From: Sasha Levin Date: Sat, 12 Mar 2022 08:50:59 +0000 (-0500) Subject: Fixes for 5.16 X-Git-Tag: v4.9.307~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e2c41667300f2c2109a915f7a684ffdd9ced5f62;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.16 Signed-off-by: Sasha Levin --- diff --git a/queue-5.16/arm-boot-dts-bcm2711-fix-hvs-register-range.patch b/queue-5.16/arm-boot-dts-bcm2711-fix-hvs-register-range.patch new file mode 100644 index 00000000000..800429d82d0 --- /dev/null +++ b/queue-5.16/arm-boot-dts-bcm2711-fix-hvs-register-range.patch @@ -0,0 +1,41 @@ +From e2ff36d4e6d91b33d33024bc42ea54b34dd60a24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Feb 2022 13:07:55 +0100 +Subject: ARM: boot: dts: bcm2711: Fix HVS register range + +From: Maxime Ripard + +[ Upstream commit 515415d316168c6521d74ea8280287e28d7303e6 ] + +While the HVS has the same context memory size in the BCM2711 than in +the previous SoCs, the range allocated to the registers doubled and it +now takes 16k + 16k, compared to 8k + 16k before. + +The KMS driver will use the whole context RAM though, eventually +resulting in a pointer dereference error when we access the higher half +of the context memory since it hasn't been mapped. + +Fixes: 4564363351e2 ("ARM: dts: bcm2711: Enable the display pipeline") +Signed-off-by: Maxime Ripard +Signed-off-by: Stefan Wahren +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm2711.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/bcm2711.dtsi b/arch/arm/boot/dts/bcm2711.dtsi +index dff18fc9a906..21294f775a20 100644 +--- a/arch/arm/boot/dts/bcm2711.dtsi ++++ b/arch/arm/boot/dts/bcm2711.dtsi +@@ -290,6 +290,7 @@ pixelvalve4: pixelvalve@7e216000 { + + hvs: hvs@7e400000 { + compatible = "brcm,bcm2711-hvs"; ++ reg = <0x7e400000 0x8000>; + interrupts = ; + }; + +-- +2.34.1 + diff --git a/queue-5.16/arm-dts-aspeed-fix-ast2600-quad-spi-group.patch b/queue-5.16/arm-dts-aspeed-fix-ast2600-quad-spi-group.patch new file mode 100644 index 00000000000..527c73ceab4 --- /dev/null +++ b/queue-5.16/arm-dts-aspeed-fix-ast2600-quad-spi-group.patch @@ -0,0 +1,62 @@ +From fb9e94fece8923b42b2601296931ff4408d14591 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 10:36:31 +1030 +Subject: ARM: dts: aspeed: Fix AST2600 quad spi group +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Joel Stanley + +[ Upstream commit 2f6edb6bcb2f3f41d876e0eba2ba97f87a0296ea ] + +Requesting quad mode for the FMC resulted in an error: + + &fmc { + status = "okay"; + + pinctrl-names = "default"; + + pinctrl-0 = <&pinctrl_fwqspi_default>' + +[ 0.742963] aspeed-g6-pinctrl 1e6e2000.syscon:pinctrl: invalid function FWQSPID in map table + + +This is because the quad mode pins are a group of pins, not a function. + +After applying this patch we can request the pins and the QSPI data +lines are muxed: + + # cat /sys/kernel/debug/pinctrl/1e6e2000.syscon\:pinctrl-aspeed-g6-pinctrl/pinmux-pins |grep 1e620000.spi + pin 196 (AE12): device 1e620000.spi function FWSPID group FWQSPID + pin 197 (AF12): device 1e620000.spi function FWSPID group FWQSPID + pin 240 (Y1): device 1e620000.spi function FWSPID group FWQSPID + pin 241 (Y2): device 1e620000.spi function FWSPID group FWQSPID + pin 242 (Y3): device 1e620000.spi function FWSPID group FWQSPID + pin 243 (Y4): device 1e620000.spi function FWSPID group FWQSPID + +Fixes: f510f04c8c83 ("ARM: dts: aspeed: Add AST2600 pinmux nodes") +Signed-off-by: Joel Stanley +Reviewed-by: Andrew Jeffery +Link: https://lore.kernel.org/r/20220304011010.974863-1-joel@jms.id.au +Link: https://lore.kernel.org/r/20220304011010.974863-1-joel@jms.id.au' +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +index 6dde51c2aed3..e4775bbceecc 100644 +--- a/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi ++++ b/arch/arm/boot/dts/aspeed-g6-pinctrl.dtsi +@@ -118,7 +118,7 @@ pinctrl_fwspid_default: fwspid_default { + }; + + pinctrl_fwqspid_default: fwqspid_default { +- function = "FWQSPID"; ++ function = "FWSPID"; + groups = "FWQSPID"; + }; + +-- +2.34.1 + diff --git a/queue-5.16/arm64-dts-armada-3720-turris-mox-add-missing-etherne.patch b/queue-5.16/arm64-dts-armada-3720-turris-mox-add-missing-etherne.patch new file mode 100644 index 00000000000..6130bd4626a --- /dev/null +++ b/queue-5.16/arm64-dts-armada-3720-turris-mox-add-missing-etherne.patch @@ -0,0 +1,39 @@ +From 13291d53206d1f716a16f03e45e0657da866b36d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Jan 2022 19:20:06 +0100 +Subject: arm64: dts: armada-3720-turris-mox: Add missing ethernet0 alias +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit a0e897d1b36793fe0ab899f2fe93dff25c82f418 ] + +U-Boot uses ethernet* aliases for setting MAC addresses. Therefore define +also alias for ethernet0. + +Fixes: 7109d817db2e ("arm64: dts: marvell: add DTS for Turris Mox") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts +index 04da07ae4420..1eddf31d8bd8 100644 +--- a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts ++++ b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts +@@ -18,6 +18,7 @@ / { + + aliases { + spi0 = &spi0; ++ ethernet0 = ð0; + ethernet1 = ð1; + mmc0 = &sdhci0; + mmc1 = &sdhci1; +-- +2.34.1 + diff --git a/queue-5.16/arm64-dts-qcom-sm8350-correct-ufs-symbol-clocks.patch b/queue-5.16/arm64-dts-qcom-sm8350-correct-ufs-symbol-clocks.patch new file mode 100644 index 00000000000..dd6a5cd87fb --- /dev/null +++ b/queue-5.16/arm64-dts-qcom-sm8350-correct-ufs-symbol-clocks.patch @@ -0,0 +1,92 @@ +From fbde316c16e737cfe0fdb51b17a1987a400dab84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 08:20:58 -0800 +Subject: arm64: dts: qcom: sm8350: Correct UFS symbol clocks + +From: Bjorn Andersson + +[ Upstream commit 0fd4dcb607ce29110d6c0b481a98c4ff3d300551 ] + +The introduction of '9a61f813fcc8 ("clk: qcom: regmap-mux: fix parent +clock lookup")' broke UFS support on SM8350. + +The cause for this is that the symbol clocks have a specified rate in +the "freq-table-hz" table in the UFS node, which causes the UFS code to +request a rate change, for which the "bi_tcxo" happens to provide the +closest rate. Prior to the change in regmap-mux it was determined +(incorrectly) that no change was needed and everything worked. + +The rates of 75 and 300MHz matches the documentation for the symbol +clocks, but we don't represent the parent clocks today. So let's mimic +the configuration found in other platforms, by omitting the rate for the +symbol clocks as well to avoid the rate change. + +While at it also fill in the dummy symbol clocks that was dropped from +the GCC driver as it was upstreamed. + +Fixes: 59c7cf814783 ("arm64: dts: qcom: sm8350: Add UFS nodes") +Signed-off-by: Bjorn Andersson +Reviewed-by: Vinod Koul +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20211222162058.3418902-1-bjorn.andersson@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8350.dtsi | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi +index db102b293154..1a70a70ed056 100644 +--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi +@@ -34,6 +34,24 @@ sleep_clk: sleep-clk { + clock-frequency = <32000>; + #clock-cells = <0>; + }; ++ ++ ufs_phy_rx_symbol_0_clk: ufs-phy-rx-symbol-0 { ++ compatible = "fixed-clock"; ++ clock-frequency = <1000>; ++ #clock-cells = <0>; ++ }; ++ ++ ufs_phy_rx_symbol_1_clk: ufs-phy-rx-symbol-1 { ++ compatible = "fixed-clock"; ++ clock-frequency = <1000>; ++ #clock-cells = <0>; ++ }; ++ ++ ufs_phy_tx_symbol_0_clk: ufs-phy-tx-symbol-0 { ++ compatible = "fixed-clock"; ++ clock-frequency = <1000>; ++ #clock-cells = <0>; ++ }; + }; + + cpus { +@@ -602,9 +620,9 @@ gcc: clock-controller@100000 { + <0>, + <0>, + <0>, +- <0>, +- <0>, +- <0>, ++ <&ufs_phy_rx_symbol_0_clk>, ++ <&ufs_phy_rx_symbol_1_clk>, ++ <&ufs_phy_tx_symbol_0_clk>, + <0>, + <0>; + }; +@@ -1227,8 +1245,8 @@ ufs_mem_hc: ufshc@1d84000 { + <75000000 300000000>, + <0 0>, + <0 0>, +- <75000000 300000000>, +- <75000000 300000000>; ++ <0 0>, ++ <0 0>; + status = "disabled"; + }; + +-- +2.34.1 + diff --git a/queue-5.16/arm64-dts-qcom-sm8350-describe-gcc-dependency-clocks.patch b/queue-5.16/arm64-dts-qcom-sm8350-describe-gcc-dependency-clocks.patch new file mode 100644 index 00000000000..6efb01e5e64 --- /dev/null +++ b/queue-5.16/arm64-dts-qcom-sm8350-describe-gcc-dependency-clocks.patch @@ -0,0 +1,60 @@ +From 6ca45ee47303294ed4805944a308893fa9c07732 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Nov 2021 02:27:47 +0100 +Subject: arm64: dts: qcom: sm8350: Describe GCC dependency clocks + +From: Konrad Dybcio + +[ Upstream commit 9ea9eb36b3c046fc48e737db4de69f7acd12f9be ] + +Add all the clock names that the GCC driver expects to get via DT, so that the +clock handles can be filled as the development progresses. + +Signed-off-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211114012755.112226-8-konrad.dybcio@somainline.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sm8350.dtsi | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi +index c13858cf50dd..db102b293154 100644 +--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi ++++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi +@@ -583,8 +583,30 @@ gcc: clock-controller@100000 { + #clock-cells = <1>; + #reset-cells = <1>; + #power-domain-cells = <1>; +- clock-names = "bi_tcxo", "sleep_clk"; +- clocks = <&rpmhcc RPMH_CXO_CLK>, <&sleep_clk>; ++ clock-names = "bi_tcxo", ++ "sleep_clk", ++ "pcie_0_pipe_clk", ++ "pcie_1_pipe_clk", ++ "ufs_card_rx_symbol_0_clk", ++ "ufs_card_rx_symbol_1_clk", ++ "ufs_card_tx_symbol_0_clk", ++ "ufs_phy_rx_symbol_0_clk", ++ "ufs_phy_rx_symbol_1_clk", ++ "ufs_phy_tx_symbol_0_clk", ++ "usb3_phy_wrapper_gcc_usb30_pipe_clk", ++ "usb3_uni_phy_sec_gcc_usb30_pipe_clk"; ++ clocks = <&rpmhcc RPMH_CXO_CLK>, ++ <&sleep_clk>, ++ <0>, ++ <0>, ++ <0>, ++ <0>, ++ <0>, ++ <0>, ++ <0>, ++ <0>, ++ <0>, ++ <0>; + }; + + ipcc: mailbox@408000 { +-- +2.34.1 + diff --git a/queue-5.16/ax25-fix-null-pointer-dereference-in-ax25_kill_by_de.patch b/queue-5.16/ax25-fix-null-pointer-dereference-in-ax25_kill_by_de.patch new file mode 100644 index 00000000000..8eacae1fbdb --- /dev/null +++ b/queue-5.16/ax25-fix-null-pointer-dereference-in-ax25_kill_by_de.patch @@ -0,0 +1,65 @@ +From 9ae5cf35fbeb7086549850b93cc42b398680d020 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 16:12:23 +0800 +Subject: ax25: Fix NULL pointer dereference in ax25_kill_by_device + +From: Duoming Zhou + +[ Upstream commit 71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac ] + +When two ax25 devices attempted to establish connection, the requester use ax25_create(), +ax25_bind() and ax25_connect() to initiate connection. The receiver use ax25_rcv() to +accept connection and use ax25_create_cb() in ax25_rcv() to create ax25_cb, but the +ax25_cb->sk is NULL. When the receiver is detaching, a NULL pointer dereference bug +caused by sock_hold(sk) in ax25_kill_by_device() will happen. The corresponding +fail log is shown below: + +=============================================================== +BUG: KASAN: null-ptr-deref in ax25_device_event+0xfd/0x290 +Call Trace: +... +ax25_device_event+0xfd/0x290 +raw_notifier_call_chain+0x5e/0x70 +dev_close_many+0x174/0x220 +unregister_netdevice_many+0x1f7/0xa60 +unregister_netdevice_queue+0x12f/0x170 +unregister_netdev+0x13/0x20 +mkiss_close+0xcd/0x140 +tty_ldisc_release+0xc0/0x220 +tty_release_struct+0x17/0xa0 +tty_release+0x62d/0x670 +... + +This patch add condition check in ax25_kill_by_device(). If s->sk is +NULL, it will goto if branch to kill device. + +Fixes: 4e0f718daf97 ("ax25: improve the incomplete fix to avoid UAF and NPD bugs") +Reported-by: Thomas Osterried +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ax25/af_ax25.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 44a8730c26ac..00bb087c2ca8 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -87,6 +87,13 @@ static void ax25_kill_by_device(struct net_device *dev) + ax25_for_each(s, &ax25_list) { + if (s->ax25_dev == ax25_dev) { + sk = s->sk; ++ if (!sk) { ++ spin_unlock_bh(&ax25_list_lock); ++ s->ax25_dev = NULL; ++ ax25_disconnect(s, ENETUNREACH); ++ spin_lock_bh(&ax25_list_lock); ++ goto again; ++ } + sock_hold(sk); + spin_unlock_bh(&ax25_list_lock); + lock_sock(sk); +-- +2.34.1 + diff --git a/queue-5.16/clk-qcom-dispcc-update-the-transition-delay-for-mdss.patch b/queue-5.16/clk-qcom-dispcc-update-the-transition-delay-for-mdss.patch new file mode 100644 index 00000000000..a17732fea09 --- /dev/null +++ b/queue-5.16/clk-qcom-dispcc-update-the-transition-delay-for-mdss.patch @@ -0,0 +1,101 @@ +From 617d854ad38a8fd50a2feaa417faeff6b29d45d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Feb 2022 00:26:06 +0530 +Subject: clk: qcom: dispcc: Update the transition delay for MDSS GDSC + +From: Taniya Das + +[ Upstream commit 6e6fec3f961c00ca34ffb4bf2ad9febb4b499f8d ] + +On SC7180 we observe black screens because the gdsc is being +enabled/disabled very rapidly and the GDSC FSM state does not work as +expected. This is due to the fact that the GDSC reset value is being +updated from SW. + +The recommended transition delay for mdss core gdsc updated for +SC7180/SC7280/SM8250. + +Fixes: dd3d06622138 ("clk: qcom: Add display clock controller driver for SC7180") +Fixes: 1a00c962f9cd ("clk: qcom: Add display clock controller driver for SC7280") +Fixes: 80a18f4a8567 ("clk: qcom: Add display clock controller driver for SM8150 and SM8250") +Signed-off-by: Taniya Das +Link: https://lore.kernel.org/r/20220223185606.3941-2-tdas@codeaurora.org +Reviewed-by: Bjorn Andersson +[sboyd@kernel.org: lowercase hex] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/dispcc-sc7180.c | 5 ++++- + drivers/clk/qcom/dispcc-sc7280.c | 5 ++++- + drivers/clk/qcom/dispcc-sm8250.c | 5 ++++- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/qcom/dispcc-sc7180.c b/drivers/clk/qcom/dispcc-sc7180.c +index 538e4963c915..5d2ae297e741 100644 +--- a/drivers/clk/qcom/dispcc-sc7180.c ++++ b/drivers/clk/qcom/dispcc-sc7180.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Copyright (c) 2019, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2019, 2022, The Linux Foundation. All rights reserved. + */ + + #include +@@ -625,6 +625,9 @@ static struct clk_branch disp_cc_mdss_vsync_clk = { + + static struct gdsc mdss_gdsc = { + .gdscr = 0x3000, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "mdss_gdsc", + }, +diff --git a/drivers/clk/qcom/dispcc-sc7280.c b/drivers/clk/qcom/dispcc-sc7280.c +index 4ef4ae231794..ad596d567f6a 100644 +--- a/drivers/clk/qcom/dispcc-sc7280.c ++++ b/drivers/clk/qcom/dispcc-sc7280.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Copyright (c) 2021, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2021-2022, The Linux Foundation. All rights reserved. + */ + + #include +@@ -787,6 +787,9 @@ static struct clk_branch disp_cc_sleep_clk = { + + static struct gdsc disp_cc_mdss_core_gdsc = { + .gdscr = 0x1004, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "disp_cc_mdss_core_gdsc", + }, +diff --git a/drivers/clk/qcom/dispcc-sm8250.c b/drivers/clk/qcom/dispcc-sm8250.c +index 566fdfa0a15b..db9379634fb2 100644 +--- a/drivers/clk/qcom/dispcc-sm8250.c ++++ b/drivers/clk/qcom/dispcc-sm8250.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + /* +- * Copyright (c) 2018-2020, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2018-2020, 2022, The Linux Foundation. All rights reserved. + */ + + #include +@@ -1126,6 +1126,9 @@ static struct clk_branch disp_cc_mdss_vsync_clk = { + + static struct gdsc mdss_gdsc = { + .gdscr = 0x3000, ++ .en_rest_wait_val = 0x2, ++ .en_few_wait_val = 0x2, ++ .clk_dis_wait_val = 0xf, + .pd = { + .name = "mdss_gdsc", + }, +-- +2.34.1 + diff --git a/queue-5.16/clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch b/queue-5.16/clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch new file mode 100644 index 00000000000..8341a7f2b67 --- /dev/null +++ b/queue-5.16/clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch @@ -0,0 +1,119 @@ +From e9c424266bd273e3511aec7d025e69888803072b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Feb 2022 00:26:05 +0530 +Subject: clk: qcom: gdsc: Add support to update GDSC transition delay + +From: Taniya Das + +[ Upstream commit 4e7c4d3652f96f41179aab3ff53025c7a550d689 ] + +GDSCs have multiple transition delays which are used for the GDSC FSM +states. Older targets/designs required these values to be updated from +gdsc code to certain default values for the FSM state to work as +expected. But on the newer targets/designs the values updated from the +GDSC driver can hamper the FSM state to not work as expected. + +On SC7180 we observe black screens because the gdsc is being +enabled/disabled very rapidly and the GDSC FSM state does not work as +expected. This is due to the fact that the GDSC reset value is being +updated from SW. + +Thus add support to update the transition delay from the clock +controller gdscs as required. + +Fixes: 45dd0e55317cc ("clk: qcom: Add support for GDSCs) +Signed-off-by: Taniya Das +Link: https://lore.kernel.org/r/20220223185606.3941-1-tdas@codeaurora.org +Reviewed-by: Bjorn Andersson +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gdsc.c | 26 +++++++++++++++++++++----- + drivers/clk/qcom/gdsc.h | 8 +++++++- + 2 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/qcom/gdsc.c b/drivers/clk/qcom/gdsc.c +index 7e1dd8ccfa38..44520efc6c72 100644 +--- a/drivers/clk/qcom/gdsc.c ++++ b/drivers/clk/qcom/gdsc.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0-only + /* +- * Copyright (c) 2015, 2017-2018, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2015, 2017-2018, 2022, The Linux Foundation. All rights reserved. + */ + + #include +@@ -35,9 +35,14 @@ + #define CFG_GDSCR_OFFSET 0x4 + + /* Wait 2^n CXO cycles between all states. Here, n=2 (4 cycles). */ +-#define EN_REST_WAIT_VAL (0x2 << 20) +-#define EN_FEW_WAIT_VAL (0x8 << 16) +-#define CLK_DIS_WAIT_VAL (0x2 << 12) ++#define EN_REST_WAIT_VAL 0x2 ++#define EN_FEW_WAIT_VAL 0x8 ++#define CLK_DIS_WAIT_VAL 0x2 ++ ++/* Transition delay shifts */ ++#define EN_REST_WAIT_SHIFT 20 ++#define EN_FEW_WAIT_SHIFT 16 ++#define CLK_DIS_WAIT_SHIFT 12 + + #define RETAIN_MEM BIT(14) + #define RETAIN_PERIPH BIT(13) +@@ -380,7 +385,18 @@ static int gdsc_init(struct gdsc *sc) + */ + mask = HW_CONTROL_MASK | SW_OVERRIDE_MASK | + EN_REST_WAIT_MASK | EN_FEW_WAIT_MASK | CLK_DIS_WAIT_MASK; +- val = EN_REST_WAIT_VAL | EN_FEW_WAIT_VAL | CLK_DIS_WAIT_VAL; ++ ++ if (!sc->en_rest_wait_val) ++ sc->en_rest_wait_val = EN_REST_WAIT_VAL; ++ if (!sc->en_few_wait_val) ++ sc->en_few_wait_val = EN_FEW_WAIT_VAL; ++ if (!sc->clk_dis_wait_val) ++ sc->clk_dis_wait_val = CLK_DIS_WAIT_VAL; ++ ++ val = sc->en_rest_wait_val << EN_REST_WAIT_SHIFT | ++ sc->en_few_wait_val << EN_FEW_WAIT_SHIFT | ++ sc->clk_dis_wait_val << CLK_DIS_WAIT_SHIFT; ++ + ret = regmap_update_bits(sc->regmap, sc->gdscr, mask, val); + if (ret) + return ret; +diff --git a/drivers/clk/qcom/gdsc.h b/drivers/clk/qcom/gdsc.h +index d7cc4c21a9d4..ad313d7210bd 100644 +--- a/drivers/clk/qcom/gdsc.h ++++ b/drivers/clk/qcom/gdsc.h +@@ -1,6 +1,6 @@ + /* SPDX-License-Identifier: GPL-2.0-only */ + /* +- * Copyright (c) 2015, 2017-2018, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2015, 2017-2018, 2022, The Linux Foundation. All rights reserved. + */ + + #ifndef __QCOM_GDSC_H__ +@@ -22,6 +22,9 @@ struct reset_controller_dev; + * @cxcs: offsets of branch registers to toggle mem/periph bits in + * @cxc_count: number of @cxcs + * @pwrsts: Possible powerdomain power states ++ * @en_rest_wait_val: transition delay value for receiving enr ack signal ++ * @en_few_wait_val: transition delay value for receiving enf ack signal ++ * @clk_dis_wait_val: transition delay value for halting clock + * @resets: ids of resets associated with this gdsc + * @reset_count: number of @resets + * @rcdev: reset controller +@@ -36,6 +39,9 @@ struct gdsc { + unsigned int clamp_io_ctrl; + unsigned int *cxcs; + unsigned int cxc_count; ++ unsigned int en_rest_wait_val; ++ unsigned int en_few_wait_val; ++ unsigned int clk_dis_wait_val; + const u8 pwrsts; + /* Powerdomain allowable state bitfields */ + #define PWRSTS_OFF BIT(0) +-- +2.34.1 + diff --git a/queue-5.16/drivers-hamradio-6pack-fix-uaf-bug-caused-by-mod_tim.patch b/queue-5.16/drivers-hamradio-6pack-fix-uaf-bug-caused-by-mod_tim.patch new file mode 100644 index 00000000000..7d38558d2ae --- /dev/null +++ b/queue-5.16/drivers-hamradio-6pack-fix-uaf-bug-caused-by-mod_tim.patch @@ -0,0 +1,89 @@ +From 7ed07b83b56c4463a56c6ab9cfe76a6b39e0c1cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Feb 2022 09:43:03 +0800 +Subject: drivers: hamradio: 6pack: fix UAF bug caused by mod_timer() + +From: Duoming Zhou + +[ Upstream commit efe4186e6a1b54bf38b9e05450d43b0da1fd7739 ] + +When a 6pack device is detaching, the sixpack_close() will act to cleanup +necessary resources. Although del_timer_sync() in sixpack_close() +won't return if there is an active timer, one could use mod_timer() in +sp_xmit_on_air() to wake up timer again by calling userspace syscall such +as ax25_sendmsg(), ax25_connect() and ax25_ioctl(). + +This unexpected waked handler, sp_xmit_on_air(), realizes nothing about +the undergoing cleanup and may still call pty_write() to use driver layer +resources that have already been released. + +One of the possible race conditions is shown below: + + (USE) | (FREE) +ax25_sendmsg() | + ax25_queue_xmit() | + ... | + sp_xmit() | + sp_encaps() | sixpack_close() + sp_xmit_on_air() | del_timer_sync(&sp->tx_t) + mod_timer(&sp->tx_t,...) | ... + | unregister_netdev() + | ... + (wait a while) | tty_release() + | tty_release_struct() + | release_tty() + sp_xmit_on_air() | tty_kref_put(tty_struct) //FREE + pty_write(tty_struct) //USE | ... + +The corresponding fail log is shown below: +=============================================================== +BUG: KASAN: use-after-free in __run_timers.part.0+0x170/0x470 +Write of size 8 at addr ffff88800a652ab8 by task swapper/2/0 +... +Call Trace: + ... + queue_work_on+0x3f/0x50 + pty_write+0xcd/0xe0pty_write+0xcd/0xe0 + sp_xmit_on_air+0xb2/0x1f0 + call_timer_fn+0x28/0x150 + __run_timers.part.0+0x3c2/0x470 + run_timer_softirq+0x3b/0x80 + __do_softirq+0xf1/0x380 + ... + +This patch reorders the del_timer_sync() after the unregister_netdev() +to avoid UAF bugs. Because the unregister_netdev() is well synchronized, +it flushs out any pending queues, waits the refcount of net_device +decreases to zero and removes net_device from kernel. There is not any +running routines after executing unregister_netdev(). Therefore, we could +not arouse timer from userspace again. + +Signed-off-by: Duoming Zhou +Reviewed-by: Lin Ma +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/6pack.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c +index 8a19a06b505d..ff2bb3d80fac 100644 +--- a/drivers/net/hamradio/6pack.c ++++ b/drivers/net/hamradio/6pack.c +@@ -668,11 +668,11 @@ static void sixpack_close(struct tty_struct *tty) + */ + netif_stop_queue(sp->dev); + ++ unregister_netdev(sp->dev); ++ + del_timer_sync(&sp->tx_t); + del_timer_sync(&sp->resync_t); + +- unregister_netdev(sp->dev); +- + /* Free all 6pack frame buffers after unreg. */ + kfree(sp->rbuff); + kfree(sp->xbuff); +-- +2.34.1 + diff --git a/queue-5.16/drm-amdgpu-bypass-tiling-flag-check-in-virtual-displ.patch b/queue-5.16/drm-amdgpu-bypass-tiling-flag-check-in-virtual-displ.patch new file mode 100644 index 00000000000..b807ed72c14 --- /dev/null +++ b/queue-5.16/drm-amdgpu-bypass-tiling-flag-check-in-virtual-displ.patch @@ -0,0 +1,47 @@ +From 5574a5ce51b304d74c470c16248f94b4e767fc7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Feb 2022 13:05:26 +0800 +Subject: drm/amdgpu: bypass tiling flag check in virtual display case (v2) + +From: Guchun Chen + +[ Upstream commit e2b993302f40c4eb714ecf896dd9e1c5be7d4cd7 ] + +vkms leverages common amdgpu framebuffer creation, and +also as it does not support FB modifier, there is no need +to check tiling flags when initing framebuffer when virtual +display is enabled. + +This can fix below calltrace: + +amdgpu 0000:00:08.0: GFX9+ requires FB check based on format modifier +WARNING: CPU: 0 PID: 1023 at drivers/gpu/drm/amd/amdgpu/amdgpu_display.c:1150 amdgpu_display_framebuffer_init+0x8e7/0xb40 [amdgpu] + +v2: check adev->enable_virtual_display instead as vkms can be + enabled in bare metal as well. + +Signed-off-by: Leslie Shi +Signed-off-by: Guchun Chen +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +index dc50c05f23fc..5c08047adb59 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c +@@ -1145,7 +1145,7 @@ int amdgpu_display_framebuffer_init(struct drm_device *dev, + if (ret) + return ret; + +- if (!dev->mode_config.allow_fb_modifiers) { ++ if (!dev->mode_config.allow_fb_modifiers && !adev->enable_virtual_display) { + drm_WARN_ONCE(dev, adev->family >= AMDGPU_FAMILY_AI, + "GFX9+ requires FB check based on format modifier\n"); + ret = check_tiling_flags_gfx6(rfb); +-- +2.34.1 + diff --git a/queue-5.16/drm-i915-psr-set-sf-partial-frame-enable-also-on-ful.patch b/queue-5.16/drm-i915-psr-set-sf-partial-frame-enable-also-on-ful.patch new file mode 100644 index 00000000000..32d9329b14c --- /dev/null +++ b/queue-5.16/drm-i915-psr-set-sf-partial-frame-enable-also-on-ful.patch @@ -0,0 +1,108 @@ +From 0264f762270c6f87e929c3bb2d7a58ae9e155ab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 09:02:28 +0200 +Subject: drm/i915/psr: Set "SF Partial Frame Enable" also on full update +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jouni Högander + +[ Upstream commit 804f468853179b9b58af05c153c411931aa5b310 ] + +Currently we are observing occasional screen flickering when +PSR2 selective fetch is enabled. More specifically glitch seems +to happen on full frame update when cursor moves to coords +x = -1 or y = -1. + +According to Bspec SF Single full frame should not be set if +SF Partial Frame Enable is not set. This happened to be true for +ADLP as PSR2_MAN_TRK_CTL_ENABLE is always set and for ADL_P it's +actually "SF Partial Frame Enable" (Bit 31). + +Setting "SF Partial Frame Enable" bit also on full update seems to +fix screen flickering. + +Also make code more clear by setting PSR2_MAN_TRK_CTL_ENABLE +only if not on ADL_P. Bit 31 has different meaning in ADL_P. + +Bspec: 49274 + +v2: Fix Mihai Harpau email address +v3: Modify commit message and remove unnecessary comment + +Tested-by: Lyude Paul +Fixes: 7f6002e58025 ("drm/i915/display: Enable PSR2 selective fetch by default") +Reported-by: Lyude Paul +Cc: Mihai Harpau +Cc: José Roberto de Souza +Cc: Ville Syrjälä +Bugzilla: https://gitlab.freedesktop.org/drm/intel/-/issues/5077 +Signed-off-by: Jouni Högander +Reviewed-by: José Roberto de Souza +Signed-off-by: José Roberto de Souza +Link: https://patchwork.freedesktop.org/patch/msgid/20220225070228.855138-1-jouni.hogander@intel.com +(cherry picked from commit 8d5516d18b323cf7274d1cf5fe76f4a691f879c6) +Signed-off-by: Tvrtko Ursulin +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_psr.c | 16 ++++++++++++++-- + drivers/gpu/drm/i915/i915_reg.h | 1 + + 2 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_psr.c b/drivers/gpu/drm/i915/display/intel_psr.c +index 7a205fd5023b..3ba8b717e176 100644 +--- a/drivers/gpu/drm/i915/display/intel_psr.c ++++ b/drivers/gpu/drm/i915/display/intel_psr.c +@@ -1400,6 +1400,13 @@ static inline u32 man_trk_ctl_single_full_frame_bit_get(struct drm_i915_private + PSR2_MAN_TRK_CTL_SF_SINGLE_FULL_FRAME; + } + ++static inline u32 man_trk_ctl_partial_frame_bit_get(struct drm_i915_private *dev_priv) ++{ ++ return IS_ALDERLAKE_P(dev_priv) ? ++ ADLP_PSR2_MAN_TRK_CTL_SF_PARTIAL_FRAME_UPDATE : ++ PSR2_MAN_TRK_CTL_SF_PARTIAL_FRAME_UPDATE; ++} ++ + static void psr_force_hw_tracking_exit(struct intel_dp *intel_dp) + { + struct drm_i915_private *dev_priv = dp_to_i915(intel_dp); +@@ -1495,7 +1502,13 @@ static void psr2_man_trk_ctl_calc(struct intel_crtc_state *crtc_state, + { + struct intel_crtc *crtc = to_intel_crtc(crtc_state->uapi.crtc); + struct drm_i915_private *dev_priv = to_i915(crtc->base.dev); +- u32 val = PSR2_MAN_TRK_CTL_ENABLE; ++ u32 val = 0; ++ ++ if (!IS_ALDERLAKE_P(dev_priv)) ++ val = PSR2_MAN_TRK_CTL_ENABLE; ++ ++ /* SF partial frame enable has to be set even on full update */ ++ val |= man_trk_ctl_partial_frame_bit_get(dev_priv); + + if (full_update) { + /* +@@ -1515,7 +1528,6 @@ static void psr2_man_trk_ctl_calc(struct intel_crtc_state *crtc_state, + } else { + drm_WARN_ON(crtc_state->uapi.crtc->dev, clip->y1 % 4 || clip->y2 % 4); + +- val |= PSR2_MAN_TRK_CTL_SF_PARTIAL_FRAME_UPDATE; + val |= PSR2_MAN_TRK_CTL_SU_REGION_START_ADDR(clip->y1 / 4 + 1); + val |= PSR2_MAN_TRK_CTL_SU_REGION_END_ADDR(clip->y2 / 4 + 1); + } +diff --git a/drivers/gpu/drm/i915/i915_reg.h b/drivers/gpu/drm/i915/i915_reg.h +index 14ce8809efdd..e927776ae183 100644 +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -4738,6 +4738,7 @@ enum { + #define ADLP_PSR2_MAN_TRK_CTL_SU_REGION_START_ADDR(val) REG_FIELD_PREP(ADLP_PSR2_MAN_TRK_CTL_SU_REGION_START_ADDR_MASK, val) + #define ADLP_PSR2_MAN_TRK_CTL_SU_REGION_END_ADDR_MASK REG_GENMASK(12, 0) + #define ADLP_PSR2_MAN_TRK_CTL_SU_REGION_END_ADDR(val) REG_FIELD_PREP(ADLP_PSR2_MAN_TRK_CTL_SU_REGION_END_ADDR_MASK, val) ++#define ADLP_PSR2_MAN_TRK_CTL_SF_PARTIAL_FRAME_UPDATE REG_BIT(31) + #define ADLP_PSR2_MAN_TRK_CTL_SF_SINGLE_FULL_FRAME REG_BIT(14) + #define ADLP_PSR2_MAN_TRK_CTL_SF_CONTINUOS_FULL_FRAME REG_BIT(13) + +-- +2.34.1 + diff --git a/queue-5.16/drm-sun4i-mixer-fix-p010-and-p210-format-numbers.patch b/queue-5.16/drm-sun4i-mixer-fix-p010-and-p210-format-numbers.patch new file mode 100644 index 00000000000..6f8514ada56 --- /dev/null +++ b/queue-5.16/drm-sun4i-mixer-fix-p010-and-p210-format-numbers.patch @@ -0,0 +1,46 @@ +From adde11a4bd4482a437d64923a0277734e9d3b45f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 19:14:36 +0100 +Subject: drm/sun4i: mixer: Fix P010 and P210 format numbers + +From: Jernej Skrabec + +[ Upstream commit 9470c29faa91c804aa04de4c10634bf02462bfa5 ] + +It turns out that DE3 manual has inverted YUV and YVU format numbers for +P010 and P210. Invert them. + +This was tested by playing video decoded to P010 and additionally +confirmed by looking at BSP driver source. + +Fixes: 169ca4b38932 ("drm/sun4i: Add separate DE3 VI layer formats") +Signed-off-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20220228181436.1424550-1-jernej.skrabec@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun8i_mixer.