From: Sasha Levin Date: Sun, 5 Mar 2023 01:57:02 +0000 (-0500) Subject: Fixes for 5.4 X-Git-Tag: v6.2.3~124 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec38053d5c7fd00cf5b6c29807ff646e67004c36;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/acpi-battery-fix-missing-nul-termination-with-large-.patch b/queue-5.4/acpi-battery-fix-missing-nul-termination-with-large-.patch new file mode 100644 index 00000000000..bf82e858753 --- /dev/null +++ b/queue-5.4/acpi-battery-fix-missing-nul-termination-with-large-.patch @@ -0,0 +1,44 @@ +From 328ce2a1ea67787afec923cc7918f85ef88a36eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 09:50:50 +0100 +Subject: ACPI: battery: Fix missing NUL-termination with large strings + +From: Armin Wolf + +[ Upstream commit f2ac14b5f197e4a2dec51e5ceaa56682ff1592bc ] + +When encountering a string bigger than the destination buffer (32 bytes), +the string is not properly NUL-terminated, causing buffer overreads later. + +This for example happens on the Inspiron 3505, where the battery +model name is larger than 32 bytes, which leads to sysfs showing +the model name together with the serial number string (which is +NUL-terminated and thus prevents worse). + +Fix this by using strscpy() which ensures that the result is +always NUL-terminated. + +Fixes: 106449e870b3 ("ACPI: Battery: Allow extract string from integer") +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index 974c2df13da1d..a49a09e3de1b3 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -465,7 +465,7 @@ static int extract_package(struct acpi_battery *battery, + u8 *ptr = (u8 *)battery + offsets[i].offset; + if (element->type == ACPI_TYPE_STRING || + element->type == ACPI_TYPE_BUFFER) +- strncpy(ptr, element->string.pointer, 32); ++ strscpy(ptr, element->string.pointer, 32); + else if (element->type == ACPI_TYPE_INTEGER) { + strncpy(ptr, (u8 *)&element->integer.value, + sizeof(u64)); +-- +2.39.2 + diff --git a/queue-5.4/acpi-don-t-build-acpica-with-os.patch b/queue-5.4/acpi-don-t-build-acpica-with-os.patch new file mode 100644 index 00000000000..f6d47cf04c4 --- /dev/null +++ b/queue-5.4/acpi-don-t-build-acpica-with-os.patch @@ -0,0 +1,111 @@ +From a9e4ead6d57c760bdaec9a4ebb994c54a598dac6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 13:45:58 +0000 +Subject: ACPI: Don't build ACPICA with '-Os' + +From: Mark Rutland + +[ Upstream commit 8f9e0a52810dd83406c768972d022c37e7a18f1f ] + +The ACPICA code has been built with '-Os' since the beginning of git +history, though there's no explanatory comment as to why. + +This is unfortunate as GCC drops the alignment specificed by +'-falign-functions=N' when '-Os' is used, as reported in GCC bug 88345: + + https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88345 + +This prevents CONFIG_FUNCTION_ALIGNMENT and +CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B from having their expected effect +on the ACPICA code. This is doubly unfortunate as in subsequent patches +arm64 will depend upon CONFIG_FUNCTION_ALIGNMENT for its ftrace +implementation. + +Drop the '-Os' flag when building the ACPICA code. With this removed, +the code builds cleanly and works correctly in testing so far. + +I've tested this by selecting CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B=y, +building and booting a kernel using ACPI, and looking for misaligned +text symbols: + +* arm64: + + Before, v6.2-rc3: + # uname -rm + 6.2.0-rc3 aarch64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 5009 + + Before, v6.2-rc3 + fixed __cold: + # uname -rm + 6.2.0-rc3-00001-g2a2bedf8bfa9 aarch64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 919 + + After: + # uname -rm + 6.2.0-rc3-00002-g267bddc38572 aarch64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 323 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | grep acpi | wc -l + 0 + +* x86_64: + + Before, v6.2-rc3: + # uname -rm + 6.2.0-rc3 x86_64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 11537 + + Before, v6.2-rc3 + fixed __cold: + # uname -rm + 6.2.0-rc3-00001-g2a2bedf8bfa9 x86_64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 2805 + + After: + # uname -rm + 6.2.0-rc3-00002-g267bddc38572 x86_64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 1357 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | grep acpi | wc -l + 0 + +With the patch applied, the remaining unaligned text labels are a +combination of static call trampolines and labels in assembly, which can +be dealt with in subsequent patches. + +Signed-off-by: Mark Rutland +Acked-by: Rafael J. Wysocki +Cc: Florent Revest +Cc: Len Brown +Cc: Masami Hiramatsu +Cc: Peter Zijlstra +Cc: Robert Moore +Cc: Steven Rostedt +Cc: Will Deacon +Cc: linux-acpi@vger.kernel.org +Link: https://lore.kernel.org/r/20230123134603.1064407-4-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/Makefile b/drivers/acpi/acpica/Makefile +index 59700433a96e5..f919811156b1f 100644 +--- a/drivers/acpi/acpica/Makefile ++++ b/drivers/acpi/acpica/Makefile +@@ -3,7 +3,7 @@ + # Makefile for ACPICA Core interpreter + # + +-ccflags-y := -Os -D_LINUX -DBUILDING_ACPICA ++ccflags-y := -D_LINUX -DBUILDING_ACPICA + ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT + + # use acpi.o to put all files here into acpi.o modparam namespace +-- +2.39.2 + diff --git a/queue-5.4/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch b/queue-5.4/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch new file mode 100644 index 00000000000..99869a4d726 --- /dev/null +++ b/queue-5.4/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch @@ -0,0 +1,42 @@ +From d3bc80fa99ba8d071f56c761f831c22f1e9bf4a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 13:44:49 +0100 +Subject: ACPI: video: Fix Lenovo Ideapad Z570 DMI match + +From: Hans de Goede + +[ Upstream commit 2d11eae42d52a131f06061015e49dc0f085c5bfc ] + +Multiple Ideapad Z570 variants need acpi_backlight=native to force native +use on these pre Windows 8 machines since acpi_video backlight control +does not work here. + +The original DMI quirk matches on a product_name of "102434U" but other +variants may have different product_name-s such as e.g. "1024D9U". + +Move to checking product_version instead as is more or less standard for +Lenovo DMI quirks for similar reasons. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index e5518b88f7102..ef40cd7f36eba 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -316,7 +316,7 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + .ident = "Lenovo Ideapad Z570", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "102434U"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Ideapad Z570"), + }, + }, + { +-- +2.39.2 + diff --git a/queue-5.4/acpica-drop-port-i-o-validation-for-some-regions.patch b/queue-5.4/acpica-drop-port-i-o-validation-for-some-regions.patch new file mode 100644 index 00000000000..152c97f5d07 --- /dev/null +++ b/queue-5.4/acpica-drop-port-i-o-validation-for-some-regions.patch @@ -0,0 +1,75 @@ +From f1dae72898e3eb1ecc63ee5819757b108830a992 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 09:51:20 -0600 +Subject: ACPICA: Drop port I/O validation for some regions + +From: Mario Limonciello + +[ Upstream commit e1d9148582ab2c3dada5c5cf8ca7531ca269fee5 ] + +Microsoft introduced support in Windows XP for blocking port I/O +to various regions. For Windows compatibility ACPICA has adopted +the same protections and will disallow writes to those +(presumably) the same regions. + +On some systems the AML included with the firmware will issue 4 byte +long writes to 0x80. These writes aren't making it over because of this +blockage. The first 4 byte write attempt is rejected, and then +subsequently 1 byte at a time each offset is tried. The first at 0x80 +works, but then the next 3 bytes are rejected. + +This manifests in bizarre failures for devices that expected the AML to +write all 4 bytes. Trying the same AML on Windows 10 or 11 doesn't hit +this failure and all 4 bytes are written. + +Either some of these regions were wrong or some point after Windows XP +some of these regions blocks have been lifted. + +In the last 15 years there doesn't seem to be any reports popping up of +this error in the Windows event viewer anymore. There is no documentation +at Microsoft's developer site indicating that Windows ACPI interpreter +blocks these regions. Between the lack of documentation and the fact that +the writes actually do work in Windows 10 and 11, it's quite likely +Windows doesn't actually enforce this anymore. + +So to help the issue, only enforce Windows XP specific entries if the +latest _OSI supported is Windows XP. Continue to enforce the +ALWAYS_ILLEGAL entries. + +Link: https://github.com/acpica/acpica/pull/817 +Fixes: 7f0719039085 ("ACPICA: New: I/O port protection") +Signed-off-by: Mario Limonciello +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/hwvalid.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/acpi/acpica/hwvalid.c b/drivers/acpi/acpica/hwvalid.c +index cd576153257c6..f1495b88bf138 100644 +--- a/drivers/acpi/acpica/hwvalid.c ++++ b/drivers/acpi/acpica/hwvalid.c +@@ -23,8 +23,8 @@ acpi_hw_validate_io_request(acpi_io_address address, u32 bit_width); + * + * The table is used to implement the Microsoft port access rules that + * first appeared in Windows XP. Some ports are always illegal, and some +- * ports are only illegal if the BIOS calls _OSI with a win_XP string or +- * later (meaning that the BIOS itelf is post-XP.) ++ * ports are only illegal if the BIOS calls _OSI with nothing newer than ++ * the specific _OSI strings. + * + * This provides ACPICA with the desired port protections and + * Microsoft compatibility. +@@ -145,7 +145,8 @@ acpi_hw_validate_io_request(acpi_io_address address, u32 bit_width) + + /* Port illegality may depend on the _OSI calls made by the BIOS */ + +- if (acpi_gbl_osi_data >= port_info->osi_dependency) { ++ if (port_info->osi_dependency == ACPI_ALWAYS_ILLEGAL || ++ acpi_gbl_osi_data == port_info->osi_dependency) { + ACPI_DEBUG_PRINT((ACPI_DB_VALUES, + "Denied AML access to port 0x%8.8X%8.8X/%X (%s 0x%.4X-0x%.4X)\n", + ACPI_FORMAT_UINT64(address), +-- +2.39.2 + diff --git a/queue-5.4/acpica-nsrepair-handle-cases-without-a-return-value-.patch b/queue-5.4/acpica-nsrepair-handle-cases-without-a-return-value-.patch new file mode 100644 index 00000000000..d3d668db1f1 --- /dev/null +++ b/queue-5.4/acpica-nsrepair-handle-cases-without-a-return-value-.patch @@ -0,0 +1,65 @@ +From f9f92e3fbc6678fa905ddc11eb9088b2dfbbb1cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jan 2023 02:53:08 +0300 +Subject: ACPICA: nsrepair: handle cases without a return value correctly + +From: Daniil Tatianin + +[ Upstream commit ca843a4c79486e99a19b859ef0b9887854afe146 ] + +Previously acpi_ns_simple_repair() would crash if expected_btypes +contained any combination of ACPI_RTYPE_NONE with a different type, +e.g | ACPI_RTYPE_INTEGER because of slightly incorrect logic in the +!return_object branch, which wouldn't return AE_AML_NO_RETURN_VALUE +for such cases. + +Found by Linux Verification Center (linuxtesting.org) with the SVACE +static analysis tool. + +Link: https://github.com/acpica/acpica/pull/811 +Fixes: 61db45ca2163 ("ACPICA: Restore code that repairs NULL package elements in return values.") +Signed-off-by: Daniil Tatianin +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/nsrepair.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/acpica/nsrepair.c b/drivers/acpi/acpica/nsrepair.c +index be86fea8e4d48..57e6488f6933f 100644 +--- a/drivers/acpi/acpica/nsrepair.c ++++ b/drivers/acpi/acpica/nsrepair.c +@@ -181,8 +181,9 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info, + * Try to fix if there was no return object. Warning if failed to fix. + */ + if (!return_object) { +- if (expected_btypes && (!(expected_btypes & ACPI_RTYPE_NONE))) { +- if (package_index != ACPI_NOT_PACKAGE_ELEMENT) { ++ if (expected_btypes) { ++ if (!(expected_btypes & ACPI_RTYPE_NONE) && ++ package_index != ACPI_NOT_PACKAGE_ELEMENT) { + ACPI_WARN_PREDEFINED((AE_INFO, + info->full_pathname, + ACPI_WARN_ALWAYS, +@@ -196,14 +197,15 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info, + if (ACPI_SUCCESS(status)) { + return (AE_OK); /* Repair was successful */ + } +- } else { ++ } ++ ++ if (expected_btypes != ACPI_RTYPE_NONE) { + ACPI_WARN_PREDEFINED((AE_INFO, + info->full_pathname, + ACPI_WARN_ALWAYS, + "Missing expected return value")); ++ return (AE_AML_NO_RETURN_VALUE); + } +- +- return (AE_AML_NO_RETURN_VALUE); + } + } + +-- +2.39.2 + diff --git a/queue-5.4/alsa-hda-ca0132-minor-fix-for-allocation-size.patch b/queue-5.4/alsa-hda-ca0132-minor-fix-for-allocation-size.patch new file mode 100644 index 00000000000..5f43bfa1996 --- /dev/null +++ b/queue-5.4/alsa-hda-ca0132-minor-fix-for-allocation-size.patch @@ -0,0 +1,40 @@ +From deba2ccccf6ae15b8b45e354c102e57ef2e4df96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 14:15:23 +0300 +Subject: ALSA: hda/ca0132: minor fix for allocation size + +From: Alexey V. Vissarionov + +[ Upstream commit 3ee0fe7fa39b14d1cea455b7041f2df933bd97d2 ] + +Although the "dma_chan" pointer occupies more or equal space compared +to "*dma_chan", the allocation size should use the size of variable +itself. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 01ef7dbffb41 ("ALSA: hda - Update CA0132 codec to load DSP firmware binary") +Signed-off-by: Alexey V. Vissarionov +Link: https://lore.kernel.org/r/20230117111522.GA15213@altlinux.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 3ef1084b66884..574c39120df86 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -2047,7 +2047,7 @@ static int dspio_set_uint_param_no_source(struct hda_codec *codec, int mod_id, + static int dspio_alloc_dma_chan(struct hda_codec *codec, unsigned int *dma_chan) + { + int status = 0; +- unsigned int size = sizeof(dma_chan); ++ unsigned int size = sizeof(*dma_chan); + + codec_dbg(codec, " dspio_alloc_dma_chan() -- begin\n"); + status = dspio_scp(codec, MASTERCONTROL, 0x20, +-- +2.39.2 + diff --git a/queue-5.4/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch b/queue-5.4/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch new file mode 100644 index 00000000000..168a3069664 --- /dev/null +++ b/queue-5.4/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch @@ -0,0 +1,37 @@ +From 86528af6d9e8e899de26326dade7359fbbd89522 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 16:53:54 +0100 +Subject: ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato + +From: Krzysztof Kozlowski + +[ Upstream commit d15d2a617499882971ddb773a583015bf36fa492 ] + +The property is wr-active: + + exynos3250-rinato.dtb: fimd@11c00000: i80-if-timings: 'wr-act' does not match any of the regexes: 'pinctrl-[0-9]+' + +Fixes: b59b3afb94d4 ("ARM: dts: add fimd device support for exynos3250-rinato") +Link: https://lore.kernel.org/r/20230120155404.323386-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos3250-rinato.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos3250-rinato.dts b/arch/arm/boot/dts/exynos3250-rinato.dts +index 468932f452895..72d6b7c27151e 100644 +--- a/arch/arm/boot/dts/exynos3250-rinato.dts ++++ b/arch/arm/boot/dts/exynos3250-rinato.dts +@@ -239,7 +239,7 @@ &fimd { + i80-if-timings { + cs-setup = <0>; + wr-setup = <0>; +- wr-act = <1>; ++ wr-active = <1>; + wr-hold = <0>; + }; + }; +-- +2.39.2 + diff --git a/queue-5.4/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch b/queue-5.4/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch new file mode 100644 index 00000000000..2cec0df4419 --- /dev/null +++ b/queue-5.4/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch @@ -0,0 +1,37 @@ +From c2ba4c95f40fa1e8cca7c5efaf4fdc9676ae4d63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jan 2023 22:18:42 +0200 +Subject: ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy + +From: Markuss Broks + +[ Upstream commit 5d5aa219a790d61cad2c38e1aa32058f16ad2f0b ] + +For some reason, the driver adding support for Exynos5420 MIPI phy +back in 2016 wasn't used on Exynos5420, which caused a kernel panic. +Add the proper compatible for it. + +Signed-off-by: Markuss Broks +Link: https://lore.kernel.org/r/20230121201844.46872-2-markuss.broks@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5420.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos5420.dtsi b/arch/arm/boot/dts/exynos5420.dtsi +index 7d51e0f4ab79a..5da434ccf12ae 100644 +--- a/arch/arm/boot/dts/exynos5420.dtsi ++++ b/arch/arm/boot/dts/exynos5420.dtsi +@@ -539,7 +539,7 @@ dp_phy: dp-video-phy { + }; + + mipi_phy: mipi-video-phy { +- compatible = "samsung,s5pv210-mipi-video-phy"; ++ compatible = "samsung,exynos5420-mipi-video-phy"; + syscon = <&pmu_system_controller>; + #phy-cells = <1>; + }; +-- +2.39.2 + diff --git a/queue-5.4/arm-dts-imx7s-correct-iomuxc-gpr-mux-controller-cell.patch b/queue-5.4/arm-dts-imx7s-correct-iomuxc-gpr-mux-controller-cell.patch new file mode 100644 index 00000000000..4a2c3ab0e02 --- /dev/null +++ b/queue-5.4/arm-dts-imx7s-correct-iomuxc-gpr-mux-controller-cell.patch @@ -0,0 +1,36 @@ +From 32403379c240480cb9026430625dbd9e909a1b61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Dec 2022 11:04:33 +0800 +Subject: ARM: dts: imx7s: correct iomuxc gpr mux controller cells + +From: Peng Fan + +[ Upstream commit 0e3e1946606a2919b1dda9967ab2e1c5af2fedd6 ] + +Per binding doc reg-mux.yaml, the #mux-control-cells should be 1 + +Signed-off-by: Peng Fan +Reviewed-by: Marco Felsch +Fixes: 94a905a79f2c ("ARM: dts: imx7s: add multiplexer controls") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/imx7s.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/imx7s.dtsi b/arch/arm/boot/dts/imx7s.dtsi +index e2e604d6ba0b4..1ef076b64de26 100644 +--- a/arch/arm/boot/dts/imx7s.dtsi ++++ b/arch/arm/boot/dts/imx7s.dtsi +@@ -504,7 +504,7 @@ gpr: iomuxc-gpr@30340000 { + + mux: mux-controller { + compatible = "mmio-mux"; +- #mux-control-cells = <0>; ++ #mux-control-cells = <1>; + mux-reg-masks = <0x14 0x00000010>; + }; + +-- +2.39.2 + diff --git a/queue-5.4/arm-imx-call-ida_simple_remove-for-ida_simple_get.patch b/queue-5.4/arm-imx-call-ida_simple_remove-for-ida_simple_get.patch new file mode 100644 index 00000000000..36eea85eaae --- /dev/null +++ b/queue-5.4/arm-imx-call-ida_simple_remove-for-ida_simple_get.patch @@ -0,0 +1,102 @@ +From e9b6e528097d793ac30f81d2fe1802f643810699 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jan 2023 14:11:23 +0800 +Subject: ARM: imx: Call ida_simple_remove() for ida_simple_get + +From: Angus Chen + +[ Upstream commit ebeb49f43c8952f12aa20f03f00d7009edc2d1c5 ] + +The function call ida_simple_get maybe fail,we should deal with it. +And if ida_simple_get success ,it need to call ida_simple_remove also. +BTW,devm_kasprintf can handle id is zero for consistency. + +Fixes: e76bdfd7403a ("ARM: imx: Added perf functionality to mmdc driver") +Signed-off-by: Angus Chen +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +--- + arch/arm/mach-imx/mmdc.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/arch/arm/mach-imx/mmdc.c b/arch/arm/mach-imx/mmdc.c +index af12668d0bf51..b9efe9da06e0b 100644 +--- a/arch/arm/mach-imx/mmdc.c ++++ b/arch/arm/mach-imx/mmdc.c +@@ -99,6 +99,7 @@ struct mmdc_pmu { + cpumask_t cpu; + struct hrtimer hrtimer; + unsigned int active_events; ++ int id; + struct device *dev; + struct perf_event *mmdc_events[MMDC_NUM_COUNTERS]; + struct hlist_node node; +@@ -433,8 +434,6 @@ static enum hrtimer_restart mmdc_pmu_timer_handler(struct hrtimer *hrtimer) + static int mmdc_pmu_init(struct mmdc_pmu *pmu_mmdc, + void __iomem *mmdc_base, struct device *dev) + { +- int mmdc_num; +- + *pmu_mmdc = (struct mmdc_pmu) { + .pmu = (struct pmu) { + .task_ctx_nr = perf_invalid_context, +@@ -452,15 +451,16 @@ static int mmdc_pmu_init(struct mmdc_pmu *pmu_mmdc, + .active_events = 0, + }; + +- mmdc_num = ida_simple_get(&mmdc_ida, 0, 0, GFP_KERNEL); ++ pmu_mmdc->id = ida_simple_get(&mmdc_ida, 0, 0, GFP_KERNEL); + +- return mmdc_num; ++ return pmu_mmdc->id; + } + + static int imx_mmdc_remove(struct platform_device *pdev) + { + struct mmdc_pmu *pmu_mmdc = platform_get_drvdata(pdev); + ++ ida_simple_remove(&mmdc_ida, pmu_mmdc->id); + cpuhp_state_remove_instance_nocalls(cpuhp_mmdc_state, &pmu_mmdc->node); + perf_pmu_unregister(&pmu_mmdc->pmu); + iounmap(pmu_mmdc->mmdc_base); +@@ -474,7 +474,6 @@ static int imx_mmdc_perf_init(struct platform_device *pdev, void __iomem *mmdc_b + { + struct mmdc_pmu *pmu_mmdc; + char *name; +- int mmdc_num; + int ret; + const struct of_device_id *of_id = + of_match_device(imx_mmdc_dt_ids, &pdev->dev); +@@ -497,14 +496,14 @@ static int imx_mmdc_perf_init(struct platform_device *pdev, void __iomem *mmdc_b + cpuhp_mmdc_state = ret; + } + +- mmdc_num = mmdc_pmu_init(pmu_mmdc, mmdc_base, &pdev->dev); +- pmu_mmdc->mmdc_ipg_clk = mmdc_ipg_clk; +- if (mmdc_num == 0) +- name = "mmdc"; +- else +- name = devm_kasprintf(&pdev->dev, +- GFP_KERNEL, "mmdc%d", mmdc_num); ++ ret = mmdc_pmu_init(pmu_mmdc, mmdc_base, &pdev->dev); ++ if (ret < 0) ++ goto pmu_free; + ++ name = devm_kasprintf(&pdev->dev, ++ GFP_KERNEL, "mmdc%d", ret); ++ ++ pmu_mmdc->mmdc_ipg_clk = mmdc_ipg_clk; + pmu_mmdc->devtype_data = (struct fsl_mmdc_devtype_data *)of_id->data; + + hrtimer_init(&pmu_mmdc->hrtimer, CLOCK_MONOTONIC, +@@ -525,6 +524,7 @@ static int imx_mmdc_perf_init(struct platform_device *pdev, void __iomem *mmdc_b + + pmu_register_err: + pr_warn("MMDC Perf PMU failed (%d), disabled\n", ret); ++ ida_simple_remove(&mmdc_ida, pmu_mmdc->id); + cpuhp_state_remove_instance_nocalls(cpuhp_mmdc_state, &pmu_mmdc->node); + hrtimer_cancel(&pmu_mmdc->hrtimer); + pmu_free: +-- +2.39.2 + diff --git a/queue-5.4/arm-omap1-call-platform_device_put-in-error-case-in-.patch b/queue-5.4/arm-omap1-call-platform_device_put-in-error-case-in-.patch new file mode 100644 index 00000000000..0c120d977d3 --- /dev/null +++ b/queue-5.4/arm-omap1-call-platform_device_put-in-error-case-in-.patch @@ -0,0 +1,39 @@ +From db2042bd091cbdccc2136a88472cc8e4a50f3a75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 11:57:54 +0200 +Subject: ARM: OMAP1: call platform_device_put() in error case in + omap1_dm_timer_init() + +From: Yang Yingliang + +[ Upstream commit 0414a100d6ab32721efa70ab55524540fdfe0ede ] + +If platform_device_add() is not called or failed, it should call +platform_device_put() in error case. + +Fixes: 97933d6ced60 ("ARM: OMAP1: dmtimer: conversion to platform devices") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Message-Id: <20220701094602.2365099-1-yangyingliang@huawei.com> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap1/timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap1/timer.c b/arch/arm/mach-omap1/timer.c +index 4447210c9b0d8..291bc376d30e8 100644 +--- a/arch/arm/mach-omap1/timer.c ++++ b/arch/arm/mach-omap1/timer.c +@@ -165,7 +165,7 @@ static int __init omap1_dm_timer_init(void) + kfree(pdata); + + err_free_pdev: +- platform_device_unregister(pdev); ++ platform_device_put(pdev); + + return ret; + } +-- +2.39.2 + diff --git a/queue-5.4/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch b/queue-5.4/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch new file mode 100644 index 00000000000..1f91fe69888 --- /dev/null +++ b/queue-5.4/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch @@ -0,0 +1,36 @@ +From 4180f98831fa9aad0e5ff2897b5d4655f9e38492 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 22:19:17 +0800 +Subject: ARM: OMAP2+: Fix memory leak in realtime_counter_init() + +From: Chen Hui + +[ Upstream commit ed8167cbf65c2b6ff6faeb0f96ded4d6d581e1ac ] + +The "sys_clk" resource is malloced by clk_get(), +it is not released when the function return. + +Fixes: fa6d79d27614 ("ARM: OMAP: Add initialisation for the real-time counter.") +Signed-off-by: Chen Hui +Message-Id: <20221108141917.46796-1-judy.chenhui@huawei.com> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-omap2/timer.c b/arch/arm/mach-omap2/timer.c +index 1defb838eae3a..a5da85b73461b 100644 +--- a/arch/arm/mach-omap2/timer.c ++++ b/arch/arm/mach-omap2/timer.c +@@ -700,6 +700,7 @@ static void __init realtime_counter_init(void) + } + + rate = clk_get_rate(sys_clk); ++ clk_put(sys_clk); + + if (soc_is_dra7xx()) { + /* +-- +2.39.2 + diff --git a/queue-5.4/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch b/queue-5.4/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch new file mode 100644 index 00000000000..d7f2f2cca2f --- /dev/null +++ b/queue-5.4/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch @@ -0,0 +1,37 @@ +From 9ac2b5146ccc344fe3287d8f79143bd3560cf468 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 22:05:44 +0800 +Subject: ARM: zynq: Fix refcount leak in zynq_early_slcr_init + +From: Qiheng Lin + +[ Upstream commit 9eedb910a3be0005b88c696a8552c0d4c9937cd4 ] + +of_find_compatible_node() returns a node pointer with refcount incremented, +we should use of_node_put() on error path. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 3329659df030 ("ARM: zynq: Simplify SLCR initialization") +Signed-off-by: Qiheng Lin +Link: https://lore.kernel.org/r/20221129140544.41293-1-linqiheng@huawei.com +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +--- + arch/arm/mach-zynq/slcr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-zynq/slcr.c b/arch/arm/mach-zynq/slcr.c +index 37707614885a5..9765b3f4c2fc5 100644 +--- a/arch/arm/mach-zynq/slcr.c ++++ b/arch/arm/mach-zynq/slcr.c +@@ -213,6 +213,7 @@ int __init zynq_early_slcr_init(void) + zynq_slcr_regmap = syscon_regmap_lookup_by_compatible("xlnx,zynq-slcr"); + if (IS_ERR(zynq_slcr_regmap)) { + pr_err("%s: failed to find zynq-slcr\n", __func__); ++ of_node_put(np); + return -ENODEV; + } + +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-amlogic-meson-axg-fix-scpi-clock-dvfs-node.patch b/queue-5.4/arm64-dts-amlogic-meson-axg-fix-scpi-clock-dvfs-node.patch new file mode 100644 index 00000000000..d628e30af70 --- /dev/null +++ b/queue-5.4/arm64-dts-amlogic-meson-axg-fix-scpi-clock-dvfs-node.patch @@ -0,0 +1,35 @@ +From 8982d38076ae2da6c8c3553ed177bf6df7464041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:23 +0100 +Subject: arm64: dts: amlogic: meson-axg: fix SCPI clock dvfs node name + +From: Neil Armstrong + +[ Upstream commit 5b7069d72f03c92a0ab919725017394ebce03a81 ] + +Fixes: +scpi: clocks: 'clock-controller' does not match any of the regexes: '^clocks-[0-9a-f]+$', 'pinctrl-[0-9]+' + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-2-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-axg.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +index 8732229f0588c..7b2be0942c3bb 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +@@ -150,7 +150,7 @@ scpi { + scpi_clocks: clocks { + compatible = "arm,scpi-clocks"; + +- scpi_dvfs: clock-controller { ++ scpi_dvfs: clocks-0 { + compatible = "arm,scpi-dvfs-clocks"; + #clock-cells = <1>; + clock-indices = <0>; +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-amlogic-meson-gx-add-missing-scpi-sensors-.patch b/queue-5.4/arm64-dts-amlogic-meson-gx-add-missing-scpi-sensors-.patch new file mode 100644 index 00000000000..4f78f869da7 --- /dev/null +++ b/queue-5.4/arm64-dts-amlogic-meson-gx-add-missing-scpi-sensors-.patch @@ -0,0 +1,37 @@ +From 737be3f37afd467b0caf619ed8b1e9e778c12e61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:24 +0100 +Subject: arm64: dts: amlogic: meson-gx: add missing SCPI sensors compatible + +From: Neil Armstrong + +[ Upstream commit 2ff650051493d5bdb6dd09d4c2850bb37db6be31 ] + +Fixes: +scpi: sensors:compatible: 'oneOf' conditional failed, one must be fixed: + ['amlogic,meson-gxbb-scpi-sensors'] is too short + 'arm,scpi-sensors' was expected + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-3-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-axg.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +index 7b2be0942c3bb..72255898081c8 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-axg.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-axg.dtsi +@@ -159,7 +159,7 @@ scpi_dvfs: clocks-0 { + }; + + scpi_sensors: sensors { +- compatible = "amlogic,meson-gxbb-scpi-sensors"; ++ compatible = "amlogic,meson-gxbb-scpi-sensors", "arm,scpi-sensors"; + #thermal-sensor-cells = <1>; + }; + }; +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch b/queue-5.4/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch new file mode 100644 index 00000000000..168072ce035 --- /dev/null +++ b/queue-5.4/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch @@ -0,0 +1,36 @@ +From c4ddb4eca887ba63e5698e0dda6eb518a03d75c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:27 +0100 +Subject: arm64: dts: amlogic: meson-gx: add missing unit address to rng node + name + +From: Neil Armstrong + +[ Upstream commit 61ff70708b98a85516eccb3755084ac97b42cf48 ] + +Fixes: +bus@c8834000: rng: {...} should not be valid under {'type': 'object'} + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-6-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index c923715222580..e9f9ddd27ad7e 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -464,7 +464,7 @@ periphs: bus@c8834000 { + #size-cells = <2>; + ranges = <0x0 0x0 0x0 0xc8834000 0x0 0x2000>; + +- hwrng: rng { ++ hwrng: rng@0 { + compatible = "amlogic,meson-rng"; + reg = <0x0 0x0 0x0 0x4>; + }; +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch b/queue-5.4/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch new file mode 100644 index 00000000000..b6d3e2aef70 --- /dev/null +++ b/queue-5.4/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch @@ -0,0 +1,35 @@ +From e688c8cfcc3bb2b351b126b54a0708b6c2b99778 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:22 +0100 +Subject: arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name + +From: Neil Armstrong + +[ Upstream commit 127f79212b07c5d9a6657a87e3eafdd889335814 ] + +Fixes: +scpi: clocks: 'clock-controller' does not match any of the regexes: '^clocks-[0-9a-f]+$', 'pinctrl-[0-9]+' + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-1-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index 0e9784f3980d3..c923715222580 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -189,7 +189,7 @@ scpi { + scpi_clocks: clocks { + compatible = "arm,scpi-clocks"; + +- scpi_dvfs: clock-controller { ++ scpi_dvfs: clocks-0 { + compatible = "arm,scpi-dvfs-clocks"; + #clock-cells = <1>; + clock-indices = <0>; +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch b/queue-5.4/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch new file mode 100644 index 00000000000..c7db21d66d2 --- /dev/null +++ b/queue-5.4/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch @@ -0,0 +1,36 @@ +From 215868c72b1227fd1938d735403dcc6f2294e4c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:30 +0100 +Subject: arm64: dts: amlogic: meson-gxl: add missing unit address to + eth-phy-mux node name + +From: Neil Armstrong + +[ Upstream commit d19189f70ba596798ea49166d2d1ef36a8df5289 ] + +Fixes: +bus@c8834000: eth-phy-mux: {...} should not be valid under {'type': 'object'} + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-9-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gxl.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi +index e3cfa24dca5ab..6809f495a5030 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi +@@ -700,7 +700,7 @@ mux { + }; + }; + +- eth-phy-mux { ++ eth-phy-mux@55c { + compatible = "mdio-mux-mmioreg", "mdio-mux"; + #address-cells = <1>; + #size-cells = <0>; +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-amlogic-meson-gxl-s905d-phicomm-n1-fix-led.patch b/queue-5.4/arm64-dts-amlogic-meson-gxl-s905d-phicomm-n1-fix-led.patch new file mode 100644 index 00000000000..91087ea4fd0 --- /dev/null +++ b/queue-5.4/arm64-dts-amlogic-meson-gxl-s905d-phicomm-n1-fix-led.patch @@ -0,0 +1,35 @@ +From 39509709af6e1da2541557f43ed93c45bfb9d8ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:33 +0100 +Subject: arm64: dts: amlogic: meson-gxl-s905d-phicomm-n1: fix led node name + +From: Neil Armstrong + +[ Upstream commit eee64d8fbbdaab72bbab3e462f3a7b742d20c8c2 ] + +Fixes: +leds: status: {...} is not of type 'array' + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-12-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gxl-s905d-phicomm-n1.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-phicomm-n1.dts b/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-phicomm-n1.dts +index b5667f1fb2c8f..22fb3e324da5d 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-phicomm-n1.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905d-phicomm-n1.dts +@@ -18,7 +18,7 @@ cvbs-connector { + leds { + compatible = "gpio-leds"; + +- status { ++ led { + label = "n1:white:status"; + gpios = <&gpio_ao GPIOAO_9 GPIO_ACTIVE_HIGH>; + default-state = "on"; +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-mediatek-mt7622-add-missing-pwm-cells-to-p.patch b/queue-5.4/arm64-dts-mediatek-mt7622-add-missing-pwm-cells-to-p.patch new file mode 100644 index 00000000000..8afae083810 --- /dev/null +++ b/queue-5.4/arm64-dts-mediatek-mt7622-add-missing-pwm-cells-to-p.patch @@ -0,0 +1,35 @@ +From c671b9e4a7e19a77a5fce653171c1248079b59ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 12:20:27 +0100 +Subject: arm64: dts: mediatek: mt7622: Add missing pwm-cells to pwm node + +From: AngeloGioacchino Del Regno + +[ Upstream commit 22925af785fa3470efdf566339616d801119d348 ] + +Specify #pwm-cells on pwm@11006000 to make it actually usable. + +Fixes: ae457b7679c4 ("arm64: dts: mt7622: add SoC and peripheral related device nodes") +Signed-off-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20221128112028.58021-2-angelogioacchino.delregno@collabora.com +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/mediatek/mt7622.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/mediatek/mt7622.dtsi b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +index e7e002d8b1089..3bfe9f5d2a14f 100644 +--- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi ++++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi +@@ -428,6 +428,7 @@ uart3: serial@11005000 { + pwm: pwm@11006000 { + compatible = "mediatek,mt7622-pwm"; + reg = <0 0x11006000 0 0x1000>; ++ #pwm-cells = <2>; + interrupts = ; + clocks = <&topckgen CLK_TOP_PWM_SEL>, + <&pericfg CLK_PERI_PWM_PD>, +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-meson-g12a-fix-internal-ethernet-phy-unit-.patch b/queue-5.4/arm64-dts-meson-g12a-fix-internal-ethernet-phy-unit-.patch new file mode 100644 index 00000000000..dd2f781af91 --- /dev/null +++ b/queue-5.4/arm64-dts-meson-g12a-fix-internal-ethernet-phy-unit-.patch @@ -0,0 +1,41 @@ +From e8ce515ebabc5af5ad90264369e704654b07d982 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:13:49 +0100 +Subject: arm64: dts: meson-g12a: Fix internal Ethernet PHY unit name + +From: Martin Blumenstingl + +[ Upstream commit e7303651bbc76c848007f1cfac1fbeaa65f600d1 ] + +Documentation/devicetree/bindings/net/ethernet-phy.yaml defines that the +node name for Ethernet PHYs should match the following pattern: + ^ethernet-phy(@[a-f0-9]+)?$ + +Replace the underscore with a hyphen to adhere to this binding. + +Fixes: 280c17df8fbf ("arm64: dts: meson: g12a: add mdio multiplexer") +Signed-off-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230111211350.1461860-6-martin.blumenstingl@googlemail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi +index 6b495587eee2d..937b27549d56d 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi +@@ -1783,7 +1783,7 @@ int_mdio: mdio@1 { + #address-cells = <1>; + #size-cells = <0>; + +- internal_ephy: ethernet_phy@8 { ++ internal_ephy: ethernet-phy@8 { + compatible = "ethernet-phy-id0180.3301", + "ethernet-phy-ieee802.3-c22"; + interrupts = ; +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch b/queue-5.4/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch new file mode 100644 index 00000000000..cf5db25c3a3 --- /dev/null +++ b/queue-5.4/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch @@ -0,0 +1,39 @@ +From 03b2cab364ec3808ef8b460bce47d8ea3fa027e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:13:48 +0100 +Subject: arm64: dts: meson-gx: Fix Ethernet MAC address unit name + +From: Martin Blumenstingl + +[ Upstream commit 8ed5310356bfa47cc6bb4221ae6b21258c52e3d1 ] + +Unit names should use hyphens instead of underscores to not cause +warnings. + +Fixes: bfe59f92d306 ("ARM64: dts: amlogic: gxbb: Enable NVMEM") +Suggested-by: Vyacheslav Bocharov +Signed-off-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230111211350.1461860-5-martin.blumenstingl@googlemail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index 0c667ec15f8cf..ff68dcaf64ef8 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -172,7 +172,7 @@ sn: sn@14 { + reg = <0x14 0x10>; + }; + +- eth_mac: eth_mac@34 { ++ eth_mac: eth-mac@34 { + reg = <0x34 0x10>; + }; + +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch b/queue-5.4/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch new file mode 100644 index 00000000000..56cb71816f4 --- /dev/null +++ b/queue-5.4/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch @@ -0,0 +1,40 @@ +From c25a49b057f1e775982a9322aad90526d2b8f4d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:13:50 +0100 +Subject: arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address + +From: Martin Blumenstingl + +[ Upstream commit f189c869ad92787ddd753558bcbae89d75825bb6 ] + +Node names should be generic and use hyphens instead of underscores to +not cause warnings. Also nodes without a reg property should not have a +unit-address. Change the scpi_dvfs node to use clock-controller as node +name without a unit address (since it does not have a reg property). + +Fixes: 70db166a2baa ("ARM64: dts: meson-gxbb: Add SCPI with cpufreq & sensors Nodes") +Signed-off-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230111211350.1461860-7-martin.blumenstingl@googlemail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index ff68dcaf64ef8..0e9784f3980d3 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -189,7 +189,7 @@ scpi { + scpi_clocks: clocks { + compatible = "arm,scpi-clocks"; + +- scpi_dvfs: scpi_clocks@0 { ++ scpi_dvfs: clock-controller { + compatible = "arm,scpi-dvfs-clocks"; + #clock-cells = <1>; + clock-indices = <0>; +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-meson-remove-cpu-opps-below-1ghz-for-g12a-.patch b/queue-5.4/arm64-dts-meson-remove-cpu-opps-below-1ghz-for-g12a-.patch new file mode 100644 index 00000000000..dbfc3b860a4 --- /dev/null +++ b/queue-5.4/arm64-dts-meson-remove-cpu-opps-below-1ghz-for-g12a-.patch @@ -0,0 +1,59 @@ +From ad2c4b17a8cbf6015dbba7c8b835332021ded3ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 05:30:31 +0000 +Subject: arm64: dts: meson: remove CPU opps below 1GHz for G12A boards + +From: Christian Hewitt + +[ Upstream commit 3cbd431c2b34d84605d358c8c57654193fd661fb ] + +Amlogic G12A devices experience CPU stalls and random board wedges when +the system idles and CPU cores clock down to lower opp points. Recent +vendor kernels include a change to remove 100-250MHz and other distro +sources also remove the 500/667MHz points. Unless all 100-667Mhz opps +are removed or the CPU governor forced to performance stalls are still +observed, so let's remove them to improve stability and uptime. + +Fixes: b190056fa9ee ("arm64: dts: meson-g12a: add cpus OPP table") +Signed-off-by: Christian Hewitt +Link: https://lore.kernel.org/r/20230119053031.21400-1-christianshewitt@gmail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-g12a.dtsi | 20 -------------------- + 1 file changed, 20 deletions(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12a.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12a.dtsi +index eb5d177d7a999..c8c438c0b429c 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12a.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-g12a.dtsi +@@ -54,26 +54,6 @@ cpu_opp_table: opp-table { + compatible = "operating-points-v2"; + opp-shared; + +- opp-100000000 { +- opp-hz = /bits/ 64 <100000000>; +- opp-microvolt = <731000>; +- }; +- +- opp-250000000 { +- opp-hz = /bits/ 64 <250000000>; +- opp-microvolt = <731000>; +- }; +- +- opp-500000000 { +- opp-hz = /bits/ 64 <500000000>; +- opp-microvolt = <731000>; +- }; +- +- opp-667000000 { +- opp-hz = /bits/ 64 <666666666>; +- opp-microvolt = <731000>; +- }; +- + opp-1000000000 { + opp-hz = /bits/ 64 <1000000000>; + opp-microvolt = <731000>; +-- +2.39.2 + diff --git a/queue-5.4/arm64-dts-qcom-qcs404-use-symbol-names-for-pcie-rese.patch b/queue-5.4/arm64-dts-qcom-qcs404-use-symbol-names-for-pcie-rese.patch new file mode 100644 index 00000000000..38c0f0c4be1 --- /dev/null +++ b/queue-5.4/arm64-dts-qcom-qcs404-use-symbol-names-for-pcie-rese.patch @@ -0,0 +1,58 @@ +From 8a25c9d7684e8b776f2d4194f5a72781582dc01b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Dec 2022 06:21:51 +0200 +Subject: arm64: dts: qcom: qcs404: use symbol names for PCIe resets + +From: Dmitry Baryshkov + +[ Upstream commit 41a37d157a613444c97e8f71a5fb2a21116b70d7 ] + +The commit e5bbbff5b7d7 ("clk: gcc-qcs404: Add PCIe resets") added names +for PCIe resets, but it did not change the existing qcs404.dtsi to use +these names. Do it now and use symbol names to make it easier to check +and modify the dtsi in future. + +Fixes: e5bbbff5b7d7 ("clk: gcc-qcs404: Add PCIe resets") +Reviewed-by: Konrad Dybcio +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221226042154.2666748-14-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/qcs404.dtsi | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/qcs404.dtsi b/arch/arm64/boot/dts/qcom/qcs404.dtsi +index a97eeb4569c00..1eb51b12cfac7 100644 +--- a/arch/arm64/boot/dts/qcom/qcs404.dtsi ++++ b/arch/arm64/boot/dts/qcom/qcs404.dtsi +@@ -533,7 +533,7 @@ pcie_phy: phy@7786000 { + + clocks = <&gcc GCC_PCIE_0_PIPE_CLK>; + resets = <&gcc GCC_PCIEPHY_0_PHY_BCR>, +- <&gcc 21>; ++ <&gcc GCC_PCIE_0_PIPE_ARES>; + reset-names = "phy", "pipe"; + + clock-output-names = "pcie_0_pipe_clk"; +@@ -991,12 +991,12 @@ pcie: pci@10000000 { + <&gcc GCC_PCIE_0_SLV_AXI_CLK>; + clock-names = "iface", "aux", "master_bus", "slave_bus"; + +- resets = <&gcc 18>, +- <&gcc 17>, +- <&gcc 15>, +- <&gcc 19>, ++ resets = <&gcc GCC_PCIE_0_AXI_MASTER_ARES>, ++ <&gcc GCC_PCIE_0_AXI_SLAVE_ARES>, ++ <&gcc GCC_PCIE_0_AXI_MASTER_STICKY_ARES>, ++ <&gcc GCC_PCIE_0_CORE_STICKY_ARES>, + <&gcc GCC_PCIE_0_BCR>, +- <&gcc 16>; ++ <&gcc GCC_PCIE_0_AHB_ARES>; + reset-names = "axi_m", + "axi_s", + "axi_m_sticky", +-- +2.39.2 + diff --git a/queue-5.4/asoc-dapm-declare-missing-structure-prototypes.patch b/queue-5.4/asoc-dapm-declare-missing-structure-prototypes.patch new file mode 100644 index 00000000000..5c94ef65d2d --- /dev/null +++ b/queue-5.4/asoc-dapm-declare-missing-structure-prototypes.patch @@ -0,0 +1,43 @@ +From 5868c2ec92a93c70a8d569267f57db4ce7705bb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Jun 2020 23:35:42 +0800 +Subject: ASoC: dapm: declare missing structure prototypes + +From: Tzung-Bi Shih + +[ Upstream commit 3d62ef4280a377bb2ccaee4e8f6c5093f5b8f9d4 ] + +To fix compilation warnings: + +- struct 'snd_soc_pcm_runtime' declared inside parameter list will not + be visible outside of this definition or declaration +- struct 'soc_enum' declared inside parameter list will not be visible + outside of this definition or declaration + +Declares the missing structure prototypes. + +Signed-off-by: Tzung-Bi Shih +Link: https://lore.kernel.org/r/20200625153543.85039-3-tzungbi@google.com +Signed-off-by: Mark Brown +Stable-dep-of: fdff966bfde7 ("ASoC: soc-dapm.h: fixup warning struct snd_pcm_substream not declared") +Signed-off-by: Sasha Levin +--- + include/sound/soc-dapm.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/include/sound/soc-dapm.h b/include/sound/soc-dapm.h +index 6e8a312253838..8c8988bfef8f4 100644 +--- a/include/sound/soc-dapm.h ++++ b/include/sound/soc-dapm.h +@@ -16,6 +16,8 @@ + #include + + struct device; ++struct snd_soc_pcm_runtime; ++struct soc_enum; + + /* widget has no PM register bit */ + #define SND_SOC_NOPM -1 +-- +2.39.2 + diff --git a/queue-5.4/asoc-fsl_sai-initialize-is_dsp_mode-flag.patch b/queue-5.4/asoc-fsl_sai-initialize-is_dsp_mode-flag.patch new file mode 100644 index 00000000000..6766851585c --- /dev/null +++ b/queue-5.4/asoc-fsl_sai-initialize-is_dsp_mode-flag.patch @@ -0,0 +1,42 @@ +From ed6652e28234245edea19b503e953c3313f0db8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 15:07:54 +0800 +Subject: ASoC: fsl_sai: initialize is_dsp_mode flag + +From: Shengjiu Wang + +[ Upstream commit a23924b7dd7b748fff8e305e1daf590fed2af21b ] + +Initialize is_dsp_mode flag in the beginning of function +fsl_sai_set_dai_fmt_tr(). + +When the DAIFMT is DAIFMT_DSP_B the first time, is_dsp_mode is +true, then the second time DAIFMT is DAIFMT_I2S, is_dsp_mode +still true, which is a wrong state. So need to initialize +is_dsp_mode flag every time. + +Fixes: a3f7dcc9cc03 ("ASoC: fsl-sai: Add SND_SOC_DAIFMT_DSP_A/B support.") +Signed-off-by: Shengjiu Wang +Reviewed-by: Iuliana Prodan +Link: https://lore.kernel.org/r/1673852874-32200-1-git-send-email-shengjiu.wang@nxp.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/fsl_sai.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c +index 027259695551c..f8445231ad782 100644 +--- a/sound/soc/fsl/fsl_sai.c ++++ b/sound/soc/fsl/fsl_sai.c +@@ -212,6 +212,7 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai, + if (!sai->is_lsb_first) + val_cr4 |= FSL_SAI_CR4_MF; + ++ sai->is_dsp_mode = false; + /* DAI mode */ + switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) { + case SND_SOC_DAIFMT_I2S: +-- +2.39.2 + diff --git a/queue-5.4/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch b/queue-5.4/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch new file mode 100644 index 00000000000..990155e87e9 --- /dev/null +++ b/queue-5.4/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch @@ -0,0 +1,50 @@ +From ca9f40513734b001fa1ffc2d25ca9ab01746c464 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 14:41:29 -0800 +Subject: ASoC: kirkwood: Iterate over array indexes instead of using pointer + math + +From: Kees Cook + +[ Upstream commit b3bcedc0402fcdc5c8624c433562d9d1882749d8 ] + +Walking the dram->cs array was seen as accesses beyond the first array +item by the compiler. Instead, use the array index directly. This allows +for run-time bounds checking under CONFIG_UBSAN_BOUNDS as well. Seen +with GCC 13 with -fstrict-flex-arrays: + +../sound/soc/kirkwood/kirkwood-dma.c: In function +'kirkwood_dma_conf_mbus_windows.constprop': +../sound/soc/kirkwood/kirkwood-dma.c:90:24: warning: array subscript 0 is outside array bounds of 'const struct mbus_dram_window[0]' [-Warray-bounds=] + 90 | if ((cs->base & 0xffff0000) < (dma & 0xffff0000)) { + | ~~^~~~~~ + +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: alsa-devel@alsa-project.org +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230127224128.never.410-kees@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/kirkwood/kirkwood-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c +index d2d5c25bf5502..0215d187bdff5 100644 +--- a/sound/soc/kirkwood/kirkwood-dma.c ++++ b/sound/soc/kirkwood/kirkwood-dma.c +@@ -86,7 +86,7 @@ kirkwood_dma_conf_mbus_windows(void __iomem *base, int win, + + /* try to find matching cs for current dma address */ + for (i = 0; i < dram->num_cs; i++) { +- const struct mbus_dram_window *cs = dram->cs + i; ++ const struct mbus_dram_window *cs = &dram->cs[i]; + if ((cs->base & 0xffff0000) < (dma & 0xffff0000)) { + writel(cs->base & 0xffff0000, + base + KIRKWOOD_AUDIO_WIN_BASE_REG(win)); +-- +2.39.2 + diff --git a/queue-5.4/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch b/queue-5.4/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch new file mode 100644 index 00000000000..1fed6e72f3b --- /dev/null +++ b/queue-5.4/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch @@ -0,0 +1,41 @@ +From e5b1d960f07c8a61bbcb08b625fb95ccca5863d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 23:17:20 +0000 +Subject: ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress() + +From: Kuninori Morimoto + +[ Upstream commit ffe4c0f0bfaa571a676a0e946d4a6a0607f94294 ] + +commit d3268a40d4b19f ("ASoC: soc-compress.c: fix NULL dereference") +enables DPCM capture, but it should independent from playback. +This patch fixup it. + +Fixes: d3268a40d4b1 ("ASoC: soc-compress.c: fix NULL dereference") +Link: https://lore.kernel.org/r/87tu0i6j7j.wl-kuninori.morimoto.gx@renesas.com +Acked-by: Charles Keepax +Acked-by: Pierre-Louis Bossart +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/871qnkvo1s.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-compress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c +index da6e40aef7b6e..1e37bb7436ecc 100644 +--- a/sound/soc/soc-compress.c ++++ b/sound/soc/soc-compress.c +@@ -927,7 +927,7 @@ int snd_soc_new_compress(struct snd_soc_pcm_runtime *rtd, int num) + rtd->fe_compr = 1; + if (rtd->dai_link->dpcm_playback) + be_pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream->private_data = rtd; +- else if (rtd->dai_link->dpcm_capture) ++ if (rtd->dai_link->dpcm_capture) + be_pcm->streams[SNDRV_PCM_STREAM_CAPTURE].substream->private_data = rtd; + memcpy(compr->ops, &soc_compr_dyn_ops, sizeof(soc_compr_dyn_ops)); + } else { +-- +2.39.2 + diff --git a/queue-5.4/asoc-soc-dapm.h-fixup-warning-struct-snd_pcm_substre.patch b/queue-5.4/asoc-soc-dapm.h-fixup-warning-struct-snd_pcm_substre.patch new file mode 100644 index 00000000000..6acc4b0c234 --- /dev/null +++ b/queue-5.4/asoc-soc-dapm.h-fixup-warning-struct-snd_pcm_substre.patch @@ -0,0 +1,37 @@ +From 517d3be0dc42cfe4cd3d996d3be75ff081dcc82b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 13:28:51 +0000 +Subject: ASoC: soc-dapm.h: fixup warning struct snd_pcm_substream not declared + +From: Lucas Tanure + +[ Upstream commit fdff966bfde7cf0c85562d2bfb1ff1ba83da5f7b ] + +Add struct snd_pcm_substream forward declaration + +Fixes: 078a85f2806f ("ASoC: dapm: Only power up active channels from a DAI") +Signed-off-by: Lucas Tanure +Reviewed-by: Charles Keepax +Reviewed-by: AngeloGioacchino Del Regno +Link: https://lore.kernel.org/r/20230215132851.1626881-1-lucas.tanure@collabora.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/sound/soc-dapm.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/sound/soc-dapm.h b/include/sound/soc-dapm.h +index 8c8988bfef8f4..659400d40873d 100644 +--- a/include/sound/soc-dapm.h ++++ b/include/sound/soc-dapm.h +@@ -16,6 +16,7 @@ + #include + + struct device; ++struct snd_pcm_substream; + struct snd_soc_pcm_runtime; + struct soc_enum; + +-- +2.39.2 + diff --git a/queue-5.4/ath9k-hif_usb-simplify-if-if-to-if-else.patch b/queue-5.4/ath9k-hif_usb-simplify-if-if-to-if-else.patch new file mode 100644 index 00000000000..55760a34ddc --- /dev/null +++ b/queue-5.4/ath9k-hif_usb-simplify-if-if-to-if-else.patch @@ -0,0 +1,44 @@ +From d1bfc674c51db3dfdd00a7a54232bcd83022aec6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Apr 2022 10:37:32 +0300 +Subject: ath9k: hif_usb: simplify if-if to if-else +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wan Jiabing + +[ Upstream commit 2950833f10cfa601813262e1d9c8473f9415681b ] + +Use if and else instead of if(A) and if (!A). + +Signed-off-by: Wan Jiabing +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220424094441.104937-1-wanjiabing@vivo.com +Stable-dep-of: 0af54343a762 ("wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 8a18a33b5b59f..15c8b512a1d9f 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -368,10 +368,9 @@ static int __hif_usb_tx(struct hif_device_usb *hif_dev) + __skb_queue_head_init(&tx_buf->skb_queue); + list_move_tail(&tx_buf->list, &hif_dev->tx.tx_buf); + hif_dev->tx.tx_buf_cnt++; +- } +- +- if (!ret) ++ } else { + TX_STAT_INC(buf_queued); ++ } + + return ret; + } +-- +2.39.2 + diff --git a/queue-5.4/ath9k-htc-clean-up-statistics-macros.patch b/queue-5.4/ath9k-htc-clean-up-statistics-macros.patch new file mode 100644 index 00000000000..b1cca99747d --- /dev/null +++ b/queue-5.4/ath9k-htc-clean-up-statistics-macros.patch @@ -0,0 +1,232 @@ +From ad94484c24d12b1ebe4e0e9de34f43e837c4242f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 21:44:07 +0300 +Subject: ath9k: htc: clean up statistics macros +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavel Skripkin + +[ Upstream commit d7fc76039b74ad37b7056d5607b05d7cb31a5404 ] + +I've changed *STAT_* macros a bit in previous patch and I seems like +they become really unreadable. Align these macros definitions to make +code cleaner and fix folllowing checkpatch warning + +ERROR: Macros with complex values should be enclosed in parentheses + +Also, statistics macros now accept an hif_dev as argument, since +macros that depend on having a local variable with a magic name +don't abide by the coding style. + +No functional change + +Suggested-by: Jeff Johnson +Signed-off-by: Pavel Skripkin +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/ebb2306d06a496cd1b032155ae52fdc5fa8cc2c5.1655145743.git.paskripkin@gmail.com +Stable-dep-of: 0af54343a762 ("wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 26 +++++++-------- + drivers/net/wireless/ath/ath9k/htc.h | 32 +++++++++++-------- + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 +++--- + 3 files changed, 36 insertions(+), 32 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 15c8b512a1d9f..f68e47f9b01e2 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -244,11 +244,11 @@ static inline void ath9k_skb_queue_complete(struct hif_device_usb *hif_dev, + ath9k_htc_txcompletion_cb(hif_dev->htc_handle, + skb, txok); + if (txok) { +- TX_STAT_INC(skb_success); +- TX_STAT_ADD(skb_success_bytes, ln); ++ TX_STAT_INC(hif_dev, skb_success); ++ TX_STAT_ADD(hif_dev, skb_success_bytes, ln); + } + else +- TX_STAT_INC(skb_failed); ++ TX_STAT_INC(hif_dev, skb_failed); + } + } + +@@ -302,7 +302,7 @@ static void hif_usb_tx_cb(struct urb *urb) + hif_dev->tx.tx_buf_cnt++; + if (!(hif_dev->tx.flags & HIF_USB_TX_STOP)) + __hif_usb_tx(hif_dev); /* Check for pending SKBs */ +- TX_STAT_INC(buf_completed); ++ TX_STAT_INC(hif_dev, buf_completed); + spin_unlock(&hif_dev->tx.tx_lock); + } + +@@ -353,7 +353,7 @@ static int __hif_usb_tx(struct hif_device_usb *hif_dev) + tx_buf->len += tx_buf->offset; + + __skb_queue_tail(&tx_buf->skb_queue, nskb); +- TX_STAT_INC(skb_queued); ++ TX_STAT_INC(hif_dev, skb_queued); + } + + usb_fill_bulk_urb(tx_buf->urb, hif_dev->udev, +@@ -369,7 +369,7 @@ static int __hif_usb_tx(struct hif_device_usb *hif_dev) + list_move_tail(&tx_buf->list, &hif_dev->tx.tx_buf); + hif_dev->tx.tx_buf_cnt++; + } else { +- TX_STAT_INC(buf_queued); ++ TX_STAT_INC(hif_dev, buf_queued); + } + + return ret; +@@ -514,7 +514,7 @@ static void hif_usb_sta_drain(void *hif_handle, u8 idx) + ath9k_htc_txcompletion_cb(hif_dev->htc_handle, + skb, false); + hif_dev->tx.tx_skb_cnt--; +- TX_STAT_INC(skb_failed); ++ TX_STAT_INC(hif_dev, skb_failed); + } + } + +@@ -585,14 +585,14 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + pkt_tag = get_unaligned_le16(ptr + index + 2); + + if (pkt_tag != ATH_USB_RX_STREAM_MODE_TAG) { +- RX_STAT_INC(skb_dropped); ++ RX_STAT_INC(hif_dev, skb_dropped); + return; + } + + if (pkt_len > 2 * MAX_RX_BUF_SIZE) { + dev_err(&hif_dev->udev->dev, + "ath9k_htc: invalid pkt_len (%x)\n", pkt_len); +- RX_STAT_INC(skb_dropped); ++ RX_STAT_INC(hif_dev, skb_dropped); + return; + } + +@@ -618,7 +618,7 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + goto err; + } + skb_reserve(nskb, 32); +- RX_STAT_INC(skb_allocated); ++ RX_STAT_INC(hif_dev, skb_allocated); + + memcpy(nskb->data, &(skb->data[chk_idx+4]), + hif_dev->rx_transfer_len); +@@ -639,7 +639,7 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + goto err; + } + skb_reserve(nskb, 32); +- RX_STAT_INC(skb_allocated); ++ RX_STAT_INC(hif_dev, skb_allocated); + + memcpy(nskb->data, &(skb->data[chk_idx+4]), pkt_len); + skb_put(nskb, pkt_len); +@@ -649,10 +649,10 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + + err: + for (i = 0; i < pool_index; i++) { +- RX_STAT_ADD(skb_completed_bytes, skb_pool[i]->len); ++ RX_STAT_ADD(hif_dev, skb_completed_bytes, skb_pool[i]->len); + ath9k_htc_rx_msg(hif_dev->htc_handle, skb_pool[i], + skb_pool[i]->len, USB_WLAN_RX_PIPE); +- RX_STAT_INC(skb_completed); ++ RX_STAT_INC(hif_dev, skb_completed); + } + } + +diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h +index 81107100e3682..655238a59ee03 100644 +--- a/drivers/net/wireless/ath/ath9k/htc.h ++++ b/drivers/net/wireless/ath/ath9k/htc.h +@@ -325,14 +325,18 @@ static inline struct ath9k_htc_tx_ctl *HTC_SKB_CB(struct sk_buff *skb) + } + + #ifdef CONFIG_ATH9K_HTC_DEBUGFS +-#define __STAT_SAFE(expr) (hif_dev->htc_handle->drv_priv ? (expr) : 0) +-#define TX_STAT_INC(c) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.tx_stats.c++) +-#define TX_STAT_ADD(c, a) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.tx_stats.c += a) +-#define RX_STAT_INC(c) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c++) +-#define RX_STAT_ADD(c, a) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c += a) +-#define CAB_STAT_INC priv->debug.tx_stats.cab_queued++ +- +-#define TX_QSTAT_INC(q) (priv->debug.tx_stats.queue_stats[q]++) ++#define __STAT_SAFE(hif_dev, expr) ((hif_dev)->htc_handle->drv_priv ? (expr) : 0) ++#define CAB_STAT_INC(priv) ((priv)->debug.tx_stats.cab_queued++) ++#define TX_QSTAT_INC(priv, q) ((priv)->debug.tx_stats.queue_stats[q]++) ++ ++#define TX_STAT_INC(hif_dev, c) \ ++ __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.tx_stats.c++) ++#define TX_STAT_ADD(hif_dev, c, a) \ ++ __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.tx_stats.c += a) ++#define RX_STAT_INC(hif_dev, c) \ ++ __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.skbrx_stats.c++) ++#define RX_STAT_ADD(hif_dev, c, a) \ ++ __STAT_SAFE((hif_dev), (hif_dev)->htc_handle->drv_priv->debug.skbrx_stats.c += a) + + void ath9k_htc_err_stat_rx(struct ath9k_htc_priv *priv, + struct ath_rx_status *rs); +@@ -372,13 +376,13 @@ void ath9k_htc_get_et_stats(struct ieee80211_hw *hw, + struct ethtool_stats *stats, u64 *data); + #else + +-#define TX_STAT_INC(c) do { } while (0) +-#define TX_STAT_ADD(c, a) do { } while (0) +-#define RX_STAT_INC(c) do { } while (0) +-#define RX_STAT_ADD(c, a) do { } while (0) +-#define CAB_STAT_INC do { } while (0) ++#define TX_STAT_INC(hif_dev, c) ++#define TX_STAT_ADD(hif_dev, c, a) ++#define RX_STAT_INC(hif_dev, c) ++#define RX_STAT_ADD(hif_dev, c, a) + +-#define TX_QSTAT_INC(c) do { } while (0) ++#define CAB_STAT_INC(priv) ++#define TX_QSTAT_INC(priv, c) + + static inline void ath9k_htc_err_stat_rx(struct ath9k_htc_priv *priv, + struct ath_rx_status *rs) +diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +index eeaf63de71bfd..ee021738bef02 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -106,20 +106,20 @@ static inline enum htc_endpoint_id get_htc_epid(struct ath9k_htc_priv *priv, + + switch (qnum) { + case 0: +- TX_QSTAT_INC(IEEE80211_AC_VO); ++ TX_QSTAT_INC(priv, IEEE80211_AC_VO); + epid = priv->data_vo_ep; + break; + case 1: +- TX_QSTAT_INC(IEEE80211_AC_VI); ++ TX_QSTAT_INC(priv, IEEE80211_AC_VI); + epid = priv->data_vi_ep; + break; + case 2: +- TX_QSTAT_INC(IEEE80211_AC_BE); ++ TX_QSTAT_INC(priv, IEEE80211_AC_BE); + epid = priv->data_be_ep; + break; + case 3: + default: +- TX_QSTAT_INC(IEEE80211_AC_BK); ++ TX_QSTAT_INC(priv, IEEE80211_AC_BK); + epid = priv->data_bk_ep; + break; + } +@@ -323,7 +323,7 @@ static void ath9k_htc_tx_data(struct ath9k_htc_priv *priv, + memcpy(tx_fhdr, (u8 *) &tx_hdr, sizeof(tx_hdr)); + + if (is_cab) { +- CAB_STAT_INC; ++ CAB_STAT_INC(priv); + tx_ctl->epid = priv->cab_ep; + return; + } +-- +2.39.2 + diff --git a/queue-5.4/blk-iocost-fix-divide-by-0-error-in-calc_lcoefs.patch b/queue-5.4/blk-iocost-fix-divide-by-0-error-in-calc_lcoefs.patch new file mode 100644 index 00000000000..c3b0a9e4d88 --- /dev/null +++ b/queue-5.4/blk-iocost-fix-divide-by-0-error-in-calc_lcoefs.patch @@ -0,0 +1,70 @@ +From 7b076b42af80e238a1476a626c628fe9181970bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 15:08:05 +0800 +Subject: blk-iocost: fix divide by 0 error in calc_lcoefs() + +From: Li Nan + +[ Upstream commit 984af1e66b4126cf145153661cc24c213e2ec231 ] + +echo max of u64 to cost.model can cause divide by 0 error. + + # echo 8:0 rbps=18446744073709551615 > /sys/fs/cgroup/io.cost.model + + divide error: 0000 [#1] PREEMPT SMP + RIP: 0010:calc_lcoefs+0x4c/0xc0 + Call Trace: + + ioc_refresh_params+0x2b3/0x4f0 + ioc_cost_model_write+0x3cb/0x4c0 + ? _copy_from_iter+0x6d/0x6c0 + ? kernfs_fop_write_iter+0xfc/0x270 + cgroup_file_write+0xa0/0x200 + kernfs_fop_write_iter+0x17d/0x270 + vfs_write+0x414/0x620 + ksys_write+0x73/0x160 + __x64_sys_write+0x1e/0x30 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +calc_lcoefs() uses the input value of cost.model in DIV_ROUND_UP_ULL, +overflow would happen if bps plus IOC_PAGE_SIZE is greater than +ULLONG_MAX, it can cause divide by 0 error. + +Fix the problem by setting basecost + +Signed-off-by: Li Nan +Signed-off-by: Yu Kuai +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20230117070806.3857142-5-yukuai1@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-iocost.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/block/blk-iocost.c b/block/blk-iocost.c +index ef287c33d6d97..4fdc8858a69a9 100644 +--- a/block/blk-iocost.c ++++ b/block/blk-iocost.c +@@ -785,9 +785,14 @@ static void calc_lcoefs(u64 bps, u64 seqiops, u64 randiops, + + *page = *seqio = *randio = 0; + +- if (bps) +- *page = DIV64_U64_ROUND_UP(VTIME_PER_SEC, +- DIV_ROUND_UP_ULL(bps, IOC_PAGE_SIZE)); ++ if (bps) { ++ u64 bps_pages = DIV_ROUND_UP_ULL(bps, IOC_PAGE_SIZE); ++ ++ if (bps_pages) ++ *page = DIV64_U64_ROUND_UP(VTIME_PER_SEC, bps_pages); ++ else ++ *page = 1; ++ } + + if (seqiops) { + v = DIV64_U64_ROUND_UP(VTIME_PER_SEC, seqiops); +-- +2.39.2 + diff --git a/queue-5.4/blk-mq-correct-stale-comment-of-.get_budget.patch b/queue-5.4/blk-mq-correct-stale-comment-of-.get_budget.patch new file mode 100644 index 00000000000..1342228326e --- /dev/null +++ b/queue-5.4/blk-mq-correct-stale-comment-of-.get_budget.patch @@ -0,0 +1,49 @@ +From e64ee059fcc2a85999bb621ac5b1285379f7308a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 17:37:26 +0800 +Subject: blk-mq: correct stale comment of .get_budget + +From: Kemeng Shi + +[ Upstream commit 01542f651a9f58a9b176c3d3dc3eefbacee53b78 ] + +Commit 88022d7201e96 ("blk-mq: don't handle failure in .get_budget") +remove BLK_STS_RESOURCE return value and we only check if we can get +the budget from .get_budget() now. +Correct stale comment that ".get_budget() returns BLK_STS_NO_RESOURCE" +to ".get_budget() fails to get the budget". + +Fixes: 88022d7201e9 ("blk-mq: don't handle failure in .get_budget") +Signed-off-by: Kemeng Shi +Reviewed-by: Christoph Hellwig +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-sched.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c +index 31d1e7150192e..126a9a6355948 100644 +--- a/block/blk-mq-sched.c ++++ b/block/blk-mq-sched.c +@@ -91,7 +91,7 @@ void blk_mq_sched_restart(struct blk_mq_hw_ctx *hctx) + /* + * Only SCSI implements .get_budget and .put_budget, and SCSI restarts + * its queue by itself in its completion handler, so we don't need to +- * restart queue if .get_budget() returns BLK_STS_NO_RESOURCE. ++ * restart queue if .get_budget() fails to get the budget. + * + * Returns -EAGAIN if hctx->dispatch was found non-empty and run_work has to + * be run again. This is necessary to avoid starving flushes. +@@ -148,7 +148,7 @@ static struct blk_mq_ctx *blk_mq_next_ctx(struct blk_mq_hw_ctx *hctx, + /* + * Only SCSI implements .get_budget and .put_budget, and SCSI restarts + * its queue by itself in its completion handler, so we don't need to +- * restart queue if .get_budget() returns BLK_STS_NO_RESOURCE. ++ * restart queue if .get_budget() fails to get the budget. + * + * Returns -EAGAIN if hctx->dispatch was found non-empty and run_work has to + * to be run again. This is necessary to avoid starving flushes. +-- +2.39.2 + diff --git a/queue-5.4/blk-mq-remove-stale-comment-for-blk_mq_sched_mark_re.patch b/queue-5.4/blk-mq-remove-stale-comment-for-blk_mq_sched_mark_re.patch new file mode 100644 index 00000000000..493e94a610f --- /dev/null +++ b/queue-5.4/blk-mq-remove-stale-comment-for-blk_mq_sched_mark_re.patch @@ -0,0 +1,41 @@ +From 4a44ff3496be7418dee5b33c7b3e7ca174965e6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 17:37:14 +0800 +Subject: blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx + +From: Kemeng Shi + +[ Upstream commit c31e76bcc379182fe67a82c618493b7b8868c672 ] + +Commit 97889f9ac24f8 ("blk-mq: remove synchronize_rcu() from +blk_mq_del_queue_tag_set()") remove handle of TAG_SHARED in restart, +then shared_hctx_restart counted for how many hardware queues are marked +for restart is removed too. +Remove the stale comment that we still count hardware queues need restart. + +Fixes: 97889f9ac24f ("blk-mq: remove synchronize_rcu() from blk_mq_del_queue_tag_set()") +Reviewed-by: Christoph Hellwig +Signed-off-by: Kemeng Shi +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-sched.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c +index 2e1afd3559b28..31d1e7150192e 100644 +--- a/block/blk-mq-sched.c ++++ b/block/blk-mq-sched.c +@@ -59,8 +59,7 @@ void blk_mq_sched_assign_ioc(struct request *rq) + } + + /* +- * Mark a hardware queue as needing a restart. For shared queues, maintain +- * a count of how many hardware queues are marked for restart. ++ * Mark a hardware queue as needing a restart. + */ + void blk_mq_sched_mark_restart_hctx(struct blk_mq_hw_ctx *hctx) + { +-- +2.39.2 + diff --git a/queue-5.4/blk-mq-wait-on-correct-sbitmap_queue-in-blk_mq_mark_.patch b/queue-5.4/blk-mq-wait-on-correct-sbitmap_queue-in-blk_mq_mark_.patch new file mode 100644 index 00000000000..f70a5c6223d --- /dev/null +++ b/queue-5.4/blk-mq-wait-on-correct-sbitmap_queue-in-blk_mq_mark_.patch @@ -0,0 +1,53 @@ +From 748d32e1d793e736693bc5afd2dbff0e5aa1ef6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 17:37:15 +0800 +Subject: blk-mq: wait on correct sbitmap_queue in blk_mq_mark_tag_wait + +From: Kemeng Shi + +[ Upstream commit 98b99e9412d0cde8c7b442bf5efb09528a2ede8b ] + +For shared queues case, we will only wait on bitmap_tags if we fail to get +driver tag. However, rq could be from breserved_tags, then two problems +will occur: +1. io hung if no tag is currently allocated from bitmap_tags. +2. unnecessary wakeup when tag is freed to bitmap_tags while no tag is +freed to breserved_tags. +Wait on the bitmap which rq from to fix this. + +Fixes: f906a6a0f426 ("blk-mq: improve tag waiting setup for non-shared tags") +Reviewed-by: Christoph Hellwig +Signed-off-by: Kemeng Shi +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 84798d09ca464..325a5944b4cb2 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1112,7 +1112,7 @@ static int blk_mq_dispatch_wake(wait_queue_entry_t *wait, unsigned mode, + static bool blk_mq_mark_tag_wait(struct blk_mq_hw_ctx *hctx, + struct request *rq) + { +- struct sbitmap_queue *sbq = &hctx->tags->bitmap_tags; ++ struct sbitmap_queue *sbq; + struct wait_queue_head *wq; + wait_queue_entry_t *wait; + bool ret; +@@ -1135,6 +1135,10 @@ static bool blk_mq_mark_tag_wait(struct blk_mq_hw_ctx *hctx, + if (!list_empty_careful(&wait->entry)) + return false; + ++ if (blk_mq_tag_is_reserved(rq->mq_hctx->sched_tags, rq->internal_tag)) ++ sbq = &hctx->tags->breserved_tags; ++ else ++ sbq = &hctx->tags->bitmap_tags; + wq = &bt_wait_ptr(sbq, hctx)->wait; + + spin_lock_irq(&wq->lock); +-- +2.39.2 + diff --git a/queue-5.4/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch b/queue-5.4/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch new file mode 100644 index 00000000000..a61c33855f8 --- /dev/null +++ b/queue-5.4/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch @@ -0,0 +1,44 @@ +From 0a0ba547d728e984e215858c018e554916407f3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 12:18:01 -0500 +Subject: block: bio-integrity: Copy flags when bio_integrity_payload is cloned + +From: Martin K. Petersen + +[ Upstream commit b6a4bdcda430e3ca43bbb9cb1d4d4d34ebe15c40 ] + +Make sure to copy the flags when a bio_integrity_payload is cloned. +Otherwise per-I/O properties such as IP checksum flag will not be +passed down to the HBA driver. Since the integrity buffer is owned by +the original bio, the BIP_BLOCK_INTEGRITY flag needs to be masked off +to avoid a double free in the completion path. + +Fixes: aae7df50190a ("block: Integrity checksum flag") +Fixes: b1f01388574c ("block: Relocate bio integrity flags") +Reported-by: Saurav Kashyap +Tested-by: Saurav Kashyap +Signed-off-by: Martin K. Petersen +Reviewed-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/r/20230215171801.21062-1-martin.petersen@oracle.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio-integrity.