From: Greg Kroah-Hartman Date: Mon, 13 Jun 2022 08:11:38 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v4.9.318~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d72551196aa4232ae8732d1dd73a102d2aea82f4;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: cpuidle-intel_idle-fix-cpuidle_flag_irq_enable.patch drm-amdgpu-jpeg2-add-jpeg-vmid-update-under-ib-submit.patch drm-amdgpu-update-vcn-codec-support-for-yellow-carp.patch drm-ast-create-threshold-values-for-ast2600.patch drm-atomic-force-bridge-self-refresh-exit-on-crtc-switch.patch drm-bridge-analogix_dp-support-psr-exit-to-disable-transition.patch input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch ixgbe-fix-bcast-packets-rx-on-vf-after-promisc-removal.patch ixgbe-fix-unexpected-vlan-rx-in-promisc-mode-on-vf.patch mm-huge_memory-fix-xarray-node-memory-leak.patch nfc-st21nfca-fix-incorrect-sizing-calculations-in-evt_transaction.patch nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch powerpc-32-fix-overread-overwrite-of-thread_struct-via-ptrace.patch powerpc-don-t-select-have_irq_exit_on_irq_stack.patch vduse-fix-null-pointer-dereference-on-sysfs-access.patch virtio-rng-make-device-ready-before-making-request.patch --- diff --git a/queue-5.17/cpuidle-intel_idle-fix-cpuidle_flag_irq_enable.patch b/queue-5.17/cpuidle-intel_idle-fix-cpuidle_flag_irq_enable.patch new file mode 100644 index 00000000000..cf4eb037587 --- /dev/null +++ b/queue-5.17/cpuidle-intel_idle-fix-cpuidle_flag_irq_enable.patch @@ -0,0 +1,85 @@ +From 32d4fd5751eadbe1823a37eb38df85ec5c8e6207 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Wed, 8 Jun 2022 16:27:27 +0200 +Subject: cpuidle,intel_idle: Fix CPUIDLE_FLAG_IRQ_ENABLE + +From: Peter Zijlstra + +commit 32d4fd5751eadbe1823a37eb38df85ec5c8e6207 upstream. + +Commit c227233ad64c ("intel_idle: enable interrupts before C1 on +Xeons") wrecked intel_idle in two ways: + + - must not have tracing in idle functions + - must return with IRQs disabled + +Additionally, it added a branch for no good reason. + +Fixes: c227233ad64c ("intel_idle: enable interrupts before C1 on Xeons") +Signed-off-by: Peter Zijlstra (Intel) +[ rjw: Moved the intel_idle() kerneldoc comment next to the function ] +Cc: 5.16+ # 5.16+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/idle/intel_idle.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +--- a/drivers/idle/intel_idle.c ++++ b/drivers/idle/intel_idle.c +@@ -109,6 +109,18 @@ static unsigned int mwait_substates __in + #define flg2MWAIT(flags) (((flags) >> 24) & 0xFF) + #define MWAIT2flg(eax) ((eax & 0xFF) << 24) + ++static __always_inline int __intel_idle(struct cpuidle_device *dev, ++ struct cpuidle_driver *drv, int index) ++{ ++ struct cpuidle_state *state = &drv->states[index]; ++ unsigned long eax = flg2MWAIT(state->flags); ++ unsigned long ecx = 1; /* break on interrupt flag */ ++ ++ mwait_idle_with_hints(eax, ecx); ++ ++ return index; ++} ++ + /** + * intel_idle - Ask the processor to enter the given idle state. + * @dev: cpuidle device of the target CPU. +@@ -129,16 +141,19 @@ static unsigned int mwait_substates __in + static __cpuidle int intel_idle(struct cpuidle_device *dev, + struct cpuidle_driver *drv, int index) + { +- struct cpuidle_state *state = &drv->states[index]; +- unsigned long eax = flg2MWAIT(state->flags); +- unsigned long ecx = 1; /* break on interrupt flag */ ++ return __intel_idle(dev, drv, index); ++} + +- if (state->flags & CPUIDLE_FLAG_IRQ_ENABLE) +- local_irq_enable(); ++static __cpuidle int intel_idle_irq(struct cpuidle_device *dev, ++ struct cpuidle_driver *drv, int index) ++{ ++ int ret; + +- mwait_idle_with_hints(eax, ecx); ++ raw_local_irq_enable(); ++ ret = __intel_idle(dev, drv, index); ++ raw_local_irq_disable(); + +- return index; ++ return ret; + } + + /** +@@ -1583,6 +1598,9 @@ static void __init intel_idle_init_cstat + /* Structure copy. */ + drv->states[drv->state_count] = cpuidle_state_table[cstate]; + ++ if (cpuidle_state_table[cstate].flags & CPUIDLE_FLAG_IRQ_ENABLE) ++ drv->states[drv->state_count].enter = intel_idle_irq; ++ + if ((disabled_states_mask & BIT(drv->state_count)) || + ((icpu->use_acpi || force_use_acpi) && + intel_idle_off_by_default(mwait_hint) && diff --git a/queue-5.17/drm-amdgpu-jpeg2-add-jpeg-vmid-update-under-ib-submit.patch b/queue-5.17/drm-amdgpu-jpeg2-add-jpeg-vmid-update-under-ib-submit.patch new file mode 100644 index 00000000000..8089f70f007 --- /dev/null +++ b/queue-5.17/drm-amdgpu-jpeg2-add-jpeg-vmid-update-under-ib-submit.patch @@ -0,0 +1,57 @@ +From 578eb31776df57c81307fb3f96ef0781332c3c7c Mon Sep 17 00:00:00 2001 +From: Mohammad Zafar Ziya +Date: Tue, 7 Jun 2022 11:38:16 +0800 +Subject: drm/amdgpu/jpeg2: Add jpeg vmid update under IB submit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mohammad Zafar Ziya + +commit 578eb31776df57c81307fb3f96ef0781332c3c7c upstream. + +Add jpeg vmid update under IB submit + +Signed-off-by: Mohammad Zafar Ziya +Acked-by: Christian König +Reviewed-by: Lijo Lazar +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c | 6 +++++- + drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.h | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.c +@@ -535,6 +535,10 @@ void jpeg_v2_0_dec_ring_emit_ib(struct a + { + unsigned vmid = AMDGPU_JOB_GET_VMID(job); + ++ amdgpu_ring_write(ring, PACKETJ(mmUVD_JPEG_IH_CTRL_INTERNAL_OFFSET, ++ 0, 0, PACKETJ_TYPE0)); ++ amdgpu_ring_write(ring, (vmid << JPEG_IH_CTRL__IH_VMID__SHIFT)); ++ + amdgpu_ring_write(ring, PACKETJ(mmUVD_LMI_JRBC_IB_VMID_INTERNAL_OFFSET, + 0, 0, PACKETJ_TYPE0)); + amdgpu_ring_write(ring, (vmid | (vmid << 4))); +@@ -768,7 +772,7 @@ static const struct amdgpu_ring_funcs jp + 8 + /* jpeg_v2_0_dec_ring_emit_vm_flush */ + 18 + 18 + /* jpeg_v2_0_dec_ring_emit_fence x2 vm fence */ + 8 + 16, +- .emit_ib_size = 22, /* jpeg_v2_0_dec_ring_emit_ib */ ++ .emit_ib_size = 24, /* jpeg_v2_0_dec_ring_emit_ib */ + .emit_ib = jpeg_v2_0_dec_ring_emit_ib, + .emit_fence = jpeg_v2_0_dec_ring_emit_fence, + .emit_vm_flush = jpeg_v2_0_dec_ring_emit_vm_flush, +--- a/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.h ++++ b/drivers/gpu/drm/amd/amdgpu/jpeg_v2_0.h +@@ -41,6 +41,7 @@ + #define mmUVD_JRBC_RB_REF_DATA_INTERNAL_OFFSET 0x4084 + #define mmUVD_JRBC_STATUS_INTERNAL_OFFSET 0x4089 + #define mmUVD_JPEG_PITCH_INTERNAL_OFFSET 0x401f ++#define mmUVD_JPEG_IH_CTRL_INTERNAL_OFFSET 0x4149 + + #define JRBC_DEC_EXTERNAL_REG_WRITE_ADDR 0x18000 + diff --git a/queue-5.17/drm-amdgpu-update-vcn-codec-support-for-yellow-carp.patch b/queue-5.17/drm-amdgpu-update-vcn-codec-support-for-yellow-carp.patch new file mode 100644 index 00000000000..370d170a9da --- /dev/null +++ b/queue-5.17/drm-amdgpu-update-vcn-codec-support-for-yellow-carp.patch @@ -0,0 +1,33 @@ +From 97e50305542f384741a5b45699aba349fe9fca73 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 26 May 2022 16:34:55 -0400 +Subject: drm/amdgpu: update VCN codec support for Yellow Carp + +From: Alex Deucher + +commit 97e50305542f384741a5b45699aba349fe9fca73 upstream. + +Supports AV1. Mesa already has support for this and +doesn't rely on the kernel caps for yellow carp, so +this was already working from an application perspective. + +Fixes: 554398174d98 ("amdgpu/nv.c - Added video codec support for Yellow Carp") +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2002 +Reviewed-by: Leo Liu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/nv.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/nv.c ++++ b/drivers/gpu/drm/amd/amdgpu/nv.c +@@ -170,6 +170,7 @@ static const struct amdgpu_video_codec_i + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_HEVC, 8192, 4352, 186)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_VP9, 8192, 4352, 0)}, + {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_JPEG, 4096, 4096, 0)}, ++ {codec_info_build(AMDGPU_INFO_VIDEO_CAPS_CODEC_IDX_AV1, 8192, 4352, 0)}, + }; + + static const struct amdgpu_video_codecs yc_video_codecs_decode = { diff --git a/queue-5.17/drm-ast-create-threshold-values-for-ast2600.patch b/queue-5.17/drm-ast-create-threshold-values-for-ast2600.patch new file mode 100644 index 00000000000..61d0d9b7ca2 --- /dev/null +++ b/queue-5.17/drm-ast-create-threshold-values-for-ast2600.patch @@ -0,0 +1,33 @@ +From bcc77411e8a65929655cef7b63a36000724cdc4b Mon Sep 17 00:00:00 2001 +From: KuoHsiang Chou +Date: Mon, 17 Jan 2022 16:36:43 +0800 +Subject: drm/ast: Create threshold values for AST2600 + +From: KuoHsiang Chou + +commit bcc77411e8a65929655cef7b63a36000724cdc4b upstream. + +The threshold value is used for AST2600 only. + +Signed-off-by: KuoHsiang Chou +Signed-off-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220117083643.41493-1-kuohsiang_chou@aspeedtech.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ast/ast_mode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -471,7 +471,10 @@ static void ast_set_color_reg(struct ast + static void ast_set_crtthd_reg(struct ast_private *ast) + { + /* Set Threshold */ +- if (ast->chip == AST2300 || ast->chip == AST2400 || ++ if (ast->chip == AST2600) { ++ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa7, 0xe0); ++ ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa6, 0xa0); ++ } else if (ast->chip == AST2300 || ast->chip == AST2400 || + ast->chip == AST2500) { + ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa7, 0x78); + ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xa6, 0x60); diff --git a/queue-5.17/drm-atomic-force-bridge-self-refresh-exit-on-crtc-switch.patch b/queue-5.17/drm-atomic-force-bridge-self-refresh-exit-on-crtc-switch.patch new file mode 100644 index 00000000000..7b646d2031d --- /dev/null +++ b/queue-5.17/drm-atomic-force-bridge-self-refresh-exit-on-crtc-switch.patch @@ -0,0 +1,74 @@ +From e54a4424925a27ed94dff046db3ce5caf4b1e748 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 28 Feb 2022 12:25:32 -0800 +Subject: drm/atomic: Force bridge self-refresh-exit on CRTC switch + +From: Brian Norris + +commit e54a4424925a27ed94dff046db3ce5caf4b1e748 upstream. + +It's possible to change which CRTC is in use for a given +connector/encoder/bridge while we're in self-refresh without fully +disabling the connector/encoder/bridge along the way. This can confuse +the bridge encoder/bridge, because +(a) it needs to track the SR state (trying to perform "active" + operations while the panel is still in SR can be Bad(TM)); and +(b) it tracks the SR state via the CRTC state (and after the switch, the + previous SR state is lost). + +Thus, we need to either somehow carry the self-refresh state over to the +new CRTC, or else force an encoder/bridge self-refresh transition during +such a switch. + +I choose the latter, so we disable the encoder (and exit PSR) before +attaching it to the new CRTC (where we can continue to assume a clean +(non-self-refresh) state). + +This fixes PSR issues seen on Rockchip RK3399 systems with +drivers/gpu/drm/bridge/analogix/analogix_dp_core.c. + +Change in v2: + +- Drop "->enable" condition; this could possibly be "->active" to + reflect the intended hardware state, but it also is a little + over-specific. We want to make a transition through "disabled" any + time we're exiting PSR at the same time as a CRTC switch. + (Thanks Liu Ying) + +Cc: Liu Ying +Cc: +Fixes: 1452c25b0e60 ("drm: Add helpers to kick off self refresh mode in drivers") +Signed-off-by: Brian Norris +Reviewed-by: Sean Paul +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20220228122522.v2.2.Ic15a2ef69c540aee8732703103e2cff51fb9c399@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_atomic_helper.