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/sun4i/sun8i_mixer.h b/drivers/gpu/drm/sun4i/sun8i_mixer.h +index 145833a9d82d..5b3fbee18671 100644 +--- a/drivers/gpu/drm/sun4i/sun8i_mixer.h ++++ b/drivers/gpu/drm/sun4i/sun8i_mixer.h +@@ -111,10 +111,10 @@ + /* format 13 is semi-planar YUV411 VUVU */ + #define SUN8I_MIXER_FBFMT_YUV411 14 + /* format 15 doesn't exist */ +-/* format 16 is P010 YVU */ +-#define SUN8I_MIXER_FBFMT_P010_YUV 17 +-/* format 18 is P210 YVU */ +-#define SUN8I_MIXER_FBFMT_P210_YUV 19 ++#define SUN8I_MIXER_FBFMT_P010_YUV 16 ++/* format 17 is P010 YVU */ ++#define SUN8I_MIXER_FBFMT_P210_YUV 18 ++/* format 19 is P210 YVU */ + /* format 20 is packed YVU444 10-bit */ + /* format 21 is packed YUV444 10-bit */ + +-- +2.34.1 + diff --git a/queue-5.16/drm-vc4-hdmi-unregister-codec-device-on-unbind.patch b/queue-5.16/drm-vc4-hdmi-unregister-codec-device-on-unbind.patch new file mode 100644 index 00000000000..4aee440e5d5 --- /dev/null +++ b/queue-5.16/drm-vc4-hdmi-unregister-codec-device-on-unbind.patch @@ -0,0 +1,70 @@ +From e898d3f12efaeead25f13506cd5e646ebdb7a1f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Jan 2022 12:14:52 +0100 +Subject: drm/vc4: hdmi: Unregister codec device on unbind + +From: Maxime Ripard + +[ Upstream commit e40945ab7c7f966d0c37b7bd7b0596497dfe228d ] + +On bind we will register the HDMI codec device but we don't unregister +it on unbind, leading to a device leakage. Unregister our device at +unbind. + +Signed-off-by: Maxime Ripard +Reviewed-by: Javier Martinez Canillas +Link: https://patchwork.freedesktop.org/patch/msgid/20220127111452.222002-1-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_hdmi.c | 8 ++++++++ + drivers/gpu/drm/vc4/vc4_hdmi.h | 1 + + 2 files changed, 9 insertions(+) + +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c +index 24f11c07bc3c..2f53ba54b81a 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.c ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.c +@@ -1522,6 +1522,7 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *vc4_hdmi) + dev_err(dev, "Couldn't register the HDMI codec: %ld\n", PTR_ERR(codec_pdev)); + return PTR_ERR(codec_pdev); + } ++ vc4_hdmi->audio.codec_pdev = codec_pdev; + + dai_link->cpus = &vc4_hdmi->audio.cpu; + dai_link->codecs = &vc4_hdmi->audio.codec; +@@ -1561,6 +1562,12 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *vc4_hdmi) + + } + ++static void vc4_hdmi_audio_exit(struct vc4_hdmi *vc4_hdmi) ++{ ++ platform_device_unregister(vc4_hdmi->audio.codec_pdev); ++ vc4_hdmi->audio.codec_pdev = NULL; ++} ++ + static irqreturn_t vc4_hdmi_hpd_irq_thread(int irq, void *priv) + { + struct vc4_hdmi *vc4_hdmi = priv; +@@ -2299,6 +2306,7 @@ static void vc4_hdmi_unbind(struct device *dev, struct device *master, + kfree(vc4_hdmi->hdmi_regset.regs); + kfree(vc4_hdmi->hd_regset.regs); + ++ vc4_hdmi_audio_exit(vc4_hdmi); + vc4_hdmi_cec_exit(vc4_hdmi); + vc4_hdmi_hotplug_exit(vc4_hdmi); + vc4_hdmi_connector_destroy(&vc4_hdmi->connector); +diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.h b/drivers/gpu/drm/vc4/vc4_hdmi.h +index 33e9f665ab8e..c0492da73683 100644 +--- a/drivers/gpu/drm/vc4/vc4_hdmi.h ++++ b/drivers/gpu/drm/vc4/vc4_hdmi.h +@@ -113,6 +113,7 @@ struct vc4_hdmi_audio { + struct snd_soc_dai_link_component platform; + struct snd_dmaengine_dai_dma_data dma_data; + struct hdmi_audio_infoframe infoframe; ++ struct platform_device *codec_pdev; + bool streaming; + }; + +-- +2.34.1 + diff --git a/queue-5.16/esp-fix-beet-mode-inter-address-family-tunneling-on-.patch b/queue-5.16/esp-fix-beet-mode-inter-address-family-tunneling-on-.patch new file mode 100644 index 00000000000..19ae1f235e4 --- /dev/null +++ b/queue-5.16/esp-fix-beet-mode-inter-address-family-tunneling-on-.patch @@ -0,0 +1,53 @@ +From a7b4e1bc551a1fae691d74a9cf693f6326da5770 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 13:11:40 +0100 +Subject: esp: Fix BEET mode inter address family tunneling on GSO + +From: Steffen Klassert + +[ Upstream commit 053c8fdf2c930efdff5496960842bbb5c34ad43a ] + +The xfrm{4,6}_beet_gso_segment() functions did not correctly set the +SKB_GSO_IPXIP4 and SKB_GSO_IPXIP6 gso types for the address family +tunneling case. Fix this by setting these gso types. + +Fixes: 384a46ea7bdc7 ("esp4: add gso_segment for esp4 beet mode") +Fixes: 7f9e40eb18a99 ("esp6: add gso_segment for esp6 beet mode") +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv4/esp4_offload.c | 3 +++ + net/ipv6/esp6_offload.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c +index 8e4e9aa12130..dad5d29a6a8d 100644 +--- a/net/ipv4/esp4_offload.c ++++ b/net/ipv4/esp4_offload.c +@@ -159,6 +159,9 @@ static struct sk_buff *xfrm4_beet_gso_segment(struct xfrm_state *x, + skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV4; + } + ++ if (proto == IPPROTO_IPV6) ++ skb_shinfo(skb)->gso_type |= SKB_GSO_IPXIP4; ++ + __skb_pull(skb, skb_transport_offset(skb)); + ops = rcu_dereference(inet_offloads[proto]); + if (likely(ops && ops->callbacks.gso_segment)) +diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c +index a349d4798077..302170882382 100644 +--- a/net/ipv6/esp6_offload.c ++++ b/net/ipv6/esp6_offload.c +@@ -198,6 +198,9 @@ static struct sk_buff *xfrm6_beet_gso_segment(struct xfrm_state *x, + ipv6_skip_exthdr(skb, 0, &proto, &frag); + } + ++ if (proto == IPPROTO_IPIP) ++ skb_shinfo(skb)->gso_type |= SKB_GSO_IPXIP6; ++ + __skb_pull(skb, skb_transport_offset(skb)); + ops = rcu_dereference(inet6_offloads[proto]); + if (likely(ops && ops->callbacks.gso_segment)) +-- +2.34.1 + diff --git a/queue-5.16/esp-fix-possible-buffer-overflow-in-esp-transformati.patch b/queue-5.16/esp-fix-possible-buffer-overflow-in-esp-transformati.patch new file mode 100644 index 00000000000..c4ece047b88 --- /dev/null +++ b/queue-5.16/esp-fix-possible-buffer-overflow-in-esp-transformati.patch @@ -0,0 +1,92 @@ +From 01e2e3b55997fee3a841bff86809ae7c77f70847 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 13:11:39 +0100 +Subject: esp: Fix possible buffer overflow in ESP transformation + +From: Steffen Klassert + +[ Upstream commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 ] + +The maximum message size that can be send is bigger than +the maximum site that skb_page_frag_refill can allocate. +So it is possible to write beyond the allocated buffer. + +Fix this by doing a fallback to COW in that case. + +v2: + +Avoid get get_order() costs as suggested by Linus Torvalds. + +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Reported-by: valis +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + include/net/esp.h | 2 ++ + net/ipv4/esp4.c | 5 +++++ + net/ipv6/esp6.c | 5 +++++ + 3 files changed, 12 insertions(+) + +diff --git a/include/net/esp.h b/include/net/esp.h +index 9c5637d41d95..90cd02ff77ef 100644 +--- a/include/net/esp.h ++++ b/include/net/esp.h +@@ -4,6 +4,8 @@ + + #include + ++#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER) ++ + struct ip_esp_hdr; + + static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb) +diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c +index e1b1d080e908..70e6c87fbe3d 100644 +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -446,6 +446,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * + struct page *page; + struct sk_buff *trailer; + int tailen = esp->tailen; ++ unsigned int allocsz; + + /* this is non-NULL only with TCP/UDP Encapsulation */ + if (x->encap) { +@@ -455,6 +456,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * + return err; + } + ++ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); ++ if (allocsz > ESP_SKB_FRAG_MAXSIZE) ++ goto cow; ++ + if (!skb_cloned(skb)) { + if (tailen <= skb_tailroom(skb)) { + nfrags = 1; +diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c +index 883b53fd7846..b7b573085bd5 100644 +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -483,6 +483,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info + struct page *page; + struct sk_buff *trailer; + int tailen = esp->tailen; ++ unsigned int allocsz; + + if (x->encap) { + int err = esp6_output_encap(x, skb, esp); +@@ -491,6 +492,10 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info + return err; + } + ++ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); ++ if (allocsz > ESP_SKB_FRAG_MAXSIZE) ++ goto cow; ++ + if (!skb_cloned(skb)) { + if (tailen <= skb_tailroom(skb)) { + nfrags = 1; +-- +2.34.1 + diff --git a/queue-5.16/ethernet-fix-error-handling-in-xemaclite_of_probe.patch b/queue-5.16/ethernet-fix-error-handling-in-xemaclite_of_probe.patch new file mode 100644 index 00000000000..0c290e37aba --- /dev/null +++ b/queue-5.16/ethernet-fix-error-handling-in-xemaclite_of_probe.patch @@ -0,0 +1,48 @@ +From 6b8262d20e58b557e536ac77e6e8aa587ddf1895 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 02:47:49 +0000 +Subject: ethernet: Fix error handling in xemaclite_of_probe + +From: Miaoqian Lin + +[ Upstream commit b19ab4b38b06aae12442b2de95ccf58b5dc53584 ] + +This node pointer is returned by of_parse_phandle() with refcount +incremented in this function. Calling of_node_put() to avoid the +refcount leak. As the remove function do. + +Fixes: 5cdaaa12866e ("net: emaclite: adding MDIO and phy lib support") +Signed-off-by: Miaoqian Lin +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220308024751.2320-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +index 0815de581c7f..7ae67b054191 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c ++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +@@ -1186,7 +1186,7 @@ static int xemaclite_of_probe(struct platform_device *ofdev) + if (rc) { + dev_err(dev, + "Cannot register network device, aborting\n"); +- goto error; ++ goto put_node; + } + + dev_info(dev, +@@ -1194,6 +1194,8 @@ static int xemaclite_of_probe(struct platform_device *ofdev) + (unsigned long __force)ndev->mem_start, lp->base_addr, ndev->irq); + return 0; + ++put_node: ++ of_node_put(lp->phy_node); + error: + free_netdev(ndev); + return rc; +-- +2.34.1 + diff --git a/queue-5.16/gianfar-ethtool-fix-refcount-leak-in-gfar_get_ts_inf.patch b/queue-5.16/gianfar-ethtool-fix-refcount-leak-in-gfar_get_ts_inf.patch new file mode 100644 index 00000000000..1dc1155fba9 --- /dev/null +++ b/queue-5.16/gianfar-ethtool-fix-refcount-leak-in-gfar_get_ts_inf.patch @@ -0,0 +1,39 @@ +From bf859b480a821d000649d747fc8902dfe801f1c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Mar 2022 01:53:13 +0000 +Subject: gianfar: ethtool: Fix refcount leak in gfar_get_ts_info + +From: Miaoqian Lin + +[ Upstream commit 2ac5b58e645c66932438bb021cb5b52097ce70b0 ] + +The of_find_compatible_node() function returns a node pointer with +refcount incremented, We should use of_node_put() on it when done +Add the missing of_node_put() to release the refcount. + +Fixes: 7349a74ea75c ("net: ethernet: gianfar_ethtool: get phc index through drvdata") +Signed-off-by: Miaoqian Lin +Reviewed-by: Jesse Brandeburg +Reviewed-by: Claudiu Manoil +Link: https://lore.kernel.org/r/20220310015313.14938-1-linmq006@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/gianfar_ethtool.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/freescale/gianfar_ethtool.c b/drivers/net/ethernet/freescale/gianfar_ethtool.c +index 7b32ed29bf4c..8c17fe5d66ed 100644 +--- a/drivers/net/ethernet/freescale/gianfar_ethtool.c ++++ b/drivers/net/ethernet/freescale/gianfar_ethtool.c +@@ -1460,6 +1460,7 @@ static int gfar_get_ts_info(struct net_device *dev, + ptp_node = of_find_compatible_node(NULL, NULL, "fsl,etsec-ptp"); + if (ptp_node) { + ptp_dev = of_find_device_by_node(ptp_node); ++ of_node_put(ptp_node); + if (ptp_dev) + ptp = platform_get_drvdata(ptp_dev); + } +-- +2.34.1 + diff --git a/queue-5.16/gpio-return-eprobe_defer-if-gc-to_irq-is-null.patch b/queue-5.16/gpio-return-eprobe_defer-if-gc-to_irq-is-null.patch new file mode 100644 index 00000000000..4a7805d8f28 --- /dev/null +++ b/queue-5.16/gpio-return-eprobe_defer-if-gc-to_irq-is-null.patch @@ -0,0 +1,72 @@ +From 103bea194821775c2400b039884171649c41e081 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Feb 2022 01:56:55 +0530 +Subject: gpio: Return EPROBE_DEFER if gc->to_irq is NULL + +From: Shreeya Patel + +[ Upstream commit ae42f9288846353982e2eab181fb41e7fd8bf60f ] + +We are racing the registering of .to_irq when probing the +i2c driver. This results in random failure of touchscreen +devices. + +Following explains the race condition better. + +[gpio driver] gpio driver registers gpio chip +[gpio consumer] gpio is acquired +[gpio consumer] gpiod_to_irq() fails with -ENXIO +[gpio driver] gpio driver registers irqchip +gpiod_to_irq works at this point, but -ENXIO is fatal + +We could see the following errors in dmesg logs when gc->to_irq is NULL + +[2.101857] i2c_hid i2c-FTS3528:00: HID over i2c has not been provided an Int IRQ +[2.101953] i2c_hid: probe of i2c-FTS3528:00 failed with error -22 + +To avoid this situation, defer probing until to_irq is registered. +Returning -EPROBE_DEFER would be the first step towards avoiding +the failure of devices due to the race in registration of .to_irq. +Final solution to this issue would be to avoid using gc irq members +until they are fully initialized. + +This issue has been reported many times in past and people have been +using workarounds like changing the pinctrl_amd to built-in instead +of loading it as a module or by adding a softdep for pinctrl_amd into +the config file. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=209413 +Reviewed-by: Linus Walleij +Reviewed-by: Andy Shevchenko +Reported-by: kernel test robot +Signed-off-by: Shreeya Patel +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index a1dca6dc03b4..dcb0dca651ac 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -3121,6 +3121,16 @@ int gpiod_to_irq(const struct gpio_desc *desc) + + return retirq; + } ++#ifdef CONFIG_GPIOLIB_IRQCHIP ++ if (gc->irq.chip) { ++ /* ++ * Avoid race condition with other code, which tries to lookup ++ * an IRQ before the irqchip has been properly registered, ++ * i.e. while gpiochip is still being brought up. ++ */ ++ return -EPROBE_DEFER; ++ } ++#endif + return -ENXIO; + } + EXPORT_SYMBOL_GPL(gpiod_to_irq); +-- +2.34.1 + diff --git a/queue-5.16/gpio-ts4900-do-not-set-dat-and-oe-together.patch b/queue-5.16/gpio-ts4900-do-not-set-dat-and-oe-together.patch new file mode 100644 index 00000000000..832a5c75d24 --- /dev/null +++ b/queue-5.16/gpio-ts4900-do-not-set-dat-and-oe-together.patch @@ -0,0 +1,82 @@ +From d5756954692e7c8be5d0c29cc3b610e4da33ab96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 17:16:16 -0800 +Subject: gpio: ts4900: Do not set DAT and OE together + +From: Mark Featherston + +[ Upstream commit 03fe003547975680fdb9ff5ab0e41cb68276c4f2 ] + +This works around an issue with the hardware where both OE and +DAT are exposed in the same register. If both are updated +simultaneously, the harware makes no guarantees that OE or DAT +will actually change in any given order and may result in a +glitch of a few ns on a GPIO pin when changing direction and value +in a single write. + +Setting direction to input now only affects OE bit. Setting +direction to output updates DAT first, then OE. + +Fixes: 9c6686322d74 ("gpio: add Technologic I2C-FPGA gpio support") +Signed-off-by: Mark Featherston +Signed-off-by: Kris Bahnsen +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-ts4900.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpio/gpio-ts4900.c b/drivers/gpio/gpio-ts4900.c +index d885032cf814..d918d2df4de2 100644 +--- a/drivers/gpio/gpio-ts4900.c ++++ b/drivers/gpio/gpio-ts4900.c +@@ -1,7 +1,7 @@ + /* + * Digital I/O driver for Technologic Systems I2C FPGA Core + * +- * Copyright (C) 2015 Technologic Systems ++ * Copyright (C) 2015, 2018 Technologic Systems + * Copyright (C) 2016 Savoir-Faire Linux + * + * This program is free software; you can redistribute it and/or +@@ -55,19 +55,33 @@ static int ts4900_gpio_direction_input(struct gpio_chip *chip, + { + struct ts4900_gpio_priv *priv = gpiochip_get_data(chip); + +- /* +- * This will clear the output enable bit, the other bits are +- * dontcare when this is cleared ++ /* Only clear the OE bit here, requires a RMW. Prevents potential issue ++ * with OE and data getting to the physical pin at different times. + */ +- return regmap_write(priv->regmap, offset, 0); ++ return regmap_update_bits(priv->regmap, offset, TS4900_GPIO_OE, 0); + } + + static int ts4900_gpio_direction_output(struct gpio_chip *chip, + unsigned int offset, int value) + { + struct ts4900_gpio_priv *priv = gpiochip_get_data(chip); ++ unsigned int reg; + int ret; + ++ /* If changing from an input to an output, we need to first set the ++ * proper data bit to what is requested and then set OE bit. This ++ * prevents a glitch that can occur on the IO line ++ */ ++ regmap_read(priv->regmap, offset, ®); ++ if (!(reg & TS4900_GPIO_OE)) { ++ if (value) ++ reg = TS4900_GPIO_OUT; ++ else ++ reg &= ~TS4900_GPIO_OUT; ++ ++ regmap_write(priv->regmap, offset, reg); ++ } ++ + if (value) + ret = regmap_write(priv->regmap, offset, TS4900_GPIO_OE | + TS4900_GPIO_OUT); +-- +2.34.1 + diff --git a/queue-5.16/gpiolib-acpi-convert-acpi-value-of-debounce-to-micro.patch b/queue-5.16/gpiolib-acpi-convert-acpi-value-of-debounce-to-micro.patch new file mode 100644 index 00000000000..68093fc931e --- /dev/null +++ b/queue-5.16/gpiolib-acpi-convert-acpi-value-of-debounce-to-micro.patch @@ -0,0 +1,78 @@ +From 58ca7ef4ef8ff55098dfcd3756b3953c0fd897a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 13:56:23 +0200 +Subject: gpiolib: acpi: Convert ACPI value of debounce to microseconds + +From: Andy Shevchenko + +[ Upstream commit 660c619b9d7ccd28648ee3766cdbe94ec7b27402 ] + +It appears that GPIO ACPI library uses ACPI debounce values directly. +However, the GPIO library APIs expect the debounce timeout to be in +microseconds. + +Convert ACPI value of debounce to microseconds. + +While at it, document this detail where it is appropriate. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215664 +Reported-by: Kai-Heng Feng +Fixes: 8dcb7a15a585 ("gpiolib: acpi: Take into account debounce settings") +Signed-off-by: Andy Shevchenko +Tested-by: Kai-Heng Feng +Reviewed-by: Mika Westerberg +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpiolib-acpi.c | 6 ++++-- + drivers/gpio/gpiolib.c | 10 ++++++++++ + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c +index feb8157d2d67..c49b3b5334cd 100644 +--- a/drivers/gpio/gpiolib-acpi.c ++++ b/drivers/gpio/gpiolib-acpi.c +@@ -308,7 +308,8 @@ static struct gpio_desc *acpi_request_own_gpiod(struct gpio_chip *chip, + if (IS_ERR(desc)) + return desc; + +- ret = gpio_set_debounce_timeout(desc, agpio->debounce_timeout); ++ /* ACPI uses hundredths of milliseconds units */ ++ ret = gpio_set_debounce_timeout(desc, agpio->debounce_timeout * 10); + if (ret) + dev_warn(chip->parent, + "Failed to set debounce-timeout for pin 0x%04X, err %d\n", +@@ -1049,7 +1050,8 @@ int acpi_dev_gpio_irq_get_by(struct acpi_device *adev, const char *name, int ind + if (ret < 0) + return ret; + +- ret = gpio_set_debounce_timeout(desc, info.debounce); ++ /* ACPI uses hundredths of milliseconds units */ ++ ret = gpio_set_debounce_timeout(desc, info.debounce * 10); + if (ret) + return ret; + +diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c +index abfbf546d159..a1dca6dc03b4 100644 +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -2191,6 +2191,16 @@ static int gpio_set_bias(struct gpio_desc *desc) + return gpio_set_config_with_argument_optional(desc, bias, arg); + } + ++/** ++ * gpio_set_debounce_timeout() - Set debounce timeout ++ * @desc: GPIO descriptor to set the debounce timeout ++ * @debounce: Debounce timeout in microseconds ++ * ++ * The function calls the certain GPIO driver to set debounce timeout ++ * in the hardware. ++ * ++ * Returns 0 on success, or negative error code otherwise. ++ */ + int gpio_set_debounce_timeout(struct gpio_desc *desc, unsigned int debounce) + { + return gpio_set_config_with_argument_optional(desc, +-- +2.34.1 + diff --git a/queue-5.16/hid-elo-revert-usb-reference-counting.patch b/queue-5.16/hid-elo-revert-usb-reference-counting.patch new file mode 100644 index 00000000000..b4cd1537618 --- /dev/null +++ b/queue-5.16/hid-elo-revert-usb-reference-counting.patch @@ -0,0 +1,68 @@ +From dce1b0f691c8f3b632d88596a29a387e33b1bea4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Feb 2022 14:13:49 +0100 +Subject: HID: elo: Revert USB reference counting + +From: Jiri Kosina + +[ Upstream commit ac89895213d8950dba6ab342863a0959f73142a7 ] + +Commit 817b8b9c539 ("HID: elo: fix memory leak in elo_probe") introduced +memory leak on error path, but more importantly the whole USB reference +counting is not needed at all in the first place, as the driver itself +doesn't change the reference counting in any way, and the associated +usb_device is guaranteed to be kept around by USB core as long as the +driver binding exists. + +Reported-by: Alan Stern +Reported-by: Dan Carpenter +Fixes: fbf42729d0e ("HID: elo: update the reference count of the usb device structure") +Fixes: 817b8b9c539 ("HID: elo: fix memory leak in elo_probe") +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-elo.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/hid/hid-elo.c b/drivers/hid/hid-elo.c +index 9b42b0cdeef0..2876cb6a7dca 100644 +--- a/drivers/hid/hid-elo.c ++++ b/drivers/hid/hid-elo.c +@@ -228,7 +228,6 @@ static int elo_probe(struct hid_device *hdev, const struct hid_device_id *id) + { + struct elo_priv *priv; + int ret; +- struct usb_device *udev; + + if (!hid_is_usb(hdev)) + return -EINVAL; +@@ -238,8 +237,7 @@ static int elo_probe(struct hid_device *hdev, const struct hid_device_id *id) + return -ENOMEM; + + INIT_DELAYED_WORK(&priv->work, elo_work); +- udev = interface_to_usbdev(to_usb_interface(hdev->dev.parent)); +- priv->usbdev = usb_get_dev(udev); ++ priv->usbdev = interface_to_usbdev(to_usb_interface(hdev->dev.parent)); + + hid_set_drvdata(hdev, priv); + +@@ -262,7 +260,6 @@ static int elo_probe(struct hid_device *hdev, const struct hid_device_id *id) + + return 0; + err_free: +- usb_put_dev(udev); + kfree(priv); + return ret; + } +@@ -271,8 +268,6 @@ static void elo_remove(struct hid_device *hdev) + { + struct elo_priv *priv = hid_get_drvdata(hdev); + +- usb_put_dev(priv->usbdev); +- + hid_hw_stop(hdev); + cancel_delayed_work_sync(&priv->work); + kfree(priv); +-- +2.34.1 + diff --git a/queue-5.16/hid-hid-thrustmaster-fix-oob-read-in-thrustmaster_in.patch b/queue-5.16/hid-hid-thrustmaster-fix-oob-read-in-thrustmaster_in.patch new file mode 100644 index 00000000000..578e076b85f --- /dev/null +++ b/queue-5.16/hid-hid-thrustmaster-fix-oob-read-in-thrustmaster_in.patch @@ -0,0 +1,47 @@ +From 35371375f31fb2a8de62374ca308b730409bf55c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Feb 2022 19:01:14 +0300 +Subject: HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts + +From: Pavel Skripkin + +[ Upstream commit fc3ef2e3297b3c0e2006b5d7b3d66965e3392036 ] + +Syzbot reported an slab-out-of-bounds Read in thrustmaster_probe() bug. +The root case is in missing validation check of actual number of endpoints. + +Code should not blindly access usb_host_interface::endpoint array, since +it may contain less endpoints than code expects. + +Fix it by adding missing validaion check and print an error if +number of endpoints do not match expected number + +Fixes: c49c33637802 ("HID: support for initialization of some Thrustmaster wheels") +Reported-and-tested-by: syzbot+35eebd505e97d315d01c@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-thrustmaster.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c +index 03b935ff02d5..9da4240530dd 100644 +--- a/drivers/hid/hid-thrustmaster.c ++++ b/drivers/hid/hid-thrustmaster.c +@@ -158,6 +158,12 @@ static void thrustmaster_interrupts(struct hid_device *hdev) + return; + } + ++ if (usbif->cur_altsetting->desc.bNumEndpoints < 2) { ++ kfree(send_buf); ++ hid_err(hdev, "Wrong number of endpoints?\n"); ++ return; ++ } ++ + ep = &usbif->cur_altsetting->endpoint[1]; + b_ep = ep->desc.bEndpointAddress; + +-- +2.34.1 + diff --git a/queue-5.16/hid-nintendo-check-the-return-value-of-alloc_workque.patch b/queue-5.16/hid-nintendo-check-the-return-value-of-alloc_workque.patch new file mode 100644 index 00000000000..7522d59ece0 --- /dev/null +++ b/queue-5.16/hid-nintendo-check-the-return-value-of-alloc_workque.patch @@ -0,0 +1,41 @@ +From e02907a6667ed180bc6bbcd6b671afbba7c9beb4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Feb 2022 19:41:10 -0800 +Subject: HID: nintendo: check the return value of alloc_workqueue() + +From: Jia-Ju Bai + +[ Upstream commit fe23b6bbeac40de957724b90a88d46fb336e29a9 ] + +The function alloc_workqueue() in nintendo_hid_probe() can fail, but +there is no check of its return value. To fix this bug, its return value +should be checked with new error handling code. + +Fixes: c4eae84feff3e ("HID: nintendo: add rumble support") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Reviewed-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-nintendo.