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/bio-integrity.c b/block/bio-integrity.c +index ec295be93ca0d..247f7c480e662 100644 +--- a/block/bio-integrity.c ++++ b/block/bio-integrity.c +@@ -424,6 +424,7 @@ int bio_integrity_clone(struct bio *bio, struct bio *bio_src, + + bip->bip_vcnt = bip_src->bip_vcnt; + bip->bip_iter = bip_src->bip_iter; ++ bip->bip_flags = bip_src->bip_flags & ~BIP_BLOCK_INTEGRITY; + + return 0; + } +-- +2.39.2 + diff --git a/queue-5.4/block-limit-number-of-items-taken-from-the-i-o-sched.patch b/queue-5.4/block-limit-number-of-items-taken-from-the-i-o-sched.patch new file mode 100644 index 00000000000..a7993b44829 --- /dev/null +++ b/queue-5.4/block-limit-number-of-items-taken-from-the-i-o-sched.patch @@ -0,0 +1,180 @@ +From f6e243577ef0837013c37f0dfe108b8958313ab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Apr 2020 08:03:21 -0700 +Subject: block: Limit number of items taken from the I/O scheduler in one go + +From: Salman Qazi + +[ Upstream commit 28d65729b050977d8a9125e6726871e83bd22124 ] + +Flushes bypass the I/O scheduler and get added to hctx->dispatch +in blk_mq_sched_bypass_insert. This can happen while a kworker is running +hctx->run_work work item and is past the point in +blk_mq_sched_dispatch_requests where hctx->dispatch is checked. + +The blk_mq_do_dispatch_sched call is not guaranteed to end in bounded time, +because the I/O scheduler can feed an arbitrary number of commands. + +Since we have only one hctx->run_work, the commands waiting in +hctx->dispatch will wait an arbitrary length of time for run_work to be +rerun. + +A similar phenomenon exists with dispatches from the software queue. + +The solution is to poll hctx->dispatch in blk_mq_do_dispatch_sched and +blk_mq_do_dispatch_ctx and return from the run_work handler and let it +rerun. + +Signed-off-by: Salman Qazi +Reviewed-by: Ming Lei +Signed-off-by: Jens Axboe +Stable-dep-of: c31e76bcc379 ("blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx") +Signed-off-by: Sasha Levin +--- + block/blk-mq-sched.c | 64 +++++++++++++++++++++++++++++++++++--------- + 1 file changed, 51 insertions(+), 13 deletions(-) + +diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c +index f422c7feea7e0..2e1afd3559b28 100644 +--- a/block/blk-mq-sched.c ++++ b/block/blk-mq-sched.c +@@ -93,12 +93,16 @@ void blk_mq_sched_restart(struct blk_mq_hw_ctx *hctx) + * Only SCSI implements .get_budget and .put_budget, and SCSI restarts + * its queue by itself in its completion handler, so we don't need to + * restart queue if .get_budget() returns BLK_STS_NO_RESOURCE. ++ * ++ * Returns -EAGAIN if hctx->dispatch was found non-empty and run_work has to ++ * be run again. This is necessary to avoid starving flushes. + */ +-static void blk_mq_do_dispatch_sched(struct blk_mq_hw_ctx *hctx) ++static int blk_mq_do_dispatch_sched(struct blk_mq_hw_ctx *hctx) + { + struct request_queue *q = hctx->queue; + struct elevator_queue *e = q->elevator; + LIST_HEAD(rq_list); ++ int ret = 0; + + do { + struct request *rq; +@@ -106,6 +110,11 @@ static void blk_mq_do_dispatch_sched(struct blk_mq_hw_ctx *hctx) + if (e->type->ops.has_work && !e->type->ops.has_work(hctx)) + break; + ++ if (!list_empty_careful(&hctx->dispatch)) { ++ ret = -EAGAIN; ++ break; ++ } ++ + if (!blk_mq_get_dispatch_budget(hctx)) + break; + +@@ -122,6 +131,8 @@ static void blk_mq_do_dispatch_sched(struct blk_mq_hw_ctx *hctx) + */ + list_add(&rq->queuelist, &rq_list); + } while (blk_mq_dispatch_rq_list(q, &rq_list, true)); ++ ++ return ret; + } + + static struct blk_mq_ctx *blk_mq_next_ctx(struct blk_mq_hw_ctx *hctx, +@@ -139,16 +150,25 @@ static struct blk_mq_ctx *blk_mq_next_ctx(struct blk_mq_hw_ctx *hctx, + * Only SCSI implements .get_budget and .put_budget, and SCSI restarts + * its queue by itself in its completion handler, so we don't need to + * restart queue if .get_budget() returns BLK_STS_NO_RESOURCE. ++ * ++ * Returns -EAGAIN if hctx->dispatch was found non-empty and run_work has to ++ * to be run again. This is necessary to avoid starving flushes. + */ +-static void blk_mq_do_dispatch_ctx(struct blk_mq_hw_ctx *hctx) ++static int blk_mq_do_dispatch_ctx(struct blk_mq_hw_ctx *hctx) + { + struct request_queue *q = hctx->queue; + LIST_HEAD(rq_list); + struct blk_mq_ctx *ctx = READ_ONCE(hctx->dispatch_from); ++ int ret = 0; + + do { + struct request *rq; + ++ if (!list_empty_careful(&hctx->dispatch)) { ++ ret = -EAGAIN; ++ break; ++ } ++ + if (!sbitmap_any_bit_set(&hctx->ctx_map)) + break; + +@@ -174,21 +194,17 @@ static void blk_mq_do_dispatch_ctx(struct blk_mq_hw_ctx *hctx) + } while (blk_mq_dispatch_rq_list(q, &rq_list, true)); + + WRITE_ONCE(hctx->dispatch_from, ctx); ++ return ret; + } + +-void blk_mq_sched_dispatch_requests(struct blk_mq_hw_ctx *hctx) ++int __blk_mq_sched_dispatch_requests(struct blk_mq_hw_ctx *hctx) + { + struct request_queue *q = hctx->queue; + struct elevator_queue *e = q->elevator; + const bool has_sched_dispatch = e && e->type->ops.dispatch_request; ++ int ret = 0; + LIST_HEAD(rq_list); + +- /* RCU or SRCU read lock is needed before checking quiesced flag */ +- if (unlikely(blk_mq_hctx_stopped(hctx) || blk_queue_quiesced(q))) +- return; +- +- hctx->run++; +- + /* + * If we have previous entries on our dispatch list, grab them first for + * more fair dispatch. +@@ -217,19 +233,41 @@ void blk_mq_sched_dispatch_requests(struct blk_mq_hw_ctx *hctx) + blk_mq_sched_mark_restart_hctx(hctx); + if (blk_mq_dispatch_rq_list(q, &rq_list, false)) { + if (has_sched_dispatch) +- blk_mq_do_dispatch_sched(hctx); ++ ret = blk_mq_do_dispatch_sched(hctx); + else +- blk_mq_do_dispatch_ctx(hctx); ++ ret = blk_mq_do_dispatch_ctx(hctx); + } + } else if (has_sched_dispatch) { +- blk_mq_do_dispatch_sched(hctx); ++ ret = blk_mq_do_dispatch_sched(hctx); + } else if (hctx->dispatch_busy) { + /* dequeue request one by one from sw queue if queue is busy */ +- blk_mq_do_dispatch_ctx(hctx); ++ ret = blk_mq_do_dispatch_ctx(hctx); + } else { + blk_mq_flush_busy_ctxs(hctx, &rq_list); + blk_mq_dispatch_rq_list(q, &rq_list, false); + } ++ ++ return ret; ++} ++ ++void blk_mq_sched_dispatch_requests(struct blk_mq_hw_ctx *hctx) ++{ ++ struct request_queue *q = hctx->queue; ++ ++ /* RCU or SRCU read lock is needed before checking quiesced flag */ ++ if (unlikely(blk_mq_hctx_stopped(hctx) || blk_queue_quiesced(q))) ++ return; ++ ++ hctx->run++; ++ ++ /* ++ * A return of -EAGAIN is an indication that hctx->dispatch is not ++ * empty and we must run again in order to avoid starving flushes. ++ */ ++ if (__blk_mq_sched_dispatch_requests(hctx) == -EAGAIN) { ++ if (__blk_mq_sched_dispatch_requests(hctx) == -EAGAIN) ++ blk_mq_run_hw_queue(hctx, true); ++ } + } + + bool blk_mq_sched_try_merge(struct request_queue *q, struct bio *bio, +-- +2.39.2 + diff --git a/queue-5.4/bluetooth-l2cap-fix-potential-user-after-free.patch b/queue-5.4/bluetooth-l2cap-fix-potential-user-after-free.patch new file mode 100644 index 00000000000..623548c7e5b --- /dev/null +++ b/queue-5.4/bluetooth-l2cap-fix-potential-user-after-free.patch @@ -0,0 +1,93 @@ +From a08a0d6d5efed7092f63628d11cbae37a5f499f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 14:01:11 -0800 +Subject: Bluetooth: L2CAP: Fix potential user-after-free + +From: Luiz Augusto von Dentz + +[ Upstream commit df5703348813235874d851934e957c3723d71644 ] + +This fixes all instances of which requires to allocate a buffer calling +alloc_skb which may release the chan lock and reacquire later which +makes it possible that the chan is disconnected in the meantime. + +Fixes: a6a5568c03c4 ("Bluetooth: Lock the L2CAP channel when sending") +Reported-by: Alexander Coffin +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 24 ------------------------ + net/bluetooth/l2cap_sock.c | 8 ++++++++ + 2 files changed, 8 insertions(+), 24 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 0e51ed3412ef3..4f286c76a50d4 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -2526,14 +2526,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) + if (IS_ERR(skb)) + return PTR_ERR(skb); + +- /* Channel lock is released before requesting new skb and then +- * reacquired thus we need to recheck channel state. +- */ +- if (chan->state != BT_CONNECTED) { +- kfree_skb(skb); +- return -ENOTCONN; +- } +- + l2cap_do_send(chan, skb); + return len; + } +@@ -2577,14 +2569,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) + if (IS_ERR(skb)) + return PTR_ERR(skb); + +- /* Channel lock is released before requesting new skb and then +- * reacquired thus we need to recheck channel state. +- */ +- if (chan->state != BT_CONNECTED) { +- kfree_skb(skb); +- return -ENOTCONN; +- } +- + l2cap_do_send(chan, skb); + err = len; + break; +@@ -2605,14 +2589,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) + */ + err = l2cap_segment_sdu(chan, &seg_queue, msg, len); + +- /* The channel could have been closed while segmenting, +- * check that it is still connected. +- */ +- if (chan->state != BT_CONNECTED) { +- __skb_queue_purge(&seg_queue); +- err = -ENOTCONN; +- } +- + if (err) + break; + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 08e9f332adad3..0fa5ced767a24 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1433,6 +1433,14 @@ static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, + if (!skb) + return ERR_PTR(err); + ++ /* Channel lock is released before requesting new skb and then ++ * reacquired thus we need to recheck channel state. ++ */ ++ if (chan->state != BT_CONNECTED) { ++ kfree_skb(skb); ++ return ERR_PTR(-ENOTCONN); ++ } ++ + skb->priority = sk->sk_priority; + + bt_cb(skb)->l2cap.chan = chan; +-- +2.39.2 + diff --git a/queue-5.4/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch b/queue-5.4/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch new file mode 100644 index 00000000000..1021c0165e3 --- /dev/null +++ b/queue-5.4/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch @@ -0,0 +1,49 @@ +From c1dcb2b6962f0abfbe8fff59718fb704e1bfa170 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 20:04:48 +0100 +Subject: can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case + of a bus error + +From: Frank Jungclaus + +[ Upstream commit 118469f88180438ef43dee93d71f77c00e7b425d ] + +Move the supply for cf->data[3] (bit stream position of CAN error), in +case of a bus- or protocol-error, outside of the "switch (ecc & +SJA1000_ECC_MASK){}"-statement, because this bit stream position is +independent of the error type. + +Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") +Signed-off-by: Frank Jungclaus +Link: https://lore.kernel.org/all/20230216190450.3901254-2-frank.jungclaus@esd.eu +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/esd_usb2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c +index 73c5343e609bc..c9ccce6c60b46 100644 +--- a/drivers/net/can/usb/esd_usb2.c ++++ b/drivers/net/can/usb/esd_usb2.c +@@ -278,7 +278,6 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv, + cf->data[2] |= CAN_ERR_PROT_STUFF; + break; + default: +- cf->data[3] = ecc & SJA1000_ECC_SEG; + break; + } + +@@ -286,6 +285,9 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv, + if (!(ecc & SJA1000_ECC_DIR)) + cf->data[2] |= CAN_ERR_PROT_TX; + ++ /* Bit stream position in CAN frame as the error was detected */ ++ cf->data[3] = ecc & SJA1000_ECC_SEG; ++ + if (priv->can.state == CAN_STATE_ERROR_WARNING || + priv->can.state == CAN_STATE_ERROR_PASSIVE) { + cf->data[1] = (txerr > rxerr) ? +-- +2.39.2 + diff --git a/queue-5.4/cifs-fix-lost-destroy-smbd-connection-when-mr-alloca.patch b/queue-5.4/cifs-fix-lost-destroy-smbd-connection-when-mr-alloca.patch new file mode 100644 index 00000000000..dfc65c86f9a --- /dev/null +++ b/queue-5.4/cifs-fix-lost-destroy-smbd-connection-when-mr-alloca.patch @@ -0,0 +1,42 @@ +From 8d04ba853f714a71d55db593770f7b7a5afd5975 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 16:42:07 +0800 +Subject: cifs: Fix lost destroy smbd connection when MR allocate failed + +From: Zhang Xiaoxu + +[ Upstream commit e9d3401d95d62a9531082cd2453ed42f2740e3fd ] + +If the MR allocate failed, the smb direct connection info is NULL, +then smbd_destroy() will directly return, then the connection info +will be leaked. + +Let's set the smb direct connection info to the server before call +smbd_destroy(). + +Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration") +Signed-off-by: Zhang Xiaoxu +Acked-by: Paulo Alcantara (SUSE) +Reviewed-by: David Howells +Reviewed-by: Tom Talpey +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smbdirect.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c +index 2cea6c25d1b0e..66265e7303cd4 100644 +--- a/fs/cifs/smbdirect.c ++++ b/fs/cifs/smbdirect.c +@@ -1784,6 +1784,7 @@ static struct smbd_connection *_smbd_get_connection( + + allocate_mr_failed: + /* At this point, need to a full transport shutdown */ ++ server->smbd_conn = info; + smbd_destroy(server); + return NULL; + +-- +2.39.2 + diff --git a/queue-5.4/cifs-fix-warning-and-uaf-when-destroy-the-mr-list.patch b/queue-5.4/cifs-fix-warning-and-uaf-when-destroy-the-mr-list.patch new file mode 100644 index 00000000000..586ef728dfe --- /dev/null +++ b/queue-5.4/cifs-fix-warning-and-uaf-when-destroy-the-mr-list.patch @@ -0,0 +1,133 @@ +From 50d76ca9f2cd82dcbc8dc6e8d41deb8294eb9979 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 16:42:08 +0800 +Subject: cifs: Fix warning and UAF when destroy the MR list + +From: Zhang Xiaoxu + +[ Upstream commit 3e161c2791f8e661eed24a2c624087084d910215 ] + +If the MR allocate failed, the MR recovery work not initialized +and list not cleared. Then will be warning and UAF when release +the MR: + + WARNING: CPU: 4 PID: 824 at kernel/workqueue.c:3066 __flush_work.isra.0+0xf7/0x110 + CPU: 4 PID: 824 Comm: mount.cifs Not tainted 6.1.0-rc5+ #82 + RIP: 0010:__flush_work.isra.0+0xf7/0x110 + Call Trace: + + __cancel_work_timer+0x2ba/0x2e0 + smbd_destroy+0x4e1/0x990 + _smbd_get_connection+0x1cbd/0x2110 + smbd_get_connection+0x21/0x40 + cifs_get_tcp_session+0x8ef/0xda0 + mount_get_conns+0x60/0x750 + cifs_mount+0x103/0xd00 + cifs_smb3_do_mount+0x1dd/0xcb0 + smb3_get_tree+0x1d5/0x300 + vfs_get_tree+0x41/0xf0 + path_mount+0x9b3/0xdd0 + __x64_sys_mount+0x190/0x1d0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + BUG: KASAN: use-after-free in smbd_destroy+0x4fc/0x990 + Read of size 8 at addr ffff88810b156a08 by task mount.cifs/824 + CPU: 4 PID: 824 Comm: mount.cifs Tainted: G W 6.1.0-rc5+ #82 + Call Trace: + dump_stack_lvl+0x34/0x44 + print_report+0x171/0x472 + kasan_report+0xad/0x130 + smbd_destroy+0x4fc/0x990 + _smbd_get_connection+0x1cbd/0x2110 + smbd_get_connection+0x21/0x40 + cifs_get_tcp_session+0x8ef/0xda0 + mount_get_conns+0x60/0x750 + cifs_mount+0x103/0xd00 + cifs_smb3_do_mount+0x1dd/0xcb0 + smb3_get_tree+0x1d5/0x300 + vfs_get_tree+0x41/0xf0 + path_mount+0x9b3/0xdd0 + __x64_sys_mount+0x190/0x1d0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + Allocated by task 824: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + __kasan_kmalloc+0x7a/0x90 + _smbd_get_connection+0x1b6f/0x2110 + smbd_get_connection+0x21/0x40 + cifs_get_tcp_session+0x8ef/0xda0 + mount_get_conns+0x60/0x750 + cifs_mount+0x103/0xd00 + cifs_smb3_do_mount+0x1dd/0xcb0 + smb3_get_tree+0x1d5/0x300 + vfs_get_tree+0x41/0xf0 + path_mount+0x9b3/0xdd0 + __x64_sys_mount+0x190/0x1d0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + Freed by task 824: + kasan_save_stack+0x1e/0x40 + kasan_set_track+0x21/0x30 + kasan_save_free_info+0x2a/0x40 + ____kasan_slab_free+0x143/0x1b0 + __kmem_cache_free+0xc8/0x330 + _smbd_get_connection+0x1c6a/0x2110 + smbd_get_connection+0x21/0x40 + cifs_get_tcp_session+0x8ef/0xda0 + mount_get_conns+0x60/0x750 + cifs_mount+0x103/0xd00 + cifs_smb3_do_mount+0x1dd/0xcb0 + smb3_get_tree+0x1d5/0x300 + vfs_get_tree+0x41/0xf0 + path_mount+0x9b3/0xdd0 + __x64_sys_mount+0x190/0x1d0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Let's initialize the MR recovery work before MR allocate to prevent +the warning, remove the MRs from the list to prevent the UAF. + +Fixes: c7398583340a ("CIFS: SMBD: Implement RDMA memory registration") +Acked-by: Paulo Alcantara (SUSE) +Reviewed-by: Tom Talpey +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smbdirect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/smbdirect.c b/fs/cifs/smbdirect.c +index 66265e7303cd4..2f2a1d980cdf4 100644 +--- a/fs/cifs/smbdirect.c ++++ b/fs/cifs/smbdirect.c +@@ -2348,6 +2348,7 @@ static int allocate_mr_list(struct smbd_connection *info) + atomic_set(&info->mr_ready_count, 0); + atomic_set(&info->mr_used_count, 0); + init_waitqueue_head(&info->wait_for_mr_cleanup); ++ INIT_WORK(&info->mr_recovery_work, smbd_mr_recovery_work); + /* Allocate more MRs (2x) than hardware responder_resources */ + for (i = 0; i < info->responder_resources * 2; i++) { + smbdirect_mr = kzalloc(sizeof(*smbdirect_mr), GFP_KERNEL); +@@ -2376,13 +2377,13 @@ static int allocate_mr_list(struct smbd_connection *info) + list_add_tail(&smbdirect_mr->list, &info->mr_list); + atomic_inc(&info->mr_ready_count); + } +- INIT_WORK(&info->mr_recovery_work, smbd_mr_recovery_work); + return 0; + + out: + kfree(smbdirect_mr); + + list_for_each_entry_safe(smbdirect_mr, tmp, &info->mr_list, list) { ++ list_del(&smbdirect_mr->list); + ib_dereg_mr(smbdirect_mr->mr); + kfree(smbdirect_mr->sgl); + kfree(smbdirect_mr); +-- +2.39.2 + diff --git a/queue-5.4/clk-honor-clk_ops_parent_enable-in-clk_core_is_enabl.patch b/queue-5.4/clk-honor-clk_ops_parent_enable-in-clk_core_is_enabl.patch new file mode 100644 index 00000000000..0dee018e3be --- /dev/null +++ b/queue-5.4/clk-honor-clk_ops_parent_enable-in-clk_core_is_enabl.patch @@ -0,0 +1,68 @@ +From 43829fe0f5795394a39c143a9e5b76c12ca4d049 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jan 2023 17:23:30 +0800 +Subject: clk: Honor CLK_OPS_PARENT_ENABLE in clk_core_is_enabled() + +From: Chen-Yu Tsai + +[ Upstream commit 79200d5851c8e7179f68a4a6f162d8f1bde4986f ] + +In the previous commits that added CLK_OPS_PARENT_ENABLE, support for +this flag was only added to rate change operations (rate setting and +reparent) and disabling unused subtree. It was not added to the +clock gate related operations. Any hardware driver that needs it for +these operations will either see bogus results, or worse, hang. + +This has been seen on MT8192 and MT8195, where the imp_ii2_* clk +drivers set this, but dumping debugfs clk_summary would cause it +to hang. + +Prepare parent on prepare and enable parent on enable dependencies are +already handled automatically by the core as part of its sequencing. +Whether the case for "enable parent on prepare" should be supported by +this flag or not is not clear, and thus ignored for now. + +This change solely fixes the handling of clk_core_is_enabled, i.e. +enabling the parent clock when reading the hardware state. Unfortunately +clk_core_is_enabled is called in a variety of places, sometimes with +the enable clock already held. To avoid deadlocking, the core will +ignore readouts and just return false if CLK_OPS_PARENT_ENABLE is set +but the parent isn't currently enabled. + +Fixes: fc8726a2c021 ("clk: core: support clocks which requires parents enable (part 2)") +Fixes: a4b3518d146f ("clk: core: support clocks which requires parents enable (part 1)") +Signed-off-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20230103092330.494102-1-wenst@chromium.org +Tested-by: AngeloGioacchino Del Regno +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c +index c002f83adf573..1c73668b43755 100644 +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -251,6 +251,17 @@ static bool clk_core_is_enabled(struct clk_core *core) + } + } + ++ /* ++ * This could be called with the enable lock held, or from atomic ++ * context. If the parent isn't enabled already, we can't do ++ * anything here. We can also assume this clock isn't enabled. ++ */ ++ if ((core->flags & CLK_OPS_PARENT_ENABLE) && core->parent) ++ if (!clk_core_is_enabled(core->parent)) { ++ ret = false; ++ goto done; ++ } ++ + ret = core->ops->is_enabled(core->hw); + done: + if (core->rpm_enabled) +-- +2.39.2 + diff --git a/queue-5.4/clk-qcom-gcc-qcs404-disable-gpll-04-_out_aux-parents.patch b/queue-5.4/clk-qcom-gcc-qcs404-disable-gpll-04-_out_aux-parents.patch new file mode 100644 index 00000000000..1e430a572f0 --- /dev/null +++ b/queue-5.4/clk-qcom-gcc-qcs404-disable-gpll-04-_out_aux-parents.patch @@ -0,0 +1,146 @@ +From 5ae49a2fe6521a09942ed5816368168984c24fd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Dec 2022 06:21:43 +0200 +Subject: clk: qcom: gcc-qcs404: disable gpll[04]_out_aux parents + +From: Dmitry Baryshkov + +[ Upstream commit 712c64caf31374de57aa193a9dff57172b2f6f82 ] + +On the QCS404 platform the driver for the Global Clock Controller +doens't define gpll0_out_aux and gpll4_out_aux clocks, so it's not +possible to use them as parents. Remove entries for these clocks. + +Note: backporting this patch to earlier kernels would also require a +previous patch which switches the gcc driver to use ARRAY_SIZE for +parent data arrays. + +Fixes: 652f1813c113 ("clk: qcom: gcc: Add global clock controller driver for QCS404") +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221226042154.2666748-6-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-qcs404.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-qcs404.c b/drivers/clk/qcom/gcc-qcs404.c +index bd32212f37e64..265e774d63476 100644 +--- a/drivers/clk/qcom/gcc-qcs404.c ++++ b/drivers/clk/qcom/gcc-qcs404.c +@@ -25,11 +25,9 @@ enum { + P_CORE_BI_PLL_TEST_SE, + P_DSI0_PHY_PLL_OUT_BYTECLK, + P_DSI0_PHY_PLL_OUT_DSICLK, +- P_GPLL0_OUT_AUX, + P_GPLL0_OUT_MAIN, + P_GPLL1_OUT_MAIN, + P_GPLL3_OUT_MAIN, +- P_GPLL4_OUT_AUX, + P_GPLL4_OUT_MAIN, + P_GPLL6_OUT_AUX, + P_HDMI_PHY_PLL_CLK, +@@ -109,28 +107,24 @@ static const char * const gcc_parent_names_4[] = { + static const struct parent_map gcc_parent_map_5[] = { + { P_XO, 0 }, + { P_DSI0_PHY_PLL_OUT_BYTECLK, 1 }, +- { P_GPLL0_OUT_AUX, 2 }, + { P_CORE_BI_PLL_TEST_SE, 7 }, + }; + + static const char * const gcc_parent_names_5[] = { + "cxo", + "dsi0pll_byteclk_src", +- "gpll0_out_aux", + "core_bi_pll_test_se", + }; + + static const struct parent_map gcc_parent_map_6[] = { + { P_XO, 0 }, + { P_DSI0_PHY_PLL_OUT_BYTECLK, 2 }, +- { P_GPLL0_OUT_AUX, 3 }, + { P_CORE_BI_PLL_TEST_SE, 7 }, + }; + + static const char * const gcc_parent_names_6[] = { + "cxo", + "dsi0_phy_pll_out_byteclk", +- "gpll0_out_aux", + "core_bi_pll_test_se", + }; + +@@ -139,7 +133,6 @@ static const struct parent_map gcc_parent_map_7[] = { + { P_GPLL0_OUT_MAIN, 1 }, + { P_GPLL3_OUT_MAIN, 2 }, + { P_GPLL6_OUT_AUX, 3 }, +- { P_GPLL4_OUT_AUX, 4 }, + { P_CORE_BI_PLL_TEST_SE, 7 }, + }; + +@@ -148,7 +141,6 @@ static const char * const gcc_parent_names_7[] = { + "gpll0_out_main", + "gpll3_out_main", + "gpll6_out_aux", +- "gpll4_out_aux", + "core_bi_pll_test_se", + }; + +@@ -207,14 +199,12 @@ static const char * const gcc_parent_names_11[] = { + static const struct parent_map gcc_parent_map_12[] = { + { P_XO, 0 }, + { P_DSI0_PHY_PLL_OUT_DSICLK, 1 }, +- { P_GPLL0_OUT_AUX, 2 }, + { P_CORE_BI_PLL_TEST_SE, 7 }, + }; + + static const char * const gcc_parent_names_12[] = { + "cxo", + "dsi0pll_pclk_src", +- "gpll0_out_aux", + "core_bi_pll_test_se", + }; + +@@ -237,40 +227,34 @@ static const char * const gcc_parent_names_13[] = { + static const struct parent_map gcc_parent_map_14[] = { + { P_XO, 0 }, + { P_GPLL0_OUT_MAIN, 1 }, +- { P_GPLL4_OUT_AUX, 2 }, + { P_CORE_BI_PLL_TEST_SE, 7 }, + }; + + static const char * const gcc_parent_names_14[] = { + "cxo", + "gpll0_out_main", +- "gpll4_out_aux", + "core_bi_pll_test_se", + }; + + static const struct parent_map gcc_parent_map_15[] = { + { P_XO, 0 }, +- { P_GPLL0_OUT_AUX, 2 }, + { P_CORE_BI_PLL_TEST_SE, 7 }, + }; + + static const char * const gcc_parent_names_15[] = { + "cxo", +- "gpll0_out_aux", + "core_bi_pll_test_se", + }; + + static const struct parent_map gcc_parent_map_16[] = { + { P_XO, 0 }, + { P_GPLL0_OUT_MAIN, 1 }, +- { P_GPLL0_OUT_AUX, 2 }, + { P_CORE_BI_PLL_TEST_SE, 7 }, + }; + + static const char * const gcc_parent_names_16[] = { + "cxo", + "gpll0_out_main", +- "gpll0_out_aux", + "core_bi_pll_test_se", + }; + +-- +2.39.2 + diff --git a/queue-5.4/clk-qcom-gcc-qcs404-fix-names-of-the-dsi-clocks-used.patch b/queue-5.4/clk-qcom-gcc-qcs404-fix-names-of-the-dsi-clocks-used.patch new file mode 100644 index 00000000000..9b652551c0d --- /dev/null +++ b/queue-5.4/clk-qcom-gcc-qcs404-fix-names-of-the-dsi-clocks-used.patch @@ -0,0 +1,66 @@ +From c22736b3b1b3184d417f3fec09bfc8151be5ec5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Dec 2022 06:21:44 +0200 +Subject: clk: qcom: gcc-qcs404: fix names of the DSI clocks used as parents + +From: Dmitry Baryshkov + +[ Upstream commit 47d94d30cd3dcc743241b4208b1eec7247610c84 ] + +The QCS404 uses 28nm LPM DSI PHY, which registers dsi0pll and +dsi0pllbyte clocks. Fix all DSI PHY clock names used as parents inside +the GCC driver. + +Fixes: 652f1813c113 ("clk: qcom: gcc: Add global clock controller driver for QCS404") +Reviewed-by: Konrad Dybcio +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20221226042154.2666748-7-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gcc-qcs404.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/clk/qcom/gcc-qcs404.c b/drivers/clk/qcom/gcc-qcs404.c +index 265e774d63476..5982253b03307 100644 +--- a/drivers/clk/qcom/gcc-qcs404.c ++++ b/drivers/clk/qcom/gcc-qcs404.c +@@ -112,7 +112,7 @@ static const struct parent_map gcc_parent_map_5[] = { + + static const char * const gcc_parent_names_5[] = { + "cxo", +- "dsi0pll_byteclk_src", ++ "dsi0pllbyte", + "core_bi_pll_test_se", + }; + +@@ -124,7 +124,7 @@ static const struct parent_map gcc_parent_map_6[] = { + + static const char * const gcc_parent_names_6[] = { + "cxo", +- "dsi0_phy_pll_out_byteclk", ++ "dsi0pllbyte", + "core_bi_pll_test_se", + }; + +@@ -167,7 +167,7 @@ static const struct parent_map gcc_parent_map_9[] = { + static const char * const gcc_parent_names_9[] = { + "cxo", + "gpll0_out_main", +- "dsi0_phy_pll_out_dsiclk", ++ "dsi0pll", + "gpll6_out_aux", + "core_bi_pll_test_se", + }; +@@ -204,7 +204,7 @@ static const struct parent_map gcc_parent_map_12[] = { + + static const char * const gcc_parent_names_12[] = { + "cxo", +- "dsi0pll_pclk_src", ++ "dsi0pll", + "core_bi_pll_test_se", + }; + +-- +2.39.2 + diff --git a/queue-5.4/clk-qcom-gpucc-sdm845-fix-clk_dis_wait-being-program.patch b/queue-5.4/clk-qcom-gpucc-sdm845-fix-clk_dis_wait-being-program.patch new file mode 100644 index 00000000000..2169ec881b7 --- /dev/null +++ b/queue-5.4/clk-qcom-gpucc-sdm845-fix-clk_dis_wait-being-program.patch @@ -0,0 +1,63 @@ +From be171fe44b81a754508494a2b65e54148967e1e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 19:23:05 +0200 +Subject: clk: qcom: gpucc-sdm845: fix clk_dis_wait being programmed for CX + GDSC + +From: Dmitry Baryshkov + +[ Upstream commit cb81719e3c1165ef1bc33137dc628f750eed8ea4 ] + +The gdsc_init() function will rewrite the CLK_DIS_WAIT field while +registering the GDSC (writing the value 0x2 by default). This will +override the setting done in the driver's probe function. + +Set cx_gdsc.clk_dis_wait_val to 8 to follow the intention of the probe +function. + +Fixes: 453361cdd757 ("clk: qcom: Add graphics clock controller driver for SDM845") +Reviewed-by: Stephen Boyd +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Konrad Dybcio +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230201172305.993146-2-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/gpucc-sdm845.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/clk/qcom/gpucc-sdm845.c b/drivers/clk/qcom/gpucc-sdm845.c +index e40efba1bf7d4..7a116f62168bd 100644 +--- a/drivers/clk/qcom/gpucc-sdm845.c ++++ b/drivers/clk/qcom/gpucc-sdm845.c +@@ -22,8 +22,6 @@ + #define CX_GMU_CBCR_SLEEP_SHIFT 4 + #define CX_GMU_CBCR_WAKE_MASK 0xf + #define CX_GMU_CBCR_WAKE_SHIFT 8 +-#define CLK_DIS_WAIT_SHIFT 12 +-#define CLK_DIS_WAIT_MASK (0xf << CLK_DIS_WAIT_SHIFT) + + enum { + P_BI_TCXO, +@@ -124,6 +122,7 @@ static struct clk_branch gpu_cc_cxo_clk = { + static struct gdsc gpu_cx_gdsc = { + .gdscr = 0x106c, + .gds_hw_ctrl = 0x1540, ++ .clk_dis_wait_val = 0x8, + .pd = { + .name = "gpu_cx_gdsc", + }, +@@ -221,10 +220,6 @@ static int gpu_cc_sdm845_probe(struct platform_device *pdev) + value = 0xf << CX_GMU_CBCR_WAKE_SHIFT | 0xf << CX_GMU_CBCR_SLEEP_SHIFT; + regmap_update_bits(regmap, 0x1098, mask, value); + +- /* Configure clk_dis_wait for gpu_cx_gdsc */ +- regmap_update_bits(regmap, 0x106c, CLK_DIS_WAIT_MASK, +- 8 << CLK_DIS_WAIT_SHIFT); +- + return qcom_cc_really_probe(pdev, &gpu_cc_sdm845_desc, regmap); + } + +-- +2.39.2 + diff --git a/queue-5.4/clk-renesas-cpg-mssr-fix-use-after-free-if-cpg_mssr_.patch b/queue-5.4/clk-renesas-cpg-mssr-fix-use-after-free-if-cpg_mssr_.patch new file mode 100644 index 00000000000..4b1a3273169 --- /dev/null +++ b/queue-5.4/clk-renesas-cpg-mssr-fix-use-after-free-if-cpg_mssr_.patch @@ -0,0 +1,50 @@ +From 1079e5cd6c5febd1b88ff605ea99bbcf5403ab92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Dec 2022 17:40:17 +0300 +Subject: clk: renesas: cpg-mssr: Fix use after free if cpg_mssr_common_init() + failed + +From: Alexey Khoroshilov + +[ Upstream commit fbfd614aeaa2853c2c575299dfe2458db8eff67e ] + +If cpg_mssr_common_init() fails after assigning priv to global variable +cpg_mssr_priv, it deallocates priv, but cpg_mssr_priv keeps dangling +pointer that potentially can be used later. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 1f7db7bbf031 ("clk: renesas: cpg-mssr: Add early clock support") +Signed-off-by: Alexey Khoroshilov +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/1671806417-32623-1-git-send-email-khoroshilov@ispras.ru +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/renesas-cpg-mssr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c +index 6f9612c169afe..9ffd1bf80b6a3 100644 +--- a/drivers/clk/renesas/renesas-cpg-mssr.c ++++ b/drivers/clk/renesas/renesas-cpg-mssr.c +@@ -907,7 +907,6 @@ static int __init cpg_mssr_common_init(struct device *dev, + goto out_err; + } + +- cpg_mssr_priv = priv; + priv->num_core_clks = info->num_total_core_clks; + priv->num_mod_clks = info->num_hw_mod_clks; + priv->last_dt_core_clk = info->last_dt_core_clk; +@@ -921,6 +920,8 @@ static int __init cpg_mssr_common_init(struct device *dev, + if (error) + goto out_err; + ++ cpg_mssr_priv = priv; ++ + return 0; + + out_err: +-- +2.39.2 + diff --git a/queue-5.4/clk-renesas-cpg-mssr-remove-superfluous-check-in-res.patch b/queue-5.4/clk-renesas-cpg-mssr-remove-superfluous-check-in-res.patch new file mode 100644 index 00000000000..2fd2f68f949 --- /dev/null +++ b/queue-5.4/clk-renesas-cpg-mssr-remove-superfluous-check-in-res.patch @@ -0,0 +1,40 @@ +From 2fdb2d34e34ae5aaa3c93869caaca961cc621d32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 09:23:34 +0100 +Subject: clk: renesas: cpg-mssr: Remove superfluous check in resume code + +From: Geert Uytterhoeven + +[ Upstream commit 1c052043c79af5f70e80e2acd4dd70904ae08666 ] + +When the code flow arrives at printing the error message in +cpg_mssr_resume_noirq(), we know for sure that we are not running on an +RZ/A Soc, as the code checked for that before. + +Fixes: ace342097768e35f ("clk: renesas: cpg-mssr: Fix STBCR suspend/resume handling") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/144a3e66d748c0c17f3524ac8fa6ece5bf5b6f1e.1673425314.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/renesas-cpg-mssr.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c +index fd9ca86cc60f6..d0ccb52b02703 100644 +--- a/drivers/clk/renesas/renesas-cpg-mssr.c ++++ b/drivers/clk/renesas/renesas-cpg-mssr.c +@@ -862,9 +862,8 @@ static int cpg_mssr_resume_noirq(struct device *dev) + } + + if (!i) +- dev_warn(dev, "Failed to enable %s%u[0x%x]\n", +- priv->reg_layout == CLK_REG_LAYOUT_RZ_A ? +- "STB" : "SMSTP", reg, oldval & mask); ++ dev_warn(dev, "Failed to enable SMSTP%u[0x%x]\n", reg, ++ oldval & mask); + } + + return 0; +-- +2.39.2 + diff --git a/queue-5.4/clk-renesas-cpg-mssr-use-enum-clk_reg_layout-instead.patch b/queue-5.4/clk-renesas-cpg-mssr-use-enum-clk_reg_layout-instead.patch new file mode 100644 index 00000000000..af24df11849 --- /dev/null +++ b/queue-5.4/clk-renesas-cpg-mssr-use-enum-clk_reg_layout-instead.patch @@ -0,0 +1,214 @@ +From 8e86f28765b9d2c6079eb69d01a07baee077d883 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 16:43:49 +0900 +Subject: clk: renesas: cpg-mssr: Use enum clk_reg_layout instead of a boolean + flag + +From: Yoshihiro Shimoda + +[ Upstream commit ffbf9cf3f9460e320c3f1a90a51145da86c16781 ] + +Geert suggested defining multiple register layout variants using an enum +[1] to support further devices like R-Car V3U. So, use enum +clk_reg_layout instead of a boolean .stbyctrl flag. No behavioral +change. + +[1] https://lore.kernel.org/linux-renesas-soc/CAMuHMdVAgN69p9FFnQdO4iHk2CHkeNaVui2Q-FOY6_BFVjQ-Nw@mail.gmail.com/ + +Signed-off-by: Yoshihiro Shimoda +Link: https://lore.kernel.org/r/1599810232-29035-2-git-send-email-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Geert Uytterhoeven +Stable-dep-of: 1c052043c79a ("clk: renesas: cpg-mssr: Remove superfluous check in resume code") +Signed-off-by: Sasha Levin +--- + drivers/clk/renesas/r7s9210-cpg-mssr.c | 2 +- + drivers/clk/renesas/renesas-cpg-mssr.c | 27 +++++++++++++------------- + drivers/clk/renesas/renesas-cpg-mssr.h | 12 +++++++----- + 3 files changed, 22 insertions(+), 19 deletions(-) + +diff --git a/drivers/clk/renesas/r7s9210-cpg-mssr.c b/drivers/clk/renesas/r7s9210-cpg-mssr.c +index cf65d4e0e1166..2772eb0b8ba76 100644 +--- a/drivers/clk/renesas/r7s9210-cpg-mssr.c ++++ b/drivers/clk/renesas/r7s9210-cpg-mssr.c +@@ -213,7 +213,7 @@ const struct cpg_mssr_info r7s9210_cpg_mssr_info __initconst = { + .cpg_clk_register = rza2_cpg_clk_register, + + /* RZ/A2 has Standby Control Registers */ +- .stbyctrl = true, ++ .reg_layout = CLK_REG_LAYOUT_RZ_A, + }; + + static void __init r7s9210_cpg_mssr_early_init(struct device_node *np) +diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c +index 9ffd1bf80b6a3..fd9ca86cc60f6 100644 +--- a/drivers/clk/renesas/renesas-cpg-mssr.c ++++ b/drivers/clk/renesas/renesas-cpg-mssr.c +@@ -111,12 +111,12 @@ static const u16 srcr[] = { + * @rcdev: Optional reset controller entity + * @dev: CPG/MSSR device + * @base: CPG/MSSR register block base address ++ * @reg_layout: CPG/MSSR register layout + * @rmw_lock: protects RMW register accesses + * @np: Device node in DT for this CPG/MSSR module + * @num_core_clks: Number of Core Clocks in clks[] + * @num_mod_clks: Number of Module Clocks in clks[] + * @last_dt_core_clk: ID of the last Core Clock exported to DT +- * @stbyctrl: This device has Standby Control Registers + * @notifiers: Notifier chain to save/restore clock state for system resume + * @smstpcr_saved[].mask: Mask of SMSTPCR[] bits under our control + * @smstpcr_saved[].val: Saved values of SMSTPCR[] +@@ -128,13 +128,13 @@ struct cpg_mssr_priv { + #endif + struct device *dev; + void __iomem *base; ++ enum clk_reg_layout reg_layout; + spinlock_t rmw_lock; + struct device_node *np; + + unsigned int num_core_clks; + unsigned int num_mod_clks; + unsigned int last_dt_core_clk; +- bool stbyctrl; + + struct raw_notifier_head notifiers; + struct { +@@ -177,7 +177,7 @@ static int cpg_mstp_clock_endisable(struct clk_hw *hw, bool enable) + enable ? "ON" : "OFF"); + spin_lock_irqsave(&priv->rmw_lock, flags); + +- if (priv->stbyctrl) { ++ if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A) { + value = readb(priv->base + STBCR(reg)); + if (enable) + value &= ~bitmask; +@@ -199,7 +199,7 @@ static int cpg_mstp_clock_endisable(struct clk_hw *hw, bool enable) + + spin_unlock_irqrestore(&priv->rmw_lock, flags); + +- if (!enable || priv->stbyctrl) ++ if (!enable || priv->reg_layout == CLK_REG_LAYOUT_RZ_A) + return 0; + + for (i = 1000; i > 0; --i) { +@@ -233,7 +233,7 @@ static int cpg_mstp_clock_is_enabled(struct clk_hw *hw) + struct cpg_mssr_priv *priv = clock->priv; + u32 value; + +- if (priv->stbyctrl) ++ if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A) + value = readb(priv->base + STBCR(clock->index / 32)); + else + value = readl(priv->base + MSTPSR(clock->index / 32)); +@@ -272,7 +272,7 @@ struct clk *cpg_mssr_clk_src_twocell_get(struct of_phandle_args *clkspec, + + case CPG_MOD: + type = "module"; +- if (priv->stbyctrl) { ++ if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A) { + idx = MOD_CLK_PACK_10(clkidx); + range_check = 7 - (clkidx % 10); + } else { +@@ -800,7 +800,8 @@ static int cpg_mssr_suspend_noirq(struct device *dev) + /* Save module registers with bits under our control */ + for (reg = 0; reg < ARRAY_SIZE(priv->smstpcr_saved); reg++) { + if (priv->smstpcr_saved[reg].mask) +- priv->smstpcr_saved[reg].val = priv->stbyctrl ? ++ priv->smstpcr_saved[reg].val = ++ priv->reg_layout == CLK_REG_LAYOUT_RZ_A ? + readb(priv->base + STBCR(reg)) : + readl(priv->base + SMSTPCR(reg)); + } +@@ -830,7 +831,7 @@ static int cpg_mssr_resume_noirq(struct device *dev) + if (!mask) + continue; + +- if (priv->stbyctrl) ++ if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A) + oldval = readb(priv->base + STBCR(reg)); + else + oldval = readl(priv->base + SMSTPCR(reg)); +@@ -839,7 +840,7 @@ static int cpg_mssr_resume_noirq(struct device *dev) + if (newval == oldval) + continue; + +- if (priv->stbyctrl) { ++ if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A) { + writeb(newval, priv->base + STBCR(reg)); + /* dummy read to ensure write has completed */ + readb(priv->base + STBCR(reg)); +@@ -862,8 +863,8 @@ static int cpg_mssr_resume_noirq(struct device *dev) + + if (!i) + dev_warn(dev, "Failed to enable %s%u[0x%x]\n", +- priv->stbyctrl ? "STB" : "SMSTP", reg, +- oldval & mask); ++ priv->reg_layout == CLK_REG_LAYOUT_RZ_A ? ++ "STB" : "SMSTP", reg, oldval & mask); + } + + return 0; +@@ -911,7 +912,7 @@ static int __init cpg_mssr_common_init(struct device *dev, + priv->num_mod_clks = info->num_hw_mod_clks; + priv->last_dt_core_clk = info->last_dt_core_clk; + RAW_INIT_NOTIFIER_HEAD(&priv->notifiers); +- priv->stbyctrl = info->stbyctrl; ++ priv->reg_layout = info->reg_layout; + + for (i = 0; i < nclks; i++) + priv->clks[i] = ERR_PTR(-ENOENT); +@@ -991,7 +992,7 @@ static int __init cpg_mssr_probe(struct platform_device *pdev) + return error; + + /* Reset Controller not supported for Standby Control SoCs */ +- if (info->stbyctrl) ++ if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A) + return 0; + + error = cpg_mssr_reset_controller_register(priv); +diff --git a/drivers/clk/renesas/renesas-cpg-mssr.h b/drivers/clk/renesas/renesas-cpg-mssr.h +index 4ddcdf3bfb95f..f05521b5fa6e2 100644 +--- a/drivers/clk/renesas/renesas-cpg-mssr.h ++++ b/drivers/clk/renesas/renesas-cpg-mssr.h +@@ -85,6 +85,11 @@ struct mssr_mod_clk { + + struct device_node; + ++enum clk_reg_layout { ++ CLK_REG_LAYOUT_RCAR_GEN2_AND_GEN3 = 0, ++ CLK_REG_LAYOUT_RZ_A, ++}; ++ + /** + * SoC-specific CPG/MSSR Description + * +@@ -105,6 +110,7 @@ struct device_node; + * @crit_mod_clks: Array with Module Clock IDs of critical clocks that + * should not be disabled without a knowledgeable driver + * @num_crit_mod_clks: Number of entries in crit_mod_clks[] ++ * @reg_layout: CPG/MSSR register layout from enum clk_reg_layout + * + * @core_pm_clks: Array with IDs of Core Clocks that are suitable for Power + * Management, in addition to Module Clocks +@@ -112,10 +118,6 @@ struct device_node; + * + * @init: Optional callback to perform SoC-specific initialization + * @cpg_clk_register: Optional callback to handle special Core Clock types +- * +- * @stbyctrl: This device has Standby Control Registers which are 8-bits +- * wide, no status registers (MSTPSR) and have different address +- * offsets. + */ + + struct cpg_mssr_info { +@@ -130,7 +132,7 @@ struct cpg_mssr_info { + unsigned int num_core_clks; + unsigned int last_dt_core_clk; + unsigned int num_total_core_clks; +- bool stbyctrl; ++ enum clk_reg_layout reg_layout; + + /* Module Clocks */ + const struct mssr_mod_clk *mod_clks; +-- +2.39.2 + diff --git a/queue-5.4/coda-avoid-partial-allocation-of-sig_inputargs.patch b/queue-5.4/coda-avoid-partial-allocation-of-sig_inputargs.patch new file mode 100644 index 00000000000..f081a839d96 --- /dev/null +++ b/queue-5.4/coda-avoid-partial-allocation-of-sig_inputargs.patch @@ -0,0 +1,46 @@ +From 8423904479c52d332be6b8a00012ae073c1fc611 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 14:39:21 -0800 +Subject: coda: Avoid partial allocation of sig_inputArgs + +From: Kees Cook + +[ Upstream commit 48df133578c70185a95a49390d42df1996ddba2a ] + +GCC does not like having a partially allocated object, since it cannot +reason about it for bounds checking when it is passed to other code. +Instead, fully allocate sig_inputArgs. (Alternatively, sig_inputArgs +should be defined as a struct coda_in_hdr, if it is actually not using +any other part of the union.) Seen under GCC 13: + +../fs/coda/upcall.c: In function 'coda_upcall': +../fs/coda/upcall.c:801:22: warning: array subscript 'union inputArgs[0]' is partly outside array bounds of 'unsigned char[20]' [-Warray-bounds=] + 801 | sig_inputArgs->ih.opcode = CODA_SIGNAL; + | ^~ + +Cc: Jan Harkes +Cc: coda@cs.cmu.edu +Cc: codalist@coda.cs.cmu.edu +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230127223921.never.882-kees@kernel.org +Signed-off-by: Sasha Levin +--- + fs/coda/upcall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/coda/upcall.c b/fs/coda/upcall.c +index eb3b1898da462..610484c90260b 100644 +--- a/fs/coda/upcall.c ++++ b/fs/coda/upcall.c +@@ -790,7 +790,7 @@ static int coda_upcall(struct venus_comm *vcp, + sig_req = kmalloc(sizeof(struct upc_req), GFP_KERNEL); + if (!sig_req) goto exit; + +- sig_inputArgs = kvzalloc(sizeof(struct coda_in_hdr), GFP_KERNEL); ++ sig_inputArgs = kvzalloc(sizeof(*sig_inputArgs), GFP_KERNEL); + if (!sig_inputArgs) { + kfree(sig_req); + goto exit; +-- +2.39.2 + diff --git a/queue-5.4/crypto-ccp-failure-on-re-initialization-due-to-dupli.patch b/queue-5.4/crypto-ccp-failure-on-re-initialization-due-to-dupli.patch new file mode 100644 index 00000000000..36f1aa4bbc1 --- /dev/null +++ b/queue-5.4/crypto-ccp-failure-on-re-initialization-due-to-dupli.patch @@ -0,0 +1,115 @@ +From a3da966677b7f0b28bfc805fea24931ee13cfc3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Jan 2023 10:15:02 +0800 +Subject: crypto: ccp - Failure on re-initialization due to duplicate sysfs + filename + +From: Koba Ko + +[ Upstream commit 299bf602b3f92f1456aef59c6413591fb02e762a ] + +The following warning appears during the CCP module re-initialization: + +[ 140.965403] sysfs: cannot create duplicate filename +'/devices/pci0000:00/0000:00:07.1/0000:03:00.2/dma/dma0chan0' +[ 140.975736] CPU: 0 PID: 388 Comm: kworker/0:2 Kdump: loaded Not +tainted 6.2.0-0.rc2.18.eln124.x86_64 #1 +[ 140.985185] Hardware name: HPE ProLiant DL325 Gen10/ProLiant DL325 +Gen10, BIOS A41 07/17/2020 +[ 140.993761] Workqueue: events work_for_cpu_fn +[ 140.998151] Call Trace: +[ 141.000613] +[ 141.002726] dump_stack_lvl+0x33/0x46 +[ 141.006415] sysfs_warn_dup.cold+0x17/0x23 +[ 141.010542] sysfs_create_dir_ns+0xba/0xd0 +[ 141.014670] kobject_add_internal+0xba/0x260 +[ 141.018970] kobject_add+0x81/0xb0 +[ 141.022395] device_add+0xdc/0x7e0 +[ 141.025822] ? complete_all+0x20/0x90 +[ 141.029510] __dma_async_device_channel_register+0xc9/0x130 +[ 141.035119] dma_async_device_register+0x19e/0x3b0 +[ 141.039943] ccp_dmaengine_register+0x334/0x3f0 [ccp] +[ 141.045042] ccp5_init+0x662/0x6a0 [ccp] +[ 141.049000] ? devm_kmalloc+0x40/0xd0 +[ 141.052688] ccp_dev_init+0xbb/0xf0 [ccp] +[ 141.056732] ? __pci_set_master+0x56/0xd0 +[ 141.060768] sp_init+0x70/0x90 [ccp] +[ 141.064377] sp_pci_probe+0x186/0x1b0 [ccp] +[ 141.068596] local_pci_probe+0x41/0x80 +[ 141.072374] work_for_cpu_fn+0x16/0x20 +[ 141.076145] process_one_work+0x1c8/0x380 +[ 141.080181] worker_thread+0x1ab/0x380 +[ 141.083953] ? __pfx_worker_thread+0x10/0x10 +[ 141.088250] kthread+0xda/0x100 +[ 141.091413] ? __pfx_kthread+0x10/0x10 +[ 141.095185] ret_from_fork+0x2c/0x50 +[ 141.098788] +[ 141.100996] kobject_add_internal failed for dma0chan0 with -EEXIST, +don't try to register things with the same name in the same directory. +[ 141.113703] ccp 0000:03:00.2: ccp initialization failed + +The /dma/dma0chan0 sysfs file is not removed since dma_chan object +has been released in ccp_dma_release() before releasing dma device. +A correct procedure would be: release dma channels first => unregister +dma device => release ccp dma object. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=216888 +Fixes: 68dbe80f5b51 ("crypto: ccp - Release dma channels before dmaengine unrgister") +Tested-by: Vladis Dronov +Signed-off-by: Koba Ko +Reviewed-by: Vladis Dronov +Acked-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-dmaengine.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/ccp/ccp-dmaengine.c b/drivers/crypto/ccp/ccp-dmaengine.c +index b9299defb431d..e416456b2b8aa 100644 +--- a/drivers/crypto/ccp/ccp-dmaengine.c ++++ b/drivers/crypto/ccp/ccp-dmaengine.c +@@ -643,14 +643,26 @@ static void ccp_dma_release(struct ccp_device *ccp) + chan = ccp->ccp_dma_chan + i; + dma_chan = &chan->dma_chan; + +- if (dma_chan->client_count) +- dma_release_channel(dma_chan); +- + tasklet_kill(&chan->cleanup_tasklet); + list_del_rcu(&dma_chan->device_node); + } + } + ++static void ccp_dma_release_channels(struct ccp_device *ccp) ++{ ++ struct ccp_dma_chan *chan; ++ struct dma_chan *dma_chan; ++ unsigned int i; ++ ++ for (i = 0; i < ccp->cmd_q_count; i++) { ++ chan = ccp->ccp_dma_chan + i; ++ dma_chan = &chan->dma_chan; ++ ++ if (dma_chan->client_count) ++ dma_release_channel(dma_chan); ++ } ++} ++ + int ccp_dmaengine_register(struct ccp_device *ccp) + { + struct ccp_dma_chan *chan; +@@ -771,8 +783,9 @@ void ccp_dmaengine_unregister(struct ccp_device *ccp) + if (!dmaengine) + return; + +- ccp_dma_release(ccp); ++ ccp_dma_release_channels(ccp); + dma_async_device_unregister(dma_dev); ++ ccp_dma_release(ccp); + + kmem_cache_destroy(ccp->dma_desc_cache); + kmem_cache_destroy(ccp->dma_cmd_cache); +-- +2.39.2 + diff --git a/queue-5.4/crypto-crypto4xx-call-dma_unmap_page-when-done.patch b/queue-5.4/crypto-crypto4xx-call-dma_unmap_page-when-done.patch new file mode 100644 index 00000000000..443e6e90220 --- /dev/null +++ b/queue-5.4/crypto-crypto4xx-call-dma_unmap_page-when-done.patch @@ -0,0 +1,64 @@ +From 3f60ba51eefe6abb422b7f03f8046b0c00ed5d6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Feb 2023 14:01:53 +0800 +Subject: crypto: crypto4xx - Call dma_unmap_page when done + +From: Herbert Xu + +[ Upstream commit bcdda4301bdc4955d45f7e1ffefb6207967b067e ] + +In crypto4xx_cipher_done, we should be unmapping the dst page, not +mapping it. + +This was flagged by a sparse warning about the unused addr variable. +While we're at it, also fix a sparse warning regarding the unused +ctx variable in crypto4xx_ahash_done (by actually using it). + +Fixes: 049359d65527 ("crypto: amcc - Add crypt4xx driver") +Signed-off-by: Herbert Xu +Tested-by: Christian Lamparter +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/amcc/crypto4xx_core.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/drivers/crypto/amcc/crypto4xx_core.c b/drivers/crypto/amcc/crypto4xx_core.c +index 230e8902c727c..b58f21dd3fed6 100644 +--- a/drivers/crypto/amcc/crypto4xx_core.c ++++ b/drivers/crypto/amcc/crypto4xx_core.c +@@ -521,7 +521,6 @@ static void crypto4xx_cipher_done(struct crypto4xx_device *dev, + { + struct skcipher_request *req; + struct scatterlist *dst; +- dma_addr_t addr; + + req = skcipher_request_cast(pd_uinfo->async_req); + +@@ -530,8 +529,8 @@ static void crypto4xx_cipher_done(struct crypto4xx_device *dev, + req->cryptlen, req->dst); + } else { + dst = pd_uinfo->dest_va; +- addr = dma_map_page(dev->core_dev->device, sg_page(dst), +- dst->offset, dst->length, DMA_FROM_DEVICE); ++ dma_unmap_page(dev->core_dev->device, pd->dest, dst->length, ++ DMA_FROM_DEVICE); + } + + if (pd_uinfo->sa_va->sa_command_0.bf.save_iv == SA_SAVE_IV) { +@@ -556,10 +555,9 @@ static void crypto4xx_ahash_done(struct crypto4xx_device *dev, + struct ahash_request *ahash_req; + + ahash_req = ahash_request_cast(pd_uinfo->async_req); +- ctx = crypto_tfm_ctx(ahash_req->base.tfm); ++ ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(ahash_req)); + +- crypto4xx_copy_digest_to_dst(ahash_req->result, pd_uinfo, +- crypto_tfm_ctx(ahash_req->base.tfm)); ++ crypto4xx_copy_digest_to_dst(ahash_req->result, pd_uinfo, ctx); + crypto4xx_ret_sg_desc(dev, pd_uinfo); + + if (pd_uinfo->state & PD_ENTRY_BUSY) +-- +2.39.2 + diff --git a/queue-5.4/crypto-essiv-handle-ebusy-correctly.patch b/queue-5.4/crypto-essiv-handle-ebusy-correctly.patch new file mode 100644 index 00000000000..507a1bc0077 --- /dev/null +++ b/queue-5.4/crypto-essiv-handle-ebusy-correctly.patch @@ -0,0 +1,55 @@ +From c0dbe662b9dd04c70916f0f203176af1036797cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jan 2023 18:24:09 +0800 +Subject: crypto: essiv - Handle EBUSY correctly + +From: Herbert Xu + +[ Upstream commit b5a772adf45a32c68bef28e60621f12617161556 ] + +As it is essiv only handles the special return value of EINPROGERSS, +which means that in all other cases it will free data related to the +request. + +However, as the caller of essiv may specify MAY_BACKLOG, we also need +to expect EBUSY and treat it in the same way. Otherwise backlogged +requests will trigger a use-after-free. + +Fixes: be1eb7f78aa8 ("crypto: essiv - create wrapper template...") +Signed-off-by: Herbert Xu +Acked-by: Ard Biesheuvel +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/essiv.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/crypto/essiv.c b/crypto/essiv.c +index 3d3f9d7f607ca..aa6b89e91ac80 100644 +--- a/crypto/essiv.c ++++ b/crypto/essiv.c +@@ -188,7 +188,12 @@ static void essiv_aead_done(struct crypto_async_request *areq, int err) + struct aead_request *req = areq->data; + struct essiv_aead_request_ctx *rctx = aead_request_ctx(req); + ++ if (err == -EINPROGRESS) ++ goto out; ++ + kfree(rctx->assoc); ++ ++out: + aead_request_complete(req, err); + } + +@@ -264,7 +269,7 @@ static int essiv_aead_crypt(struct aead_request *req, bool enc) + err = enc ? crypto_aead_encrypt(subreq) : + crypto_aead_decrypt(subreq); + +- if (rctx->assoc && err != -EINPROGRESS) ++ if (rctx->assoc && err != -EINPROGRESS && err != -EBUSY) + kfree(rctx->assoc); + return err; + } +-- +2.39.2 + diff --git a/queue-5.4/crypto-essiv-remove-redundant-null-pointer-check-bef.patch b/queue-5.4/crypto-essiv-remove-redundant-null-pointer-check-bef.patch new file mode 100644 index 00000000000..64bcd60e6d7 --- /dev/null +++ b/queue-5.4/crypto-essiv-remove-redundant-null-pointer-check-bef.patch @@ -0,0 +1,37 @@ +From b311c864e5e6cb849a3e78398333dca44e41f7e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Nov 2019 14:51:00 +0800 +Subject: crypto: essiv - remove redundant null pointer check before kfree + +From: Chen Wandun + +[ Upstream commit e18036da5c23530994faf7243b592e581f1efed2 ] + +kfree has taken null pointer check into account. so it is safe to +remove the unnecessary check. + +Signed-off-by: Chen Wandun +Signed-off-by: Herbert Xu +Stable-dep-of: b5a772adf45a ("crypto: essiv - Handle EBUSY correctly") +Signed-off-by: Sasha Levin +--- + crypto/essiv.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/crypto/essiv.c b/crypto/essiv.c +index a8befc8fb06ed..3d3f9d7f607ca 100644 +--- a/crypto/essiv.c ++++ b/crypto/essiv.c +@@ -188,8 +188,7 @@ static void essiv_aead_done(struct crypto_async_request *areq, int err) + struct aead_request *req = areq->data; + struct essiv_aead_request_ctx *rctx = aead_request_ctx(req); + +- if (rctx->assoc) +- kfree(rctx->assoc); ++ kfree(rctx->assoc); + aead_request_complete(req, err); + } + +-- +2.39.2 + diff --git a/queue-5.4/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch b/queue-5.4/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch new file mode 100644 index 00000000000..8fb5ae88b52 --- /dev/null +++ b/queue-5.4/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch @@ -0,0 +1,91 @@ +From ea289b2a1b2320bb8ae69b9a650302de1e3a1c4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 16:02:04 +0800 +Subject: crypto: rsa-pkcs1pad - Use akcipher_request_complete + +From: Herbert Xu + +[ Upstream commit 564cabc0ca0bdfa8f0fc1ae74b24d0a7554522c5 ] + +Use the akcipher_request_complete helper instead of calling the +completion function directly. In fact the previous code was buggy +in that EINPROGRESS was never passed back to the original caller. + +Fixes: 3d5b1ecdea6f ("crypto: rsa - RSA padding algorithm") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/rsa-pkcs1pad.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c +index 9cbafaf6dd851..5b4b12b8a71a7 100644 +--- a/crypto/rsa-pkcs1pad.c ++++ b/crypto/rsa-pkcs1pad.c +@@ -213,16 +213,14 @@ static void pkcs1pad_encrypt_sign_complete_cb( + struct crypto_async_request *child_async_req, int err) + { + struct akcipher_request *req = child_async_req->data; +- struct crypto_async_request async_req; + + if (err == -EINPROGRESS) +- return; ++ goto out; ++ ++ err = pkcs1pad_encrypt_sign_complete(req, err); + +- async_req.data = req->base.data; +- async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req)); +- async_req.flags = child_async_req->flags; +- req->base.complete(&async_req, +- pkcs1pad_encrypt_sign_complete(req, err)); ++out: ++ akcipher_request_complete(req, err); + } + + static int pkcs1pad_encrypt(struct akcipher_request *req) +@@ -331,15 +329,14 @@ static void pkcs1pad_decrypt_complete_cb( + struct crypto_async_request *child_async_req, int err) + { + struct akcipher_request *req = child_async_req->data; +- struct crypto_async_request async_req; + + if (err == -EINPROGRESS) +- return; ++ goto out; ++ ++ err = pkcs1pad_decrypt_complete(req, err); + +- async_req.data = req->base.data; +- async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req)); +- async_req.flags = child_async_req->flags; +- req->base.complete(&async_req, pkcs1pad_decrypt_complete(req, err)); ++out: ++ akcipher_request_complete(req, err); + } + + static int pkcs1pad_decrypt(struct akcipher_request *req) +@@ -511,15 +508,14 @@ static void pkcs1pad_verify_complete_cb( + struct crypto_async_request *child_async_req, int err) + { + struct akcipher_request *req = child_async_req->data; +- struct crypto_async_request async_req; + + if (err == -EINPROGRESS) +- return; ++ goto out; + +- async_req.data = req->base.data; +- async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req)); +- async_req.flags = child_async_req->flags; +- req->base.complete(&async_req, pkcs1pad_verify_complete(req, err)); ++ err = pkcs1pad_verify_complete(req, err); ++ ++out: ++ akcipher_request_complete(req, err); + } + + /* +-- +2.39.2 + diff --git a/queue-5.4/crypto-seqiv-handle-ebusy-correctly.patch b/queue-5.4/crypto-seqiv-handle-ebusy-correctly.patch new file mode 100644 index 00000000000..6e87e7e0a0d --- /dev/null +++ b/queue-5.4/crypto-seqiv-handle-ebusy-correctly.patch @@ -0,0 +1,40 @@ +From da4a153d87f8db502b830d191f3414e2d3624219 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jan 2023 18:27:51 +0800 +Subject: crypto: seqiv - Handle EBUSY correctly + +From: Herbert Xu + +[ Upstream commit 32e62025e5e52fbe4812ef044759de7010b15dbc ] + +As it is seqiv only handles the special return value of EINPROGERSS, +which means that in all other cases it will free data related to the +request. + +However, as the caller of seqiv may specify MAY_BACKLOG, we also need +to expect EBUSY and treat it in the same way. Otherwise backlogged +requests will trigger a use-after-free. + +Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/seqiv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/seqiv.c b/crypto/seqiv.c +index 96d222c32accc..ae1d67d036259 100644 +--- a/crypto/seqiv.c ++++ b/crypto/seqiv.c +@@ -25,7 +25,7 @@ static void seqiv_aead_encrypt_complete2(struct aead_request *req, int err) + struct aead_request *subreq = aead_request_ctx(req); + struct crypto_aead *geniv; + +- if (err == -EINPROGRESS) ++ if (err == -EINPROGRESS || err == -EBUSY) + return; + + if (err) +-- +2.39.2 + diff --git a/queue-5.4/crypto-x86-ghash-fix-unaligned-access-in-ghash_setke.patch b/queue-5.4/crypto-x86-ghash-fix-unaligned-access-in-ghash_setke.patch new file mode 100644 index 00000000000..ff091ead6b4 --- /dev/null +++ b/queue-5.4/crypto-x86-ghash-fix-unaligned-access-in-ghash_setke.patch @@ -0,0 +1,53 @@ +From b378152eb2cb17f2b716df8a094bfaf253e6ca19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Dec 2022 21:40:40 -0800 +Subject: crypto: x86/ghash - fix unaligned access in ghash_setkey() + +From: Eric Biggers + +[ Upstream commit 116db2704c193fff6d73ea6c2219625f0c9bdfc8 ] + +The key can be unaligned, so use the unaligned memory access helpers. + +Fixes: 8ceee72808d1 ("crypto: ghash-clmulni-intel - use C implementation for setkey()") +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/x86/crypto/ghash-clmulni-intel_glue.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/crypto/ghash-clmulni-intel_glue.c b/arch/x86/crypto/ghash-clmulni-intel_glue.c +index 04d72a5a8ce98..c9864ac9c0149 100644 +--- a/arch/x86/crypto/ghash-clmulni-intel_glue.c ++++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c +@@ -19,6 +19,7 @@ + #include + #include + #include ++#include + + #define GHASH_BLOCK_SIZE 16 + #define GHASH_DIGEST_SIZE 16 +@@ -54,7 +55,6 @@ static int ghash_setkey(struct crypto_shash *tfm, + const u8 *key, unsigned int keylen) + { + struct ghash_ctx *ctx = crypto_shash_ctx(tfm); +- be128 *x = (be128 *)key; + u64 a, b; + + if (keylen != GHASH_BLOCK_SIZE) { +@@ -63,8 +63,8 @@ static int ghash_setkey(struct crypto_shash *tfm, + } + + /* perform multiplication by 'x' in GF(2^128) */ +- a = be64_to_cpu(x->a); +- b = be64_to_cpu(x->b); ++ a = get_unaligned_be64(key); ++ b = get_unaligned_be64(key + 8); + + ctx->shash.a = (b << 1) | (a >> 63); + ctx->shash.b = (a << 1) | (b >> 63); +-- +2.39.2 + diff --git a/queue-5.4/dm-cache-add-cond_resched-to-various-workqueue-loops.patch b/queue-5.4/dm-cache-add-cond_resched-to-various-workqueue-loops.patch new file mode 100644 index 00000000000..1f97134f3fe --- /dev/null +++ b/queue-5.4/dm-cache-add-cond_resched-to-various-workqueue-loops.patch @@ -0,0 +1,50 @@ +From eecd73d287dc78cae35bff1d642ee7e726d15da8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 15:31:08 -0500 +Subject: dm cache: add cond_resched() to various workqueue loops + +From: Mike Snitzer + +[ Upstream commit 76227f6dc805e9e960128bcc6276647361e0827c ] + +Otherwise on resource constrained systems these workqueues may be too +greedy. + +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-cache-target.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c +index 10b2a4e10a46b..08b5e44df3248 100644 +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -1910,6 +1910,7 @@ static void process_deferred_bios(struct work_struct *ws) + + else + commit_needed = process_bio(cache, bio) || commit_needed; ++ cond_resched(); + } + + if (commit_needed) +@@ -1932,6 +1933,7 @@ static void requeue_deferred_bios(struct cache *cache) + while ((bio = bio_list_pop(&bios))) { + bio->bi_status = BLK_STS_DM_REQUEUE; + bio_endio(bio); ++ cond_resched(); + } + } + +@@ -1972,6 +1974,8 @@ static void check_migrations(struct work_struct *ws) + r = mg_start(cache, op, NULL); + if (r) + break; ++ ++ cond_resched(); + } + } + +-- +2.39.2 + diff --git a/queue-5.4/dm-remove-flush_scheduled_work-during-local_exit.patch b/queue-5.4/dm-remove-flush_scheduled_work-during-local_exit.patch new file mode 100644 index 00000000000..21b3e39e4cd --- /dev/null +++ b/queue-5.4/dm-remove-flush_scheduled_work-during-local_exit.patch @@ -0,0 +1,43 @@ +From 95dc6055f8abcf48472cb59bbb50a277f5345fa9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 13:06:05 -0500 +Subject: dm: remove flush_scheduled_work() during local_exit() + +From: Mike Snitzer + +[ Upstream commit 0b22ff5360f5c4e11050b89206370fdf7dc0a226 ] + +Commit acfe0ad74d2e1 ("dm: allocate a special workqueue for deferred +device removal") switched from using system workqueue to a single +workqueue local to DM. But it didn't eliminate the call to +flush_scheduled_work() that was introduced purely for the benefit of +deferred device removal with commit 2c140a246dc ("dm: allow remove to +be deferred"). + +Since DM core uses its own workqueue (and queue_work) there is no need +to call flush_scheduled_work() from local_exit(). local_exit()'s +destroy_workqueue(deferred_remove_workqueue) handles flushing work +started with queue_work(). + +Fixes: acfe0ad74d2e1 ("dm: allocate a special workqueue for deferred device removal") +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index d4cebb38709bd..b58ff1a0fda7d 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -263,7 +263,6 @@ static int __init local_init(void) + + static void local_exit(void) + { +- flush_scheduled_work(); + destroy_workqueue(deferred_remove_workqueue); + + unregister_blkdev(_major, _name); +-- +2.39.2 + diff --git a/queue-5.4/dm-thin-add-cond_resched-to-various-workqueue-loops.patch b/queue-5.4/dm-thin-add-cond_resched-to-various-workqueue-loops.patch new file mode 100644 index 00000000000..ee06a129283 --- /dev/null +++ b/queue-5.4/dm-thin-add-cond_resched-to-various-workqueue-loops.patch @@ -0,0 +1,41 @@ +From 1b3dbf62fcc037c1fc113025e46da228db0390ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 15:29:44 -0500 +Subject: dm thin: add cond_resched() to various workqueue loops + +From: Mike Snitzer + +[ Upstream commit e4f80303c2353952e6e980b23914e4214487f2a6 ] + +Otherwise on resource constrained systems these workqueues may be too +greedy. + +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-thin.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index 4f161725dda0a..999447bde8203 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -2224,6 +2224,7 @@ static void process_thin_deferred_bios(struct thin_c *tc) + throttle_work_update(&pool->throttle); + dm_pool_issue_prefetches(pool->pmd); + } ++ cond_resched(); + } + blk_finish_plug(&plug); + } +@@ -2307,6 +2308,7 @@ static void process_thin_deferred_cells(struct thin_c *tc) + else + pool->process_cell(tc, cell); + } ++ cond_resched(); + } while (!list_empty(&cells)); + } + +-- +2.39.2 + diff --git a/queue-5.4/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch b/queue-5.4/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch new file mode 100644 index 00000000000..06be24088f3 --- /dev/null +++ b/queue-5.4/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch @@ -0,0 +1,46 @@ +From ee4de3ee0f59b89778d788a44fc81c754279c44f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 00:23:20 +0100 +Subject: docs/scripts/gdb: add necessary make scripts_gdb step + +From: Jakob Koschel + +[ Upstream commit 6b219431037bf98c9efd49716aea9b68440477a3 ] + +In order to debug the kernel successfully with gdb you need to run +'make scripts_gdb' nowadays. + +This was changed with the following commit: + +Commit 67274c083438340ad16c ("scripts/gdb: delay generation of gdb +constants.py") + +In order to have a complete guide for beginners this remark +should be added to the offial documentation. + +Signed-off-by: Jakob Koschel +Link: https://lore.kernel.org/r/20230112-documentation-gdb-v2-1-292785c43dc9@gmail.com +Signed-off-by: Jonathan Corbet +Signed-off-by: Sasha Levin +--- + Documentation/dev-tools/gdb-kernel-debugging.rst | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/Documentation/dev-tools/gdb-kernel-debugging.rst b/Documentation/dev-tools/gdb-kernel-debugging.rst +index 19df79286f000..afe4bc206486c 100644 +--- a/Documentation/dev-tools/gdb-kernel-debugging.rst ++++ b/Documentation/dev-tools/gdb-kernel-debugging.rst +@@ -39,6 +39,10 @@ Setup + this mode. In this case, you should build the kernel with + CONFIG_RANDOMIZE_BASE disabled if the architecture supports KASLR. + ++- Build the gdb scripts (required on kernels v5.1 and above):: ++ ++ make scripts_gdb ++ + - Enable the gdb stub of QEMU/KVM, either + + - at VM startup time by appending "-s" to the QEMU command line +-- +2.39.2 + diff --git a/queue-5.4/drm-amd-display-fix-potential-null-deref-in-dm_resum.patch b/queue-5.4/drm-amd-display-fix-potential-null-deref-in-dm_resum.patch new file mode 100644 index 00000000000..6c3462d48e3 --- /dev/null +++ b/queue-5.4/drm-amd-display-fix-potential-null-deref-in-dm_resum.patch @@ -0,0 +1,53 @@ +From b77d44ea035e3e709c21a0b112341bbe5c94ca27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 09:06:42 -0500 +Subject: drm/amd/display: Fix potential null-deref in dm_resume + +From: Roman Li + +[ Upstream commit 7a7175a2cd84b7874bebbf8e59f134557a34161b ] + +[Why] +Fixing smatch error: +dm_resume() error: we previously assumed 'aconnector->dc_link' could be null + +[How] +Check if dc_link null at the beginning of the loop, +so further checks can be dropped. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter + +Reviewed-by: Wayne Lin +Acked-by: Jasdeep Dhillon +Signed-off-by: Roman Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +index 9fd711005c1f5..1e7083bc8a527 100644 +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -1206,12 +1206,14 @@ static int dm_resume(void *handle) + list_for_each_entry(connector, &ddev->mode_config.connector_list, head) { + aconnector = to_amdgpu_dm_connector(connector); + ++ if (!aconnector->dc_link) ++ continue; ++ + /* + * this is the case when traversing through already created + * MST connectors, should be skipped + */ +- if (aconnector->dc_link && +- aconnector->dc_link->type == dc_connection_mst_branch) ++ if (aconnector->dc_link->type == dc_connection_mst_branch) + continue; + + mutex_lock(&aconnector->hpd_lock); +-- +2.39.2 + diff --git a/queue-5.4/drm-bridge-introduce-drm_bridge_get_next_bridge.patch b/queue-5.4/drm-bridge-introduce-drm_bridge_get_next_bridge.patch new file mode 100644 index 00000000000..c8eafdb9c29 --- /dev/null +++ b/queue-5.4/drm-bridge-introduce-drm_bridge_get_next_bridge.patch @@ -0,0 +1,121 @@ +From badf218852f2ff24d1f21b432c681e53998223c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 15:15:06 +0100 +Subject: drm/bridge: Introduce drm_bridge_get_next_bridge() + +From: Boris Brezillon + +[ Upstream commit fadf872d9d9274a3be34d8438e0f6bb465c8f98b ] + +And use it in drivers accessing the bridge->next field directly. +This is part of our attempt to make the bridge chain a double-linked list +based on the generic list helpers. + +Signed-off-by: Boris Brezillon +Reviewed-by: Neil Armstrong +Reviewed-by: Laurent Pinchart +Link: https://patchwork.freedesktop.org/patch/msgid/20191203141515.3597631-3-boris.brezillon@collabora.com +Stable-dep-of: 13fcfcb2a9a4 ("drm/msm/mdp5: Add check for kzalloc") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_encoder.c | 2 +- + drivers/gpu/drm/mediatek/mtk_hdmi.c | 6 ++++-- + drivers/gpu/drm/omapdrm/omap_drv.c | 4 ++-- + drivers/gpu/drm/omapdrm/omap_encoder.c | 3 ++- + include/drm/drm_bridge.h | 13 +++++++++++++ + 5 files changed, 22 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/drm_encoder.c b/drivers/gpu/drm/drm_encoder.c +index 7fb47b7b8b44a..80ce9e1040de1 100644 +--- a/drivers/gpu/drm/drm_encoder.c ++++ b/drivers/gpu/drm/drm_encoder.c +@@ -170,7 +170,7 @@ void drm_encoder_cleanup(struct drm_encoder *encoder) + struct drm_bridge *next; + + while (bridge) { +- next = bridge->next; ++ next = drm_bridge_get_next_bridge(bridge); + drm_bridge_detach(bridge); + bridge = next; + } +diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c +index 37960172a3a15..74a54a9e35339 100644 +--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c ++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c +@@ -1237,16 +1237,18 @@ static int mtk_hdmi_conn_mode_valid(struct drm_connector *conn, + struct drm_display_mode *mode) + { + struct mtk_hdmi *hdmi = hdmi_ctx_from_conn(conn); ++ struct drm_bridge *next_bridge; + + dev_dbg(hdmi->dev, "xres=%d, yres=%d, refresh=%d, intl=%d clock=%d\n", + mode->hdisplay, mode->vdisplay, mode->vrefresh, + !!