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -1011,9 +1011,19 @@ crtc_needs_disable(struct drm_crtc_state + return drm_atomic_crtc_effectively_active(old_state); + + /* +- * We need to run through the crtc_funcs->disable() function if the CRTC +- * is currently on, if it's transitioning to self refresh mode, or if +- * it's in self refresh mode and needs to be fully disabled. ++ * We need to disable bridge(s) and CRTC if we're transitioning out of ++ * self-refresh and changing CRTCs at the same time, because the ++ * bridge tracks self-refresh status via CRTC state. ++ */ ++ if (old_state->self_refresh_active && ++ old_state->crtc != new_state->crtc) ++ return true; ++ ++ /* ++ * We also need to run through the crtc_funcs->disable() function if ++ * the CRTC is currently on, if it's transitioning to self refresh ++ * mode, or if it's in self refresh mode and needs to be fully ++ * disabled. + */ + return old_state->active || + (old_state->self_refresh_active && !new_state->active) || diff --git a/queue-5.17/drm-bridge-analogix_dp-support-psr-exit-to-disable-transition.patch b/queue-5.17/drm-bridge-analogix_dp-support-psr-exit-to-disable-transition.patch new file mode 100644 index 00000000000..f0ffcff216b --- /dev/null +++ b/queue-5.17/drm-bridge-analogix_dp-support-psr-exit-to-disable-transition.patch @@ -0,0 +1,109 @@ +From ca871659ec1606d33b1e76de8d4cf924cf627e34 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Mon, 28 Feb 2022 12:25:31 -0800 +Subject: drm/bridge: analogix_dp: Support PSR-exit to disable transition + +From: Brian Norris + +commit ca871659ec1606d33b1e76de8d4cf924cf627e34 upstream. + +Most eDP panel functions only work correctly when the panel is not in +self-refresh. In particular, analogix_dp_bridge_disable() tends to hit +AUX channel errors if the panel is in self-refresh. + +Given the above, it appears that so far, this driver assumes that we are +never in self-refresh when it comes time to fully disable the bridge. +Prior to commit 846c7dfc1193 ("drm/atomic: Try to preserve the crtc +enabled state in drm_atomic_remove_fb, v2."), this tended to be true, +because we would automatically disable the pipe when framebuffers were +removed, and so we'd typically disable the bridge shortly after the last +display activity. + +However, that is not guaranteed: an idle (self-refresh) display pipe may +be disabled, e.g., when switching CRTCs. We need to exit PSR first. + +Stable notes: this is definitely a bugfix, and the bug has likely +existed in some form for quite a while. It may predate the "PSR helpers" +refactor, but the code looked very different before that, and it's +probably not worth rewriting the fix. + +Cc: +Fixes: 6c836d965bad ("drm/rockchip: Use the helpers for PSR") +Signed-off-by: Brian Norris +Reviewed-by: Sean Paul +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20220228122522.v2.1.I161904be17ba14526f78536ccd78b85818449b51@changeid +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/analogix/analogix_dp_core.c | 42 +++++++++++++++++++-- + 1 file changed, 38 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c ++++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_core.c +@@ -1269,6 +1269,25 @@ static int analogix_dp_bridge_attach(str + } + + static ++struct drm_crtc *analogix_dp_get_old_crtc(struct analogix_dp_device *dp, ++ struct drm_atomic_state *state) ++{ ++ struct drm_encoder *encoder = dp->encoder; ++ struct drm_connector *connector; ++ struct drm_connector_state *conn_state; ++ ++ connector = drm_atomic_get_old_connector_for_encoder(state, encoder); ++ if (!connector) ++ return NULL; ++ ++ conn_state = drm_atomic_get_old_connector_state(state, connector); ++ if (!conn_state) ++ return NULL; ++ ++ return conn_state->crtc; ++} ++ ++static + struct drm_crtc *analogix_dp_get_new_crtc(struct analogix_dp_device *dp, + struct drm_atomic_state *state) + { +@@ -1448,14 +1467,16 @@ analogix_dp_bridge_atomic_disable(struct + { + struct drm_atomic_state *old_state = old_bridge_state->base.state; + struct analogix_dp_device *dp = bridge->driver_private; +- struct drm_crtc *crtc; ++ struct drm_crtc *old_crtc, *new_crtc; ++ struct drm_crtc_state *old_crtc_state = NULL; + struct drm_crtc_state *new_crtc_state = NULL; ++ int ret; + +- crtc = analogix_dp_get_new_crtc(dp, old_state); +- if (!crtc) ++ new_crtc = analogix_dp_get_new_crtc(dp, old_state); ++ if (!new_crtc) + goto out; + +- new_crtc_state = drm_atomic_get_new_crtc_state(old_state, crtc); ++ new_crtc_state = drm_atomic_get_new_crtc_state(old_state, new_crtc); + if (!new_crtc_state) + goto out; + +@@ -1464,6 +1485,19 @@ analogix_dp_bridge_atomic_disable(struct + return; + + out: ++ old_crtc = analogix_dp_get_old_crtc(dp, old_state); ++ if (old_crtc) { ++ old_crtc_state = drm_atomic_get_old_crtc_state(old_state, ++ old_crtc); ++ ++ /* When moving from PSR to fully disabled, exit PSR first. */ ++ if (old_crtc_state && old_crtc_state->self_refresh_active) { ++ ret = analogix_dp_disable_psr(dp); ++ if (ret) ++ DRM_ERROR("Failed to disable psr (%d)\n", ret); ++ } ++ } ++ + analogix_dp_bridge_disable(bridge); + } + diff --git a/queue-5.17/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch b/queue-5.17/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch new file mode 100644 index 00000000000..8ab1edb0638 --- /dev/null +++ b/queue-5.17/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch @@ -0,0 +1,55 @@ +From c42e65664390be7c1ef3838cd84956d3a2739d60 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 7 Jun 2022 12:11:33 -0700 +Subject: Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag + +From: Mathias Nyman + +commit c42e65664390be7c1ef3838cd84956d3a2739d60 upstream. + +The bcm5974 driver does the allocation and dma mapping of the usb urb +data buffer, but driver does not set the URB_NO_TRANSFER_DMA_MAP flag +to let usb core know the buffer is already mapped. + +usb core tries to map the already mapped buffer, causing a warning: +"xhci_hcd 0000:00:14.0: rejecting DMA map of vmalloc memory" + +Fix this by setting the URB_NO_TRANSFER_DMA_MAP, letting usb core +know buffer is already mapped by bcm5974 driver + +Signed-off-by: Mathias Nyman +Cc: stable@vger.kernel.org +Link: https://bugzilla.kernel.org/show_bug.cgi?id=215890 +Link: https://lore.kernel.org/r/20220606113636.588955-1-mathias.nyman@linux.intel.