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-nintendo.c b/drivers/hid/hid-nintendo.c +index b6a9a0f3966e..2204de889739 100644 +--- a/drivers/hid/hid-nintendo.c ++++ b/drivers/hid/hid-nintendo.c +@@ -2128,6 +2128,10 @@ static int nintendo_hid_probe(struct hid_device *hdev, + spin_lock_init(&ctlr->lock); + ctlr->rumble_queue = alloc_workqueue("hid-nintendo-rumble_wq", + WQ_FREEZABLE | WQ_MEM_RECLAIM, 0); ++ if (!ctlr->rumble_queue) { ++ ret = -ENOMEM; ++ goto err; ++ } + INIT_WORK(&ctlr->rumble_worker, joycon_rumble_worker); + + ret = hid_parse(hdev); +-- +2.34.1 + diff --git a/queue-5.16/hid-vivaldi-fix-sysfs-attributes-leak.patch b/queue-5.16/hid-vivaldi-fix-sysfs-attributes-leak.patch new file mode 100644 index 00000000000..92541f26ad3 --- /dev/null +++ b/queue-5.16/hid-vivaldi-fix-sysfs-attributes-leak.patch @@ -0,0 +1,43 @@ +From 2693c302d1ebf1941a60c5a9e57746440e1293fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 17:18:58 -0800 +Subject: HID: vivaldi: fix sysfs attributes leak + +From: Dmitry Torokhov + +[ Upstream commit cc71d37fd1f11e0495b1cf580909ebea37eaa886 ] + +The driver creates the top row map sysfs attribute in input_configured() +method; unfortunately we do not have a callback that is executed when HID +interface is unbound, thus we are leaking these sysfs attributes, for +example when device is disconnected. + +To fix it let's switch to managed version of adding sysfs attributes which +will ensure that they are destroyed when the driver is unbound. + +Fixes: 14c9c014babe ("HID: add vivaldi HID driver") +Signed-off-by: Dmitry Torokhov +Tested-by: Stephen Boyd +Reviewed-by: Stephen Boyd +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-vivaldi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-vivaldi.c b/drivers/hid/hid-vivaldi.c +index 576518e704ee..d57ec1767037 100644 +--- a/drivers/hid/hid-vivaldi.c ++++ b/drivers/hid/hid-vivaldi.c +@@ -143,7 +143,7 @@ static void vivaldi_feature_mapping(struct hid_device *hdev, + static int vivaldi_input_configured(struct hid_device *hdev, + struct hid_input *hidinput) + { +- return sysfs_create_group(&hdev->dev.kobj, &input_attribute_group); ++ return devm_device_add_group(&hdev->dev, &input_attribute_group); + } + + static const struct hid_device_id vivaldi_table[] = { +-- +2.34.1 + diff --git a/queue-5.16/hwmon-pmbus-clear-pmbus-fault-warning-bits-after-rea.patch b/queue-5.16/hwmon-pmbus-clear-pmbus-fault-warning-bits-after-rea.patch new file mode 100644 index 00000000000..4132639d686 --- /dev/null +++ b/queue-5.16/hwmon-pmbus-clear-pmbus-fault-warning-bits-after-rea.patch @@ -0,0 +1,42 @@ +From 7ebe4e256b03dd1a03452557c68ff8ae08ddddd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Feb 2022 13:12:53 +0000 +Subject: hwmon: (pmbus) Clear pmbus fault/warning bits after read + +From: Vikash Chandola + +[ Upstream commit 35f165f08950a876f1b95a61d79c93678fba2fd6 ] + +Almost all fault/warning bits in pmbus status registers remain set even +after fault/warning condition are removed. As per pmbus specification +these faults must be cleared by user. +Modify hwmon behavior to clear fault/warning bit after fetching data if +fault/warning bit was set. This allows to get fresh data in next read. + +Signed-off-by: Vikash Chandola +Link: https://lore.kernel.org/r/20220222131253.2426834-1-vikash.chandola@linux.intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/pmbus_core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c +index 776ee2237be2..ac2fbee1ba9c 100644 +--- a/drivers/hwmon/pmbus/pmbus_core.c ++++ b/drivers/hwmon/pmbus/pmbus_core.c +@@ -911,6 +911,11 @@ static int pmbus_get_boolean(struct i2c_client *client, struct pmbus_boolean *b, + pmbus_update_sensor_data(client, s2); + + regval = status & mask; ++ if (regval) { ++ ret = pmbus_write_byte_data(client, page, reg, regval); ++ if (ret) ++ goto unlock; ++ } + if (s1 && s2) { + s64 v1, v2; + +-- +2.34.1 + diff --git a/queue-5.16/i40e-stop-disabling-vfs-due-to-pf-error-responses.patch b/queue-5.16/i40e-stop-disabling-vfs-due-to-pf-error-responses.patch new file mode 100644 index 00000000000..4ffe58a47d6 --- /dev/null +++ b/queue-5.16/i40e-stop-disabling-vfs-due-to-pf-error-responses.patch @@ -0,0 +1,238 @@ +From 2bb061cd575022cf1ccaef9fcddfa1434e72524e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Feb 2022 16:51:35 -0800 +Subject: i40e: stop disabling VFs due to PF error responses + +From: Jacob Keller + +[ Upstream commit 5710ab79166504013f7c0ae6a57e7d2fd26e5c43 ] + +The i40e_vc_send_msg_to_vf_ex (and its wrapper i40e_vc_send_msg_to_vf) +function has logic to detect "failure" responses sent to the VF. If a VF +is sent more than I40E_DEFAULT_NUM_INVALID_MSGS_ALLOWED, then the VF is +marked as disabled. In either case, a dev_info message is printed +stating that a VF opcode failed. + +This logic originates from the early implementation of VF support in +commit 5c3c48ac6bf5 ("i40e: implement virtual device interface"). + +That commit did not go far enough. The "logic" for this behavior seems +to be that error responses somehow indicate a malicious VF. This is not +really true. The PF might be sending an error for any number of reasons +such as lacking resources, an unsupported operation, etc. This does not +indicate a malicious VF. We already have a separate robust malicious VF +detection which relies on hardware logic to detect and prevent a variety +of behaviors. + +There is no justification for this behavior in the original +implementation. In fact, a later commit 18b7af57d9c1 ("i40e: Lower some +message levels") reduced the opcode failure message from a dev_err to a +dev_info. In addition, recent commit 01cbf50877e6 ("i40e: Fix to not +show opcode msg on unsuccessful VF MAC change") changed the logic to +allow quieting it for expected failures. + +That commit prevented this logic from kicking in for specific +circumstances. This change did not go far enough. The behavior is not +documented nor is it part of any requirement for our products. Other +operating systems such as the FreeBSD implementation of our driver do +not include this logic. + +It is clear this check does not make sense, and causes problems which +led to ugly workarounds. + +Fix this by just removing the entire logic and the need for the +i40e_vc_send_msg_to_vf_ex function. + +Fixes: 01cbf50877e6 ("i40e: Fix to not show opcode msg on unsuccessful VF MAC change") +Fixes: 5c3c48ac6bf5 ("i40e: implement virtual device interface") +Signed-off-by: Jacob Keller +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/i40e/i40e_debugfs.c | 6 +- + .../ethernet/intel/i40e/i40e_virtchnl_pf.c | 57 +++---------------- + .../ethernet/intel/i40e/i40e_virtchnl_pf.h | 5 -- + 3 files changed, 9 insertions(+), 59 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +index 1e57cc8c47d7..9db5001297c7 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_debugfs.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_debugfs.c +@@ -742,10 +742,8 @@ static void i40e_dbg_dump_vf(struct i40e_pf *pf, int vf_id) + vsi = pf->vsi[vf->lan_vsi_idx]; + dev_info(&pf->pdev->dev, "vf %2d: VSI id=%d, seid=%d, qps=%d\n", + vf_id, vf->lan_vsi_id, vsi->seid, vf->num_queue_pairs); +- dev_info(&pf->pdev->dev, " num MDD=%lld, invalid msg=%lld, valid msg=%lld\n", +- vf->num_mdd_events, +- vf->num_invalid_msgs, +- vf->num_valid_msgs); ++ dev_info(&pf->pdev->dev, " num MDD=%lld\n", ++ vf->num_mdd_events); + } else { + dev_info(&pf->pdev->dev, "invalid VF id %d\n", vf_id); + } +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +index c6f643e54c4f..babf8b7fa767 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c +@@ -1917,19 +1917,17 @@ int i40e_pci_sriov_configure(struct pci_dev *pdev, int num_vfs) + /***********************virtual channel routines******************/ + + /** +- * i40e_vc_send_msg_to_vf_ex ++ * i40e_vc_send_msg_to_vf + * @vf: pointer to the VF info + * @v_opcode: virtual channel opcode + * @v_retval: virtual channel return value + * @msg: pointer to the msg buffer + * @msglen: msg length +- * @is_quiet: true for not printing unsuccessful return values, false otherwise + * + * send msg to VF + **/ +-static int i40e_vc_send_msg_to_vf_ex(struct i40e_vf *vf, u32 v_opcode, +- u32 v_retval, u8 *msg, u16 msglen, +- bool is_quiet) ++static int i40e_vc_send_msg_to_vf(struct i40e_vf *vf, u32 v_opcode, ++ u32 v_retval, u8 *msg, u16 msglen) + { + struct i40e_pf *pf; + struct i40e_hw *hw; +@@ -1944,25 +1942,6 @@ static int i40e_vc_send_msg_to_vf_ex(struct i40e_vf *vf, u32 v_opcode, + hw = &pf->hw; + abs_vf_id = vf->vf_id + hw->func_caps.vf_base_id; + +- /* single place to detect unsuccessful return values */ +- if (v_retval && !is_quiet) { +- vf->num_invalid_msgs++; +- dev_info(&pf->pdev->dev, "VF %d failed opcode %d, retval: %d\n", +- vf->vf_id, v_opcode, v_retval); +- if (vf->num_invalid_msgs > +- I40E_DEFAULT_NUM_INVALID_MSGS_ALLOWED) { +- dev_err(&pf->pdev->dev, +- "Number of invalid messages exceeded for VF %d\n", +- vf->vf_id); +- dev_err(&pf->pdev->dev, "Use PF Control I/F to enable the VF\n"); +- set_bit(I40E_VF_STATE_DISABLED, &vf->vf_states); +- } +- } else { +- vf->num_valid_msgs++; +- /* reset the invalid counter, if a valid message is received. */ +- vf->num_invalid_msgs = 0; +- } +- + aq_ret = i40e_aq_send_msg_to_vf(hw, abs_vf_id, v_opcode, v_retval, + msg, msglen, NULL); + if (aq_ret) { +@@ -1975,23 +1954,6 @@ static int i40e_vc_send_msg_to_vf_ex(struct i40e_vf *vf, u32 v_opcode, + return 0; + } + +-/** +- * i40e_vc_send_msg_to_vf +- * @vf: pointer to the VF info +- * @v_opcode: virtual channel opcode +- * @v_retval: virtual channel return value +- * @msg: pointer to the msg buffer +- * @msglen: msg length +- * +- * send msg to VF +- **/ +-static int i40e_vc_send_msg_to_vf(struct i40e_vf *vf, u32 v_opcode, +- u32 v_retval, u8 *msg, u16 msglen) +-{ +- return i40e_vc_send_msg_to_vf_ex(vf, v_opcode, v_retval, +- msg, msglen, false); +-} +- + /** + * i40e_vc_send_resp_to_vf + * @vf: pointer to the VF info +@@ -2813,7 +2775,6 @@ static int i40e_vc_get_stats_msg(struct i40e_vf *vf, u8 *msg) + * i40e_check_vf_permission + * @vf: pointer to the VF info + * @al: MAC address list from virtchnl +- * @is_quiet: set true for printing msg without opcode info, false otherwise + * + * Check that the given list of MAC addresses is allowed. Will return -EPERM + * if any address in the list is not valid. Checks the following conditions: +@@ -2828,15 +2789,13 @@ static int i40e_vc_get_stats_msg(struct i40e_vf *vf, u8 *msg) + * addresses might not be accurate. + **/ + static inline int i40e_check_vf_permission(struct i40e_vf *vf, +- struct virtchnl_ether_addr_list *al, +- bool *is_quiet) ++ struct virtchnl_ether_addr_list *al) + { + struct i40e_pf *pf = vf->pf; + struct i40e_vsi *vsi = pf->vsi[vf->lan_vsi_idx]; + int mac2add_cnt = 0; + int i; + +- *is_quiet = false; + for (i = 0; i < al->num_elements; i++) { + struct i40e_mac_filter *f; + u8 *addr = al->list[i].addr; +@@ -2860,7 +2819,6 @@ static inline int i40e_check_vf_permission(struct i40e_vf *vf, + !ether_addr_equal(addr, vf->default_lan_addr.addr)) { + dev_err(&pf->pdev->dev, + "VF attempting to override administratively set MAC address, bring down and up the VF interface to resume normal operation\n"); +- *is_quiet = true; + return -EPERM; + } + +@@ -2897,7 +2855,6 @@ static int i40e_vc_add_mac_addr_msg(struct i40e_vf *vf, u8 *msg) + (struct virtchnl_ether_addr_list *)msg; + struct i40e_pf *pf = vf->pf; + struct i40e_vsi *vsi = NULL; +- bool is_quiet = false; + i40e_status ret = 0; + int i; + +@@ -2914,7 +2871,7 @@ static int i40e_vc_add_mac_addr_msg(struct i40e_vf *vf, u8 *msg) + */ + spin_lock_bh(&vsi->mac_filter_hash_lock); + +- ret = i40e_check_vf_permission(vf, al, &is_quiet); ++ ret = i40e_check_vf_permission(vf, al); + if (ret) { + spin_unlock_bh(&vsi->mac_filter_hash_lock); + goto error_param; +@@ -2952,8 +2909,8 @@ static int i40e_vc_add_mac_addr_msg(struct i40e_vf *vf, u8 *msg) + + error_param: + /* send the response to the VF */ +- return i40e_vc_send_msg_to_vf_ex(vf, VIRTCHNL_OP_ADD_ETH_ADDR, +- ret, NULL, 0, is_quiet); ++ return i40e_vc_send_msg_to_vf(vf, VIRTCHNL_OP_ADD_ETH_ADDR, ++ ret, NULL, 0); + } + + /** +diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h +index 03c42fd0fea1..a554d0a0b09b 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h ++++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.h +@@ -10,8 +10,6 @@ + + #define I40E_VIRTCHNL_SUPPORTED_QTYPES 2 + +-#define I40E_DEFAULT_NUM_INVALID_MSGS_ALLOWED 10 +- + #define I40E_VLAN_PRIORITY_SHIFT 13 + #define I40E_VLAN_MASK 0xFFF + #define I40E_PRIORITY_MASK 0xE000 +@@ -92,9 +90,6 @@ struct i40e_vf { + u8 num_queue_pairs; /* num of qps assigned to VF vsis */ + u8 num_req_queues; /* num of requested qps */ + u64 num_mdd_events; /* num of mdd events detected */ +- /* num of continuous malformed or invalid msgs detected */ +- u64 num_invalid_msgs; +- u64 num_valid_msgs; /* num of valid msgs detected */ + + unsigned long vf_caps; /* vf's adv. capabilities */ + unsigned long vf_states; /* vf's runtime states */ +-- +2.34.1 + diff --git a/queue-5.16/iavf-fix-handling-of-vlan-strip-virtual-channel-mess.patch b/queue-5.16/iavf-fix-handling-of-vlan-strip-virtual-channel-mess.patch new file mode 100644 index 00000000000..0bf081151ef --- /dev/null +++ b/queue-5.16/iavf-fix-handling-of-vlan-strip-virtual-channel-mess.patch @@ -0,0 +1,93 @@ +From 58d130a146e54633935db89f56301aa4fa8dff82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Jan 2022 13:35:43 +0000 +Subject: iavf: Fix handling of vlan strip virtual channel messages + +From: Michal Maloszewski + +[ Upstream commit 2cf29e55894886965722e6625f6a03630b4db31d ] + +Modify netdev->features for vlan stripping based on virtual +channel messages received from the PF. Change is needed +to synchronize vlan strip status between PF sysfs and iavf ethtool. + +Fixes: 5951a2b9812d ("iavf: Fix VLAN feature flags after VFR") +Signed-off-by: Norbert Ciosek +Signed-off-by: Michal Maloszewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/iavf/iavf_virtchnl.c | 40 +++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +index d3da65d24bd6..c83ac6adeeb7 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_virtchnl.c +@@ -1460,6 +1460,22 @@ void iavf_request_reset(struct iavf_adapter *adapter) + adapter->current_op = VIRTCHNL_OP_UNKNOWN; + } + ++/** ++ * iavf_netdev_features_vlan_strip_set - update vlan strip status ++ * @netdev: ptr to netdev being adjusted ++ * @enable: enable or disable vlan strip ++ * ++ * Helper function to change vlan strip status in netdev->features. ++ */ ++static void iavf_netdev_features_vlan_strip_set(struct net_device *netdev, ++ const bool enable) ++{ ++ if (enable) ++ netdev->features |= NETIF_F_HW_VLAN_CTAG_RX; ++ else ++ netdev->features &= ~NETIF_F_HW_VLAN_CTAG_RX; ++} ++ + /** + * iavf_virtchnl_completion + * @adapter: adapter structure +@@ -1683,8 +1699,18 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + } + break; + case VIRTCHNL_OP_ENABLE_VLAN_STRIPPING: ++ dev_warn(&adapter->pdev->dev, "Changing VLAN Stripping is not allowed when Port VLAN is configured\n"); ++ /* Vlan stripping could not be enabled by ethtool. ++ * Disable it in netdev->features. ++ */ ++ iavf_netdev_features_vlan_strip_set(netdev, false); ++ break; + case VIRTCHNL_OP_DISABLE_VLAN_STRIPPING: + dev_warn(&adapter->pdev->dev, "Changing VLAN Stripping is not allowed when Port VLAN is configured\n"); ++ /* Vlan stripping could not be disabled by ethtool. ++ * Enable it in netdev->features. ++ */ ++ iavf_netdev_features_vlan_strip_set(netdev, true); + break; + default: + dev_err(&adapter->pdev->dev, "PF returned error %d (%s) to our request %d\n", +@@ -1918,6 +1944,20 @@ void iavf_virtchnl_completion(struct iavf_adapter *adapter, + spin_unlock_bh(&adapter->adv_rss_lock); + } + break; ++ case VIRTCHNL_OP_ENABLE_VLAN_STRIPPING: ++ /* PF enabled vlan strip on this VF. ++ * Update netdev->features if needed to be in sync with ethtool. ++ */ ++ if (!v_retval) ++ iavf_netdev_features_vlan_strip_set(netdev, true); ++ break; ++ case VIRTCHNL_OP_DISABLE_VLAN_STRIPPING: ++ /* PF disabled vlan strip on this VF. ++ * Update netdev->features if needed to be in sync with ethtool. ++ */ ++ if (!v_retval) ++ iavf_netdev_features_vlan_strip_set(netdev, false); ++ break; + default: + if (adapter->current_op && (v_opcode != adapter->current_op)) + dev_warn(&adapter->pdev->dev, "Expected response %d from PF, received %d\n", +-- +2.34.1 + diff --git a/queue-5.16/ice-don-t-use-gfp_kernel-in-atomic-context.patch b/queue-5.16/ice-don-t-use-gfp_kernel-in-atomic-context.patch new file mode 100644 index 00000000000..ee66b7e05b9 --- /dev/null +++ b/queue-5.16/ice-don-t-use-gfp_kernel-in-atomic-context.patch @@ -0,0 +1,38 @@ +From 3ab948e6e70ddc2ecaa68194ef2d950b80d2e953 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 Jan 2022 19:46:20 +0100 +Subject: ice: Don't use GFP_KERNEL in atomic context + +From: Christophe JAILLET + +[ Upstream commit 3d97f1afd8d831e0c0dc1157418f94b8faa97b54 ] + +ice_misc_intr() is an irq handler. It should not sleep. + +Use GFP_ATOMIC instead of GFP_KERNEL when allocating some memory. + +Fixes: 348048e724a0 ("ice: Implement iidc operations") +Signed-off-by: Christophe JAILLET +Tested-by: Leszek Kaliszczuk +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index fc04b4cf4ae0..676e837d48cf 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -3016,7 +3016,7 @@ static irqreturn_t ice_misc_intr(int __always_unused irq, void *data) + struct iidc_event *event; + + ena_mask &= ~ICE_AUX_CRIT_ERR; +- event = kzalloc(sizeof(*event), GFP_KERNEL); ++ event = kzalloc(sizeof(*event), GFP_ATOMIC); + if (event) { + set_bit(IIDC_EVENT_CRIT_ERR, event->type); + /* report the entire OICR value to AUX driver */ +-- +2.34.1 + diff --git a/queue-5.16/ice-fix-curr_link_speed-advertised-speed.patch b/queue-5.16/ice-fix-curr_link_speed-advertised-speed.patch new file mode 100644 index 00000000000..69144325e6c --- /dev/null +++ b/queue-5.16/ice-fix-curr_link_speed-advertised-speed.patch @@ -0,0 +1,43 @@ +From d61d0435a9af2e3b91ceba996229b86c88789c32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Feb 2022 11:43:04 +0000 +Subject: ice: Fix curr_link_speed advertised speed + +From: Jedrzej Jagielski + +[ Upstream commit ad35ffa252af67d4cc7c744b9377a2b577748e3f ] + +Change curr_link_speed advertised speed, due to +link_info.link_speed is not equal phy.curr_user_speed_req. +Without this patch it is impossible to set advertised +speed to same as link_speed. + +Testing Hints: Try to set advertised speed +to 25G only with 25G default link (use ethtool -s 0x80000000) + +Fixes: 48cb27f2fd18 ("ice: Implement handlers for ethtool PHY/link operations") +Signed-off-by: Grzegorz Siwik +Signed-off-by: Jedrzej Jagielski +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index 572519e402f4..b05a5029b61f 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -2314,7 +2314,7 @@ ice_set_link_ksettings(struct net_device *netdev, + goto done; + } + +- curr_link_speed = pi->phy.link_info.link_speed; ++ curr_link_speed = pi->phy.curr_user_speed_req; + adv_link_speed = ice_ksettings_find_adv_link_speed(ks); + + /* If speed didn't get set, set it to what it currently is. +-- +2.34.1 + diff --git a/queue-5.16/ice-fix-error-with-handling-of-bonding-mtu.patch b/queue-5.16/ice-fix-error-with-handling-of-bonding-mtu.patch new file mode 100644 index 00000000000..dbdee3db169 --- /dev/null +++ b/queue-5.16/ice-fix-error-with-handling-of-bonding-mtu.patch @@ -0,0 +1,116 @@ +From 5945789d5462fe0127cb90a2dfaf0ae95c0b61a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Feb 2022 12:39:25 -0800 +Subject: ice: Fix error with handling of bonding MTU + +From: Dave Ertman + +[ Upstream commit 97b0129146b1544bbb0773585327896da3bb4e0a ] + +When a bonded interface is destroyed, .ndo_change_mtu can be called +during the tear-down process while the RTNL lock is held. This is a +problem since the auxiliary driver linked to the LAN driver needs to be +notified of the MTU change, and this requires grabbing a device_lock on +the auxiliary_device's dev. Currently this is being attempted in the +same execution context as the call to .ndo_change_mtu which is causing a +dead-lock. + +Move the notification of the changed MTU to a separate execution context +(watchdog service task) and eliminate the "before" notification. + +Fixes: 348048e724a0e ("ice: Implement iidc operations") +Signed-off-by: Dave Ertman +Tested-by: Jonathan Toppins +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice.h | 1 + + drivers/net/ethernet/intel/ice/ice_main.c | 29 +++++++++++------------ + 2 files changed, 15 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h +index b067dd9c71e7..fa91896ae699 100644 +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -483,6 +483,7 @@ enum ice_pf_flags { + ICE_FLAG_MDD_AUTO_RESET_VF, + ICE_FLAG_LINK_LENIENT_MODE_ENA, + ICE_FLAG_PLUG_AUX_DEV, ++ ICE_FLAG_MTU_CHANGED, + ICE_PF_FLAGS_NBITS /* must be last */ + }; + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 8ee778aaa800..fc04b4cf4ae0 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -2240,6 +2240,17 @@ static void ice_service_task(struct work_struct *work) + if (test_and_clear_bit(ICE_FLAG_PLUG_AUX_DEV, pf->flags)) + ice_plug_aux_dev(pf); + ++ if (test_and_clear_bit(ICE_FLAG_MTU_CHANGED, pf->flags)) { ++ struct iidc_event *event; ++ ++ event = kzalloc(sizeof(*event), GFP_KERNEL); ++ if (event) { ++ set_bit(IIDC_EVENT_AFTER_MTU_CHANGE, event->type); ++ ice_send_event_to_aux(pf, event); ++ kfree(event); ++ } ++ } ++ + ice_clean_adminq_subtask(pf); + ice_check_media_subtask(pf); + ice_check_for_hang_subtask(pf); +@@ -6822,7 +6833,6 @@ static int ice_change_mtu(struct net_device *netdev, int new_mtu) + struct ice_netdev_priv *np = netdev_priv(netdev); + struct ice_vsi *vsi = np->vsi; + struct ice_pf *pf = vsi->back; +- struct iidc_event *event; + u8 count = 0; + int err = 0; + +@@ -6857,14 +6867,6 @@ static int ice_change_mtu(struct net_device *netdev, int new_mtu) + return -EBUSY; + } + +- event = kzalloc(sizeof(*event), GFP_KERNEL); +- if (!event) +- return -ENOMEM; +- +- set_bit(IIDC_EVENT_BEFORE_MTU_CHANGE, event->type); +- ice_send_event_to_aux(pf, event); +- clear_bit(IIDC_EVENT_BEFORE_MTU_CHANGE, event->type); +- + netdev->mtu = (unsigned int)new_mtu; + + /* if VSI is up, bring it down and then back up */ +@@ -6872,21 +6874,18 @@ static int ice_change_mtu(struct net_device *netdev, int new_mtu) + err = ice_down(vsi); + if (err) { + netdev_err(netdev, "change MTU if_down err %d\n", err); +- goto event_after; ++ return err; + } + + err = ice_up(vsi); + if (err) { + netdev_err(netdev, "change MTU if_up err %d\n", err); +- goto event_after; ++ return err; + } + } + + netdev_dbg(netdev, "changed MTU to %d\n", new_mtu); +-event_after: +- set_bit(IIDC_EVENT_AFTER_MTU_CHANGE, event->type); +- ice_send_event_to_aux(pf, event); +- kfree(event); ++ set_bit(ICE_FLAG_MTU_CHANGED, pf->flags); + + return err; + } +-- +2.34.1 + diff --git a/queue-5.16/ice-stop-disabling-vfs-due-to-pf-error-responses.patch b/queue-5.16/ice-stop-disabling-vfs-due-to-pf-error-responses.patch new file mode 100644 index 00000000000..4ae6cc6ddc4 --- /dev/null +++ b/queue-5.16/ice-stop-disabling-vfs-due-to-pf-error-responses.patch @@ -0,0 +1,108 @@ +From 8303ac96838dfc47281e50e2130d798bcad8455b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Feb 2022 16:51:36 -0800 +Subject: ice: stop disabling VFs due to PF error responses + +From: Jacob Keller + +[ Upstream commit 79498d5af8e458102242d1667cf44df1f1564e63 ] + +The ice_vc_send_msg_to_vf function has logic to detect "failure" +responses being sent to a VF. If a VF is sent more than +ICE_DFLT_NUM_INVAL_MSGS_ALLOWED then the VF is marked as disabled. +Almost identical logic also existed in the i40e driver. + +This logic was added to the ice driver in commit 1071a8358a28 ("ice: +Implement virtchnl commands for AVF support") which itself copied from +the i40e implementation in commit 5c3c48ac6bf5 ("i40e: implement virtual +device interface"). + +Neither commit provides a proper explanation or justification of the +check. In fact, later commits to i40e changed the logic to allow +bypassing the check in some specific instances. + +The "logic" for this seems to be that error responses somehow indicate a +malicious VF. This is not really true. The PF might be sending an error +for any number of reasons such as lack of resources, etc. + +Additionally, this causes the PF to log an info message for every failed +VF response which may confuse users, and can spam the kernel log. + +This behavior is not documented as part of any requirement for our +products and other operating system drivers such as the FreeBSD +implementation of our drivers do not include this type of check. + +In fact, the change from dev_err to dev_info in i40e commit 18b7af57d9c1 +("i40e: Lower some message levels") explains that these messages +typically don't actually indicate a real issue. It is quite likely that +a user who hits this in practice will be very confused as the VF will be +disabled without an obvious way to recover. + +We already have robust malicious driver detection logic using actual +hardware detection mechanisms that detect and prevent invalid device +usage. Remove the logic since its not a documented requirement and the +behavior is not intuitive. + +Fixes: 1071a8358a28 ("ice: Implement virtchnl commands for AVF support") +Signed-off-by: Jacob Keller +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + .../net/ethernet/intel/ice/ice_virtchnl_pf.c | 18 ------------------ + .../net/ethernet/intel/ice/ice_virtchnl_pf.h | 3 --- + 2 files changed, 21 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +index a12cc305c461..e17813fb71a1 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +@@ -2297,24 +2297,6 @@ ice_vc_send_msg_to_vf(struct ice_vf *vf, u32 v_opcode, + + dev = ice_pf_to_dev(pf); + +- /* single place to detect unsuccessful return values */ +- if (v_retval) { +- vf->num_inval_msgs++; +- dev_info(dev, "VF %d failed opcode %d, retval: %d\n", vf->vf_id, +- v_opcode, v_retval); +- if (vf->num_inval_msgs > ICE_DFLT_NUM_INVAL_MSGS_ALLOWED) { +- dev_err(dev, "Number of invalid messages exceeded for VF %d\n", +- vf->vf_id); +- dev_err(dev, "Use PF Control I/F to enable the VF\n"); +- set_bit(ICE_VF_STATE_DIS, vf->vf_states); +- return -EIO; +- } +- } else { +- vf->num_valid_msgs++; +- /* reset the invalid counter, if a valid message is received. */ +- vf->num_inval_msgs = 0; +- } +- + aq_ret = ice_aq_send_msg_to_vf(&pf->hw, vf->vf_id, v_opcode, v_retval, + msg, msglen, NULL); + if (aq_ret && pf->hw.mailboxq.sq_last_status != ICE_AQ_RC_ENOSYS) { +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h +index 7e28ecbbe7af..f33c0889a5d4 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h +@@ -14,7 +14,6 @@ + #define ICE_MAX_MACADDR_PER_VF 18 + + /* Malicious Driver Detection */ +-#define ICE_DFLT_NUM_INVAL_MSGS_ALLOWED 10 + #define ICE_MDD_EVENTS_THRESHOLD 30 + + /* Static VF transaction/status register def */ +@@ -134,8 +133,6 @@ struct ice_vf { + unsigned int max_tx_rate; /* Maximum Tx bandwidth limit in Mbps */ + DECLARE_BITMAP(vf_states, ICE_VF_STATES_NBITS); /* VF runtime states */ + +- u64 num_inval_msgs; /* number of continuous invalid msgs */ +- u64 num_valid_msgs; /* number of valid msgs detected */ + unsigned long vf_caps; /* VF's adv. capabilities */ + u8 num_req_qs; /* num of queue pairs requested by VF */ + u16 num_mac; +-- +2.34.1 + diff --git a/queue-5.16/ipv6-prevent-a-possible-race-condition-with-lifetime.patch b/queue-5.16/ipv6-prevent-a-possible-race-condition-with-lifetime.patch new file mode 100644 index 00000000000..f86488ba08b --- /dev/null +++ b/queue-5.16/ipv6-prevent-a-possible-race-condition-with-lifetime.patch @@ -0,0 +1,47 @@ +From 609e539407c7ea0f30dd5d719c2fd6fb03043862 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Feb 2022 14:19:56 +0100 +Subject: ipv6: prevent a possible race condition with lifetimes + +From: Niels Dossche + +[ Upstream commit 6c0d8833a605e195ae219b5042577ce52bf71fff ] + +valid_lft, prefered_lft and tstamp are always accessed under the lock +"lock" in other places. Reading these without taking the lock may result +in inconsistencies regarding the calculation of the valid and preferred +variables since decisions are taken on these fields for those variables. + +Signed-off-by: Niels Dossche +Reviewed-by: David Ahern +Signed-off-by: Niels Dossche +Link: https://lore.kernel.org/r/20220223131954.6570-1-niels.dossche@ugent.be +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 7c78e1215ae3..e92ca415756a 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -5002,6 +5002,7 @@ static int inet6_fill_ifaddr(struct sk_buff *skb, struct inet6_ifaddr *ifa, + nla_put_s32(skb, IFA_TARGET_NETNSID, args->netnsid)) + goto error; + ++ spin_lock_bh(&ifa->lock); + if (!((ifa->flags&IFA_F_PERMANENT) && + (ifa->prefered_lft == INFINITY_LIFE_TIME))) { + preferred = ifa->prefered_lft; +@@ -5023,6 +5024,7 @@ static int inet6_fill_ifaddr(struct sk_buff *skb, struct inet6_ifaddr *ifa, + preferred = INFINITY_LIFE_TIME; + valid = INFINITY_LIFE_TIME; + } ++ spin_unlock_bh(&ifa->lock); + + if (!ipv6_addr_any(&ifa->peer_addr)) { + if (nla_put_in6_addr(skb, IFA_LOCAL, &ifa->addr) < 0 || +-- +2.34.1 + diff --git a/queue-5.16/isdn-hfcpci-check-the-return-value-of-dma_set_mask-i.patch b/queue-5.16/isdn-hfcpci-check-the-return-value-of-dma_set_mask-i.patch new file mode 100644 index 00000000000..a18ea08a6ba --- /dev/null +++ b/queue-5.16/isdn-hfcpci-check-the-return-value-of-dma_set_mask-i.patch @@ -0,0 +1,41 @@ +From 5505236b33f8aa12db2c77d59af1bfc5ae491925 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 00:58:16 -0800 +Subject: isdn: hfcpci: check the return value of dma_set_mask() in setup_hw() + +From: Jia-Ju Bai + +[ Upstream commit d0aeb0d4a3f7d2a0df7e9545892bbeede8f2ac7e ] + +The function dma_set_mask() in setup_hw() can fail, so its return value +should be checked. + +Fixes: 1700fe1a10dc ("Add mISDN HFC PCI driver") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcpci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c +index bd087cca1c1d..af17459c1a5c 100644 +--- a/drivers/isdn/hardware/mISDN/hfcpci.c ++++ b/drivers/isdn/hardware/mISDN/hfcpci.c +@@ -2005,7 +2005,11 @@ setup_hw(struct hfc_pci *hc) + } + /* Allocate memory for FIFOS */ + /* the memory needs to be on a 32k boundary within the first 4G */ +- dma_set_mask(&hc->pdev->dev, 0xFFFF8000); ++ if (dma_set_mask(&hc->pdev->dev, 0xFFFF8000)) { ++ printk(KERN_WARNING ++ "HFC-PCI: No usable DMA configuration!