(mode->flags & DRM_MODE_FLAG_INTERLACE), mode->clock * 1000); + +- if (hdmi->bridge.next) { ++ next_bridge = drm_bridge_get_next_bridge(&hdmi->bridge); ++ if (next_bridge) { + struct drm_display_mode adjusted_mode; + + drm_mode_copy(&adjusted_mode, mode); +- if (!drm_bridge_chain_mode_fixup(hdmi->bridge.next, mode, ++ if (!drm_bridge_chain_mode_fixup(next_bridge, mode, + &adjusted_mode)) + return MODE_BAD; + } +diff --git a/drivers/gpu/drm/omapdrm/omap_drv.c b/drivers/gpu/drm/omapdrm/omap_drv.c +index 2983c003698ec..a4645b78f7374 100644 +--- a/drivers/gpu/drm/omapdrm/omap_drv.c ++++ b/drivers/gpu/drm/omapdrm/omap_drv.c +@@ -216,8 +216,8 @@ static int omap_display_id(struct omap_dss_device *output) + } else if (output->bridge) { + struct drm_bridge *bridge = output->bridge; + +- while (bridge->next) +- bridge = bridge->next; ++ while (drm_bridge_get_next_bridge(bridge)) ++ bridge = drm_bridge_get_next_bridge(bridge); + + node = bridge->of_node; + } else if (output->panel) { +diff --git a/drivers/gpu/drm/omapdrm/omap_encoder.c b/drivers/gpu/drm/omapdrm/omap_encoder.c +index 6fe14111cd956..b626b543a9923 100644 +--- a/drivers/gpu/drm/omapdrm/omap_encoder.c ++++ b/drivers/gpu/drm/omapdrm/omap_encoder.c +@@ -125,7 +125,8 @@ static void omap_encoder_mode_set(struct drm_encoder *encoder, + for (dssdev = output; dssdev; dssdev = dssdev->next) + omap_encoder_update_videomode_flags(&vm, dssdev->bus_flags); + +- for (bridge = output->bridge; bridge; bridge = bridge->next) { ++ for (bridge = output->bridge; bridge; ++ bridge = drm_bridge_get_next_bridge(bridge)) { + if (!bridge->timings) + continue; + +diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h +index 442a0654e1bfa..9f7192366cfbe 100644 +--- a/include/drm/drm_bridge.h ++++ b/include/drm/drm_bridge.h +@@ -409,6 +409,19 @@ struct drm_bridge *of_drm_find_bridge(struct device_node *np); + int drm_bridge_attach(struct drm_encoder *encoder, struct drm_bridge *bridge, + struct drm_bridge *previous); + ++/** ++ * drm_bridge_get_next_bridge() - Get the next bridge in the chain ++ * @bridge: bridge object ++ * ++ * RETURNS: ++ * the next bridge in the chain after @bridge, or NULL if @bridge is the last. ++ */ ++static inline struct drm_bridge * ++drm_bridge_get_next_bridge(struct drm_bridge *bridge) ++{ ++ return bridge->next; ++} ++ + bool drm_bridge_chain_mode_fixup(struct drm_bridge *bridge, + const struct drm_display_mode *mode, + struct drm_display_mode *adjusted_mode); +-- +2.39.2 + diff --git a/queue-5.4/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch b/queue-5.4/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch new file mode 100644 index 00000000000..7e74ba1965d --- /dev/null +++ b/queue-5.4/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch @@ -0,0 +1,65 @@ +From e3785c3a52bfbb84388aaeef7831bca2aa707856 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 09:12:26 +0000 +Subject: drm/bridge: megachips: Fix error handling in i2c_register_driver() + +From: Yuan Can + +[ Upstream commit 4ecff954c370b82bce45bdca2846c5c5563e8a8a ] + +A problem about insmod megachips-stdpxxxx-ge-b850v3-fw.ko failed is +triggered with the following log given: + +[ 4497.981497] Error: Driver 'stdp4028-ge-b850v3-fw' is already registered, aborting... +insmod: ERROR: could not insert module megachips-stdpxxxx-ge-b850v3-fw.ko: Device or resource busy + +The reason is that stdpxxxx_ge_b850v3_init() returns i2c_add_driver() +directly without checking its return value, if i2c_add_driver() failed, +it returns without calling i2c_del_driver() on the previous i2c driver, +resulting the megachips-stdpxxxx-ge-b850v3-fw can never be installed +later. +A simple call graph is shown as below: + + stdpxxxx_ge_b850v3_init() + i2c_add_driver(&stdp4028_ge_b850v3_fw_driver) + i2c_add_driver(&stdp2690_ge_b850v3_fw_driver) + i2c_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without delete stdp4028_ge_b850v3_fw_driver + +Fix by calling i2c_del_driver() on stdp4028_ge_b850v3_fw_driver when +i2c_add_driver() returns error. + +Fixes: fcfa0ddc18ed ("drm/bridge: Drivers for megachips-stdpxxxx-ge-b850v3-fw (LVDS-DP++)") +Signed-off-by: Yuan Can +Reviewed-by: Andrzej Hajda +Tested-by: Ian Ray +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20221108091226.114524-1-yuancan@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +index b72f6f541d4ef..14d578fce09f9 100644 +--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c ++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +@@ -426,7 +426,11 @@ static int __init stdpxxxx_ge_b850v3_init(void) + if (ret) + return ret; + +- return i2c_add_driver(&stdp2690_ge_b850v3_fw_driver); ++ ret = i2c_add_driver(&stdp2690_ge_b850v3_fw_driver); ++ if (ret) ++ i2c_del_driver(&stdp4028_ge_b850v3_fw_driver); ++ ++ return ret; + } + module_init(stdpxxxx_ge_b850v3_init); + +-- +2.39.2 + diff --git a/queue-5.4/drm-bridge-rename-bridge-helpers-targeting-a-bridge-.patch b/queue-5.4/drm-bridge-rename-bridge-helpers-targeting-a-bridge-.patch new file mode 100644 index 00000000000..f57d0534da3 --- /dev/null +++ b/queue-5.4/drm-bridge-rename-bridge-helpers-targeting-a-bridge-.patch @@ -0,0 +1,636 @@ +From 9c4e9ec8139746c65cf55d460f074dc86efc3a00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Dec 2019 15:15:05 +0100 +Subject: drm/bridge: Rename bridge helpers targeting a bridge chain + +From: Boris Brezillon + +[ Upstream commit ea099adfdf4bf35903dc1c0f59a0d60175759c70 ] + +Change the prefix of bridge helpers targeting a bridge chain from +drm_bridge_ to drm_bridge_chain_ to better reflect the fact that +the operation will happen on all elements of chain, starting at the +bridge passed in argument. + +Signed-off-by: Boris Brezillon +Reviewed-by: Neil Armstrong +Acked-by: Laurent Pinchart +Link: https://patchwork.freedesktop.org/patch/msgid/20191203141515.3597631-2-boris.brezillon@collabora.com +Stable-dep-of: 13fcfcb2a9a4 ("drm/msm/mdp5: Add check for kzalloc") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_atomic_helper.c | 19 ++-- + drivers/gpu/drm/drm_bridge.c | 125 ++++++++++++------------ + drivers/gpu/drm/drm_probe_helper.c | 2 +- + drivers/gpu/drm/exynos/exynos_drm_dsi.c | 8 +- + drivers/gpu/drm/mediatek/mtk_hdmi.c | 4 +- + drivers/gpu/drm/vc4/vc4_dsi.c | 8 +- + include/drm/drm_bridge.h | 64 ++++++------ + 7 files changed, 120 insertions(+), 110 deletions(-) + +diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c +index 5e906ea6df67d..e95c45cf5ffe8 100644 +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -445,8 +445,9 @@ mode_fixup(struct drm_atomic_state *state) + encoder = new_conn_state->best_encoder; + funcs = encoder->helper_private; + +- ret = drm_bridge_mode_fixup(encoder->bridge, &new_crtc_state->mode, +- &new_crtc_state->adjusted_mode); ++ ret = drm_bridge_chain_mode_fixup(encoder->bridge, ++ &new_crtc_state->mode, ++ &new_crtc_state->adjusted_mode); + if (!ret) { + DRM_DEBUG_ATOMIC("Bridge fixup failed\n"); + return -EINVAL; +@@ -511,7 +512,7 @@ static enum drm_mode_status mode_valid_path(struct drm_connector *connector, + return ret; + } + +- ret = drm_bridge_mode_valid(encoder->bridge, mode); ++ ret = drm_bridge_chain_mode_valid(encoder->bridge, mode); + if (ret != MODE_OK) { + DRM_DEBUG_ATOMIC("[BRIDGE] mode_valid() failed\n"); + return ret; +@@ -1030,7 +1031,7 @@ disable_outputs(struct drm_device *dev, struct drm_atomic_state *old_state) + * Each encoder has at most one connector (since we always steal + * it away), so we won't call disable hooks twice. + */ +- drm_atomic_bridge_disable(encoder->bridge, old_state); ++ drm_atomic_bridge_chain_disable(encoder->bridge, old_state); + + /* Right function depends upon target state. */ + if (funcs) { +@@ -1044,7 +1045,8 @@ disable_outputs(struct drm_device *dev, struct drm_atomic_state *old_state) + funcs->dpms(encoder, DRM_MODE_DPMS_OFF); + } + +- drm_atomic_bridge_post_disable(encoder->bridge, old_state); ++ drm_atomic_bridge_chain_post_disable(encoder->bridge, ++ old_state); + } + + for_each_oldnew_crtc_in_state(old_state, crtc, old_crtc_state, new_crtc_state, i) { +@@ -1225,7 +1227,8 @@ crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *old_state) + funcs->mode_set(encoder, mode, adjusted_mode); + } + +- drm_bridge_mode_set(encoder->bridge, mode, adjusted_mode); ++ drm_bridge_chain_mode_set(encoder->bridge, mode, ++ adjusted_mode); + } + } + +@@ -1342,7 +1345,7 @@ void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev, + * Each encoder has at most one connector (since we always steal + * it away), so we won't call enable hooks twice. + */ +- drm_atomic_bridge_pre_enable(encoder->bridge, old_state); ++ drm_atomic_bridge_chain_pre_enable(encoder->bridge, old_state); + + if (funcs) { + if (funcs->atomic_enable) +@@ -1353,7 +1356,7 @@ void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev, + funcs->commit(encoder); + } + +- drm_atomic_bridge_enable(encoder->bridge, old_state); ++ drm_atomic_bridge_chain_enable(encoder->bridge, old_state); + } + + drm_atomic_helper_commit_writebacks(dev, old_state); +diff --git a/drivers/gpu/drm/drm_bridge.c b/drivers/gpu/drm/drm_bridge.c +index cba537c99e437..54c874493c57e 100644 +--- a/drivers/gpu/drm/drm_bridge.c ++++ b/drivers/gpu/drm/drm_bridge.c +@@ -172,8 +172,8 @@ void drm_bridge_detach(struct drm_bridge *bridge) + */ + + /** +- * drm_bridge_mode_fixup - fixup proposed mode for all bridges in the +- * encoder chain ++ * drm_bridge_chain_mode_fixup - fixup proposed mode for all bridges in the ++ * encoder chain + * @bridge: bridge control structure + * @mode: desired mode to be set for the bridge + * @adjusted_mode: updated mode that works for this bridge +@@ -186,9 +186,9 @@ void drm_bridge_detach(struct drm_bridge *bridge) + * RETURNS: + * true on success, false on failure + */ +-bool drm_bridge_mode_fixup(struct drm_bridge *bridge, +- const struct drm_display_mode *mode, +- struct drm_display_mode *adjusted_mode) ++bool drm_bridge_chain_mode_fixup(struct drm_bridge *bridge, ++ const struct drm_display_mode *mode, ++ struct drm_display_mode *adjusted_mode) + { + bool ret = true; + +@@ -198,15 +198,16 @@ bool drm_bridge_mode_fixup(struct drm_bridge *bridge, + if (bridge->funcs->mode_fixup) + ret = bridge->funcs->mode_fixup(bridge, mode, adjusted_mode); + +- ret = ret && drm_bridge_mode_fixup(bridge->next, mode, adjusted_mode); ++ ret = ret && drm_bridge_chain_mode_fixup(bridge->next, mode, ++ adjusted_mode); + + return ret; + } +-EXPORT_SYMBOL(drm_bridge_mode_fixup); ++EXPORT_SYMBOL(drm_bridge_chain_mode_fixup); + + /** +- * drm_bridge_mode_valid - validate the mode against all bridges in the +- * encoder chain. ++ * drm_bridge_chain_mode_valid - validate the mode against all bridges in the ++ * encoder chain. + * @bridge: bridge control structure + * @mode: desired mode to be validated + * +@@ -219,8 +220,9 @@ EXPORT_SYMBOL(drm_bridge_mode_fixup); + * RETURNS: + * MODE_OK on success, drm_mode_status Enum error code on failure + */ +-enum drm_mode_status drm_bridge_mode_valid(struct drm_bridge *bridge, +- const struct drm_display_mode *mode) ++enum drm_mode_status ++drm_bridge_chain_mode_valid(struct drm_bridge *bridge, ++ const struct drm_display_mode *mode) + { + enum drm_mode_status ret = MODE_OK; + +@@ -233,12 +235,12 @@ enum drm_mode_status drm_bridge_mode_valid(struct drm_bridge *bridge, + if (ret != MODE_OK) + return ret; + +- return drm_bridge_mode_valid(bridge->next, mode); ++ return drm_bridge_chain_mode_valid(bridge->next, mode); + } +-EXPORT_SYMBOL(drm_bridge_mode_valid); ++EXPORT_SYMBOL(drm_bridge_chain_mode_valid); + + /** +- * drm_bridge_disable - disables all bridges in the encoder chain ++ * drm_bridge_chain_disable - disables all bridges in the encoder chain + * @bridge: bridge control structure + * + * Calls &drm_bridge_funcs.disable op for all the bridges in the encoder +@@ -247,20 +249,21 @@ EXPORT_SYMBOL(drm_bridge_mode_valid); + * + * Note: the bridge passed should be the one closest to the encoder + */ +-void drm_bridge_disable(struct drm_bridge *bridge) ++void drm_bridge_chain_disable(struct drm_bridge *bridge) + { + if (!bridge) + return; + +- drm_bridge_disable(bridge->next); ++ drm_bridge_chain_disable(bridge->next); + + if (bridge->funcs->disable) + bridge->funcs->disable(bridge); + } +-EXPORT_SYMBOL(drm_bridge_disable); ++EXPORT_SYMBOL(drm_bridge_chain_disable); + + /** +- * drm_bridge_post_disable - cleans up after disabling all bridges in the encoder chain ++ * drm_bridge_chain_post_disable - cleans up after disabling all bridges in the ++ * encoder chain + * @bridge: bridge control structure + * + * Calls &drm_bridge_funcs.post_disable op for all the bridges in the +@@ -269,7 +272,7 @@ EXPORT_SYMBOL(drm_bridge_disable); + * + * Note: the bridge passed should be the one closest to the encoder + */ +-void drm_bridge_post_disable(struct drm_bridge *bridge) ++void drm_bridge_chain_post_disable(struct drm_bridge *bridge) + { + if (!bridge) + return; +@@ -277,25 +280,25 @@ void drm_bridge_post_disable(struct drm_bridge *bridge) + if (bridge->funcs->post_disable) + bridge->funcs->post_disable(bridge); + +- drm_bridge_post_disable(bridge->next); ++ drm_bridge_chain_post_disable(bridge->next); + } +-EXPORT_SYMBOL(drm_bridge_post_disable); ++EXPORT_SYMBOL(drm_bridge_chain_post_disable); + + /** +- * drm_bridge_mode_set - set proposed mode for all bridges in the +- * encoder chain ++ * drm_bridge_chain_mode_set - set proposed mode for all bridges in the ++ * encoder chain + * @bridge: bridge control structure +- * @mode: desired mode to be set for the bridge +- * @adjusted_mode: updated mode that works for this bridge ++ * @mode: desired mode to be set for the encoder chain ++ * @adjusted_mode: updated mode that works for this encoder chain + * + * Calls &drm_bridge_funcs.mode_set op for all the bridges in the + * encoder chain, starting from the first bridge to the last. + * + * Note: the bridge passed should be the one closest to the encoder + */ +-void drm_bridge_mode_set(struct drm_bridge *bridge, +- const struct drm_display_mode *mode, +- const struct drm_display_mode *adjusted_mode) ++void drm_bridge_chain_mode_set(struct drm_bridge *bridge, ++ const struct drm_display_mode *mode, ++ const struct drm_display_mode *adjusted_mode) + { + if (!bridge) + return; +@@ -303,13 +306,13 @@ void drm_bridge_mode_set(struct drm_bridge *bridge, + if (bridge->funcs->mode_set) + bridge->funcs->mode_set(bridge, mode, adjusted_mode); + +- drm_bridge_mode_set(bridge->next, mode, adjusted_mode); ++ drm_bridge_chain_mode_set(bridge->next, mode, adjusted_mode); + } +-EXPORT_SYMBOL(drm_bridge_mode_set); ++EXPORT_SYMBOL(drm_bridge_chain_mode_set); + + /** +- * drm_bridge_pre_enable - prepares for enabling all +- * bridges in the encoder chain ++ * drm_bridge_chain_pre_enable - prepares for enabling all bridges in the ++ * encoder chain + * @bridge: bridge control structure + * + * Calls &drm_bridge_funcs.pre_enable op for all the bridges in the encoder +@@ -318,20 +321,20 @@ EXPORT_SYMBOL(drm_bridge_mode_set); + * + * Note: the bridge passed should be the one closest to the encoder + */ +-void drm_bridge_pre_enable(struct drm_bridge *bridge) ++void drm_bridge_chain_pre_enable(struct drm_bridge *bridge) + { + if (!bridge) + return; + +- drm_bridge_pre_enable(bridge->next); ++ drm_bridge_chain_pre_enable(bridge->next); + + if (bridge->funcs->pre_enable) + bridge->funcs->pre_enable(bridge); + } +-EXPORT_SYMBOL(drm_bridge_pre_enable); ++EXPORT_SYMBOL(drm_bridge_chain_pre_enable); + + /** +- * drm_bridge_enable - enables all bridges in the encoder chain ++ * drm_bridge_chain_enable - enables all bridges in the encoder chain + * @bridge: bridge control structure + * + * Calls &drm_bridge_funcs.enable op for all the bridges in the encoder +@@ -340,7 +343,7 @@ EXPORT_SYMBOL(drm_bridge_pre_enable); + * + * Note that the bridge passed should be the one closest to the encoder + */ +-void drm_bridge_enable(struct drm_bridge *bridge) ++void drm_bridge_chain_enable(struct drm_bridge *bridge) + { + if (!bridge) + return; +@@ -348,12 +351,12 @@ void drm_bridge_enable(struct drm_bridge *bridge) + if (bridge->funcs->enable) + bridge->funcs->enable(bridge); + +- drm_bridge_enable(bridge->next); ++ drm_bridge_chain_enable(bridge->next); + } +-EXPORT_SYMBOL(drm_bridge_enable); ++EXPORT_SYMBOL(drm_bridge_chain_enable); + + /** +- * drm_atomic_bridge_disable - disables all bridges in the encoder chain ++ * drm_atomic_bridge_chain_disable - disables all bridges in the encoder chain + * @bridge: bridge control structure + * @state: atomic state being committed + * +@@ -364,24 +367,24 @@ EXPORT_SYMBOL(drm_bridge_enable); + * + * Note: the bridge passed should be the one closest to the encoder + */ +-void drm_atomic_bridge_disable(struct drm_bridge *bridge, +- struct drm_atomic_state *state) ++void drm_atomic_bridge_chain_disable(struct drm_bridge *bridge, ++ struct drm_atomic_state *state) + { + if (!bridge) + return; + +- drm_atomic_bridge_disable(bridge->next, state); ++ drm_atomic_bridge_chain_disable(bridge->next, state); + + if (bridge->funcs->atomic_disable) + bridge->funcs->atomic_disable(bridge, state); + else if (bridge->funcs->disable) + bridge->funcs->disable(bridge); + } +-EXPORT_SYMBOL(drm_atomic_bridge_disable); ++EXPORT_SYMBOL(drm_atomic_bridge_chain_disable); + + /** +- * drm_atomic_bridge_post_disable - cleans up after disabling all bridges in the +- * encoder chain ++ * drm_atomic_bridge_chain_post_disable - cleans up after disabling all bridges ++ * in the encoder chain + * @bridge: bridge control structure + * @state: atomic state being committed + * +@@ -392,8 +395,8 @@ EXPORT_SYMBOL(drm_atomic_bridge_disable); + * + * Note: the bridge passed should be the one closest to the encoder + */ +-void drm_atomic_bridge_post_disable(struct drm_bridge *bridge, +- struct drm_atomic_state *state) ++void drm_atomic_bridge_chain_post_disable(struct drm_bridge *bridge, ++ struct drm_atomic_state *state) + { + if (!bridge) + return; +@@ -403,13 +406,13 @@ void drm_atomic_bridge_post_disable(struct drm_bridge *bridge, + else if (bridge->funcs->post_disable) + bridge->funcs->post_disable(bridge); + +- drm_atomic_bridge_post_disable(bridge->next, state); ++ drm_atomic_bridge_chain_post_disable(bridge->next, state); + } +-EXPORT_SYMBOL(drm_atomic_bridge_post_disable); ++EXPORT_SYMBOL(drm_atomic_bridge_chain_post_disable); + + /** +- * drm_atomic_bridge_pre_enable - prepares for enabling all bridges in the +- * encoder chain ++ * drm_atomic_bridge_chain_pre_enable - prepares for enabling all bridges in ++ * the encoder chain + * @bridge: bridge control structure + * @state: atomic state being committed + * +@@ -420,23 +423,23 @@ EXPORT_SYMBOL(drm_atomic_bridge_post_disable); + * + * Note: the bridge passed should be the one closest to the encoder + */ +-void drm_atomic_bridge_pre_enable(struct drm_bridge *bridge, +- struct drm_atomic_state *state) ++void drm_atomic_bridge_chain_pre_enable(struct drm_bridge *bridge, ++ struct drm_atomic_state *state) + { + if (!bridge) + return; + +- drm_atomic_bridge_pre_enable(bridge->next, state); ++ drm_atomic_bridge_chain_pre_enable(bridge->next, state); + + if (bridge->funcs->atomic_pre_enable) + bridge->funcs->atomic_pre_enable(bridge, state); + else if (bridge->funcs->pre_enable) + bridge->funcs->pre_enable(bridge); + } +-EXPORT_SYMBOL(drm_atomic_bridge_pre_enable); ++EXPORT_SYMBOL(drm_atomic_bridge_chain_pre_enable); + + /** +- * drm_atomic_bridge_enable - enables all bridges in the encoder chain ++ * drm_atomic_bridge_chain_enable - enables all bridges in the encoder chain + * @bridge: bridge control structure + * @state: atomic state being committed + * +@@ -447,8 +450,8 @@ EXPORT_SYMBOL(drm_atomic_bridge_pre_enable); + * + * Note: the bridge passed should be the one closest to the encoder + */ +-void drm_atomic_bridge_enable(struct drm_bridge *bridge, +- struct drm_atomic_state *state) ++void drm_atomic_bridge_chain_enable(struct drm_bridge *bridge, ++ struct drm_atomic_state *state) + { + if (!bridge) + return; +@@ -458,9 +461,9 @@ void drm_atomic_bridge_enable(struct drm_bridge *bridge, + else if (bridge->funcs->enable) + bridge->funcs->enable(bridge); + +- drm_atomic_bridge_enable(bridge->next, state); ++ drm_atomic_bridge_chain_enable(bridge->next, state); + } +-EXPORT_SYMBOL(drm_atomic_bridge_enable); ++EXPORT_SYMBOL(drm_atomic_bridge_chain_enable); + + #ifdef CONFIG_OF + /** +diff --git a/drivers/gpu/drm/drm_probe_helper.c b/drivers/gpu/drm/drm_probe_helper.c +index ef2c468205a20..d45f43feaf862 100644 +--- a/drivers/gpu/drm/drm_probe_helper.c ++++ b/drivers/gpu/drm/drm_probe_helper.c +@@ -112,7 +112,7 @@ drm_mode_validate_pipeline(struct drm_display_mode *mode, + continue; + } + +- ret = drm_bridge_mode_valid(encoder->bridge, mode); ++ ret = drm_bridge_chain_mode_valid(encoder->bridge, mode); + if (ret != MODE_OK) { + /* There is also no point in continuing for crtc check + * here. */ +diff --git a/drivers/gpu/drm/exynos/exynos_drm_dsi.c b/drivers/gpu/drm/exynos/exynos_drm_dsi.c +index b83acd696774b..babf3db82ce33 100644 +--- a/drivers/gpu/drm/exynos/exynos_drm_dsi.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_dsi.c +@@ -1389,7 +1389,7 @@ static void exynos_dsi_enable(struct drm_encoder *encoder) + if (ret < 0) + goto err_put_sync; + } else { +- drm_bridge_pre_enable(dsi->out_bridge); ++ drm_bridge_chain_pre_enable(dsi->out_bridge); + } + + exynos_dsi_set_display_mode(dsi); +@@ -1400,7 +1400,7 @@ static void exynos_dsi_enable(struct drm_encoder *encoder) + if (ret < 0) + goto err_display_disable; + } else { +- drm_bridge_enable(dsi->out_bridge); ++ drm_bridge_chain_enable(dsi->out_bridge); + } + + dsi->state |= DSIM_STATE_VIDOUT_AVAILABLE; +@@ -1425,10 +1425,10 @@ static void exynos_dsi_disable(struct drm_encoder *encoder) + dsi->state &= ~DSIM_STATE_VIDOUT_AVAILABLE; + + drm_panel_disable(dsi->panel); +- drm_bridge_disable(dsi->out_bridge); ++ drm_bridge_chain_disable(dsi->out_bridge); + exynos_dsi_set_display_enable(dsi, false); + drm_panel_unprepare(dsi->panel); +- drm_bridge_post_disable(dsi->out_bridge); ++ drm_bridge_chain_post_disable(dsi->out_bridge); + dsi->state &= ~DSIM_STATE_ENABLED; + pm_runtime_put_sync(dsi->dev); + } +diff --git a/drivers/gpu/drm/mediatek/mtk_hdmi.c b/drivers/gpu/drm/mediatek/mtk_hdmi.c +index 6b22fd63c3f55..37960172a3a15 100644 +--- a/drivers/gpu/drm/mediatek/mtk_hdmi.c ++++ b/drivers/gpu/drm/mediatek/mtk_hdmi.c +@@ -1246,8 +1246,8 @@ static int mtk_hdmi_conn_mode_valid(struct drm_connector *conn, + struct drm_display_mode adjusted_mode; + + drm_mode_copy(&adjusted_mode, mode); +- if (!drm_bridge_mode_fixup(hdmi->bridge.next, mode, +- &adjusted_mode)) ++ if (!drm_bridge_chain_mode_fixup(hdmi->bridge.next, mode, ++ &adjusted_mode)) + return MODE_BAD; + } + +diff --git a/drivers/gpu/drm/vc4/vc4_dsi.c b/drivers/gpu/drm/vc4/vc4_dsi.c +index e249ab378700e..67bfbffdb65c4 100644 +--- a/drivers/gpu/drm/vc4/vc4_dsi.c ++++ b/drivers/gpu/drm/vc4/vc4_dsi.c +@@ -752,9 +752,9 @@ static void vc4_dsi_encoder_disable(struct drm_encoder *encoder) + struct vc4_dsi *dsi = vc4_encoder->dsi; + struct device *dev = &dsi->pdev->dev; + +- drm_bridge_disable(dsi->bridge); ++ drm_bridge_chain_disable(dsi->bridge); + vc4_dsi_ulps(dsi, true); +- drm_bridge_post_disable(dsi->bridge); ++ drm_bridge_chain_post_disable(dsi->bridge); + + clk_disable_unprepare(dsi->pll_phy_clock); + clk_disable_unprepare(dsi->escape_clock); +@@ -1052,7 +1052,7 @@ static void vc4_dsi_encoder_enable(struct drm_encoder *encoder) + + vc4_dsi_ulps(dsi, false); + +- drm_bridge_pre_enable(dsi->bridge); ++ drm_bridge_chain_pre_enable(dsi->bridge); + + if (dsi->mode_flags & MIPI_DSI_MODE_VIDEO) { + DSI_PORT_WRITE(DISP0_CTRL, +@@ -1069,7 +1069,7 @@ static void vc4_dsi_encoder_enable(struct drm_encoder *encoder) + DSI_DISP0_ENABLE); + } + +- drm_bridge_enable(dsi->bridge); ++ drm_bridge_chain_enable(dsi->bridge); + + if (debug_dump_regs) { + struct drm_printer p = drm_info_printer(&dsi->pdev->dev); +diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h +index 7616f6562fe48..442a0654e1bfa 100644 +--- a/include/drm/drm_bridge.h ++++ b/include/drm/drm_bridge.h +@@ -254,9 +254,10 @@ struct drm_bridge_funcs { + * there is one) when this callback is called. + * + * Note that this function will only be invoked in the context of an +- * atomic commit. It will not be invoked from &drm_bridge_pre_enable. It +- * would be prudent to also provide an implementation of @pre_enable if +- * you are expecting driver calls into &drm_bridge_pre_enable. ++ * atomic commit. It will not be invoked from ++ * &drm_bridge_chain_pre_enable. It would be prudent to also provide an ++ * implementation of @pre_enable if you are expecting driver calls into ++ * &drm_bridge_chain_pre_enable. + * + * The @atomic_pre_enable callback is optional. + */ +@@ -279,9 +280,9 @@ struct drm_bridge_funcs { + * chain if there is one. + * + * Note that this function will only be invoked in the context of an +- * atomic commit. It will not be invoked from &drm_bridge_enable. It +- * would be prudent to also provide an implementation of @enable if +- * you are expecting driver calls into &drm_bridge_enable. ++ * atomic commit. It will not be invoked from &drm_bridge_chain_enable. ++ * It would be prudent to also provide an implementation of @enable if ++ * you are expecting driver calls into &drm_bridge_chain_enable. + * + * The enable callback is optional. + */ +@@ -301,9 +302,10 @@ struct drm_bridge_funcs { + * signals) feeding it is still running when this callback is called. + * + * Note that this function will only be invoked in the context of an +- * atomic commit. It will not be invoked from &drm_bridge_disable. It +- * would be prudent to also provide an implementation of @disable if +- * you are expecting driver calls into &drm_bridge_disable. ++ * atomic commit. It will not be invoked from ++ * &drm_bridge_chain_disable. It would be prudent to also provide an ++ * implementation of @disable if you are expecting driver calls into ++ * &drm_bridge_chain_disable. + * + * The disable callback is optional. + */ +@@ -325,10 +327,11 @@ struct drm_bridge_funcs { + * called. + * + * Note that this function will only be invoked in the context of an +- * atomic commit. It will not be invoked from &drm_bridge_post_disable. ++ * atomic commit. It will not be invoked from ++ * &drm_bridge_chain_post_disable. + * It would be prudent to also provide an implementation of + * @post_disable if you are expecting driver calls into +- * &drm_bridge_post_disable. ++ * &drm_bridge_chain_post_disable. + * + * The post_disable callback is optional. + */ +@@ -406,27 +409,28 @@ struct drm_bridge *of_drm_find_bridge(struct device_node *np); + int drm_bridge_attach(struct drm_encoder *encoder, struct drm_bridge *bridge, + struct drm_bridge *previous); + +-bool drm_bridge_mode_fixup(struct drm_bridge *bridge, +- const struct drm_display_mode *mode, +- struct drm_display_mode *adjusted_mode); +-enum drm_mode_status drm_bridge_mode_valid(struct drm_bridge *bridge, +- const struct drm_display_mode *mode); +-void drm_bridge_disable(struct drm_bridge *bridge); +-void drm_bridge_post_disable(struct drm_bridge *bridge); +-void drm_bridge_mode_set(struct drm_bridge *bridge, +- const struct drm_display_mode *mode, +- const struct drm_display_mode *adjusted_mode); +-void drm_bridge_pre_enable(struct drm_bridge *bridge); +-void drm_bridge_enable(struct drm_bridge *bridge); ++bool drm_bridge_chain_mode_fixup(struct drm_bridge *bridge, ++ const struct drm_display_mode *mode, ++ struct drm_display_mode *adjusted_mode); ++enum drm_mode_status ++drm_bridge_chain_mode_valid(struct drm_bridge *bridge, ++ const struct drm_display_mode *mode); ++void drm_bridge_chain_disable(struct drm_bridge *bridge); ++void drm_bridge_chain_post_disable(struct drm_bridge *bridge); ++void drm_bridge_chain_mode_set(struct drm_bridge *bridge, ++ const struct drm_display_mode *mode, ++ const struct drm_display_mode *adjusted_mode); ++void drm_bridge_chain_pre_enable(struct drm_bridge *bridge); ++void drm_bridge_chain_enable(struct drm_bridge *bridge); + +-void drm_atomic_bridge_disable(struct drm_bridge *bridge, +- struct drm_atomic_state *state); +-void drm_atomic_bridge_post_disable(struct drm_bridge *bridge, ++void drm_atomic_bridge_chain_disable(struct drm_bridge *bridge, ++ struct drm_atomic_state *state); ++void drm_atomic_bridge_chain_post_disable(struct drm_bridge *bridge, ++ struct drm_atomic_state *state); ++void drm_atomic_bridge_chain_pre_enable(struct drm_bridge *bridge, ++ struct drm_atomic_state *state); ++void drm_atomic_bridge_chain_enable(struct drm_bridge *bridge, + struct drm_atomic_state *state); +-void drm_atomic_bridge_pre_enable(struct drm_bridge *bridge, +- struct drm_atomic_state *state); +-void drm_atomic_bridge_enable(struct drm_bridge *bridge, +- struct drm_atomic_state *state); + + #ifdef CONFIG_DRM_PANEL_BRIDGE + struct drm_bridge *drm_panel_bridge_add(struct drm_panel *panel, +-- +2.39.2 + diff --git a/queue-5.4/drm-exynos-don-t-reset-bridge-next.patch b/queue-5.4/drm-exynos-don-t-reset-bridge-next.patch new file mode 100644 index 00000000000..36a73f41df3 --- /dev/null +++ b/queue-5.4/drm-exynos-don-t-reset-bridge-next.patch @@ -0,0 +1,41 @@ +From 3f61d47304a22fbab3e62d5143206c539100803e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 17:44:53 +0200 +Subject: drm/exynos: Don't reset bridge->next + +From: Boris Brezillon + +[ Upstream commit bd19c4527056b3e42e8c286136660aa14d0b6c90 ] + +bridge->next is only points to the new bridge if drm_bridge_attach() +succeeds. No need to reset it manually here. + +Note that this change is part of the attempt to make the bridge chain +a double-linked list. In order to do that we must patch all drivers +manipulating the bridge->next field. + +Signed-off-by: Boris Brezillon +Reviewed-by: Laurent Pinchart +Acked-by: Inki Dae +Link: https://patchwork.freedesktop.org/patch/msgid/20191023154512.9762-3-boris.brezillon@collabora.com +Stable-dep-of: 13fcfcb2a9a4 ("drm/msm/mdp5: Add check for kzalloc") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/exynos/exynos_dp.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/exynos/exynos_dp.c b/drivers/gpu/drm/exynos/exynos_dp.c +index e0cfae744afc9..01c5fbf9083a0 100644 +--- a/drivers/gpu/drm/exynos/exynos_dp.c ++++ b/drivers/gpu/drm/exynos/exynos_dp.c +@@ -109,7 +109,6 @@ static int exynos_dp_bridge_attach(struct analogix_dp_plat_data *plat_data, + if (ret) { + DRM_DEV_ERROR(dp->dev, + "Failed to attach bridge to drm\n"); +- bridge->next = NULL; + return ret; + } + } +-- +2.39.2 + diff --git a/queue-5.4/drm-fourcc-add-missing-big-endian-xrgb1555-and-rgb56.patch b/queue-5.4/drm-fourcc-add-missing-big-endian-xrgb1555-and-rgb56.patch new file mode 100644 index 00000000000..d38563ce7eb --- /dev/null +++ b/queue-5.4/drm-fourcc-add-missing-big-endian-xrgb1555-and-rgb56.patch @@ -0,0 +1,50 @@ +From fe591e82dd85f50ea85620b41308a0fe9376c409 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 17:43:10 +0100 +Subject: drm/fourcc: Add missing big-endian XRGB1555 and RGB565 formats + +From: Geert Uytterhoeven + +[ Upstream commit 6fb6c979ca628583d4d0c59a0f8ff977e581ecc0 ] + +As of commit eae06120f1974e1a ("drm: refuse ADDFB2 ioctl for broken +bigendian drivers"), drivers must set the +quirk_addfb_prefer_host_byte_order quirk to make the drm_mode_addfb() +compat code work correctly on big-endian machines. + +While that works fine for big-endian XRGB8888 and ARGB8888, which are +mapped to the existing little-endian BGRX8888 and BGRA8888 formats, it +does not work for big-endian XRGB1555 and RGB565, as the latter are not +listed in the format database. + +Fix this by adding the missing formats. Limit this to big-endian +platforms, as there is currently no need to support these formats on +little-endian platforms. + +Fixes: 6960e6da9cec3f66 ("drm: fix drm_mode_addfb() on big endian machines.") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/3ee1f8144feb96c28742b22384189f1f83bcfc1a.1669221671.git.geert@linux-m68k.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_fourcc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/drm_fourcc.c b/drivers/gpu/drm/drm_fourcc.c +index c630064ccf416..d88a312962b3d 100644 +--- a/drivers/gpu/drm/drm_fourcc.c ++++ b/drivers/gpu/drm/drm_fourcc.c +@@ -178,6 +178,10 @@ const struct drm_format_info *__drm_format_info(u32 format) + { .format = DRM_FORMAT_BGRA5551, .depth = 15, .num_planes = 1, .cpp = { 2, 0, 0 }, .hsub = 1, .vsub = 1, .has_alpha = true }, + { .format = DRM_FORMAT_RGB565, .depth = 16, .num_planes = 1, .cpp = { 2, 0, 0 }, .hsub = 1, .vsub = 1 }, + { .format = DRM_FORMAT_BGR565, .depth = 16, .num_planes = 1, .cpp = { 2, 0, 0 }, .hsub = 1, .vsub = 1 }, ++#ifdef __BIG_ENDIAN ++ { .format = DRM_FORMAT_XRGB1555 | DRM_FORMAT_BIG_ENDIAN, .depth = 15, .num_planes = 1, .cpp = { 2, 0, 0 }, .hsub = 1, .vsub = 1 }, ++ { .format = DRM_FORMAT_RGB565 | DRM_FORMAT_BIG_ENDIAN, .depth = 16, .num_planes = 1, .cpp = { 2, 0, 0 }, .hsub = 1, .vsub = 1 }, ++#endif + { .format = DRM_FORMAT_RGB888, .depth = 24, .num_planes = 1, .cpp = { 3, 0, 0 }, .hsub = 1, .vsub = 1 }, + { .format = DRM_FORMAT_BGR888, .depth = 24, .num_planes = 1, .cpp = { 3, 0, 0 }, .hsub = 1, .vsub = 1 }, + { .format = DRM_FORMAT_XRGB8888, .depth = 24, .num_planes = 1, .cpp = { 4, 0, 0 }, .hsub = 1, .vsub = 1 }, +-- +2.39.2 + diff --git a/queue-5.4/drm-initialize-struct-drm_crtc_state.no_vblank-from-.patch b/queue-5.4/drm-initialize-struct-drm_crtc_state.no_vblank-from-.patch new file mode 100644 index 00000000000..1329366453b --- /dev/null +++ b/queue-5.4/drm-initialize-struct-drm_crtc_state.no_vblank-from-.patch @@ -0,0 +1,215 @@ +From 640f44d3cf1d2c2adc9db78e86cad8384e353df9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jan 2020 13:05:17 +0100 +Subject: drm: Initialize struct drm_crtc_state.no_vblank from device settings + +From: Thomas Zimmermann + +[ Upstream commit 7beb691f1e6f349c9df3384a85e7a53c5601aaaf ] + +At the end of a commit, atomic helpers can generate a fake VBLANK event +automatically. Originally implemented for writeback connectors, the +functionality can be used by any driver and/or hardware without proper +VBLANK interrupt. + +The patch updates the documentation to make this behaviour official: +settings struct drm_crtc_state.no_vblank to true enables automatic +generation of fake VBLANK events. + +The new interface drm_dev_has_vblank() returns true if vblanking has +been initialized for a device, or false otherwise. Atomic helpers use +this function when initializing no_vblank in the CRTC state in +drm_atomic_helper_check_modeset(). If vblanking has been initialized +for a device, no_blank is disabled. Otherwise it's enabled. Hence, +atomic helpers will automatically send out fake VBLANK events with any +driver that did not initialize vblanking. + +v5: + * more precise documentation and commit message +v4: + * replace drm_crtc_has_vblank() with drm_dev_has_vblank() + * add drm_dev_has_vblank() in this patch + * move driver changes into separate patches +v3: + * squash all related changes patches into this patch + +Signed-off-by: Thomas Zimmermann +Acked-by: Gerd Hoffmann +Reviewed-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20200129120531.6891-2-tzimmermann@suse.de +Stable-dep-of: 13fcfcb2a9a4 ("drm/msm/mdp5: Add check for kzalloc") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_atomic_helper.c | 10 ++++++++- + drivers/gpu/drm/drm_vblank.c | 28 ++++++++++++++++++++++++ + include/drm/drm_crtc.h | 34 +++++++++++++++++++++++------ + include/drm/drm_simple_kms_helper.h | 7 ++++-- + include/drm/drm_vblank.h | 1 + + 5 files changed, 70 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c +index e95c45cf5ffe8..62b77f3a950b8 100644 +--- a/drivers/gpu/drm/drm_atomic_helper.c ++++ b/drivers/gpu/drm/drm_atomic_helper.c +@@ -589,6 +589,7 @@ mode_valid(struct drm_atomic_state *state) + * &drm_crtc_state.connectors_changed is set when a connector is added or + * removed from the crtc. &drm_crtc_state.active_changed is set when + * &drm_crtc_state.active changes, which is used for DPMS. ++ * &drm_crtc_state.no_vblank is set from the result of drm_dev_has_vblank(). + * See also: drm_atomic_crtc_needs_modeset() + * + * IMPORTANT: +@@ -655,6 +656,11 @@ drm_atomic_helper_check_modeset(struct drm_device *dev, + + return -EINVAL; + } ++ ++ if (drm_dev_has_vblank(dev)) ++ new_crtc_state->no_vblank = false; ++ else ++ new_crtc_state->no_vblank = true; + } + + ret = handle_conflicting_encoders(state, false); +@@ -2205,7 +2211,9 @@ EXPORT_SYMBOL(drm_atomic_helper_wait_for_dependencies); + * when a job is queued, and any change to the pipeline that does not touch the + * connector is leading to timeouts when calling + * drm_atomic_helper_wait_for_vblanks() or +- * drm_atomic_helper_wait_for_flip_done(). ++ * drm_atomic_helper_wait_for_flip_done(). In addition to writeback ++ * connectors, this function can also fake VBLANK events for CRTCs without ++ * VBLANK interrupt. + * + * This is part of the atomic helper support for nonblocking commits, see + * drm_atomic_helper_setup_commit() for an overview. +diff --git a/drivers/gpu/drm/drm_vblank.c b/drivers/gpu/drm/drm_vblank.c +index 552ec82e9bc52..c98ed8146242d 100644 +--- a/drivers/gpu/drm/drm_vblank.c ++++ b/drivers/gpu/drm/drm_vblank.c +@@ -69,6 +69,12 @@ + * &drm_driver.max_vblank_count. In that case the vblank core only disables the + * vblanks after a timer has expired, which can be configured through the + * ``vblankoffdelay`` module parameter. ++ * ++ * Drivers for hardware without support for vertical-blanking interrupts ++ * must not call drm_vblank_init(). For such drivers, atomic helpers will ++ * automatically generate fake vblank events as part of the display update. ++ * This functionality also can be controlled by the driver by enabling and ++ * disabling struct drm_crtc_state.no_vblank. + */ + + /* Retry timestamp calculation up to 3 times to satisfy +@@ -488,6 +494,28 @@ int drm_vblank_init(struct drm_device *dev, unsigned int num_crtcs) + } + EXPORT_SYMBOL(drm_vblank_init); + ++/** ++ * drm_dev_has_vblank - test if vblanking has been initialized for ++ * a device ++ * @dev: the device ++ * ++ * Drivers may call this function to test if vblank support is ++ * initialized for a device. For most hardware this means that vblanking ++ * can also be enabled. ++ * ++ * Atomic helpers use this function to initialize ++ * &drm_crtc_state.no_vblank. See also drm_atomic_helper_check_modeset(). ++ * ++ * Returns: ++ * True if vblanking has been initialized for the given device, false ++ * otherwise. ++ */ ++bool drm_dev_has_vblank(const struct drm_device *dev) ++{ ++ return dev->num_crtcs != 0; ++} ++EXPORT_SYMBOL(drm_dev_has_vblank); ++ + /** + * drm_crtc_vblank_waitqueue - get vblank waitqueue for the CRTC + * @crtc: which CRTC's vblank waitqueue to retrieve +diff --git a/include/drm/drm_crtc.h b/include/drm/drm_crtc.h +index 408b6f4e63c0c..ebcce95f9da63 100644 +--- a/include/drm/drm_crtc.h ++++ b/include/drm/drm_crtc.h +@@ -175,12 +175,25 @@ struct drm_crtc_state { + * @no_vblank: + * + * Reflects the ability of a CRTC to send VBLANK events. This state +- * usually depends on the pipeline configuration, and the main usuage +- * is CRTCs feeding a writeback connector operating in oneshot mode. +- * In this case the VBLANK event is only generated when a job is queued +- * to the writeback connector, and we want the core to fake VBLANK +- * events when this part of the pipeline hasn't changed but others had +- * or when the CRTC and connectors are being disabled. ++ * usually depends on the pipeline configuration. If set to true, DRM ++ * atomic helpers will send out a fake VBLANK event during display ++ * updates after all hardware changes have been committed. This is ++ * implemented in drm_atomic_helper_fake_vblank(). ++ * ++ * One usage is for drivers and/or hardware without support for VBLANK ++ * interrupts. Such drivers typically do not initialize vblanking ++ * (i.e., call drm_vblank_init() with the number of CRTCs). For CRTCs ++ * without initialized vblanking, this field is set to true in ++ * drm_atomic_helper_check_modeset(), and a fake VBLANK event will be ++ * send out on each update of the display pipeline by ++ * drm_atomic_helper_fake_vblank(). ++ * ++ * Another usage is CRTCs feeding a writeback connector operating in ++ * oneshot mode. In this case the fake VBLANK event is only generated ++ * when a job is queued to the writeback connector, and we want the ++ * core to fake VBLANK events when this part of the pipeline hasn't ++ * changed but others had or when the CRTC and connectors are being ++ * disabled. + * + * __drm_atomic_helper_crtc_duplicate_state() will not reset the value + * from the current state, the CRTC driver is then responsible for +@@ -336,7 +349,14 @@ struct drm_crtc_state { + * - Events for disabled CRTCs are not allowed, and drivers can ignore + * that case. + * +- * This can be handled by the drm_crtc_send_vblank_event() function, ++ * For very simple hardware without VBLANK interrupt, enabling ++ * &struct drm_crtc_state.no_vblank makes DRM's atomic commit helpers ++ * send a fake VBLANK event at the end of the display update after all ++ * hardware changes have been applied. See ++ * drm_atomic_helper_fake_vblank(). ++ * ++ * For more complex hardware this ++ * can be handled by the drm_crtc_send_vblank_event() function, + * which the driver should call on the provided event upon completion of + * the atomic commit. Note that if the driver supports vblank signalling + * and timestamping the vblank counters and timestamps must agree with +diff --git a/include/drm/drm_simple_kms_helper.h b/include/drm/drm_simple_kms_helper.h +index 4d89cd0a60db8..df615eb92b098 100644 +--- a/include/drm/drm_simple_kms_helper.h ++++ b/include/drm/drm_simple_kms_helper.h +@@ -100,8 +100,11 @@ struct drm_simple_display_pipe_funcs { + * This is the function drivers should submit the + * &drm_pending_vblank_event from. Using either + * drm_crtc_arm_vblank_event(), when the driver supports vblank +- * interrupt handling, or drm_crtc_send_vblank_event() directly in case +- * the hardware lacks vblank support entirely. ++ * interrupt handling, or drm_crtc_send_vblank_event() for more ++ * complex case. In case the hardware lacks vblank support entirely, ++ * drivers can set &struct drm_crtc_state.no_vblank in ++ * &struct drm_simple_display_pipe_funcs.check and let DRM's ++ * atomic helper fake a vblank event. + */ + void (*update)(struct drm_simple_display_pipe *pipe, + struct drm_plane_state *old_plane_state); +diff --git a/include/drm/drm_vblank.h b/include/drm/drm_vblank.h +index 9fe4ba8bc622c..2559fb9218699 100644 +--- a/include/drm/drm_vblank.h ++++ b/include/drm/drm_vblank.h +@@ -195,6 +195,7 @@ struct drm_vblank_crtc { + }; + + int drm_vblank_init(struct drm_device *dev, unsigned int num_crtcs); ++bool drm_dev_has_vblank(const struct drm_device *dev); + u64 drm_crtc_vblank_count(struct drm_crtc *crtc); + u64 drm_crtc_vblank_count_and_time(struct drm_crtc *crtc, + ktime_t *vblanktime); +-- +2.39.2 + diff --git a/queue-5.4/drm-mediatek-clean-dangling-pointer-on-bind-error-pa.patch b/queue-5.4/drm-mediatek-clean-dangling-pointer-on-bind-error-pa.patch new file mode 100644 index 00000000000..1cbde66be83 --- /dev/null +++ b/queue-5.4/drm-mediatek-clean-dangling-pointer-on-bind-error-pa.patch @@ -0,0 +1,44 @@ +From c7d80df0ebbb6b7d4c5d437cc1cc26e636cd6f2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 09:39:49 -0500 +Subject: drm/mediatek: Clean dangling pointer on bind error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nícolas F. R. A. Prado + +[ Upstream commit 36aa8c61af55675ed967900fbe5deb32d776f051 ] + +mtk_drm_bind() can fail, in which case drm_dev_put() is called, +destroying the drm_device object. However a pointer to it was still +being held in the private object, and that pointer would be passed along +to DRM in mtk_drm_sys_prepare() if a suspend were triggered at that +point, resulting in a panic. Clean the pointer when destroying the +object in the error path to prevent this from happening. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Nícolas F. R. A. Prado +Reviewed-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20221122143949.3493104-1-nfraprado@collabora.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_drv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_drv.c b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +index f98bb2e263723..5569454ad9e40 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c +@@ -417,6 +417,7 @@ static int mtk_drm_bind(struct device *dev) + err_deinit: + mtk_drm_kms_deinit(drm); + err_free: ++ private->drm = NULL; + drm_dev_put(drm); + return ret; + } +-- +2.39.2 + diff --git a/queue-5.4/drm-mediatek-drop-unbalanced-obj-unref.patch b/queue-5.4/drm-mediatek-drop-unbalanced-obj-unref.patch new file mode 100644 index 00000000000..fad65c9952b --- /dev/null +++ b/queue-5.4/drm-mediatek-drop-unbalanced-obj-unref.patch @@ -0,0 +1,37 @@ +From 8fe75410bf549394ae27f8127ef79517e236ea2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 15:12:55 -0800 +Subject: drm/mediatek: Drop unbalanced obj unref + +From: Rob Clark + +[ Upstream commit 4deef811828e87e26a978d5d6433b261d4713849 ] + +In the error path, mtk_drm_gem_object_mmap() is dropping an obj +reference that it doesn't own. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Rob Clark +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20230119231255.2883365-1-robdclark@gmail.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +index 7ff6de44a9fa8..2fa432287d690 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -142,8 +142,6 @@ static int mtk_drm_gem_object_mmap(struct drm_gem_object *obj, + + ret = dma_mmap_attrs(priv->dma_dev, vma, mtk_gem->cookie, + mtk_gem->dma_addr, obj->size, mtk_gem->dma_attrs); +- if (ret) +- drm_gem_vm_close(vma); + + return ret; + } +-- +2.39.2 + diff --git a/queue-5.4/drm-mediatek-remove-cast-to-pointers-passed-to-kfree.patch b/queue-5.4/drm-mediatek-remove-cast-to-pointers-passed-to-kfree.patch new file mode 100644 index 00000000000..6e141e00dad --- /dev/null +++ b/queue-5.4/drm-mediatek-remove-cast-to-pointers-passed-to-kfree.patch @@ -0,0 +1,51 @@ +From 6d3db4a705388ff3b192dcbf7bd2a958541cc63e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Oct 2019 14:11:07 +0300 +Subject: drm/mediatek: remove cast to pointers passed to kfree + +From: Wambui Karuga + +[ Upstream commit 2ec35bd21d3290c8f76020dc60503deacd18e24b ] + +Remove unnecessary casts to pointer types passed to kfree. +Issue detected by coccinelle: +@@ +type t1; +expression *e; +@@ + +-kfree((t1 *)e); ++kfree(e); + +Signed-off-by: Wambui Karuga +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20191023111107.9972-1-wambui.karugax@gmail.com +Stable-dep-of: 4744cde06f57 ("drm/mediatek: Use NULL instead of 0 for NULL pointer") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +index ca672f1d140de..b04a3c2b111e0 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -271,7 +271,7 @@ void *mtk_drm_gem_prime_vmap(struct drm_gem_object *obj) + pgprot_writecombine(PAGE_KERNEL)); + + out: +- kfree((void *)sgt); ++ kfree(sgt); + + return mtk_gem->kvaddr; + } +@@ -285,5 +285,5 @@ void mtk_drm_gem_prime_vunmap(struct drm_gem_object *obj, void *vaddr) + + vunmap(vaddr); + mtk_gem->kvaddr = 0; +- kfree((void *)mtk_gem->pages); ++ kfree(mtk_gem->pages); + } +-- +2.39.2 + diff --git a/queue-5.4/drm-mediatek-use-null-instead-of-0-for-null-pointer.patch b/queue-5.4/drm-mediatek-use-null-instead-of-0-for-null-pointer.patch new file mode 100644 index 00000000000..f17aae9efb7 --- /dev/null +++ b/queue-5.4/drm-mediatek-use-null-instead-of-0-for-null-pointer.patch @@ -0,0 +1,37 @@ +From f185925e9161d34ed70c5f2bdc981a870fa51561 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 10:44:41 +0800 +Subject: drm/mediatek: Use NULL instead of 0 for NULL pointer + +From: Miles Chen + +[ Upstream commit 4744cde06f57dd6fbaac468663b1fe2f653eaa16 ] + +Use NULL for NULL pointer to fix the following sparse warning: +drivers/gpu/drm/mediatek/mtk_drm_gem.c:265:27: sparse: warning: Using plain integer as NULL pointer + +Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function") +Signed-off-by: Miles Chen +Reviewed-by: AngeloGioacchino Del Regno +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20230111024443.24559-1-miles.chen@mediatek.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +index b04a3c2b111e0..7ff6de44a9fa8 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -284,6 +284,6 @@ void mtk_drm_gem_prime_vunmap(struct drm_gem_object *obj, void *vaddr) + return; + + vunmap(vaddr); +- mtk_gem->kvaddr = 0; ++ mtk_gem->kvaddr = NULL; + kfree(mtk_gem->pages); + } +-- +2.39.2 + diff --git a/queue-5.4/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch b/queue-5.4/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch new file mode 100644 index 00000000000..d8c5167c93f --- /dev/null +++ b/queue-5.4/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch @@ -0,0 +1,117 @@ +From 7444d62e66ffabf856670fedc9bb2496416772e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 17:49:07 -0500 +Subject: drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness + +From: Daniel Mentz + +[ Upstream commit c9d27c6be518b4ef2966d9564654ef99292ea1b3 ] + +The MIPI DCS specification demands that brightness values are sent in +big endian byte order. It also states that one parameter (i.e. one byte) +shall be sent/received for 8 bit wide values, and two parameters shall +be used for values that are between 9 and 16 bits wide. + +Add new functions to properly handle 16-bit brightness in big endian, +since the two 8- and 16-bit cases are distinct from each other. + +[richard: use separate functions instead of switch/case] +[richard: split into 16-bit component] + +Fixes: 1a9d759331b8 ("drm/dsi: Implement DCS set/get display brightness") +Signed-off-by: Daniel Mentz +Link: https://android.googlesource.com/kernel/msm/+/754affd62d0ee268c686c53169b1dbb7deac8550 +[richard: fix 16-bit brightness_get] +Signed-off-by: Richard Acayan +Tested-by: Caleb Connolly +Reviewed-by: Neil Armstrong +Reviewed-by: Sam Ravnborg +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230116224909.23884-2-mailingradian@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 52 ++++++++++++++++++++++++++++++++++ + include/drm/drm_mipi_dsi.h | 4 +++ + 2 files changed, 56 insertions(+) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index bb7f72ade628c..b942c69e9b489 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -1091,6 +1091,58 @@ int mipi_dsi_dcs_get_display_brightness(struct mipi_dsi_device *dsi, + } + EXPORT_SYMBOL(mipi_dsi_dcs_get_display_brightness); + ++/** ++ * mipi_dsi_dcs_set_display_brightness_large() - sets the 16-bit brightness value ++ * of the display ++ * @dsi: DSI peripheral device ++ * @brightness: brightness value ++ * ++ * Return: 0 on success or a negative error code on failure. ++ */ ++int mipi_dsi_dcs_set_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 brightness) ++{ ++ u8 payload[2] = { brightness >> 8, brightness & 0xff }; ++ ssize_t err; ++ ++ err = mipi_dsi_dcs_write(dsi, MIPI_DCS_SET_DISPLAY_BRIGHTNESS, ++ payload, sizeof(payload)); ++ if (err < 0) ++ return err; ++ ++ return 0; ++} ++EXPORT_SYMBOL(mipi_dsi_dcs_set_display_brightness_large); ++ ++/** ++ * mipi_dsi_dcs_get_display_brightness_large() - gets the current 16-bit ++ * brightness value of the display ++ * @dsi: DSI peripheral device ++ * @brightness: brightness value ++ * ++ * Return: 0 on success or a negative error code on failure. ++ */ ++int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 *brightness) ++{ ++ u8 brightness_be[2]; ++ ssize_t err; ++ ++ err = mipi_dsi_dcs_read(dsi, MIPI_DCS_GET_DISPLAY_BRIGHTNESS, ++ brightness_be, sizeof(brightness_be)); ++ if (err <= 0) { ++ if (err == 0) ++ err = -ENODATA; ++ ++ return err; ++ } ++ ++ *brightness = (brightness_be[0] << 8) | brightness_be[1]; ++ ++ return 0; ++} ++EXPORT_SYMBOL(mipi_dsi_dcs_get_display_brightness_large); ++ + static int mipi_dsi_drv_probe(struct device *dev) + { + struct mipi_dsi_driver *drv = to_mipi_dsi_driver(dev->driver); +diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h +index 13cf2ae59f6cb..3057511c88e64 100644 +--- a/include/drm/drm_mipi_dsi.h ++++ b/include/drm/drm_mipi_dsi.h +@@ -279,6 +279,10 @@ int mipi_dsi_dcs_set_display_brightness(struct mipi_dsi_device *dsi, + u16 brightness); + int mipi_dsi_dcs_get_display_brightness(struct mipi_dsi_device *dsi, + u16 *brightness); ++int mipi_dsi_dcs_set_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 brightness); ++int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 *brightness); + + /** + * struct mipi_dsi_driver - DSI driver +-- +2.39.2 + diff --git a/queue-5.4/drm-msm-dpu-add-check-for-cstate.patch b/queue-5.4/drm-msm-dpu-add-check-for-cstate.patch new file mode 100644 index 00000000000..d6e04706930 --- /dev/null +++ b/queue-5.4/drm-msm-dpu-add-check-for-cstate.patch @@ -0,0 +1,45 @@ +From 8a5d9cbf2224f5710d93ba0bf72fb1d882c5ca46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 16:05:17 +0800 +Subject: drm/msm/dpu: Add check for cstate + +From: Jiasheng Jiang + +[ Upstream commit c96988b7d99327bb08bd9efd29a203b22cd88ace ] + +As kzalloc may fail and return NULL pointer, +it should be better to check cstate +in order to avoid the NULL pointer dereference +in __drm_atomic_helper_crtc_reset. + +Fixes: 1cff7440a86e ("drm/msm: Convert to using __drm_atomic_helper_crtc_reset() for reset.") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/514163/ +Link: https://lore.kernel.org/r/20221206080517.43786-1-jiasheng@iscas.ac.cn +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index 4aed5e9a84a45..d61c3855670dd 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -651,7 +651,10 @@ static void dpu_crtc_reset(struct drm_crtc *crtc) + if (crtc->state) + dpu_crtc_destroy_state(crtc, crtc->state); + +- __drm_atomic_helper_crtc_reset(crtc, &cstate->base); ++ if (cstate) ++ __drm_atomic_helper_crtc_reset(crtc, &cstate->base); ++ else ++ __drm_atomic_helper_crtc_reset(crtc, NULL); + } + + /** +-- +2.39.2 + diff --git a/queue-5.4/drm-msm-dpu-add-check-for-pstates.patch b/queue-5.4/drm-msm-dpu-add-check-for-pstates.patch new file mode 100644 index 00000000000..7587fc495d4 --- /dev/null +++ b/queue-5.4/drm-msm-dpu-add-check-for-pstates.patch @@ -0,0 +1,40 @@ +From 291aa5320b614e2a2a2ef5eab2c43beda38f3ce6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 16:02:36 +0800 +Subject: drm/msm/dpu: Add check for pstates + +From: Jiasheng Jiang + +[ Upstream commit 93340e10b9c5fc86730d149636e0aa8b47bb5a34 ] + +As kzalloc may fail and return NULL pointer, +it should be better to check pstates +in order to avoid the NULL pointer dereference. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/514160/ +Link: https://lore.kernel.org/r/20221206080236.43687-1-jiasheng@iscas.ac.cn +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +index d61c3855670dd..2e28db60f4d2f 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c +@@ -836,6 +836,8 @@ static int dpu_crtc_atomic_check(struct drm_crtc *crtc, + } + + pstates = kzalloc(sizeof(*pstates) * DPU_STAGE_MAX * 4, GFP_KERNEL); ++ if (!pstates) ++ return -ENOMEM; + + dpu_crtc = to_dpu_crtc(crtc); + cstate = to_dpu_crtc_state(state); +-- +2.39.2 + diff --git a/queue-5.4/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch b/queue-5.4/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch new file mode 100644 index 00000000000..ba40c949355 --- /dev/null +++ b/queue-5.4/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch @@ -0,0 +1,39 @@ +From f5ffef9cb4174f93018b5d48f87e534d789b543b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 10:16:51 +0800 +Subject: drm/msm/dsi: Add missing check for alloc_ordered_workqueue + +From: Jiasheng Jiang + +[ Upstream commit 115906ca7b535afb1fe7b5406c566ccd3873f82b ] + +Add check for the return value of alloc_ordered_workqueue as it may return +NULL pointer and cause NULL pointer dereference. + +Signed-off-by: Jiasheng Jiang +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/517646/ +Link: https://lore.kernel.org/r/20230110021651.12770-1-jiasheng@iscas.ac.cn +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index 743142e15b4c1..c59764f156f94 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -1877,6 +1877,9 @@ int msm_dsi_host_init(struct msm_dsi *msm_dsi) + + /* setup workqueue */ + msm_host->workqueue = alloc_ordered_workqueue("dsi_drm_work", 0); ++ if (!msm_host->workqueue) ++ return -ENOMEM; ++ + INIT_WORK(&msm_host->err_work, dsi_err_worker); + INIT_WORK(&msm_host->hpd_work, dsi_hpd_worker); + +-- +2.39.2 + diff --git a/queue-5.4/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch b/queue-5.4/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch new file mode 100644 index 00000000000..44acfe8043d --- /dev/null +++ b/queue-5.4/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch @@ -0,0 +1,42 @@ +From 7cdc0c40e9a0bcb9e53b92b6e2958f736343400d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 10:30:11 +0800 +Subject: drm/msm/hdmi: Add missing check for alloc_ordered_workqueue + +From: Jiasheng Jiang + +[ Upstream commit afe4cb96153a0d8003e4e4ebd91b5c543e10df84 ] + +Add check for the return value of alloc_ordered_workqueue as it may return +NULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and +`hdmi_hpd.c`. + +Fixes: c6a57a50ad56 ("drm/msm/hdmi: add hdmi hdcp support (V3)") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/517211/ +Link: https://lore.kernel.org/r/20230106023011.3985-1-jiasheng@iscas.ac.cn +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/hdmi/hdmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c +index 74759bcc68ff0..74b806b3e65f4 100644 +--- a/drivers/gpu/drm/msm/hdmi/hdmi.c ++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c +@@ -248,6 +248,10 @@ static struct hdmi *msm_hdmi_init(struct platform_device *pdev) + pm_runtime_enable(&pdev->dev); + + hdmi->workq = alloc_ordered_workqueue("msm_hdmi", 0); ++ if (!hdmi->workq) { ++ ret = -ENOMEM; ++ goto fail; ++ } + + hdmi->i2c = msm_hdmi_i2c_init(hdmi); + if (IS_ERR(hdmi->i2c)) { +-- +2.39.2 + diff --git a/queue-5.4/drm-msm-mdp5-add-check-for-kzalloc.patch b/queue-5.4/drm-msm-mdp5-add-check-for-kzalloc.patch new file mode 100644 index 00000000000..0c11888bff2 --- /dev/null +++ b/queue-5.4/drm-msm-mdp5-add-check-for-kzalloc.patch @@ -0,0 +1,43 @@ +From 382cb688aaa4d69d275215256a9f1da7706c82ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 15:48:19 +0800 +Subject: drm/msm/mdp5: Add check for kzalloc + +From: Jiasheng Jiang + +[ Upstream commit 13fcfcb2a9a4787fe4e49841d728f6f2e9fa6911 ] + +As kzalloc may fail and return NULL pointer, +it should be better to check the return value +in order to avoid the NULL pointer dereference. + +Fixes: 1cff7440a86e ("drm/msm: Convert to using __drm_atomic_helper_crtc_reset() for reset.") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/514154/ +Link: https://lore.kernel.org/r/20221206074819.18134-1-jiasheng@iscas.ac.cn +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c +index 03d60eb092577..cc60842b47e99 100644 +--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c ++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c +@@ -1050,7 +1050,10 @@ static void mdp5_crtc_reset(struct drm_crtc *crtc) + if (crtc->state) + mdp5_crtc_destroy_state(crtc, crtc->state); + +- __drm_atomic_helper_crtc_reset(crtc, &mdp5_cstate->base); ++ if (mdp5_cstate) ++ __drm_atomic_helper_crtc_reset(crtc, &mdp5_cstate->base); ++ else ++ __drm_atomic_helper_crtc_reset(crtc, NULL); + + drm_crtc_vblank_reset(crtc); + } +-- +2.39.2 + diff --git a/queue-5.4/drm-msm-use-strscpy-instead-of-strncpy.patch b/queue-5.4/drm-msm-use-strscpy-instead-of-strncpy.patch new file mode 100644 index 00000000000..6edac2ef84c --- /dev/null +++ b/queue-5.4/drm-msm-use-strscpy-instead-of-strncpy.patch @@ -0,0 +1,47 @@ +From cc1eadd3fe39f1fcdfa91dece0281a331e4ce28e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 04:01:52 +0200 +Subject: drm/msm: use strscpy instead of strncpy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dmitry Baryshkov + +[ Upstream commit d7fd8634f48d76aa799ed57beb7d87dab91bde80 ] + +Using strncpy can result in non-NULL-terminated destination string. Use +strscpy instead. This fixes following warning: + +drivers/gpu/drm/msm/msm_fence.c: In function ‘msm_fence_context_alloc’: +drivers/gpu/drm/msm/msm_fence.c:25:9: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] + 25 | strncpy(fctx->name, name, sizeof(fctx->name)); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: f97decac5f4c ("drm/msm: Support multiple ringbuffers") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/518787/ +Link: https://lore.kernel.org/r/20230118020152.1689213-1-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_fence.c b/drivers/gpu/drm/msm/msm_fence.c +index cd59a59180385..50a25c119f4d9 100644 +--- a/drivers/gpu/drm/msm/msm_fence.c ++++ b/drivers/gpu/drm/msm/msm_fence.c +@@ -20,7 +20,7 @@ msm_fence_context_alloc(struct drm_device *dev, const char *name) + return ERR_PTR(-ENOMEM); + + fctx->dev = dev; +- strncpy(fctx->name, name, sizeof(fctx->name)); ++ strscpy(fctx->name, name, sizeof(fctx->name)); + fctx->context = dma_fence_context_alloc(1); + init_waitqueue_head(&fctx->event); + spin_lock_init(&fctx->spinlock); +-- +2.39.2 + diff --git a/queue-5.4/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch b/queue-5.4/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch new file mode 100644 index 00000000000..03a2ea56dc0 --- /dev/null +++ b/queue-5.4/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch @@ -0,0 +1,39 @@ +From 71a19784954b08ded88152308ba14c9a7ba2f206 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 16:59:55 +0100 +Subject: drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC + +From: Geert Uytterhoeven + +[ Upstream commit 7783cc67862f9166c901bfa0f80b717aa8d354dd ] + +Freescale/NXP i.MX LCDIF and eLCDIF LCD controllers are only present on +Freescale/NXP i.MX SoCs. Hence add a dependency on ARCH_MXS || +ARCH_MXC, to prevent asking the user about this driver when configuring +a kernel without Freescale/NXP i.MX support. + +Fixes: 45d59d704080cc0c ("drm: Add new driver for MXSFB controller") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Marek Vasut +Signed-off-by: Marek Vasut +Link: https://patchwork.freedesktop.org/patch/msgid/98e74779ca2bc575d91afff03369e86b080c01ac.1669046358.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mxsfb/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/mxsfb/Kconfig b/drivers/gpu/drm/mxsfb/Kconfig +index 33916b7b2c501..e8cb02803d9b6 100644 +--- a/drivers/gpu/drm/mxsfb/Kconfig ++++ b/drivers/gpu/drm/mxsfb/Kconfig +@@ -8,6 +8,7 @@ config DRM_MXSFB + tristate "i.MX23/i.MX28/i.MX6SX MXSFB LCD controller" + depends on DRM && OF + depends on COMMON_CLK ++ depends on ARCH_MXS || ARCH_MXC || COMPILE_TEST + select DRM_MXS + select DRM_KMS_HELPER + select DRM_KMS_CMA_HELPER +-- +2.39.2 + diff --git a/queue-5.4/drm-omap-dsi-fix-excessive-stack-usage.patch b/queue-5.4/drm-omap-dsi-fix-excessive-stack-usage.patch new file mode 100644 index 00000000000..42bfceb6200 --- /dev/null +++ b/queue-5.4/drm-omap-dsi-fix-excessive-stack-usage.patch @@ -0,0 +1,100 @@ +From 095b04027d39485f7f0dd3fa8007ffb813d93ecb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 11:22:05 +0300 +Subject: drm/omap: dsi: Fix excessive stack usage + +From: Tomi Valkeinen + +[ Upstream commit cfca78971b9233aef0891507a98fba62046d4542 ] + +dsi_dump_dsi_irqs(), a function used for debugfs prints, has a large +struct in its frame, which can result in: + +drivers/gpu/drm/omapdrm/dss/dsi.c:1126:1: warning: the frame size of 1060 bytes is larger than 1024 bytes [-Wframe-larger-than=] + +As the performance of the function is of no concern, let's allocate the +struct with kmalloc instead. + +Compile-tested only. + +Signed-off-by: Tomi Valkeinen +Reported-by: kernel test robot +Reviewed-by: Arnd Bergmann +Link: https://patchwork.freedesktop.org/patch/msgid/20220916082206.167427-1-tomi.valkeinen@ideasonboard.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/omapdrm/dss/dsi.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/drivers/gpu/drm/omapdrm/dss/dsi.c b/drivers/gpu/drm/omapdrm/dss/dsi.c +index b30fcaa2d0f55..993d48fb8064d 100644 +--- a/drivers/gpu/drm/omapdrm/dss/dsi.c ++++ b/drivers/gpu/drm/omapdrm/dss/dsi.c +@@ -1444,22 +1444,26 @@ static int dsi_dump_dsi_irqs(struct seq_file *s, void *p) + { + struct dsi_data *dsi = s->private; + unsigned long flags; +- struct dsi_irq_stats stats; ++ struct dsi_irq_stats *stats; ++ ++ stats = kmalloc(sizeof(*stats), GFP_KERNEL); ++ if (!stats) ++ return -ENOMEM; + + spin_lock_irqsave(&dsi->irq_stats_lock, flags); + +- stats = dsi->irq_stats; ++ *stats = dsi->irq_stats; + memset(&dsi->irq_stats, 0, sizeof(dsi->irq_stats)); + dsi->irq_stats.last_reset = jiffies; + + spin_unlock_irqrestore(&dsi->irq_stats_lock, flags); + + seq_printf(s, "period %u ms\n", +- jiffies_to_msecs(jiffies - stats.last_reset)); ++ jiffies_to_msecs(jiffies - stats->last_reset)); + +- seq_printf(s, "irqs %d\n", stats.irq_count); ++ seq_printf(s, "irqs %d\n", stats->irq_count); + #define PIS(x) \ +- seq_printf(s, "%-20s %10d\n", #x, stats.dsi_irqs[ffs(DSI_IRQ_##x)-1]); ++ seq_printf(s, "%-20s %10d\n", #x, stats->dsi_irqs[ffs(DSI_IRQ_##x)-1]); + + seq_printf(s, "-- DSI%d interrupts --\n", dsi->module_id + 1); + PIS(VC0); +@@ -1483,10 +1487,10 @@ static int dsi_dump_dsi_irqs(struct seq_file *s, void *p) + + #define PIS(x) \ + seq_printf(s, "%-20s %10d %10d %10d %10d\n", #x, \ +- stats.vc_irqs[0][ffs(DSI_VC_IRQ_##x)-1], \ +- stats.vc_irqs[1][ffs(DSI_VC_IRQ_##x)-1], \ +- stats.vc_irqs[2][ffs(DSI_VC_IRQ_##x)-1], \ +- stats.vc_irqs[3][ffs(DSI_VC_IRQ_##x)-1]); ++ stats->vc_irqs[0][ffs(DSI_VC_IRQ_##x)-1], \ ++ stats->vc_irqs[1][ffs(DSI_VC_IRQ_##x)-1], \ ++ stats->vc_irqs[2][ffs(DSI_VC_IRQ_##x)-1], \ ++ stats->vc_irqs[3][ffs(DSI_VC_IRQ_##x)-1]); + + seq_printf(s, "-- VC interrupts --\n"); + PIS(CS); +@@ -1502,7 +1506,7 @@ static int dsi_dump_dsi_irqs(struct seq_file *s, void *p) + + #define PIS(x) \ + seq_printf(s, "%-20s %10d\n", #x, \ +- stats.cio_irqs[ffs(DSI_CIO_IRQ_##x)-1]); ++ stats->cio_irqs[ffs(DSI_CIO_IRQ_##x)-1]); + + seq_printf(s, "-- CIO interrupts --\n"); + PIS(ERRSYNCESC1); +@@ -1527,6 +1531,8 @@ static int dsi_dump_dsi_irqs(struct seq_file *s, void *p) + PIS(ULPSACTIVENOT_ALL1); + #undef PIS + ++ kfree(stats); ++ + return 0; + } + #endif +-- +2.39.2 + diff --git a/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-lenovo-id.patch b/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-lenovo-id.patch new file mode 100644 index 00000000000..1b0e986444e --- /dev/null +++ b/queue-5.4/drm-panel-orientation-quirks-add-quirk-for-lenovo-id.patch @@ -0,0 +1,42 @@ +From 2f62bb030618d6973f27f4d3bb5904c5db839b6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 16:46:59 +0000 +Subject: drm: panel-orientation-quirks: Add quirk for Lenovo IdeaPad Duet 3 + 10IGL5 + +From: Darrell Kavanagh + +[ Upstream commit 38b2d8efd03d2e56431b611e3523f0158306451d ] + +Another Lenovo convertable where the panel is installed landscape but is +reported to the kernel as portrait. + +Signed-off-by: Darrell Kavanagh +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20230214164659.3583-1-darrell.kavanagh@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index ce739ba45c551..8768073794fbf 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -278,6 +278,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGL"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, ++ }, { /* Lenovo IdeaPad Duet 3 10IGL5 */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "IdeaPad Duet 3 10IGL5"), ++ }, ++ .driver_data = (void *)&lcd1200x1920_rightside_up, + }, { /* Lenovo Yoga Book X90F / X91F / X91L */ + .matches = { + /* Non exact match to match all versions */ +-- +2.39.2 + diff --git a/queue-5.4/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch b/queue-5.4/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch new file mode 100644 index 00000000000..2481489d596 --- /dev/null +++ b/queue-5.4/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch @@ -0,0 +1,60 @@ +From 8eb7c0ac13e77babdc05624dfa444ef6773257b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 17:47:29 +0800 +Subject: drm/radeon: free iio for atombios when driver shutdown + +From: Liwei Song + +[ Upstream commit 4773fadedca918faec443daaca5e4ea1c0ced144 ] + +Fix below kmemleak when unload radeon driver: + +unreferenced object 0xffff9f8608ede200 (size 512): + comm "systemd-udevd", pid 326, jiffies 4294682822 (age 716.338s) + hex dump (first 32 bytes): + 00 00 00 00 c4 aa ec aa 14 ab 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000062fadebe>] kmem_cache_alloc_trace+0x2f1/0x500 + [<00000000b6883cea>] atom_parse+0x117/0x230 [radeon] + [<00000000158c23fd>] radeon_atombios_init+0xab/0x170 [radeon] + [<00000000683f672e>] si_init+0x57/0x750 [radeon] + [<00000000566cc31f>] radeon_device_init+0x559/0x9c0 [radeon] + [<0000000046efabb3>] radeon_driver_load_kms+0xc1/0x1a0 [radeon] + [<00000000b5155064>] drm_dev_register+0xdd/0x1d0 + [<0000000045fec835>] radeon_pci_probe+0xbd/0x100 [radeon] + [<00000000e69ecca3>] pci_device_probe+0xe1/0x160 + [<0000000019484b76>] really_probe.part.0+0xc1/0x2c0 + [<000000003f2649da>] __driver_probe_device+0x96/0x130 + [<00000000231c5bb1>] driver_probe_device+0x24/0xf0 + [<0000000000a42377>] __driver_attach+0x77/0x190 + [<00000000d7574da6>] bus_for_each_dev+0x7f/0xd0 + [<00000000633166d2>] driver_attach+0x1e/0x30 + [<00000000313b05b8>] bus_add_driver+0x12c/0x1e0 + +iio was allocated in atom_index_iio() called by atom_parse(), +but it doesn't got released when the dirver is shutdown. +Fix this kmemleak by free it in radeon_atombios_fini(). + +Signed-off-by: Liwei Song +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index e892582e847b5..0d0ae89a85686 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -1022,6 +1022,7 @@ void radeon_atombios_fini(struct radeon_device *rdev) + { + if (rdev->mode_info.atom_context) { + kfree(rdev->mode_info.atom_context->scratch); ++ kfree(rdev->mode_info.atom_context->iio); + } + kfree(rdev->mode_info.atom_context); + rdev->mode_info.atom_context = NULL; +-- +2.39.2 + diff --git a/queue-5.4/drm-vc4-dpi-add-option-for-inverting-pixel-clock-and.patch b/queue-5.4/drm-vc4-dpi-add-option-for-inverting-pixel-clock-and.patch new file mode 100644 index 00000000000..efb9640e5ad --- /dev/null +++ b/queue-5.4/drm-vc4-dpi-add-option-for-inverting-pixel-clock-and.patch @@ -0,0 +1,104 @@ +From 40c913e826c366131a985e72c236a4dd8e59cd50 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 16:47:36 +0200 +Subject: drm/vc4: dpi: Add option for inverting pixel clock and output enable + +From: Dave Stevenson + +[ Upstream commit 3c2707632146b22e97b0fbf6778bab8add2eaa1d ] + +DRM provides flags for inverting pixel clock and output enable +signals, but these were not mapped to the relevant registers. + +Add those mappings. + +Signed-off-by: Dave Stevenson +Link: https://lore.kernel.org/r/20220613144800.326124-10-maxime@cerno.tech +Signed-off-by: Maxime Ripard +Stable-dep-of: 0870d86eac8a ("drm/vc4: dpi: Fix format mapping for RGB565") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_dpi.c | 66 ++++++++++++++++++++--------------- + 1 file changed, 38 insertions(+), 28 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_dpi.c b/drivers/gpu/drm/vc4/vc4_dpi.c +index 8a27a6acee61c..c567396f050e9 100644 +--- a/drivers/gpu/drm/vc4/vc4_dpi.c ++++ b/drivers/gpu/drm/vc4/vc4_dpi.c +@@ -151,35 +151,45 @@ static void vc4_dpi_encoder_enable(struct drm_encoder *encoder) + } + drm_connector_list_iter_end(&conn_iter); + +- if (connector && connector->display_info.num_bus_formats) { +- u32 bus_format = connector->display_info.bus_formats[0]; +- +- switch (bus_format) { +- case MEDIA_BUS_FMT_RGB888_1X24: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, +- DPI_FORMAT); +- break; +- case MEDIA_BUS_FMT_BGR888_1X24: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, +- DPI_FORMAT); +- dpi_c |= VC4_SET_FIELD(DPI_ORDER_BGR, DPI_ORDER); +- break; +- case MEDIA_BUS_FMT_RGB666_1X24_CPADHI: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_18BIT_666_RGB_2, +- DPI_FORMAT); +- break; +- case MEDIA_BUS_FMT_RGB666_1X18: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_18BIT_666_RGB_1, +- DPI_FORMAT); +- break; +- case MEDIA_BUS_FMT_RGB565_1X16: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_16BIT_565_RGB_3, +- DPI_FORMAT); +- break; +- default: +- DRM_ERROR("Unknown media bus format %d\n", bus_format); +- break; ++ if (connector) { ++ if (connector->display_info.num_bus_formats) { ++ u32 bus_format = connector->display_info.bus_formats[0]; ++ ++ switch (bus_format) { ++ case MEDIA_BUS_FMT_RGB888_1X24: ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, ++ DPI_FORMAT); ++ break; ++ case MEDIA_BUS_FMT_BGR888_1X24: ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, ++ DPI_FORMAT); ++ dpi_c |= VC4_SET_FIELD(DPI_ORDER_BGR, ++ DPI_ORDER); ++ break; ++ case MEDIA_BUS_FMT_RGB666_1X24_CPADHI: ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_18BIT_666_RGB_2, ++ DPI_FORMAT); ++ break; ++ case MEDIA_BUS_FMT_RGB666_1X18: ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_18BIT_666_RGB_1, ++ DPI_FORMAT); ++ break; ++ case MEDIA_BUS_FMT_RGB565_1X16: ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_16BIT_565_RGB_3, ++ DPI_FORMAT); ++ break; ++ default: ++ DRM_ERROR("Unknown media bus format %d\n", ++ bus_format); ++ break; ++ } + } ++ ++ if (connector->display_info.bus_flags & DRM_BUS_FLAG_PIXDATA_DRIVE_NEGEDGE) ++ dpi_c |= DPI_PIXEL_CLK_INVERT; ++ ++ if (connector->display_info.bus_flags & DRM_BUS_FLAG_DE_LOW) ++ dpi_c |= DPI_OUTPUT_ENABLE_INVERT; + } else { + /* Default to 24bit if no connector found. */ + dpi_c |= VC4_SET_FIELD(DPI_FORMAT_24BIT_888_RGB, DPI_FORMAT); +-- +2.39.2 + diff --git a/queue-5.4/drm-vc4-dpi-fix-format-mapping-for-rgb565.patch b/queue-5.4/drm-vc4-dpi-fix-format-mapping-for-rgb565.patch new file mode 100644 index 00000000000..e98024aca26 --- /dev/null +++ b/queue-5.4/drm-vc4-dpi-fix-format-mapping-for-rgb565.patch @@ -0,0 +1,38 @@ +From d13f6f62ee45ed7164bedb21cfe78bd576b874cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 09:42:52 +0100 +Subject: drm/vc4: dpi: Fix format mapping for RGB565 + +From: Dave Stevenson + +[ Upstream commit 0870d86eac8a9abd89a0be1b719d5dc5bac936f0 ] + +The mapping is incorrect for RGB565_1X16 as it should be +DPI_FORMAT_18BIT_666_RGB_1 instead of DPI_FORMAT_18BIT_666_RGB_3. + +Fixes: 08302c35b59d ("drm/vc4: Add DPI driver") +Signed-off-by: Dave Stevenson +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/20221013-rpi-dpi-improvements-v3-7-eb76e26a772d@cerno.tech +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_dpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_dpi.c b/drivers/gpu/drm/vc4/vc4_dpi.c +index c567396f050e9..9ea2e7beef0ce 100644 +--- a/drivers/gpu/drm/vc4/vc4_dpi.c ++++ b/drivers/gpu/drm/vc4/vc4_dpi.c +@@ -175,7 +175,7 @@ static void vc4_dpi_encoder_enable(struct drm_encoder *encoder) + DPI_FORMAT); + break; + case MEDIA_BUS_FMT_RGB565_1X16: +- dpi_c |= VC4_SET_FIELD(DPI_FORMAT_16BIT_565_RGB_3, ++ dpi_c |= VC4_SET_FIELD(DPI_FORMAT_16BIT_565_RGB_1, + DPI_FORMAT); + break; + default: +-- +2.39.2 + diff --git a/queue-5.4/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch b/queue-5.4/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch new file mode 100644 index 00000000000..a6cc31c38c5 --- /dev/null +++ b/queue-5.4/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch @@ -0,0 +1,44 @@ +From acfc1443f8003f0c5107dcdc20f5ddd705ca3293 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 17:25:03 +0800 +Subject: genirq: Fix the return type of kstat_cpu_irqs_sum() + +From: Zhen Lei + +[ Upstream commit 47904aed898a08f028572b9b5a5cc101ddfb2d82 ] + +The type of member ->irqs_sum is unsigned long, but kstat_cpu_irqs_sum() +returns int, which can result in truncation. Therefore, change the +kstat_cpu_irqs_sum() function's return value to unsigned long to avoid +truncation. + +Fixes: f2c66cd8eedd ("/proc/stat: scalability of irq num per cpu") +Reported-by: Elliott, Robert (Servers) +Signed-off-by: Zhen Lei +Cc: Tejun Heo +Cc: "Peter Zijlstra (Intel)" +Cc: Josh Don +Cc: Andrew Morton +Reviewed-by: Frederic Weisbecker +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + include/linux/kernel_stat.