --git a/queue-5.15/nvme-pci-disable-namespace-identifiers-for-qemu-cont.patch b/queue-5.15/nvme-pci-disable-namespace-identifiers-for-qemu-cont.patch new file mode 100644 index 00000000000..69564210186 --- /dev/null +++ b/queue-5.15/nvme-pci-disable-namespace-identifiers-for-qemu-cont.patch @@ -0,0 +1,44 @@ +From ede7487a8b17e8476b3092e00670ab6c7fdbed9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 07:07:56 +0200 +Subject: nvme-pci: disable namespace identifiers for Qemu controllers + +From: Christoph Hellwig + +[ Upstream commit 66dd346b84d79fde20832ed691a54f4881eac20d ] + +Qemu unconditionally reports a UUID, which depending on the qemu version +is either all-null (which is incorrect but harmless) or contains a single +bit set for all controllers. In addition it can also optionally report +a eui64 which needs to be manually set. Disable namespace identifiers +for Qemu controlles entirely even if in some cases they could be set +correctly through manual intervention. + +Reported-by: Luis Chamberlain +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 61f01f5afdc1..d7695bdbde8d 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3314,7 +3314,10 @@ static const struct pci_device_id nvme_id_table[] = { + .driver_data = NVME_QUIRK_IGNORE_DEV_SUBNQN, }, + { PCI_VDEVICE(INTEL, 0x5845), /* Qemu emulated controller */ + .driver_data = NVME_QUIRK_IDENTIFY_CNS | +- NVME_QUIRK_DISABLE_WRITE_ZEROES, }, ++ NVME_QUIRK_DISABLE_WRITE_ZEROES | ++ NVME_QUIRK_BOGUS_NID, }, ++ { PCI_VDEVICE(REDHAT, 0x0010), /* Qemu emulated controller */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(0x126f, 0x2263), /* Silicon Motion unidentified */ + .driver_data = NVME_QUIRK_NO_NS_DESC_LIST, }, + { PCI_DEVICE(0x1bb1, 0x0100), /* Seagate Nytro Flash Storage */ +-- +2.35.1 + diff --git a/queue-5.15/nvme-pci-disable-namespace-identifiers-for-the-maxio.patch b/queue-5.15/nvme-pci-disable-namespace-identifiers-for-the-maxio.patch new file mode 100644 index 00000000000..609237eb047 --- /dev/null +++ b/queue-5.15/nvme-pci-disable-namespace-identifiers-for-the-maxio.patch @@ -0,0 +1,43 @@ +From d8992e70d5431f43cae9a4b6cfaa6663a9351a2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Apr 2022 08:05:27 +0200 +Subject: nvme-pci: disable namespace identifiers for the MAXIO MAP1002/1202 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christoph Hellwig + +[ Upstream commit a98a945b80f8684121d477ae68ebc01da953da1f ] + +The MAXIO MAP1002/1202 controllers reports completely bogus Namespace +identifiers that even change after suspend cycles. Disable using +the Identifiers entirely. + +Reported-by: 金韬 +Signed-off-by: Christoph Hellwig +Reviewed-by: Keith Busch +Tested-by: 金韬 +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index b925a5f4afc3..61f01f5afdc1 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3352,6 +3352,10 @@ static const struct pci_device_id nvme_id_table[] = { + .driver_data = NVME_QUIRK_NO_DEEPEST_PS, }, + { PCI_DEVICE(0x2646, 0x2263), /* KINGSTON A2000 NVMe SSD */ + .driver_data = NVME_QUIRK_NO_DEEPEST_PS, }, ++ { PCI_DEVICE(0x1e4B, 0x1002), /* MAXIO MAP1002 */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, ++ { PCI_DEVICE(0x1e4B, 0x1202), /* MAXIO MAP1202 */ ++ .driver_data = NVME_QUIRK_BOGUS_NID, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0061), + .driver_data = NVME_QUIRK_DMA_ADDRESS_BITS_48, }, + { PCI_DEVICE(PCI_VENDOR_ID_AMAZON, 0x0065), +-- +2.35.1 + diff --git a/queue-5.15/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch b/queue-5.15/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch new file mode 100644 index 00000000000..7111299a95f --- /dev/null +++ b/queue-5.15/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch @@ -0,0 +1,41 @@ +From 48b319e8fd670439693d37a4be689898a65b0669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Mar 2022 14:18:30 +0800 +Subject: platform/x86: samsung-laptop: Fix an unsigned comparison which can + never be negative + +From: Jiapeng Chong + +[ Upstream commit 0284d4d1be753f648f28b77bdfbe6a959212af5c ] + +Eliminate the follow smatch warnings: + +drivers/platform/x86/samsung-laptop.c:1124 kbd_led_set() warn: unsigned +'value' is never less than zero. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Link: https://lore.kernel.org/r/20220322061830.105579-1-jiapeng.chong@linux.alibaba.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/samsung-laptop.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c +index 7ee010aa740a..404bdb4cbfae 100644 +--- a/drivers/platform/x86/samsung-laptop.c ++++ b/drivers/platform/x86/samsung-laptop.c +@@ -1121,8 +1121,6 @@ static void kbd_led_set(struct led_classdev *led_cdev, + + if (value > samsung->kbd_led.max_brightness) + value = samsung->kbd_led.max_brightness; +- else if (value < 0) +- value = 0; + + samsung->kbd_led_wk = value; + queue_work(samsung->led_workqueue, &samsung->kbd_led_work); +-- +2.35.1 + diff --git a/queue-5.15/reset-renesas-check-return-value-of-reset_control_de.patch b/queue-5.15/reset-renesas-check-return-value-of-reset_control_de.patch new file mode 100644 index 00000000000..e9e4f6918f8 --- /dev/null +++ b/queue-5.15/reset-renesas-check-return-value-of-reset_control_de.patch @@ -0,0 +1,39 @@ +From 5660907658027ff8cb4a250ddf3f9413881b6dc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Dec 2021 11:25:46 +0100 +Subject: reset: renesas: Check return value of reset_control_deassert() + +From: Heiner Kallweit + +[ Upstream commit da18980a855edf44270f05455e0ec3f2472f64cc ] + +Deasserting the reset is vital, therefore bail out in case of error. + +Suggested-by: Biju Das +Signed-off-by: Heiner Kallweit +Reviewed-by: Biju Das +Link: https://lore.kernel.org/r/b2131908-0110-006b-862f-080517f3e2d8@gmail.com +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/reset/reset-rzg2l-usbphy-ctrl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/reset/reset-rzg2l-usbphy-ctrl.c b/drivers/reset/reset-rzg2l-usbphy-ctrl.c +index 1e8315038850..a8dde4606360 100644 +--- a/drivers/reset/reset-rzg2l-usbphy-ctrl.c ++++ b/drivers/reset/reset-rzg2l-usbphy-ctrl.c +@@ -121,7 +121,9 @@ static int rzg2l_usbphy_ctrl_probe(struct platform_device *pdev) + return dev_err_probe(dev, PTR_ERR(priv->rstc), + "failed to get reset\n"); + +- reset_control_deassert(priv->rstc); ++ error = reset_control_deassert(priv->rstc); ++ if (error) ++ return error; + + priv->rcdev.ops = &rzg2l_usbphy_ctrl_reset_ops; + priv->rcdev.of_reset_n_cells = 1; +-- +2.35.1 + diff --git a/queue-5.15/reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch