From 179756d16045dc3812227354f3432c061f4403aa Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 14 Nov 2021 21:43:12 -0500 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- ...i-ac-quirk-gk45-to-skip-reading-_psr.patch | 96 ++ ...ept-charges-over-the-design-capacity.patch | 44 + ...ce-wakeup-power-reference-counting-e.patch | 44 + ...ix-sharing-of-wakeup-power-resources.patch | 168 ++++ ...rn-off-unused-wakeup-power-resources.patch | 67 ++ ...ntel_pmic_regs_handler-read-accesses.patch | 141 +++ ...dd-dmi-based-legacy-irq-override-qui.patch | 112 +++ ...dd-one-more-medion-model-in-irq-over.patch | 44 + ...e-pm-resources-blocked-by-unused-obj.patch | 99 ++ ...luating-methods-too-early-during-sys.patch | 130 +++ ...uce-udelay-at-skl-position-reporting.patch | 116 +++ ...da-use-position-buffer-for-skl-again.patch | 72 ++ ...tch-call-with-null-snd_dma_buffer-po.patch | 37 + ...nctional-regression-for-mackie-onyx-.patch | 106 ++ ...ix-possible-race-at-sync-of-urb-comp.patch | 101 ++ queue-5.15/apparmor-fix-error-check.patch | 60 ++ ...-fix-kernel-builds-for-compiler-test.patch | 49 + ...m-9136-1-armv7-m-uses-be-8-not-be-32.patch | 47 + ...kasan-work-around-lpae-build-warning.patch | 57 ++ ...t-rely-on-lr-register-for-stacktrace.patch | 46 + ...se850-the-emac-phy-interface-is-rmii.patch | 39 + ...-dts-bcm5301x-fix-memory-nodes-names.patch | 188 ++++ ...-omap3-gta04a4-accelerometer-irq-fix.patch | 36 + ...8974-add-xo_board-reference-clock-to.patch | 40 + ...x-av96-board-sai2-pin-muxing-on-stm3.patch | 65 ++ ...m32-fix-sai-sub-nodes-register-range.patch | 102 ++ ...x-stusb1600-type-c-irq-level-on-stm3.patch | 37 + ...duce-dhcor-spi-nor-frequency-to-50-m.patch | 48 + ...4xx-fix-return-value-check-for-s3c24.patch | 60 ++ ...reg-name-may-not-be-a-human-readable.patch | 68 ++ ...broadcom-bcm4908-fix-uart-clock-name.patch | 38 + ...g12a-fix-the-pwm-regulator-supply-pr.patch | 75 ++ ...g12b-fix-the-pwm-regulator-supply-pr.patch | 110 ++ ...sm1-add-ethernet-phy-reset-line-for-.patch | 50 + ...sm1-fix-the-pwm-regulator-supply-pro.patch | 92 ++ ...msm8916-fix-secondary-mi2s-bit-clock.patch | 65 ++ ...m8916-remove-wrong-reg-names-for-rtc.patch | 46 + ...mi8994-fix-eternal-external-typo-in-.patch | 41 + ...c7180-base-dynamic-cpu-power-coeffic.patch | 357 +++++++ ...c7280-fix-display-port-phy-reg-prope.patch | 50 + ...dm845-fix-qualcomm-crypto-engine-bus.patch | 37 + ...dm845-use-rpmh_ce_clk-macro-directly.patch | 52 + ...renesas-beacon-fix-ethernet-phy-mode.patch | 38 + ...ip-fix-gpu-register-width-for-rk3328.patch | 40 + ...64-dts-rockchip-fix-rk3568-mbi-alias.patch | 38 + ...chip-move-rk3568-dtsi-to-rk356x-dtsi.patch | 29 + ...00-main-fix-bus-range-upto-256-bus-n.patch | 41 + ...00-main-fix-vendor-id-device-id-prop.patch | 42 + ...j721e-main-fix-bus-range-upto-256-bu.patch | 68 ++ ...j721e-main-fix-max-virtual-functions.patch | 68 ++ ...-update-max_pfn-after-memory-hotplug.patch | 48 + ...ke-__pte_to_phys-__phys_to_pte_val-i.patch | 67 ++ ...press-error-message-for-make-mrprope.patch | 52 + ...lways-configure-both-asp-tx-channels.patch | 52 + ...rect-configuring-of-switch-inversion.patch | 85 ++ ...correct-some-register-default-values.patch | 45 + ...er-probe-if-request_threaded_irq-ret.patch | 43 + ...-error-handling-path-in-rsnd_node_co.patch | 39 + ...y-do-not-power-down-primary-core-dur.patch | 50 + ...x-stub-for-snd_soc_tplg_component_re.patch | 40 + ...-correct-version-to-initialize-class.patch | 40 + ...flop-remove-ataflop_probe_lock-mutex.patch | 144 +++ ...detector-fix-possible-null-pointer-d.patch | 53 + ...ays-treat-modem-stop-events-as-crash.patch | 200 ++++ .../ath10k-fix-max-antenna-gain-unit.patch | 86 ++ ...ng-frame-timestamp-for-beacon-probe-.patch | 44 + ...e-load-regression-with-iram-recovery.patch | 135 +++ ...high-latency-fixes-for-beacon-buffer.patch | 84 ++ ...missing-bh-locking-around-napi_schdu.patch | 71 ++ ...er-for-scan-event-wmi_scan_event_deq.patch | 54 + ...ss_chan_info-structure-with-firmware.patch | 73 ++ ...th11k-avoid-race-during-regd-updates.patch | 157 +++ ...-rules-update-during-firmware-recove.patch | 79 ++ ...a_from_device-to-dma_to_device-when-.patch | 54 + ...y-leak-in-ath11k_qmi_driver_event_wo.patch | 44 + ...t-drops-due-to-incorrect-6-ghz-freq-.patch | 85 ++ ...11k-fix-some-sleeping-in-atomic-bugs.patch | 93 ++ ...ntial-interrupt-storm-on-queue-reset.patch | 99 ++ ...y-ht16k33-connect-backlight-to-fbdev.patch | 107 ++ ...k33-fix-frame-buffer-device-blanking.patch | 59 ++ ...scii-lcd-fix-lock-up-when-displaying.patch | 53 + queue-5.15/b43-fix-a-lower-bounds-test.patch | 47 + .../b43legacy-fix-a-lower-bounds-test.patch | 47 + ...ronize-blkg-creation-against-policy-.patch | 160 +++ ...null-pointer-dereference-in-wb_timer.patch | 79 ++ ...d-registration-bool-before-calling-d.patch | 68 ++ ...x-breakage-introduced-at-blk-mq-refa.patch | 118 +++ ...taflop-more-blk-mq-refactoring-fixes.patch | 218 ++++ ...ovide-a-helper-for-cleanup-up-an-ata.patch | 88 ++ ...flop-use-the-blk_cleanup_disk-helper.patch | 46 + ...-plugged-deferred-size-from-16-to-32.patch | 84 ++ ..._add_disk-kobject_create_and_add-err.patch | 53 + ...lock-remove-inaccurate-requeue-check.patch | 40 + ...art-fix-a-memleak-in-mtk_hci_wmt_syn.patch | 68 ++ ...ll-sock_hold-earlier-in-sco_conn_del.patch | 47 + ...it-and-cleanup-of-sco_conn.timeout_w.patch | 66 ++ ...e-after-free-error-in-lock_sock_nest.patch | 139 +++ ...-fix-runtime-suspend-issues-on-rtl87.patch | 86 ++ ...luetooth-hci_uart-fix-gpf-in-h5_recv.patch | 46 + ...x-lock_sock-blockage-by-memcpy_from_.patch | 96 ++ ...vlink-allocation-and-registration-st.patch | 136 +++ ...e-after-free-problem-when-bond_sysfs.patch | 200 ++++ ...s-in-__bpf_prog_run-for-32bit-arches.patch | 219 ++++ ...ion-of-bounds-from-64-bit-min-max-in.patch | 69 ++ ...ion-of-signed-bounds-from-64-bit-min.patch | 40 + ...le-race-in-update_prog_stats-for-32b.patch | 47 + ...race-in-ingress-receive-verdict-with.patch | 191 ++++ ...ve-unhash-handler-for-bpf-sockmap-us.patch | 48 + ...kb-data_end-access-incorrect-when-sr.patch | 125 +++ ...arser-and-tls-are-reusing-qdisc_skb_.patch | 150 +++ ...s-fix-error-in-tail-call-limit-tests.patch | 120 +++ ...aking-the-json-writer-prepared-for-p.patch | 69 ++ ...-nvram-filename-quirk-for-cyberbook-.patch | 50 + ...ke-the-uuid_mutex-in-btrfs_rm_device.patch | 237 +++++ ...itialize-return-value-to-0-in-btrfs_.patch | 39 + ...ke-btrfs_submit_compressed_write-com.patch | 44 + ...timekeeping_suspended-warning-on-res.patch | 131 +++ ...n_fixup_bittiming-change-type-of-tse.patch | 38 + ...s58x_rx_err_msg-fix-memory-leak-in-e.patch | 63 ++ ...p251xfd_chip_start-fix-error-handlin.patch | 37 + ...always-free-wiphy-specific-regdomain.patch | 51 + ...ootcg-cpu.stat-guest-double-counting.patch | 39 + ...nd_subsystems-disable-v2-controllers.patch | 120 +++ ...mc-node-status-before-registering-sy.patch | 49 + ...-master-check-if-div-or-pres-is-zero.patch | 49 + ...-at91-clk-master-fix-prescaler-logic.patch | 39 + ...am9x60-pll-use-div_round_closest_ull.patch | 41 + ...-clk-fix-a-memory-leak-in-error-hand.patch | 78 ++ ...-drivers-timer-ti-dm-select-timer_of.patch | 49 + ...q-fix-parameter-in-parse_perf_domain.patch | 36 + ...tate-clear-hwp-desired-on-suspend-sh.patch | 94 ++ ...tate-fix-cpu-pstate.turbo_freq-initi.patch | 41 + ...ake-policy-min-max-hard-requirements.patch | 63 ++ ...-kobject-memory-leaks-in-error-paths.patch | 70 ++ ...sni-check-walk.nbytes-instead-of-err.patch | 43 + ...built-in-testing-dependency-failures.patch | 297 ++++++ ...ypto-caam-disable-pkc-for-non-e-socs.patch | 89 ++ ...oid-out-of-range-warnings-from-clang.patch | 52 + ...cc-fix-crypto_default_rng-dependency.patch | 50 + ...tx2-set-assoclen-in-aead_do_fallback.patch | 35 + ...to-pcrypt-delay-write-to-padata-info.patch | 85 ++ ...-qat-detect-pfvf-collision-after-ack.patch | 46 + ...t-disregard-spurious-pfvf-interrupts.patch | 75 ++ .../crypto-qat-power-up-4xxx-device.patch | 157 +++ ...do-not-change-section-of-ck-and-sbox.patch | 58 ++ ...x-skcipher-multi-buffer-tests-for-14.patch | 55 + ...-len-when-diagnostics-not-implemente.patch | 61 ++ ...dmabuf-release-with-pending-attachme.patch | 56 ++ ...ac-call-at_xdmac_axi_config-on-resum.patch | 110 ++ ...at_xdmac-fix-at_xdmac_cc_perid-macro.patch | 41 + ...ine_desc_callback_valid-check-for-ca.patch | 64 ++ ...ix-resource-leak-on-dmaengine-driver.patch | 45 + ...ove-out-percpu_ref_exit-to-ensure-it.patch | 60 ++ ...econfig-device-after-device-reset-co.patch | 38 + ...dma-avoid-64-bit-division-in-stm32_d.patch | 72 ++ ...dma-fix-burst-in-case-of-unaligned-m.patch | 66 ++ ...tm32-dma-fix-stm32_dma_get_max_width.patch | 46 + ...gra210-adma-fix-pm-runtime-unbalance.patch | 43 + ...ix-resource-free-ordering-on-driver-.patch | 130 +++ ...possible-memory-leak-in-device_link_.patch | 69 ++ ...dcn20_resource_construct-reduce-scop.patch | 111 +++ ...fix-null-pointer-deref-when-plugging.patch | 39 + ...fix-null-pointer-dereference-for-enc.patch | 57 ++ ...pass-display_pipe_params_st-as-const.patch | 715 +++++++++++++ ...-potential-memory-leak-in-amdgpu_dev.patch | 40 + ...crash-on-device-remove-driver-unload.patch | 382 +++++++ ...rm-amdgpu-fix-mmio-access-page-fault.patch | 94 ++ ...vd-crash-on-polaris12-during-driver-.patch | 69 ++ ...mdgpu-fix-warning-for-overflow-check.patch | 62 ++ ...gmc6-fix-dma-mask-from-44-to-40-bits.patch | 47 + ...amdgpu_virt_release_full_gpu-to-fini.patch | 55 + ...e-iommu_resume-before-ip-init-resume.patch | 39 + ...operly-handle-sclk-for-profiling-mod.patch | 173 ++++ ...play-fix-sysfs_emit-sysfs_emit_at-ha.patch | 307 ++++++ ...n-inappropriate-error-handling-in-al.patch | 38 + ...esume-error-when-iommu-disabled-in-p.patch | 38 + ...-resv-on-validation-to-avoid-deadloc.patch | 61 ++ ...25-propagate-errors-from-sp_tx_rst_a.patch | 70 ++ ...66121-fix-return-value-it66121_probe.patch | 64 ++ ...t66121-initialize-device-vendor-_ids.patch | 46 + ...21-wait-for-next-bridge-to-be-probed.patch | 42 + ...um-lt9611uxc-fix-provided-connector-.patch | 54 + ...wl-dsi-add-atomic_get_input_bus_fmts.patch | 88 ++ ...m-fb_helper-fix-config_fb-dependency.patch | 44 + ..._helper-improve-config_fb-dependency.patch | 50 + ...rounding-error-in-subsampled-plane-s.patch | 44 + ...ot-enable-irq-handler-before-powerin.patch | 168 ++++ ...m-dsi-fix-wrong-type-in-msm_dsi_host.patch | 112 +++ ...otential-null-dereference-in-cleanup.patch | 37 + ...tential-null-dereference-in-dpu-sspp.patch | 54 + ...potential-oops-in-a6xx_gmu_rpmh_init.patch | 56 ++ ...al-error-pointer-dereference-in-init.patch | 42 + ...null-dereference-in-msm_gpu_crashsta.patch | 54 + ...itialized-variable-in-msm_gem_import.patch | 52 + ...-unlock-on-error-in-get_sched_entity.patch | 35 + ...fix-refcount-leak-bug-and-missing-ch.patch | 60 ++ ...ation-quirks-add-quirk-for-kd-kurio-.patch | 42 + ...ation-quirks-add-quirk-for-the-samsu.patch | 54 + ...entation-quirks-add-valve-steam-deck.patch | 46 + ...ation-quirks-update-the-lenovo-ideap.patch | 59 ++ ...-fix-uninitialized-variable-referenc.patch | 46 + ...drm-ttm-remove-ttm_bo_vm_insert_huge.patch | 365 +++++++ ...-stop-calling-tt_swapin-in-vm_access.patch | 62 ++ ...ix-wait-for-tmu-write-combiner-flush.patch | 48 + ...dyndbg-make-dyndbg-a-known-cli-param.patch | 58 ++ ...-handle-three-rank-interleaving-mode.patch | 94 ++ ...rigger-warn-when-decompression-fails.patch | 42 + ...ool-msg-len-calculation-for-pause-st.patch | 74 ++ ...ase-pci-device-s-runtime-pm-ref-duri.patch | 114 +++ ...m-fix-error-retval-in-__qcom_scm_is_.patch | 45 + queue-5.15/fix-user-namespace-leak.patch | 33 + ...isk-assumption-on-exit-due-to-new-de.patch | 74 ++ ...ng-platform_device_unregister-on-inv.patch | 76 ++ queue-5.15/floppy-use-blk_cleanup_disk.patch | 43 + ...ped-strcpy-compile-time-write-overfl.patch | 42 + ...error-return-code-of-orangefs_revali.patch | 41 + ...-fix-idle-time-reporting-in-proc-upt.patch | 104 ++ ...256-bit-master-keys-with-aes-256-xts.patch | 214 ++++ ...u-checking-after-preemption-disabled.patch | 92 ++ ...el-remote-delete-work-asynchronously.patch | 61 ++ .../gfs2-fix-glock_hash_walk-bugs.patch | 87 ++ ...ealtek-otto-fix-gpio-line-irq-offset.patch | 37 + ...nerate-link-local-addr-if-addr_gen_m.patch | 44 + ...e-dqo-avoid-unused-variable-warnings.patch | 310 ++++++ ...gve-fix-off-by-one-in-gve_tx_timeout.patch | 37 + ...r-from-queue-stall-due-to-missed-irq.patch | 136 +++ ...-track-rx-buffer-allocation-failures.patch | 42 + ...ify-error-check-and-length-calculati.patch | 62 ++ ...erly-handle-timeouts-in-usb_submit_u.patch | 38 + ...le-memleak-in-__hwmon_device_registe.patch | 68 ++ ...066-let-compiler-determine-outer-dim.patch | 38 + ...k-force-runtime-pm-ops-for-sleep-ops.patch | 53 + ...-bus-rescan-mutex-to-protect-p2sb-ac.patch | 59 ++ ...fixing-the-incorrect-register-offset.patch | 39 + ...source-leak-in-the-error-handling-pa.patch | 51 + ...64_cmpxchg_debug-without-config_prin.patch | 53 + queue-5.15/ibmvnic-delay-complete.patch | 86 ++ .../ibmvnic-don-t-stop-queue-in-xmit.patch | 52 + ...ocess-crqs-after-enabling-interrupts.patch | 44 + ...e-fix-not-stopping-tx-queues-for-vfs.patch | 118 +++ ...g-vf-hardware-mac-to-existing-mac-fi.patch | 68 ++ ...ce-move-devlink-port-to-pf-vf-struct.patch | 306 ++++++ ...adis-do-not-disabe-irqs-in-adis_init.patch | 62 ++ ...ouble-free-in-iio_buffers_alloc_sysf.patch | 48 + ...spi-add-missing-entries-spi-to-devic.patch | 42 + ...isable-regulators-after-device-unreg.patch | 183 ++++ ...ck-when-traversing-ima_default_rules.patch | 143 +++ ...inet-remove-races-in-inet-6-_getname.patch | 167 ++++ ...n-command-line-param-message-clearer.patch | 53 + ...el-pwrbutton-add-spi-device-id-table.patch | 50 + ...t-st1232-increase-wait-ready-timeout.patch | 51 + ...rkers-not-correctly-set-on-multi-nod.patch | 74 ++ ...uplicate-code-in-io_workqueue_create.patch | 66 ++ .../iommu-dma-fix-arch_sync_dma-for-map.patch | 84 ++ ...correct-error-return-on-iommu-deferr.patch | 47 + .../iommu-dma-fix-sync_sg-with-swiotlb.patch | 89 ++ ...-fix-out-of-range-warning-with-clang.patch | 47 + ..._iter_get_pages-_alloc-page-fault-re.patch | 52 + ...sable-some-operations-during-a-panic.patch | 103 ++ ...-a-memory-leak-in-the-error-handling.patch | 46 + .../irq-mips-avoid-nested-irq_enter.patch | 52 + ...ange-all-jnp-to-no-160-configuration.patch | 48 + ...vm-disable-rx-diversity-in-powersave.patch | 39 + ...eset-pm-state-on-unsuccessful-resume.patch | 56 ++ ...pnvm-don-t-kmemdup-more-than-we-have.patch | 49 + ...vm-read-efi-data-only-if-long-enough.patch | 46 + queue-5.15/jfs-fix-memleak-in-jfs_mount.patch | 158 +++ ...dopt-scheduler-s-task-classification.patch | 404 ++++++++ ...-sched_fork-access-an-invalid-sched_.patch | 168 ++++ ...se-local-variable-when-creating-debu.patch | 60 ++ ...-add-missed-icmp.sh-test-to-makefile.patch | 39 + ...dd-missed-setup_loopback.sh-setup_ve.patch | 42 + ...kselftests-net-add-missed-srv6-tests.patch | 42 + ...dd-missed-toeplitz.sh-toeplitz_clien.patch | 42 + ...dd-missed-vrf_strict_mode_test.sh-te.patch | 38 + ...ts-sched-cleanup-the-child-processes.patch | 132 +++ ...ate-errors-from-__pkvm_prot_finalize.patch | 78 ++ ...-fix-handle_sske-page-fault-handling.patch | 46 + ...90-pv-avoid-double-free-of-sida-page.patch | 68 ++ ...avoid-stalls-for-kvm_s390_pv_init_vm.patch | 43 + ...x-nested-svm-tests-when-built-with-c.patch | 67 ++ ...sses-always-print-a-trailing-newline.patch | 44 + ...se-rcu-to-protect-the-led_cdevs-list.patch | 165 +++ ...rlapping-memcpy-with-invalid-input-w.patch | 91 ++ ...the-value-before-assigning-it-to-an-.patch | 51 + ...sh-on-object-files-with-no-symbol-ta.patch | 51 + ...libbpf-fix-btf-header-parsing-checks.patch | 54 + ...nness-detection-in-bpf_core_read_bit.patch | 40 + ...p_and_delete_elem_flags-error-report.patch | 47 + ...libbpf-fix-memory-leak-in-btf__dedup.patch | 43 + ...ff-by-one-bug-in-bpf_core_apply_relo.patch | 36 + ...pf-fix-overflow-in-btf-sanity-checks.patch | 46 + ...internal.h-to-set-errno-on-loader-re.patch | 54 + ...sible-memory-leak-in-probe-and-disco.patch | 72 ++ ...possible-memory-leak-in-probe-and-di.patch | 72 ++ ...x-a-double-free-in-the-remove-functi.patch | 36 + ...bound-array-index-in-llc_sk_dev_hash.patch | 68 ++ ..._is_held_type-detect-recursive-read-.patch | 44 + ...ckdep-avoid-rcu-induced-noinstr-fail.patch | 34 + ...sable-preemption-for-spinning-region.patch | 114 +++ ...t-a-default-value-for-memory_reserve.patch | 50 + ...-t-use-potentially-unaligned-pointer.patch | 46 + ...ox-mtk-cmdq-fix-local-clock-id-usage.patch | 56 ++ ...-mtk-cmdq-validate-alias_id-on-probe.patch | 38 + ...arn_on-for-async_cb.cb-in-cmdq_exec_.patch | 39 + ...lock-after-changing-rdev-flags-in-st.patch | 82 ++ ...nore-interrupt-if-mailbox-is-not-ini.patch | 50 + ...a-atmel-fix-the-ispck-initialization.patch | 253 +++++ ...-atomisp-fix-error-handling-in-probe.patch | 123 +++ ...x-snd_card_free-call-on-null-card-po.patch | 50 + ...i-fix-a-null-pointer-dereference-on-.patch | 43 + ...nds-mn88443x-handle-errors-of-clk_pr.patch | 80 ++ ...-fix-ununit-value-in-az6027_rc_query.patch | 39 + ...x-add-missing-em28xx_close_extension.patch | 44 + ...-don-t-use-ops-suspend-if-it-is-null.patch | 43 + .../media-i2c-ths8200-needs-v4l2_async.patch | 44 + ...ix-possible-null-pointer-dereference.patch | 38 + ...ix-the-error-handling-path-of-mxc_jp.patch | 40 + ...x-set-a-media_device-bus_info-string.patch | 41 + ...a-imx258-fix-getting-clock-frequency.patch | 52 + ...u3-imgu-imgu_fmt-handle-properly-try.patch | 41 + ...u3-imgu-vidioc_querycap-fix-bus_info.patch | 48 + ...ignment-to-be16-should-be-of-correct.patch | 37 + queue-5.15/media-ivtv-fix-build-for-uml.patch | 88 ++ ...urn-without-resubmitting-urb-in-case.patch | 40 + ...-fix-rotation-parameter-changes-dete.patch | 45 + ...x-corrupted-frame-after-restarting-s.patch | 89 ++ ...-venc-fix-return-value-when-start_st.patch | 51 + ...x-a-resource-leak-in-the-error-handl.patch | 52 + ...vb-handle-interrupt-properly-accordi.patch | 178 ++++ ...io-wl1273-avoid-card-name-truncation.patch | 39 + ...add-checking-to-rcsi2_start_receiver.patch | 45 + ...se-user-provided-buffers-when-starti.patch | 56 ++ ...5p-mfc-add-checking-to-s5p_mfc_probe.patch | 41 + ...x-possible-null-pointer-dereference-.patch | 49 + ...ia-si470x-avoid-card-name-truncation.patch | 54 + ...ntial-null-pointer-dereference-in-dc.patch | 94 ++ ...allow-the-video-device-to-be-open-mu.patch | 54 + ...andle-short-reads-of-hdmi-info-frame.patch | 74 ++ ...ia-tm6000-avoid-card-name-truncation.patch | 40 + ...-avoid-release-of-non-acquired-mutex.patch | 69 ++ ...b-fix-uninit-value-bug-in-dibusb_rea.patch | 41 + ...cvideo-return-eio-for-control-errors.patch | 48 + ...a-uvcvideo-set-capability-in-s_param.patch | 47 + ...o-set-unique-vdev-name-based-in-type.patch | 67 ++ ...-ioctl-s_ctrl-output-the-right-value.patch | 61 ++ ...vpp-frequency-calculation-for-decode.patch | 51 + ...dia-videobuf2-rework-vb2_mem_ops-api.patch | 555 +++++++++++ ...edia-vidtv-fix-memory-leak-in-remove.patch | 37 + ...ix-leak-of-irq-and-nand_irq-in-fsl_i.patch | 73 ++ .../memstick-avoid-out-of-range-warning.patch | 44 + ...ms-use-appropriate-free-function-in-.patch | 40 + ...x-a-uaf-bug-when-removing-the-driver.patch | 80 ++ ...r-fix-a-mistake-caused-by-resource_s.patch | 42 + ...ssing-of_node_put-for-loop-iteration.patch | 47 + .../mfd-cpcap-add-spi-device-id-table.patch | 52 + .../mfd-sprd-add-spi-device-id-table.patch | 52 + ...to-bitfield-api-to-fix-out-of-bounds.patch | 142 +++ ...ntiq-dma-add-small-delay-after-reset.patch | 43 + ...-lantiq-dma-fix-burst-length-for-deu.patch | 52 + ...-dma-reset-correct-number-of-channel.patch | 79 ++ ...make-cpu_loongson64-depends-on-mips_.patch | 50 + ...t-define-pc_iobase-but-increase-io_s.patch | 47 + ...ose-race-window-between-zs_pool_dec_.patch | 65 ++ ...eference-count-leaks-in-moxart_probe.patch | 74 ++ ...ble-regulator-on-error-and-in-the-re.patch | 55 + .../mmc-sdhci-omap-fix-context-restore.patch | 78 ++ ...ix-null-pointer-exception-if-regulat.patch | 55 + ...o-not-shrink-snd_nxt-when-recovering.patch | 147 +++ ...gtk-rekey-offload-failure-on-wpa-mix.patch | 66 ++ ...-fix-mt76_connac_gtk_rekey_tlv-usage.patch | 48 + ...possible-null-pointer-dereference-in.patch | 90 ++ ...rror-implicit-enumeration-conversion.patch | 59 ++ ...endianness-warning-in-mt7615_mac_wri.patch | 53 + ...hwmon-temp-sensor-mem-use-after-free.patch | 44 + ...615-fix-monitor-mode-tear-down-crash.patch | 118 +++ ...mt7615-mt7622-fix-ibss-and-meshpoint.patch | 65 ++ ...-endianness-warnings-in-mt76x02_mac..patch | 87 ++ ...mt7915-fix-an-off-by-one-bound-check.patch | 34 + ...t7915-fix-bit-fields-for-ht-rate-idx.patch | 39 + ...endianness-warning-in-mt7915_mac_add.patch | 40 + ...hwmon-temp-sensor-mem-use-after-free.patch | 55 + ...-info-leak-in-mt7915_mcu_set_pre_cal.patch | 37 + ...muar_idx-in-mt7915_mcu_alloc_sta_req.patch | 35 + ...possible-infinite-loop-release-semap.patch | 36 + ...potential-overflow-of-eeprom-page-in.patch | 62 ++ ...mt76-mt7915-fix-sta_rec_wtbl-tag-len.patch | 36 + ...ys-wake-device-if-necessary-in-debug.patch | 63 ++ .../mt76-mt7921-fix-dma-hang-in-rmmod.patch | 49 + ...endianness-in-mt7921_mcu_tx_done_eve.patch | 69 ++ ...endianness-warning-in-mt7921_update_.patch | 41 + ...firmware-usage-of-ra-info-using-lega.patch | 71 ++ ...kernel-warning-from-cfg80211_calcula.patch | 96 ++ ...out-of-order-process-by-invalid-even.patch | 46 + ...retrying-release-semaphore-without-e.patch | 38 + ...t76-mt7921-fix-survey-dump-reporting.patch | 65 ++ .../mt76-mt7921-report-he-mu-radiotap.patch | 187 ++++ ...erwrite-default-reg_ops-if-necessary.patch | 173 ++++ ...emove-debugfs-directory-if-device-is.patch | 48 + ...an-prevent-an-unsupported-configurat.patch | 58 ++ ...l-fix-potential-buffer-overflow-in-p.patch | 51 + ...-sfc-remove-excessive-clk_disable_un.patch | 42 + ...-initialize-private-structure-on-int.patch | 65 ++ ...bss_mode-when-changing-from-p2p-to-s.patch | 77 ++ ...end-delba-requests-according-to-spec.patch | 56 ++ ...after-free-in-mwl8k_fw_state_machine.patch | 61 ++ .../nbd-fix-max-value-for-first_minor.patch | 66 ++ ...-overflow-for-first_minor-in-nbd_dev.patch | 45 + .../nbd-fix-use-after-free-in-pid_show.patch | 135 +++ ...ggle-pll-settings-during-rate-change.patch | 110 ++ ...t-annotate-data-race-in-neigh_output.patch | 148 +++ ...ninitialized-variables-when-bridge_c.patch | 46 + ...ci_emac-fix-interrupt-pacing-disable.patch | 59 ++ ...fcount-warnings-when-port_-fdb-mdb-_.patch | 52 + ...x-broken-vlan-tagged-ptp-under-vlan-.patch | 183 ++++ ...itchdev-workqueue-when-leaving-the-b.patch | 81 ++ ...swip-serialize-access-to-the-pce-tab.patch | 121 +++ ...x-don-t-support-1g-speeds-on-6191x-o.patch | 46 + ...-rtl8366-fix-a-bug-in-deleting-vlans.patch | 46 + ...net-dsa-rtl8366rb-fix-off-by-one-bug.patch | 50 + ...et-enetc-unmap-dma-in-enetc_send_cmd.patch | 92 ++ ...cpsw_ale-fix-access-to-un-initialize.patch | 43 + queue-5.15/net-fealnx-fix-build-for-uml.patch | 51 + ...w-configure-ets-bandwidth-of-all-tcs.patch | 66 ++ ...nel-crash-when-unload-vf-while-it-is.patch | 105 ++ ...-packet-number-incorrect-after-query.patch | 225 +++++ ...e-base-interrupt-vector-initializati.patch | 109 ++ .../net-intel-igc_ptp-fix-build-for-uml.patch | 57 ++ ...2-fix-wrong-serdes-reconfiguration-o.patch | 199 ++++ ...devlink-user-input-after-driver-init.patch | 275 +++++ ...-and-unpublish-all-devlink-parameter.patch | 114 +++ ...f_ext_learned-in-combination-with-nt.patch | 111 +++ ...e-fix-undefined-member-in-key_remove.patch | 47 + ...ex-out-of-sync-problem-while-changin.patch | 53 + ...crel-make-skew-ps-check-more-lenient.patch | 43 + ...d-mvneta-warning-when-setting-pause-.patch | 44 + ...t-call-netif_carrier_off-with-null-n.patch | 42 + ...prio-fix-undefined-behavior-in-ktime.patch | 138 +++ ...-default-qdisc-visibility-after-tx-q.patch | 186 ++++ ...efcnt-underflow-on-linkdown-and-fall.patch | 110 ++ ...-allow-a-tc-taprio-base-time-of-zero.patch | 41 + ...-purge-sk_error_queue-in-sk_stream_k.patch | 68 ++ ...t-to-restart-the-syscall-if-it-will-.patch | 161 +++ ...-tulip-winbond-840-fix-build-for-uml.patch | 52 + ...-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch | 86 ++ ...ack-set-on-ips_assured-if-flows-ente.patch | 83 ++ ...ink_queue-fix-oob-when-mac-header-wa.patch | 55 + ...nset-relax-superfluous-check-on-set-.patch | 46 + ...uble-free-when-pn533_fill_fragment_s.patch | 59 ++ ...nter-access-when-scheduling-dim-work.patch | 49 + ...ial-deadlock-when-canceling-dim-work.patch | 56 ++ ...ge_attr_type-to-nfs4_change_type_is_.patch | 75 ++ ...s_ino_data_inval_defer-and-nfs_ino_i.patch | 46 + ...-an-oops-in-pnfs_mark_request_commit.patch | 68 ++ ...ix-deadlocks-in-nfs_scan_commit_list.patch | 66 ++ .../nfs-fix-dentry-verifier-races.patch | 47 + queue-5.15/nfs-fix-up-commit-deadlocks.patch | 107 ++ ...irectory-size-when-marking-for-reval.patch | 37 + ...-under-spinlock-in-rpc_parse_scope_i.patch | 90 ++ ...ession-in-nfs_set_open_stateid_locke.patch | 55 + ...o-not-call-del_gendisk-if-not-needed.patch | 37 + ...nup-the-disk-if-pmem_release_disk-is.patch | 65 ++ ...ock-and-always-kick-requeue-list-whe.patch | 74 ++ ...x-error-code-in-nvme_rdma_setup_ctrl.patch | 43 + ...se-after-free-when-a-port-is-removed.patch | 42 + ...se-after-free-when-a-port-is-removed.patch | 69 ++ ...se-after-free-when-a-port-is-removed.patch | 62 ++ ...ool-handle-__sanitize_cov-tail-calls.patch | 295 ++++++ ...ble-promisc-allmulti-match-mcam-entr.patch | 142 +++ ...teontx2-pf-select-config_net_devlink.patch | 47 + ...-fix-expect-text-for-gpio-hog-errors.patch | 88 ++ ...p-tlb-flush-null-pointer-dereference.patch | 80 ++ ...opp-fix-return-in-_opp_add_static_v2.patch | 38 + .../parisc-fix-warning-in-flush_tlb_all.patch | 68 ++ ...kgdb_roundup-to-make-kgdb-work-with-.patch | 78 ++ ...x-unwinder-when-config_64bit-is-enab.patch | 101 ++ ...don-t-spam-about-pio-response-status.patch | 42 + ...-preserving-pci_exp_rtctl_crssve-fla.patch | 50 + .../pci-do-not-enable-atomicops-on-vfs.patch | 69 ++ ...721e-fix-j721e_pcie_probe-error-path.patch | 44 + ...ialize-intx-masking-unmasking-and-fi.patch | 104 ++ ...sing-free-to-bpf_event__print_bpf_pr.patch | 60 ++ ...ix-icl-spr-inst_retired.prec_dist-en.patch | 80 ++ ...ncore-fix-intel-spr-cha-event-constr.patch | 37 + ...ncore-fix-intel-spr-iio-event-constr.patch | 36 + ...ncore-fix-intel-spr-m2pcie-event-con.patch | 45 + ...ncore-fix-intel-spr-m3upi-event-cons.patch | 36 + ...ksz8041nl-do-not-use-power-down-mode.patch | 57 ++ ...ther-fix-for-the-sc8180x-pcie-defini.patch | 43 + ...com-qusb2-fix-a-memory-leak-on-probe.patch | 94 ++ .../phy-qcom-snps-correct-the-fsel_mask.patch | 40 + ...erdes-fix-return-value-check-in-spar.patch | 44 + ...sel-check-of_get_address-for-failure.patch | 38 + ...ium-fix-function-addition-in-multipl.patch | 49 + ...checker-fix-off-by-one-bug-in-drive-.patch | 39 + ...-rzg2l-fix-missing-port-register-21h.patch | 37 + ...nkpad_acpi-fix-bitwise-vs.-logical-w.patch | 50 + ...6-wmi-do-not-fail-if-disabling-fails.patch | 52 + ...-em-fix-inefficient-states-detection.patch | 77 ++ .../pm-hibernate-fix-sparse-warnings.patch | 52 + ...-block-device-exclusively-in-swsusp_.patch | 100 ++ ...ix-misplaced-barrier-in-nfs4_ff_layo.patch | 74 ++ ...-reset-check-properly-the-return-val.patch | 47 + ...7xxx-fix-kernel-crash-on-irq-handler.patch | 45 + ...17040-fix-null-ptr-deref-in-max17040.patch | 53 + ...033_battery-change-voltage-values-to.patch | 42 + ...rpc-44x-fsp2-add-missing-of_node_put.patch | 48 + ...e-fix-set_memory_x-and-set_memory_nx.patch | 171 ++++ ...sable-strict_kernel_rwx-debug_pageal.patch | 60 ++ ...ovide-__kernel_map_pages-without-arc.patch | 44 + ...lanced-node-refcount-in-check_kvm_gu.patch | 49 + ...arch-powerpc-mm-mem.c-53-12-error-no.patch | 43 + ...ix-__ptep_set_access_flags-and-ptep_.patch | 121 +++ ...-correct-preempt-debug-splat-in-vcpu.patch | 73 ++ ...-cycles-instructions-as-pm_cyc-pm_in.patch | 182 ++++ .../powerpc-xmon-fix-task-state-output.patch | 39 + ...t-ignore-devlink-allocation-failures.patch | 71 ++ ...nline-rcu_dynticks_task-_-enter-exit.patch | 73 ++ ...-exp-request-check-in-sync_sched_exp.patch | 45 + ..._dynticks_curr_cpu_in_eqs-vs-noinstr.patch | 40 + ...tgs_wait_cbs-to-beginning-of-rcu_tas.patch | 46 + ...-problematic-critical-section-nestin.patch | 128 +++ .../rdma-bnxt_re-fix-query-srq-failure.patch | 43 + ...e-the-driver-to-set-the-iova-correct.patch | 54 + ...table-nents-when-using-ib_dma_virt_m.patch | 49 + .../rdma-hns-fix-initial-arm_st-of-cq.patch | 39 + ...the-value-of-max_lp_msg_len-to-meet-.patch | 44 + ...-missed-an-error-if-device-doesn-t-s.patch | 42 + .../rdma-rxe-fix-wrong-port_cap_flags.patch | 39 + ...-memory-leak-in-an-error-handling-pa.patch | 57 ++ ...roc-imx_rproc-fix-tcm-io-memory-type.patch | 164 +++ ...nnotate-dma-fence-critical-section-i.patch | 63 ++ ...36xx-enable-firmware-link-monitoring.patch | 53 + ...create_ept-return-when-rpmsg-config-.patch | 38 + ...firstly-in-rsi_91x_init-error-handli.patch | 61 ++ queue-5.15/rtc-ds1302-add-spi-id-table.patch | 50 + queue-5.15/rtc-ds1390-add-spi-id-table.patch | 51 + queue-5.15/rtc-mcp795-add-spi-id-table.patch | 51 + queue-5.15/rtc-pcf2123-add-spi-id-table.patch | 53 + ...rror-handling-in-rv3032_clkout_set_r.patch | 42 + ...x-clock-gate-setting-while-fifo-dump.patch | 66 ++ ..._to_jiffies-by-using-usecs_to_jiffie.patch | 39 + ...unconditionally-call-pte_unmap_unloc.patch | 48 + ...s390-gmap-validate-vma-in-__gmap_zap.patch | 66 ++ ...and-page-table-handling-code-in-stor.patch | 170 ++++ ...-vma-in-pgste-manipulation-functions.patch | 90 ++ ...lidate-the-vma-before-calling-follow.patch | 46 + ...fix-application-of-sizeof-to-pointer.patch | 50 + ...es-fix-return-value-if-register_kret.patch | 49 + ...r-for-get_wchan-to-keep-task-blocked.patch | 943 ++++++++++++++++++ ...n-vmalloc-poison-in-scs_free-process.patch | 97 ++ ...no-when-scsi_bsg_register_queue-fail.patch | 39 + ...initialized-data-in-csio_ln_vnp_read.patch | 40 + .../scsi-dc395-fix-error-case-unwinding.patch | 43 + ...me-i-o-failover-to-non-optimized-pat.patch | 45 + ...or-successful-restart-of-sli3-adapte.patch | 54 + ...s-fix-concurrent-access-to-isr-betwe.patch | 74 ++ ...