From: Sasha Levin Date: Sun, 20 Mar 2022 00:56:15 +0000 (-0400) Subject: Fixes for 5.16 X-Git-Tag: v4.9.308~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f4c498d3059c9ed3e92defb0ded3578094c3b7b5;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.16 Signed-off-by: Sasha Levin
---
diff --git a/queue-5.16/alx-acquire-mutex-for-alx_reinit-in-alx_change_mtu.patch b/queue-5.16/alx-acquire-mutex-for-alx_reinit-in-alx_change_mtu.patch
new file mode 100644
index 00000000000..5d55d1d37ff
--- /dev/null
+++ b/queue-5.16/alx-acquire-mutex-for-alx_reinit-in-alx_change_mtu.patch
@@ -0,0 +1,49 @@ +From 9135c175a0c7ca4b4509859901f3e568f44ef721 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Mar 2022 00:27:08 +0100 +Subject: alx: acquire mutex for alx_reinit in alx_change_mtu + +From: Niels Dossche + +[ Upstream commit 46b348fd2d81a341b15fb3f3f986204b038f5c42 ] + +alx_reinit has a lockdep assertion that the alx->mtx mutex must be held. +alx_reinit is called from two places: alx_reset and alx_change_mtu. +alx_reset does acquire alx->mtx before calling alx_reinit. +alx_change_mtu does not acquire this mutex, nor do its callers or any +path towards alx_change_mtu. +Acquire the mutex in alx_change_mtu. + +The issue was introduced when the fine-grained locking was introduced +to the code to replace the RTNL. The same commit also introduced the +lockdep assertion. + +Fixes: 4a5fe57e7751 ("alx: use fine-grained locking instead of RTNL") +Signed-off-by: Niels Dossche +Link: https://lore.kernel.org/r/20220310232707.44251-1-dossche.niels@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/atheros/alx/main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index 4ad3fc72e74e..a89b93cb4e26 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1181,8 +1181,11 @@ static int alx_change_mtu(struct net_device *netdev, int mtu) + alx->hw.mtu = mtu; + alx->rxbuf_size = max(max_frame, ALX_DEF_RXBUF_SIZE); + netdev_update_features(netdev); +- if (netif_running(netdev)) ++ if (netif_running(netdev)) { ++ mutex_lock(&alx->mtx); + alx_reinit(alx); ++ mutex_unlock(&alx->mtx); ++ } + return 0; + } + +-- +2.34.1 + diff --git a/queue-5.16/arm64-fix-clang-warning-about-tramp_valias.patch b/queue-5.16/arm64-fix-clang-warning-about-tramp_valias.patch new file mode 100644 index 00000000000..52eee30eec4 --- /dev/null 
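Review bot: In alx_change_mtu the new `mutex_lock(&alx->mtx)` is taken only around alx_reinit(), so the stores to `alx->hw.mtu` and `alx->rxbuf_size` two lines above it still run without the mutex. The commit text says alx_reset takes the same mutex before calling alx_reinit, so if the two can run concurrently a reinit could see the new MTU paired with the old buffer size; this is inferred, since the start of the function is outside the hunk. Consider moving the lock above the assignments, or document the actual invariant next to them, e.g. `/* hw.mtu and rxbuf_size are serialized by the caller; mtx only guards the reinit */` if that is what holds.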
+++ b/queue-5.16/arm64-fix-clang-warning-about-tramp_valias.patch @@ -0,0 +1,51 @@ +From 9744db115ea0849073fdb2c2475be1d273fc7bed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 19:38:18 +0100 +Subject: arm64: fix clang warning about TRAMP_VALIAS + +From: Arnd Bergmann + +[ Upstream commit 7f34b43e07cb512b28543fdcb9f35d1fbfda9ebc ] + +The newly introduced TRAMP_VALIAS definition causes a build warning +with clang-14: + +arch/arm64/include/asm/vectors.h:66:31: error: arithmetic on a null pointer treated as a cast from integer to pointer is a GNU extension [-Werror,-Wnull-pointer-arithmetic] + return (char *)TRAMP_VALIAS + SZ_2K * slot; + +Change the addition to something clang does not complain about. + +Fixes: bd09128d16fa ("arm64: Add percpu vectors for EL1") +Signed-off-by: Arnd Bergmann +Acked-by: James Morse +Link: https://lore.kernel.org/r/20220316183833.1563139-1-arnd@kernel.org +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/vectors.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/include/asm/vectors.h b/arch/arm64/include/asm/vectors.h +index f64613a96d53..bc9a2145f419 100644 +--- a/arch/arm64/include/asm/vectors.h ++++ b/arch/arm64/include/asm/vectors.h +@@ -56,14 +56,14 @@ enum arm64_bp_harden_el1_vectors { + DECLARE_PER_CPU_READ_MOSTLY(const char *, this_cpu_vector); + + #ifndef CONFIG_UNMAP_KERNEL_AT_EL0 +-#define TRAMP_VALIAS 0 ++#define TRAMP_VALIAS 0ul + #endif + + static inline const char * + arm64_get_bp_hardening_vector(enum arm64_bp_harden_el1_vectors slot) + { + if (arm64_kernel_unmapped_at_el0()) +- return (char *)TRAMP_VALIAS + SZ_2K * slot; ++ return (char *)(TRAMP_VALIAS + SZ_2K * slot); + + WARN_ON_ONCE(slot == EL1_VECTOR_KPTI); + +-- +2.34.1 + diff --git a/queue-5.16/atm-eni-add-check-for-dma_map_single.patch b/queue-5.16/atm-eni-add-check-for-dma_map_single.patch new file mode 100644 index 00000000000..807057a6857 --- /dev/null 
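Review bot: The `0ul` fallback for TRAMP_VALIAS under `#ifndef CONFIG_UNMAP_KERNEL_AT_EL0` carries no comment saying it is a placeholder, so a reader can take it for a real address. A line above the define such as `/* dummy value so arm64_get_bp_hardening_vector() compiles; presumably unused when the kernel is not unmapped at EL0 */` would record that, with the "unused" part to be confirmed against arm64_kernel_unmapped_at_el0(). The cast in the return could also be `(const char *)` to match the function's return type. The function body continues past the hunk.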
+++ b/queue-5.16/atm-eni-add-check-for-dma_map_single.patch @@ -0,0 +1,37 @@ +From 68dec0df4af5feb8864d041787e1af73b17f1ad5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Mar 2022 09:34:48 +0800 +Subject: atm: eni: Add check for dma_map_single + +From: Jiasheng Jiang + +[ Upstream commit 0f74b29a4f53627376cf5a5fb7b0b3fa748a0b2b ] + +As the potential failure of the dma_map_single(), +it should be better to check it and return error +if fails. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/eni.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c +index 422753d52244..a31ffe16e626 100644 +--- a/drivers/atm/eni.c ++++ b/drivers/atm/eni.c +@@ -1112,6 +1112,8 @@ DPRINTK("iovcnt = %d\n",skb_shinfo(skb)->nr_frags); + skb_data3 = skb->data[3]; + paddr = dma_map_single(&eni_dev->pci_dev->dev,skb->data,skb->len, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&eni_dev->pci_dev->dev, paddr)) ++ return enq_next; + ENI_PRV_PADDR(skb) = paddr; + /* prepare DMA queue entries */ + j = 0; +-- +2.34.1 + diff --git a/queue-5.16/bnx2x-fix-built-in-kernel-driver-load-failure.patch b/queue-5.16/bnx2x-fix-built-in-kernel-driver-load-failure.patch new file mode 100644 index 00000000000..745bd1d136b --- /dev/null +++ b/queue-5.16/bnx2x-fix-built-in-kernel-driver-load-failure.patch 
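Review bot: The added `return enq_next;` after dma_mapping_error() leaves no trace of the failure, and the hunk does not show what the caller does with skb for that return code. If the caller re-queues the buffer, a mapping that keeps failing is retried without bound; if it does not, the skb has to be released on this path. A rate-limited message before the return would make the condition visible, for example `if (net_ratelimit()) printk(KERN_WARNING "eni: dma_map_single failed\n");`, together with a short comment stating who owns skb afterwards. The function starts outside the hunk, so anything it acquired earlier should be checked for release here as well.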
@@ -0,0 +1,160 @@ +From 14fc8c15c0d41309bcd366de8f024712e8b72311 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 14:46:13 -0700 +Subject: bnx2x: fix built-in kernel driver load failure + +From: Manish Chopra + +[ Upstream commit 424e7834e293936a54fcf05173f2884171adc5a3 ] + +Commit b7a49f73059f ("bnx2x: Utilize firmware 7.13.21.0") +added request_firmware() logic in probe() which caused +load failure when firmware file is not present in initrd (below), +as access to firmware file is not feasible during probe. + + Direct firmware load for bnx2x/bnx2x-e2-7.13.15.0.fw failed with error -2 + Direct firmware load for bnx2x/bnx2x-e2-7.13.21.0.fw failed with error -2 + +This patch fixes this issue by - + +1. Removing request_firmware() logic from the probe() + such that .ndo_open() handle it as it used to handle + it earlier + +2. Given request_firmware() is removed from probe(), so + driver has to relax FW version comparisons a bit against + the already loaded FW version (by some other PFs of same + adapter) to allow different compatible/close enough FWs with which + multiple PFs may run with (in different environments), as the + given PF who is in probe flow has no idea now with which firmware + file version it is going to initialize the device in ndo_open() + +Link: https://lore.kernel.org/all/46f2d9d9-ae7f-b332-ddeb-b59802be2bab@molgen.mpg.de/ +Reported-by: Paul Menzel +Tested-by: Paul Menzel +Fixes: b7a49f73059f ("bnx2x: Utilize firmware 7.13.21.0") +Signed-off-by: Manish Chopra +Signed-off-by: Ariel Elior +Link: https://lore.kernel.org/r/20220316214613.6884-1-manishc@marvell.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x.h | 2 -- + .../net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 28 +++++++++++-------- + .../net/ethernet/broadcom/bnx2x/bnx2x_main.c | 15 ++-------- + 3 files changed, 19 insertions(+), 26 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h 
b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +index a19dd6797070..2209d99b3404 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +@@ -2533,6 +2533,4 @@ void bnx2x_register_phc(struct bnx2x *bp); + * Meant for implicit re-load flows. + */ + int bnx2x_vlan_reconfigure_vid(struct bnx2x *bp); +-int bnx2x_init_firmware(struct bnx2x *bp); +-void bnx2x_release_firmware(struct bnx2x *bp); + #endif /* bnx2x.h */ +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +index e57fe0034ce2..b1ad62774897 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -2363,24 +2363,30 @@ int bnx2x_compare_fw_ver(struct bnx2x *bp, u32 load_code, bool print_err) + /* is another pf loaded on this engine? */ + if (load_code != FW_MSG_CODE_DRV_LOAD_COMMON_CHIP && + load_code != FW_MSG_CODE_DRV_LOAD_COMMON) { +- /* build my FW version dword */ +- u32 my_fw = (bp->fw_major) + (bp->fw_minor << 8) + +- (bp->fw_rev << 16) + (bp->fw_eng << 24); ++ u8 loaded_fw_major, loaded_fw_minor, loaded_fw_rev, loaded_fw_eng; ++ u32 loaded_fw; + + /* read loaded FW from chip */ +- u32 loaded_fw = REG_RD(bp, XSEM_REG_PRAM); ++ loaded_fw = REG_RD(bp, XSEM_REG_PRAM); + +- DP(BNX2X_MSG_SP, "loaded fw %x, my fw %x\n", +- loaded_fw, my_fw); ++ loaded_fw_major = loaded_fw & 0xff; ++ loaded_fw_minor = (loaded_fw >> 8) & 0xff; ++ loaded_fw_rev = (loaded_fw >> 16) & 0xff; ++ loaded_fw_eng = (loaded_fw >> 24) & 0xff; ++ ++ DP(BNX2X_MSG_SP, "loaded fw 0x%x major 0x%x minor 0x%x rev 0x%x eng 0x%x\n", ++ loaded_fw, loaded_fw_major, loaded_fw_minor, loaded_fw_rev, loaded_fw_eng); + + /* abort nic load if version mismatch */ +- if (my_fw != loaded_fw) { ++ if (loaded_fw_major != BCM_5710_FW_MAJOR_VERSION || ++ loaded_fw_minor != BCM_5710_FW_MINOR_VERSION || ++ loaded_fw_eng != BCM_5710_FW_ENGINEERING_VERSION || ++ loaded_fw_rev < 
BCM_5710_FW_REVISION_VERSION_V15) { + if (print_err) +- BNX2X_ERR("bnx2x with FW %x was already loaded which mismatches my %x FW. Aborting\n", +- loaded_fw, my_fw); ++ BNX2X_ERR("loaded FW incompatible. Aborting\n"); + else +- BNX2X_DEV_INFO("bnx2x with FW %x was already loaded which mismatches my %x FW, possibly due to MF UNDI\n", +- loaded_fw, my_fw); ++ BNX2X_DEV_INFO("loaded FW incompatible, possibly due to MF UNDI\n"); ++ + return -EBUSY; + } + } +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +index 4ce596daeaae..569004c961d4 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -12319,15 +12319,6 @@ static int bnx2x_init_bp(struct bnx2x *bp) + + bnx2x_read_fwinfo(bp); + +- if (IS_PF(bp)) { +- rc = bnx2x_init_firmware(bp); +- +- if (rc) { +- bnx2x_free_mem_bp(bp); +- return rc; +- } +- } +- + func = BP_FUNC(bp); + + /* need to reset chip if undi was active */ +@@ -12340,7 +12331,6 @@ static int bnx2x_init_bp(struct bnx2x *bp) + + rc = bnx2x_prev_unload(bp); + if (rc) { +- bnx2x_release_firmware(bp); + bnx2x_free_mem_bp(bp); + return rc; + } +@@ -13420,7 +13410,7 @@ do { \ + (u8 *)bp->arr, len); \ + } while (0) + +-int bnx2x_init_firmware(struct bnx2x *bp) ++static int bnx2x_init_firmware(struct bnx2x *bp) + { + const char *fw_file_name, *fw_file_name_v15; + struct bnx2x_fw_file_hdr *fw_hdr; +@@ -13520,7 +13510,7 @@ int bnx2x_init_firmware(struct bnx2x *bp) + return rc; + } + +-void bnx2x_release_firmware(struct bnx2x *bp) ++static void bnx2x_release_firmware(struct bnx2x *bp) + { + kfree(bp->init_ops_offsets); + kfree(bp->init_ops); +@@ -14037,7 +14027,6 @@ static int bnx2x_init_one(struct pci_dev *pdev, + return 0; + + init_one_freemem: +- bnx2x_release_firmware(bp); + bnx2x_free_mem_bp(bp); + + init_one_exit: +-- +2.34.1 + 
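Review bot: In bnx2x_compare_fw_ver the rewritten mismatch messages no longer carry any version number, and the only place the loaded version is printed is the DP() debug line. Someone who hits the -EBUSY return cannot tell from the log which firmware another PF left on the chip; the error path could keep it, e.g. `BNX2X_ERR("loaded FW 0x%x incompatible. Aborting\n", loaded_fw);`, and likewise in the BNX2X_DEV_INFO branch. The revision test is also only a lower bound (`loaded_fw_rev < BCM_5710_FW_REVISION_VERSION_V15`), so any higher revision byte read from XSEM_REG_PRAM is accepted. If only particular revisions are known to be compatible, an upper bound or a comment stating the assumption would help.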
diff --git a/queue-5.16/drm-don-t-make-drm_panel_bridge-dependent-on-drm_kms.patch b/queue-5.16/drm-don-t-make-drm_panel_bridge-dependent-on-drm_kms.patch
new file mode 100644
index 00000000000..5d24576e005
--- /dev/null
+++ b/queue-5.16/drm-don-t-make-drm_panel_bridge-dependent-on-drm_kms.patch
@@ -0,0 +1,94 @@ +From bcdfc429b10c82e994d1aba0e3c366fb06a1fce6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Mar 2022 09:45:59 +0100 +Subject: drm: Don't make DRM_PANEL_BRIDGE dependent on DRM_KMS_HELPERS + +From: Thomas Zimmermann + +[ Upstream commit 3c3384050d68570f9de0fec9e58824decfefba7a ] + +Fix a number of undefined references to drm_kms_helper.ko in +drm_dp_helper.ko: + + arm-suse-linux-gnueabi-ld: drivers/gpu/drm/dp/drm_dp_mst_topology.o: in function `drm_dp_mst_duplicate_state': + drm_dp_mst_topology.c:(.text+0x2df0): undefined reference to `__drm_atomic_helper_private_obj_duplicate_state' + arm-suse-linux-gnueabi-ld: drivers/gpu/drm/dp/drm_dp_mst_topology.o: in function `drm_dp_delayed_destroy_work': + drm_dp_mst_topology.c:(.text+0x370c): undefined reference to `drm_kms_helper_hotplug_event' + arm-suse-linux-gnueabi-ld: drivers/gpu/drm/dp/drm_dp_mst_topology.o: in function `drm_dp_mst_up_req_work': + drm_dp_mst_topology.c:(.text+0x7938): undefined reference to `drm_kms_helper_hotplug_event' + arm-suse-linux-gnueabi-ld: drivers/gpu/drm/dp/drm_dp_mst_topology.o: in function `drm_dp_mst_link_probe_work': + drm_dp_mst_topology.c:(.text+0x82e0): undefined reference to `drm_kms_helper_hotplug_event' + +This happens if panel-edp.ko has been configured with + + DRM_PANEL_EDP=y + DRM_DP_HELPER=y + DRM_KMS_HELPER=m + +which builds DP helpers into the kernel and KMS helpers sa a module. +Making DRM_PANEL_EDP select DRM_KMS_HELPER resolves this problem. + +To avoid a resulting cyclic dependency with DRM_PANEL_BRIDGE, don't +make the latter depend on DRM_KMS_HELPER and fix the one DRM bridge +drivers that doesn't already select DRM_KMS_HELPER. As KMS helpers +cannot be selected directly by the user, config symbols should avoid +depending on it anyway. 
+ +Signed-off-by: Thomas Zimmermann +Fixes: 3755d35ee1d2 ("drm/panel: Select DRM_DP_HELPER for DRM_PANEL_EDP") +Acked-by: Sam Ravnborg +Tested-by: Brian Masney +Reported-by: kernel test robot +Cc: Thomas Zimmermann +Cc: Naresh Kamboju +Cc: Linux Kernel Functional Testing +Cc: Lyude Paul +Cc: Sam Ravnborg +Cc: Daniel Vetter +Cc: Maarten Lankhorst +Cc: Maxime Ripard +Cc: dri-devel@lists.freedesktop.org +Cc: Dave Airlie +Cc: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/478296/ +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/Kconfig | 2 +- + drivers/gpu/drm/panel/Kconfig | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/Kconfig b/drivers/gpu/drm/bridge/Kconfig +index 431b6e12a81f..68ec45abc1fb 100644 +--- a/drivers/gpu/drm/bridge/Kconfig ++++ b/drivers/gpu/drm/bridge/Kconfig +@@ -8,7 +8,6 @@ config DRM_BRIDGE + config DRM_PANEL_BRIDGE + def_bool y + depends on DRM_BRIDGE +- depends on DRM_KMS_HELPER + select DRM_PANEL + help + DRM bridge wrapper of DRM panels +@@ -30,6 +29,7 @@ config DRM_CDNS_DSI + config DRM_CHIPONE_ICN6211 + tristate "Chipone ICN6211 MIPI-DSI/RGB Converter bridge" + depends on OF ++ select DRM_KMS_HELPER + select DRM_MIPI_DSI + select DRM_PANEL_BRIDGE + help +diff --git a/drivers/gpu/drm/panel/Kconfig b/drivers/gpu/drm/panel/Kconfig +index 0d3798354e6a..42011d884202 100644 +--- a/drivers/gpu/drm/panel/Kconfig ++++ b/drivers/gpu/drm/panel/Kconfig +@@ -96,6 +96,7 @@ config DRM_PANEL_EDP + select VIDEOMODE_HELPERS + select DRM_DP_AUX_BUS + select DRM_DP_HELPER ++ select DRM_KMS_HELPER + help + DRM panel driver for dumb eDP panels that need at most a regulator and + a GPIO to be powered up. Optionally a backlight can be attached so +-- +2.34.1 + diff --git a/queue-5.16/drm-imx-parallel-display-remove-bus-flags-check-in-i.patch b/queue-5.16/drm-imx-parallel-display-remove-bus-flags-check-in-i.patch new file mode 100644 index 00000000000..70f6d8faaaf --- /dev/null 
+++ b/queue-5.16/drm-imx-parallel-display-remove-bus-flags-check-in-i.patch 
@@ -0,0 +1,69 @@ +From ba7a89b483ba873a2f2a01062969aafe907f30b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Feb 2022 12:36:43 +0100 +Subject: drm/imx: parallel-display: Remove bus flags check in + imx_pd_bridge_atomic_check() + +From: Christoph Niedermaier + +[ Upstream commit 6061806a863e8b65b109eb06a280041cc7525442 ] + +If display timings were read from the devicetree using +of_get_display_timing() and pixelclk-active is defined +there, the flag DISPLAY_FLAGS_SYNC_POSEDGE/NEGEDGE is +automatically generated. Through the function +drm_bus_flags_from_videomode() e.g. called in the +panel-simple driver this flag got into the bus flags, +but then in imx_pd_bridge_atomic_check() the bus flag +check failed and will not initialize the display. The +original commit fe141cedc433 does not explain why this +check was introduced. So remove the bus flags check, +because it stops the initialization of the display with +valid bus flags. + +Fixes: fe141cedc433 ("drm/imx: pd: Use bus format/flags provided by the bridge when available") +Signed-off-by: Christoph Niedermaier +Cc: Marek Vasut +Cc: Boris Brezillon +Cc: Philipp Zabel +Cc: David Airlie +Cc: Daniel Vetter +Cc: Shawn Guo +Cc: Sascha Hauer +Cc: Pengutronix Kernel Team +Cc: Fabio Estevam +Cc: NXP Linux Team +Cc: linux-arm-kernel@lists.infradead.org +To: dri-devel@lists.freedesktop.org +Tested-by: Max Krummenacher +Acked-by: Boris Brezillon +Signed-off-by: Marek Vasut +Link: https://patchwork.freedesktop.org/patch/msgid/20220201113643.4638-1-cniedermaier@dh-electronics.com +Signed-off-by: Maarten Lankhorst +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/parallel-display.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c +index a8aba0141ce7..06cb1a59b9bc 100644 +--- a/drivers/gpu/drm/imx/parallel-display.c ++++ b/drivers/gpu/drm/imx/parallel-display.c +@@ -217,14 +217,6 @@ static int 
imx_pd_bridge_atomic_check(struct drm_bridge *bridge, + if (!imx_pd_format_supported(bus_fmt)) + return -EINVAL; + +- if (bus_flags & +- ~(DRM_BUS_FLAG_DE_LOW | DRM_BUS_FLAG_DE_HIGH | +- DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE | +- DRM_BUS_FLAG_PIXDATA_DRIVE_NEGEDGE)) { +- dev_warn(imxpd->dev, "invalid bus_flags (%x)\n", bus_flags); +- return -EINVAL; +- } +- + bridge_state->output_bus_cfg.flags = bus_flags; + bridge_state->input_bus_cfg.flags = bus_flags; + imx_crtc_state->bus_flags = bus_flags; +-- +2.34.1 + diff --git a/queue-5.16/drm-panel-simple-fix-innolux-g070y2-l01-bpp-settings.patch b/queue-5.16/drm-panel-simple-fix-innolux-g070y2-l01-bpp-settings.patch new file mode 100644 index 00000000000..b59c0840ea6 --- /dev/null +++ b/queue-5.16/drm-panel-simple-fix-innolux-g070y2-l01-bpp-settings.patch 
@@ -0,0 +1,49 @@ +From 72ee6407a3d344238eed90bfa12d742cf927e575 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Feb 2022 05:07:18 +0100 +Subject: drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings + +From: Marek Vasut + +[ Upstream commit fc1b6ef7bfb3d1d4df868b1c3e0480cacda6cd81 ] + +The Innolux G070Y2-L01 supports two modes of operation: +1) FRC=Low/NC ... MEDIA_BUS_FMT_RGB666_1X7X3_SPWG ... BPP=6 +2) FRC=High ..... MEDIA_BUS_FMT_RGB888_1X7X4_SPWG ... BPP=8 + +Currently the panel description mixes both, BPP from 1) and bus +format from 2), which triggers a warning at panel-simple.c:615. + +Pick the later, set bpp=8, fix the warning. + +Fixes: a5d2ade627dca ("drm/panel: simple: Add support for Innolux G070Y2-L01") +Signed-off-by: Marek Vasut +Cc: Christoph Fritz +Cc: Laurent Pinchart +Cc: Maxime Ripard +Cc: Sam Ravnborg +Cc: Thomas Zimmermann +Reviewed-by: Laurent Pinchart +Link: https://patchwork.freedesktop.org/patch/msgid/20220220040718.532866-1-marex@denx.de +Signed-off-by: Maarten Lankhorst +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c +index 87f30bced7b7..6a820b698f5a 100644 +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -2017,7 +2017,7 @@ static const struct display_timing innolux_g070y2_l01_timing = { + static const struct panel_desc innolux_g070y2_l01 = { + .timings = &innolux_g070y2_l01_timing, + .num_timings = 1, +- .bpc = 6, ++ .bpc = 8, + .size = { + .width = 152, + .height = 91, +-- +2.34.1 + diff --git a/queue-5.16/efi-fix-return-value-of-__setup-handlers.patch b/queue-5.16/efi-fix-return-value-of-__setup-handlers.patch new file mode 100644 index 00000000000..08dd3d77083 --- /dev/null +++ b/queue-5.16/efi-fix-return-value-of-__setup-handlers.patch 
@@ -0,0 +1,82 @@ +From 8c4368b3c6d657c6d1ecc7f738567eb14f9d4a5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Feb 2022 20:18:51 -0800 +Subject: efi: fix return value of __setup handlers + +From: Randy Dunlap + +[ Upstream commit 9feaf8b387ee0ece9c1d7add308776b502a35d0c ] + +When "dump_apple_properties" is used on the kernel boot command line, +it causes an Unknown parameter message and the string is added to init's +argument strings: + + Unknown kernel command line parameters "dump_apple_properties + BOOT_IMAGE=/boot/bzImage-517rc6 efivar_ssdt=newcpu_ssdt", will be + passed to user space. + + Run /sbin/init as init process + with arguments: + /sbin/init + dump_apple_properties + with environment: + HOME=/ + TERM=linux + BOOT_IMAGE=/boot/bzImage-517rc6 + efivar_ssdt=newcpu_ssdt + +Similarly when "efivar_ssdt=somestring" is used, it is added to the +Unknown parameter message and to init's environment strings, polluting +them (see examples above). + +Change the return value of the __setup functions to 1 to indicate +that the __setup options have been handled. + +Fixes: 58c5475aba67 ("x86/efi: Retrieve and assign Apple device properties") +Fixes: 475fb4e8b2f4 ("efi / ACPI: load SSTDs from EFI variables") +Signed-off-by: Randy Dunlap +Reported-by: Igor Zhbanov +Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru +Cc: Ard Biesheuvel +Cc: linux-efi@vger.kernel.org +Cc: Lukas Wunner +Cc: Octavian Purdila +Cc: "Rafael J. 
Wysocki" +Cc: Matt Fleming +Link: https://lore.kernel.org/r/20220301041851.12459-1-rdunlap@infradead.org +Signed-off-by: Ard Biesheuvel +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/apple-properties.c | 2 +- + drivers/firmware/efi/efi.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/efi/apple-properties.c b/drivers/firmware/efi/apple-properties.c +index 4c3201e290e2..ea84108035eb 100644 +--- a/drivers/firmware/efi/apple-properties.c ++++ b/drivers/firmware/efi/apple-properties.c +@@ -24,7 +24,7 @@ static bool dump_properties __initdata; + static int __init dump_properties_enable(char *arg) + { + dump_properties = true; +- return 0; ++ return 1; + } + + __setup("dump_apple_properties", dump_properties_enable); +diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c +index 7de3f5b6e8d0..5502e176d51b 100644 +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -212,7 +212,7 @@ static int __init efivar_ssdt_setup(char *str) + memcpy(efivar_ssdt, str, strlen(str)); + else + pr_warn("efivar_ssdt: name too long: %s\n", str); +- return 0; ++ return 1; + } + __setup("efivar_ssdt=", efivar_ssdt_setup); + +-- +2.34.1 + diff --git a/queue-5.16/esp6-fix-check-on-ipv6_skip_exthdr-s-return-value.patch b/queue-5.16/esp6-fix-check-on-ipv6_skip_exthdr-s-return-value.patch new file mode 100644 index 00000000000..be5cf87dc57 --- /dev/null +++ b/queue-5.16/esp6-fix-check-on-ipv6_skip_exthdr-s-return-value.patch 
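Review bot: Both handlers now end in `return 1;`, but nothing in the code says what that value means to the __setup machinery, so the next edit can easily turn it back into 0. A comment on the return, e.g. `/* __setup handlers return 1 once the option has been consumed */`, would keep the intent with the code. In efivar_ssdt_setup the same return is reached on the "name too long" branch, so an over-long value is reported as handled and only the pr_warn records it; say so in the comment if that is intended. The start of efivar_ssdt_setup is outside the hunk.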
@@ -0,0 +1,57 @@ +From 724c60c2856390c82e9daaa1ecea7e4bee6644f7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Mar 2022 11:49:00 +0100 +Subject: esp6: fix check on ipv6_skip_exthdr's return value + +From: Sabrina Dubroca + +[ Upstream commit 4db4075f92af2b28f415fc979ab626e6b37d67b6 ] + +Commit 5f9c55c8066b ("ipv6: check return value of ipv6_skip_exthdr") +introduced an incorrect check, which leads to all ESP packets over +either TCPv6 or UDPv6 encapsulation being dropped. In this particular +case, offset is negative, since skb->data points to the ESP header in +the following chain of headers, while skb->network_header points to +the IPv6 header: + + IPv6 | ext | ... | ext | UDP | ESP | ... + +That doesn't seem to be a problem, especially considering that if we +reach esp6_input_done2, we're guaranteed to have a full set of headers +available (otherwise the packet would have been dropped earlier in the +stack). However, it means that the return value will (intentionally) +be negative. We can make the test more specific, as the expected +return value of ipv6_skip_exthdr will be the (negated) size of either +a UDP header, or a TCP header with possible options. + +In the future, we should probably either make ipv6_skip_exthdr +explicitly accept negative offsets (and adjust its return value for +error cases), or make ipv6_skip_exthdr only take non-negative +offsets (and audit all callers). 
+ +Fixes: 5f9c55c8066b ("ipv6: check return value of ipv6_skip_exthdr") +Reported-by: Xiumei Mu +Signed-off-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/esp6.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c +index b7b573085bd5..5023f59a5b96 100644 +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -813,8 +813,7 @@ int esp6_input_done2(struct sk_buff *skb, int err) + struct tcphdr *th; + + offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); +- +- if (offset < 0) { ++ if (offset == -1) { + err = -EINVAL; + goto out; + } +-- +2.34.1 + diff --git a/queue-5.16/hv_netvsc-add-check-for-kvmalloc_array.patch b/queue-5.16/hv_netvsc-add-check-for-kvmalloc_array.patch new file mode 100644 index 00000000000..3d4e2f28819 --- /dev/null +++ b/queue-5.16/hv_netvsc-add-check-for-kvmalloc_array.patch 
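Review bot: The new test `if (offset == -1)` in esp6_input_done2 rests on two facts that are not written in the code: offset is legitimately negative at this point, and ipv6_skip_exthdr signals failure only as -1 (the second is implied by the change rather than stated). Put both next to the check, e.g. `/* offset is relative to skb->data and negative here; ipv6_skip_exthdr() fails with exactly -1 */`. The commit message says the expected result is the negated size of a UDP header or of a TCP header with options, so a range check on offset before it is used would be tighter than excluding a single value. The code that consumes offset lies outside the hunk, so treat this as something to confirm rather than a demonstrated fault.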
@@ -0,0 +1,40 @@ +From 7a18dc6d2ecc59dd8b34a2a210ff8cf3088a5112 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Mar 2022 10:01:25 +0800 +Subject: hv_netvsc: Add check for kvmalloc_array + +From: Jiasheng Jiang + +[ Upstream commit 886e44c9298a6b428ae046e2fa092ca52e822e6a ] + +As the potential failure of the kvmalloc_array(), +it should be better to check and restore the 'data' +if fails in order to avoid the dereference of the +NULL pointer. + +Fixes: 6ae746711263 ("hv_netvsc: Add per-cpu ethtool stats for netvsc") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20220314020125.2365084-1-jiasheng@iscas.ac.cn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/netvsc_drv.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index 7e66ae1d2a59..7117187dfbd7 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -1587,6 +1587,9 @@ static void netvsc_get_ethtool_stats(struct net_device *dev, + pcpu_sum = kvmalloc_array(num_possible_cpus(), + sizeof(struct netvsc_ethtool_pcpu_stats), + GFP_KERNEL); ++ if (!pcpu_sum) ++ return; ++ + netvsc_get_pcpu_stats(dev, pcpu_sum); + for_each_present_cpu(cpu) { + struct netvsc_ethtool_pcpu_stats *this_sum = &pcpu_sum[cpu]; +-- +2.34.1 + diff --git a/queue-5.16/iavf-fix-double-free-in-iavf_reset_task.patch b/queue-5.16/iavf-fix-double-free-in-iavf_reset_task.patch new file mode 100644 index 00000000000..5eb15bcf11c --- /dev/null +++ b/queue-5.16/iavf-fix-double-free-in-iavf_reset_task.patch 
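Review bot: On allocation failure the added `if (!pcpu_sum) return;` leaves netvsc_get_ethtool_stats with the per-CPU part of the output buffer unwritten, and because the function returns void the caller cannot tell. Whether those slots then hold zeros or stale memory depends on how the caller allocated the buffer, which is not visible here; if it is not zero-filled, the values handed back to user space are undefined. Consider clearing the remaining entries before returning (the index and count variables are outside the hunk), or at least add a comment such as `/* per-CPU stats keep the caller's initial values on allocation failure */`.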
@@ -0,0 +1,55 @@ +From 01e701f7128b1afd44c7988aacfe680131606673 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Mar 2022 16:37:39 +0100 +Subject: iavf: Fix double free in iavf_reset_task + +From: Przemyslaw Patynowski + +[ Upstream commit 16b2dd8cdf6f4e0597c34899de74b4d012b78188 ] + +Fix double free possibility in iavf_disable_vf, as crit_lock is +freed in caller, iavf_reset_task. Add kernel-doc for iavf_disable_vf. +Remove mutex_unlock in iavf_disable_vf. +Without this patch there is double free scenario, when calling +iavf_reset_task. + +Fixes: e85ff9c631e1 ("iavf: Fix deadlock in iavf_reset_task") +Signed-off-by: Przemyslaw Patynowski +Suggested-by: Dan Carpenter +Signed-off-by: Mateusz Palczewski +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index 138db07bdfa8..f2ce30366484 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -2133,6 +2133,13 @@ static void iavf_watchdog_task(struct work_struct *work) + queue_delayed_work(iavf_wq, &adapter->watchdog_task, HZ * 2); + } + ++/** ++ * iavf_disable_vf - disable VF ++ * @adapter: board private structure ++ * ++ * Set communication failed flag and free all resources. ++ * NOTE: This function is expected to be called with crit_lock being held. 
++ **/ + static void iavf_disable_vf(struct iavf_adapter *adapter) + { + struct iavf_mac_filter *f, *ftmp; +@@ -2187,7 +2194,6 @@ static void iavf_disable_vf(struct iavf_adapter *adapter) + memset(adapter->vf_res, 0, IAVF_VIRTCHNL_VF_RESOURCE_SIZE); + iavf_shutdown_adminq(&adapter->hw); + adapter->netdev->flags &= ~IFF_UP; +- mutex_unlock(&adapter->crit_lock); + adapter->flags &= ~IAVF_FLAG_RESET_PENDING; + iavf_change_state(adapter, __IAVF_DOWN); + wake_up(&adapter->down_waitqueue); +-- +2.34.1 + diff --git a/queue-5.16/iavf-fix-hang-during-reboot-shutdown.patch b/queue-5.16/iavf-fix-hang-during-reboot-shutdown.patch new file mode 100644 index 00000000000..da574d4fb59 --- /dev/null +++ b/queue-5.16/iavf-fix-hang-during-reboot-shutdown.patch 
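Review bot: The locking requirement added to the iavf_disable_vf kernel-doc is stated only in prose, so a future caller that forgets crit_lock will not be caught by any tooling. The removed line was `mutex_unlock(&adapter->crit_lock)`, so crit_lock is a mutex and the function could open with `lockdep_assert_held(&adapter->crit_lock);` after its declarations. Most of the function body lies between the two inner hunks and is not shown, so whether any other statement in it touches the lock has to be confirmed against the full file.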
@@ -0,0 +1,85 @@ +From 4ba716288e137d73eba4def5582ae918cc19cf30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Mar 2022 11:45:24 +0100 +Subject: iavf: Fix hang during reboot/shutdown + +From: Ivan Vecera + +[ Upstream commit b04683ff8f0823b869c219c78ba0d974bddea0b5 ] + +Recent commit 974578017fc1 ("iavf: Add waiting so the port is +initialized in remove") adds a wait-loop at the beginning of +iavf_remove() to ensure that port initialization is finished +prior unregistering net device. This causes a regression +in reboot/shutdown scenario because in this case callback +iavf_shutdown() is called and this callback detaches the device, +makes it down if it is running and sets its state to __IAVF_REMOVE. +Later shutdown callback of associated PF driver (e.g. ice_shutdown) +is called. That callback calls among other things sriov_disable() +that calls indirectly iavf_remove() (see stack trace below). +As the adapter state is already __IAVF_REMOVE then the mentioned +loop is end-less and shutdown process hangs. + +The patch fixes this by checking adapter's state at the beginning +of iavf_remove() and skips the rest of the function if the adapter +is already in remove state (shutdown is in progress). + +Reproducer: +1. Create VF on PF driven by ice or i40e driver +2. Ensure that the VF is bound to iavf driver +3. 
Reboot + +[52625.981294] sysrq: SysRq : Show Blocked State +[52625.988377] task:reboot state:D stack: 0 pid:17359 ppid: 1 f2 +[52625.996732] Call Trace: +[52625.999187] __schedule+0x2d1/0x830 +[52626.007400] schedule+0x35/0xa0 +[52626.010545] schedule_hrtimeout_range_clock+0x83/0x100 +[52626.020046] usleep_range+0x5b/0x80 +[52626.023540] iavf_remove+0x63/0x5b0 [iavf] +[52626.027645] pci_device_remove+0x3b/0xc0 +[52626.031572] device_release_driver_internal+0x103/0x1f0 +[52626.036805] pci_stop_bus_device+0x72/0xa0 +[52626.040904] pci_stop_and_remove_bus_device+0xe/0x20 +[52626.045870] pci_iov_remove_virtfn+0xba/0x120 +[52626.050232] sriov_disable+0x2f/0xe0 +[52626.053813] ice_free_vfs+0x7c/0x340 [ice] +[52626.057946] ice_remove+0x220/0x240 [ice] +[52626.061967] ice_shutdown+0x16/0x50 [ice] +[52626.065987] pci_device_shutdown+0x34/0x60 +[52626.070086] device_shutdown+0x165/0x1c5 +[52626.074011] kernel_restart+0xe/0x30 +[52626.077593] __do_sys_reboot+0x1d2/0x210 +[52626.093815] do_syscall_64+0x5b/0x1a0 +[52626.097483] entry_SYSCALL_64_after_hwframe+0x65/0xca + +Fixes: 974578017fc1 ("iavf: Add waiting so the port is initialized in remove") +Signed-off-by: Ivan Vecera +Link: https://lore.kernel.org/r/20220317104524.2802848-1-ivecera@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/iavf/iavf_main.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c +index f2ce30366484..42e6675078cd 100644 +--- a/drivers/net/ethernet/intel/iavf/iavf_main.c ++++ b/drivers/net/ethernet/intel/iavf/iavf_main.c +@@ -4028,6 +4028,13 @@ static void iavf_remove(struct pci_dev *pdev) + struct iavf_hw *hw = &adapter->hw; + int err; + ++ /* When reboot/shutdown is in progress no need to do anything ++ * as the adapter is already REMOVE state that was set during ++ * iavf_shutdown() callback. 
++ */ ++ if (adapter->state == __IAVF_REMOVE) ++ return; ++ + set_bit(__IAVF_IN_REMOVE_TASK, &adapter->crit_section); + /* Wait until port initialization is complete. + * There are flows where register/unregister netdev may race. +-- +2.34.1 + diff --git a/queue-5.16/ice-fix-null-pointer-dereference-in-ice_update_vsi_t.patch b/queue-5.16/ice-fix-null-pointer-dereference-in-ice_update_vsi_t.patch new file mode 100644 index 00000000000..48a35cbdf26 --- /dev/null +++ b/queue-5.16/ice-fix-null-pointer-dereference-in-ice_update_vsi_t.patch 
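Review bot: The early `return` added at the top of iavf_remove skips the whole teardown whenever adapter->state is already __IAVF_REMOVE, and the state is read before `set_bit(__IAVF_IN_REMOVE_TASK, ...)` with no lock visible in the hunk. That is safe only if everything iavf_remove would release has already been released, or no longer matters, once iavf_shutdown has run, and if no other path can put the adapter in that state; neither can be confirmed from the lines shown. The comment should say which assumption holds, for example `/* iavf_shutdown() already detached and closed the netdev; remaining resources are left for the reboot */`, and the unlocked read should be checked against concurrent state changes. The rest of iavf_remove is outside the hunk.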
@@ -0,0 +1,47 @@ +From 74cea2dc72796aafbb70b161785b39a2ae50e282 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Mar 2022 18:47:39 +0100 +Subject: ice: fix NULL pointer dereference in ice_update_vsi_tx_ring_stats() + +From: Maciej Fijalkowski + +[ Upstream commit f153546913bada41a811722f2c6d17c3243a0333 ] + +It is possible to do NULL pointer dereference in routine that updates +Tx ring stats. Currently only stats and bytes are updated when ring +pointer is valid, but later on ring is accessed to propagate gathered Tx +stats onto VSI stats. + +Change the existing logic to move to next ring when ring is NULL. + +Fixes: e72bba21355d ("ice: split ice_ring onto Tx/Rx separate structs") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Maciej Fijalkowski +Acked-by: Alexander Lobakin +Tested-by: Gurucharan G (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 8a6c3716cdab..b449b3408a1c 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -5972,8 +5972,9 @@ ice_update_vsi_tx_ring_stats(struct ice_vsi *vsi, + u64 pkts = 0, bytes = 0; + + ring = READ_ONCE(rings[i]); +- if (ring) +- ice_fetch_u64_stats_per_ring(&ring->syncp, ring->stats, &pkts, &bytes); ++ if (!ring) ++ continue; ++ ice_fetch_u64_stats_per_ring(&ring->syncp, ring->stats, &pkts, &bytes); + vsi_stats->tx_packets += pkts; + vsi_stats->tx_bytes += bytes; + vsi->tx_restart += ring->tx_stats.restart_q; +-- +2.34.1 + diff --git a/queue-5.16/net-bcmgenet-skip-invalid-partial-checksums.patch b/queue-5.16/net-bcmgenet-skip-invalid-partial-checksums.patch new file mode 100644 index 00000000000..102282e157c --- /dev/null 
+++ b/queue-5.16/net-bcmgenet-skip-invalid-partial-checksums.patch @@ -0,0 +1,45 @@ +From a9b560f150dc7923b64a0c22d5c4f0f67d049db7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 18:28:12 -0700 +Subject: net: bcmgenet: skip invalid partial checksums + +From: Doug Berger + +[ Upstream commit 0f643c88c8d240eba0ea25c2e095a46515ff46e9 ] + +The RXCHK block will return a partial checksum of 0 if it encounters +a problem while receiving a packet. Since a 1's complement sum can +only produce this result if no bits are set in the received data +stream it is fair to treat it as an invalid partial checksum and +not pass it up the stack. + +Fixes: 810155397890 ("net: bcmgenet: use CHECKSUM_COMPLETE for NETIF_F_RXCSUM") +Signed-off-by: Doug Berger +Acked-by: Florian Fainelli +Link: https://lore.kernel.org/r/20220317012812.1313196-1-opendmb@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 87f1056e29ff..2da804f84b48 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -2287,8 +2287,10 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring, + dma_length_status = status->length_status; + if (dev->features & NETIF_F_RXCSUM) { + rx_csum = (__force __be16)(status->rx_csum & 0xffff); +- skb->csum = (__force __wsum)ntohs(rx_csum); +- skb->ip_summed = CHECKSUM_COMPLETE; ++ if (rx_csum) { ++ skb->csum = (__force __wsum)ntohs(rx_csum); ++ skb->ip_summed = CHECKSUM_COMPLETE; ++ } + } + + /* DMA flags and length are still valid no matter how +-- +2.34.1 + 
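Review bot: The new `if (rx_csum)` guard in bcmgenet_desc_rx() has no comment, so a reader of the driver cannot tell why a zero partial checksum is rejected. The reason is only in the commit message, which says RXCHK returns 0 when it hit a problem receiving the packet. When the branch is skipped, `skb->ip_summed` keeps the value it already had, presumably CHECKSUM_NONE for a freshly allocated skb, so the stack verifies the checksum itself. That is the fail-safe outcome and worth stating above the check, e.g. `/* RXCHK reports 0 on a receive problem; leave ip_summed untouched so the stack checks the packet in software */`. The function body continues outside the hunk, so the initial value of `ip_summed` should be confirmed there.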
diff --git a/queue-5.16/net-dsa-add-missing-of_node_put-in-dsa_port_parse_of.patch b/queue-5.16/net-dsa-add-missing-of_node_put-in-dsa_port_parse_of.patch new file mode 100644 index 00000000000..939770a74e3 --- /dev/null +++ b/queue-5.16/net-dsa-add-missing-of_node_put-in-dsa_port_parse_of.patch @@ -0,0 +1,36 @@ +From 822dd2b6d569657d8f87f6b77662df8836a33353 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 08:26:02 +0000 +Subject: net: dsa: Add missing of_node_put() in dsa_port_parse_of + +From: Miaoqian Lin + +[ Upstream commit cb0b430b4e3acc88c85e0ad2e25f2a25a5765262 ] + +The device_node pointer is returned by of_parse_phandle() with refcount +incremented. We should use of_node_put() on it when done. + +Fixes: 6d4e5c570c2d ("net: dsa: get port type at parse time") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220316082602.10785-1-linmq006@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dsa/dsa2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c +index 7578b1350f18..e64ef196a984 100644 +--- a/net/dsa/dsa2.c ++++ b/net/dsa/dsa2.c +@@ -1327,6 +1327,7 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn) + const char *user_protocol; + + master = of_find_net_device_by_node(ethernet); ++ of_node_put(ethernet); + if (!master) + return -EPROBE_DEFER; + +-- +2.34.1 + diff --git a/queue-5.16/net-handle-arphrd_pimreg-in-dev_is_mac_header_xmit.patch b/queue-5.16/net-handle-arphrd_pimreg-in-dev_is_mac_header_xmit.patch new file mode 100644 index 00000000000..a1d42ee0465 --- /dev/null +++ b/queue-5.16/net-handle-arphrd_pimreg-in-dev_is_mac_header_xmit.patch 
@@ -0,0 +1,36 @@ +From 427e1fe5318d7a07cc34153c0915ce498652cefe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Mar 2022 10:20:08 +0100 +Subject: net: handle ARPHRD_PIMREG in dev_is_mac_header_xmit() + +From: Nicolas Dichtel + +[ Upstream commit 4ee06de7729d795773145692e246a06448b1eb7a ] + +This kind of interface doesn't have a mac header. This patch fixes +bpf_redirect() to a PIM interface. + +Fixes: 27b29f63058d ("bpf: add bpf_redirect() helper") +Signed-off-by: Nicolas Dichtel +Link: https://lore.kernel.org/r/20220315092008.31423-1-nicolas.dichtel@6wind.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/if_arp.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/if_arp.h b/include/linux/if_arp.h +index b712217f7030..1ed52441972f 100644 +--- a/include/linux/if_arp.h ++++ b/include/linux/if_arp.h +@@ -52,6 +52,7 @@ static inline bool dev_is_mac_header_xmit(const struct net_device *dev) + case ARPHRD_VOID: + case ARPHRD_NONE: + case ARPHRD_RAWIP: ++ case ARPHRD_PIMREG: + return false; + default: + return true; +-- +2.34.1 + diff --git a/queue-5.16/net-mscc-ocelot-fix-backwards-compatibility-with-sin.patch b/queue-5.16/net-mscc-ocelot-fix-backwards-compatibility-with-sin.patch new file mode 100644 index 00000000000..71bc3b95969 --- /dev/null +++ b/queue-5.16/net-mscc-ocelot-fix-backwards-compatibility-with-sin.patch 
@@ -0,0 +1,82 @@ +From 1f78fa2ea30749aeac192326a4c1d5c099d4fab2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 21:21:17 +0200 +Subject: net: mscc: ocelot: fix backwards compatibility with single-chain + tc-flower offload + +From: Vladimir Oltean + +[ Upstream commit 8e0341aefcc9133f3f48683873284b169581315b ] + +ACL rules can be offloaded to VCAP IS2 either through chain 0, or, since +the blamed commit, through a chain index whose number encodes a specific +PAG (Policy Action Group) and lookup number. + +The chain number is translated through ocelot_chain_to_pag() into a PAG, +and through ocelot_chain_to_lookup() into a lookup number. + +The problem with the blamed commit is that the above 2 functions don't +have special treatment for chain 0. So ocelot_chain_to_pag(0) returns +filter->pag = 224, which is in fact -32, but the "pag" field is an u8. + +So we end up programming the hardware with VCAP IS2 entries having a PAG +of 224. But the way in which the PAG works is that it defines a subset +of VCAP IS2 filters which should match on a packet. The default PAG is +0, and previous VCAP IS1 rules (which we offload using 'goto') can +modify it. So basically, we are installing filters with a PAG on which +no packet will ever match. This is the hardware equivalent of adding +filters to a chain which has no 'goto' to it. + +Restore the previous functionality by making ACL filters offloaded to +chain 0 go to PAG 0 and lookup number 0. The choice of PAG is clearly +correct, but the choice of lookup number isn't "as before" (which was to +leave the lookup a "don't care"). However, lookup 0 should be fine, +since even though there are ACL actions (policers) which have a +requirement to be used in a specific lookup, that lookup is 0. 
+ +Fixes: 226e9cd82a96 ("net: mscc: ocelot: only install TCAM entries into a specific lookup and PAG") +Signed-off-by: Vladimir Oltean +Link: https://lore.kernel.org/r/20220316192117.2568261-1-vladimir.oltean@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mscc/ocelot_flower.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mscc/ocelot_flower.c b/drivers/net/ethernet/mscc/ocelot_flower.c +index 738dd2be79dc..a3f1f1fbaf7d 100644 +--- a/drivers/net/ethernet/mscc/ocelot_flower.c ++++ b/drivers/net/ethernet/mscc/ocelot_flower.c +@@ -54,6 +54,12 @@ static int ocelot_chain_to_block(int chain, bool ingress) + */ + static int ocelot_chain_to_lookup(int chain) + { ++ /* Backwards compatibility with older, single-chain tc-flower ++ * offload support in Ocelot ++ */ ++ if (chain == 0) ++ return 0; ++ + return (chain / VCAP_LOOKUP) % 10; + } + +@@ -62,7 +68,15 @@ static int ocelot_chain_to_lookup(int chain) + */ + static int ocelot_chain_to_pag(int chain) + { +- int lookup = ocelot_chain_to_lookup(chain); ++ int lookup; ++ ++ /* Backwards compatibility with older, single-chain tc-flower ++ * offload support in Ocelot ++ */ ++ if (chain == 0) ++ return 0; ++ ++ lookup = ocelot_chain_to_lookup(chain); + + /* calculate PAG value as chain index relative to the first PAG */ + return chain - VCAP_IS2_CHAIN(lookup, 0); +-- +2.34.1 + diff --git a/queue-5.16/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch b/queue-5.16/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch new file mode 100644 index 00000000000..66e8f81a48e --- /dev/null +++ b/queue-5.16/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch 
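Review bot: The `chain == 0` early return is duplicated, comment included, in ocelot_chain_to_lookup() and ocelot_chain_to_pag(), and the header comments of both helpers start outside the hunks, so it is not visible whether they mention the legacy case. The description says the unguarded computation returned -32 for chain 0, which the u8 `pag` field stored as 224. The guard covers chain 0 only, so any other chain below `VCAP_IS2_CHAIN(lookup, 0)` would presumably wrap the same way unless callers reject it first, which is not visible here. I would state the contract above ocelot_chain_to_pag(), e.g. `/* chain 0 is the legacy single-chain offload and maps to PAG 0; other chains must already be validated so the result fits the u8 PAG */`.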
@@ -0,0 +1,119 @@ +From e8d1aed74c4a8ee30c79a0f2f955de64b6466a34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Mar 2022 15:29:58 -0800 +Subject: net/packet: fix slab-out-of-bounds access in packet_recvmsg() + +From: Eric Dumazet + +[ Upstream commit c700525fcc06b05adfea78039de02628af79e07a ] + +syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH +and mmap operations, tpacket_rcv() is queueing skbs with +garbage in skb->cb[], triggering a too big copy [1] + +Presumably, users of af_packet using mmap() already gets correct +metadata from the mapped buffer, we can simply make sure +to clear 12 bytes that might be copied to user space later. + +BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline] +BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 +Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631 + +CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255 + __kasan_report mm/kasan/report.c:442 [inline] + kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 + check_region_inline mm/kasan/generic.c:183 [inline] + kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 + memcpy+0x39/0x60 mm/kasan/shadow.c:66 + memcpy include/linux/fortify-string.h:225 [inline] + packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + sock_recvmsg net/socket.c:962 [inline] + ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 + ___sys_recvmsg+0x127/0x200 net/socket.c:2674 + __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + 
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7fdfd5954c29 +Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29 +RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005 +RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d +R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60 +R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54 + + +addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame: + ____sys_recvmsg+0x0/0x600 include/linux/uio.h:246 + +this frame has 1 object: + [32, 160) 'addr' + +Memory state around the buggy address: + ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 + ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 +>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 + ^ + ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 + ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 +================================================================== + +Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220312232958.3535620-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index fe9b4c04744a..92d180a0db5a 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2316,8 +2316,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device 
*dev, + copy_skb = skb_get(skb); + skb_head = skb->data; + } +- if (copy_skb) ++ if (copy_skb) { ++ memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0, ++ sizeof(PACKET_SKB_CB(copy_skb)->sa.ll)); + skb_set_owner_r(copy_skb, sk); ++ } + } + snaplen = po->rx_ring.frame_size - macoff; + if ((int)snaplen < 0) { +@@ -3469,6 +3472,8 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + sock_recv_ts_and_drops(msg, sk, skb); + + if (msg->msg_name) { ++ const size_t max_len = min(sizeof(skb->cb), ++ sizeof(struct sockaddr_storage)); + int copy_len; + + /* If the address length field is there to be filled +@@ -3491,6 +3496,10 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + msg->msg_namelen = sizeof(struct sockaddr_ll); + } + } ++ if (WARN_ON_ONCE(copy_len > max_len)) { ++ copy_len = max_len; ++ msg->msg_namelen = copy_len; ++ } + memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len); + } + +-- +2.34.1 + diff --git a/queue-5.16/net-phy-marvell-fix-invalid-comparison-in-the-resume.patch b/queue-5.16/net-phy-marvell-fix-invalid-comparison-in-the-resume.patch new file mode 100644 index 00000000000..0ddcfcb2823 --- /dev/null +++ b/queue-5.16/net-phy-marvell-fix-invalid-comparison-in-the-resume.patch 
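Review bot: Neither added guard carries a comment, although each encodes an invariant that a later change could quietly break. In tpacket_rcv() the memset exists because, per the description, the copied skb was queued with garbage in `skb->cb[]`; I would add `/* cb is not initialised on this path; clear sa.ll so packet_recvmsg() never sizes a copy from stale bytes */`. In packet_recvmsg() `copy_len` is an `int` compared against the `size_t` `max_len`, so a negative length is also clamped by the unsigned comparison. That is the safe result but easy to lose in a refactor, so I would note it next to the check, e.g. `/* defence in depth: never copy more than cb holds or a sockaddr_storage can take */`. Both functions continue outside the hunks, so how `copy_len` is derived should be checked there.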
@@ -0,0 +1,54 @@ +From 5b06f729639c0017b5ad33569967dfc34e472f46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Mar 2022 15:15:13 -0500 +Subject: net: phy: marvell: Fix invalid comparison in the resume and suspend + functions + +From: Kurt Cancemi + +[ Upstream commit 837d9e49402eaf030db55a49f96fc51d73b4b441 ] + +This bug resulted in only the current mode being resumed and suspended when +the PHY supported both fiber and copper modes and when the PHY only supported +copper mode the fiber mode would incorrectly be attempted to be resumed and +suspended. + +Fixes: 3758be3dc162 ("Marvell phy: add functions to suspend and resume both interfaces: fiber and copper links.") +Signed-off-by: Kurt Cancemi +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20220312201512.326047-1-kurt@x64architecture.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/marvell.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c +index cfda625dbea5..4d726ee03ce2 100644 +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1693,8 +1693,8 @@ static int marvell_suspend(struct phy_device *phydev) + int err; + + /* Suspend the fiber mode first */ +- if (!linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, +- phydev->supported)) { ++ if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, ++ phydev->supported)) { + err = marvell_set_page(phydev, MII_MARVELL_FIBER_PAGE); + if (err < 0) + goto error; +@@ -1728,8 +1728,8 @@ static int marvell_resume(struct phy_device *phydev) + int err; + + /* Resume the fiber mode first */ +- if (!linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, +- phydev->supported)) { ++ if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT, ++ phydev->supported)) { + err = marvell_set_page(phydev, MII_MARVELL_FIBER_PAGE); + if (err < 0) + goto error; +-- +2.34.1 + 
diff --git a/queue-5.16/net-phy-mscc-add-module_firmware-macros.patch b/queue-5.16/net-phy-mscc-add-module_firmware-macros.patch new file mode 100644 index 00000000000..13ade6476dc --- /dev/null +++ b/queue-5.16/net-phy-mscc-add-module_firmware-macros.patch @@ -0,0 +1,35 @@ +From f1fff375f081f38178d4534d7d90fa8de78b0c4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Mar 2022 16:18:35 +0100 +Subject: net: phy: mscc: Add MODULE_FIRMWARE macros + +From: Juerg Haefliger + +[ Upstream commit f1858c277ba40172005b76a31e6bb931bfc19d9c ] + +The driver requires firmware so define MODULE_FIRMWARE so that modinfo +provides the details. + +Fixes: fa164e40c53b ("net: phy: mscc: split the driver into separate files") +Signed-off-by: Juerg Haefliger +Link: https://lore.kernel.org/r/20220316151835.88765-1-juergh@canonical.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mscc/mscc_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c +index ebfeeb3c67c1..7e3017e7a1c0 100644 +--- a/drivers/net/phy/mscc/mscc_main.c ++++ b/drivers/net/phy/mscc/mscc_main.c +@@ -2685,3 +2685,6 @@ MODULE_DEVICE_TABLE(mdio, vsc85xx_tbl); + MODULE_DESCRIPTION("Microsemi VSC85xx PHY driver"); + MODULE_AUTHOR("Nagaraju Lakkaraju"); + MODULE_LICENSE("Dual MIT/GPL"); ++ ++MODULE_FIRMWARE(MSCC_VSC8584_REVB_INT8051_FW); ++MODULE_FIRMWARE(MSCC_VSC8574_REVB_INT8051_FW); +-- +2.34.1 + diff --git a/queue-5.16/nvmet-revert-nvmet-make-discovery-nqn-configurable.patch b/queue-5.16/nvmet-revert-nvmet-make-discovery-nqn-configurable.patch new file mode 100644 index 00000000000..7a95b982359 --- /dev/null +++ b/queue-5.16/nvmet-revert-nvmet-make-discovery-nqn-configurable.patch 
@@ -0,0 +1,96 @@ +From b7dc38372b33d284beffa13353b6da73ec4396e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Mar 2022 10:14:36 +0100 +Subject: nvmet: revert "nvmet: make discovery NQN configurable" + +From: Hannes Reinecke + +[ Upstream commit 0c48645a7f3988a624767d025fa3275ae24b6ca1 ] + +Revert commit 626851e9225d ("nvmet: make discovery NQN configurable"); +the interface was deemed incorrect and will be replaced with a different +one. + +Fixes: 626851e9225d ("nvmet: make discovery NQN configurable") +Signed-off-by: Hannes Reinecke +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/configfs.c | 39 ---------------------------------- + drivers/nvme/target/core.c | 3 +-- + 2 files changed, 1 insertion(+), 41 deletions(-) + +diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c +index 091a0ca16361..496d775c6770 100644 +--- a/drivers/nvme/target/configfs.c ++++ b/drivers/nvme/target/configfs.c +@@ -1233,44 +1233,6 @@ static ssize_t nvmet_subsys_attr_model_store(struct config_item *item, + } + CONFIGFS_ATTR(nvmet_subsys_, attr_model); + +-static ssize_t nvmet_subsys_attr_discovery_nqn_show(struct config_item *item, +- char *page) +-{ +- return snprintf(page, PAGE_SIZE, "%s\n", +- nvmet_disc_subsys->subsysnqn); +-} +- +-static ssize_t nvmet_subsys_attr_discovery_nqn_store(struct config_item *item, +- const char *page, size_t count) +-{ +- struct nvmet_subsys *subsys = to_subsys(item); +- char *subsysnqn; +- int len; +- +- len = strcspn(page, "\n"); +- if (!len) +- return -EINVAL; +- +- subsysnqn = kmemdup_nul(page, len, GFP_KERNEL); +- if (!subsysnqn) +- return -ENOMEM; +- +- /* +- * The discovery NQN must be different from subsystem NQN. 
+- */ +- if (!strcmp(subsysnqn, subsys->subsysnqn)) { +- kfree(subsysnqn); +- return -EBUSY; +- } +- down_write(&nvmet_config_sem); +- kfree(nvmet_disc_subsys->subsysnqn); +- nvmet_disc_subsys->subsysnqn = subsysnqn; +- up_write(&nvmet_config_sem); +- +- return count; +-} +-CONFIGFS_ATTR(nvmet_subsys_, attr_discovery_nqn); +- + #ifdef CONFIG_BLK_DEV_INTEGRITY + static ssize_t nvmet_subsys_attr_pi_enable_show(struct config_item *item, + char *page) +@@ -1300,7 +1262,6 @@ static struct configfs_attribute *nvmet_subsys_attrs[] = { + &nvmet_subsys_attr_attr_cntlid_min, + &nvmet_subsys_attr_attr_cntlid_max, + &nvmet_subsys_attr_attr_model, +- &nvmet_subsys_attr_attr_discovery_nqn, + #ifdef CONFIG_BLK_DEV_INTEGRITY + &nvmet_subsys_attr_attr_pi_enable, + #endif +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 5119c687de68..626caf6f1e4b 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -1493,8 +1493,7 @@ static struct nvmet_subsys *nvmet_find_get_subsys(struct nvmet_port *port, + if (!port) + return NULL; + +- if (!strcmp(NVME_DISC_SUBSYS_NAME, subsysnqn) || +- !strcmp(nvmet_disc_subsys->subsysnqn, subsysnqn)) { ++ if (!strcmp(NVME_DISC_SUBSYS_NAME, subsysnqn)) { + if (!kref_get_unless_zero(&nvmet_disc_subsys->ref)) + return NULL; + return nvmet_disc_subsys; +-- +2.34.1 + diff --git a/queue-5.16/series b/queue-5.16/series index be38eeaed5f..a4fc3607570 100644 --- a/queue-5.16/series +++ b/queue-5.16/series 
@@ -3,3 +3,25 @@ ocfs2-fix-crash-when-initialize-filecheck-kobj-fails.patch mm-swap-get-rid-of-livelock-in-swapin-readahead.patch block-release-rq-qos-structures-for-queue-without-disk.patch drm-mgag200-fix-pll-setup-for-g200wb-and-g200ew.patch +efi-fix-return-value-of-__setup-handlers.patch +alx-acquire-mutex-for-alx_reinit-in-alx_change_mtu.patch +vsock-each-transport-cycles-only-on-its-own-sockets.patch +esp6-fix-check-on-ipv6_skip_exthdr-s-return-value.patch +net-phy-marvell-fix-invalid-comparison-in-the-resume.patch +net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch +nvmet-revert-nvmet-make-discovery-nqn-configurable.patch +atm-eni-add-check-for-dma_map_single.patch +ice-fix-null-pointer-dereference-in-ice_update_vsi_t.patch +iavf-fix-double-free-in-iavf_reset_task.patch +hv_netvsc-add-check-for-kvmalloc_array.patch +drm-imx-parallel-display-remove-bus-flags-check-in-i.patch +drm-panel-simple-fix-innolux-g070y2-l01-bpp-settings.patch +net-handle-arphrd_pimreg-in-dev_is_mac_header_xmit.patch +drm-don-t-make-drm_panel_bridge-dependent-on-drm_kms.patch +net-dsa-add-missing-of_node_put-in-dsa_port_parse_of.patch +net-phy-mscc-add-module_firmware-macros.patch +bnx2x-fix-built-in-kernel-driver-load-failure.patch +net-bcmgenet-skip-invalid-partial-checksums.patch +net-mscc-ocelot-fix-backwards-compatibility-with-sin.patch +iavf-fix-hang-during-reboot-shutdown.patch +arm64-fix-clang-warning-about-tramp_valias.patch diff --git a/queue-5.16/vsock-each-transport-cycles-only-on-its-own-sockets.patch b/queue-5.16/vsock-each-transport-cycles-only-on-its-own-sockets.patch new file mode 100644 index 00000000000..f05d623ab38 --- /dev/null +++ b/queue-5.16/vsock-each-transport-cycles-only-on-its-own-sockets.patch 
@@ -0,0 +1,156 @@ +From dd18d6de119c5c63d76085aa54806b10a379b870 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Mar 2022 11:00:16 +0900 +Subject: vsock: each transport cycles only on its own sockets + +From: Jiyong Park + +[ Upstream commit 8e6ed963763fe21429eabfc76c69ce2b0163a3dd ] + +When iterating over sockets using vsock_for_each_connected_socket, make +sure that a transport filters out sockets that don't belong to the +transport. + +There actually was an issue caused by this; in a nested VM +configuration, destroying the nested VM (which often involves the +closing of /dev/vhost-vsock if there was h2g connections to the nested +VM) kills not only the h2g connections, but also all existing g2h +connections to the (outmost) host which are totally unrelated. + +Tested: Executed the following steps on Cuttlefish (Android running on a +VM) [1]: (1) Enter into an `adb shell` session - to have a g2h +connection inside the VM, (2) open and then close /dev/vhost-vsock by +`exec 3< /dev/vhost-vsock && exec 3<&-`, (3) observe that the adb +session is not reset. + +[1] https://android.googlesource.com/device/google/cuttlefish/ + +Fixes: c0cfa2d8a788 ("vsock: add multi-transports support") +Reviewed-by: Stefano Garzarella +Acked-by: Michael S. 
Tsirkin +Signed-off-by: Jiyong Park +Link: https://lore.kernel.org/r/20220311020017.1509316-1-jiyong@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/vhost/vsock.c | 3 ++- + include/net/af_vsock.h | 3 ++- + net/vmw_vsock/af_vsock.c | 9 +++++++-- + net/vmw_vsock/virtio_transport.c | 7 +++++-- + net/vmw_vsock/vmci_transport.c | 5 ++++- + 5 files changed, 20 insertions(+), 7 deletions(-) + +diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c +index 37f0b4274113..e6c9d41db1de 100644 +--- a/drivers/vhost/vsock.c ++++ b/drivers/vhost/vsock.c +@@ -753,7 +753,8 @@ static int vhost_vsock_dev_release(struct inode *inode, struct file *file) + + /* Iterating over all connections for all CIDs to find orphans is + * inefficient. Room for improvement here. */ +- vsock_for_each_connected_socket(vhost_vsock_reset_orphans); ++ vsock_for_each_connected_socket(&vhost_transport.transport, ++ vhost_vsock_reset_orphans); + + /* Don't check the owner, because we are in the release path, so we + * need to stop the vsock device in any case. 
+diff --git a/include/net/af_vsock.h b/include/net/af_vsock.h +index ab207677e0a8..f742e50207fb 100644 +--- a/include/net/af_vsock.h ++++ b/include/net/af_vsock.h +@@ -205,7 +205,8 @@ struct sock *vsock_find_bound_socket(struct sockaddr_vm *addr); + struct sock *vsock_find_connected_socket(struct sockaddr_vm *src, + struct sockaddr_vm *dst); + void vsock_remove_sock(struct vsock_sock *vsk); +-void vsock_for_each_connected_socket(void (*fn)(struct sock *sk)); ++void vsock_for_each_connected_socket(struct vsock_transport *transport, ++ void (*fn)(struct sock *sk)); + int vsock_assign_transport(struct vsock_sock *vsk, struct vsock_sock *psk); + bool vsock_find_cid(unsigned int cid); + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 8e4f2a1346be..782aa4209718 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -333,7 +333,8 @@ void vsock_remove_sock(struct vsock_sock *vsk) + } + EXPORT_SYMBOL_GPL(vsock_remove_sock); + +-void vsock_for_each_connected_socket(void (*fn)(struct sock *sk)) ++void vsock_for_each_connected_socket(struct vsock_transport *transport, ++ void (*fn)(struct sock *sk)) + { + int i; + +@@ -342,8 +343,12 @@ void vsock_for_each_connected_socket(void (*fn)(struct sock *sk)) + for (i = 0; i < ARRAY_SIZE(vsock_connected_table); i++) { + struct vsock_sock *vsk; + list_for_each_entry(vsk, &vsock_connected_table[i], +- connected_table) ++ connected_table) { ++ if (vsk->transport != transport) ++ continue; ++ + fn(sk_vsock(vsk)); ++ } + } + + spin_unlock_bh(&vsock_table_lock); +diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c +index 4f7c99dfd16c..dad9ca65f4f9 100644 +--- a/net/vmw_vsock/virtio_transport.c ++++ b/net/vmw_vsock/virtio_transport.c +@@ -24,6 +24,7 @@ + static struct workqueue_struct *virtio_vsock_workqueue; + static struct virtio_vsock __rcu *the_virtio_vsock; + static DEFINE_MUTEX(the_virtio_vsock_mutex); /* protects the_virtio_vsock */ ++static struct 
virtio_transport virtio_transport; /* forward declaration */ + + struct virtio_vsock { + struct virtio_device *vdev; +@@ -384,7 +385,8 @@ static void virtio_vsock_event_handle(struct virtio_vsock *vsock, + switch (le32_to_cpu(event->id)) { + case VIRTIO_VSOCK_EVENT_TRANSPORT_RESET: + virtio_vsock_update_guest_cid(vsock); +- vsock_for_each_connected_socket(virtio_vsock_reset_sock); ++ vsock_for_each_connected_socket(&virtio_transport.transport, ++ virtio_vsock_reset_sock); + break; + } + } +@@ -662,7 +664,8 @@ static void virtio_vsock_remove(struct virtio_device *vdev) + synchronize_rcu(); + + /* Reset all connected sockets when the device disappear */ +- vsock_for_each_connected_socket(virtio_vsock_reset_sock); ++ vsock_for_each_connected_socket(&virtio_transport.transport, ++ virtio_vsock_reset_sock); + + /* Stop all work handlers to make sure no one is accessing the device, + * so we can safely call vdev->config->reset(). +diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c +index 7aef34e32bdf..b17dc9745188 100644 +--- a/net/vmw_vsock/vmci_transport.c ++++ b/net/vmw_vsock/vmci_transport.c +@@ -75,6 +75,8 @@ static u32 vmci_transport_qp_resumed_sub_id = VMCI_INVALID_ID; + + static int PROTOCOL_OVERRIDE = -1; + ++static struct vsock_transport vmci_transport; /* forward declaration */ ++ + /* Helper function to convert from a VMCI error code to a VSock error code. */ + + static s32 vmci_transport_error_to_vsock_error(s32 vmci_error) +@@ -882,7 +884,8 @@ static void vmci_transport_qp_resumed_cb(u32 sub_id, + const struct vmci_event_data *e_data, + void *client_data) + { +- vsock_for_each_connected_socket(vmci_transport_handle_detach); ++ vsock_for_each_connected_socket(&vmci_transport, ++ vmci_transport_handle_detach); + } + + static void vmci_transport_recv_pkt_work(struct work_struct *work) +-- +2.34.1 +
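Review bot: vsock_for_each_connected_socket() gains a `transport` argument in af_vsock.h and af_vsock.c with no comment on what it filters or on the calling context. The added `if (vsk->transport != transport) continue;` is what keeps one transport's reset path away from another transport's connections, so a caller passing the wrong pointer silently resets nothing. The visible `spin_unlock_bh(&vsock_table_lock)` also suggests `fn` runs with that lock held. I would document this at the definition, e.g. `/* Call fn on each connected socket owned by transport; fn runs under vsock_table_lock and must not sleep */`. Whether `vsk->transport` can change while the table lock is held is not visible in these hunks and is worth confirming.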