b/queue-5.15/reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch new file mode 100644 index 00000000000..628200fe369 --- /dev/null +++ b/queue-5.15/reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch @@ -0,0 +1,58 @@ +From 88c685bc84a1949f457db0b639564c2f4602aa2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jan 2022 19:26:46 +0530 +Subject: reset: tegra-bpmp: Restore Handle errors in BPMP response + +From: Sameer Pujar + +[ Upstream commit d1da1052ffad63aa5181b69f20a6952e31f339c2 ] + +This reverts following commit 69125b4b9440 ("reset: tegra-bpmp: Revert +Handle errors in BPMP response"). + +The Tegra194 HDA reset failure is fixed by commit d278dc9151a0 ("ALSA: +hda/tegra: Fix Tegra194 HDA reset failure"). The temporary revert of +original commit c045ceb5a145 ("reset: tegra-bpmp: Handle errors in BPMP +response") can be removed now. + +Signed-off-by: Sameer Pujar +Tested-by: Jon Hunter +Reviewed-by: Jon Hunter +Acked-by: Thierry Reding +Signed-off-by: Philipp Zabel +Link: https://lore.kernel.org/r/1641995806-15245-1-git-send-email-spujar@nvidia.com +Signed-off-by: Sasha Levin +--- + drivers/reset/tegra/reset-bpmp.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/reset/tegra/reset-bpmp.c b/drivers/reset/tegra/reset-bpmp.c +index 24d3395964cc..4c5bba52b105 100644 +--- a/drivers/reset/tegra/reset-bpmp.c ++++ b/drivers/reset/tegra/reset-bpmp.c +@@ -20,6 +20,7 @@ static int tegra_bpmp_reset_common(struct reset_controller_dev *rstc, + struct tegra_bpmp *bpmp = to_tegra_bpmp(rstc); + struct mrq_reset_request request; + struct tegra_bpmp_message msg; ++ int err; + + memset(&request, 0, sizeof(request)); + request.cmd = command; +@@ -30,7 +31,13 @@ static int tegra_bpmp_reset_common(struct reset_controller_dev *rstc, + msg.tx.data = &request; + msg.tx.size = sizeof(request); + +- return tegra_bpmp_transfer(bpmp, &msg); ++ err = tegra_bpmp_transfer(bpmp, &msg); ++ if (err) ++ return err; ++ if (msg.rx.ret) ++ return -EINVAL; ++ ++ return 0; + } + + static int tegra_bpmp_reset_module(struct reset_controller_dev *rstc, +-- +2.35.1 + diff --git a/queue-5.15/rxrpc-restore-removed-timer-deletion.patch b/queue-5.15/rxrpc-restore-removed-timer-deletion.patch new file mode 100644 index 00000000000..dea1d914843 --- /dev/null +++ b/queue-5.15/rxrpc-restore-removed-timer-deletion.patch @@ -0,0 +1,59 @@ +From 9fb2697f16f637257b2b717f159a31a759266dff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 11:16:25 +0100 +Subject: rxrpc: Restore removed timer deletion + +From: David Howells + +[ Upstream commit ee3b0826b4764f6c13ad6db67495c5a1c38e9025 ] + +A recent patch[1] from Eric Dumazet flipped the order in which the +keepalive timer and the keepalive worker were cancelled in order to fix a +syzbot reported issue[2]. Unfortunately, this enables the mirror image bug +whereby the timer races with rxrpc_exit_net(), restarting the worker after +it has been cancelled: + + CPU 1 CPU 2 + =============== ===================== + if (rxnet->live) + + rxnet->live = false; + cancel_work_sync(&rxnet->peer_keepalive_work); + rxrpc_queue_work(&rxnet->peer_keepalive_work); + del_timer_sync(&rxnet->peer_keepalive_timer); + +Fix this by restoring the removed del_timer_sync() so that we try to remove +the timer twice. If the timer runs again, it should see ->live == false +and not restart the worker. + +Fixes: 1946014ca3b1 ("rxrpc: fix a race in rxrpc_exit_net()") +Signed-off-by: David Howells +cc: Eric Dumazet +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/20220404183439.3537837-1-eric.dumazet@gmail.com/ [1] +Link: https://syzkaller.appspot.com/bug?extid=724378c4bb58f703b09a [2] +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/net_ns.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/rxrpc/net_ns.c b/net/rxrpc/net_ns.c +index f15d6942da45..cc7e30733feb 100644 +--- a/net/rxrpc/net_ns.c ++++ b/net/rxrpc/net_ns.c +@@ -113,7 +113,9 @@ static __net_exit void rxrpc_exit_net(struct net *net) + struct rxrpc_net *rxnet = rxrpc_net(net); + + rxnet->live = false; ++ del_timer_sync(&rxnet->peer_keepalive_timer); + cancel_work_sync(&rxnet->peer_keepalive_work); ++ /* Remove the timer again as the worker may have restarted it. */ + del_timer_sync(&rxnet->peer_keepalive_timer); + rxrpc_destroy_all_calls(rxnet); + rxrpc_destroy_all_connections(rxnet); +-- +2.35.1 + diff --git a/queue-5.15/scsi-iscsi-fix-nop-handling-during-conn-recovery.patch b/queue-5.15/scsi-iscsi-fix-nop-handling-during-conn-recovery.patch new file mode 100644 index 00000000000..9085c651ee7 --- /dev/null +++ b/queue-5.15/scsi-iscsi-fix-nop-handling-during-conn-recovery.patch @@ -0,0 +1,73 @@ +From 84acc239a6cd6a5bec04479368468b3d1127078d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:13:12 -0500 +Subject: scsi: iscsi: Fix NOP handling during conn recovery + +From: Mike Christie + +[ Upstream commit 44ac97109e42f87b1a34954704b81b6c8eca80c4 ] + +If a offload driver doesn't use the xmit workqueue, then when we are doing +ep_disconnect libiscsi can still inject PDUs to the driver. This adds a +check for if the connection is bound before trying to inject PDUs. + +Link: https://lore.kernel.org/r/20220408001314.5014-9-michael.christie@oracle.com +Tested-by: Manish Rangankar +Reviewed-by: Lee Duncan +Reviewed-by: Chris Leech +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libiscsi.c | 7 ++++++- + include/scsi/libiscsi.h | 2 +- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index a4f26431b033..0f2c7098f9d6 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -678,7 +678,8 @@ __iscsi_conn_send_pdu(struct iscsi_conn *conn, struct iscsi_hdr *hdr, + struct iscsi_task *task; + itt_t itt; + +- if (session->state == ISCSI_STATE_TERMINATE) ++ if (session->state == ISCSI_STATE_TERMINATE || ++ !test_bit(ISCSI_CONN_FLAG_BOUND, &conn->flags)) + return NULL; + + if (opcode == ISCSI_OP_LOGIN || opcode == ISCSI_OP_TEXT) { +@@ -2214,6 +2215,8 @@ void iscsi_conn_unbind(struct iscsi_cls_conn *cls_conn, bool is_active) + iscsi_suspend_tx(conn); + + spin_lock_bh(&session->frwd_lock); ++ clear_bit(ISCSI_CONN_FLAG_BOUND, &conn->flags); ++ + if (!is_active) { + /* + * if logout timed out before userspace could even send a PDU +@@ -3312,6 +3315,8 @@ int iscsi_conn_bind(struct iscsi_cls_session *cls_session, + spin_lock_bh(&session->frwd_lock); + if (is_leading) + session->leadconn = conn; ++ ++ set_bit(ISCSI_CONN_FLAG_BOUND, &conn->flags); + spin_unlock_bh(&session->frwd_lock); + + /* +diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h +index bdb0ae11682d..d1e282f0d6f1 100644 +--- a/include/scsi/libiscsi.h ++++ b/include/scsi/libiscsi.h +@@ -55,7 +55,7 @@ enum { + /* Connection flags */ + #define ISCSI_CONN_FLAG_SUSPEND_TX BIT(0) + #define ISCSI_CONN_FLAG_SUSPEND_RX BIT(1) +- ++#define ISCSI_CONN_FLAG_BOUND BIT(2) + + #define ISCSI_ITT_MASK 0x1fff + #define ISCSI_TOTAL_CMDS_MAX 4096 +-- +2.35.1 + diff --git a/queue-5.15/scsi-iscsi-merge-suspend-fields.patch b/queue-5.15/scsi-iscsi-merge-suspend-fields.patch new file mode 100644 index 00000000000..f5666a7e393 --- /dev/null +++ b/queue-5.15/scsi-iscsi-merge-suspend-fields.patch @@ -0,0 +1,195 @@ +From 9c81ec53b00250ee6077c53e59a9c344ccdf2769 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:13:11 -0500 +Subject: scsi: iscsi: Merge suspend fields + +From: Mike Christie + +[ Upstream commit 5bd856256f8c03e329f8ff36d8c8efcb111fe6df ] + +Move the tx and rx suspend fields into one flags field. + +Link: https://lore.kernel.org/r/20220408001314.5014-8-michael.christie@oracle.com +Tested-by: Manish Rangankar +Reviewed-by: Lee Duncan +Reviewed-by: Chris Leech +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/bnx2i/bnx2i_hwi.c | 2 +- + drivers/scsi/bnx2i/bnx2i_iscsi.c | 2 +- + drivers/scsi/cxgbi/libcxgbi.c | 6 +++--- + drivers/scsi/libiscsi.c | 20 ++++++++++---------- + drivers/scsi/libiscsi_tcp.c | 2 +- + include/scsi/libiscsi.h | 9 +++++---- + 6 files changed, 21 insertions(+), 20 deletions(-) + +diff --git a/drivers/scsi/bnx2i/bnx2i_hwi.c b/drivers/scsi/bnx2i/bnx2i_hwi.c +index 5521469ce678..e16327a4b4c9 100644 +--- a/drivers/scsi/bnx2i/bnx2i_hwi.c ++++ b/drivers/scsi/bnx2i/bnx2i_hwi.c +@@ -1977,7 +1977,7 @@ static int bnx2i_process_new_cqes(struct bnx2i_conn *bnx2i_conn) + if (nopin->cq_req_sn != qp->cqe_exp_seq_sn) + break; + +- if (unlikely(test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_rx))) { ++ if (unlikely(test_bit(ISCSI_CONN_FLAG_SUSPEND_RX, &conn->flags))) { + if (nopin->op_code == ISCSI_OP_NOOP_IN && + nopin->itt == (u16) RESERVED_ITT) { + printk(KERN_ALERT "bnx2i: Unsolicited " +diff --git a/drivers/scsi/bnx2i/bnx2i_iscsi.c b/drivers/scsi/bnx2i/bnx2i_iscsi.c +index 1b5f3e143f07..2e5241d12dc3 100644 +--- a/drivers/scsi/bnx2i/bnx2i_iscsi.c ++++ b/drivers/scsi/bnx2i/bnx2i_iscsi.c +@@ -1721,7 +1721,7 @@ static int bnx2i_tear_down_conn(struct bnx2i_hba *hba, + struct iscsi_conn *conn = ep->conn->cls_conn->dd_data; + + /* Must suspend all rx queue activity for this ep */ +- set_bit(ISCSI_SUSPEND_BIT, &conn->suspend_rx); ++ set_bit(ISCSI_CONN_FLAG_SUSPEND_RX, &conn->flags); + } + /* CONN_DISCONNECT timeout may or may not be an issue depending + * on what transcribed in TCP layer, different targets behave +diff --git a/drivers/scsi/cxgbi/libcxgbi.c b/drivers/scsi/cxgbi/libcxgbi.c +index 8c7d4dda4cf2..4365d52c6430 100644 +--- a/drivers/scsi/cxgbi/libcxgbi.c ++++ b/drivers/scsi/cxgbi/libcxgbi.c +@@ -1634,11 +1634,11 @@ void cxgbi_conn_pdu_ready(struct cxgbi_sock *csk) + log_debug(1 << CXGBI_DBG_PDU_RX, + "csk 0x%p, conn 0x%p.\n", csk, conn); + +- if (unlikely(!conn || conn->suspend_rx)) { ++ if (unlikely(!conn || test_bit(ISCSI_CONN_FLAG_SUSPEND_RX, &conn->flags))) { + log_debug(1 << CXGBI_DBG_PDU_RX, +- "csk 0x%p, conn 0x%p, id %d, suspend_rx %lu!\n", ++ "csk 0x%p, conn 0x%p, id %d, conn flags 0x%lx!\n", + csk, conn, conn ? conn->id : 0xFF, +- conn ? conn->suspend_rx : 0xFF); ++ conn ? conn->flags : 0xFF); + return; + } + +diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c +index cbc263ec9d66..a4f26431b033 100644 +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1392,8 +1392,8 @@ static bool iscsi_set_conn_failed(struct iscsi_conn *conn) + if (conn->stop_stage == 0) + session->state = ISCSI_STATE_FAILED; + +- set_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx); +- set_bit(ISCSI_SUSPEND_BIT, &conn->suspend_rx); ++ set_bit(ISCSI_CONN_FLAG_SUSPEND_TX, &conn->flags); ++ set_bit(ISCSI_CONN_FLAG_SUSPEND_RX, &conn->flags); + return true; + } + +@@ -1454,7 +1454,7 @@ static int iscsi_xmit_task(struct iscsi_conn *conn, struct iscsi_task *task, + * Do this after dropping the extra ref because if this was a requeue + * it's removed from that list and cleanup_queued_task would miss it. + */ +- if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) { ++ if (test_bit(ISCSI_CONN_FLAG_SUSPEND_TX, &conn->flags)) { + /* + * Save the task and ref in case we weren't cleaning up this + * task and get woken up again. +@@ -1532,7 +1532,7 @@ static int iscsi_data_xmit(struct iscsi_conn *conn) + int rc = 0; + + spin_lock_bh(&conn->session->frwd_lock); +- if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) { ++ if (test_bit(ISCSI_CONN_FLAG_SUSPEND_TX, &conn->flags)) { + ISCSI_DBG_SESSION(conn->session, "Tx suspended!\n"); + spin_unlock_bh(&conn->session->frwd_lock); + return -ENODATA; +@@ -1746,7 +1746,7 @@ int iscsi_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *sc) + goto fault; + } + +- if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) { ++ if (test_bit(ISCSI_CONN_FLAG_SUSPEND_TX, &conn->flags)) { + reason = FAILURE_SESSION_IN_RECOVERY; + sc->result = DID_REQUEUE << 16; + goto fault; +@@ -1935,7 +1935,7 @@ static void fail_scsi_tasks(struct iscsi_conn *conn, u64 lun, int error) + void iscsi_suspend_queue(struct iscsi_conn *conn) + { + spin_lock_bh(&conn->session->frwd_lock); +- set_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx); ++ set_bit(ISCSI_CONN_FLAG_SUSPEND_TX, &conn->flags); + spin_unlock_bh(&conn->session->frwd_lock); + } + EXPORT_SYMBOL_GPL(iscsi_suspend_queue); +@@ -1953,7 +1953,7 @@ void iscsi_suspend_tx(struct iscsi_conn *conn) + struct Scsi_Host *shost = conn->session->host; + struct iscsi_host *ihost = shost_priv(shost); + +- set_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx); ++ set_bit(ISCSI_CONN_FLAG_SUSPEND_TX, &conn->flags); + if (ihost->workq) + flush_workqueue(ihost->workq); + } +@@ -1961,7 +1961,7 @@ EXPORT_SYMBOL_GPL(iscsi_suspend_tx); + + static void iscsi_start_tx(struct iscsi_conn *conn) + { +- clear_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx); ++ clear_bit(ISCSI_CONN_FLAG_SUSPEND_TX, &conn->flags); + iscsi_conn_queue_work(conn); + } + +@@ -3324,8 +3324,8 @@ int iscsi_conn_bind(struct iscsi_cls_session *cls_session, + /* + * Unblock xmitworker(), Login Phase will pass through. + */ +- clear_bit(ISCSI_SUSPEND_BIT, &conn->suspend_rx); +- clear_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx); ++ clear_bit(ISCSI_CONN_FLAG_SUSPEND_RX, &conn->flags); ++ clear_bit(ISCSI_CONN_FLAG_SUSPEND_TX, &conn->flags); + return 0; + } + EXPORT_SYMBOL_GPL(iscsi_conn_bind); +diff --git a/drivers/scsi/libiscsi_tcp.c b/drivers/scsi/libiscsi_tcp.c +index 2e9ffe3d1a55..883005757ddb 100644 +--- a/drivers/scsi/libiscsi_tcp.c ++++ b/drivers/scsi/libiscsi_tcp.c +@@ -927,7 +927,7 @@ int iscsi_tcp_recv_skb(struct iscsi_conn *conn, struct sk_buff *skb, + */ + conn->last_recv = jiffies; + +- if (unlikely(conn->suspend_rx)) { ++ if (unlikely(test_bit(ISCSI_CONN_FLAG_SUSPEND_RX, &conn->flags))) { + ISCSI_DBG_TCP(conn, "Rx suspended!