-lockup-in-outbound-queue-management.patch | 234 +++++ ...misleading-log-statement-in-pm8001_m.patch | 40 + ...csi-qla2xxx-edif-fix-app-start-delay.patch | 127 +++ ...scsi-qla2xxx-edif-fix-app-start-fail.patch | 102 ++ .../scsi-qla2xxx-edif-fix-edif-bsg.patch | 162 +++ ...f-flush-stale-events-and-msgs-on-ses.patch | 181 ++++ ...si-qla2xxx-edif-increase-els-payload.patch | 105 ++ ...x-edif-use-link-event-to-wake-up-app.patch | 59 ++ ...scsi-qla2xxx-fix-gnl-list-corruption.patch | 79 ++ ...xx-relogin-during-fabric-disturbance.patch | 95 ++ ...rn-off-target-reset-during-issue_lip.patch | 131 +++ ...-remove-from-tmr_list-during-lun-unl.patch | 172 ++++ ...fs-core-fix-null-pointer-dereference.patch | 103 ++ ...x-ufshcd_probe_hba-prototype-to-matc.patch | 40 + ...s-core-stop-clearing-unit-attentions.patch | 346 +++++++ ...pltfrm-fix-memory-leak-due-to-probe-.patch | 85 ++ ...fshpb-properly-handle-max-single-cmd.patch | 109 ++ ...shpb-use-proper-power-management-api.patch | 59 ++ ...agmentation-when-plpmtud-enters-erro.patch | 92 ++ ...be_timer-in-sctp_transport_pl_update.patch | 43 + ...-only-for-pathmtu-update-in-sctp_tra.patch | 63 ++ ...ctphdr-len-in-sctp_transport_pl_hlen.patch | 56 ++ ...x-fclose-pclose-mismatch-in-test_pro.patch | 47 + ...bpf-fix-fd-cleanup-in-sk_lookup-test.patch | 56 ++ ...ests-bpf-fix-memory-leak-in-test_ima.patch | 45 + ...x-perf_buffer-test-on-system-with-of.patch | 60 ++ ...f-fix-strobemeta-selftest-regression.patch | 109 ++ ...p_redirect_multi-give-tcpdump-a-chan.patch | 47 + ...p_redirect_multi-limit-the-tests-in-.patch | 129 +++ ...p_redirect_multi-put-the-logs-to-tmp.patch | 137 +++ ...p_redirect_multi-use-arping-to-accur.patch | 57 ++ ...ix-conflicting-types-compile-error-f.patch | 55 + ...vm-fix-mismatched-fclose-after-popen.patch | 48 + ...fix-proto-type-in-link_failure-tests.patch | 37 + ...idge-update-igmp-mld-membership-inte.patch | 92 ++ ...b_nexthops-wait-before-checking-repo.patch | 45 + ...roperly-support-ipv6-in-gso-gre-test.patch | 76 ++ ...et-udpgso_bench_rx-fix-port-argument.patch | 67 ++ ..._file-fix-passing-wrong-private-data.patch | 48 + ...l-8250_dw-drop-wrong-use-of-acpi_ptr.patch | 40 + ...protect-udbg-definitions-by-config_s.patch | 58 ++ ...-fix-detach-attach-of-serial-console.patch | 126 +++ ...rtps-fix-race-condition-causing-stuc.patch | 69 ++ queue-5.15/series | 670 +++++++++++++ ...rce_sig-sigkill-instead-of-do_group_.patch | 63 ++ ...-offset-info-in-sk_psock_skb_ingress.patch | 210 ++++ ...use-after-free-in-netlbl_catmap_walk.patch | 55 + ...s-use-__gfp_nofail-for-smk_cipso_doi.patch | 41 + ...bl_cfg_cipsov4_del-for-deleting-cips.patch | 41 + ...nsole-free-buffer-before-returning-f.patch | 38 + ...om-apr-add-of_node_put-before-return.patch | 48 + ...c-qcom-llcc-disable-mmuhwt-retention.patch | 38 + ...-rpmhpd-fix-sm8350_mxc-s-peer-domain.patch | 38 + ...make-power_on-actually-enable-the-do.patch | 102 ++ ...com-socinfo-add-two-missing-pmic-ids.patch | 39 + ...-error-handling-path-in-tegra_powerg.patch | 41 + ...op-dereferencing-invalid-slave-point.patch | 55 + ...s-use-controller-id-and-link_id-for-.patch | 43 + ...g-force-target-when-using-if_changed.patch | 65 ++ ...-missing-clk_disable_unprepare-on-er.patch | 55 + ...e-a-spi_device_id-for-each-dt-compat.patch | 91 ++ .../spi-fixed-division-by-zero-warning.patch | 82 ++ ...-check-return-value-of-rpcif_sw_init.patch | 42 + ...elect-crypto_hash-crypto_michael_mic.patch | 47 + ...2-do-not-double-register-the-same-de.patch | 189 ++++ ...188eu-fix-memory-leak-in-rtw_set_key.patch | 37 + ...nd_of_stack-for-architectures-with-u.patch | 44 + ...-fin-sk_buff-in-tcp_remove_empty_skb.patch | 65 ++ ...rphan_count-to-bare-per-cpu-counters.patch | 374 +++++++ ...-a-uaf-bug-in-__thermal_cooling_devi.patch | 95 ++ ...-null-pointer-dereference-in-thermal.patch | 68 ++ ...qcom-lmh-make-qcom_lmh-depends-on-qc.patch | 53 + ...tsens-add-timeout-to-get_temp_tsens_.patch | 70 ++ ...-int340x-fix-build-on-32-bit-targets.patch | 53 + ...llector-use-correct-size-when-writin.patch | 45 + ...m-crash-caused-by-too-frequent-queri.patch | 171 ++++ .../tpm_tis_spi-add-missing-spi-id.patch | 44 + ...cefs-directories-not-set-oth-permiss.patch | 47 + ...cmp_entries_-functions-signature-mis.patch | 134 +++ ...other-permission-bits-in-the-tracefs.patch | 688 +++++++++++++ ...ing-trace_boot_init_histograms-kstrd.patch | 48 + ...w-so_mark-ctrl-msg-to-affect-routing.patch | 49 + ...-dwc2_drd_role_sw_set-when-clock-cou.patch | 74 ++ ...-dwc2_force_mode-call-in-dwc2_ovr_in.patch | 48 + ...et-current-session-before-setting-th.patch | 48 + ...skip-resizing-ep-s-tx-fifo-if-alread.patch | 105 ++ ...dget-hid-fix-error-code-in-do_config.patch | 40 + ...generic_phy-instead-of-depending-on-.patch | 47 + ...c-stusb160x-should-select-regmap_i2c.patch | 50 + ...earing-of-virtio_net_f_mac-feature-b.patch | 45 + ...psfb-use-memset_io-instead-of-memset.patch | 84 ++ ...x-possible-memory-allocation-failure.patch | 55 + ...k-desc-null-when-using-indirect-with.patch | 63 ++ ...k-only-in-context-of-lower-physdev-f.patch | 141 +++ ...necessary-refcnt-inc-for-nonblocking.patch | 42 + ..._wdt-fix-inaccurate-report-in-wdioc_.patch | 53 + ...roper-dma-memory-barriers-in-rx-path.patch | 66 ++ ...nel-list-update-before-hardware-scan.patch | 212 ++++ ...xx-correct-band-freq-reporting-on-rx.patch | 91 ++ ...36xx-fix-antenna-diversity-switching.patch | 150 +++ ...arded-frames-due-to-wrong-sequence-n.patch | 74 ++ .../wcn36xx-fix-packet-drop-on-resume.patch | 61 ++ ...sible-memory-leak-in-cfg_scan_result.patch | 41 + ...ysfs-of-unbound-kworker-cpumask-more.patch | 71 ++ .../x86-fix-__get_wchan-for-stacktrace.patch | 61 ++ ...et_wchan-to-support-the-orc-unwinder.patch | 96 ++ ...ct-set_hv_tscchange_cb-against-getti.patch | 72 ++ .../x86-increase-exception-stack-sizes.patch | 37 + ...-use-get_unaligned-instead-of-memcpy.patch | 137 +++ ...m-64-improve-stack-overflow-warnings.patch | 289 ++++++ ...tack-type-check-in-vc_switch_off_ist.patch | 39 + ..._bringup_and_idle-as-dead_end_functi.patch | 47 + ...n-pciback-fix-return-in-pm_ctrl_init.patch | 40 + .../zram-off-by-one-in-read_block_state.patch | 44 + 671 files changed, 53530 insertions(+) create mode 100644 queue-5.15/acpi-ac-quirk-gk45-to-skip-reading-_psr.patch create mode 100644 queue-5.15/acpi-battery-accept-charges-over-the-design-capacity.patch create mode 100644 queue-5.15/acpi-pm-fix-device-wakeup-power-reference-counting-e.patch create mode 100644 queue-5.15/acpi-pm-fix-sharing-of-wakeup-power-resources.patch create mode 100644 queue-5.15/acpi-pm-turn-off-unused-wakeup-power-resources.patch create mode 100644 queue-5.15/acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch create mode 100644 queue-5.15/acpi-resources-add-dmi-based-legacy-irq-override-qui.patch create mode 100644 queue-5.15/acpi-resources-add-one-more-medion-model-in-irq-over.patch create mode 100644 queue-5.15/acpi-scan-release-pm-resources-blocked-by-unused-obj.patch create mode 100644 queue-5.15/acpica-avoid-evaluating-methods-too-early-during-sys.patch create mode 100644 queue-5.15/alsa-hda-reduce-udelay-at-skl-position-reporting.patch create mode 100644 queue-5.15/alsa-hda-use-position-buffer-for-skl-again.patch create mode 100644 queue-5.15/alsa-memalloc-catch-call-with-null-snd_dma_buffer-po.patch create mode 100644 queue-5.15/alsa-oxfw-fix-functional-regression-for-mackie-onyx-.patch create mode 100644 queue-5.15/alsa-usb-audio-fix-possible-race-at-sync-of-urb-comp.patch create mode 100644 queue-5.15/apparmor-fix-error-check.patch create mode 100644 queue-5.15/ar7-fix-kernel-builds-for-compiler-test.patch create mode 100644 queue-5.15/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch create mode 100644 queue-5.15/arm-9142-1-kasan-work-around-lpae-build-warning.patch create mode 100644 queue-5.15/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch create mode 100644 queue-5.15/arm-dts-at91-tse850-the-emac-phy-interface-is-rmii.patch create mode 100644 queue-5.15/arm-dts-bcm5301x-fix-memory-nodes-names.patch create mode 100644 queue-5.15/arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch create mode 100644 queue-5.15/arm-dts-qcom-msm8974-add-xo_board-reference-clock-to.patch create mode 100644 queue-5.15/arm-dts-stm32-fix-av96-board-sai2-pin-muxing-on-stm3.patch create mode 100644 queue-5.15/arm-dts-stm32-fix-sai-sub-nodes-register-range.patch create mode 100644 queue-5.15/arm-dts-stm32-fix-stusb1600-type-c-irq-level-on-stm3.patch create mode 100644 queue-5.15/arm-dts-stm32-reduce-dhcor-spi-nor-frequency-to-50-m.patch create mode 100644 queue-5.15/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch create mode 100644 queue-5.15/arm64-arm64_ftr_reg-name-may-not-be-a-human-readable.patch create mode 100644 queue-5.15/arm64-dts-broadcom-bcm4908-fix-uart-clock-name.patch create mode 100644 queue-5.15/arm64-dts-meson-g12a-fix-the-pwm-regulator-supply-pr.patch create mode 100644 queue-5.15/arm64-dts-meson-g12b-fix-the-pwm-regulator-supply-pr.patch create mode 100644 queue-5.15/arm64-dts-meson-sm1-add-ethernet-phy-reset-line-for-.patch create mode 100644 queue-5.15/arm64-dts-meson-sm1-fix-the-pwm-regulator-supply-pro.patch create mode 100644 queue-5.15/arm64-dts-qcom-msm8916-fix-secondary-mi2s-bit-clock.patch create mode 100644 queue-5.15/arm64-dts-qcom-pm8916-remove-wrong-reg-names-for-rtc.patch create mode 100644 queue-5.15/arm64-dts-qcom-pmi8994-fix-eternal-external-typo-in-.patch create mode 100644 queue-5.15/arm64-dts-qcom-sc7180-base-dynamic-cpu-power-coeffic.patch create mode 100644 queue-5.15/arm64-dts-qcom-sc7280-fix-display-port-phy-reg-prope.patch create mode 100644 queue-5.15/arm64-dts-qcom-sdm845-fix-qualcomm-crypto-engine-bus.patch create mode 100644 queue-5.15/arm64-dts-qcom-sdm845-use-rpmh_ce_clk-macro-directly.patch create mode 100644 queue-5.15/arm64-dts-renesas-beacon-fix-ethernet-phy-mode.patch create mode 100644 queue-5.15/arm64-dts-rockchip-fix-gpu-register-width-for-rk3328.patch create mode 100644 queue-5.15/arm64-dts-rockchip-fix-rk3568-mbi-alias.patch create mode 100644 queue-5.15/arm64-dts-rockchip-move-rk3568-dtsi-to-rk356x-dtsi.patch create mode 100644 queue-5.15/arm64-dts-ti-j7200-main-fix-bus-range-upto-256-bus-n.patch create mode 100644 queue-5.15/arm64-dts-ti-j7200-main-fix-vendor-id-device-id-prop.patch create mode 100644 queue-5.15/arm64-dts-ti-k3-j721e-main-fix-bus-range-upto-256-bu.patch create mode 100644 queue-5.15/arm64-dts-ti-k3-j721e-main-fix-max-virtual-functions.patch create mode 100644 queue-5.15/arm64-mm-update-max_pfn-after-memory-hotplug.patch create mode 100644 queue-5.15/arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch create mode 100644 queue-5.15/arm64-vdso32-suppress-error-message-for-make-mrprope.patch create mode 100644 queue-5.15/asoc-cs42l42-always-configure-both-asp-tx-channels.patch create mode 100644 queue-5.15/asoc-cs42l42-correct-configuring-of-switch-inversion.patch create mode 100644 queue-5.15/asoc-cs42l42-correct-some-register-default-values.patch create mode 100644 queue-5.15/asoc-cs42l42-defer-probe-if-request_threaded_irq-ret.patch create mode 100644 queue-5.15/asoc-rsnd-fix-an-error-handling-path-in-rsnd_node_co.patch create mode 100644 queue-5.15/asoc-sof-topology-do-not-power-down-primary-core-dur.patch create mode 100644 queue-5.15/asoc-topology-fix-stub-for-snd_soc_tplg_component_re.patch create mode 100644 queue-5.15/asoc-wcd9335-use-correct-version-to-initialize-class.patch create mode 100644 queue-5.15/ataflop-remove-ataflop_probe_lock-mutex.patch create mode 100644 queue-5.15/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch create mode 100644 queue-5.15/ath10k-don-t-always-treat-modem-stop-events-as-crash.patch create mode 100644 queue-5.15/ath10k-fix-max-antenna-gain-unit.patch create mode 100644 queue-5.15/ath10k-fix-missing-frame-timestamp-for-beacon-probe-.patch create mode 100644 queue-5.15/ath10k-fix-module-load-regression-with-iram-recovery.patch create mode 100644 queue-5.15/ath10k-high-latency-fixes-for-beacon-buffer.patch create mode 100644 queue-5.15/ath10k-sdio-add-missing-bh-locking-around-napi_schdu.patch create mode 100644 queue-5.15/ath11k-add-handler-for-scan-event-wmi_scan_event_deq.patch create mode 100644 queue-5.15/ath11k-align-bss_chan_info-structure-with-firmware.patch create mode 100644 queue-5.15/ath11k-avoid-race-during-regd-updates.patch create mode 100644 queue-5.15/ath11k-avoid-reg-rules-update-during-firmware-recove.patch create mode 100644 queue-5.15/ath11k-change-dma_from_device-to-dma_to_device-when-.patch create mode 100644 queue-5.15/ath11k-fix-memory-leak-in-ath11k_qmi_driver_event_wo.patch create mode 100644 queue-5.15/ath11k-fix-packet-drops-due-to-incorrect-6-ghz-freq-.patch create mode 100644 queue-5.15/ath11k-fix-some-sleeping-in-atomic-bugs.patch create mode 100644 queue-5.15/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch create mode 100644 queue-5.15/auxdisplay-ht16k33-connect-backlight-to-fbdev.patch create mode 100644 queue-5.15/auxdisplay-ht16k33-fix-frame-buffer-device-blanking.patch create mode 100644 queue-5.15/auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch create mode 100644 queue-5.15/b43-fix-a-lower-bounds-test.patch create mode 100644 queue-5.15/b43legacy-fix-a-lower-bounds-test.patch create mode 100644 queue-5.15/blk-cgroup-synchronize-blkg-creation-against-policy-.patch create mode 100644 queue-5.15/blk-wbt-prevent-null-pointer-dereference-in-wb_timer.patch create mode 100644 queue-5.15/block-ataflop-add-registration-bool-before-calling-d.patch create mode 100644 queue-5.15/block-ataflop-fix-breakage-introduced-at-blk-mq-refa.patch create mode 100644 queue-5.15/block-ataflop-more-blk-mq-refactoring-fixes.patch create mode 100644 queue-5.15/block-ataflop-provide-a-helper-for-cleanup-up-an-ata.patch create mode 100644 queue-5.15/block-ataflop-use-the-blk_cleanup_disk-helper.patch create mode 100644 queue-5.15/block-bump-max-plugged-deferred-size-from-16-to-32.patch create mode 100644 queue-5.15/block-fix-device_add_disk-kobject_create_and_add-err.patch create mode 100644 queue-5.15/block-remove-inaccurate-requeue-check.patch create mode 100644 queue-5.15/bluetooth-btmtkuart-fix-a-memleak-in-mtk_hci_wmt_syn.patch create mode 100644 queue-5.15/bluetooth-call-sock_hold-earlier-in-sco_conn_del.patch create mode 100644 queue-5.15/bluetooth-fix-init-and-cleanup-of-sco_conn.timeout_w.patch create mode 100644 queue-5.15/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch create mode 100644 queue-5.15/bluetooth-hci_h5-fix-runtime-suspend-issues-on-rtl87.patch create mode 100644 queue-5.15/bluetooth-hci_uart-fix-gpf-in-h5_recv.patch create mode 100644 queue-5.15/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch create mode 100644 queue-5.15/bnxt_en-check-devlink-allocation-and-registration-st.patch create mode 100644 queue-5.15/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch create mode 100644 queue-5.15/bpf-avoid-races-in-__bpf_prog_run-for-32bit-arches.patch create mode 100644 queue-5.15/bpf-fix-propagation-of-bounds-from-64-bit-min-max-in.patch create mode 100644 queue-5.15/bpf-fix-propagation-of-signed-bounds-from-64-bit-min.patch create mode 100644 queue-5.15/bpf-fixes-possible-race-in-update_prog_stats-for-32b.patch create mode 100644 queue-5.15/bpf-sockmap-fix-race-in-ingress-receive-verdict-with.patch create mode 100644 queue-5.15/bpf-sockmap-remove-unhash-handler-for-bpf-sockmap-us.patch create mode 100644 queue-5.15/bpf-sockmap-sk_skb-data_end-access-incorrect-when-sr.patch create mode 100644 queue-5.15/bpf-sockmap-strparser-and-tls-are-reusing-qdisc_skb_.patch create mode 100644 queue-5.15/bpf-tests-fix-error-in-tail-call-limit-tests.patch create mode 100644 queue-5.15/bpftool-avoid-leaking-the-json-writer-prepared-for-p.patch create mode 100644 queue-5.15/brcmfmac-add-dmi-nvram-filename-quirk-for-cyberbook-.patch create mode 100644 queue-5.15/btrfs-do-not-take-the-uuid_mutex-in-btrfs_rm_device.patch create mode 100644 queue-5.15/btrfs-reflink-initialize-return-value-to-0-in-btrfs_.patch create mode 100644 queue-5.15/btrfs-subpage-make-btrfs_submit_compressed_write-com.patch create mode 100644 queue-5.15/bus-ti-sysc-fix-timekeeping_suspended-warning-on-res.patch create mode 100644 queue-5.15/can-bittiming-can_fixup_bittiming-change-type-of-tse.patch create mode 100644 queue-5.15/can-etas_es58x-es58x_rx_err_msg-fix-memory-leak-in-e.patch create mode 100644 queue-5.15/can-mcp251xfd-mcp251xfd_chip_start-fix-error-handlin.patch create mode 100644 queue-5.15/cfg80211-always-free-wiphy-specific-regdomain.patch create mode 100644 queue-5.15/cgroup-fix-rootcg-cpu.stat-guest-double-counting.patch create mode 100644 queue-5.15/cgroup-make-rebind_subsystems-disable-v2-controllers.patch create mode 100644 queue-5.15/clk-at91-check-pmc-node-status-before-registering-sy.patch create mode 100644 queue-5.15/clk-at91-clk-master-check-if-div-or-pres-is-zero.patch create mode 100644 queue-5.15/clk-at91-clk-master-fix-prescaler-logic.patch create mode 100644 queue-5.15/clk-at91-sam9x60-pll-use-div_round_closest_ull.patch create mode 100644 queue-5.15/clk-mvebu-ap-cpu-clk-fix-a-memory-leak-in-error-hand.patch create mode 100644 queue-5.15/clocksource-drivers-timer-ti-dm-select-timer_of.patch create mode 100644 queue-5.15/cpufreq-fix-parameter-in-parse_perf_domain.patch create mode 100644 queue-5.15/cpufreq-intel_pstate-clear-hwp-desired-on-suspend-sh.patch create mode 100644 queue-5.15/cpufreq-intel_pstate-fix-cpu-pstate.turbo_freq-initi.patch create mode 100644 queue-5.15/cpufreq-make-policy-min-max-hard-requirements.patch create mode 100644 queue-5.15/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch create mode 100644 queue-5.15/crypto-aesni-check-walk.nbytes-instead-of-err.patch create mode 100644 queue-5.15/crypto-api-fix-built-in-testing-dependency-failures.patch create mode 100644 queue-5.15/crypto-caam-disable-pkc-for-non-e-socs.patch create mode 100644 queue-5.15/crypto-ccree-avoid-out-of-range-warnings-from-clang.patch create mode 100644 queue-5.15/crypto-ecc-fix-crypto_default_rng-dependency.patch create mode 100644 queue-5.15/crypto-octeontx2-set-assoclen-in-aead_do_fallback.patch create mode 100644 queue-5.15/crypto-pcrypt-delay-write-to-padata-info.patch create mode 100644 queue-5.15/crypto-qat-detect-pfvf-collision-after-ack.patch create mode 100644 queue-5.15/crypto-qat-disregard-spurious-pfvf-interrupts.patch create mode 100644 queue-5.15/crypto-qat-power-up-4xxx-device.patch create mode 100644 queue-5.15/crypto-sm4-do-not-change-section-of-ck-and-sbox.patch create mode 100644 queue-5.15/crypto-tcrypt-fix-skcipher-multi-buffer-tests-for-14.patch create mode 100644 queue-5.15/cxgb4-fix-eeprom-len-when-diagnostics-not-implemente.patch create mode 100644 queue-5.15/dma-buf-warn-on-dmabuf-release-with-pending-attachme.patch create mode 100644 queue-5.15/dmaengine-at_xdmac-call-at_xdmac_axi_config-on-resum.patch create mode 100644 queue-5.15/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch create mode 100644 queue-5.15/dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch create mode 100644 queue-5.15/dmaengine-idxd-fix-resource-leak-on-dmaengine-driver.patch create mode 100644 queue-5.15/dmaengine-idxd-move-out-percpu_ref_exit-to-ensure-it.patch create mode 100644 queue-5.15/dmaengine-idxd-reconfig-device-after-device-reset-co.patch create mode 100644 queue-5.15/dmaengine-stm32-dma-avoid-64-bit-division-in-stm32_d.patch create mode 100644 queue-5.15/dmaengine-stm32-dma-fix-burst-in-case-of-unaligned-m.patch create mode 100644 queue-5.15/dmaengine-stm32-dma-fix-stm32_dma_get_max_width.patch create mode 100644 queue-5.15/dmaengine-tegra210-adma-fix-pm-runtime-unbalance.patch create mode 100644 queue-5.15/dmanegine-idxd-fix-resource-free-ordering-on-driver-.patch create mode 100644 queue-5.15/driver-core-fix-possible-memory-leak-in-device_link_.patch create mode 100644 queue-5.15/drm-amd-display-dcn20_resource_construct-reduce-scop.patch create mode 100644 queue-5.15/drm-amd-display-fix-null-pointer-deref-when-plugging.patch create mode 100644 queue-5.15/drm-amd-display-fix-null-pointer-dereference-for-enc.patch create mode 100644 queue-5.15/drm-amd-display-pass-display_pipe_params_st-as-const.patch create mode 100644 queue-5.15/drm-amdgpu-fix-a-potential-memory-leak-in-amdgpu_dev.patch create mode 100644 queue-5.15/drm-amdgpu-fix-crash-on-device-remove-driver-unload.patch create mode 100644 queue-5.15/drm-amdgpu-fix-mmio-access-page-fault.patch create mode 100644 queue-5.15/drm-amdgpu-fix-uvd-crash-on-polaris12-during-driver-.patch create mode 100644 queue-5.15/drm-amdgpu-fix-warning-for-overflow-check.patch create mode 100644 queue-5.15/drm-amdgpu-gmc6-fix-dma-mask-from-44-to-40-bits.patch create mode 100644 queue-5.15/drm-amdgpu-move-amdgpu_virt_release_full_gpu-to-fini.patch create mode 100644 queue-5.15/drm-amdgpu-move-iommu_resume-before-ip-init-resume.patch create mode 100644 queue-5.15/drm-amdgpu-pm-properly-handle-sclk-for-profiling-mod.patch create mode 100644 queue-5.15/drm-amdgpu-powerplay-fix-sysfs_emit-sysfs_emit_at-ha.patch create mode 100644 queue-5.15/drm-amdkfd-fix-an-inappropriate-error-handling-in-al.patch create mode 100644 queue-5.15/drm-amdkfd-fix-resume-error-when-iommu-disabled-in-p.patch create mode 100644 queue-5.15/drm-amdkfd-rm-bo-resv-on-validation-to-avoid-deadloc.patch create mode 100644 queue-5.15/drm-bridge-anx7625-propagate-errors-from-sp_tx_rst_a.patch create mode 100644 queue-5.15/drm-bridge-it66121-fix-return-value-it66121_probe.patch create mode 100644 queue-5.15/drm-bridge-it66121-initialize-device-vendor-_ids.patch create mode 100644 queue-5.15/drm-bridge-it66121-wait-for-next-bridge-to-be-probed.patch create mode 100644 queue-5.15/drm-bridge-lontium-lt9611uxc-fix-provided-connector-.patch create mode 100644 queue-5.15/drm-bridge-nwl-dsi-add-atomic_get_input_bus_fmts.patch create mode 100644 queue-5.15/drm-fb_helper-fix-config_fb-dependency.patch create mode 100644 queue-5.15/drm-fb_helper-improve-config_fb-dependency.patch create mode 100644 queue-5.15/drm-i915-fb-fix-rounding-error-in-subsampled-plane-s.patch create mode 100644 queue-5.15/drm-msm-dsi-do-not-enable-irq-handler-before-powerin.patch create mode 100644 queue-5.15/drm-msm-dsi-fix-wrong-type-in-msm_dsi_host.patch create mode 100644 queue-5.15/drm-msm-fix-potential-null-dereference-in-cleanup.patch create mode 100644 queue-5.15/drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch create mode 100644 queue-5.15/drm-msm-fix-potential-oops-in-a6xx_gmu_rpmh_init.patch create mode 100644 queue-5.15/drm-msm-potential-error-pointer-dereference-in-init.patch create mode 100644 queue-5.15/drm-msm-prevent-null-dereference-in-msm_gpu_crashsta.patch create mode 100644 queue-5.15/drm-msm-uninitialized-variable-in-msm_gem_import.patch create mode 100644 queue-5.15/drm-msm-unlock-on-error-in-get_sched_entity.patch create mode 100644 queue-5.15/drm-nouveau-svm-fix-refcount-leak-bug-and-missing-ch.patch create mode 100644 queue-5.15/drm-panel-orientation-quirks-add-quirk-for-kd-kurio-.patch create mode 100644 queue-5.15/drm-panel-orientation-quirks-add-quirk-for-the-samsu.patch create mode 100644 queue-5.15/drm-panel-orientation-quirks-add-valve-steam-deck.patch create mode 100644 queue-5.15/drm-panel-orientation-quirks-update-the-lenovo-ideap.patch create mode 100644 queue-5.15/drm-plane-helper-fix-uninitialized-variable-referenc.patch create mode 100644 queue-5.15/drm-ttm-remove-ttm_bo_vm_insert_huge.patch create mode 100644 queue-5.15/drm-ttm-stop-calling-tt_swapin-in-vm_access.patch create mode 100644 queue-5.15/drm-v3d-fix-wait-for-tmu-write-combiner-flush.patch create mode 100644 queue-5.15/dyndbg-make-dyndbg-a-known-cli-param.patch create mode 100644 queue-5.15/edac-amd64-handle-three-rank-interleaving-mode.patch create mode 100644 queue-5.15/erofs-don-t-trigger-warn-when-decompression-fails.patch create mode 100644 queue-5.15/ethtool-fix-ethtool-msg-len-calculation-for-pause-st.patch create mode 100644 queue-5.15/fbdev-efifb-release-pci-device-s-runtime-pm-ref-duri.patch create mode 100644 queue-5.15/firmware-qcom_scm-fix-error-retval-in-__qcom_scm_is_.patch create mode 100644 queue-5.15/fix-user-namespace-leak.patch create mode 100644 queue-5.15/floppy-fix-add_disk-assumption-on-exit-due-to-new-de.patch create mode 100644 queue-5.15/floppy-fix-calling-platform_device_unregister-on-inv.patch create mode 100644 queue-5.15/floppy-use-blk_cleanup_disk.patch create mode 100644 queue-5.15/fortify-fix-dropped-strcpy-compile-time-write-overfl.patch create mode 100644 queue-5.15/fs-orangefs-fix-error-return-code-of-orangefs_revali.patch create mode 100644 queue-5.15/fs-proc-uptime.c-fix-idle-time-reporting-in-proc-upt.patch create mode 100644 queue-5.15/fscrypt-allow-256-bit-master-keys-with-aes-256-xts.patch create mode 100644 queue-5.15/ftrace-do-cpu-checking-after-preemption-disabled.patch create mode 100644 queue-5.15/gfs2-cancel-remote-delete-work-asynchronously.patch create mode 100644 queue-5.15/gfs2-fix-glock_hash_walk-bugs.patch create mode 100644 queue-5.15/gpio-realtek-otto-fix-gpio-line-irq-offset.patch create mode 100644 queue-5.15/gre-sit-don-t-generate-link-local-addr-if-addr_gen_m.patch create mode 100644 queue-5.15/gve-dqo-avoid-unused-variable-warnings.patch create mode 100644 queue-5.15/gve-fix-off-by-one-in-gve_tx_timeout.patch create mode 100644 queue-5.15/gve-recover-from-queue-stall-due-to-missed-irq.patch create mode 100644 queue-5.15/gve-track-rx-buffer-allocation-failures.patch create mode 100644 queue-5.15/hid-u2fzero-clarify-error-check-and-length-calculati.patch create mode 100644 queue-5.15/hid-u2fzero-properly-handle-timeouts-in-usb_submit_u.patch create mode 100644 queue-5.15/hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch create mode 100644 queue-5.15/hwmon-pmbus-lm25066-let-compiler-determine-outer-dim.patch create mode 100644 queue-5.15/hwrng-mtk-force-runtime-pm-ops-for-sleep-ops.patch create mode 100644 queue-5.15/i2c-i801-use-pci-bus-rescan-mutex-to-protect-p2sb-ac.patch create mode 100644 queue-5.15/i2c-mediatek-fixing-the-incorrect-register-offset.patch create mode 100644 queue-5.15/i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch create mode 100644 queue-5.15/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch create mode 100644 queue-5.15/ibmvnic-delay-complete.patch create mode 100644 queue-5.15/ibmvnic-don-t-stop-queue-in-xmit.patch create mode 100644 queue-5.15/ibmvnic-process-crqs-after-enabling-interrupts.patch create mode 100644 queue-5.15/ice-fix-not-stopping-tx-queues-for-vfs.patch create mode 100644 queue-5.15/ice-fix-replacing-vf-hardware-mac-to-existing-mac-fi.patch create mode 100644 queue-5.15/ice-move-devlink-port-to-pf-vf-struct.patch create mode 100644 queue-5.15/iio-adis-do-not-disabe-irqs-in-adis_init.patch create mode 100644 queue-5.15/iio-buffer-fix-double-free-in-iio_buffers_alloc_sysf.patch create mode 100644 queue-5.15/iio-st_pressure_spi-add-missing-entries-spi-to-devic.patch create mode 100644 queue-5.15/iio-st_sensors-disable-regulators-after-device-unreg.patch create mode 100644 queue-5.15/ima-fix-deadlock-when-traversing-ima_default_rules.patch create mode 100644 queue-5.15/inet-remove-races-in-inet-6-_getname.patch create mode 100644 queue-5.15/init-make-unknown-command-line-param-message-clearer.patch create mode 100644 queue-5.15/input-ariel-pwrbutton-add-spi-device-id-table.patch create mode 100644 queue-5.15/input-st1232-increase-wait-ready-timeout.patch create mode 100644 queue-5.15/io-wq-fix-max-workers-not-correctly-set-on-multi-nod.patch create mode 100644 queue-5.15/io-wq-remove-duplicate-code-in-io_workqueue_create.patch create mode 100644 queue-5.15/iommu-dma-fix-arch_sync_dma-for-map.patch create mode 100644 queue-5.15/iommu-dma-fix-incorrect-error-return-on-iommu-deferr.patch create mode 100644 queue-5.15/iommu-dma-fix-sync_sg-with-swiotlb.patch create mode 100644 queue-5.15/iommu-mediatek-fix-out-of-range-warning-with-clang.patch create mode 100644 queue-5.15/iov_iter-fix-iov_iter_get_pages-_alloc-page-fault-re.patch create mode 100644 queue-5.15/ipmi-disable-some-operations-during-a-panic.patch create mode 100644 queue-5.15/ipmi-kcs_bmc-fix-a-memory-leak-in-the-error-handling.patch create mode 100644 queue-5.15/irq-mips-avoid-nested-irq_enter.patch create mode 100644 queue-5.15/iwlwifi-change-all-jnp-to-no-160-configuration.patch create mode 100644 queue-5.15/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch create mode 100644 queue-5.15/iwlwifi-mvm-reset-pm-state-on-unsuccessful-resume.patch create mode 100644 queue-5.15/iwlwifi-pnvm-don-t-kmemdup-more-than-we-have.patch create mode 100644 queue-5.15/iwlwifi-pnvm-read-efi-data-only-if-long-enough.patch create mode 100644 queue-5.15/jfs-fix-memleak-in-jfs_mount.patch create mode 100644 queue-5.15/kdb-adopt-scheduler-s-task-classification.patch create mode 100644 queue-5.15/kernel-sched-fix-sched_fork-access-an-invalid-sched_.patch create mode 100644 queue-5.15/kprobes-do-not-use-local-variable-when-creating-debu.patch create mode 100644 queue-5.15/kselftests-net-add-missed-icmp.sh-test-to-makefile.patch create mode 100644 queue-5.15/kselftests-net-add-missed-setup_loopback.sh-setup_ve.patch create mode 100644 queue-5.15/kselftests-net-add-missed-srv6-tests.patch create mode 100644 queue-5.15/kselftests-net-add-missed-toeplitz.sh-toeplitz_clien.patch create mode 100644 queue-5.15/kselftests-net-add-missed-vrf_strict_mode_test.sh-te.patch create mode 100644 queue-5.15/kselftests-sched-cleanup-the-child-processes.patch create mode 100644 queue-5.15/kvm-arm64-propagate-errors-from-__pkvm_prot_finalize.patch create mode 100644 queue-5.15/kvm-s390-fix-handle_sske-page-fault-handling.patch create