\n"); ++ return -EIO; ++ } + buffer = dma_alloc_coherent(&hc->pdev->dev, 0x8000, &hc->hw.dmahandle, + GFP_KERNEL); + /* We silently assume the address is okay if nonzero */ +-- +2.34.1 + diff --git a/queue-5.16/kvm-fix-lockdep-false-negative-during-host-resume.patch b/queue-5.16/kvm-fix-lockdep-false-negative-during-host-resume.patch new file mode 100644 index 00000000000..fef73a6f717 --- /dev/null +++ b/queue-5.16/kvm-fix-lockdep-false-negative-during-host-resume.patch @@ -0,0 +1,58 @@ +From 25944e8c7591504c63cfdc267fbff345b019cfc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Feb 2022 02:15:42 -0800 +Subject: KVM: Fix lockdep false negative during host resume + +From: Wanpeng Li + +[ Upstream commit 4cb9a998b1ce25fad74a82f5a5c45a4ef40de337 ] + +I saw the below splatting after the host suspended and resumed. + + WARNING: CPU: 0 PID: 2943 at kvm/arch/x86/kvm/../../../virt/kvm/kvm_main.c:5531 kvm_resume+0x2c/0x30 [kvm] + CPU: 0 PID: 2943 Comm: step_after_susp Tainted: G W IOE 5.17.0-rc3+ #4 + RIP: 0010:kvm_resume+0x2c/0x30 [kvm] + Call Trace: + + syscore_resume+0x90/0x340 + suspend_devices_and_enter+0xaee/0xe90 + pm_suspend.cold+0x36b/0x3c2 + state_store+0x82/0xf0 + kernfs_fop_write_iter+0x1b6/0x260 + new_sync_write+0x258/0x370 + vfs_write+0x33f/0x510 + ksys_write+0xc9/0x160 + do_syscall_64+0x3b/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +lockdep_is_held() can return -1 when lockdep is disabled which triggers +this warning. Let's use lockdep_assert_not_held() which can detect +incorrect calls while holding a lock and it also avoids false negatives +when lockdep is disabled. + +Signed-off-by: Wanpeng Li +Message-Id: <1644920142-81249-1-git-send-email-wanpengli@tencent.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + virt/kvm/kvm_main.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index 71ddc7a8bc30..6ae9e04d0585 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -5347,9 +5347,7 @@ static int kvm_suspend(void) + static void kvm_resume(void) + { + if (kvm_usage_count) { +-#ifdef CONFIG_LOCKDEP +- WARN_ON(lockdep_is_held(&kvm_count_lock)); +-#endif ++ lockdep_assert_not_held(&kvm_count_lock); + hardware_enable_nolock(NULL); + } + } +-- +2.34.1 + diff --git a/queue-5.16/kvm-x86-disable-kvm_hc_clock_pairing-if-tsc-is-in-al.patch b/queue-5.16/kvm-x86-disable-kvm_hc_clock_pairing-if-tsc-is-in-al.patch new file mode 100644 index 00000000000..7fd6ea6e61a --- /dev/null +++ b/queue-5.16/kvm-x86-disable-kvm_hc_clock_pairing-if-tsc-is-in-al.patch @@ -0,0 +1,50 @@ +From 7e6df81a4719def09302fe05e0e04ae3aea8efab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Feb 2022 18:26:54 +0000 +Subject: kvm: x86: Disable KVM_HC_CLOCK_PAIRING if tsc is in always catchup + mode + +From: Anton Romanov + +[ Upstream commit 3a55f729240a686aa8af00af436306c0cd532522 ] + +If vcpu has tsc_always_catchup set each request updates pvclock data. +KVM_HC_CLOCK_PAIRING consumers such as ptp_kvm_x86 rely on tsc read on +host's side and do hypercall inside pvclock_read_retry loop leading to +infinite loop in such situation. + +v3: + Removed warn + Changed return code to KVM_EFAULT +v2: + Added warn + +Signed-off-by: Anton Romanov +Message-Id: <20220216182653.506850-1-romanton@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/x86.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index c6eb3e45e3d8..e8f495b9ae10 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -8770,6 +8770,13 @@ static int kvm_pv_clock_pairing(struct kvm_vcpu *vcpu, gpa_t paddr, + if (clock_type != KVM_CLOCK_PAIRING_WALLCLOCK) + return -KVM_EOPNOTSUPP; + ++ /* ++ * When tsc is in permanent catchup mode guests won't be able to use ++ * pvclock_read_retry loop to get consistent view of pvclock ++ */ ++ if (vcpu->arch.tsc_always_catchup) ++ return -KVM_EOPNOTSUPP; ++ + if (!kvm_get_walltime_and_clockread(&ts, &cycle)) + return -KVM_EOPNOTSUPP; + +-- +2.34.1 + diff --git a/queue-5.16/misdn-fix-memory-leak-in-dsp_pipeline_build.patch b/queue-5.16/misdn-fix-memory-leak-in-dsp_pipeline_build.patch new file mode 100644 index 00000000000..9e566dc20f7 --- /dev/null +++ b/queue-5.16/misdn-fix-memory-leak-in-dsp_pipeline_build.patch @@ -0,0 +1,52 @@ +From a8c743ada9d641c63b023c9730d0bc0022599aac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Mar 2022 21:25:36 +0300 +Subject: mISDN: Fix memory leak in dsp_pipeline_build() + +From: Alexey Khoroshilov + +[ Upstream commit c6a502c2299941c8326d029cfc8a3bc8a4607ad5 ] + +dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), +but then it updates dup variable by strsep(&dup, "|"). +As a result when it calls kfree(dup), the dup variable contains NULL. + +Found by Linux Driver Verification project (linuxtesting.org) with SVACE. + +Signed-off-by: Alexey Khoroshilov +Fixes: 960366cf8dbb ("Add mISDN DSP") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/dsp_pipeline.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/isdn/mISDN/dsp_pipeline.c b/drivers/isdn/mISDN/dsp_pipeline.c +index e11ca6bbc7f4..c3b2c99b5cd5 100644 +--- a/drivers/isdn/mISDN/dsp_pipeline.c ++++ b/drivers/isdn/mISDN/dsp_pipeline.c +@@ -192,7 +192,7 @@ void dsp_pipeline_destroy(struct dsp_pipeline *pipeline) + int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg) + { + int found = 0; +- char *dup, *tok, *name, *args; ++ char *dup, *next, *tok, *name, *args; + struct dsp_element_entry *entry, *n; + struct dsp_pipeline_entry *pipeline_entry; + struct mISDN_dsp_element *elem; +@@ -203,10 +203,10 @@ int dsp_pipeline_build(struct dsp_pipeline *pipeline, const char *cfg) + if (!list_empty(&pipeline->list)) + _dsp_pipeline_destroy(pipeline); + +- dup = kstrdup(cfg, GFP_ATOMIC); ++ dup = next = kstrdup(cfg, GFP_ATOMIC); + if (!dup) + return 0; +- while ((tok = strsep(&dup, "|"))) { ++ while ((tok = strsep(&next, "|"))) { + if (!strlen(tok)) + continue; + name = strsep(&tok, "("); +-- +2.34.1 + diff --git a/queue-5.16/mm-gup-make-fault_in_safe_writeable-use-fixup_user_f.patch b/queue-5.16/mm-gup-make-fault_in_safe_writeable-use-fixup_user_f.patch new file mode 100644 index 00000000000..2fdeb8b2228 --- /dev/null +++ b/queue-5.16/mm-gup-make-fault_in_safe_writeable-use-fixup_user_f.patch @@ -0,0 +1,118 @@ +From 220698214338c6676e2efe15011d18d48d8c533a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 11:55:48 -0800 +Subject: mm: gup: make fault_in_safe_writeable() use fixup_user_fault() + +From: Linus Torvalds + +[ Upstream commit fe673d3f5bf1fc50cdc4b754831db91a2ec10126 ] + +Instead of using GUP, make fault_in_safe_writeable() actually force a +'handle_mm_fault()' using the same fixup_user_fault() machinery that +futexes already use. + +Using the GUP machinery meant that fault_in_safe_writeable() did not do +everything that a real fault would do, ranging from not auto-expanding +the stack segment, to not updating accessed or dirty flags in the page +tables (GUP sets those flags on the pages themselves). + +The latter causes problems on architectures (like s390) that do accessed +bit handling in software, which meant that fault_in_safe_writeable() +didn't actually do all the fault handling it needed to, and trying to +access the user address afterwards would still cause faults. + +Reported-and-tested-by: Andreas Gruenbacher +Fixes: cdd591fc86e3 ("iov_iter: Introduce fault_in_iov_iter_writeable") +Link: https://lore.kernel.org/all/CAHc6FU5nP+nziNGG0JAF1FUx-GV7kKFvM7aZuU_XD2_1v4vnvg@mail.gmail.com/ +Acked-by: David Hildenbrand +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/gup.c | 57 +++++++++++++++++++------------------------------------- + 1 file changed, 19 insertions(+), 38 deletions(-) + +diff --git a/mm/gup.c b/mm/gup.c +index 37087529bb95..b7e5e80538c9 100644 +--- a/mm/gup.c ++++ b/mm/gup.c +@@ -1723,11 +1723,11 @@ EXPORT_SYMBOL(fault_in_writeable); + * @uaddr: start of address range + * @size: length of address range + * +- * Faults in an address range using get_user_pages, i.e., without triggering +- * hardware page faults. This is primarily useful when we already know that +- * some or all of the pages in the address range aren't in memory. ++ * Faults in an address range for writing. This is primarily useful when we ++ * already know that some or all of the pages in the address range aren't in ++ * memory. + * +- * Other than fault_in_writeable(), this function is non-destructive. ++ * Unlike fault_in_writeable(), this function is non-destructive. + * + * Note that we don't pin or otherwise hold the pages referenced that we fault + * in. There's no guarantee that they'll stay in memory for any duration of +@@ -1738,46 +1738,27 @@ EXPORT_SYMBOL(fault_in_writeable); + */ + size_t fault_in_safe_writeable(const char __user *uaddr, size_t size) + { +- unsigned long start = (unsigned long)untagged_addr(uaddr); +- unsigned long end, nstart, nend; ++ unsigned long start = (unsigned long)uaddr, end; + struct mm_struct *mm = current->mm; +- struct vm_area_struct *vma = NULL; +- int locked = 0; ++ bool unlocked = false; + +- nstart = start & PAGE_MASK; ++ if (unlikely(size == 0)) ++ return 0; + end = PAGE_ALIGN(start + size); +- if (end < nstart) ++ if (end < start) + end = 0; +- for (; nstart != end; nstart = nend) { +- unsigned long nr_pages; +- long ret; + +- if (!locked) { +- locked = 1; +- mmap_read_lock(mm); +- vma = find_vma(mm, nstart); +- } else if (nstart >= vma->vm_end) +- vma = vma->vm_next; +- if (!vma || vma->vm_start >= end) +- break; +- nend = end ? min(end, vma->vm_end) : vma->vm_end; +- if (vma->vm_flags & (VM_IO | VM_PFNMAP)) +- continue; +- if (nstart < vma->vm_start) +- nstart = vma->vm_start; +- nr_pages = (nend - nstart) / PAGE_SIZE; +- ret = __get_user_pages_locked(mm, nstart, nr_pages, +- NULL, NULL, &locked, +- FOLL_TOUCH | FOLL_WRITE); +- if (ret <= 0) ++ mmap_read_lock(mm); ++ do { ++ if (fixup_user_fault(mm, start, FAULT_FLAG_WRITE, &unlocked)) + break; +- nend = nstart + ret * PAGE_SIZE; +- } +- if (locked) +- mmap_read_unlock(mm); +- if (nstart == end) +- return 0; +- return size - min_t(size_t, nstart - start, size); ++ start = (start + PAGE_SIZE) & PAGE_MASK; ++ } while (start != end); ++ mmap_read_unlock(mm); ++ ++ if (size > (unsigned long)uaddr - start) ++ return size - ((unsigned long)uaddr - start); ++ return 0; + } + EXPORT_SYMBOL(fault_in_safe_writeable); + +-- +2.34.1 + diff --git a/queue-5.16/net-arc_emac-fix-use-after-free-in-arc_mdio_probe.patch b/queue-5.16/net-arc_emac-fix-use-after-free-in-arc_mdio_probe.patch new file mode 100644 index 00000000000..59340e5be3f --- /dev/null +++ b/queue-5.16/net-arc_emac-fix-use-after-free-in-arc_mdio_probe.patch @@ -0,0 +1,59 @@ +From 383bebe0ae4689713de96fbe2d21028ed8209841 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 20:18:24 +0800 +Subject: net: arc_emac: Fix use after free in arc_mdio_probe() + +From: Jianglei Nie + +[ Upstream commit bc0e610a6eb0d46e4123fafdbe5e6141d9fff3be ] + +If bus->state is equal to MDIOBUS_ALLOCATED, mdiobus_free(bus) will free +the "bus". But bus->name is still used in the next line, which will lead +to a use after free. + +We can fix it by putting the name in a local variable and make the +bus->name point to the rodata section "name",then use the name in the +error message without referring to bus to avoid the uaf. + +Fixes: 95b5fc03c189 ("net: arc_emac: Make use of the helper function dev_err_probe()") +Signed-off-by: Jianglei Nie +Link: https://lore.kernel.org/r/20220309121824.36529-1-niejianglei2021@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/arc/emac_mdio.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/arc/emac_mdio.c b/drivers/net/ethernet/arc/emac_mdio.c +index 9acf589b1178..87f40c2ba904 100644 +--- a/drivers/net/ethernet/arc/emac_mdio.c ++++ b/drivers/net/ethernet/arc/emac_mdio.c +@@ -132,6 +132,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv) + { + struct arc_emac_mdio_bus_data *data = &priv->bus_data; + struct device_node *np = priv->dev->of_node; ++ const char *name = "Synopsys MII Bus"; + struct mii_bus *bus; + int error; + +@@ -142,7 +143,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv) + priv->bus = bus; + bus->priv = priv; + bus->parent = priv->dev; +- bus->name = "Synopsys MII Bus"; ++ bus->name = name; + bus->read = &arc_mdio_read; + bus->write = &arc_mdio_write; + bus->reset = &arc_mdio_reset; +@@ -167,7 +168,7 @@ int arc_mdio_probe(struct arc_emac_priv *priv) + if (error) { + mdiobus_free(bus); + return dev_err_probe(priv->dev, error, +- "cannot register MDIO bus %s\n", bus->name); ++ "cannot register MDIO bus %s\n", name); + } + + return 0; +-- +2.34.1 + diff --git a/queue-5.16/net-bcmgenet-don-t-claim-wol-when-its-not-available.patch b/queue-5.16/net-bcmgenet-don-t-claim-wol-when-its-not-available.patch new file mode 100644 index 00000000000..4c09457dfbc --- /dev/null +++ b/queue-5.16/net-bcmgenet-don-t-claim-wol-when-its-not-available.patch @@ -0,0 +1,58 @@ +From 3d9281c7a05e3cd39aa7204f15dfd67155b6a85f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 22:55:35 -0600 +Subject: net: bcmgenet: Don't claim WOL when its not available + +From: Jeremy Linton + +[ Upstream commit 00b022f8f876a3a036b0df7f971001bef6398605 ] + +Some of the bcmgenet platforms don't correctly support WOL, yet +ethtool returns: + +"Supports Wake-on: gsf" + +which is false. + +Ideally if there isn't a wol_irq, or there is something else that +keeps the device from being able to wakeup it should display: + +"Supports Wake-on: d" + +This patch checks whether the device can wakup, before using the +hard-coded supported flags. This corrects the ethtool reporting, as +well as the WOL configuration because ethtool verifies that the mode +is supported before attempting it. + +Fixes: c51de7f3976b ("net: bcmgenet: add Wake-on-LAN support code") +Signed-off-by: Jeremy Linton +Tested-by: Peter Robinson +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220310045535.224450-1-jeremy.linton@arm.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +index e31a5a397f11..f55d9d9c01a8 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet_wol.c +@@ -40,6 +40,13 @@ + void bcmgenet_get_wol(struct net_device *dev, struct ethtool_wolinfo *wol) + { + struct bcmgenet_priv *priv = netdev_priv(dev); ++ struct device *kdev = &priv->pdev->dev; ++ ++ if (!device_can_wakeup(kdev)) { ++ wol->supported = 0; ++ wol->wolopts = 0; ++ return; ++ } + + wol->supported = WAKE_MAGIC | WAKE_MAGICSECURE | WAKE_FILTER; + wol->wolopts = priv->wolopts; +-- +2.34.1 + diff --git a/queue-5.16/net-dsa-mt7530-fix-incorrect-test-in-mt753x_phylink_.patch b/queue-5.16/net-dsa-mt7530-fix-incorrect-test-in-mt753x_phylink_.patch new file mode 100644 index 00000000000..a6d1d3198a7 --- /dev/null +++ b/queue-5.16/net-dsa-mt7530-fix-incorrect-test-in-mt753x_phylink_.patch @@ -0,0 +1,37 @@ +From 832f5e295e5b42d1e8d3e51e35695a8a0b7de835 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 12:13:30 +0000 +Subject: net: dsa: mt7530: fix incorrect test in mt753x_phylink_validate() + +From: Russell King (Oracle) + +[ Upstream commit e5417cbf7ab5df1632e68fe7d9e6331fc0e7dbd6 ] + +Discussing one of the tests in mt753x_phylink_validate() with Landen +Chao confirms that the "||" should be "&&". Fix this. + +Fixes: c288575f7810 ("net: dsa: mt7530: Add the support of MT7531 switch") +Signed-off-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/E1nRCF0-00CiXD-7q@rmk-PC.armlinux.org.uk +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mt7530.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mt7530.c b/drivers/net/dsa/mt7530.c +index fb59efc7f926..14bf1828cbba 100644 +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -2928,7 +2928,7 @@ mt753x_phylink_validate(struct dsa_switch *ds, int port, + + phylink_set_port_modes(mask); + +- if (state->interface != PHY_INTERFACE_MODE_TRGMII || ++ if (state->interface != PHY_INTERFACE_MODE_TRGMII && + !phy_interface_mode_is_8023z(state->interface)) { + phylink_set(mask, 10baseT_Half); + phylink_set(mask, 10baseT_Full); +-- +2.34.1 + diff --git a/queue-5.16/net-ethernet-lpc_eth-handle-error-for-clk_enable.patch b/queue-5.16/net-ethernet-lpc_eth-handle-error-for-clk_enable.patch new file mode 100644 index 00000000000..5ae710112d0 --- /dev/null +++ b/queue-5.16/net-ethernet-lpc_eth-handle-error-for-clk_enable.patch @@ -0,0 +1,47 @@ +From a10a4844ffe71dd7fe10228a66b27aab2981e2ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 14:57:39 +0800 +Subject: net: ethernet: lpc_eth: Handle error for clk_enable + +From: Jiasheng Jiang + +[ Upstream commit 2169b79258c8be803d2595d6456b1e77129fe154 ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error +if fails. + +Fixes: b7370112f519 ("lpc32xx: Added ethernet driver") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/nxp/lpc_eth.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/nxp/lpc_eth.c b/drivers/net/ethernet/nxp/lpc_eth.c +index bc39558fe82b..756f97dce85b 100644 +--- a/drivers/net/ethernet/nxp/lpc_eth.c ++++ b/drivers/net/ethernet/nxp/lpc_eth.c +@@ -1471,6 +1471,7 @@ static int lpc_eth_drv_resume(struct platform_device *pdev) + { + struct net_device *ndev = platform_get_drvdata(pdev); + struct netdata_local *pldat; ++ int ret; + + if (device_may_wakeup(&pdev->dev)) + disable_irq_wake(ndev->irq); +@@ -1480,7 +1481,9 @@ static int lpc_eth_drv_resume(struct platform_device *pdev) + pldat = netdev_priv(ndev); + + /* Enable interface clock */ +- clk_enable(pldat->clk); ++ ret = clk_enable(pldat->clk); ++ if (ret) ++ return ret; + + /* Reset and initialize */ + __lpc_eth_reset(pldat); +-- +2.34.1 + diff --git a/queue-5.16/net-ethernet-ti-cpts-handle-error-for-clk_enable.patch b/queue-5.16/net-ethernet-ti-cpts-handle-error-for-clk_enable.patch new file mode 100644 index 00000000000..ac5c4ceed16 --- /dev/null +++ b/queue-5.16/net-ethernet-ti-cpts-handle-error-for-clk_enable.patch @@ -0,0 +1,39 @@ +From 7cfe507abf54131f111de69127a2746bee6f2c28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 14:40:07 +0800 +Subject: net: ethernet: ti: cpts: Handle error for clk_enable + +From: Jiasheng Jiang + +[ Upstream commit 6babfc6e6fab068018c36e8f6605184b8c0b349d ] + +As the potential failure of the clk_enable(), +it should be better to check it and return error +if fails. + +Fixes: 8a2c9a5ab4b9 ("net: ethernet: ti: cpts: rework initialization/deinitialization") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpts.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/cpts.c b/drivers/net/ethernet/ti/cpts.c +index dc70a6bfaa6a..92ca739fac01 100644 +--- a/drivers/net/ethernet/ti/cpts.c ++++ b/drivers/net/ethernet/ti/cpts.c +@@ -568,7 +568,9 @@ int cpts_register(struct cpts *cpts) + for (i = 0; i < CPTS_MAX_EVENTS; i++) + list_add(&cpts->pool_data[i].list, &cpts->pool); + +- clk_enable(cpts->refclk); ++ err = clk_enable(cpts->refclk); ++ if (err) ++ return err; + + cpts_write32(cpts, CPTS_EN, control); + cpts_write32(cpts, TS_PEND_EN, int_enable); +-- +2.34.1 + diff --git a/queue-5.16/net-gro-move-skb_gro_receive_list-to-udp_offload.c.patch b/queue-5.16/net-gro-move-skb_gro_receive_list-to-udp_offload.c.patch new file mode 100644 index 00000000000..ac1922e66af --- /dev/null +++ b/queue-5.16/net-gro-move-skb_gro_receive_list-to-udp_offload.c.patch @@ -0,0 +1,110 @@ +From b335646369d7cc97794d208ad877071da30008d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Nov 2021 09:05:52 -0800 +Subject: net: gro: move skb_gro_receive_list to udp_offload.c + +From: Eric Dumazet + +[ Upstream commit 0b935d7f8c07bf0a192712bdbf76dbf45ef8b115 ] + +This helper is used once, no need to keep it in fat net/core/skbuff.c + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/netdevice.h | 1 - + net/core/skbuff.c | 26 -------------------------- + net/ipv4/udp_offload.c | 27 +++++++++++++++++++++++++++ + 3 files changed, 27 insertions(+), 27 deletions(-) + +diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h +index 049858c671ef..7500ac08c9ba 100644 +--- a/include/linux/netdevice.h ++++ b/include/linux/netdevice.h +@@ -3007,7 +3007,6 @@ struct net_device *dev_get_by_napi_id(unsigned int napi_id); + int netdev_get_name(struct net *net, char *name, int ifindex); + int dev_restart(struct net_device *dev); + int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb); +-int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb); + + static inline unsigned int skb_gro_offset(const struct sk_buff *skb) + { +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 56e23333e708..f1e3d70e8987 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3919,32 +3919,6 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb, + } + EXPORT_SYMBOL_GPL(skb_segment_list); + +-int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb) +-{ +- if (unlikely(p->len + skb->len >= 65536)) +- return -E2BIG; +- +- if (NAPI_GRO_CB(p)->last == p) +- skb_shinfo(p)->frag_list = skb; +- else +- NAPI_GRO_CB(p)->last->next = skb; +- +- skb_pull(skb, skb_gro_offset(skb)); +- +- NAPI_GRO_CB(p)->last = skb; +- NAPI_GRO_CB(p)->count++; +- p->data_len += skb->len; +- +- /* sk owenrship - if any - completely transferred to the aggregated packet */ +- skb->destructor = NULL; +- p->truesize += skb->truesize; +- p->len += skb->len; +- +- NAPI_GRO_CB(skb)->same_flow = 1; +- +- return 0; +-} +- + /** + * skb_segment - Perform protocol segmentation on skb. + * @head_skb: buffer to segment +diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c +index 86d32a1e62ac..c2398f9e46f0 100644 +--- a/net/ipv4/udp_offload.c ++++ b/net/ipv4/udp_offload.c +@@ -424,6 +424,33 @@ static struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb, + return segs; + } + ++static int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb) ++{ ++ if (unlikely(p->len + skb->len >= 65536)) ++ return -E2BIG; ++ ++ if (NAPI_GRO_CB(p)->last == p) ++ skb_shinfo(p)->frag_list = skb; ++ else ++ NAPI_GRO_CB(p)->last->next = skb; ++ ++ skb_pull(skb, skb_gro_offset(skb)); ++ ++ NAPI_GRO_CB(p)->last = skb; ++ NAPI_GRO_CB(p)->count++; ++ p->data_len += skb->len; ++ ++ /* sk owenrship - if any - completely transferred to the aggregated packet */ ++ skb->destructor = NULL; ++ p->truesize += skb->truesize; ++ p->len += skb->len; ++ ++ NAPI_GRO_CB(skb)->same_flow = 1; ++ ++ return 0; ++} ++ ++ + #define UDP_GRO_CNT_MAX 64 + static struct sk_buff *udp_gro_receive_segment(struct list_head *head, + struct sk_buff *skb) +-- +2.34.1 + diff --git a/queue-5.16/net-marvell-prestera-add-missing-of_node_put-in-pres.patch b/queue-5.16/net-marvell-prestera-add-missing-of_node_put-in-pres.patch new file mode 100644 index 00000000000..e701e176597 --- /dev/null +++ b/queue-5.16/net-marvell-prestera-add-missing-of_node_put-in-pres.patch @@ -0,0 +1,36 @@ +From 86a64938e1a225176aba3b399668c179243d992a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 07:42:47 +0000 +Subject: net: marvell: prestera: Add missing of_node_put() in + prestera_switch_set_base_mac_addr + +From: Miaoqian Lin + +[ Upstream commit c9ffa3e2bc451816ce0295e40063514fabf2bd36 ] + +This node pointer is returned by of_find_compatible_node() with +refcount incremented. Calling of_node_put() to aovid the refcount leak. + +Fixes: 501ef3066c89 ("net: marvell: prestera: Add driver for Prestera family ASIC devices") +Signed-off-by: Miaoqian Lin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/prestera/prestera_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/marvell/prestera/prestera_main.c b/drivers/net/ethernet/marvell/prestera/prestera_main.c +index c687dc9aa973..36c5b1eba30d 100644 +--- a/drivers/net/ethernet/marvell/prestera/prestera_main.c ++++ b/drivers/net/ethernet/marvell/prestera/prestera_main.c +@@ -553,6 +553,7 @@ static int prestera_switch_set_base_mac_addr(struct prestera_switch *sw) + dev_info(prestera_dev(sw), "using random base mac address\n"); + } + of_node_put(base_mac_np); ++ of_node_put(np); + + return prestera_hw_switch_mac_set(sw, sw->base_mac); + } +-- +2.34.1 + diff --git a/queue-5.16/net-mlx5-fix-a-race-on-command-flush-flow.patch b/queue-5.16/net-mlx5-fix-a-race-on-command-flush-flow.patch new file mode 100644 index 00000000000..b1025c3fbfe --- /dev/null +++ b/queue-5.16/net-mlx5-fix-a-race-on-command-flush-flow.patch @@ -0,0 +1,92 @@ +From 8a4c93e3bca7590c499514996d3f0cc231db4513 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Feb 2022 11:47:44 +0200 +Subject: net/mlx5: Fix a race on command flush flow + +From: Moshe Shemesh + +[ Upstream commit 063bd355595428750803d8736a9bb7c8db67d42d ] + +Fix a refcount use after free warning due to a race on command entry. +Such race occurs when one of the commands releases its last refcount and +frees its index and entry while another process running command flush +flow takes refcount to this command entry. The process which handles +commands flush may see this command as needed to be flushed if the other +process released its refcount but didn't release the index yet. Fix it +by adding the needed spin lock. + +It fixes the following warning trace: + +refcount_t: addition on 0; use-after-free. +WARNING: CPU: 11 PID: 540311 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 +... +RIP: 0010:refcount_warn_saturate+0x80/0xe0 +... +Call Trace: + + mlx5_cmd_trigger_completions+0x293/0x340 [mlx5_core] + mlx5_cmd_flush+0x3a/0xf0 [mlx5_core] + enter_error_state+0x44/0x80 [mlx5_core] + mlx5_fw_fatal_reporter_err_work+0x37/0xe0 [mlx5_core] + process_one_work+0x1be/0x390 + worker_thread+0x4d/0x3d0 + ? rescuer_thread+0x350/0x350 + kthread+0x141/0x160 + ? set_kthread_struct+0x40/0x40 + ret_from_fork+0x1f/0x30 + + +Fixes: 50b2412b7e78 ("net/mlx5: Avoid possible free of command entry while timeout comp handler") +Signed-off-by: Moshe Shemesh +Reviewed-by: Eran Ben Elisha +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index 17fe05809653..3eacd8739929 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -131,11 +131,8 @@ static int cmd_alloc_index(struct mlx5_cmd *cmd) + + static void cmd_free_index(struct mlx5_cmd *cmd, int idx) + { +- unsigned long flags; +- +- spin_lock_irqsave(&cmd->alloc_lock, flags); ++ lockdep_assert_held(&cmd->alloc_lock); + set_bit(idx, &cmd->bitmask); +- spin_unlock_irqrestore(&cmd->alloc_lock, flags); + } + + static void cmd_ent_get(struct mlx5_cmd_work_ent *ent) +@@ -145,17 +142,21 @@ static void cmd_ent_get(struct mlx5_cmd_work_ent *ent) + + static void cmd_ent_put(struct mlx5_cmd_work_ent *ent) + { ++ struct mlx5_cmd *cmd = ent->cmd; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&cmd->alloc_lock, flags); + if (!refcount_dec_and_test(&ent->refcnt)) +- return; ++ goto out; + + if (ent->idx >= 0) { +- struct mlx5_cmd *cmd = ent->cmd; +- + cmd_free_index(cmd, ent->idx); + up(ent->page_queue ? &cmd->pages_sem : &cmd->sem); + } + + cmd_free_ent(ent); ++out: ++ spin_unlock_irqrestore(&cmd->alloc_lock, flags); + } + + static struct mlx5_cmd_layout *get_inst(struct mlx5_cmd *cmd, int idx) +-- +2.34.1 + diff --git a/queue-5.16/net-mlx5-fix-size-field-in-bufferx_reg-struct.patch b/queue-5.16/net-mlx5-fix-size-field-in-bufferx_reg-struct.patch new file mode 100644 index 00000000000..0e719686d81 --- /dev/null +++ b/queue-5.16/net-mlx5-fix-size-field-in-bufferx_reg-struct.patch @@ -0,0 +1,39 @@ +From c0805eb5cd068a743e8e22eb60d0e491ad66d9c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Mar 2021 14:38:55 +0200 +Subject: net/mlx5: Fix size field in bufferx_reg struct + +From: Mohammad Kabat + +[ Upstream commit ac77998b7ac3044f0509b097da9637184598980d ] + +According to HW spec the field "size" should be 16 bits +in bufferx register. + +Fixes: e281682bf294 ("net/mlx5_core: HW data structs/types definitions cleanup") +Signed-off-by: Mohammad Kabat +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + include/linux/mlx5/mlx5_ifc.