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/bcm5974.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/input/mouse/bcm5974.c ++++ b/drivers/input/mouse/bcm5974.c +@@ -942,17 +942,22 @@ static int bcm5974_probe(struct usb_inte + if (!dev->tp_data) + goto err_free_bt_buffer; + +- if (dev->bt_urb) ++ if (dev->bt_urb) { + usb_fill_int_urb(dev->bt_urb, udev, + usb_rcvintpipe(udev, cfg->bt_ep), + dev->bt_data, dev->cfg.bt_datalen, + bcm5974_irq_button, dev, 1); + ++ dev->bt_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; ++ } ++ + usb_fill_int_urb(dev->tp_urb, udev, + usb_rcvintpipe(udev, cfg->tp_ep), + dev->tp_data, dev->cfg.tp_datalen, + bcm5974_irq_trackpad, dev, 1); + ++ dev->tp_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; ++ + /* create bcm5974 device */ + usb_make_path(udev, dev->phys, sizeof(dev->phys)); + strlcat(dev->phys, "/input0", sizeof(dev->phys)); diff --git a/queue-5.17/ixgbe-fix-bcast-packets-rx-on-vf-after-promisc-removal.patch b/queue-5.17/ixgbe-fix-bcast-packets-rx-on-vf-after-promisc-removal.patch new file mode 100644 index 00000000000..14079d5388f --- /dev/null +++ b/queue-5.17/ixgbe-fix-bcast-packets-rx-on-vf-after-promisc-removal.patch @@ -0,0 +1,43 @@ +From 803e9895ea2b0fe80bc85980ae2d7a7e44037914 Mon Sep 17 00:00:00 2001 +From: Olivier Matz +Date: Wed, 6 Apr 2022 11:52:51 +0200 +Subject: ixgbe: fix bcast packets Rx on VF after promisc removal + +From: Olivier Matz + +commit 803e9895ea2b0fe80bc85980ae2d7a7e44037914 upstream. + +After a VF requested to remove the promiscuous flag on an interface, the +broadcast packets are not received anymore. This breaks some protocols +like ARP. + +In ixgbe_update_vf_xcast_mode(), we should keep the IXGBE_VMOLR_BAM +bit (Broadcast Accept) on promiscuous removal. + +This flag is already set by default in ixgbe_set_vmolr() on VF reset. + +Fixes: 8443c1a4b192 ("ixgbe, ixgbevf: Add new mbox API xcast mode") +Cc: stable@vger.kernel.org +Cc: Nicolas Dichtel +Signed-off-by: Olivier Matz +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +@@ -1157,9 +1157,9 @@ static int ixgbe_update_vf_xcast_mode(st + + switch (xcast_mode) { + case IXGBEVF_XCAST_MODE_NONE: +- disable = IXGBE_VMOLR_BAM | IXGBE_VMOLR_ROMPE | ++ disable = IXGBE_VMOLR_ROMPE | + IXGBE_VMOLR_MPE | IXGBE_VMOLR_UPE | IXGBE_VMOLR_VPE; +- enable = 0; ++ enable = IXGBE_VMOLR_BAM; + break; + case IXGBEVF_XCAST_MODE_MULTI: + disable = IXGBE_VMOLR_MPE | IXGBE_VMOLR_UPE | IXGBE_VMOLR_VPE; diff --git a/queue-5.17/ixgbe-fix-unexpected-vlan-rx-in-promisc-mode-on-vf.patch b/queue-5.17/ixgbe-fix-unexpected-vlan-rx-in-promisc-mode-on-vf.patch new file mode 100644 index 00000000000..4568f2327ad --- /dev/null +++ b/queue-5.17/ixgbe-fix-unexpected-vlan-rx-in-promisc-mode-on-vf.patch @@ -0,0 +1,68 @@ +From 7bb0fb7c63df95d6027dc50d6af3bc3bbbc25483 Mon Sep 17 00:00:00 2001 +From: Olivier Matz +Date: Wed, 6 Apr 2022 11:52:52 +0200 +Subject: ixgbe: fix unexpected VLAN Rx in promisc mode on VF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Olivier Matz + +commit 7bb0fb7c63df95d6027dc50d6af3bc3bbbc25483 upstream. + +When the promiscuous mode is enabled on a VF, the IXGBE_VMOLR_VPE +bit (VLAN Promiscuous Enable) is set. This means that the VF will +receive packets whose VLAN is not the same than the VLAN of the VF. + +For instance, in this situation: + +┌────────┐ ┌────────┐ ┌────────┐ +│ │ │ │ │ │ +│ │ │ │ │ │ +│ VF0├────┤VF1 VF2├────┤VF3 │ +│ │ │ │ │ │ +└────────┘ └────────┘ └────────┘ + VM1 VM2 VM3 + +vf 0: vlan 1000 +vf 1: vlan 1000 +vf 2: vlan 1001 +vf 3: vlan 1001 + +If we tcpdump on VF3, we see all the packets, even those transmitted +on vlan 1000. + +This behavior prevents to bridge VF1 and VF2 in VM2, because it will +create a loop: packets transmitted on VF1 will be received by VF2 and +vice-versa, and bridged again through the software bridge. + +This patch remove the activation of VLAN Promiscuous when a VF enables +the promiscuous mode. However, the IXGBE_VMOLR_UPE bit (Unicast +Promiscuous) is kept, so that a VF receives all packets that has the +same VLAN, whatever the destination MAC address. + +Fixes: 8443c1a4b192 ("ixgbe, ixgbevf: Add new mbox API xcast mode") +Cc: stable@vger.kernel.org +Cc: Nicolas Dichtel +Signed-off-by: Olivier Matz +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c +@@ -1181,9 +1181,9 @@ static int ixgbe_update_vf_xcast_mode(st + return -EPERM; + } + +- disable = 0; ++ disable = IXGBE_VMOLR_VPE; + enable = IXGBE_VMOLR_BAM | IXGBE_VMOLR_ROMPE | +- IXGBE_VMOLR_MPE | IXGBE_VMOLR_UPE | IXGBE_VMOLR_VPE; ++ IXGBE_VMOLR_MPE | IXGBE_VMOLR_UPE; + break; + default: + return -EOPNOTSUPP; diff --git a/queue-5.17/mm-huge_memory-fix-xarray-node-memory-leak.patch b/queue-5.17/mm-huge_memory-fix-xarray-node-memory-leak.patch new file mode 100644 index 00000000000..1d44c18270e --- /dev/null +++ b/queue-5.17/mm-huge_memory-fix-xarray-node-memory-leak.patch @@ -0,0 +1,64 @@ +From 69a37a8ba1b408a1c7616494aa7018e4b3844cbe Mon Sep 17 00:00:00 2001 +From: "Matthew Wilcox (Oracle)" +Date: Wed, 8 Jun 2022 15:18:34 -0400 +Subject: mm/huge_memory: Fix xarray node memory leak + +From: Matthew Wilcox (Oracle) + +commit 69a37a8ba1b408a1c7616494aa7018e4b3844cbe upstream. + +If xas_split_alloc() fails to allocate the necessary nodes to complete the +xarray entry split, it sets the xa_state to -ENOMEM, which xas_nomem() +then interprets as "Please allocate more memory", not as "Please free +any unnecessary memory" (which was the intended outcome). It's confusing +to use xas_nomem() to free memory in this context, so call xas_destroy() +instead. + +Reported-by: syzbot+9e27a75a8c24f3fe75c1@syzkaller.appspotmail.com +Fixes: 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache") +Cc: stable@vger.kernel.org +Signed-off-by: Matthew Wilcox (Oracle) +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/xarray.h | 1 + + lib/xarray.c | 