mode 100644 queue-5.15/kvm-s390-pv-avoid-double-free-of-sida-page.patch create mode 100644 queue-5.15/kvm-s390-pv-avoid-stalls-for-kvm_s390_pv_init_vm.patch create mode 100644 queue-5.15/kvm-selftests-fix-nested-svm-tests-when-built-with-c.patch create mode 100644 queue-5.15/leaking_addresses-always-print-a-trailing-newline.patch create mode 100644 queue-5.15/leds-trigger-use-rcu-to-protect-the-led_cdevs-list.patch create mode 100644 queue-5.15/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch create mode 100644 queue-5.15/lib-xz-validate-the-value-before-assigning-it-to-an-.patch create mode 100644 queue-5.15/libbpf-don-t-crash-on-object-files-with-no-symbol-ta.patch create mode 100644 queue-5.15/libbpf-fix-btf-header-parsing-checks.patch create mode 100644 queue-5.15/libbpf-fix-endianness-detection-in-bpf_core_read_bit.patch create mode 100644 queue-5.15/libbpf-fix-lookup_and_delete_elem_flags-error-report.patch create mode 100644 queue-5.15/libbpf-fix-memory-leak-in-btf__dedup.patch create mode 100644 queue-5.15/libbpf-fix-off-by-one-bug-in-bpf_core_apply_relo.patch create mode 100644 queue-5.15/libbpf-fix-overflow-in-btf-sanity-checks.patch create mode 100644 queue-5.15/libbpf-fix-skel_internal.h-to-set-errno-on-loader-re.patch create mode 100644 queue-5.15/libertas-fix-possible-memory-leak-in-probe-and-disco.patch create mode 100644 queue-5.15/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch create mode 100644 queue-5.15/litex_liteeth-fix-a-double-free-in-the-remove-functi.patch create mode 100644 queue-5.15/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch create mode 100644 queue-5.15/lockdep-let-lock_is_held_type-detect-recursive-read-.patch create mode 100644 queue-5.15/locking-lockdep-avoid-rcu-induced-noinstr-fail.patch create mode 100644 queue-5.15/locking-rwsem-disable-preemption-for-spinning-region.patch create mode 100644 queue-5.15/m68k-set-a-default-value-for-memory_reserve.patch create mode 100644 queue-5.15/mac80211-twt-don-t-use-potentially-unaligned-pointer.patch create mode 100644 queue-5.15/mailbox-mtk-cmdq-fix-local-clock-id-usage.patch create mode 100644 queue-5.15/mailbox-mtk-cmdq-validate-alias_id-on-probe.patch create mode 100644 queue-5.15/mailbox-remove-warn_on-for-async_cb.cb-in-cmdq_exec_.patch create mode 100644 queue-5.15/md-update-superblock-after-changing-rdev-flags-in-st.patch create mode 100644 queue-5.15/media-allegro-ignore-interrupt-if-mailbox-is-not-ini.patch create mode 100644 queue-5.15/media-atmel-fix-the-ispck-initialization.patch create mode 100644 queue-5.15/media-atomisp-fix-error-handling-in-probe.patch create mode 100644 queue-5.15/media-cx23885-fix-snd_card_free-call-on-null-card-po.patch create mode 100644 queue-5.15/media-cxd2880-spi-fix-a-null-pointer-dereference-on-.patch create mode 100644 queue-5.15/media-dvb-frontends-mn88443x-handle-errors-of-clk_pr.patch create mode 100644 queue-5.15/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch create mode 100644 queue-5.15/media-em28xx-add-missing-em28xx_close_extension.patch create mode 100644 queue-5.15/media-em28xx-don-t-use-ops-suspend-if-it-is-null.patch create mode 100644 queue-5.15/media-i2c-ths8200-needs-v4l2_async.patch create mode 100644 queue-5.15/media-imx-jpeg-fix-possible-null-pointer-dereference.patch create mode 100644 queue-5.15/media-imx-jpeg-fix-the-error-handling-path-of-mxc_jp.patch create mode 100644 queue-5.15/media-imx-set-a-media_device-bus_info-string.patch create mode 100644 queue-5.15/media-imx258-fix-getting-clock-frequency.patch create mode 100644 queue-5.15/media-ipu3-imgu-imgu_fmt-handle-properly-try.patch create mode 100644 queue-5.15/media-ipu3-imgu-vidioc_querycap-fix-bus_info.patch create mode 100644 queue-5.15/media-ir_toy-assignment-to-be16-should-be-of-correct.patch create mode 100644 queue-5.15/media-ivtv-fix-build-for-uml.patch create mode 100644 queue-5.15/media-mceusb-return-without-resubmitting-urb-in-case.patch create mode 100644 queue-5.15/media-meson-ge2d-fix-rotation-parameter-changes-dete.patch create mode 100644 queue-5.15/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch create mode 100644 queue-5.15/media-mtk-vcodec-venc-fix-return-value-when-start_st.patch create mode 100644 queue-5.15/media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch create mode 100644 queue-5.15/media-netup_unidvb-handle-interrupt-properly-accordi.patch create mode 100644 queue-5.15/media-radio-wl1273-avoid-card-name-truncation.patch create mode 100644 queue-5.15/media-rcar-csi2-add-checking-to-rcsi2_start_receiver.patch create mode 100644 queue-5.15/media-rcar-vin-use-user-provided-buffers-when-starti.patch create mode 100644 queue-5.15/media-s5p-mfc-add-checking-to-s5p_mfc_probe.patch create mode 100644 queue-5.15/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch create mode 100644 queue-5.15/media-si470x-avoid-card-name-truncation.patch create mode 100644 queue-5.15/media-stm32-potential-null-pointer-dereference-in-dc.patch create mode 100644 queue-5.15/media-sun6i-csi-allow-the-video-device-to-be-open-mu.patch create mode 100644 queue-5.15/media-tda1997x-handle-short-reads-of-hdmi-info-frame.patch create mode 100644 queue-5.15/media-tm6000-avoid-card-name-truncation.patch create mode 100644 queue-5.15/media-ttusb-dec-avoid-release-of-non-acquired-mutex.patch create mode 100644 queue-5.15/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch create mode 100644 queue-5.15/media-uvcvideo-return-eio-for-control-errors.patch create mode 100644 queue-5.15/media-uvcvideo-set-capability-in-s_param.patch create mode 100644 queue-5.15/media-uvcvideo-set-unique-vdev-name-based-in-type.patch create mode 100644 queue-5.15/media-v4l2-ioctl-s_ctrl-output-the-right-value.patch create mode 100644 queue-5.15/media-venus-fix-vpp-frequency-calculation-for-decode.patch create mode 100644 queue-5.15/media-videobuf2-rework-vb2_mem_ops-api.patch create mode 100644 queue-5.15/media-vidtv-fix-memory-leak-in-remove.patch create mode 100644 queue-5.15/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch create mode 100644 queue-5.15/memstick-avoid-out-of-range-warning.patch create mode 100644 queue-5.15/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch create mode 100644 queue-5.15/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch create mode 100644 queue-5.15/mfd-altera-sysmgr-fix-a-mistake-caused-by-resource_s.patch create mode 100644 queue-5.15/mfd-core-add-missing-of_node_put-for-loop-iteration.patch create mode 100644 queue-5.15/mfd-cpcap-add-spi-device-id-table.patch create mode 100644 queue-5.15/mfd-sprd-add-spi-device-id-table.patch create mode 100644 queue-5.15/mips-cm-convert-to-bitfield-api-to-fix-out-of-bounds.patch create mode 100644 queue-5.15/mips-lantiq-dma-add-small-delay-after-reset.patch create mode 100644 queue-5.15/mips-lantiq-dma-fix-burst-length-for-deu.patch create mode 100644 queue-5.15/mips-lantiq-dma-reset-correct-number-of-channel.patch create mode 100644 queue-5.15/mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch create mode 100644 queue-5.15/mips-ralink-don-t-define-pc_iobase-but-increase-io_s.patch create mode 100644 queue-5.15/mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch create mode 100644 queue-5.15/mmc-moxart-fix-reference-count-leaks-in-moxart_probe.patch create mode 100644 queue-5.15/mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch create mode 100644 queue-5.15/mmc-sdhci-omap-fix-context-restore.patch create mode 100644 queue-5.15/mmc-sdhci-omap-fix-null-pointer-exception-if-regulat.patch create mode 100644 queue-5.15/mptcp-do-not-shrink-snd_nxt-when-recovering.patch create mode 100644 queue-5.15/mt76-connac-fix-gtk-rekey-offload-failure-on-wpa-mix.patch create mode 100644 queue-5.15/mt76-connac-fix-mt76_connac_gtk_rekey_tlv-usage.patch create mode 100644 queue-5.15/mt76-connac-fix-possible-null-pointer-dereference-in.patch create mode 100644 queue-5.15/mt76-fix-build-error-implicit-enumeration-conversion.patch create mode 100644 queue-5.15/mt76-mt7615-fix-endianness-warning-in-mt7615_mac_wri.patch create mode 100644 queue-5.15/mt76-mt7615-fix-hwmon-temp-sensor-mem-use-after-free.patch create mode 100644 queue-5.15/mt76-mt7615-fix-monitor-mode-tear-down-crash.patch create mode 100644 queue-5.15/mt76-mt7615-mt7622-fix-ibss-and-meshpoint.patch create mode 100644 queue-5.15/mt76-mt76x02-fix-endianness-warnings-in-mt76x02_mac..patch create mode 100644 queue-5.15/mt76-mt7915-fix-an-off-by-one-bound-check.patch create mode 100644 queue-5.15/mt76-mt7915-fix-bit-fields-for-ht-rate-idx.patch create mode 100644 queue-5.15/mt76-mt7915-fix-endianness-warning-in-mt7915_mac_add.patch create mode 100644 queue-5.15/mt76-mt7915-fix-hwmon-temp-sensor-mem-use-after-free.patch create mode 100644 queue-5.15/mt76-mt7915-fix-info-leak-in-mt7915_mcu_set_pre_cal.patch create mode 100644 queue-5.15/mt76-mt7915-fix-muar_idx-in-mt7915_mcu_alloc_sta_req.patch create mode 100644 queue-5.15/mt76-mt7915-fix-possible-infinite-loop-release-semap.patch create mode 100644 queue-5.15/mt76-mt7915-fix-potential-overflow-of-eeprom-page-in.patch create mode 100644 queue-5.15/mt76-mt7915-fix-sta_rec_wtbl-tag-len.patch create mode 100644 queue-5.15/mt76-mt7921-always-wake-device-if-necessary-in-debug.patch create mode 100644 queue-5.15/mt76-mt7921-fix-dma-hang-in-rmmod.patch create mode 100644 queue-5.15/mt76-mt7921-fix-endianness-in-mt7921_mcu_tx_done_eve.patch create mode 100644 queue-5.15/mt76-mt7921-fix-endianness-warning-in-mt7921_update_.patch create mode 100644 queue-5.15/mt76-mt7921-fix-firmware-usage-of-ra-info-using-lega.patch create mode 100644 queue-5.15/mt76-mt7921-fix-kernel-warning-from-cfg80211_calcula.patch create mode 100644 queue-5.15/mt76-mt7921-fix-out-of-order-process-by-invalid-even.patch create mode 100644 queue-5.15/mt76-mt7921-fix-retrying-release-semaphore-without-e.patch create mode 100644 queue-5.15/mt76-mt7921-fix-survey-dump-reporting.patch create mode 100644 queue-5.15/mt76-mt7921-report-he-mu-radiotap.patch create mode 100644 queue-5.15/mt76-overwrite-default-reg_ops-if-necessary.patch create mode 100644 queue-5.15/mtd-core-don-t-remove-debugfs-directory-if-device-is.patch create mode 100644 queue-5.15/mtd-rawnand-arasan-prevent-an-unsupported-configurat.patch create mode 100644 queue-5.15/mtd-rawnand-intel-fix-potential-buffer-overflow-in-p.patch create mode 100644 queue-5.15/mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch create mode 100644 queue-5.15/mwifiex-properly-initialize-private-structure-on-int.patch create mode 100644 queue-5.15/mwifiex-run-set_bss_mode-when-changing-from-p2p-to-s.patch create mode 100644 queue-5.15/mwifiex-send-delba-requests-according-to-spec.patch create mode 100644 queue-5.15/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch create mode 100644 queue-5.15/nbd-fix-max-value-for-first_minor.patch create mode 100644 queue-5.15/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev.patch create mode 100644 queue-5.15/nbd-fix-use-after-free-in-pid_show.patch create mode 100644 queue-5.15/net-amd-xgbe-toggle-pll-settings-during-rate-change.patch create mode 100644 queue-5.15/net-annotate-data-race-in-neigh_output.patch create mode 100644 queue-5.15/net-bridge-fix-uninitialized-variables-when-bridge_c.patch create mode 100644 queue-5.15/net-davinci_emac-fix-interrupt-pacing-disable.patch create mode 100644 queue-5.15/net-dsa-avoid-refcount-warnings-when-port_-fdb-mdb-_.patch create mode 100644 queue-5.15/net-dsa-felix-fix-broken-vlan-tagged-ptp-under-vlan-.patch create mode 100644 queue-5.15/net-dsa-flush-switchdev-workqueue-when-leaving-the-b.patch create mode 100644 queue-5.15/net-dsa-lantiq_gswip-serialize-access-to-the-pce-tab.patch create mode 100644 queue-5.15/net-dsa-mv88e6xxx-don-t-support-1g-speeds-on-6191x-o.patch create mode 100644 queue-5.15/net-dsa-rtl8366-fix-a-bug-in-deleting-vlans.patch create mode 100644 queue-5.15/net-dsa-rtl8366rb-fix-off-by-one-bug.patch create mode 100644 queue-5.15/net-enetc-unmap-dma-in-enetc_send_cmd.patch create mode 100644 queue-5.15/net-ethernet-ti-cpsw_ale-fix-access-to-un-initialize.patch create mode 100644 queue-5.15/net-fealnx-fix-build-for-uml.patch create mode 100644 queue-5.15/net-hns3-allow-configure-ets-bandwidth-of-all-tcs.patch create mode 100644 queue-5.15/net-hns3-fix-kernel-crash-when-unload-vf-while-it-is.patch create mode 100644 queue-5.15/net-hns3-fix-pfc-packet-number-incorrect-after-query.patch create mode 100644 queue-5.15/net-hns3-fix-roce-base-interrupt-vector-initializati.patch create mode 100644 queue-5.15/net-intel-igc_ptp-fix-build-for-uml.patch create mode 100644 queue-5.15/net-marvell-mvpp2-fix-wrong-serdes-reconfiguration-o.patch create mode 100644 queue-5.15/net-mlx5-accept-devlink-user-input-after-driver-init.patch create mode 100644 queue-5.15/net-mlx5-publish-and-unpublish-all-devlink-parameter.patch create mode 100644 queue-5.15/net-neigh-fix-ntf_ext_learned-in-combination-with-nt.patch create mode 100644 queue-5.15/net-net_namespace-fix-undefined-member-in-key_remove.patch create mode 100644 queue-5.15/net-phy-fix-duplex-out-of-sync-problem-while-changin.patch create mode 100644 queue-5.15/net-phy-micrel-make-skew-ps-check-more-lenient.patch create mode 100644 queue-5.15/net-phylink-avoid-mvneta-warning-when-setting-pause-.patch create mode 100644 queue-5.15/net-phylink-don-t-call-netif_carrier_off-with-null-n.patch create mode 100644 queue-5.15/net-sched-sch_taprio-fix-undefined-behavior-in-ktime.patch create mode 100644 queue-5.15/net-sched-update-default-qdisc-visibility-after-tx-q.patch create mode 100644 queue-5.15/net-smc-fix-sk_refcnt-underflow-on-linkdown-and-fall.patch create mode 100644 queue-5.15/net-stmmac-allow-a-tc-taprio-base-time-of-zero.patch create mode 100644 queue-5.15/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch create mode 100644 queue-5.15/net-sysfs-try-not-to-restart-the-syscall-if-it-will-.patch create mode 100644 queue-5.15/net-tulip-winbond-840-fix-build-for-uml.patch create mode 100644 queue-5.15/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch create mode 100644 queue-5.15/netfilter-conntrack-set-on-ips_assured-if-flows-ente.patch create mode 100644 queue-5.15/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch create mode 100644 queue-5.15/netfilter-nft_dynset-relax-superfluous-check-on-set-.patch create mode 100644 queue-5.15/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch create mode 100644 queue-5.15/nfp-fix-null-pointer-access-when-scheduling-dim-work.patch create mode 100644 queue-5.15/nfp-fix-potential-deadlock-when-canceling-dim-work.patch create mode 100644 queue-5.15/nfs-default-change_attr_type-to-nfs4_change_type_is_.patch create mode 100644 queue-5.15/nfs-don-t-set-nfs_ino_data_inval_defer-and-nfs_ino_i.patch create mode 100644 queue-5.15/nfs-fix-an-oops-in-pnfs_mark_request_commit.patch create mode 100644 queue-5.15/nfs-fix-deadlocks-in-nfs_scan_commit_list.patch create mode 100644 queue-5.15/nfs-fix-dentry-verifier-races.patch create mode 100644 queue-5.15/nfs-fix-up-commit-deadlocks.patch create mode 100644 queue-5.15/nfs-ignore-the-directory-size-when-marking-for-reval.patch create mode 100644 queue-5.15/nfsd-don-t-alloc-under-spinlock-in-rpc_parse_scope_i.patch create mode 100644 queue-5.15/nfsv4-fix-a-regression-in-nfs_set_open_stateid_locke.patch create mode 100644 queue-5.15/nvdimm-btt-do-not-call-del_gendisk-if-not-needed.patch create mode 100644 queue-5.15/nvdimm-pmem-cleanup-the-disk-if-pmem_release_disk-is.patch create mode 100644 queue-5.15/nvme-drop-scan_lock-and-always-kick-requeue-list-whe.patch create mode 100644 queue-5.15/nvme-rdma-fix-error-code-in-nvme_rdma_setup_ctrl.patch create mode 100644 queue-5.15/nvmet-fix-use-after-free-when-a-port-is-removed.patch create mode 100644 queue-5.15/nvmet-rdma-fix-use-after-free-when-a-port-is-removed.patch create mode 100644 queue-5.15/nvmet-tcp-fix-use-after-free-when-a-port-is-removed.patch create mode 100644 queue-5.15/objtool-handle-__sanitize_cov-tail-calls.patch create mode 100644 queue-5.15/octeontx2-pf-enable-promisc-allmulti-match-mcam-entr.patch create mode 100644 queue-5.15/octeontx2-pf-select-config_net_devlink.patch create mode 100644 queue-5.15/of-unittest-fix-expect-text-for-gpio-hog-errors.patch create mode 100644 queue-5.15/openrisc-fix-smp-tlb-flush-null-pointer-dereference.patch create mode 100644 queue-5.15/opp-fix-return-in-_opp_add_static_v2.patch create mode 100644 queue-5.15/parisc-fix-warning-in-flush_tlb_all.patch create mode 100644 queue-5.15/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch create mode 100644 queue-5.15/parisc-unwind-fix-unwinder-when-config_64bit-is-enab.patch create mode 100644 queue-5.15/pci-aardvark-don-t-spam-about-pio-response-status.patch create mode 100644 queue-5.15/pci-aardvark-fix-preserving-pci_exp_rtctl_crssve-fla.patch create mode 100644 queue-5.15/pci-do-not-enable-atomicops-on-vfs.patch create mode 100644 queue-5.15/pci-j721e-fix-j721e_pcie_probe-error-path.patch create mode 100644 queue-5.15/pci-uniphier-serialize-intx-masking-unmasking-and-fi.patch create mode 100644 queue-5.15/perf-bpf-add-missing-free-to-bpf_event__print_bpf_pr.patch create mode 100644 queue-5.15/perf-x86-intel-fix-icl-spr-inst_retired.prec_dist-en.patch create mode 100644 queue-5.15/perf-x86-intel-uncore-fix-intel-spr-cha-event-constr.patch create mode 100644 queue-5.15/perf-x86-intel-uncore-fix-intel-spr-iio-event-constr.patch create mode 100644 queue-5.15/perf-x86-intel-uncore-fix-intel-spr-m2pcie-event-con.patch create mode 100644 queue-5.15/perf-x86-intel-uncore-fix-intel-spr-m3upi-event-cons.patch create mode 100644 queue-5.15/phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch create mode 100644 queue-5.15/phy-qcom-qmp-another-fix-for-the-sc8180x-pcie-defini.patch create mode 100644 queue-5.15/phy-qcom-qusb2-fix-a-memory-leak-on-probe.patch create mode 100644 queue-5.15/phy-qcom-snps-correct-the-fsel_mask.patch create mode 100644 queue-5.15/phy-sparx5-eth-serdes-fix-return-value-check-in-spar.patch create mode 100644 queue-5.15/phy-ti-gmii-sel-check-of_get_address-for-failure.patch create mode 100644 queue-5.15/pinctrl-equilibrium-fix-function-addition-in-multipl.patch create mode 100644 queue-5.15/pinctrl-renesas-checker-fix-off-by-one-bug-in-drive-.patch create mode 100644 queue-5.15/pinctrl-renesas-rzg2l-fix-missing-port-register-21h.patch create mode 100644 queue-5.15/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch create mode 100644 queue-5.15/platform-x86-wmi-do-not-fail-if-disabling-fails.patch create mode 100644 queue-5.15/pm-em-fix-inefficient-states-detection.patch create mode 100644 queue-5.15/pm-hibernate-fix-sparse-warnings.patch create mode 100644 queue-5.15/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch create mode 100644 queue-5.15/pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch create mode 100644 queue-5.15/power-reset-at91-reset-check-properly-the-return-val.patch create mode 100644 queue-5.15/power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch create mode 100644 queue-5.15/power-supply-max17040-fix-null-ptr-deref-in-max17040.patch create mode 100644 queue-5.15/power-supply-rt5033_battery-change-voltage-values-to.patch create mode 100644 queue-5.15/powerpc-44x-fsp2-add-missing-of_node_put.patch create mode 100644 queue-5.15/powerpc-book3e-fix-set_memory_x-and-set_memory_nx.patch create mode 100644 queue-5.15/powerpc-booke-disable-strict_kernel_rwx-debug_pageal.patch create mode 100644 queue-5.15/powerpc-don-t-provide-__kernel_map_pages-without-arc.patch create mode 100644 queue-5.15/powerpc-fix-unbalanced-node-refcount-in-check_kvm_gu.patch create mode 100644 queue-5.15/powerpc-mem-fix-arch-powerpc-mm-mem.c-53-12-error-no.patch create mode 100644 queue-5.15/powerpc-nohash-fix-__ptep_set_access_flags-and-ptep_.patch create mode 100644 queue-5.15/powerpc-paravirt-correct-preempt-debug-splat-in-vcpu.patch create mode 100644 queue-5.15/powerpc-perf-fix-cycles-instructions-as-pm_cyc-pm_in.patch create mode 100644 queue-5.15/powerpc-xmon-fix-task-state-output.patch create mode 100644 queue-5.15/qed-don-t-ignore-devlink-allocation-failures.patch create mode 100644 queue-5.15/rcu-always-inline-rcu_dynticks_task-_-enter-exit.patch create mode 100644 queue-5.15/rcu-fix-existing-exp-request-check-in-sync_sched_exp.patch create mode 100644 queue-5.15/rcu-fix-rcu_dynticks_curr_cpu_in_eqs-vs-noinstr.patch create mode 100644 queue-5.15/rcu-tasks-move-rtgs_wait_cbs-to-beginning-of-rcu_tas.patch create mode 100644 queue-5.15/rcutorture-avoid-problematic-critical-section-nestin.patch create mode 100644 queue-5.15/rdma-bnxt_re-fix-query-srq-failure.patch create mode 100644 queue-5.15/rdma-core-require-the-driver-to-set-the-iova-correct.patch create mode 100644 queue-5.15/rdma-core-set-sgtable-nents-when-using-ib_dma_virt_m.patch create mode 100644 queue-5.15/rdma-hns-fix-initial-arm_st-of-cq.patch create mode 100644 queue-5.15/rdma-hns-modify-the-value-of-max_lp_msg_len-to-meet-.patch create mode 100644 queue-5.15/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch create mode 100644 queue-5.15/rdma-rxe-fix-wrong-port_cap_flags.patch create mode 100644 queue-5.15/remoteproc-fix-a-memory-leak-in-an-error-handling-pa.patch create mode 100644 queue-5.15/remoteproc-imx_rproc-fix-tcm-io-memory-type.patch create mode 100644 queue-5.15/revert-drm-imx-annotate-dma-fence-critical-section-i.patch create mode 100644 queue-5.15/revert-wcn36xx-enable-firmware-link-monitoring.patch create mode 100644 queue-5.15/rpmsg-fix-rpmsg_create_ept-return-when-rpmsg-config-.patch create mode 100644 queue-5.15/rsi-stop-thread-firstly-in-rsi_91x_init-error-handli.patch create mode 100644 queue-5.15/rtc-ds1302-add-spi-id-table.patch create mode 100644 queue-5.15/rtc-ds1390-add-spi-id-table.patch create mode 100644 queue-5.15/rtc-mcp795-add-spi-id-table.patch create mode 100644 queue-5.15/rtc-pcf2123-add-spi-id-table.patch create mode 100644 queue-5.15/rtc-rv3032-fix-error-handling-in-rv3032_clkout_set_r.patch create mode 100644 queue-5.15/rtw88-fix-rx-clock-gate-setting-while-fifo-dump.patch create mode 100644 queue-5.15/rxrpc-fix-_usecs_to_jiffies-by-using-usecs_to_jiffie.patch create mode 100644 queue-5.15/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch create mode 100644 queue-5.15/s390-gmap-validate-vma-in-__gmap_zap.patch create mode 100644 queue-5.15/s390-mm-fix-vma-and-page-table-handling-code-in-stor.patch create mode 100644 queue-5.15/s390-mm-validate-vma-in-pgste-manipulation-functions.patch create mode 100644 queue-5.15/s390-uv-fully-validate-the-vma-before-calling-follow.patch create mode 100644 queue-5.15/samples-bpf-fix-application-of-sizeof-to-pointer.patch create mode 100644 queue-5.15/samples-kretprobes-fix-return-value-if-register_kret.patch create mode 100644 queue-5.15/sched-add-wrapper-for-get_wchan-to-keep-task-blocked.patch create mode 100644 queue-5.15/scs-release-kasan-vmalloc-poison-in-scs_free-process.patch create mode 100644 queue-5.15/scsi-bsg-fix-errno-when-scsi_bsg_register_queue-fail.patch create mode 100644 queue-5.15/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch create mode 100644 queue-5.15/scsi-dc395-fix-error-case-unwinding.patch create mode 100644 queue-5.15/scsi-lpfc-fix-nvme-i-o-failover-to-non-optimized-pat.patch create mode 100644 queue-5.15/scsi-lpfc-wait-for-successful-restart-of-sli3-adapte.patch create mode 100644 queue-5.15/scsi-megaraid_sas-fix-concurrent-access-to-isr-betwe.patch create mode 100644 queue-5.15/scsi-pm80xx-fix-lockup-in-outbound-queue-management.patch create mode 100644 queue-5.15/scsi-pm80xx-fix-misleading-log-statement-in-pm8001_m.patch create mode 100644 queue-5.15/scsi-qla2xxx-edif-fix-app-start-delay.patch create mode 100644 queue-5.15/scsi-qla2xxx-edif-fix-app-start-fail.patch create mode 100644 queue-5.15/scsi-qla2xxx-edif-fix-edif-bsg.patch create mode 100644 queue-5.15/scsi-qla2xxx-edif-flush-stale-events-and-msgs-on-ses.patch create mode 100644 queue-5.15/scsi-qla2xxx-edif-increase-els-payload.patch create mode 100644 queue-5.15/scsi-qla2xxx-edif-use-link-event-to-wake-up-app.patch create mode 100644 queue-5.15/scsi-qla2xxx-fix-gnl-list-corruption.patch create mode 100644 queue-5.15/scsi-qla2xxx-relogin-during-fabric-disturbance.patch create mode 100644 queue-5.15/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch create mode 100644 queue-5.15/scsi-target-core-remove-from-tmr_list-during-lun-unl.patch create mode 100644 queue-5.15/scsi-ufs-core-fix-null-pointer-dereference.patch create mode 100644 queue-5.15/scsi-ufs-core-fix-ufshcd_probe_hba-prototype-to-matc.patch create mode 100644 queue-5.15/scsi-ufs-core-stop-clearing-unit-attentions.patch create mode 100644 queue-5.15/scsi-ufs-ufshcd-pltfrm-fix-memory-leak-due-to-probe-.patch create mode 100644 queue-5.15/scsi-ufs-ufshpb-properly-handle-max-single-cmd.patch create mode 100644 queue-5.15/scsi-ufs-ufshpb-use-proper-power-management-api.patch create mode 100644 queue-5.15/sctp-allow-ip-fragmentation-when-plpmtud-enters-erro.patch create mode 100644 queue-5.15/sctp-reset-probe_timer-in-sctp_transport_pl_update.patch create mode 100644 queue-5.15/sctp-return-true-only-for-pathmtu-update-in-sctp_tra.patch create mode 100644 queue-5.15/sctp-subtract-sctphdr-len-in-sctp_transport_pl_hlen.patch create mode 100644 queue-5.15/selftests-bpf-fix-fclose-pclose-mismatch-in-test_pro.patch create mode 100644 queue-5.15/selftests-bpf-fix-fd-cleanup-in-sk_lookup-test.patch create mode 100644 queue-5.15/selftests-bpf-fix-memory-leak-in-test_ima.patch create mode 100644 queue-5.15/selftests-bpf-fix-perf_buffer-test-on-system-with-of.patch create mode 100644 queue-5.15/selftests-bpf-fix-strobemeta-selftest-regression.patch create mode 100644 queue-5.15/selftests-bpf-xdp_redirect_multi-give-tcpdump-a-chan.patch create mode 100644 queue-5.15/selftests-bpf-xdp_redirect_multi-limit-the-tests-in-.patch create mode 100644 queue-5.15/selftests-bpf-xdp_redirect_multi-put-the-logs-to-tmp.patch create mode 100644 queue-5.15/selftests-bpf-xdp_redirect_multi-use-arping-to-accur.patch create mode 100644 queue-5.15/selftests-core-fix-conflicting-types-compile-error-f.patch create mode 100644 queue-5.15/selftests-kvm-fix-mismatched-fclose-after-popen.patch create mode 100644 queue-5.15/selftests-mptcp-fix-proto-type-in-link_failure-tests.patch create mode 100644 queue-5.15/selftests-net-bridge-update-igmp-mld-membership-inte.patch create mode 100644 queue-5.15/selftests-net-fib_nexthops-wait-before-checking-repo.patch create mode 100644 queue-5.15/selftests-net-properly-support-ipv6-in-gso-gre-test.patch create mode 100644 queue-5.15/selftests-net-udpgso_bench_rx-fix-port-argument.patch create mode 100644 queue-5.15/seq_file-fix-passing-wrong-private-data.patch create mode 100644 queue-5.15/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch create mode 100644 queue-5.15/serial-cpm_uart-protect-udbg-definitions-by-config_s.patch create mode 100644 queue-5.15/serial-imx-fix-detach-attach-of-serial-console.patch create mode 100644 queue-5.15/serial-xilinx_uartps-fix-race-condition-causing-stuc.patch create mode 100644 queue-5.15/signal-sh-use-force_sig-sigkill-instead-of-do_group_.patch create mode 100644 queue-5.15/skmsg-lose-offset-info-in-sk_psock_skb_ingress.patch create mode 100644 queue-5.15/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch create mode 100644 queue-5.15/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch create mode 100644 queue-5.15/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch create mode 100644 queue-5.15/soc-fsl-dpaa2-console-free-buffer-before-returning-f.patch create mode 100644 queue-5.15/soc-qcom-apr-add-of_node_put-before-return.patch create mode 100644 queue-5.15/soc-qcom-llcc-disable-mmuhwt-retention.patch create mode 100644 queue-5.15/soc-qcom-rpmhpd-fix-sm8350_mxc-s-peer-domain.patch create mode 100644 queue-5.15/soc-qcom-rpmhpd-make-power_on-actually-enable-the-do.patch create mode 100644 queue-5.15/soc-qcom-socinfo-add-two-missing-pmic-ids.patch create mode 100644 queue-5.15/soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch create mode 100644 queue-5.15/soundwire-bus-stop-dereferencing-invalid-slave-point.patch create mode 100644 queue-5.15/soundwire-debugfs-use-controller-id-and-link_id-for-.patch create mode 100644 queue-5.15/sparc-add-missing-force-target-when-using-if_changed.patch create mode 100644 queue-5.15/spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch create mode 100644 queue-5.15/spi-check-we-have-a-spi_device_id-for-each-dt-compat.patch create mode 100644 queue-5.15/spi-fixed-division-by-zero-warning.patch create mode 100644 queue-5.15/spi-spi-rpc-if-check-return-value-of-rpcif_sw_init.patch create mode 100644 queue-5.15/staging-ks7010-select-crypto_hash-crypto_michael_mic.patch create mode 100644 queue-5.15/staging-most-dim2-do-not-double-register-the-same-de.patch create mode 100644 queue-5.15/staging-r8188eu-fix-memory-leak-in-rtw_set_key.patch create mode 100644 queue-5.15/task_stack-fix-end_of_stack-for-architectures-with-u.patch create mode 100644 queue-5.15/tcp-don-t-free-a-fin-sk_buff-in-tcp_remove_empty_skb.patch create mode 100644 queue-5.15/tcp-switch-orphan_count-to-bare-per-cpu-counters.patch create mode 100644 queue-5.15/thermal-core-fix-a-uaf-bug-in-__thermal_cooling_devi.patch create mode 100644 queue-5.15/thermal-core-fix-null-pointer-dereference-in-thermal.patch create mode 100644 queue-5.15/thermal-drivers-qcom-lmh-make-qcom_lmh-depends-on-qc.patch create mode 100644 queue-5.15/thermal-drivers-tsens-add-timeout-to-get_temp_tsens_.patch create mode 100644 queue-5.15/thermal-int340x-fix-build-on-32-bit-targets.patch create mode 100644 queue-5.15/tools-latency-collector-use-correct-size-when-writin.patch create mode 100644 queue-5.15/tpm-fix-atmel-tpm-crash-caused-by-too-frequent-queri.patch create mode 100644 queue-5.15/tpm_tis_spi-add-missing-spi-id.patch create