\n"); + *status = ISCSI_TCP_SUSPENDED; + return 0; +diff --git a/include/scsi/libiscsi.h b/include/scsi/libiscsi.h +index 4ee233e5a6ff..bdb0ae11682d 100644 +--- a/include/scsi/libiscsi.h ++++ b/include/scsi/libiscsi.h +@@ -52,8 +52,10 @@ enum { + + #define ISID_SIZE 6 + +-/* Connection suspend "bit" */ +-#define ISCSI_SUSPEND_BIT 1 ++/* Connection flags */ ++#define ISCSI_CONN_FLAG_SUSPEND_TX BIT(0) ++#define ISCSI_CONN_FLAG_SUSPEND_RX BIT(1) ++ + + #define ISCSI_ITT_MASK 0x1fff + #define ISCSI_TOTAL_CMDS_MAX 4096 +@@ -199,8 +201,7 @@ struct iscsi_conn { + struct list_head cmdqueue; /* data-path cmd queue */ + struct list_head requeue; /* tasks needing another run */ + struct work_struct xmitwork; /* per-conn. xmit workqueue */ +- unsigned long suspend_tx; /* suspend Tx */ +- unsigned long suspend_rx; /* suspend Rx */ ++ unsigned long flags; /* ISCSI_CONN_FLAGs */ + + /* negotiated params */ + unsigned max_recv_dlength; /* initiator_max_recv_dsl*/ +-- +2.35.1 + diff --git a/queue-5.15/scsi-iscsi-release-endpoint-id-when-its-freed.patch b/queue-5.15/scsi-iscsi-release-endpoint-id-when-its-freed.patch new file mode 100644 index 00000000000..27c77493c33 --- /dev/null +++ b/queue-5.15/scsi-iscsi-release-endpoint-id-when-its-freed.patch @@ -0,0 +1,176 @@ +From 110f2e85859e615adfcfb9585fb29c2c552d8636 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:13:07 -0500 +Subject: scsi: iscsi: Release endpoint ID when its freed + +From: Mike Christie + +[ Upstream commit 3c6ae371b8a1ffba1fc415989fd581ebf841ed0a ] + +We can't release the endpoint ID until all references to the endpoint have +been dropped or it could be allocated while in use. This has us use an idr +instead of looping over all conns to find a free ID and then free the ID +when all references have been dropped instead of when the device is only +deleted. + +Link: https://lore.kernel.org/r/20220408001314.5014-4-michael.christie@oracle.com +Tested-by: Manish Rangankar +Reviewed-by: Lee Duncan +Reviewed-by: Chris Leech +Reviewed-by: Wu Bo +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 71 ++++++++++++++--------------- + include/scsi/scsi_transport_iscsi.h | 2 +- + 2 files changed, 36 insertions(+), 37 deletions(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index c7b1b2e8bb02..bcdfcb25349a 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -86,6 +86,9 @@ struct iscsi_internal { + struct transport_container session_cont; + }; + ++static DEFINE_IDR(iscsi_ep_idr); ++static DEFINE_MUTEX(iscsi_ep_idr_mutex); ++ + static atomic_t iscsi_session_nr; /* sysfs session id for next new session */ + static struct workqueue_struct *iscsi_eh_timer_workq; + +@@ -169,6 +172,11 @@ struct device_attribute dev_attr_##_prefix##_##_name = \ + static void iscsi_endpoint_release(struct device *dev) + { + struct iscsi_endpoint *ep = iscsi_dev_to_endpoint(dev); ++ ++ mutex_lock(&iscsi_ep_idr_mutex); ++ idr_remove(&iscsi_ep_idr, ep->id); ++ mutex_unlock(&iscsi_ep_idr_mutex); ++ + kfree(ep); + } + +@@ -181,7 +189,7 @@ static ssize_t + show_ep_handle(struct device *dev, struct device_attribute *attr, char *buf) + { + struct iscsi_endpoint *ep = iscsi_dev_to_endpoint(dev); +- return sysfs_emit(buf, "%llu\n", (unsigned long long) ep->id); ++ return sysfs_emit(buf, "%d\n", ep->id); + } + static ISCSI_ATTR(ep, handle, S_IRUGO, show_ep_handle, NULL); + +@@ -194,48 +202,32 @@ static struct attribute_group iscsi_endpoint_group = { + .attrs = iscsi_endpoint_attrs, + }; + +-#define ISCSI_MAX_EPID -1 +- +-static int iscsi_match_epid(struct device *dev, const void *data) +-{ +- struct iscsi_endpoint *ep = iscsi_dev_to_endpoint(dev); +- const uint64_t *epid = data; +- +- return *epid == ep->id; +-} +- + struct iscsi_endpoint * + iscsi_create_endpoint(int dd_size) + { +- struct device *dev; + struct iscsi_endpoint *ep; +- uint64_t id; +- int err; +- +- for (id = 1; id < ISCSI_MAX_EPID; id++) { +- dev = class_find_device(&iscsi_endpoint_class, NULL, &id, +- iscsi_match_epid); +- if (!dev) +- break; +- else +- put_device(dev); +- } +- if (id == ISCSI_MAX_EPID) { +- printk(KERN_ERR "Too many connections. Max supported %u\n", +- ISCSI_MAX_EPID - 1); +- return NULL; +- } ++ int err, id; + + ep = kzalloc(sizeof(*ep) + dd_size, GFP_KERNEL); + if (!ep) + return NULL; + ++ mutex_lock(&iscsi_ep_idr_mutex); ++ id = idr_alloc(&iscsi_ep_idr, ep, 0, -1, GFP_NOIO); ++ if (id < 0) { ++ mutex_unlock(&iscsi_ep_idr_mutex); ++ printk(KERN_ERR "Could not allocate endpoint ID. Error %d.\n", ++ id); ++ goto free_ep; ++ } ++ mutex_unlock(&iscsi_ep_idr_mutex); ++ + ep->id = id; + ep->dev.class = &iscsi_endpoint_class; +- dev_set_name(&ep->dev, "ep-%llu", (unsigned long long) id); ++ dev_set_name(&ep->dev, "ep-%d", id); + err = device_register(&ep->dev); + if (err) +- goto free_ep; ++ goto free_id; + + err = sysfs_create_group(&ep->dev.kobj, &iscsi_endpoint_group); + if (err) +@@ -249,6 +241,10 @@ iscsi_create_endpoint(int dd_size) + device_unregister(&ep->dev); + return NULL; + ++free_id: ++ mutex_lock(&iscsi_ep_idr_mutex); ++ idr_remove(&iscsi_ep_idr, id); ++ mutex_unlock(&iscsi_ep_idr_mutex); + free_ep: + kfree(ep); + return NULL; +@@ -276,14 +272,17 @@ EXPORT_SYMBOL_GPL(iscsi_put_endpoint); + */ + struct iscsi_endpoint *iscsi_lookup_endpoint(u64 handle) + { +- struct device *dev; ++ struct iscsi_endpoint *ep; + +- dev = class_find_device(&iscsi_endpoint_class, NULL, &handle, +- iscsi_match_epid); +- if (!dev) +- return NULL; ++ mutex_lock(&iscsi_ep_idr_mutex); ++ ep = idr_find(&iscsi_ep_idr, handle); ++ if (!ep) ++ goto unlock; + +- return iscsi_dev_to_endpoint(dev); ++ get_device(&ep->dev); ++unlock: ++ mutex_unlock(&iscsi_ep_idr_mutex); ++ return ep; + } + EXPORT_SYMBOL_GPL(iscsi_lookup_endpoint); + +diff --git a/include/scsi/scsi_transport_iscsi.h b/include/scsi/scsi_transport_iscsi.h +index 037c77fb5dc5..3ecf9702287b 100644 +--- a/include/scsi/scsi_transport_iscsi.h ++++ b/include/scsi/scsi_transport_iscsi.h +@@ -296,7 +296,7 @@ extern void iscsi_host_for_each_session(struct Scsi_Host *shost, + struct iscsi_endpoint { + void *dd_data; /* LLD private data */ + struct device dev; +- uint64_t id; ++ int id; + struct