From 068ecf94e1dcb3f7cf7987c27a636d3dd9b583b9 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Thu, 11 May 2023 11:48:35 -0400
Subject: [PATCH] Fixes for 5.15
Signed-off-by: Sasha Levin
---
 ...host-range-check-chdboff-and-erdboff.patch | 59 ++++++
 ...remove-duplicate-ee-check-for-syserr.patch | 50 +++++
 ...-mhi_tryset_pm_state-for-setting-fw-.patch | 85 ++++++++
 ...move-host-mhi-code-to-host-directory.patch | 189 ++++++++++++++++++
 ...-psp-interrupt-status-register-befor.patch | 74 +++++++
 ...tch-to-flexible-array-to-simplify-co.patch | 56 ++++++
 ...box-zynqmp-fix-counts-of-child-nodes.patch | 45 +++++
 ...re-proper-resetting-of-atomic-variab.patch | 87 ++++++++
 queue-5.15/series | 10 +
 ...dlock-when-setting-xattr-for-encrypt.patch | 186 +++++++++++++++++
 .../ubifs-fix-memory-leak-in-do_rename.patch | 80 ++++++++
 11 files changed, 921 insertions(+)
 create mode 100644 queue-5.15/bus-mhi-host-range-check-chdboff-and-erdboff.patch
 create mode 100644 queue-5.15/bus-mhi-host-remove-duplicate-ee-check-for-syserr.patch
 create mode 100644 queue-5.15/bus-mhi-host-use-mhi_tryset_pm_state-for-setting-fw-.patch
 create mode 100644 queue-5.15/bus-mhi-move-host-mhi-code-to-host-directory.patch
 create mode 100644 queue-5.15/crypto-ccp-clear-psp-interrupt-status-register-befor.patch
 create mode 100644 queue-5.15/mailbox-zynq-switch-to-flexible-array-to-simplify-co.patch
 create mode 100644 queue-5.15/mailbox-zynqmp-fix-counts-of-child-nodes.patch
 create mode 100644 queue-5.15/ring-buffer-ensure-proper-resetting-of-atomic-variab.patch
 create mode 100644 queue-5.15/series
 create mode 100644 queue-5.15/ubifs-fix-aa-deadlock-when-setting-xattr-for-encrypt.patch
 create mode 100644 queue-5.15/ubifs-fix-memory-leak-in-do_rename.patch
diff --git a/queue-5.15/bus-mhi-host-range-check-chdboff-and-erdboff.patch b/queue-5.15/bus-mhi-host-range-check-chdboff-and-erdboff.patch
new file mode 100644
index 00000000000..d4a1b5233e0
--- /dev/null
+++ b/queue-5.15/bus-mhi-host-range-check-chdboff-and-erdboff.patch 
@@ -0,0 +1,59 @@
+From 1ad27815ed3f303714d0a1d7fb940c59ad5d4397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 24 Mar 2023 10:13:04 -0600
+Subject: bus: mhi: host: Range check CHDBOFF and ERDBOFF
+
+From: Jeffrey Hugo
+
+[ Upstream commit 6a0c637bfee69a74c104468544d9f2a6579626d0 ]
+
+If the value read from the CHDBOFF and ERDBOFF registers is outside the
+range of the MHI register space then an invalid address might be computed
+which later causes a kernel panic. Range check the read value to prevent
+a crash due to bad data from the device.
+
+Fixes: 6cd330ae76ff ("bus: mhi: core: Add support for ringing channel/event ring doorbells")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeffrey Hugo
+Reviewed-by: Pranjal Ramajor Asha Kanojiya
+Reviewed-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/1679674384-27209-1-git-send-email-quic_jhugo@quicinc.com
+Signed-off-by: Manivannan Sadhasivam
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/mhi/host/init.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c
+index d8787aaa176ba..829d4fca7ddc9 100644
+--- a/drivers/bus/mhi/host/init.c
++++ b/drivers/bus/mhi/host/init.c
+@@ -517,6 +517,12 @@ int mhi_init_mmio(struct mhi_controller *mhi_cntrl)
+ return -EIO;
+ }
+
++ if (val >= mhi_cntrl->reg_len - (8 * MHI_DEV_WAKE_DB)) {
++ dev_err(dev, "CHDB offset: 0x%x is out of range: 0x%zx\n",
++ val, mhi_cntrl->reg_len - (8 * MHI_DEV_WAKE_DB));
++ return -ERANGE;
++ }
++
+ /* Setup wake db */
+ mhi_cntrl->wake_db = base + val + (8 * MHI_DEV_WAKE_DB);
+ mhi_cntrl->wake_set = false;
+@@ -534,6 +540,12 @@ int mhi_init_mmio(struct mhi_controller *mhi_cntrl)
+ return -EIO;
+ }
+
++ if (val >= mhi_cntrl->reg_len - (8 * mhi_cntrl->total_ev_rings)) {
++ dev_err(dev, "ERDB offset: 0x%x is out of range: 0x%zx\n",
++ val, mhi_cntrl->reg_len - (8 * mhi_cntrl->total_ev_rings));
++ return -ERANGE;
++ }
++
+ /* Setup event db address for each ev_ring */
+ mhi_event = mhi_cntrl->mhi_event;
+ for (i = 0; i < mhi_cntrl->total_ev_rings; i++, val += 8, mhi_event++) {
+--
+2.39.2
+
diff --git a/queue-5.15/bus-mhi-host-remove-duplicate-ee-check-for-syserr.patch b/queue-5.15/bus-mhi-host-remove-duplicate-ee-check-for-syserr.patch
new file mode 100644
index 00000000000..4ac11b3025f
--- /dev/null
+++ b/queue-5.15/bus-mhi-host-remove-duplicate-ee-check-for-syserr.patch
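Review bot: Both new bounds in mhi_init_mmio() are computed by unsigned subtraction, so a register window smaller than the subtrahend turns the limit into a huge value and the check then passes for any offset the device reports. The `%zx` format suggests `reg_len` is a `size_t`; if so, `mhi_cntrl->reg_len - (8 * MHI_DEV_WAKE_DB)` and `mhi_cntrl->reg_len - (8 * mhi_cntrl->total_ev_rings)` wrap whenever `reg_len` is the smaller operand. Testing the subtraction first, e.g. `if (mhi_cntrl->reg_len < 8 * MHI_DEV_WAKE_DB || val >= mhi_cntrl->reg_len - 8 * MHI_DEV_WAKE_DB)`, keeps the check meaningful for a misconfigured controller, and the ERDB check needs the same guard. The CHDB bound also appears not to reserve room for the wake doorbell itself (assuming 8 bytes per doorbell, as the stride implies), so the last few accepted offsets may still place part of it past `reg_len`. The function body continues outside both inner hunks.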
@@ -0,0 +1,50 @@
+From 3d612ebd5ab4e12d219dab2b168be344a0f01f67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Apr 2023 09:58:11 -0600
+Subject: bus: mhi: host: Remove duplicate ee check for syserr
+
+From: Jeffrey Hugo
+
+[ Upstream commit d469d9448a0f1a33c175d3280b1542fa0158ad7a ]
+
+If we detect a system error via intvec, we only process the syserr if the
+current ee is different than the last observed ee. The reason for this
+check is to prevent bhie from running multiple times, but with the single
+queue handling syserr, that is not possible.
+
+The check can cause an issue with device recovery. If PBL loads a bad SBL
+via BHI, but that SBL hangs before notifying the host of an ee change,
+then issuing soc_reset to crash the device and retry (after supplying a
+fixed SBL) will not recover the device as the host will observe a PBL->PBL
+transition and not process the syserr. The device will be stuck until
+either the driver is reloaded, or the host is rebooted. Instead, remove
+the check so that we can attempt to recover the device.
+
+Fixes: ef2126c4e2ea ("bus: mhi: core: Process execution environment changes serially")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeffrey Hugo
+Reviewed-by: Carl Vanderlip
+Reviewed-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/1681142292-27571-2-git-send-email-quic_jhugo@quicinc.com
+Signed-off-by: Manivannan Sadhasivam
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/mhi/host/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bus/mhi/host/main.c b/drivers/bus/mhi/host/main.c
+index 9a94b8d66f575..6b36689999427 100644
+--- a/drivers/bus/mhi/host/main.c
++++ b/drivers/bus/mhi/host/main.c
+@@ -489,7 +489,7 @@ irqreturn_t mhi_intvec_threaded_handler(int irq_number, void *priv)
+ }
+ write_unlock_irq(&mhi_cntrl->pm_lock);
+
+- if (pm_state != MHI_PM_SYS_ERR_DETECT || ee == mhi_cntrl->ee)
++ if (pm_state != MHI_PM_SYS_ERR_DETECT)
+ goto exit_intvec;
+
+ switch (ee) {
+--
+2.39.2
+
diff --git a/queue-5.15/bus-mhi-host-use-mhi_tryset_pm_state-for-setting-fw-.patch b/queue-5.15/bus-mhi-host-use-mhi_tryset_pm_state-for-setting-fw-.patch
new file mode 100644
index 00000000000..cfec4e646d3
--- /dev/null
+++ b/queue-5.15/bus-mhi-host-use-mhi_tryset_pm_state-for-setting-fw-.patch
@@ -0,0 +1,85 @@
+From b89a366f582d97e962cd46365bb2c66cdaaf3bcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 10 Apr 2023 09:58:12 -0600
+Subject: bus: mhi: host: Use mhi_tryset_pm_state() for setting fw error state
+
+From: Jeffrey Hugo
+
+[ Upstream commit 1d1493bdc25f498468a606a4ece947d155cfa3a9 ]
+
+If firmware loading fails, the controller's pm_state is updated to
+MHI_PM_FW_DL_ERR unconditionally. This can corrupt the pm_state as the
+update is not done under the proper lock, and also does not validate
+the state transition. The firmware loading can fail due to a detected
+syserr, but if MHI_PM_FW_DL_ERR is unconditionally set as the pm_state,
+the handling of the syserr can break when it attempts to transition from
+syserr detect, to syserr process.
+
+By grabbing the lock, we ensure we don't race with some other pm_state
+update. By using mhi_try_set_pm_state(), we check that the transition
+to MHI_PM_FW_DL_ERR is valid via the state machine logic. If it is not
+valid, then some other transition is occurring like syserr processing, and
+we assume that will resolve the firmware loading error.
+
+Fixes: 12e050c77be0 ("bus: mhi: core: Move to an error state on any firmware load failure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeffrey Hugo
+Reviewed-by: Carl Vanderlip
+Reviewed-by: Manivannan Sadhasivam
+Link: https://lore.kernel.org/r/1681142292-27571-3-git-send-email-quic_jhugo@quicinc.com
+Signed-off-by: Manivannan Sadhasivam
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/mhi/host/boot.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bus/mhi/host/boot.c b/drivers/bus/mhi/host/boot.c
+index 0a972620a4030..c9dfb1a48ad6d 100644
+--- a/drivers/bus/mhi/host/boot.c
++++ b/drivers/bus/mhi/host/boot.c
+@@ -390,6 +390,7 @@ void mhi_fw_load_handler(struct mhi_controller *mhi_cntrl)
+ {
+ const struct firmware *firmware = NULL;
+ struct device *dev = &mhi_cntrl->mhi_dev->dev;
++ enum mhi_pm_state new_state;
+ const char *fw_name;
+ void *buf;
+ dma_addr_t dma_addr;
+@@ -507,14 +508,18 @@ void mhi_fw_load_handler(struct mhi_controller *mhi_cntrl)
+ }
+
+ error_fw_load:
+- mhi_cntrl->pm_state = MHI_PM_FW_DL_ERR;
+- wake_up_all(&mhi_cntrl->state_event);
++ write_lock_irq(&mhi_cntrl->pm_lock);
++ new_state = mhi_tryset_pm_state(mhi_cntrl, MHI_PM_FW_DL_ERR);
++ write_unlock_irq(&mhi_cntrl->pm_lock);
++ if (new_state == MHI_PM_FW_DL_ERR)
++ wake_up_all(&mhi_cntrl->state_event);
+ }
+
+ int mhi_download_amss_image(struct mhi_controller *mhi_cntrl)
+ {
+ struct image_info *image_info = mhi_cntrl->fbc_image;
+ struct device *dev = &mhi_cntrl->mhi_dev->dev;
++ enum mhi_pm_state new_state;
+ int ret;
+
+ if (!image_info)
+@@ -525,8 +530,11 @@ int mhi_download_amss_image(struct mhi_controller *mhi_cntrl)
+ &image_info->mhi_buf[image_info->entries - 1]);
+ if (ret) {
+ dev_err(dev, "MHI did not load AMSS, ret:%d\n", ret);
+- mhi_cntrl->pm_state = MHI_PM_FW_DL_ERR;
+- wake_up_all(&mhi_cntrl->state_event);
++ write_lock_irq(&mhi_cntrl->pm_lock);
++ new_state = mhi_tryset_pm_state(mhi_cntrl, MHI_PM_FW_DL_ERR);
++ write_unlock_irq(&mhi_cntrl->pm_lock);
++ if (new_state == MHI_PM_FW_DL_ERR)
++ wake_up_all(&mhi_cntrl->state_event);
+ }
+
+ return ret;
+--
+2.39.2
+
diff --git a/queue-5.15/bus-mhi-move-host-mhi-code-to-host-directory.patch b/queue-5.15/bus-mhi-move-host-mhi-code-to-host-directory.patch
new file mode 100644
index 00000000000..d6fa31e5637
--- /dev/null
+++ b/queue-5.15/bus-mhi-move-host-mhi-code-to-host-directory.patch
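Review bot: Neither error path says what happens when mhi_tryset_pm_state() refuses the transition: the wake-up is skipped and nothing is logged, so a reader of `error_fw_load:` in mhi_fw_load_handler() or of the `if (ret)` branch in mhi_download_amss_image() cannot tell that this is deliberate. A short comment above the `if (new_state == MHI_PM_FW_DL_ERR)` test would carry over the reasoning from the commit message, e.g. `/* Transition refused: another state change (such as syserr handling) is in flight and owns recovery */`. The same lock/tryset/unlock/wake sequence is now duplicated in both functions and could become one small static helper, so the two paths cannot drift apart. Both function bodies extend beyond the inner hunks shown.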
@@ -0,0 +1,189 @@ +From 15961ecfb1f212e55861e0584c1c45508293890c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Mar 2022 21:33:02 +0530 +Subject: bus: mhi: Move host MHI code to "host" directory + +From: Manivannan Sadhasivam + +[ Upstream commit a0f5a630668cb8b2ebf5204f08e957875e991780 ] + +In preparation of the endpoint MHI support, let's move the host MHI code +to its own "host" directory and adjust the toplevel MHI Kconfig & Makefile. + +While at it, let's also move the "pci_generic" driver to "host" directory +as it is a host MHI controller driver. + +Reviewed-by: Hemant Kumar +Reviewed-by: Alex Elder +Signed-off-by: Manivannan Sadhasivam +Link: https://lore.kernel.org/r/20220301160308.107452-5-manivannan.sadhasivam@linaro.org +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: d469d9448a0f ("bus: mhi: host: Remove duplicate ee check for syserr") +Signed-off-by: Sasha Levin +--- + drivers/bus/Makefile | 2 +- + drivers/bus/mhi/Kconfig | 27 ++------------------ + drivers/bus/mhi/Makefile | 8 ++---- + drivers/bus/mhi/host/Kconfig | 31 +++++++++++++++++++++++ + drivers/bus/mhi/{core => host}/Makefile | 4 ++- + drivers/bus/mhi/{core => host}/boot.c | 0 + drivers/bus/mhi/{core => host}/debugfs.c | 0 + drivers/bus/mhi/{core => host}/init.c | 0 + drivers/bus/mhi/{core => host}/internal.h | 0 + drivers/bus/mhi/{core => host}/main.c | 0 + drivers/bus/mhi/{ => host}/pci_generic.c | 0 + drivers/bus/mhi/{core => host}/pm.c | 0 + 12 files changed, 39 insertions(+), 33 deletions(-) + create mode 100644 drivers/bus/mhi/host/Kconfig + rename drivers/bus/mhi/{core => host}/Makefile (54%) + rename drivers/bus/mhi/{core => host}/boot.c (100%) + rename drivers/bus/mhi/{core => host}/debugfs.c (100%) + rename drivers/bus/mhi/{core => host}/init.c (100%) + rename drivers/bus/mhi/{core => host}/internal.h (100%) + rename drivers/bus/mhi/{core => host}/main.c (100%) + rename drivers/bus/mhi/{ => host}/pci_generic.c (100%) + rename drivers/bus/mhi/{core => host}/pm.c (100%) + 
+diff --git a/drivers/bus/Makefile b/drivers/bus/Makefile +index 52c2f35a26a99..16da51130d1a1 100644 +--- a/drivers/bus/Makefile ++++ b/drivers/bus/Makefile +@@ -39,4 +39,4 @@ obj-$(CONFIG_VEXPRESS_CONFIG) += vexpress-config.o + obj-$(CONFIG_DA8XX_MSTPRI) += da8xx-mstpri.o + + # MHI +-obj-$(CONFIG_MHI_BUS) += mhi/ ++obj-y += mhi/ +diff --git a/drivers/bus/mhi/Kconfig b/drivers/bus/mhi/Kconfig +index da5cd0c9fc620..4748df7f9cd58 100644 +--- a/drivers/bus/mhi/Kconfig ++++ b/drivers/bus/mhi/Kconfig +@@ -2,30 +2,7 @@ + # + # MHI bus + # +-# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved. ++# Copyright (c) 2021, Linaro Ltd. + # + +-config MHI_BUS +- tristate "Modem Host Interface (MHI) bus" +- help +- Bus driver for MHI protocol. Modem Host Interface (MHI) is a +- communication protocol used by the host processors to control +- and communicate with modem devices over a high speed peripheral +- bus or shared memory. +- +-config MHI_BUS_DEBUG +- bool "Debugfs support for the MHI bus" +- depends on MHI_BUS && DEBUG_FS +- help +- Enable debugfs support for use with the MHI transport. Allows +- reading and/or modifying some values within the MHI controller +- for debug and test purposes. +- +-config MHI_BUS_PCI_GENERIC +- tristate "MHI PCI controller driver" +- depends on MHI_BUS +- depends on PCI +- help +- This driver provides MHI PCI controller driver for devices such as +- Qualcomm SDX55 based PCIe modems. 
+- ++source "drivers/bus/mhi/host/Kconfig" +diff --git a/drivers/bus/mhi/Makefile b/drivers/bus/mhi/Makefile +index 0a2d778d6fb42..5f5708a249f54 100644 +--- a/drivers/bus/mhi/Makefile ++++ b/drivers/bus/mhi/Makefile +@@ -1,6 +1,2 @@ +-# core layer +-obj-y += core/ +- +-obj-$(CONFIG_MHI_BUS_PCI_GENERIC) += mhi_pci_generic.o +-mhi_pci_generic-y += pci_generic.o +- ++# Host MHI stack ++obj-y += host/ +diff --git a/drivers/bus/mhi/host/Kconfig b/drivers/bus/mhi/host/Kconfig +new file mode 100644 +index 0000000000000..da5cd0c9fc620 +--- /dev/null ++++ b/drivers/bus/mhi/host/Kconfig +@@ -0,0 +1,31 @@ ++# SPDX-License-Identifier: GPL-2.0 ++# ++# MHI bus ++# ++# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved. ++# ++ ++config MHI_BUS ++ tristate "Modem Host Interface (MHI) bus" ++ help ++ Bus driver for MHI protocol. Modem Host Interface (MHI) is a ++ communication protocol used by the host processors to control ++ and communicate with modem devices over a high speed peripheral ++ bus or shared memory. ++ ++config MHI_BUS_DEBUG ++ bool "Debugfs support for the MHI bus" ++ depends on MHI_BUS && DEBUG_FS ++ help ++ Enable debugfs support for use with the MHI transport. Allows ++ reading and/or modifying some values within the MHI controller ++ for debug and test purposes. ++ ++config MHI_BUS_PCI_GENERIC ++ tristate "MHI PCI controller driver" ++ depends on MHI_BUS ++ depends on PCI ++ help ++ This driver provides MHI PCI controller driver for devices such as ++ Qualcomm SDX55 based PCIe modems. 
++ +diff --git a/drivers/bus/mhi/core/Makefile b/drivers/bus/mhi/host/Makefile +similarity index 54% +rename from drivers/bus/mhi/core/Makefile +rename to drivers/bus/mhi/host/Makefile +index c3feb4130aa37..859c2f38451c6 100644 +--- a/drivers/bus/mhi/core/Makefile ++++ b/drivers/bus/mhi/host/Makefile +@@ -1,4 +1,6 @@ + obj-$(CONFIG_MHI_BUS) += mhi.o +- + mhi-y := init.o main.o pm.o boot.o + mhi-$(CONFIG_MHI_BUS_DEBUG) += debugfs.o ++ ++obj-$(CONFIG_MHI_BUS_PCI_GENERIC) += mhi_pci_generic.o ++mhi_pci_generic-y += pci_generic.o +diff --git a/drivers/bus/mhi/core/boot.c b/drivers/bus/mhi/host/boot.c +similarity index 100% +rename from drivers/bus/mhi/core/boot.c +rename to drivers/bus/mhi/host/boot.c +diff --git a/drivers/bus/mhi/core/debugfs.c b/drivers/bus/mhi/host/debugfs.c +similarity index 100% +rename from drivers/bus/mhi/core/debugfs.c +rename to drivers/bus/mhi/host/debugfs.c +diff --git a/drivers/bus/mhi/core/init.c b/drivers/bus/mhi/host/init.c +similarity index 100% +rename from drivers/bus/mhi/core/init.c +rename to drivers/bus/mhi/host/init.c +diff --git a/drivers/bus/mhi/core/internal.h b/drivers/bus/mhi/host/internal.h +similarity index 100% +rename from drivers/bus/mhi/core/internal.h +rename to drivers/bus/mhi/host/internal.h +diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/host/main.c +similarity index 100% +rename from drivers/bus/mhi/core/main.c +rename to drivers/bus/mhi/host/main.c +diff --git a/drivers/bus/mhi/pci_generic.c b/drivers/bus/mhi/host/pci_generic.c +similarity index 100% +rename from drivers/bus/mhi/pci_generic.c +rename to drivers/bus/mhi/host/pci_generic.c +diff --git a/drivers/bus/mhi/core/pm.c b/drivers/bus/mhi/host/pm.c +similarity index 100% +rename from drivers/bus/mhi/core/pm.c +rename to drivers/bus/mhi/host/pm.c +-- +2.39.2 + 
diff --git a/queue-5.15/crypto-ccp-clear-psp-interrupt-status-register-befor.patch b/queue-5.15/crypto-ccp-clear-psp-interrupt-status-register-befor.patch
new file mode 100644
index 00000000000..83c730f29a9
--- /dev/null
+++ b/queue-5.15/crypto-ccp-clear-psp-interrupt-status-register-befor.patch
@@ -0,0 +1,74 @@
+From c5d3e5d2ac7c888140a35baac37ccfa06f2e0799 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Mar 2023 15:16:36 +0000
+Subject: crypto: ccp - Clear PSP interrupt status register before calling
+ handler
+
+From: Jeremi Piotrowski
+
+[ Upstream commit 45121ad4a1750ca47ce3f32bd434bdb0cdbf0043 ]
+
+The PSP IRQ is edge-triggered (MSI or MSI-X) in all cases supported by
+the psp module so clear the interrupt status register early in the
+handler to prevent missed interrupts. sev_irq_handler() calls wake_up()
+on a wait queue, which can result in a new command being submitted from
+a different CPU. This then races with the clearing of isr and can result
+in missed interrupts. A missed interrupt results in a command waiting
+until it times out, which results in the psp being declared dead.
+
+This is unlikely on bare metal, but has been observed when running
+virtualized. In the cases where this is observed, sev->cmdresp_reg has
+PSP_CMDRESP_RESP set which indicates that the command was processed
+correctly but no interrupt was asserted.
+
+The full sequence of events looks like this:
+
+CPU 1: submits SEV cmd #1
+CPU 1: calls wait_event_timeout()
+CPU 0: enters psp_irq_handler()
+CPU 0: calls sev_handler()->wake_up()
+CPU 1: wakes up; finishes processing cmd #1
+CPU 1: submits SEV cmd #2
+CPU 1: calls wait_event_timeout()
+PSP: finishes processing cmd #2; interrupt status is still set; no interrupt
+CPU 0: clears intsts
+CPU 0: exits psp_irq_handler()
+CPU 1: wait_event_timeout() times out; psp_dead=true
+
+Fixes: 200664d5237f ("crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jeremi Piotrowski
+Acked-by: Tom Lendacky
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+---
+ drivers/crypto/ccp/psp-dev.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/ccp/psp-dev.c b/drivers/crypto/ccp/psp-dev.c
+index ae7b445999144..4bf9eaab4456f 100644
+--- a/drivers/crypto/ccp/psp-dev.c
++++ b/drivers/crypto/ccp/psp-dev.c
+@@ -42,6 +42,9 @@ static irqreturn_t psp_irq_handler(int irq, void *data)
+ /* Read the interrupt status: */
+ status = ioread32(psp->io_regs + psp->vdata->intsts_reg);
+
++ /* Clear the interrupt status by writing the same value we read. */
++ iowrite32(status, psp->io_regs + psp->vdata->intsts_reg);
++
+ /* invoke subdevice interrupt handlers */
+ if (status) {
+ if (psp->sev_irq_handler)
+@@ -51,9 +54,6 @@ static irqreturn_t psp_irq_handler(int irq, void *data)
+ psp->tee_irq_handler(irq, psp->tee_irq_data, status);
+ }
+
+- /* Clear the interrupt status by writing the same value we read. */
+- iowrite32(status, psp->io_regs + psp->vdata->intsts_reg);
+-
+ return IRQ_HANDLED;
+ }
+
+--
+2.39.2
+
diff --git a/queue-5.15/mailbox-zynq-switch-to-flexible-array-to-simplify-co.patch b/queue-5.15/mailbox-zynq-switch-to-flexible-array-to-simplify-co.patch
new file mode 100644
index 00000000000..623d51b64a0
--- /dev/null
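Review bot: The moved comment in psp_irq_handler() still describes only what the write does, not why it must come before the sub-device handlers, and that ordering is the entire fix. Wording such as `/* Ack before calling handlers: the IRQ is edge-triggered, and a handler's wake_up() can let another CPU submit a command whose completion a later ack would erase. */` would keep a later cleanup from moving the clear back to the end of the function. Without it, the failure the commit message describes (a command timing out and the PSP being declared dead) is easy to reintroduce. The start of the function is outside the inner hunk.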
+++ b/queue-5.15/mailbox-zynq-switch-to-flexible-array-to-simplify-co.patch
@@ -0,0 +1,56 @@
+From 00000fdcb880b13a3d502bca613d306e8447f58d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 20 Nov 2022 09:25:54 +0100
+Subject: mailbox: zynq: Switch to flexible array to simplify code
+
+From: Christophe JAILLET
+
+[ Upstream commit 043f85ce81cb1714e14d31c322c5646513dde3fb ]
+
+Using flexible array is more straight forward. It
+ - saves 1 pointer in the 'zynqmp_ipi_pdata' structure
+ - saves an indirection when using this array
+ - saves some LoC and avoids some always spurious pointer arithmetic
+
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Jassi Brar
+Stable-dep-of: f72f805e7288 ("mailbox: zynqmp: Fix counts of child nodes")
+Signed-off-by: Sasha Levin
+---
+ drivers/mailbox/zynqmp-ipi-mailbox.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
+index 05e36229622e3..136a84ad871cc 100644
+--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
++++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
+@@ -110,7 +110,7 @@ struct zynqmp_ipi_pdata {
+ unsigned int method;
+ u32 local_id;
+ int num_mboxes;
+- struct zynqmp_ipi_mbox *ipi_mboxes;
++ struct zynqmp_ipi_mbox ipi_mboxes[];
+ };
+
+ static struct device_driver zynqmp_ipi_mbox_driver = {
+@@ -635,7 +635,7 @@ static int zynqmp_ipi_probe(struct platform_device *pdev)
+ int num_mboxes, ret = -EINVAL;
+
+ num_mboxes = of_get_child_count(np);
+- pdata = devm_kzalloc(dev, sizeof(*pdata) + (num_mboxes * sizeof(*mbox)),
++ pdata = devm_kzalloc(dev, struct_size(pdata, ipi_mboxes, num_mboxes),
+ GFP_KERNEL);
+ if (!pdata)
+ return -ENOMEM;
+@@ -649,8 +649,6 @@ static int zynqmp_ipi_probe(struct platform_device *pdev)
+ }
+
+ pdata->num_mboxes = num_mboxes;
+- pdata->ipi_mboxes = (struct zynqmp_ipi_mbox *)
+- ((char *)pdata + sizeof(*pdata));
+
+ mbox = pdata->ipi_mboxes;
+ for_each_available_child_of_node(np, nc) {
+--
+2.39.2
+
diff --git a/queue-5.15/mailbox-zynqmp-fix-counts-of-child-nodes.patch b/queue-5.15/mailbox-zynqmp-fix-counts-of-child-nodes.patch
new file mode 100644
index 00000000000..90cdbc17d0a
--- /dev/null
+++ b/queue-5.15/mailbox-zynqmp-fix-counts-of-child-nodes.patch
@@ -0,0 +1,45 @@
+From 678ff34519fd2c1595a777ab64fdbd1c37bac020 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Mar 2023 17:24:04 -0800
+Subject: mailbox: zynqmp: Fix counts of child nodes
+
+From: Tanmay Shah
+
+[ Upstream commit f72f805e72882c361e2a612c64a6e549f3da7152 ]
+
+If child mailbox node status is disabled it causes
+crash in interrupt handler. Fix this by assigning
+only available child node during driver probe.
+
+Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller")
+Signed-off-by: Tanmay Shah
+Acked-by: Michal Simek
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230311012407.1292118-2-tanmay.shah@amd.com
+Signed-off-by: Mathieu Poirier
+Signed-off-by: Sasha Levin
+---
+ drivers/mailbox/zynqmp-ipi-mailbox.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
+index 136a84ad871cc..be06de791c544 100644
+--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
++++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
+@@ -634,7 +634,12 @@ static int zynqmp_ipi_probe(struct platform_device *pdev)
+ struct zynqmp_ipi_mbox *mbox;
+ int num_mboxes, ret = -EINVAL;
+
+- num_mboxes = of_get_child_count(np);
++ num_mboxes = of_get_available_child_count(np);
++ if (num_mboxes == 0) {
++ dev_err(dev, "mailbox nodes not available\n");
++ return -EINVAL;
++ }
++
+ pdata = devm_kzalloc(dev, struct_size(pdata, ipi_mboxes, num_mboxes),
+ GFP_KERNEL);
+ if (!pdata)
+--
+2.39.2
+
diff --git a/queue-5.15/ring-buffer-ensure-proper-resetting-of-atomic-variab.patch b/queue-5.15/ring-buffer-ensure-proper-resetting-of-atomic-variab.patch
new file mode 100644
index 00000000000..1feedeffbda
--- /dev/null
+++ b/queue-5.15/ring-buffer-ensure-proper-resetting-of-atomic-variab.patch
@@ -0,0 +1,87 @@
+From 0d391618e4423c240f8fbe6f754a39047a942fa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 26 Apr 2023 14:20:23 +0800
+Subject: ring-buffer: Ensure proper resetting of atomic variables in
+ ring_buffer_reset_online_cpus
+
+From: Tze-nan Wu
+
+[ Upstream commit 7c339fb4d8577792378136c15fde773cfb863cb8 ]
+
+In ring_buffer_reset_online_cpus, the buffer_size_kb write operation
+may permanently fail if the cpu_online_mask changes between two
+for_each_online_buffer_cpu loops. The number of increases and decreases
+on both cpu_buffer->resize_disabled and cpu_buffer->record_disabled may be
+inconsistent, causing some CPUs to have non-zero values for these atomic
+variables after the function returns.
+
+This issue can be reproduced by "echo 0 > trace" while hotplugging cpu.
+After reproducing success, we can find out buffer_size_kb will not be
+functional anymore.
+
+To prevent leaving 'resize_disabled' and 'record_disabled' non-zero after
+ring_buffer_reset_online_cpus returns, we ensure that each atomic variable
+has been set up before atomic_sub() to it.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230426062027.17451-1-Tze-nan.Wu@mediatek.com
+
+Cc: stable@vger.kernel.org
+Cc:
+Cc: npiggin@gmail.com
+Fixes: b23d7a5f4a07 ("ring-buffer: speed up buffer resets by avoiding synchronize_rcu for each CPU")
+Reviewed-by: Cheng-Jui Wang
+Signed-off-by: Tze-nan Wu
+Signed-off-by: Steven Rostedt (Google)
+Signed-off-by: Sasha Levin
+---
+ kernel/trace/ring_buffer.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
+index bacd1f87f941b..83046c6443f1c 100644
+--- a/kernel/trace/ring_buffer.c
++++ b/kernel/trace/ring_buffer.c
+@@ -5295,6 +5295,9 @@ void ring_buffer_reset_cpu(struct trace_buffer *buffer, int cpu)
+ }
+ EXPORT_SYMBOL_GPL(ring_buffer_reset_cpu);
+
++/* Flag to ensure proper resetting of atomic variables */
++#define RESET_BIT (1 << 30)
++
+ /**
+ * ring_buffer_reset_cpu - reset a ring buffer per CPU buffer
+ * @buffer: The ring buffer to reset a per cpu buffer of
+@@ -5311,20 +5314,27 @@ void ring_buffer_reset_online_cpus(struct trace_buffer *buffer)
+ for_each_online_buffer_cpu(buffer, cpu) {
+ cpu_buffer = buffer->buffers[cpu];
+
+- atomic_inc(&cpu_buffer->resize_disabled);
++ atomic_add(RESET_BIT, &cpu_buffer->resize_disabled);
+ atomic_inc(&cpu_buffer->record_disabled);
+ }
+
+ /* Make sure all commits have finished */
+ synchronize_rcu();
+
+- for_each_online_buffer_cpu(buffer, cpu) {
++ for_each_buffer_cpu(buffer, cpu) {
+ cpu_buffer = buffer->buffers[cpu];
+
++ /*
++ * If a CPU came online during the synchronize_rcu(), then
++ * ignore it.
++ */
++ if (!(atomic_read(&cpu_buffer->resize_disabled) & RESET_BIT))
++ continue;
++
+ reset_disabled_cpu_buffer(cpu_buffer);
+
+ atomic_dec(&cpu_buffer->record_disabled);
+- atomic_dec(&cpu_buffer->resize_disabled);
++ atomic_sub(RESET_BIT, &cpu_buffer->resize_disabled);
+ }
+
+ mutex_unlock(&buffer->mutex);
+--
+2.39.2
+
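Review bot: `RESET_BIT` is added into `resize_disabled`, which the removed lines treated as a plain counter via atomic_inc()/atomic_dec(), yet the one-line comment names neither the variable that carries the flag nor the constraint that the count must stay below bit 30. I would expand it to `/* Marker added to cpu_buffer->resize_disabled while a reset is pending; the disable count itself must never reach bit 30 */`. The second loop reads the bit with atomic_read() and only then calls atomic_sub(), which looks safe only if `buffer->mutex` is held across both loops; the `mutex_lock` is outside the inner hunk, so that is worth confirming. Separately, the kernel-doc in the context lines above ring_buffer_reset_online_cpus() still names `ring_buffer_reset_cpu`, and the new `#define` now sits between the previous function and that comment.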
diff --git a/queue-5.15/series b/queue-5.15/series
new file mode 100644
index 00000000000..1d3d93f66b7
--- /dev/null
+++ b/queue-5.15/series
@@ -0,0 +1,10 @@
+ring-buffer-ensure-proper-resetting-of-atomic-variab.patch
+crypto-ccp-clear-psp-interrupt-status-register-befor.patch
+ubifs-fix-aa-deadlock-when-setting-xattr-for-encrypt.patch
+ubifs-fix-memory-leak-in-do_rename.patch
+bus-mhi-move-host-mhi-code-to-host-directory.patch
+bus-mhi-host-remove-duplicate-ee-check-for-syserr.patch
+bus-mhi-host-use-mhi_tryset_pm_state-for-setting-fw-.patch
+bus-mhi-host-range-check-chdboff-and-erdboff.patch
+mailbox-zynq-switch-to-flexible-array-to-simplify-co.patch
+mailbox-zynqmp-fix-counts-of-child-nodes.patch
diff --git a/queue-5.15/ubifs-fix-aa-deadlock-when-setting-xattr-for-encrypt.patch b/queue-5.15/ubifs-fix-aa-deadlock-when-setting-xattr-for-encrypt.patch
new file mode 100644
index 00000000000..2bf6157f109
--- /dev/null
+++ b/queue-5.15/ubifs-fix-aa-deadlock-when-setting-xattr-for-encrypt.patch
@@ -0,0 +1,186 @@
+From 7ad175dc74363c996cc79fcfe13a191385b1a883 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Jul 2022 16:00:17 +0800
+Subject: ubifs: Fix AA deadlock when setting xattr for encrypted file
+
+From: Zhihao Cheng
+
+[ Upstream commit a0c51565730729f0df2ee886e34b4da6d359a10b ]
+
+Following process:
+vfs_setxattr(host)
+ ubifs_xattr_set
+ down_write(host_ui->xattr_sem) <- lock first time
+ create_xattr
+ ubifs_new_inode(host)
+ fscrypt_prepare_new_inode(host)
+ fscrypt_policy_to_inherit(host)
+ if (IS_ENCRYPTED(inode))
+ fscrypt_require_key(host)
+ fscrypt_get_encryption_info(host)
+ ubifs_xattr_get(host)
+ down_read(host_ui->xattr_sem) <- AA deadlock
+
+, which may trigger an AA deadlock problem:
+
+[ 102.620871] INFO: task setfattr:1599 blocked for more than 10 seconds.
+[ 102.625298] Not tainted 5.19.0-rc7-00001-gb666b6823ce0-dirty #711
+[ 102.628732] task:setfattr state:D stack: 0 pid: 1599
+[ 102.628749] Call Trace:
+[ 102.628753]
+[ 102.628776] __schedule+0x482/0x1060
+[ 102.629964] schedule+0x92/0x1a0
+[ 102.629976] rwsem_down_read_slowpath+0x287/0x8c0
+[ 102.629996] down_read+0x84/0x170
+[ 102.630585] ubifs_xattr_get+0xd1/0x370 [ubifs]
+[ 102.630730] ubifs_crypt_get_context+0x1f/0x30 [ubifs]
+[ 102.630791] fscrypt_get_encryption_info+0x7d/0x1c0
+[ 102.630810] fscrypt_policy_to_inherit+0x56/0xc0
+[ 102.630817] fscrypt_prepare_new_inode+0x35/0x160
+[ 102.630830] ubifs_new_inode+0xcc/0x4b0 [ubifs]
+[ 102.630873] ubifs_xattr_set+0x591/0x9f0 [ubifs]
+[ 102.630961] xattr_set+0x8c/0x3e0 [ubifs]
+[ 102.631003] __vfs_setxattr+0x71/0xc0
+[ 102.631026] vfs_setxattr+0x105/0x270
+[ 102.631034] do_setxattr+0x6d/0x110
+[ 102.631041] setxattr+0xa0/0xd0
+[ 102.631087] __x64_sys_setxattr+0x2f/0x40
+
+Fetch a reproducer in [Link].
+
+Just like ext4 does, which skips encrypting for inode with
+EXT4_EA_INODE_FL flag. Stop encypting xattr inode for ubifs.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=216260
+Fixes: f4e3634a3b64222 ("ubifs: Fix races between xattr_{set|get} ...")
+Fixes: d475a507457b5ca ("ubifs: Add skeleton for fscrypto")
+Signed-off-by: Zhihao Cheng
+Signed-off-by: Richard Weinberger
+Stable-dep-of: 3a36d20e0129 ("ubifs: Fix memory leak in do_rename")
+Signed-off-by: Sasha Levin
+---
+ fs/ubifs/dir.c | 25 ++++++++++++++-----------
+ fs/ubifs/ubifs.h | 2 +-
+ fs/ubifs/xattr.c | 2 +-
+ 3 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index 7717d23906dbe..005566bc6dc13 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -68,13 +68,14 @@ static int inherit_flags(const struct inode *dir, umode_t mode)
+ * @c: UBIFS file-system description object
+ * @dir: parent directory inode
+ * @mode: inode mode flags
++ * @is_xattr: whether the inode is xattr inode
+ *
+ * This function finds an unused inode number, allocates new inode and
+ * initializes it. Returns new inode in case of success and an error code in
+ * case of failure.
+ */
+ struct inode *ubifs_new_inode(struct ubifs_info *c, struct inode *dir,
+- umode_t mode)
++ umode_t mode, bool is_xattr)
+ {
+ int err;
+ struct inode *inode;
+@@ -99,10 +100,12 @@ struct inode *ubifs_new_inode(struct ubifs_info *c, struct inode *dir,
+ current_time(inode);
+ inode->i_mapping->nrpages = 0;
+
+- err = fscrypt_prepare_new_inode(dir, inode, &encrypted);
+- if (err) {
+- ubifs_err(c, "fscrypt_prepare_new_inode failed: %i", err);
+- goto out_iput;
++ if (!is_xattr) {
++ err = fscrypt_prepare_new_inode(dir, inode, &encrypted);
++ if (err) {
++ ubifs_err(c, "fscrypt_prepare_new_inode failed: %i", err);
++ goto out_iput;
++ }
+ }
+
+ switch (mode & S_IFMT) {
+@@ -309,7 +312,7 @@ static int ubifs_create(struct user_namespace *mnt_userns, struct inode *dir,
+
+ sz_change = CALC_DENT_SIZE(fname_len(&nm));
+
+- inode = ubifs_new_inode(c, dir, mode);
++ inode = ubifs_new_inode(c, dir, mode, false);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+ goto out_fname;
+@@ -370,7 +373,7 @@ static struct inode *create_whiteout(struct inode *dir, struct dentry *dentry)
+ if (err)
+ return ERR_PTR(err);
+
+- inode = ubifs_new_inode(c, dir, mode);
++ inode = ubifs_new_inode(c, dir, mode, false);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+ goto out_free;
+@@ -462,7 +465,7 @@ static int ubifs_tmpfile(struct user_namespace *mnt_userns, struct inode *dir,
+ return err;
+ }
+
+- inode = ubifs_new_inode(c, dir, mode);
++ inode = ubifs_new_inode(c, dir, mode, false);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+ goto out_budg;
+@@ -1005,7 +1008,7 @@ static int ubifs_mkdir(struct user_namespace *mnt_userns, struct inode *dir,
+
+ sz_change = CALC_DENT_SIZE(fname_len(&nm));
+
+- inode = ubifs_new_inode(c, dir, S_IFDIR | mode);
++ inode = ubifs_new_inode(c, dir, S_IFDIR | mode, false);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+ goto out_fname;
+@@ -1092,7 +1095,7 @@ static int ubifs_mknod(struct user_namespace *mnt_userns, struct inode *dir,
+
+ sz_change = CALC_DENT_SIZE(fname_len(&nm));
+
+- inode = ubifs_new_inode(c, dir, mode);
++ inode = ubifs_new_inode(c, dir, mode, false);
+ if (IS_ERR(inode)) {
+ kfree(dev);
+ err = PTR_ERR(inode);
+@@ -1174,7 +1177,7 @@ static int ubifs_symlink(struct user_namespace *mnt_userns, struct inode *dir,
+
+ sz_change = CALC_DENT_SIZE(fname_len(&nm));
+
+- inode = ubifs_new_inode(c, dir, S_IFLNK | S_IRWXUGO);
++ inode = ubifs_new_inode(c, dir, S_IFLNK | S_IRWXUGO, false);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+ goto out_fname;
+diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h
+index efbb4554a4a6f..398551bef5986 100644
+--- a/fs/ubifs/ubifs.h
++++ b/fs/ubifs/ubifs.h
+@@ -2002,7 +2002,7 @@ int ubifs_update_time(struct inode *inode, struct timespec64 *time, int flags);
+
+ /* dir.c */
+ struct inode *ubifs_new_inode(struct ubifs_info *c, struct inode *dir,
+- umode_t mode);
++ umode_t mode, bool is_xattr);
+ int ubifs_getattr(struct user_namespace *mnt_userns, const struct path *path, struct kstat *stat,
+ u32 request_mask, unsigned int flags);
+ int ubifs_check_dir_empty(struct inode *dir);
+diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c
+index e4f193eae4b2b..9ff2614bdeca0 100644
+--- a/fs/ubifs/xattr.c
++++ b/fs/ubifs/xattr.c
+@@ -110,7 +110,7 @@ static int create_xattr(struct ubifs_info *c, struct inode *host,
+ if (err)
+ return err;
+
+- inode = ubifs_new_inode(c, host, S_IFREG | S_IRWXUGO);
++ inode = ubifs_new_inode(c, host, S_IFREG | S_IRWXUGO, true);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+ goto out_budg;
+--
+2.39.2
+
diff --git a/queue-5.15/ubifs-fix-memory-leak-in-do_rename.patch b/queue-5.15/ubifs-fix-memory-leak-in-do_rename.patch
new file mode 100644
index 00000000000..31fced2655c
--- /dev/null
+++ b/queue-5.15/ubifs-fix-memory-leak-in-do_rename.patch
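Review bot: The new `@is_xattr` kernel-doc line on ubifs_new_inode() does not say what the flag changes, and the effect is security-relevant: when it is true, fscrypt_prepare_new_inode() is skipped, so the xattr inode gets no fscrypt setup from its host. I would word it as `@is_xattr: true for an xattr inode; fscrypt setup is skipped so the host's xattr_sem is not taken again, and the inode is not set up as encrypted`. If `encrypted` is read later in the function (not visible in the inner hunk), it now relies on its initialiser on this path, which is worth checking in the 5.15 tree. The function body extends beyond the hunk.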
@@ -0,0 +1,80 @@
+From 03ddd074a181f78e7e372eb645b6d3ffe2fb498e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 Mar 2023 16:40:59 +0200
+Subject: ubifs: Fix memory leak in do_rename
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: MÃ¥rten Lindahl
+
+[ Upstream commit 3a36d20e012903f45714df2731261fdefac900cb ]
+
+If renaming a file in an encrypted directory, function
+fscrypt_setup_filename allocates memory for a file name. This name is
+never used, and before returning to the caller the memory for it is not
+freed.
+
+When running kmemleak on it we see that it is registered as a leak. The
+report below is triggered by a simple program 'rename' that renames a
+file in an encrypted directory:
+
+ unreferenced object 0xffff888101502840 (size 32):
+ comm "rename", pid 9404, jiffies 4302582475 (age 435.735s)
+ backtrace:
+ __kmem_cache_alloc_node
+ __kmalloc
+ fscrypt_setup_filename
+ do_rename
+ ubifs_rename
+ vfs_rename
+ do_renameat2
+
+To fix this we can remove the call to fscrypt_setup_filename as it's not
+needed.
+
+Fixes: 278d9a243635f26 ("ubifs: Rename whiteout atomically")
+Reported-by: Zhihao Cheng
+Signed-off-by: MÃ¥rten Lindahl
+Reviewed-by: Zhihao Cheng
+Cc: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ fs/ubifs/dir.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
+index 005566bc6dc13..6a054df8b991d 100644
+--- a/fs/ubifs/dir.c
++++ b/fs/ubifs/dir.c
+@@ -358,7 +358,6 @@ static struct inode *create_whiteout(struct inode *dir, struct dentry *dentry)
+ umode_t mode = S_IFCHR | WHITEOUT_MODE;
+ struct inode *inode;
+ struct ubifs_info *c = dir->i_sb->s_fs_info;
+- struct fscrypt_name nm;
+
+ /*
+ * Create an inode('nlink = 1') for whiteout without updating journal,
+@@ -369,10 +368,6 @@ static struct inode *create_whiteout(struct inode *dir, struct dentry *dentry)
+ dbg_gen("dent '%pd', mode %#hx in dir ino %lu",
+ dentry, mode, dir->i_ino);
+
+- err = fscrypt_setup_filename(dir, &dentry->d_name, 0, &nm);
+- if (err)
+- return ERR_PTR(err);
+-
+ inode = ubifs_new_inode(c, dir, mode, false);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+@@ -395,7 +390,6 @@ static struct inode *create_whiteout(struct inode *dir, struct dentry *dentry)
+ make_bad_inode(inode);
+ iput(inode);
+ out_free:
+- fscrypt_free_filename(&nm);
+ ubifs_err(c, "cannot create whiteout file, error %d", err);
+ return ERR_PTR(err);
+ }
+--
+2.39.2
+
-- 2.47.3