mode 100644 queue-5.15/tracefs-have-tracefs-directories-not-set-oth-permiss.patch create mode 100644 queue-5.15/tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch create mode 100644 queue-5.15/tracing-disable-other-permission-bits-in-the-tracefs.patch create mode 100644 queue-5.15/tracing-fix-missing-trace_boot_init_histograms-kstrd.patch create mode 100644 queue-5.15/udp6-allow-so_mark-ctrl-msg-to-affect-routing.patch create mode 100644 queue-5.15/usb-dwc2-drd-fix-dwc2_drd_role_sw_set-when-clock-cou.patch create mode 100644 queue-5.15/usb-dwc2-drd-fix-dwc2_force_mode-call-in-dwc2_ovr_in.patch create mode 100644 queue-5.15/usb-dwc2-drd-reset-current-session-before-setting-th.patch create mode 100644 queue-5.15/usb-dwc3-gadget-skip-resizing-ep-s-tx-fifo-if-alread.patch create mode 100644 queue-5.15/usb-gadget-hid-fix-error-code-in-do_config.patch create mode 100644 queue-5.15/usb-musb-select-generic_phy-instead-of-depending-on-.patch create mode 100644 queue-5.15/usb-typec-stusb160x-should-select-regmap_i2c.patch create mode 100644 queue-5.15/vdpa-mlx5-fix-clearing-of-virtio_net_f_mac-feature-b.patch create mode 100644 queue-5.15/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch create mode 100644 queue-5.15/virtio-gpu-fix-possible-memory-allocation-failure.patch create mode 100644 queue-5.15/virtio_ring-check-desc-null-when-using-indirect-with.patch create mode 100644 queue-5.15/vrf-run-conntrack-only-in-context-of-lower-physdev-f.patch create mode 100644 queue-5.15/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch create mode 100644 queue-5.15/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch create mode 100644 queue-5.15/wcn36xx-add-proper-dma-memory-barriers-in-rx-path.patch create mode 100644 queue-5.15/wcn36xx-channel-list-update-before-hardware-scan.patch create mode 100644 queue-5.15/wcn36xx-correct-band-freq-reporting-on-rx.patch create mode 100644 queue-5.15/wcn36xx-fix-antenna-diversity-switching.patch create mode 100644 queue-5.15/wcn36xx-fix-discarded-frames-due-to-wrong-sequence-n.patch create mode 100644 queue-5.15/wcn36xx-fix-packet-drop-on-resume.patch create mode 100644 queue-5.15/wilc1000-fix-possible-memory-leak-in-cfg_scan_result.patch create mode 100644 queue-5.15/workqueue-make-sysfs-of-unbound-kworker-cpumask-more.patch create mode 100644 queue-5.15/x86-fix-__get_wchan-for-stacktrace.patch create mode 100644 queue-5.15/x86-fix-get_wchan-to-support-the-orc-unwinder.patch create mode 100644 queue-5.15/x86-hyperv-protect-set_hv_tscchange_cb-against-getti.patch create mode 100644 queue-5.15/x86-increase-exception-stack-sizes.patch create mode 100644 queue-5.15/x86-insn-use-get_unaligned-instead-of-memcpy.patch create mode 100644 queue-5.15/x86-mm-64-improve-stack-overflow-warnings.patch create mode 100644 queue-5.15/x86-sev-fix-stack-type-check-in-vc_switch_off_ist.patch create mode 100644 queue-5.15/x86-xen-mark-cpu_bringup_and_idle-as-dead_end_functi.patch create mode 100644 queue-5.15/xen-pciback-fix-return-in-pm_ctrl_init.patch create mode 100644 queue-5.15/zram-off-by-one-in-read_block_state.patch diff --git a/queue-5.15/acpi-ac-quirk-gk45-to-skip-reading-_psr.patch b/queue-5.15/acpi-ac-quirk-gk45-to-skip-reading-_psr.patch new file mode 100644 index 00000000000..a774faa9c67 --- /dev/null +++ b/queue-5.15/acpi-ac-quirk-gk45-to-skip-reading-_psr.patch @@ -0,0 +1,96 @@ +From b944ba8dbcc2d5e6007ec5b8228d326cea9106be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Oct 2021 15:04:45 -0700 +Subject: ACPI: AC: Quirk GK45 to skip reading _PSR + +From: Stefan Schaeckeler + +[ Upstream commit 3d730ee686800d71ecc5c3cb8460dcdcdeaf38a3 ] + +Let GK45 not go into BIOS for determining the AC power state. + +The BIOS wrongly returns 0, so hardcode the power state to 1. + +The mini PC GK45 by Besstar Tech Lld. (aka Kodlix) just runs +off AC. It does not include any batteries. Nevertheless BIOS +reports AC off: + +root@kodlix:/usr/src/linux# cat /sys/class/power_supply/ADP1/online +0 + +root@kodlix:/usr/src/linux# modprobe acpi_dbg +root@kodlix:/usr/src/linux# tools/power/acpi/acpidbg + +- find _PSR + \_SB.PCI0.SBRG.H_EC.ADP1._PSR Method 000000009283cee8 001 Args 0 Len 001C Aml 00000000f54e5f67 + +- execute \_SB.PCI0.SBRG.H_EC.ADP1._PSR +Evaluating \_SB.PCI0.SBRG.H_EC.ADP1._PSR +Evaluation of \_SB.PCI0.SBRG.H_EC.ADP1._PSR returned object 00000000dc08c187, external buffer length 18 + [Integer] = 0000000000000000 + +that should be + + [Integer] = 0000000000000001 + +Signed-off-by: Stefan Schaeckeler +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/ac.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/acpi/ac.c b/drivers/acpi/ac.c +index b0cb662233f1a..81aff651a0d49 100644 +--- a/drivers/acpi/ac.c ++++ b/drivers/acpi/ac.c +@@ -61,6 +61,7 @@ static SIMPLE_DEV_PM_OPS(acpi_ac_pm, NULL, acpi_ac_resume); + + static int ac_sleep_before_get_state_ms; + static int ac_check_pmic = 1; ++static int ac_only; + + static struct acpi_driver acpi_ac_driver = { + .name = "ac", +@@ -93,6 +94,11 @@ static int acpi_ac_get_state(struct acpi_ac *ac) + if (!ac) + return -EINVAL; + ++ if (ac_only) { ++ ac->state = 1; ++ return 0; ++ } ++ + status = acpi_evaluate_integer(ac->device->handle, "_PSR", NULL, + &ac->state); + if (ACPI_FAILURE(status)) { +@@ -200,6 +206,12 @@ static int __init ac_do_not_check_pmic_quirk(const struct dmi_system_id *d) + return 0; + } + ++static int __init ac_only_quirk(const struct dmi_system_id *d) ++{ ++ ac_only = 1; ++ return 0; ++} ++ + /* Please keep this list alphabetically sorted */ + static const struct dmi_system_id ac_dmi_table[] __initconst = { + { +@@ -209,6 +221,13 @@ static const struct dmi_system_id ac_dmi_table[] __initconst = { + DMI_MATCH(DMI_PRODUCT_NAME, "EF20EA"), + }, + }, ++ { ++ /* Kodlix GK45 returning incorrect state */ ++ .callback = ac_only_quirk, ++ .matches = { ++ DMI_MATCH(DMI_PRODUCT_NAME, "GK45"), ++ }, ++ }, + { + /* Lenovo Ideapad Miix 320, AXP288 PMIC, separate fuel-gauge */ + .callback = ac_do_not_check_pmic_quirk, +-- +2.33.0 + diff --git a/queue-5.15/acpi-battery-accept-charges-over-the-design-capacity.patch b/queue-5.15/acpi-battery-accept-charges-over-the-design-capacity.patch new file mode 100644 index 00000000000..7ca99caaf70 --- /dev/null +++ b/queue-5.15/acpi-battery-accept-charges-over-the-design-capacity.patch @@ -0,0 +1,44 @@ +From 4172740fec1edee6da5a92e1f58b5070f7aadbe5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 00:05:29 -0300 +Subject: ACPI: battery: Accept charges over the design capacity as full +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: André Almeida + +[ Upstream commit 2835f327bd1240508db2c89fe94a056faa53c49a ] + +Some buggy firmware and/or brand new batteries can support a charge that's +slightly over the reported design capacity. In such cases, the kernel will +report to userspace that the charging state of the battery is "Unknown", +when in reality the battery charge is "Full", at least from the design +capacity point of view. Make the fallback condition accepts capacities +over the designed capacity so userspace knows that is full. + +Signed-off-by: André Almeida +Reviewed-by: Hans de Goede +Reviewed-by: Sebastian Reichel +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index dae91f906cea9..8afa85d6eb6a7 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -169,7 +169,7 @@ static int acpi_battery_is_charged(struct acpi_battery *battery) + return 1; + + /* fallback to using design values for broken batteries */ +- if (battery->design_capacity == battery->capacity_now) ++ if (battery->design_capacity <= battery->capacity_now) + return 1; + + /* we don't do any sort of metric based on percentages */ +-- +2.33.0 + diff --git a/queue-5.15/acpi-pm-fix-device-wakeup-power-reference-counting-e.patch b/queue-5.15/acpi-pm-fix-device-wakeup-power-reference-counting-e.patch new file mode 100644 index 00000000000..d8f978fef8b --- /dev/null +++ b/queue-5.15/acpi-pm-fix-device-wakeup-power-reference-counting-e.patch @@ -0,0 +1,44 @@ +From 1d09e3b0062423466cefbca032e6a71462db7a23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 22:54:17 +0100 +Subject: ACPI: PM: Fix device wakeup power reference counting error + +From: Rafael J. Wysocki + +[ Upstream commit 452a3e723f75880757acf87b053935c43aa89f89 ] + +Fix a device wakeup power reference counting error introduced by +commit a2d7b2e004af ("ACPI: PM: Fix sharing of wakeup power +resources") because of a coding mistake. + +Fixes: a2d7b2e004af ("ACPI: PM: Fix sharing of wakeup power resources") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/power.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/power.c b/drivers/acpi/power.c +index 4b42debeed455..c95eedd58f5bf 100644 +--- a/drivers/acpi/power.c ++++ b/drivers/acpi/power.c +@@ -755,13 +755,11 @@ int acpi_disable_wakeup_device_power(struct acpi_device *dev) + + mutex_lock(&acpi_device_lock); + +- if (dev->wakeup.prepare_count > 1) { +- dev->wakeup.prepare_count--; ++ /* Do nothing if wakeup power has not been enabled for this device. */ ++ if (dev->wakeup.prepare_count <= 0) + goto out; +- } + +- /* Do nothing if wakeup power has not been enabled for this device. */ +- if (!dev->wakeup.prepare_count) ++ if (--dev->wakeup.prepare_count > 0) + goto out; + + err = acpi_device_sleep_wake(dev, 0, 0, 0); +-- +2.33.0 + diff --git a/queue-5.15/acpi-pm-fix-sharing-of-wakeup-power-resources.patch b/queue-5.15/acpi-pm-fix-sharing-of-wakeup-power-resources.patch new file mode 100644 index 00000000000..93b06d9283f --- /dev/null +++ b/queue-5.15/acpi-pm-fix-sharing-of-wakeup-power-resources.patch @@ -0,0 +1,168 @@ +From 7f7ce0851d4f0f7f70e7958d0c8a65342305d86b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 12:11:08 +0200 +Subject: ACPI: PM: Fix sharing of wakeup power resources + +From: Rafael J. Wysocki + +[ Upstream commit a2d7b2e004af6b09f21ac3d10f8f4456c16a8ddf ] + +If an ACPI wakeup power resource is shared between multiple devices, +it may not be managed correctly. + +Suppose, for example, that two devices, A and B, share a wakeup power +resource P whose wakeup_enabled flag is 0 initially. Next, suppose +that wakeup power is enabled for A and B, in this order, and disabled +for B. When wakeup power is enabled for A, P will be turned on and +its wakeup_enabled flag will be set. Next, when wakeup power is +enabled for B, P will not be touched, because its wakeup_enabled flag +is set. Now, when wakeup power is disabled for B, P will be turned +off which is incorrect, because A will still need P in order to signal +wakeup. + +Moreover, if wakeup power is enabled for A and then disabled for B, +the latter will cause P to be turned off incorrectly (it will be still +needed by A), because acpi_disable_wakeup_device_power() is allowed +to manipulate power resources when the wakeup.prepare_count counter +of the given device is 0. + +While the first issue could be addressed by changing the +wakeup_enabled power resource flag into a counter, addressing the +second one requires modifying acpi_disable_wakeup_device_power() to +do nothing when the target device's wakeup.prepare_count reference +counter is zero and that would cause the new counter to be redundant. +Namely, if acpi_disable_wakeup_device_power() is modified as per the +above, every change of the new counter following a wakeup.prepare_count +change would be reflected by the analogous change of the main reference +counter of the given power resource. + +Accordingly, modify acpi_disable_wakeup_device_power() to do nothing +when the target device's wakeup.prepare_count reference counter is +zero and drop the power resource wakeup_enabled flag altogether. + +While at it, ensure that all of the power resources that can be +turned off will be turned off when disabling device wakeup due to +a power resource manipulation error, to prevent energy from being +wasted. + +Fixes: b5d667eb392e ("ACPI / PM: Take unusual configurations of power resources into account") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/power.c | 69 +++++++++++++++----------------------------- + 1 file changed, 24 insertions(+), 45 deletions(-) + +diff --git a/drivers/acpi/power.c b/drivers/acpi/power.c +index 3d34cee0cc101..4b42debeed455 100644 +--- a/drivers/acpi/power.c ++++ b/drivers/acpi/power.c +@@ -52,7 +52,6 @@ struct acpi_power_resource { + u32 order; + unsigned int ref_count; + u8 state; +- bool wakeup_enabled; + struct mutex resource_lock; + struct list_head dependents; + }; +@@ -710,7 +709,6 @@ int acpi_device_sleep_wake(struct acpi_device *dev, + */ + int acpi_enable_wakeup_device_power(struct acpi_device *dev, int sleep_state) + { +- struct acpi_power_resource_entry *entry; + int err = 0; + + if (!dev || !dev->wakeup.flags.valid) +@@ -721,26 +719,13 @@ int acpi_enable_wakeup_device_power(struct acpi_device *dev, int sleep_state) + if (dev->wakeup.prepare_count++) + goto out; + +- list_for_each_entry(entry, &dev->wakeup.resources, node) { +- struct acpi_power_resource *resource = entry->resource; +- +- mutex_lock(&resource->resource_lock); +- +- if (!resource->wakeup_enabled) { +- err = acpi_power_on_unlocked(resource); +- if (!err) +- resource->wakeup_enabled = true; +- } +- +- mutex_unlock(&resource->resource_lock); +- +- if (err) { +- dev_err(&dev->dev, +- "Cannot turn wakeup power resources on\n"); +- dev->wakeup.flags.valid = 0; +- goto out; +- } ++ err = acpi_power_on_list(&dev->wakeup.resources); ++ if (err) { ++ dev_err(&dev->dev, "Cannot turn on wakeup power resources\n"); ++ dev->wakeup.flags.valid = 0; ++ goto out; + } ++ + /* + * Passing 3 as the third argument below means the device may be + * put into arbitrary power state afterward. +@@ -770,39 +755,33 @@ int acpi_disable_wakeup_device_power(struct acpi_device *dev) + + mutex_lock(&acpi_device_lock); + +- if (--dev->wakeup.prepare_count > 0) ++ if (dev->wakeup.prepare_count > 1) { ++ dev->wakeup.prepare_count--; + goto out; ++ } + +- /* +- * Executing the code below even if prepare_count is already zero when +- * the function is called may be useful, for example for initialisation. +- */ +- if (dev->wakeup.prepare_count < 0) +- dev->wakeup.prepare_count = 0; ++ /* Do nothing if wakeup power has not been enabled for this device. */ ++ if (!dev->wakeup.prepare_count) ++ goto out; + + err = acpi_device_sleep_wake(dev, 0, 0, 0); + if (err) + goto out; + ++ /* ++ * All of the power resources in the list need to be turned off even if ++ * there are errors. ++ */ + list_for_each_entry(entry, &dev->wakeup.resources, node) { +- struct acpi_power_resource *resource = entry->resource; +- +- mutex_lock(&resource->resource_lock); +- +- if (resource->wakeup_enabled) { +- err = acpi_power_off_unlocked(resource); +- if (!err) +- resource->wakeup_enabled = false; +- } +- +- mutex_unlock(&resource->resource_lock); ++ int ret; + +- if (err) { +- dev_err(&dev->dev, +- "Cannot turn wakeup power resources off\n"); +- dev->wakeup.flags.valid = 0; +- break; +- } ++ ret = acpi_power_off(entry->resource); ++ if (ret && !err) ++ err = ret; ++ } ++ if (err) { ++ dev_err(&dev->dev, "Cannot turn off wakeup power resources\n"); ++ dev->wakeup.flags.valid = 0; + } + + out: +-- +2.33.0 + diff --git a/queue-5.15/acpi-pm-turn-off-unused-wakeup-power-resources.patch b/queue-5.15/acpi-pm-turn-off-unused-wakeup-power-resources.patch new file mode 100644 index 00000000000..18321363dd5 --- /dev/null +++ b/queue-5.15/acpi-pm-turn-off-unused-wakeup-power-resources.patch @@ -0,0 +1,67 @@ +From 8e9d98059a8af9e4ec4e7383f5083b3f2563a49d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 19:01:28 +0200 +Subject: ACPI: PM: Turn off unused wakeup power resources + +From: Rafael J. Wysocki + +[ Upstream commit 7a63296d6f579a02b2675b4b0fe5b1cd3235e8d3 ] + +If an ACPI power resource is found to be "on" during the +initialization of the list of wakeup power resources of a device, +it is reference counted and its wakeup_enabled flag is set, which is +problematic if the deivce in question is the only user of the given +power resource, it is never runtime-suspended and it is not allowed +to wake up the system from sleep, because in that case the given +power resource will stay "on" until the system reboots and energy +will be wasted. + +It is better to simply turn off wakeup power resources that are "on" +during the initialization unless their reference counters are not +zero, because that may be the only opportunity to prevent them from +staying in the "on" state all the time. + +Fixes: b5d667eb392e ("ACPI / PM: Take unusual configurations of power resources into account") +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/power.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/acpi/power.c b/drivers/acpi/power.c +index f0ed4414edb1f..3d34cee0cc101 100644 +--- a/drivers/acpi/power.c ++++ b/drivers/acpi/power.c +@@ -615,20 +615,19 @@ int acpi_power_wakeup_list_init(struct list_head *list, int *system_level_p) + + list_for_each_entry(entry, list, node) { + struct acpi_power_resource *resource = entry->resource; +- int result; + u8 state; + + mutex_lock(&resource->resource_lock); + +- result = acpi_power_get_state(resource, &state); +- if (result) { +- mutex_unlock(&resource->resource_lock); +- return result; +- } +- if (state == ACPI_POWER_RESOURCE_STATE_ON) { +- resource->ref_count++; +- resource->wakeup_enabled = true; +- } ++ /* ++ * Make sure that the power resource state and its reference ++ * counter value are consistent with each other. ++ */ ++ if (!resource->ref_count && ++ !acpi_power_get_state(resource, &state) && ++ state == ACPI_POWER_RESOURCE_STATE_ON) ++ __acpi_power_off(resource); ++ + if (system_level > resource->system_level) + system_level = resource->system_level; + +-- +2.33.0 + diff --git a/queue-5.15/acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch b/queue-5.15/acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch new file mode 100644 index 00000000000..0695bab51b3 --- /dev/null +++ b/queue-5.15/acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch @@ -0,0 +1,141 @@ +From 4896acc0645bb3d8eedabcd8466e12ffca634a79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 16:31:35 +0100 +Subject: ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses + +From: Hans de Goede + +[ Upstream commit 009a789443fe4c8e6b1ecb7c16b4865c026184cd ] + +The handling of PMIC register reads through writing 0 to address 4 +of the OpRegion is wrong. Instead of returning the read value +through the value64, which is a no-op for function == ACPI_WRITE calls, +store the value and then on a subsequent function == ACPI_READ with +address == 3 (the address for the value field of the OpRegion) +return the stored value. + +This has been tested on a Xiaomi Mi Pad 2 and makes the ACPI battery dev +there mostly functional (unfortunately there are still other issues). + +Here are the SET() / GET() functions of the PMIC ACPI device, +which use this OpRegion, which clearly show the new behavior to +be correct: + +OperationRegion (REGS, 0x8F, Zero, 0x50) +Field (REGS, ByteAcc, NoLock, Preserve) +{ + CLNT, 8, + SA, 8, + OFF, 8, + VAL, 8, + RWM, 8 +} + +Method (GET, 3, Serialized) +{ + If ((AVBE == One)) + { + CLNT = Arg0 + SA = Arg1 + OFF = Arg2 + RWM = Zero + If ((AVBG == One)) + { + GPRW = Zero + } + } + + Return (VAL) /* \_SB_.PCI0.I2C7.PMI5.VAL_ */ +} + +Method (SET, 4, Serialized) +{ + If ((AVBE == One)) + { + CLNT = Arg0 + SA = Arg1 + OFF = Arg2 + VAL = Arg3 + RWM = One + If ((AVBG == One)) + { + GPRW = One + } + } +} + +Fixes: 0afa877a5650 ("ACPI / PMIC: intel: add REGS operation region support") +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/pmic/intel_pmic.c | 51 +++++++++++++++++++--------------- + 1 file changed, 28 insertions(+), 23 deletions(-) + +diff --git a/drivers/acpi/pmic/intel_pmic.c b/drivers/acpi/pmic/intel_pmic.c +index a371f273f99dd..9cde299eba880 100644 +--- a/drivers/acpi/pmic/intel_pmic.c ++++ b/drivers/acpi/pmic/intel_pmic.c +@@ -211,31 +211,36 @@ static acpi_status intel_pmic_regs_handler(u32 function, + void *handler_context, void *region_context) + { + struct intel_pmic_opregion *opregion = region_context; +- int result = 0; ++ int result = -EINVAL; ++ ++ if (function == ACPI_WRITE) { ++ switch (address) { ++ case 0: ++ return AE_OK; ++ case 1: ++ opregion->ctx.addr |= (*value64 & 0xff) << 8; ++ return AE_OK; ++ case 2: ++ opregion->ctx.addr |= *value64 & 0xff; ++ return AE_OK; ++ case 3: ++ opregion->ctx.val = *value64 & 0xff; ++ return AE_OK; ++ case 4: ++ if (*value64) { ++ result = regmap_write(opregion->regmap, opregion->ctx.addr, ++ opregion->ctx.val); ++ } else { ++ result = regmap_read(opregion->regmap, opregion->ctx.addr, ++ &opregion->ctx.val); ++ } ++ opregion->ctx.addr = 0; ++ } ++ } + +- switch (address) { +- case 0: +- return AE_OK; +- case 1: +- opregion->ctx.addr |= (*value64 & 0xff) << 8; +- return AE_OK; +- case 2: +- opregion->ctx.addr |= *value64 & 0xff; ++ if (function == ACPI_READ && address == 3) { ++ *value64 = opregion->ctx.val; + return AE_OK; +- case 3: +- opregion->ctx.val = *value64 & 0xff; +- return AE_OK; +- case 4: +- if (*value64) { +- result = regmap_write(opregion->regmap, opregion->ctx.addr, +- opregion->ctx.val); +- } else { +- result = regmap_read(opregion->regmap, opregion->ctx.addr, +- &opregion->ctx.val); +- if (result == 0) +- *value64 = opregion->ctx.val; +- } +- memset(&opregion->ctx, 0x00, sizeof(opregion->ctx)); + } + + if (result < 0) { +-- +2.33.0 + diff --git a/queue-5.15/acpi-resources-add-dmi-based-legacy-irq-override-qui.patch b/queue-5.15/acpi-resources-add-dmi-based-legacy-irq-override-qui.patch new file mode 100644 index 00000000000..42b46fa9ab8 --- /dev/null +++ b/queue-5.15/acpi-resources-add-dmi-based-legacy-irq-override-qui.patch @@ -0,0 +1,112 @@ +From f771e0acdebc95c355b3ab21a5bfe3bb6df23dac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 21:09:05 +0800 +Subject: ACPI: resources: Add DMI-based legacy IRQ override quirk + +From: Hui Wang + +[ Upstream commit 892a012699fc0b91a2ed6309078936191447f480 ] + +After the commit 0ec4e55e9f57 ("ACPI: resources: Add checks for ACPI +IRQ override") is reverted, the keyboard on Medion laptops can't +work again. + +To fix the keyboard issue, add a DMI-based override check that will +not affect other machines along the lines of prt_quirks[] in +drivers/acpi/pci_irq.c. + +If similar issues are seen on other platforms, the quirk table could +be expanded in the future. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213031 +BugLink: http://bugs.launchpad.net/bugs/1909814 +Suggested-by: Rafael J. Wysocki +Reported-by: Manuel Krause +Tested-by: Manuel Krause +Signed-off-by: Hui Wang +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 49 +++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 47 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index ee78a210c6068..7bf38652e6aca 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + + #ifdef CONFIG_X86 + #define valid_IRQ(i) (((i) != 0) && ((i) != 2)) +@@ -380,9 +381,51 @@ unsigned int acpi_dev_get_irq_type(int triggering, int polarity) + } + EXPORT_SYMBOL_GPL(acpi_dev_get_irq_type); + ++static const struct dmi_system_id medion_laptop[] = { ++ { ++ .ident = "MEDION P15651", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MEDION"), ++ DMI_MATCH(DMI_BOARD_NAME, "M15T"), ++ }, ++ }, ++ { } ++}; ++ ++struct irq_override_cmp { ++ const struct dmi_system_id *system; ++ unsigned char irq; ++ unsigned char triggering; ++ unsigned char polarity; ++ unsigned char shareable; ++}; ++ ++static const struct irq_override_cmp skip_override_table[] = { ++ { medion_laptop, 1, ACPI_LEVEL_SENSITIVE, ACPI_ACTIVE_LOW, 0 }, ++}; ++ ++static bool acpi_dev_irq_override(u32 gsi, u8 triggering, u8 polarity, ++ u8 shareable) ++{ ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(skip_override_table); i++) { ++ const struct irq_override_cmp *entry = &skip_override_table[i]; ++ ++ if (dmi_check_system(entry->system) && ++ entry->irq == gsi && ++ entry->triggering == triggering && ++ entry->polarity == polarity && ++ entry->shareable == shareable) ++ return false; ++ } ++ ++ return true; ++} ++ + static void acpi_dev_get_irqresource(struct resource *res, u32 gsi, + u8 triggering, u8 polarity, u8 shareable, +- bool legacy) ++ bool check_override) + { + int irq, p, t; + +@@ -401,7 +444,9 @@ static void acpi_dev_get_irqresource(struct resource *res, u32 gsi, + * using extended IRQ descriptors we take the IRQ configuration + * from _CRS directly. + */ +- if (legacy && !acpi_get_override_irq(gsi, &t, &p)) { ++ if (check_override && ++ acpi_dev_irq_override(gsi, triggering, polarity, shareable) && ++ !acpi_get_override_irq(gsi, &t, &p)) { + u8 trig = t ? ACPI_LEVEL_SENSITIVE : ACPI_EDGE_SENSITIVE; + u8 pol = p ? ACPI_ACTIVE_LOW : ACPI_ACTIVE_HIGH; + +-- +2.33.0 + diff --git a/queue-5.15/acpi-resources-add-one-more-medion-model-in-irq-over.patch b/queue-5.15/acpi-resources-add-one-more-medion-model-in-irq-over.patch new file mode 100644 index 00000000000..abff00db8d6 --- /dev/null +++ b/queue-5.15/acpi-resources-add-one-more-medion-model-in-irq-over.patch @@ -0,0 +1,44 @@ +From f8b03bd0bfd2acb10ed3c7f8c22f78d53f44da91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 14:16:01 +0800 +Subject: ACPI: resources: Add one more Medion model in IRQ override quirk + +From: Hui Wang + +[ Upstream commit 1b26ae40092b43bb6e9c5df376227382b390b953 ] + +The Medion s17 series laptops have the same issue on the keyboard +as the s15 series, if skipping to call acpi_get_override_irq(), the +keyboard could work well. So put the DMI info of s17 series in the +IRQ override quirk table as well. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213031 +Tested-by: dirksche +Signed-off-by: Hui Wang +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/resource.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c +index 7bf38652e6aca..3c25ce8c95ba1 100644 +--- a/drivers/acpi/resource.c ++++ b/drivers/acpi/resource.c +@@ -389,6 +389,13 @@ static const struct dmi_system_id medion_laptop[] = { + DMI_MATCH(DMI_BOARD_NAME, "M15T"), + }, + }, ++ { ++ .ident = "MEDION S17405", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MEDION"), ++ DMI_MATCH(DMI_BOARD_NAME, "M17T"), ++ }, ++ }, + { } + }; + +-- +2.33.0 + diff --git a/queue-5.15/acpi-scan-release-pm-resources-blocked-by-unused-obj.patch b/queue-5.15/acpi-scan-release-pm-resources-blocked-by-unused-obj.patch new file mode 100644 index 00000000000..438e1797a12 --- /dev/null +++ b/queue-5.15/acpi-scan-release-pm-resources-blocked-by-unused-obj.patch @@ -0,0 +1,99 @@ +From 445ff66bc9f188dc5628637960959f60467c6358 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Oct 2021 16:22:09 +0200 +Subject: ACPI: scan: Release PM resources blocked by unused objects + +From: Rafael J. Wysocki + +[ Upstream commit c10383e8ddf4810b9a5c1595404c2724d925a0a6 ] + +On some systems the ACPI namespace contains device objects that are +not used in certain configurations of the system. If they start off +in the D0 power state configuration, they will stay in it until the +system reboots, because of the lack of any mechanism possibly causing +their configuration to change. If that happens, they may prevent +some power resources from being turned off or generally they may +prevent the platform from getting into the deepest low-power states +thus causing some energy to be wasted. + +Address this issue by changing the configuration of unused ACPI +device objects to the D3cold power state one after carrying out +the ACPI-based enumeration of devices. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214091 +Link: https://lore.kernel.org/linux-acpi/20211007205126.11769-1-mario.limonciello@amd.com/ +Reported-by: Mario Limonciello +Signed-off-by: Rafael J. Wysocki +Tested-by: Mario Limonciello +Signed-off-by: Sasha Levin +--- + drivers/acpi/glue.c | 25 +++++++++++++++++++++++++ + drivers/acpi/internal.h | 1 + + drivers/acpi/scan.c | 6 ++++++ + 3 files changed, 32 insertions(+) + +diff --git a/drivers/acpi/glue.c b/drivers/acpi/glue.c +index 7a33a6d985f89..1cfafa254e3d4 100644 +--- a/drivers/acpi/glue.c ++++ b/drivers/acpi/glue.c +@@ -340,3 +340,28 @@ void acpi_device_notify_remove(struct device *dev) + + acpi_unbind_one(dev); + } ++ ++int acpi_dev_turn_off_if_unused(struct device *dev, void *not_used) ++{ ++ struct acpi_device *adev = to_acpi_device(dev); ++ ++ /* ++ * Skip device objects with device IDs, because they may be in use even ++ * if they are not companions of any physical device objects. ++ */ ++ if (adev->pnp.type.hardware_id) ++ return 0; ++ ++ mutex_lock(&adev->physical_node_lock); ++ ++ /* ++ * Device objects without device IDs are not in use if they have no ++ * corresponding physical device objects. ++ */ ++ if (list_empty(&adev->physical_node_list)) ++ acpi_device_set_power(adev, ACPI_STATE_D3_COLD); ++ ++ mutex_unlock(&adev->physical_node_lock); ++ ++ return 0; ++} +diff --git a/drivers/acpi/internal.h b/drivers/acpi/internal.h +index d91b560e88674..8fbdc172864b0 100644 +--- a/drivers/acpi/internal.h ++++ b/drivers/acpi/internal.h +@@ -117,6 +117,7 @@ bool acpi_device_is_battery(struct acpi_device *adev); + bool acpi_device_is_first_physical_node(struct acpi_device *adev, + const struct device *dev); + int acpi_bus_register_early_device(int type); ++int acpi_dev_turn_off_if_unused(struct device *dev, void *not_used); + + /* -------------------------------------------------------------------------- + Device Matching and Notification +diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c +index 5b54c80b9d32a..770b82483d74d 100644 +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -2559,6 +2559,12 @@ int __init acpi_scan_init(void) + } + } + ++ /* ++ * Make sure that power management resources are not blocked by ACPI ++ * device objects with no users. ++ */ ++ bus_for_each_dev(&acpi_bus_type, NULL, NULL, acpi_dev_turn_off_if_unused); ++ + acpi_turn_off_unused_power_resources(); + + acpi_scan_initialized = true; +-- +2.33.0 + diff --git a/queue-5.15/acpica-avoid-evaluating-methods-too-early-during-sys.patch b/queue-5.15/acpica-avoid-evaluating-methods-too-early-during-sys.patch new file mode 100644 index 00000000000..753e62f44ed --- /dev/null +++ b/queue-5.15/acpica-avoid-evaluating-methods-too-early-during-sys.patch @@ -0,0 +1,130 @@ +From 2c4fe4823ebc398d88958f2e10a1c29b78db6160 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 18:31:25 +0200 +Subject: ACPICA: Avoid evaluating methods too early during system resume + +From: Rafael J. Wysocki + +[ Upstream commit d3c4b6f64ad356c0d9ddbcf73fa471e6a841cc5c ] + +ACPICA commit 0762982923f95eb652cf7ded27356b247c9774de + +During wakeup from system-wide sleep states, acpi_get_sleep_type_data() +is called and it tries to get memory from the slab allocator in order +to evaluate a control method, but if KFENCE is enabled in the kernel, +the memory allocation attempt causes an IRQ work to be queued and a +self-IPI to be sent to the CPU running the code which requires the +memory controller to be ready, so if that happens too early in the +wakeup path, it doesn't work. + +Prevent that from taking place by calling acpi_get_sleep_type_data() +for S0 upfront, when preparing to enter a given sleep state, and +saving the data obtained by it for later use during system wakeup. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214271 +Reported-by: Reik Keutterling +Tested-by: Reik Keutterling +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/acglobal.h | 2 ++ + drivers/acpi/acpica/hwesleep.c | 8 ++------ + drivers/acpi/acpica/hwsleep.c | 11 ++++------- + drivers/acpi/acpica/hwxfsleep.c | 7 +++++++ + 4 files changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/acpi/acpica/acglobal.h b/drivers/acpi/acpica/acglobal.h +index d41b810e367c4..4366d36ef1198 100644 +--- a/drivers/acpi/acpica/acglobal.h ++++ b/drivers/acpi/acpica/acglobal.h +@@ -226,6 +226,8 @@ extern struct acpi_bit_register_info + acpi_gbl_bit_register_info[ACPI_NUM_BITREG]; + ACPI_GLOBAL(u8, acpi_gbl_sleep_type_a); + ACPI_GLOBAL(u8, acpi_gbl_sleep_type_b); ++ACPI_GLOBAL(u8, acpi_gbl_sleep_type_a_s0); ++ACPI_GLOBAL(u8, acpi_gbl_sleep_type_b_s0); + + /***************************************************************************** + * +diff --git a/drivers/acpi/acpica/hwesleep.c b/drivers/acpi/acpica/hwesleep.c +index 803402aefaeb6..808fdf54aeebf 100644 +--- a/drivers/acpi/acpica/hwesleep.c ++++ b/drivers/acpi/acpica/hwesleep.c +@@ -147,17 +147,13 @@ acpi_status acpi_hw_extended_sleep(u8 sleep_state) + + acpi_status acpi_hw_extended_wake_prep(u8 sleep_state) + { +- acpi_status status; + u8 sleep_type_value; + + ACPI_FUNCTION_TRACE(hw_extended_wake_prep); + +- status = acpi_get_sleep_type_data(ACPI_STATE_S0, +- &acpi_gbl_sleep_type_a, +- &acpi_gbl_sleep_type_b); +- if (ACPI_SUCCESS(status)) { ++ if (acpi_gbl_sleep_type_a_s0 != ACPI_SLEEP_TYPE_INVALID) { + sleep_type_value = +- ((acpi_gbl_sleep_type_a << ACPI_X_SLEEP_TYPE_POSITION) & ++ ((acpi_gbl_sleep_type_a_s0 << ACPI_X_SLEEP_TYPE_POSITION) & + ACPI_X_SLEEP_TYPE_MASK); + + (void)acpi_write((u64)(sleep_type_value | ACPI_X_SLEEP_ENABLE), +diff --git a/drivers/acpi/acpica/hwsleep.c b/drivers/acpi/acpica/hwsleep.c +index 14baa13bf8482..34a3825f25d37 100644 +--- a/drivers/acpi/acpica/hwsleep.c ++++ b/drivers/acpi/acpica/hwsleep.c +@@ -179,7 +179,7 @@ acpi_status acpi_hw_legacy_sleep(u8 sleep_state) + + acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state) + { +- acpi_status status; ++ acpi_status status = AE_OK; + struct acpi_bit_register_info *sleep_type_reg_info; + struct acpi_bit_register_info *sleep_enable_reg_info; + u32 pm1a_control; +@@ -192,10 +192,7 @@ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state) + * This is unclear from the ACPI Spec, but it is required + * by some machines. + */ +- status = acpi_get_sleep_type_data(ACPI_STATE_S0, +- &acpi_gbl_sleep_type_a, +- &acpi_gbl_sleep_type_b); +- if (ACPI_SUCCESS(status)) { ++ if (acpi_gbl_sleep_type_a_s0 != ACPI_SLEEP_TYPE_INVALID) { + sleep_type_reg_info = + acpi_hw_get_bit_register_info(ACPI_BITREG_SLEEP_TYPE); + sleep_enable_reg_info = +@@ -216,9 +213,9 @@ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state) + + /* Insert the SLP_TYP bits */ + +- pm1a_control |= (acpi_gbl_sleep_type_a << ++ pm1a_control |= (acpi_gbl_sleep_type_a_s0 << + sleep_type_reg_info->bit_position); +- pm1b_control |= (acpi_gbl_sleep_type_b << ++ pm1b_control |= (acpi_gbl_sleep_type_b_s0 << + sleep_type_reg_info->bit_position); + + /* Write the control registers and ignore any errors */ +diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c +index 89b12afed564e..e4cde23a29061 100644 +--- a/drivers/acpi/acpica/hwxfsleep.c ++++ b/drivers/acpi/acpica/hwxfsleep.c +@@ -217,6 +217,13 @@ acpi_status acpi_enter_sleep_state_prep(u8 sleep_state) + return_ACPI_STATUS(status); + } + ++ status = acpi_get_sleep_type_data(ACPI_STATE_S0, ++ &acpi_gbl_sleep_type_a_s0, ++ &acpi_gbl_sleep_type_b_s0); ++ if (ACPI_FAILURE(status)) { ++ acpi_gbl_sleep_type_a_s0 = ACPI_SLEEP_TYPE_INVALID; ++ } ++ + /* Execute the _PTS method (Prepare To Sleep) */ + + arg_list.count = 1; +-- +2.33.0 + diff --git a/queue-5.15/alsa-hda-reduce-udelay-at-skl-position-reporting.patch b/queue-5.15/alsa-hda-reduce-udelay-at-skl-position-reporting.patch new file mode 100644 index 00000000000..49677fa97da --- /dev/null +++ b/queue-5.15/alsa-hda-reduce-udelay-at-skl-position-reporting.patch @@ -0,0 +1,116 @@ +From 7582668acb7b1f3800a64dde847831a284d76d7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 09:29:33 +0200 +Subject: ALSA: hda: Reduce udelay() at SKL+ position reporting + +From: Takashi Iwai + +[ Upstream commit 46243b85b0ec5d2cee7545e5ce18c015ce91957e ] + +The position reporting on Intel Skylake and later chips via +azx_get_pos_skl() contains a udelay(20) call for the capture streams. +A call for this alone doesn't sound too harmful. However, as the +pointer PCM ops is one of the hottest path in the PCM operations -- +especially for the timer-scheduled operations like PulseAudio -- such +a delay hogs CPU usage significantly in the total performance. + +The code there was taken from the original code in ASoC SST Skylake +driver blindly. The udelay() is a workaround for the case where the +reported position is behind the period boundary at the timing +triggered from interrupts; applications often expect that the full +data is available for the whole period when returned (and also that's +the definition of the ALSA PCM period). + +OTOH, HD-audio (legacy) driver has already some workarounds for the +delayed position reporting due to its relatively large FIFO, such as +the BDL position adjustment and the delayed period-elapsed call in the +work. That said, the udelay() is almost superfluous for HD-audio +driver unlike SST, and we can drop the udelay(). + +Though, the current code doesn't guarantee the full period readiness +as mentioned in the above, but rather it checks the wallclock and +detects the unexpected jump. That's one missing piece, and the drop +of udelay() needs a bit more sanity checks for the delayed handling. + +This patch implements those: the drop of udelay() call in +azx_get_pos_skl() and the more proper check of hwptr in +azx_position_ok(). The latter change is applied only for the case +where the stream is running in the normal mode without +no_period_wakeup flag. When no_period_wakeup is set, it essentially +ignores the period handling and rather concentrates only on the +current position; which implies that we don't need to care about the +period boundary at all. + +Fixes: f87e7f25893d ("ALSA: hda - Improved position reporting on SKL+") +Reported-by: Jens Axboe +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210929072934.6809-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index b278706630fcb..95b9a615c47ca 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -638,13 +638,17 @@ static int azx_position_check(struct azx *chip, struct azx_dev *azx_dev) + * the update-IRQ timing. The IRQ is issued before actually the + * data is processed. So, we need to process it afterwords in a + * workqueue. ++ * ++ * Returns 1 if OK to proceed, 0 for delay handling, -1 for skipping update + */ + static int azx_position_ok(struct azx *chip, struct azx_dev *azx_dev) + { + struct snd_pcm_substream *substream = azx_dev->core.substream; ++ struct snd_pcm_runtime *runtime = substream->runtime; + int stream = substream->stream; + u32 wallclk; + unsigned int pos; ++ snd_pcm_uframes_t hwptr, target; + + wallclk = azx_readl(chip, WALLCLK) - azx_dev->core.start_wallclk; + if (wallclk < (azx_dev->core.period_wallclk * 2) / 3) +@@ -681,6 +685,24 @@ static int azx_position_ok(struct azx *chip, struct azx_dev *azx_dev) + /* NG - it's below the first next period boundary */ + return chip->bdl_pos_adj ? 0 : -1; + azx_dev->core.start_wallclk += wallclk; ++ ++ if (azx_dev->core.no_period_wakeup) ++ return 1; /* OK, no need to check period boundary */ ++ ++ if (runtime->hw_ptr_base != runtime->hw_ptr_interrupt) ++ return 1; /* OK, already in hwptr updating process */ ++ ++ /* check whether the period gets really elapsed */ ++ pos = bytes_to_frames(runtime, pos); ++ hwptr = runtime->hw_ptr_base + pos; ++ if (hwptr < runtime->status->hw_ptr) ++ hwptr += runtime->buffer_size; ++ target = runtime->hw_ptr_interrupt + runtime->period_size; ++ if (hwptr < target) { ++ /* too early wakeup, process it later */ ++ return chip->bdl_pos_adj ? 0 : -1; ++ } ++ + return 1; /* OK, it's fine */ + } + +@@ -875,11 +897,7 @@ static unsigned int azx_get_pos_skl(struct azx *chip, struct azx_dev *azx_dev) + if (azx_dev->core.substream->stream == SNDRV_PCM_STREAM_PLAYBACK) + return azx_skl_get_dpib_pos(chip, azx_dev); + +- /* For capture, we need to read posbuf, but it requires a delay +- * for the possible boundary overlap; the read of DPIB fetches the +- * actual posbuf +- */ +- udelay(20); ++ /* read of DPIB fetches the actual posbuf */ + azx_skl_get_dpib_pos(chip, azx_dev); + return azx_get_pos_posbuf(chip, azx_dev); + } +-- +2.33.0 + diff --git a/queue-5.15/alsa-hda-use-position-buffer-for-skl-again.patch b/queue-5.15/alsa-hda-use-position-buffer-for-skl-again.patch new file mode 100644 index 00000000000..75944b4ca83 --- /dev/null +++ b/queue-5.15/alsa-hda-use-position-buffer-for-skl-again.patch @@ -0,0 +1,72 @@ +From 41c8ae6be915f69f87c3bf7ce881e488ff47398c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 09:29:34 +0200 +Subject: ALSA: hda: Use position buffer for SKL+ again + +From: Takashi Iwai + +[ Upstream commit c4ca3871e21fa085096316f5f8d9975cf3dfde1d ] + +The commit f87e7f25893d ("ALSA: hda - Improved position reporting on +SKL+") changed the PCM position report for SKL+ chips to use DPIB, but +according to Pierre, DPIB is no best choice for the accurate position +reports and it often reports too early. The recommended method is +rather the classical position buffer. + +This patch makes the PCM position reporting on SKL+ back to the +position buffer again. + +Fixes: f87e7f25893d ("ALSA: hda - Improved position reporting on SKL+") +Suggested-by: Pierre-Louis Bossart +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210929072934.6809-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_intel.c | 23 +---------------------- + 1 file changed, 1 insertion(+), 22 deletions(-) + +diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c +index 95b9a615c47ca..90e9263ac0bd7 100644 +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -881,27 +881,6 @@ static int azx_get_delay_from_fifo(struct azx *chip, struct azx_dev *azx_dev, + return substream->runtime->delay; + } + +-static unsigned int azx_skl_get_dpib_pos(struct azx *chip, +- struct azx_dev *azx_dev) +-{ +- return _snd_hdac_chip_readl(azx_bus(chip), +- AZX_REG_VS_SDXDPIB_XBASE + +- (AZX_REG_VS_SDXDPIB_XINTERVAL * +- azx_dev->core.index)); +-} +- +-/* get the current DMA position with correction on SKL+ chips */ +-static unsigned int azx_get_pos_skl(struct azx *chip, struct azx_dev *azx_dev) +-{ +- /* DPIB register gives a more accurate position for playback */ +- if (azx_dev->core.substream->stream == SNDRV_PCM_STREAM_PLAYBACK) +- return azx_skl_get_dpib_pos(chip, azx_dev); +- +- /* read of DPIB fetches the actual posbuf */ +- azx_skl_get_dpib_pos(chip, azx_dev); +- return azx_get_pos_posbuf(chip, azx_dev); +-} +- + static void __azx_shutdown_chip(struct azx *chip, bool skip_link_reset) + { + azx_stop_chip(chip); +@@ -1591,7 +1570,7 @@ static void assign_position_fix(struct azx *chip, int fix) + [POS_FIX_POSBUF] = azx_get_pos_posbuf, + [POS_FIX_VIACOMBO] = azx_via_get_position, + [POS_FIX_COMBO] = azx_get_pos_lpib, +- [POS_FIX_SKL] = azx_get_pos_skl, ++ [POS_FIX_SKL] = azx_get_pos_posbuf, + [POS_FIX_FIFO] = azx_get_pos_fifo, + }; + +-- +2.33.0 + diff --git a/queue-5.15/alsa-memalloc-catch-call-with-null-snd_dma_buffer-po.patch b/queue-5.15/alsa-memalloc-catch-call-with-null-snd_dma_buffer-po.patch new file mode 100644 index 00000000000..09cb30b90f6 --- /dev/null +++ b/queue-5.15/alsa-memalloc-catch-call-with-null-snd_dma_buffer-po.patch @@ -0,0 +1,37 @@ +From d4533fcc7b1628350fca4a94519ce718acb166a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 11:21:03 +0100 +Subject: ALSA: memalloc: Catch call with NULL snd_dma_buffer pointer + +From: Takashi Iwai + +[ Upstream commit dce9446192439eaac81c21f517325fb473735e53 ] + +Although we've covered all calls with NULL dma buffer pointer, so far, +there may be still some else in the wild. For catching such a case +more easily, add a WARN_ON_ONCE() in snd_dma_get_ops(). + +Fixes: 37af81c5998f ("ALSA: core: Abstract memory alloc helpers") +Link: https://lore.kernel.org/r/20211105102103.28148-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/memalloc.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/core/memalloc.c b/sound/core/memalloc.c +index 0b8a1c3eae1b4..2d842982576bb 100644 +--- a/sound/core/memalloc.c ++++ b/sound/core/memalloc.c +@@ -494,6 +494,8 @@ static const struct snd_malloc_ops *dma_ops[] = { + + static const struct snd_malloc_ops *snd_dma_get_ops(struct snd_dma_buffer *dmab) + { ++ if (WARN_ON_ONCE(!dmab)) ++ return NULL; + if (WARN_ON_ONCE(dmab->dev.type <= SNDRV_DMA_TYPE_UNKNOWN || + dmab->dev.type >= ARRAY_SIZE(dma_ops))) + return NULL; +-- +2.33.0 + diff --git a/queue-5.15/alsa-oxfw-fix-functional-regression-for-mackie-onyx-.patch b/queue-5.15/alsa-oxfw-fix-functional-regression-for-mackie-onyx-.patch new file mode 100644 index 00000000000..0d2ab4e6d2c --- /dev/null +++ b/queue-5.15/alsa-oxfw-fix-functional-regression-for-mackie-onyx-.patch @@ -0,0 +1,106 @@ +From 0dc16823b4e6e167046132ef25ae6d154396de67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 22:03:25 +0900 +Subject: ALSA: oxfw: fix functional regression for Mackie Onyx 1640i in v5.14 + or later + +From: Takashi Sakamoto + +[ Upstream commit cddcd5472abb7b8a9c37ccbcf0908b79740a01b5 ] + +A user reports functional regression for Mackie Onyx 1640i that the device +generates slow sound with ALSA oxfw driver which supports media clock +recovery. Although the device is based on OXFW971 ASIC, it does not +transfer isochronous packet with own event frequency as expected. The +device seems to adjust event frequency according to events in received +isochronous packets in the beginning of packet streaming. This is +unknown quirk. + +This commit fixes the regression to turn the recovery off in driver +side. As a result, nominal frequency is used in duplex packet streaming +between device and driver. For stability of sampling rate in events of +transferred isochronous packet, 4,000 isochronous packets are skipped +in the beginning of packet streaming. + +Reference: https://github.com/takaswie/snd-firewire-improve/issues/38 +Fixes: 029ffc429440 ("ALSA: oxfw: perform sequence replay for media clock recovery") +Signed-off-by: Takashi Sakamoto +Link: https://lore.kernel.org/r/20211028130325.45772-1-o-takashi@sakamocchi.jp +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/oxfw/oxfw-stream.c | 7 ++++++- + sound/firewire/oxfw/oxfw.c | 8 ++++++++ + sound/firewire/oxfw/oxfw.h | 5 +++++ + 3 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/sound/firewire/oxfw/oxfw-stream.c b/sound/firewire/oxfw/oxfw-stream.c +index fff18b5d4e052..f4a702def3979 100644 +--- a/sound/firewire/oxfw/oxfw-stream.c ++++ b/sound/firewire/oxfw/oxfw-stream.c +@@ -9,7 +9,7 @@ + #include + + #define AVC_GENERIC_FRAME_MAXIMUM_BYTES 512 +-#define READY_TIMEOUT_MS 200 ++#define READY_TIMEOUT_MS 600 + + /* + * According to datasheet of Oxford Semiconductor: +@@ -367,6 +367,11 @@ int snd_oxfw_stream_start_duplex(struct snd_oxfw *oxfw) + // Just after changing sampling transfer frequency, many cycles are + // skipped for packet transmission. + tx_init_skip_cycles = 400; ++ } else if (oxfw->quirks & SND_OXFW_QUIRK_VOLUNTARY_RECOVERY) { ++ // It takes a bit time for target device to adjust event frequency ++ // according to nominal event frequency in isochronous packets from ++ // ALSA oxfw driver. ++ tx_init_skip_cycles = 4000; + } else { + replay_seq = true; + } +diff --git a/sound/firewire/oxfw/oxfw.c b/sound/firewire/oxfw/oxfw.c +index daf731364695b..b496f87841aec 100644 +--- a/sound/firewire/oxfw/oxfw.c ++++ b/sound/firewire/oxfw/oxfw.c +@@ -25,6 +25,7 @@ + #define MODEL_SATELLITE 0x00200f + #define MODEL_SCS1M 0x001000 + #define MODEL_DUET_FW 0x01dddd ++#define MODEL_ONYX_1640I 0x001640 + + #define SPECIFIER_1394TA 0x00a02d + #define VERSION_AVC 0x010001 +@@ -192,6 +193,13 @@ static int detect_quirks(struct snd_oxfw *oxfw, const struct ieee1394_device_id + // OXFW971-based models may transfer events by blocking method. + if (!(oxfw->quirks & SND_OXFW_QUIRK_JUMBO_PAYLOAD)) + oxfw->quirks |= SND_OXFW_QUIRK_BLOCKING_TRANSMISSION; ++ ++ if (model == MODEL_ONYX_1640I) { ++ //Unless receiving packets without NOINFO packet, the device transfers ++ //mostly half of events in packets than expected. ++ oxfw->quirks |= SND_OXFW_QUIRK_IGNORE_NO_INFO_PACKET | ++ SND_OXFW_QUIRK_VOLUNTARY_RECOVERY; ++ } + } + + return 0; +diff --git a/sound/firewire/oxfw/oxfw.h b/sound/firewire/oxfw/oxfw.h +index c13034f6c2ca5..d728e451a25c6 100644 +--- a/sound/firewire/oxfw/oxfw.h ++++ b/sound/firewire/oxfw/oxfw.h +@@ -47,6 +47,11 @@ enum snd_oxfw_quirk { + // the device to process audio data even if the value is invalid in a point of + // IEC 61883-1/6. + SND_OXFW_QUIRK_IGNORE_NO_INFO_PACKET = 0x10, ++ // Loud Technologies Mackie Onyx 1640i seems to configure OXFW971 ASIC so that it decides ++ // event frequency according to events in received isochronous packets. The device looks to ++ // performs media clock recovery voluntarily. In the recovery, the packets with NO_INFO ++ // are ignored, thus driver should transfer packets with timestamp. ++ SND_OXFW_QUIRK_VOLUNTARY_RECOVERY = 0x20, + }; + + /* This is an arbitrary number for convinience. */ +-- +2.33.0 + diff --git a/queue-5.15/alsa-usb-audio-fix-possible-race-at-sync-of-urb-comp.patch b/queue-5.15/alsa-usb-audio-fix-possible-race-at-sync-of-urb-comp.patch new file mode 100644 index 00000000000..b99f55f3942 --- /dev/null +++ b/queue-5.15/alsa-usb-audio-fix-possible-race-at-sync-of-urb-comp.patch @@ -0,0 +1,101 @@ +From 669e5a7b6c6d0ffad6a7857a2678d66c7b0ce98e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 10:08:37 +0200 +Subject: ALSA: usb-audio: Fix possible race at sync of urb completions + +From: Takashi Iwai + +[ Upstream commit 86a42ad07905110f82648853c0ea3434b4eab173 ] + +USB-audio driver tries to sync with the clear of all pending URBs in +wait_clear_urbs(), and it waits for all bits in active_mask getting +cleared. This works fine for the normal operations, but when a stream +is managed in the implicit feedback mode, there is still a very thin +race window: namely, in snd_complete_usb(), the active_mask bit for +the current URB is once cleared before re-submitted in +queue_pending_output_urbs(). If wait_clear_urbs() is called during +that period, it may pass the test and go forward even though there may +be a still pending URB. + +For covering it, this patch adds a new counter to each endpoint to +keep the number of in-flight URBs, and changes wait_clear_urbs() +checking this number instead. The counter is decremented at the end +of URB complete, hence the reference is kept as long as the URB +complete is in process. + +Link: https://lore.kernel.org/r/20210929080844.11583-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/usb/card.h | 1 + + sound/usb/endpoint.c | 7 ++++++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/sound/usb/card.h b/sound/usb/card.h +index 5b19901f305a3..860faaf249ea6 100644 +--- a/sound/usb/card.h ++++ b/sound/usb/card.h +@@ -97,6 +97,7 @@ struct snd_usb_endpoint { + unsigned int nominal_queue_size; /* total buffer sizes in URBs */ + unsigned long active_mask; /* bitmask of active urbs */ + unsigned long unlink_mask; /* bitmask of unlinked urbs */ ++ atomic_t submitted_urbs; /* currently submitted urbs */ + char *syncbuf; /* sync buffer for all sync URBs */ + dma_addr_t sync_dma; /* DMA address of syncbuf */ + +diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c +index 533919a28856f..ba2d7e6884207 100644 +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -451,6 +451,7 @@ static void queue_pending_output_urbs(struct snd_usb_endpoint *ep) + } + + set_bit(ctx->index, &ep->active_mask); ++ atomic_inc(&ep->submitted_urbs); + } + } + +@@ -488,6 +489,7 @@ static void snd_complete_urb(struct urb *urb) + clear_bit(ctx->index, &ep->active_mask); + spin_unlock_irqrestore(&ep->lock, flags); + queue_pending_output_urbs(ep); ++ atomic_dec(&ep->submitted_urbs); /* decrement at last */ + return; + } + +@@ -513,6 +515,7 @@ static void snd_complete_urb(struct urb *urb) + + exit_clear: + clear_bit(ctx->index, &ep->active_mask); ++ atomic_dec(&ep->submitted_urbs); + } + + /* +@@ -596,6 +599,7 @@ int snd_usb_add_endpoint(struct snd_usb_audio *chip, int ep_num, int type) + ep->type = type; + ep->ep_num = ep_num; + INIT_LIST_HEAD(&ep->ready_playback_urbs); ++ atomic_set(&ep->submitted_urbs, 0); + + is_playback = ((ep_num & USB_ENDPOINT_DIR_MASK) == USB_DIR_OUT); + ep_num &= USB_ENDPOINT_NUMBER_MASK; +@@ -859,7 +863,7 @@ static int wait_clear_urbs(struct snd_usb_endpoint *ep) + return 0; + + do { +- alive = bitmap_weight(&ep->active_mask, ep->nurbs); ++ alive = atomic_read(&ep->submitted_urbs); + if (!alive) + break; + +@@ -1420,6 +1424,7 @@ int snd_usb_endpoint_start(struct snd_usb_endpoint *ep) + goto __error; + } + set_bit(i, &ep->active_mask); ++ atomic_inc(&ep->submitted_urbs); + } + + usb_audio_dbg(ep->chip, "%d URBs submitted for EP 0x%x\n", +-- +2.33.0 + diff --git a/queue-5.15/apparmor-fix-error-check.patch b/queue-5.15/apparmor-fix-error-check.patch new file mode 100644 index 00000000000..25556346188 --- /dev/null +++ b/queue-5.15/apparmor-fix-error-check.patch @@ -0,0 +1,60 @@ +From 607fa0ed0626ce9b92b919ccc576f6ee089f2500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Oct 2020 07:24:22 -0700 +Subject: apparmor: fix error check + +From: Tom Rix + +[ Upstream commit d108370c644b153382632b3e5511ade575c91c86 ] + +clang static analysis reports this representative problem: + +label.c:1463:16: warning: Assigned value is garbage or undefined + label->hname = name; + ^ ~~~~ + +In aa_update_label_name(), this the problem block of code + + if (aa_label_acntsxprint(&name, ...) == -1) + return res; + +On failure, aa_label_acntsxprint() has a more complicated return +that just -1. So check for a negative return. + +It was also noted that the aa_label_acntsxprint() main comment refers +to a nonexistent parameter, so clean up the comment. + +Fixes: f1bd904175e8 ("apparmor: add the base fns() for domain labels") +Signed-off-by: Tom Rix +Reviewed-by: Nick Desaulniers +Signed-off-by: John Johansen +Signed-off-by: Sasha Levin +--- + security/apparmor/label.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/apparmor/label.c b/security/apparmor/label.c +index e68bcedca976b..6222fdfebe4e5 100644 +--- a/security/apparmor/label.c ++++ b/security/apparmor/label.c +@@ -1454,7 +1454,7 @@ bool aa_update_label_name(struct aa_ns *ns, struct aa_label *label, gfp_t gfp) + if (label->hname || labels_ns(label) != ns) + return res; + +- if (aa_label_acntsxprint(&name, ns, label, FLAGS_NONE, gfp) == -1) ++ if (aa_label_acntsxprint(&name, ns, label, FLAGS_NONE, gfp) < 0) + return res; + + ls = labels_set(label); +@@ -1704,7 +1704,7 @@ int aa_label_asxprint(char **strp, struct aa_ns *ns, struct aa_label *label, + + /** + * aa_label_acntsxprint - allocate a __counted string buffer and print label +- * @strp: buffer to write to. (MAY BE NULL if @size == 0) ++ * @strp: buffer to write to. + * @ns: namespace profile is being viewed from + * @label: label to view (NOT NULL) + * @flags: flags controlling what label info is printed +-- +2.33.0 + diff --git a/queue-5.15/ar7-fix-kernel-builds-for-compiler-test.patch b/queue-5.15/ar7-fix-kernel-builds-for-compiler-test.patch new file mode 100644 index 00000000000..e7acf1befda --- /dev/null +++ b/queue-5.15/ar7-fix-kernel-builds-for-compiler-test.patch @@ -0,0 +1,49 @@ +From b892be29f8570d42b43bfccddd6d6261aa09a361 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 10:49:04 +0800 +Subject: ar7: fix kernel builds for compiler test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jackie Liu + +[ Upstream commit 28b7ee33a2122569ac065cad578bf23f50cc65c3 ] + +TI AR7 Watchdog Timer is only build for 32bit. + +Avoid error like: +In file included from drivers/watchdog/ar7_wdt.c:29: +./arch/mips/include/asm/mach-ar7/ar7.h: In function ‘ar7_is_titan’: +./arch/mips/include/asm/mach-ar7/ar7.h:111:24: error: implicit declaration of function ‘KSEG1ADDR’; did you mean ‘CKSEG1ADDR’? [-Werror=implicit-function-declaration] + 111 | return (readl((void *)KSEG1ADDR(AR7_REGS_GPIO + 0x24)) & 0xffff) == + | ^~~~~~~~~ + | CKSEG1ADDR + +Fixes: da2a68b3eb47 ("watchdog: Enable COMPILE_TEST where possible") +Signed-off-by: Jackie Liu +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/20210907024904.4127611-1-liu.yun@linux.dev +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/watchdog/Kconfig b/drivers/watchdog/Kconfig +index bf59faeb3de1b..d937f957f8df8 100644 +--- a/drivers/watchdog/Kconfig ++++ b/drivers/watchdog/Kconfig +@@ -1679,7 +1679,7 @@ config SIBYTE_WDOG + + config AR7_WDT + tristate "TI AR7 Watchdog Timer" +- depends on AR7 || (MIPS && COMPILE_TEST) ++ depends on AR7 || (MIPS && 32BIT && COMPILE_TEST) + help + Hardware driver for the TI AR7 Watchdog Timer. + +-- +2.33.0 + diff --git a/queue-5.15/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch b/queue-5.15/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch new file mode 100644 index 00000000000..e719036b4b3 --- /dev/null +++ b/queue-5.15/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch @@ -0,0 +1,47 @@ +From 38efbc07aa8f05a02b95095e31eda650aa41ba05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 15:30:06 +0100 +Subject: ARM: 9136/1: ARMv7-M uses BE-8, not BE-32 + +From: Arnd Bergmann + +[ Upstream commit 345dac33f58894a56d17b92a41be10e16585ceff ] + +When configuring the kernel for big-endian, we set either BE-8 or BE-32 +based on the CPU architecture level. Until linux-4.4, we did not have +any ARMv7-M platform allowing big-endian builds, but now i.MX/Vybrid +is in that category, adn we get a build error because of this: + +arch/arm/kernel/module-plts.c: In function 'get_module_plt': +arch/arm/kernel/module-plts.c:60:46: error: implicit declaration of function '__opcode_to_mem_thumb32' [-Werror=implicit-function-declaration] + +This comes down to picking the wrong default, ARMv7-M uses BE8 +like ARMv7-A does. Changing the default gets the kernel to compile +and presumably works. + +https://lore.kernel.org/all/1455804123-2526139-2-git-send-email-arnd@arndb.de/ + +Tested-by: Vladimir Murzin +Signed-off-by: Arnd Bergmann +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig +index 8355c38958942..82aa990c4180c 100644 +--- a/arch/arm/mm/Kconfig ++++ b/arch/arm/mm/Kconfig +@@ -750,7 +750,7 @@ config CPU_BIG_ENDIAN + config CPU_ENDIAN_BE8 + bool + depends on CPU_BIG_ENDIAN +- default CPU_V6 || CPU_V6K || CPU_V7 ++ default CPU_V6 || CPU_V6K || CPU_V7 || CPU_V7M + help + Support for the BE-8 (big-endian) mode on ARMv6 and ARMv7 processors. + +-- +2.33.0 + diff --git a/queue-5.15/arm-9142-1-kasan-work-around-lpae-build-warning.patch b/queue-5.15/arm-9142-1-kasan-work-around-lpae-build-warning.patch new file mode 100644 index 00000000000..7d48362d315 --- /dev/null +++ b/queue-5.15/arm-9142-1-kasan-work-around-lpae-build-warning.patch @@ -0,0 +1,57 @@ +From 4833f0aa447e2c04bb04abe9cdd95403e6c8b587 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 15:30:38 +0100 +Subject: ARM: 9142/1: kasan: work around LPAE build warning + +From: Arnd Bergmann + +[ Upstream commit c2e6df3eaaf120cde5e7c3a70590dd82e427458a ] + +pgd_page_vaddr() returns an 'unsigned long' address, causing a warning +with the memcpy() call in kasan_init(): + +arch/arm/mm/kasan_init.c: In function 'kasan_init': +include/asm-generic/pgtable-nop4d.h:44:50: error: passing argument 2 of '__memcpy' makes pointer from integer without a cast [-Werror=int-conversion] + 44 | #define pgd_page_vaddr(pgd) ((unsigned long)(p4d_pgtable((p4d_t){ pgd }))) + | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + | | + | long unsigned int +arch/arm/include/asm/string.h:58:45: note: in definition of macro 'memcpy' + 58 | #define memcpy(dst, src, len) __memcpy(dst, src, len) + | ^~~ +arch/arm/mm/kasan_init.c:229:16: note: in expansion of macro 'pgd_page_vaddr' + 229 | pgd_page_vaddr(*pgd_offset_k(KASAN_SHADOW_START)), + | ^~~~~~~~~~~~~~ +arch/arm/include/asm/string.h:21:47: note: expected 'const void *' but argument is of type 'long unsigned int' + 21 | extern void *__memcpy(void *dest, const void *src, __kernel_size_t n); + | ~~~~~~~~~~~~^~~ + +Avoid this by adding an explicit typecast. + +Link: https://lore.kernel.org/all/CACRpkdb3DMvof3-xdtss0Pc6KM36pJA-iy=WhvtNVnsDpeJ24Q@mail.gmail.com/ + +Fixes: 5615f69bc209 ("ARM: 9016/2: Initialize the mapping of KASan shadow memory") +Reviewed-by: Linus Walleij +Signed-off-by: Arnd Bergmann +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/mm/kasan_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mm/kasan_init.c b/arch/arm/mm/kasan_init.c +index 9c348042a7244..4b1619584b23c 100644 +--- a/arch/arm/mm/kasan_init.c ++++ b/arch/arm/mm/kasan_init.c +@@ -226,7 +226,7 @@ void __init kasan_init(void) + BUILD_BUG_ON(pgd_index(KASAN_SHADOW_START) != + pgd_index(KASAN_SHADOW_END)); + memcpy(tmp_pmd_table, +- pgd_page_vaddr(*pgd_offset_k(KASAN_SHADOW_START)), ++ (void*)pgd_page_vaddr(*pgd_offset_k(KASAN_SHADOW_START)), + sizeof(tmp_pmd_table)); + set_pgd(&tmp_pgd_table[pgd_index(KASAN_SHADOW_START)], + __pgd(__pa(tmp_pmd_table) | PMD_TYPE_TABLE | L_PGD_SWAPPER)); +-- +2.33.0 + diff --git a/queue-5.15/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch b/queue-5.15/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch new file mode 100644 index 00000000000..821d982cfc2 --- /dev/null +++ b/queue-5.15/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch @@ -0,0 +1,46 @@ +From 84962b59f6c90285dc543640141aa028a123c4ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 09:55:17 +0900 +Subject: ARM: clang: Do not rely on lr register for stacktrace + +From: Masami Hiramatsu + +[ Upstream commit b3ea5d56f212ad81328c82454829a736197ebccc ] + +Currently the stacktrace on clang compiled arm kernel uses the 'lr' +register to find the first frame address from pt_regs. However, that +is wrong after calling another function, because the 'lr' register +is used by 'bl' instruction and never be recovered. + +As same as gcc arm kernel, directly use the frame pointer (r11) of +the pt_regs to find the first frame address. + +Note that this fixes kretprobe stacktrace issue only with +CONFIG_UNWINDER_FRAME_POINTER=y. For the CONFIG_UNWINDER_ARM, +we need another fix. + +Signed-off-by: Masami Hiramatsu +Reviewed-by: Nick Desaulniers +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/stacktrace.