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index fbaab440a484..58a60e46c319 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -9875,8 +9875,8 @@ struct mlx5_ifc_bufferx_reg_bits { + u8 reserved_at_0[0x6]; + u8 lossy[0x1]; + u8 epsb[0x1]; +- u8 reserved_at_8[0xc]; +- u8 size[0xc]; ++ u8 reserved_at_8[0x8]; ++ u8 size[0x10]; + + u8 xoff_threshold[0x10]; + u8 xon_threshold[0x10]; +-- +2.34.1 + diff --git a/queue-5.16/net-mlx5e-lag-only-handle-events-from-highest-priori.patch b/queue-5.16/net-mlx5e-lag-only-handle-events-from-highest-priori.patch new file mode 100644 index 00000000000..f00e2d8d687 --- /dev/null +++ b/queue-5.16/net-mlx5e-lag-only-handle-events-from-highest-priori.patch @@ -0,0 +1,59 @@ +From 36ffc0b6b3fad22a365a22ee00a916b21cbc07a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Feb 2022 13:56:57 +0200 +Subject: net/mlx5e: Lag, Only handle events from highest priority multipath + entry + +From: Roi Dayan + +[ Upstream commit ad11c4f1d8fd1f03639460e425a36f7fd0ea83f5 ] + +There could be multiple multipath entries but changing the port affinity +for each one doesn't make much sense and there should be a default one. +So only track the entry with lowest priority value. +The commit doesn't affect existing users with a single entry. + +Fixes: 544fe7c2e654 ("net/mlx5e: Activate HW multipath and handle port affinity based on FIB events") +Signed-off-by: Roi Dayan +Reviewed-by: Maor Dickman +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c +index 1ca01a5b6cdd..626aa60b6099 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c +@@ -126,6 +126,10 @@ static void mlx5_lag_fib_route_event(struct mlx5_lag *ldev, + return; + } + ++ /* Handle multipath entry with lower priority value */ ++ if (mp->mfi && mp->mfi != fi && fi->fib_priority >= mp->mfi->fib_priority) ++ return; ++ + /* Handle add/replace event */ + nhs = fib_info_num_path(fi); + if (nhs == 1) { +@@ -135,12 +139,13 @@ static void mlx5_lag_fib_route_event(struct mlx5_lag *ldev, + int i = mlx5_lag_dev_get_netdev_idx(ldev, nh_dev); + + if (i < 0) +- i = MLX5_LAG_NORMAL_AFFINITY; +- else +- ++i; ++ return; + ++ i++; + mlx5_lag_set_port_affinity(ldev, i); + } ++ ++ mp->mfi = fi; + return; + } + +-- +2.34.1 + diff --git a/queue-5.16/net-mlx5e-shampo-reduce-tir-indication.patch b/queue-5.16/net-mlx5e-shampo-reduce-tir-indication.patch new file mode 100644 index 00000000000..13b2d272b0f --- /dev/null +++ b/queue-5.16/net-mlx5e-shampo-reduce-tir-indication.patch @@ -0,0 +1,67 @@ +From c280b238d9a47a2fb3ee98e2666d15e2c825fcd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 17:07:08 +0200 +Subject: net/mlx5e: SHAMPO, reduce TIR indication + +From: Ben Ben-Ishay + +[ Upstream commit 99a2b9be077ae3a5d97fbf5f7782e0f2e9812978 ] + +SHAMPO is an RQ / WQ feature, an indication was added to the TIR in the +first place to enforce suitability between connected TIR and RQ, this +enforcement does not exist in current the Firmware implementation and was +redundant in the first place. + +Fixes: 83439f3c37aa ("net/mlx5e: Add HW-GRO offload") +Signed-off-by: Ben Ben-Ishay +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 --- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +-- + include/linux/mlx5/mlx5_ifc.h | 1 - + 3 files changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c +index da169b816665..d4239e3b3c88 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c +@@ -88,9 +88,6 @@ void mlx5e_tir_builder_build_packet_merge(struct mlx5e_tir_builder *builder, + (MLX5E_PARAMS_DEFAULT_LRO_WQE_SZ - rough_max_l2_l3_hdr_sz) >> 8); + MLX5_SET(tirc, tirc, lro_timeout_period_usecs, pkt_merge_param->timeout); + break; +- case MLX5E_PACKET_MERGE_SHAMPO: +- MLX5_SET(tirc, tirc, packet_merge_mask, MLX5_TIRC_PACKET_MERGE_MASK_SHAMPO); +- break; + default: + break; + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +index d92b82cdfd4e..22de7327c5a8 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -3592,8 +3592,7 @@ static int set_feature_hw_gro(struct net_device *netdev, bool enable) + goto out; + } + +- err = mlx5e_safe_switch_params(priv, &new_params, +- mlx5e_modify_tirs_packet_merge_ctx, NULL, reset); ++ err = mlx5e_safe_switch_params(priv, &new_params, NULL, NULL, reset); + out: + mutex_unlock(&priv->state_lock); + return err; +diff --git a/include/linux/mlx5/mlx5_ifc.h b/include/linux/mlx5/mlx5_ifc.h +index 58a60e46c319..66522bc56a0b 100644 +--- a/include/linux/mlx5/mlx5_ifc.h ++++ b/include/linux/mlx5/mlx5_ifc.h +@@ -3410,7 +3410,6 @@ enum { + enum { + MLX5_TIRC_PACKET_MERGE_MASK_IPV4_LRO = BIT(0), + MLX5_TIRC_PACKET_MERGE_MASK_IPV6_LRO = BIT(1), +- MLX5_TIRC_PACKET_MERGE_MASK_SHAMPO = BIT(2), + }; + + enum { +-- +2.34.1 + diff --git a/queue-5.16/net-phy-dp83822-clear-misr2-register-to-disable-inte.patch b/queue-5.16/net-phy-dp83822-clear-misr2-register-to-disable-inte.patch new file mode 100644 index 00000000000..19324d33240 --- /dev/null +++ b/queue-5.16/net-phy-dp83822-clear-misr2-register-to-disable-inte.patch @@ -0,0 +1,43 @@ +From b0e504c37192b77ed0f01419fb2beba8f4ca0955 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 15:22:28 +0100 +Subject: net: phy: DP83822: clear MISR2 register to disable interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit 37c9d66c95564c85a001d8a035354f0220a1e1c3 ] + +MISR1 was cleared twice but the original author intention was probably +to clear MISR1 & MISR2 to completely disable interrupts. Fix it to +clear MISR2. + +Fixes: 87461f7a58ab ("net: phy: DP83822 initial driver submission") +Signed-off-by: Clément Léger +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220309142228.761153-1-clement.leger@bootlin.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/dp83822.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/dp83822.c b/drivers/net/phy/dp83822.c +index 211b5476a6f5..ce17b2af3218 100644 +--- a/drivers/net/phy/dp83822.c ++++ b/drivers/net/phy/dp83822.c +@@ -274,7 +274,7 @@ static int dp83822_config_intr(struct phy_device *phydev) + if (err < 0) + return err; + +- err = phy_write(phydev, MII_DP83822_MISR1, 0); ++ err = phy_write(phydev, MII_DP83822_MISR2, 0); + if (err < 0) + return err; + +-- +2.34.1 + diff --git a/queue-5.16/net-phy-meson-gxl-fix-interrupt-handling-in-forced-m.patch b/queue-5.16/net-phy-meson-gxl-fix-interrupt-handling-in-forced-m.patch new file mode 100644 index 00000000000..8fa609df3a8 --- /dev/null +++ b/queue-5.16/net-phy-meson-gxl-fix-interrupt-handling-in-forced-m.patch @@ -0,0 +1,95 @@ +From 9cf841b027751f51ca7edb04a92fcc82733b9d69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Mar 2022 08:54:15 +0100 +Subject: net: phy: meson-gxl: fix interrupt handling in forced mode + +From: Heiner Kallweit + +[ Upstream commit a502a8f04097e038c3daa16c5202a9538116d563 ] + +This PHY doesn't support a link-up interrupt source. If aneg is enabled +we use the "aneg complete" interrupt for this purpose, but if aneg is +disabled link-up isn't signaled currently. +According to a vendor driver there's an additional "energy detect" +interrupt source that can be used to signal link-up if aneg is disabled. +We can safely ignore this interrupt source if aneg is enabled. + +This patch was tested on a TX3 Mini TV box with S905W (even though +boot message says it's a S905D). + +This issue has been existing longer, but due to changes in phylib and +the driver the patch applies only from the commit marked as fixed. + +Fixes: 84c8f773d2dc ("net: phy: meson-gxl: remove the use of .ack_callback()") +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/04cac530-ea1b-850e-6cfa-144a55c4d75d@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/meson-gxl.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/phy/meson-gxl.c b/drivers/net/phy/meson-gxl.c +index 7e7904fee1d9..c49062ad72c6 100644 +--- a/drivers/net/phy/meson-gxl.c ++++ b/drivers/net/phy/meson-gxl.c +@@ -30,8 +30,12 @@ + #define INTSRC_LINK_DOWN BIT(4) + #define INTSRC_REMOTE_FAULT BIT(5) + #define INTSRC_ANEG_COMPLETE BIT(6) ++#define INTSRC_ENERGY_DETECT BIT(7) + #define INTSRC_MASK 30 + ++#define INT_SOURCES (INTSRC_LINK_DOWN | INTSRC_ANEG_COMPLETE | \ ++ INTSRC_ENERGY_DETECT) ++ + #define BANK_ANALOG_DSP 0 + #define BANK_WOL 1 + #define BANK_BIST 3 +@@ -200,7 +204,6 @@ static int meson_gxl_ack_interrupt(struct phy_device *phydev) + + static int meson_gxl_config_intr(struct phy_device *phydev) + { +- u16 val; + int ret; + + if (phydev->interrupts == PHY_INTERRUPT_ENABLED) { +@@ -209,16 +212,9 @@ static int meson_gxl_config_intr(struct phy_device *phydev) + if (ret) + return ret; + +- val = INTSRC_ANEG_PR +- | INTSRC_PARALLEL_FAULT +- | INTSRC_ANEG_LP_ACK +- | INTSRC_LINK_DOWN +- | INTSRC_REMOTE_FAULT +- | INTSRC_ANEG_COMPLETE; +- ret = phy_write(phydev, INTSRC_MASK, val); ++ ret = phy_write(phydev, INTSRC_MASK, INT_SOURCES); + } else { +- val = 0; +- ret = phy_write(phydev, INTSRC_MASK, val); ++ ret = phy_write(phydev, INTSRC_MASK, 0); + + /* Ack any pending IRQ */ + ret = meson_gxl_ack_interrupt(phydev); +@@ -237,9 +233,16 @@ static irqreturn_t meson_gxl_handle_interrupt(struct phy_device *phydev) + return IRQ_NONE; + } + ++ irq_status &= INT_SOURCES; ++ + if (irq_status == 0) + return IRQ_NONE; + ++ /* Aneg-complete interrupt is used for link-up detection */ ++ if (phydev->autoneg == AUTONEG_ENABLE && ++ irq_status == INTSRC_ENERGY_DETECT) ++ return IRQ_HANDLED; ++ + phy_trigger_machine(phydev); + + return IRQ_HANDLED; +-- +2.34.1 + diff --git a/queue-5.16/net-phy-meson-gxl-improve-link-up-behavior.patch b/queue-5.16/net-phy-meson-gxl-improve-link-up-behavior.patch new file mode 100644 index 00000000000..eadcd48afd2 --- /dev/null +++ b/queue-5.16/net-phy-meson-gxl-improve-link-up-behavior.patch @@ -0,0 +1,47 @@ +From 3963761e4c9fc3225bd6e9a2e6599ee34f864769 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 22:04:47 +0100 +Subject: net: phy: meson-gxl: improve link-up behavior + +From: Heiner Kallweit + +[ Upstream commit 2c87c6f9fbddc5b84d67b2fa3f432fcac6d99d93 ] + +Sometimes the link comes up but no data flows. This patch fixes +this behavior. It's not clear what's the root cause of the issue. + +According to the tests one other link-up issue remains. +In very rare cases the link isn't even reported as up. + +Fixes: 84c8f773d2dc ("net: phy: meson-gxl: remove the use of .ack_callback()") +Tested-by: Erico Nunes +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/e3473452-a1f9-efcf-5fdd-02b6f44c3fcd@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/meson-gxl.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/meson-gxl.c b/drivers/net/phy/meson-gxl.c +index c49062ad72c6..73f7962a37d3 100644 +--- a/drivers/net/phy/meson-gxl.c ++++ b/drivers/net/phy/meson-gxl.c +@@ -243,7 +243,13 @@ static irqreturn_t meson_gxl_handle_interrupt(struct phy_device *phydev) + irq_status == INTSRC_ENERGY_DETECT) + return IRQ_HANDLED; + +- phy_trigger_machine(phydev); ++ /* Give PHY some time before MAC starts sending data. This works ++ * around an issue where network doesn't come up properly. ++ */ ++ if (!(irq_status & INTSRC_LINK_DOWN)) ++ phy_queue_state_machine(phydev, msecs_to_jiffies(100)); ++ else ++ phy_trigger_machine(phydev); + + return IRQ_HANDLED; + } +-- +2.34.1 + diff --git a/queue-5.16/net-qlogic-check-the-return-value-of-dma_alloc_coher.patch b/queue-5.16/net-qlogic-check-the-return-value-of-dma_alloc_coher.patch new file mode 100644 index 00000000000..6d32ac62e35 --- /dev/null +++ b/queue-5.16/net-qlogic-check-the-return-value-of-dma_alloc_coher.patch @@ -0,0 +1,50 @@ +From 7cc7bf75f90ad865bbd57c1e4a023e6145455a81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 01:14:11 -0800 +Subject: net: qlogic: check the return value of dma_alloc_coherent() in + qed_vf_hw_prepare() + +From: Jia-Ju Bai + +[ Upstream commit e0058f0fa80f6e09c4d363779c241c45a3c56b94 ] + +The function dma_alloc_coherent() in qed_vf_hw_prepare() can fail, so +its return value should be checked. + +Fixes: 1408cc1fa48c ("qed: Introduce VFs") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_vf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_vf.c b/drivers/net/ethernet/qlogic/qed/qed_vf.c +index 597cd9cd57b5..7b0e390c0b07 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c +@@ -513,6 +513,9 @@ int qed_vf_hw_prepare(struct qed_hwfn *p_hwfn) + p_iov->bulletin.size, + &p_iov->bulletin.phys, + GFP_KERNEL); ++ if (!p_iov->bulletin.p_virt) ++ goto free_pf2vf_reply; ++ + DP_VERBOSE(p_hwfn, QED_MSG_IOV, + "VF's bulletin Board [%p virt 0x%llx phys 0x%08x bytes]\n", + p_iov->bulletin.p_virt, +@@ -552,6 +555,10 @@ int qed_vf_hw_prepare(struct qed_hwfn *p_hwfn) + + return rc; + ++free_pf2vf_reply: ++ dma_free_coherent(&p_hwfn->cdev->pdev->dev, ++ sizeof(union pfvf_tlvs), ++ p_iov->pf2vf_reply, p_iov->pf2vf_reply_phys); + free_vf2pf_request: + dma_free_coherent(&p_hwfn->cdev->pdev->dev, + sizeof(union vfpf_tlvs), +-- +2.34.1 + diff --git a/queue-5.16/net-sysfs-add-check-for-netdevice-being-present-to-s.patch b/queue-5.16/net-sysfs-add-check-for-netdevice-being-present-to-s.patch new file mode 100644 index 00000000000..bcc8f5e07b4 --- /dev/null +++ b/queue-5.16/net-sysfs-add-check-for-netdevice-being-present-to-s.patch @@ -0,0 +1,78 @@ +From 8c4d54a31a4e98dfef2e5994859d981079865cd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Feb 2022 07:25:18 +0530 +Subject: net-sysfs: add check for netdevice being present to speed_show + +From: suresh kumar + +[ Upstream commit 4224cfd7fb6523f7a9d1c8bb91bb5df1e38eb624 ] + +When bringing down the netdevice or system shutdown, a panic can be +triggered while accessing the sysfs path because the device is already +removed. + + [ 755.549084] mlx5_core 0000:12:00.1: Shutdown was called + [ 756.404455] mlx5_core 0000:12:00.0: Shutdown was called + ... + [ 757.937260] BUG: unable to handle kernel NULL pointer dereference at (null) + [ 758.031397] IP: [] dma_pool_alloc+0x1ab/0x280 + + crash> bt + ... + PID: 12649 TASK: ffff8924108f2100 CPU: 1 COMMAND: "amsd" + ... + #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778 + [exception RIP: dma_pool_alloc+0x1ab] + RIP: ffffffff8ee11acb RSP: ffff89240e1a3968 RFLAGS: 00010046 + RAX: 0000000000000246 RBX: ffff89243d874100 RCX: 0000000000001000 + RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff89243d874090 + RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00 + R10: ffffffffc04680d4 R11: ffffffff8edde9fd R12: 00000000000080d0 + R13: ffff89243d874090 R14: ffff89243d874080 R15: 0000000000000000 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core] + #11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core] + #12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core] + #13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core] + #14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core] + #15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core] + #16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core] + #17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46 + #18 [ffff89240e1a3d48] speed_show at ffffffff8f277208 + #19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3 + #20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf + #21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596 + #22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10 + #23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5 + #24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff + #25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f + #26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92 + + crash> net_device.state ffff89443b0c0000 + state = 0x5 (__LINK_STATE_START| __LINK_STATE_NOCARRIER) + +To prevent this scenario, we also make sure that the netdevice is present. + +Signed-off-by: suresh kumar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/net-sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c +index d7f9ee830d34..9e5657f63245 100644 +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -213,7 +213,7 @@ static ssize_t speed_show(struct device *dev, + if (!rtnl_trylock()) + return restart_syscall(); + +- if (netif_running(netdev)) { ++ if (netif_running(netdev) && netif_device_present(netdev)) { + struct ethtool_link_ksettings cmd; + + if (!__ethtool_get_link_ksettings(netdev, &cmd)) +-- +2.34.1 + diff --git a/queue-5.16/nfc-port100-fix-use-after-free-in-port100_send_compl.patch b/queue-5.16/nfc-port100-fix-use-after-free-in-port100_send_compl.patch new file mode 100644 index 00000000000..7911044f9ed --- /dev/null +++ b/queue-5.16/nfc-port100-fix-use-after-free-in-port100_send_compl.patch @@ -0,0 +1,86 @@ +From af1c14f65fa42295360feecc2127e465b2679988 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 21:50:07 +0300 +Subject: NFC: port100: fix use-after-free in port100_send_complete + +From: Pavel Skripkin + +[ Upstream commit f80cfe2f26581f188429c12bd937eb905ad3ac7b ] + +Syzbot reported UAF in port100_send_complete(). The root case is in +missing usb_kill_urb() calls on error handling path of ->probe function. + +port100_send_complete() accesses devm allocated memory which will be +freed on probe failure. We should kill this urbs before returning an +error from probe function to prevent reported use-after-free + +Fail log: + +BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 +Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 +... +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 + __kasan_report mm/kasan/report.c:442 [inline] + kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 + port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935 + __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670 + +... + +Allocated by task 1255: + kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 + kasan_set_track mm/kasan/common.c:45 [inline] + set_alloc_info mm/kasan/common.c:436 [inline] + ____kasan_kmalloc mm/kasan/common.c:515 [inline] + ____kasan_kmalloc mm/kasan/common.c:474 [inline] + __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524 + alloc_dr drivers/base/devres.c:116 [inline] + devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823 + devm_kzalloc include/linux/device.h:209 [inline] + port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502 + +Freed by task 1255: + kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 + kasan_set_track+0x21/0x30 mm/kasan/common.c:45 + kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 + ____kasan_slab_free mm/kasan/common.c:366 [inline] + ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328 + kasan_slab_free include/linux/kasan.h:236 [inline] + __cache_free mm/slab.c:3437 [inline] + kfree+0xf8/0x2b0 mm/slab.c:3794 + release_nodes+0x112/0x1a0 drivers/base/devres.c:501 + devres_release_all+0x114/0x190 drivers/base/devres.c:530 + really_probe+0x626/0xcc0 drivers/base/dd.c:670 + +Reported-and-tested-by: syzbot+16bcb127fb73baeecb14@syzkaller.appspotmail.com +Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation") +Signed-off-by: Pavel Skripkin +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220308185007.6987-1-paskripkin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/port100.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nfc/port100.c b/drivers/nfc/port100.c +index d7db1a0e6be1..00d8ea6dcb5d 100644 +--- a/drivers/nfc/port100.c ++++ b/drivers/nfc/port100.c +@@ -1612,7 +1612,9 @@ static int port100_probe(struct usb_interface *interface, + nfc_digital_free_device(dev->nfc_digital_dev); + + error: ++ usb_kill_urb(dev->in_urb); + usb_free_urb(dev->in_urb); ++ usb_kill_urb(dev->out_urb); + usb_free_urb(dev->out_urb); + usb_put_dev(dev->udev); + +-- +2.34.1 + diff --git a/queue-5.16/nvme-tcp-send-h2cdata-pdus-based-on-maxh2cdata.patch b/queue-5.16/nvme-tcp-send-h2cdata-pdus-based-on-maxh2cdata.patch new file mode 100644 index 00000000000..e99d77a8e99 --- /dev/null +++ b/queue-5.16/nvme-tcp-send-h2cdata-pdus-based-on-maxh2cdata.patch @@ -0,0 +1,230 @@ +From e8876a033e0abb46f497768e2c30f60f10ac24e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Jan 2022 22:27:44 +0530 +Subject: nvme-tcp: send H2CData PDUs based on MAXH2CDATA + +From: Varun Prakash + +[ Upstream commit c2700d2886a87f83f31e0a301de1d2350b52c79b ] + +As per NVMe/TCP specification (revision 1.0a, section 3.6.2.3) +Maximum Host to Controller Data length (MAXH2CDATA): Specifies the +maximum number of PDU-Data bytes per H2CData PDU in bytes. This value +is a multiple of dwords and should be no less than 4,096. + +Current code sets H2CData PDU data_length to r2t_length, +it does not check MAXH2CDATA value. Fix this by setting H2CData PDU +data_length to min(req->h2cdata_left, queue->maxh2cdata). + +Also validate MAXH2CDATA value returned by target in ICResp PDU, +if it is not a multiple of dword or if it is less than 4096 return +-EINVAL from nvme_tcp_init_connection(). + +Signed-off-by: Varun Prakash +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/tcp.c | 63 +++++++++++++++++++++++++++++++--------- + include/linux/nvme-tcp.h | 1 + + 2 files changed, 50 insertions(+), 14 deletions(-) + +diff --git a/drivers/nvme/host/tcp.c b/drivers/nvme/host/tcp.c +index 891a36d02e7c..65e00c64a588 100644 +--- a/drivers/nvme/host/tcp.c ++++ b/drivers/nvme/host/tcp.c +@@ -44,6 +44,8 @@ struct nvme_tcp_request { + u32 data_len; + u32 pdu_len; + u32 pdu_sent; ++ u32 h2cdata_left; ++ u32 h2cdata_offset; + u16 ttag; + __le16 status; + struct list_head entry; +@@ -95,6 +97,7 @@ struct nvme_tcp_queue { + struct nvme_tcp_request *request; + + int queue_size; ++ u32 maxh2cdata; + size_t cmnd_capsule_len; + struct nvme_tcp_ctrl *ctrl; + unsigned long flags; +@@ -572,23 +575,26 @@ static int nvme_tcp_handle_comp(struct nvme_tcp_queue *queue, + return ret; + } + +-static void nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, +- struct nvme_tcp_r2t_pdu *pdu) ++static void nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req) + { + struct nvme_tcp_data_pdu *data = req->pdu; + struct nvme_tcp_queue *queue = req->queue; + struct request *rq = blk_mq_rq_from_pdu(req); ++ u32 h2cdata_sent = req->pdu_len; + u8 hdgst = nvme_tcp_hdgst_len(queue); + u8 ddgst = nvme_tcp_ddgst_len(queue); + + req->state = NVME_TCP_SEND_H2C_PDU; + req->offset = 0; +- req->pdu_len = le32_to_cpu(pdu->r2t_length); ++ req->pdu_len = min(req->h2cdata_left, queue->maxh2cdata); + req->pdu_sent = 0; ++ req->h2cdata_left -= req->pdu_len; ++ req->h2cdata_offset += h2cdata_sent; + + memset(data, 0, sizeof(*data)); + data->hdr.type = nvme_tcp_h2c_data; +- data->hdr.flags = NVME_TCP_F_DATA_LAST; ++ if (!req->h2cdata_left) ++ data->hdr.flags = NVME_TCP_F_DATA_LAST; + if (queue->hdr_digest) + data->hdr.flags |= NVME_TCP_F_HDGST; + if (queue->data_digest) +@@ -597,9 +603,9 @@ static void nvme_tcp_setup_h2c_data_pdu(struct nvme_tcp_request *req, + data->hdr.pdo = data->hdr.hlen + hdgst; + data->hdr.plen = + cpu_to_le32(data->hdr.hlen + hdgst + req->pdu_len + ddgst); +- data->ttag = pdu->ttag; ++ data->ttag = req->ttag; + data->command_id = nvme_cid(rq); +- data->data_offset = pdu->r2t_offset; ++ data->data_offset = cpu_to_le32(req->h2cdata_offset); + data->data_length = cpu_to_le32(req->pdu_len); + } + +@@ -609,6 +615,7 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue, + struct nvme_tcp_request *req; + struct request *rq; + u32 r2t_length = le32_to_cpu(pdu->r2t_length); ++ u32 r2t_offset = le32_to_cpu(pdu->r2t_offset); + + rq = nvme_find_rq(nvme_tcp_tagset(queue), pdu->command_id); + if (!rq) { +@@ -633,14 +640,19 @@ static int nvme_tcp_handle_r2t(struct nvme_tcp_queue *queue, + return -EPROTO; + } + +- if (unlikely(le32_to_cpu(pdu->r2t_offset) < req->data_sent)) { ++ if (unlikely(r2t_offset < req->data_sent)) { + dev_err(queue->ctrl->ctrl.device, + "req %d unexpected r2t offset %u (expected %zu)\n", +- rq->tag, le32_to_cpu(pdu->r2t_offset), req->data_sent); ++ rq->tag, r2t_offset, req->data_sent); + return -EPROTO; + } + +- nvme_tcp_setup_h2c_data_pdu(req, pdu); ++ req->pdu_len = 0; ++ req->h2cdata_left = r2t_length; ++ req->h2cdata_offset = r2t_offset; ++ req->ttag = pdu->ttag; ++ ++ nvme_tcp_setup_h2c_data_pdu(req); + nvme_tcp_queue_request(req, false, true); + + return 0; +@@ -928,6 +940,7 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + { + struct nvme_tcp_queue *queue = req->queue; + int req_data_len = req->data_len; ++ u32 h2cdata_left = req->h2cdata_left; + + while (true) { + struct page *page = nvme_tcp_req_cur_page(req); +@@ -972,7 +985,10 @@ static int nvme_tcp_try_send_data(struct nvme_tcp_request *req) + req->state = NVME_TCP_SEND_DDGST; + req->offset = 0; + } else { +- nvme_tcp_done_send_req(queue); ++ if (h2cdata_left) ++ nvme_tcp_setup_h2c_data_pdu(req); ++ else ++ nvme_tcp_done_send_req(queue); + } + return 1; + } +@@ -1030,9 +1046,14 @@ static int nvme_tcp_try_send_data_pdu(struct nvme_tcp_request *req) + if (queue->hdr_digest && !req->offset) + nvme_tcp_hdgst(queue->snd_hash, pdu, sizeof(*pdu)); + +- ret = kernel_sendpage(queue->sock, virt_to_page(pdu), +- offset_in_page(pdu) + req->offset, len, +- MSG_DONTWAIT | MSG_MORE | MSG_SENDPAGE_NOTLAST); ++ if (!req->h2cdata_left) ++ ret = kernel_sendpage(queue->sock, virt_to_page(pdu), ++ offset_in_page(pdu) + req->offset, len, ++ MSG_DONTWAIT | MSG_MORE | MSG_SENDPAGE_NOTLAST); ++ else ++ ret = sock_no_sendpage(queue->sock, virt_to_page(pdu), ++ offset_in_page(pdu) + req->offset, len, ++ MSG_DONTWAIT | MSG_MORE); + if (unlikely(ret <= 0)) + return ret; + +@@ -1052,6 +1073,7 @@ static int nvme_tcp_try_send_ddgst(struct nvme_tcp_request *req) + { + struct nvme_tcp_queue *queue = req->queue; + size_t offset = req->offset; ++ u32 h2cdata_left = req->h2cdata_left; + int ret; + struct msghdr msg = { .msg_flags = MSG_DONTWAIT }; + struct kvec iov = { +@@ -1069,7 +1091,10 @@ static int nvme_tcp_try_send_ddgst(struct nvme_tcp_request *req) + return ret; + + if (offset + ret == NVME_TCP_DIGEST_LENGTH) { +- nvme_tcp_done_send_req(queue); ++ if (h2cdata_left) ++ nvme_tcp_setup_h2c_data_pdu(req); ++ else ++ nvme_tcp_done_send_req(queue); + return 1; + } + +@@ -1261,6 +1286,7 @@ static int nvme_tcp_init_connection(struct nvme_tcp_queue *queue) + struct msghdr msg = {}; + struct kvec iov; + bool ctrl_hdgst, ctrl_ddgst; ++ u32 maxh2cdata; + int ret; + + icreq = kzalloc(sizeof(*icreq), GFP_KERNEL); +@@ -1344,6 +1370,14 @@ static int nvme_tcp_init_connection(struct nvme_tcp_queue *queue) + goto free_icresp; + } + ++ maxh2cdata = le32_to_cpu(icresp->maxdata); ++ if ((maxh2cdata % 4) || (maxh2cdata < NVME_TCP_MIN_MAXH2CDATA)) { ++ pr_err("queue %d: invalid maxh2cdata returned %u\n", ++ nvme_tcp_queue_id(queue), maxh2cdata); ++ goto free_icresp; ++ } ++ queue->maxh2cdata = maxh2cdata; ++ + ret = 0; + free_icresp: + kfree(icresp); +@@ -2329,6 +2363,7 @@ static blk_status_t nvme_tcp_setup_cmd_pdu(struct nvme_ns *ns, + req->data_sent = 0; + req->pdu_len = 0; + req->pdu_sent = 0; ++ req->h2cdata_left = 0; + req->data_len = blk_rq_nr_phys_segments(rq) ? + blk_rq_payload_bytes(rq) : 0; + req->curr_bio = rq->bio; +diff --git a/include/linux/nvme-tcp.h b/include/linux/nvme-tcp.h +index 959e0bd9a913..75470159a194 100644 +--- a/include/linux/nvme-tcp.h ++++ b/include/linux/nvme-tcp.h +@@ -12,6 +12,7 @@ + #define NVME_TCP_DISC_PORT 8009 + #define NVME_TCP_ADMIN_CCSZ SZ_8K + #define NVME_TCP_DIGEST_LENGTH 4 ++#define NVME_TCP_MIN_MAXH2CDATA 4096 + + enum nvme_tcp_pfv { + NVME_TCP_PFV_1_0 = 0x0, +-- +2.34.1 + diff --git a/queue-5.16/of-fdt-move-elfcorehdr-reservation-early-for-crash-d.patch b/queue-5.16/of-fdt-move-elfcorehdr-reservation-early-for-crash-d.patch new file mode 100644 index 00000000000..c68a90cf6d1 --- /dev/null +++ b/queue-5.16/of-fdt-move-elfcorehdr-reservation-early-for-crash-d.patch @@ -0,0 +1,38 @@ +From 6157280e7d64284462246668d280fa87538070a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jan 2022 09:53:21 +0530 +Subject: of/fdt: move elfcorehdr reservation early for crash dump kernel + +From: Nikhil Gupta + +[ Upstream commit 132507ed04ce0c5559be04dd378fec4f3bbc00e8 ] + +elfcorehdr_addr is fixed address passed to Second kernel which may be conflicted +with potential reserved memory in Second kernel,so fdt_reserve_elfcorehdr() ahead +of fdt_init_reserved_mem() can relieve this situation. + +Signed-off-by: Nikhil Gupta +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/20220128042321.15228-1-nikhil.gupta@nxp.com +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index 7e868e5995b7..f66abb496ed1 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -644,8 +644,8 @@ void __init early_init_fdt_scan_reserved_mem(void) + } + + fdt_scan_reserved_mem(); +- fdt_init_reserved_mem(); + fdt_reserve_elfcorehdr(); ++ fdt_init_reserved_mem(); + } + + /** +-- +2.34.1 + diff --git a/queue-5.16/pci-mark-all-amd-navi10-and-navi14-gpu-ats-as-broken.patch b/queue-5.16/pci-mark-all-amd-navi10-and-navi14-gpu-ats-as-broken.patch new file mode 100644 index 00000000000..e5b9cf93cab --- /dev/null +++ b/queue-5.16/pci-mark-all-amd-navi10-and-navi14-gpu-ats-as-broken.patch @@ -0,0 +1,91 @@ +From 0b17ff1652e226ca320245c82fbfe7c853c958c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Feb 2022 11:08:01 -0500 +Subject: PCI: Mark all AMD Navi10 and Navi14 GPU ATS as broken +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit 3f1271b54edcc692da5a3663f2aa2a64781f9bc3 ] + +There are enough VBIOS escapes without the proper workaround that some +users still hit this. Microsoft never productized ATS on Windows so OEM +platforms that were Windows-only didn't always validate ATS. + +The advantages of ATS are not worth it compared to the potential +instabilities on harvested boards. Disable ATS on all Navi10 and Navi14 +boards. + +Symptoms include: + + amdgpu 0000:07:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0007 address=0xffffc02000 flags=0x0000] + AMD-Vi: Event logged [IO_PAGE_FAULT device=07:00.0 domain=0x0007 address=0xffffc02000 flags=0x0000] + [drm:amdgpu_job_timedout [amdgpu]] *ERROR* ring sdma0 timeout, signaled seq=6047, emitted seq=6049 + amdgpu 0000:07:00.0: amdgpu: GPU reset begin! + amdgpu 0000:07:00.0: amdgpu: GPU reset succeeded, trying to resume + amdgpu 0000:07:00.0: [drm:amdgpu_ring_test_helper [amdgpu]] *ERROR* ring sdma0 test failed (-110) + [drm:amdgpu_device_ip_resume_phase2 [amdgpu]] *ERROR* resume of IP block failed -110 + amdgpu 0000:07:00.0: amdgpu: GPU reset(1) failed + +Related commits: + + e8946a53e2a6 ("PCI: Mark AMD Navi14 GPU ATS as broken") + a2da5d8cc0b0 ("PCI: Mark AMD Raven iGPU ATS as broken in some platforms") + 45beb31d3afb ("PCI: Mark AMD Navi10 GPU rev 0x00 ATS as broken") + 5e89cd303e3a ("PCI: Mark AMD Navi14 GPU rev 0xc5 ATS as broken") + d28ca864c493 ("PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken") + 9b44b0b09dec ("PCI: Mark AMD Stoney GPU ATS as broken") + +[bhelgaas: add symptoms and related commits] +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1760 +Link: https://lore.kernel.org/r/20220222160801.841643-1-alexander.deucher@amd.com +Signed-off-by: Alex Deucher +Signed-off-by: Bjorn Helgaas +Acked-by: Christian König +Acked-by: Guchun Chen +Signed-off-by: Sasha Levin +--- + drivers/pci/quirks.