iscsi_cls_conn *conn; + }; + +-- +2.35.1 + diff --git a/queue-5.15/scsi-qedi-fix-failed-disconnect-handling.patch b/queue-5.15/scsi-qedi-fix-failed-disconnect-handling.patch new file mode 100644 index 00000000000..19dbee2283b --- /dev/null +++ b/queue-5.15/scsi-qedi-fix-failed-disconnect-handling.patch @@ -0,0 +1,146 @@ +From da727a6d9d5bb4749d7922a3063a062dabf070cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Apr 2022 19:13:13 -0500 +Subject: scsi: qedi: Fix failed disconnect handling + +From: Mike Christie + +[ Upstream commit 857b06527f707f5df634b854898a191b5c1d0272 ] + +We set the qedi_ep state to EP_STATE_OFLDCONN_START when the ep is +created. Then in qedi_set_path we kick off the offload work. If userspace +times out the connection and calls ep_disconnect, qedi will only flush the +offload work if the qedi_ep state has transitioned away from +EP_STATE_OFLDCONN_START. If we can't connect we will not have transitioned +state and will leave the offload work running, and we will free the qedi_ep +from under it. + +This patch just has us init the work when we create the ep, then always +flush it. + +Link: https://lore.kernel.org/r/20220408001314.5014-10-michael.christie@oracle.com +Tested-by: Manish Rangankar +Reviewed-by: Lee Duncan +Reviewed-by: Chris Leech +Acked-by: Manish Rangankar +Signed-off-by: Mike Christie +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qedi/qedi_iscsi.c | 69 +++++++++++++++++----------------- + 1 file changed, 34 insertions(+), 35 deletions(-) + +diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c +index c5260429c637..04b40a6c1aff 100644 +--- a/drivers/scsi/qedi/qedi_iscsi.c ++++ b/drivers/scsi/qedi/qedi_iscsi.c +@@ -859,6 +859,37 @@ static int qedi_task_xmit(struct iscsi_task *task) + return qedi_iscsi_send_ioreq(task); + } + ++static void qedi_offload_work(struct work_struct *work) ++{ ++ struct qedi_endpoint *qedi_ep = ++ container_of(work, struct qedi_endpoint, offload_work); ++ struct qedi_ctx *qedi; ++ int wait_delay = 5 * HZ; ++ int ret; ++ ++ qedi = qedi_ep->qedi; ++ ++ ret = qedi_iscsi_offload_conn(qedi_ep); ++ if (ret) { ++ QEDI_ERR(&qedi->dbg_ctx, ++ "offload error: iscsi_cid=%u, qedi_ep=%p, ret=%d\n", ++ qedi_ep->iscsi_cid, qedi_ep, ret); ++ qedi_ep->state = EP_STATE_OFLDCONN_FAILED; ++ return; ++ } ++ ++ ret = wait_event_interruptible_timeout(qedi_ep->tcp_ofld_wait, ++ (qedi_ep->state == ++ EP_STATE_OFLDCONN_COMPL), ++ wait_delay); ++ if (ret <= 0 || qedi_ep->state != EP_STATE_OFLDCONN_COMPL) { ++ qedi_ep->state = EP_STATE_OFLDCONN_FAILED; ++ QEDI_ERR(&qedi->dbg_ctx, ++ "Offload conn TIMEOUT iscsi_cid=%u, qedi_ep=%p\n", ++ qedi_ep->iscsi_cid, qedi_ep); ++ } ++} ++ + static struct iscsi_endpoint * + qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr, + int non_blocking) +@@ -907,6 +938,7 @@ qedi_ep_connect(struct Scsi_Host *shost, struct sockaddr *dst_addr, + } + qedi_ep = ep->dd_data; + memset(qedi_ep, 0, sizeof(struct qedi_endpoint)); ++ INIT_WORK(&qedi_ep->offload_work, qedi_offload_work); + qedi_ep->state = EP_STATE_IDLE; + qedi_ep->iscsi_cid = (u32)-1; + qedi_ep->qedi = qedi; +@@ -1055,12 +1087,11 @@ static void qedi_ep_disconnect(struct iscsi_endpoint *ep) + qedi_ep = ep->dd_data; + qedi = qedi_ep->qedi; + ++ flush_work(&qedi_ep->offload_work); ++ + if (qedi_ep->state == EP_STATE_OFLDCONN_START) + goto ep_exit_recover; + +- if (qedi_ep->state != EP_STATE_OFLDCONN_NONE) +- flush_work(&qedi_ep->offload_work); +- + if (qedi_ep->conn) { + qedi_conn = qedi_ep->conn; + abrt_conn = qedi_conn->abrt_conn; +@@ -1234,37 +1265,6 @@ static int qedi_data_avail(struct qedi_ctx *qedi, u16 vlanid) + return rc; + } + +-static void qedi_offload_work(struct work_struct *work) +-{ +- struct qedi_endpoint *qedi_ep = +- container_of(work, struct qedi_endpoint, offload_work); +- struct qedi_ctx *qedi; +- int wait_delay = 5 * HZ; +- int ret; +- +- qedi = qedi_ep->qedi; +- +- ret = qedi_iscsi_offload_conn(qedi_ep); +- if (ret) { +- QEDI_ERR(&qedi->dbg_ctx, +- "offload error: iscsi_cid=%u, qedi_ep=%p, ret=%d\n", +- qedi_ep->iscsi_cid, qedi_ep, ret); +- qedi_ep->state = EP_STATE_OFLDCONN_FAILED; +- return; +- } +- +- ret = wait_event_interruptible_timeout(qedi_ep->tcp_ofld_wait, +- (qedi_ep->state == +- EP_STATE_OFLDCONN_COMPL), +- wait_delay); +- if ((ret <= 0) || (qedi_ep->state != EP_STATE_OFLDCONN_COMPL)) { +- qedi_ep->state = EP_STATE_OFLDCONN_FAILED; +- QEDI_ERR(&qedi->dbg_ctx, +- "Offload conn TIMEOUT iscsi_cid=%u, qedi_ep=%p\n", +- qedi_ep->iscsi_cid, qedi_ep); +- } +-} +- + static int qedi_set_path(struct Scsi_Host *shost, struct iscsi_path *path_data) + { + struct qedi_ctx *qedi; +@@ -1380,7 +1380,6 @@ static int qedi_set_path(struct Scsi_Host *shost, struct iscsi_path *path_data) + qedi_ep->dst_addr, qedi_ep->dst_port); + } + +- INIT_WORK(&qedi_ep->offload_work, qedi_offload_work); + queue_work(qedi->offload_thread, &qedi_ep->offload_work); + + ret = 0; +-- +2.35.1 + diff --git a/queue-5.15/selftests-mlxsw-vxlan_flooding-prevent-flooding-of-u.patch b/queue-5.15/selftests-mlxsw-vxlan_flooding-prevent-flooding-of-u.patch new file mode 100644 index 00000000000..5b2ebef3fe7 --- /dev/null +++ b/queue-5.15/selftests-mlxsw-vxlan_flooding-prevent-flooding-of-u.patch @@ -0,0 +1,71 @@ +From 83bfe531381e954665f956b95105d6020210f554 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Apr 2022 16:51:54 +0300 +Subject: selftests: mlxsw: vxlan_flooding: Prevent flooding of unwanted + packets + +From: Ido Schimmel + +[ Upstream commit 044011fdf162c5dd61c02841930c8f438a9adadb ] + +The test verifies that packets are correctly flooded by the bridge and +the VXLAN device by matching on the encapsulated packets at the other +end. However, if packets other than those generated by the test also +ingress the bridge (e.g., MLD packets), they will be flooded as well and +interfere with the expected count. + +Make the test more robust by making sure that only the packets generated +by the test can ingress the bridge. Drop all the rest using tc filters +on the egress of 'br0' and 'h1'. + +In the software data path, the problem can be solved by matching on the +inner destination MAC or dropping unwanted packets at the egress of the +VXLAN device, but this is not currently supported by mlxsw. + +Fixes: 94d302deae25 ("selftests: mlxsw: Add a test for VxLAN flooding") +Signed-off-by: Ido Schimmel +Reviewed-by: Amit Cohen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../drivers/net/mlxsw/vxlan_flooding.sh | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/tools/testing/selftests/drivers/net/mlxsw/vxlan_flooding.sh b/tools/testing/selftests/drivers/net/mlxsw/vxlan_flooding.sh +index fedcb7b35af9..af5ea50ed5c0 100755 +--- a/tools/testing/selftests/drivers/net/mlxsw/vxlan_flooding.sh ++++ b/tools/testing/selftests/drivers/net/mlxsw/vxlan_flooding.sh +@@ -172,6 +172,17 @@ flooding_filters_add() + local lsb + local i + ++ # Prevent unwanted packets from entering the bridge and interfering ++ # with the test. ++ tc qdisc add dev br0 clsact ++ tc filter add dev br0 egress protocol all pref 1 handle 1 \ ++ matchall skip_hw action drop ++ tc qdisc add dev $h1 clsact ++ tc filter add dev $h1 egress protocol all pref 1 handle 1 \ ++ flower skip_hw dst_mac de:ad:be:ef:13:37 action pass ++ tc filter add dev $h1 egress protocol all pref 2 handle 2 \ ++ matchall skip_hw action drop ++ + tc qdisc add dev $rp2 clsact + + for i in $(eval echo {1..