5 +++-- + mm/huge_memory.c | 3 +-- + 3 files changed, 5 insertions(+), 4 deletions(-) + +--- a/include/linux/xarray.h ++++ b/include/linux/xarray.h +@@ -1506,6 +1506,7 @@ void *xas_find_marked(struct xa_state *, + void xas_init_marks(const struct xa_state *); + + bool xas_nomem(struct xa_state *, gfp_t); ++void xas_destroy(struct xa_state *); + void xas_pause(struct xa_state *); + + void xas_create_range(struct xa_state *); +--- a/lib/xarray.c ++++ b/lib/xarray.c +@@ -264,9 +264,10 @@ static void xa_node_free(struct xa_node + * xas_destroy() - Free any resources allocated during the XArray operation. + * @xas: XArray operation state. + * +- * This function is now internal-only. ++ * Most users will not need to call this function; it is called for you ++ * by xas_nomem(). + */ +-static void xas_destroy(struct xa_state *xas) ++void xas_destroy(struct xa_state *xas) + { + struct xa_node *next, *node = xas->xa_alloc; + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -2736,8 +2736,7 @@ out_unlock: + if (mapping) + i_mmap_unlock_read(mapping); + out: +- /* Free any memory we didn't use */ +- xas_nomem(&xas, 0); ++ xas_destroy(&xas); + count_vm_event(!ret ? THP_SPLIT_PAGE : THP_SPLIT_PAGE_FAILED); + return ret; + } diff --git a/queue-5.17/nfc-st21nfca-fix-incorrect-sizing-calculations-in-evt_transaction.patch b/queue-5.17/nfc-st21nfca-fix-incorrect-sizing-calculations-in-evt_transaction.patch new file mode 100644 index 00000000000..ae50c7df560 --- /dev/null +++ b/queue-5.17/nfc-st21nfca-fix-incorrect-sizing-calculations-in-evt_transaction.patch @@ -0,0 +1,131 @@ +From f2e19b36593caed4c977c2f55aeba7408aeb2132 Mon Sep 17 00:00:00 2001 +From: Martin Faltesek +Date: Mon, 6 Jun 2022 21:57:29 -0500 +Subject: nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION + +From: Martin Faltesek + +commit f2e19b36593caed4c977c2f55aeba7408aeb2132 upstream. + +The transaction buffer is allocated by using the size of the packet buf, +and subtracting two which seem intended to remove the two tags which are +not present in the target structure. This calculation leads to under +counting memory because of differences between the packet contents and the +target structure. The aid_len field is a u8 in the packet, but a u32 in +the structure, resulting in at least 3 bytes always being under counted. +Further, the aid data is a variable length field in the packet, but fixed +in the structure, so if this field is less than the max, the difference is +added to the under counting. + +The last validation check for transaction->params_len is also incorrect +since it employs the same accounting error. + +To fix, perform validation checks progressively to safely reach the +next field, to determine the size of both buffers and verify both tags. +Once all validation checks pass, allocate the buffer and copy the data. +This eliminates freeing memory on the error path, as those checks are +moved ahead of memory allocation. + +Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support") +Fixes: 4fbcc1a4cb20 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Faltesek +Reviewed-by: Guenter Roeck +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/st21nfca/se.c | 62 +++++++++++++++++++++++----------------------- + 1 file changed, 31 insertions(+), 31 deletions(-) + +--- a/drivers/nfc/st21nfca/se.c ++++ b/drivers/nfc/st21nfca/se.c +@@ -300,6 +300,8 @@ int st21nfca_connectivity_event_received + int r = 0; + struct device *dev = &hdev->ndev->dev; + struct nfc_evt_transaction *transaction; ++ u32 aid_len; ++ u8 params_len; + + pr_debug("connectivity gate event: %x\n", event); + +@@ -308,50 +310,48 @@ int st21nfca_connectivity_event_received + r = nfc_se_connectivity(hdev->ndev, host); + break; + case ST21NFCA_EVT_TRANSACTION: +- /* +- * According to specification etsi 102 622 ++ /* According to specification etsi 102 622 + * 11.2.2.4 EVT_TRANSACTION Table 52 + * Description Tag Length + * AID 81 5 to 16 + * PARAMETERS 82 0 to 255 ++ * ++ * The key differences are aid storage length is variably sized ++ * in the packet, but fixed in nfc_evt_transaction, and that the aid_len ++ * is u8 in the packet, but u32 in the structure, and the tags in ++ * the packet are not included in nfc_evt_transaction. ++ * ++ * size in bytes: 1 1 5-16 1 1 0-255 ++ * offset: 0 1 2 aid_len + 2 aid_len + 3 aid_len + 4 ++ * member name: aid_tag(M) aid_len aid params_tag(M) params_len params ++ * example: 0x81 5-16 X 0x82 0-255 X + */ +- if (skb->len < NFC_MIN_AID_LENGTH + 2 || +- skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) ++ if (skb->len < 2 || skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) + return -EPROTO; + +- transaction = devm_kzalloc(dev, skb->len - 2, GFP_KERNEL); +- if (!transaction) +- return -ENOMEM; ++ aid_len = skb->data[1]; ++ ++ if (skb->len < aid_len + 4 || aid_len > sizeof(transaction->aid)) ++ return -EPROTO; + +- transaction->aid_len = skb->data[1]; ++ params_len = skb->data[aid_len + 3]; + +- /* Checking if the length of the AID is valid */ +- if (transaction->aid_len > sizeof(transaction->aid)) { +- devm_kfree(dev, transaction); +- return -EINVAL; +- } +- +- memcpy(transaction->aid, &skb->data[2], +- transaction->aid_len); +- +- /* Check next byte is PARAMETERS tag (82) */ +- if (skb->data[transaction->aid_len + 2] != +- NFC_EVT_TRANSACTION_PARAMS_TAG) { +- devm_kfree(dev, transaction); ++ /* Verify PARAMETERS tag is (82), and final check that there is enough ++ * space in the packet to read everything. ++ */ ++ if ((skb->data[aid_len + 2] != NFC_EVT_TRANSACTION_PARAMS_TAG) || ++ (skb->len < aid_len + 4 + params_len)) + return -EPROTO; +- } + +- transaction->params_len = skb->data[transaction->aid_len + 3]; ++ transaction = devm_kzalloc(dev, sizeof(*transaction) + params_len, GFP_KERNEL); ++ if (!transaction) ++ return -ENOMEM; + +- /* Total size is allocated (skb->len - 2) minus fixed array members */ +- if (transaction->params_len > ((skb->len - 