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c +index 20a932690738..db864bf634a3 100644 +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -5344,11 +5344,6 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_SERVERWORKS, 0x0422, quirk_no_ext_tags); + */ + static void quirk_amd_harvest_no_ats(struct pci_dev *pdev) + { +- if ((pdev->device == 0x7312 && pdev->revision != 0x00) || +- (pdev->device == 0x7340 && pdev->revision != 0xc5) || +- (pdev->device == 0x7341 && pdev->revision != 0x00)) +- return; +- + if (pdev->device == 0x15d8) { + if (pdev->revision == 0xcf && + pdev->subsystem_vendor == 0xea50 && +@@ -5370,10 +5365,19 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x98e4, quirk_amd_harvest_no_ats); + /* AMD Iceland dGPU */ + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x6900, quirk_amd_harvest_no_ats); + /* AMD Navi10 dGPU */ ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7310, quirk_amd_harvest_no_ats); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7312, quirk_amd_harvest_no_ats); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7318, quirk_amd_harvest_no_ats); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7319, quirk_amd_harvest_no_ats); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x731a, quirk_amd_harvest_no_ats); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x731b, quirk_amd_harvest_no_ats); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x731e, quirk_amd_harvest_no_ats); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x731f, quirk_amd_harvest_no_ats); + /* AMD Navi14 dGPU */ + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7340, quirk_amd_harvest_no_ats); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7341, quirk_amd_harvest_no_ats); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x7347, quirk_amd_harvest_no_ats); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x734f, quirk_amd_harvest_no_ats); + /* AMD Raven platform iGPU */ + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x15d8, quirk_amd_harvest_no_ats); + #endif /* CONFIG_PCI_ATS */ +-- +2.34.1 + diff --git a/queue-5.16/pinctrl-tigerlake-revert-add-alder-lake-m-acpi-id.patch b/queue-5.16/pinctrl-tigerlake-revert-add-alder-lake-m-acpi-id.patch new file mode 100644 index 00000000000..46059539d2e --- /dev/null +++ b/queue-5.16/pinctrl-tigerlake-revert-add-alder-lake-m-acpi-id.patch @@ -0,0 +1,37 @@ +From 446f95e138bff44d332b49de83ea1a1346df9178 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Dec 2021 19:49:13 +0200 +Subject: pinctrl: tigerlake: Revert "Add Alder Lake-M ACPI ID" + +From: Andy Shevchenko + +[ Upstream commit 6f66db29e2415cbe8759c48584f9cae19b3c2651 ] + +It appears that last minute change moved ACPI ID of Alder Lake-M +to the INTC1055, which is already in the driver. + +This ID on the other hand will be used elsewhere. + +This reverts commit 258435a1c8187f559549e515d2f77fa0b57bcd27. + +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/intel/pinctrl-tigerlake.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/pinctrl/intel/pinctrl-tigerlake.c b/drivers/pinctrl/intel/pinctrl-tigerlake.c +index 0bcd19597e4a..3ddaeffc0415 100644 +--- a/drivers/pinctrl/intel/pinctrl-tigerlake.c ++++ b/drivers/pinctrl/intel/pinctrl-tigerlake.c +@@ -749,7 +749,6 @@ static const struct acpi_device_id tgl_pinctrl_acpi_match[] = { + { "INT34C5", (kernel_ulong_t)&tgllp_soc_data }, + { "INT34C6", (kernel_ulong_t)&tglh_soc_data }, + { "INTC1055", (kernel_ulong_t)&tgllp_soc_data }, +- { "INTC1057", (kernel_ulong_t)&tgllp_soc_data }, + { } + }; + MODULE_DEVICE_TABLE(acpi, tgl_pinctrl_acpi_match); +-- +2.34.1 + diff --git a/queue-5.16/qed-return-status-of-qed_iov_get_link.patch b/queue-5.16/qed-return-status-of-qed_iov_get_link.patch new file mode 100644 index 00000000000..0b387c7c338 --- /dev/null +++ b/queue-5.16/qed-return-status-of-qed_iov_get_link.patch @@ -0,0 +1,87 @@ +From 9b6d4bdd349e5208796ed10b30f792e3418ac0f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 07:06:42 -0800 +Subject: qed: return status of qed_iov_get_link + +From: Tom Rix + +[ Upstream commit d9dc0c84ad2d4cc911ba252c973d1bf18d5eb9cf ] + +Clang static analysis reports this issue +qed_sriov.c:4727:19: warning: Assigned value is + garbage or undefined + ivi->max_tx_rate = tx_rate ? tx_rate : link.speed; + ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +link is only sometimes set by the call to qed_iov_get_link() +qed_iov_get_link fails without setting link or returning +status. So change the decl to return status. + +Fixes: 73390ac9d82b ("qed*: support ndo_get_vf_config") +Signed-off-by: Tom Rix +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qed/qed_sriov.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c +index 8ac38828ba45..48cf4355bc47 100644 +--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c +@@ -3806,11 +3806,11 @@ bool qed_iov_mark_vf_flr(struct qed_hwfn *p_hwfn, u32 *p_disabled_vfs) + return found; + } + +-static void qed_iov_get_link(struct qed_hwfn *p_hwfn, +- u16 vfid, +- struct qed_mcp_link_params *p_params, +- struct qed_mcp_link_state *p_link, +- struct qed_mcp_link_capabilities *p_caps) ++static int qed_iov_get_link(struct qed_hwfn *p_hwfn, ++ u16 vfid, ++ struct qed_mcp_link_params *p_params, ++ struct qed_mcp_link_state *p_link, ++ struct qed_mcp_link_capabilities *p_caps) + { + struct qed_vf_info *p_vf = qed_iov_get_vf_info(p_hwfn, + vfid, +@@ -3818,7 +3818,7 @@ static void qed_iov_get_link(struct qed_hwfn *p_hwfn, + struct qed_bulletin_content *p_bulletin; + + if (!p_vf) +- return; ++ return -EINVAL; + + p_bulletin = p_vf->bulletin.p_virt; + +@@ -3828,6 +3828,7 @@ static void qed_iov_get_link(struct qed_hwfn *p_hwfn, + __qed_vf_get_link_state(p_hwfn, p_link, p_bulletin); + if (p_caps) + __qed_vf_get_link_caps(p_hwfn, p_caps, p_bulletin); ++ return 0; + } + + static int +@@ -4686,6 +4687,7 @@ static int qed_get_vf_config(struct qed_dev *cdev, + struct qed_public_vf_info *vf_info; + struct qed_mcp_link_state link; + u32 tx_rate; ++ int ret; + + /* Sanitize request */ + if (IS_VF(cdev)) +@@ -4699,7 +4701,9 @@ static int qed_get_vf_config(struct qed_dev *cdev, + + vf_info = qed_iov_get_public_vf_info(hwfn, vf_id, true); + +- qed_iov_get_link(hwfn, vf_id, NULL, &link, NULL); ++ ret = qed_iov_get_link(hwfn, vf_id, NULL, &link, NULL); ++ if (ret) ++ return ret; + + /* Fill information about VF */ + ivi->vf = vf_id; +-- +2.34.1 + diff --git a/queue-5.16/revert-xen-netback-check-for-hotplug-status-existenc.patch b/queue-5.16/revert-xen-netback-check-for-hotplug-status-existenc.patch new file mode 100644 index 00000000000..db0a343825e --- /dev/null +++ b/queue-5.16/revert-xen-netback-check-for-hotplug-status-existenc.patch @@ -0,0 +1,68 @@ +From 400fd96b075115c4a42f54f912a66a641dcd0cc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Feb 2022 01:18:17 +0100 +Subject: Revert "xen-netback: Check for hotplug-status existence before + watching" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Marczykowski-Górecki + +[ Upstream commit e8240addd0a3919e0fd7436416afe9aa6429c484 ] + +This reverts commit 2afeec08ab5c86ae21952151f726bfe184f6b23d. + +The reasoning in the commit was wrong - the code expected to setup the +watch even if 'hotplug-status' didn't exist. In fact, it relied on the +watch being fired the first time - to check if maybe 'hotplug-status' is +already set to 'connected'. Not registering a watch for non-existing +path (which is the case if hotplug script hasn't been executed yet), +made the backend not waiting for the hotplug script to execute. This in +turns, made the netfront think the interface is fully operational, while +in fact it was not (the vif interface on xen-netback side might not be +configured yet). + +This was a workaround for 'hotplug-status' erroneously being removed. +But since that is reverted now, the workaround is not necessary either. + +More discussion at +https://lore.kernel.org/xen-devel/afedd7cb-a291-e773-8b0d-4db9b291fa98@ipxe.org/T/#u + +Signed-off-by: Marek Marczykowski-Górecki +Reviewed-by: Paul Durrant +Reviewed-by: Michael Brown +Link: https://lore.kernel.org/r/20220222001817.2264967-2-marmarek@invisiblethingslab.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/xenbus.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c +index 3fad58d22155..990360d75cb6 100644 +--- a/drivers/net/xen-netback/xenbus.c ++++ b/drivers/net/xen-netback/xenbus.c +@@ -824,15 +824,11 @@ static void connect(struct backend_info *be) + xenvif_carrier_on(be->vif); + + unregister_hotplug_status_watch(be); +- if (xenbus_exists(XBT_NIL, dev->nodename, "hotplug-status")) { +- err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, +- NULL, hotplug_status_changed, +- "%s/%s", dev->nodename, +- "hotplug-status"); +- if (err) +- goto err; ++ err = xenbus_watch_pathfmt(dev, &be->hotplug_status_watch, NULL, ++ hotplug_status_changed, ++ "%s/%s", dev->nodename, "hotplug-status"); ++ if (!err) + be->have_hotplug_status_watch = 1; +- } + + netif_tx_wake_all_queues(be->vif->dev); + +-- +2.34.1 + diff --git a/queue-5.16/revert-xen-netback-remove-hotplug-status-once-it-has.patch b/queue-5.16/revert-xen-netback-remove-hotplug-status-once-it-has.patch new file mode 100644 index 00000000000..62b4ff7d1f6 --- /dev/null +++ b/queue-5.16/revert-xen-netback-remove-hotplug-status-once-it-has.patch @@ -0,0 +1,66 @@ +From 29cfa77d8140e0b5ad431d0ad46afe7b0a892f73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Feb 2022 01:18:16 +0100 +Subject: Revert "xen-netback: remove 'hotplug-status' once it has served its + purpose" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Marczykowski-Górecki + +[ Upstream commit 0f4558ae91870692ce7f509c31c9d6ee721d8cdc ] + +This reverts commit 1f2565780e9b7218cf92c7630130e82dcc0fe9c2. + +The 'hotplug-status' node should not be removed as long as the vif +device remains configured. Otherwise the xen-netback would wait for +re-running the network script even if it was already called (in case of +the frontent re-connecting). But also, it _should_ be removed when the +vif device is destroyed (for example when unbinding the driver) - +otherwise hotplug script would not configure the device whenever it +re-appear. + +Moving removal of the 'hotplug-status' node was a workaround for nothing +calling network script after xen-netback module is reloaded. But when +vif interface is re-created (on xen-netback unbind/bind for example), +the script should be called, regardless of who does that - currently +this case is not handled by the toolstack, and requires manual +script call. Keeping hotplug-status=connected to skip the call is wrong +and leads to not configured interface. + +More discussion at +https://lore.kernel.org/xen-devel/afedd7cb-a291-e773-8b0d-4db9b291fa98@ipxe.org/T/#u + +Signed-off-by: Marek Marczykowski-Górecki +Reviewed-by: Paul Durrant +Link: https://lore.kernel.org/r/20220222001817.2264967-1-marmarek@invisiblethingslab.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/xen-netback/xenbus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c +index d24b7a7993aa..3fad58d22155 100644 +--- a/drivers/net/xen-netback/xenbus.c ++++ b/drivers/net/xen-netback/xenbus.c +@@ -256,6 +256,7 @@ static void backend_disconnect(struct backend_info *be) + unsigned int queue_index; + + xen_unregister_watchers(vif); ++ xenbus_rm(XBT_NIL, be->dev->nodename, "hotplug-status"); + #ifdef CONFIG_DEBUG_FS + xenvif_debugfs_delif(vif); + #endif /* CONFIG_DEBUG_FS */ +@@ -675,7 +676,6 @@ static void hotplug_status_changed(struct xenbus_watch *watch, + + /* Not interested in this watch anymore. */ + unregister_hotplug_status_watch(be); +- xenbus_rm(XBT_NIL, be->dev->nodename, "hotplug-status"); + } + kfree(str); + } +-- +2.34.1 + diff --git a/queue-5.16/sctp-fix-kernel-infoleak-for-sctp-sockets.patch b/queue-5.16/sctp-fix-kernel-infoleak-for-sctp-sockets.patch new file mode 100644 index 00000000000..87ea0b956e1 --- /dev/null +++ b/queue-5.16/sctp-fix-kernel-infoleak-for-sctp-sockets.patch @@ -0,0 +1,128 @@ +From a3288d303f84ef8ca01487ff5420c653c899a7f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 16:11:45 -0800 +Subject: sctp: fix kernel-infoleak for SCTP sockets + +From: Eric Dumazet + +[ Upstream commit 633593a808980f82d251d0ca89730d8bb8b0220c ] + +syzbot reported a kernel infoleak [1] of 4 bytes. + +After analysis, it turned out r->idiag_expires is not initialized +if inet_sctp_diag_fill() calls inet_diag_msg_common_fill() + +Make sure to clear idiag_timer/idiag_retrans/idiag_expires +and let inet_diag_msg_sctpasoc_fill() fill them again if needed. + +[1] + +BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline] +BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline] +BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 + instrument_copy_to_user include/linux/instrumented.h:121 [inline] + copyout lib/iov_iter.c:154 [inline] + _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668 + copy_to_iter include/linux/uio.h:162 [inline] + simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519 + __skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425 + skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533 + skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline] + netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + __sys_recvfrom+0x795/0xa10 net/socket.c:2097 + __do_sys_recvfrom net/socket.c:2115 [inline] + __se_sys_recvfrom net/socket.c:2111 [inline] + __x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:737 [inline] + slab_alloc_node mm/slub.c:3247 [inline] + __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975 + kmalloc_reserve net/core/skbuff.c:354 [inline] + __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 + alloc_skb include/linux/skbuff.h:1158 [inline] + netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248 + __netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373 + netlink_dump_start include/linux/netlink.h:254 [inline] + inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341 + sock_diag_rcv_msg+0x24a/0x620 + netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494 + sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277 + netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] + netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343 + netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919 + sock_sendmsg_nosec net/socket.c:705 [inline] + sock_sendmsg net/socket.c:725 [inline] + sock_write_iter+0x594/0x690 net/socket.c:1061 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_write+0x52c/0x1500 fs/read_write.c:851 + vfs_writev fs/read_write.c:924 [inline] + do_writev+0x645/0xe00 fs/read_write.c:967 + __do_sys_writev fs/read_write.c:1040 [inline] + __se_sys_writev fs/read_write.c:1037 [inline] + __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Bytes 68-71 of 2508 are uninitialized +Memory access of size 2508 starts at ffff888114f9b000 +Data copied to user address 00007f7fe09ff2e0 + +CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Cc: Vlad Yasevich +Cc: Neil Horman +Cc: Marcelo Ricardo Leitner +Reviewed-by: Xin Long +Link: https://lore.kernel.org/r/20220310001145.297371-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sctp/diag.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/net/sctp/diag.c b/net/sctp/diag.c +index 034e2c74497d..d9c6d8f30f09 100644 +--- a/net/sctp/diag.c ++++ b/net/sctp/diag.c +@@ -61,10 +61,6 @@ static void inet_diag_msg_sctpasoc_fill(struct inet_diag_msg *r, + r->idiag_timer = SCTP_EVENT_TIMEOUT_T3_RTX; + r->idiag_retrans = asoc->rtx_data_chunks; + r->idiag_expires = jiffies_to_msecs(t3_rtx->expires - jiffies); +- } else { +- r->idiag_timer = 0; +- r->idiag_retrans = 0; +- r->idiag_expires = 0; + } + } + +@@ -144,13 +140,14 @@ static int inet_sctp_diag_fill(struct sock *sk, struct sctp_association *asoc, + r = nlmsg_data(nlh); + BUG_ON(!sk_fullsock(sk)); + ++ r->idiag_timer = 0; ++ r->idiag_retrans = 0; ++ r->idiag_expires = 0; + if (asoc) { + inet_diag_msg_sctpasoc_fill(r, sk, asoc); + } else { + inet_diag_msg_common_fill(r, sk); + r->idiag_state = sk->sk_state; +- r->idiag_timer = 0; +- r->idiag_retrans = 0; + } + + if (inet_diag_msg_attrs_fill(sk, skb, r, ext, user_ns, net_admin)) +-- +2.34.1 + diff --git a/queue-5.16/selftest-vm-fix-map_fixed_noreplace-test-failure.patch b/queue-5.16/selftest-vm-fix-map_fixed_noreplace-test-failure.patch new file mode 100644 index 00000000000..5789d6ffcb4 --- /dev/null +++ b/queue-5.16/selftest-vm-fix-map_fixed_noreplace-test-failure.patch @@ -0,0 +1,181 @@ +From 7450b094788db34fabd60935a4f31ae3625a6588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 19:11:08 -0800 +Subject: selftest/vm: fix map_fixed_noreplace test failure + +From: Aneesh Kumar K.V + +[ Upstream commit f39c58008dee7ab5fc94c3f1995a21e886801df0 ] + +On the latest RHEL the test fails due to executable mapped at 256MB +address + + # ./map_fixed_noreplace + mmap() @ 0x10000000-0x10050000 p=0xffffffffffffffff result=File exists + 10000000-10010000 r-xp 00000000 fd:04 34905657 /root/rpmbuild/BUILD/kernel-5.14.0-56.el9/linux-5.14.0-56.el9.ppc64le/tools/testing/selftests/vm/map_fixed_noreplace + 10010000-10020000 r--p 00000000 fd:04 34905657 /root/rpmbuild/BUILD/kernel-5.14.0-56.el9/linux-5.14.0-56.el9.ppc64le/tools/testing/selftests/vm/map_fixed_noreplace + 10020000-10030000 rw-p 00010000 fd:04 34905657 /root/rpmbuild/BUILD/kernel-5.14.0-56.el9/linux-5.14.0-56.el9.ppc64le/tools/testing/selftests/vm/map_fixed_noreplace + 10029b90000-10029bc0000 rw-p 00000000 00:00 0 [heap] + 7fffbb510000-7fffbb750000 r-xp 00000000 fd:04 24534 /usr/lib64/libc.so.6 + 7fffbb750000-7fffbb760000 r--p 00230000 fd:04 24534 /usr/lib64/libc.so.6 + 7fffbb760000-7fffbb770000 rw-p 00240000 fd:04 24534 /usr/lib64/libc.so.6 + 7fffbb780000-7fffbb7a0000 r--p 00000000 00:00 0 [vvar] + 7fffbb7a0000-7fffbb7b0000 r-xp 00000000 00:00 0 [vdso] + 7fffbb7b0000-7fffbb800000 r-xp 00000000 fd:04 24514 /usr/lib64/ld64.so.2 + 7fffbb800000-7fffbb810000 r--p 00040000 fd:04 24514 /usr/lib64/ld64.so.2 + 7fffbb810000-7fffbb820000 rw-p 00050000 fd:04 24514 /usr/lib64/ld64.so.2 + 7fffd93f0000-7fffd9420000 rw-p 00000000 00:00 0 [stack] + Error: couldn't map the space we need for the test + +Fix this by finding a free address using mmap instead of hardcoding +BASE_ADDRESS. + +Link: https://lkml.kernel.org/r/20220217083417.373823-1-aneesh.kumar@linux.ibm.com +Signed-off-by: Aneesh Kumar K.V +Cc: Michael Ellerman +Cc: Jann Horn +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + .../selftests/vm/map_fixed_noreplace.c | 49 ++++++++++++++----- + 1 file changed, 37 insertions(+), 12 deletions(-) + +diff --git a/tools/testing/selftests/vm/map_fixed_noreplace.c b/tools/testing/selftests/vm/map_fixed_noreplace.c +index d91bde511268..eed44322d1a6 100644 +--- a/tools/testing/selftests/vm/map_fixed_noreplace.c ++++ b/tools/testing/selftests/vm/map_fixed_noreplace.c +@@ -17,9 +17,6 @@ + #define MAP_FIXED_NOREPLACE 0x100000 + #endif + +-#define BASE_ADDRESS (256ul * 1024 * 1024) +- +- + static void dump_maps(void) + { + char cmd[32]; +@@ -28,18 +25,46 @@ static void dump_maps(void) + system(cmd); + } + ++static unsigned long find_base_addr(unsigned long size) ++{ ++ void *addr; ++ unsigned long flags; ++ ++ flags = MAP_PRIVATE | MAP_ANONYMOUS; ++ addr = mmap(NULL, size, PROT_NONE, flags, -1, 0); ++ if (addr == MAP_FAILED) { ++ printf("Error: couldn't map the space we need for the test\n"); ++ return 0; ++ } ++ ++ if (munmap(addr, size) != 0) { ++ printf("Error: couldn't map the space we need for the test\n"); ++ return 0; ++ } ++ return (unsigned long)addr; ++} ++ + int main(void) + { ++ unsigned long base_addr; + unsigned long flags, addr, size, page_size; + char *p; + + page_size = sysconf(_SC_PAGE_SIZE); + ++ //let's find a base addr that is free before we start the tests ++ size = 5 * page_size; ++ base_addr = find_base_addr(size); ++ if (!base_addr) { ++ printf("Error: couldn't map the space we need for the test\n"); ++ return 1; ++ } ++ + flags = MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE; + + // Check we can map all the areas we need below + errno = 0; +- addr = BASE_ADDRESS; ++ addr = base_addr; + size = 5 * page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + +@@ -60,7 +85,7 @@ int main(void) + printf("unmap() successful\n"); + + errno = 0; +- addr = BASE_ADDRESS + page_size; ++ addr = base_addr + page_size; + size = 3 * page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -80,7 +105,7 @@ int main(void) + * +4 | free | new + */ + errno = 0; +- addr = BASE_ADDRESS; ++ addr = base_addr; + size = 5 * page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -101,7 +126,7 @@ int main(void) + * +4 | free | + */ + errno = 0; +- addr = BASE_ADDRESS + (2 * page_size); ++ addr = base_addr + (2 * page_size); + size = page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -121,7 +146,7 @@ int main(void) + * +4 | free | new + */ + errno = 0; +- addr = BASE_ADDRESS + (3 * page_size); ++ addr = base_addr + (3 * page_size); + size = 2 * page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -141,7 +166,7 @@ int main(void) + * +4 | free | + */ + errno = 0; +- addr = BASE_ADDRESS; ++ addr = base_addr; + size = 2 * page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -161,7 +186,7 @@ int main(void) + * +4 | free | + */ + errno = 0; +- addr = BASE_ADDRESS; ++ addr = base_addr; + size = page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -181,7 +206,7 @@ int main(void) + * +4 | free | new + */ + errno = 0; +- addr = BASE_ADDRESS + (4 * page_size); ++ addr = base_addr + (4 * page_size); + size = page_size; + p = mmap((void *)addr, size, PROT_NONE, flags, -1, 0); + printf("mmap() @ 0x%lx-0x%lx p=%p result=%m\n", addr, addr + size, p); +@@ -192,7 +217,7 @@ int main(void) + return 1; + } + +- addr = BASE_ADDRESS; ++ addr = base_addr; + size = 5 * page_size; + if (munmap((void *)addr, size) != 0) { + dump_maps(); +-- +2.34.1 + diff --git a/queue-5.16/selftests-bpf-add-test-for-bpf_timer-overwriting-cra.patch b/queue-5.16/selftests-bpf-add-test-for-bpf_timer-overwriting-cra.patch new file mode 100644 index 00000000000..86f95fb9e94 --- /dev/null +++ b/queue-5.16/selftests-bpf-add-test-for-bpf_timer-overwriting-cra.patch @@ -0,0 +1,125 @@ +From 8c20f1caa242413bc52cd3252dab08f0626258a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Feb 2022 12:33:24 +0530 +Subject: selftests/bpf: Add test for bpf_timer overwriting crash + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit a7e75016a0753c24d6c995bc02501ae35368e333 ] + +Add a test that validates that timer value is not overwritten when doing +a copy_map_value call in the kernel. Without the prior fix, this test +triggers a crash. + +Signed-off-by: Kumar Kartikeya Dwivedi +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20220209070324.1093182-3-memxor@gmail.com +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/prog_tests/timer_crash.c | 32 +++++++++++ + .../testing/selftests/bpf/progs/timer_crash.c | 54 +++++++++++++++++++ + 2 files changed, 86 insertions(+) + create mode 100644 tools/testing/selftests/bpf/prog_tests/timer_crash.c + create mode 100644 tools/testing/selftests/bpf/progs/timer_crash.c + +diff --git a/tools/testing/selftests/bpf/prog_tests/timer_crash.c b/tools/testing/selftests/bpf/prog_tests/timer_crash.c +new file mode 100644 +index 000000000000..f74b82305da8 +--- /dev/null ++++ b/tools/testing/selftests/bpf/prog_tests/timer_crash.c +@@ -0,0 +1,32 @@ ++// SPDX-License-Identifier: GPL-2.0 ++#include ++#include "timer_crash.skel.h" ++ ++enum { ++ MODE_ARRAY, ++ MODE_HASH, ++}; ++ ++static void test_timer_crash_mode(int mode) ++{ ++ struct timer_crash *skel; ++ ++ skel = timer_crash__open_and_load(); ++ if (!ASSERT_OK_PTR(skel, "timer_crash__open_and_load")) ++ return; ++ skel->bss->pid = getpid(); ++ skel->bss->crash_map = mode; ++ if (!ASSERT_OK(timer_crash__attach(skel), "timer_crash__attach")) ++ goto end; ++ usleep(1); ++end: ++ timer_crash__destroy(skel); ++} ++ ++void test_timer_crash(void) ++{ ++ if (test__start_subtest("array")) ++ test_timer_crash_mode(MODE_ARRAY); ++ if (test__start_subtest("hash")) ++ test_timer_crash_mode(MODE_HASH); ++} +diff --git a/tools/testing/selftests/bpf/progs/timer_crash.c b/tools/testing/selftests/bpf/progs/timer_crash.c +new file mode 100644 +index 000000000000..f8f7944e70da +--- /dev/null ++++ b/tools/testing/selftests/bpf/progs/timer_crash.c +@@ -0,0 +1,54 @@ ++// SPDX-License-Identifier: GPL-2.0 ++ ++#include ++#include ++#include ++ ++struct map_elem { ++ struct bpf_timer timer; ++ struct bpf_spin_lock lock; ++}; ++ ++struct { ++ __uint(type, BPF_MAP_TYPE_ARRAY); ++ __uint(max_entries, 1); ++ __type(key, int); ++ __type(value, struct map_elem); ++} amap SEC(".maps"); ++ ++struct { ++ __uint(type, BPF_MAP_TYPE_HASH); ++ __uint(max_entries, 1); ++ __type(key, int); ++ __type(value, struct map_elem); ++} hmap SEC(".maps"); ++ ++int pid = 0; ++int crash_map = 0; /* 0 for amap, 1 for hmap */ ++ ++SEC("fentry/do_nanosleep") ++int sys_enter(void *ctx) ++{ ++ struct map_elem *e, value = {}; ++ void *map = crash_map ? (void *)&hmap : (void *)&amap; ++ ++ if (bpf_get_current_task_btf()->tgid != pid) ++ return 0; ++ ++ *(void **)&value = (void *)0xdeadcaf3; ++ ++ bpf_map_update_elem(map, &(int){0}, &value, 0); ++ /* For array map, doing bpf_map_update_elem will do a ++ * check_and_free_timer_in_array, which will trigger the crash if timer ++ * pointer was overwritten, for hmap we need to use bpf_timer_cancel. ++ */ ++ if (crash_map == 1) { ++ e = bpf_map_lookup_elem(map, &(int){0}); ++ if (!e) ++ return 0; ++ bpf_timer_cancel(&e->timer); ++ } ++ return 0; ++} ++ ++char _license[] SEC("license") = "GPL"; +-- +2.34.1 + diff --git a/queue-5.16/selftests-memfd-clean-up-mapping-in-mfd_fail_write.patch b/queue-5.16/selftests-memfd-clean-up-mapping-in-mfd_fail_write.patch new file mode 100644 index 00000000000..de96386bb9f --- /dev/null +++ b/queue-5.16/selftests-memfd-clean-up-mapping-in-mfd_fail_write.patch @@ -0,0 +1,57 @@ +From 351ef217bf3de081dfd0d2c61a8f1aa8443c9ab8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Feb 2022 19:11:26 -0800 +Subject: selftests/memfd: clean up mapping in mfd_fail_write + +From: Mike Kravetz + +[ Upstream commit fda153c89af344d21df281009a9d046cf587ea0f ] + +Running the memfd script ./run_hugetlbfs_test.sh will often end in error +as follows: + + memfd-hugetlb: CREATE + memfd-hugetlb: BASIC + memfd-hugetlb: SEAL-WRITE + memfd-hugetlb: SEAL-FUTURE-WRITE + memfd-hugetlb: SEAL-SHRINK + fallocate(ALLOC) failed: No space left on device + ./run_hugetlbfs_test.sh: line 60: 166855 Aborted (core dumped) ./memfd_test hugetlbfs + opening: ./mnt/memfd + fuse: DONE + +If no hugetlb pages have been preallocated, run_hugetlbfs_test.sh will +allocate 'just enough' pages to run the test. In the SEAL-FUTURE-WRITE +test the mfd_fail_write routine maps the file, but does not unmap. As a +result, two hugetlb pages remain reserved for the mapping. When the +fallocate call in the SEAL-SHRINK test attempts allocate all hugetlb +pages, it is short by the two reserved pages. + +Fix by making sure to unmap in mfd_fail_write. + +Link: https://lkml.kernel.org/r/20220219004340.56478-1-mike.kravetz@oracle.com +Signed-off-by: Mike Kravetz +Cc: Joel Fernandes +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/memfd/memfd_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c +index 192a2899bae8..94df2692e6e4 100644 +--- a/tools/testing/selftests/memfd/memfd_test.c ++++ b/tools/testing/selftests/memfd/memfd_test.c +@@ -455,6 +455,7 @@ static void mfd_fail_write(int fd) + printf("mmap()+mprotect() didn't fail as expected\n"); + abort(); + } ++ munmap(p, mfd_def_size); + } + + /* verify PUNCH_HOLE fails */ +-- +2.34.1 + diff --git a/queue-5.16/selftests-pmtu.sh-kill-nettest-processes-launched-in.patch b/queue-5.16/selftests-pmtu.sh-kill-nettest-processes-launched-in.patch new file mode 100644 index 00000000000..d13410c6960 --- /dev/null +++ b/queue-5.16/selftests-pmtu.sh-kill-nettest-processes-launched-in.patch @@ -0,0 +1,67 @@ +From c4b5881b368fb057759441332f2e9e3073c606aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 23:15:03 +0100 +Subject: selftests: pmtu.sh: Kill nettest processes