$num_remotes}); do +@@ -194,6 +205,12 @@ flooding_filters_del() + done + + tc qdisc del dev $rp2 clsact ++ ++ tc filter del dev $h1 egress protocol all pref 2 handle 2 matchall ++ tc filter del dev $h1 egress protocol all pref 1 handle 1 flower ++ tc qdisc del dev $h1 clsact ++ tc filter del dev br0 egress protocol all pref 1 handle 1 matchall ++ tc qdisc del dev br0 clsact + } + + flooding_check_packets() +-- +2.35.1 + diff --git a/queue-5.15/series b/queue-5.15/series index 5b92244833c..f86bbf7bb68 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -14,3 +14,63 @@ scsi-ufs-core-scsi_get_lba-error-fix.patch net-sched-cls_u32-fix-netns-refcount-changes-in-u32_change.patch alsa-usb-audio-clear-midi-port-active-flag-after-draining.patch alsa-hda-realtek-add-quirk-for-clevo-np70pnp.patch +asoc-atmel-remove-system-clock-tree-configuration-fo.patch +asoc-topology-correct-error-handling-in-soc_tplg_dap.patch +asoc-rk817-use-devm_clk_get-in-rk817_platform_probe.patch +asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch +asoc-codecs-wcd934x-do-not-switch-off-sido-buck-when.patch +dmaengine-idxd-fix-device-cleanup-on-disable.patch +dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch +dmaengine-mediatek-fix-pm-usage-reference-leak-of-mt.patch +dmaengine-dw-edma-fix-unaligned-64bit-access.patch +spi-spi-mtk-nor-initialize-spi-controller-after-resu.patch +esp-limit-skb_page_frag_refill-use-to-a-single-page.patch +spi-cadence-quadspi-fix-incorrect-supports_op-return.patch +igc-fix-infinite-loop-in-release_swfw_sync.patch +igc-fix-bug-scheduling-while-atomic.patch +igc-fix-suspending-when-ptm-is-active.patch +alsa-hda-hdmi-fix-warning-about-pcm-count-when-used-.patch +rxrpc-restore-removed-timer-deletion.patch +net-smc-fix-sock-leak-when-release-after-smc_shutdow.patch +net-packet-fix-packet_sock-xmit-return-value-checkin.patch +ip6_gre-avoid-updating-tunnel-tun_hlen-in-__gre6_xmi.patch +ip6_gre-fix-skb_under_panic-in-__gre6_xmit.patch +net-restore-alpha-order-to-ethernet-devices-in-confi.patch +net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch +l3mdev-l3mdev_master_upper_ifindex_by_index_rcu-shou.patch +ipv6-make-ip6_rt_gc_expire-an-atomic_t.patch +can-isotp-stop-timeout-monitoring-when-no-first-fram.patch +net-dsa-hellcreek-calculate-checksums-in-tagger.patch +net-mscc-ocelot-fix-broken-ip-multicast-flooding.patch +netlink-reset-network-and-mac-headers-in-netlink_dum.patch +drm-i915-display-psr-unset-enable_psr2_sel_fetch-if-.patch +net-stmmac-use-readl_poll_timeout_atomic-in-atomic-s.patch +dmaengine-idxd-add-ro-check-for-wq-max_batch_size-wr.patch +dmaengine-idxd-add-ro-check-for-wq-max_transfer_size.patch +dmaengine-idxd-skip-clearing-device-context-when-dev.patch +selftests-mlxsw-vxlan_flooding-prevent-flooding-of-u.patch +arm64-mm-fix-p-d_leaf.patch +arm-vexpress-spc-avoid-negative-array-index-when-smp.patch +reset-renesas-check-return-value-of-reset_control_de.patch +reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch +platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch +alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch +drm-msm-disp-check-the-return-value-of-kzalloc.patch +arm64-dts-imx-fix-imx8-var-som-touchscreen-property-.patch +vxlan-fix-error-return-code-in-vxlan_fdb_append.patch +cifs-check-the-iocb_direct-flag-not-o_direct.patch +net-atlantic-avoid-out-of-bounds-indexing.patch +mt76-fix-undefined-behavior-due-to-shift-overflowing.patch +brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch +dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch +drm-msm-mdp5-check-the-return-of-kzalloc.patch +net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch +scsi-iscsi-release-endpoint-id-when-its-freed.patch +scsi-iscsi-merge-suspend-fields.patch +scsi-iscsi-fix-nop-handling-during-conn-recovery.patch +scsi-qedi-fix-failed-disconnect-handling.patch +stat-fix-inconsistency-between-struct-stat-and-struc.patch +vfs-filename_create-fix-incorrect-intent.patch +nvme-add-a-quirk-to-disable-namespace-identifiers.patch +nvme-pci-disable-namespace-identifiers-for-the-maxio.patch +nvme-pci-disable-namespace-identifiers-for-qemu-cont.patch diff --git a/queue-5.15/spi-cadence-quadspi-fix-incorrect-supports_op-return.patch b/queue-5.15/spi-cadence-quadspi-fix-incorrect-supports_op-return.patch new file mode 100644 index 00000000000..5fab2cb5660 --- /dev/null +++ b/queue-5.15/spi-cadence-quadspi-fix-incorrect-supports_op-return.patch @@ -0,0 +1,63 @@ +From f56d18830151c1aa07a5d260a21f274bc0fa584f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 15:28:32 +0200 +Subject: spi: cadence-quadspi: fix incorrect supports_op() return value + +From: Matthias Schiffer + +[ Upstream commit f1d388f216aeb41a5df518815ae559d14a6d438e ] + +Since the conversion to spi-mem, the driver advertised support for +various operations that cqspi_set_protocol() was never expected to handle +correctly - in particuar all non-DTR operations with command or address +buswidth > 1. For DTR, all operations except for 8-8-8 would fail, as +cqspi_set_protocol() returns -EINVAL. + +In non-DTR mode, this resulted in data corruption for SPI-NOR flashes that +support such operations. As a minimal fix that can be backported to stable +kernels, simply disallow the unsupported operations again to avoid this +issue. + +Fixes: a314f6367787 ("mtd: spi-nor: Convert cadence-quadspi to use spi-mem framework") +Signed-off-by: Matthias Schiffer +Link: https://lore.kernel.org/r/20220406132832.199777-1-matthias.schiffer@ew.tq-group.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-cadence-quadspi.