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c +index 76ea4178a55cb..db798eac74315 100644 +--- a/arch/arm/kernel/stacktrace.c ++++ b/arch/arm/kernel/stacktrace.c +@@ -54,8 +54,7 @@ int notrace unwind_frame(struct stackframe *frame) + + frame->sp = frame->fp; + frame->fp = *(unsigned long *)(fp); +- frame->pc = frame->lr; +- frame->lr = *(unsigned long *)(fp + 4); ++ frame->pc = *(unsigned long *)(fp + 4); + #else + /* check current frame pointer is within bounds */ + if (fp < low + 12 || fp > high - 4) +-- +2.33.0 + diff --git a/queue-5.15/arm-dts-at91-tse850-the-emac-phy-interface-is-rmii.patch b/queue-5.15/arm-dts-at91-tse850-the-emac-phy-interface-is-rmii.patch new file mode 100644 index 00000000000..5ef5a4b7558 --- /dev/null +++ b/queue-5.15/arm-dts-at91-tse850-the-emac-phy-interface-is-rmii.patch @@ -0,0 +1,39 @@ +From 39ff43781929d6c51d5276dded095ac0e326858a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 22:37:38 +0200 +Subject: ARM: dts: at91: tse850: the emac<->phy interface is rmii + +From: Peter Rosin + +[ Upstream commit dcdbc335a91a26e022a803e1a6b837266989c032 ] + +This went unnoticed until commit 7897b071ac3b ("net: macb: convert +to phylink") which tickled the problem. The sama5d3 emac has never +been capable of rgmii, and it all just happened to work before that +commit. + +Fixes: 21dd0ece34c2 ("ARM: dts: at91: add devicetree for the Axentia TSE-850") +Signed-off-by: Peter Rosin +Signed-off-by: Nicolas Ferre +Link: https://lore.kernel.org/r/ea781f5e-422f-6cbf-3cf4-d5a7bac9392d@axentia.se +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/at91-tse850-3.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/at91-tse850-3.dts b/arch/arm/boot/dts/at91-tse850-3.dts +index 3ca97b47c69ce..7e5c598e7e68f 100644 +--- a/arch/arm/boot/dts/at91-tse850-3.dts ++++ b/arch/arm/boot/dts/at91-tse850-3.dts +@@ -262,7 +262,7 @@ + &macb1 { + status = "okay"; + +- phy-mode = "rgmii"; ++ phy-mode = "rmii"; + + #address-cells = <1>; + #size-cells = <0>; +-- +2.33.0 + diff --git a/queue-5.15/arm-dts-bcm5301x-fix-memory-nodes-names.patch b/queue-5.15/arm-dts-bcm5301x-fix-memory-nodes-names.patch new file mode 100644 index 00000000000..94169b53563 --- /dev/null +++ b/queue-5.15/arm-dts-bcm5301x-fix-memory-nodes-names.patch @@ -0,0 +1,188 @@ +From d3c9cb1d92914493416b3de702c2f8007cc7fd09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 08:57:02 +0200 +Subject: ARM: dts: BCM5301X: Fix memory nodes names +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit c5e1df3276d7a500678da9453be31a66ad115150 ] + +Thix fixes: +arch/arm/boot/dts/bcm4708-netgear-r6250.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 134217728]]} +arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 134217728]]} +arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 402653184]]} +arch/arm/boot/dts/bcm4709-linksys-ea9200.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 134217728]]} +arch/arm/boot/dts/bcm4709-netgear-r7000.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 134217728]]} +arch/arm/boot/dts/bcm4709-netgear-r8000.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 134217728]]} +arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728]]} +arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728], [2281701376, 402653184]]} +arch/arm/boot/dts/bcm53016-meraki-mr32.dt.yaml: /: memory: False schema does not allow {'reg': [[0, 134217728]], 'device_type': ['memory']} +arch/arm/boot/dts/bcm94708.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728]]} +arch/arm/boot/dts/bcm94709.dt.yaml: /: memory: False schema does not allow {'device_type': ['memory'], 'reg': [[0, 134217728]]} + +Signed-off-by: Rafał Miłecki +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/bcm4708-netgear-r6250.dts | 2 +- + arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts | 2 +- + arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts | 2 +- + arch/arm/boot/dts/bcm4709-linksys-ea9200.dts | 2 +- + arch/arm/boot/dts/bcm4709-netgear-r7000.dts | 2 +- + arch/arm/boot/dts/bcm4709-netgear-r8000.dts | 2 +- + arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts | 2 +- + arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts | 2 +- + arch/arm/boot/dts/bcm53016-meraki-mr32.dts | 2 +- + arch/arm/boot/dts/bcm94708.dts | 2 +- + arch/arm/boot/dts/bcm94709.dts | 2 +- + 11 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/arch/arm/boot/dts/bcm4708-netgear-r6250.dts b/arch/arm/boot/dts/bcm4708-netgear-r6250.dts +index 61c7b137607e5..7900aac4f35a9 100644 +--- a/arch/arm/boot/dts/bcm4708-netgear-r6250.dts ++++ b/arch/arm/boot/dts/bcm4708-netgear-r6250.dts +@@ -20,7 +20,7 @@ + bootargs = "console=ttyS0,115200 earlycon"; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>, + <0x88000000 0x08000000>; +diff --git a/arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts b/arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts +index 6c6bb7b17d27a..7546c8d07bcd7 100644 +--- a/arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts ++++ b/arch/arm/boot/dts/bcm4709-asus-rt-ac87u.dts +@@ -19,7 +19,7 @@ + bootargs = "console=ttyS0,115200"; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>, + <0x88000000 0x08000000>; +diff --git a/arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts b/arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts +index d29e7f80ea6aa..beae9eab9cb8c 100644 +--- a/arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts ++++ b/arch/arm/boot/dts/bcm4709-buffalo-wxr-1900dhp.dts +@@ -19,7 +19,7 @@ + bootargs = "console=ttyS0,115200"; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>, + <0x88000000 0x18000000>; +diff --git a/arch/arm/boot/dts/bcm4709-linksys-ea9200.dts b/arch/arm/boot/dts/bcm4709-linksys-ea9200.dts +index 9b6887d477d86..7879f7d7d9c33 100644 +--- a/arch/arm/boot/dts/bcm4709-linksys-ea9200.dts ++++ b/arch/arm/boot/dts/bcm4709-linksys-ea9200.dts +@@ -16,7 +16,7 @@ + bootargs = "console=ttyS0,115200"; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>, + <0x88000000 0x08000000>; +diff --git a/arch/arm/boot/dts/bcm4709-netgear-r7000.dts b/arch/arm/boot/dts/bcm4709-netgear-r7000.dts +index 7989a53597d4f..56d309dbc6b0d 100644 +--- a/arch/arm/boot/dts/bcm4709-netgear-r7000.dts ++++ b/arch/arm/boot/dts/bcm4709-netgear-r7000.dts +@@ -19,7 +19,7 @@ + bootargs = "console=ttyS0,115200"; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>, + <0x88000000 0x08000000>; +diff --git a/arch/arm/boot/dts/bcm4709-netgear-r8000.dts b/arch/arm/boot/dts/bcm4709-netgear-r8000.dts +index 87b655be674c5..184e3039aa864 100644 +--- a/arch/arm/boot/dts/bcm4709-netgear-r8000.dts ++++ b/arch/arm/boot/dts/bcm4709-netgear-r8000.dts +@@ -30,7 +30,7 @@ + bootargs = "console=ttyS0,115200"; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>, + <0x88000000 0x08000000>; +diff --git a/arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts b/arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts +index f806be5da7237..c2a266a439d05 100644 +--- a/arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts ++++ b/arch/arm/boot/dts/bcm4709-tplink-archer-c9-v1.dts +@@ -15,7 +15,7 @@ + bootargs = "console=ttyS0,115200 earlycon"; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>; + }; +diff --git a/arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts b/arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts +index 452b8d0ab180e..b0d8a688141d3 100644 +--- a/arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts ++++ b/arch/arm/boot/dts/bcm47094-luxul-xwc-2000.dts +@@ -16,7 +16,7 @@ + bootargs = "earlycon"; + }; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>, + <0x88000000 0x18000000>; +diff --git a/arch/arm/boot/dts/bcm53016-meraki-mr32.dts b/arch/arm/boot/dts/bcm53016-meraki-mr32.dts +index 3b978dc8997a4..612d61852bfb9 100644 +--- a/arch/arm/boot/dts/bcm53016-meraki-mr32.dts ++++ b/arch/arm/boot/dts/bcm53016-meraki-mr32.dts +@@ -20,7 +20,7 @@ + bootargs = " console=ttyS0,115200n8 earlycon"; + }; + +- memory { ++ memory@0 { + reg = <0x00000000 0x08000000>; + device_type = "memory"; + }; +diff --git a/arch/arm/boot/dts/bcm94708.dts b/arch/arm/boot/dts/bcm94708.dts +index 3d13e46c69494..d9eb2040b9631 100644 +--- a/arch/arm/boot/dts/bcm94708.dts ++++ b/arch/arm/boot/dts/bcm94708.dts +@@ -38,7 +38,7 @@ + model = "NorthStar SVK (BCM94708)"; + compatible = "brcm,bcm94708", "brcm,bcm4708"; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>; + }; +diff --git a/arch/arm/boot/dts/bcm94709.dts b/arch/arm/boot/dts/bcm94709.dts +index 5017b7b259cbe..618c812eef73e 100644 +--- a/arch/arm/boot/dts/bcm94709.dts ++++ b/arch/arm/boot/dts/bcm94709.dts +@@ -38,7 +38,7 @@ + model = "NorthStar SVK (BCM94709)"; + compatible = "brcm,bcm94709", "brcm,bcm4709", "brcm,bcm4708"; + +- memory { ++ memory@0 { + device_type = "memory"; + reg = <0x00000000 0x08000000>; + }; +-- +2.33.0 + diff --git a/queue-5.15/arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch b/queue-5.15/arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch new file mode 100644 index 00000000000..3f3a3584ea8 --- /dev/null +++ b/queue-5.15/arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch @@ -0,0 +1,36 @@ +From 1a4f04e290174ac409c43c2ea94e2317cabd89a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Oct 2021 09:34:15 +0200 +Subject: arm: dts: omap3-gta04a4: accelerometer irq fix + +From: Andreas Kemnade + +[ Upstream commit 884ea75d79a36faf3731ad9d6b9c29f58697638d ] + +Fix typo in pinctrl. It did only work because the bootloader +seems to have initialized it. + +Fixes: ee327111953b ("ARM: dts: omap3-gta04: Define and use bma180 irq pin") +Signed-off-by: Andreas Kemnade +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap3-gta04.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/omap3-gta04.dtsi b/arch/arm/boot/dts/omap3-gta04.dtsi +index 938cc691bb2fe..23ab27fe4ee5d 100644 +--- a/arch/arm/boot/dts/omap3-gta04.dtsi ++++ b/arch/arm/boot/dts/omap3-gta04.dtsi +@@ -515,7 +515,7 @@ + compatible = "bosch,bma180"; + reg = <0x41>; + pinctrl-names = "default"; +- pintcrl-0 = <&bma180_pins>; ++ pinctrl-0 = <&bma180_pins>; + interrupt-parent = <&gpio4>; + interrupts = <19 IRQ_TYPE_LEVEL_HIGH>; /* GPIO_115 */ + }; +-- +2.33.0 + diff --git a/queue-5.15/arm-dts-qcom-msm8974-add-xo_board-reference-clock-to.patch b/queue-5.15/arm-dts-qcom-msm8974-add-xo_board-reference-clock-to.patch new file mode 100644 index 00000000000..1fc505eee88 --- /dev/null +++ b/queue-5.15/arm-dts-qcom-msm8974-add-xo_board-reference-clock-to.patch @@ -0,0 +1,40 @@ +From 4f2716372e924f0dd6074ddb8e3c2fcd5634bb3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Aug 2021 19:57:39 +0200 +Subject: ARM: dts: qcom: msm8974: Add xo_board reference clock to DSI0 PHY + +From: Marijn Suijten + +[ Upstream commit 8ccecf6c710b8c048eecc65709640642e5357d6e ] + +According to YAML validation, and for a future patchset putting this +xo_board reference clock to use as VCO reference parent, add the missing +clock to dsi_phy0. + +Fixes: 5a9fc531f6ec ("ARM: dts: msm8974: add display support") +Signed-off-by: Marijn Suijten +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20210830175739.143401-1-marijn.suijten@somainline.org +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-msm8974.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/qcom-msm8974.dtsi b/arch/arm/boot/dts/qcom-msm8974.dtsi +index 78ec496d5bc30..2b01bc29ddf23 100644 +--- a/arch/arm/boot/dts/qcom-msm8974.dtsi ++++ b/arch/arm/boot/dts/qcom-msm8974.dtsi +@@ -1589,8 +1589,8 @@ + #phy-cells = <0>; + qcom,dsi-phy-index = <0>; + +- clocks = <&mmcc MDSS_AHB_CLK>; +- clock-names = "iface"; ++ clocks = <&mmcc MDSS_AHB_CLK>, <&xo_board>; ++ clock-names = "iface", "ref"; + }; + }; + +-- +2.33.0 + diff --git a/queue-5.15/arm-dts-stm32-fix-av96-board-sai2-pin-muxing-on-stm3.patch b/queue-5.15/arm-dts-stm32-fix-av96-board-sai2-pin-muxing-on-stm3.patch new file mode 100644 index 00000000000..308f09fc584 --- /dev/null +++ b/queue-5.15/arm-dts-stm32-fix-av96-board-sai2-pin-muxing-on-stm3.patch @@ -0,0 +1,65 @@ +From 13421765ca6b79c6964a6f87a197b7af7018dd8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 11:03:04 +0200 +Subject: ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15 + +From: Olivier Moysan + +[ Upstream commit 1a9a9d226f0f0ef5d9bf588ab432e0d679bb1954 ] + +Fix SAI2A and SAI2B pin muxings for AV96 board on STM32MP15. +Change sai2a-4 & sai2a-5 to sai2a-2 & sai2a-2. +Change sai2a-4 & sai2a-sleep-5 to sai2b-2 & sai2b-sleep-2 + +Fixes: dcf185ca8175 ("ARM: dts: stm32: Add alternate pinmux for SAI2 pins on stm32mp15") + +Signed-off-by: Olivier Moysan +Reviewed-by: Marek Vasut +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32mp15-pinctrl.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/stm32mp15-pinctrl.dtsi b/arch/arm/boot/dts/stm32mp15-pinctrl.dtsi +index 5b60ecbd718f0..2ebafe27a865b 100644 +--- a/arch/arm/boot/dts/stm32mp15-pinctrl.dtsi ++++ b/arch/arm/boot/dts/stm32mp15-pinctrl.dtsi +@@ -1179,7 +1179,7 @@ + }; + }; + +- sai2a_pins_c: sai2a-4 { ++ sai2a_pins_c: sai2a-2 { + pins { + pinmux = , /* SAI2_SCK_A */ + , /* SAI2_SD_A */ +@@ -1190,7 +1190,7 @@ + }; + }; + +- sai2a_sleep_pins_c: sai2a-5 { ++ sai2a_sleep_pins_c: sai2a-2 { + pins { + pinmux = , /* SAI2_SCK_A */ + , /* SAI2_SD_A */ +@@ -1235,14 +1235,14 @@ + }; + }; + +- sai2b_pins_c: sai2a-4 { ++ sai2b_pins_c: sai2b-2 { + pins1 { + pinmux = ; /* SAI2_SD_B */ + bias-disable; + }; + }; + +- sai2b_sleep_pins_c: sai2a-sleep-5 { ++ sai2b_sleep_pins_c: sai2b-sleep-2 { + pins { + pinmux = ; /* SAI2_SD_B */ + }; +-- +2.33.0 + diff --git a/queue-5.15/arm-dts-stm32-fix-sai-sub-nodes-register-range.patch b/queue-5.15/arm-dts-stm32-fix-sai-sub-nodes-register-range.patch new file mode 100644 index 00000000000..7489c6ea702 --- /dev/null +++ b/queue-5.15/arm-dts-stm32-fix-sai-sub-nodes-register-range.patch @@ -0,0 +1,102 @@ +From 24b24a6bca3754c45b2641c2004b0e95ae88da2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 18:02:21 +0200 +Subject: ARM: dts: stm32: fix SAI sub nodes register range + +From: Olivier Moysan + +[ Upstream commit 6f87a74d31277f0896dcf8c0850ec14bde03c423 ] + +The STM32 SAI subblocks registers offsets are in the range +0x0004 (SAIx_CR1) to 0x0020 (SAIx_DR). +The corresponding range length is 0x20 instead of 0x1c. +Change reg property accordingly. + +Fixes: 5afd65c3a060 ("ARM: dts: stm32: add sai support on stm32mp157c") + +Signed-off-by: Olivier Moysan +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32mp151.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/stm32mp151.dtsi b/arch/arm/boot/dts/stm32mp151.dtsi +index bd289bf5d2690..6992a4b0ba79b 100644 +--- a/arch/arm/boot/dts/stm32mp151.dtsi ++++ b/arch/arm/boot/dts/stm32mp151.dtsi +@@ -824,7 +824,7 @@ + #sound-dai-cells = <0>; + + compatible = "st,stm32-sai-sub-a"; +- reg = <0x4 0x1c>; ++ reg = <0x4 0x20>; + clocks = <&rcc SAI1_K>; + clock-names = "sai_ck"; + dmas = <&dmamux1 87 0x400 0x01>; +@@ -834,7 +834,7 @@ + sai1b: audio-controller@4400a024 { + #sound-dai-cells = <0>; + compatible = "st,stm32-sai-sub-b"; +- reg = <0x24 0x1c>; ++ reg = <0x24 0x20>; + clocks = <&rcc SAI1_K>; + clock-names = "sai_ck"; + dmas = <&dmamux1 88 0x400 0x01>; +@@ -855,7 +855,7 @@ + sai2a: audio-controller@4400b004 { + #sound-dai-cells = <0>; + compatible = "st,stm32-sai-sub-a"; +- reg = <0x4 0x1c>; ++ reg = <0x4 0x20>; + clocks = <&rcc SAI2_K>; + clock-names = "sai_ck"; + dmas = <&dmamux1 89 0x400 0x01>; +@@ -865,7 +865,7 @@ + sai2b: audio-controller@4400b024 { + #sound-dai-cells = <0>; + compatible = "st,stm32-sai-sub-b"; +- reg = <0x24 0x1c>; ++ reg = <0x24 0x20>; + clocks = <&rcc SAI2_K>; + clock-names = "sai_ck"; + dmas = <&dmamux1 90 0x400 0x01>; +@@ -886,7 +886,7 @@ + sai3a: audio-controller@4400c004 { + #sound-dai-cells = <0>; + compatible = "st,stm32-sai-sub-a"; +- reg = <0x04 0x1c>; ++ reg = <0x04 0x20>; + clocks = <&rcc SAI3_K>; + clock-names = "sai_ck"; + dmas = <&dmamux1 113 0x400 0x01>; +@@ -896,7 +896,7 @@ + sai3b: audio-controller@4400c024 { + #sound-dai-cells = <0>; + compatible = "st,stm32-sai-sub-b"; +- reg = <0x24 0x1c>; ++ reg = <0x24 0x20>; + clocks = <&rcc SAI3_K>; + clock-names = "sai_ck"; + dmas = <&dmamux1 114 0x400 0x01>; +@@ -1271,7 +1271,7 @@ + sai4a: audio-controller@50027004 { + #sound-dai-cells = <0>; + compatible = "st,stm32-sai-sub-a"; +- reg = <0x04 0x1c>; ++ reg = <0x04 0x20>; + clocks = <&rcc SAI4_K>; + clock-names = "sai_ck"; + dmas = <&dmamux1 99 0x400 0x01>; +@@ -1281,7 +1281,7 @@ + sai4b: audio-controller@50027024 { + #sound-dai-cells = <0>; + compatible = "st,stm32-sai-sub-b"; +- reg = <0x24 0x1c>; ++ reg = <0x24 0x20>; + clocks = <&rcc SAI4_K>; + clock-names = "sai_ck"; + dmas = <&dmamux1 100 0x400 0x01>; +-- +2.33.0 + diff --git a/queue-5.15/arm-dts-stm32-fix-stusb1600-type-c-irq-level-on-stm3.patch b/queue-5.15/arm-dts-stm32-fix-stusb1600-type-c-irq-level-on-stm3.patch new file mode 100644 index 00000000000..d513a28e3a9 --- /dev/null +++ b/queue-5.15/arm-dts-stm32-fix-stusb1600-type-c-irq-level-on-stm3.patch @@ -0,0 +1,37 @@ +From f2e58f335c5a778b5a324904cc5982814ae221b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 15:34:49 +0200 +Subject: ARM: dts: stm32: fix STUSB1600 Type-C irq level on stm32mp15xx-dkx + +From: Fabrice Gasnier + +[ Upstream commit 3d4fb3d4c431f45272bf8c308d3cbe030817f046 ] + +STUSB1600 IRQ (Alert pin) is active low (open drain). Interrupts may get +lost currently, so fix the IRQ type. + +Fixes: 83686162c0eb ("ARM: dts: stm32: add STUSB1600 Type-C using I2C4 on stm32mp15xx-dkx") + +Signed-off-by: Fabrice Gasnier +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32mp15xx-dkx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/stm32mp15xx-dkx.dtsi b/arch/arm/boot/dts/stm32mp15xx-dkx.dtsi +index 899bfe04aeb91..48beed0f1f30a 100644 +--- a/arch/arm/boot/dts/stm32mp15xx-dkx.dtsi ++++ b/arch/arm/boot/dts/stm32mp15xx-dkx.dtsi +@@ -249,7 +249,7 @@ + stusb1600@28 { + compatible = "st,stusb1600"; + reg = <0x28>; +- interrupts = <11 IRQ_TYPE_EDGE_FALLING>; ++ interrupts = <11 IRQ_TYPE_LEVEL_LOW>; + interrupt-parent = <&gpioi>; + pinctrl-names = "default"; + pinctrl-0 = <&stusb1600_pins_a>; +-- +2.33.0 + diff --git a/queue-5.15/arm-dts-stm32-reduce-dhcor-spi-nor-frequency-to-50-m.patch b/queue-5.15/arm-dts-stm32-reduce-dhcor-spi-nor-frequency-to-50-m.patch new file mode 100644 index 00000000000..00c75a9e640 --- /dev/null +++ b/queue-5.15/arm-dts-stm32-reduce-dhcor-spi-nor-frequency-to-50-m.patch @@ -0,0 +1,48 @@ +From 1009c50874745b42332d27be040c4279b1e2c71b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 14:13:24 +0200 +Subject: ARM: dts: stm32: Reduce DHCOR SPI NOR frequency to 50 MHz + +From: Marek Vasut + +[ Upstream commit 2012579b31293d0a8cf2024e9dab66810bf1a15e ] + +The SPI NOR is a bit further away from the SoC on DHCOR than on DHCOM, +which causes additional signal delay. At 108 MHz, this delay triggers +a sporadic issue where the first bit of RX data is not received by the +QSPI controller. + +There are two options of addressing this problem, either by using the +DLYB block to compensate the extra delay, or by reducing the QSPI bus +clock frequency. The former requires calibration and that is overly +complex, so opt for the second option. + +Fixes: 76045bc457104 ("ARM: dts: stm32: Add QSPI NOR on AV96") +Signed-off-by: Marek Vasut +Cc: Alexandre Torgue +Cc: Patrice Chotard +Cc: Patrick Delaunay +Cc: linux-stm32@st-md-mailman.stormreply.com +To: linux-arm-kernel@lists.infradead.org +Signed-off-by: Alexandre Torgue +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi +index 2b0ac605549d7..44ecc47085871 100644 +--- a/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi ++++ b/arch/arm/boot/dts/stm32mp15xx-dhcor-som.dtsi +@@ -202,7 +202,7 @@ + compatible = "jedec,spi-nor"; + reg = <0>; + spi-rx-bus-width = <4>; +- spi-max-frequency = <108000000>; ++ spi-max-frequency = <50000000>; + #address-cells = <1>; + #size-cells = <1>; + }; +-- +2.33.0 + diff --git a/queue-5.15/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch b/queue-5.15/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch new file mode 100644 index 00000000000..8469a3345ec --- /dev/null +++ b/queue-5.15/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch @@ -0,0 +1,60 @@ +From 73b340aae68cceb0fde66094a5cea74785bb85ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 20:35:57 +0800 +Subject: ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc() + +From: Jackie Liu + +[ Upstream commit 2aa717473ce96c93ae43a5dc8c23cedc8ce7dd9f ] + +The s3c24xx_init_intc() returns an error pointer upon failure, not NULL. +let's add an error pointer check in s3c24xx_handle_irq. + +s3c_intc[0] is not NULL or ERR, we can simplify the code. + +Fixes: 1f629b7a3ced ("ARM: S3C24XX: transform irq handling into a declarative form") +Signed-off-by: Jackie Liu +Link: https://lore.kernel.org/r/20210901123557.1043953-1-liu.yun@linux.dev +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/mach-s3c/irq-s3c24xx.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mach-s3c/irq-s3c24xx.c b/arch/arm/mach-s3c/irq-s3c24xx.c +index 3edc5f614eefc..c1c2f041ad3b1 100644 +--- a/arch/arm/mach-s3c/irq-s3c24xx.c ++++ b/arch/arm/mach-s3c/irq-s3c24xx.c +@@ -361,11 +361,25 @@ static inline int s3c24xx_handle_intc(struct s3c_irq_intc *intc, + static asmlinkage void __exception_irq_entry s3c24xx_handle_irq(struct pt_regs *regs) + { + do { +- if (likely(s3c_intc[0])) +- if (s3c24xx_handle_intc(s3c_intc[0], regs, 0)) +- continue; ++ /* ++ * For platform based machines, neither ERR nor NULL can happen here. ++ * The s3c24xx_handle_irq() will be set as IRQ handler iff this succeeds: ++ * ++ * s3c_intc[0] = s3c24xx_init_intc() ++ * ++ * If this fails, the next calls to s3c24xx_init_intc() won't be executed. ++ * ++ * For DT machine, s3c_init_intc_of() could set the IRQ handler without ++ * setting s3c_intc[0] only if it was called with num_ctrl=0. There is no ++ * such code path, so again the s3c_intc[0] will have a valid pointer if ++ * set_handle_irq() is called. ++ * ++ * Therefore in s3c24xx_handle_irq(), the s3c_intc[0] is always something. ++ */ ++ if (s3c24xx_handle_intc(s3c_intc[0], regs, 0)) ++ continue; + +- if (s3c_intc[2]) ++ if (!IS_ERR_OR_NULL(s3c_intc[2])) + if (s3c24xx_handle_intc(s3c_intc[2], regs, 64)) + continue; + +-- +2.33.0 + diff --git a/queue-5.15/arm64-arm64_ftr_reg-name-may-not-be-a-human-readable.patch b/queue-5.15/arm64-arm64_ftr_reg-name-may-not-be-a-human-readable.patch new file mode 100644 index 00000000000..04a4cacbf4a --- /dev/null +++ b/queue-5.15/arm64-arm64_ftr_reg-name-may-not-be-a-human-readable.patch @@ -0,0 +1,68 @@ +From 5e49ee1da1ca3bb37ecf7d48055bf07b43fbc5a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 21:54:21 -0700 +Subject: arm64: arm64_ftr_reg->name may not be a human-readable string + +From: Reiji Watanabe + +[ Upstream commit 9dc232a8ab18bb20f1dcb03c8e049e3607f3ed15 ] + +The id argument of ARM64_FTR_REG_OVERRIDE() is used for two purposes: +one as the system register encoding (used for the sys_id field of +__ftr_reg_entry), and the other as the register name (stringified +and used for the name field of arm64_ftr_reg), which is debug +information. The id argument is supposed to be a macro that +indicates an encoding of the register (eg. SYS_ID_AA64PFR0_EL1, etc). + +ARM64_FTR_REG(), which also has the same id argument, +uses ARM64_FTR_REG_OVERRIDE() and passes the id to the macro. +Since the id argument is completely macro-expanded before it is +substituted into a macro body of ARM64_FTR_REG_OVERRIDE(), +the stringified id in the body of ARM64_FTR_REG_OVERRIDE is not +a human-readable register name, but a string of numeric bitwise +operations. + +Fix this so that human-readable register names are available as +debug information. + +Fixes: 8f266a5d878a ("arm64: cpufeature: Add global feature override facility") +Signed-off-by: Reiji Watanabe +Reviewed-by: Oliver Upton +Acked-by: Marc Zyngier +Link: https://lore.kernel.org/r/20211101045421.2215822-1-reijiw@google.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/cpufeature.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c +index 6ec7036ef7e18..7553c98f379fc 100644 +--- a/arch/arm64/kernel/cpufeature.c ++++ b/arch/arm64/kernel/cpufeature.c +@@ -573,15 +573,19 @@ static const struct arm64_ftr_bits ftr_raz[] = { + ARM64_FTR_END, + }; + +-#define ARM64_FTR_REG_OVERRIDE(id, table, ovr) { \ ++#define __ARM64_FTR_REG_OVERRIDE(id_str, id, table, ovr) { \ + .sys_id = id, \ + .reg = &(struct arm64_ftr_reg){ \ +- .name = #id, \ ++ .name = id_str, \ + .override = (ovr), \ + .ftr_bits = &((table)[0]), \ + }} + +-#define ARM64_FTR_REG(id, table) ARM64_FTR_REG_OVERRIDE(id, table, &no_override) ++#define ARM64_FTR_REG_OVERRIDE(id, table, ovr) \ ++ __ARM64_FTR_REG_OVERRIDE(#id, id, table, ovr) ++ ++#define ARM64_FTR_REG(id, table) \ ++ __ARM64_FTR_REG_OVERRIDE(#id, id, table, &no_override) + + struct arm64_ftr_override __ro_after_init id_aa64mmfr1_override; + struct arm64_ftr_override __ro_after_init id_aa64pfr1_override; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-broadcom-bcm4908-fix-uart-clock-name.patch b/queue-5.15/arm64-dts-broadcom-bcm4908-fix-uart-clock-name.patch new file mode 100644 index 00000000000..fbed6cec408 --- /dev/null +++ b/queue-5.15/arm64-dts-broadcom-bcm4908-fix-uart-clock-name.patch @@ -0,0 +1,38 @@ +From 5c16b11bc912c29e16d4dd3a07ea414294564f66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 17:37:02 +0200 +Subject: arm64: dts: broadcom: bcm4908: Fix UART clock name +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +[ Upstream commit 6c38c39ab2141f53786d73e706675e8819a3f2cb ] + +According to the binding the correct clock name is "refclk". + +Fixes: 2961f69f151c ("arm64: dts: broadcom: add BCM4908 and Asus GT-AC5300 early DTS files") +Signed-off-by: Rafał Miłecki +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/broadcom/bcm4908/bcm4908.