2) - +- sizeof(struct nfc_evt_transaction))) { +- devm_kfree(dev, transaction); +- return -EINVAL; +- } ++ transaction->aid_len = aid_len; ++ transaction->params_len = params_len; + +- memcpy(transaction->params, skb->data + +- transaction->aid_len + 4, transaction->params_len); ++ memcpy(transaction->aid, &skb->data[2], aid_len); ++ memcpy(transaction->params, &skb->data[aid_len + 4], params_len); + + r = nfc_se_transaction(hdev->ndev, host, transaction); + break; diff --git a/queue-5.17/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch b/queue-5.17/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch new file mode 100644 index 00000000000..5dcf136b4d9 --- /dev/null +++ b/queue-5.17/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch @@ -0,0 +1,36 @@ +From 77e5fe8f176a525523ae091d6fd0fbb8834c156d Mon Sep 17 00:00:00 2001 +From: Martin Faltesek +Date: Mon, 6 Jun 2022 21:57:27 -0500 +Subject: nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION + +From: Martin Faltesek + +commit 77e5fe8f176a525523ae091d6fd0fbb8834c156d upstream. + +The first validation check for EVT_TRANSACTION has two different checks +tied together with logical AND. One is a check for minimum packet length, +and the other is for a valid aid_tag. If either condition is true (fails), +then an error should be triggered. The fix is to change && to ||. + +Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Faltesek +Reviewed-by: Guenter Roeck +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/st21nfca/se.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nfc/st21nfca/se.c ++++ b/drivers/nfc/st21nfca/se.c +@@ -315,7 +315,7 @@ int st21nfca_connectivity_event_received + * AID 81 5 to 16 + * PARAMETERS 82 0 to 255 + */ +- if (skb->len < NFC_MIN_AID_LENGTH + 2 && ++ if (skb->len < NFC_MIN_AID_LENGTH + 2 || + skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG) + return -EPROTO; + diff --git a/queue-5.17/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch b/queue-5.17/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch new file mode 100644 index 00000000000..d52b04c7183 --- /dev/null +++ b/queue-5.17/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch @@ -0,0 +1,59 @@ +From 996419e0594abb311fb958553809f24f38e7abbe Mon Sep 17 00:00:00 2001 +From: Martin Faltesek +Date: Mon, 6 Jun 2022 21:57:28 -0500 +Subject: nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling + +From: Martin Faltesek + +commit 996419e0594abb311fb958553809f24f38e7abbe upstream. + +Error paths do not free previously allocated memory. Add devm_kfree() to +those failure paths. + +Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support") +Fixes: 4fbcc1a4cb20 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Faltesek +Reviewed-by: Guenter Roeck +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/st21nfca/se.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/nfc/st21nfca/se.c ++++ b/drivers/nfc/st21nfca/se.c +@@ -326,22 +326,29 @@ int st21nfca_connectivity_event_received + transaction->aid_len = skb->data[1]; + + /* Checking if the length of the AID is valid */ +- if (transaction->aid_len > sizeof(transaction->aid)) ++ if (transaction->aid_len > sizeof(transaction->aid)) { ++ devm_kfree(dev, transaction); + return -EINVAL; ++ } + + memcpy(transaction->aid, &skb->data[2], + transaction->aid_len); + + /* Check next byte is PARAMETERS tag (82) */ + if (skb->data[transaction->aid_len + 2] != +- NFC_EVT_TRANSACTION_PARAMS_TAG) ++ NFC_EVT_TRANSACTION_PARAMS_TAG) { ++ devm_kfree(dev, transaction); + return -EPROTO; ++ } + + transaction->params_len = skb->data[transaction->aid_len + 3]; + + /* Total size is allocated (skb->len - 2) minus fixed array members */ +- if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction))) ++ if (transaction->params_len > ((skb->len - 2) - ++ sizeof(struct nfc_evt_transaction))) { ++ devm_kfree(dev, transaction); + return -EINVAL; ++ } + + memcpy(transaction->params, skb->data + + transaction->aid_len + 4, transaction->params_len); diff --git a/queue-5.17/powerpc-32-fix-overread-overwrite-of-thread_struct-via-ptrace.patch b/queue-5.17/powerpc-32-fix-overread-overwrite-of-thread_struct-via-ptrace.patch new file mode 100644 index 00000000000..d426a851658 --- /dev/null +++ b/queue-5.17/powerpc-32-fix-overread-overwrite-of-thread_struct-via-ptrace.patch @@ -0,0 +1,119 @@ +From 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 7 Jun 2022 00:34:56 +1000 +Subject: powerpc/32: Fix overread/overwrite of thread_struct via ptrace + +From: Michael Ellerman + +commit 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 upstream. + +The ptrace PEEKUSR/POKEUSR (aka PEEKUSER/POKEUSER) API allows a process +to read/write registers of another process. + +To get/set a register, the API takes an index into an imaginary address +space called the "USER area", where the registers of the process are +laid out in some fashion. + +The kernel then maps that index to a particular register in its own data +structures and gets/sets the value. + +The API only allows a single machine-word to be read/written at a time. +So 4 bytes on 32-bit kernels and 8 bytes on 64-bit kernels. + +The way floating point registers (FPRs) are addressed is somewhat +complicated, because double precision float values are 64-bit even on +32-bit CPUs. That means on 32-bit kernels each FPR occupies two +word-sized locations in the USER area. On 64-bit kernels each FPR +occupies one word-sized location in the USER area. + +Internally the kernel stores the FPRs in an array of u64s, or if VSX is +enabled, an array of pairs of u64s where one half of each pair stores +the FPR. Which half of the pair stores the FPR depends on the kernel's +endianness. + +To handle the different layouts of the FPRs depending on VSX/no-VSX and +big/little endian, the TS_FPR() macro was introduced. + +Unfortunately the TS_FPR() macro does not take into account the fact +that the addressing of each FPR differs