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c +index 1a6294a06e72..75680eecd2f7 100644 +--- a/drivers/spi/spi-cadence-quadspi.c ++++ b/drivers/spi/spi-cadence-quadspi.c +@@ -1226,9 +1226,24 @@ static bool cqspi_supports_mem_op(struct spi_mem *mem, + all_false = !op->cmd.dtr && !op->addr.dtr && !op->dummy.dtr && + !op->data.dtr; + +- /* Mixed DTR modes not supported. */ +- if (!(all_true || all_false)) ++ if (all_true) { ++ /* Right now we only support 8-8-8 DTR mode. */ ++ if (op->cmd.nbytes && op->cmd.buswidth != 8) ++ return false; ++ if (op->addr.nbytes && op->addr.buswidth != 8) ++ return false; ++ if (op->data.nbytes && op->data.buswidth != 8) ++ return false; ++ } else if (all_false) { ++ /* Only 1-1-X ops are supported without DTR */ ++ if (op->cmd.nbytes && op->cmd.buswidth > 1) ++ return false; ++ if (op->addr.nbytes && op->addr.buswidth > 1) ++ return false; ++ } else { ++ /* Mixed DTR modes are not supported. */ + return false; ++ } + + if (all_true) + return spi_mem_dtr_supports_op(mem, op); +-- +2.35.1 + diff --git a/queue-5.15/spi-spi-mtk-nor-initialize-spi-controller-after-resu.patch b/queue-5.15/spi-spi-mtk-nor-initialize-spi-controller-after-resu.patch new file mode 100644 index 00000000000..13cc7697934 --- /dev/null +++ b/queue-5.15/spi-spi-mtk-nor-initialize-spi-controller-after-resu.patch @@ -0,0 +1,53 @@ +From 66beb0c72aa103e741f5529d876b4e06534a38f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 19:57:43 +0800 +Subject: spi: spi-mtk-nor: initialize spi controller after resume + +From: Allen-KH Cheng + +[ Upstream commit 317c2045618cc1f8d38beb8c93a7bdb6ad8638c6 ] + +After system resumes, the registers of nor controller are +initialized with default values. The nor controller will +not function properly. + +To handle both issues above, we add mtk_nor_init() in +mtk_nor_resume after pm_runtime_force_resume(). + +Fixes: 3bfd9103c7af ("spi: spi-mtk-nor: Add power management support") + +Signed-off-by: Allen-KH Cheng +Reviewed-by: Rex-BC Chen +Link: https://lore.kernel.org/r/20220412115743.22641-1-allen-kh.cheng@mediatek.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-mtk-nor.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-mtk-nor.c b/drivers/spi/spi-mtk-nor.c +index 5c93730615f8..6d203477c04b 100644 +--- a/drivers/spi/spi-mtk-nor.c ++++ b/drivers/spi/spi-mtk-nor.c +@@ -909,7 +909,17 @@ static int __maybe_unused mtk_nor_suspend(struct device *dev) + + static int __maybe_unused mtk_nor_resume(struct device *dev) + { +- return pm_runtime_force_resume(dev); ++ struct spi_controller *ctlr = dev_get_drvdata(dev); ++ struct mtk_nor *sp = spi_controller_get_devdata(ctlr); ++ int ret; ++ ++ ret = pm_runtime_force_resume(dev); ++ if (ret) ++ return ret; ++ ++ mtk_nor_init(sp); ++ ++ return 0; + } + + static const struct dev_pm_ops mtk_nor_pm_ops = { +-- +2.35.1 + diff --git a/queue-5.15/stat-fix-inconsistency-between-struct-stat-and-struc.patch b/queue-5.15/stat-fix-inconsistency-between-struct-stat-and-struc.patch new file mode 100644 index 00000000000..281485c1763 --- /dev/null +++ b/queue-5.15/stat-fix-inconsistency-between-struct-stat-and-struc.patch @@ -0,0 +1,138 @@ +From 4ad9c70bd198d99e41b7dc31ac38d796e0431355 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 05:41:00 -0400 +Subject: stat: fix inconsistency between struct stat and struct compat_stat + +From: Mikulas Patocka + +[ Upstream commit 932aba1e169090357a77af18850a10c256b50819 ] + +struct stat (defined in arch/x86/include/uapi/asm/stat.h) has 32-bit +st_dev and st_rdev; struct compat_stat (defined in +arch/x86/include/asm/compat.h) has 16-bit st_dev and st_rdev followed by +a 16-bit padding. + +This patch fixes struct compat_stat to match struct stat. + +[ Historical note: the old x86 'struct stat' did have that 16-bit field + that the compat layer had kept around, but it was changes back in 2003 + by "struct stat - support larger dev_t": + + https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=e95b2065677fe32512a597a79db94b77b90c968d + + and back in those days, the x86_64 port was still new, and separate + from the i386 code, and had already picked up the old version with a + 16-bit st_dev field ] + +Note that we can't change compat_dev_t because it is used by +compat_loop_info. + +Also, if the st_dev and st_rdev values are 32-bit, we don't have to use +old_valid_dev to test if the value fits into them. This fixes +-EOVERFLOW on filesystems that are on NVMe because NVMe uses the major +number 259. + +Signed-off-by: Mikulas Patocka +Cc: Andreas Schwab +Cc: Matthew Wilcox +Cc: Christoph Hellwig +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/compat.h | 6 ++---- + fs/stat.c | 19 ++++++++++--------- + 2 files changed, 12 insertions(+), 13 deletions(-) + +diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h +index 7516e4199b3c..20fd0acd7d80 100644 +--- a/arch/x86/include/asm/compat.h ++++ b/arch/x86/include/asm/compat.h +@@ -28,15 +28,13 @@ typedef u16 compat_ipc_pid_t; + typedef __kernel_fsid_t compat_fsid_t; + + struct compat_stat { +- compat_dev_t st_dev; +- u16 __pad1; ++ u32 st_dev; + compat_ino_t st_ino; + compat_mode_t st_mode; + compat_nlink_t st_nlink; + __compat_uid_t st_uid; + __compat_gid_t st_gid; +- compat_dev_t st_rdev; +- u16 __pad2; ++ u32 st_rdev; + u32 st_size; + u32 st_blksize; + u32 st_blocks; +diff --git a/fs/stat.c b/fs/stat.c +index 28d2020ba1f4..246d138ec066 100644 +--- a/fs/stat.c ++++ b/fs/stat.c +@@ -334,9 +334,6 @@ SYSCALL_DEFINE2(fstat, unsigned int, fd, struct __old_kernel_stat __user *, stat + # define choose_32_64(a,b) b + #endif + +-#define valid_dev(x) choose_32_64(old_valid_dev(x),true) +-#define encode_dev(x) choose_32_64(old_encode_dev,new_encode_dev)(x) +- + #ifndef INIT_STRUCT_STAT_PADDING + # define INIT_STRUCT_STAT_PADDING(st) memset(&st, 0, sizeof(st)) + #endif +@@ -345,7 +342,9 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf) + { + struct stat tmp; + +- if (!valid_dev(stat->dev) || !valid_dev(stat->rdev)) ++ if (sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev)) ++ return -EOVERFLOW; ++ if (sizeof(tmp.st_rdev) < 4 && !old_valid_dev(stat->rdev)) + return -EOVERFLOW; + #if BITS_PER_LONG == 32 + if (stat->size > MAX_NON_LFS) +@@ -353,7 +352,7 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf) + #endif + + INIT_STRUCT_STAT_PADDING(tmp); +- tmp.st_dev = encode_dev(stat->dev); ++ tmp.st_dev = new_encode_dev(stat->dev); + tmp.st_ino = stat->ino; + if (sizeof(tmp.st_ino) < sizeof(stat->ino) && tmp.st_ino != stat->ino) + return -EOVERFLOW; +@@ -363,7 +362,7 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf) + return -EOVERFLOW; + SET_UID(tmp.st_uid, from_kuid_munged(current_user_ns(), stat->uid)); + SET_GID(tmp.st_gid, from_kgid_munged(current_user_ns(), stat->gid)); +- tmp.st_rdev = encode_dev(stat->rdev); ++ tmp.st_rdev = new_encode_dev(stat->rdev); + tmp.st_size = stat->size; + tmp.st_atime = stat->atime.tv_sec; + tmp.st_mtime = stat->mtime.tv_sec; +@@ -644,11 +643,13 @@ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf) + { + struct compat_stat tmp; + +- if (!old_valid_dev(stat->dev) || !old_valid_dev(stat->rdev)) ++ if (sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev)) ++ return -EOVERFLOW; ++ if (sizeof(tmp.st_rdev) < 4 && !old_valid_dev(stat->rdev)) + return -EOVERFLOW; + + memset(&tmp, 0, sizeof(tmp)); +- tmp.st_dev = old_encode_dev(stat->dev); ++ tmp.st_dev = new_encode_dev(stat->dev); + tmp.st_ino = stat->ino; + if (sizeof(tmp.st_ino) < sizeof(stat->ino) && tmp.st_ino != stat->ino) + return -EOVERFLOW; +@@ -658,7 +659,7 @@ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf) + return -EOVERFLOW; + SET_UID(tmp.st_uid, from_kuid_munged(current_user_ns(), stat->uid)); + SET_GID(tmp.st_gid, from_kgid_munged(current_user_ns(), stat->gid)); +- tmp.st_rdev = old_encode_dev(stat->rdev); ++ tmp.st_rdev = new_encode_dev(stat->rdev); + if ((u64) stat->size > MAX_NON_LFS) + return -EOVERFLOW; + tmp.st_size = stat->size; +-- +2.35.1 + diff --git a/queue-5.15/vfs-filename_create-fix-incorrect-intent.patch b/queue-5.15/vfs-filename_create-fix-incorrect-intent.patch new file mode 100644 index 00000000000..791abfa93d1 --- /dev/null +++ b/queue-5.15/vfs-filename_create-fix-incorrect-intent.patch @@ -0,0 +1,108 @@ +From 93f0b7b896fe7b5e7892273a6459f9b5155e28c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Apr 2022 13:57:35 +1000 +Subject: VFS: filename_create(): fix incorrect intent. + +From: NeilBrown + +[ Upstream commit b3d4650d82c71b9c9a8184de9e8bb656012b289e ] + +When asked to create a path ending '/', but which is not to be a +directory (LOOKUP_DIRECTORY not set), filename_create() will never try +to create the file. If it doesn't exist, -ENOENT is reported. + +However, it still passes LOOKUP_CREATE|LOOKUP_EXCL to the filesystems +->lookup() function, even though there is no intent to create. This is +misleading and can cause incorrect behaviour. + +If you try + + ln -s foo /path/dir/ + +where 'dir' is a directory on an NFS filesystem which is not currently +known in the dcache, this will fail with ENOENT. + +But as the name is not in the dcache, nfs_lookup gets called with +LOOKUP_CREATE|LOOKUP_EXCL and so it returns NULL without performing any +lookup, with the expectation that a subsequent call to create the target +will be made, and the lookup can be combined with the creation. In the +case with a trailing '/' and no LOOKUP_DIRECTORY, that call is never +made. Instead filename_create() sees that the dentry is not (yet) +positive and returns -ENOENT - even though the directory actually +exists. + +So only set LOOKUP_CREATE|LOOKUP_EXCL if there really is an intent to +create, and use the absence of these flags to decide if -ENOENT should +be returned. + +Note that filename_parentat() is only interested in LOOKUP_REVAL, so we +split that out and store it in 'reval_flag'. __lookup_hash() then gets +reval_flag combined with whatever create flags were determined to be +needed. + +Reviewed-by: David Disseldorp +Reviewed-by: Jeff Layton +Signed-off-by: NeilBrown +Cc: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/namei.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/fs/namei.c b/fs/namei.c +index 3bb65f48fe1d..8882a70dc119 100644 +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -3625,18 +3625,14 @@ static struct dentry *filename_create(int dfd, struct filename *name, + { + struct dentry *dentry = ERR_PTR(-EEXIST); + struct qstr last; ++ bool want_dir = lookup_flags & LOOKUP_DIRECTORY; ++ unsigned int reval_flag = lookup_flags & LOOKUP_REVAL; ++ unsigned int create_flags = LOOKUP_CREATE | LOOKUP_EXCL; + int type; + int err2; + int error; +- bool is_dir = (lookup_flags & LOOKUP_DIRECTORY); + +- /* +- * Note that only LOOKUP_REVAL and LOOKUP_DIRECTORY matter here. Any +- * other flags passed in are ignored! +- */ +- lookup_flags &= LOOKUP_REVAL; +- +- error = filename_parentat(dfd, name, lookup_flags, path, &last, &type); ++ error = filename_parentat(dfd, name, reval_flag, path, &last, &type); + if (error) + return ERR_PTR(error); + +@@ -3650,11 +3646,13 @@ static struct dentry *filename_create(int dfd, struct filename *name, + /* don't fail immediately if it's r/o, at least try to report other errors */ + err2 = mnt_want_write(path->mnt); + /* +- * Do the final lookup. ++ * Do the final lookup. Suppress 'create' if there is a trailing ++ * '/', and a directory wasn't requested. + */ +- lookup_flags |= LOOKUP_CREATE | LOOKUP_EXCL; ++ if (last.name[last.len] && !want_dir) ++ create_flags = 0; + inode_lock_nested(path->dentry->d_inode, I_MUTEX_PARENT); +- dentry = __lookup_hash(&last, path->dentry, lookup_flags); ++ dentry = __lookup_hash(&last, path->dentry, reval_flag | create_flags); + if (IS_ERR(dentry)) + goto unlock; + +@@ -3668,7 +3666,7 @@ static struct dentry *filename_create(int dfd, struct filename *name, + * all is fine. Let's be bastards - you had / on the end, you've + * been asking for (non-existent) directory. -ENOENT for you. + */ +- if (unlikely(!is_dir && last.name[last.len])) { ++ if (unlikely(!create_flags)) { + error = -ENOENT; + goto fail; + } +-- +2.35.1 + diff --git a/queue-5.15/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch b/queue-5.15/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch new file mode 100644 index 00000000000..f7b926cdbd5 --- /dev/null +++ b/queue-5.15/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch @@ -0,0 +1,40 @@ +From 1ba809e6b488ba8d13a7c000f6469dcf9563659a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Apr 2022 22:46:22 -0400 +Subject: vxlan: fix error return code in vxlan_fdb_append + +From: Hongbin Wang + +[ Upstream commit 7cea5560bf656b84f9ed01c0cc829d4eecd0640b ] + +When kmalloc and dst_cache_init failed, +should return ENOMEM rather than ENOBUFS. + +Signed-off-by: Hongbin Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 141635a35c28..129e270e9a7c 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -711,11 +711,11 @@ static int vxlan_fdb_append(struct vxlan_fdb *f, + + rd = kmalloc(sizeof(*rd), GFP_ATOMIC); + if (rd == NULL) +- return -ENOBUFS; ++ return -ENOMEM; + + if (dst_cache_init(&rd->dst_cache, GFP_ATOMIC)) { + kfree(rd); +- return -ENOBUFS; ++ return -ENOMEM; + } + + rd->remote_ip = *ip; +-- +2.35.1 +