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/kernel_stat.h b/include/linux/kernel_stat.h +index 7ee2bb43b251a..f7f20cf1bd3b1 100644 +--- a/include/linux/kernel_stat.h ++++ b/include/linux/kernel_stat.h +@@ -73,7 +73,7 @@ extern unsigned int kstat_irqs_usr(unsigned int irq); + /* + * Number of interrupts per cpu, since bootup + */ +-static inline unsigned int kstat_cpu_irqs_sum(unsigned int cpu) ++static inline unsigned long kstat_cpu_irqs_sum(unsigned int cpu) + { + return kstat_cpu(cpu).irqs_sum; + } +-- +2.39.2 + diff --git a/queue-5.4/gfs2-jdata-writepage-fix.patch b/queue-5.4/gfs2-jdata-writepage-fix.patch new file mode 100644 index 00000000000..4fe5b95d5a9 --- /dev/null +++ b/queue-5.4/gfs2-jdata-writepage-fix.patch @@ -0,0 +1,45 @@ +From 9a4da7a47ef068c29f276993e449e57a090f4c1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 15:08:50 +0100 +Subject: gfs2: jdata writepage fix + +From: Andreas Gruenbacher + +[ Upstream commit cbb60951ce18c9b6e91d2eb97deb41d8ff616622 ] + +The ->writepage() and ->writepages() operations are supposed to write +entire pages. However, on filesystems with a block size smaller than +PAGE_SIZE, __gfs2_jdata_writepage() only adds the first block to the +current transaction instead of adding the entire page. Fix that. + +Fixes: 18ec7d5c3f43 ("[GFS2] Make journaled data files identical to normal files on disk") +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/aops.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/gfs2/aops.c b/fs/gfs2/aops.c +index b9fe975d7625a..c21383fab33b7 100644 +--- a/fs/gfs2/aops.c ++++ b/fs/gfs2/aops.c +@@ -156,7 +156,6 @@ static int __gfs2_jdata_writepage(struct page *page, struct writeback_control *w + { + struct inode *inode = page->mapping->host; + struct gfs2_inode *ip = GFS2_I(inode); +- struct gfs2_sbd *sdp = GFS2_SB(inode); + + if (PageChecked(page)) { + ClearPageChecked(page); +@@ -164,7 +163,7 @@ static int __gfs2_jdata_writepage(struct page *page, struct writeback_control *w + create_empty_buffers(page, inode->i_sb->s_blocksize, + BIT(BH_Dirty)|BIT(BH_Uptodate)); + } +- gfs2_page_add_databufs(ip, page, 0, sdp->sd_vfs->s_blocksize); ++ gfs2_page_add_databufs(ip, page, 0, PAGE_SIZE); + } + return gfs2_write_full_page(page, gfs2_get_block_noalloc, wbc); + } +-- +2.39.2 + diff --git a/queue-5.4/gpio-vf610-connect-gpio-label-to-dev-name.patch b/queue-5.4/gpio-vf610-connect-gpio-label-to-dev-name.patch new file mode 100644 index 00000000000..4bad49b90a7 --- /dev/null +++ b/queue-5.4/gpio-vf610-connect-gpio-label-to-dev-name.patch @@ -0,0 +1,38 @@ +From 3ba19aeee4779b4c34fa5ef35d3d09e0e6ca0890 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Dec 2022 17:02:47 +0800 +Subject: gpio: vf610: connect GPIO label to dev name + +From: Haibo Chen + +[ Upstream commit 6f8ecb7f85f441eb7d78ba2a4df45ee8a821934e ] + +Current GPIO label is fixed, so can't distinguish different GPIO +controllers through labels. Use dev name instead. + +Fixes: 7f2691a19627 ("gpio: vf610: add gpiolib/IRQ chip driver for Vybrid") +Signed-off-by: Clark Wang +Signed-off-by: Haibo Chen +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-vf610.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index 1ae612c796eef..396a687e020f5 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -304,7 +304,7 @@ static int vf610_gpio_probe(struct platform_device *pdev) + gc = &port->gc; + gc->of_node = np; + gc->parent = dev; +- gc->label = "vf610-gpio"; ++ gc->label = dev_name(dev); + gc->ngpio = VF610_GPIO_PER_PORT; + gc->base = of_alias_get_id(np, "gpio") * VF610_GPIO_PER_PORT; + +-- +2.39.2 + diff --git a/queue-5.4/gpu-host1x-don-t-skip-assigning-syncpoints-to-channe.patch b/queue-5.4/gpu-host1x-don-t-skip-assigning-syncpoints-to-channe.patch new file mode 100644 index 00000000000..301a4f662f5 --- /dev/null +++ b/queue-5.4/gpu-host1x-don-t-skip-assigning-syncpoints-to-channe.patch @@ -0,0 +1,40 @@ +From 2e7377cbedaf688512619f31c31eb4aad33ab1ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 15:39:00 +0200 +Subject: gpu: host1x: Don't skip assigning syncpoints to channels + +From: Mikko Perttunen + +[ Upstream commit eb258cc1fd458e584082be987dbc6ec42668c05e ] + +The code to write the syncpoint channel assignment register +incorrectly skips the write if hypervisor registers are not available. + +The register, however, is within the guest aperture so remove the +check and assign syncpoints properly even on virtualized systems. + +Fixes: c3f52220f276 ("gpu: host1x: Enable Tegra186 syncpoint protection") +Signed-off-by: Mikko Perttunen +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/gpu/host1x/hw/syncpt_hw.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/gpu/host1x/hw/syncpt_hw.c b/drivers/gpu/host1x/hw/syncpt_hw.c +index dd39d67ccec36..8cf35b2eff3db 100644 +--- a/drivers/gpu/host1x/hw/syncpt_hw.c ++++ b/drivers/gpu/host1x/hw/syncpt_hw.c +@@ -106,9 +106,6 @@ static void syncpt_assign_to_channel(struct host1x_syncpt *sp, + #if HOST1X_HW >= 6 + struct host1x *host = sp->host; + +- if (!host->hv_regs) +- return; +- + host1x_sync_writel(host, + HOST1X_SYNC_SYNCPT_CH_APP_CH(ch ? ch->id : 0xff), + HOST1X_SYNC_SYNCPT_CH_APP(sp->id)); +-- +2.39.2 + diff --git a/queue-5.4/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch b/queue-5.4/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch new file mode 100644 index 00000000000..f4ee551891a --- /dev/null +++ b/queue-5.4/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch @@ -0,0 +1,39 @@ +From b7485e50361bb675c0b21e22ce7cae69c2a4f0b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 23:22:27 +0800 +Subject: gpu: ipu-v3: common: Add of_node_put() for reference returned by + of_graph_get_port_by_id() + +From: Liang He + +[ Upstream commit 9afdf98cfdfa2ba8ec068cf08c5fcdc1ed8daf3f ] + +In ipu_add_client_devices(), we need to call of_node_put() for +reference returned by of_graph_get_port_by_id() in fail path. + +Fixes: 17e052175039 ("gpu: ipu-v3: Do not bail out on missing optional port nodes") +Signed-off-by: Liang He +Reviewed-by: Philipp Zabel +Link: https://lore.kernel.org/r/20220720152227.1288413-1-windhl@126.com +Signed-off-by: Philipp Zabel +Link: https://patchwork.freedesktop.org/patch/msgid/20220720152227.1288413-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index b3dae9ec1a38b..528812bf84da7 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -1235,6 +1235,7 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base) + pdev = platform_device_alloc(reg->name, id++); + if (!pdev) { + ret = -ENOMEM; ++ of_node_put(of_node); + goto err_register; + } + +-- +2.39.2 + diff --git a/queue-5.4/hid-add-mapping-for-system-microphone-mute.patch b/queue-5.4/hid-add-mapping-for-system-microphone-mute.patch new file mode 100644 index 00000000000..c978e65686b --- /dev/null +++ b/queue-5.4/hid-add-mapping-for-system-microphone-mute.patch @@ -0,0 +1,58 @@ +From c39e07177ab36d39c8ce24b723735218d4cda567 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Dec 2022 22:53:30 +0000 +Subject: HID: Add Mapping for System Microphone Mute + +From: Jingyuan Liang + +[ Upstream commit 2d60f9f4f26785a00273cb81fe60eff129ebd449 ] + +HUTRR110 added a new usage code for a key that is supposed to +mute/unmute microphone system-wide. + +Map the new usage code(0x01 0xa9) to keycode KEY_MICMUTE. +Additionally hid-debug is adjusted to recognize this keycode as well. + +Signed-off-by: Jingyuan Liang +Reviewed-by: Dmitry Torokhov +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-debug.c | 1 + + drivers/hid/hid-input.c | 8 ++++++++ + 2 files changed, 9 insertions(+) + +diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c +index 419d8dec7e498..0066eab60576c 100644 +--- a/drivers/hid/hid-debug.c ++++ b/drivers/hid/hid-debug.c +@@ -933,6 +933,7 @@ static const char *keys[KEY_MAX + 1] = { + [KEY_VOICECOMMAND] = "VoiceCommand", + [KEY_EMOJI_PICKER] = "EmojiPicker", + [KEY_DICTATE] = "Dictate", ++ [KEY_MICMUTE] = "MicrophoneMute", + [KEY_BRIGHTNESS_MIN] = "BrightnessMin", + [KEY_BRIGHTNESS_MAX] = "BrightnessMax", + [KEY_BRIGHTNESS_AUTO] = "BrightnessAuto", +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index d1ba6fafe960f..004aa3cdeacc7 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -671,6 +671,14 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + break; + } + ++ if ((usage->hid & 0xf0) == 0xa0) { /* SystemControl */ ++ switch (usage->hid & 0xf) { ++ case 0x9: map_key_clear(KEY_MICMUTE); break; ++ default: goto ignore; ++ } ++ break; ++ } ++ + if ((usage->hid & 0xf0) == 0xb0) { /* SC - Display */ + switch (usage->hid & 0xf) { + case 0x05: map_key_clear(KEY_SWITCHVIDEOMODE); break; +-- +2.39.2 + diff --git a/queue-5.4/hid-asus-add-report_size-to-struct-asus_touchpad_inf.patch b/queue-5.4/hid-asus-add-report_size-to-struct-asus_touchpad_inf.patch new file mode 100644 index 00000000000..c6649bff161 --- /dev/null +++ b/queue-5.4/hid-asus-add-report_size-to-struct-asus_touchpad_inf.patch @@ -0,0 +1,92 @@ +From 2f00af1db607913086c006b5ef865c60c642f4e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 16:22:52 +0200 +Subject: HID: asus: Add report_size to struct asus_touchpad_info + +From: Hans de Goede + +[ Upstream commit a61f9e428bf092349fdfebeee37ddefedd3f0fd1 ] + +Add the report_size to struct asus_touchpad_info instead of calculating it. + +This is a preparation patch for adding support for the multi-touch touchpad +found on the Medion Akoya E1239T's keyboard-dock, which uses the same +custom multi-touch protocol as the Asus keyboard-docks (same chipset +vendor, Integrated Technology Express / ITE). + +The only difference in that the Akoya E1239T keyboard-dock's input-reports +have a 5 byte footer instead of a 1 byte footer, which requires the +report_size to be configurable per touchpad-model. + +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers") +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-asus.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c +index 5ea4d678b7413..4d877b4581b40 100644 +--- a/drivers/hid/hid-asus.c ++++ b/drivers/hid/hid-asus.c +@@ -103,6 +103,7 @@ struct asus_touchpad_info { + int res_y; + int contact_size; + int max_contacts; ++ int report_size; + }; + + struct asus_drvdata { +@@ -127,6 +128,7 @@ static const struct asus_touchpad_info asus_i2c_tp = { + .max_y = 1758, + .contact_size = 5, + .max_contacts = 5, ++ .report_size = 28 /* 2 byte header + 5 * 5 + 1 byte footer */, + }; + + static const struct asus_touchpad_info asus_t100ta_tp = { +@@ -136,6 +138,7 @@ static const struct asus_touchpad_info asus_t100ta_tp = { + .res_y = 27, /* units/mm */ + .contact_size = 5, + .max_contacts = 5, ++ .report_size = 28 /* 2 byte header + 5 * 5 + 1 byte footer */, + }; + + static const struct asus_touchpad_info asus_t100ha_tp = { +@@ -145,6 +148,7 @@ static const struct asus_touchpad_info asus_t100ha_tp = { + .res_y = 29, /* units/mm */ + .contact_size = 5, + .max_contacts = 5, ++ .report_size = 28 /* 2 byte header + 5 * 5 + 1 byte footer */, + }; + + static const struct asus_touchpad_info asus_t200ta_tp = { +@@ -154,6 +158,7 @@ static const struct asus_touchpad_info asus_t200ta_tp = { + .res_y = 28, /* units/mm */ + .contact_size = 5, + .max_contacts = 5, ++ .report_size = 28 /* 2 byte header + 5 * 5 + 1 byte footer */, + }; + + static const struct asus_touchpad_info asus_t100chi_tp = { +@@ -163,6 +168,7 @@ static const struct asus_touchpad_info asus_t100chi_tp = { + .res_y = 29, /* units/mm */ + .contact_size = 3, + .max_contacts = 4, ++ .report_size = 15 /* 2 byte header + 3 * 4 + 1 byte footer */, + }; + + static void asus_report_contact_down(struct asus_drvdata *drvdat, +@@ -230,7 +236,7 @@ static int asus_report_input(struct asus_drvdata *drvdat, u8 *data, int size) + int i, toolType = MT_TOOL_FINGER; + u8 *contactData = data + 2; + +- if (size != 3 + drvdat->tp->contact_size * drvdat->tp->max_contacts) ++ if (size != drvdat->tp->report_size) + return 0; + + for (i = 0; i < drvdat->tp->max_contacts; i++) { +-- +2.39.2 + diff --git a/queue-5.4/hid-asus-add-support-for-multi-touch-touchpad-on-med.patch b/queue-5.4/hid-asus-add-support-for-multi-touch-touchpad-on-med.patch new file mode 100644 index 00000000000..6cf4b59699a --- /dev/null +++ b/queue-5.4/hid-asus-add-support-for-multi-touch-touchpad-on-med.patch @@ -0,0 +1,106 @@ +From 7265ab9d113cf357952a9fd0beef485ca67e3b75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 16:22:53 +0200 +Subject: HID: asus: Add support for multi-touch touchpad on Medion Akoya + E1239T + +From: Hans de Goede + +[ Upstream commit e271f6c2df78d60dd4873c790a51dba40e6dfb72 ] + +The multi-touch touchpad found on the Medion Akoya E1239T's keyboard-dock, +uses the same custom multi-touch protocol as the Asus keyboard-docks +(same chipset vendor, Integrated Technology Express / ITE). + +Add support for this using the existing multi-touch touchpad support in +the hid-asus driver. + +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers") +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-asus.c | 26 +++++++++++++++++++++++++- + drivers/hid/hid-ids.h | 1 + + 2 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c +index 4d877b4581b40..bfe754419253e 100644 +--- a/drivers/hid/hid-asus.c ++++ b/drivers/hid/hid-asus.c +@@ -40,6 +40,7 @@ MODULE_AUTHOR("Frederik Wenigwieser "); + MODULE_DESCRIPTION("Asus HID Keyboard and TouchPad"); + + #define T100_TPAD_INTF 2 ++#define MEDION_E1239T_TPAD_INTF 1 + + #define T100CHI_MOUSE_REPORT_ID 0x06 + #define FEATURE_REPORT_ID 0x0d +@@ -77,6 +78,7 @@ MODULE_DESCRIPTION("Asus HID Keyboard and TouchPad"); + #define QUIRK_G752_KEYBOARD BIT(8) + #define QUIRK_T101HA_DOCK BIT(9) + #define QUIRK_T90CHI BIT(10) ++#define QUIRK_MEDION_E1239T BIT(11) + + #define I2C_KEYBOARD_QUIRKS (QUIRK_FIX_NOTEBOOK_REPORT | \ + QUIRK_NO_INIT_REPORTS | \ +@@ -171,6 +173,16 @@ static const struct asus_touchpad_info asus_t100chi_tp = { + .report_size = 15 /* 2 byte header + 3 * 4 + 1 byte footer */, + }; + ++static const struct asus_touchpad_info medion_e1239t_tp = { ++ .max_x = 2640, ++ .max_y = 1380, ++ .res_x = 29, /* units/mm */ ++ .res_y = 28, /* units/mm */ ++ .contact_size = 5, ++ .max_contacts = 5, ++ .report_size = 32 /* 2 byte header + 5 * 5 + 5 byte footer */, ++}; ++ + static void asus_report_contact_down(struct asus_drvdata *drvdat, + int toolType, u8 *data) + { +@@ -903,6 +915,17 @@ static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id) + drvdata->tp = &asus_t100chi_tp; + } + ++ if ((drvdata->quirks & QUIRK_MEDION_E1239T) && ++ hid_is_using_ll_driver(hdev, &usb_hid_driver)) { ++ struct usb_host_interface *alt = ++ to_usb_interface(hdev->dev.parent)->altsetting; ++ ++ if (alt->desc.bInterfaceNumber == MEDION_E1239T_TPAD_INTF) { ++ drvdata->quirks |= QUIRK_SKIP_INPUT_MAPPING; ++ drvdata->tp = &medion_e1239t_tp; ++ } ++ } ++ + if (drvdata->quirks & QUIRK_NO_INIT_REPORTS) + hdev->quirks |= HID_QUIRK_NO_INIT_REPORTS; + +@@ -1086,7 +1109,8 @@ static const struct hid_device_id asus_devices[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_JESS, USB_DEVICE_ID_ASUS_MD_5112) }, + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ASUSTEK, + USB_DEVICE_ID_ASUSTEK_T100CHI_KEYBOARD), QUIRK_T100CHI }, +- ++ { HID_USB_DEVICE(USB_VENDOR_ID_ITE, USB_DEVICE_ID_ITE_MEDION_E1239T), ++ QUIRK_MEDION_E1239T }, + { } + }; + MODULE_DEVICE_TABLE(hid, asus_devices); +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 1c034c397e3e7..b883423a89c5d 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -650,6 +650,7 @@ + #define I2C_DEVICE_ID_ITE_LENOVO_LEGION_Y720 0x837a + #define USB_DEVICE_ID_ITE_LENOVO_YOGA900 0x8396 + #define USB_DEVICE_ID_ITE8595 0x8595 ++#define USB_DEVICE_ID_ITE_MEDION_E1239T 0xce50 + + #define USB_VENDOR_ID_JABRA 0x0b0e + #define USB_DEVICE_ID_JABRA_SPEAK_410 0x0412 +-- +2.39.2 + diff --git a/queue-5.4/hid-asus-fix-mute-and-touchpad-toggle-keys-on-medion.patch b/queue-5.4/hid-asus-fix-mute-and-touchpad-toggle-keys-on-medion.patch new file mode 100644 index 00000000000..762465c7679 --- /dev/null +++ b/queue-5.4/hid-asus-fix-mute-and-touchpad-toggle-keys-on-medion.patch @@ -0,0 +1,145 @@ +From 777dd68ec79ed5afec1de82841f2a4bd78140f15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 16:22:54 +0200 +Subject: HID: asus: Fix mute and touchpad-toggle keys on Medion Akoya E1239T + +From: Hans de Goede + +[ Upstream commit 350bd245fc180032b442633d40ab37ff8e60e8eb ] + +The mute key, is broken. All the consumer keys on the keyboard USB +interface work normally, except for mute which only sends press events +and never sends release events. + +The touchpad key sends the otherwise unused input report with a report-id +of 5 on the touchpad interface. It too only sends press events. This also +requires extra special handling since the multi-touch touchpad events and +the KEY_F21 events for the touchpad toggle must not be send from the same +input_dev (userspace cannot handle this). + +This commit adds special handlig for both, fixing these keys not working. + +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers") +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-asus.c | 60 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 60 insertions(+) + +diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c +index bfe754419253e..e15ba7f5fe0a0 100644 +--- a/drivers/hid/hid-asus.c ++++ b/drivers/hid/hid-asus.c +@@ -42,6 +42,7 @@ MODULE_DESCRIPTION("Asus HID Keyboard and TouchPad"); + #define T100_TPAD_INTF 2 + #define MEDION_E1239T_TPAD_INTF 1 + ++#define E1239T_TP_TOGGLE_REPORT_ID 0x05 + #define T100CHI_MOUSE_REPORT_ID 0x06 + #define FEATURE_REPORT_ID 0x0d + #define INPUT_REPORT_ID 0x5d +@@ -112,6 +113,7 @@ struct asus_drvdata { + unsigned long quirks; + struct hid_device *hdev; + struct input_dev *input; ++ struct input_dev *tp_kbd_input; + struct asus_kbd_leds *kbd_backlight; + const struct asus_touchpad_info *tp; + bool enable_backlight; +@@ -276,6 +278,34 @@ static int asus_report_input(struct asus_drvdata *drvdat, u8 *data, int size) + return 1; + } + ++static int asus_e1239t_event(struct asus_drvdata *drvdat, u8 *data, int size) ++{ ++ if (size != 3) ++ return 0; ++ ++ /* Handle broken mute key which only sends press events */ ++ if (!drvdat->tp && ++ data[0] == 0x02 && data[1] == 0xe2 && data[2] == 0x00) { ++ input_report_key(drvdat->input, KEY_MUTE, 1); ++ input_sync(drvdat->input); ++ input_report_key(drvdat->input, KEY_MUTE, 0); ++ input_sync(drvdat->input); ++ return 1; ++ } ++ ++ /* Handle custom touchpad toggle key which only sends press events */ ++ if (drvdat->tp_kbd_input && ++ data[0] == 0x05 && data[1] == 0x02 && data[2] == 0x28) { ++ input_report_key(drvdat->tp_kbd_input, KEY_F21, 1); ++ input_sync(drvdat->tp_kbd_input); ++ input_report_key(drvdat->tp_kbd_input, KEY_F21, 0); ++ input_sync(drvdat->tp_kbd_input); ++ return 1; ++ } ++ ++ return 0; ++} ++ + static int asus_event(struct hid_device *hdev, struct hid_field *field, + struct hid_usage *usage, __s32 value) + { +@@ -300,6 +330,9 @@ static int asus_raw_event(struct hid_device *hdev, + if (drvdata->tp && data[0] == INPUT_REPORT_ID) + return asus_report_input(drvdata, data, size); + ++ if (drvdata->quirks & QUIRK_MEDION_E1239T) ++ return asus_e1239t_event(drvdata, data, size); ++ + return 0; + } + +@@ -653,6 +686,21 @@ static int asus_input_configured(struct hid_device *hdev, struct hid_input *hi) + hi->report->id != T100CHI_MOUSE_REPORT_ID) + return 0; + ++ /* Handle MULTI_INPUT on E1239T mouse/touchpad USB interface */ ++ if (drvdata->tp && (drvdata->quirks & QUIRK_MEDION_E1239T)) { ++ switch (hi->report->id) { ++ case E1239T_TP_TOGGLE_REPORT_ID: ++ input_set_capability(input, EV_KEY, KEY_F21); ++ input->name = "Asus Touchpad Keys"; ++ drvdata->tp_kbd_input = input; ++ return 0; ++ case INPUT_REPORT_ID: ++ break; /* Touchpad report, handled below */ ++ default: ++ return 0; /* Ignore other reports */ ++ } ++ } ++ + if (drvdata->tp) { + int ret; + +@@ -820,6 +868,16 @@ static int asus_input_mapping(struct hid_device *hdev, + } + } + ++ /* ++ * The mute button is broken and only sends press events, we ++ * deal with this in our raw_event handler, so do not map it. ++ */ ++ if ((drvdata->quirks & QUIRK_MEDION_E1239T) && ++ usage->hid == (HID_UP_CONSUMER | 0xe2)) { ++ input_set_capability(hi->input, EV_KEY, KEY_MUTE); ++ return -1; ++ } ++ + return 0; + } + +@@ -921,6 +979,8 @@ static int asus_probe(struct hid_device *hdev, const struct hid_device_id *id) + to_usb_interface(hdev->dev.parent)->altsetting; + + if (alt->desc.bInterfaceNumber == MEDION_E1239T_TPAD_INTF) { ++ /* For separate input-devs for tp and tp toggle key */ ++ hdev->quirks |= HID_QUIRK_MULTI_INPUT; + drvdata->quirks |= QUIRK_SKIP_INPUT_MAPPING; + drvdata->tp = &medion_e1239t_tp; + } +-- +2.39.2 + diff --git a/queue-5.4/hid-asus-only-set-ev_rep-if-we-are-adding-a-mapping.patch b/queue-5.4/hid-asus-only-set-ev_rep-if-we-are-adding-a-mapping.patch new file mode 100644 index 00000000000..450f8a51265 --- /dev/null +++ b/queue-5.4/hid-asus-only-set-ev_rep-if-we-are-adding-a-mapping.patch @@ -0,0 +1,65 @@ +From 7529127c9d5ab2f3b1b16d123495edf670f4fe28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Apr 2020 16:22:49 +0200 +Subject: HID: asus: Only set EV_REP if we are adding a mapping + +From: Hans de Goede + +[ Upstream commit 4e4c60f826772dfeaacdf718f64afa38f46b6875 ] + +Make asus_input_mapping() only set EV_REP if we are adding a mapping. + +The T100CHI bluetooth keyboard dock has a few input reports for which +we do not create any mappings (these input-reports are present in the +descriptors but never send). + +The hid-asus code relies on the HID core not creating input devices for +input-reports without any mappings. But the present of the EV_REP but +counts as a mapping causing 6 /dev/input/event# nodes to be created for +the T100CHI bluetooth keyboard dock. This change brings the amount of +created /dev/input/event# nodes / input-devices down to 4. + +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Stable-dep-of: 4ab3a086d10e ("HID: asus: use spinlock to safely schedule workers") +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-asus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-asus.c b/drivers/hid/hid-asus.c +index e1e27d87c86be..5ea4d678b7413 100644 +--- a/drivers/hid/hid-asus.c ++++ b/drivers/hid/hid-asus.c +@@ -714,7 +714,6 @@ static int asus_input_mapping(struct hid_device *hdev, + + /* ASUS-specific keyboard hotkeys */ + if ((usage->hid & HID_USAGE_PAGE) == 0xff310000) { +- set_bit(EV_REP, hi->input->evbit); + switch (usage->hid & HID_USAGE) { + case 0x10: asus_map_key_clear(KEY_BRIGHTNESSDOWN); break; + case 0x20: asus_map_key_clear(KEY_BRIGHTNESSUP); break; +@@ -757,11 +756,11 @@ static int asus_input_mapping(struct hid_device *hdev, + if (drvdata->quirks & QUIRK_USE_KBD_BACKLIGHT) + drvdata->enable_backlight = true; + ++ set_bit(EV_REP, hi->input->evbit); + return 1; + } + + if ((usage->hid & HID_USAGE_PAGE) == HID_UP_MSVENDOR) { +- set_bit(EV_REP, hi->input->evbit); + switch (usage->hid & HID_USAGE) { + case 0xff01: asus_map_key_clear(BTN_1); break; + case 0xff02: asus_map_key_clear(BTN_2); break; +@@ -784,6 +783,7 @@ static int asus_input_mapping(struct hid_device *hdev, + return 0; + } + ++ set_bit(EV_REP, hi->input->evbit); + return 1; + } + +-- +2.39.2 + diff --git a/queue-5.4/hid-bigben-use-spinlock-to-protect-concurrent-access.patch b/queue-5.4/hid-bigben-use-spinlock-to-protect-concurrent-access.patch new file mode 100644 index 00000000000..f6ac72bdfae --- /dev/null +++ b/queue-5.4/hid-bigben-use-spinlock-to-protect-concurrent-access.patch @@ -0,0 +1,173 @@ +From e6e5a856d7dc8f588ea58c55fc7fe71fac2de26b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 18:59:59 +0000 +Subject: HID: bigben: use spinlock to protect concurrent accesses + +From: Pietro Borrello + +[ Upstream commit 9fefb6201c4f8dd9f58c581b2a66e5cde2895ea2 ] + +bigben driver has a worker that may access data concurrently. +Proct the accesses using a spinlock. + +Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad") +Signed-off-by: Pietro Borrello +Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-1-7860c5763c38@diag.uniroma1.it +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-bigbenff.c | 52 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 50 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index e8b16665860d6..ed3d2d7bc1dd4 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -174,6 +174,7 @@ static __u8 pid0902_rdesc_fixed[] = { + struct bigben_device { + struct hid_device *hid; + struct hid_report *report; ++ spinlock_t lock; + bool removed; + u8 led_state; /* LED1 = 1 .. LED4 = 8 */ + u8 right_motor_on; /* right motor off/on 0/1 */ +@@ -190,12 +191,27 @@ static void bigben_worker(struct work_struct *work) + struct bigben_device *bigben = container_of(work, + struct bigben_device, worker); + struct hid_field *report_field = bigben->report->field[0]; ++ bool do_work_led = false; ++ bool do_work_ff = false; ++ u8 *buf; ++ u32 len; ++ unsigned long flags; + + if (bigben->removed || !report_field) + return; + ++ buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); ++ if (!buf) ++ return; ++ ++ len = hid_report_len(bigben->report); ++ ++ /* LED work */ ++ spin_lock_irqsave(&bigben->lock, flags); ++ + if (bigben->work_led) { + bigben->work_led = false; ++ do_work_led = true; + report_field->value[0] = 0x01; /* 1 = led message */ + report_field->value[1] = 0x08; /* reserved value, always 8 */ + report_field->value[2] = bigben->led_state; +@@ -204,11 +220,22 @@ static void bigben_worker(struct work_struct *work) + report_field->value[5] = 0x00; /* padding */ + report_field->value[6] = 0x00; /* padding */ + report_field->value[7] = 0x00; /* padding */ +- hid_hw_request(bigben->hid, bigben->report, HID_REQ_SET_REPORT); ++ hid_output_report(bigben->report, buf); ++ } ++ ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ ++ if (do_work_led) { ++ hid_hw_raw_request(bigben->hid, bigben->report->id, buf, len, ++ bigben->report->type, HID_REQ_SET_REPORT); + } + ++ /* FF work */ ++ spin_lock_irqsave(&bigben->lock, flags); ++ + if (bigben->work_ff) { + bigben->work_ff = false; ++ do_work_ff = true; + report_field->value[0] = 0x02; /* 2 = rumble effect message */ + report_field->value[1] = 0x08; /* reserved value, always 8 */ + report_field->value[2] = bigben->right_motor_on; +@@ -217,8 +244,17 @@ static void bigben_worker(struct work_struct *work) + report_field->value[5] = 0x00; /* padding */ + report_field->value[6] = 0x00; /* padding */ + report_field->value[7] = 0x00; /* padding */ +- hid_hw_request(bigben->hid, bigben->report, HID_REQ_SET_REPORT); ++ hid_output_report(bigben->report, buf); ++ } ++ ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ ++ if (do_work_ff) { ++ hid_hw_raw_request(bigben->hid, bigben->report->id, buf, len, ++ bigben->report->type, HID_REQ_SET_REPORT); + } ++ ++ kfree(buf); + } + + static int hid_bigben_play_effect(struct input_dev *dev, void *data, +@@ -228,6 +264,7 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, + struct bigben_device *bigben = hid_get_drvdata(hid); + u8 right_motor_on; + u8 left_motor_force; ++ unsigned long flags; + + if (!bigben) { + hid_err(hid, "no device data\n"); +@@ -242,9 +279,12 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, + + if (right_motor_on != bigben->right_motor_on || + left_motor_force != bigben->left_motor_force) { ++ spin_lock_irqsave(&bigben->lock, flags); + bigben->right_motor_on = right_motor_on; + bigben->left_motor_force = left_motor_force; + bigben->work_ff = true; ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ + schedule_work(&bigben->worker); + } + +@@ -259,6 +299,7 @@ static void bigben_set_led(struct led_classdev *led, + struct bigben_device *bigben = hid_get_drvdata(hid); + int n; + bool work; ++ unsigned long flags; + + if (!bigben) { + hid_err(hid, "no device data\n"); +@@ -267,6 +308,7 @@ static void bigben_set_led(struct led_classdev *led, + + for (n = 0; n < NUM_LEDS; n++) { + if (led == bigben->leds[n]) { ++ spin_lock_irqsave(&bigben->lock, flags); + if (value == LED_OFF) { + work = (bigben->led_state & BIT(n)); + bigben->led_state &= ~BIT(n); +@@ -274,6 +316,7 @@ static void bigben_set_led(struct led_classdev *led, + work = !(bigben->led_state & BIT(n)); + bigben->led_state |= BIT(n); + } ++ spin_unlock_irqrestore(&bigben->lock, flags); + + if (work) { + bigben->work_led = true; +@@ -307,8 +350,12 @@ static enum led_brightness bigben_get_led(struct led_classdev *led) + static void bigben_remove(struct hid_device *hid) + { + struct bigben_device *bigben = hid_get_drvdata(hid); ++ unsigned long flags; + ++ spin_lock_irqsave(&bigben->lock, flags); + bigben->removed = true; ++ spin_unlock_irqrestore(&bigben->lock, flags); ++ + cancel_work_sync(&bigben->worker); + hid_hw_stop(hid); + } +@@ -362,6 +409,7 @@ static int bigben_probe(struct hid_device *hid, + set_bit(FF_RUMBLE, hidinput->input->ffbit); + + INIT_WORK(&bigben->worker, bigben_worker); ++ spin_lock_init(&bigben->lock); + + error = input_ff_create_memless(hidinput->input, NULL, + hid_bigben_play_effect); +-- +2.39.2 + diff --git a/queue-5.4/hid-bigben-use-spinlock-to-safely-schedule-workers.patch b/queue-5.4/hid-bigben-use-spinlock-to-safely-schedule-workers.patch new file mode 100644 index 00000000000..ab092ea6954 --- /dev/null +++ b/queue-5.4/hid-bigben-use-spinlock-to-safely-schedule-workers.patch @@ -0,0 +1,83 @@ +From 5aa258b04fd22cf7c59725f678e327faecf6a4a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 19:00:01 +0000 +Subject: HID: bigben: use spinlock to safely schedule workers + +From: Pietro Borrello + +[ Upstream commit 76ca8da989c7d97a7f76c75d475fe95a584439d7 ] + +Use spinlocks to deal with workers introducing a wrapper +bigben_schedule_work(), and several spinlock checks. +Otherwise, bigben_set_led() may schedule bigben->worker after the +structure has been freed, causing a use-after-free. + +Fixes: 4eb1b01de5b9 ("HID: hid-bigbenff: fix race condition for scheduled work during removal") +Signed-off-by: Pietro Borrello +Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-3-7860c5763c38@diag.uniroma1.it +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-bigbenff.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index b98c5f31c184b..9d6560db762b1 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -185,6 +185,15 @@ struct bigben_device { + struct work_struct worker; + }; + ++static inline void bigben_schedule_work(struct bigben_device *bigben) ++{ ++ unsigned long flags; ++ ++ spin_lock_irqsave(&bigben->lock, flags); ++ if (!bigben->removed) ++ schedule_work(&bigben->worker); ++ spin_unlock_irqrestore(&bigben->lock, flags); ++} + + static void bigben_worker(struct work_struct *work) + { +@@ -197,9 +206,6 @@ static void bigben_worker(struct work_struct *work) + u32 len; + unsigned long flags; + +- if (bigben->removed) +- return; +- + buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); + if (!buf) + return; +@@ -285,7 +291,7 @@ static int hid_bigben_play_effect(struct input_dev *dev, void *data, + bigben->work_ff = true; + spin_unlock_irqrestore(&bigben->lock, flags); + +- schedule_work(&bigben->worker); ++ bigben_schedule_work(bigben); + } + + return 0; +@@ -320,7 +326,7 @@ static void bigben_set_led(struct led_classdev *led, + + if (work) { + bigben->work_led = true; +- schedule_work(&bigben->worker); ++ bigben_schedule_work(bigben); + } + return; + } +@@ -450,7 +456,7 @@ static int bigben_probe(struct hid_device *hid, + bigben->left_motor_force = 0; + bigben->work_led = true; + bigben->work_ff = true; +- schedule_work(&bigben->worker); ++ bigben_schedule_work(bigben); + + hid_info(hid, "LED and force feedback support for BigBen gamepad\n"); + +-- +2.39.2 + diff --git a/queue-5.4/hid-bigben_probe-validate-report-count.patch b/queue-5.4/hid-bigben_probe-validate-report-count.patch new file mode 100644 index 00000000000..a29bcc43592 --- /dev/null +++ b/queue-5.4/hid-bigben_probe-validate-report-count.patch @@ -0,0 +1,57 @@ +From 766a94015bc36a7805e4d40767fd83e52e267466 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 00:01:44 +0000 +Subject: hid: bigben_probe(): validate report count + +From: Pietro Borrello + +[ Upstream commit b94335f899542a0da5fafc38af8edcaf90195843 ] + +bigben_probe() does not validate that the output report has the +needed report values in the first field. +A malicious device registering a report with one field and a single +value causes an head OOB write in bigben_worker() when +accessing report_field->value[1] to report_field->value[7]. +Use hid_validate_values() which takes care of all the needed checks. + +Fixes: 256a90ed9e46 ("HID: hid-bigbenff: driver for BigBen Interactive PS3OFMINIPAD gamepad") +Signed-off-by: Pietro Borrello +Link: https://lore.kernel.org/r/20230211-bigben-oob-v1-1-d2849688594c@diag.uniroma1.it +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-bigbenff.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index 9d6560db762b1..a02cb517b4c47 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -371,7 +371,6 @@ static int bigben_probe(struct hid_device *hid, + { + struct bigben_device *bigben; + struct hid_input *hidinput; +- struct list_head *report_list; + struct led_classdev *led; + char *name; + size_t name_sz; +@@ -396,14 +395,12 @@ static int bigben_probe(struct hid_device *hid, + return error; + } + +- report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; +- if (list_empty(report_list)) { ++ bigben->report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 8); ++ if (!bigben->report) { + hid_err(hid, "no output report found\n"); + error = -ENODEV; + goto error_hw_stop; + } +- bigben->report = list_entry(report_list->next, +- struct hid_report, list); + + if (list_empty(&hid->inputs)) { + hid_err(hid, "no inputs found\n"); +-- +2.39.2 + diff --git a/queue-5.4/hid-bigben_worker-remove-unneeded-check-on-report_fi.patch b/queue-5.4/hid-bigben_worker-remove-unneeded-check-on-report_fi.patch new file mode 100644 index 00000000000..16cb585d57c --- /dev/null +++ b/queue-5.4/hid-bigben_worker-remove-unneeded-check-on-report_fi.patch @@ -0,0 +1,44 @@ +From a7a77422c34f71c0eac510c2ec7826cefc4114a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 19:00:00 +0000 +Subject: HID: bigben_worker() remove unneeded check on report_field + +From: Pietro Borrello + +[ Upstream commit 27d2a2fd844ec7da70d19fabb482304fd1e0595b ] + +bigben_worker() checks report_field to be non-NULL. +The check has been added in commit +918aa1ef104d ("HID: bigbenff: prevent null pointer dereference") +to prevent a NULL pointer crash. +However, the true root cause was a missing check for output +reports, patched in commit +c7bf714f8755 ("HID: check empty report_list in bigben_probe()"), +where the type-confused report list_entry was overlapping with +a NULL pointer, which was then causing the crash. + +Fixes: 918aa1ef104d ("HID: bigbenff: prevent null pointer dereference") +Signed-off-by: Pietro Borrello +Link: https://lore.kernel.org/r/20230125-hid-unregister-leds-v4-2-7860c5763c38@diag.uniroma1.it +Signed-off-by: Benjamin Tissoires +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-bigbenff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-bigbenff.c b/drivers/hid/hid-bigbenff.c +index ed3d2d7bc1dd4..b98c5f31c184b 100644 +--- a/drivers/hid/hid-bigbenff.c ++++ b/drivers/hid/hid-bigbenff.c +@@ -197,7 +197,7 @@ static void bigben_worker(struct work_struct *work) + u32 len; + unsigned long flags; + +- if (bigben->removed || !report_field) ++ if (bigben->removed) + return; + + buf = hid_alloc_report_buf(bigben->report, GFP_KERNEL); +-- +2.39.2 + diff --git a/queue-5.4/hwmon-coretemp-simplify-platform-device-handling.patch b/queue-5.4/hwmon-coretemp-simplify-platform-device-handling.patch new file mode 100644 index 00000000000..941952629c0 --- /dev/null +++ b/queue-5.4/hwmon-coretemp-simplify-platform-device-handling.patch @@ -0,0 +1,280 @@ +From 6efd10a792e5a3926b5377d6bc9c51dae07aba55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jan 2023 12:46:20 +0100 +Subject: hwmon: (coretemp) Simplify platform device handling + +From: Robin Murphy + +[ Upstream commit 6d03bbff456befeccdd4d663177c4d6c75d0c4ff ] + +Coretemp's platform driver is unconventional. All the real work is done +globally by the initcall and CPU hotplug notifiers, while the "driver" +effectively just wraps an allocation and the registration of the hwmon +interface in a long-winded round-trip through the driver core. The whole +logic of dynamically creating and destroying platform devices to bring +the interfaces up and down is error prone, since it assumes +platform_device_add() will synchronously bind the driver and set drvdata +before it returns, thus results in a NULL dereference if drivers_autoprobe +is turned off for the platform bus. Furthermore, the unusual approach of +doing that from within a CPU hotplug notifier, already commented in the +code that it deadlocks suspend, also causes lockdep issues for other +drivers or subsystems which may want to legitimately register a CPU +hotplug notifier from a platform bus notifier. + +All of these issues can be solved by ripping this unusual behaviour out +completely, simply tying the platform devices to the lifetime of the +module itself, and directly managing the hwmon interfaces from the +hotplug notifiers. There is a slight user-visible change in that +/sys/bus/platform/drivers/coretemp will no longer appear, and +/sys/devices/platform/coretemp.n will remain present if package n is +hotplugged off, but hwmon users should really only be looking for the +presence of the hwmon interfaces, whose behaviour remains unchanged. + +Link: https://lore.kernel.org/lkml/20220922101036.87457-1-janusz.krzysztofik@linux.intel.com/ +Link: https://gitlab.freedesktop.org/drm/intel/issues/6641 +Signed-off-by: Robin Murphy +Signed-off-by: Janusz Krzysztofik +Link: https://lore.kernel.org/r/20230103114620.15319-1-janusz.krzysztofik@linux.intel.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 128 ++++++++++++++++++--------------------- + 1 file changed, 58 insertions(+), 70 deletions(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 7a64ff6a8779c..e232f44f6c9ac 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -550,66 +550,49 @@ static void coretemp_remove_core(struct platform_data *pdata, int indx) + ida_free(&pdata->ida, indx - BASE_SYSFS_ATTR_NO); + } + +-static int coretemp_probe(struct platform_device *pdev) ++static int coretemp_device_add(int zoneid) + { +- struct device *dev = &pdev->dev; ++ struct platform_device *pdev; + struct platform_data *pdata; ++ int err; + + /* Initialize the per-zone data structures */ +- pdata = devm_kzalloc(dev, sizeof(struct platform_data), GFP_KERNEL); ++ pdata = kzalloc(sizeof(*pdata), GFP_KERNEL); + if (!pdata) + return -ENOMEM; + +- pdata->pkg_id = pdev->id; ++ pdata->pkg_id = zoneid; + ida_init(&pdata->ida); +- platform_set_drvdata(pdev, pdata); + +- pdata->hwmon_dev = devm_hwmon_device_register_with_groups(dev, DRVNAME, +- pdata, NULL); +- return PTR_ERR_OR_ZERO(pdata->hwmon_dev); +-} +- +-static int coretemp_remove(struct platform_device *pdev) +-{ +- struct platform_data *pdata = platform_get_drvdata(pdev); +- int i; ++ pdev = platform_device_alloc(DRVNAME, zoneid); ++ if (!pdev) { ++ err = -ENOMEM; ++ goto err_free_pdata; ++ } + +- for (i = MAX_CORE_DATA - 1; i >= 0; --i) +- if (pdata->core_data[i]) +- coretemp_remove_core(pdata, i); ++ err = platform_device_add(pdev); ++ if (err) ++ goto err_put_dev; + +- ida_destroy(&pdata->ida); ++ platform_set_drvdata(pdev, pdata); ++ zone_devices[zoneid] = pdev; + return 0; +-} + +-static struct platform_driver coretemp_driver = { +- .driver = { +- .name = DRVNAME, +- }, +- .probe = coretemp_probe, +- .remove = coretemp_remove, +-}; ++err_put_dev: ++ platform_device_put(pdev); ++err_free_pdata: ++ kfree(pdata); ++ return err; ++} + +-static struct platform_device *coretemp_device_add(unsigned int cpu) ++static void coretemp_device_remove(int zoneid) + { +- int err, zoneid = topology_logical_die_id(cpu); +- struct platform_device *pdev; +- +- if (zoneid < 0) +- return ERR_PTR(-ENOMEM); +- +- pdev = platform_device_alloc(DRVNAME, zoneid); +- if (!pdev) +- return ERR_PTR(-ENOMEM); +- +- err = platform_device_add(pdev); +- if (err) { +- platform_device_put(pdev); +- return ERR_PTR(err); +- } ++ struct platform_device *pdev = zone_devices[zoneid]; ++ struct platform_data *pdata = platform_get_drvdata(pdev); + +- zone_devices[zoneid] = pdev; +- return pdev; ++ ida_destroy(&pdata->ida); ++ kfree(pdata); ++ platform_device_unregister(pdev); + } + + static int coretemp_cpu_online(unsigned int cpu) +@@ -633,7 +616,10 @@ static int coretemp_cpu_online(unsigned int cpu) + if (!cpu_has(c, X86_FEATURE_DTHERM)) + return -ENODEV; + +- if (!pdev) { ++ pdata = platform_get_drvdata(pdev); ++ if (!pdata->hwmon_dev) { ++ struct device *hwmon; ++ + /* Check the microcode version of the CPU */ + if (chk_ucode_version(cpu)) + return -EINVAL; +@@ -644,9 +630,11 @@ static int coretemp_cpu_online(unsigned int cpu) + * online. So, initialize per-pkg data structures and + * then bring this core online. + */ +- pdev = coretemp_device_add(cpu); +- if (IS_ERR(pdev)) +- return PTR_ERR(pdev); ++ hwmon = hwmon_device_register_with_groups(&pdev->dev, DRVNAME, ++ pdata, NULL); ++ if (IS_ERR(hwmon)) ++ return PTR_ERR(hwmon); ++ pdata->hwmon_dev = hwmon; + + /* + * Check whether pkgtemp support is available. +@@ -656,7 +644,6 @@ static int coretemp_cpu_online(unsigned int cpu) + coretemp_add_core(pdev, cpu, 1); + } + +- pdata = platform_get_drvdata(pdev); + /* + * Check whether a thread sibling is already online. If not add the + * interface for this CPU core. +@@ -675,18 +662,14 @@ static int coretemp_cpu_offline(unsigned int cpu) + struct temp_data *tdata; + int i, indx = -1, target; + +- /* +- * Don't execute this on suspend as the device remove locks +- * up the machine. +- */ ++ /* No need to tear down any interfaces for suspend */ + if (cpuhp_tasks_frozen) + return 0; + + /* If the physical CPU device does not exist, just return */ +- if (!pdev) +- return 0; +- + pd = platform_get_drvdata(pdev); ++ if (!pd->hwmon_dev) ++ return 0; + + for (i = 0; i < NUM_REAL_CORES; i++) { + if (pd->cpu_map[i] == topology_core_id(cpu)) { +@@ -718,13 +701,14 @@ static int coretemp_cpu_offline(unsigned int cpu) + } + + /* +- * If all cores in this pkg are offline, remove the device. This +- * will invoke the platform driver remove function, which cleans up +- * the rest. ++ * If all cores in this pkg are offline, remove the interface. + */ ++ tdata = pd->core_data[PKG_SYSFS_ATTR_NO]; + if (cpumask_empty(&pd->cpumask)) { +- zone_devices[topology_logical_die_id(cpu)] = NULL; +- platform_device_unregister(pdev); ++ if (tdata) ++ coretemp_remove_core(pd, PKG_SYSFS_ATTR_NO); ++ hwmon_device_unregister(pd->hwmon_dev); ++ pd->hwmon_dev = NULL; + return 0; + } + +@@ -732,7 +716,6 @@ static int coretemp_cpu_offline(unsigned int cpu) + * Check whether this core is the target for the package + * interface. We need to assign it to some other cpu. + */ +- tdata = pd->core_data[PKG_SYSFS_ATTR_NO]; + if (tdata && tdata->cpu == cpu) { + target = cpumask_first(&pd->cpumask); + mutex_lock(&tdata->update_lock); +@@ -751,7 +734,7 @@ static enum cpuhp_state coretemp_hp_online; + + static int __init coretemp_init(void) + { +- int err; ++ int i, err; + + /* + * CPUID.06H.EAX[0] indicates whether the CPU has thermal +@@ -767,20 +750,22 @@ static int __init coretemp_init(void) + if (!zone_devices) + return -ENOMEM; + +- err = platform_driver_register(&coretemp_driver); +- if (err) +- goto outzone; ++ for (i = 0; i < max_zones; i++) { ++ err = coretemp_device_add(i); ++ if (err) ++ goto outzone; ++ } + + err = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "hwmon/coretemp:online", + coretemp_cpu_online, coretemp_cpu_offline); + if (err < 0) +- goto outdrv; ++ goto outzone; + coretemp_hp_online = err; + return 0; + +-outdrv: +- platform_driver_unregister(&coretemp_driver); + outzone: ++ while (i--) ++ coretemp_device_remove(i); + kfree(zone_devices); + return err; + } +@@ -788,8 +773,11 @@ module_init(coretemp_init) + + static void __exit coretemp_exit(void) + { ++ int i; ++ + cpuhp_remove_state(coretemp_hp_online); +- platform_driver_unregister(&coretemp_driver); ++ for (i = 0; i < max_zones; i++) ++ coretemp_device_remove(i); + kfree(zone_devices); + } + module_exit(coretemp_exit) +-- +2.39.2 + diff --git a/queue-5.4/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch b/queue-5.4/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch new file mode 100644 index 00000000000..01bd06e3b60 --- /dev/null +++ b/queue-5.4/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch @@ -0,0 +1,38 @@ +From 9245ee03eccec6c2b26b4b2a2db82bf6064785e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 17:32:25 -0500 +Subject: hwmon: (ltc2945) Handle error case in ltc2945_value_store + +From: Jonathan Cormier + +[ Upstream commit 178b01eccfb0b8149682f61388400bd3d903dddc ] + +ltc2945_val_to_reg errors were not being handled +which would have resulted in register being set to +0 (clamped) instead of being left alone. + +Fixes: 6700ce035f83 ("hwmon: Driver for Linear Technologies LTC2945") + +Signed-off-by: Jonathan Cormier +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ltc2945.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hwmon/ltc2945.c b/drivers/hwmon/ltc2945.c +index 2818276ed3d6b..a1dd1ef40b565 100644 +--- a/drivers/hwmon/ltc2945.c ++++ b/drivers/hwmon/ltc2945.c +@@ -248,6 +248,8 @@ static ssize_t ltc2945_value_store(struct device *dev, + + /* convert to register value, then clamp and write result */ + regval = ltc2945_val_to_reg(dev, reg, val); ++ if (regval < 0) ++ return regval; + if (is_power_reg(reg)) { + regval = clamp_val(regval, 0, 0xffffff); + regbuf[0] = regval >> 16; +-- +2.39.2 + diff --git a/queue-5.4/hwmon-mlxreg-fan-return-zero-speed-for-broken-fan.patch b/queue-5.4/hwmon-mlxreg-fan-return-zero-speed-for-broken-fan.patch new file mode 100644 index 00000000000..6ee71cd69db --- /dev/null +++ b/queue-5.4/hwmon-mlxreg-fan-return-zero-speed-for-broken-fan.patch @@ -0,0 +1,46 @@ +From 3f650004e4326c18a7538087d311d2a23a3680aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Feb 2023 16:57:30 +0200 +Subject: hwmon: (mlxreg-fan) Return zero speed for broken fan + +From: Vadim Pasternak + +[ Upstream commit a1ffd3c46267ee5c807acd780e15df9bb692223f ] + +Currently for broken fan driver returns value calculated based on error +code (0xFF) in related fan speed register. +Thus, for such fan user gets fan{n}_fault to 1 and fan{n}_input with +misleading value. + +Add check for fan fault prior return speed value and return zero if +fault is detected. + +Fixes: 65afb4c8e7e4 ("hwmon: (mlxreg-fan) Add support for Mellanox FAN driver") +Signed-off-by: Vadim Pasternak +Link: https://lore.kernel.org/r/20230212145730.24247-1-vadimp@nvidia.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/mlxreg-fan.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/hwmon/mlxreg-fan.c b/drivers/hwmon/mlxreg-fan.c +index bd8f5a3aaad9c..052c897a635d5 100644 +--- a/drivers/hwmon/mlxreg-fan.c ++++ b/drivers/hwmon/mlxreg-fan.c +@@ -127,6 +127,12 @@ mlxreg_fan_read(struct device *dev, enum hwmon_sensor_types type, u32 attr, + if (err) + return err; + ++ if (MLXREG_FAN_GET_FAULT(regval, tacho->mask)) { ++ /* FAN is broken - return zero for FAN speed. */ ++ *val = 0; ++ return 0; ++ } ++ + *val = MLXREG_FAN_GET_RPM(regval, fan->divider, + fan->samples); + break; +-- +2.39.2 + diff --git a/queue-5.4/ice-add-missing-checks-for-pf-vsi-type.patch b/queue-5.4/ice-add-missing-checks-for-pf-vsi-type.patch new file mode 100644 index 00000000000..c8508d67808 --- /dev/null +++ b/queue-5.4/ice-add-missing-checks-for-pf-vsi-type.patch @@ -0,0 +1,72 @@ +From 757e3400f72d476b664e67bd63d1fb151ae383d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Dec 2022 16:01:31 -0800 +Subject: ice: add missing checks for PF vsi type + +From: Jesse Brandeburg + +[ Upstream commit 6a8d013e904ad9a66706fcc926ec9993bed7d190 ] + +There were a few places we had missed checking the VSI type to make sure +it was definitely a PF VSI, before calling setup functions intended only +for the PF VSI. + +This doesn't fix any explicit bugs but cleans up the code in a few +places and removes one explicit != vsi->type check that can be +superseded by this code (it's a super set) + +Signed-off-by: Jesse Brandeburg +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index ae1d305672259..209ae96875849 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -3492,15 +3492,12 @@ int ice_vsi_cfg(struct ice_vsi *vsi) + { + int err; + +- if (vsi->netdev) { ++ if (vsi->netdev && vsi->type == ICE_VSI_PF) { + ice_set_rx_mode(vsi->netdev); + +- if (vsi->type != ICE_VSI_LB) { +- err = ice_vsi_vlan_setup(vsi); +- +- if (err) +- return err; +- } ++ err = ice_vsi_vlan_setup(vsi); ++ if (err) ++ return err; + } + ice_vsi_cfg_dcb_rings(vsi); + +@@ -3557,7 +3554,7 @@ static int ice_up_complete(struct ice_vsi *vsi) + + if (vsi->port_info && + (vsi->port_info->phy.link_info.link_info & ICE_AQ_LINK_UP) && +- vsi->netdev) { ++ vsi->netdev && vsi->type == ICE_VSI_PF) { + ice_print_link_msg(vsi, true); + netif_tx_start_all_queues(vsi->netdev); + netif_carrier_on(vsi->netdev); +@@ -3567,7 +3564,9 @@ static int ice_up_complete(struct ice_vsi *vsi) + * set the baseline so counters are ready when interface is up + */ + ice_update_eth_stats(vsi); +- ice_service_task_schedule(pf); ++ ++ if (vsi->type == ICE_VSI_PF) ++ ice_service_task_schedule(pf); + + return 0; + } +-- +2.39.2 + diff --git a/queue-5.4/inet-fix-fast-path-in-__inet_hash_connect.patch b/queue-5.4/inet-fix-fast-path-in-__inet_hash_connect.patch new file mode 100644 index 00000000000..069f0a03caf --- /dev/null +++ b/queue-5.4/inet-fix-fast-path-in-__inet_hash_connect.patch @@ -0,0 +1,56 @@ +From 02cf402a74a6a1c3b35652148af2ac390c616946 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 13:11:41 +0000 +Subject: inet: fix fast path in __inet_hash_connect() + +From: Pietro Borrello + +[ Upstream commit 21cbd90a6fab7123905386985e3e4a80236b8714 ] + +__inet_hash_connect() has a fast path taken if sk_head(&tb->owners) is +equal to the sk parameter. +sk_head() returns the hlist_entry() with respect to the sk_node field. +However entries in the tb->owners list are inserted with respect to the +sk_bind_node field with sk_add_bind_node(). +Thus the check would never pass and the fast path never execute. + +This fast path has never been executed or tested as this bug seems +to be present since commit 1da177e4c3f4 ("Linux-2.6.12-rc2"), thus +remove it to reduce code complexity. + +Signed-off-by: Pietro Borrello +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230112-inet_hash_connect_bind_head-v3-1-b591fd212b93@diag.uniroma1.it +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 33292983b8cfb..9d14b3289f003 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -714,17 +714,7 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, + u32 index; + + if (port) { +- head = &hinfo->bhash[inet_bhashfn(net, port, +- hinfo->bhash_size)]; +- tb = inet_csk(sk)->icsk_bind_hash; +- spin_lock_bh(&head->lock); +- if (sk_head(&tb->owners) == sk && !sk->sk_bind_node.next) { +- inet_ehash_nolisten(sk, NULL, NULL); +- spin_unlock_bh(&head->lock); +- return 0; +- } +- spin_unlock(&head->lock); +- /* No definite answer... Walk to established hash table */ ++ local_bh_disable(); + ret = check_established(death_row, sk, port, NULL); + local_bh_enable(); + return ret; +-- +2.39.2 + diff --git a/queue-5.4/input-ads7846-don-t-check-penirq-immediately-for-784.patch b/queue-5.4/input-ads7846-don-t-check-penirq-immediately-for-784.patch new file mode 100644 index 00000000000..50ede715684 --- /dev/null +++ b/queue-5.4/input-ads7846-don-t-check-penirq-immediately-for-784.patch @@ -0,0 +1,46 @@ +From 4461386c62bdd8aac69169e073c23eb3631b79d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 11:52:27 +0100 +Subject: Input: ads7846 - don't check penirq immediately for 7845 + +From: Luca Ellero + +[ Upstream commit fa9f4275b20ec7b2a8fb05c66362d10b36f9efec ] + +To discard false readings, one should use "ti,penirq-recheck-delay-usecs". +Checking get_pendown_state() at the beginning, most of the time fails +causing malfunctioning. + +Fixes: ffa458c1bd9b ("spi: ads7846 driver") +Signed-off-by: Luca Ellero +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230126105227.47648-4-l.ellero@asem.it +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/ads7846.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c +index feaacd86d19e4..0506115211dd4 100644 +--- a/drivers/input/touchscreen/ads7846.c ++++ b/drivers/input/touchscreen/ads7846.c +@@ -790,14 +790,8 @@ static void ads7846_report_state(struct ads7846 *ts) + if (x == MAX_12BIT) + x = 0; + +- if (ts->model == 7843) { ++ if (ts->model == 7843 || ts->model == 7845) { + Rt = ts->pressure_max / 2; +- } else if (ts->model == 7845) { +- if (get_pendown_state(ts)) +- Rt = ts->pressure_max / 2; +- else +- Rt = 0; +- dev_vdbg(&ts->spi->dev, "x/y: %d/%d, PD %d\n", x, y, Rt); + } else if (likely(x && z1)) { + /* compute touch pressure resistance using equation #2 */ + Rt = z2; +-- +2.39.2 + diff --git a/queue-5.4/input-ads7846-don-t-report-pressure-for-ads7845.patch b/queue-5.4/input-ads7846-don-t-report-pressure-for-ads7845.patch new file mode 100644 index 00000000000..f846f649cbe --- /dev/null +++ b/queue-5.4/input-ads7846-don-t-report-pressure-for-ads7845.patch @@ -0,0 +1,42 @@ +From 6415827a38a81dd4669cb516aa752ebc73cce968 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 11:52:25 +0100 +Subject: Input: ads7846 - don't report pressure for ads7845 + +From: Luca Ellero + +[ Upstream commit d50584d783313c8b05b84d0b07a2142f1bde46dd ] + +ADS7845 doesn't support pressure. +Avoid the following error reported by libinput-list-devices: +"ADS7845 Touchscreen: kernel bug: device has min == max on ABS_PRESSURE". + +Fixes: ffa458c1bd9b ("spi: ads7846 driver") +Signed-off-by: Luca Ellero +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230126105227.47648-2-l.ellero@asem.it +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/ads7846.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c +index d247d0ae82d26..feaacd86d19e4 100644 +--- a/drivers/input/touchscreen/ads7846.c ++++ b/drivers/input/touchscreen/ads7846.c +@@ -1376,8 +1376,9 @@ static int ads7846_probe(struct spi_device *spi) + pdata->y_min ? : 0, + pdata->y_max ? : MAX_12BIT, + 0, 0); +- input_set_abs_params(input_dev, ABS_PRESSURE, +- pdata->pressure_min, pdata->pressure_max, 0, 0); ++ if (ts->model != 7845) ++ input_set_abs_params(input_dev, ABS_PRESSURE, ++ pdata->pressure_min, pdata->pressure_max, 0, 0); + + /* + * Parse common framework properties. Must be done here to ensure the +-- +2.39.2 + diff --git a/queue-5.4/ipw2x00-switch-from-pci_-to-dma_-api.patch b/queue-5.4/ipw2x00-switch-from-pci_-to-dma_-api.patch new file mode 100644 index 00000000000..956f882ad0c --- /dev/null +++ b/queue-5.4/ipw2x00-switch-from-pci_-to-dma_-api.patch @@ -0,0 +1,603 @@ +From a9e30306b84f65015a3351520f3613c8591e2605 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jul 2020 12:17:16 +0200 +Subject: ipw2x00: switch from 'pci_' to 'dma_' API + +From: Christophe JAILLET + +[ Upstream commit e52525c0c320076deab35409a6b2cff6388959b8 ] + +The wrappers in include/linux/pci-dma-compat.h should go away. + +The patch has been generated with the coccinelle script below and has been +hand modified to replace GFP_ with a correct flag. +It has been compile tested. + +When memory is allocated in 'ipw2100_msg_allocate()' (ipw2100.c), +GFP_KERNEL can be used because it is called from the probe function. +The call chain is: + ipw2100_pci_init_one (the probe function) + --> ipw2100_queues_allocate + --> ipw2100_msg_allocate +Moreover, 'ipw2100_msg_allocate()' already uses GFP_KERNEL for some other +memory allocations. + +When memory is allocated in 'status_queue_allocate()' (ipw2100.c), +GFP_KERNEL can be used because it is called from the probe function. +The call chain is: + ipw2100_pci_init_one (the probe function) + --> ipw2100_queues_allocate + --> ipw2100_rx_allocate + --> status_queue_allocate +Moreover, 'ipw2100_rx_allocate()' already uses GFP_KERNEL for some other +memory allocations. + +When memory is allocated in 'bd_queue_allocate()' (ipw2100.c), +GFP_KERNEL can be used because it is called from the probe function. +The call chain is: + ipw2100_pci_init_one (the probe function) + --> ipw2100_queues_allocate + --> ipw2100_rx_allocate + --> bd_queue_allocate +Moreover, 'ipw2100_rx_allocate()' already uses GFP_KERNEL for some other +memory allocations. + +When memory is allocated in 'ipw2100_tx_allocate()' (ipw2100.c), +GFP_KERNEL can be used because it is called from the probe function. +The call chain is: + ipw2100_pci_init_one (the probe function) + --> ipw2100_queues_allocate + --> ipw2100_tx_allocate +Moreover, 'ipw2100_tx_allocate()' already uses GFP_KERNEL for some other +memory allocations. + +When memory is allocated in 'ipw_queue_tx_init()' (ipw2200.c), +GFP_KERNEL can be used because it is called from a call chain that already +uses GFP_KERNEL and no spin_lock is taken in the between. +The call chain is: + ipw_up + --> ipw_load + --> ipw_queue_reset + --> ipw_queue_tx_init +'ipw_up()' already uses GFP_KERNEL for some other memory allocations. + +@@ +@@ +- PCI_DMA_BIDIRECTIONAL ++ DMA_BIDIRECTIONAL + +@@ +@@ +- PCI_DMA_TODEVICE ++ DMA_TO_DEVICE + +@@ +@@ +- PCI_DMA_FROMDEVICE ++ DMA_FROM_DEVICE + +@@ +@@ +- PCI_DMA_NONE ++ DMA_NONE + +@@ +expression e1, e2, e3; +@@ +- pci_alloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3; +@@ +- pci_zalloc_consistent(e1, e2, e3) ++ dma_alloc_coherent(&e1->dev, e2, e3, GFP_) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_free_consistent(e1, e2, e3, e4) ++ dma_free_coherent(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_single(e1, e2, e3, e4) ++ dma_map_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_single(e1, e2, e3, e4) ++ dma_unmap_single(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4, e5; +@@ +- pci_map_page(e1, e2, e3, e4, e5) ++ dma_map_page(&e1->dev, e2, e3, e4, e5) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_page(e1, e2, e3, e4) ++ dma_unmap_page(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_map_sg(e1, e2, e3, e4) ++ dma_map_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_unmap_sg(e1, e2, e3, e4) ++ dma_unmap_sg(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_cpu(e1, e2, e3, e4) ++ dma_sync_single_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_single_for_device(e1, e2, e3, e4) ++ dma_sync_single_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_cpu(e1, e2, e3, e4) ++ dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2, e3, e4; +@@ +- pci_dma_sync_sg_for_device(e1, e2, e3, e4) ++ dma_sync_sg_for_device(&e1->dev, e2, e3, e4) + +@@ +expression e1, e2; +@@ +- pci_dma_mapping_error(e1, e2) ++ dma_mapping_error(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_dma_mask(e1, e2) ++ dma_set_mask(&e1->dev, e2) + +@@ +expression e1, e2; +@@ +- pci_set_consistent_dma_mask(e1, e2) ++ dma_set_coherent_mask(&e1->dev, e2) + +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200722101716.26185-1-christophe.jaillet@wanadoo.fr +Stable-dep-of: 45fc6d7461f1 ("wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/ipw2100.c | 121 +++++++++---------- + drivers/net/wireless/intel/ipw2x00/ipw2200.c | 56 ++++----- + 2 files changed, 88 insertions(+), 89 deletions(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2100.c b/drivers/net/wireless/intel/ipw2x00/ipw2100.c +index a162146a43a72..752489331e1e2 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2100.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2100.c +@@ -2294,10 +2294,11 @@ static int ipw2100_alloc_skb(struct ipw2100_priv *priv, + return -ENOMEM; + + packet->rxp = (struct ipw2100_rx *)packet->skb->data; +- packet->dma_addr = pci_map_single(priv->pci_dev, packet->skb->data, ++ packet->dma_addr = dma_map_single(&priv->pci_dev->dev, ++ packet->skb->data, + sizeof(struct ipw2100_rx), +- PCI_DMA_FROMDEVICE); +- if (pci_dma_mapping_error(priv->pci_dev, packet->dma_addr)) { ++ DMA_FROM_DEVICE); ++ if (dma_mapping_error(&priv->pci_dev->dev, packet->dma_addr)) { + dev_kfree_skb(packet->skb); + return -ENOMEM; + } +@@ -2478,9 +2479,8 @@ static void isr_rx(struct ipw2100_priv *priv, int i, + return; + } + +- pci_unmap_single(priv->pci_dev, +- packet->dma_addr, +- sizeof(struct ipw2100_rx), PCI_DMA_FROMDEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, packet->dma_addr, ++ sizeof(struct ipw2100_rx), DMA_FROM_DEVICE); + + skb_put(packet->skb, status->frame_size); + +@@ -2562,8 +2562,8 @@ static void isr_rx_monitor(struct ipw2100_priv *priv, int i, + return; + } + +- pci_unmap_single(priv->pci_dev, packet->dma_addr, +- sizeof(struct ipw2100_rx), PCI_DMA_FROMDEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, packet->dma_addr, ++ sizeof(struct ipw2100_rx), DMA_FROM_DEVICE); + memmove(packet->skb->data + sizeof(struct ipw_rt_hdr), + packet->skb->data, status->frame_size); + +@@ -2688,9 +2688,9 @@ static void __ipw2100_rx_process(struct ipw2100_priv *priv) + + /* Sync the DMA for the RX buffer so CPU is sure to get + * the correct values */ +- pci_dma_sync_single_for_cpu(priv->pci_dev, packet->dma_addr, +- sizeof(struct ipw2100_rx), +- PCI_DMA_FROMDEVICE); ++ dma_sync_single_for_cpu(&priv->pci_dev->dev, packet->dma_addr, ++ sizeof(struct ipw2100_rx), ++ DMA_FROM_DEVICE); + + if (unlikely(ipw2100_corruption_check(priv, i))) { + ipw2100_corruption_detected(priv, i); +@@ -2922,9 +2922,8 @@ static int __ipw2100_tx_process(struct ipw2100_priv *priv) + (packet->index + 1 + i) % txq->entries, + tbd->host_addr, tbd->buf_length); + +- pci_unmap_single(priv->pci_dev, +- tbd->host_addr, +- tbd->buf_length, PCI_DMA_TODEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, tbd->host_addr, ++ tbd->buf_length, DMA_TO_DEVICE); + } + + libipw_txb_free(packet->info.d_struct.txb); +@@ -3164,15 +3163,13 @@ static void ipw2100_tx_send_data(struct ipw2100_priv *priv) + tbd->buf_length = packet->info.d_struct.txb-> + fragments[i]->len - LIBIPW_3ADDR_LEN; + +- tbd->host_addr = pci_map_single(priv->pci_dev, ++ tbd->host_addr = dma_map_single(&priv->pci_dev->dev, + packet->info.d_struct. +- txb->fragments[i]-> +- data + ++ txb->fragments[i]->data + + LIBIPW_3ADDR_LEN, + tbd->buf_length, +- PCI_DMA_TODEVICE); +- if (pci_dma_mapping_error(priv->pci_dev, +- tbd->host_addr)) { ++ DMA_TO_DEVICE); ++ if (dma_mapping_error(&priv->pci_dev->dev, tbd->host_addr)) { + IPW_DEBUG_TX("dma mapping error\n"); + break; + } +@@ -3181,10 +3178,10 @@ static void ipw2100_tx_send_data(struct ipw2100_priv *priv) + txq->next, tbd->host_addr, + tbd->buf_length); + +- pci_dma_sync_single_for_device(priv->pci_dev, +- tbd->host_addr, +- tbd->buf_length, +- PCI_DMA_TODEVICE); ++ dma_sync_single_for_device(&priv->pci_dev->dev, ++ tbd->host_addr, ++ tbd->buf_length, ++ DMA_TO_DEVICE); + + txq->next++; + txq->next %= txq->entries; +@@ -3439,9 +3436,9 @@ static int ipw2100_msg_allocate(struct ipw2100_priv *priv) + return -ENOMEM; + + for (i = 0; i < IPW_COMMAND_POOL_SIZE; i++) { +- v = pci_zalloc_consistent(priv->pci_dev, +- sizeof(struct ipw2100_cmd_header), +- &p); ++ v = dma_alloc_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_cmd_header), &p, ++ GFP_KERNEL); + if (!v) { + printk(KERN_ERR DRV_NAME ": " + "%s: PCI alloc failed for msg " +@@ -3460,11 +3457,10 @@ static int ipw2100_msg_allocate(struct ipw2100_priv *priv) + return 0; + + for (j = 0; j < i; j++) { +- pci_free_consistent(priv->pci_dev, +- sizeof(struct ipw2100_cmd_header), +- priv->msg_buffers[j].info.c_struct.cmd, +- priv->msg_buffers[j].info.c_struct. +- cmd_phys); ++ dma_free_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_cmd_header), ++ priv->msg_buffers[j].info.c_struct.cmd, ++ priv->msg_buffers[j].info.c_struct.cmd_phys); + } + + kfree(priv->msg_buffers); +@@ -3495,11 +3491,10 @@ static void ipw2100_msg_free(struct ipw2100_priv *priv) + return; + + for (i = 0; i < IPW_COMMAND_POOL_SIZE; i++) { +- pci_free_consistent(priv->pci_dev, +- sizeof(struct ipw2100_cmd_header), +- priv->msg_buffers[i].info.c_struct.cmd, +- priv->msg_buffers[i].info.c_struct. +- cmd_phys); ++ dma_free_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_cmd_header), ++ priv->msg_buffers[i].info.c_struct.cmd, ++ priv->msg_buffers[i].info.c_struct.cmd_phys); + } + + kfree(priv->msg_buffers); +@@ -4322,7 +4317,8 @@ static int status_queue_allocate(struct ipw2100_priv *priv, int entries) + IPW_DEBUG_INFO("enter\n"); + + q->size = entries * sizeof(struct ipw2100_status); +- q->drv = pci_zalloc_consistent(priv->pci_dev, q->size, &q->nic); ++ q->drv = dma_alloc_coherent(&priv->pci_dev->dev, q->size, &q->nic, ++ GFP_KERNEL); + if (!q->drv) { + IPW_DEBUG_WARNING("Can not allocate status queue.\n"); + return -ENOMEM; +@@ -4338,9 +4334,10 @@ static void status_queue_free(struct ipw2100_priv *priv) + IPW_DEBUG_INFO("enter\n"); + + if (priv->status_queue.drv) { +- pci_free_consistent(priv->pci_dev, priv->status_queue.size, +- priv->status_queue.drv, +- priv->status_queue.nic); ++ dma_free_coherent(&priv->pci_dev->dev, ++ priv->status_queue.size, ++ priv->status_queue.drv, ++ priv->status_queue.nic); + priv->status_queue.drv = NULL; + } + +@@ -4356,7 +4353,8 @@ static int bd_queue_allocate(struct ipw2100_priv *priv, + + q->entries = entries; + q->size = entries * sizeof(struct ipw2100_bd); +- q->drv = pci_zalloc_consistent(priv->pci_dev, q->size, &q->nic); ++ q->drv = dma_alloc_coherent(&priv->pci_dev->dev, q->size, &q->nic, ++ GFP_KERNEL); + if (!q->drv) { + IPW_DEBUG_INFO + ("can't allocate shared memory for buffer descriptors\n"); +@@ -4376,7 +4374,8 @@ static void bd_queue_free(struct ipw2100_priv *priv, struct ipw2100_bd_queue *q) + return; + + if (q->drv) { +- pci_free_consistent(priv->pci_dev, q->size, q->drv, q->nic); ++ dma_free_coherent(&priv->pci_dev->dev, q->size, q->drv, ++ q->nic); + q->drv = NULL; + } + +@@ -4436,9 +4435,9 @@ static int ipw2100_tx_allocate(struct ipw2100_priv *priv) + } + + for (i = 0; i < TX_PENDED_QUEUE_LENGTH; i++) { +- v = pci_alloc_consistent(priv->pci_dev, +- sizeof(struct ipw2100_data_header), +- &p); ++ v = dma_alloc_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_data_header), &p, ++ GFP_KERNEL); + if (!v) { + printk(KERN_ERR DRV_NAME + ": %s: PCI alloc failed for tx " "buffers.\n", +@@ -4458,11 +4457,10 @@ static int ipw2100_tx_allocate(struct ipw2100_priv *priv) + return 0; + + for (j = 0; j < i; j++) { +- pci_free_consistent(priv->pci_dev, +- sizeof(struct ipw2100_data_header), +- priv->tx_buffers[j].info.d_struct.data, +- priv->tx_buffers[j].info.d_struct. +- data_phys); ++ dma_free_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_data_header), ++ priv->tx_buffers[j].info.d_struct.data, ++ priv->tx_buffers[j].info.d_struct.data_phys); + } + + kfree(priv->tx_buffers); +@@ -4539,12 +4537,10 @@ static void ipw2100_tx_free(struct ipw2100_priv *priv) + priv->tx_buffers[i].info.d_struct.txb = NULL; + } + if (priv->tx_buffers[i].info.d_struct.data) +- pci_free_consistent(priv->pci_dev, +- sizeof(struct ipw2100_data_header), +- priv->tx_buffers[i].info.d_struct. +- data, +- priv->tx_buffers[i].info.d_struct. +- data_phys); ++ dma_free_coherent(&priv->pci_dev->dev, ++ sizeof(struct ipw2100_data_header), ++ priv->tx_buffers[i].info.d_struct.data, ++ priv->tx_buffers[i].info.d_struct.data_phys); + } + + kfree(priv->tx_buffers); +@@ -4607,9 +4603,10 @@ static int ipw2100_rx_allocate(struct ipw2100_priv *priv) + return 0; + + for (j = 0; j < i; j++) { +- pci_unmap_single(priv->pci_dev, priv->rx_buffers[j].dma_addr, ++ dma_unmap_single(&priv->pci_dev->dev, ++ priv->rx_buffers[j].dma_addr, + sizeof(struct ipw2100_rx_packet), +- PCI_DMA_FROMDEVICE); ++ DMA_FROM_DEVICE); + dev_kfree_skb(priv->rx_buffers[j].skb); + } + +@@ -4661,10 +4658,10 @@ static void ipw2100_rx_free(struct ipw2100_priv *priv) + + for (i = 0; i < RX_QUEUE_LENGTH; i++) { + if (priv->rx_buffers[i].rxp) { +- pci_unmap_single(priv->pci_dev, ++ dma_unmap_single(&priv->pci_dev->dev, + priv->rx_buffers[i].dma_addr, + sizeof(struct ipw2100_rx), +- PCI_DMA_FROMDEVICE); ++ DMA_FROM_DEVICE); + dev_kfree_skb(priv->rx_buffers[i].skb); + } + } +@@ -6196,7 +6193,7 @@ static int ipw2100_pci_init_one(struct pci_dev *pci_dev, + pci_set_master(pci_dev); + pci_set_drvdata(pci_dev, priv); + +- err = pci_set_dma_mask(pci_dev, DMA_BIT_MASK(32)); ++ err = dma_set_mask(&pci_dev->dev, DMA_BIT_MASK(32)); + if (err) { + printk(KERN_WARNING DRV_NAME + "Error calling pci_set_dma_mask.