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/broadcom/bcm4908/bcm4908.dtsi b/arch/arm64/boot/dts/broadcom/bcm4908/bcm4908.dtsi +index a5a64d17d9ea6..f6b93bbb49228 100644 +--- a/arch/arm64/boot/dts/broadcom/bcm4908/bcm4908.dtsi ++++ b/arch/arm64/boot/dts/broadcom/bcm4908/bcm4908.dtsi +@@ -292,7 +292,7 @@ + reg = <0x640 0x18>; + interrupts = ; + clocks = <&periph_clk>; +- clock-names = "periph"; ++ clock-names = "refclk"; + status = "okay"; + }; + +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-meson-g12a-fix-the-pwm-regulator-supply-pr.patch b/queue-5.15/arm64-dts-meson-g12a-fix-the-pwm-regulator-supply-pr.patch new file mode 100644 index 00000000000..68f17343ed3 --- /dev/null +++ b/queue-5.15/arm64-dts-meson-g12a-fix-the-pwm-regulator-supply-pr.patch @@ -0,0 +1,75 @@ +From 3f551bf858f187ac184564afd4504e6e8673cba2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Sep 2021 20:29:09 +0000 +Subject: arm64: dts: meson-g12a: Fix the pwm regulator supply properties + +From: Anand Moon + +[ Upstream commit 085675117ecf5e02c4220698fd549024ec64ad2c ] + +After enabling CONFIG_REGULATOR_DEBUG=y we observe below debug logs. +Changes help link VDDCPU pwm regulator to 12V regulator supply +instead of dummy regulator. + +[ 11.602281] pwm-regulator regulator-vddcpu: Looking up pwm-supply property + in node /regulator-vddcpu failed +[ 11.602344] VDDCPU: supplied by regulator-dummy +[ 11.602365] regulator-dummy: could not add device link regulator.11: -ENOENT +[ 11.602548] VDDCPU: 721 <--> 1022 mV at 1022 mV, enabled + +Fixes: e9bc0765cc12 ("arm64: dts: meson-g12a: enable DVFS on G12A boards") + +Cc: Neil Armstrong +Signed-off-by: Anand Moon +Reviewed-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20210919202918.3556-2-linux.amoon@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts | 2 +- + arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts | 2 +- + arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts b/arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts +index 81269ccc24968..d8838dde0f0f4 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-g12a-sei510.dts +@@ -139,7 +139,7 @@ + regulator-min-microvolt = <721000>; + regulator-max-microvolt = <1022000>; + +- vin-supply = <&dc_in>; ++ pwm-supply = <&dc_in>; + + pwms = <&pwm_AO_cd 1 1250 0>; + pwm-dutycycle-range = <100 0>; +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts b/arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts +index a26bfe72550fe..4b5d11e56364d 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-g12a-u200.dts +@@ -139,7 +139,7 @@ + regulator-min-microvolt = <721000>; + regulator-max-microvolt = <1022000>; + +- vin-supply = <&main_12v>; ++ pwm-supply = <&main_12v>; + + pwms = <&pwm_AO_cd 1 1250 0>; + pwm-dutycycle-range = <100 0>; +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts b/arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts +index 579f3d02d613e..b4e86196e3468 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-g12a-x96-max.dts +@@ -139,7 +139,7 @@ + regulator-min-microvolt = <721000>; + regulator-max-microvolt = <1022000>; + +- vin-supply = <&dc_in>; ++ pwm-supply = <&dc_in>; + + pwms = <&pwm_AO_cd 1 1250 0>; + pwm-dutycycle-range = <100 0>; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-meson-g12b-fix-the-pwm-regulator-supply-pr.patch b/queue-5.15/arm64-dts-meson-g12b-fix-the-pwm-regulator-supply-pr.patch new file mode 100644 index 00000000000..1ef702035da --- /dev/null +++ b/queue-5.15/arm64-dts-meson-g12b-fix-the-pwm-regulator-supply-pr.patch @@ -0,0 +1,110 @@ +From 0723d85c9d7cd40ddbaf9090eae04df568a0edac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Sep 2021 20:29:10 +0000 +Subject: arm64: dts: meson-g12b: Fix the pwm regulator supply properties + +From: Anand Moon + +[ Upstream commit 62183863f708c2464769e0d477c8ce9f3d326feb ] + +After enabling CONFIG_REGULATOR_DEBUG=y we observer below debug logs. +Changes help link VDDCP_A and VDDCPU_B pwm regulator to 12V regulator +supply instead of dummy regulator. + +[ 4.147196] VDDCPU_A: will resolve supply early: pwm +[ 4.147216] pwm-regulator regulator-vddcpu-a: Looking up pwm-supply from device tree +[ 4.147227] pwm-regulator regulator-vddcpu-a: Looking up pwm-supply property in node /regulator-vddcpu-a failed +[ 4.147258] VDDCPU_A: supplied by regulator-dummy +[ 4.147288] regulator-dummy: could not add device link regulator.12: -ENOENT +[ 4.147353] VDDCPU_A: 721 <--> 1022 mV at 871 mV, enabled +[ 4.152014] VDDCPU_B: will resolve supply early: pwm +[ 4.152035] pwm-regulator regulator-vddcpu-b: Looking up pwm-supply from device tree +[ 4.152047] pwm-regulator regulator-vddcpu-b: Looking up pwm-supply property in node /regulator-vddcpu-b failed +[ 4.152079] VDDCPU_B: supplied by regulator-dummy +[ 4.152108] regulator-dummy: could not add device link regulator.13: -ENOENT + +Fixes: c6d29c66e582 ("arm64: dts: meson-g12b-khadas-vim3: add initial device-tree") +Fixes: d14734a04a8a ("arm64: dts: meson-g12b-odroid-n2: enable DVFS") +Fixes: 3cb74db9b256 ("arm64: dts: meson: convert ugoos-am6 to common w400 dtsi") + +Cc: Neil Armstrong +Signed-off-by: Anand Moon +Reviewed-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20210919202918.3556-3-linux.amoon@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi | 4 ++-- + arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi | 4 ++-- + arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi | 4 ++-- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi +index f42cf4b8af2d4..16dd409051b40 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-g12b-khadas-vim3.dtsi +@@ -18,7 +18,7 @@ + regulator-min-microvolt = <690000>; + regulator-max-microvolt = <1050000>; + +- vin-supply = <&dc_in>; ++ pwm-supply = <&dc_in>; + + pwms = <&pwm_ab 0 1250 0>; + pwm-dutycycle-range = <100 0>; +@@ -37,7 +37,7 @@ + regulator-min-microvolt = <690000>; + regulator-max-microvolt = <1050000>; + +- vin-supply = <&vsys_3v3>; ++ pwm-supply = <&vsys_3v3>; + + pwms = <&pwm_AO_cd 1 1250 0>; + pwm-dutycycle-range = <100 0>; +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi +index 344573e157a7b..4f33820aba1f1 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dtsi +@@ -130,7 +130,7 @@ + regulator-min-microvolt = <721000>; + regulator-max-microvolt = <1022000>; + +- vin-supply = <&main_12v>; ++ pwm-supply = <&main_12v>; + + pwms = <&pwm_ab 0 1250 0>; + pwm-dutycycle-range = <100 0>; +@@ -149,7 +149,7 @@ + regulator-min-microvolt = <721000>; + regulator-max-microvolt = <1022000>; + +- vin-supply = <&main_12v>; ++ pwm-supply = <&main_12v>; + + pwms = <&pwm_AO_cd 1 1250 0>; + pwm-dutycycle-range = <100 0>; +diff --git a/arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi +index feb0885047400..b40d2c1002c92 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-g12b-w400.dtsi +@@ -96,7 +96,7 @@ + regulator-min-microvolt = <721000>; + regulator-max-microvolt = <1022000>; + +- vin-supply = <&main_12v>; ++ pwm-supply = <&main_12v>; + + pwms = <&pwm_ab 0 1250 0>; + pwm-dutycycle-range = <100 0>; +@@ -115,7 +115,7 @@ + regulator-min-microvolt = <721000>; + regulator-max-microvolt = <1022000>; + +- vin-supply = <&main_12v>; ++ pwm-supply = <&main_12v>; + + pwms = <&pwm_AO_cd 1 1250 0>; + pwm-dutycycle-range = <100 0>; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-meson-sm1-add-ethernet-phy-reset-line-for-.patch b/queue-5.15/arm64-dts-meson-sm1-add-ethernet-phy-reset-line-for-.patch new file mode 100644 index 00000000000..d334ce41f3a --- /dev/null +++ b/queue-5.15/arm64-dts-meson-sm1-add-ethernet-phy-reset-line-for-.patch @@ -0,0 +1,50 @@ +From 3ad54c3221b429db446b71f15ea50db9b06bd7ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 12:28:32 +0900 +Subject: arm64: dts: meson: sm1: add Ethernet PHY reset line for ODROID-C4/HC4 + +From: Dongjin Kim + +[ Upstream commit 9d02214f8332d5dbbcce3d6c5c915e54d43a0c46 ] + +This patch is to fix an issue that the ethernet link doesn't come up +when using ip link set down/up: + [ 11.428114] meson8b-dwmac ff3f0000.ethernet eth0: Link is Down + [ 14.428595] meson8b-dwmac ff3f0000.ethernet eth0: PHY [0.0:00] driver [RTL8211F Gigabit Ethernet] (irq=31) + [ 14.428610] meson8b-dwmac ff3f0000.ethernet: Failed to reset the dma + [ 14.428974] meson8b-dwmac ff3f0000.ethernet eth0: stmmac_hw_setup: DMA engine initialization failed + [ 14.711185] meson8b-dwmac ff3f0000.ethernet eth0: stmmac_open: Hw setup failed + +This fix refers to two commits applied for ODROID-N2 (G12B). + commit 658e4129bb81 ("arm64: dts: meson: g12b: odroid-n2: add the Ethernet PHY reset line") + commit 1c7412530d5d0 ("arm64: dts: meson: g12b: odroid-n2: fix PHY deassert timing requirements") + +Fixes: 88d537bc92ca ("arm64: dts: meson: convert meson-sm1-odroid-c4 to dtsi") +Signed-off-by: Dongjin Kim +Reviewed-by: Martin Blumenstingl +[narmstrong: added fixes tag and typo in commit log] +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/YScKYFWlYymgGw3l@anyang-linuxfactory-or-kr +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi b/arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi +index fd0ad85c165ba..45e7fcb062f96 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi +@@ -263,6 +263,10 @@ + reg = <0>; + max-speed = <1000>; + ++ reset-assert-us = <10000>; ++ reset-deassert-us = <80000>; ++ reset-gpios = <&gpio GPIOZ_15 (GPIO_ACTIVE_LOW | GPIO_OPEN_DRAIN)>; ++ + interrupt-parent = <&gpio_intc>; + /* MAC_INTR on GPIOZ_14 */ + interrupts = <26 IRQ_TYPE_LEVEL_LOW>; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-meson-sm1-fix-the-pwm-regulator-supply-pro.patch b/queue-5.15/arm64-dts-meson-sm1-fix-the-pwm-regulator-supply-pro.patch new file mode 100644 index 00000000000..def29906ea4 --- /dev/null +++ b/queue-5.15/arm64-dts-meson-sm1-fix-the-pwm-regulator-supply-pro.patch @@ -0,0 +1,92 @@ +From c9ac13b5767c7a6cd44b6561465936a62f2aeba0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Sep 2021 20:29:11 +0000 +Subject: arm64: dts: meson-sm1: Fix the pwm regulator supply properties + +From: Anand Moon + +[ Upstream commit 0b26fa8a02c2834f1fa8a206a285b9f84c4ad764 ] + +After enabling CONFIG_REGULATOR_DEBUG=y we observe below debug logs. +Changes help link VDDCPU pwm regulator to 12V regulator supply +instead of dummy regulator. + +[ 11.602281] pwm-regulator regulator-vddcpu: Looking up pwm-supply property + in node /regulator-vddcpu failed +[ 11.602344] VDDCPU: supplied by regulator-dummy +[ 11.602365] regulator-dummy: could not add device link regulator.11: -ENOENT +[ 11.602548] VDDCPU: 721 <--> 1022 mV at 1022 mV, enabled + +Fixes: 88d537bc92ca ("arm64: dts: meson: convert meson-sm1-odroid-c4 to dtsi") +Fixes: 700ab8d83927 ("arm64: dts: khadas-vim3: add support for the SM1 based VIM3L") +Fixes: 3d9e76483049 ("arm64: dts: meson-sm1-sei610: enable DVFS") +Fixes: 976e920183e4 ("arm64: dts: meson-sm1: add Banana PI BPI-M5 board dts") + +Cc: Neil Armstrong +Signed-off-by: Anand Moon +Reviewed-by: Martin Blumenstingl +Signed-off-by: Neil Armstrong +Link: https://lore.kernel.org/r/20210919202918.3556-4-linux.amoon@gmail.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-sm1-bananapi-m5.dts | 2 +- + arch/arm64/boot/dts/amlogic/meson-sm1-khadas-vim3l.dts | 2 +- + arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi | 2 +- + arch/arm64/boot/dts/amlogic/meson-sm1-sei610.dts | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-sm1-bananapi-m5.dts b/arch/arm64/boot/dts/amlogic/meson-sm1-bananapi-m5.dts +index effaa138b5f98..212c6aa5a3b86 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-sm1-bananapi-m5.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-sm1-bananapi-m5.dts +@@ -173,7 +173,7 @@ + regulator-min-microvolt = <690000>; + regulator-max-microvolt = <1050000>; + +- vin-supply = <&dc_in>; ++ pwm-supply = <&dc_in>; + + pwms = <&pwm_AO_cd 1 1250 0>; + pwm-dutycycle-range = <100 0>; +diff --git a/arch/arm64/boot/dts/amlogic/meson-sm1-khadas-vim3l.dts b/arch/arm64/boot/dts/amlogic/meson-sm1-khadas-vim3l.dts +index f2c0981435944..9c0b544e22098 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-sm1-khadas-vim3l.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-sm1-khadas-vim3l.dts +@@ -24,7 +24,7 @@ + regulator-min-microvolt = <690000>; + regulator-max-microvolt = <1050000>; + +- vin-supply = <&vsys_3v3>; ++ pwm-supply = <&vsys_3v3>; + + pwms = <&pwm_AO_cd 1 1250 0>; + pwm-dutycycle-range = <100 0>; +diff --git a/arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi b/arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi +index 45e7fcb062f96..5779e70caccd3 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-sm1-odroid.dtsi +@@ -116,7 +116,7 @@ + regulator-min-microvolt = <721000>; + regulator-max-microvolt = <1022000>; + +- vin-supply = <&main_12v>; ++ pwm-supply = <&main_12v>; + + pwms = <&pwm_AO_cd 1 1250 0>; + pwm-dutycycle-range = <100 0>; +diff --git a/arch/arm64/boot/dts/amlogic/meson-sm1-sei610.dts b/arch/arm64/boot/dts/amlogic/meson-sm1-sei610.dts +index 2194a778973f1..427475846fc70 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-sm1-sei610.dts ++++ b/arch/arm64/boot/dts/amlogic/meson-sm1-sei610.dts +@@ -185,7 +185,7 @@ + regulator-min-microvolt = <690000>; + regulator-max-microvolt = <1050000>; + +- vin-supply = <&dc_in>; ++ pwm-supply = <&dc_in>; + + pwms = <&pwm_AO_cd 1 1500 0>; + pwm-dutycycle-range = <100 0>; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-qcom-msm8916-fix-secondary-mi2s-bit-clock.patch b/queue-5.15/arm64-dts-qcom-msm8916-fix-secondary-mi2s-bit-clock.patch new file mode 100644 index 00000000000..2fe52228731 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-msm8916-fix-secondary-mi2s-bit-clock.patch @@ -0,0 +1,65 @@ +From a58438e7468b245ccf35d09d71aa719389c2ac78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 20:18:10 +0200 +Subject: arm64: dts: qcom: msm8916: Fix Secondary MI2S bit clock + +From: Stephan Gerhold + +[ Upstream commit 8199a0b31e76d158ac14841e7119890461f8c595 ] + +At the moment, playing audio on Secondary MI2S will just end up getting +stuck, without actually playing any audio. This happens because the wrong +bit clock is configured when playing audio on Secondary MI2S. + +The PRI_I2S_CLK (better name: SPKR_I2S_CLK) is used by the SPKR audio mux +block that provides both Primary and Secondary MI2S. + +The SEC_I2S_CLK (better name: MIC_I2S_CLK) is used by the MIC audio mux +block that provides Tertiary MI2S. Quaternary MI2S is also part of the +MIC audio mux but has its own clock (AUX_I2S_CLK). + +This means that (quite confusingly) the SEC_I2S_CLK is not actually +used for Secondary MI2S as the name would suggest. Secondary MI2S +needs to have the same clock as Primary MI2S configured. + +Fix the clock list for the lpass node in the device tree and add +a comment to clarify this confusing naming. With these changes, +audio can be played correctly on Secondary MI2S. + +Cc: Srinivas Kandagatla +Fixes: 3761a3618f55 ("arm64: dts: qcom: add lpass node") +Tested-by: Vincent Knecht +Signed-off-by: Stephan Gerhold +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20210816181810.2242-1-stephan@gerhold.net +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index 3f85e34a8ce6f..fbff712639513 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -1384,11 +1384,17 @@ + lpass: audio-controller@7708000 { + status = "disabled"; + compatible = "qcom,lpass-cpu-apq8016"; ++ ++ /* ++ * Note: Unlike the name would suggest, the SEC_I2S_CLK ++ * is actually only used by Tertiary MI2S while ++ * Primary/Secondary MI2S both use the PRI_I2S_CLK. ++ */ + clocks = <&gcc GCC_ULTAUDIO_AHBFABRIC_IXFABRIC_CLK>, + <&gcc GCC_ULTAUDIO_PCNOC_MPORT_CLK>, + <&gcc GCC_ULTAUDIO_PCNOC_SWAY_CLK>, + <&gcc GCC_ULTAUDIO_LPAIF_PRI_I2S_CLK>, +- <&gcc GCC_ULTAUDIO_LPAIF_SEC_I2S_CLK>, ++ <&gcc GCC_ULTAUDIO_LPAIF_PRI_I2S_CLK>, + <&gcc GCC_ULTAUDIO_LPAIF_SEC_I2S_CLK>, + <&gcc GCC_ULTAUDIO_LPAIF_AUX_I2S_CLK>; + +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-qcom-pm8916-remove-wrong-reg-names-for-rtc.patch b/queue-5.15/arm64-dts-qcom-pm8916-remove-wrong-reg-names-for-rtc.patch new file mode 100644 index 00000000000..be41b3a9d86 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-pm8916-remove-wrong-reg-names-for-rtc.patch @@ -0,0 +1,46 @@ +From 9401afce5c06e52e8ea85c4e692ec1f6c2bdb680 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 13:29:43 +0200 +Subject: arm64: dts: qcom: pm8916: Remove wrong reg-names for rtc@6000 + +From: Stephan Gerhold + +[ Upstream commit 483de2b44cd3a168458f8f9ff237e78a434729bc ] + +While removing the size from the "reg" properties in pm8916.dtsi, +commit bd6429e81010 ("ARM64: dts: qcom: Remove size elements from +pmic reg properties") mistakenly also removed the second register +address for the rtc@6000 device. That one did not represent the size +of the register region but actually the address of the second "alarm" +register region of the rtc@6000 device. + +Now there are "reg-names" for two "reg" elements, but there is actually +only one "reg" listed. + +Since the DT schema for "qcom,pm8941-rtc" only expects one "reg" +element anyway, just drop the "reg-names" entirely to fix this. + +Fixes: bd6429e81010 ("ARM64: dts: qcom: Remove size elements from pmic reg properties") +Signed-off-by: Stephan Gerhold +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20210928112945.25310-1-stephan@gerhold.net +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pm8916.dtsi | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/pm8916.dtsi b/arch/arm64/boot/dts/qcom/pm8916.dtsi +index f931cb0de231f..42180f1b5dbbb 100644 +--- a/arch/arm64/boot/dts/qcom/pm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/pm8916.dtsi +@@ -86,7 +86,6 @@ + rtc@6000 { + compatible = "qcom,pm8941-rtc"; + reg = <0x6000>; +- reg-names = "rtc", "alarm"; + interrupts = <0x0 0x61 0x1 IRQ_TYPE_EDGE_RISING>; + }; + +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-qcom-pmi8994-fix-eternal-external-typo-in-.patch b/queue-5.15/arm64-dts-qcom-pmi8994-fix-eternal-external-typo-in-.patch new file mode 100644 index 00000000000..3b503e69185 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-pmi8994-fix-eternal-external-typo-in-.patch @@ -0,0 +1,41 @@ +From 998a2808906751afc5ce12db9d7942b06ff4533e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 23:33:57 +0200 +Subject: arm64: dts: qcom: pmi8994: Fix "eternal"->"external" typo in WLED + node + +From: Marijn Suijten + +[ Upstream commit b110dfa5ad42be93ebf73540d16430878dfb26bb ] + +The property is named "qcom,external-pfet", as found by +dt_binding_check: + + 'qcom,eternal-pfet' does not match any of the regexes + +Fixes: 37aa540cbd30 ("arm64: dts: qcom: pmi8994: Add WLED node") +Signed-off-by: Marijn Suijten +Reviewed-By: AngeloGioacchino Del Regno +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211007213400.258371-11-marijn.suijten@somainline.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/pmi8994.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/pmi8994.dtsi b/arch/arm64/boot/dts/qcom/pmi8994.dtsi +index b4ac900ab115f..a06ea9adae810 100644 +--- a/arch/arm64/boot/dts/qcom/pmi8994.dtsi ++++ b/arch/arm64/boot/dts/qcom/pmi8994.dtsi +@@ -42,7 +42,7 @@ + /* Yes, all four strings *have to* be defined or things won't work. */ + qcom,enabled-strings = <0 1 2 3>; + qcom,cabc; +- qcom,eternal-pfet; ++ qcom,external-pfet; + status = "disabled"; + }; + }; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-qcom-sc7180-base-dynamic-cpu-power-coeffic.patch b/queue-5.15/arm64-dts-qcom-sc7180-base-dynamic-cpu-power-coeffic.patch new file mode 100644 index 00000000000..4a3cfa77370 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sc7180-base-dynamic-cpu-power-coeffic.patch @@ -0,0 +1,357 @@ +From fe9d42004e4f28800d0ab93c9f30b074b762cec4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 14:51:37 -0700 +Subject: arm64: dts: qcom: sc7180: Base dynamic CPU power coefficients in + reality + +From: Douglas Anderson + +[ Upstream commit 82ea7d411d43f60dce878252558e926f957109f0 ] + +The sc7180's dynamic-power-coefficient violates the device tree bindings. +The bindings (arm/cpus.yaml) say that the units for the +dynamic-power-coefficient are supposed to be "uW/MHz/V^2". The ones for +sc7180 aren't this. Qualcomm arbitrarily picked 100 for the "little" CPUs +and then picked a number for the big CPU based on this. + +At the time, there was a giant dicussion about this. Apparently Qualcomm +Engineers were instructed not to share the actual numbers here. As part +of the discussion, I pointed out [1] that these numbers shouldn't really +be secret since once a device is shipping anyone can just run a script +and produce them. This patch is the result of running the script I posted +in that discussion on sc7180-trogdor-coachz, which is currently available +for purchase by consumers. + +[1] https://lore.kernel.org/r/CAD=FV=U1FP0e3_AVHpauUUZtD-5X3XCwh5aT9fH_8S_FFML2Uw@mail.gmail.com/ + +I ran the script four times, measuring little, big, little, big. I used +the 64-bit version of dhrystone 2.2 in my test. I got these results: + +576 kHz, 596 mV, 20 mW, 88 Cx +768 kHz, 596 mV, 32 mW, 122 Cx +1017 kHz, 660 mV, 45 mW, 97 Cx +1248 kHz, 720 mV, 87 mW, 139 Cx +1324 kHz, 756 mV, 109 mW, 148 Cx +1516 kHz, 828 mV, 150 mW, 148 Cx +1612 kHz, 884 mV, 182 mW, 147 Cx +1708 kHz, 884 mV, 192 mW, 146 Cx +1804 kHz, 884 mV, 207 mW, 149 Cx +Your dynamic-power-coefficient for cpu 0: 132 + +825 kHz, 596 mV, 142 mW, 401 Cx +979 kHz, 628 mV, 183 mW, 427 Cx +1113 kHz, 656 mV, 224 mW, 433 Cx +1267 kHz, 688 mV, 282 mW, 449 Cx +1555 kHz, 812 mV, 475 mW, 450 Cx +1708 kHz, 828 mV, 566 mW, 478 Cx +1843 kHz, 884 mV, 692 mW, 476 Cx +1900 kHz, 884 mV, 722 mW, 482 Cx +1996 kHz, 916 mV, 814 mW, 482 Cx +2112 kHz, 916 mV, 862 mW, 483 Cx +2208 kHz, 916 mV, 962 mW, 521 Cx +2323 kHz, 940 mV, 1060 mW, 517 Cx +2400 kHz, 956 mV, 1133 mW, 518 Cx +Your dynamic-power-coefficient for cpu 6: 471 + +576 kHz, 596 mV, 26 mW, 103 Cx +768 kHz, 596 mV, 40 mW, 147 Cx +1017 kHz, 660 mV, 54 mW, 114 Cx +1248 kHz, 720 mV, 97 mW, 151 Cx +1324 kHz, 756 mV, 113 mW, 150 Cx +1516 kHz, 828 mV, 154 mW, 148 Cx +1612 kHz, 884 mV, 194 mW, 155 Cx +1708 kHz, 884 mV, 203 mW, 152 Cx +1804 kHz, 884 mV, 219 mW, 155 Cx +Your dynamic-power-coefficient for cpu 0: 142 + +825 kHz, 596 mV, 148 mW, 530 Cx +979 kHz, 628 mV, 189 mW, 475 Cx +1113 kHz, 656 mV, 230 mW, 461 Cx +1267 kHz, 688 mV, 287 mW, 466 Cx +1555 kHz, 812 mV, 469 mW, 445 Cx +1708 kHz, 828 mV, 567 mW, 480 Cx +1843 kHz, 884 mV, 699 mW, 482 Cx +1900 kHz, 884 mV, 719 mW, 480 Cx +1996 kHz, 916 mV, 814 mW, 484 Cx +2112 kHz, 916 mV, 861 mW, 483 Cx +2208 kHz, 916 mV, 963 mW, 522 Cx +2323 kHz, 940 mV, 1063 mW, 520 Cx +2400 kHz, 956 mV, 1135 mW, 519 Cx +Your dynamic-power-coefficient for cpu 6: 489 + +As you can see, the calculations aren't perfectly consistent but +roughly you could say about 480 for big and 137 for little. + +The ratio between these numbers isn't quite the same as the ratio +between the two numbers that Qualcomm used. Perhaps this is because +Qualcomm measured something slightly different than the 64-bit version +of dhrystone 2.2 or perhaps it's because they fudged these numbers a +bit (and fudged the capacity-dmips-mhz). As per discussion [2], let's +use the numbers I came up with and also un-fudge +capacity-dmips-mhz. While unfudging capacity-dmips-mhz, let's scale it +so that bigs are 1024 which seems to be the common practice. + +In general these numbers don't need to be perfectly exact. In fact, +they can't be since the CPU power depends a lot on what's being run on +the CPU and the big/little CPUs are each more or less efficient in +different operations. Historically running the 32-bit vs. 64-bit +versions of dhrystone produced notably different numbers, though I +didn't test this time. + +We also need to scale all of the sustainable-power numbers by the same +amount. I scale ones related to the big CPUs by the adjustment I made +to the big dynamic-power-coefficient and the ones related to the +little CPUs by the adjustment I made to the little +dynamic-power-coefficient. + +[2] https://lore.kernel.org/r/0a865b6e-be34-6371-f9f2-9913ee1c5608@codeaurora.org/ + +Fixes: 71f873169a80 ("arm64: dts: qcom: sc7180: Add dynamic CPU power coefficients") +Signed-off-by: Douglas Anderson +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20210902145127.v2.1.I049b30065f3c715234b6303f55d72c059c8625eb@changeid +Signed-off-by: Sasha Levin +--- + .../boot/dts/qcom/sc7180-trogdor-coachz.dtsi | 2 +- + .../boot/dts/qcom/sc7180-trogdor-pompom.dtsi | 8 +-- + arch/arm64/boot/dts/qcom/sc7180.dtsi | 52 +++++++++---------- + 3 files changed, 31 insertions(+), 31 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz.dtsi b/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz.dtsi +index a758e4d226122..81098aa9687ba 100644 +--- a/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7180-trogdor-coachz.dtsi +@@ -33,7 +33,7 @@ ap_h1_spi: &spi0 {}; + polling-delay = <0>; + + thermal-sensors = <&pm6150_adc_tm 1>; +- sustainable-power = <814>; ++ sustainable-power = <965>; + + trips { + skin_temp_alert0: trip-point0 { +diff --git a/arch/arm64/boot/dts/qcom/sc7180-trogdor-pompom.dtsi b/arch/arm64/boot/dts/qcom/sc7180-trogdor-pompom.dtsi +index a246dbd74cc11..b7b5264888b7c 100644 +--- a/arch/arm64/boot/dts/qcom/sc7180-trogdor-pompom.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7180-trogdor-pompom.dtsi +@@ -44,7 +44,7 @@ ap_h1_spi: &spi0 {}; + }; + + &cpu6_thermal { +- sustainable-power = <948>; ++ sustainable-power = <1124>; + }; + + &cpu7_alert0 { +@@ -56,7 +56,7 @@ ap_h1_spi: &spi0 {}; + }; + + &cpu7_thermal { +- sustainable-power = <948>; ++ sustainable-power = <1124>; + }; + + &cpu8_alert0 { +@@ -68,7 +68,7 @@ ap_h1_spi: &spi0 {}; + }; + + &cpu8_thermal { +- sustainable-power = <948>; ++ sustainable-power = <1124>; + }; + + &cpu9_alert0 { +@@ -80,7 +80,7 @@ ap_h1_spi: &spi0 {}; + }; + + &cpu9_thermal { +- sustainable-power = <948>; ++ sustainable-power = <1124>; + }; + + &gpio_keys { +diff --git a/arch/arm64/boot/dts/qcom/sc7180.dtsi b/arch/arm64/boot/dts/qcom/sc7180.dtsi +index c8921e2d6480f..495c15deacb7d 100644 +--- a/arch/arm64/boot/dts/qcom/sc7180.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7180.dtsi +@@ -137,8 +137,8 @@ + cpu-idle-states = <&LITTLE_CPU_SLEEP_0 + &LITTLE_CPU_SLEEP_1 + &CLUSTER_SLEEP_0>; +- capacity-dmips-mhz = <1024>; +- dynamic-power-coefficient = <100>; ++ capacity-dmips-mhz = <415>; ++ dynamic-power-coefficient = <137>; + operating-points-v2 = <&cpu0_opp_table>; + interconnects = <&gem_noc MASTER_APPSS_PROC 3 &mc_virt SLAVE_EBI1 3>, + <&osm_l3 MASTER_OSM_L3_APPS &osm_l3 SLAVE_OSM_L3>; +@@ -162,8 +162,8 @@ + cpu-idle-states = <&LITTLE_CPU_SLEEP_0 + &LITTLE_CPU_SLEEP_1 + &CLUSTER_SLEEP_0>; +- capacity-dmips-mhz = <1024>; +- dynamic-power-coefficient = <100>; ++ capacity-dmips-mhz = <415>; ++ dynamic-power-coefficient = <137>; + next-level-cache = <&L2_100>; + operating-points-v2 = <&cpu0_opp_table>; + interconnects = <&gem_noc MASTER_APPSS_PROC 3 &mc_virt SLAVE_EBI1 3>, +@@ -184,8 +184,8 @@ + cpu-idle-states = <&LITTLE_CPU_SLEEP_0 + &LITTLE_CPU_SLEEP_1 + &CLUSTER_SLEEP_0>; +- capacity-dmips-mhz = <1024>; +- dynamic-power-coefficient = <100>; ++ capacity-dmips-mhz = <415>; ++ dynamic-power-coefficient = <137>; + next-level-cache = <&L2_200>; + operating-points-v2 = <&cpu0_opp_table>; + interconnects = <&gem_noc MASTER_APPSS_PROC 3 &mc_virt SLAVE_EBI1 3>, +@@ -206,8 +206,8 @@ + cpu-idle-states = <&LITTLE_CPU_SLEEP_0 + &LITTLE_CPU_SLEEP_1 + &CLUSTER_SLEEP_0>; +- capacity-dmips-mhz = <1024>; +- dynamic-power-coefficient = <100>; ++ capacity-dmips-mhz = <415>; ++ dynamic-power-coefficient = <137>; + next-level-cache = <&L2_300>; + operating-points-v2 = <&cpu0_opp_table>; + interconnects = <&gem_noc MASTER_APPSS_PROC 3 &mc_virt SLAVE_EBI1 3>, +@@ -228,8 +228,8 @@ + cpu-idle-states = <&LITTLE_CPU_SLEEP_0 + &LITTLE_CPU_SLEEP_1 + &CLUSTER_SLEEP_0>; +- capacity-dmips-mhz = <1024>; +- dynamic-power-coefficient = <100>; ++ capacity-dmips-mhz = <415>; ++ dynamic-power-coefficient = <137>; + next-level-cache = <&L2_400>; + operating-points-v2 = <&cpu0_opp_table>; + interconnects = <&gem_noc MASTER_APPSS_PROC 3 &mc_virt SLAVE_EBI1 3>, +@@ -250,8 +250,8 @@ + cpu-idle-states = <&LITTLE_CPU_SLEEP_0 + &LITTLE_CPU_SLEEP_1 + &CLUSTER_SLEEP_0>; +- capacity-dmips-mhz = <1024>; +- dynamic-power-coefficient = <100>; ++ capacity-dmips-mhz = <415>; ++ dynamic-power-coefficient = <137>; + next-level-cache = <&L2_500>; + operating-points-v2 = <&cpu0_opp_table>; + interconnects = <&gem_noc MASTER_APPSS_PROC 3 &mc_virt SLAVE_EBI1 3>, +@@ -272,8 +272,8 @@ + cpu-idle-states = <&BIG_CPU_SLEEP_0 + &BIG_CPU_SLEEP_1 + &CLUSTER_SLEEP_0>; +- capacity-dmips-mhz = <1740>; +- dynamic-power-coefficient = <405>; ++ capacity-dmips-mhz = <1024>; ++ dynamic-power-coefficient = <480>; + next-level-cache = <&L2_600>; + operating-points-v2 = <&cpu6_opp_table>; + interconnects = <&gem_noc MASTER_APPSS_PROC 3 &mc_virt SLAVE_EBI1 3>, +@@ -294,8 +294,8 @@ + cpu-idle-states = <&BIG_CPU_SLEEP_0 + &BIG_CPU_SLEEP_1 + &CLUSTER_SLEEP_0>; +- capacity-dmips-mhz = <1740>; +- dynamic-power-coefficient = <405>; ++ capacity-dmips-mhz = <1024>; ++ dynamic-power-coefficient = <480>; + next-level-cache = <&L2_700>; + operating-points-v2 = <&cpu6_opp_table>; + interconnects = <&gem_noc MASTER_APPSS_PROC 3 &mc_virt SLAVE_EBI1 3>, +@@ -3616,7 +3616,7 @@ + polling-delay = <0>; + + thermal-sensors = <&tsens0 1>; +- sustainable-power = <768>; ++ sustainable-power = <1052>; + + trips { + cpu0_alert0: trip-point0 { +@@ -3665,7 +3665,7 @@ + polling-delay = <0>; + + thermal-sensors = <&tsens0 2>; +- sustainable-power = <768>; ++ sustainable-power = <1052>; + + trips { + cpu1_alert0: trip-point0 { +@@ -3714,7 +3714,7 @@ + polling-delay = <0>; + + thermal-sensors = <&tsens0 3>; +- sustainable-power = <768>; ++ sustainable-power = <1052>; + + trips { + cpu2_alert0: trip-point0 { +@@ -3763,7 +3763,7 @@ + polling-delay = <0>; + + thermal-sensors = <&tsens0 4>; +- sustainable-power = <768>; ++ sustainable-power = <1052>; + + trips { + cpu3_alert0: trip-point0 { +@@ -3812,7 +3812,7 @@ + polling-delay = <0>; + + thermal-sensors = <&tsens0 5>; +- sustainable-power = <768>; ++ sustainable-power = <1052>; + + trips { + cpu4_alert0: trip-point0 { +@@ -3861,7 +3861,7 @@ + polling-delay = <0>; + + thermal-sensors = <&tsens0 6>; +- sustainable-power = <768>; ++ sustainable-power = <1052>; + + trips { + cpu5_alert0: trip-point0 { +@@ -3910,7 +3910,7 @@ + polling-delay = <0>; + + thermal-sensors = <&tsens0 9>; +- sustainable-power = <1202>; ++ sustainable-power = <1425>; + + trips { + cpu6_alert0: trip-point0 { +@@ -3951,7 +3951,7 @@ + polling-delay = <0>; + + thermal-sensors = <&tsens0 10>; +- sustainable-power = <1202>; ++ sustainable-power = <1425>; + + trips { + cpu7_alert0: trip-point0 { +@@ -3992,7 +3992,7 @@ + polling-delay = <0>; + + thermal-sensors = <&tsens0 11>; +- sustainable-power = <1202>; ++ sustainable-power = <1425>; + + trips { + cpu8_alert0: trip-point0 { +@@ -4033,7 +4033,7 @@ + polling-delay = <0>; + + thermal-sensors = <&tsens0 12>; +- sustainable-power = <1202>; ++ sustainable-power = <1425>; + + trips { + cpu9_alert0: trip-point0 { +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-qcom-sc7280-fix-display-port-phy-reg-prope.patch b/queue-5.15/arm64-dts-qcom-sc7280-fix-display-port-phy-reg-prope.patch new file mode 100644 index 00000000000..f73adee6a9a --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sc7280-fix-display-port-phy-reg-prope.patch @@ -0,0 +1,50 @@ +From e0c4be58a79ae29061a5fabe3aefa815944df07c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 12:49:58 -0700 +Subject: arm64: dts: qcom: sc7280: fix display port phy reg property + +From: Kuogee Hsieh + +[ Upstream commit 425f30cc843c727bc7753a0d33710d1e4a999168 ] + +Existing display port phy reg property is derived from usb phy which +map display port phy pcs to wrong address which cause aux init +with wrong address and prevent both dpcd read and write from working. +Fix this problem by assigning correct pcs address to display port +phy reg property. + +Fixes: bb9efa59c665 ("arm64: dts: qcom: sc7280: Add USB related nodes") +Signed-off-by: Kuogee Hsieh +Reviewed-by: Stephen Boyd +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/1631216998-10049-1-git-send-email-khsieh@codeaurora.