between 32-bit and 64-bit +kernels. It just takes the index into the "USER area" passed from +userspace and indexes into the fp_state.fpr array. + +On 32-bit there are 64 indexes that address FPRs, but only 32 entries in +the fp_state.fpr array, meaning the user can read/write 256 bytes past +the end of the array. Because the fp_state sits in the middle of the +thread_struct there are various fields than can be overwritten, +including some pointers. As such it may be exploitable. + +It has also been observed to cause systems to hang or otherwise +misbehave when using gdbserver, and is probably the root cause of this +report which could not be easily reproduced: + https://lore.kernel.org/linuxppc-dev/dc38afe9-6b78-f3f5-666b-986939e40fc6@keymile.com/ + +Rather than trying to make the TS_FPR() macro even more complicated to +fix the bug, or add more macros, instead add a special-case for 32-bit +kernels. This is more obvious and hopefully avoids a similar bug +happening again in future. + +Note that because 32-bit kernels never have VSX enabled the code doesn't +need to consider TS_FPRWIDTH/OFFSET at all. Add a BUILD_BUG_ON() to +ensure that 32-bit && VSX is never enabled. + +Fixes: 87fec0514f61 ("powerpc: PTRACE_PEEKUSR/PTRACE_POKEUSER of FPR registers in little endian builds") +Cc: stable@vger.kernel.org # v3.13+ +Reported-by: Ariel Miculas +Tested-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220609133245.573565-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/ptrace/ptrace-fpu.c | 20 ++++++++++++++------ + arch/powerpc/kernel/ptrace/ptrace.c | 3 +++ + 2 files changed, 17 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/kernel/ptrace/ptrace-fpu.c ++++ b/arch/powerpc/kernel/ptrace/ptrace-fpu.c +@@ -17,9 +17,13 @@ int ptrace_get_fpr(struct task_struct *c + + #ifdef CONFIG_PPC_FPU_REGS + flush_fp_to_thread(child); +- if (fpidx < (PT_FPSCR - PT_FPR0)) +- memcpy(data, &child->thread.TS_FPR(fpidx), sizeof(long)); +- else ++ if (fpidx < (PT_FPSCR - PT_FPR0)) { ++ if (IS_ENABLED(CONFIG_PPC32)) ++ // On 32-bit the index we are passed refers to 32-bit words ++ *data = ((u32 *)child->thread.fp_state.fpr)[fpidx]; ++ else ++ memcpy(data, &child->thread.TS_FPR(fpidx), sizeof(long)); ++ } else + *data = child->thread.fp_state.fpscr; + #else + *data = 0; +@@ -39,9 +43,13 @@ int ptrace_put_fpr(struct task_struct *c + + #ifdef CONFIG_PPC_FPU_REGS + flush_fp_to_thread(child); +- if (fpidx < (PT_FPSCR - PT_FPR0)) +- memcpy(&child->thread.TS_FPR(fpidx), &data, sizeof(long)); +- else ++ if (fpidx < (PT_FPSCR - PT_FPR0)) { ++ if (IS_ENABLED(CONFIG_PPC32)) ++ // On 32-bit the index we are passed refers to 32-bit words ++ ((u32 *)child->thread.fp_state.fpr)[fpidx] = data; ++ else ++ memcpy(&child->thread.TS_FPR(fpidx), &data, sizeof(long)); ++ } else + child->thread.fp_state.fpscr = data; + #endif + +--- a/arch/powerpc/kernel/ptrace/ptrace.c ++++ b/arch/powerpc/kernel/ptrace/ptrace.c +@@ -445,4 +445,7 @@ void __init pt_regs_check(void) + * real registers. + */ + BUILD_BUG_ON(PT_DSCR < sizeof(struct user_pt_regs) / sizeof(unsigned long)); ++ ++ // ptrace_get/put_fpr() rely on PPC32 and VSX being incompatible ++ BUILD_BUG_ON(IS_ENABLED(CONFIG_PPC32) && IS_ENABLED(CONFIG_VSX)); + } diff --git a/queue-5.17/powerpc-don-t-select-have_irq_exit_on_irq_stack.patch b/queue-5.17/powerpc-don-t-select-have_irq_exit_on_irq_stack.patch new file mode 100644 index 00000000000..390cf281b32 --- /dev/null +++ b/queue-5.17/powerpc-don-t-select-have_irq_exit_on_irq_stack.patch @@ -0,0 +1,52 @@ +From 1346d00e1bdfd4067f92bc14e8a6131a01de4190 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Wed, 25 May 2022 13:26:39 +1000 +Subject: powerpc: Don't select HAVE_IRQ_EXIT_ON_IRQ_STACK + +From: Michael Ellerman + +commit 1346d00e1bdfd4067f92bc14e8a6131a01de4190 upstream. + +The HAVE_IRQ_EXIT_ON_IRQ_STACK option tells generic code that irq_exit() +is called while still running on the hard irq stack (hardirq_ctx[] in +the powerpc code). + +Selecting the option means the generic code will *not* switch to the +softirq stack before running softirqs, because the code is already +running on the (mostly empty) hard irq stack. + +But since commit 1b1b6a6f4cc0 ("powerpc: handle irq_enter/irq_exit in +interrupt handler wrappers"), irq_exit() is now called on the regular task +stack, not the hard irq stack. + +That's because previously irq_exit() was called in __do_irq() which is +run on the hard irq stack, but now it is called in +interrupt_async_exit_prepare() which is called from do_irq() constructed +by the wrapper macro, which is after the switch back to the task stack. + +So drop HAVE_IRQ_EXIT_ON_IRQ_STACK from the Kconfig. This will mean an +extra stack switch when processing some interrupts, but should +significantly reduce the likelihood of stack overflow. + +It also means the softirq stack will be used for running softirqs from +other interrupts that don't use the hard irq stack, eg. timer interrupts. + +Fixes: 1b1b6a6f4cc0 ("powerpc: handle irq_enter/irq_exit in interrupt handler wrappers") +Cc: stable@vger.kernel.org # v5.12+ +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220525032639.1947280-1-mpe@ellerman.id.au +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -211,7 +211,6 @@ config PPC + select HAVE_HARDLOCKUP_DETECTOR_PERF if PERF_EVENTS && HAVE_PERF_EVENTS_NMI && !HAVE_HARDLOCKUP_DETECTOR_ARCH + select HAVE_HW_BREAKPOINT if PERF_EVENTS && (PPC_BOOK3S || PPC_8xx) + select HAVE_IOREMAP_PROT +- select HAVE_IRQ_EXIT_ON_IRQ_STACK + select HAVE_IRQ_TIME_ACCOUNTING + select HAVE_KERNEL_GZIP + select HAVE_KERNEL_LZMA if DEFAULT_UIMAGE diff --git a/queue-5.17/series b/queue-5.17/series index c0196291f56..234e47f91ef 100644 --- a/queue-5.17/series +++ b/queue-5.17/series @@ -272,3 +272,20 @@ mmc-block-fix-cqe-recovery-reset-success.patch net-phy-dp83867-retrigger-sgmii-an-when-link-change.patch net-openvswitch-fix-misuse-of-the-cached-connection-on-tuple-changes.patch