\n"); +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +index ac5f797fb1ad1..fc9c2930f08cf 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +@@ -3442,8 +3442,9 @@ static void ipw_rx_queue_reset(struct ipw_priv *priv, + /* In the reset function, these buffers may have been allocated + * to an SKB, so we need to unmap and free potential storage */ + if (rxq->pool[i].skb != NULL) { +- pci_unmap_single(priv->pci_dev, rxq->pool[i].dma_addr, +- IPW_RX_BUF_SIZE, PCI_DMA_FROMDEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, ++ rxq->pool[i].dma_addr, ++ IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); + dev_kfree_skb(rxq->pool[i].skb); + rxq->pool[i].skb = NULL; + } +@@ -3776,7 +3777,8 @@ static int ipw_queue_tx_init(struct ipw_priv *priv, + } + + q->bd = +- pci_alloc_consistent(dev, sizeof(q->bd[0]) * count, &q->q.dma_addr); ++ dma_alloc_coherent(&dev->dev, sizeof(q->bd[0]) * count, ++ &q->q.dma_addr, GFP_KERNEL); + if (!q->bd) { + IPW_ERROR("pci_alloc_consistent(%zd) failed\n", + sizeof(q->bd[0]) * count); +@@ -3818,9 +3820,10 @@ static void ipw_queue_tx_free_tfd(struct ipw_priv *priv, + + /* unmap chunks if any */ + for (i = 0; i < le32_to_cpu(bd->u.data.num_chunks); i++) { +- pci_unmap_single(dev, le32_to_cpu(bd->u.data.chunk_ptr[i]), ++ dma_unmap_single(&dev->dev, ++ le32_to_cpu(bd->u.data.chunk_ptr[i]), + le16_to_cpu(bd->u.data.chunk_len[i]), +- PCI_DMA_TODEVICE); ++ DMA_TO_DEVICE); + if (txq->txb[txq->q.last_used]) { + libipw_txb_free(txq->txb[txq->q.last_used]); + txq->txb[txq->q.last_used] = NULL; +@@ -3852,8 +3855,8 @@ static void ipw_queue_tx_free(struct ipw_priv *priv, struct clx2_tx_queue *txq) + } + + /* free buffers belonging to queue itself */ +- pci_free_consistent(dev, sizeof(txq->bd[0]) * q->n_bd, txq->bd, +- q->dma_addr); ++ dma_free_coherent(&dev->dev, sizeof(txq->bd[0]) * q->n_bd, txq->bd, ++ q->dma_addr); + kfree(txq->txb); + + /* 0 fill whole structure */ +@@ -5198,8 +5201,8 @@ static void ipw_rx_queue_replenish(void *data) + list_del(element); + + rxb->dma_addr = +- pci_map_single(priv->pci_dev, rxb->skb->data, +- IPW_RX_BUF_SIZE, PCI_DMA_FROMDEVICE); ++ dma_map_single(&priv->pci_dev->dev, rxb->skb->data, ++ IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); + + list_add_tail(&rxb->list, &rxq->rx_free); + rxq->free_count++; +@@ -5232,8 +5235,9 @@ static void ipw_rx_queue_free(struct ipw_priv *priv, struct ipw_rx_queue *rxq) + + for (i = 0; i < RX_QUEUE_SIZE + RX_FREE_BUFFERS; i++) { + if (rxq->pool[i].skb != NULL) { +- pci_unmap_single(priv->pci_dev, rxq->pool[i].dma_addr, +- IPW_RX_BUF_SIZE, PCI_DMA_FROMDEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, ++ rxq->pool[i].dma_addr, ++ IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); + dev_kfree_skb(rxq->pool[i].skb); + } + } +@@ -8271,9 +8275,8 @@ static void ipw_rx(struct ipw_priv *priv) + } + priv->rxq->queue[i] = NULL; + +- pci_dma_sync_single_for_cpu(priv->pci_dev, rxb->dma_addr, +- IPW_RX_BUF_SIZE, +- PCI_DMA_FROMDEVICE); ++ dma_sync_single_for_cpu(&priv->pci_dev->dev, rxb->dma_addr, ++ IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); + + pkt = (struct ipw_rx_packet *)rxb->skb->data; + IPW_DEBUG_RX("Packet: type=%02X seq=%02X bits=%02X\n", +@@ -8425,8 +8428,8 @@ static void ipw_rx(struct ipw_priv *priv) + rxb->skb = NULL; + } + +- pci_unmap_single(priv->pci_dev, rxb->dma_addr, +- IPW_RX_BUF_SIZE, PCI_DMA_FROMDEVICE); ++ dma_unmap_single(&priv->pci_dev->dev, rxb->dma_addr, ++ IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); + list_add_tail(&rxb->list, &priv->rxq->rx_used); + + i = (i + 1) % RX_QUEUE_SIZE; +@@ -10225,11 +10228,10 @@ static int ipw_tx_skb(struct ipw_priv *priv, struct libipw_txb *txb, + txb->fragments[i]->len - hdr_len); + + tfd->u.data.chunk_ptr[i] = +- cpu_to_le32(pci_map_single +- (priv->pci_dev, +- txb->fragments[i]->data + hdr_len, +- txb->fragments[i]->len - hdr_len, +- PCI_DMA_TODEVICE)); ++ cpu_to_le32(dma_map_single(&priv->pci_dev->dev, ++ txb->fragments[i]->data + hdr_len, ++ txb->fragments[i]->len - hdr_len, ++ DMA_TO_DEVICE)); + tfd->u.data.chunk_len[i] = + cpu_to_le16(txb->fragments[i]->len - hdr_len); + } +@@ -10259,10 +10261,10 @@ static int ipw_tx_skb(struct ipw_priv *priv, struct libipw_txb *txb, + dev_kfree_skb_any(txb->fragments[i]); + txb->fragments[i] = skb; + tfd->u.data.chunk_ptr[i] = +- cpu_to_le32(pci_map_single +- (priv->pci_dev, skb->data, +- remaining_bytes, +- PCI_DMA_TODEVICE)); ++ cpu_to_le32(dma_map_single(&priv->pci_dev->dev, ++ skb->data, ++ remaining_bytes, ++ DMA_TO_DEVICE)); + + le32_add_cpu(&tfd->u.data.num_chunks, 1); + } +@@ -11632,9 +11634,9 @@ static int ipw_pci_probe(struct pci_dev *pdev, + + pci_set_master(pdev); + +- err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)); ++ err = dma_set_mask(&pdev->dev, DMA_BIT_MASK(32)); + if (!err) +- err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(32)); ++ err = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); + if (err) { + printk(KERN_WARNING DRV_NAME ": No suitable DMA available.\n"); + goto out_pci_disable_device; +-- +2.39.2 + diff --git a/queue-5.4/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch b/queue-5.4/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch new file mode 100644 index 00000000000..aede88d152e --- /dev/null +++ b/queue-5.4/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch @@ -0,0 +1,37 @@ +From 5af04e929dad8ffcc52cb54f9f484880077de107 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 12:28:10 +0400 +Subject: irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains + +From: Miaoqian Lin + +[ Upstream commit 071d068b89e95d1b078aa6bbcb9d0961b77d6aa1 ] + +of_irq_find_parent() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: e6b78f2c3e14 ("irqchip: Add the Alpine MSIX interrupt controller") +Signed-off-by: Miaoqian Lin +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230102082811.3947760-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-alpine-msi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-alpine-msi.c b/drivers/irqchip/irq-alpine-msi.c +index ede02dc2bcd0b..1819bb1d27230 100644 +--- a/drivers/irqchip/irq-alpine-msi.c ++++ b/drivers/irqchip/irq-alpine-msi.c +@@ -199,6 +199,7 @@ static int alpine_msix_init_domains(struct alpine_msix_data *priv, + } + + gic_domain = irq_find_host(gic_node); ++ of_node_put(gic_node); + if (!gic_domain) { + pr_err("Failed to find the GIC domain\n"); + return -ENXIO; +-- +2.39.2 + diff --git a/queue-5.4/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch b/queue-5.4/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch new file mode 100644 index 00000000000..e6de884cf06 --- /dev/null +++ b/queue-5.4/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch @@ -0,0 +1,44 @@ +From e6cfe630945f29307b3ce34ce49aff4b9436baca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Dec 2022 15:09:34 -0800 +Subject: irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Fainelli + +[ Upstream commit 13a157b38ca5b4f9eed81442b8821db293755961 ] + +When support for the interrupt controller was added with a5042de2688d, +we forgot to update the flags to be set to contain IRQ_LEVEL. While the +flow handler is correct, the output from /proc/interrupts does not show +such interrupts as being level triggered when they are, correct that. + +Fixes: a5042de2688d ("irqchip: bcm7120-l2: Add Broadcom BCM7120-style Level 2 interrupt controller") +Signed-off-by: Florian Fainelli +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20221216230934.2478345-3-f.fainelli@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-bcm7120-l2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-bcm7120-l2.c b/drivers/irqchip/irq-bcm7120-l2.c +index 586df3587be06..d308bbe6f5286 100644 +--- a/drivers/irqchip/irq-bcm7120-l2.c ++++ b/drivers/irqchip/irq-bcm7120-l2.c +@@ -268,7 +268,8 @@ static int __init bcm7120_l2_intc_probe(struct device_node *dn, + flags |= IRQ_GC_BE_IO; + + ret = irq_alloc_domain_generic_chips(data->domain, IRQS_PER_WORD, 1, +- dn->full_name, handle_level_irq, clr, 0, flags); ++ dn->full_name, handle_level_irq, clr, ++ IRQ_LEVEL, flags); + if (ret) { + pr_err("failed to allocate generic irq chip\n"); + goto out_free_domain; +-- +2.39.2 + diff --git a/queue-5.4/irqchip-irq-brcmstb-l2-set-irq_level-for-level-trigg.patch b/queue-5.4/irqchip-irq-brcmstb-l2-set-irq_level-for-level-trigg.patch new file mode 100644 index 00000000000..56a750bfdf5 --- /dev/null +++ b/queue-5.4/irqchip-irq-brcmstb-l2-set-irq_level-for-level-trigg.patch @@ -0,0 +1,57 @@ +From cc491c41e617544d5145f57914ac6025e6996bea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Dec 2022 15:09:33 -0800 +Subject: irqchip/irq-brcmstb-l2: Set IRQ_LEVEL for level triggered interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Fainelli + +[ Upstream commit 94debe03e8afa1267f95a9001786a6aa506b9ff3 ] + +When support for the level triggered interrupt controller flavor was +added with c0ca7262088e, we forgot to update the flags to be set to +contain IRQ_LEVEL. While the flow handler is correct, the output from +/proc/interrupts does not show such interrupts as being level triggered +when they are, correct that. + +Fixes: c0ca7262088e ("irqchip/brcmstb-l2: Add support for the BCM7271 L2 controller") +Signed-off-by: Florian Fainelli +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20221216230934.2478345-2-f.fainelli@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-brcmstb-l2.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-brcmstb-l2.c b/drivers/irqchip/irq-brcmstb-l2.c +index 0298ede67e51b..f803ecb6a0fac 100644 +--- a/drivers/irqchip/irq-brcmstb-l2.c ++++ b/drivers/irqchip/irq-brcmstb-l2.c +@@ -161,6 +161,7 @@ static int __init brcmstb_l2_intc_of_init(struct device_node *np, + *init_params) + { + unsigned int clr = IRQ_NOREQUEST | IRQ_NOPROBE | IRQ_NOAUTOEN; ++ unsigned int set = 0; + struct brcmstb_l2_intc_data *data; + struct irq_chip_type *ct; + int ret; +@@ -208,9 +209,12 @@ static int __init brcmstb_l2_intc_of_init(struct device_node *np, + if (IS_ENABLED(CONFIG_MIPS) && IS_ENABLED(CONFIG_CPU_BIG_ENDIAN)) + flags |= IRQ_GC_BE_IO; + ++ if (init_params->handler == handle_level_irq) ++ set |= IRQ_LEVEL; ++ + /* Allocate a single Generic IRQ chip for this node */ + ret = irq_alloc_domain_generic_chips(data->domain, 32, 1, +- np->full_name, init_params->handler, clr, 0, flags); ++ np->full_name, init_params->handler, clr, set, flags); + if (ret) { + pr_err("failed to allocate generic irq chip\n"); + goto out_free_domain; +-- +2.39.2 + diff --git a/queue-5.4/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch b/queue-5.4/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch new file mode 100644 index 00000000000..070679d5728 --- /dev/null +++ b/queue-5.4/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch @@ -0,0 +1,37 @@ +From 90730250484076f809bd7719c205b0ef75ad101a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 12:42:08 +0400 +Subject: irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe + +From: Miaoqian Lin + +[ Upstream commit 9419e700021a393f67be36abd0c4f3acc6139041 ] + +of_irq_find_parent() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: a68a63cb4dfc ("irqchip/irq-mvebu-gicp: Add new driver for Marvell GICP") +Signed-off-by: Miaoqian Lin +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230102084208.3951758-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mvebu-gicp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-mvebu-gicp.c b/drivers/irqchip/irq-mvebu-gicp.c +index 3be5c5dba1dab..5caec411059f5 100644 +--- a/drivers/irqchip/irq-mvebu-gicp.c ++++ b/drivers/irqchip/irq-mvebu-gicp.c +@@ -223,6 +223,7 @@ static int mvebu_gicp_probe(struct platform_device *pdev) + } + + parent_domain = irq_find_host(irq_parent_dn); ++ of_node_put(irq_parent_dn); + if (!parent_domain) { + dev_err(&pdev->dev, "failed to find parent IRQ domain\n"); + return -ENODEV; +-- +2.39.2 + diff --git a/queue-5.4/irqchip-ti-sci-fix-refcount-leak-in-ti_sci_intr_irq_.patch b/queue-5.4/irqchip-ti-sci-fix-refcount-leak-in-ti_sci_intr_irq_.patch new file mode 100644 index 00000000000..9f7bb9c0089 --- /dev/null +++ b/queue-5.4/irqchip-ti-sci-fix-refcount-leak-in-ti_sci_intr_irq_.patch @@ -0,0 +1,37 @@ +From 36400ba8fe249bf28702ca7a849c76897f3266e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 12:56:10 +0400 +Subject: irqchip/ti-sci: Fix refcount leak in ti_sci_intr_irq_domain_probe + +From: Miaoqian Lin + +[ Upstream commit 02298b7bae12936ca313975b02e7f98b06670d37 ] + +of_irq_find_parent() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: cd844b0715ce ("irqchip/ti-sci-intr: Add support for Interrupt Router driver") +Signed-off-by: Miaoqian Lin +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230102085611.3955984-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-ti-sci-intr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-ti-sci-intr.c b/drivers/irqchip/irq-ti-sci-intr.c +index 59d51a20bbd86..7d0163d85fb9b 100644 +--- a/drivers/irqchip/irq-ti-sci-intr.c ++++ b/drivers/irqchip/irq-ti-sci-intr.c +@@ -205,6 +205,7 @@ static int ti_sci_intr_irq_domain_probe(struct platform_device *pdev) + } + + parent_domain = irq_find_host(parent_node); ++ of_node_put(parent_node); + if (!parent_domain) { + dev_err(dev, "Failed to find IRQ parent domain\n"); + return -ENODEV; +-- +2.39.2 + diff --git a/queue-5.4/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch b/queue-5.4/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch new file mode 100644 index 00000000000..f536c488c7c --- /dev/null +++ b/queue-5.4/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch @@ -0,0 +1,41 @@ +From e564d28587537ac1a98b83d867465b9ea4b24bfe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Dec 2022 15:27:39 +0100 +Subject: lib/mpi: Fix buffer overrun when SG is too long + +From: Herbert Xu + +[ Upstream commit 7361d1bc307b926cbca214ab67b641123c2d6357 ] + +The helper mpi_read_raw_from_sgl sets the number of entries in +the SG list according to nbytes. However, if the last entry +in the SG list contains more data than nbytes, then it may overrun +the buffer because it only allocates enough memory for nbytes. + +Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") +Reported-by: Roberto Sassu +Signed-off-by: Herbert Xu +Reviewed-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/mpi/mpicoder.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c +index eead4b3394668..4f73db248009e 100644 +--- a/lib/mpi/mpicoder.c ++++ b/lib/mpi/mpicoder.c +@@ -397,7 +397,8 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes) + + while (sg_miter_next(&miter)) { + buff = miter.addr; +- len = miter.length; ++ len = min_t(unsigned, miter.length, nbytes); ++ nbytes -= len; + + for (x = 0; x < len; x++) { + a <<= 8; +-- +2.39.2 + diff --git a/queue-5.4/libbpf-fix-alen-calculation-in-libbpf_nla_dump_error.patch b/queue-5.4/libbpf-fix-alen-calculation-in-libbpf_nla_dump_error.patch new file mode 100644 index 00000000000..03ee1d0fa43 --- /dev/null +++ b/queue-5.4/libbpf-fix-alen-calculation-in-libbpf_nla_dump_error.patch @@ -0,0 +1,38 @@ +From 33624d24e163cc708e4edf5ba483e858b3c98bc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 01:12:01 +0100 +Subject: libbpf: Fix alen calculation in libbpf_nla_dump_errormsg() + +From: Ilya Leoshkevich + +[ Upstream commit 17bcd27a08a21397698edf143084d7c87ce17946 ] + +The code assumes that everything that comes after nlmsgerr are nlattrs. +When calculating their size, it does not account for the initial +nlmsghdr. This may lead to accessing uninitialized memory. + +Fixes: bbf48c18ee0c ("libbpf: add error reporting in XDP") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20230210001210.395194-8-iii@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/nlattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/nlattr.c b/tools/lib/bpf/nlattr.c +index 1e69c0c8d413f..e610becd03e85 100644 +--- a/tools/lib/bpf/nlattr.c ++++ b/tools/lib/bpf/nlattr.c +@@ -177,7 +177,7 @@ int libbpf_nla_dump_errormsg(struct nlmsghdr *nlh) + hlen += nlmsg_len(&err->msg); + + attr = (struct nlattr *) ((void *) err + hlen); +- alen = nlh->nlmsg_len - hlen; ++ alen = (void *)nlh + nlh->nlmsg_len - (void *)attr; + + if (libbpf_nla_parse(tb, NLMSGERR_ATTR_MAX, attr, alen, + extack_policy) != 0) { +-- +2.39.2 + diff --git a/queue-5.4/m68k-check-syscall_trace_enter-return-code.patch b/queue-5.4/m68k-check-syscall_trace_enter-return-code.patch new file mode 100644 index 00000000000..ce2e33acb85 --- /dev/null +++ b/queue-5.4/m68k-check-syscall_trace_enter-return-code.patch @@ -0,0 +1,72 @@ +From a8346bed7d53ce8295bef22a12d7a402bd4f90ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 16:55:27 +1300 +Subject: m68k: Check syscall_trace_enter() return code + +From: Michael Schmitz + +[ Upstream commit 2ca8a1de4437f21562e57f9ac123914747a8e7a1 ] + +Check return code of syscall_trace_enter(), and skip syscall +if -1. Return code will be left at what had been set by +ptrace or seccomp (in regs->d0). + +No regression seen in testing with strace on ARAnyM. + +Signed-off-by: Michael Schmitz +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230112035529.13521-2-schmitzmic@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/68000/entry.S | 2 ++ + arch/m68k/coldfire/entry.S | 2 ++ + arch/m68k/kernel/entry.S | 3 +++ + 3 files changed, 7 insertions(+) + +diff --git a/arch/m68k/68000/entry.S b/arch/m68k/68000/entry.S +index 259b3661b6141..94abf3d8afc52 100644 +--- a/arch/m68k/68000/entry.S ++++ b/arch/m68k/68000/entry.S +@@ -47,6 +47,8 @@ do_trace: + jbsr syscall_trace_enter + RESTORE_SWITCH_STACK + addql #4,%sp ++ addql #1,%d0 ++ jeq ret_from_exception + movel %sp@(PT_OFF_ORIG_D0),%d1 + movel #-ENOSYS,%d0 + cmpl #NR_syscalls,%d1 +diff --git a/arch/m68k/coldfire/entry.S b/arch/m68k/coldfire/entry.S +index 52d312d5b4d4f..fb3b065677459 100644 +--- a/arch/m68k/coldfire/entry.S ++++ b/arch/m68k/coldfire/entry.S +@@ -92,6 +92,8 @@ ENTRY(system_call) + jbsr syscall_trace_enter + RESTORE_SWITCH_STACK + addql #4,%sp ++ addql #1,%d0 ++ jeq ret_from_exception + movel %d3,%a0 + jbsr %a0@ + movel %d0,%sp@(PT_OFF_D0) /* save the return value */ +diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S +index 97cd3ea5f10b8..9a66657773beb 100644 +--- a/arch/m68k/kernel/entry.S ++++ b/arch/m68k/kernel/entry.S +@@ -160,9 +160,12 @@ do_trace_entry: + jbsr syscall_trace + RESTORE_SWITCH_STACK + addql #4,%sp ++ addql #1,%d0 | optimization for cmpil #-1,%d0 ++ jeq ret_from_syscall + movel %sp@(PT_OFF_ORIG_D0),%d0 + cmpl #NR_syscalls,%d0 + jcs syscall ++ jra ret_from_syscall + badsys: + movel #-ENOSYS,%sp@(PT_OFF_D0) + jra ret_from_syscall +-- +2.39.2 + diff --git a/queue-5.4/m68k-proc-hardware-should-depend-on-proc_fs.patch b/queue-5.4/m68k-proc-hardware-should-depend-on-proc_fs.patch new file mode 100644 index 00000000000..39808f01052 --- /dev/null +++ b/queue-5.4/m68k-proc-hardware-should-depend-on-proc_fs.patch @@ -0,0 +1,42 @@ +From c047e7b0866a238580f3a1b2d9adc860b9a9d898 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 17:08:25 -0800 +Subject: m68k: /proc/hardware should depend on PROC_FS + +From: Randy Dunlap + +[ Upstream commit 1e5b5df65af99013b4d31607ddb3ca5731dbe44d ] + +When CONFIG_PROC_FS is not set, there is a build error for an unused +function. Make PROC_HARDWARE depend on PROC_FS to prevent this error. + +In file included from ../arch/m68k/kernel/setup.c:3: +../arch/m68k/kernel/setup_mm.c:477:12: error: 'hardware_proc_show' defined but not used [-Werror=unused-function] + 477 | static int hardware_proc_show(struct seq_file *m, void *v) + | ^~~~~~~~~~~~~~~~~~ + +Fixes: 66d857b08b8c ("m68k: merge m68k and m68knommu arch directories") # v3.0 +Signed-off-by: Randy Dunlap +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230209010825.24136-1-rdunlap@infradead.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/Kconfig.devices | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/m68k/Kconfig.devices b/arch/m68k/Kconfig.devices +index 3e9b0b826f8a1..6fb693bb0771c 100644 +--- a/arch/m68k/Kconfig.devices ++++ b/arch/m68k/Kconfig.devices +@@ -19,6 +19,7 @@ config HEARTBEAT + # We have a dedicated heartbeat LED. :-) + config PROC_HARDWARE + bool "/proc/hardware support" ++ depends on PROC_FS + help + Say Y here to support the /proc/hardware file, which gives you + access to information about the machine you're running on, +-- +2.39.2 + diff --git a/queue-5.4/media-i2c-ov7670-0-instead-of-einval-was-returned.patch b/queue-5.4/media-i2c-ov7670-0-instead-of-einval-was-returned.patch new file mode 100644 index 00000000000..bd79650a2c8 --- /dev/null +++ b/queue-5.4/media-i2c-ov7670-0-instead-of-einval-was-returned.patch @@ -0,0 +1,41 @@ +From 05e72bde73bab2e5fe788ee8af31806881fcf16e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 14:03:51 +0100 +Subject: media: i2c: ov7670: 0 instead of -EINVAL was returned + +From: Hans Verkuil + +[ Upstream commit 6a4c664539e6de9b32b65ddcf767ec1bcc1d7f8a ] + +If the media bus is unsupported, then return -EINVAL. Instead it +returned 'ret' which happened to be 0. + +This fixes a smatch warning: + +ov7670.c:1843 ov7670_parse_dt() warn: missing error code? 'ret' + +Signed-off-by: Hans Verkuil +Fixes: 01b8444828fc ("media: v4l2: i2c: ov7670: Implement OF mbus configuration") +Acked-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov7670.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c +index 154776d0069ea..e47800cb6c0f7 100644 +--- a/drivers/media/i2c/ov7670.c ++++ b/drivers/media/i2c/ov7670.c +@@ -1824,7 +1824,7 @@ static int ov7670_parse_dt(struct device *dev, + + if (bus_cfg.bus_type != V4L2_MBUS_PARALLEL) { + dev_err(dev, "Unsupported media bus type\n"); +- return ret; ++ return -EINVAL; + } + info->mbus_config = bus_cfg.bus.parallel.flags; + +-- +2.39.2 + diff --git a/queue-5.4/media-i2c-ov772x-fix-memleak-in-ov772x_probe.patch b/queue-5.4/media-i2c-ov772x-fix-memleak-in-ov772x_probe.patch new file mode 100644 index 00000000000..7d92817ee66 --- /dev/null +++ b/queue-5.4/media-i2c-ov772x-fix-memleak-in-ov772x_probe.patch @@ -0,0 +1,94 @@ +From a66c17825f03f6a36a6d2f6c6a1a6bd98db0f666 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 09:06:25 +0100 +Subject: media: i2c: ov772x: Fix memleak in ov772x_probe() + +From: Yuan Can + +[ Upstream commit 7485edb2b6ca5960205c0a49bedfd09bba30e521 ] + +A memory leak was reported when testing ov772x with bpf mock device: + +AssertionError: unreferenced object 0xffff888109afa7a8 (size 8): + comm "python3", pid 279, jiffies 4294805921 (age 20.681s) + hex dump (first 8 bytes): + 80 22 88 15 81 88 ff ff ."...... + backtrace: + [<000000009990b438>] __kmalloc_node+0x44/0x1b0 + [<000000009e32f7d7>] kvmalloc_node+0x34/0x180 + [<00000000faf48134>] v4l2_ctrl_handler_init_class+0x11d/0x180 [videodev] + [<00000000da376937>] ov772x_probe+0x1c3/0x68c [ov772x] + [<000000003f0d225e>] i2c_device_probe+0x28d/0x680 + [<00000000e0b6db89>] really_probe+0x17c/0x3f0 + [<000000001b19fcee>] __driver_probe_device+0xe3/0x170 + [<0000000048370519>] driver_probe_device+0x49/0x120 + [<000000005ead07a0>] __device_attach_driver+0xf7/0x150 + [<0000000043f452b8>] bus_for_each_drv+0x114/0x180 + [<00000000358e5596>] __device_attach+0x1e5/0x2d0 + [<0000000043f83c5d>] bus_probe_device+0x126/0x140 + [<00000000ee0f3046>] device_add+0x810/0x1130 + [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0 + [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110 + [<00000000a9f2159d>] of_i2c_notify+0x100/0x160 +unreferenced object 0xffff888119825c00 (size 256): + comm "python3", pid 279, jiffies 4294805921 (age 20.681s) + hex dump (first 32 bytes): + 00 b4 a5 17 81 88 ff ff 00 5e 82 19 81 88 ff ff .........^...... + 10 5c 82 19 81 88 ff ff 10 5c 82 19 81 88 ff ff .\.......\...... + backtrace: + [<000000009990b438>] __kmalloc_node+0x44/0x1b0 + [<000000009e32f7d7>] kvmalloc_node+0x34/0x180 + [<0000000073d88e0b>] v4l2_ctrl_new.cold+0x19b/0x86f [videodev] + [<00000000b1f576fb>] v4l2_ctrl_new_std+0x16f/0x210 [videodev] + [<00000000caf7ac99>] ov772x_probe+0x1fa/0x68c [ov772x] + [<000000003f0d225e>] i2c_device_probe+0x28d/0x680 + [<00000000e0b6db89>] really_probe+0x17c/0x3f0 + [<000000001b19fcee>] __driver_probe_device+0xe3/0x170 + [<0000000048370519>] driver_probe_device+0x49/0x120 + [<000000005ead07a0>] __device_attach_driver+0xf7/0x150 + [<0000000043f452b8>] bus_for_each_drv+0x114/0x180 + [<00000000358e5596>] __device_attach+0x1e5/0x2d0 + [<0000000043f83c5d>] bus_probe_device+0x126/0x140 + [<00000000ee0f3046>] device_add+0x810/0x1130 + [<00000000e0278184>] i2c_new_client_device+0x359/0x4f0 + [<0000000070baf34f>] of_i2c_register_device+0xf1/0x110 + +The reason is that if priv->hdl.error is set, ov772x_probe() jumps to the +error_mutex_destroy without doing v4l2_ctrl_handler_free(), and all +resources allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() +are leaked. + +Fixes: 1112babde214 ("media: i2c: Copy ov772x soc_camera sensor driver") +Signed-off-by: Yuan Can +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov772x.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/i2c/ov772x.c b/drivers/media/i2c/ov772x.c +index 2cc6a678069a2..5033950a48ab6 100644 +--- a/drivers/media/i2c/ov772x.c ++++ b/drivers/media/i2c/ov772x.c +@@ -1397,7 +1397,7 @@ static int ov772x_probe(struct i2c_client *client) + priv->subdev.ctrl_handler = &priv->hdl; + if (priv->hdl.error) { + ret = priv->hdl.error; +- goto error_mutex_destroy; ++ goto error_ctrl_free; + } + + priv->clk = clk_get(&client->dev, NULL); +@@ -1446,7 +1446,6 @@ static int ov772x_probe(struct i2c_client *client) + clk_put(priv->clk); + error_ctrl_free: + v4l2_ctrl_handler_free(&priv->hdl); +-error_mutex_destroy: + mutex_destroy(&priv->lock); + + return ret; +-- +2.39.2 + diff --git a/queue-5.4/media-ov5675-fix-memleak-in-ov5675_init_controls.patch b/queue-5.4/media-ov5675-fix-memleak-in-ov5675_init_controls.patch new file mode 100644 index 00000000000..dbffa8b7c49 --- /dev/null +++ b/queue-5.4/media-ov5675-fix-memleak-in-ov5675_init_controls.patch @@ -0,0 +1,67 @@ +From e6f15f01ad4ab450b92f064e746fc890279f7c30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 08:59:38 +0100 +Subject: media: ov5675: Fix memleak in ov5675_init_controls() + +From: Shang XiaoJing + +[ Upstream commit dd74ed6c213003533e3abf4c204374ef01d86978 ] + +There is a kmemleak when testing the media/i2c/ov5675.c with bpf mock +device: + +AssertionError: unreferenced object 0xffff888107362160 (size 16): + comm "python3", pid 277, jiffies 4294832798 (age 20.722s) + hex dump (first 16 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<00000000abe7d67c>] __kmalloc_node+0x44/0x1b0 + [<000000008a725aac>] kvmalloc_node+0x34/0x180 + [<000000009a53cd11>] v4l2_ctrl_handler_init_class+0x11d/0x180 +[videodev] + [<0000000055b46db0>] ov5675_probe+0x38b/0x897 [ov5675] + [<00000000153d886c>] i2c_device_probe+0x28d/0x680 + [<000000004afb7e8f>] really_probe+0x17c/0x3f0 + [<00000000ff2f18e4>] __driver_probe_device+0xe3/0x170 + [<000000000a001029>] driver_probe_device+0x49/0x120 + [<00000000e39743c7>] __device_attach_driver+0xf7/0x150 + [<00000000d32fd070>] bus_for_each_drv+0x114/0x180 + [<000000009083ac41>] __device_attach+0x1e5/0x2d0 + [<0000000015b4a830>] bus_probe_device+0x126/0x140 + [<000000007813deaf>] device_add+0x810/0x1130 + [<000000007becb867>] i2c_new_client_device+0x386/0x540 + [<000000007f9cf4b4>] of_i2c_register_device+0xf1/0x110 + [<00000000ebfdd032>] of_i2c_notify+0xfc/0x1f0 + +ov5675_init_controls() won't clean all the allocated resources in fail +path, which may causes the memleaks. Add v4l2_ctrl_handler_free() to +prevent memleak. + +Fixes: bf27502b1f3b ("media: ov5675: Add support for OV5675 sensor") +Signed-off-by: Shang XiaoJing +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ov5675.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/ov5675.c b/drivers/media/i2c/ov5675.c +index 1ae252378799e..477f61b8559c2 100644 +--- a/drivers/media/i2c/ov5675.c ++++ b/drivers/media/i2c/ov5675.c +@@ -722,8 +722,10 @@ static int ov5675_init_controls(struct ov5675 *ov5675) + V4L2_CID_TEST_PATTERN, + ARRAY_SIZE(ov5675_test_pattern_menu) - 1, + 0, 0, ov5675_test_pattern_menu); +- if (ctrl_hdlr->error) ++ if (ctrl_hdlr->error) { ++ v4l2_ctrl_handler_free(ctrl_hdlr); + return ctrl_hdlr->error; ++ } + + ov5675->sd.ctrl_handler = ctrl_hdlr; + +-- +2.39.2 + diff --git a/queue-5.4/media-platform-ti-add-missing-check-for-devm_regulat.patch b/queue-5.4/media-platform-ti-add-missing-check-for-devm_regulat.patch new file mode 100644 index 00000000000..837db07c806 --- /dev/null +++ b/queue-5.4/media-platform-ti-add-missing-check-for-devm_regulat.patch @@ -0,0 +1,45 @@ +From 436c64fbe97e3e54d50c997bf69141b325dbf933 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 09:55:37 +0100 +Subject: media: platform: ti: Add missing check for devm_regulator_get + +From: Jiasheng Jiang + +[ Upstream commit da8e05f84a11c3cc3b0ba0a3c62d20e358002d99 ] + +Add check for the return value of devm_regulator_get since it may return +error pointer. + +Fixes: 448de7e7850b ("[media] omap3isp: OMAP3 ISP core") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/omap3isp/isp.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c +index dce6b3685e135..88d491a8e326b 100644 +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -2312,7 +2312,16 @@ static int isp_probe(struct platform_device *pdev) + + /* Regulators */ + isp->isp_csiphy1.vdd = devm_regulator_get(&pdev->dev, "vdd-csiphy1"); ++ if (IS_ERR(isp->isp_csiphy1.vdd)) { ++ ret = PTR_ERR(isp->isp_csiphy1.vdd); ++ goto error; ++ } ++ + isp->isp_csiphy2.vdd = devm_regulator_get(&pdev->dev, "vdd-csiphy2"); ++ if (IS_ERR(isp->isp_csiphy2.vdd)) { ++ ret = PTR_ERR(isp->isp_csiphy2.vdd); ++ goto error; ++ } + + /* Clocks + * +-- +2.39.2 + diff --git a/queue-5.4/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch b/queue-5.4/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch new file mode 100644 index 00000000000..c2132cc4895 --- /dev/null +++ b/queue-5.4/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch @@ -0,0 +1,83 @@ +From cf44d2c21cc08920e1afef36e7777e0a57696d92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 08:55:33 +0100 +Subject: media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() + +From: Duoming Zhou + +[ Upstream commit 29b0589a865b6f66d141d79b2dd1373e4e50fe17 ] + +When the ene device is detaching, function ene_remove() will +be called. But there is no function to cancel tx_sim_timer +in ene_remove(), the timer handler ene_tx_irqsim() could race +with ene_remove(). As a result, the UAF bugs could happen, +the process is shown below. + + (cleanup routine) | (timer routine) + | mod_timer(&dev->tx_sim_timer, ..) +ene_remove() | (wait a time) + | ene_tx_irqsim() + | dev->hw_lock //USE + | ene_tx_sample(dev) //USE + +Fix by adding del_timer_sync(&dev->tx_sim_timer) in ene_remove(), +The tx_sim_timer could stop before ene device is deallocated. + +What's more, The rc_unregister_device() and del_timer_sync() +should be called first in ene_remove() and the deallocated +functions such as free_irq(), release_region() and so on +should be called behind them. Because the rc_unregister_device() +is well synchronized. Otherwise, race conditions may happen. The +situations that may lead to race conditions are shown below. + +Firstly, the rx receiver is disabled with ene_rx_disable() +before rc_unregister_device() in ene_remove(), which means it +can be enabled again if a process opens /dev/lirc0 between +ene_rx_disable() and rc_unregister_device(). + +Secondly, the irqaction descriptor is freed by free_irq() +before the rc device is unregistered, which means irqaction +descriptor may be accessed again after it is deallocated. + +Thirdly, the timer can call ene_tx_sample() that can write +to the io ports, which means the io ports could be accessed +again after they are deallocated by release_region(). + +Therefore, the rc_unregister_device() and del_timer_sync() +should be called first in ene_remove(). + +Suggested by: Sean Young + +Fixes: 9ea53b74df9c ("V4L/DVB: STAGING: remove lirc_ene0100 driver") +Signed-off-by: Duoming Zhou +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ene_ir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c +index 82867a2a60b0e..20cadff242cf9 100644 +--- a/drivers/media/rc/ene_ir.c ++++ b/drivers/media/rc/ene_ir.c +@@ -1106,6 +1106,8 @@ static void ene_remove(struct pnp_dev *pnp_dev) + struct ene_device *dev = pnp_get_drvdata(pnp_dev); + unsigned long flags; + ++ rc_unregister_device(dev->rdev); ++ del_timer_sync(&dev->tx_sim_timer); + spin_lock_irqsave(&dev->hw_lock, flags); + ene_rx_disable(dev); + ene_rx_restore_hw_buffer(dev); +@@ -1113,7 +1115,6 @@ static void ene_remove(struct pnp_dev *pnp_dev) + + free_irq(dev->irq, dev); + release_region(dev->hw_io, ENE_IO_SIZE); +- rc_unregister_device(dev->rdev); + kfree(dev); + } + +-- +2.39.2 + diff --git a/queue-5.4/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch b/queue-5.4/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch new file mode 100644 index 00000000000..83bce67b107 --- /dev/null +++ b/queue-5.4/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch @@ -0,0 +1,233 @@ +From 3e8c49c07036e324d8c76a802d4f3f5ce8b1551b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 03:04:38 +0100 +Subject: media: usb: siano: Fix use after free bugs caused by do_submit_urb + +From: Duoming Zhou + +[ Upstream commit ebad8e731c1c06adf04621d6fd327b860c0861b5 ] + +There are UAF bugs caused by do_submit_urb(). One of the KASan reports +is shown below: + +[ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890 +[ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 +[ 36.408316] +[ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8 +[ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 +[ 36.416157] Workqueue: 0x0 (events) +[ 36.417654] Call Trace: +[ 36.418546] +[ 36.419320] dump_stack_lvl+0x96/0xd0 +[ 36.420522] print_address_description+0x75/0x350 +[ 36.421992] print_report+0x11b/0x250 +[ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0 +[ 36.424806] ? __virt_addr_valid+0xcf/0x170 +[ 36.426069] ? worker_thread+0x4a2/0x890 +[ 36.427355] kasan_report+0x131/0x160 +[ 36.428556] ? worker_thread+0x4a2/0x890 +[ 36.430053] worker_thread+0x4a2/0x890 +[ 36.431297] ? worker_clr_flags+0x90/0x90 +[ 36.432479] kthread+0x166/0x190 +[ 36.433493] ? kthread_blkcg+0x50/0x50 +[ 36.434669] ret_from_fork+0x22/0x30 +[ 36.435923] +[ 36.436684] +[ 36.437215] Allocated by task 24: +[ 36.438289] kasan_set_track+0x50/0x80 +[ 36.439436] __kasan_kmalloc+0x89/0xa0 +[ 36.440566] smsusb_probe+0x374/0xc90 +[ 36.441920] usb_probe_interface+0x2d1/0x4c0 +[ 36.443253] really_probe+0x1d5/0x580 +[ 36.444539] __driver_probe_device+0xe3/0x130 +[ 36.446085] driver_probe_device+0x49/0x220 +[ 36.447423] __device_attach_driver+0x19e/0x1b0 +[ 36.448931] bus_for_each_drv+0xcb/0x110 +[ 36.450217] __device_attach+0x132/0x1f0 +[ 36.451470] bus_probe_device+0x59/0xf0 +[ 36.452563] device_add+0x4ec/0x7b0 +[ 36.453830] usb_set_configuration+0xc63/0xe10 +[ 36.455230] usb_generic_driver_probe+0x3b/0x80 +[ 36.456166] printk: console [ttyGS0] disabled +[ 36.456569] usb_probe_device+0x90/0x110 +[ 36.459523] really_probe+0x1d5/0x580 +[ 36.461027] __driver_probe_device+0xe3/0x130 +[ 36.462465] driver_probe_device+0x49/0x220 +[ 36.463847] __device_attach_driver+0x19e/0x1b0 +[ 36.465229] bus_for_each_drv+0xcb/0x110 +[ 36.466466] __device_attach+0x132/0x1f0 +[ 36.467799] bus_probe_device+0x59/0xf0 +[ 36.469010] device_add+0x4ec/0x7b0 +[ 36.470125] usb_new_device+0x863/0xa00 +[ 36.471374] hub_event+0x18c7/0x2220 +[ 36.472746] process_one_work+0x34c/0x5b0 +[ 36.474041] worker_thread+0x4b7/0x890 +[ 36.475216] kthread+0x166/0x190 +[ 36.476267] ret_from_fork+0x22/0x30 +[ 36.477447] +[ 36.478160] Freed by task 24: +[ 36.479239] kasan_set_track+0x50/0x80 +[ 36.480512] kasan_save_free_info+0x2b/0x40 +[ 36.481808] ____kasan_slab_free+0x122/0x1a0 +[ 36.483173] __kmem_cache_free+0xc4/0x200 +[ 36.484563] smsusb_term_device+0xcd/0xf0 +[ 36.485896] smsusb_probe+0xc85/0xc90 +[ 36.486976] usb_probe_interface+0x2d1/0x4c0 +[ 36.488303] really_probe+0x1d5/0x580 +[ 36.489498] __driver_probe_device+0xe3/0x130 +[ 36.491140] driver_probe_device+0x49/0x220 +[ 36.492475] __device_attach_driver+0x19e/0x1b0 +[ 36.493988] bus_for_each_drv+0xcb/0x110 +[ 36.495171] __device_attach+0x132/0x1f0 +[ 36.496617] bus_probe_device+0x59/0xf0 +[ 36.497875] device_add+0x4ec/0x7b0 +[ 36.498972] usb_set_configuration+0xc63/0xe10 +[ 36.500264] usb_generic_driver_probe+0x3b/0x80 +[ 36.501740] usb_probe_device+0x90/0x110 +[ 36.503084] really_probe+0x1d5/0x580 +[ 36.504241] __driver_probe_device+0xe3/0x130 +[ 36.505548] driver_probe_device+0x49/0x220 +[ 36.506766] __device_attach_driver+0x19e/0x1b0 +[ 36.508368] bus_for_each_drv+0xcb/0x110 +[ 36.509646] __device_attach+0x132/0x1f0 +[ 36.510911] bus_probe_device+0x59/0xf0 +[ 36.512103] device_add+0x4ec/0x7b0 +[ 36.513215] usb_new_device+0x863/0xa00 +[ 36.514736] hub_event+0x18c7/0x2220 +[ 36.516130] process_one_work+0x34c/0x5b0 +[ 36.517396] worker_thread+0x4b7/0x890 +[ 36.518591] kthread+0x166/0x190 +[ 36.519599] ret_from_fork+0x22/0x30 +[ 36.520851] +[ 36.521405] Last potentially related work creation: +[ 36.523143] kasan_save_stack+0x3f/0x60 +[ 36.524275] kasan_record_aux_stack_noalloc+0x9d/0xb0 +[ 36.525831] insert_work+0x25/0x130 +[ 36.527039] __queue_work+0x4d4/0x620 +[ 36.528236] queue_work_on+0x72/0xb0 +[ 36.529344] __usb_hcd_giveback_urb+0x13f/0x1b0 +[ 36.530819] dummy_timer+0x350/0x1a40 +[ 36.532149] call_timer_fn+0x2c/0x190 +[ 36.533567] expire_timers+0x69/0x1f0 +[ 36.534736] __run_timers+0x289/0x2d0 +[ 36.535841] run_timer_softirq+0x2d/0x60 +[ 36.537110] __do_softirq+0x116/0x380 +[ 36.538377] +[ 36.538950] Second to last potentially related work creation: +[ 36.540855] kasan_save_stack+0x3f/0x60 +[ 36.542084] kasan_record_aux_stack_noalloc+0x9d/0xb0 +[ 36.543592] insert_work+0x25/0x130 +[ 36.544891] __queue_work+0x4d4/0x620 +[ 36.546168] queue_work_on+0x72/0xb0 +[ 36.547328] __usb_hcd_giveback_urb+0x13f/0x1b0 +[ 36.548805] dummy_timer+0x350/0x1a40 +[ 36.550116] call_timer_fn+0x2c/0x190 +[ 36.551570] expire_timers+0x69/0x1f0 +[ 36.552762] __run_timers+0x289/0x2d0 +[ 36.553916] run_timer_softirq+0x2d/0x60 +[ 36.555118] __do_softirq+0x116/0x380 +[ 36.556239] +[ 36.556807] The buggy address belongs to the object at ffff888005960000 +[ 36.556807] which belongs to the cache kmalloc-4k of size 4096 +[ 36.560652] The buggy address is located 232 bytes inside of +[ 36.560652] 4096-byte region [ffff888005960000, ffff888005961000) +[ 36.564791] +[ 36.565355] The buggy address belongs to the physical page: +[ 36.567212] page:000000004f0a0731 refcount:1 mapcount:0 mapping:0000000000000000 index:0x00 +[ 36.570534] head:000000004f0a0731 order:3 compound_mapcount:0 subpages_mapcount:0 compound0 +[ 36.573717] flags: 0x100000000010200(slab|head|node=0|zone=1) +[ 36.575481] raw: 0100000000010200 ffff888001042140 dead000000000122 0000000000000000 +[ 36.577842] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 +[ 36.580175] page dumped because: kasan: bad access detected +[ 36.581994] +[ 36.582548] Memory state around the buggy address: +[ 36.583983] ffff88800595ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 36.586240] ffff888005960000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.588884] >ffff888005960080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.591071] ^ +[ 36.593295] ffff888005960100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.595705] ffff888005960180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.598026] ================================================================== +[ 36.600224] Disabling lock debugging due to kernel taint +[ 36.602681] general protection fault, probably for non-canonical address 0x43600a000000060I +[ 36.607129] CPU: 0 PID: 49 Comm: kworker/0:2 Tainted: G B 6.2.0-rc3-15798-8 +[ 36.611115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 +[ 36.615026] Workqueue: events do_submit_urb +[ 36.616290] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 +[ 36.618107] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 +[ 36.623522] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 +[ 36.625072] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 +[ 36.627206] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 +[ 36.629813] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f +[ 36.631974] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 +[ 36.634285] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 +[ 36.636438] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 +[ 36.639092] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 36.640951] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 +[ 36.643411] Call Trace: +[ 36.644215] +[ 36.644902] smscore_getbuffer+0x3e/0x1e0 +[ 36.646147] do_submit_urb+0x4f/0x190 +[ 36.647449] process_one_work+0x34c/0x5b0 +[ 36.648777] worker_thread+0x4b7/0x890 +[ 36.649984] ? worker_clr_flags+0x90/0x90 +[ 36.651166] kthread+0x166/0x190 +[ 36.652151] ? kthread_blkcg+0x50/0x50 +[ 36.653547] ret_from_fork+0x22/0x30 +[ 36.655051] +[ 36.655733] Modules linked in: +[ 36.656787] ---[ end trace 0000000000000000 ]--- +[ 36.658328] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 +[ 36.660045] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 +[ 36.665730] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 +[ 36.667448] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 +[ 36.669675] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 +[ 36.672645] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f +[ 36.674921] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 +[ 36.677034] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 +[ 36.679184] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 +[ 36.681655] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 36.683383] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 +[ 36.685733] Kernel panic - not syncing: Fatal exception +[ 36.688585] Kernel Offset: 0x1d400000 from 0xffffffff81000000 (relocation range: 0xfffffff) +[ 36.692199] ---[ end Kernel panic - not syncing: Fatal exception ]--- + +When the siano device is plugged in, it may call the following functions +to initialize the device. + +smsusb_probe()-->smsusb_init_device()-->smscore_start_device(). + +When smscore_start_device() gets failed, the function smsusb_term_device() +will be called and smsusb_device_t will be deallocated. Although we use +usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests +and wait for them to finish, the worker threads that are scheduled by +smsusb_onresponse() may be still running. As a result, the UAF bugs +could happen. + +We add cancel_work_sync() in smsusb_stop_streaming() in order that the +worker threads could finish before the smsusb_device_t is deallocated. + +Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic") +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/siano/smsusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index 9ba3a2ae36e54..1db232a1063b9 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -179,6 +179,7 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev) + + for (i = 0; i < MAX_URBS; i++) { + usb_kill_urb(&dev->surbs[i].urb); ++ cancel_work_sync(&dev->surbs[i].wq); + + if (dev->surbs[i].cb) { + smscore_putbuffer(dev->coredev, dev->surbs[i].cb); +-- +2.39.2 + diff --git a/queue-5.4/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch b/queue-5.4/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch new file mode 100644 index 00000000000..b9d62fad4eb --- /dev/null +++ b/queue-5.4/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch @@ -0,0 +1,50 @@ +From a6b233c386241993a4ea8fc15dd689dd1f9676c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 14:15:55 +0800 +Subject: mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read() + +From: Qiheng Lin + +[ Upstream commit 8b450dcff23aa254844492831a8e2b508a9d522d ] + +`req` is allocated in pcf50633_adc_async_read(), but +adc_enqueue_request() could fail to insert the `req` into queue. +We need to check the return value and free it in the case of failure. + +Fixes: 08c3e06a5eb2 ("mfd: PCF50633 adc driver") +Signed-off-by: Qiheng Lin +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20221208061555.8776-1-linqiheng@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/pcf50633-adc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/pcf50633-adc.c b/drivers/mfd/pcf50633-adc.c +index 5cd653e615125..191b1bc6141c2 100644 +--- a/drivers/mfd/pcf50633-adc.c ++++ b/drivers/mfd/pcf50633-adc.c +@@ -136,6 +136,7 @@ int pcf50633_adc_async_read(struct pcf50633 *pcf, int mux, int avg, + void *callback_param) + { + struct pcf50633_adc_request *req; ++ int ret; + + /* req is freed when the result is ready, in interrupt handler */ + req = kmalloc(sizeof(*req), GFP_KERNEL); +@@ -147,7 +148,11 @@ int pcf50633_adc_async_read(struct pcf50633 *pcf, int mux, int avg, + req->callback = callback; + req->callback_param = callback_param; + +- return adc_enqueue_request(pcf, req); ++ ret = adc_enqueue_request(pcf, req); ++ if (ret) ++ kfree(req); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(pcf50633_adc_async_read); + +-- +2.39.2 + diff --git a/queue-5.4/mips-smp-cps-fix-build-error-when-hotplug_cpu-not-se.patch b/queue-5.4/mips-smp-cps-fix-build-error-when-hotplug_cpu-not-se.patch new file mode 100644 index 00000000000..248fc8105ac --- /dev/null +++ b/queue-5.4/mips-smp-cps-fix-build-error-when-hotplug_cpu-not-se.patch @@ -0,0 +1,54 @@ +From bda2e1356a5316b0d97a1fdf35df09d2cf0ad7ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Feb 2023 12:07:49 -0800 +Subject: MIPS: SMP-CPS: fix build error when HOTPLUG_CPU not set + +From: Randy Dunlap + +[ Upstream commit 6f02e39fa40f16c24e7a5c599a854c0d1682788d ] + +When MIPS_CPS=y, MIPS_CPS_PM is not set, HOTPLUG_CPU is not set, and +KEXEC=y, cps_shutdown_this_cpu() attempts to call cps_pm_enter_state(), +which is not built when MIPS_CPS_PM is not set. +Conditionally execute the else branch based on CONFIG_HOTPLUG_CPU +to remove the build error. +This build failure is from a randconfig file. + +mips-linux-ld: arch/mips/kernel/smp-cps.o: in function `$L162': +smp-cps.c:(.text.cps_kexec_nonboot_cpu+0x31c): undefined reference to `cps_pm_enter_state' + +Fixes: 1447864bee4c ("MIPS: kexec: CPS systems to halt nonboot CPUs") +Signed-off-by: Randy Dunlap +Cc: Dengcheng Zhu +Cc: Paul Burton +Cc: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org +Cc: Sergei Shtylyov +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/smp-cps.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/arch/mips/kernel/smp-cps.c b/arch/mips/kernel/smp-cps.c +index dbb3f1fc71ab6..f659adb681bc3 100644 +--- a/arch/mips/kernel/smp-cps.c ++++ b/arch/mips/kernel/smp-cps.c +@@ -423,9 +423,11 @@ static void cps_shutdown_this_cpu(enum cpu_death death) + wmb(); + } + } else { +- pr_debug("Gating power to core %d\n", core); +- /* Power down the core */ +- cps_pm_enter_state(CPS_PM_POWER_GATED); ++ if (IS_ENABLED(CONFIG_HOTPLUG_CPU)) { ++ pr_debug("Gating power to core %d\n", core); ++ /* Power down the core */ ++ cps_pm_enter_state(CPS_PM_POWER_GATED); ++ } + } + } + +-- +2.39.2 + diff --git a/queue-5.4/mips-vpe-mt-drop-physical_memsize.patch b/queue-5.4/mips-vpe-mt-drop-physical_memsize.patch new file mode 100644 index 00000000000..bae86015003 --- /dev/null +++ b/queue-5.4/mips-vpe-mt-drop-physical_memsize.patch @@ -0,0 +1,99 @@ +From 50d6a059901d1d8a756fa69d3447ab075a7c747d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Feb 2023 15:15:25 -0800 +Subject: MIPS: vpe-mt: drop physical_memsize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 91dc288f4edf0d768e46c2c6d33e0ab703403459 ] + +When neither LANTIQ nor MIPS_MALTA is set, 'physical_memsize' is not +declared. This causes the build to fail with: + +mips-linux-ld: arch/mips/kernel/vpe-mt.o: in function `vpe_run': +arch/mips/kernel/vpe-mt.c:(.text.vpe_run+0x280): undefined reference to `physical_memsize' + +LANTIQ is not using 'physical_memsize' and MIPS_MALTA's use of it is +self-contained in mti-malta/malta-dtshim.c. +Use of physical_memsize in vpe-mt.c appears to be unused, so eliminate +this loader mode completely and require VPE programs to be compiled with +DFLT_STACK_SIZE and DFLT_HEAP_SIZE defined. + +Fixes: 9050d50e2244 ("MIPS: lantiq: Set physical_memsize") +Fixes: 1a2a6d7e8816 ("MIPS: APRP: Split VPE loader into separate files.") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Link: https://lore.kernel.org/all/202302030625.2g3E98sY-lkp@intel.com/ +Cc: Dengcheng Zhu +Cc: John Crispin +Cc: Thomas Bogendoerfer +Cc: Philippe Mathieu-Daudé +Cc: "Steven J. Hill" +Cc: Qais Yousef +Cc: Yang Yingliang +Cc: Hauke Mehrtens +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/vpe.h | 1 - + arch/mips/kernel/vpe-mt.c | 7 +++---- + arch/mips/lantiq/prom.c | 6 ------ + 3 files changed, 3 insertions(+), 11 deletions(-) + +diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h +index 80e70dbd1f641..012731546cf60 100644 +--- a/arch/mips/include/asm/vpe.h ++++ b/arch/mips/include/asm/vpe.h +@@ -104,7 +104,6 @@ struct vpe_control { + struct list_head tc_list; /* Thread contexts */ + }; + +-extern unsigned long physical_memsize; + extern struct vpe_control vpecontrol; + extern const struct file_operations vpe_fops; + +diff --git a/arch/mips/kernel/vpe-mt.c b/arch/mips/kernel/vpe-mt.c +index 9fd7cd48ea1d2..496ed8f362f62 100644 +--- a/arch/mips/kernel/vpe-mt.c ++++ b/arch/mips/kernel/vpe-mt.c +@@ -92,12 +92,11 @@ int vpe_run(struct vpe *v) + write_tc_c0_tchalt(read_tc_c0_tchalt() & ~TCHALT_H); + + /* +- * The sde-kit passes 'memsize' to __start in $a3, so set something +- * here... Or set $a3 to zero and define DFLT_STACK_SIZE and +- * DFLT_HEAP_SIZE when you compile your program ++ * We don't pass the memsize here, so VPE programs need to be ++ * compiled with DFLT_STACK_SIZE and DFLT_HEAP_SIZE defined. + */ ++ mttgpr(7, 0); + mttgpr(6, v->ntcs); +- mttgpr(7, physical_memsize); + + /* set up VPE1 */ + /* +diff --git a/arch/mips/lantiq/prom.c b/arch/mips/lantiq/prom.c +index 3f568f5aae2d1..2729a4b63e187 100644 +--- a/arch/mips/lantiq/prom.c ++++ b/arch/mips/lantiq/prom.c +@@ -22,12 +22,6 @@ + DEFINE_SPINLOCK(ebu_lock); + EXPORT_SYMBOL_GPL(ebu_lock); + +-/* +- * This is needed by the VPE loader code, just set it to 0 and assume +- * that the firmware hardcodes this value to something useful. +- */ +-unsigned long physical_memsize = 0L; +- + /* + * this struct is filled by the soc specific detection code and holds + * information about the specific soc type, revision and name +-- +2.39.2 + diff --git a/queue-5.4/mptcp-add-sk_stop_timer_sync-helper.patch b/queue-5.4/mptcp-add-sk_stop_timer_sync-helper.patch new file mode 100644 index 00000000000..1a585654347 --- /dev/null +++ b/queue-5.4/mptcp-add-sk_stop_timer_sync-helper.patch @@ -0,0 +1,57 @@ +From 9ff3f04ce51f1f2319be0ad8b7570cc0643ea49a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 08:30:01 +0800 +Subject: mptcp: add sk_stop_timer_sync helper + +From: Geliang Tang + +[ Upstream commit 08b81d873126b413cda511b1ea1cbb0e99938bbd ] + +This patch added a new helper sk_stop_timer_sync, it deactivates a timer +like sk_stop_timer, but waits for the handler to finish. + +Acked-by: Paolo Abeni +Signed-off-by: Geliang Tang +Reviewed-by: Mat Martineau +Signed-off-by: David S. Miller +Stable-dep-of: 584f3742890e ("net: add sock_init_data_uid()") +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 2 ++ + net/core/sock.c | 7 +++++++ + 2 files changed, 9 insertions(+) + +diff --git a/include/net/sock.h b/include/net/sock.h +index 976433438c6f2..c65baac40548a 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2185,6 +2185,8 @@ void sk_reset_timer(struct sock *sk, struct timer_list *timer, + + void sk_stop_timer(struct sock *sk, struct timer_list *timer); + ++void sk_stop_timer_sync(struct sock *sk, struct timer_list *timer); ++ + int __sk_queue_drop_skb(struct sock *sk, struct sk_buff_head *sk_queue, + struct sk_buff *skb, unsigned int flags, + void (*destructor)(struct sock *sk, +diff --git a/net/core/sock.c b/net/core/sock.c +index a2b12a5cf42bc..6cca1ebf904ae 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2882,6 +2882,13 @@ void sk_stop_timer(struct sock *sk, struct timer_list* timer) + } + EXPORT_SYMBOL(sk_stop_timer); + ++void sk_stop_timer_sync(struct sock *sk, struct timer_list *timer) ++{ ++ if (del_timer_sync(timer)) ++ __sock_put(sk); ++} ++EXPORT_SYMBOL(sk_stop_timer_sync); ++ + void sock_init_data(struct socket *sock, struct sock *sk) + { + sk_init_common(sk); +-- +2.39.2 + diff --git a/queue-5.4/mtd-rawnand-fsl_elbc-propagate-hw-ecc-settings-to-hw.patch b/queue-5.4/mtd-rawnand-fsl_elbc-propagate-hw-ecc-settings-to-hw.patch new file mode 100644 index 00000000000..c8b0d3e5071 --- /dev/null +++ b/queue-5.4/mtd-rawnand-fsl_elbc-propagate-hw-ecc-settings-to-hw.patch @@ -0,0 +1,69 @@ +From 839c09472742b383f65eb7c1f7e576ebfb6a1f62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jan 2023 14:41:11 +0100 +Subject: mtd: rawnand: fsl_elbc: Propagate HW ECC settings to HW +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit b56265257d38af5abf43bd5461ca166b401c35a5 ] + +It is possible that current chip->ecc.engine_type value does not match to +configured HW value (if HW ECC checking and generating is enabled or not). + +This can happen with old U-Boot bootloader version which either does not +initialize NAND (and let it in some default unusable state) or initialize +NAND with different parameters than what is specified in kernel DTS file. + +So if kernel chose to use some chip->ecc.engine_type settings (e.g. from +DTS file) then do not depend on bootloader HW configuration and configures +HW ECC settings according to chip->ecc.engine_type value. + +BR_DECC must be set to BR_DECC_CHK_GEN when HW is doing ECC (both +generating and checking), or to BR_DECC_OFF when HW is not doing ECC. + +This change fixes usage of SW ECC support in case bootloader explicitly +enabled HW ECC support and kernel DTS file has specified to use SW ECC. +(Of course this works only in case when NAND is not a boot device and both +bootloader and kernel are loaded from different location, e.g. FLASH NOR.) + +Fixes: f6424c22aa36 ("mtd: rawnand: fsl_elbc: Make SW ECC work") +Signed-off-by: Pali Rohár +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20230128134111.32559-1-pali@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/fsl_elbc_nand.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/mtd/nand/raw/fsl_elbc_nand.c b/drivers/mtd/nand/raw/fsl_elbc_nand.c +index 634c550db13a7..e900c0eddc21d 100644 +--- a/drivers/mtd/nand/raw/fsl_elbc_nand.c ++++ b/drivers/mtd/nand/raw/fsl_elbc_nand.c +@@ -727,6 +727,7 @@ static int fsl_elbc_attach_chip(struct nand_chip *chip) + struct fsl_lbc_ctrl *ctrl = priv->ctrl; + struct fsl_lbc_regs __iomem *lbc = ctrl->regs; + unsigned int al; ++ u32 br; + + switch (chip->ecc.mode) { + /* +@@ -762,6 +763,13 @@ static int fsl_elbc_attach_chip(struct nand_chip *chip) + return -EINVAL; + } + ++ /* enable/disable HW ECC checking and generating based on if HW ECC was chosen */ ++ br = in_be32(&lbc->bank[priv->bank].br) & ~BR_DECC; ++ if (chip->ecc.engine_type == NAND_ECC_ENGINE_TYPE_ON_HOST) ++ out_be32(&lbc->bank[priv->bank].br, br | BR_DECC_CHK_GEN); ++ else ++ out_be32(&lbc->bank[priv->bank].br, br | BR_DECC_OFF); ++ + /* calculate FMR Address Length field */ + al = 0; + if (chip->pagemask & 0xffff0000) +-- +2.39.2 + diff --git a/queue-5.4/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch b/queue-5.4/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch new file mode 100644 index 00000000000..505c3d781c6 --- /dev/null +++ b/queue-5.4/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch @@ -0,0 +1,37 @@ +From c6210c75e31571d13d616b7a824129cb0c67c60c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Dec 2022 12:15:24 -0600 +Subject: mtd: rawnand: sunxi: Fix the size of the last OOB region + +From: Samuel Holland + +[ Upstream commit 34569d869532b54d6e360d224a0254dcdd6a1785 ] + +The previous code assigned to the wrong structure member. + +Fixes: c66811e6d350 ("mtd: nand: sunxi: switch to mtd_ooblayout_ops") +Signed-off-by: Samuel Holland +Acked-By: Dhruva Gole +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20221229181526.53766-6-samuel@sholland.org +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/sunxi_nand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/raw/sunxi_nand.c b/drivers/mtd/nand/raw/sunxi_nand.c +index 45c376fc571af..0f3bce3fb00b7 100644 +--- a/drivers/mtd/nand/raw/sunxi_nand.c ++++ b/drivers/mtd/nand/raw/sunxi_nand.c +@@ -1587,7 +1587,7 @@ static int sunxi_nand_ooblayout_free(struct mtd_info *mtd, int section, + if (section < ecc->steps) + oobregion->length = 4; + else +- oobregion->offset = mtd->oobsize - oobregion->offset; ++ oobregion->length = mtd->oobsize - oobregion->offset; + + return 0; + } +-- +2.39.2 + diff --git a/queue-5.4/net-add-sock_init_data_uid.patch b/queue-5.4/net-add-sock_init_data_uid.patch new file mode 100644 index 00000000000..5d838b0764c --- /dev/null +++ b/queue-5.4/net-add-sock_init_data_uid.patch @@ -0,0 +1,89 @@ +From 966f80bb506c4dc5521f2d46fa14426ad28815de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Feb 2023 17:39:20 +0000 +Subject: net: add sock_init_data_uid() + +From: Pietro Borrello + +[ Upstream commit 584f3742890e966d2f0a1f3c418c9ead70b2d99e ] + +Add sock_init_data_uid() to explicitly initialize the socket uid. +To initialise the socket uid, sock_init_data() assumes a the struct +socket* sock is always embedded in a struct socket_alloc, used to +access the corresponding inode uid. This may not be true. +Examples are sockets created in tun_chr_open() and tap_open(). + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Pietro Borrello +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sock.h | 7 ++++++- + net/core/sock.c | 15 ++++++++++++--- + 2 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/include/net/sock.h b/include/net/sock.h +index c65baac40548a..26dd07e47a7c7 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1706,7 +1706,12 @@ void sk_common_release(struct sock *sk); + * Default socket callbacks and setup code + */ + +-/* Initialise core socket variables */ ++/* Initialise core socket variables using an explicit uid. */ ++void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid); ++ ++/* Initialise core socket variables. ++ * Assumes struct socket *sock is embedded in a struct socket_alloc. ++ */ + void sock_init_data(struct socket *sock, struct sock *sk); + + /* +diff --git a/net/core/sock.c b/net/core/sock.c +index 6cca1ebf904ae..7f6f1a0bf8a13 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2889,7 +2889,7 @@ void sk_stop_timer_sync(struct sock *sk, struct timer_list *timer) + } + EXPORT_SYMBOL(sk_stop_timer_sync); + +-void sock_init_data(struct socket *sock, struct sock *sk) ++void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid) + { + sk_init_common(sk); + sk->sk_send_head = NULL; +@@ -2908,11 +2908,10 @@ void sock_init_data(struct socket *sock, struct sock *sk) + sk->sk_type = sock->type; + RCU_INIT_POINTER(sk->sk_wq, &sock->wq); + sock->sk = sk; +- sk->sk_uid = SOCK_INODE(sock)->i_uid; + } else { + RCU_INIT_POINTER(sk->sk_wq, NULL); +- sk->sk_uid = make_kuid(sock_net(sk)->user_ns, 0); + } ++ sk->sk_uid = uid; + + rwlock_init(&sk->sk_callback_lock); + if (sk->sk_kern_sock) +@@ -2970,6 +2969,16 @@ void sock_init_data(struct socket *sock, struct sock *sk) + refcount_set(&sk->sk_refcnt, 1); + atomic_set(&sk->sk_drops, 0); + } ++EXPORT_SYMBOL(sock_init_data_uid); ++ ++void sock_init_data(struct socket *sock, struct sock *sk) ++{ ++ kuid_t uid = sock ? ++ SOCK_INODE(sock)->i_uid : ++ make_kuid(sock_net(sk)->user_ns, 0); ++ ++ sock_init_data_uid(sock, sk, uid); ++} + EXPORT_SYMBOL(sock_init_data); + + void lock_sock_nested(struct sock *sk, int subclass) +-- +2.39.2 + diff --git a/queue-5.4/net-bcmgenet-add-a-check-for-oversized-packets.patch b/queue-5.4/net-bcmgenet-add-a-check-for-oversized-packets.patch new file mode 100644 index 00000000000..271417acc1f --- /dev/null +++ b/queue-5.4/net-bcmgenet-add-a-check-for-oversized-packets.patch @@ -0,0 +1,43 @@ +From fcea3442a9f8b55554d090a4f58cefeacfd00bc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 16:08:19 -0800 +Subject: net: bcmgenet: Add a check for oversized packets + +From: Florian Fainelli + +[ Upstream commit 5c0862c2c962052ed5055220a00ac1cefb92fbcd ] + +Occasionnaly we may get oversized packets from the hardware which +exceed the nomimal 2KiB buffer size we allocate SKBs with. Add an early +check which drops the packet to avoid invoking skb_over_panic() and move +on to processing the next packet. + +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index e03e2bfcc6a10..1b725a021455b 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1823,6 +1823,14 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring, + __func__, p_index, ring->c_index, + ring->read_ptr, dma_length_status); + ++ if (unlikely(len > RX_BUF_LENGTH)) { ++ netif_err(priv, rx_status, dev, "oversized packet\n"); ++ dev->stats.rx_length_errors++; ++ dev->stats.rx_errors++; ++ dev_kfree_skb_any(skb); ++ goto next; ++ } ++ + if (unlikely(!(dma_flag & DMA_EOP) || !(dma_flag & DMA_SOP))) { + netif_err(priv, rx_status, dev, + "dropping fragmented packet!\n"); +-- +2.39.2 + diff --git a/queue-5.4/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch b/queue-5.4/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch new file mode 100644 index 00000000000..87665b9f992 --- /dev/null +++ b/queue-5.4/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch @@ -0,0 +1,38 @@ +From 07c9e03d77e9656954cb24abf226d5952db540db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 19:57:04 +0200 +Subject: net/mlx5: Enhance debug print in page allocation failure + +From: Jack Morgenstein + +[ Upstream commit 7eef93003e5d20e1a6a6e59e12d914b5431cbda2 ] + +Provide more details to aid debugging. + +Fixes: bf0bf77f6519 ("mlx5: Support communicating arbitrary host page size to firmware") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Majd Dibbiny +Signed-off-by: Jack Morgenstein +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c +index db76c92b75e29..7f7693b709d72 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c +@@ -167,7 +167,8 @@ static int alloc_4k(struct mlx5_core_dev *dev, u64 *addr) + fp = list_entry(dev->priv.free_list.next, struct fw_page, list); + n = find_first_bit(&fp->bitmask, 8 * sizeof(fp->bitmask)); + if (n >= MLX5_NUM_4K_IN_PAGE) { +- mlx5_core_warn(dev, "alloc 4k bug\n"); ++ mlx5_core_warn(dev, "alloc 4k bug: fw page = 0x%llx, n = %u, bitmask: %lu, max num of 4K pages: %d\n", ++ fp->addr, n, fp->bitmask, MLX5_NUM_4K_IN_PAGE); + return -ENOENT; + } + clear_bit(n, &fp->bitmask); +-- +2.39.2 + diff --git a/queue-5.4/net-mlx5-fw_tracer-fix-debug-print.patch b/queue-5.4/net-mlx5-fw_tracer-fix-debug-print.patch new file mode 100644 index 00000000000..15cfe1b3876 --- /dev/null +++ b/queue-5.4/net-mlx5-fw_tracer-fix-debug-print.patch @@ -0,0 +1,36 @@ +From 1c771b9df41fdf596234db815e34ca06787fc6f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 13:34:02 +0200 +Subject: net/mlx5: fw_tracer: Fix debug print + +From: Shay Drory + +[ Upstream commit 988c2352273997a242f15c4fc3711773515006a2 ] + +The debug message specify tdsn, but takes as an argument the +tmsn. The correct argument is tmsn, hence, fix the print. + +Signed-off-by: Shay Drory +Reviewed-by: Moshe Shemesh +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +index db9ecc3a8c67a..fcf5fef7c195d 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c +@@ -600,7 +600,7 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer, + } else { + cur_string = mlx5_tracer_message_get(tracer, tracer_event); + if (!cur_string) { +- pr_debug("%s Got string event for unknown string tdsm: %d\n", ++ pr_debug("%s Got string event for unknown string tmsn: %d\n", + __func__, tracer_event->string_event.tmsn); + return -1; + } +-- +2.39.2 + diff --git a/queue-5.4/net-wireless-delete-unnecessary-checks-before-the-ma.patch b/queue-5.4/net-wireless-delete-unnecessary-checks-before-the-ma.patch new file mode 100644 index 00000000000..03875ab4122 --- /dev/null +++ b/queue-5.4/net-wireless-delete-unnecessary-checks-before-the-ma.patch @@ -0,0 +1,128 @@ +From 18b996353273e1e9dc1dc303b809d29f9e57f0cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Aug 2019 10:20:10 +0200 +Subject: =?UTF-8?q?net/wireless:=20Delete=20unnecessary=20checks=20before?= + =?UTF-8?q?=20the=20macro=20call=20=E2=80=9Cdev=5Fkfree=5Fskb=E2=80=9D?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Markus Elfring + +[ Upstream commit 868ad21496020ef83d41fdeed3b0a63de2a3caa5 ] + +The dev_kfree_skb() function performs also input parameter validation. +Thus the test around the shown calls is not needed. + +This issue was detected by using the Coccinelle software. + +Signed-off-by: Markus Elfring +Signed-off-by: Kalle Valo +Stable-dep-of: 0c1528675d7a ("wifi: iwlegacy: common: don't call dev_kfree_skb() under spin_lock_irqsave()") +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/wmi.c | 4 +--- + drivers/net/wireless/intel/iwlegacy/3945-mac.c | 8 ++------ + drivers/net/wireless/intel/iwlegacy/common.c | 8 ++------ + drivers/net/wireless/mediatek/mt76/mt76x02_beacon.c | 5 +---- + drivers/net/wireless/st/cw1200/scan.c | 3 +-- + 5 files changed, 7 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c +index 796bd93c599b1..4adbe3ab9c870 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -9462,7 +9462,5 @@ void ath10k_wmi_detach(struct ath10k *ar) + } + + cancel_work_sync(&ar->svc_rdy_work); +- +- if (ar->svc_rdy_skb) +- dev_kfree_skb(ar->svc_rdy_skb); ++ dev_kfree_skb(ar->svc_rdy_skb); + } +diff --git a/drivers/net/wireless/intel/iwlegacy/3945-mac.c b/drivers/net/wireless/intel/iwlegacy/3945-mac.c +index e2e9c3e8fff51..206b43b9dff86 100644 +--- a/drivers/net/wireless/intel/iwlegacy/3945-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/3945-mac.c +@@ -2302,9 +2302,7 @@ __il3945_down(struct il_priv *il) + il3945_hw_txq_ctx_free(il); + exit: + memset(&il->card_alive, 0, sizeof(struct il_alive_resp)); +- +- if (il->beacon_skb) +- dev_kfree_skb(il->beacon_skb); ++ dev_kfree_skb(il->beacon_skb); + il->beacon_skb = NULL; + + /* clear out any free frames */ +@@ -3847,9 +3845,7 @@ il3945_pci_remove(struct pci_dev *pdev) + il_free_channel_map(il); + il_free_geos(il); + kfree(il->scan_cmd); +- if (il->beacon_skb) +- dev_kfree_skb(il->beacon_skb); +- ++ dev_kfree_skb(il->beacon_skb); + ieee80211_free_hw(il->hw); + } + +diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c +index 1107b96a8a880..525479f1bef7f 100644 +--- a/drivers/net/wireless/intel/iwlegacy/common.c ++++ b/drivers/net/wireless/intel/iwlegacy/common.c +@@ -5182,8 +5182,7 @@ il_mac_reset_tsf(struct ieee80211_hw *hw, struct ieee80211_vif *vif) + memset(&il->current_ht_config, 0, sizeof(struct il_ht_config)); + + /* new association get rid of ibss beacon skb */ +- if (il->beacon_skb) +- dev_kfree_skb(il->beacon_skb); ++ dev_kfree_skb(il->beacon_skb); + il->beacon_skb = NULL; + il->timestamp = 0; + +@@ -5302,10 +5301,7 @@ il_beacon_update(struct ieee80211_hw *hw, struct ieee80211_vif *vif) + } + + spin_lock_irqsave(&il->lock, flags); +- +- if (il->beacon_skb) +- dev_kfree_skb(il->beacon_skb); +- ++ dev_kfree_skb(il->beacon_skb); + il->beacon_skb = skb; + + timestamp = ((struct ieee80211_mgmt *)skb->data)->u.beacon.timestamp; +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_beacon.c b/drivers/net/wireless/mediatek/mt76/mt76x02_beacon.c +index 92305bd31aa1a..4209209ac940d 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_beacon.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_beacon.c +@@ -77,10 +77,7 @@ int mt76x02_mac_set_beacon(struct mt76x02_dev *dev, u8 vif_idx, + for (i = 0; i < ARRAY_SIZE(dev->beacons); i++) { + if (vif_idx == i) { + force_update = !!dev->beacons[i] ^ !!skb; +- +- if (dev->beacons[i]) +- dev_kfree_skb(dev->beacons[i]); +- ++ dev_kfree_skb(dev->beacons[i]); + dev->beacons[i] = skb; + __mt76x02_mac_set_beacon(dev, bcn_idx, skb); + } else if (force_update && dev->beacons[i]) { +diff --git a/drivers/net/wireless/st/cw1200/scan.c b/drivers/net/wireless/st/cw1200/scan.c +index c46b044b7f7be..988581cc134b7 100644 +--- a/drivers/net/wireless/st/cw1200/scan.c ++++ b/drivers/net/wireless/st/cw1200/scan.c +@@ -120,8 +120,7 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, + ++priv->scan.n_ssids; + } + +- if (frame.skb) +- dev_kfree_skb(frame.skb); ++ dev_kfree_skb(frame.skb); + mutex_unlock(&priv->conf_mutex); + queue_work(priv->workqueue, &priv->scan.work); + return 0; +-- +2.39.2 + diff --git a/queue-5.4/nfsd-fix-race-to-check-ls_layouts.patch b/queue-5.4/nfsd-fix-race-to-check-ls_layouts.patch new file mode 100644 index 00000000000..1b293d909a2 --- /dev/null +++ b/queue-5.4/nfsd-fix-race-to-check-ls_layouts.patch @@ -0,0 +1,46 @@ +From 0e9cf079735ba04ff4b65c4f0af2777b96321d4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 11:18:56 -0500 +Subject: nfsd: fix race to check ls_layouts + +From: Benjamin Coddington + +[ Upstream commit fb610c4dbc996415d57d7090957ecddd4fd64fb6 ] + +Its possible for __break_lease to find the layout's lease before we've +added the layout to the owner's ls_layouts list. In that case, setting +ls_recalled = true without actually recalling the layout will cause the +server to never send a recall callback. + +Move the check for ls_layouts before setting ls_recalled. + +Fixes: c5c707f96fc9 ("nfsd: implement pNFS layout recalls") +Signed-off-by: Benjamin Coddington +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4layouts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/nfsd/nfs4layouts.c b/fs/nfsd/nfs4layouts.c +index e12409eca7cc4..215362144aece 100644 +--- a/fs/nfsd/nfs4layouts.c ++++ b/fs/nfsd/nfs4layouts.c +@@ -322,11 +322,11 @@ nfsd4_recall_file_layout(struct nfs4_layout_stateid *ls) + if (ls->ls_recalled) + goto out_unlock; + +- ls->ls_recalled = true; +- atomic_inc(&ls->ls_stid.sc_file->fi_lo_recalls); + if (list_empty(&ls->ls_layouts)) + goto out_unlock; + ++ ls->ls_recalled = true; ++ atomic_inc(&ls->ls_stid.sc_file->fi_lo_recalls); + trace_nfsd_layout_recall(&ls->ls_stid.sc_stateid); + + refcount_inc(&ls->ls_stid.sc_count); +-- +2.39.2 + diff --git a/queue-5.4/nfsd-zero-out-pointers-after-putting-nfsd_files-on-c.patch b/queue-5.4/nfsd-zero-out-pointers-after-putting-nfsd_files-on-c.patch new file mode 100644 index 00000000000..83fd8f4af83 --- /dev/null +++ b/queue-5.4/nfsd-zero-out-pointers-after-putting-nfsd_files-on-c.patch @@ -0,0 +1,42 @@ +From f073369154d2883b32b0d452ea2e60d1b97904ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 14:38:30 -0500 +Subject: nfsd: zero out pointers after putting nfsd_files on COPY setup error + +From: Jeff Layton + +[ Upstream commit 1f0001d43d0c0ac2a19a34a914f6595ad97cbc1d ] + +At first, I thought this might be a source of nfsd_file overputs, but +the current callers seem to avoid an extra put when nfsd4_verify_copy +returns an error. + +Still, it's "bad form" to leave the pointers filled out when we don't +have a reference to them anymore, and that might lead to bugs later. +Zero them out as a defensive coding measure. + +Signed-off-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4proc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index 452ed633a2c76..bd7846758947b 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1059,8 +1059,10 @@ nfsd4_verify_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + return status; + out_put_dst: + nfsd_file_put(*dst); ++ *dst = NULL; + out_put_src: + nfsd_file_put(*src); ++ *src = NULL; + goto out; + } + +-- +2.39.2 + diff --git a/queue-5.4/opp-fix-error-checking-in-opp_migrate_dentry.patch b/queue-5.4/opp-fix-error-checking-in-opp_migrate_dentry.patch new file mode 100644 index 00000000000..2ad059bf780 --- /dev/null +++ b/queue-5.4/opp-fix-error-checking-in-opp_migrate_dentry.patch @@ -0,0 +1,38 @@ +From 2180e4f8fda20905b634bcbc68ce474e2acd8f60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 12:00:37 +0800 +Subject: OPP: fix error checking in opp_migrate_dentry() + +From: Qi Zheng + +[ Upstream commit eca4c0eea53432ec4b711b2a8ad282cbad231b4f ] + +Since commit ff9fb72bc077 ("debugfs: return error values, +not NULL") changed return value of debugfs_rename() in +error cases from %NULL to %ERR_PTR(-ERROR), we should +also check error values instead of NULL. + +Fixes: ff9fb72bc077 ("debugfs: return error values, not NULL") +Signed-off-by: Qi Zheng +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/opp/debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/opp/debugfs.c b/drivers/opp/debugfs.c +index 609665e339b6b..c7647410316e6 100644 +--- a/drivers/opp/debugfs.c ++++ b/drivers/opp/debugfs.c +@@ -162,7 +162,7 @@ static void opp_migrate_dentry(struct opp_device *opp_dev, + + dentry = debugfs_rename(rootdir, opp_dev->dentry, rootdir, + opp_table->dentry_name); +- if (!dentry) { ++ if (IS_ERR(dentry)) { + dev_err(dev, "%s: Failed to rename link from: %s to %s\n", + __func__, dev_name(opp_dev->dev), dev_name(dev)); + return; +-- +2.39.2 + diff --git a/queue-5.4/perf-llvm-fix-inadvertent-file-creation.patch b/queue-5.4/perf-llvm-fix-inadvertent-file-creation.patch new file mode 100644 index 00000000000..22a53654194 --- /dev/null +++ b/queue-5.4/perf-llvm-fix-inadvertent-file-creation.patch @@ -0,0 +1,91 @@ +From e9f49ddfd61e1a2237979d55c254e47f099aba45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jan 2023 00:26:09 -0800 +Subject: perf llvm: Fix inadvertent file creation + +From: Ian Rogers + +[ Upstream commit 9f19aab47ced012eddef1e2bc96007efc7713b61 ] + +The LLVM template is first echo-ed into command_out and then +command_out executed. The echo surrounds the template with double +quotes, however, the template itself may contain quotes. This is +generally innocuous but in tools/perf/tests/bpf-script-test-prologue.c +we see: +... +SEC("func=null_lseek file->f_mode offset orig") +... +where the first double quote ends the double quote of the echo, then +the > redirects output into a file called f_mode. + +To avoid this inadvertent behavior substitute redirects and similar +characters to be ASCII control codes, then substitute the output in +the echo back again. + +Fixes: 5eab5a7ee032acaa ("perf llvm: Display eBPF compiling command in debug output") +Signed-off-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Andrii Nakryiko +Cc: bpf@vger.kernel.org +Cc: Ingo Molnar +Cc: Jiri Olsa +Cc: llvm@lists.linux.dev +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: Peter Zijlstra +Cc: Tom Rix +Link: https://lore.kernel.org/r/20230105082609.344538-1-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/llvm-utils.