launched in subshell. + +From: Guillaume Nault + +[ Upstream commit 94a4a4fe4c696413932eed8bdec46574de9576b8 ] + +When using "run_cmd &", then "$!" refers to the PID of the +subshell used to run , not the command itself. Therefore +nettest_pids actually doesn't contain the list of the nettest commands +running in the background. So cleanup() can't kill them and the nettest +processes run until completion (fortunately they have a 5s timeout). + +Fix this by defining a new command for running processes in the +background, for which "$!" really refers to the PID of the command run. + +Also, double quote variables on the modified lines, to avoid shellcheck +warnings. + +Fixes: ece1278a9b81 ("selftests: net: add ESP-in-UDP PMTU test") +Signed-off-by: Guillaume Nault +Reviewed-by: Shuah Khan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/pmtu.sh | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/pmtu.sh b/tools/testing/selftests/net/pmtu.sh +index 2e8972573d91..694732e4b344 100755 +--- a/tools/testing/selftests/net/pmtu.sh ++++ b/tools/testing/selftests/net/pmtu.sh +@@ -374,6 +374,16 @@ run_cmd() { + return $rc + } + ++run_cmd_bg() { ++ cmd="$*" ++ ++ if [ "$VERBOSE" = "1" ]; then ++ printf " COMMAND: %s &\n" "${cmd}" ++ fi ++ ++ $cmd 2>&1 & ++} ++ + # Find the auto-generated name for this namespace + nsname() { + eval echo \$NS_$1 +@@ -670,10 +680,10 @@ setup_nettest_xfrm() { + [ ${1} -eq 6 ] && proto="-6" || proto="" + port=${2} + +- run_cmd ${ns_a} nettest ${proto} -q -D -s -x -p ${port} -t 5 & ++ run_cmd_bg "${ns_a}" nettest "${proto}" -q -D -s -x -p "${port}" -t 5 + nettest_pids="${nettest_pids} $!" + +- run_cmd ${ns_b} nettest ${proto} -q -D -s -x -p ${port} -t 5 & ++ run_cmd_bg "${ns_b}" nettest "${proto}" -q -D -s -x -p "${port}" -t 5 + nettest_pids="${nettest_pids} $!" + } + +-- +2.34.1 + diff --git a/queue-5.16/selftests-pmtu.sh-kill-tcpdump-processes-launched-by.patch b/queue-5.16/selftests-pmtu.sh-kill-tcpdump-processes-launched-by.patch new file mode 100644 index 00000000000..13619f688a6 --- /dev/null +++ b/queue-5.16/selftests-pmtu.sh-kill-tcpdump-processes-launched-by.patch @@ -0,0 +1,95 @@ +From 957f6babff0db499869fdfad367298a8ef8f7940 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 23:15:00 +0100 +Subject: selftests: pmtu.sh: Kill tcpdump processes launched by subshell. + +From: Guillaume Nault + +[ Upstream commit 18dfc667550fe9c032a6dcc3402b50e691e18029 ] + +The cleanup() function takes care of killing processes launched by the +test functions. It relies on variables like ${tcpdump_pids} to get the +relevant PIDs. But tests are run in their own subshell, so updated +*_pids values are invisible to other shells. Therefore cleanup() never +sees any process to kill: + +$ ./tools/testing/selftests/net/pmtu.sh -t pmtu_ipv4_exception +TEST: ipv4: PMTU exceptions [ OK ] +TEST: ipv4: PMTU exceptions - nexthop objects [ OK ] + +$ pgrep -af tcpdump +6084 tcpdump -s 0 -i veth_A-R1 -w pmtu_ipv4_exception_veth_A-R1.pcap +6085 tcpdump -s 0 -i veth_R1-A -w pmtu_ipv4_exception_veth_R1-A.pcap +6086 tcpdump -s 0 -i veth_R1-B -w pmtu_ipv4_exception_veth_R1-B.pcap +6087 tcpdump -s 0 -i veth_B-R1 -w pmtu_ipv4_exception_veth_B-R1.pcap +6088 tcpdump -s 0 -i veth_A-R2 -w pmtu_ipv4_exception_veth_A-R2.pcap +6089 tcpdump -s 0 -i veth_R2-A -w pmtu_ipv4_exception_veth_R2-A.pcap +6090 tcpdump -s 0 -i veth_R2-B -w pmtu_ipv4_exception_veth_R2-B.pcap +6091 tcpdump -s 0 -i veth_B-R2 -w pmtu_ipv4_exception_veth_B-R2.pcap +6228 tcpdump -s 0 -i veth_A-R1 -w pmtu_ipv4_exception_veth_A-R1.pcap +6229 tcpdump -s 0 -i veth_R1-A -w pmtu_ipv4_exception_veth_R1-A.pcap +6230 tcpdump -s 0 -i veth_R1-B -w pmtu_ipv4_exception_veth_R1-B.pcap +6231 tcpdump -s 0 -i veth_B-R1 -w pmtu_ipv4_exception_veth_B-R1.pcap +6232 tcpdump -s 0 -i veth_A-R2 -w pmtu_ipv4_exception_veth_A-R2.pcap +6233 tcpdump -s 0 -i veth_R2-A -w pmtu_ipv4_exception_veth_R2-A.pcap +6234 tcpdump -s 0 -i veth_R2-B -w pmtu_ipv4_exception_veth_R2-B.pcap +6235 tcpdump -s 0 -i veth_B-R2 -w pmtu_ipv4_exception_veth_B-R2.pcap + +Fix this by running cleanup() in the context of the test subshell. +Now that each test cleans the environment after completion, there's no +need for calling cleanup() again when the next test starts. So let's +drop it from the setup() function. This is okay because cleanup() is +also called when pmtu.sh starts, so even the first test starts in a +clean environment. + +Also, use tcpdump's immediate mode. Otherwise it might not have time to +process buffered packets, resulting in missing packets or even empty +pcap files for short tests. + +Note: PAUSE_ON_FAIL is still evaluated before cleanup(), so one can +still inspect the test environment upon failure when using -p. + +Fixes: a92a0a7b8e7c ("selftests: pmtu: Simplify cleanup and namespace names") +Signed-off-by: Guillaume Nault +Reviewed-by: Shuah Khan +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/pmtu.sh | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/net/pmtu.sh b/tools/testing/selftests/net/pmtu.sh +index 543ad7513a8e..2e8972573d91 100755 +--- a/tools/testing/selftests/net/pmtu.sh ++++ b/tools/testing/selftests/net/pmtu.sh +@@ -865,7 +865,6 @@ setup_ovs_bridge() { + setup() { + [ "$(id -u)" -ne 0 ] && echo " need to run as root" && return $ksft_skip + +- cleanup + for arg do + eval setup_${arg} || { echo " ${arg} not supported"; return 1; } + done +@@ -876,7 +875,7 @@ trace() { + + for arg do + [ "${ns_cmd}" = "" ] && ns_cmd="${arg}" && continue +- ${ns_cmd} tcpdump -s 0 -i "${arg}" -w "${name}_${arg}.pcap" 2> /dev/null & ++ ${ns_cmd} tcpdump --immediate-mode -s 0 -i "${arg}" -w "${name}_${arg}.pcap" 2> /dev/null & + tcpdump_pids="${tcpdump_pids} $!" + ns_cmd= + done +@@ -1836,6 +1835,10 @@ run_test() { + + unset IFS + ++ # Since cleanup() relies on variables modified by this subshell, it ++ # has to run in this context. ++ trap cleanup EXIT ++ + if [ "$VERBOSE" = "1" ]; then + printf "\n##########################################################################\n\n" + fi +-- +2.34.1 + diff --git a/queue-5.16/series b/queue-5.16/series new file mode 100644 index 00000000000..179e07c6668 --- /dev/null +++ b/queue-5.16/series @@ -0,0 +1,85 @@ +arm64-dts-qcom-sm8350-describe-gcc-dependency-clocks.patch +arm64-dts-qcom-sm8350-correct-ufs-symbol-clocks.patch +hid-elo-revert-usb-reference-counting.patch +hid-hid-thrustmaster-fix-oob-read-in-thrustmaster_in.patch +arm-boot-dts-bcm2711-fix-hvs-register-range.patch +clk-qcom-gdsc-add-support-to-update-gdsc-transition-.patch +clk-qcom-dispcc-update-the-transition-delay-for-mdss.patch +soc-mediatek-mt8192-mmsys-fix-dither-to-dsi0-path-s-.patch +hid-vivaldi-fix-sysfs-attributes-leak.patch +hid-nintendo-check-the-return-value-of-alloc_workque.patch +arm64-dts-armada-3720-turris-mox-add-missing-etherne.patch +tipc-fix-kernel-panic-when-enabling-bearer.patch +vdpa-mlx5-add-validation-for-virtio_net_ctrl_mq_vq_p.patch +vduse-fix-returning-wrong-type-in-vduse_domain_alloc.patch +net-phy-meson-gxl-fix-interrupt-handling-in-forced-m.patch +misdn-fix-memory-leak-in-dsp_pipeline_build.patch +vhost-fix-hung-thread-due-to-erroneous-iotlb-entries.patch +virtio-blk-don-t-use-max_discard_segments-if-max_dis.patch +virtio-blk-remove-bug_on-in-virtio_queue_rq.patch +vdpa-fix-use-after-free-on-vp_vdpa_remove.patch +isdn-hfcpci-check-the-return-value-of-dma_set_mask-i.patch +net-qlogic-check-the-return-value-of-dma_alloc_coher.patch +esp-fix-possible-buffer-overflow-in-esp-transformati.patch +esp-fix-beet-mode-inter-address-family-tunneling-on-.patch +net-gro-move-skb_gro_receive_list-to-udp_offload.c.patch +qed-return-status-of-qed_iov_get_link.patch +smsc95xx-ignore-enodev-errors-when-device-is-unplugg.patch +gpiolib-acpi-convert-acpi-value-of-debounce-to-micro.patch +drm-i915-psr-set-sf-partial-frame-enable-also-on-ful.patch +drm-sun4i-mixer-fix-p010-and-p210-format-numbers.patch +net-dsa-mt7530-fix-incorrect-test-in-mt753x_phylink_.patch +arm-dts-aspeed-fix-ast2600-quad-spi-group.patch +iavf-fix-handling-of-vlan-strip-virtual-channel-mess.patch +i40e-stop-disabling-vfs-due-to-pf-error-responses.patch +ice-stop-disabling-vfs-due-to-pf-error-responses.patch +ice-fix-error-with-handling-of-bonding-mtu.patch +ice-don-t-use-gfp_kernel-in-atomic-context.patch +ice-fix-curr_link_speed-advertised-speed.patch +ethernet-fix-error-handling-in-xemaclite_of_probe.patch +tipc-fix-incorrect-order-of-state-message-data-sanit.patch +net-ethernet-ti-cpts-handle-error-for-clk_enable.patch +net-ethernet-lpc_eth-handle-error-for-clk_enable.patch +net-marvell-prestera-add-missing-of_node_put-in-pres.patch +ax25-fix-null-pointer-dereference-in-ax25_kill_by_de.patch +net-mlx5-fix-size-field-in-bufferx_reg-struct.patch +net-mlx5-fix-a-race-on-command-flush-flow.patch +net-mlx5e-lag-only-handle-events-from-highest-priori.patch +net-mlx5e-shampo-reduce-tir-indication.patch +nfc-port100-fix-use-after-free-in-port100_send_compl.patch +selftests-pmtu.sh-kill-tcpdump-processes-launched-by.patch +selftests-pmtu.sh-kill-nettest-processes-launched-in.patch +gpio-ts4900-do-not-set-dat-and-oe-together.patch +mm-gup-make-fault_in_safe_writeable-use-fixup_user_f.patch +gianfar-ethtool-fix-refcount-leak-in-gfar_get_ts_inf.patch +net-phy-dp83822-clear-misr2-register-to-disable-inte.patch +sctp-fix-kernel-infoleak-for-sctp-sockets.patch +net-arc_emac-fix-use-after-free-in-arc_mdio_probe.patch +net-bcmgenet-don-t-claim-wol-when-its-not-available.patch +net-phy-meson-gxl-improve-link-up-behavior.patch +selftests-bpf-add-test-for-bpf_timer-overwriting-cra.patch +swiotlb-fix-info-leak-with-dma_from_device.patch +usb-dwc3-pci-add-support-for-the-intel-raptor-lake-s.patch +pinctrl-tigerlake-revert-add-alder-lake-m-acpi-id.patch +kvm-fix-lockdep-false-negative-during-host-resume.patch +kvm-x86-disable-kvm_hc_clock_pairing-if-tsc-is-in-al.patch +spi-rockchip-fix-error-in-getting-num-cs-property.patch +spi-rockchip-terminate-dma-transmission-when-slave-a.patch +drm-vc4-hdmi-unregister-codec-device-on-unbind.patch +of-fdt-move-elfcorehdr-reservation-early-for-crash-d.patch +x86-kvm-don-t-use-pv-tlb-ipi-sched_yield-if-on-1-vcp.patch +drivers-hamradio-6pack-fix-uaf-bug-caused-by-mod_tim.patch +net-sysfs-add-check-for-netdevice-being-present-to-s.patch +hwmon-pmbus-clear-pmbus-fault-warning-bits-after-rea.patch +nvme-tcp-send-h2cdata-pdus-based-on-maxh2cdata.patch +pci-mark-all-amd-navi10-and-navi14-gpu-ats-as-broken.patch +gpio-return-eprobe_defer-if-gc-to_irq-is-null.patch +drm-amdgpu-bypass-tiling-flag-check-in-virtual-displ.patch +revert-xen-netback-remove-hotplug-status-once-it-has.patch +revert-xen-netback-check-for-hotplug-status-existenc.patch +ipv6-prevent-a-possible-race-condition-with-lifetime.patch +tracing-ensure-trace-buffer-is-at-least-4096-bytes-l.patch +tracing-osnoise-make-osnoise_main-to-sleep-for-micro.patch +tracing-fix-selftest-config-check-for-function-graph.patch +selftest-vm-fix-map_fixed_noreplace-test-failure.patch +selftests-memfd-clean-up-mapping-in-mfd_fail_write.patch diff --git a/queue-5.16/smsc95xx-ignore-enodev-errors-when-device-is-unplugg.patch b/queue-5.16/smsc95xx-ignore-enodev-errors-when-device-is-unplugg.patch new file mode 100644 index 00000000000..089d6dbd46d --- /dev/null +++ b/queue-5.16/smsc95xx-ignore-enodev-errors-when-device-is-unplugg.patch @@ -0,0 +1,141 @@ +From a3a64fda9cb7a252aa226268acd11de763971f40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 17:47:20 -0300 +Subject: smsc95xx: Ignore -ENODEV errors when device is unplugged + +From: Fabio Estevam + +[ Upstream commit c70c453abcbf3ecbaadd4c3236a5119b8da365cf ] + +According to Documentation/driver-api/usb/URB.rst when a device +is unplugged usb_submit_urb() returns -ENODEV. + +This error code propagates all the way up to usbnet_read_cmd() and +usbnet_write_cmd() calls inside the smsc95xx.c driver during +Ethernet cable unplug, unbind or reboot. + +This causes the following errors to be shown on reboot, for example: + +ci_hdrc ci_hdrc.1: remove, state 1 +usb usb2: USB disconnect, device number 1 +usb 2-1: USB disconnect, device number 2 +usb 2-1.1: USB disconnect, device number 3 +smsc95xx 2-1.1:1.0 eth1: unregister 'smsc95xx' usb-ci_hdrc.1-1.1, smsc95xx USB 2.0 Ethernet +smsc95xx 2-1.1:1.0 eth1: Failed to read reg index 0x00000114: -19 +smsc95xx 2-1.1:1.0 eth1: Error reading MII_ACCESS +smsc95xx 2-1.1:1.0 eth1: __smsc95xx_mdio_read: MII is busy +smsc95xx 2-1.1:1.0 eth1: Failed to read reg index 0x00000114: -19 +smsc95xx 2-1.1:1.0 eth1: Error reading MII_ACCESS +smsc95xx 2-1.1:1.0 eth1: __smsc95xx_mdio_read: MII is busy +smsc95xx 2-1.1:1.0 eth1: hardware isn't capable of remote wakeup +usb 2-1.4: USB disconnect, device number 4 +ci_hdrc ci_hdrc.1: USB bus 2 deregistered +ci_hdrc ci_hdrc.0: remove, state 4 +usb usb1: USB disconnect, device number 1 +ci_hdrc ci_hdrc.0: USB bus 1 deregistered +imx2-wdt 30280000.watchdog: Device shutdown: Expect reboot! +reboot: Restarting system + +Ignore the -ENODEV errors inside __smsc95xx_mdio_read() and +__smsc95xx_phy_wait_not_busy() and do not print error messages +when -ENODEV is returned. + +Fixes: a049a30fc27c ("net: usb: Correct PHY handling of smsc95xx") +Signed-off-by: Fabio Estevam +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/smsc95xx.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c +index bc1e3dd67c04..a0f29482294d 100644 +--- a/drivers/net/usb/smsc95xx.c ++++ b/drivers/net/usb/smsc95xx.c +@@ -84,9 +84,10 @@ static int __must_check __smsc95xx_read_reg(struct usbnet *dev, u32 index, + ret = fn(dev, USB_VENDOR_REQUEST_READ_REGISTER, USB_DIR_IN + | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 0, index, &buf, 4); +- if (unlikely(ret < 0)) { +- netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n", +- index, ret); ++ if (ret < 0) { ++ if (ret != -ENODEV) ++ netdev_warn(dev->net, "Failed to read reg index 0x%08x: %d\n", ++ index, ret); + return ret; + } + +@@ -116,7 +117,7 @@ static int __must_check __smsc95xx_write_reg(struct usbnet *dev, u32 index, + ret = fn(dev, USB_VENDOR_REQUEST_WRITE_REGISTER, USB_DIR_OUT + | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 0, index, &buf, 4); +- if (unlikely(ret < 0)) ++ if (ret < 0 && ret != -ENODEV) + netdev_warn(dev->net, "Failed to write reg index 0x%08x: %d\n", + index, ret); + +@@ -159,6 +160,9 @@ static int __must_check __smsc95xx_phy_wait_not_busy(struct usbnet *dev, + do { + ret = __smsc95xx_read_reg(dev, MII_ADDR, &val, in_pm); + if (ret < 0) { ++ /* Ignore -ENODEV error during disconnect() */ ++ if (ret == -ENODEV) ++ return 0; + netdev_warn(dev->net, "Error reading MII_ACCESS\n"); + return ret; + } +@@ -194,7 +198,8 @@ static int __smsc95xx_mdio_read(struct usbnet *dev, int phy_id, int idx, + addr = mii_address_cmd(phy_id, idx, MII_READ_ | MII_BUSY_); + ret = __smsc95xx_write_reg(dev, MII_ADDR, addr, in_pm); + if (ret < 0) { +- netdev_warn(dev->net, "Error writing MII_ADDR\n"); ++ if (ret != -ENODEV) ++ netdev_warn(dev->net, "Error writing MII_ADDR\n"); + goto done; + } + +@@ -206,7 +211,8 @@ static int __smsc95xx_mdio_read(struct usbnet *dev, int phy_id, int idx, + + ret = __smsc95xx_read_reg(dev, MII_DATA, &val, in_pm); + if (ret < 0) { +- netdev_warn(dev->net, "Error reading MII_DATA\n"); ++ if (ret != -ENODEV) ++ netdev_warn(dev->net, "Error reading MII_DATA\n"); + goto done; + } + +@@ -214,6 +220,10 @@ static int __smsc95xx_mdio_read(struct usbnet *dev, int phy_id, int idx, + + done: + mutex_unlock(&dev->phy_mutex); ++ ++ /* Ignore -ENODEV error during disconnect() */ ++ if (ret == -ENODEV) ++ return 0; + return ret; + } + +@@ -235,7 +245,8 @@ static void __smsc95xx_mdio_write(struct usbnet *dev, int phy_id, + val = regval; + ret = __smsc95xx_write_reg(dev, MII_DATA, val, in_pm); + if (ret < 0) { +- netdev_warn(dev->net, "Error writing MII_DATA\n"); ++ if (ret != -ENODEV) ++ netdev_warn(dev->net, "Error writing MII_DATA\n"); + goto done; + } + +@@ -243,7 +254,8 @@ static void __smsc95xx_mdio_write(struct usbnet *dev, int phy_id, + addr = mii_address_cmd(phy_id, idx, MII_WRITE_ | MII_BUSY_); + ret = __smsc95xx_write_reg(dev, MII_ADDR, addr, in_pm); + if (ret < 0) { +- netdev_warn(dev->net, "Error writing MII_ADDR\n"); ++ if (ret != -ENODEV) ++ netdev_warn(dev->net, "Error writing MII_ADDR\n"); + goto done; + } + +-- +2.34.1 + diff --git a/queue-5.16/soc-mediatek-mt8192-mmsys-fix-dither-to-dsi0-path-s-.patch b/queue-5.16/soc-mediatek-mt8192-mmsys-fix-dither-to-dsi0-path-s-.patch new file mode 100644 index 00000000000..9ee2cdafaaf --- /dev/null +++ b/queue-5.16/soc-mediatek-mt8192-mmsys-fix-dither-to-dsi0-path-s-.patch @@ -0,0 +1,55 @@ +From 3a9f673df7cc65b348b841639dc89104e284c177 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Jan 2022 15:20:56 +0100 +Subject: soc: mediatek: mt8192-mmsys: Fix dither to dsi0 path's input sel +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: AngeloGioacchino Del Regno + +[ Upstream commit c432cd598a185afefba1ac3b0ee226f222f71341 ] + +In commit d687e056a18f ("soc: mediatek: mmsys: Add mt8192 mmsys routing table"), +the mmsys routing table for mt8192 was introduced but the input selector +for DITHER->DSI0 has no value assigned to it. + +This means that we are clearing bit 0 instead of setting it, blocking +communication between these two blocks; due to that, any display that +is connected to DSI0 will not work, as no data will go through. +The effect of that issue is that, during bootup, the DRM will block for +some time, while atomically waiting for a vblank that never happens; +later, the situation doesn't get better, leaving the display in a +non-functional state. + +To fix this issue, fix the route entry in the table by assigning the +dither input selector to MT8192_DISP_DSI0_SEL_IN. + +Fixes: d687e056a18f ("soc: mediatek: mmsys: Add mt8192 mmsys routing table") +Signed-off-by: AngeloGioacchino Del Regno +Tested-by: Alyssa Rosenzweig +Reviewed-by: Nícolas F. R. A. Prado +Link: https://lore.kernel.org/r/20220128142056.359900-1-angelogioacchino.delregno@collabora.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + drivers/soc/mediatek/mt8192-mmsys.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/soc/mediatek/mt8192-mmsys.h b/drivers/soc/mediatek/mt8192-mmsys.h +index 6f0a57044a7b..6aae0b12b6ff 100644 +--- a/drivers/soc/mediatek/mt8192-mmsys.h ++++ b/drivers/soc/mediatek/mt8192-mmsys.h +@@ -53,7 +53,8 @@ static const struct mtk_mmsys_routes mmsys_mt8192_routing_table[] = { + MT8192_AAL0_SEL_IN_CCORR0 + }, { + DDP_COMPONENT_DITHER, DDP_COMPONENT_DSI0, +- MT8192_DISP_DSI0_SEL_IN, MT8192_DSI0_SEL_IN_DITHER0 ++ MT8192_DISP_DSI0_SEL_IN, MT8192_DSI0_SEL_IN_DITHER0, ++ MT8192_DSI0_SEL_IN_DITHER0 + }, { + DDP_COMPONENT_RDMA0, DDP_COMPONENT_COLOR0, + MT8192_DISP_RDMA0_SOUT_SEL, MT8192_RDMA0_SOUT_COLOR0, +-- +2.34.1 + diff --git a/queue-5.16/spi-rockchip-fix-error-in-getting-num-cs-property.patch b/queue-5.16/spi-rockchip-fix-error-in-getting-num-cs-property.patch new file mode 100644 index 00000000000..1ade068b804 --- /dev/null +++ b/queue-5.16/spi-rockchip-fix-error-in-getting-num-cs-property.patch @@ -0,0 +1,47 @@ +From 8a2ccd14f23cbe8accb35afbd90d6961098ea4a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Feb 2022 09:40:23 +0800 +Subject: spi: rockchip: Fix error in getting num-cs property + +From: Jon Lin + +[ Upstream commit 9382df0a98aad5bbcd4d634790305a1d786ad224 ] + +Get num-cs u32 from dts of_node property rather than u16. + +Signed-off-by: Jon Lin +Link: https://lore.kernel.org/r/20220216014028.8123-2-jon.lin@rock-chips.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-rockchip.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c +index 553b6b9d0222..4f65ba3dd19c 100644 +--- a/drivers/spi/spi-rockchip.c ++++ b/drivers/spi/spi-rockchip.c +@@ -654,7 +654,7 @@ static int rockchip_spi_probe(struct platform_device *pdev) + struct spi_controller *ctlr; + struct resource *mem; + struct device_node *np = pdev->dev.of_node; +- u32 rsd_nsecs; ++ u32 rsd_nsecs, num_cs; + bool slave_mode; + + slave_mode = of_property_read_bool(np, "spi-slave"); +@@ -764,8 +764,9 @@ static int rockchip_spi_probe(struct platform_device *pdev) + * rk spi0 has two native cs, spi1..5 one cs only + * if num-cs is missing in the dts, default to 1 + */ +- if (of_property_read_u16(np, "num-cs", &ctlr->num_chipselect)) +- ctlr->num_chipselect = 1; ++ if (of_property_read_u32(np, "num-cs", &num_cs)) ++ num_cs = 1; ++ ctlr->num_chipselect = num_cs; + ctlr->use_gpio_descriptors = true; + } + ctlr->dev.of_node = pdev->dev.of_node; +-- +2.34.1 + diff --git a/queue-5.16/spi-rockchip-terminate-dma-transmission-when-slave-a.patch b/queue-5.16/spi-rockchip-terminate-dma-transmission-when-slave-a.patch new file mode 100644 index 00000000000..8a261e0d90b --- /dev/null +++ b/queue-5.16/spi-rockchip-terminate-dma-transmission-when-slave-a.patch @@ -0,0 +1,40 @@ +From b9170743b938f4f55018249eb21997061e0d4966 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Feb 2022 09:40:24 +0800 +Subject: spi: rockchip: terminate dma transmission when slave abort + +From: Jon Lin + +[ Upstream commit 80808768e41324d2e23de89972b5406c1020e6e4 ] + +After slave abort, all DMA should be stopped, or it will affect the +next transmission and maybe abort again. + +Signed-off-by: Jon Lin +Link: https://lore.kernel.org/r/20220216014028.8123-3-jon.lin@rock-chips.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-rockchip.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/spi/spi-rockchip.c b/drivers/spi/spi-rockchip.c +index 4f65ba3dd19c..c6a1bb09be05 100644 +--- a/drivers/spi/spi-rockchip.c ++++ b/drivers/spi/spi-rockchip.c +@@ -585,6 +585,12 @@ static int rockchip_spi_slave_abort(struct spi_controller *ctlr) + { + struct rockchip_spi *rs = spi_controller_get_devdata(ctlr); + ++ if (atomic_read(&rs->state) & RXDMA) ++ dmaengine_terminate_sync(ctlr->dma_rx); ++ if (atomic_read(&rs->state) & TXDMA) ++ dmaengine_terminate_sync(ctlr->dma_tx); ++ atomic_set(&rs->state, 0); ++ spi_enable_chip(rs, false); + rs->slave_abort = true; + spi_finalize_current_transfer(ctlr); + +-- +2.34.1 + diff --git a/queue-5.16/swiotlb-fix-info-leak-with-dma_from_device.patch b/queue-5.16/swiotlb-fix-info-leak-with-dma_from_device.patch new file mode 100644 index 00000000000..b4648dfaf31 --- /dev/null +++ b/queue-5.16/swiotlb-fix-info-leak-with-dma_from_device.patch @@ -0,0 +1,111 @@ +From e18a075b82a084f5f24bdd3a992af991a58d5fa6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Feb 2022 02:12:52 +0100 +Subject: swiotlb: fix info leak with DMA_FROM_DEVICE + +From: Halil Pasic + +[ Upstream commit ddbd89deb7d32b1fbb879f48d68fda1a8ac58e8e ] + +The problem I'm addressing was discovered by the LTP test covering +cve-2018-1000204. + +A short description of what happens follows: +1) The test case issues a command code 00 (TEST UNIT READY) via the SG_IO + interface with: dxfer_len == 524288, dxdfer_dir == SG_DXFER_FROM_DEV + and a corresponding dxferp. The peculiar thing about this is that TUR + is not reading from the device. +2) In sg_start_req() the invocation of blk_rq_map_user() effectively + bounces the user-space buffer. As if the device was to transfer into + it. Since commit a45b599ad808 ("scsi: sg: allocate with __GFP_ZERO in + sg_build_indirect()") we make sure this first bounce buffer is + allocated with GFP_ZERO. +3) For the rest of the story we keep ignoring that we have a TUR, so the + device won't touch the buffer we prepare as if the we had a + DMA_FROM_DEVICE type of situation. My setup uses a virtio-scsi device + and the buffer allocated by SG is mapped by the function + virtqueue_add_split() which uses DMA_FROM_DEVICE for the "in" sgs (here + scatter-gather and not scsi generics). This mapping involves bouncing + via the swiotlb (we need swiotlb to do virtio in protected guest like + s390 Secure Execution, or AMD SEV). +4) When the SCSI TUR is done, we first copy back the content of the second + (that is swiotlb) bounce buffer (which most likely contains some + previous IO data), to the first bounce buffer, which contains all + zeros. Then we copy back the content of the first bounce buffer to + the user-space buffer. +5) The test case detects that the buffer, which it zero-initialized, + ain't all zeros and fails. + +One can argue that this is an swiotlb problem, because without swiotlb +we leak all zeros, and the swiotlb should be transparent in a sense that +it does not affect the outcome (if all other participants are well +behaved). + +Copying the content of the original buffer into the swiotlb buffer is +the only way I can think of to make swiotlb transparent in such +scenarios. So let's do just that if in doubt, but allow the driver +to tell us that the whole mapped buffer is going to be overwritten, +in which case we can preserve the old behavior and avoid the performance +impact of the extra bounce. + +Signed-off-by: Halil Pasic +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + Documentation/core-api/dma-attributes.rst | 8 ++++++++ + include/linux/dma-mapping.h | 8 ++++++++ + kernel/dma/swiotlb.c | 3 ++- + 3 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/Documentation/core-api/dma-attributes.rst b/Documentation/core-api/dma-attributes.rst +index 1887d92e8e92..17706dc91ec9 100644 +--- a/Documentation/core-api/dma-attributes.rst ++++ b/Documentation/core-api/dma-attributes.rst +@@ -130,3 +130,11 @@ accesses to DMA buffers in both privileged "supervisor" and unprivileged + subsystem that the buffer is fully accessible at the elevated privilege + level (and ideally inaccessible or at least read-only at the + lesser-privileged levels). ++ ++DMA_ATTR_OVERWRITE ++------------------ ++ ++This is a hint to the DMA-mapping subsystem that the device is expected to ++overwrite the entire mapped size, thus the caller does not require any of the ++previous buffer contents to be preserved. This allows bounce-buffering ++implementations to optimise DMA_FROM_DEVICE transfers. +diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h +index dca2b1355bb1..6150d11a607e 100644 +--- a/include/linux/dma-mapping.h ++++ b/include/linux/dma-mapping.h +@@ -61,6 +61,14 @@ + */ + #define DMA_ATTR_PRIVILEGED (1UL << 9) + ++/* ++ * This is a hint to the DMA-mapping subsystem that the device is expected ++ * to overwrite the entire mapped size, thus the caller does not require any ++ * of the previous buffer contents to be preserved. This allows ++ * bounce-buffering implementations to optimise DMA_FROM_DEVICE transfers. ++ */ ++#define DMA_ATTR_OVERWRITE (1UL << 10) ++ + /* + * A dma_addr_t can hold any valid DMA or bus address for the platform. It can + * be given to a device to use as a DMA source or target. It is specific to a +diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c +index 8e840fbbed7c..d958b1201092 100644 +--- a/kernel/dma/swiotlb.c ++++ b/kernel/dma/swiotlb.c +@@ -582,7 +582,8 @@ phys_addr_t swiotlb_tbl_map_single(struct device *dev, phys_addr_t orig_addr, + mem->slots[index + i].orig_addr = slot_addr(orig_addr, i); + tlb_addr = slot_addr(mem->start, index) + offset; + if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC) && +- (dir == DMA_TO_DEVICE || dir == DMA_BIDIRECTIONAL)) ++ (!(attrs & DMA_ATTR_OVERWRITE) || dir == DMA_TO_DEVICE || ++ dir == DMA_BIDIRECTIONAL)) + swiotlb_bounce(dev, tlb_addr, mapping_size, DMA_TO_DEVICE); + return tlb_addr; + } +-- +2.34.1 + diff --git a/queue-5.16/tipc-fix-incorrect-order-of-state-message-data-sanit.patch b/queue-5.16/tipc-fix-incorrect-order-of-state-message-data-sanit.patch new file mode 100644 index 00000000000..e7162cff2aa --- /dev/null +++ b/queue-5.16/tipc-fix-incorrect-order-of-state-message-data-sanit.patch @@ -0,0 +1,59 @@ +From 71700ebee47c9d0cb409c438be69bf437d31148d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 02:11:59 +0000 +Subject: tipc: fix incorrect order of state message data sanity check + +From: Tung Nguyen + +[ Upstream commit c79fcc27be90b308b3fa90811aefafdd4078668c ] + +When receiving a state message, function tipc_link_validate_msg() +is called to validate its header portion. Then, its data portion +is validated before it can be accessed correctly. However, current +data sanity check is done after the message header is accessed to +update some link variables. + +This commit fixes this issue by moving the data sanity check to +the beginning of state message handling and right after the header +sanity check. + +Fixes: 9aa422ad3266 ("tipc: improve size validations for received domain records") +Acked-by: Jon Maloy +Signed-off-by: Tung Nguyen +Link: https://lore.kernel.org/r/20220308021200.9245-1-tung.q.nguyen@dektech.com.au +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/link.