writeback-fix-inode-i_io_list-not-be-protected-by-inode-i_lock-error.patch +nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch +nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch +nfc-st21nfca-fix-incorrect-sizing-calculations-in-evt_transaction.patch +ixgbe-fix-bcast-packets-rx-on-vf-after-promisc-removal.patch +ixgbe-fix-unexpected-vlan-rx-in-promisc-mode-on-vf.patch +input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch +vduse-fix-null-pointer-dereference-on-sysfs-access.patch +cpuidle-intel_idle-fix-cpuidle_flag_irq_enable.patch +mm-huge_memory-fix-xarray-node-memory-leak.patch +powerpc-don-t-select-have_irq_exit_on_irq_stack.patch +drm-bridge-analogix_dp-support-psr-exit-to-disable-transition.patch +drm-atomic-force-bridge-self-refresh-exit-on-crtc-switch.patch +drm-amdgpu-jpeg2-add-jpeg-vmid-update-under-ib-submit.patch +drm-amdgpu-update-vcn-codec-support-for-yellow-carp.patch +virtio-rng-make-device-ready-before-making-request.patch +powerpc-32-fix-overread-overwrite-of-thread_struct-via-ptrace.patch +drm-ast-create-threshold-values-for-ast2600.patch diff --git a/queue-5.17/vduse-fix-null-pointer-dereference-on-sysfs-access.patch b/queue-5.17/vduse-fix-null-pointer-dereference-on-sysfs-access.patch new file mode 100644 index 00000000000..8a8914d7009 --- /dev/null +++ b/queue-5.17/vduse-fix-null-pointer-dereference-on-sysfs-access.patch @@ -0,0 +1,68 @@ +From b27ee76c74dc831d6e092eaebc2dfc9c0beed1c9 Mon Sep 17 00:00:00 2001 +From: Xie Yongji +Date: Tue, 26 Apr 2022 15:36:56 +0800 +Subject: vduse: Fix NULL pointer dereference on sysfs access + +From: Xie Yongji + +commit b27ee76c74dc831d6e092eaebc2dfc9c0beed1c9 upstream. + +The control device has no drvdata. So we will get a +NULL pointer dereference when accessing control +device's msg_timeout attribute via sysfs: + +[ 132.841881][ T3644] BUG: kernel NULL pointer dereference, address: 00000000000000f8 +[ 132.850619][ T3644] RIP: 0010:msg_timeout_show (drivers/vdpa/vdpa_user/vduse_dev.c:1271) +[ 132.869447][ T3644] dev_attr_show (drivers/base/core.c:2094) +[ 132.870215][ T3644] sysfs_kf_seq_show (fs/sysfs/file.c:59) +[ 132.871164][ T3644] ? device_remove_bin_file (drivers/base/core.c:2088) +[ 132.872082][ T3644] kernfs_seq_show (fs/kernfs/file.c:164) +[ 132.872838][ T3644] seq_read_iter (fs/seq_file.c:230) +[ 132.873578][ T3644] ? __vmalloc_area_node (mm/vmalloc.c:3041) +[ 132.874532][ T3644] kernfs_fop_read_iter (fs/kernfs/file.c:238) +[ 132.875513][ T3644] __kernel_read (fs/read_write.c:440 (discriminator 1)) +[ 132.876319][ T3644] kernel_read (fs/read_write.c:459) +[ 132.877129][ T3644] kernel_read_file (fs/kernel_read_file.c:94) +[ 132.877978][ T3644] kernel_read_file_from_fd (include/linux/file.h:45 fs/kernel_read_file.c:186) +[ 132.879019][ T3644] __do_sys_finit_module (kernel/module.c:4207) +[ 132.879930][ T3644] __ia32_sys_finit_module (kernel/module.c:4189) +[ 132.880930][ T3644] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132) +[ 132.881847][ T3644] entry_INT80_compat (arch/x86/entry/entry_64_compat.S:419) + +To fix it, don't create the unneeded attribute for +control device anymore. + +Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace") +Reported-by: kernel test robot +Cc: stable@vger.kernel.org +Signed-off-by: Xie Yongji +Message-Id: <20220426073656.229-1-xieyongji@bytedance.com> +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vdpa/vdpa_user/vduse_dev.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/vdpa/vdpa_user/vduse_dev.c ++++ b/drivers/vdpa/vdpa_user/vduse_dev.c +@@ -1344,9 +1344,9 @@ static int vduse_create_dev(struct vduse + + dev->minor = ret; + dev->msg_timeout = VDUSE_MSG_DEFAULT_TIMEOUT; +- dev->dev = device_create(vduse_class, NULL, +- MKDEV(MAJOR(vduse_major), dev->minor), +- dev, "%s", config->name); ++ dev->dev = device_create_with_groups(vduse_class, NULL, ++ MKDEV(MAJOR(vduse_major), dev->minor), ++ dev, vduse_dev_groups, "%s", config->name); + if (IS_ERR(dev->dev)) { + ret = PTR_ERR(dev->dev); + goto err_dev; +@@ -1595,7 +1595,6 @@ static int vduse_init(void) + return PTR_ERR(vduse_class); + + vduse_class->devnode = vduse_devnode; +- vduse_class->dev_groups = vduse_dev_groups; + + ret = alloc_chrdev_region(&vduse_major, 0, VDUSE_DEV_MAX, "vduse"); + if (ret) diff --git a/queue-5.17/virtio-rng-make-device-ready-before-making-request.patch b/queue-5.17/virtio-rng-make-device-ready-before-making-request.patch new file mode 100644 index 00000000000..df8209f586e --- /dev/null +++ b/queue-5.17/virtio-rng-make-device-ready-before-making-request.patch @@ -0,0 +1,44 @@ +From 228432551bd8783211e494ab35f42a4344580502 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 8 Jun 2022 14:14:22 +0800 +Subject: virtio-rng: make device ready before making request + +From: Jason Wang + +commit 228432551bd8783211e494ab35f42a4344580502 upstream. + +Current virtio-rng does a entropy request before DRIVER_OK, this +violates the spec: + +virtio spec requires that all drivers set DRIVER_OK +before using devices. + +Further, kernel will ignore the interrupt after commit +8b4ec69d7e09 ("virtio: harden vring IRQ"). + +Fixing this by making device ready before the request. + +Cc: stable@vger.kernel.org +Fixes: 8b4ec69d7e09 ("virtio: harden vring IRQ") +Fixes: f7f510ec1957 ("virtio: An entropy device, as suggested by hpa.") +Reported-and-tested-by: syzbot+5b59d6d459306a556f54@syzkaller.appspotmail.com +Signed-off-by: Jason Wang +Message-Id: <20220608061422.38437-1-jasowang@redhat.com> +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Laurent Vivier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/virtio-rng.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/char/hw_random/virtio-rng.c ++++ b/drivers/char/hw_random/virtio-rng.c +@@ -159,6 +159,8 @@ static int probe_common(struct virtio_de + goto err_find; + } + ++ virtio_device_ready(vdev); ++ + /* we always have a pending entropy request */ + request_entropy(vi); +