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/llvm-utils.c b/tools/perf/util/llvm-utils.c +index e7c7e3232fc5a..b275a1b297c30 100644 +--- a/tools/perf/util/llvm-utils.c ++++ b/tools/perf/util/llvm-utils.c +@@ -523,14 +523,37 @@ int llvm__compile_bpf(const char *path, void **p_obj_buf, + + pr_debug("llvm compiling command template: %s\n", template); + ++ /* ++ * Below, substitute control characters for values that can cause the ++ * echo to misbehave, then substitute the values back. ++ */ + err = -ENOMEM; +- if (asprintf(&command_echo, "echo -n \"%s\"", template) < 0) ++ if (asprintf(&command_echo, "echo -n \a%s\a", template) < 0) + goto errout; + ++#define SWAP_CHAR(a, b) do { if (*p == a) *p = b; } while (0) ++ for (char *p = command_echo; *p; p++) { ++ SWAP_CHAR('<', '\001'); ++ SWAP_CHAR('>', '\002'); ++ SWAP_CHAR('"', '\003'); ++ SWAP_CHAR('\'', '\004'); ++ SWAP_CHAR('|', '\005'); ++ SWAP_CHAR('&', '\006'); ++ SWAP_CHAR('\a', '"'); ++ } + err = read_from_pipe(command_echo, (void **) &command_out, NULL); + if (err) + goto errout; + ++ for (char *p = command_out; *p; p++) { ++ SWAP_CHAR('\001', '<'); ++ SWAP_CHAR('\002', '>'); ++ SWAP_CHAR('\003', '"'); ++ SWAP_CHAR('\004', '\''); ++ SWAP_CHAR('\005', '|'); ++ SWAP_CHAR('\006', '&'); ++ } ++#undef SWAP_CHAR + pr_debug("llvm compiling command : %s\n", command_out); + + err = read_from_pipe(template, &obj_buf, &obj_buf_sz); +-- +2.39.2 + diff --git a/queue-5.4/perf-tools-fix-auto-complete-on-aarch64.patch b/queue-5.4/perf-tools-fix-auto-complete-on-aarch64.patch new file mode 100644 index 00000000000..9290d8054a5 --- /dev/null +++ b/queue-5.4/perf-tools-fix-auto-complete-on-aarch64.patch @@ -0,0 +1,72 @@ +From fb954d8e32daa2639514bbc52d829703eb83aad4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Feb 2023 11:50:57 +0800 +Subject: perf tools: Fix auto-complete on aarch64 + +From: Yicong Yang + +[ Upstream commit ffd1240e8f0814262ceb957dbe961f6e0aef1e7a ] + +On aarch64 CPU related events are not under event_source/devices/cpu/events, +they're under event_source/devices/armv8_pmuv3_0/events on my machine. +Using current auto-complete script will generate below error: + + [root@localhost bin]# perf stat -e + ls: cannot access '/sys/bus/event_source/devices/cpu/events': No such file or directory + +Fix this by not testing /sys/bus/event_source/devices/cpu/events on +aarch64 machine. + +Fixes: 74cd5815d9af6e6c ("perf tool: Improve bash command line auto-complete for multiple events with comma") +Reviewed-by: James Clark +Signed-off-by: Yicong Yang +Cc: Alexander Shishkin +Cc: Ingo Molnar +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Mark Rutland +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: linux-arm-kernel@lists.infradead.org +Cc: linuxarm@huawei.com +Cc: prime.zeng@hisilicon.com +Link: https://lore.kernel.org/r/20230207035057.43394-1-yangyicong@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/perf-completion.sh | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/tools/perf/perf-completion.sh b/tools/perf/perf-completion.sh +index fdf75d45efff7..978249d7868c2 100644 +--- a/tools/perf/perf-completion.sh ++++ b/tools/perf/perf-completion.sh +@@ -165,7 +165,12 @@ __perf_main () + + local cur1=${COMP_WORDS[COMP_CWORD]} + local raw_evts=$($cmd list --raw-dump) +- local arr s tmp result ++ local arr s tmp result cpu_evts ++ ++ # aarch64 doesn't have /sys/bus/event_source/devices/cpu/events ++ if [[ `uname -m` != aarch64 ]]; then ++ cpu_evts=$(ls /sys/bus/event_source/devices/cpu/events) ++ fi + + if [[ "$cur1" == */* && ${cur1#*/} =~ ^[A-Z] ]]; then + OLD_IFS="$IFS" +@@ -183,9 +188,9 @@ __perf_main () + fi + done + +- evts=${result}" "$(ls /sys/bus/event_source/devices/cpu/events) ++ evts=${result}" "${cpu_evts} + else +- evts=${raw_evts}" "$(ls /sys/bus/event_source/devices/cpu/events) ++ evts=${raw_evts}" "${cpu_evts} + fi + + if [[ "$cur1" == , ]]; then +-- +2.39.2 + diff --git a/queue-5.4/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch b/queue-5.4/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch new file mode 100644 index 00000000000..d5c66702256 --- /dev/null +++ b/queue-5.4/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch @@ -0,0 +1,53 @@ +From 69416a19a95706d5e8a42b80606a06f930dcaae9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Feb 2023 15:27:14 +0200 +Subject: pinctrl: at91: use devm_kasprintf() to avoid potential leaks + +From: Claudiu Beznea + +[ Upstream commit 1c4e5c470a56f7f7c649c0c70e603abc1eab15c4 ] + +Use devm_kasprintf() instead of kasprintf() to avoid any potential +leaks. At the moment drivers have no remove functionality thus +there is no need for fixes tag. + +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230203132714.1931596-1-claudiu.beznea@microchip.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91-pio4.c | 4 ++-- + drivers/pinctrl/pinctrl-at91.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c +index d6de4d360cd4f..4ee3fcc6c91fe 100644 +--- a/drivers/pinctrl/pinctrl-at91-pio4.c ++++ b/drivers/pinctrl/pinctrl-at91-pio4.c +@@ -1011,8 +1011,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev) + + pin_desc[i].number = i; + /* Pin naming convention: P(bank_name)(bank_pin_number). */ +- pin_desc[i].name = kasprintf(GFP_KERNEL, "P%c%d", +- bank + 'A', line); ++ pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d", ++ bank + 'A', line); + + group->name = group_names[i] = pin_desc[i].name; + group->pin = pin_desc[i].number; +diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c +index d6e7e9f0ddec2..39a55fd85b192 100644 +--- a/drivers/pinctrl/pinctrl-at91.c ++++ b/drivers/pinctrl/pinctrl-at91.c +@@ -1891,7 +1891,7 @@ static int at91_gpio_probe(struct platform_device *pdev) + } + + for (i = 0; i < chip->ngpio; i++) +- names[i] = kasprintf(GFP_KERNEL, "pio%c%d", alias_idx + 'A', i); ++ names[i] = devm_kasprintf(&pdev->dev, GFP_KERNEL, "pio%c%d", alias_idx + 'A', i); + + chip->names = (const char *const *)names; + +-- +2.39.2 + diff --git a/queue-5.4/pinctrl-stm32-fix-refcount-leak-in-stm32_pctrl_get_i.patch b/queue-5.4/pinctrl-stm32-fix-refcount-leak-in-stm32_pctrl_get_i.patch new file mode 100644 index 00000000000..7d66def379e --- /dev/null +++ b/queue-5.4/pinctrl-stm32-fix-refcount-leak-in-stm32_pctrl_get_i.patch @@ -0,0 +1,37 @@ +From dfea4b2e69b91068d75e3b8e6657b2f4cd327e11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 12:24:56 +0400 +Subject: pinctrl: stm32: Fix refcount leak in stm32_pctrl_get_irq_domain + +From: Miaoqian Lin + +[ Upstream commit dcef18c8ac40aa85bb339f64c1dd31dd458b06fb ] + +of_irq_find_parent() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: d86f4d71e42a ("pinctrl: stm32: check irq controller availability at probe") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20230102082503.3944927-1-linmq006@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/stm32/pinctrl-stm32.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c +index e8149ff1d401c..10595b43360bd 100644 +--- a/drivers/pinctrl/stm32/pinctrl-stm32.c ++++ b/drivers/pinctrl/stm32/pinctrl-stm32.c +@@ -1250,6 +1250,7 @@ static struct irq_domain *stm32_pctrl_get_irq_domain(struct device_node *np) + return ERR_PTR(-ENXIO); + + domain = irq_find_host(parent); ++ of_node_put(parent); + if (!domain) + /* domain not registered yet */ + return ERR_PTR(-EPROBE_DEFER); +-- +2.39.2 + diff --git a/queue-5.4/powercap-fix-possible-name-leak-in-powercap_register.patch b/queue-5.4/powercap-fix-possible-name-leak-in-powercap_register.patch new file mode 100644 index 00000000000..3b4e17aeb2d --- /dev/null +++ b/queue-5.4/powercap-fix-possible-name-leak-in-powercap_register.patch @@ -0,0 +1,60 @@ +From b342eea3378788de7d61746544b4fcb3c6753e1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jan 2023 20:57:26 +0800 +Subject: powercap: fix possible name leak in powercap_register_zone() + +From: Yang Yingliang + +[ Upstream commit 1b6599f741a4525ca761ecde46e5885ff1e6ba58 ] + +In the error path after calling dev_set_name(), the device +name is leaked. To fix this, calling dev_set_name() before +device_register(), and call put_device() if it returns error. + +All the resources is released in powercap_release(), so it +can return from powercap_register_zone() directly. + +Fixes: 75d2364ea0ca ("PowerCap: Add class driver") +Signed-off-by: Yang Yingliang +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/powercap/powercap_sys.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c +index 3f0b8e2ef3d46..7a3109a538813 100644 +--- a/drivers/powercap/powercap_sys.c ++++ b/drivers/powercap/powercap_sys.c +@@ -530,9 +530,6 @@ struct powercap_zone *powercap_register_zone( + power_zone->name = kstrdup(name, GFP_KERNEL); + if (!power_zone->name) + goto err_name_alloc; +- dev_set_name(&power_zone->dev, "%s:%x", +- dev_name(power_zone->dev.parent), +- power_zone->id); + power_zone->constraints = kcalloc(nr_constraints, + sizeof(*power_zone->constraints), + GFP_KERNEL); +@@ -555,9 +552,16 @@ struct powercap_zone *powercap_register_zone( + power_zone->dev_attr_groups[0] = &power_zone->dev_zone_attr_group; + power_zone->dev_attr_groups[1] = NULL; + power_zone->dev.groups = power_zone->dev_attr_groups; ++ dev_set_name(&power_zone->dev, "%s:%x", ++ dev_name(power_zone->dev.parent), ++ power_zone->id); + result = device_register(&power_zone->dev); +- if (result) +- goto err_dev_ret; ++ if (result) { ++ put_device(&power_zone->dev); ++ mutex_unlock(&control_type->lock); ++ ++ return ERR_PTR(result); ++ } + + control_type->nr_zones++; + mutex_unlock(&control_type->lock); +-- +2.39.2 + diff --git a/queue-5.4/powerpc-eeh-set-channel-state-after-notifying-the-dr.patch b/queue-5.4/powerpc-eeh-set-channel-state-after-notifying-the-dr.patch new file mode 100644 index 00000000000..0d9e05532bb --- /dev/null +++ b/queue-5.4/powerpc-eeh-set-channel-state-after-notifying-the-dr.patch @@ -0,0 +1,83 @@ +From 526c417da48eb033454759c4a3ac3fc9b4fe5e6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 16:26:49 +0530 +Subject: powerpc/eeh: Set channel state after notifying the drivers + +From: Ganesh Goudar + +[ Upstream commit 9efcdaac36e1643a1b7f5337e6143ce142d381b1 ] + +When a PCI error is encountered 6th time in an hour we +set the channel state to perm_failure and notify the +driver about the permanent failure. + +However, after upstream commit 38ddc011478e ("powerpc/eeh: +Make permanently failed devices non-actionable"), EEH handler +stops calling any routine once the device is marked as +permanent failure. This issue can lead to fatal consequences +like kernel hang with certain PCI devices. + +Following log is observed with lpfc driver, with and without +this change, Without this change kernel hangs, If PCI error +is encountered 6 times for a device in an hour. + +Without the change + + EEH: Beginning: 'error_detected(permanent failure)' + PCI 0132:60:00.0#600000: EEH: not actionable (1,1,1) + PCI 0132:60:00.1#600000: EEH: not actionable (1,1,1) + EEH: Finished:'error_detected(permanent failure)' + +With the change + + EEH: Beginning: 'error_detected(permanent failure)' + EEH: Invoking lpfc->error_detected(permanent failure) + EEH: lpfc driver reports: 'disconnect' + EEH: Invoking lpfc->error_detected(permanent failure) + EEH: lpfc driver reports: 'disconnect' + EEH: Finished:'error_detected(permanent failure)' + +To fix the issue, set channel state to permanent failure after +notifying the drivers. + +Fixes: 38ddc011478e ("powerpc/eeh: Make permanently failed devices non-actionable") +Suggested-by: Mahesh Salgaonkar +Signed-off-by: Ganesh Goudar +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230209105649.127707-1-ganeshgr@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_driver.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c +index ee12e335fed8f..68decc2bf42bc 100644 +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -1087,10 +1087,10 @@ void eeh_handle_normal_event(struct eeh_pe *pe) + eeh_slot_error_detail(pe, EEH_LOG_PERM); + + /* Notify all devices that they're about to go down. */ +- eeh_set_channel_state(pe, pci_channel_io_perm_failure); + eeh_set_irq_state(pe, false); + eeh_pe_report("error_detected(permanent failure)", pe, + eeh_report_failure, NULL); ++ eeh_set_channel_state(pe, pci_channel_io_perm_failure); + + /* Mark the PE to be removed permanently */ + eeh_pe_state_mark(pe, EEH_PE_REMOVED); +@@ -1207,10 +1207,10 @@ void eeh_handle_special_event(void) + + /* Notify all devices to be down */ + eeh_pe_state_clear(pe, EEH_PE_PRI_BUS, true); +- eeh_set_channel_state(pe, pci_channel_io_perm_failure); + eeh_pe_report( + "error_detected(permanent failure)", pe, + eeh_report_failure, NULL); ++ eeh_set_channel_state(pe, pci_channel_io_perm_failure); + + pci_lock_rescan_remove(); + list_for_each_entry(hose, &hose_list, list_node) { +-- +2.39.2 + diff --git a/queue-5.4/powerpc-eeh-small-refactor-of-eeh_handle_normal_even.patch b/queue-5.4/powerpc-eeh-small-refactor-of-eeh_handle_normal_even.patch new file mode 100644 index 00000000000..914b39a0ec9 --- /dev/null +++ b/queue-5.4/powerpc-eeh-small-refactor-of-eeh_handle_normal_even.patch @@ -0,0 +1,112 @@ +From 7f050d95705dae24a07692957aad1c988aa8ef4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 18:06:27 +1100 +Subject: powerpc/eeh: Small refactor of eeh_handle_normal_event() + +From: Daniel Axtens + +[ Upstream commit 10b34ece132ee46dc4e6459c765d180c422a09fa ] + +The control flow of eeh_handle_normal_event() is a bit tricky. + +Break out one of the error handling paths - rather than be in an else +block, we'll make it part of the regular body of the function and put a +'goto out;' in the true limb of the if. + +Signed-off-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211015070628.1331635-1-dja@axtens.net +Stable-dep-of: 9efcdaac36e1 ("powerpc/eeh: Set channel state after notifying the drivers") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_driver.c | 69 ++++++++++++++++---------------- + 1 file changed, 35 insertions(+), 34 deletions(-) + +diff --git a/arch/powerpc/kernel/eeh_driver.c b/arch/powerpc/kernel/eeh_driver.c +index 4fd7efdf2a53a..ee12e335fed8f 100644 +--- a/arch/powerpc/kernel/eeh_driver.c ++++ b/arch/powerpc/kernel/eeh_driver.c +@@ -1072,45 +1072,46 @@ void eeh_handle_normal_event(struct eeh_pe *pe) + } + + pr_info("EEH: Recovery successful.\n"); +- } else { +- /* +- * About 90% of all real-life EEH failures in the field +- * are due to poorly seated PCI cards. Only 10% or so are +- * due to actual, failed cards. +- */ +- pr_err("EEH: Unable to recover from failure from PHB#%x-PE#%x.\n" +- "Please try reseating or replacing it\n", +- pe->phb->global_number, pe->addr); ++ goto out; ++ } + +- eeh_slot_error_detail(pe, EEH_LOG_PERM); ++ /* ++ * About 90% of all real-life EEH failures in the field ++ * are due to poorly seated PCI cards. Only 10% or so are ++ * due to actual, failed cards. ++ */ ++ pr_err("EEH: Unable to recover from failure from PHB#%x-PE#%x.\n" ++ "Please try reseating or replacing it\n", ++ pe->phb->global_number, pe->addr); + +- /* Notify all devices that they're about to go down. */ +- eeh_set_channel_state(pe, pci_channel_io_perm_failure); +- eeh_set_irq_state(pe, false); +- eeh_pe_report("error_detected(permanent failure)", pe, +- eeh_report_failure, NULL); ++ eeh_slot_error_detail(pe, EEH_LOG_PERM); + +- /* Mark the PE to be removed permanently */ +- eeh_pe_state_mark(pe, EEH_PE_REMOVED); ++ /* Notify all devices that they're about to go down. */ ++ eeh_set_channel_state(pe, pci_channel_io_perm_failure); ++ eeh_set_irq_state(pe, false); ++ eeh_pe_report("error_detected(permanent failure)", pe, ++ eeh_report_failure, NULL); + +- /* +- * Shut down the device drivers for good. We mark +- * all removed devices correctly to avoid access +- * the their PCI config any more. +- */ +- if (pe->type & EEH_PE_VF) { +- eeh_pe_dev_traverse(pe, eeh_rmv_device, NULL); +- eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED); +- } else { +- eeh_pe_state_clear(pe, EEH_PE_PRI_BUS, true); +- eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED); ++ /* Mark the PE to be removed permanently */ ++ eeh_pe_state_mark(pe, EEH_PE_REMOVED); + +- pci_lock_rescan_remove(); +- pci_hp_remove_devices(bus); +- pci_unlock_rescan_remove(); +- /* The passed PE should no longer be used */ +- return; +- } ++ /* ++ * Shut down the device drivers for good. We mark ++ * all removed devices correctly to avoid access ++ * the their PCI config any more. ++ */ ++ if (pe->type & EEH_PE_VF) { ++ eeh_pe_dev_traverse(pe, eeh_rmv_device, NULL); ++ eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED); ++ } else { ++ eeh_pe_state_clear(pe, EEH_PE_PRI_BUS, true); ++ eeh_pe_dev_mode_mark(pe, EEH_DEV_REMOVED); ++ ++ pci_lock_rescan_remove(); ++ pci_hp_remove_devices(bus); ++ pci_unlock_rescan_remove(); ++ /* The passed PE should no longer be used */ ++ return; + } + + out: +-- +2.39.2 + diff --git a/queue-5.4/powerpc-powernv-ioda-skip-unallocated-resources-when.patch b/queue-5.4/powerpc-powernv-ioda-skip-unallocated-resources-when.patch new file mode 100644 index 00000000000..7c207c4fd27 --- /dev/null +++ b/queue-5.4/powerpc-powernv-ioda-skip-unallocated-resources-when.patch @@ -0,0 +1,93 @@ +From 7b4dfe94e5741356e92933d73ecf8698c4a7b010 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 10:32:15 +0100 +Subject: powerpc/powernv/ioda: Skip unallocated resources when mapping to PE + +From: Frederic Barrat + +[ Upstream commit e64e71056f323a1e178dccf04d4c0f032d84436c ] + +pnv_ioda_setup_pe_res() calls opal to map a resource with a PE. However, +the code assumes the resource is allocated and it uses the resource +address to find out the segment(s) which need to be mapped to the +PE. In the unlikely case where the resource hasn't been allocated, the +computation for the segment number is garbage, which can lead to +invalid memory access and potentially a kernel crash, such as: + +[ ] pci_bus 0002:02: Configuring PE for bus +[ ] pci 0002:02 : [PE# fc] Secondary bus 0x0000000000000002..0x0000000000000002 associated with PE#fc +[ ] BUG: Kernel NULL pointer dereference on write at 0x00000000 +[ ] Faulting instruction address: 0xc00000000005eac4 +[ ] Oops: Kernel access of bad area, sig: 7 [#1] +[ ] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV +[ ] Modules linked in: +[ ] CPU: 12 PID: 1 Comm: swapper/20 Not tainted 5.10.50-openpower1 #2 +[ ] NIP: c00000000005eac4 LR: c00000000005ea44 CTR: 0000000030061b9c +[ ] REGS: c000200007383650 TRAP: 0300 Not tainted (5.10.50-openpower1) +[ ] MSR: 9000000000009033 CR: 44000224 XER: 20040000 +[ ] CFAR: c00000000005eaa0 DAR: 0000000000000000 DSISR: 02080000 IRQMASK: 0 +[ ] GPR00: c00000000005dd98 c0002000073838e0 c00000000185de00 c000200fff018960 +[ ] GPR04: 00000000000000fc 0000000000000003 0000000000000000 0000000000000000 +[ ] GPR08: 0000000000000000 0000000000000000 0000000000000000 9000000000001033 +[ ] GPR12: 0000000031cb0000 c000000ffffe6a80 c000000000010a58 0000000000000000 +[ ] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ ] GPR20: 0000000000000000 0000000000000000 0000000000000000 c00000000711e200 +[ ] GPR24: 0000000000000100 c000200009501120 c00020000cee2800 00000000000003ff +[ ] GPR28: c000200fff018960 0000000000000000 c000200ffcb7fd00 0000000000000000 +[ ] NIP [c00000000005eac4] pnv_ioda_setup_pe_res+0x94/0x1a0 +[ ] LR [c00000000005ea44] pnv_ioda_setup_pe_res+0x14/0x1a0 +[ ] Call Trace: +[ ] [c0002000073838e0] [c00000000005eb98] pnv_ioda_setup_pe_res+0x168/0x1a0 (unreliable) +[ ] [c000200007383970] [c00000000005dd98] pnv_pci_ioda_dma_dev_setup+0x43c/0x970 +[ ] [c000200007383a60] [c000000000032cdc] pcibios_bus_add_device+0x78/0x18c +[ ] [c000200007383aa0] [c00000000028f2bc] pci_bus_add_device+0x28/0xbc +[ ] [c000200007383b10] [c00000000028f3a0] pci_bus_add_devices+0x50/0x7c +[ ] [c000200007383b50] [c00000000028f3c4] pci_bus_add_devices+0x74/0x7c +[ ] [c000200007383b90] [c00000000028f3c4] pci_bus_add_devices+0x74/0x7c +[ ] [c000200007383bd0] [c00000000069ad0c] pcibios_init+0xf0/0x104 +[ ] [c000200007383c50] [c0000000000106d8] do_one_initcall+0x84/0x1c4 +[ ] [c000200007383d20] [c0000000006910b8] kernel_init_freeable+0x264/0x268 +[ ] [c000200007383dc0] [c000000000010a68] kernel_init+0x18/0x138 +[ ] [c000200007383e20] [c00000000000cbfc] ret_from_kernel_thread+0x5c/0x80 +[ ] Instruction dump: +[ ] 7f89e840 409d000c 7fbbf840 409c000c 38210090 4848f448 809c002c e95e0120 +[ ] 7ba91764 38a00003 57a7043e 38c00000 <7c8a492e> 5484043e e87e0018 4bff23bd + +Hitting the problem is not that easy. It was seen with a (semi-bogus) +PCI device with a class code of 0. The generic PCI framework doesn't +allocate resources in such a case. + +The patch is simply skipping resources which are still flagged with +IORESOURCE_UNSET. + +We don't have the problem with 64-bit mem resources, as the address of +the resource is checked to be within the range of the 64-bit mmio +window. See pnv_ioda_reserve_dev_m64_pe() and pnv_pci_is_m64(). + +Reported-by: Andrew Jeffery +Fixes: 23e79425fe7c ("powerpc/powernv: Simplify pnv_ioda_setup_pe_seg()") +Signed-off-by: Frederic Barrat +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230120093215.19496-1-fbarrat@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c +index 058223233088e..df4457e743d33 100644 +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -3008,7 +3008,8 @@ static void pnv_ioda_setup_pe_res(struct pnv_ioda_pe *pe, + int index; + int64_t rc; + +- if (!res || !res->flags || res->start > res->end) ++ if (!res || !res->flags || res->start > res->end || ++ res->flags & IORESOURCE_UNSET) + return; + + if (res->flags & IORESOURCE_IO) { +-- +2.39.2 + diff --git a/queue-5.4/powerpc-pseries-lpar-add-missing-rtas-retry-status-h.patch b/queue-5.4/powerpc-pseries-lpar-add-missing-rtas-retry-status-h.patch new file mode 100644 index 00000000000..6448bd1991d --- /dev/null +++ b/queue-5.4/powerpc-pseries-lpar-add-missing-rtas-retry-status-h.patch @@ -0,0 +1,67 @@ +From 8c32b629b02dc7d97b4f1e808a729655a7e05ef7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 12:41:51 -0600 +Subject: powerpc/pseries/lpar: add missing RTAS retry status handling + +From: Nathan Lynch + +[ Upstream commit daa8ab59044610aa8ef2ee45a6c157b5e11635e9 ] + +The ibm,get-system-parameter RTAS function may return -2 or 990x, +which indicate that the caller should try again. + +pseries_lpar_read_hblkrm_characteristics() ignores this, making it +possible to incorrectly detect TLB block invalidation characteristics +at boot. + +Move the RTAS call into a coventional rtas_busy_delay()-based loop. + +Signed-off-by: Nathan Lynch +Fixes: 1211ee61b4a8 ("powerpc/pseries: Read TLB Block Invalidate Characteristics") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230125-b4-powerpc-rtas-queue-v3-3-26929c8cce78@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/lpar.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c +index c93b9a3bf237e..55af0e4cf355b 100644 +--- a/arch/powerpc/platforms/pseries/lpar.c ++++ b/arch/powerpc/platforms/pseries/lpar.c +@@ -1416,22 +1416,22 @@ static inline void __init check_lp_set_hblkrm(unsigned int lp, + + void __init pseries_lpar_read_hblkrm_characteristics(void) + { ++ const s32 token = rtas_token("ibm,get-system-parameter"); + unsigned char local_buffer[SPLPAR_TLB_BIC_MAXLENGTH]; + int call_status, len, idx, bpsize; + + if (!firmware_has_feature(FW_FEATURE_BLOCK_REMOVE)) + return; + +- spin_lock(&rtas_data_buf_lock); +- memset(rtas_data_buf, 0, RTAS_DATA_BUF_SIZE); +- call_status = rtas_call(rtas_token("ibm,get-system-parameter"), 3, 1, +- NULL, +- SPLPAR_TLB_BIC_TOKEN, +- __pa(rtas_data_buf), +- RTAS_DATA_BUF_SIZE); +- memcpy(local_buffer, rtas_data_buf, SPLPAR_TLB_BIC_MAXLENGTH); +- local_buffer[SPLPAR_TLB_BIC_MAXLENGTH - 1] = '\0'; +- spin_unlock(&rtas_data_buf_lock); ++ do { ++ spin_lock(&rtas_data_buf_lock); ++ memset(rtas_data_buf, 0, RTAS_DATA_BUF_SIZE); ++ call_status = rtas_call(token, 3, 1, NULL, SPLPAR_TLB_BIC_TOKEN, ++ __pa(rtas_data_buf), RTAS_DATA_BUF_SIZE); ++ memcpy(local_buffer, rtas_data_buf, SPLPAR_TLB_BIC_MAXLENGTH); ++ local_buffer[SPLPAR_TLB_BIC_MAXLENGTH - 1] = '\0'; ++ spin_unlock(&rtas_data_buf_lock); ++ } while (rtas_busy_delay(call_status)); + + if (call_status != 0) { + pr_warn("%s %s Error calling get-system-parameter (0x%x)\n", +-- +2.39.2 + diff --git a/queue-5.4/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch b/queue-5.4/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch new file mode 100644 index 00000000000..a3b0f2c2452 --- /dev/null +++ b/queue-5.4/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch @@ -0,0 +1,67 @@ +From 88073d11ff7960497f20530e366a99d747824911 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 12:41:52 -0600 +Subject: powerpc/pseries/lparcfg: add missing RTAS retry status handling + +From: Nathan Lynch + +[ Upstream commit 5d08633e5f6564b60f1cbe09af3af40a74d66431 ] + +The ibm,get-system-parameter RTAS function may return -2 or 990x, +which indicate that the caller should try again. + +lparcfg's parse_system_parameter_string() ignores this, making it +possible to intermittently report incorrect SPLPAR characteristics. + +Move the RTAS call into a coventional rtas_busy_delay()-based loop. + +Signed-off-by: Nathan Lynch +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230125-b4-powerpc-rtas-queue-v3-4-26929c8cce78@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/lparcfg.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c +index 38c306551f76b..e12cf62357f29 100644 +--- a/arch/powerpc/platforms/pseries/lparcfg.c ++++ b/arch/powerpc/platforms/pseries/lparcfg.c +@@ -289,6 +289,7 @@ static void parse_mpp_x_data(struct seq_file *m) + */ + static void parse_system_parameter_string(struct seq_file *m) + { ++ const s32 token = rtas_token("ibm,get-system-parameter"); + int call_status; + + unsigned char *local_buffer = kmalloc(SPLPAR_MAXLENGTH, GFP_KERNEL); +@@ -298,16 +299,15 @@ static void parse_system_parameter_string(struct seq_file *m) + return; + } + +- spin_lock(&rtas_data_buf_lock); +- memset(rtas_data_buf, 0, SPLPAR_MAXLENGTH); +- call_status = rtas_call(rtas_token("ibm,get-system-parameter"), 3, 1, +- NULL, +- SPLPAR_CHARACTERISTICS_TOKEN, +- __pa(rtas_data_buf), +- RTAS_DATA_BUF_SIZE); +- memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH); +- local_buffer[SPLPAR_MAXLENGTH - 1] = '\0'; +- spin_unlock(&rtas_data_buf_lock); ++ do { ++ spin_lock(&rtas_data_buf_lock); ++ memset(rtas_data_buf, 0, SPLPAR_MAXLENGTH); ++ call_status = rtas_call(token, 3, 1, NULL, SPLPAR_CHARACTERISTICS_TOKEN, ++ __pa(rtas_data_buf), RTAS_DATA_BUF_SIZE); ++ memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH); ++ local_buffer[SPLPAR_MAXLENGTH - 1] = '\0'; ++ spin_unlock(&rtas_data_buf_lock); ++ } while (rtas_busy_delay(call_status)); + + if (call_status != 0) { + printk(KERN_INFO +-- +2.39.2 + diff --git a/queue-5.4/powerpc-remove-linker-flag-from-kbuild_aflags.patch b/queue-5.4/powerpc-remove-linker-flag-from-kbuild_aflags.patch new file mode 100644 index 00000000000..4ed7d93608f --- /dev/null +++ b/queue-5.4/powerpc-remove-linker-flag-from-kbuild_aflags.patch @@ -0,0 +1,72 @@ +From 763ea133055d7cf354fd0ef598542e89568ea531 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 20:05:02 -0700 +Subject: powerpc: Remove linker flag from KBUILD_AFLAGS + +From: Nathan Chancellor + +[ Upstream commit 31f48f16264bc70962fb3e7ec62da64d0a2ba04a ] + +When clang's -Qunused-arguments is dropped from KBUILD_CPPFLAGS, it +points out that KBUILD_AFLAGS contains a linker flag, which will be +unused: + + clang: error: -Wl,-a32: 'linker' input unused [-Werror,-Wunused-command-line-argument] + +This was likely supposed to be '-Wa,-a$(BITS)'. However, this change is +unnecessary, as all supported versions of clang and gcc will pass '-a64' +or '-a32' to GNU as based on the value of '-m'; the behavior of the +latest stable release of the oldest supported major version of each +compiler is shown below and each compiler's latest release exhibits the +same behavior (GCC 12.2.0 and Clang 15.0.6). + + $ powerpc64-linux-gcc --version | head -1 + powerpc64-linux-gcc (GCC) 5.5.0 + + $ powerpc64-linux-gcc -m64 -### -x assembler-with-cpp -c -o /dev/null /dev/null &| grep 'as ' + .../as -a64 -mppc64 -many -mbig -o /dev/null /tmp/cctwuBzZ.s + + $ powerpc64-linux-gcc -m32 -### -x assembler-with-cpp -c -o /dev/null /dev/null &| grep 'as ' + .../as -a32 -mppc -many -mbig -o /dev/null /tmp/ccaZP4mF.sg + + $ clang --version | head -1 + Ubuntu clang version 11.1.0-++20211011094159+1fdec59bffc1-1~exp1~20211011214622.5 + + $ clang --target=powerpc64-linux-gnu -fno-integrated-as -m64 -### \ + -x assembler-with-cpp -c -o /dev/null /dev/null &| grep gnu-as + "/usr/bin/powerpc64-linux-gnu-as" "-a64" "-mppc64" "-many" "-o" "/dev/null" "/tmp/null-80267c.s" + + $ clang --target=powerpc64-linux-gnu -fno-integrated-as -m64 -### \ + -x assembler-with-cpp -c -o /dev/null /dev/null &| grep gnu-as + "/usr/bin/powerpc64-linux-gnu-as" "-a32" "-mppc" "-many" "-o" "/dev/null" "/tmp/null-ab8f8d.s" + +Remove this flag altogether to avoid future issues. + +Fixes: 1421dc6d4829 ("powerpc/kbuild: Use flags variables rather than overriding LD/CC/AS") +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Tested-by: Linux Kernel Functional Testing +Tested-by: Anders Roxell +Acked-by: Michael Ellerman +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + arch/powerpc/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/Makefile b/arch/powerpc/Makefile +index 95183a717eb67..6c32ea6dc7558 100644 +--- a/arch/powerpc/Makefile ++++ b/arch/powerpc/Makefile +@@ -93,7 +93,7 @@ aflags-$(CONFIG_CPU_LITTLE_ENDIAN) += -mlittle-endian + + ifeq ($(HAS_BIARCH),y) + KBUILD_CFLAGS += -m$(BITS) +-KBUILD_AFLAGS += -m$(BITS) -Wl,-a$(BITS) ++KBUILD_AFLAGS += -m$(BITS) + KBUILD_LDFLAGS += -m elf$(BITS)$(LDEMULATION) + endif + +-- +2.39.2 + diff --git a/queue-5.4/powerpc-rtas-ensure-4kb-alignment-for-rtas_data_buf.patch b/queue-5.4/powerpc-rtas-ensure-4kb-alignment-for-rtas_data_buf.patch new file mode 100644 index 00000000000..e0e3eea0e75 --- /dev/null +++ b/queue-5.4/powerpc-rtas-ensure-4kb-alignment-for-rtas_data_buf.patch @@ -0,0 +1,57 @@ +From 5a357133b1296460c0925aafce3cd1b19e8e5aba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 12:41:54 -0600 +Subject: powerpc/rtas: ensure 4KB alignment for rtas_data_buf + +From: Nathan Lynch + +[ Upstream commit 836b5b9fcc8e09cea7e8a59a070349a00e818308 ] + +Some RTAS functions that have work area parameters impose alignment +requirements on the work area passed to them by the OS. Examples +include: + +- ibm,configure-connector +- ibm,update-nodes +- ibm,update-properties + +4KB is the greatest alignment required by PAPR for such +buffers. rtas_data_buf used to have a __page_aligned attribute in the +arch/ppc64 days, but that was changed to __cacheline_aligned for +unknown reasons by commit 033ef338b6e0 ("powerpc: Merge rtas.c into +arch/powerpc/kernel"). That works out to 128-byte alignment +on ppc64, which isn't right. + +This was found by inspection and I'm not aware of any real problems +caused by this. Either current RTAS implementations don't enforce the +alignment constraints, or rtas_data_buf is always being placed at a +4KB boundary by accident (or both, perhaps). + +Use __aligned(SZ_4K) to ensure the rtas_data_buf has alignment +appropriate for all users. + +Signed-off-by: Nathan Lynch +Fixes: 033ef338b6e0 ("powerpc: Merge rtas.c into arch/powerpc/kernel") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230125-b4-powerpc-rtas-queue-v3-6-26929c8cce78@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/rtas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index 8e61984b368d1..ee810df7d522d 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -53,7 +53,7 @@ EXPORT_SYMBOL(rtas); + DEFINE_SPINLOCK(rtas_data_buf_lock); + EXPORT_SYMBOL_GPL(rtas_data_buf_lock); + +-char rtas_data_buf[RTAS_DATA_BUF_SIZE] __cacheline_aligned; ++char rtas_data_buf[RTAS_DATA_BUF_SIZE] __aligned(SZ_4K); + EXPORT_SYMBOL_GPL(rtas_data_buf); + + unsigned long rtas_rmo_buf; +-- +2.39.2 + diff --git a/queue-5.4/powerpc-rtas-make-all-exports-gpl.patch b/queue-5.4/powerpc-rtas-make-all-exports-gpl.patch new file mode 100644 index 00000000000..478514873e4 --- /dev/null +++ b/queue-5.4/powerpc-rtas-make-all-exports-gpl.patch @@ -0,0 +1,140 @@ +From 637d28b0ed60f591ada6ed5de8fdb065f50d2b54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 08:04:46 -0600 +Subject: powerpc/rtas: make all exports GPL + +From: Nathan Lynch + +[ Upstream commit 9bce6243848dfd0ff7c2be6e8d82ab9b1e6c7858 ] + +The first symbol exports of RTAS functions and data came with the (now +removed) scanlog driver in 2003: + +https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=f92e361842d5251e50562b09664082dcbd0548bb + +At the time this was applied, EXPORT_SYMBOL_GPL() was very new, and +the exports of rtas_call() etc have remained non-GPL. As new APIs have +been added to the RTAS subsystem, their symbol exports have followed +the convention set by existing code. + +However, the historical evidence is that RTAS function exports have been +added over time only to satisfy the needs of in-kernel users, and these +clients must have fairly intimate knowledge of how the APIs work to use +them safely. No out of tree users are known, and future ones seem +unlikely. + +Arguably the default for RTAS symbols should have become +EXPORT_SYMBOL_GPL once it was available. Let's make it so now, and +exceptions can be evaluated as needed. + +Signed-off-by: Nathan Lynch +Reviewed-by: Laurent Dufour +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230124140448.45938-3-nathanl@linux.ibm.com +Stable-dep-of: 836b5b9fcc8e ("powerpc/rtas: ensure 4KB alignment for rtas_data_buf") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/rtas.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c +index 139377f37b748..8e61984b368d1 100644 +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -51,10 +51,10 @@ struct rtas_t rtas = { + EXPORT_SYMBOL(rtas); + + DEFINE_SPINLOCK(rtas_data_buf_lock); +-EXPORT_SYMBOL(rtas_data_buf_lock); ++EXPORT_SYMBOL_GPL(rtas_data_buf_lock); + + char rtas_data_buf[RTAS_DATA_BUF_SIZE] __cacheline_aligned; +-EXPORT_SYMBOL(rtas_data_buf); ++EXPORT_SYMBOL_GPL(rtas_data_buf); + + unsigned long rtas_rmo_buf; + +@@ -63,7 +63,7 @@ unsigned long rtas_rmo_buf; + * This is done like this so rtas_flash can be a module. + */ + void (*rtas_flash_term_hook)(int); +-EXPORT_SYMBOL(rtas_flash_term_hook); ++EXPORT_SYMBOL_GPL(rtas_flash_term_hook); + + /* RTAS use home made raw locking instead of spin_lock_irqsave + * because those can be called from within really nasty contexts +@@ -311,7 +311,7 @@ void rtas_progress(char *s, unsigned short hex) + + spin_unlock(&progress_lock); + } +-EXPORT_SYMBOL(rtas_progress); /* needed by rtas_flash module */ ++EXPORT_SYMBOL_GPL(rtas_progress); /* needed by rtas_flash module */ + + int rtas_token(const char *service) + { +@@ -321,7 +321,7 @@ int rtas_token(const char *service) + tokp = of_get_property(rtas.dev, service, NULL); + return tokp ? be32_to_cpu(*tokp) : RTAS_UNKNOWN_SERVICE; + } +-EXPORT_SYMBOL(rtas_token); ++EXPORT_SYMBOL_GPL(rtas_token); + + int rtas_service_present(const char *service) + { +@@ -481,7 +481,7 @@ int rtas_call(int token, int nargs, int nret, int *outputs, ...) + } + return ret; + } +-EXPORT_SYMBOL(rtas_call); ++EXPORT_SYMBOL_GPL(rtas_call); + + /* For RTAS_BUSY (-2), delay for 1 millisecond. For an extended busy status + * code of 990n, perform the hinted delay of 10^n (last digit) milliseconds. +@@ -516,7 +516,7 @@ unsigned int rtas_busy_delay(int status) + + return ms; + } +-EXPORT_SYMBOL(rtas_busy_delay); ++EXPORT_SYMBOL_GPL(rtas_busy_delay); + + static int rtas_error_rc(int rtas_rc) + { +@@ -562,7 +562,7 @@ int rtas_get_power_level(int powerdomain, int *level) + return rtas_error_rc(rc); + return rc; + } +-EXPORT_SYMBOL(rtas_get_power_level); ++EXPORT_SYMBOL_GPL(rtas_get_power_level); + + int rtas_set_power_level(int powerdomain, int level, int *setlevel) + { +@@ -580,7 +580,7 @@ int rtas_set_power_level(int powerdomain, int level, int *setlevel) + return rtas_error_rc(rc); + return rc; + } +-EXPORT_SYMBOL(rtas_set_power_level); ++EXPORT_SYMBOL_GPL(rtas_set_power_level); + + int rtas_get_sensor(int sensor, int index, int *state) + { +@@ -598,7 +598,7 @@ int rtas_get_sensor(int sensor, int index, int *state) + return rtas_error_rc(rc); + return rc; + } +-EXPORT_SYMBOL(rtas_get_sensor); ++EXPORT_SYMBOL_GPL(rtas_get_sensor); + + int rtas_get_sensor_fast(int sensor, int index, int *state) + { +@@ -659,7 +659,7 @@ int rtas_set_indicator(int indicator, int index, int new_value) + return rtas_error_rc(rc); + return rc; + } +-EXPORT_SYMBOL(rtas_set_indicator); ++EXPORT_SYMBOL_GPL(rtas_set_indicator); + + /* + * Ignoring RTAS extended delay +-- +2.39.2 + diff --git a/queue-5.4/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch b/queue-5.4/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch new file mode 100644 index 00000000000..09163a114e8 --- /dev/null +++ b/queue-5.4/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch @@ -0,0 +1,43 @@ +From 09a771582500cc1102499abd2a823722dd76ba39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Dec 2022 15:55:48 -0800 +Subject: rcu: Suppress smp_processor_id() complaint in + synchronize_rcu_expedited_wait() + +From: Paul E. McKenney + +[ Upstream commit 2d7f00b2f01301d6e41fd4a28030dab0442265be ] + +The normal grace period's RCU CPU stall warnings are invoked from the +scheduling-clock interrupt handler, and can thus invoke smp_processor_id() +with impunity, which allows them to directly invoke dump_cpu_task(). +In contrast, the expedited grace period's RCU CPU stall warnings are +invoked from process context, which causes the dump_cpu_task() function's +calls to smp_processor_id() to complain bitterly in debug kernels. + +This commit therefore causes synchronize_rcu_expedited_wait() to disable +preemption around its call to dump_cpu_task(). + +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_exp.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h +index 173e3ce607900..eca3df7f041c5 100644 +--- a/kernel/rcu/tree_exp.h ++++ b/kernel/rcu/tree_exp.h +@@ -523,7 +523,9 @@ static void synchronize_sched_expedited_wait(void) + mask = leaf_node_cpu_bit(rnp, cpu); + if (!(READ_ONCE(rnp->expmask) & mask)) + continue; ++ preempt_disable(); // For smp_processor_id() in dump_cpu_task(). + dump_cpu_task(cpu); ++ preempt_enable(); + } + } + jiffies_stall = 3 * rcu_jiffies_till_stall_check() + 3; +-- +2.39.2 + diff --git a/queue-5.4/rds-rds_rm_zerocopy_callback-correct-order-for-list_.patch b/queue-5.4/rds-rds_rm_zerocopy_callback-correct-order-for-list_.patch new file mode 100644 index 00000000000..032550dd56e --- /dev/null +++ b/queue-5.4/rds-rds_rm_zerocopy_callback-correct-order-for-list_.patch @@ -0,0 +1,38 @@ +From 783c59a4933ff9d2e38521cc787ca9ff00c7f07b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 12:26:23 +0000 +Subject: rds: rds_rm_zerocopy_callback() correct order for list_add_tail() + +From: Pietro Borrello + +[ Upstream commit 68762148d1b011d47bc2ceed7321739b5aea1e63 ] + +rds_rm_zerocopy_callback() uses list_add_tail() with swapped +arguments. This links the list head with the new entry, losing +the references to the remaining part of the list. + +Fixes: 9426bbc6de99 ("rds: use list structure to track information for zerocopy completion notification") +Suggested-by: Paolo Abeni +Signed-off-by: Pietro Borrello +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rds/message.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rds/message.c b/net/rds/message.c +index be6a0a073b12a..75043742d243c 100644 +--- a/net/rds/message.c ++++ b/net/rds/message.c +@@ -118,7 +118,7 @@ static void rds_rm_zerocopy_callback(struct rds_sock *rs, + ck = &info->zcookies; + memset(ck, 0, sizeof(*ck)); + WARN_ON(!rds_zcookie_add(info, cookie)); +- list_add_tail(&q->zcookie_head, &info->rs_zcookie_next); ++ list_add_tail(&info->rs_zcookie_next, &q->zcookie_head); + + spin_unlock_irqrestore(&q->lock, flags); + /* caller invokes rds_wake_sk_sleep() */ +-- +2.39.2 + diff --git a/queue-5.4/regulator-max77802-bounds-check-regulator-id-against.patch b/queue-5.4/regulator-max77802-bounds-check-regulator-id-against.patch new file mode 100644 index 00000000000..801aa9febd8 --- /dev/null +++ b/queue-5.4/regulator-max77802-bounds-check-regulator-id-against.patch @@ -0,0 +1,137 @@ +From 50b5d8eef32840e0f3530bdca3ec3c4b881be61f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 14:52:07 -0800 +Subject: regulator: max77802: Bounds check regulator id against opmode + +From: Kees Cook + +[ Upstream commit 4fd8bcec5fd7c0d586206fa2f42bd67b06cdaa7e ] + +Explicitly bounds-check the id before accessing the opmode array. Seen +with GCC 13: + +../drivers/regulator/max77802-regulator.c: In function 'max77802_enable': +../drivers/regulator/max77802-regulator.c:217:29: warning: array subscript [0, 41] is outside array bounds of 'unsigned int[42]' [-Warray-bounds=] + 217 | if (max77802->opmode[id] == MAX77802_OFF_PWRREQ) + | ~~~~~~~~~~~~~~~~^~~~ +../drivers/regulator/max77802-regulator.c:62:22: note: while referencing 'opmode' + 62 | unsigned int opmode[MAX77802_REG_MAX]; + | ^~~~~~ + +Cc: Javier Martinez Canillas +Cc: Liam Girdwood +Cc: Mark Brown +Signed-off-by: Kees Cook +Acked-by: Javier Martinez Canillas +Link: https://lore.kernel.org/r/20230127225203.never.864-kees@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/max77802-regulator.c | 34 ++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/regulator/max77802-regulator.c b/drivers/regulator/max77802-regulator.c +index 7b8ec8c0bd151..660e179a82a2c 100644 +--- a/drivers/regulator/max77802-regulator.c ++++ b/drivers/regulator/max77802-regulator.c +@@ -95,9 +95,11 @@ static int max77802_set_suspend_disable(struct regulator_dev *rdev) + { + unsigned int val = MAX77802_OFF_PWRREQ; + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + int shift = max77802_get_opmode_shift(id); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; + max77802->opmode[id] = val; + return regmap_update_bits(rdev->regmap, rdev->desc->enable_reg, + rdev->desc->enable_mask, val << shift); +@@ -111,7 +113,7 @@ static int max77802_set_suspend_disable(struct regulator_dev *rdev) + static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + unsigned int val; + int shift = max77802_get_opmode_shift(id); + +@@ -128,6 +130,9 @@ static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode) + return -EINVAL; + } + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; ++ + max77802->opmode[id] = val; + return regmap_update_bits(rdev->regmap, rdev->desc->enable_reg, + rdev->desc->enable_mask, val << shift); +@@ -136,8 +141,10 @@ static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode) + static unsigned max77802_get_mode(struct regulator_dev *rdev) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; + return max77802_map_mode(max77802->opmode[id]); + } + +@@ -161,10 +168,13 @@ static int max77802_set_suspend_mode(struct regulator_dev *rdev, + unsigned int mode) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + unsigned int val; + int shift = max77802_get_opmode_shift(id); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; ++ + /* + * If the regulator has been disabled for suspend + * then is invalid to try setting a suspend mode. +@@ -210,9 +220,11 @@ static int max77802_set_suspend_mode(struct regulator_dev *rdev, + static int max77802_enable(struct regulator_dev *rdev) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + int shift = max77802_get_opmode_shift(id); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; + if (max77802->opmode[id] == MAX77802_OFF_PWRREQ) + max77802->opmode[id] = MAX77802_OPMODE_NORMAL; + +@@ -541,7 +553,7 @@ static int max77802_pmic_probe(struct platform_device *pdev) + + for (i = 0; i < MAX77802_REG_MAX; i++) { + struct regulator_dev *rdev; +- int id = regulators[i].id; ++ unsigned int id = regulators[i].id; + int shift = max77802_get_opmode_shift(id); + int ret; + +@@ -559,10 +571,12 @@ static int max77802_pmic_probe(struct platform_device *pdev) + * the hardware reports OFF as the regulator operating mode. + * Default to operating mode NORMAL in that case. + */ +- if (val == MAX77802_STATUS_OFF) +- max77802->opmode[id] = MAX77802_OPMODE_NORMAL; +- else +- max77802->opmode[id] = val; ++ if (id < ARRAY_SIZE(max77802->opmode)) { ++ if (val == MAX77802_STATUS_OFF) ++ max77802->opmode[id] = MAX77802_OPMODE_NORMAL; ++ else ++ max77802->opmode[id] = val; ++ } + + rdev = devm_regulator_register(&pdev->dev, + ®ulators[i], &config); +-- +2.39.2 + diff --git a/queue-5.4/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch b/queue-5.4/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch new file mode 100644 index 00000000000..12fe8893dae --- /dev/null +++ b/queue-5.4/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch @@ -0,0 +1,55 @@ +From 866c1679a8c200a9f2759be736123935b7a31b83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 16:53:58 -0800 +Subject: regulator: s5m8767: Bounds check id indexing into arrays + +From: Kees Cook + +[ Upstream commit e314e15a0b58f9d051c00b25951073bcdae61953 ] + +The compiler has no way to know if "id" is within the array bounds of +the regulators array. Add a check for this and a build-time check that +the regulators and reg_voltage_map arrays are sized the same. Seen with +GCC 13: + +../drivers/regulator/s5m8767.c: In function 's5m8767_pmic_probe': +../drivers/regulator/s5m8767.c:936:35: warning: array subscript [0, 36] is outside array bounds of 'struct regulator_desc[37]' [-Warray-bounds=] + 936 | regulators[id].vsel_reg = + | ~~~~~~~~~~^~~~ + +Cc: Krzysztof Kozlowski +Cc: Liam Girdwood +Cc: Mark Brown +Cc: linux-samsung-soc@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230128005358.never.313-kees@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/s5m8767.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/s5m8767.c b/drivers/regulator/s5m8767.c +index 1e9f03a2ea1cc..7ff480810cfa2 100644 +--- a/drivers/regulator/s5m8767.c ++++ b/drivers/regulator/s5m8767.c +@@ -924,10 +924,14 @@ static int s5m8767_pmic_probe(struct platform_device *pdev) + + for (i = 0; i < pdata->num_regulators; i++) { + const struct sec_voltage_desc *desc; +- int id = pdata->regulators[i].id; ++ unsigned int id = pdata->regulators[i].id; + int enable_reg, enable_val; + struct regulator_dev *rdev; + ++ BUILD_BUG_ON(ARRAY_SIZE(regulators) != ARRAY_SIZE(reg_voltage_map)); ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(regulators))) ++ continue; ++ + desc = reg_voltage_map[id]; + if (desc) { + regulators[id].n_voltages = +-- +2.39.2 + diff --git a/queue-5.4/remoteproc-qcom_q6v5_mss-use-a-carveout-to-authentic.patch b/queue-5.4/remoteproc-qcom_q6v5_mss-use-a-carveout-to-authentic.patch new file mode 100644 index 00000000000..9a4ef8a19c2 --- /dev/null +++ b/queue-5.4/remoteproc-qcom_q6v5_mss-use-a-carveout-to-authentic.patch @@ -0,0 +1,139 @@ +From 7552c91143423383b31170fd02066b94a7a3fbe5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 14:28:35 +0530 +Subject: remoteproc: qcom_q6v5_mss: Use a carveout to authenticate modem + headers + +From: Sibi Sankar + +[ Upstream commit 57f72170a2b2a362c35bb9407fc844eac5afdec1 ] + +Any access to the dynamically allocated metadata region by the application +processor after assigning it to the remote Q6 will result in a XPU +violation. Fix this by replacing the dynamically allocated memory region +with a no-map carveout and unmap the modem metadata memory region before +passing control to the remote Q6. + +Reported-and-tested-by: Amit Pundir +Fixes: 6c5a9dc2481b ("remoteproc: qcom: Make secure world call for mem ownership switch") +Signed-off-by: Sibi Sankar +Reviewed-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230117085840.32356-7-quic_sibis@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/qcom_q6v5_mss.c | 59 +++++++++++++++++++++++++++--- + 1 file changed, 53 insertions(+), 6 deletions(-) + +diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c +index 5e54e6f5edb1a..49faa90da93f6 100644 +--- a/drivers/remoteproc/qcom_q6v5_mss.c ++++ b/drivers/remoteproc/qcom_q6v5_mss.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -175,6 +176,9 @@ struct q6v5 { + void *mba_region; + size_t mba_size; + ++ phys_addr_t mdata_phys; ++ size_t mdata_size; ++ + phys_addr_t mpss_phys; + phys_addr_t mpss_reloc; + void *mpss_region; +@@ -679,15 +683,35 @@ static int q6v5_mpss_init_image(struct q6v5 *qproc, const struct firmware *fw) + if (IS_ERR(metadata)) + return PTR_ERR(metadata); + +- ptr = dma_alloc_attrs(qproc->dev, size, &phys, GFP_KERNEL, dma_attrs); +- if (!ptr) { +- kfree(metadata); +- dev_err(qproc->dev, "failed to allocate mdt buffer\n"); +- return -ENOMEM; ++ if (qproc->mdata_phys) { ++ if (size > qproc->mdata_size) { ++ ret = -EINVAL; ++ dev_err(qproc->dev, "metadata size outside memory range\n"); ++ goto free_metadata; ++ } ++ ++ phys = qproc->mdata_phys; ++ ptr = memremap(qproc->mdata_phys, size, MEMREMAP_WC); ++ if (!ptr) { ++ ret = -EBUSY; ++ dev_err(qproc->dev, "unable to map memory region: %pa+%zx\n", ++ &qproc->mdata_phys, size); ++ goto free_metadata; ++ } ++ } else { ++ ptr = dma_alloc_attrs(qproc->dev, size, &phys, GFP_KERNEL, dma_attrs); ++ if (!ptr) { ++ ret = -ENOMEM; ++ dev_err(qproc->dev, "failed to allocate mdt buffer\n"); ++ goto free_metadata; ++ } + } + + memcpy(ptr, metadata, size); + ++ if (qproc->mdata_phys) ++ memunmap(ptr); ++ + /* Hypervisor mapping to access metadata by modem */ + mdata_perm = BIT(QCOM_SCM_VMID_HLOS); + ret = q6v5_xfer_mem_ownership(qproc, &mdata_perm, true, phys, size); +@@ -714,7 +738,9 @@ static int q6v5_mpss_init_image(struct q6v5 *qproc, const struct firmware *fw) + "mdt buffer not reclaimed system may become unstable\n"); + + free_dma_attrs: +- dma_free_attrs(qproc->dev, size, ptr, phys, dma_attrs); ++ if (!qproc->mdata_phys) ++ dma_free_attrs(qproc->dev, size, ptr, phys, dma_attrs); ++free_metadata: + kfree(metadata); + + return ret < 0 ? ret : 0; +@@ -1383,6 +1409,7 @@ static int q6v5_init_reset(struct q6v5 *qproc) + static int q6v5_alloc_memory_region(struct q6v5 *qproc) + { + struct device_node *child; ++ struct reserved_mem *rmem; + struct device_node *node; + struct resource r; + int ret; +@@ -1417,6 +1444,26 @@ static int q6v5_alloc_memory_region(struct q6v5 *qproc) + qproc->mpss_phys = qproc->mpss_reloc = r.start; + qproc->mpss_size = resource_size(&r); + ++ if (!child) { ++ node = of_parse_phandle(qproc->dev->of_node, "memory-region", 2); ++ } else { ++ child = of_get_child_by_name(qproc->dev->of_node, "metadata"); ++ node = of_parse_phandle(child, "memory-region", 0); ++ of_node_put(child); ++ } ++ ++ if (!node) ++ return 0; ++ ++ rmem = of_reserved_mem_lookup(node); ++ if (!rmem) { ++ dev_err(qproc->dev, "unable to resolve metadata region\n"); ++ return -EINVAL; ++ } ++ ++ qproc->mdata_phys = rmem->base; ++ qproc->mdata_size = rmem->size; ++ + return 0; + } + +-- +2.39.2 + diff --git a/queue-5.4/revert-scsi-core-run-queue-if-scsi-device-queue-isn-.patch b/queue-5.4/revert-scsi-core-run-queue-if-scsi-device-queue-isn-.patch new file mode 100644 index 00000000000..03bbc7855c8 --- /dev/null +++ b/queue-5.4/revert-scsi-core-run-queue-if-scsi-device-queue-isn-.patch @@ -0,0 +1,54 @@ +From d2198d382957711e482ae33ac1ab2130dc1e0e2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Apr 2020 09:24:54 -0700 +Subject: Revert "scsi: core: run queue if SCSI device queue isn't ready and + queue is idle" + +From: Douglas Anderson + +[ Upstream commit b4fd63f42647110c963d4bfcd526ac48f5a5faff ] + +This reverts commit 7e70aa789d4a0c89dbfbd2c8a974a4df717475ec. + +Now that we have the patches ("blk-mq: In blk_mq_dispatch_rq_list() +"no budget" is a reason to kick") and ("blk-mq: Rerun dispatching in +the case of budget contention") we should no longer need the fix in +the SCSI code. Revert it, resolving conflicts with other patches that +have touched this code. + +With this revert (and the two new patches) I can run the script that +was in commit 7e70aa789d4a ("scsi: core: run queue if SCSI device +queue isn't ready and queue is idle") in a loop with no failure. If I +do this revert without the two new patches I can easily get a failure. + +Signed-off-by: Douglas Anderson +Reviewed-by: Ming Lei +Acked-by: Martin K. Petersen +Signed-off-by: Jens Axboe +Stable-dep-of: c31e76bcc379 ("blk-mq: remove stale comment for blk_mq_sched_mark_restart_hctx") +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_lib.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c +index 98e363d0025b4..490d6c72d8bd6 100644 +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -1645,12 +1645,7 @@ static bool scsi_mq_get_budget(struct blk_mq_hw_ctx *hctx) + struct request_queue *q = hctx->queue; + struct scsi_device *sdev = q->queuedata; + +- if (scsi_dev_queue_ready(q, sdev)) +- return true; +- +- if (atomic_read(&sdev->device_busy) == 0 && !scsi_device_blocked(sdev)) +- blk_mq_delay_run_hw_queue(hctx, SCSI_QUEUE_DELAY); +- return false; ++ return scsi_dev_queue_ready(q, sdev); + } + + static blk_status_t scsi_queue_rq(struct blk_mq_hw_ctx *hctx, +-- +2.39.2 + diff --git a/queue-5.4/risc-v-time-initialize-hrtimer-based-broadcast-clock.patch b/queue-5.4/risc-v-time-initialize-hrtimer-based-broadcast-clock.patch new file mode 100644 index 00000000000..95ea380788d --- /dev/null +++ b/queue-5.4/risc-v-time-initialize-hrtimer-based-broadcast-clock.patch @@ -0,0 +1,63 @@ +From 9e647799c930944cde33231596e76b2f9a2e314d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Jan 2023 19:41:00 +0530 +Subject: RISC-V: time: initialize hrtimer based broadcast clock event device + +From: Conor Dooley + +[ Upstream commit 8b3b8fbb4896984b5564789a42240e4b3caddb61 ] + +Similarly to commit 022eb8ae8b5e ("ARM: 8938/1: kernel: initialize +broadcast hrtimer based clock event device"), RISC-V needs to initiate +hrtimer based broadcast clock event device before C3STOP can be used. +Otherwise, the introduction of C3STOP for the RISC-V arch timer in +commit 232ccac1bd9b ("clocksource/drivers/riscv: Events are stopped +during CPU suspend") leaves us without any broadcast timer registered. +This prevents the kernel from entering oneshot mode, which breaks timer +behaviour, for example clock_nanosleep(). + +A test app that sleeps each cpu for 6, 5, 4, 3 ms respectively, HZ=250 +& C3STOP enabled, the sleep times are rounded up to the next jiffy: +== CPU: 1 == == CPU: 2 == == CPU: 3 == == CPU: 4 == +Mean: 7.974992 Mean: 7.976534 Mean: 7.962591 Mean: 3.952179 +Std Dev: 0.154374 Std Dev: 0.156082 Std Dev: 0.171018 Std Dev: 0.076193 +Hi: 9.472000 Hi: 10.495000 Hi: 8.864000 Hi: 4.736000 +Lo: 6.087000 Lo: 6.380000 Lo: 4.872000 Lo: 3.403000 +Samples: 521 Samples: 521 Samples: 521 Samples: 521 + +Link: https://lore.kernel.org/linux-riscv/YzYTNQRxLr7Q9JR0@spud/ +Fixes: 232ccac1bd9b ("clocksource/drivers/riscv: Events are stopped during CPU suspend") +Suggested-by: Samuel Holland +Signed-off-by: Conor Dooley +Signed-off-by: Anup Patel +Reviewed-by: Samuel Holland +Acked-by: Palmer Dabbelt +Link: https://lore.kernel.org/r/20230103141102.772228-2-apatel@ventanamicro.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + arch/riscv/kernel/time.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/riscv/kernel/time.c b/arch/riscv/kernel/time.c +index 8aa70b519e04f..726860a490f36 100644 +--- a/arch/riscv/kernel/time.c ++++ b/arch/riscv/kernel/time.c +@@ -5,6 +5,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -28,4 +29,6 @@ void __init time_init(void) + + of_clk_init(NULL); + timer_probe(); ++ ++ tick_setup_hrtimer_broadcast(); + } +-- +2.39.2 + diff --git a/queue-5.4/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch b/queue-5.4/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch new file mode 100644 index 00000000000..185cc1d04a0 --- /dev/null +++ b/queue-5.4/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch @@ -0,0 +1,38 @@ +From c2d1570b86b6c63d3f5f74263a164b6d16217509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 15:42:31 -0800 +Subject: rpmsg: glink: Avoid infinite loop on intent for missing channel + +From: Bjorn Andersson + +[ Upstream commit 3e74ec2f39362bffbd42854acbb67c7f4cb808f9 ] + +In the event that an intent advertisement arrives on an unknown channel +the fifo is not advanced, resulting in the same message being handled +over and over. + +Fixes: dacbb35e930f ("rpmsg: glink: Receive and store the remote intent buffers") +Signed-off-by: Bjorn Andersson +Reviewed-by: Chris Lew +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230214234231.2069751-1-quic_bjorande@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_glink_native.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c +index b240830a0aab0..11ba44dc551e4 100644 +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -929,6 +929,7 @@ static void qcom_glink_handle_intent(struct qcom_glink *glink, + spin_unlock_irqrestore(&glink->idr_lock, flags); + if (!channel) { + dev_err(glink->dev, "intents for non-existing channel\n"); ++ qcom_glink_rx_advance(glink, ALIGN(msglen, 8)); + return; + } + +-- +2.39.2 + diff --git a/queue-5.4/rtlwifi-fix-wpointer-sign-warning.patch b/queue-5.4/rtlwifi-fix-wpointer-sign-warning.patch new file mode 100644 index 00000000000..57e5dad916f --- /dev/null +++ b/queue-5.4/rtlwifi-fix-wpointer-sign-warning.patch @@ -0,0 +1,232 @@ +From 0169416a6252bfb793f508dffcb08d18fc1e6563 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Oct 2020 22:29:53 +0100 +Subject: rtlwifi: fix -Wpointer-sign warning + +From: Arnd Bergmann + +[ Upstream commit ef41937631bfee855e2b406e1d536efdaa9ce512 ] + +There are thousands of warnings in a W=2 build from just one file: + +drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c:3788:15: warning: pointer targets in initialization of 'u8 *' {aka 'unsigned char *'} from 'char *' differ in signedness [-Wpointer-sign] + +Change the types to consistently use 'const char *' for the +strings. + +Signed-off-by: Arnd Bergmann +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201026213040.3889546-6-arnd@kernel.org +Stable-dep-of: 117dbeda22ec ("wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit()") +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtlwifi/rtl8821ae/phy.c | 81 ++++++++++--------- + .../realtek/rtlwifi/rtl8821ae/table.c | 4 +- + .../realtek/rtlwifi/rtl8821ae/table.h | 4 +- + 3 files changed, 45 insertions(+), 44 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +index 979e434a4e739..b9c560829a6f8 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +@@ -1587,7 +1587,7 @@ static void _rtl8821ae_phy_txpower_by_rate_configuration(struct ieee80211_hw *hw + } + + /* string is in decimal */ +-static bool _rtl8812ae_get_integer_from_string(char *str, u8 *pint) ++static bool _rtl8812ae_get_integer_from_string(const char *str, u8 *pint) + { + u16 i = 0; + *pint = 0; +@@ -1605,7 +1605,7 @@ static bool _rtl8812ae_get_integer_from_string(char *str, u8 *pint) + return true; + } + +-static bool _rtl8812ae_eq_n_byte(u8 *str1, u8 *str2, u32 num) ++static bool _rtl8812ae_eq_n_byte(const char *str1, const char *str2, u32 num) + { + if (num == 0) + return false; +@@ -1643,10 +1643,11 @@ static s8 _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(struct ieee80211_hw *hw, + return channel_index; + } + +-static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, u8 *pregulation, +- u8 *pband, u8 *pbandwidth, +- u8 *prate_section, u8 *prf_path, +- u8 *pchannel, u8 *ppower_limit) ++static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, ++ const char *pregulation, ++ const char *pband, const char *pbandwidth, ++ const char *prate_section, const char *prf_path, ++ const char *pchannel, const char *ppower_limit) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); + struct rtl_phy *rtlphy = &rtlpriv->phy; +@@ -1654,8 +1655,8 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, u8 *pregul + u8 channel_index; + s8 power_limit = 0, prev_power_limit, ret; + +- if (!_rtl8812ae_get_integer_from_string((char *)pchannel, &channel) || +- !_rtl8812ae_get_integer_from_string((char *)ppower_limit, ++ if (!_rtl8812ae_get_integer_from_string(pchannel, &channel) || ++ !_rtl8812ae_get_integer_from_string(ppower_limit, + &power_limit)) { + RT_TRACE(rtlpriv, COMP_INIT, DBG_TRACE, + "Illegal index of pwr_lmt table [chnl %d][val %d]\n", +@@ -1665,42 +1666,42 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, u8 *pregul + power_limit = power_limit > MAX_POWER_INDEX ? + MAX_POWER_INDEX : power_limit; + +- if (_rtl8812ae_eq_n_byte(pregulation, (u8 *)("FCC"), 3)) ++ if (_rtl8812ae_eq_n_byte(pregulation, "FCC", 3)) + regulation = 0; +- else if (_rtl8812ae_eq_n_byte(pregulation, (u8 *)("MKK"), 3)) ++ else if (_rtl8812ae_eq_n_byte(pregulation, "MKK", 3)) + regulation = 1; +- else if (_rtl8812ae_eq_n_byte(pregulation, (u8 *)("ETSI"), 4)) ++ else if (_rtl8812ae_eq_n_byte(pregulation, "ETSI", 4)) + regulation = 2; +- else if (_rtl8812ae_eq_n_byte(pregulation, (u8 *)("WW13"), 4)) ++ else if (_rtl8812ae_eq_n_byte(pregulation, "WW13", 4)) + regulation = 3; + +- if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("CCK"), 3)) ++ if (_rtl8812ae_eq_n_byte(prate_section, "CCK", 3)) + rate_section = 0; +- else if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("OFDM"), 4)) ++ else if (_rtl8812ae_eq_n_byte(prate_section, "OFDM", 4)) + rate_section = 1; +- else if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("HT"), 2) && +- _rtl8812ae_eq_n_byte(prf_path, (u8 *)("1T"), 2)) ++ else if (_rtl8812ae_eq_n_byte(prate_section, "HT", 2) && ++ _rtl8812ae_eq_n_byte(prf_path, "1T", 2)) + rate_section = 2; +- else if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("HT"), 2) && +- _rtl8812ae_eq_n_byte(prf_path, (u8 *)("2T"), 2)) ++ else if (_rtl8812ae_eq_n_byte(prate_section, "HT", 2) && ++ _rtl8812ae_eq_n_byte(prf_path, "2T", 2)) + rate_section = 3; +- else if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("VHT"), 3) && +- _rtl8812ae_eq_n_byte(prf_path, (u8 *)("1T"), 2)) ++ else if (_rtl8812ae_eq_n_byte(prate_section, "VHT", 3) && ++ _rtl8812ae_eq_n_byte(prf_path, "1T", 2)) + rate_section = 4; +- else if (_rtl8812ae_eq_n_byte(prate_section, (u8 *)("VHT"), 3) && +- _rtl8812ae_eq_n_byte(prf_path, (u8 *)("2T"), 2)) ++ else if (_rtl8812ae_eq_n_byte(prate_section, "VHT", 3) && ++ _rtl8812ae_eq_n_byte(prf_path, "2T", 2)) + rate_section = 5; + +- if (_rtl8812ae_eq_n_byte(pbandwidth, (u8 *)("20M"), 3)) ++ if (_rtl8812ae_eq_n_byte(pbandwidth, "20M", 3)) + bandwidth = 0; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, (u8 *)("40M"), 3)) ++ else if (_rtl8812ae_eq_n_byte(pbandwidth, "40M", 3)) + bandwidth = 1; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, (u8 *)("80M"), 3)) ++ else if (_rtl8812ae_eq_n_byte(pbandwidth, "80M", 3)) + bandwidth = 2; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, (u8 *)("160M"), 4)) ++ else if (_rtl8812ae_eq_n_byte(pbandwidth, "160M", 4)) + bandwidth = 3; + +- if (_rtl8812ae_eq_n_byte(pband, (u8 *)("2.4G"), 4)) { ++ if (_rtl8812ae_eq_n_byte(pband, "2.4G", 4)) { + ret = _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(hw, + BAND_ON_2_4G, + channel); +@@ -1724,7 +1725,7 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, u8 *pregul + regulation, bandwidth, rate_section, channel_index, + rtlphy->txpwr_limit_2_4g[regulation][bandwidth] + [rate_section][channel_index][RF90_PATH_A]); +- } else if (_rtl8812ae_eq_n_byte(pband, (u8 *)("5G"), 2)) { ++ } else if (_rtl8812ae_eq_n_byte(pband, "5G", 2)) { + ret = _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(hw, + BAND_ON_5G, + channel); +@@ -1755,10 +1756,10 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, u8 *pregul + } + + static void _rtl8812ae_phy_config_bb_txpwr_lmt(struct ieee80211_hw *hw, +- u8 *regulation, u8 *band, +- u8 *bandwidth, u8 *rate_section, +- u8 *rf_path, u8 *channel, +- u8 *power_limit) ++ const char *regulation, const char *band, ++ const char *bandwidth, const char *rate_section, ++ const char *rf_path, const char *channel, ++ const char *power_limit) + { + _rtl8812ae_phy_set_txpower_limit(hw, regulation, band, bandwidth, + rate_section, rf_path, channel, +@@ -1771,7 +1772,7 @@ static void _rtl8821ae_phy_read_and_config_txpwr_lmt(struct ieee80211_hw *hw) + struct rtl_hal *rtlhal = rtl_hal(rtlpriv); + u32 i = 0; + u32 array_len; +- u8 **array; ++ const char **array; + + if (rtlhal->hw_type == HARDWARE_TYPE_RTL8812AE) { + array_len = RTL8812AE_TXPWR_LMT_ARRAY_LEN; +@@ -1785,13 +1786,13 @@ static void _rtl8821ae_phy_read_and_config_txpwr_lmt(struct ieee80211_hw *hw) + "\n"); + + for (i = 0; i < array_len; i += 7) { +- u8 *regulation = array[i]; +- u8 *band = array[i+1]; +- u8 *bandwidth = array[i+2]; +- u8 *rate = array[i+3]; +- u8 *rf_path = array[i+4]; +- u8 *chnl = array[i+5]; +- u8 *val = array[i+6]; ++ const char *regulation = array[i]; ++ const char *band = array[i+1]; ++ const char *bandwidth = array[i+2]; ++ const char *rate = array[i+3]; ++ const char *rf_path = array[i+4]; ++ const char *chnl = array[i+5]; ++ const char *val = array[i+6]; + + _rtl8812ae_phy_config_bb_txpwr_lmt(hw, regulation, band, + bandwidth, rate, rf_path, +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c +index ed72a2aeb6c8e..fcaaf664cbec5 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.c +@@ -2894,7 +2894,7 @@ u32 RTL8821AE_AGC_TAB_1TARRAYLEN = ARRAY_SIZE(RTL8821AE_AGC_TAB_ARRAY); + * TXPWR_LMT.TXT + ******************************************************************************/ + +-u8 *RTL8812AE_TXPWR_LMT[] = { ++const char *RTL8812AE_TXPWR_LMT[] = { + "FCC", "2.4G", "20M", "CCK", "1T", "01", "36", + "ETSI", "2.4G", "20M", "CCK", "1T", "01", "32", + "MKK", "2.4G", "20M", "CCK", "1T", "01", "32", +@@ -3463,7 +3463,7 @@ u8 *RTL8812AE_TXPWR_LMT[] = { + + u32 RTL8812AE_TXPWR_LMT_ARRAY_LEN = ARRAY_SIZE(RTL8812AE_TXPWR_LMT); + +-u8 *RTL8821AE_TXPWR_LMT[] = { ++const char *RTL8821AE_TXPWR_LMT[] = { + "FCC", "2.4G", "20M", "CCK", "1T", "01", "32", + "ETSI", "2.4G", "20M", "CCK", "1T", "01", "32", + "MKK", "2.4G", "20M", "CCK", "1T", "01", "32", +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.h b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.h +index 540159c25078a..76c62b7c0fb24 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.h ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/table.h +@@ -28,7 +28,7 @@ extern u32 RTL8821AE_AGC_TAB_ARRAY[]; + extern u32 RTL8812AE_AGC_TAB_1TARRAYLEN; + extern u32 RTL8812AE_AGC_TAB_ARRAY[]; + extern u32 RTL8812AE_TXPWR_LMT_ARRAY_LEN; +-extern u8 *RTL8812AE_TXPWR_LMT[]; ++extern const char *RTL8812AE_TXPWR_LMT[]; + extern u32 RTL8821AE_TXPWR_LMT_ARRAY_LEN; +-extern u8 *RTL8821AE_TXPWR_LMT[]; ++extern const char *RTL8821AE_TXPWR_LMT[]; + #endif +-- +2.39.2 + diff --git a/queue-5.4/s390-dasd-fix-potential-memleak-in-dasd_eckd_init.patch b/queue-5.4/s390-dasd-fix-potential-memleak-in-dasd_eckd_init.patch new file mode 100644 index 00000000000..f014117102b --- /dev/null +++ b/queue-5.4/s390-dasd-fix-potential-memleak-in-dasd_eckd_init.patch @@ -0,0 +1,43 @@ +From d48316979d0159343cdc129c657ff34110fe5d6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 01:02:53 +0100 +Subject: s390/dasd: Fix potential memleak in dasd_eckd_init() + +From: Qiheng Lin + +[ Upstream commit 460e9bed82e49db1b823dcb4e421783854d86c40 ] + +`dasd_reserve_req` is allocated before `dasd_vol_info_req`, and it +also needs to be freed before the error returns, just like the other +cases in this function. + +Fixes: 9e12e54c7a8f ("s390/dasd: Handle out-of-space constraint") +Signed-off-by: Qiheng Lin +Link: https://lore.kernel.org/r/20221208133809.16796-1-linqiheng@huawei.com +Signed-off-by: Stefan Haberland +Link: https://lore.kernel.org/r/20230210000253.1644903-3-sth@linux.ibm.