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/tipc/link.c b/net/tipc/link.c +index 4e7936d9b442..115a4a7950f5 100644 +--- a/net/tipc/link.c ++++ b/net/tipc/link.c +@@ -2285,6 +2285,11 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + break; + + case STATE_MSG: ++ /* Validate Gap ACK blocks, drop if invalid */ ++ glen = tipc_get_gap_ack_blks(&ga, l, hdr, true); ++ if (glen > dlen) ++ break; ++ + l->rcv_nxt_state = msg_seqno(hdr) + 1; + + /* Update own tolerance if peer indicates a non-zero value */ +@@ -2310,10 +2315,6 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, + break; + } + +- /* Receive Gap ACK blocks from peer if any */ +- glen = tipc_get_gap_ack_blks(&ga, l, hdr, true); +- if(glen > dlen) +- break; + tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr, + &l->mon_state, l->bearer_id); + +-- +2.34.1 + diff --git a/queue-5.16/tipc-fix-kernel-panic-when-enabling-bearer.patch b/queue-5.16/tipc-fix-kernel-panic-when-enabling-bearer.patch new file mode 100644 index 00000000000..951d4599867 --- /dev/null +++ b/queue-5.16/tipc-fix-kernel-panic-when-enabling-bearer.patch @@ -0,0 +1,106 @@ +From 3da9cb46e51354fa5f6e4e26bd4c72d6703649ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Mar 2022 03:25:18 +0000 +Subject: tipc: fix kernel panic when enabling bearer + +From: Tung Nguyen + +[ Upstream commit be4977b847f5d5cedb64d50eaaf2218c3a55a3a3 ] + +When enabling a bearer on a node, a kernel panic is observed: + +[ 4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc] +... +[ 4.520030] Call Trace: +[ 4.520689] +[ 4.521236] tipc_link_build_proto_msg+0x375/0x750 [tipc] +[ 4.522654] tipc_link_build_state_msg+0x48/0xc0 [tipc] +[ 4.524034] __tipc_node_link_up+0xd7/0x290 [tipc] +[ 4.525292] tipc_rcv+0x5da/0x730 [tipc] +[ 4.526346] ? __netif_receive_skb_core+0xb7/0xfc0 +[ 4.527601] tipc_l2_rcv_msg+0x5e/0x90 [tipc] +[ 4.528737] __netif_receive_skb_list_core+0x20b/0x260 +[ 4.530068] netif_receive_skb_list_internal+0x1bf/0x2e0 +[ 4.531450] ? dev_gro_receive+0x4c2/0x680 +[ 4.532512] napi_complete_done+0x6f/0x180 +[ 4.533570] virtnet_poll+0x29c/0x42e [virtio_net] +... + +The node in question is receiving activate messages in another +thread after changing bearer status to allow message sending/ +receiving in current thread: + + thread 1 | thread 2 + -------- | -------- + | +tipc_enable_bearer() | + test_and_set_bit_lock() | + tipc_bearer_xmit_skb() | + | tipc_l2_rcv_msg() + | tipc_rcv() + | __tipc_node_link_up() + | tipc_link_build_state_msg() + | tipc_link_build_proto_msg() + | tipc_mon_prep() + | { + | ... + | // null-pointer dereference + | u16 gen = mon->dom_gen; + | ... + | } + // Not being executed yet | + tipc_mon_create() | + { | + ... | + // allocate | + mon = kzalloc(); | + ... | + } | + +Monitoring pointer in thread 2 is dereferenced before monitoring data +is allocated in thread 1. This causes kernel panic. + +This commit fixes it by allocating the monitoring data before enabling +the bearer to receive messages. + +Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework") +Reported-by: Shuang Li +Acked-by: Jon Maloy +Signed-off-by: Tung Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/bearer.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c +index 60bc74b76adc..1cb5907d90d8 100644 +--- a/net/tipc/bearer.c ++++ b/net/tipc/bearer.c +@@ -352,16 +352,18 @@ static int tipc_enable_bearer(struct net *net, const char *name, + goto rejected; + } + +- test_and_set_bit_lock(0, &b->up); +- rcu_assign_pointer(tn->bearer_list[bearer_id], b); +- if (skb) +- tipc_bearer_xmit_skb(net, bearer_id, skb, &b->bcast_addr); +- ++ /* Create monitoring data before accepting activate messages */ + if (tipc_mon_create(net, bearer_id)) { + bearer_disable(net, b); ++ kfree_skb(skb); + return -ENOMEM; + } + ++ test_and_set_bit_lock(0, &b->up); ++ rcu_assign_pointer(tn->bearer_list[bearer_id], b); ++ if (skb) ++ tipc_bearer_xmit_skb(net, bearer_id, skb, &b->bcast_addr); ++ + pr_info("Enabled bearer <%s>, priority %u\n", name, prio); + + return res; +-- +2.34.1 + diff --git a/queue-5.16/tracing-ensure-trace-buffer-is-at-least-4096-bytes-l.patch b/queue-5.16/tracing-ensure-trace-buffer-is-at-least-4096-bytes-l.patch new file mode 100644 index 00000000000..704ed4665ca --- /dev/null +++ b/queue-5.16/tracing-ensure-trace-buffer-is-at-least-4096-bytes-l.patch @@ -0,0 +1,58 @@ +From e5f0cb64eb1a03faeeb230e9ece6329b57785a84 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Feb 2022 14:44:56 +0100 +Subject: tracing: Ensure trace buffer is at least 4096 bytes large + +From: Sven Schnelle + +[ Upstream commit 7acf3a127bb7c65ff39099afd78960e77b2ca5de ] + +Booting the kernel with 'trace_buf_size=1' give a warning at +boot during the ftrace selftests: + +[ 0.892809] Running postponed tracer tests: +[ 0.892893] Testing tracer function: +[ 0.901899] Callback from call_rcu_tasks_trace() invoked. +[ 0.983829] Callback from call_rcu_tasks_rude() invoked. +[ 1.072003] .. bad ring buffer .. corrupted trace buffer .. +[ 1.091944] Callback from call_rcu_tasks() invoked. +[ 1.097695] PASSED +[ 1.097701] Testing dynamic ftrace: .. filter failed count=0 ..FAILED! +[ 1.353474] ------------[ cut here ]------------ +[ 1.353478] WARNING: CPU: 0 PID: 1 at kernel/trace/trace.c:1951 run_tracer_selftest+0x13c/0x1b0 + +Therefore enforce a minimum of 4096 bytes to make the selftest pass. + +Link: https://lkml.kernel.org/r/20220214134456.1751749-1-svens@linux.ibm.com + +Signed-off-by: Sven Schnelle +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index 24683115eade..5816ad79cce8 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1472,10 +1472,12 @@ static int __init set_buf_size(char *str) + if (!str) + return 0; + buf_size = memparse(str, &str); +- /* nr_entries can not be zero */ +- if (buf_size == 0) +- return 0; +- trace_buf_size = buf_size; ++ /* ++ * nr_entries can not be zero and the startup ++ * tests require some buffer space. Therefore ++ * ensure we have at least 4096 bytes of buffer. ++ */ ++ trace_buf_size = max(4096UL, buf_size); + return 1; + } + __setup("trace_buf_size=", set_buf_size); +-- +2.34.1 + diff --git a/queue-5.16/tracing-fix-selftest-config-check-for-function-graph.patch b/queue-5.16/tracing-fix-selftest-config-check-for-function-graph.patch new file mode 100644 index 00000000000..213e75350f2 --- /dev/null +++ b/queue-5.16/tracing-fix-selftest-config-check-for-function-graph.patch @@ -0,0 +1,48 @@ +From 507922c8aa77612fa7f48099c14dc5bf72fc86eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 16:38:06 +0000 +Subject: tracing: Fix selftest config check for function graph start up test + +From: Christophe Leroy + +[ Upstream commit c5229a0bd47814770c895e94fbc97ad21819abfe ] + +CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS is required to test +direct tramp. + +Link: https://lkml.kernel.org/r/bdc7e594e13b0891c1d61bc8d56c94b1890eaed7.1640017960.git.christophe.leroy@csgroup.eu + +Signed-off-by: Christophe Leroy +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_selftest.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/kernel/trace/trace_selftest.c b/kernel/trace/trace_selftest.c +index afd937a46496..abcadbe933bb 100644 +--- a/kernel/trace/trace_selftest.c ++++ b/kernel/trace/trace_selftest.c +@@ -784,9 +784,7 @@ static struct fgraph_ops fgraph_ops __initdata = { + .retfunc = &trace_graph_return, + }; + +-#if defined(CONFIG_DYNAMIC_FTRACE) && \ +- defined(CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS) +-#define TEST_DIRECT_TRAMP ++#ifdef CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS + noinline __noclone static void trace_direct_tramp(void) { } + #endif + +@@ -849,7 +847,7 @@ trace_selftest_startup_function_graph(struct tracer *trace, + goto out; + } + +-#ifdef TEST_DIRECT_TRAMP ++#ifdef CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS + tracing_reset_online_cpus(&tr->array_buffer); + set_graph_array(tr); + +-- +2.34.1 + diff --git a/queue-5.16/tracing-osnoise-make-osnoise_main-to-sleep-for-micro.patch b/queue-5.16/tracing-osnoise-make-osnoise_main-to-sleep-for-micro.patch new file mode 100644 index 00000000000..66b87b13635 --- /dev/null +++ b/queue-5.16/tracing-osnoise-make-osnoise_main-to-sleep-for-micro.patch @@ -0,0 +1,103 @@ +From 03fef96ac99fe5bc18ce856dcfd17fd8a480731a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Feb 2022 16:17:38 +0100 +Subject: tracing/osnoise: Make osnoise_main to sleep for microseconds + +From: Daniel Bristot de Oliveira + +[ Upstream commit dd990352f01ee9a6c6eee152e5d11c021caccfe4 ] + +osnoise's runtime and period are in the microseconds scale, but it is +currently sleeping in the millisecond's scale. This behavior roots in the +usage of hwlat as the skeleton for osnoise. + +Make osnoise to sleep in the microseconds scale. Also, move the sleep to +a specialized function. + +Link: https://lkml.kernel.org/r/302aa6c7bdf2d131719b22901905e9da122a11b2.1645197336.git.bristot@kernel.org + +Cc: Ingo Molnar +Signed-off-by: Daniel Bristot de Oliveira +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_osnoise.c | 53 ++++++++++++++++++++++-------------- + 1 file changed, 32 insertions(+), 21 deletions(-) + +diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c +index b58674e8644a..58c788b0ca27 100644 +--- a/kernel/trace/trace_osnoise.c ++++ b/kernel/trace/trace_osnoise.c +@@ -1437,6 +1437,37 @@ static int run_osnoise(void) + static struct cpumask osnoise_cpumask; + static struct cpumask save_cpumask; + ++/* ++ * osnoise_sleep - sleep until the next period ++ */ ++static void osnoise_sleep(void) ++{ ++ u64 interval; ++ ktime_t wake_time; ++ ++ mutex_lock(&interface_lock); ++ interval = osnoise_data.sample_period - osnoise_data.sample_runtime; ++ mutex_unlock(&interface_lock); ++ ++ /* ++ * differently from hwlat_detector, the osnoise tracer can run ++ * without a pause because preemption is on. ++ */ ++ if (!interval) { ++ /* Let synchronize_rcu_tasks() make progress */ ++ cond_resched_tasks_rcu_qs(); ++ return; ++ } ++ ++ wake_time = ktime_add_us(ktime_get(), interval); ++ __set_current_state(TASK_INTERRUPTIBLE); ++ ++ while (schedule_hrtimeout_range(&wake_time, 0, HRTIMER_MODE_ABS)) { ++ if (kthread_should_stop()) ++ break; ++ } ++} ++ + /* + * osnoise_main - The osnoise detection kernel thread + * +@@ -1445,30 +1476,10 @@ static struct cpumask save_cpumask; + */ + static int osnoise_main(void *data) + { +- u64 interval; + + while (!kthread_should_stop()) { +- + run_osnoise(); +- +- mutex_lock(&interface_lock); +- interval = osnoise_data.sample_period - osnoise_data.sample_runtime; +- mutex_unlock(&interface_lock); +- +- do_div(interval, USEC_PER_MSEC); +- +- /* +- * differently from hwlat_detector, the osnoise tracer can run +- * without a pause because preemption is on. +- */ +- if (interval < 1) { +- /* Let synchronize_rcu_tasks() make progress */ +- cond_resched_tasks_rcu_qs(); +- continue; +- } +- +- if (msleep_interruptible(interval)) +- break; ++ osnoise_sleep(); + } + + return 0; +-- +2.34.1 + diff --git a/queue-5.16/usb-dwc3-pci-add-support-for-the-intel-raptor-lake-s.patch b/queue-5.16/usb-dwc3-pci-add-support-for-the-intel-raptor-lake-s.patch new file mode 100644 index 00000000000..6497dde9ca7 --- /dev/null +++ b/queue-5.16/usb-dwc3-pci-add-support-for-the-intel-raptor-lake-s.patch @@ -0,0 +1,45 @@ +From dd4b485049a4ceab073ed59a64a71b2db5986d7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Feb 2022 17:19:48 +0300 +Subject: usb: dwc3: pci: add support for the Intel Raptor Lake-S + +From: Heikki Krogerus + +[ Upstream commit 038438a25c45d5ac996e95a22fa9e76ff3d1f8c7 ] + +This patch adds the necessary PCI ID for Intel Raptor Lake-S +devices. + +Signed-off-by: Heikki Krogerus +Link: https://lore.kernel.org/r/20220214141948.18637-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/dwc3-pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c +index 1ecedbb1684c..06d0e88ec8af 100644 +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -43,6 +43,7 @@ + #define PCI_DEVICE_ID_INTEL_ADLP 0x51ee + #define PCI_DEVICE_ID_INTEL_ADLM 0x54ee + #define PCI_DEVICE_ID_INTEL_ADLS 0x7ae1 ++#define PCI_DEVICE_ID_INTEL_RPLS 0x7a61 + #define PCI_DEVICE_ID_INTEL_TGL 0x9a15 + #define PCI_DEVICE_ID_AMD_MR 0x163a + +@@ -420,6 +421,9 @@ static const struct pci_device_id dwc3_pci_id_table[] = { + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_ADLS), + (kernel_ulong_t) &dwc3_pci_intel_swnode, }, + ++ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_RPLS), ++ (kernel_ulong_t) &dwc3_pci_intel_swnode, }, ++ + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_TGL), + (kernel_ulong_t) &dwc3_pci_intel_swnode, }, + +-- +2.34.1 + diff --git a/queue-5.16/vdpa-fix-use-after-free-on-vp_vdpa_remove.patch b/queue-5.16/vdpa-fix-use-after-free-on-vp_vdpa_remove.patch new file mode 100644 index 00000000000..33258bc2104 --- /dev/null +++ b/queue-5.16/vdpa-fix-use-after-free-on-vp_vdpa_remove.patch @@ -0,0 +1,61 @@ +From 2a1efc6fe0290a9fda99a0c236043dd37e1ac192 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 17:10:59 +0800 +Subject: vdpa: fix use-after-free on vp_vdpa_remove + +From: Zhang Min + +[ Upstream commit eb057b44dbe35ae14527830236a92f51de8f9184 ] + +When vp_vdpa driver is unbind, vp_vdpa is freed in vdpa_unregister_device +and then vp_vdpa->mdev.pci_dev is dereferenced in vp_modern_remove, +triggering use-after-free. + +Call Trace of unbinding driver free vp_vdpa : +do_syscall_64 + vfs_write + kernfs_fop_write_iter + device_release_driver_internal + pci_device_remove + vp_vdpa_remove + vdpa_unregister_device + kobject_release + device_release + kfree + +Call Trace of dereference vp_vdpa->mdev.pci_dev: +vp_modern_remove + pci_release_selected_regions + pci_release_region + pci_resource_len + pci_resource_end + (dev)->resource[(bar)].end + +Signed-off-by: Zhang Min +Signed-off-by: Yi Wang +Link: https://lore.kernel.org/r/20220301091059.46869-1-wang.yi59@zte.com.cn +Signed-off-by: Michael S. Tsirkin +Fixes: 64b9f64f80a6 ("vdpa: introduce virtio pci driver") +Reviewed-by: Stefano Garzarella +Signed-off-by: Sasha Levin +--- + drivers/vdpa/virtio_pci/vp_vdpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vdpa/virtio_pci/vp_vdpa.c b/drivers/vdpa/virtio_pci/vp_vdpa.c +index e3ff7875e123..fab161961160 100644 +--- a/drivers/vdpa/virtio_pci/vp_vdpa.c ++++ b/drivers/vdpa/virtio_pci/vp_vdpa.c +@@ -525,8 +525,8 @@ static void vp_vdpa_remove(struct pci_dev *pdev) + { + struct vp_vdpa *vp_vdpa = pci_get_drvdata(pdev); + +- vdpa_unregister_device(&vp_vdpa->vdpa); + vp_modern_remove(&vp_vdpa->mdev); ++ vdpa_unregister_device(&vp_vdpa->vdpa); + } + + static struct pci_driver vp_vdpa_driver = { +-- +2.34.1 + diff --git a/queue-5.16/vdpa-mlx5-add-validation-for-virtio_net_ctrl_mq_vq_p.patch b/queue-5.16/vdpa-mlx5-add-validation-for-virtio_net_ctrl_mq_vq_p.patch new file mode 100644 index 00000000000..08550949d26 --- /dev/null +++ b/queue-5.16/vdpa-mlx5-add-validation-for-virtio_net_ctrl_mq_vq_p.patch @@ -0,0 +1,62 @@ +From a96348955127fd02c48b09123fc5c1ed6b6f6211 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Jan 2022 19:28:01 -0500 +Subject: vdpa/mlx5: add validation for VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command + +From: Si-Wei Liu + +[ Upstream commit ed0f849fc3a63ed2ddf5e72cdb1de3bdbbb0f8eb ] + +When control vq receives a VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET command +request from the driver, presently there is no validation against the +number of queue pairs to configure, or even if multiqueue had been +negotiated or not is unverified. This may lead to kernel panic due to +uninitialized resource for the queues were there any bogus request +sent down by untrusted driver. Tie up the loose ends there. + +Fixes: 52893733f2c5 ("vdpa/mlx5: Add multiqueue support") +Signed-off-by: Si-Wei Liu +Link: https://lore.kernel.org/r/1642206481-30721-4-git-send-email-si-wei.liu@oracle.com +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Eli Cohen +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vdpa/mlx5/net/mlx5_vnet.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c +index ef6da39ccb3f..7b4ab7cfc359 100644 +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -1571,11 +1571,27 @@ static virtio_net_ctrl_ack handle_ctrl_mq(struct mlx5_vdpa_dev *mvdev, u8 cmd) + + switch (cmd) { + case VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET: ++ /* This mq feature check aligns with pre-existing userspace ++ * implementation. ++ * ++ * Without it, an untrusted driver could fake a multiqueue config ++ * request down to a non-mq device that may cause kernel to ++ * panic due to uninitialized resources for extra vqs. Even with ++ * a well behaving guest driver, it is not expected to allow ++ * changing the number of vqs on a non-mq device. ++ */ ++ if (!MLX5_FEATURE(mvdev, VIRTIO_NET_F_MQ)) ++ break; ++ + read = vringh_iov_pull_iotlb(&cvq->vring, &cvq->riov, (void *)&mq, sizeof(mq)); + if (read != sizeof(mq)) + break; + + newqps = mlx5vdpa16_to_cpu(mvdev, mq.virtqueue_pairs); ++ if (newqps < VIRTIO_NET_CTRL_MQ_VQ_PAIRS_MIN || ++ newqps > mlx5_vdpa_max_qps(mvdev->max_vqs)) ++ break; ++ + if (ndev->cur_num_vqs == 2 * newqps) { + status = VIRTIO_NET_OK; + break; +-- +2.34.1 + diff --git a/queue-5.16/vduse-fix-returning-wrong-type-in-vduse_domain_alloc.patch b/queue-5.16/vduse-fix-returning-wrong-type-in-vduse_domain_alloc.patch new file mode 100644 index 00000000000..bfd313c5300 --- /dev/null +++ b/queue-5.16/vduse-fix-returning-wrong-type-in-vduse_domain_alloc.patch @@ -0,0 +1,41 @@ +From ee83f5e9b98b48bf2e2ff7384595b3fb93ddccd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Jan 2022 16:39:39 +0800 +Subject: vduse: Fix returning wrong type in vduse_domain_alloc_iova() + +From: Xie Yongji + +[ Upstream commit b9d102dafec6af1c07b610faf0a6d4e8aee14ae0 ] + +This fixes the following smatch warnings: + +drivers/vdpa/vdpa_user/iova_domain.c:305 vduse_domain_alloc_iova() warn: should 'iova_pfn << shift' be a 64 bit type? + +Fixes: 8c773d53fb7b ("vduse: Implement an MMU-based software IOTLB") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Xie Yongji +Link: https://lore.kernel.org/r/20220121083940.102-1-xieyongji@bytedance.com +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vdpa/vdpa_user/iova_domain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vdpa/vdpa_user/iova_domain.c b/drivers/vdpa/vdpa_user/iova_domain.c +index 1daae2608860..0678c2514197 100644 +--- a/drivers/vdpa/vdpa_user/iova_domain.c ++++ b/drivers/vdpa/vdpa_user/iova_domain.c +@@ -302,7 +302,7 @@ vduse_domain_alloc_iova(struct iova_domain *iovad, + iova_len = roundup_pow_of_two(iova_len); + iova_pfn = alloc_iova_fast(iovad, iova_len, limit >> shift, true); + +- return iova_pfn << shift; ++ return (dma_addr_t)iova_pfn << shift; + } + + static void vduse_domain_free_iova(struct iova_domain *iovad, +-- +2.34.1 + diff --git a/queue-5.16/vhost-fix-hung-thread-due-to-erroneous-iotlb-entries.patch b/queue-5.16/vhost-fix-hung-thread-due-to-erroneous-iotlb-entries.patch new file mode 100644 index 00000000000..a3adc1584ce --- /dev/null +++ b/queue-5.16/vhost-fix-hung-thread-due-to-erroneous-iotlb-entries.patch @@ -0,0 +1,89 @@ +From f698a027569124207a961ee541a8485cc9e2f5b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 15:25:25 +0530 +Subject: vhost: fix hung thread due to erroneous iotlb entries + +From: Anirudh Rayabharam + +[ Upstream commit e2ae38cf3d91837a493cb2093c87700ff3cbe667 ] + +In vhost_iotlb_add_range_ctx(), range size can overflow to 0 when +start is 0 and last is ULONG_MAX. One instance where it can happen +is when userspace sends an IOTLB message with iova=size=uaddr=0 +(vhost_process_iotlb_msg). So, an entry with size = 0, start = 0, +last = ULONG_MAX ends up in the iotlb. Next time a packet is sent, +iotlb_access_ok() loops indefinitely due to that erroneous entry. + + Call Trace: + + iotlb_access_ok+0x21b/0x3e0 drivers/vhost/vhost.c:1340 + vq_meta_prefetch+0xbc/0x280 drivers/vhost/vhost.c:1366 + vhost_transport_do_send_pkt+0xe0/0xfd0 drivers/vhost/vsock.c:104 + vhost_worker+0x23d/0x3d0 drivers/vhost/vhost.c:372 + kthread+0x2e9/0x3a0 kernel/kthread.c:377 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + + +Reported by syzbot at: + https://syzkaller.appspot.com/bug?extid=0abd373e2e50d704db87 + +To fix this, do two things: + +1. Return -EINVAL in vhost_chr_write_iter() when userspace asks to map + a range with size 0. +2. Fix vhost_iotlb_add_range_ctx() to handle the range [0, ULONG_MAX] + by splitting it into two entries. + +Fixes: 0bbe30668d89e ("vhost: factor out IOTLB") +Reported-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com +Tested-by: syzbot+0abd373e2e50d704db87@syzkaller.appspotmail.com +Signed-off-by: Anirudh Rayabharam +Link: https://lore.kernel.org/r/20220305095525.5145-1-mail@anirudhrb.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/vhost/iotlb.c | 11 +++++++++++ + drivers/vhost/vhost.c | 5 +++++ + 2 files changed, 16 insertions(+) + +diff --git a/drivers/vhost/iotlb.c b/drivers/vhost/iotlb.c +index 670d56c879e5..40b098320b2a 100644 +--- a/drivers/vhost/iotlb.c ++++ b/drivers/vhost/iotlb.c +@@ -57,6 +57,17 @@ int vhost_iotlb_add_range_ctx(struct vhost_iotlb *iotlb, + if (last < start) + return -EFAULT; + ++ /* If the range being mapped is [0, ULONG_MAX], split it into two entries ++ * otherwise its size would overflow u64. ++ */ ++ if (start == 0 && last == ULONG_MAX) { ++ u64 mid = last / 2; ++ ++ vhost_iotlb_add_range_ctx(iotlb, start, mid, addr, perm, opaque); ++ addr += mid + 1; ++ start = mid + 1; ++ } ++ + if (iotlb->limit && + iotlb->nmaps == iotlb->limit && + iotlb->flags & VHOST_IOTLB_FLAG_RETIRE) { +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 59edb5a1ffe2..55475fd59fb7 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -1170,6 +1170,11 @@ ssize_t vhost_chr_write_iter(struct vhost_dev *dev, + goto done; + } + ++ if (msg.size == 0) { ++ ret = -EINVAL; ++ goto done; ++ } ++ + if (dev->msg_handler) + ret = dev->msg_handler(dev, &msg); + else +-- +2.34.1 + diff --git a/queue-5.16/virtio-blk-don-t-use-max_discard_segments-if-max_dis.patch b/queue-5.16/virtio-blk-don-t-use-max_discard_segments-if-max_dis.patch new file mode 100644 index 00000000000..b03345d9c3d --- /dev/null +++ b/queue-5.16/virtio-blk-don-t-use-max_discard_segments-if-max_dis.patch @@ -0,0 +1,49 @@ +From 921f4bfcc10ae4336f0c1f405b395d2cd14b8ccd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Mar 2022 18:00:57 +0800 +Subject: virtio-blk: Don't use MAX_DISCARD_SEGMENTS if max_discard_seg is zero + +From: Xie Yongji + +[ Upstream commit dacc73ed0b88f1a787ec20385f42ca9dd9eddcd0 ] + +Currently the value of max_discard_segment will be set to +MAX_DISCARD_SEGMENTS (256) with no basis in hardware if device +set 0 to max_discard_seg in configuration space. It's incorrect +since the device might not be able to handle such large descriptors. +To fix it, let's follow max_segments restrictions in this case. + +Fixes: 1f23816b8eb8 ("virtio_blk: add discard and write zeroes support") +Signed-off-by: Xie Yongji +Link: https://lore.kernel.org/r/20220304100058.116-1-xieyongji@bytedance.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/block/virtio_blk.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c +index 6ae38776e30e..87f239eb0a99 100644 +--- a/drivers/block/virtio_blk.c ++++ b/drivers/block/virtio_blk.c +@@ -926,9 +926,15 @@ static int virtblk_probe(struct virtio_device *vdev) + + virtio_cread(vdev, struct virtio_blk_config, max_discard_seg, + &v); ++ ++ /* ++ * max_discard_seg == 0 is out of spec but we always ++ * handled it. ++ */ ++ if (!v) ++ v = sg_elems - 2; + blk_queue_max_discard_segments(q, +- min_not_zero(v, +- MAX_DISCARD_SEGMENTS)); ++ min(v, MAX_DISCARD_SEGMENTS)); + + blk_queue_flag_set(QUEUE_FLAG_DISCARD, q); + } +-- +2.34.1 + diff --git a/queue-5.16/virtio-blk-remove-bug_on-in-virtio_queue_rq.patch b/queue-5.16/virtio-blk-remove-bug_on-in-virtio_queue_rq.patch new file mode 100644 index 00000000000..4b1ab5ea7db --- /dev/null +++ b/queue-5.16/virtio-blk-remove-bug_on-in-virtio_queue_rq.patch @@ -0,0 +1,92 @@ +From e35ea698a37f0c7a4714410da31051566fa37206 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Mar 2022 18:00:58 +0800 +Subject: virtio-blk: Remove BUG_ON() in virtio_queue_rq() + +From: Xie Yongji + +[ Upstream commit e030759a1ddcbf61d42b6e996bfeb675e0032d8b ] + +Currently we have a BUG_ON() to make sure the number of sg +list does not exceed queue_max_segments() in virtio_queue_rq(). +However, the block layer uses queue_max_discard_segments() +instead of queue_max_segments() to limit the sg list for +discard requests. So the BUG_ON() might be triggered if +virtio-blk device reports a larger value for max discard +segment than queue_max_segments(). To fix it, let's simply +remove the BUG_ON() which has become unnecessary after commit +02746e26c39e("virtio-blk: avoid preallocating big SGL for data"). +And the unused vblk->sg_elems can also be removed together. + +Fixes: 1f23816b8eb8 ("virtio_blk: add discard and write zeroes support") +Suggested-by: Christoph Hellwig +Signed-off-by: Xie Yongji +Reviewed-by: Max Gurtovoy +Link: https://lore.kernel.org/r/20220304100058.116-2-xieyongji@bytedance.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/block/virtio_blk.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c +index 87f239eb0a99..b3df5e5452a7 100644 +--- a/drivers/block/virtio_blk.c ++++ b/drivers/block/virtio_blk.c +@@ -76,9 +76,6 @@ struct virtio_blk { + */ + refcount_t refs; + +- /* What host tells us, plus 2 for header & tailer. */ +- unsigned int sg_elems; +- + /* Ida index - used to track minor number allocations. */ + int index; + +@@ -322,8 +319,6 @@ static blk_status_t virtio_queue_rq(struct blk_mq_hw_ctx *hctx, + blk_status_t status; + int err; + +- BUG_ON(req->nr_phys_segments + 2 > vblk->sg_elems); +- + status = virtblk_setup_cmd(vblk->vdev, req, vbr); + if (unlikely(status)) + return status; +@@ -783,8 +778,6 @@ static int virtblk_probe(struct virtio_device *vdev) + /* Prevent integer overflows and honor max vq size */ + sg_elems = min_t(u32, sg_elems, VIRTIO_BLK_MAX_SG_ELEMS - 2); + +- /* We need extra sg elements at head and tail. */ +- sg_elems += 2; + vdev->priv = vblk = kmalloc(sizeof(*vblk), GFP_KERNEL); + if (!vblk) { + err = -ENOMEM; +@@ -796,7 +789,6 @@ static int virtblk_probe(struct virtio_device *vdev) + mutex_init(&vblk->vdev_mutex); + + vblk->vdev = vdev; +- vblk->sg_elems = sg_elems; + + INIT_WORK(&vblk->config_work, virtblk_config_changed_work); + +@@ -854,7 +846,7 @@ static int virtblk_probe(struct virtio_device *vdev) + set_disk_ro(vblk->disk, 1); + + /* We can handle whatever the host told us to handle. */ +- blk_queue_max_segments(q, vblk->sg_elems-2); ++ blk_queue_max_segments(q, sg_elems); + + /* No real sector limit. */ + blk_queue_max_hw_sectors(q, -1U); +@@ -932,7 +924,7 @@ static int virtblk_probe(struct virtio_device *vdev) + * handled it. + */ + if (!v) +- v = sg_elems - 2; ++ v = sg_elems; + blk_queue_max_discard_segments(q, + min(v, MAX_DISCARD_SEGMENTS)); + +-- +2.34.1 + diff --git a/queue-5.16/x86-kvm-don-t-use-pv-tlb-ipi-sched_yield-if-on-1-vcp.patch b/queue-5.16/x86-kvm-don-t-use-pv-tlb-ipi-sched_yield-if-on-1-vcp.patch new file mode 100644 index 00000000000..f262e4924ad --- /dev/null +++ b/queue-5.16/x86-kvm-don-t-use-pv-tlb-ipi-sched_yield-if-on-1-vcp.patch @@ -0,0 +1,54 @@ +From 55edad006d6b646b19897b6d3572a209b172e318 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Feb 2022 00:10:38 -0800 +Subject: x86/kvm: Don't use pv tlb/ipi/sched_yield if on 1 vCPU + +From: Wanpeng Li + +[ Upstream commit ec756e40e271866f951d77c5e923d8deb6002b15 ] + +Inspired by commit 3553ae5690a (x86/kvm: Don't use pvqspinlock code if +only 1 vCPU), on a VM with only 1 vCPU, there is no need to enable +pv tlb/ipi/sched_yield and we can save the memory for __pv_cpu_mask. + +Signed-off-by: Wanpeng Li +Message-Id: <1645171838-2855-1-git-send-email-wanpengli@tencent.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/kvm.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c +index 59abbdad7729..ff3db164e52c 100644 +--- a/arch/x86/kernel/kvm.c ++++ b/arch/x86/kernel/kvm.c +@@ -462,19 +462,22 @@ static bool pv_tlb_flush_supported(void) + { + return (kvm_para_has_feature(KVM_FEATURE_PV_TLB_FLUSH) && + !kvm_para_has_hint(KVM_HINTS_REALTIME) && +- kvm_para_has_feature(KVM_FEATURE_STEAL_TIME)); ++ kvm_para_has_feature(KVM_FEATURE_STEAL_TIME) && ++ (num_possible_cpus() != 1)); + } + + static bool pv_ipi_supported(void) + { +- return kvm_para_has_feature(KVM_FEATURE_PV_SEND_IPI); ++ return (kvm_para_has_feature(KVM_FEATURE_PV_SEND_IPI) && ++ (num_possible_cpus() != 1)); + } + + static bool pv_sched_yield_supported(void) + { + return (kvm_para_has_feature(KVM_FEATURE_PV_SCHED_YIELD) && + !kvm_para_has_hint(KVM_HINTS_REALTIME) && +- kvm_para_has_feature(KVM_FEATURE_STEAL_TIME)); ++ kvm_para_has_feature(KVM_FEATURE_STEAL_TIME) && ++ (num_possible_cpus() != 1)); + } + + #define KVM_IPI_CLUSTER_SIZE (2 * BITS_PER_LONG) +-- +2.34.1 +