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd_eckd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index d1429936f38c6..c6930c159d2a6 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -6763,8 +6763,10 @@ dasd_eckd_init(void) + return -ENOMEM; + dasd_vol_info_req = kmalloc(sizeof(*dasd_vol_info_req), + GFP_KERNEL | GFP_DMA); +- if (!dasd_vol_info_req) ++ if (!dasd_vol_info_req) { ++ kfree(dasd_reserve_req); + return -ENOMEM; ++ } + pe_handler_worker = kmalloc(sizeof(*pe_handler_worker), + GFP_KERNEL | GFP_DMA); + if (!pe_handler_worker) { +-- +2.39.2 + diff --git a/queue-5.4/s390-dasd-prepare-for-additional-path-event-handling.patch b/queue-5.4/s390-dasd-prepare-for-additional-path-event-handling.patch new file mode 100644 index 00000000000..c86774fd0a0 --- /dev/null +++ b/queue-5.4/s390-dasd-prepare-for-additional-path-event-handling.patch @@ -0,0 +1,236 @@ +From dddebf4ce1660a2d60d27408a66eeec1a13d93b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Oct 2020 15:13:35 +0200 +Subject: s390/dasd: Prepare for additional path event handling +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan Höppner + +[ Upstream commit b72949328869dfd45f6452c2410647afd7db5f1a ] + +As more path events need to be handled for ECKD the current path +verification infrastructure can be reused. Rename all path verifcation +code to fit the more broadly based task of path event handling and put +the path verification in a new separate function. + +Signed-off-by: Jan Höppner +Signed-off-by: Stefan Haberland +Reviewed-by: Stefan Haberland +Reviewed-by: Cornelia Huck +Signed-off-by: Jens Axboe +Stable-dep-of: 460e9bed82e4 ("s390/dasd: Fix potential memleak in dasd_eckd_init()") +Signed-off-by: Sasha Levin +--- + drivers/s390/block/dasd.c | 4 +- + drivers/s390/block/dasd_eckd.c | 78 +++++++++++++++++++--------------- + drivers/s390/block/dasd_int.h | 1 + + 3 files changed, 47 insertions(+), 36 deletions(-) + +diff --git a/drivers/s390/block/dasd.c b/drivers/s390/block/dasd.c +index e0570cd0e520c..3362f235e8919 100644 +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -2128,8 +2128,8 @@ static void __dasd_device_check_path_events(struct dasd_device *device) + if (device->stopped & + ~(DASD_STOPPED_DC_WAIT | DASD_UNRESUMED_PM)) + return; +- rc = device->discipline->verify_path(device, +- dasd_path_get_tbvpm(device)); ++ rc = device->discipline->pe_handler(device, ++ dasd_path_get_tbvpm(device)); + if (rc) + dasd_device_set_timer(device, 50); + else +diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c +index 53d22975a32fd..d1429936f38c6 100644 +--- a/drivers/s390/block/dasd_eckd.c ++++ b/drivers/s390/block/dasd_eckd.c +@@ -103,7 +103,7 @@ struct ext_pool_exhaust_work_data { + }; + + /* definitions for the path verification worker */ +-struct path_verification_work_data { ++struct pe_handler_work_data { + struct work_struct worker; + struct dasd_device *device; + struct dasd_ccw_req cqr; +@@ -112,8 +112,8 @@ struct path_verification_work_data { + int isglobal; + __u8 tbvpm; + }; +-static struct path_verification_work_data *path_verification_worker; +-static DEFINE_MUTEX(dasd_path_verification_mutex); ++static struct pe_handler_work_data *pe_handler_worker; ++static DEFINE_MUTEX(dasd_pe_handler_mutex); + + struct check_attention_work_data { + struct work_struct worker; +@@ -1219,7 +1219,7 @@ static int verify_fcx_max_data(struct dasd_device *device, __u8 lpm) + } + + static int rebuild_device_uid(struct dasd_device *device, +- struct path_verification_work_data *data) ++ struct pe_handler_work_data *data) + { + struct dasd_eckd_private *private = device->private; + __u8 lpm, opm = dasd_path_get_opm(device); +@@ -1257,10 +1257,9 @@ static int rebuild_device_uid(struct dasd_device *device, + return rc; + } + +-static void do_path_verification_work(struct work_struct *work) ++static void dasd_eckd_path_available_action(struct dasd_device *device, ++ struct pe_handler_work_data *data) + { +- struct path_verification_work_data *data; +- struct dasd_device *device; + struct dasd_eckd_private path_private; + struct dasd_uid *uid; + __u8 path_rcd_buf[DASD_ECKD_RCD_DATA_SIZE]; +@@ -1269,19 +1268,6 @@ static void do_path_verification_work(struct work_struct *work) + char print_uid[60]; + int rc; + +- data = container_of(work, struct path_verification_work_data, worker); +- device = data->device; +- +- /* delay path verification until device was resumed */ +- if (test_bit(DASD_FLAG_SUSPENDED, &device->flags)) { +- schedule_work(work); +- return; +- } +- /* check if path verification already running and delay if so */ +- if (test_and_set_bit(DASD_FLAG_PATH_VERIFY, &device->flags)) { +- schedule_work(work); +- return; +- } + opm = 0; + npm = 0; + ppm = 0; +@@ -1418,30 +1404,54 @@ static void do_path_verification_work(struct work_struct *work) + dasd_path_add_nohpfpm(device, hpfpm); + spin_unlock_irqrestore(get_ccwdev_lock(device->cdev), flags); + } ++} ++ ++static void do_pe_handler_work(struct work_struct *work) ++{ ++ struct pe_handler_work_data *data; ++ struct dasd_device *device; ++ ++ data = container_of(work, struct pe_handler_work_data, worker); ++ device = data->device; ++ ++ /* delay path verification until device was resumed */ ++ if (test_bit(DASD_FLAG_SUSPENDED, &device->flags)) { ++ schedule_work(work); ++ return; ++ } ++ /* check if path verification already running and delay if so */ ++ if (test_and_set_bit(DASD_FLAG_PATH_VERIFY, &device->flags)) { ++ schedule_work(work); ++ return; ++ } ++ ++ dasd_eckd_path_available_action(device, data); ++ + clear_bit(DASD_FLAG_PATH_VERIFY, &device->flags); + dasd_put_device(device); + if (data->isglobal) +- mutex_unlock(&dasd_path_verification_mutex); ++ mutex_unlock(&dasd_pe_handler_mutex); + else + kfree(data); + } + +-static int dasd_eckd_verify_path(struct dasd_device *device, __u8 lpm) ++static int dasd_eckd_pe_handler(struct dasd_device *device, __u8 lpm) + { +- struct path_verification_work_data *data; ++ struct pe_handler_work_data *data; + + data = kmalloc(sizeof(*data), GFP_ATOMIC | GFP_DMA); + if (!data) { +- if (mutex_trylock(&dasd_path_verification_mutex)) { +- data = path_verification_worker; ++ if (mutex_trylock(&dasd_pe_handler_mutex)) { ++ data = pe_handler_worker; + data->isglobal = 1; +- } else ++ } else { + return -ENOMEM; ++ } + } else { + memset(data, 0, sizeof(*data)); + data->isglobal = 0; + } +- INIT_WORK(&data->worker, do_path_verification_work); ++ INIT_WORK(&data->worker, do_pe_handler_work); + dasd_get_device(device); + data->device = device; + data->tbvpm = lpm; +@@ -6694,7 +6704,7 @@ static struct dasd_discipline dasd_eckd_discipline = { + .check_device = dasd_eckd_check_characteristics, + .uncheck_device = dasd_eckd_uncheck_device, + .do_analysis = dasd_eckd_do_analysis, +- .verify_path = dasd_eckd_verify_path, ++ .pe_handler = dasd_eckd_pe_handler, + .basic_to_ready = dasd_eckd_basic_to_ready, + .online_to_ready = dasd_eckd_online_to_ready, + .basic_to_known = dasd_eckd_basic_to_known, +@@ -6755,16 +6765,16 @@ dasd_eckd_init(void) + GFP_KERNEL | GFP_DMA); + if (!dasd_vol_info_req) + return -ENOMEM; +- path_verification_worker = kmalloc(sizeof(*path_verification_worker), +- GFP_KERNEL | GFP_DMA); +- if (!path_verification_worker) { ++ pe_handler_worker = kmalloc(sizeof(*pe_handler_worker), ++ GFP_KERNEL | GFP_DMA); ++ if (!pe_handler_worker) { + kfree(dasd_reserve_req); + kfree(dasd_vol_info_req); + return -ENOMEM; + } + rawpadpage = (void *)__get_free_page(GFP_KERNEL); + if (!rawpadpage) { +- kfree(path_verification_worker); ++ kfree(pe_handler_worker); + kfree(dasd_reserve_req); + kfree(dasd_vol_info_req); + return -ENOMEM; +@@ -6773,7 +6783,7 @@ dasd_eckd_init(void) + if (!ret) + wait_for_device_probe(); + else { +- kfree(path_verification_worker); ++ kfree(pe_handler_worker); + kfree(dasd_reserve_req); + kfree(dasd_vol_info_req); + free_page((unsigned long)rawpadpage); +@@ -6785,7 +6795,7 @@ static void __exit + dasd_eckd_cleanup(void) + { + ccw_driver_unregister(&dasd_eckd_driver); +- kfree(path_verification_worker); ++ kfree(pe_handler_worker); + kfree(dasd_reserve_req); + free_page((unsigned long)rawpadpage); + } +diff --git a/drivers/s390/block/dasd_int.h b/drivers/s390/block/dasd_int.h +index 9d9685c25253d..e8a06d85d6f72 100644 +--- a/drivers/s390/block/dasd_int.h ++++ b/drivers/s390/block/dasd_int.h +@@ -299,6 +299,7 @@ struct dasd_discipline { + * configuration. + */ + int (*verify_path)(struct dasd_device *, __u8); ++ int (*pe_handler)(struct dasd_device *, __u8); + + /* + * Last things to do when a device is set online, and first things +-- +2.39.2 + diff --git a/queue-5.4/sched-deadline-rt-remove-unused-parameter-from-pick_.patch b/queue-5.4/sched-deadline-rt-remove-unused-parameter-from-pick_.patch new file mode 100644 index 00000000000..0a847ed834f --- /dev/null +++ b/queue-5.4/sched-deadline-rt-remove-unused-parameter-from-pick_.patch @@ -0,0 +1,72 @@ +From c02eec27c1a2dfa592380b649c7e40c6b85b225b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Mar 2022 19:34:33 +0100 +Subject: sched/deadline,rt: Remove unused parameter from + pick_next_[rt|dl]_entity() + +From: Dietmar Eggemann + +[ Upstream commit 821aecd09e5ad2f8d4c3d8195333d272b392f7d3 ] + +The `struct rq *rq` parameter isn't used. Remove it. + +Signed-off-by: Dietmar Eggemann +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Juri Lelli +Link: https://lore.kernel.org/r/20220302183433.333029-7-dietmar.eggemann@arm.com +Stable-dep-of: 7c4a5b89a0b5 ("sched/rt: pick_next_rt_entity(): check list_entry") +Signed-off-by: Sasha Levin +--- + kernel/sched/deadline.c | 5 ++--- + kernel/sched/rt.c | 5 ++--- + 2 files changed, 4 insertions(+), 6 deletions(-) + +diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c +index d8052c2d87e49..ba3d7c223999e 100644 +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -1793,8 +1793,7 @@ static void set_next_task_dl(struct rq *rq, struct task_struct *p, bool first) + deadline_queue_push_tasks(rq); + } + +-static struct sched_dl_entity *pick_next_dl_entity(struct rq *rq, +- struct dl_rq *dl_rq) ++static struct sched_dl_entity *pick_next_dl_entity(struct dl_rq *dl_rq) + { + struct rb_node *left = rb_first_cached(&dl_rq->root); + +@@ -1816,7 +1815,7 @@ pick_next_task_dl(struct rq *rq, struct task_struct *prev, struct rq_flags *rf) + if (!sched_dl_runnable(rq)) + return NULL; + +- dl_se = pick_next_dl_entity(rq, dl_rq); ++ dl_se = pick_next_dl_entity(dl_rq); + BUG_ON(!dl_se); + p = dl_task_of(dl_se); + set_next_task_dl(rq, p, true); +diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c +index c11d3d79d4c31..e5d42947e57ab 100644 +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -1550,8 +1550,7 @@ static inline void set_next_task_rt(struct rq *rq, struct task_struct *p, bool f + rt_queue_push_tasks(rq); + } + +-static struct sched_rt_entity *pick_next_rt_entity(struct rq *rq, +- struct rt_rq *rt_rq) ++static struct sched_rt_entity *pick_next_rt_entity(struct rt_rq *rt_rq) + { + struct rt_prio_array *array = &rt_rq->active; + struct sched_rt_entity *next = NULL; +@@ -1573,7 +1572,7 @@ static struct task_struct *_pick_next_task_rt(struct rq *rq) + struct rt_rq *rt_rq = &rq->rt; + + do { +- rt_se = pick_next_rt_entity(rq, rt_rq); ++ rt_se = pick_next_rt_entity(rt_rq); + BUG_ON(!rt_se); + rt_rq = group_rt_rq(rt_se); + } while (rt_rq); +-- +2.39.2 + diff --git a/queue-5.4/sched-fair-sanitize-vruntime-of-entity-being-placed.patch b/queue-5.4/sched-fair-sanitize-vruntime-of-entity-being-placed.patch new file mode 100644 index 00000000000..2c036a69e17 --- /dev/null +++ b/queue-5.4/sched-fair-sanitize-vruntime-of-entity-being-placed.patch @@ -0,0 +1,70 @@ +From 7cf75c4f005171522b77a8b59ba13acb71c92684 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 13:22:16 +0100 +Subject: sched/fair: sanitize vruntime of entity being placed + +From: Zhang Qiao + +[ Upstream commit 829c1651e9c4a6f78398d3e67651cef9bb6b42cc ] + +When a scheduling entity is placed onto cfs_rq, its vruntime is pulled +to the base level (around cfs_rq->min_vruntime), so that the entity +doesn't gain extra boost when placed backwards. + +However, if the entity being placed wasn't executed for a long time, its +vruntime may get too far behind (e.g. while cfs_rq was executing a +low-weight hog), which can inverse the vruntime comparison due to s64 +overflow. This results in the entity being placed with its original +vruntime way forwards, so that it will effectively never get to the cpu. + +To prevent that, ignore the vruntime of the entity being placed if it +didn't execute for much longer than the characteristic sheduler time +scale. + +[rkagan: formatted, adjusted commit log, comments, cutoff value] +Signed-off-by: Zhang Qiao +Co-developed-by: Roman Kagan +Signed-off-by: Roman Kagan +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20230130122216.3555094-1-rkagan@amazon.de +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index d2a68ae7596ec..97ede6b914422 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3881,6 +3881,7 @@ static void + place_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int initial) + { + u64 vruntime = cfs_rq->min_vruntime; ++ u64 sleep_time; + + /* + * The 'current' period is already promised to the current tasks, +@@ -3905,8 +3906,18 @@ place_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int initial) + vruntime -= thresh; + } + +- /* ensure we never gain time by being placed backwards. */ +- se->vruntime = max_vruntime(se->vruntime, vruntime); ++ /* ++ * Pull vruntime of the entity being placed to the base level of ++ * cfs_rq, to prevent boosting it if placed backwards. If the entity ++ * slept for a long time, don't even try to compare its vruntime with ++ * the base as it may be too far off and the comparison may get ++ * inversed due to s64 overflow. ++ */ ++ sleep_time = rq_clock_task(rq_of(cfs_rq)) - se->exec_start; ++ if ((s64)sleep_time > 60LL * NSEC_PER_SEC) ++ se->vruntime = vruntime; ++ else ++ se->vruntime = max_vruntime(se->vruntime, vruntime); + } + + static void check_enqueue_throttle(struct cfs_rq *cfs_rq); +-- +2.39.2 + diff --git a/queue-5.4/sched-rt-pick_next_rt_entity-check-list_entry.patch b/queue-5.4/sched-rt-pick_next_rt_entity-check-list_entry.patch new file mode 100644 index 00000000000..c3cb73e7aca --- /dev/null +++ b/queue-5.4/sched-rt-pick_next_rt_entity-check-list_entry.patch @@ -0,0 +1,55 @@ +From eea370873689637c3dc576a3c7fed9a1969b997d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Feb 2023 22:33:54 +0000 +Subject: sched/rt: pick_next_rt_entity(): check list_entry + +From: Pietro Borrello + +[ Upstream commit 7c4a5b89a0b5a57a64b601775b296abf77a9fe97 ] + +Commit 326587b84078 ("sched: fix goto retry in pick_next_task_rt()") +removed any path which could make pick_next_rt_entity() return NULL. +However, BUG_ON(!rt_se) in _pick_next_task_rt() (the only caller of +pick_next_rt_entity()) still checks the error condition, which can +never happen, since list_entry() never returns NULL. +Remove the BUG_ON check, and instead emit a warning in the only +possible error condition here: the queue being empty which should +never happen. + +Fixes: 326587b84078 ("sched: fix goto retry in pick_next_task_rt()") +Signed-off-by: Pietro Borrello +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Phil Auld +Reviewed-by: Steven Rostedt (Google) +Link: https://lore.kernel.org/r/20230128-list-entry-null-check-sched-v3-1-b1a71bd1ac6b@diag.uniroma1.it +Signed-off-by: Sasha Levin +--- + kernel/sched/rt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c +index e5d42947e57ab..186e7d78ded5c 100644 +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -1561,6 +1561,8 @@ static struct sched_rt_entity *pick_next_rt_entity(struct rt_rq *rt_rq) + BUG_ON(idx >= MAX_RT_PRIO); + + queue = array->queue + idx; ++ if (SCHED_WARN_ON(list_empty(queue))) ++ return NULL; + next = list_entry(queue->next, struct sched_rt_entity, run_list); + + return next; +@@ -1573,7 +1575,8 @@ static struct task_struct *_pick_next_task_rt(struct rq *rq) + + do { + rt_se = pick_next_rt_entity(rt_rq); +- BUG_ON(!rt_se); ++ if (unlikely(!rt_se)) ++ return NULL; + rt_rq = group_rt_rq(rt_se); + } while (rt_rq); + +-- +2.39.2 + diff --git a/queue-5.4/scsi-aic94xx-add-missing-check-for-dma_map_single.patch b/queue-5.4/scsi-aic94xx-add-missing-check-for-dma_map_single.patch new file mode 100644 index 00000000000..914b47eaa76 --- /dev/null +++ b/queue-5.4/scsi-aic94xx-add-missing-check-for-dma_map_single.patch @@ -0,0 +1,39 @@ +From 66d391842c3a2a688e8f429094c9547791e638f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jan 2023 19:08:32 +0800 +Subject: scsi: aic94xx: Add missing check for dma_map_single() + +From: Jiasheng Jiang + +[ Upstream commit 32fe45274edb5926abc0fac7263d9f889d02d9cf ] + +Add check for dma_map_single() and return error if it fails in order to +avoid invalid DMA address. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Link: https://lore.kernel.org/r/20230128110832.6792-1-jiasheng@iscas.ac.cn +Signed-off-by: Jiasheng Jiang +Reviewed-by: Jason Yan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aic94xx/aic94xx_task.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/aic94xx/aic94xx_task.c b/drivers/scsi/aic94xx/aic94xx_task.c +index f923ed019d4a1..593b167ceefee 100644 +--- a/drivers/scsi/aic94xx/aic94xx_task.c ++++ b/drivers/scsi/aic94xx/aic94xx_task.c +@@ -50,6 +50,9 @@ static int asd_map_scatterlist(struct sas_task *task, + dma_addr_t dma = dma_map_single(&asd_ha->pcidev->dev, p, + task->total_xfer_len, + task->data_dir); ++ if (dma_mapping_error(&asd_ha->pcidev->dev, dma)) ++ return -ENOMEM; ++ + sg_arr[0].bus_addr = cpu_to_le64((u64)dma); + sg_arr[0].size = cpu_to_le32(task->total_xfer_len); + sg_arr[0].flags |= ASD_SG_EL_LIST_EOL; +-- +2.39.2 + diff --git a/queue-5.4/selftest-fib_tests-always-cleanup-before-exit.patch b/queue-5.4/selftest-fib_tests-always-cleanup-before-exit.patch new file mode 100644 index 00000000000..ff43bd8d455 --- /dev/null +++ b/queue-5.4/selftest-fib_tests-always-cleanup-before-exit.patch @@ -0,0 +1,42 @@ +From eee1b20f975f3f20837086192c1a15e053b3ba14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Feb 2023 12:04:00 +0100 +Subject: selftest: fib_tests: Always cleanup before exit + +From: Roxana Nicolescu + +[ Upstream commit b60417a9f2b890a8094477b2204d4f73c535725e ] + +Usage of `set -e` before executing a command causes immediate exit +on failure, without cleanup up the resources allocated at setup. +This can affect the next tests that use the same resources, +leading to a chain of failures. + +A simple fix is to always call cleanup function when the script exists. +This approach is already used by other existing tests. + +Fixes: 1056691b2680 ("selftests: fib_tests: Make test results more verbose") +Signed-off-by: Roxana Nicolescu +Link: https://lore.kernel.org/r/20230220110400.26737-2-roxana.nicolescu@canonical.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib_tests.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh +index 6986086035d6c..24d67fa66d037 100644 +--- a/tools/testing/selftests/net/fib_tests.sh ++++ b/tools/testing/selftests/net/fib_tests.sh +@@ -1662,6 +1662,8 @@ EOF + ################################################################################ + # main + ++trap cleanup EXIT ++ + while getopts :t:pPhv o + do + case $o in +-- +2.39.2 + diff --git a/queue-5.4/selftests-ftrace-fix-bash-specific-operator.patch b/queue-5.4/selftests-ftrace-fix-bash-specific-operator.patch new file mode 100644 index 00000000000..300fdcbcc21 --- /dev/null +++ b/queue-5.4/selftests-ftrace-fix-bash-specific-operator.patch @@ -0,0 +1,44 @@ +From f33ae5950cc5749bb72ea36d29a85172f4ced4b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Jan 2023 08:32:50 +0900 +Subject: selftests/ftrace: Fix bash specific "==" operator + +From: Masami Hiramatsu (Google) + +[ Upstream commit 1e6b485c922fbedf41d5a9f4e6449c5aeb923a32 ] + +Since commit a1d6cd88c897 ("selftests/ftrace: event_triggers: wait +longer for test_event_enable") introduced bash specific "==" +comparation operator, that test will fail when we run it on a +posix-shell. `checkbashisms` warned it as below. + +possible bashism in ftrace/func_event_triggers.tc line 45 (should be 'b = a'): + if [ "$e" == $val ]; then + +This replaces it with "=". + +Fixes: a1d6cd88c897 ("selftests/ftrace: event_triggers: wait longer for test_event_enable") +Signed-off-by: Masami Hiramatsu (Google) +Reviewed-by: Steven Rostedt (Google) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + .../selftests/ftrace/test.d/ftrace/func_event_triggers.tc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc +index f261eeccfaf6d..020fbdaa3fba1 100644 +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc +@@ -46,7 +46,7 @@ test_event_enabled() { + + while [ $check_times -ne 0 ]; do + e=`cat $EVENT_ENABLE` +- if [ "$e" == $val ]; then ++ if [ "$e" = $val ]; then + return 0 + fi + sleep $SLEEP_TIME +-- +2.39.2 + diff --git a/queue-5.4/selftests-net-interpret-udp_gro-cmsg-data-as-an-int-.patch b/queue-5.4/selftests-net-interpret-udp_gro-cmsg-data-as-an-int-.patch new file mode 100644 index 00000000000..f13179f3114 --- /dev/null +++ b/queue-5.4/selftests-net-interpret-udp_gro-cmsg-data-as-an-int-.patch @@ -0,0 +1,66 @@ +From ac08bec74393c515e25c1385cddb22c943ade5e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 13:43:40 +0100 +Subject: selftests/net: Interpret UDP_GRO cmsg data as an int value + +From: Jakub Sitnicki + +[ Upstream commit 436864095a95fcc611c20c44a111985fa9848730 ] + +Data passed to user-space with a (SOL_UDP, UDP_GRO) cmsg carries an +int (see udp_cmsg_recv), not a u16 value, as strace confirms: + + recvmsg(8, {msg_name=..., + msg_iov=[{iov_base="\0\0..."..., iov_len=96000}], + msg_iovlen=1, + msg_control=[{cmsg_len=20, <-- sizeof(cmsghdr) + 4 + cmsg_level=SOL_UDP, + cmsg_type=0x68}], <-- UDP_GRO + msg_controllen=24, + msg_flags=0}, 0) = 11200 + +Interpreting the data as an u16 value won't work on big-endian platforms. +Since it is too late to back out of this API decision [1], fix the test. + +[1]: https://lore.kernel.org/netdev/20230131174601.203127-1-jakub@cloudflare.com/ + +Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO") +Suggested-by: Eric Dumazet +Signed-off-by: Jakub Sitnicki +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_rx.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c +index 4058c7451e70d..f35a924d4a303 100644 +--- a/tools/testing/selftests/net/udpgso_bench_rx.c ++++ b/tools/testing/selftests/net/udpgso_bench_rx.c +@@ -214,11 +214,10 @@ static void do_verify_udp(const char *data, int len) + + static int recv_msg(int fd, char *buf, int len, int *gso_size) + { +- char control[CMSG_SPACE(sizeof(uint16_t))] = {0}; ++ char control[CMSG_SPACE(sizeof(int))] = {0}; + struct msghdr msg = {0}; + struct iovec iov = {0}; + struct cmsghdr *cmsg; +- uint16_t *gsosizeptr; + int ret; + + iov.iov_base = buf; +@@ -237,8 +236,7 @@ static int recv_msg(int fd, char *buf, int len, int *gso_size) + cmsg = CMSG_NXTHDR(&msg, cmsg)) { + if (cmsg->cmsg_level == SOL_UDP + && cmsg->cmsg_type == UDP_GRO) { +- gsosizeptr = (uint16_t *) CMSG_DATA(cmsg); +- *gso_size = *gsosizeptr; ++ *gso_size = *(int *)CMSG_DATA(cmsg); + break; + } + } +-- +2.39.2 + diff --git a/queue-5.4/series b/queue-5.4/series index 9dc81f32691..d35736f1610 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -1,3 +1,213 @@ hid-asus-remove-check-for-same-led-brightness-on-set.patch hid-asus-use-spinlock-to-protect-concurrent-accesses.patch hid-asus-use-spinlock-to-safely-schedule-workers.patch +arm-omap2-fix-memory-leak-in-realtime_counter_init.patch +arm64-dts-qcom-qcs404-use-symbol-names-for-pcie-rese.patch +arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch +arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch +arm64-dts-meson-g12a-fix-internal-ethernet-phy-unit-.patch +arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch +arm64-dts-meson-remove-cpu-opps-below-1ghz-for-g12a-.patch +arm-omap1-call-platform_device_put-in-error-case-in-.patch +arm-dts-exynos-correct-wr-active-property-in-exynos3.patch +arm-imx-call-ida_simple_remove-for-ida_simple_get.patch +arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch +arm64-dts-amlogic-meson-axg-fix-scpi-clock-dvfs-node.patch +arm64-dts-amlogic-meson-gx-add-missing-scpi-sensors-.patch +arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch +arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch +arm64-dts-amlogic-meson-gxl-s905d-phicomm-n1-fix-led.patch +arm-dts-imx7s-correct-iomuxc-gpr-mux-controller-cell.patch +arm64-dts-mediatek-mt7622-add-missing-pwm-cells-to-p.patch +revert-scsi-core-run-queue-if-scsi-device-queue-isn-.patch +block-limit-number-of-items-taken-from-the-i-o-sched.patch +blk-mq-remove-stale-comment-for-blk_mq_sched_mark_re.patch +blk-mq-wait-on-correct-sbitmap_queue-in-blk_mq_mark_.patch +blk-mq-correct-stale-comment-of-.get_budget.patch +s390-dasd-prepare-for-additional-path-event-handling.patch +s390-dasd-fix-potential-memleak-in-dasd_eckd_init.patch +sched-deadline-rt-remove-unused-parameter-from-pick_.patch +sched-rt-pick_next_rt_entity-check-list_entry.patch +block-bio-integrity-copy-flags-when-bio_integrity_pa.patch +wifi-rsi-fix-memory-leak-in-rsi_coex_attach.patch +net-wireless-delete-unnecessary-checks-before-the-ma.patch +wifi-iwlegacy-common-don-t-call-dev_kfree_skb-under-.patch +wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch +wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch +rtlwifi-fix-wpointer-sign-warning.patch +wifi-rtlwifi-fix-global-out-of-bounds-bug-in-_rtl881.patch +ipw2x00-switch-from-pci_-to-dma_-api.patch +wifi-ipw2x00-don-t-call-dev_kfree_skb-under-spin_loc.patch +wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch +wilc1000-let-wilc_mac_xmit-return-netdev_tx_ok.patch +wifi-wilc1000-fix-potential-memory-leak-in-wilc_mac_.patch +wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch +wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch +wifi-libertas_tf-don-t-call-kfree_skb-under-spin_loc.patch +wifi-libertas-if_usb-don-t-call-kfree_skb-under-spin.patch +wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch +wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch +wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch +crypto-x86-ghash-fix-unaligned-access-in-ghash_setke.patch +acpica-drop-port-i-o-validation-for-some-regions.patch +genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch +lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch +acpica-nsrepair-handle-cases-without-a-return-value-.patch +wifi-orinoco-check-return-value-of-hermes_write_word.patch +wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch +ath9k-hif_usb-simplify-if-if-to-if-else.patch +ath9k-htc-clean-up-statistics-macros.patch +wifi-ath9k-hif_usb-clean-up-skbs-if-ath9k_hif_usb_rx.patch +wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch +acpi-battery-fix-missing-nul-termination-with-large-.patch +crypto-ccp-failure-on-re-initialization-due-to-dupli.patch +crypto-essiv-remove-redundant-null-pointer-check-bef.patch +crypto-essiv-handle-ebusy-correctly.patch +crypto-seqiv-handle-ebusy-correctly.patch +powercap-fix-possible-name-leak-in-powercap_register.patch +net-mlx5-enhance-debug-print-in-page-allocation-fail.patch +irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch +irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch +irqchip-ti-sci-fix-refcount-leak-in-ti_sci_intr_irq_.patch +mptcp-add-sk_stop_timer_sync-helper.patch +net-add-sock_init_data_uid.patch +tun-tun_chr_open-correctly-initialize-socket-uid.patch +tap-tap_open-correctly-initialize-socket-uid.patch +opp-fix-error-checking-in-opp_migrate_dentry.patch +bluetooth-l2cap-fix-potential-user-after-free.patch +libbpf-fix-alen-calculation-in-libbpf_nla_dump_error.patch +rds-rds_rm_zerocopy_callback-correct-order-for-list_.patch +crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch +m68k-proc-hardware-should-depend-on-proc_fs.patch +risc-v-time-initialize-hrtimer-based-broadcast-clock.patch +usb-gadget-udc-avoid-tasklet-passing-a-global.patch +treewide-replace-declare_tasklet-with-declare_taskle.patch +wifi-iwl3945-add-missing-check-for-create_singlethre.patch +wifi-iwl4965-add-missing-check-for-create_singlethre.patch +wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch +crypto-crypto4xx-call-dma_unmap_page-when-done.patch +wifi-mac80211-make-rate-u32-in-sta_set_rate_info_rx.patch +thermal-drivers-hisi-drop-second-sensor-hi3660.patch +can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch +irqchip-irq-brcmstb-l2-set-irq_level-for-level-trigg.patch +irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch +selftests-net-interpret-udp_gro-cmsg-data-as-an-int-.patch +selftest-fib_tests-always-cleanup-before-exit.patch +drm-fourcc-add-missing-big-endian-xrgb1555-and-rgb56.patch +drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch +drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch +drm-vc4-dpi-add-option-for-inverting-pixel-clock-and.patch +drm-vc4-dpi-fix-format-mapping-for-rgb565.patch +gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch +drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch +pinctrl-stm32-fix-refcount-leak-in-stm32_pctrl_get_i.patch +asoc-fsl_sai-initialize-is_dsp_mode-flag.patch +alsa-hda-ca0132-minor-fix-for-allocation-size.patch +drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch +drm-msm-use-strscpy-instead-of-strncpy.patch +drm-msm-dpu-add-check-for-cstate.patch +drm-msm-dpu-add-check-for-pstates.patch +drm-exynos-don-t-reset-bridge-next.patch +drm-bridge-rename-bridge-helpers-targeting-a-bridge-.patch +drm-bridge-introduce-drm_bridge_get_next_bridge.patch +drm-initialize-struct-drm_crtc_state.no_vblank-from-.patch +drm-msm-mdp5-add-check-for-kzalloc.patch +gpu-host1x-don-t-skip-assigning-syncpoints-to-channe.patch +drm-mediatek-remove-cast-to-pointers-passed-to-kfree.patch +drm-mediatek-use-null-instead-of-0-for-null-pointer.patch +drm-mediatek-drop-unbalanced-obj-unref.patch +drm-mediatek-clean-dangling-pointer-on-bind-error-pa.patch +asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch +gpio-vf610-connect-gpio-label-to-dev-name.patch +hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch +scsi-aic94xx-add-missing-check-for-dma_map_single.patch +spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch +spi-bcm63xx-hsspi-fix-pm_runtime.patch +spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch +hwmon-mlxreg-fan-return-zero-speed-for-broken-fan.patch +dm-remove-flush_scheduled_work-during-local_exit.patch +spi-synquacer-fix-timeout-handling-in-synquacer_spi_.patch +asoc-dapm-declare-missing-structure-prototypes.patch +asoc-soc-dapm.h-fixup-warning-struct-snd_pcm_substre.patch +hid-bigben-use-spinlock-to-protect-concurrent-access.patch +hid-bigben_worker-remove-unneeded-check-on-report_fi.patch +hid-bigben-use-spinlock-to-safely-schedule-workers.patch +hid-asus-only-set-ev_rep-if-we-are-adding-a-mapping.patch +hid-asus-add-report_size-to-struct-asus_touchpad_inf.patch +hid-asus-add-support-for-multi-touch-touchpad-on-med.patch +hid-asus-fix-mute-and-touchpad-toggle-keys-on-medion.patch +hid-bigben_probe-validate-report-count.patch +nfsd-fix-race-to-check-ls_layouts.patch +cifs-fix-lost-destroy-smbd-connection-when-mr-alloca.patch +cifs-fix-warning-and-uaf-when-destroy-the-mr-list.patch +gfs2-jdata-writepage-fix.patch +perf-llvm-fix-inadvertent-file-creation.patch +perf-tools-fix-auto-complete-on-aarch64.patch +sparc-allow-pm-configs-for-sparc32-compile_test.patch +selftests-ftrace-fix-bash-specific-operator.patch +mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch +clk-qcom-gcc-qcs404-disable-gpll-04-_out_aux-parents.patch +clk-qcom-gcc-qcs404-fix-names-of-the-dsi-clocks-used.patch +mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch +clk-renesas-cpg-mssr-fix-use-after-free-if-cpg_mssr_.patch +clk-renesas-cpg-mssr-use-enum-clk_reg_layout-instead.patch +clk-renesas-cpg-mssr-remove-superfluous-check-in-res.patch +input-ads7846-don-t-report-pressure-for-ads7845.patch +input-ads7846-don-t-check-penirq-immediately-for-784.patch +mtd-rawnand-fsl_elbc-propagate-hw-ecc-settings-to-hw.patch +clk-qcom-gpucc-sdm845-fix-clk_dis_wait-being-program.patch +powerpc-powernv-ioda-skip-unallocated-resources-when.patch +clk-honor-clk_ops_parent_enable-in-clk_core_is_enabl.patch +powerpc-pseries-lpar-add-missing-rtas-retry-status-h.patch +powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch +powerpc-rtas-make-all-exports-gpl.patch +powerpc-rtas-ensure-4kb-alignment-for-rtas_data_buf.patch +powerpc-eeh-small-refactor-of-eeh_handle_normal_even.patch +powerpc-eeh-set-channel-state-after-notifying-the-dr.patch +mips-smp-cps-fix-build-error-when-hotplug_cpu-not-se.patch +mips-vpe-mt-drop-physical_memsize.patch +remoteproc-qcom_q6v5_mss-use-a-carveout-to-authentic.patch +media-platform-ti-add-missing-check-for-devm_regulat.patch +powerpc-remove-linker-flag-from-kbuild_aflags.patch +media-ov5675-fix-memleak-in-ov5675_init_controls.patch +media-i2c-ov772x-fix-memleak-in-ov772x_probe.patch +media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch +media-i2c-ov7670-0-instead-of-einval-was-returned.patch +media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch +rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch +udf-define-efscorrupted-error-code.patch +arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch +blk-iocost-fix-divide-by-0-error-in-calc_lcoefs.patch +sched-fair-sanitize-vruntime-of-entity-being-placed.patch +wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch +rcu-suppress-smp_processor_id-complaint-in-synchroni.patch +thermal-intel-fix-unsigned-comparison-with-less-than.patch +timers-prevent-union-confusion-from-unexpected-resta.patch +x86-bugs-reset-speculation-control-settings-on-init.patch +wifi-brcmfmac-ensure-clm-version-is-null-terminated-.patch +wifi-mt7601u-fix-an-integer-underflow.patch +inet-fix-fast-path-in-__inet_hash_connect.patch +ice-add-missing-checks-for-pf-vsi-type.patch +acpi-don-t-build-acpica-with-os.patch +net-bcmgenet-add-a-check-for-oversized-packets.patch +m68k-check-syscall_trace_enter-return-code.patch +wifi-mt76-dma-free-rx_head-in-mt76_dma_rx_cleanup.patch +acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch +net-mlx5-fw_tracer-fix-debug-print.patch +coda-avoid-partial-allocation-of-sig_inputargs.patch +uaccess-add-minimum-bounds-check-on-kernel-buffer-si.patch +drm-amd-display-fix-potential-null-deref-in-dm_resum.patch +drm-omap-dsi-fix-excessive-stack-usage.patch +hid-add-mapping-for-system-microphone-mute.patch +drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch +drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch +docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch +asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch +regulator-max77802-bounds-check-regulator-id-against.patch +regulator-s5m8767-bounds-check-id-indexing-into-arra.patch +hwmon-coretemp-simplify-platform-device-handling.patch +pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch +drm-panel-orientation-quirks-add-quirk-for-lenovo-id.patch +dm-thin-add-cond_resched-to-various-workqueue-loops.patch +dm-cache-add-cond_resched-to-various-workqueue-loops.patch +nfsd-zero-out-pointers-after-putting-nfsd_files-on-c.patch diff --git a/queue-5.4/sparc-allow-pm-configs-for-sparc32-compile_test.patch b/queue-5.4/sparc-allow-pm-configs-for-sparc32-compile_test.patch new file mode 100644 index 00000000000..0bd384909f9 --- /dev/null +++ b/queue-5.4/sparc-allow-pm-configs-for-sparc32-compile_test.patch @@ -0,0 +1,86 @@ +From ec40458198298092772659664230dd3ac264b458 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Feb 2023 16:43:57 -0800 +Subject: sparc: allow PM configs for sparc32 COMPILE_TEST + +From: Randy Dunlap + +[ Upstream commit 7be6a87c2473957090995b7eb541e31d57a2c801 ] + +When doing randconfig builds for sparc32 with COMPILE_TEST, some +(non-Sparc) drivers cause kconfig warnings with the Kconfig symbols PM, +PM_GENERIC_DOMAINS, or PM_GENERIC_DOMAINS_OF. + +This is due to arch/sparc/Kconfig not using the PM Kconfig for +Sparc32: + + if SPARC64 + source "kernel/power/Kconfig" + endif + +Arnd suggested adding "|| COMPILE_TEST" to the conditional, +instead of trying to track down every driver that selects +any of these PM symbols. + +Fixes the following kconfig warnings: + +WARNING: unmet direct dependencies detected for PM + Depends on [n]: SPARC64 [=n] + Selected by [y]: + - SUN20I_PPU [=y] && (ARCH_SUNXI || COMPILE_TEST [=y]) + +WARNING: unmet direct dependencies detected for PM + Depends on [n]: SPARC64 [=n] + Selected by [y]: + - SUN20I_PPU [=y] && (ARCH_SUNXI || COMPILE_TEST [=y]) + +WARNING: unmet direct dependencies detected for PM_GENERIC_DOMAINS + Depends on [n]: SPARC64 [=n] && PM [=y] + Selected by [y]: + - QCOM_GDSC [=y] && COMMON_CLK [=y] && PM [=y] + - SUN20I_PPU [=y] && (ARCH_SUNXI || COMPILE_TEST [=y]) + - MESON_GX_PM_DOMAINS [=y] && (ARCH_MESON || COMPILE_TEST [=y]) && PM [=y] && OF [=y] + - BCM2835_POWER [=y] && (ARCH_BCM2835 || COMPILE_TEST [=y] && OF [=y]) && PM [=y] + - BCM_PMB [=y] && (ARCH_BCMBCA || COMPILE_TEST [=y] && OF [=y]) && PM [=y] + - ROCKCHIP_PM_DOMAINS [=y] && (ARCH_ROCKCHIP || COMPILE_TEST [=y]) && PM [=y] + Selected by [m]: + - ARM_SCPI_POWER_DOMAIN [=m] && (ARM_SCPI_PROTOCOL [=m] || COMPILE_TEST [=y] && OF [=y]) && PM [=y] + - MESON_EE_PM_DOMAINS [=m] && (ARCH_MESON || COMPILE_TEST [=y]) && PM [=y] && OF [=y] + - QCOM_AOSS_QMP [=m] && (ARCH_QCOM || COMPILE_TEST [=y]) && MAILBOX [=y] && COMMON_CLK [=y] && PM [=y] + +WARNING: unmet direct dependencies detected for PM_GENERIC_DOMAINS_OF + Depends on [n]: SPARC64 [=n] && PM_GENERIC_DOMAINS [=y] && OF [=y] + Selected by [y]: + - MESON_GX_PM_DOMAINS [=y] && (ARCH_MESON || COMPILE_TEST [=y]) && PM [=y] && OF [=y] + Selected by [m]: + - MESON_EE_PM_DOMAINS [=m] && (ARCH_MESON || COMPILE_TEST [=y]) && PM [=y] && OF [=y] + +Link: https://lkml.kernel.org/r/20230205004357.29459-1-rdunlap@infradead.org +Fixes: bdde6b3c8ba4 ("sparc64: Hibernation support") +Signed-off-by: Randy Dunlap +Suggested-by: Arnd Bergmann +Acked-by: Sam Ravnborg +Cc: "David S. Miller" +Cc: Kirill Tkhai +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + arch/sparc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig +index 349e27771ceaf..8cb5bb020b4b6 100644 +--- a/arch/sparc/Kconfig ++++ b/arch/sparc/Kconfig +@@ -321,7 +321,7 @@ config FORCE_MAX_ZONEORDER + This config option is actually maximum order plus one. For example, + a value of 13 means that the largest free memory block is 2^12 pages. + +-if SPARC64 ++if SPARC64 || COMPILE_TEST + source "kernel/power/Kconfig" + endif + +-- +2.39.2 + diff --git a/queue-5.4/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch b/queue-5.4/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch new file mode 100644 index 00000000000..8d736a06a1d --- /dev/null +++ b/queue-5.4/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch @@ -0,0 +1,41 @@ +From 69d60fd26d677a9e0974c1f27f6a274ae6e6ae31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Feb 2023 22:58:17 -0800 +Subject: spi: bcm63xx-hsspi: Endianness fix for ARM based SoC + +From: William Zhang + +[ Upstream commit 85a84a61699990db6a025b5073f337f49933a875 ] + +HSSPI controller uses big endian for the opcode in the message to the +controller ping pong buffer. Use cpu_to_be16 to properly handle the +endianness for both big and little endian host. + +Fixes: 142168eba9dc ("spi: bcm63xx-hsspi: add bcm63xx HSSPI driver") +Signed-off-by: Kursad Oney +Signed-off-by: William Zhang +Acked-by: Florian Fainelli + +Link: https://lore.kernel.org/r/20230207065826.285013-7-william.zhang@broadcom.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index 509476a2d79bb..657855c56c1cb 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -192,7 +192,7 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t) + tx += curr_step; + } + +- __raw_writew(opcode | curr_step, bs->fifo); ++ __raw_writew((u16)cpu_to_be16(opcode | curr_step), bs->fifo); + + /* enable interrupt */ + __raw_writel(HSSPI_PINGx_CMD_DONE(0), +-- +2.39.2 + diff --git a/queue-5.4/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch b/queue-5.4/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch new file mode 100644 index 00000000000..e6082a92729 --- /dev/null +++ b/queue-5.4/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch @@ -0,0 +1,61 @@ +From b2f340123a54b2a8debd3111fb6c85f60407b87d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 12:02:41 -0800 +Subject: spi: bcm63xx-hsspi: Fix multi-bit mode setting + +From: William Zhang + +[ Upstream commit 811ff802aaf878ebbbaeac0307a0164fa21e7d40 ] + +Currently the driver always sets the controller to dual data bit mode +for both tx and rx data in the profile mode control register even for +single data bit transfer. Luckily the opcode is set correctly according +to SPI transfer data bit width so it does not actually cause issues. + +This change fixes the problem by setting tx and rx data bit mode field +correctly according to the actual SPI transfer tx and rx data bit width. + +Fixes: 142168eba9dc ("spi: bcm63xx-hsspi: add bcm63xx HSSPI driver") +Signed-off-by: William Zhang +Link: https://lore.kernel.org/r/20230209200246.141520-11-william.zhang@broadcom.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index b2b6ae4749568..3fe41c7de99ba 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -163,6 +163,7 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t) + int step_size = HSSPI_BUFFER_LEN; + const u8 *tx = t->tx_buf; + u8 *rx = t->rx_buf; ++ u32 val = 0; + + bcm63xx_hsspi_set_clk(bs, spi, t->speed_hz); + bcm63xx_hsspi_set_cs(bs, spi->chip_select, true); +@@ -178,11 +179,16 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t) + step_size -= HSSPI_OPCODE_LEN; + + if ((opcode == HSSPI_OP_READ && t->rx_nbits == SPI_NBITS_DUAL) || +- (opcode == HSSPI_OP_WRITE && t->tx_nbits == SPI_NBITS_DUAL)) ++ (opcode == HSSPI_OP_WRITE && t->tx_nbits == SPI_NBITS_DUAL)) { + opcode |= HSSPI_OP_MULTIBIT; + +- __raw_writel(1 << MODE_CTRL_MULTIDATA_WR_SIZE_SHIFT | +- 1 << MODE_CTRL_MULTIDATA_RD_SIZE_SHIFT | 0xff, ++ if (t->rx_nbits == SPI_NBITS_DUAL) ++ val |= 1 << MODE_CTRL_MULTIDATA_RD_SIZE_SHIFT; ++ if (t->tx_nbits == SPI_NBITS_DUAL) ++ val |= 1 << MODE_CTRL_MULTIDATA_WR_SIZE_SHIFT; ++ } ++ ++ __raw_writel(val | 0xff, + bs->regs + HSSPI_PROFILE_MODE_CTRL_REG(chip_select)); + + while (pending > 0) { +-- +2.39.2 + diff --git a/queue-5.4/spi-bcm63xx-hsspi-fix-pm_runtime.patch b/queue-5.4/spi-bcm63xx-hsspi-fix-pm_runtime.patch new file mode 100644 index 00000000000..569b4f4a9cc --- /dev/null +++ b/queue-5.4/spi-bcm63xx-hsspi-fix-pm_runtime.patch @@ -0,0 +1,60 @@ +From 14cd0a288422b924fd2ee9d5bd361901339fd8b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Feb 2021 16:18:51 +0100 +Subject: spi: bcm63xx-hsspi: fix pm_runtime +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Álvaro Fernández Rojas + +[ Upstream commit 216e8e80057a9f0b6366327881acf88eaf9f1fd4 ] + +The driver sets auto_runtime_pm to true, but it doesn't call +pm_runtime_enable(), which results in "Failed to power device" when PM support +is enabled. + +Signed-off-by: Álvaro Fernández Rojas +Link: https://lore.kernel.org/r/20210223151851.4110-3-noltari@gmail.com +Signed-off-by: Mark Brown +Stable-dep-of: 811ff802aaf8 ("spi: bcm63xx-hsspi: Fix multi-bit mode setting") +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index 657855c56c1cb..b2b6ae4749568 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -20,6 +20,8 @@ + #include + #include + #include ++#include ++#include + + #define HSSPI_GLOBAL_CTRL_REG 0x0 + #define GLOBAL_CTRL_CS_POLARITY_SHIFT 0 +@@ -428,13 +430,17 @@ static int bcm63xx_hsspi_probe(struct platform_device *pdev) + if (ret) + goto out_put_master; + ++ pm_runtime_enable(&pdev->dev); ++ + /* register and we are done */ + ret = devm_spi_register_master(dev, master); + if (ret) +- goto out_put_master; ++ goto out_pm_disable; + + return 0; + ++out_pm_disable: ++ pm_runtime_disable(&pdev->dev); + out_put_master: + spi_master_put(master); + out_disable_pll_clk: +-- +2.39.2 + diff --git a/queue-5.4/spi-synquacer-fix-timeout-handling-in-synquacer_spi_.patch b/queue-5.4/spi-synquacer-fix-timeout-handling-in-synquacer_spi_.patch new file mode 100644 index 00000000000..73425cf36e7 --- /dev/null +++ b/queue-5.4/spi-synquacer-fix-timeout-handling-in-synquacer_spi_.patch @@ -0,0 +1,47 @@ +From d9a7d7cb19cbf9aef6116f9b44b6cc1f8194122c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 14:01:28 +0100 +Subject: spi: synquacer: Fix timeout handling in synquacer_spi_transfer_one() + +From: Christophe JAILLET + +[ Upstream commit e6a0b671880207566e1ece983bf989dde60bc1d7 ] + +wait_for_completion_timeout() never returns a <0 value. It returns either +on timeout or a positive value (at least 1, or number of jiffies left +till timeout) + +So, fix the error handling path and return -ETIMEDOUT should a timeout +occur. + +Fixes: b0823ee35cf9 ("spi: Add spi driver for Socionext SynQuacer platform") +Signed-off-by: Christophe JAILLET +Acked-by: Jassi Brar +Link: https://lore.kernel.org/r/c2040bf3cfa201fd8890cfab14fa5a701ffeca14.1676466072.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-synquacer.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/spi-synquacer.c b/drivers/spi/spi-synquacer.c +index 1e10af6e10a90..5d6e4a59ce29b 100644 +--- a/drivers/spi/spi-synquacer.c ++++ b/drivers/spi/spi-synquacer.c +@@ -472,10 +472,9 @@ static int synquacer_spi_transfer_one(struct spi_master *master, + read_fifo(sspi); + } + +- if (status < 0) { +- dev_err(sspi->dev, "failed to transfer. status: 0x%x\n", +- status); +- return status; ++ if (status == 0) { ++ dev_err(sspi->dev, "failed to transfer. Timeout.\n"); ++ return -ETIMEDOUT; + } + + return 0; +-- +2.39.2 + diff --git a/queue-5.4/tap-tap_open-correctly-initialize-socket-uid.patch b/queue-5.4/tap-tap_open-correctly-initialize-socket-uid.patch new file mode 100644 index 00000000000..490cf5df8b8 --- /dev/null +++ b/queue-5.4/tap-tap_open-correctly-initialize-socket-uid.patch @@ -0,0 +1,47 @@ +From c4c0954dd70d54fde23973e66975b4e3736e4a10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Feb 2023 17:39:22 +0000 +Subject: tap: tap_open(): correctly initialize socket uid + +From: Pietro Borrello + +[ Upstream commit 66b2c338adce580dfce2199591e65e2bab889cff ] + +sock_init_data() assumes that the `struct socket` passed in input is +contained in a `struct socket_alloc` allocated with sock_alloc(). +However, tap_open() passes a `struct socket` embedded in a `struct +tap_queue` allocated with sk_alloc(). +This causes a type confusion when issuing a container_of() with +SOCK_INODE() in sock_init_data() which results in assigning a wrong +sk_uid to the `struct sock` in input. +On default configuration, the type confused field overlaps with +padding bytes between `int vnet_hdr_sz` and `struct tap_dev __rcu +*tap` in `struct tap_queue`, which makes the uid of all tap sockets 0, +i.e., the root one. +Fix the assignment by using sock_init_data_uid(). + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Pietro Borrello +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/tap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/tap.c b/drivers/net/tap.c +index f870d08bb1f86..a522d1673fa87 100644 +--- a/drivers/net/tap.c ++++ b/drivers/net/tap.c +@@ -525,7 +525,7 @@ static int tap_open(struct inode *inode, struct file *file) + q->sock.state = SS_CONNECTED; + q->sock.file = file; + q->sock.ops = &tap_socket_ops; +- sock_init_data(&q->sock, &q->sk); ++ sock_init_data_uid(&q->sock, &q->sk, inode->i_uid); + q->sk.sk_write_space = tap_sock_write_space; + q->sk.sk_destruct = tap_sock_destruct; + q->flags = IFF_VNET_HDR | IFF_NO_PI | IFF_TAP; +-- +2.39.2 + diff --git a/queue-5.4/thermal-drivers-hisi-drop-second-sensor-hi3660.patch b/queue-5.4/thermal-drivers-hisi-drop-second-sensor-hi3660.patch new file mode 100644 index 00000000000..fab415488e9 --- /dev/null +++ b/queue-5.4/thermal-drivers-hisi-drop-second-sensor-hi3660.patch @@ -0,0 +1,46 @@ +From 17a8cb4758f4df8b59bb8dd6238b10c16cf36506 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 22:15:07 +0800 +Subject: thermal/drivers/hisi: Drop second sensor hi3660 + +From: Yongqin Liu + +[ Upstream commit 15cc25829a97c3957e520e971868aacc84341317 ] + +The commit 74c8e6bffbe1 ("driver core: Add __alloc_size hint to devm +allocators") exposes a panic "BRK handler: Fatal exception" on the +hi3660_thermal_probe funciton. +This is because the function allocates memory for only one +sensors array entry, but tries to fill up a second one. + +Fix this by removing the unneeded second access. + +Fixes: 7d3a2a2bbadb ("thermal/drivers/hisi: Fix number of sensors on hi3660") +Signed-off-by: Yongqin Liu +Link: https://lore.kernel.org/linux-mm/20221101223321.1326815-5-keescook@chromium.org/ +Link: https://lore.kernel.org/r/20230210141507.71014-1-yongqin.liu@linaro.org +Signed-off-by: Daniel Lezcano +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/hisi_thermal.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/thermal/hisi_thermal.c b/drivers/thermal/hisi_thermal.c +index 2d26ae80e2022..bee6d3524e52a 100644 +--- a/drivers/thermal/hisi_thermal.c ++++ b/drivers/thermal/hisi_thermal.c +@@ -435,10 +435,6 @@ static int hi3660_thermal_probe(struct hisi_thermal_data *data) + data->sensor[0].irq_name = "tsensor_a73"; + data->sensor[0].data = data; + +- data->sensor[1].id = HI3660_LITTLE_SENSOR; +- data->sensor[1].irq_name = "tsensor_a53"; +- data->sensor[1].data = data; +- + return 0; + } + +-- +2.39.2 + diff --git a/queue-5.4/thermal-intel-fix-unsigned-comparison-with-less-than.patch b/queue-5.4/thermal-intel-fix-unsigned-comparison-with-less-than.patch new file mode 100644 index 00000000000..d9a30cf7371 --- /dev/null +++ b/queue-5.4/thermal-intel-fix-unsigned-comparison-with-less-than.patch @@ -0,0 +1,42 @@ +From f36b1525c81ce400f7f386aee07d195639b27b4e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 08:59:51 +0800 +Subject: thermal: intel: Fix unsigned comparison with less than zero + +From: Yang Li + +[ Upstream commit e7fcfe67f9f410736b758969477b17ea285e8e6c ] + +The return value from the call to intel_tcc_get_tjmax() is int, which can +be a negative error code. However, the return value is being assigned to +an u32 variable 'tj_max', so making 'tj_max' an int. + +Eliminate the following warning: +./drivers/thermal/intel/intel_soc_dts_iosf.c:394:5-11: WARNING: Unsigned expression compared with zero: tj_max < 0 + +Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3637 +Reported-by: Abaci Robot +Signed-off-by: Yang Li +Acked-by: Zhang Rui +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/intel/intel_soc_dts_iosf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/intel/intel_soc_dts_iosf.c b/drivers/thermal/intel/intel_soc_dts_iosf.c +index 5716b62e0f732..410f13f6cba48 100644 +--- a/drivers/thermal/intel/intel_soc_dts_iosf.c ++++ b/drivers/thermal/intel/intel_soc_dts_iosf.c +@@ -396,7 +396,7 @@ struct intel_soc_dts_sensors *intel_soc_dts_iosf_init( + { + struct intel_soc_dts_sensors *sensors; + bool notification; +- u32 tj_max; ++ int tj_max; + int ret; + int i; + +-- +2.39.2 + diff --git a/queue-5.4/timers-prevent-union-confusion-from-unexpected-resta.patch b/queue-5.4/timers-prevent-union-confusion-from-unexpected-resta.patch new file mode 100644 index 00000000000..41eb5c78d8a --- /dev/null +++ b/queue-5.4/timers-prevent-union-confusion-from-unexpected-resta.patch @@ -0,0 +1,108 @@ +From adf236f2c7ac50dd68f79aebec1f5a5c69576a69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jan 2023 14:44:03 +0100 +Subject: timers: Prevent union confusion from unexpected restart_syscall() + +From: Jann Horn + +[ Upstream commit 9f76d59173d9d146e96c66886b671c1915a5c5e5 ] + +The nanosleep syscalls use the restart_block mechanism, with a quirk: +The `type` and `rmtp`/`compat_rmtp` fields are set up unconditionally on +syscall entry, while the rest of the restart_block is only set up in the +unlikely case that the syscall is actually interrupted by a signal (or +pseudo-signal) that doesn't have a signal handler. + +If the restart_block was set up by a previous syscall (futex(..., +FUTEX_WAIT, ...) or poll()) and hasn't been invalidated somehow since then, +this will clobber some of the union fields used by futex_wait_restart() and +do_restart_poll(). + +If userspace afterwards wrongly calls the restart_syscall syscall, +futex_wait_restart()/do_restart_poll() will read struct fields that have +been clobbered. + +This doesn't actually lead to anything particularly interesting because +none of the union fields contain trusted kernel data, and +futex(..., FUTEX_WAIT, ...) and poll() aren't syscalls where it makes much +sense to apply seccomp filters to their arguments. + +So the current consequences are just of the "if userspace does bad stuff, +it can damage itself, and that's not a problem" flavor. + +But still, it seems like a hazard for future developers, so invalidate the +restart_block when partly setting it up in the nanosleep syscalls. + +Signed-off-by: Jann Horn +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20230105134403.754986-1-jannh@google.com +Signed-off-by: Sasha Levin +--- + kernel/time/hrtimer.c | 2 ++ + kernel/time/posix-stubs.c | 2 ++ + kernel/time/posix-timers.c | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index e1e8d5dab0c59..8e3c9228aec97 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -2020,6 +2020,7 @@ SYSCALL_DEFINE2(nanosleep, struct __kernel_timespec __user *, rqtp, + if (!timespec64_valid(&tu)) + return -EINVAL; + ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; + current->restart_block.nanosleep.rmtp = rmtp; + return hrtimer_nanosleep(&tu, HRTIMER_MODE_REL, CLOCK_MONOTONIC); +@@ -2040,6 +2041,7 @@ SYSCALL_DEFINE2(nanosleep_time32, struct old_timespec32 __user *, rqtp, + if (!timespec64_valid(&tu)) + return -EINVAL; + ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; + current->restart_block.nanosleep.compat_rmtp = rmtp; + return hrtimer_nanosleep(&tu, HRTIMER_MODE_REL, CLOCK_MONOTONIC); +diff --git a/kernel/time/posix-stubs.c b/kernel/time/posix-stubs.c +index 67df65f887ac8..8ddb35d9779cb 100644 +--- a/kernel/time/posix-stubs.c ++++ b/kernel/time/posix-stubs.c +@@ -142,6 +142,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; + current->restart_block.nanosleep.rmtp = rmtp; + return hrtimer_nanosleep(&t, flags & TIMER_ABSTIME ? +@@ -228,6 +229,7 @@ SYSCALL_DEFINE4(clock_nanosleep_time32, clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; + current->restart_block.nanosleep.compat_rmtp = rmtp; + return hrtimer_nanosleep(&t, flags & TIMER_ABSTIME ? +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index 97d4a9dcf3399..efe3873021a37 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -1224,6 +1224,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; + current->restart_block.nanosleep.rmtp = rmtp; + +@@ -1251,6 +1252,7 @@ SYSCALL_DEFINE4(clock_nanosleep_time32, clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; + current->restart_block.nanosleep.compat_rmtp = rmtp; + +-- +2.39.2 + diff --git a/queue-5.4/treewide-replace-declare_tasklet-with-declare_taskle.patch b/queue-5.4/treewide-replace-declare_tasklet-with-declare_taskle.patch new file mode 100644 index 00000000000..78b84b624f2 --- /dev/null +++ b/queue-5.4/treewide-replace-declare_tasklet-with-declare_taskle.patch @@ -0,0 +1,265 @@ +From 62aa245e2be5e352984f78382e025a15dcb1bee9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 15:01:26 -0700 +Subject: treewide: Replace DECLARE_TASKLET() with DECLARE_TASKLET_OLD() + +From: Kees Cook + +[ Upstream commit b13fecb1c3a603c4b8e99b306fecf4f668c11b32 ] + +This converts all the existing DECLARE_TASKLET() (and ...DISABLED) +macros with DECLARE_TASKLET_OLD() in preparation for refactoring the +tasklet callback type. All existing DECLARE_TASKLET() users had a "0" +data argument, it has been removed here as well. + +Reviewed-by: Greg Kroah-Hartman +Acked-by: Thomas Gleixner +Signed-off-by: Kees Cook +Stable-dep-of: 1fdeb8b9f29d ("wifi: iwl3945: Add missing check for create_singlethread_workqueue") +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/omap-keypad.c | 2 +- + drivers/input/serio/hil_mlc.c | 2 +- + drivers/net/wan/farsync.c | 4 ++-- + drivers/s390/crypto/ap_bus.c | 2 +- + drivers/staging/most/dim2/dim2.c | 2 +- + drivers/staging/octeon/ethernet-tx.c | 2 +- + drivers/tty/vt/keyboard.c | 2 +- + drivers/usb/gadget/udc/snps_udc_core.c | 2 +- + drivers/usb/host/fhci-sched.c | 2 +- + include/linux/interrupt.h | 15 ++++++++++----- + kernel/backtracetest.c | 2 +- + kernel/debug/debug_core.c | 2 +- + kernel/irq/resend.c | 2 +- + net/atm/pppoatm.c | 2 +- + net/iucv/iucv.c | 2 +- + sound/drivers/pcsp/pcsp_lib.c | 2 +- + 16 files changed, 26 insertions(+), 21 deletions(-) + +diff --git a/drivers/input/keyboard/omap-keypad.c b/drivers/input/keyboard/omap-keypad.c +index 5fe7a5633e33b..dbe836c7ff473 100644 +--- a/drivers/input/keyboard/omap-keypad.c ++++ b/drivers/input/keyboard/omap-keypad.c +@@ -46,7 +46,7 @@ struct omap_kp { + unsigned short keymap[]; + }; + +-static DECLARE_TASKLET_DISABLED(kp_tasklet, omap_kp_tasklet, 0); ++static DECLARE_TASKLET_DISABLED_OLD(kp_tasklet, omap_kp_tasklet); + + static unsigned int *row_gpios; + static unsigned int *col_gpios; +diff --git a/drivers/input/serio/hil_mlc.c b/drivers/input/serio/hil_mlc.c +index 4c039e4125d92..d36e89d6fc546 100644 +--- a/drivers/input/serio/hil_mlc.c ++++ b/drivers/input/serio/hil_mlc.c +@@ -77,7 +77,7 @@ static struct timer_list hil_mlcs_kicker; + static int hil_mlcs_probe, hil_mlc_stop; + + static void hil_mlcs_process(unsigned long unused); +-static DECLARE_TASKLET_DISABLED(hil_mlcs_tasklet, hil_mlcs_process, 0); ++static DECLARE_TASKLET_DISABLED_OLD(hil_mlcs_tasklet, hil_mlcs_process); + + + /* #define HIL_MLC_DEBUG */ +diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c +index a2527351f8a7a..6ac6a649d4c2d 100644 +--- a/drivers/net/wan/farsync.c ++++ b/drivers/net/wan/farsync.c +@@ -569,8 +569,8 @@ static void do_bottom_half_rx(struct fst_card_info *card); + static void fst_process_tx_work_q(unsigned long work_q); + static void fst_process_int_work_q(unsigned long work_q); + +-static DECLARE_TASKLET(fst_tx_task, fst_process_tx_work_q, 0); +-static DECLARE_TASKLET(fst_int_task, fst_process_int_work_q, 0); ++static DECLARE_TASKLET_OLD(fst_tx_task, fst_process_tx_work_q); ++static DECLARE_TASKLET_OLD(fst_int_task, fst_process_int_work_q); + + static struct fst_card_info *fst_card_array[FST_MAX_CARDS]; + static spinlock_t fst_work_q_lock; +diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c +index 5256e3ce84e56..fb1de363fb288 100644 +--- a/drivers/s390/crypto/ap_bus.c ++++ b/drivers/s390/crypto/ap_bus.c +@@ -91,7 +91,7 @@ static DECLARE_WORK(ap_scan_work, ap_scan_bus); + * Tasklet & timer for AP request polling and interrupts + */ + static void ap_tasklet_fn(unsigned long); +-static DECLARE_TASKLET(ap_tasklet, ap_tasklet_fn, 0); ++static DECLARE_TASKLET_OLD(ap_tasklet, ap_tasklet_fn); + static DECLARE_WAIT_QUEUE_HEAD(ap_poll_wait); + static struct task_struct *ap_poll_kthread; + static DEFINE_MUTEX(ap_poll_thread_mutex); +diff --git a/drivers/staging/most/dim2/dim2.c b/drivers/staging/most/dim2/dim2.c +index 64c979155a49f..774abedad9873 100644 +--- a/drivers/staging/most/dim2/dim2.c ++++ b/drivers/staging/most/dim2/dim2.c +@@ -47,7 +47,7 @@ MODULE_PARM_DESC(fcnt, "Num of frames per sub-buffer for sync channels as a powe + static DEFINE_SPINLOCK(dim_lock); + + static void dim2_tasklet_fn(unsigned long data); +-static DECLARE_TASKLET(dim2_tasklet, dim2_tasklet_fn, 0); ++static DECLARE_TASKLET_OLD(dim2_tasklet, dim2_tasklet_fn); + + /** + * struct hdm_channel - private structure to keep channel specific data +diff --git a/drivers/staging/octeon/ethernet-tx.c b/drivers/staging/octeon/ethernet-tx.c +index fe6e1ae73460a..100b235b5688e 100644 +--- a/drivers/staging/octeon/ethernet-tx.c ++++ b/drivers/staging/octeon/ethernet-tx.c +@@ -41,7 +41,7 @@ + #endif + + static void cvm_oct_tx_do_cleanup(unsigned long arg); +-static DECLARE_TASKLET(cvm_oct_tx_cleanup_tasklet, cvm_oct_tx_do_cleanup, 0); ++static DECLARE_TASKLET_OLD(cvm_oct_tx_cleanup_tasklet, cvm_oct_tx_do_cleanup); + + /* Maximum number of SKBs to try to free per xmit packet. */ + #define MAX_SKB_TO_FREE (MAX_OUT_QUEUE_DEPTH * 2) +diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c +index 68643f61f6f90..0da9e0ab045bd 100644 +--- a/drivers/tty/vt/keyboard.c ++++ b/drivers/tty/vt/keyboard.c +@@ -1241,7 +1241,7 @@ static void kbd_bh(unsigned long dummy) + } + } + +-DECLARE_TASKLET_DISABLED(keyboard_tasklet, kbd_bh, 0); ++DECLARE_TASKLET_DISABLED_OLD(keyboard_tasklet, kbd_bh); + + #if defined(CONFIG_X86) || defined(CONFIG_IA64) || defined(CONFIG_ALPHA) ||\ + defined(CONFIG_MIPS) || defined(CONFIG_PPC) || defined(CONFIG_SPARC) ||\ +diff --git a/drivers/usb/gadget/udc/snps_udc_core.c b/drivers/usb/gadget/udc/snps_udc_core.c +index afdd28f332ced..e76f1a50b0fc9 100644 +--- a/drivers/usb/gadget/udc/snps_udc_core.c ++++ b/drivers/usb/gadget/udc/snps_udc_core.c +@@ -96,7 +96,7 @@ static int stop_pollstall_timer; + static DECLARE_COMPLETION(on_pollstall_exit); + + /* tasklet for usb disconnect */ +-static DECLARE_TASKLET(disconnect_tasklet, udc_tasklet_disconnect, 0); ++static DECLARE_TASKLET_OLD(disconnect_tasklet, udc_tasklet_disconnect); + + /* endpoint names used for print */ + static const char ep0_string[] = "ep0in"; +diff --git a/drivers/usb/host/fhci-sched.c b/drivers/usb/host/fhci-sched.c +index 3235d53074038..5c423f240a1f0 100644 +--- a/drivers/usb/host/fhci-sched.c ++++ b/drivers/usb/host/fhci-sched.c +@@ -677,7 +677,7 @@ static void process_done_list(unsigned long data) + enable_irq(fhci_to_hcd(fhci)->irq); + } + +-DECLARE_TASKLET(fhci_tasklet, process_done_list, 0); ++DECLARE_TASKLET_OLD(fhci_tasklet, process_done_list); + + /* transfer complted callback */ + u32 fhci_transfer_confirm_callback(struct fhci_hcd *fhci) +diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h +index 89fc59dab57d2..30e92536c78cc 100644 +--- a/include/linux/interrupt.h ++++ b/include/linux/interrupt.h +@@ -598,12 +598,17 @@ struct tasklet_struct + unsigned long data; + }; + +-#define DECLARE_TASKLET(name, func, data) \ +-struct tasklet_struct name = { NULL, 0, ATOMIC_INIT(0), func, data } +- +-#define DECLARE_TASKLET_DISABLED(name, func, data) \ +-struct tasklet_struct name = { NULL, 0, ATOMIC_INIT(1), func, data } ++#define DECLARE_TASKLET_OLD(name, _func) \ ++struct tasklet_struct name = { \ ++ .count = ATOMIC_INIT(0), \ ++ .func = _func, \ ++} + ++#define DECLARE_TASKLET_DISABLED_OLD(name, _func) \ ++struct tasklet_struct name = { \ ++ .count = ATOMIC_INIT(1), \ ++ .func = _func, \ ++} + + enum + { +diff --git a/kernel/backtracetest.c b/kernel/backtracetest.c +index a2a97fa3071b1..370217dd7e39a 100644 +--- a/kernel/backtracetest.c ++++ b/kernel/backtracetest.c +@@ -29,7 +29,7 @@ static void backtrace_test_irq_callback(unsigned long data) + complete(&backtrace_work); + } + +-static DECLARE_TASKLET(backtrace_tasklet, &backtrace_test_irq_callback, 0); ++static DECLARE_TASKLET_OLD(backtrace_tasklet, &backtrace_test_irq_callback); + + static void backtrace_test_irq(void) + { +diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c +index 565987557ad89..f88611fadb195 100644 +--- a/kernel/debug/debug_core.c ++++ b/kernel/debug/debug_core.c +@@ -1043,7 +1043,7 @@ static void kgdb_tasklet_bpt(unsigned long ing) + atomic_set(&kgdb_break_tasklet_var, 0); + } + +-static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0); ++static DECLARE_TASKLET_OLD(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt); + + void kgdb_schedule_breakpoint(void) + { +diff --git a/kernel/irq/resend.c b/kernel/irq/resend.c +index 98c04ca5fa43d..b7af39e36341b 100644 +--- a/kernel/irq/resend.c ++++ b/kernel/irq/resend.c +@@ -45,7 +45,7 @@ static void resend_irqs(unsigned long arg) + } + + /* Tasklet to handle resend: */ +-static DECLARE_TASKLET(resend_tasklet, resend_irqs, 0); ++static DECLARE_TASKLET_OLD(resend_tasklet, resend_irqs); + + #endif + +diff --git a/net/atm/pppoatm.c b/net/atm/pppoatm.c +index 45d8e1d5d033e..579b66da1d95d 100644 +--- a/net/atm/pppoatm.c ++++ b/net/atm/pppoatm.c +@@ -393,7 +393,7 @@ static int pppoatm_assign_vcc(struct atm_vcc *atmvcc, void __user *arg) + * Each PPPoATM instance has its own tasklet - this is just a + * prototypical one used to initialize them + */ +- static const DECLARE_TASKLET(tasklet_proto, pppoatm_wakeup_sender, 0); ++ static const DECLARE_TASKLET_OLD(tasklet_proto, pppoatm_wakeup_sender); + if (copy_from_user(&be, arg, sizeof be)) + return -EFAULT; + if (be.encaps != PPPOATM_ENCAPS_AUTODETECT && +diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c +index 9a2d023842fe7..a4d1b5b7a1543 100644 +--- a/net/iucv/iucv.c ++++ b/net/iucv/iucv.c +@@ -128,7 +128,7 @@ static LIST_HEAD(iucv_task_queue); + * The tasklet for fast delivery of iucv interrupts. + */ + static void iucv_tasklet_fn(unsigned long); +-static DECLARE_TASKLET(iucv_tasklet, iucv_tasklet_fn,0); ++static DECLARE_TASKLET_OLD(iucv_tasklet, iucv_tasklet_fn); + + /* + * Queue of interrupt buffers for delivery via a work queue +diff --git a/sound/drivers/pcsp/pcsp_lib.c b/sound/drivers/pcsp/pcsp_lib.c +index 8f0f05bbc0819..ce5bab7425d5e 100644 +--- a/sound/drivers/pcsp/pcsp_lib.c ++++ b/sound/drivers/pcsp/pcsp_lib.c +@@ -36,7 +36,7 @@ static void pcsp_call_pcm_elapsed(unsigned long priv) + } + } + +-static DECLARE_TASKLET(pcsp_pcm_tasklet, pcsp_call_pcm_elapsed, 0); ++static DECLARE_TASKLET_OLD(pcsp_pcm_tasklet, pcsp_call_pcm_elapsed); + + /* write the port and returns the next expire time in ns; + * called at the trigger-start and in hrtimer callback +-- +2.39.2 + diff --git a/queue-5.4/tun-tun_chr_open-correctly-initialize-socket-uid.patch b/queue-5.4/tun-tun_chr_open-correctly-initialize-socket-uid.patch new file mode 100644 index 00000000000..b5091badd0e --- /dev/null +++ b/queue-5.4/tun-tun_chr_open-correctly-initialize-socket-uid.patch @@ -0,0 +1,47 @@ +From 4a599ecc5763a254466201fd4548a35ca178a0aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Feb 2023 17:39:21 +0000 +Subject: tun: tun_chr_open(): correctly initialize socket uid + +From: Pietro Borrello + +[ Upstream commit a096ccca6e503a5c575717ff8a36ace27510ab0a ] + +sock_init_data() assumes that the `struct socket` passed in input is +contained in a `struct socket_alloc` allocated with sock_alloc(). +However, tun_chr_open() passes a `struct socket` embedded in a `struct +tun_file` allocated with sk_alloc(). +This causes a type confusion when issuing a container_of() with +SOCK_INODE() in sock_init_data() which results in assigning a wrong +sk_uid to the `struct sock` in input. +On default configuration, the type confused field overlaps with the +high 4 bytes of `struct tun_struct __rcu *tun` of `struct tun_file`, +NULL at the time of call, which makes the uid of all tun sockets 0, +i.e., the root one. +Fix the assignment by using sock_init_data_uid(). + +Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.") +Signed-off-by: Pietro Borrello +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/tun.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 957e6051c535b..5d94ac0250ecf 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -3525,7 +3525,7 @@ static int tun_chr_open(struct inode *inode, struct file * file) + tfile->socket.file = file; + tfile->socket.ops = &tun_socket_ops; + +- sock_init_data(&tfile->socket, &tfile->sk); ++ sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid); + + tfile->sk.sk_write_space = tun_sock_write_space; + tfile->sk.sk_sndbuf = INT_MAX; +-- +2.39.2 + diff --git a/queue-5.4/uaccess-add-minimum-bounds-check-on-kernel-buffer-si.patch b/queue-5.4/uaccess-add-minimum-bounds-check-on-kernel-buffer-si.patch new file mode 100644 index 00000000000..2ea737afffe --- /dev/null +++ b/queue-5.4/uaccess-add-minimum-bounds-check-on-kernel-buffer-si.patch @@ -0,0 +1,70 @@ +From b7284c9ba5d2555dc0537e6f96116633942c3e37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 17:37:59 -0800 +Subject: uaccess: Add minimum bounds check on kernel buffer size + +From: Kees Cook + +[ Upstream commit 04ffde1319a715bd0550ded3580d4ea3bc003776 ] + +While there is logic about the difference between ksize and usize, +copy_struct_from_user() didn't check the size of the destination buffer +(when it was known) against ksize. Add this check so there is an upper +bounds check on the possible memset() call, otherwise lower bounds +checks made by callers will trigger bounds warnings under -Warray-bounds. +Seen under GCC 13: + +In function 'copy_struct_from_user', + inlined from 'iommufd_fops_ioctl' at +../drivers/iommu/iommufd/main.c:333:8: +../include/linux/fortify-string.h:59:33: warning: '__builtin_memset' offset [57, 4294967294] is out of the bounds [0, 56] of object 'buf' with type 'union ucmd_buffer' [-Warray-bounds=] + 59 | #define __underlying_memset __builtin_memset + | ^ +../include/linux/fortify-string.h:453:9: note: in expansion of macro '__underlying_memset' + 453 | __underlying_memset(p, c, __fortify_size); \ + | ^~~~~~~~~~~~~~~~~~~ +../include/linux/fortify-string.h:461:25: note: in expansion of macro '__fortify_memset_chk' + 461 | #define memset(p, c, s) __fortify_memset_chk(p, c, s, \ + | ^~~~~~~~~~~~~~~~~~~~ +../include/linux/uaccess.h:334:17: note: in expansion of macro 'memset' + 334 | memset(dst + size, 0, rest); + | ^~~~~~ +../drivers/iommu/iommufd/main.c: In function 'iommufd_fops_ioctl': +../drivers/iommu/iommufd/main.c:311:27: note: 'buf' declared here + 311 | union ucmd_buffer buf; + | ^~~ + +Cc: Christian Brauner +Cc: Rasmus Villemoes +Cc: Arnd Bergmann +Cc: Dinh Nguyen +Cc: Catalin Marinas +Cc: Andrew Morton +Cc: Geert Uytterhoeven +Cc: Alexander Potapenko +Acked-by: Aleksa Sarai +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/lkml/20230203193523.never.667-kees@kernel.org/ +Signed-off-by: Sasha Levin +--- + include/linux/uaccess.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h +index 38555435a64a3..70941f49d66ee 100644 +--- a/include/linux/uaccess.h ++++ b/include/linux/uaccess.h +@@ -287,6 +287,10 @@ copy_struct_from_user(void *dst, size_t ksize, const void __user *src, + size_t size = min(ksize, usize); + size_t rest = max(ksize, usize) - size; + ++ /* Double check if ksize is larger than a known object size. */ ++ if (WARN_ON_ONCE(ksize > __builtin_object_size(dst, 1))) ++ return -E2BIG; ++ + /* Deal with trailing bytes. */ + if (usize < ksize) { + memset(dst + size, 0, rest); +-- +2.39.2 + diff --git a/queue-5.4/udf-define-efscorrupted-error-code.patch b/queue-5.4/udf-define-efscorrupted-error-code.patch new file mode 100644 index 00000000000..fe584e57bfb --- /dev/null +++ b/queue-5.4/udf-define-efscorrupted-error-code.patch @@ -0,0 +1,34 @@ +From ad718295a29c271d4948ac09899687272e425158 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 16:34:45 +0200 +Subject: udf: Define EFSCORRUPTED error code + +From: Jan Kara + +[ Upstream commit 3d2d7e61553dbcc8ba45201d8ae4f383742c8202 ] + +Similarly to other filesystems define EFSCORRUPTED error code for +reporting internal filesystem corruption. + +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/udf_sb.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h +index 8eace7a633d38..d91cbfb08983e 100644 +--- a/fs/udf/udf_sb.h ++++ b/fs/udf/udf_sb.h +@@ -51,6 +51,8 @@ + #define MF_DUPLICATE_MD 0x01 + #define MF_MIRROR_FE_LOADED 0x02 + ++#define EFSCORRUPTED EUCLEAN ++ + struct udf_meta_data { + __u32 s_meta_file_loc; + __u32 s_mirror_file_loc; +-- +2.39.2 + diff --git a/queue-5.4/usb-gadget-udc-avoid-tasklet-passing-a-global.patch b/queue-5.4/usb-gadget-udc-avoid-tasklet-passing-a-global.patch new file mode 100644 index 00000000000..d69c0946f8f --- /dev/null +++ b/queue-5.4/usb-gadget-udc-avoid-tasklet-passing-a-global.patch @@ -0,0 +1,49 @@ +From bca1129972a7d29a1fc1e3c50e39ff0999e2f249 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 15:01:33 -0700 +Subject: usb: gadget: udc: Avoid tasklet passing a global + +From: Kees Cook + +[ Upstream commit f9dc3713df1229aa8168169e9cf1010fbac68de5 ] + +There's no reason for the tasklet callback to set an argument since it +always uses a global. Instead, use the global directly, in preparation +for converting the tasklet subsystem to modern callback conventions. + +Reviewed-by: Greg Kroah-Hartman +Acked-by: Thomas Gleixner +Signed-off-by: Kees Cook +Stable-dep-of: 1fdeb8b9f29d ("wifi: iwl3945: Add missing check for create_singlethread_workqueue") +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/snps_udc_core.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/gadget/udc/snps_udc_core.c b/drivers/usb/gadget/udc/snps_udc_core.c +index 3fcded31405a7..afdd28f332ced 100644 +--- a/drivers/usb/gadget/udc/snps_udc_core.c ++++ b/drivers/usb/gadget/udc/snps_udc_core.c +@@ -96,9 +96,7 @@ static int stop_pollstall_timer; + static DECLARE_COMPLETION(on_pollstall_exit); + + /* tasklet for usb disconnect */ +-static DECLARE_TASKLET(disconnect_tasklet, udc_tasklet_disconnect, +- (unsigned long) &udc); +- ++static DECLARE_TASKLET(disconnect_tasklet, udc_tasklet_disconnect, 0); + + /* endpoint names used for print */ + static const char ep0_string[] = "ep0in"; +@@ -1661,7 +1659,7 @@ static void usb_disconnect(struct udc *dev) + /* Tasklet for disconnect to be outside of interrupt context */ + static void udc_tasklet_disconnect(unsigned long par) + { +- struct udc *dev = (struct udc *)(*((struct udc **) par)); ++ struct udc *dev = udc; + u32 tmp; + + DBG(dev, "Tasklet disconnect\n"); +-- +2.39.2 + diff --git a/queue-5.4/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch b/queue-5.4/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch new file mode 100644 index 00000000000..01825be0f1e --- /dev/null +++ b/queue-5.4/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch @@ -0,0 +1,62 @@ +From a81281bc9b25cadea558a83b8bc3b8bfbe71d888 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 21:41:30 +0900 +Subject: wifi: ath9k: Fix potential stack-out-of-bounds write in + ath9k_wmi_rsp_callback() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Minsuk Kang + +[ Upstream commit 8a2f35b9830692f7a616f2f627f943bc748af13a ] + +Fix a stack-out-of-bounds write that occurs in a WMI response callback +function that is called after a timeout occurs in ath9k_wmi_cmd(). +The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that +could no longer be valid when a timeout occurs. Set wmi->last_seq_id to +0 when a timeout occurred. + +Found by a modified version of syzkaller. + +BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx +Write of size 4 +Call Trace: + memcpy + ath9k_wmi_ctrl_rx + ath9k_htc_rx_msg + ath9k_hif_usb_reg_in_cb + __usb_hcd_giveback_urb + usb_hcd_giveback_urb + dummy_timer + call_timer_fn + run_timer_softirq + __do_softirq + irq_exit_rcu + sysvec_apic_timer_interrupt + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Minsuk Kang +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230104124130.10996-1-linuxlovemin@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index e7a3127395be9..deb22b8c2065f 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -338,6 +338,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + if (!time_left) { + ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", + wmi_cmd_to_name(cmd_id)); ++ wmi->last_seq_id = 0; + mutex_unlock(&wmi->op_mutex); + return -ETIMEDOUT; + } +-- +2.39.2 + diff --git a/queue-5.4/wifi-ath9k-hif_usb-clean-up-skbs-if-ath9k_hif_usb_rx.patch b/queue-5.4/wifi-ath9k-hif_usb-clean-up-skbs-if-ath9k_hif_usb_rx.patch new file mode 100644 index 00000000000..09760e41019 --- /dev/null +++ b/queue-5.4/wifi-ath9k-hif_usb-clean-up-skbs-if-ath9k_hif_usb_rx.patch @@ -0,0 +1,125 @@ +From a419405c24539392e0b5ea2b6b13e91795a85fca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 15:36:15 +0300 +Subject: wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() + fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 0af54343a76263a12dbae7fafb64eb47c4a6ad38 ] + +Syzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream(). +While processing skbs in ath9k_hif_usb_rx_stream(), the already allocated +skbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we +have an incorrect pkt_len or pkt_tag, the input skb is considered invalid +and dropped. All the associated packets already in skb_pool should be +dropped and freed. Added a comment describing this issue. + +The patch also makes remain_skb NULL after being processed so that it +cannot be referenced after potential free. The initialization of hif_dev +fields which are associated with remain_skb (rx_remain_len, +rx_transfer_len and rx_pad_len) is moved after a new remain_skb is +allocated. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 6ce708f54cc8 ("ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream") +Fixes: 44b23b488d44 ("ath9k: hif_usb: Reduce indent 1 column") +Reported-by: syzbot+e9632e3eb038d93d6bc6@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230104123615.51511-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 31 +++++++++++++++++------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index f68e47f9b01e2..e23d58f83dd6f 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -561,11 +561,11 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + memcpy(ptr, skb->data, rx_remain_len); + + rx_pkt_len += rx_remain_len; +- hif_dev->rx_remain_len = 0; + skb_put(remain_skb, rx_pkt_len); + + skb_pool[pool_index++] = remain_skb; +- ++ hif_dev->remain_skb = NULL; ++ hif_dev->rx_remain_len = 0; + } else { + index = rx_remain_len; + } +@@ -584,16 +584,21 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + pkt_len = get_unaligned_le16(ptr + index); + pkt_tag = get_unaligned_le16(ptr + index + 2); + ++ /* It is supposed that if we have an invalid pkt_tag or ++ * pkt_len then the whole input SKB is considered invalid ++ * and dropped; the associated packets already in skb_pool ++ * are dropped, too. ++ */ + if (pkt_tag != ATH_USB_RX_STREAM_MODE_TAG) { + RX_STAT_INC(hif_dev, skb_dropped); +- return; ++ goto invalid_pkt; + } + + if (pkt_len > 2 * MAX_RX_BUF_SIZE) { + dev_err(&hif_dev->udev->dev, + "ath9k_htc: invalid pkt_len (%x)\n", pkt_len); + RX_STAT_INC(hif_dev, skb_dropped); +- return; ++ goto invalid_pkt; + } + + pad_len = 4 - (pkt_len & 0x3); +@@ -605,11 +610,6 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + + if (index > MAX_RX_BUF_SIZE) { + spin_lock(&hif_dev->rx_lock); +- hif_dev->rx_remain_len = index - MAX_RX_BUF_SIZE; +- hif_dev->rx_transfer_len = +- MAX_RX_BUF_SIZE - chk_idx - 4; +- hif_dev->rx_pad_len = pad_len; +- + nskb = __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC); + if (!nskb) { + dev_err(&hif_dev->udev->dev, +@@ -617,6 +617,12 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + spin_unlock(&hif_dev->rx_lock); + goto err; + } ++ ++ hif_dev->rx_remain_len = index - MAX_RX_BUF_SIZE; ++ hif_dev->rx_transfer_len = ++ MAX_RX_BUF_SIZE - chk_idx - 4; ++ hif_dev->rx_pad_len = pad_len; ++ + skb_reserve(nskb, 32); + RX_STAT_INC(hif_dev, skb_allocated); + +@@ -654,6 +660,13 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + skb_pool[i]->len, USB_WLAN_RX_PIPE); + RX_STAT_INC(hif_dev, skb_completed); + } ++ return; ++invalid_pkt: ++ for (i = 0; i < pool_index; i++) { ++ dev_kfree_skb_any(skb_pool[i]); ++ RX_STAT_INC(hif_dev, skb_dropped); ++ } ++ return; + } + + static void ath9k_hif_usb_rx_cb(struct urb *urb) +-- +2.39.2 + diff --git a/queue-5.4/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch b/queue-5.4/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch new file mode 100644 index 00000000000..c692088c878 --- /dev/null +++ b/queue-5.4/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch @@ -0,0 +1,58 @@ +From 8c3f517d9e216dc98f7d5caf8e6929bd8cbce511 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 15:35:46 +0300 +Subject: wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no + callback function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69 ] + +It is stated that ath9k_htc_rx_msg() either frees the provided skb or +passes its management to another callback function. However, the skb is +not freed in case there is no another callback function, and Syzkaller was +able to cause a memory leak. Also minor comment fix. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-by: syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com +Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230104123546.51427-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index ca05b07a45e67..fe62ff668f757 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -391,7 +391,7 @@ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle, + * HTC Messages are handled directly here and the obtained SKB + * is freed. + * +- * Service messages (Data, WMI) passed to the corresponding ++ * Service messages (Data, WMI) are passed to the corresponding + * endpoint RX handlers, which have to free the SKB. + */ + void ath9k_htc_rx_msg(struct htc_target *htc_handle, +@@ -478,6 +478,8 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, + if (endpoint->ep_callbacks.rx) + endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv, + skb, epid); ++ else ++ goto invalid; + } + } + +-- +2.39.2 + diff --git a/queue-5.4/wifi-brcmfmac-ensure-clm-version-is-null-terminated-.patch b/queue-5.4/wifi-brcmfmac-ensure-clm-version-is-null-terminated-.patch new file mode 100644 index 00000000000..a558154f197 --- /dev/null +++ b/queue-5.4/wifi-brcmfmac-ensure-clm-version-is-null-terminated-.patch @@ -0,0 +1,165 @@ +From 65eb8150228405e609ff182a28535ba1ae5f453a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Dec 2022 16:51:39 +0900 +Subject: wifi: brcmfmac: ensure CLM version is null-terminated to prevent + stack-out-of-bounds + +From: Jisoo Jang + +[ Upstream commit 660145d708be52f946a82e5b633c020f58f996de ] + +Fix a stack-out-of-bounds read in brcmfmac that occurs +when 'buf' that is not null-terminated is passed as an argument of +strreplace() in brcmf_c_preinit_dcmds(). This buffer is filled with +a CLM version string by memcpy() in brcmf_fil_iovar_data_get(). +Ensure buf is null-terminated. + +Found by a modified version of syzkaller. + +[ 33.004414][ T1896] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available +[ 33.013486][ T1896] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM43236/3 wl0: Nov 30 2011 17:33:42 version 5.90.188.22 +[ 33.021554][ T1896] ================================================================== +[ 33.022379][ T1896] BUG: KASAN: stack-out-of-bounds in strreplace+0xf2/0x110 +[ 33.023122][ T1896] Read of size 1 at addr ffffc90001d6efc8 by task kworker/0:2/1896 +[ 33.023852][ T1896] +[ 33.024096][ T1896] CPU: 0 PID: 1896 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 +[ 33.024927][ T1896] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +[ 33.026065][ T1896] Workqueue: usb_hub_wq hub_event +[ 33.026581][ T1896] Call Trace: +[ 33.026896][ T1896] dump_stack_lvl+0x57/0x7d +[ 33.027372][ T1896] print_address_description.constprop.0.cold+0xf/0x334 +[ 33.028037][ T1896] ? strreplace+0xf2/0x110 +[ 33.028403][ T1896] ? strreplace+0xf2/0x110 +[ 33.028807][ T1896] kasan_report.cold+0x83/0xdf +[ 33.029283][ T1896] ? strreplace+0xf2/0x110 +[ 33.029666][ T1896] strreplace+0xf2/0x110 +[ 33.029966][ T1896] brcmf_c_preinit_dcmds+0xab1/0xc40 +[ 33.030351][ T1896] ? brcmf_c_set_joinpref_default+0x100/0x100 +[ 33.030787][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 33.031223][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 33.031661][ T1896] ? lock_acquire+0x19d/0x4e0 +[ 33.032091][ T1896] ? find_held_lock+0x2d/0x110 +[ 33.032605][ T1896] ? brcmf_usb_deq+0x1a7/0x260 +[ 33.033087][ T1896] ? brcmf_usb_rx_fill_all+0x5a/0xf0 +[ 33.033582][ T1896] brcmf_attach+0x246/0xd40 +[ 33.034022][ T1896] ? wiphy_new_nm+0x1476/0x1d50 +[ 33.034383][ T1896] ? kmemdup+0x30/0x40 +[ 33.034722][ T1896] brcmf_usb_probe+0x12de/0x1690 +[ 33.035223][ T1896] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 +[ 33.035833][ T1896] usb_probe_interface+0x25f/0x710 +[ 33.036315][ T1896] really_probe+0x1be/0xa90 +[ 33.036656][ T1896] __driver_probe_device+0x2ab/0x460 +[ 33.037026][ T1896] ? usb_match_id.part.0+0x88/0xc0 +[ 33.037383][ T1896] driver_probe_device+0x49/0x120 +[ 33.037790][ T1896] __device_attach_driver+0x18a/0x250 +[ 33.038300][ T1896] ? driver_allows_async_probing+0x120/0x120 +[ 33.038986][ T1896] bus_for_each_drv+0x123/0x1a0 +[ 33.039906][ T1896] ? bus_rescan_devices+0x20/0x20 +[ 33.041412][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 33.041861][ T1896] ? trace_hardirqs_on+0x1c/0x120 +[ 33.042330][ T1896] __device_attach+0x207/0x330 +[ 33.042664][ T1896] ? device_bind_driver+0xb0/0xb0 +[ 33.043026][ T1896] ? kobject_uevent_env+0x230/0x12c0 +[ 33.043515][ T1896] bus_probe_device+0x1a2/0x260 +[ 33.043914][ T1896] device_add+0xa61/0x1ce0 +[ 33.044227][ T1896] ? __mutex_unlock_slowpath+0xe7/0x660 +[ 33.044891][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550 +[ 33.045531][ T1896] usb_set_configuration+0x984/0x1770 +[ 33.046051][ T1896] ? kernfs_create_link+0x175/0x230 +[ 33.046548][ T1896] usb_generic_driver_probe+0x69/0x90 +[ 33.046931][ T1896] usb_probe_device+0x9c/0x220 +[ 33.047434][ T1896] really_probe+0x1be/0xa90 +[ 33.047760][ T1896] __driver_probe_device+0x2ab/0x460 +[ 33.048134][ T1896] driver_probe_device+0x49/0x120 +[ 33.048516][ T1896] __device_attach_driver+0x18a/0x250 +[ 33.048910][ T1896] ? driver_allows_async_probing+0x120/0x120 +[ 33.049437][ T1896] bus_for_each_drv+0x123/0x1a0 +[ 33.049814][ T1896] ? bus_rescan_devices+0x20/0x20 +[ 33.050164][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 33.050579][ T1896] ? trace_hardirqs_on+0x1c/0x120 +[ 33.050936][ T1896] __device_attach+0x207/0x330 +[ 33.051399][ T1896] ? device_bind_driver+0xb0/0xb0 +[ 33.051888][ T1896] ? kobject_uevent_env+0x230/0x12c0 +[ 33.052314][ T1896] bus_probe_device+0x1a2/0x260 +[ 33.052688][ T1896] device_add+0xa61/0x1ce0 +[ 33.053121][ T1896] ? __fw_devlink_link_to_suppliers+0x550/0x550 +[ 33.053568][ T1896] usb_new_device.cold+0x463/0xf66 +[ 33.053953][ T1896] ? hub_disconnect+0x400/0x400 +[ 33.054313][ T1896] ? rwlock_bug.part.0+0x90/0x90 +[ 33.054661][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 33.055094][ T1896] hub_event+0x10d5/0x3330 +[ 33.055530][ T1896] ? hub_port_debounce+0x280/0x280 +[ 33.055934][ T1896] ? __lock_acquire+0x1671/0x5790 +[ 33.056387][ T1896] ? wq_calc_node_cpumask+0x170/0x2a0 +[ 33.056924][ T1896] ? lock_release+0x640/0x640 +[ 33.057383][ T1896] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 33.057916][ T1896] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 33.058402][ T1896] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 33.059019][ T1896] process_one_work+0x873/0x13e0 +[ 33.059488][ T1896] ? lock_release+0x640/0x640 +[ 33.059932][ T1896] ? pwq_dec_nr_in_flight+0x320/0x320 +[ 33.060446][ T1896] ? rwlock_bug.part.0+0x90/0x90 +[ 33.060898][ T1896] worker_thread+0x8b/0xd10 +[ 33.061348][ T1896] ? __kthread_parkme+0xd9/0x1d0 +[ 33.061810][ T1896] ? process_one_work+0x13e0/0x13e0 +[ 33.062288][ T1896] kthread+0x379/0x450 +[ 33.062660][ T1896] ? _raw_spin_unlock_irq+0x24/0x30 +[ 33.063148][ T1896] ? set_kthread_struct+0x100/0x100 +[ 33.063606][ T1896] ret_from_fork+0x1f/0x30 +[ 33.064070][ T1896] +[ 33.064313][ T1896] +[ 33.064545][ T1896] addr ffffc90001d6efc8 is located in stack of task kworker/0:2/1896 at offset 512 in frame: +[ 33.065478][ T1896] brcmf_c_preinit_dcmds+0x0/0xc40 +[ 33.065973][ T1896] +[ 33.066191][ T1896] this frame has 4 objects: +[ 33.066614][ T1896] [48, 56) 'ptr' +[ 33.066618][ T1896] [80, 148) 'revinfo' +[ 33.066957][ T1896] [192, 210) 'eventmask' +[ 33.067338][ T1896] [256, 512) 'buf' +[ 33.067742][ T1896] +[ 33.068304][ T1896] Memory state around the buggy address: +[ 33.068838][ T1896] ffffc90001d6ee80: f2 00 00 02 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 +[ 33.069545][ T1896] ffffc90001d6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 33.070626][ T1896] >ffffc90001d6ef80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 +[ 33.072052][ T1896] ^ +[ 33.073043][ T1896] ffffc90001d6f000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 33.074230][ T1896] ffffc90001d6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 33.074914][ T1896] ================================================================== +[ 33.075713][ T1896] Disabling lock debugging due to kernel taint + +Reviewed-by: Arend van Spriel +Signed-off-by: Jisoo Jang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221230075139.56591-1-jisoo.jang@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +index 0c967b45f76f7..e7c97dfd69280 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +@@ -281,15 +281,17 @@ int brcmf_c_preinit_dcmds(struct brcmf_if *ifp) + if (err) { + brcmf_dbg(TRACE, "retrieving clmver failed, %d\n", err); + } else { ++ buf[sizeof(buf) - 1] = '\0'; + clmver = (char *)buf; +- /* store CLM version for adding it to revinfo debugfs file */ +- memcpy(ifp->drvr->clmver, clmver, sizeof(ifp->drvr->clmver)); + + /* Replace all newline/linefeed characters with space + * character + */ + strreplace(clmver, '\n', ' '); + ++ /* store CLM version for adding it to revinfo debugfs file */ ++ memcpy(ifp->drvr->clmver, clmver, sizeof(ifp->drvr->clmver)); ++ + brcmf_dbg(INFO, "CLM version = %s\n", clmver); + } + +-- +2.39.2 + diff --git a/queue-5.4/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch b/queue-5.4/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch new file mode 100644 index 00000000000..6610b6ecde6 --- /dev/null +++ b/queue-5.4/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch @@ -0,0 +1,39 @@ +From ad1b5d6ae5b4e4cae62392a488c6878f1e014f26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 19:33:01 +0800 +Subject: wifi: brcmfmac: fix potential memory leak in + brcmf_netdev_start_xmit() + +From: Zhang Changzhong + +[ Upstream commit 212fde3fe76e962598ce1d47b97cc78afdfc71b3 ] + +The brcmf_netdev_start_xmit() returns NETDEV_TX_OK without freeing skb +in case of pskb_expand_head() fails, add dev_kfree_skb() to fix it. +Compile tested only. + +Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()") +Signed-off-by: Zhang Changzhong +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1668684782-47422-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index 5b7c1b99273d5..4907a667f963c 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -333,6 +333,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, + bphy_err(drvr, "%s: failed to expand headroom\n", + brcmf_ifname(ifp)); + atomic_inc(&drvr->bus_if->stats.pktcow_failed); ++ dev_kfree_skb(skb); + goto done; + } + } +-- +2.39.2 + diff --git a/queue-5.4/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch b/queue-5.4/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch new file mode 100644 index 00000000000..67b6944d4a9 --- /dev/null +++ b/queue-5.4/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch @@ -0,0 +1,160 @@ +From 04627c6889f55865797aa3680615054705cb0e1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 13:34:58 +0900 +Subject: wifi: brcmfmac: Fix potential stack-out-of-bounds in + brcmf_c_preinit_dcmds() + +From: Jisoo Jang + +[ Upstream commit 0a06cadcc2a0044e4a117cc0e61436fc3a0dad69 ] + +This patch fixes a stack-out-of-bounds read in brcmfmac that occurs +when 'buf' that is not null-terminated is passed as an argument of +strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware +version string by memcpy() in brcmf_fil_iovar_data_get(). +The patch ensures buf is null-terminated. + +Found by a modified version of syzkaller. + +[ 47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3 +[ 47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available +[ 47.601565][ T1897] ================================================================== +[ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0 +[ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897 +[ 47.604336][ T1897] +[ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131 +[ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +[ 47.606907][ T1897] Workqueue: usb_hub_wq hub_event +[ 47.607453][ T1897] Call Trace: +[ 47.607801][ T1897] dump_stack_lvl+0x8e/0xd1 +[ 47.608295][ T1897] print_address_description.constprop.0.cold+0xf/0x334 +[ 47.609009][ T1897] ? strsep+0x1b2/0x1f0 +[ 47.609434][ T1897] ? strsep+0x1b2/0x1f0 +[ 47.609863][ T1897] kasan_report.cold+0x83/0xdf +[ 47.610366][ T1897] ? strsep+0x1b2/0x1f0 +[ 47.610882][ T1897] strsep+0x1b2/0x1f0 +[ 47.611300][ T1897] ? brcmf_fil_iovar_data_get+0x3a/0xf0 +[ 47.611883][ T1897] brcmf_c_preinit_dcmds+0x995/0xc40 +[ 47.612434][ T1897] ? brcmf_c_set_joinpref_default+0x100/0x100 +[ 47.613078][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 47.613662][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 47.614208][ T1897] ? lock_acquire+0x19d/0x4e0 +[ 47.614704][ T1897] ? find_held_lock+0x2d/0x110 +[ 47.615236][ T1897] ? brcmf_usb_deq+0x1a7/0x260 +[ 47.615741][ T1897] ? brcmf_usb_rx_fill_all+0x5a/0xf0 +[ 47.616288][ T1897] brcmf_attach+0x246/0xd40 +[ 47.616758][ T1897] ? wiphy_new_nm+0x1703/0x1dd0 +[ 47.617280][ T1897] ? kmemdup+0x43/0x50 +[ 47.617720][ T1897] brcmf_usb_probe+0x12de/0x1690 +[ 47.618244][ T1897] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 +[ 47.618901][ T1897] usb_probe_interface+0x2aa/0x760 +[ 47.619429][ T1897] ? usb_probe_device+0x250/0x250 +[ 47.619950][ T1897] really_probe+0x205/0xb70 +[ 47.620435][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.621048][ T1897] __driver_probe_device+0x311/0x4b0 +[ 47.621595][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.622209][ T1897] driver_probe_device+0x4e/0x150 +[ 47.622739][ T1897] __device_attach_driver+0x1cc/0x2a0 +[ 47.623287][ T1897] bus_for_each_drv+0x156/0x1d0 +[ 47.623796][ T1897] ? bus_rescan_devices+0x30/0x30 +[ 47.624309][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.624907][ T1897] ? trace_hardirqs_on+0x46/0x160 +[ 47.625437][ T1897] __device_attach+0x23f/0x3a0 +[ 47.625924][ T1897] ? device_bind_driver+0xd0/0xd0 +[ 47.626433][ T1897] ? kobject_uevent_env+0x287/0x14b0 +[ 47.627057][ T1897] bus_probe_device+0x1da/0x290 +[ 47.627557][ T1897] device_add+0xb7b/0x1eb0 +[ 47.628027][ T1897] ? wait_for_completion+0x290/0x290 +[ 47.628593][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0 +[ 47.629249][ T1897] usb_set_configuration+0xf59/0x16f0 +[ 47.629829][ T1897] usb_generic_driver_probe+0x82/0xa0 +[ 47.630385][ T1897] usb_probe_device+0xbb/0x250 +[ 47.630927][ T1897] ? usb_suspend+0x590/0x590 +[ 47.631397][ T1897] really_probe+0x205/0xb70 +[ 47.631855][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.632469][ T1897] __driver_probe_device+0x311/0x4b0 +[ 47.633002][ T1897] ? usb_generic_driver_match+0x75/0x90 +[ 47.633573][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.634170][ T1897] driver_probe_device+0x4e/0x150 +[ 47.634703][ T1897] __device_attach_driver+0x1cc/0x2a0 +[ 47.635248][ T1897] bus_for_each_drv+0x156/0x1d0 +[ 47.635748][ T1897] ? bus_rescan_devices+0x30/0x30 +[ 47.636271][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.636881][ T1897] ? trace_hardirqs_on+0x46/0x160 +[ 47.637396][ T1897] __device_attach+0x23f/0x3a0 +[ 47.637904][ T1897] ? device_bind_driver+0xd0/0xd0 +[ 47.638426][ T1897] ? kobject_uevent_env+0x287/0x14b0 +[ 47.638985][ T1897] bus_probe_device+0x1da/0x290 +[ 47.639512][ T1897] device_add+0xb7b/0x1eb0 +[ 47.639977][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0 +[ 47.640612][ T1897] ? kfree+0x14a/0x6b0 +[ 47.641055][ T1897] ? __usb_get_extra_descriptor+0x116/0x160 +[ 47.641679][ T1897] usb_new_device.cold+0x49c/0x1029 +[ 47.642245][ T1897] ? hub_disconnect+0x450/0x450 +[ 47.642756][ T1897] ? rwlock_bug.part.0+0x90/0x90 +[ 47.643273][ T1897] ? _raw_spin_unlock_irq+0x24/0x30 +[ 47.643822][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.644445][ T1897] hub_event+0x1c98/0x3950 +[ 47.644939][ T1897] ? hub_port_debounce+0x2e0/0x2e0 +[ 47.645467][ T1897] ? check_irq_usage+0x861/0xf20 +[ 47.645975][ T1897] ? drain_workqueue+0x280/0x360 +[ 47.646506][ T1897] ? lock_release+0x640/0x640 +[ 47.646994][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 47.647572][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 47.648111][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.648735][ T1897] process_one_work+0x92b/0x1460 +[ 47.649262][ T1897] ? pwq_dec_nr_in_flight+0x330/0x330 +[ 47.649816][ T1897] ? rwlock_bug.part.0+0x90/0x90 +[ 47.650336][ T1897] worker_thread+0x95/0xe00 +[ 47.650830][ T1897] ? __kthread_parkme+0x115/0x1e0 +[ 47.651361][ T1897] ? process_one_work+0x1460/0x1460 +[ 47.651904][ T1897] kthread+0x3a1/0x480 +[ 47.652329][ T1897] ? set_kthread_struct+0x120/0x120 +[ 47.652878][ T1897] ret_from_fork+0x1f/0x30 +[ 47.653370][ T1897] +[ 47.653608][ T1897] +[ 47.653848][ T1897] addr ffffc90001f6f000 is located in stack of task kworker/0:2/1897 at offset 512 in frame: +[ 47.654891][ T1897] brcmf_c_preinit_dcmds+0x0/0xc40 +[ 47.655442][ T1897] +[ 47.655690][ T1897] this frame has 4 objects: +[ 47.656151][ T1897] [48, 56) 'ptr' +[ 47.656159][ T1897] [80, 148) 'revinfo' +[ 47.656534][ T1897] [192, 210) 'eventmask' +[ 47.656953][ T1897] [256, 512) 'buf' +[ 47.657410][ T1897] +[ 47.658035][ T1897] Memory state around the buggy address: +[ 47.658743][ T1897] ffffc90001f6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 47.659577][ T1897] ffffc90001f6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 47.660394][ T1897] >ffffc90001f6f000: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 +[ 47.661199][ T1897] ^ +[ 47.661625][ T1897] ffffc90001f6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 47.662455][ T1897] ffffc90001f6f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 +[ 47.663318][ T1897] ================================================================== +[ 47.664147][ T1897] Disabling lock debugging due to kernel taint + +Reported-by: Dokyung Song +Reported-by: Jisoo Jang +Reported-by: Minsuk Kang +Signed-off-by: Jisoo Jang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221115043458.37562-1-jisoo.jang@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +index dec25e4156199..0c967b45f76f7 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +@@ -264,6 +264,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_if *ifp) + err); + goto done; + } ++ buf[sizeof(buf) - 1] = '\0'; + ptr = (char *)buf; + strsep(&ptr, "\n"); + +-- +2.39.2 + diff --git a/queue-5.4/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch b/queue-5.4/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch new file mode 100644 index 00000000000..5388dd2688f --- /dev/null +++ b/queue-5.4/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch @@ -0,0 +1,46 @@ +From 5ffa1dea9de3de371673d851c8533417dce17a9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 09:31:14 +0800 +Subject: wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() + +From: Zhengchao Shao + +[ Upstream commit b9f420032f2ba1e634b22ca7b433e5c40ea663af ] + +After the DMA buffer is mapped to a physical address, address is stored +in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in +brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr +and later unmap the DMA buffer. But when count is always equal to +pktids->array_size, physaddr isn't stored in pktids and the DMA buffer +will not be unmapped anyway. + +Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") +Signed-off-by: Zhengchao Shao +Reviewed-by: Sebastian Andrzej Siewior +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207013114.1748936-1-shaozhengchao@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +index c2705d7a4247e..fd54acb859246 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +@@ -345,8 +345,11 @@ brcmf_msgbuf_alloc_pktid(struct device *dev, + count++; + } while (count < pktids->array_size); + +- if (count == pktids->array_size) ++ if (count == pktids->array_size) { ++ dma_unmap_single(dev, *physaddr, skb->len - data_offset, ++ pktids->direction); + return -ENOMEM; ++ } + + array[*idx].data_offset = data_offset; + array[*idx].physaddr = *physaddr; +-- +2.39.2 + diff --git a/queue-5.4/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch b/queue-5.4/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch new file mode 100644 index 00000000000..6e2436629e3 --- /dev/null +++ b/queue-5.4/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch @@ -0,0 +1,47 @@ +From 3d3bf0a70c97f09b913d22b23ac254cb434c58d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 09:24:22 +0800 +Subject: wifi: ipw2200: fix memory leak in ipw_wdev_init() + +From: Zhengchao Shao + +[ Upstream commit 9fe21dc626117fb44a8eb393713a86a620128ce3 ] + +In the error path of ipw_wdev_init(), exception value is returned, and +the memory applied for in the function is not released. Also the memory +is not released in ipw_pci_probe(). As a result, memory leakage occurs. +So memory release needs to be added to the error path of ipw_wdev_init(). + +Fixes: a3caa99e6c68 ("libipw: initiate cfg80211 API conversion (v2)") +Signed-off-by: Zhengchao Shao +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221209012422.182669-1-shaozhengchao@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/ipw2200.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +index b2f7736a79f85..5ce1a4d8fcee7 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +@@ -11414,9 +11414,14 @@ static int ipw_wdev_init(struct net_device *dev) + set_wiphy_dev(wdev->wiphy, &priv->pci_dev->dev); + + /* With that information in place, we can now register the wiphy... */ +- if (wiphy_register(wdev->wiphy)) +- rc = -EIO; ++ rc = wiphy_register(wdev->wiphy); ++ if (rc) ++ goto out; ++ ++ return 0; + out: ++ kfree(priv->ieee->a_band.channels); ++ kfree(priv->ieee->bg_band.channels); + return rc; + } + +-- +2.39.2 + diff --git a/queue-5.4/wifi-ipw2x00-don-t-call-dev_kfree_skb-under-spin_loc.patch b/queue-5.4/wifi-ipw2x00-don-t-call-dev_kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..cd6e14fc6b4 --- /dev/null +++ b/queue-5.4/wifi-ipw2x00-don-t-call-dev_kfree_skb-under-spin_loc.patch @@ -0,0 +1,46 @@ +From 31c3454a4da8a3c25c42c0c60e8dc1b61b28c877 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:38:26 +0800 +Subject: wifi: ipw2x00: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 45fc6d7461f18df2f238caf0cbc5acc4163203d1 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called to free and drop the SKB when +it's reset, so replace it with dev_kfree_skb_irq(). Compile tested +only. + +Fixes: 43f66a6ce8da ("Add ipw2200 wireless driver.") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221208143826.2385218-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/ipw2200.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +index fc9c2930f08cf..b2f7736a79f85 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +@@ -3445,7 +3445,7 @@ static void ipw_rx_queue_reset(struct ipw_priv *priv, + dma_unmap_single(&priv->pci_dev->dev, + rxq->pool[i].dma_addr, + IPW_RX_BUF_SIZE, DMA_FROM_DEVICE); +- dev_kfree_skb(rxq->pool[i].skb); ++ dev_kfree_skb_irq(rxq->pool[i].skb); + rxq->pool[i].skb = NULL; + } + list_add_tail(&rxq->pool[i].list, &rxq->rx_used); +-- +2.39.2 + diff --git a/queue-5.4/wifi-iwl3945-add-missing-check-for-create_singlethre.patch b/queue-5.4/wifi-iwl3945-add-missing-check-for-create_singlethre.patch new file mode 100644 index 00000000000..58e3cd8007f --- /dev/null +++ b/queue-5.4/wifi-iwl3945-add-missing-check-for-create_singlethre.patch @@ -0,0 +1,85 @@ +From 6c6da5b1e82dd4eb84f22f5d2a9ca816aaf9e282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 14:30:32 +0800 +Subject: wifi: iwl3945: Add missing check for create_singlethread_workqueue + +From: Jiasheng Jiang + +[ Upstream commit 1fdeb8b9f29dfd64805bb49475ac7566a3cb06cb ] + +Add the check for the return value of the create_singlethread_workqueue +in order to avoid NULL pointer dereference. + +Fixes: b481de9ca074 ("[IWLWIFI]: add iwlwifi wireless drivers") +Signed-off-by: Jiasheng Jiang +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230208063032.42763-2-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/3945-mac.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/3945-mac.c b/drivers/net/wireless/intel/iwlegacy/3945-mac.c +index 206b43b9dff86..a1bd61d5e024d 100644 +--- a/drivers/net/wireless/intel/iwlegacy/3945-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/3945-mac.c +@@ -3382,10 +3382,12 @@ static DEVICE_ATTR(dump_errors, 0200, NULL, il3945_dump_error_log); + * + *****************************************************************************/ + +-static void ++static int + il3945_setup_deferred_work(struct il_priv *il) + { + il->workqueue = create_singlethread_workqueue(DRV_NAME); ++ if (!il->workqueue) ++ return -ENOMEM; + + init_waitqueue_head(&il->wait_command_queue); + +@@ -3404,6 +3406,8 @@ il3945_setup_deferred_work(struct il_priv *il) + tasklet_init(&il->irq_tasklet, + il3945_irq_tasklet, + (unsigned long)il); ++ ++ return 0; + } + + static void +@@ -3725,7 +3729,10 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + } + + il_set_rxon_channel(il, &il->bands[NL80211_BAND_2GHZ].channels[5]); +- il3945_setup_deferred_work(il); ++ err = il3945_setup_deferred_work(il); ++ if (err) ++ goto out_remove_sysfs; ++ + il3945_setup_handlers(il); + il_power_initialize(il); + +@@ -3737,7 +3744,7 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + err = il3945_setup_mac(il); + if (err) +- goto out_remove_sysfs; ++ goto out_destroy_workqueue; + + il_dbgfs_register(il, DRV_NAME); + +@@ -3746,9 +3753,10 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + return 0; + +-out_remove_sysfs: ++out_destroy_workqueue: + destroy_workqueue(il->workqueue); + il->workqueue = NULL; ++out_remove_sysfs: + sysfs_remove_group(&pdev->dev.kobj, &il3945_attribute_group); + out_release_irq: + free_irq(il->pci_dev->irq, il); +-- +2.39.2 + diff --git a/queue-5.4/wifi-iwl4965-add-missing-check-for-create_singlethre.patch b/queue-5.4/wifi-iwl4965-add-missing-check-for-create_singlethre.patch new file mode 100644 index 00000000000..53da115ae59 --- /dev/null +++ b/queue-5.4/wifi-iwl4965-add-missing-check-for-create_singlethre.patch @@ -0,0 +1,72 @@ +From 9654d67377394909178c1d37b15f08004d3a601a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 09:07:48 +0800 +Subject: wifi: iwl4965: Add missing check for create_singlethread_workqueue() + +From: Jiasheng Jiang + +[ Upstream commit 26e6775f75517ad6844fe5b79bc5f3fa8c22ee61 ] + +Add the check for the return value of the create_singlethread_workqueue() +in order to avoid NULL pointer dereference. + +Fixes: b481de9ca074 ("[IWLWIFI]: add iwlwifi wireless drivers") +Signed-off-by: Jiasheng Jiang +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230209010748.45454-1-jiasheng@iscas.ac.cn +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/4965-mac.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +index 5fe17039a3375..feeb57cadc1ca 100644 +--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c +@@ -6217,10 +6217,12 @@ il4965_bg_txpower_work(struct work_struct *work) + mutex_unlock(&il->mutex); + } + +-static void ++static int + il4965_setup_deferred_work(struct il_priv *il) + { + il->workqueue = create_singlethread_workqueue(DRV_NAME); ++ if (!il->workqueue) ++ return -ENOMEM; + + init_waitqueue_head(&il->wait_command_queue); + +@@ -6241,6 +6243,8 @@ il4965_setup_deferred_work(struct il_priv *il) + tasklet_init(&il->irq_tasklet, + il4965_irq_tasklet, + (unsigned long)il); ++ ++ return 0; + } + + static void +@@ -6630,7 +6634,10 @@ il4965_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + goto out_disable_msi; + } + +- il4965_setup_deferred_work(il); ++ err = il4965_setup_deferred_work(il); ++ if (err) ++ goto out_free_irq; ++ + il4965_setup_handlers(il); + + /********************************************* +@@ -6668,6 +6675,7 @@ il4965_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + out_destroy_workqueue: + destroy_workqueue(il->workqueue); + il->workqueue = NULL; ++out_free_irq: + free_irq(il->pci_dev->irq, il); + out_disable_msi: + pci_disable_msi(il->pci_dev); +-- +2.39.2 + diff --git a/queue-5.4/wifi-iwlegacy-common-don-t-call-dev_kfree_skb-under-.patch b/queue-5.4/wifi-iwlegacy-common-don-t-call-dev_kfree_skb-under-.patch new file mode 100644 index 00000000000..ef32f7120ad --- /dev/null +++ b/queue-5.4/wifi-iwlegacy-common-don-t-call-dev_kfree_skb-under-.patch @@ -0,0 +1,49 @@ +From fb66b964d0012990af6efeb0f67cdea5f75df6c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 22:40:13 +0800 +Subject: wifi: iwlegacy: common: don't call dev_kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 0c1528675d7a9787cb516b64d8f6c0f6f8efcb48 ] + +It is not allowed to call consume_skb() from hardware interrupt context +or with interrupts being disabled. So replace dev_kfree_skb() with +dev_consume_skb_irq() under spin_lock_irqsave(). Compile tested only. + +Fixes: 4bc85c1324aa ("Revert "iwlwifi: split the drivers for agn and legacy devices 3945/4965"") +Signed-off-by: Yang Yingliang +Acked-by: Stanislaw Gruszka +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207144013.70210-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlegacy/common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlegacy/common.c b/drivers/net/wireless/intel/iwlegacy/common.c +index 525479f1bef7f..7cfd80d40a653 100644 +--- a/drivers/net/wireless/intel/iwlegacy/common.c ++++ b/drivers/net/wireless/intel/iwlegacy/common.c +@@ -5182,7 +5182,7 @@ il_mac_reset_tsf(struct ieee80211_hw *hw, struct ieee80211_vif *vif) + memset(&il->current_ht_config, 0, sizeof(struct il_ht_config)); + + /* new association get rid of ibss beacon skb */ +- dev_kfree_skb(il->beacon_skb); ++ dev_consume_skb_irq(il->beacon_skb); + il->beacon_skb = NULL; + il->timestamp = 0; + +@@ -5301,7 +5301,7 @@ il_beacon_update(struct ieee80211_hw *hw, struct ieee80211_vif *vif) + } + + spin_lock_irqsave(&il->lock, flags); +- dev_kfree_skb(il->beacon_skb); ++ dev_consume_skb_irq(il->beacon_skb); + il->beacon_skb = skb; + + timestamp = ((struct ieee80211_mgmt *)skb->data)->u.beacon.timestamp; +-- +2.39.2 + diff --git a/queue-5.4/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch b/queue-5.4/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch new file mode 100644 index 00000000000..baa673970e6 --- /dev/null +++ b/queue-5.4/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch @@ -0,0 +1,40 @@ +From 9cd5a240446aca20d52e9719e5d819ecc7aa0264 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:00:08 +0800 +Subject: wifi: libertas: cmdresp: don't call kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 708a49a64237f19bd404852f297aaadbc9e7fee0 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: f52b041aed77 ("libertas: Add spinlock to avoid race condition") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150008.111743-5-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cmdresp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cmdresp.c b/drivers/net/wireless/marvell/libertas/cmdresp.c +index b73d083813985..5908f07d62ed7 100644 +--- a/drivers/net/wireless/marvell/libertas/cmdresp.c ++++ b/drivers/net/wireless/marvell/libertas/cmdresp.c +@@ -48,7 +48,7 @@ void lbs_mac_event_disconnected(struct lbs_private *priv, + + /* Free Tx and Rx packets */ + spin_lock_irqsave(&priv->driver_lock, flags); +- kfree_skb(priv->currenttxskb); ++ dev_kfree_skb_irq(priv->currenttxskb); + priv->currenttxskb = NULL; + priv->tx_pending_len = 0; + spin_unlock_irqrestore(&priv->driver_lock, flags); +-- +2.39.2 + diff --git a/queue-5.4/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch b/queue-5.4/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch new file mode 100644 index 00000000000..fabb7894506 --- /dev/null +++ b/queue-5.4/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch @@ -0,0 +1,37 @@ +From 8188524d5400de4d17fc3e47f0b90fda0427a6ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 20:14:48 +0800 +Subject: wifi: libertas: fix memory leak in lbs_init_adapter() + +From: Zhengchao Shao + +[ Upstream commit 16a03958618fb91bb1bc7077cf3211055162cc2f ] + +When kfifo_alloc() failed in lbs_init_adapter(), cmd buffer is not +released. Add free memory to processing error path. + +Fixes: 7919b89c8276 ("libertas: convert libertas driver to use an event/cmdresp queue") +Signed-off-by: Zhengchao Shao +Reviewed-by: Jiri Pirko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221208121448.2845986-1-shaozhengchao@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/libertas/main.c b/drivers/net/wireless/marvell/libertas/main.c +index 2233b59cdf444..a94e50eb34bfb 100644 +--- a/drivers/net/wireless/marvell/libertas/main.c ++++ b/drivers/net/wireless/marvell/libertas/main.c +@@ -870,6 +870,7 @@ static int lbs_init_adapter(struct lbs_private *priv) + ret = kfifo_alloc(&priv->event_fifo, sizeof(u32) * 16, GFP_KERNEL); + if (ret) { + pr_err("Out of memory allocating event FIFO buffer\n"); ++ lbs_free_cmd_buffer(priv); + goto out; + } + +-- +2.39.2 + diff --git a/queue-5.4/wifi-libertas-if_usb-don-t-call-kfree_skb-under-spin.patch b/queue-5.4/wifi-libertas-if_usb-don-t-call-kfree_skb-under-spin.patch new file mode 100644 index 00000000000..fea8fb39ebf --- /dev/null +++ b/queue-5.4/wifi-libertas-if_usb-don-t-call-kfree_skb-under-spin.patch @@ -0,0 +1,40 @@ +From 093aa9b937da66315d7cc453136e90669a863c08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:00:06 +0800 +Subject: wifi: libertas: if_usb: don't call kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 3968e81ba644f10a7d45bae2539560db9edac501 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: a3128feef6d5 ("libertas: use irqsave() in USB's complete callback") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150008.111743-3-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/if_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c +index 32fdc4150b605..2240b4db8c036 100644 +--- a/drivers/net/wireless/marvell/libertas/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas/if_usb.c +@@ -637,7 +637,7 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff, + priv->resp_len[i] = (recvlength - MESSAGE_HEADER_LEN); + memcpy(priv->resp_buf[i], recvbuff + MESSAGE_HEADER_LEN, + priv->resp_len[i]); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + lbs_notify_command_response(priv, i); + + spin_unlock_irqrestore(&priv->driver_lock, flags); +-- +2.39.2 + diff --git a/queue-5.4/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch b/queue-5.4/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..f4bfd3efae7 --- /dev/null +++ b/queue-5.4/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch @@ -0,0 +1,40 @@ +From 3d2f6c5cc20f5e6c40468f9633945ebfeca73565 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:00:07 +0800 +Subject: wifi: libertas: main: don't call kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit f393df151540bf858effbd29ff572ab94e76a4c4 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: d2e7b3425c47 ("libertas: disable functionality when interface is down") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150008.111743-4-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/libertas/main.c b/drivers/net/wireless/marvell/libertas/main.c +index a94e50eb34bfb..ff0b3a0e9dcd6 100644 +--- a/drivers/net/wireless/marvell/libertas/main.c ++++ b/drivers/net/wireless/marvell/libertas/main.c +@@ -217,7 +217,7 @@ int lbs_stop_iface(struct lbs_private *priv) + + spin_lock_irqsave(&priv->driver_lock, flags); + priv->iface_running = false; +- kfree_skb(priv->currenttxskb); ++ dev_kfree_skb_irq(priv->currenttxskb); + priv->currenttxskb = NULL; + priv->tx_pending_len = 0; + spin_unlock_irqrestore(&priv->driver_lock, flags); +-- +2.39.2 + diff --git a/queue-5.4/wifi-libertas_tf-don-t-call-kfree_skb-under-spin_loc.patch b/queue-5.4/wifi-libertas_tf-don-t-call-kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..57db5162fe7 --- /dev/null +++ b/queue-5.4/wifi-libertas_tf-don-t-call-kfree_skb-under-spin_loc.patch @@ -0,0 +1,39 @@ +From 7878e8a5f7a373757124e1124536c4d638f7614a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:00:05 +0800 +Subject: wifi: libertas_tf: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 9388ce97b98216833c969191ee6df61a7201d797 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: fc75122fabb5 ("libertas_tf: use irqsave() in USB's complete callback") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150008.111743-2-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c +index b30bcb28503ae..f47db95299f37 100644 +--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c +@@ -613,7 +613,7 @@ static inline void process_cmdrequest(int recvlength, uint8_t *recvbuff, + spin_lock_irqsave(&priv->driver_lock, flags); + memcpy(priv->cmd_resp_buff, recvbuff + MESSAGE_HEADER_LEN, + recvlength - MESSAGE_HEADER_LEN); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + lbtf_cmd_response_rx(priv); + spin_unlock_irqrestore(&priv->driver_lock, flags); + } +-- +2.39.2 + diff --git a/queue-5.4/wifi-mac80211-make-rate-u32-in-sta_set_rate_info_rx.patch b/queue-5.4/wifi-mac80211-make-rate-u32-in-sta_set_rate_info_rx.patch new file mode 100644 index 00000000000..4b2e74ef14e --- /dev/null +++ b/queue-5.4/wifi-mac80211-make-rate-u32-in-sta_set_rate_info_rx.patch @@ -0,0 +1,38 @@ +From 7dfde2775b4b037514e94d246f293a41d757507d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 19:06:59 +0800 +Subject: wifi: mac80211: make rate u32 in sta_set_rate_info_rx() + +From: Shayne Chen + +[ Upstream commit 59336e07b287d91dc4ec265e07724e8f7e3d0209 ] + +The value of last_rate in ieee80211_sta_rx_stats is degraded from u32 to +u16 after being assigned to rate variable, which causes information loss +in STA_STATS_FIELD_TYPE and later bitfields. + +Signed-off-by: Shayne Chen +Link: https://lore.kernel.org/r/20230209110659.25447-1-shayne.chen@mediatek.com +Fixes: 41cbb0f5a295 ("mac80211: add support for HE") +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/sta_info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c +index 7b2e8c890381a..4d6890250337d 100644 +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -2121,7 +2121,7 @@ static void sta_stats_decode_rate(struct ieee80211_local *local, u32 rate, + + static int sta_set_rate_info_rx(struct sta_info *sta, struct rate_info *rinfo) + { +- u16 rate = READ_ONCE(sta_get_last_rx_stats(sta)->last_rate); ++ u32 rate = READ_ONCE(sta_get_last_rx_stats(sta)->last_rate); + + if (rate == STA_STATS_RATE_INVALID) + return -EINVAL; +-- +2.39.2 + diff --git a/queue-5.4/wifi-mt76-dma-free-rx_head-in-mt76_dma_rx_cleanup.patch b/queue-5.4/wifi-mt76-dma-free-rx_head-in-mt76_dma_rx_cleanup.patch new file mode 100644 index 00000000000..e06a6805ed0 --- /dev/null +++ b/queue-5.4/wifi-mt76-dma-free-rx_head-in-mt76_dma_rx_cleanup.patch @@ -0,0 +1,60 @@ +From ef7cf10e363a70b9509e3ebc1744065badaaa1cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 Jan 2023 12:47:57 +0100 +Subject: wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup + +From: Lorenzo Bianconi + +[ Upstream commit 1b88b47e898edef0e56e3a2f4e49f052a136153d ] + +Free rx_head skb in mt76_dma_rx_cleanup routine in order to avoid +possible memory leak at module unload. + +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/dma.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c +index d3efcbd48ee1e..50a92aaa221f7 100644 +--- a/drivers/net/wireless/mediatek/mt76/dma.c ++++ b/drivers/net/wireless/mediatek/mt76/dma.c +@@ -411,6 +411,7 @@ mt76_dma_rx_cleanup(struct mt76_dev *dev, struct mt76_queue *q) + bool more; + + spin_lock_bh(&q->lock); ++ + do { + buf = mt76_dma_dequeue(dev, q, true, NULL, NULL, &more); + if (!buf) +@@ -418,6 +419,12 @@ mt76_dma_rx_cleanup(struct mt76_dev *dev, struct mt76_queue *q) + + skb_free_frag(buf); + } while (1); ++ ++ if (q->rx_head) { ++ dev_kfree_skb(q->rx_head); ++ q->rx_head = NULL; ++ } ++ + spin_unlock_bh(&q->lock); + + if (!q->rx_page.va) +@@ -440,12 +447,6 @@ mt76_dma_rx_reset(struct mt76_dev *dev, enum mt76_rxq_id qid) + mt76_dma_rx_cleanup(dev, q); + mt76_dma_sync_idx(dev, q); + mt76_dma_rx_fill(dev, q); +- +- if (!q->rx_head) +- return; +- +- dev_kfree_skb(q->rx_head); +- q->rx_head = NULL; + } + + static void +-- +2.39.2 + diff --git a/queue-5.4/wifi-mt7601u-fix-an-integer-underflow.patch b/queue-5.4/wifi-mt7601u-fix-an-integer-underflow.patch new file mode 100644 index 00000000000..5dbf6a80105 --- /dev/null +++ b/queue-5.4/wifi-mt7601u-fix-an-integer-underflow.patch @@ -0,0 +1,102 @@ +From 6e779e7e372250d6f411948019369ca93e3bad66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Dec 2022 18:29:06 +0900 +Subject: wifi: mt7601u: fix an integer underflow + +From: Jisoo Jang + +[ Upstream commit 803f3176c5df3b5582c27ea690f204abb60b19b9 ] + +Fix an integer underflow that leads to a null pointer dereference in +'mt7601u_rx_skb_from_seg()'. The variable 'dma_len' in the URB packet +could be manipulated, which could trigger an integer underflow of +'seg_len' in 'mt7601u_rx_process_seg()'. This underflow subsequently +causes the 'bad_frame' checks in 'mt7601u_rx_skb_from_seg()' to be +bypassed, eventually leading to a dereference of the pointer 'p', which +is a null pointer. + +Ensure that 'dma_len' is greater than 'min_seg_len'. + +Found by a modified version of syzkaller. + +KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] +CPU: 0 PID: 12 Comm: ksoftirqd/0 Tainted: G W O 5.14.0+ +#139 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +RIP: 0010:skb_add_rx_frag+0x143/0x370 +Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44 +89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02 +00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00 +RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000 +RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8 +RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010 +R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000 +R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008 +FS: 0000000000000000(0000) GS:ffff88811a800000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + mt7601u_rx_tasklet+0xc73/0x1270 + ? mt7601u_submit_rx_buf.isra.0+0x510/0x510 + ? tasklet_action_common.isra.0+0x79/0x2f0 + tasklet_action_common.isra.0+0x206/0x2f0 + __do_softirq+0x1b5/0x880 + ? tasklet_unlock+0x30/0x30 + run_ksoftirqd+0x26/0x50 + smpboot_thread_fn+0x34f/0x7d0 + ? smpboot_register_percpu_thread+0x370/0x370 + kthread+0x3a1/0x480 + ? set_kthread_struct+0x120/0x120 + ret_from_fork+0x1f/0x30 +Modules linked in: 88XXau(O) 88x2bu(O) +---[ end trace 57f34f93b4da0f9b ]--- +RIP: 0010:skb_add_rx_frag+0x143/0x370 +Code: e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85 86 01 00 00 4c 8d 7d 08 44 +89 68 08 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02 +00 0f 85 cd 01 00 00 48 8b 45 08 a8 01 0f 85 3d 01 00 00 +RSP: 0018:ffffc900000cfc90 EFLAGS: 00010202 +RAX: dffffc0000000000 RBX: ffff888115520dc0 RCX: 0000000000000000 +RDX: 0000000000000001 RSI: ffff8881118430c0 RDI: ffff8881118430f8 +RBP: 0000000000000000 R08: 0000000000000e09 R09: 0000000000000010 +R10: ffff888111843017 R11: ffffed1022308602 R12: 0000000000000000 +R13: 0000000000000e09 R14: 0000000000000010 R15: 0000000000000008 +FS: 0000000000000000(0000) GS:ffff88811a800000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000004035af40 CR3: 00000001157f2000 CR4: 0000000000750ef0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 + +Signed-off-by: Jisoo Jang +Acked-by: Jakub Kicinski +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221229092906.2328282-1-jisoo.jang@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt7601u/dma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt7601u/dma.c b/drivers/net/wireless/mediatek/mt7601u/dma.c +index 6f2172be7b66a..072888072b0db 100644 +--- a/drivers/net/wireless/mediatek/mt7601u/dma.c ++++ b/drivers/net/wireless/mediatek/mt7601u/dma.c +@@ -118,7 +118,8 @@ static u16 mt7601u_rx_next_seg_len(u8 *data, u32 data_len) + if (data_len < min_seg_len || + WARN_ON_ONCE(!dma_len) || + WARN_ON_ONCE(dma_len + MT_DMA_HDRS > data_len) || +- WARN_ON_ONCE(dma_len & 0x3)) ++ WARN_ON_ONCE(dma_len & 0x3) || ++ WARN_ON_ONCE(dma_len < min_seg_len)) + return 0; + + return MT_DMA_HDRS + dma_len; +-- +2.39.2 + diff --git a/queue-5.4/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch b/queue-5.4/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch new file mode 100644 index 00000000000..38d327513aa --- /dev/null +++ b/queue-5.4/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch @@ -0,0 +1,48 @@ +From 28c128e04fcf82afba21f6bafa1f3190a061e492 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Feb 2023 17:41:33 +0300 +Subject: wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize() + +From: Dan Carpenter + +[ Upstream commit 3cfb7df24cee0f5fdc4cc5d3176cab9aadfcb430 ] + +This code re-uses "i" to be the iterator for both the inside and outside +loops. It means the outside loop will exit earlier than intended. + +Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Y+ERnaDaZD7RtLvX@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/11n.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c +index acbef9f1a83b6..b397a7e85e6b0 100644 +--- a/drivers/net/wireless/marvell/mwifiex/11n.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n.c +@@ -890,7 +890,7 @@ mwifiex_send_delba_txbastream_tbl(struct mwifiex_private *priv, u8 tid) + */ + void mwifiex_update_ampdu_txwinsize(struct mwifiex_adapter *adapter) + { +- u8 i; ++ u8 i, j; + u32 tx_win_size; + struct mwifiex_private *priv; + +@@ -921,8 +921,8 @@ void mwifiex_update_ampdu_txwinsize(struct mwifiex_adapter *adapter) + if (tx_win_size != priv->add_ba_param.tx_win_size) { + if (!priv->media_connected) + continue; +- for (i = 0; i < MAX_NUM_TID; i++) +- mwifiex_send_delba_txbastream_tbl(priv, i); ++ for (j = 0; j < MAX_NUM_TID; j++) ++ mwifiex_send_delba_txbastream_tbl(priv, j); + } + } + } +-- +2.39.2 + diff --git a/queue-5.4/wifi-orinoco-check-return-value-of-hermes_write_word.patch b/queue-5.4/wifi-orinoco-check-return-value-of-hermes_write_word.patch new file mode 100644 index 00000000000..1bba35ebd23 --- /dev/null +++ b/queue-5.4/wifi-orinoco-check-return-value-of-hermes_write_word.patch @@ -0,0 +1,43 @@ +From 487d0f6c8e174799376cf336c415d881e03805c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Dec 2022 16:33:06 +0300 +Subject: wifi: orinoco: check return value of hermes_write_wordrec() + +From: Alexey Kodanev + +[ Upstream commit 1e346cbb096a5351a637ec1992beffbf330547f0 ] + +There is currently no return check for writing an authentication +type (HERMES_AUTH_SHARED_KEY or HERMES_AUTH_OPEN). It looks like +it was accidentally skipped. + +This patch adds a return check similar to the other checks in +__orinoco_hw_setup_enc() for hermes_write_wordrec(). + +Detected using the static analysis tool - Svace. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alexey Kodanev +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221227133306.201356-1-aleksei.kodanev@bell-sw.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/hw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intersil/orinoco/hw.c b/drivers/net/wireless/intersil/orinoco/hw.c +index 61af5a28f269f..af49aa421e47f 100644 +--- a/drivers/net/wireless/intersil/orinoco/hw.c ++++ b/drivers/net/wireless/intersil/orinoco/hw.c +@@ -931,6 +931,8 @@ int __orinoco_hw_setup_enc(struct orinoco_private *priv) + err = hermes_write_wordrec(hw, USER_BAP, + HERMES_RID_CNFAUTHENTICATION_AGERE, + auth_flag); ++ if (err) ++ return err; + } + err = hermes_write_wordrec(hw, USER_BAP, + HERMES_RID_CNFWEPENABLED_AGERE, +-- +2.39.2 + diff --git a/queue-5.4/wifi-rsi-fix-memory-leak-in-rsi_coex_attach.patch b/queue-5.4/wifi-rsi-fix-memory-leak-in-rsi_coex_attach.patch new file mode 100644 index 00000000000..e54a8865324 --- /dev/null +++ b/queue-5.4/wifi-rsi-fix-memory-leak-in-rsi_coex_attach.patch @@ -0,0 +1,37 @@ +From 3ec9df6e21168ae70a3c09b1ca566ada1a88a345 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 06:14:41 +0000 +Subject: wifi: rsi: Fix memory leak in rsi_coex_attach() + +From: Yuan Can + +[ Upstream commit 956fb851a6e19da5ab491e19c1bc323bb2c2cf6f ] + +The coex_cb needs to be freed when rsi_create_kthread() failed in +rsi_coex_attach(). + +Fixes: 2108df3c4b18 ("rsi: add coex support") +Signed-off-by: Yuan Can +Reviewed-by: Simon Horman +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221205061441.114632-1-yuancan@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_coex.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_coex.c b/drivers/net/wireless/rsi/rsi_91x_coex.c +index c8ba148f8c6cf..acf4d8cb4b479 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_coex.c ++++ b/drivers/net/wireless/rsi/rsi_91x_coex.c +@@ -160,6 +160,7 @@ int rsi_coex_attach(struct rsi_common *common) + rsi_coex_scheduler_thread, + "Coex-Tx-Thread")) { + rsi_dbg(ERR_ZONE, "%s: Unable to init tx thrd\n", __func__); ++ kfree(coex_cb); + return -EINVAL; + } + return 0; +-- +2.39.2 + diff --git a/queue-5.4/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch b/queue-5.4/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch new file mode 100644 index 00000000000..e029aa39248 --- /dev/null +++ b/queue-5.4/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch @@ -0,0 +1,47 @@ +From 0adc2cbb992c654f4fcdfb37a5c7c4113e0e0a66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:35:17 +0800 +Subject: wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 4c2005ac87685907b3719b4f40215b578efd27c4 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called to free and drop the SKB when +it's shutdown, so replace it with dev_kfree_skb_irq(). Compile tested +only. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Signed-off-by: Yang Yingliang +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221208143517.2383424-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 0bc747489c55a..9278f4feff745 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5095,7 +5095,7 @@ static void rtl8xxxu_queue_rx_urb(struct rtl8xxxu_priv *priv, + pending = priv->rx_urb_pending_count; + } else { + skb = (struct sk_buff *)rx_urb->urb.context; +- dev_kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + usb_free_urb(&rx_urb->urb); + } + +-- +2.39.2 + diff --git a/queue-5.4/wifi-rtlwifi-fix-global-out-of-bounds-bug-in-_rtl881.patch b/queue-5.4/wifi-rtlwifi-fix-global-out-of-bounds-bug-in-_rtl881.patch new file mode 100644 index 00000000000..46fbb32c90a --- /dev/null +++ b/queue-5.4/wifi-rtlwifi-fix-global-out-of-bounds-bug-in-_rtl881.patch @@ -0,0 +1,158 @@ +From 414ed7dc9b48cdbd498bd6f6ad69ef36dc2a76ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 10:58:12 +0800 +Subject: wifi: rtlwifi: Fix global-out-of-bounds bug in + _rtl8812ae_phy_set_txpower_limit() + +From: Li Zetao + +[ Upstream commit 117dbeda22ec5ea0918254d03b540ef8b8a64d53 ] + +There is a global-out-of-bounds reported by KASAN: + + BUG: KASAN: global-out-of-bounds in + _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] + Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/411 + + CPU: 6 PID: 411 Comm: NetworkManager Tainted: G D + 6.1.0-rc8+ #144 e15588508517267d37 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), + Call Trace: + + ... + kasan_report+0xbb/0x1c0 + _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] + rtl8821ae_phy_bb_config.cold+0x346/0x641 [rtl8821ae] + rtl8821ae_hw_init+0x1f5e/0x79b0 [rtl8821ae] + ... + + +The root cause of the problem is that the comparison order of +"prate_section" in _rtl8812ae_phy_set_txpower_limit() is wrong. The +_rtl8812ae_eq_n_byte() is used to compare the first n bytes of the two +strings from tail to head, which causes the problem. In the +_rtl8812ae_phy_set_txpower_limit(), it was originally intended to meet +this requirement by carefully designing the comparison order. +For example, "pregulation" and "pbandwidth" are compared in order of +length from small to large, first is 3 and last is 4. However, the +comparison order of "prate_section" dose not obey such order requirement, +therefore when "prate_section" is "HT", when comparing from tail to head, +it will lead to access out of bounds in _rtl8812ae_eq_n_byte(). As +mentioned above, the _rtl8812ae_eq_n_byte() has the same function as +strcmp(), so just strcmp() is enough. + +Fix it by removing _rtl8812ae_eq_n_byte() and use strcmp() barely. +Although it can be fixed by adjusting the comparison order of +"prate_section", this may cause the value of "rate_section" to not be +from 0 to 5. In addition, commit "21e4b0726dc6" not only moved driver +from staging to regular tree, but also added setting txpower limit +function during the driver config phase, so the problem was introduced +by this commit. + +Fixes: 21e4b0726dc6 ("rtlwifi: rtl8821ae: Move driver from staging to regular tree") +Signed-off-by: Li Zetao +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221212025812.1541311-1-lizetao1@huawei.com +Signed-off-by: Sasha Levin +--- + .../wireless/realtek/rtlwifi/rtl8821ae/phy.c | 52 +++++++------------ + 1 file changed, 20 insertions(+), 32 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +index b9c560829a6f8..8647db0443661 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/phy.c +@@ -1605,18 +1605,6 @@ static bool _rtl8812ae_get_integer_from_string(const char *str, u8 *pint) + return true; + } + +-static bool _rtl8812ae_eq_n_byte(const char *str1, const char *str2, u32 num) +-{ +- if (num == 0) +- return false; +- while (num > 0) { +- num--; +- if (str1[num] != str2[num]) +- return false; +- } +- return true; +-} +- + static s8 _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(struct ieee80211_hw *hw, + u8 band, u8 channel) + { +@@ -1666,42 +1654,42 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, + power_limit = power_limit > MAX_POWER_INDEX ? + MAX_POWER_INDEX : power_limit; + +- if (_rtl8812ae_eq_n_byte(pregulation, "FCC", 3)) ++ if (strcmp(pregulation, "FCC") == 0) + regulation = 0; +- else if (_rtl8812ae_eq_n_byte(pregulation, "MKK", 3)) ++ else if (strcmp(pregulation, "MKK") == 0) + regulation = 1; +- else if (_rtl8812ae_eq_n_byte(pregulation, "ETSI", 4)) ++ else if (strcmp(pregulation, "ETSI") == 0) + regulation = 2; +- else if (_rtl8812ae_eq_n_byte(pregulation, "WW13", 4)) ++ else if (strcmp(pregulation, "WW13") == 0) + regulation = 3; + +- if (_rtl8812ae_eq_n_byte(prate_section, "CCK", 3)) ++ if (strcmp(prate_section, "CCK") == 0) + rate_section = 0; +- else if (_rtl8812ae_eq_n_byte(prate_section, "OFDM", 4)) ++ else if (strcmp(prate_section, "OFDM") == 0) + rate_section = 1; +- else if (_rtl8812ae_eq_n_byte(prate_section, "HT", 2) && +- _rtl8812ae_eq_n_byte(prf_path, "1T", 2)) ++ else if (strcmp(prate_section, "HT") == 0 && ++ strcmp(prf_path, "1T") == 0) + rate_section = 2; +- else if (_rtl8812ae_eq_n_byte(prate_section, "HT", 2) && +- _rtl8812ae_eq_n_byte(prf_path, "2T", 2)) ++ else if (strcmp(prate_section, "HT") == 0 && ++ strcmp(prf_path, "2T") == 0) + rate_section = 3; +- else if (_rtl8812ae_eq_n_byte(prate_section, "VHT", 3) && +- _rtl8812ae_eq_n_byte(prf_path, "1T", 2)) ++ else if (strcmp(prate_section, "VHT") == 0 && ++ strcmp(prf_path, "1T") == 0) + rate_section = 4; +- else if (_rtl8812ae_eq_n_byte(prate_section, "VHT", 3) && +- _rtl8812ae_eq_n_byte(prf_path, "2T", 2)) ++ else if (strcmp(prate_section, "VHT") == 0 && ++ strcmp(prf_path, "2T") == 0) + rate_section = 5; + +- if (_rtl8812ae_eq_n_byte(pbandwidth, "20M", 3)) ++ if (strcmp(pbandwidth, "20M") == 0) + bandwidth = 0; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, "40M", 3)) ++ else if (strcmp(pbandwidth, "40M") == 0) + bandwidth = 1; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, "80M", 3)) ++ else if (strcmp(pbandwidth, "80M") == 0) + bandwidth = 2; +- else if (_rtl8812ae_eq_n_byte(pbandwidth, "160M", 4)) ++ else if (strcmp(pbandwidth, "160M") == 0) + bandwidth = 3; + +- if (_rtl8812ae_eq_n_byte(pband, "2.4G", 4)) { ++ if (strcmp(pband, "2.4G") == 0) { + ret = _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(hw, + BAND_ON_2_4G, + channel); +@@ -1725,7 +1713,7 @@ static void _rtl8812ae_phy_set_txpower_limit(struct ieee80211_hw *hw, + regulation, bandwidth, rate_section, channel_index, + rtlphy->txpwr_limit_2_4g[regulation][bandwidth] + [rate_section][channel_index][RF90_PATH_A]); +- } else if (_rtl8812ae_eq_n_byte(pband, "5G", 2)) { ++ } else if (strcmp(pband, "5G") == 0) { + ret = _rtl8812ae_phy_get_chnl_idx_of_txpwr_lmt(hw, + BAND_ON_5G, + channel); +-- +2.39.2 + diff --git a/queue-5.4/wifi-wilc1000-fix-potential-memory-leak-in-wilc_mac_.patch b/queue-5.4/wifi-wilc1000-fix-potential-memory-leak-in-wilc_mac_.patch new file mode 100644 index 00000000000..64726a2966b --- /dev/null +++ b/queue-5.4/wifi-wilc1000-fix-potential-memory-leak-in-wilc_mac_.patch @@ -0,0 +1,36 @@ +From 9ee2bcb0f9e07f34794c304b5370e44ef9e62e0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 19:36:03 +0800 +Subject: wifi: wilc1000: fix potential memory leak in wilc_mac_xmit() + +From: Zhang Changzhong + +[ Upstream commit deb962ec9e1c9a81babd3d37542ad4bd6ac3396e ] + +The wilc_mac_xmit() returns NETDEV_TX_OK without freeing skb, add +dev_kfree_skb() to fix it. Compile tested only. + +Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver") +Signed-off-by: Zhang Changzhong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1668684964-48622-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/staging/wilc1000/wilc_netdev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/staging/wilc1000/wilc_netdev.c b/drivers/staging/wilc1000/wilc_netdev.c +index c8cf88258d06d..f34b1f0d3a803 100644 +--- a/drivers/staging/wilc1000/wilc_netdev.c ++++ b/drivers/staging/wilc1000/wilc_netdev.c +@@ -717,6 +717,7 @@ netdev_tx_t wilc_mac_xmit(struct sk_buff *skb, struct net_device *ndev) + + if (skb->dev != ndev) { + netdev_err(ndev, "Packet not destined to this device\n"); ++ dev_kfree_skb(skb); + return NETDEV_TX_OK; + } + +-- +2.39.2 + diff --git a/queue-5.4/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch b/queue-5.4/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch new file mode 100644 index 00000000000..96995f27d86 --- /dev/null +++ b/queue-5.4/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch @@ -0,0 +1,39 @@ +From 2896d81e0b2bc0406719fca40379cfe77c941b79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:04:53 +0800 +Subject: wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 44bacbdf9066c590423259dbd6d520baac99c1a8 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150453.114742-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index 122d36439319c..8638c7c72bc30 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1328,7 +1328,7 @@ static netdev_tx_t wl3501_hard_start_xmit(struct sk_buff *skb, + } else { + ++dev->stats.tx_packets; + dev->stats.tx_bytes += skb->len; +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + + if (this->tx_buffer_cnt < 2) + netif_stop_queue(dev); +-- +2.39.2 + diff --git a/queue-5.4/wilc1000-let-wilc_mac_xmit-return-netdev_tx_ok.patch b/queue-5.4/wilc1000-let-wilc_mac_xmit-return-netdev_tx_ok.patch new file mode 100644 index 00000000000..b98aebad0bd --- /dev/null +++ b/queue-5.4/wilc1000-let-wilc_mac_xmit-return-netdev_tx_ok.patch @@ -0,0 +1,57 @@ +From d6c3cd2c0d2059ec6dede3ae4755165e32430103 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 12:40:09 +0200 +Subject: wilc1000: let wilc_mac_xmit() return NETDEV_TX_OK + +From: Luc Van Oostenryck + +[ Upstream commit cce0e08301fe43dc3fe983d5f098393d15f803f0 ] + +The method ndo_start_xmit() is defined as returning an 'netdev_tx_t', +which is a typedef for an enum type defining 'NETDEV_TX_OK' but this +driver returns '0' instead of 'NETDEV_TX_OK'. + +Fix this by returning 'NETDEV_TX_OK' instead of '0'. + +Signed-off-by: Luc Van Oostenryck +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200629104009.84077-1-luc.vanoostenryck@gmail.com +Stable-dep-of: deb962ec9e1c ("wifi: wilc1000: fix potential memory leak in wilc_mac_xmit()") +Signed-off-by: Sasha Levin +--- + drivers/staging/wilc1000/wilc_netdev.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/wilc1000/wilc_netdev.c b/drivers/staging/wilc1000/wilc_netdev.c +index 508acb8bb089f..c8cf88258d06d 100644 +--- a/drivers/staging/wilc1000/wilc_netdev.c ++++ b/drivers/staging/wilc1000/wilc_netdev.c +@@ -717,14 +717,14 @@ netdev_tx_t wilc_mac_xmit(struct sk_buff *skb, struct net_device *ndev) + + if (skb->dev != ndev) { + netdev_err(ndev, "Packet not destined to this device\n"); +- return 0; ++ return NETDEV_TX_OK; + } + + tx_data = kmalloc(sizeof(*tx_data), GFP_ATOMIC); + if (!tx_data) { + dev_kfree_skb(skb); + netif_wake_queue(ndev); +- return 0; ++ return NETDEV_TX_OK; + } + + tx_data->buff = skb->data; +@@ -748,7 +748,7 @@ netdev_tx_t wilc_mac_xmit(struct sk_buff *skb, struct net_device *ndev) + mutex_unlock(&wilc->vif_mutex); + } + +- return 0; ++ return NETDEV_TX_OK; + } + + static int wilc_mac_close(struct net_device *ndev) +-- +2.39.2 + diff --git a/queue-5.4/x86-bugs-reset-speculation-control-settings-on-init.patch b/queue-5.4/x86-bugs-reset-speculation-control-settings-on-init.patch new file mode 100644 index 00000000000..470fcc5dde7 --- /dev/null +++ b/queue-5.4/x86-bugs-reset-speculation-control-settings-on-init.patch @@ -0,0 +1,75 @@ +From ca15322227fcfccde3ef58dcc366b3066ed47c02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 07:31:48 -0800 +Subject: x86/bugs: Reset speculation control settings on init + +From: Breno Leitao + +[ Upstream commit 0125acda7d76b943ca55811df40ed6ec0ecf670f ] + +Currently, x86_spec_ctrl_base is read at boot time and speculative bits +are set if Kconfig items are enabled. For example, IBRS is enabled if +CONFIG_CPU_IBRS_ENTRY is configured, etc. These MSR bits are not cleared +if the mitigations are disabled. + +This is a problem when kexec-ing a kernel that has the mitigation +disabled from a kernel that has the mitigation enabled. In this case, +the MSR bits are not cleared during the new kernel boot. As a result, +this might have some performance degradation that is hard to pinpoint. + +This problem does not happen if the machine is (hard) rebooted because +the bit will be cleared by default. + + [ bp: Massage. ] + +Suggested-by: Pawan Gupta +Signed-off-by: Breno Leitao +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20221128153148.1129350-1-leitao@debian.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/msr-index.h | 4 ++++ + arch/x86/kernel/cpu/bugs.c | 10 +++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h +index 7fa0b213b0079..67d43645a2b6b 100644 +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -50,6 +50,10 @@ + #define SPEC_CTRL_RRSBA_DIS_S_SHIFT 6 /* Disable RRSBA behavior */ + #define SPEC_CTRL_RRSBA_DIS_S BIT(SPEC_CTRL_RRSBA_DIS_S_SHIFT) + ++/* A mask for bits which the kernel toggles when controlling mitigations */ ++#define SPEC_CTRL_MITIGATIONS_MASK (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD \ ++ | SPEC_CTRL_RRSBA_DIS_S) ++ + #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ + #define PRED_CMD_IBPB BIT(0) /* Indirect Branch Prediction Barrier */ + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 8dca326a9e78a..ab5e91700ab7d 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -135,9 +135,17 @@ void __init check_bugs(void) + * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD + * init code as it is not enumerated and depends on the family. + */ +- if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) ++ if (cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) { + rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); + ++ /* ++ * Previously running kernel (kexec), may have some controls ++ * turned ON. Clear them and let the mitigations setup below ++ * rediscover them based on configuration. ++ */ ++ x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK; ++ } ++ + /* Select the proper CPU mitigations before patching alternatives: */ + spectre_v1_select_mitigation(); + spectre_v2_select_mitigation(); +-- +2.39.2 +