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sc7280.dtsi | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sc7280.dtsi b/arch/arm64/boot/dts/qcom/sc7280.dtsi +index fd78f16181ddd..f58336536a92a 100644 +--- a/arch/arm64/boot/dts/qcom/sc7280.dtsi ++++ b/arch/arm64/boot/dts/qcom/sc7280.dtsi +@@ -1258,15 +1258,11 @@ + dp_phy: dp-phy@88ea200 { + reg = <0 0x088ea200 0 0x200>, + <0 0x088ea400 0 0x200>, +- <0 0x088eac00 0 0x400>, ++ <0 0x088eaa00 0 0x200>, + <0 0x088ea600 0 0x200>, +- <0 0x088ea800 0 0x200>, +- <0 0x088eaa00 0 0x100>; ++ <0 0x088ea800 0 0x200>; + #phy-cells = <0>; + #clock-cells = <1>; +- clocks = <&gcc GCC_USB3_PRIM_PHY_PIPE_CLK>; +- clock-names = "pipe0"; +- clock-output-names = "usb3_phy_pipe_clk_src"; + }; + }; + +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-qcom-sdm845-fix-qualcomm-crypto-engine-bus.patch b/queue-5.15/arm64-dts-qcom-sdm845-fix-qualcomm-crypto-engine-bus.patch new file mode 100644 index 00000000000..11e5c9e549c --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sdm845-fix-qualcomm-crypto-engine-bus.patch @@ -0,0 +1,37 @@ +From 4ee51e0f6e11c9dc04fe5532460af5873926de17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 12:55:34 +0300 +Subject: arm64: dts: qcom: sdm845: Fix Qualcomm crypto engine bus clock + +From: Vladimir Zapolskiy + +[ Upstream commit d5240f8e23641c70bc70892d7999398b081ccb7e ] + +The change corrects the described bus clock of the QCE. + +Fixes: 3e482859f1ef ("dts: qcom: sdm845: Add dt entries to support crypto engine.") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Thara Gopinath +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211011095534.1580406-1-vladimir.zapolskiy@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi +index 98370d474f646..a810adc1a707f 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -2331,7 +2331,7 @@ + compatible = "qcom,crypto-v5.4"; + reg = <0 0x01dfa000 0 0x6000>; + clocks = <&gcc GCC_CE1_AHB_CLK>, +- <&gcc GCC_CE1_AHB_CLK>, ++ <&gcc GCC_CE1_AXI_CLK>, + <&rpmhcc RPMH_CE_CLK>; + clock-names = "iface", "bus", "core"; + dmas = <&cryptobam 6>, <&cryptobam 7>; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-qcom-sdm845-use-rpmh_ce_clk-macro-directly.patch b/queue-5.15/arm64-dts-qcom-sdm845-use-rpmh_ce_clk-macro-directly.patch new file mode 100644 index 00000000000..ea5c31a6666 --- /dev/null +++ b/queue-5.15/arm64-dts-qcom-sdm845-use-rpmh_ce_clk-macro-directly.patch @@ -0,0 +1,52 @@ +From 6d678dbadf814681e74ed3db00309cbdbcc5c727 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 20:06:50 +0530 +Subject: arm64: dts: qcom: sdm845: Use RPMH_CE_CLK macro directly + +From: Bhupesh Sharma + +[ Upstream commit eed1d9b6e36b06faa53c6dc74134ec21b1336d94 ] + +In commit 3e482859f1ef ("dts: qcom: sdm845: Add dt entries +to support crypto engine."), we decided to use the value indicated +by constant RPMH_CE_CLK rather than using it directly. + +Now that the same RPMH clock value might be used for other +SoCs (in addition to sdm845), let's use the constant +RPMH_CE_CLK to make sure that this dtsi is compatible with the +other qcom ones. + +Signed-off-by: Bhupesh Sharma +Reviewed-by: Thara Gopinath +Link: https://lore.kernel.org/r/20210519143700.27392-8-bhupesh.sharma@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/sdm845.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/sdm845.dtsi b/arch/arm64/boot/dts/qcom/sdm845.dtsi +index b3b9119261844..98370d474f646 100644 +--- a/arch/arm64/boot/dts/qcom/sdm845.dtsi ++++ b/arch/arm64/boot/dts/qcom/sdm845.dtsi +@@ -2316,7 +2316,7 @@ + compatible = "qcom,bam-v1.7.0"; + reg = <0 0x01dc4000 0 0x24000>; + interrupts = ; +- clocks = <&rpmhcc 15>; ++ clocks = <&rpmhcc RPMH_CE_CLK>; + clock-names = "bam_clk"; + #dma-cells = <1>; + qcom,ee = <0>; +@@ -2332,7 +2332,7 @@ + reg = <0 0x01dfa000 0 0x6000>; + clocks = <&gcc GCC_CE1_AHB_CLK>, + <&gcc GCC_CE1_AHB_CLK>, +- <&rpmhcc 15>; ++ <&rpmhcc RPMH_CE_CLK>; + clock-names = "iface", "bus", "core"; + dmas = <&cryptobam 6>, <&cryptobam 7>; + dma-names = "rx", "tx"; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-renesas-beacon-fix-ethernet-phy-mode.patch b/queue-5.15/arm64-dts-renesas-beacon-fix-ethernet-phy-mode.patch new file mode 100644 index 00000000000..0f7327d0bee --- /dev/null +++ b/queue-5.15/arm64-dts-renesas-beacon-fix-ethernet-phy-mode.patch @@ -0,0 +1,38 @@ +From 3603598678320204bba9cb8c156bbe79c9015c54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 08:50:23 +0200 +Subject: arm64: dts: renesas: beacon: Fix Ethernet PHY mode + +From: Geert Uytterhoeven + +[ Upstream commit 59a8bda062f8646d99ff8c4956adf37dee1cb75e ] + +While networking works fine in RGMII mode when using the Linux generic +PHY driver, it fails when using the Atheros PHY driver. +Fix this by correcting the Ethernet PHY mode to RGMII-RXID, which works +fine with both drivers. + +Fixes: a5200e63af57d05e ("arm64: dts: renesas: rzg2: Convert EtherAVB to explicit delay handling") +Reported-by: Adam Ford +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/2a4c15b2df23bb63f15abf9dfb88860477f4f523.1632465965.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/renesas/beacon-renesom-som.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm64/boot/dts/renesas/beacon-renesom-som.dtsi b/arch/arm64/boot/dts/renesas/beacon-renesom-som.dtsi +index 090dc9c4f57b5..937d17a426b66 100644 +--- a/arch/arm64/boot/dts/renesas/beacon-renesom-som.dtsi ++++ b/arch/arm64/boot/dts/renesas/beacon-renesom-som.dtsi +@@ -50,6 +50,7 @@ + &avb { + pinctrl-0 = <&avb_pins>; + pinctrl-names = "default"; ++ phy-mode = "rgmii-rxid"; + phy-handle = <&phy0>; + rx-internal-delay-ps = <1800>; + tx-internal-delay-ps = <2000>; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-rockchip-fix-gpu-register-width-for-rk3328.patch b/queue-5.15/arm64-dts-rockchip-fix-gpu-register-width-for-rk3328.patch new file mode 100644 index 00000000000..c59ac7ae102 --- /dev/null +++ b/queue-5.15/arm64-dts-rockchip-fix-gpu-register-width-for-rk3328.patch @@ -0,0 +1,40 @@ +From b814fe7da727dfc17b2fece8733fff96a8b66c9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 13:59:26 +0200 +Subject: arm64: dts: rockchip: Fix GPU register width for RK3328 + +From: Alex Bee + +[ Upstream commit 932b4610f55b49f3a158b0db451137bab7ed0e1f ] + +As can be seen in RK3328's TRM the register range for the GPU is +0xff300000 to 0xff330000. +It would (and does in vendor kernel) overlap with the registers of +the HEVC encoder (node/driver do not exist yet in upstream kernel). +See already existing h265e_mmu node. + +Fixes: 752fbc0c8da7 ("arm64: dts: rockchip: add rk3328 mali gpu node") +Signed-off-by: Alex Bee +Link: https://lore.kernel.org/r/20210623115926.164861-1-knaerzche@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk3328.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3328.dtsi b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +index 8c821acb21ffb..da84be6f4715e 100644 +--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +@@ -599,7 +599,7 @@ + + gpu: gpu@ff300000 { + compatible = "rockchip,rk3328-mali", "arm,mali-450"; +- reg = <0x0 0xff300000 0x0 0x40000>; ++ reg = <0x0 0xff300000 0x0 0x30000>; + interrupts = , + , + , +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-rockchip-fix-rk3568-mbi-alias.patch b/queue-5.15/arm64-dts-rockchip-fix-rk3568-mbi-alias.patch new file mode 100644 index 00000000000..e9021cc7518 --- /dev/null +++ b/queue-5.15/arm64-dts-rockchip-fix-rk3568-mbi-alias.patch @@ -0,0 +1,38 @@ +From 66364be9ec7ea25b23bdd7346802a72245190110 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 14:00:27 -0400 +Subject: arm64: dts: rockchip: fix rk3568 mbi-alias + +From: Peter Geis + +[ Upstream commit b6c1a590148c63f822091912b4c09c79fbb13971 ] + +The mbi-alias incorrectly points to 0xfd100000 when it should point to +0xfd410000. +This fixes MSIs on rk3568. + +Fixes: a3adc0b9071d ("arm64: dts: rockchip: add core dtsi for RK3568 SoC") +Signed-off-by: Peter Geis +Link: https://lore.kernel.org/r/20210728180034.717953-2-pgwipeout@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/rk356x.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/rockchip/rk356x.dtsi b/arch/arm64/boot/dts/rockchip/rk356x.dtsi +index d225e6a45d5cb..fdfe283b7a30d 100644 +--- a/arch/arm64/boot/dts/rockchip/rk356x.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk356x.dtsi +@@ -201,7 +201,7 @@ + interrupts = ; + interrupt-controller; + #interrupt-cells = <3>; +- mbi-alias = <0x0 0xfd100000>; ++ mbi-alias = <0x0 0xfd410000>; + mbi-ranges = <296 24>; + msi-controller; + }; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-rockchip-move-rk3568-dtsi-to-rk356x-dtsi.patch b/queue-5.15/arm64-dts-rockchip-move-rk3568-dtsi-to-rk356x-dtsi.patch new file mode 100644 index 00000000000..5f03d56d94b --- /dev/null +++ b/queue-5.15/arm64-dts-rockchip-move-rk3568-dtsi-to-rk356x-dtsi.patch @@ -0,0 +1,29 @@ +From 4a788809d87d83f4b6e75620571931a003ebd854 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Jul 2021 11:10:31 -0400 +Subject: arm64: dts: rockchip: move rk3568 dtsi to rk356x dtsi + +From: Peter Geis + +[ Upstream commit 4e50d2173b67115a5574f4f4ce64ec9c5d9c136e ] + +In preparation for separating the rk3568 and rk3566 device trees, move +the base rk3568 dtsi to rk356x dtsi. +This will allow us to strip out the rk3568 specific nodes. + +Signed-off-by: Peter Geis +Link: https://lore.kernel.org/r/20210710151034.32857-2-pgwipeout@gmail.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/rockchip/{rk3568.dtsi => rk356x.dtsi} | 0 + 1 file changed, 0 insertions(+), 0 deletions(-) + rename arch/arm64/boot/dts/rockchip/{rk3568.dtsi => rk356x.dtsi} (100%) + +diff --git a/arch/arm64/boot/dts/rockchip/rk3568.dtsi b/arch/arm64/boot/dts/rockchip/rk356x.dtsi +similarity index 100% +rename from arch/arm64/boot/dts/rockchip/rk3568.dtsi +rename to arch/arm64/boot/dts/rockchip/rk356x.dtsi +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-ti-j7200-main-fix-bus-range-upto-256-bus-n.patch b/queue-5.15/arm64-dts-ti-j7200-main-fix-bus-range-upto-256-bus-n.patch new file mode 100644 index 00000000000..ef74af1b386 --- /dev/null +++ b/queue-5.15/arm64-dts-ti-j7200-main-fix-bus-range-upto-256-bus-n.patch @@ -0,0 +1,41 @@ +From e32cfb12d8b99b65cf3282f33ad8f550555fb269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 11:23:56 +0530 +Subject: arm64: dts: ti: j7200-main: Fix "bus-range" upto 256 bus number for + PCIe + +From: Kishon Vijay Abraham I + +[ Upstream commit 8bb8429290c0043a78804ae48294b53f781ee426 ] + +commit 3276d9f53cf6 ("arm64: dts: ti: k3-j7200-main: Add PCIe device +tree node") incorrectly added PCIe bus numbers from 0 to 15 (copy-paste +from J721E node). Enable all the supported bus numbers from 0 to 255 +defined in PCIe spec here. + +Fixes: 3276d9f53cf6 ("arm64: dts: ti: k3-j7200-main: Add PCIe device tree node") +Signed-off-by: Kishon Vijay Abraham I +Reviewed-by: Aswath Govindraju +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/20210915055358.19997-5-kishon@ti.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j7200-main.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi +index 521a56316fa5c..874cba75e9a5a 100644 +--- a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi +@@ -606,7 +606,7 @@ + clock-names = "fck"; + #address-cells = <3>; + #size-cells = <2>; +- bus-range = <0x0 0xf>; ++ bus-range = <0x0 0xff>; + cdns,no-bar-match-nbits = <64>; + vendor-id = <0x104c>; + device-id = <0xb00f>; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-ti-j7200-main-fix-vendor-id-device-id-prop.patch b/queue-5.15/arm64-dts-ti-j7200-main-fix-vendor-id-device-id-prop.patch new file mode 100644 index 00000000000..b2096b41406 --- /dev/null +++ b/queue-5.15/arm64-dts-ti-j7200-main-fix-vendor-id-device-id-prop.patch @@ -0,0 +1,42 @@ +From 6c5c6ee1f6aabe65f69dab70c5a59d6cd7600cd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 11:23:55 +0530 +Subject: arm64: dts: ti: j7200-main: Fix "vendor-id"/"device-id" properties of + pcie node + +From: Kishon Vijay Abraham I + +[ Upstream commit 0d553792726a61ced760422e74ea67552ac69cdb ] + +commit 3276d9f53cf6 ("arm64: dts: ti: k3-j7200-main: Add PCIe device +tree node") incorrectly added "vendor-id" and "device-id" as 16-bit +properties though both of them are 32-bit properties. Fix it here. + +Fixes: 3276d9f53cf6 ("arm64: dts: ti: k3-j7200-main: Add PCIe device tree node") +Signed-off-by: Kishon Vijay Abraham I +Reviewed-by: Aswath Govindraju +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/20210915055358.19997-4-kishon@ti.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j7200-main.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi +index e8a41d09b45f2..521a56316fa5c 100644 +--- a/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j7200-main.dtsi +@@ -608,8 +608,8 @@ + #size-cells = <2>; + bus-range = <0x0 0xf>; + cdns,no-bar-match-nbits = <64>; +- vendor-id = /bits/ 16 <0x104c>; +- device-id = /bits/ 16 <0xb00f>; ++ vendor-id = <0x104c>; ++ device-id = <0xb00f>; + msi-map = <0x0 &gic_its 0x0 0x10000>; + dma-coherent; + ranges = <0x01000000 0x0 0x18001000 0x00 0x18001000 0x0 0x0010000>, +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-ti-k3-j721e-main-fix-bus-range-upto-256-bu.patch b/queue-5.15/arm64-dts-ti-k3-j721e-main-fix-bus-range-upto-256-bu.patch new file mode 100644 index 00000000000..827eb43e3d2 --- /dev/null +++ b/queue-5.15/arm64-dts-ti-k3-j721e-main-fix-bus-range-upto-256-bu.patch @@ -0,0 +1,68 @@ +From 34f1fb2048959ce3b2d14e989b8234b4d5300304 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 11:23:54 +0530 +Subject: arm64: dts: ti: k3-j721e-main: Fix "bus-range" upto 256 bus number + for PCIe + +From: Kishon Vijay Abraham I + +[ Upstream commit 5f46633565b1c1e1840a927676065d72b442dac4 ] + +commit 4e5833884f66 ("arm64: dts: ti: k3-j721e-main: Add PCIe device +tree nodes") restricted PCIe bus numbers from 0 to 15 (due to SMMU +restriction in J721E). However since SMMU is not enabled, allow the full +supported bus numbers from 0 to 255. + +Fixes: 4e5833884f66 ("arm64: dts: ti: k3-j721e-main: Add PCIe device tree nodes") +Signed-off-by: Kishon Vijay Abraham I +Reviewed-by: Aswath Govindraju +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/20210915055358.19997-3-kishon@ti.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi +index 43be5d23130b4..08c8d1b47dcd9 100644 +--- a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi +@@ -610,7 +610,7 @@ + clock-names = "fck"; + #address-cells = <3>; + #size-cells = <2>; +- bus-range = <0x0 0xf>; ++ bus-range = <0x0 0xff>; + vendor-id = <0x104c>; + device-id = <0xb00d>; + msi-map = <0x0 &gic_its 0x0 0x10000>; +@@ -658,7 +658,7 @@ + clock-names = "fck"; + #address-cells = <3>; + #size-cells = <2>; +- bus-range = <0x0 0xf>; ++ bus-range = <0x0 0xff>; + vendor-id = <0x104c>; + device-id = <0xb00d>; + msi-map = <0x0 &gic_its 0x10000 0x10000>; +@@ -706,7 +706,7 @@ + clock-names = "fck"; + #address-cells = <3>; + #size-cells = <2>; +- bus-range = <0x0 0xf>; ++ bus-range = <0x0 0xff>; + vendor-id = <0x104c>; + device-id = <0xb00d>; + msi-map = <0x0 &gic_its 0x20000 0x10000>; +@@ -754,7 +754,7 @@ + clock-names = "fck"; + #address-cells = <3>; + #size-cells = <2>; +- bus-range = <0x0 0xf>; ++ bus-range = <0x0 0xff>; + vendor-id = <0x104c>; + device-id = <0xb00d>; + msi-map = <0x0 &gic_its 0x30000 0x10000>; +-- +2.33.0 + diff --git a/queue-5.15/arm64-dts-ti-k3-j721e-main-fix-max-virtual-functions.patch b/queue-5.15/arm64-dts-ti-k3-j721e-main-fix-max-virtual-functions.patch new file mode 100644 index 00000000000..bbca6b980bf --- /dev/null +++ b/queue-5.15/arm64-dts-ti-k3-j721e-main-fix-max-virtual-functions.patch @@ -0,0 +1,68 @@ +From d760590fa2d9e753afc137a93fade593b308c8c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 11:23:53 +0530 +Subject: arm64: dts: ti: k3-j721e-main: Fix "max-virtual-functions" in PCIe EP + nodes + +From: Kishon Vijay Abraham I + +[ Upstream commit 9af3ef954975c383eeb667aee207d9ce6fbef8c4 ] + +commit 4e5833884f66 ("arm64: dts: ti: k3-j721e-main: Add PCIe device +tree nodes") added "max-virtual-functions" to have 16 bit values. +Fix "max-virtual-functions" in PCIe endpoint (EP) nodes to have 8 bit +values instead of 16. + +Fixes: 4e5833884f66 ("arm64: dts: ti: k3-j721e-main: Add PCIe device tree nodes") +Signed-off-by: Kishon Vijay Abraham I +Reviewed-by: Aswath Govindraju +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/20210915055358.19997-2-kishon@ti.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi +index cf3482376c1e6..43be5d23130b4 100644 +--- a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi ++++ b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi +@@ -636,7 +636,7 @@ + clocks = <&k3_clks 239 1>; + clock-names = "fck"; + max-functions = /bits/ 8 <6>; +- max-virtual-functions = /bits/ 16 <4 4 4 4 0 0>; ++ max-virtual-functions = /bits/ 8 <4 4 4 4 0 0>; + dma-coherent; + }; + +@@ -684,7 +684,7 @@ + clocks = <&k3_clks 240 1>; + clock-names = "fck"; + max-functions = /bits/ 8 <6>; +- max-virtual-functions = /bits/ 16 <4 4 4 4 0 0>; ++ max-virtual-functions = /bits/ 8 <4 4 4 4 0 0>; + dma-coherent; + }; + +@@ -732,7 +732,7 @@ + clocks = <&k3_clks 241 1>; + clock-names = "fck"; + max-functions = /bits/ 8 <6>; +- max-virtual-functions = /bits/ 16 <4 4 4 4 0 0>; ++ max-virtual-functions = /bits/ 8 <4 4 4 4 0 0>; + dma-coherent; + }; + +@@ -780,7 +780,7 @@ + clocks = <&k3_clks 242 1>; + clock-names = "fck"; + max-functions = /bits/ 8 <6>; +- max-virtual-functions = /bits/ 16 <4 4 4 4 0 0>; ++ max-virtual-functions = /bits/ 8 <4 4 4 4 0 0>; + dma-coherent; + #address-cells = <2>; + #size-cells = <2>; +-- +2.33.0 + diff --git a/queue-5.15/arm64-mm-update-max_pfn-after-memory-hotplug.patch b/queue-5.15/arm64-mm-update-max_pfn-after-memory-hotplug.patch new file mode 100644 index 00000000000..b5d83a3c178 --- /dev/null +++ b/queue-5.15/arm64-mm-update-max_pfn-after-memory-hotplug.patch @@ -0,0 +1,48 @@ +From 3afe826c728a83c72497d1bfcfa8c012786787a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 11:51:49 -0700 +Subject: arm64: mm: update max_pfn after memory hotplug + +From: Sudarshan Rajagopalan + +[ Upstream commit 8fac67ca236b961b573355e203dbaf62a706a2e5 ] + +After new memory blocks have been hotplugged, max_pfn and max_low_pfn +needs updating to reflect on new PFNs being hot added to system. +Without this patch, debug-related functions that use max_pfn such as +get_max_dump_pfn() or read_page_owner() will not work with any page in +memory that is hot-added after boot. + +Fixes: 4ab215061554 ("arm64: Add memory hotplug support") +Signed-off-by: Sudarshan Rajagopalan +Signed-off-by: Chris Goldsworthy +Acked-by: David Hildenbrand +Cc: Florian Fainelli +Cc: Georgi Djakov +Tested-by: Georgi Djakov +Link: https://lore.kernel.org/r/a51a27ee7be66024b5ce626310d673f24107bcb8.1632853776.git.quic_cgoldswo@quicinc.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/mm/mmu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c +index cfd9deb347c38..fd85b51b9d50f 100644 +--- a/arch/arm64/mm/mmu.c ++++ b/arch/arm64/mm/mmu.c +@@ -1499,6 +1499,11 @@ int arch_add_memory(int nid, u64 start, u64 size, + if (ret) + __remove_pgd_mapping(swapper_pg_dir, + __phys_to_virt(start), size); ++ else { ++ max_pfn = PFN_UP(start + size); ++ max_low_pfn = max_pfn; ++ } ++ + return ret; + } + +-- +2.33.0 + diff --git a/queue-5.15/arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch b/queue-5.15/arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch new file mode 100644 index 00000000000..b807e3648ab --- /dev/null +++ b/queue-5.15/arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch @@ -0,0 +1,67 @@ +From 711c31f5f845b8844ed7160659674efd4f9a3464 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 08:54:03 +0100 +Subject: arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions + +From: Arnd Bergmann + +[ Upstream commit c7c386fbc20262c1d911c615c65db6a58667d92c ] + +gcc warns about undefined behavior the vmalloc code when building +with CONFIG_ARM64_PA_BITS_52, when the 'idx++' in the argument to +__phys_to_pte_val() is evaluated twice: + +mm/vmalloc.c: In function 'vmap_pfn_apply': +mm/vmalloc.c:2800:58: error: operation on 'data->idx' may be undefined [-Werror=sequence-point] + 2800 | *pte = pte_mkspecial(pfn_pte(data->pfns[data->idx++], data->prot)); + | ~~~~~~~~~^~ +arch/arm64/include/asm/pgtable-types.h:25:37: note: in definition of macro '__pte' + 25 | #define __pte(x) ((pte_t) { (x) } ) + | ^ +arch/arm64/include/asm/pgtable.h:80:15: note: in expansion of macro '__phys_to_pte_val' + 80 | __pte(__phys_to_pte_val((phys_addr_t)(pfn) << PAGE_SHIFT) | pgprot_val(prot)) + | ^~~~~~~~~~~~~~~~~ +mm/vmalloc.c:2800:30: note: in expansion of macro 'pfn_pte' + 2800 | *pte = pte_mkspecial(pfn_pte(data->pfns[data->idx++], data->prot)); + | ^~~~~~~ + +I have no idea why this never showed up earlier, but the safest +workaround appears to be changing those macros into inline functions +so the arguments get evaluated only once. + +Cc: Matthew Wilcox +Fixes: 75387b92635e ("arm64: handle 52-bit physical addresses in page table entries") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20211105075414.2553155-1-arnd@kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/include/asm/pgtable.h | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/include/asm/pgtable.h b/arch/arm64/include/asm/pgtable.h +index dfa76afa0ccff..72f95c6a70519 100644 +--- a/arch/arm64/include/asm/pgtable.h ++++ b/arch/arm64/include/asm/pgtable.h +@@ -67,9 +67,15 @@ extern unsigned long empty_zero_page[PAGE_SIZE / sizeof(unsigned long)]; + * page table entry, taking care of 52-bit addresses. + */ + #ifdef CONFIG_ARM64_PA_BITS_52 +-#define __pte_to_phys(pte) \ +- ((pte_val(pte) & PTE_ADDR_LOW) | ((pte_val(pte) & PTE_ADDR_HIGH) << 36)) +-#define __phys_to_pte_val(phys) (((phys) | ((phys) >> 36)) & PTE_ADDR_MASK) ++static inline phys_addr_t __pte_to_phys(pte_t pte) ++{ ++ return (pte_val(pte) & PTE_ADDR_LOW) | ++ ((pte_val(pte) & PTE_ADDR_HIGH) << 36); ++} ++static inline pteval_t __phys_to_pte_val(phys_addr_t phys) ++{ ++ return (phys | (phys >> 36)) & PTE_ADDR_MASK; ++} + #else + #define __pte_to_phys(pte) (pte_val(pte) & PTE_ADDR_MASK) + #define __phys_to_pte_val(phys) (phys) +-- +2.33.0 + diff --git a/queue-5.15/arm64-vdso32-suppress-error-message-for-make-mrprope.patch b/queue-5.15/arm64-vdso32-suppress-error-message-for-make-mrprope.patch new file mode 100644 index 00000000000..2981471bdf1 --- /dev/null +++ b/queue-5.15/arm64-vdso32-suppress-error-message-for-make-mrprope.patch @@ -0,0 +1,52 @@ +From b6c697a6aff1dff41a379cc02d88c7ce750c90b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 15:36:45 -0700 +Subject: arm64: vdso32: suppress error message for 'make mrproper' + +From: Nick Desaulniers + +[ Upstream commit 14831fad73f5ac30ac61760487d95a538e6ab3cb ] + +When running the following command without arm-linux-gnueabi-gcc in +one's $PATH, the following warning is observed: + +$ ARCH=arm64 CROSS_COMPILE_COMPAT=arm-linux-gnueabi- make -j72 LLVM=1 mrproper +make[1]: arm-linux-gnueabi-gcc: No such file or directory + +This is because KCONFIG is not run for mrproper, so CONFIG_CC_IS_CLANG +is not set, and we end up eagerly evaluating various variables that try +to invoke CC_COMPAT. + +This is a similar problem to what was observed in +commit dc960bfeedb0 ("h8300: suppress error messages for 'make clean'") + +Reported-by: Lucas Henneman +Suggested-by: Masahiro Yamada +Signed-off-by: Nick Desaulniers +Reviewed-by: Vincenzo Frascino +Reviewed-by: Nathan Chancellor +Tested-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20211019223646.1146945-4-ndesaulniers@google.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/vdso32/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/arm64/kernel/vdso32/Makefile b/arch/arm64/kernel/vdso32/Makefile +index 3dba0c4f8f42b..764d1900d5aab 100644 +--- a/arch/arm64/kernel/vdso32/Makefile ++++ b/arch/arm64/kernel/vdso32/Makefile +@@ -40,7 +40,8 @@ cc32-as-instr = $(call try-run,\ + # As a result we set our own flags here. + + # KBUILD_CPPFLAGS and NOSTDINC_FLAGS from top-level Makefile +-VDSO_CPPFLAGS := -DBUILD_VDSO -D__KERNEL__ -nostdinc -isystem $(shell $(CC_COMPAT) -print-file-name=include) ++VDSO_CPPFLAGS := -DBUILD_VDSO -D__KERNEL__ -nostdinc ++VDSO_CPPFLAGS += -isystem $(shell $(CC_COMPAT) -print-file-name=include 2>/dev/null) + VDSO_CPPFLAGS += $(LINUXINCLUDE) + + # Common C and assembly flags +-- +2.33.0 + diff --git a/queue-5.15/asoc-cs42l42-always-configure-both-asp-tx-channels.patch b/queue-5.15/asoc-cs42l42-always-configure-both-asp-tx-channels.patch new file mode 100644 index 00000000000..d6551cb07ca --- /dev/null +++ b/queue-5.15/asoc-cs42l42-always-configure-both-asp-tx-channels.patch @@ -0,0 +1,52 @@ +From 20c4505ad5ab3317b728ece52e422238e1bda55d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 14:36:05 +0100 +Subject: ASoC: cs42l42: Always configure both ASP TX channels + +From: Richard Fitzgerald + +[ Upstream commit 6e6825801ab926360f7f4f2dbcfd107d5ab8f025 ] + +An I2S frame always has two slots (left and right) even when sending +mono. The right channel (channel 2) of ASP TX will always have the +same bit width as the left channel and will always be on the high +phase of LRCLK. + +The previous implementation always passed the field masks for both +channels to snd_soc_component_update_bits() but for mono the written value +only contained the settings for channel 1. The result was that for mono +channel 2 was set to 8-bit (which is an invalid configuration) with both +channels on the low phase of LRCLK. + +Signed-off-by: Richard Fitzgerald +Fixes: 585e7079de0e ("ASoC: cs42l42: Add Capture Support") +Link: https://lore.kernel.org/r/20211015133619.4698-3-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l42.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c +index 9a463ab54bddc..4548dae7ed834 100644 +--- a/sound/soc/codecs/cs42l42.c ++++ b/sound/soc/codecs/cs42l42.c +@@ -853,11 +853,10 @@ static int cs42l42_pcm_hw_params(struct snd_pcm_substream *substream, + + switch(substream->stream) { + case SNDRV_PCM_STREAM_CAPTURE: +- if (channels == 2) { +- val |= CS42L42_ASP_TX_CH2_AP_MASK; +- val |= width << CS42L42_ASP_TX_CH2_RES_SHIFT; +- } +- val |= width << CS42L42_ASP_TX_CH1_RES_SHIFT; ++ /* channel 2 on high LRCLK */ ++ val = CS42L42_ASP_TX_CH2_AP_MASK | ++ (width << CS42L42_ASP_TX_CH2_RES_SHIFT) | ++ (width << CS42L42_ASP_TX_CH1_RES_SHIFT); + + snd_soc_component_update_bits(component, CS42L42_ASP_TX_CH_AP_RES, + CS42L42_ASP_TX_CH1_AP_MASK | CS42L42_ASP_TX_CH2_AP_MASK | +-- +2.33.0 + diff --git a/queue-5.15/asoc-cs42l42-correct-configuring-of-switch-inversion.patch b/queue-5.15/asoc-cs42l42-correct-configuring-of-switch-inversion.patch new file mode 100644 index 00000000000..58e7d532627 --- /dev/null +++ b/queue-5.15/asoc-cs42l42-correct-configuring-of-switch-inversion.patch @@ -0,0 +1,85 @@ +From 5fd0c49d44a71bb62862647752fc0ed2b8ec0e76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 15:09:01 +0100 +Subject: ASoC: cs42l42: Correct configuring of switch inversion from ts-inv + +From: Richard Fitzgerald + +[ Upstream commit 778a0cbef5fb76bf506f84938517bb77e7a1c478 ] + +The setting from the cirrus,ts-inv property should be applied to the +TIP_SENSE_INV bit, as this is the one that actually affects the jack +detect block. The TS_INV bit only swaps the meaning of the PLUG and +UNPLUG interrupts and should always be 1 for the interrupts to have +the normal meaning. + +Due to some misunderstanding the driver had been implemented to +configure the TS_INV bit based on the jack switch polarity. This made +the interrupts behave the correct way around, but left the jack detect +block, button detect and analogue circuits always interpreting an open +switch as unplugged. + +The signal chain inside the codec is: + +SENSE pin -> TIP_SENSE_INV -> TS_INV -> (invert) -> interrupts + | + v + Jack detect, + button detect and + analog control + +As the TIP_SENSE_INV already performs the necessary inversion the +TS_INV bit never needs to change. It must always be 1 to yield the +expected interrupt behaviour. + +Some extra confusion has arisen because of the additional invert in the +interrupt path, meaning that a value applied to the TS_INV bit produces +the opposite effect of applying it to the TIP_SENSE_INV bit. The ts-inv +property has therefore always had the opposite effect to what might be +expected (0 = inverted, 1 = not inverted). To maintain the meaning of +the ts-inv property it must be inverted when applied to TIP_SENSE_INV. + +Signed-off-by: Richard Fitzgerald +Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec") +Link: https://lore.kernel.org/r/20211028140902.11786-3-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l42.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c +index 6034e439d3132..762d9de73dbc2 100644 +--- a/sound/soc/codecs/cs42l42.c ++++ b/sound/soc/codecs/cs42l42.c +@@ -1684,12 +1684,15 @@ static void cs42l42_setup_hs_type_detect(struct cs42l42_private *cs42l42) + (1 << CS42L42_HS_CLAMP_DISABLE_SHIFT)); + + /* Enable the tip sense circuit */ ++ regmap_update_bits(cs42l42->regmap, CS42L42_TSENSE_CTL, ++ CS42L42_TS_INV_MASK, CS42L42_TS_INV_MASK); ++ + regmap_update_bits(cs42l42->regmap, CS42L42_TIPSENSE_CTL, + CS42L42_TIP_SENSE_CTRL_MASK | + CS42L42_TIP_SENSE_INV_MASK | + CS42L42_TIP_SENSE_DEBOUNCE_MASK, + (3 << CS42L42_TIP_SENSE_CTRL_SHIFT) | +- (0 << CS42L42_TIP_SENSE_INV_SHIFT) | ++ (!cs42l42->ts_inv << CS42L42_TIP_SENSE_INV_SHIFT) | + (2 << CS42L42_TIP_SENSE_DEBOUNCE_SHIFT)); + + /* Save the initial status of the tip sense */ +@@ -1733,10 +1736,6 @@ static int cs42l42_handle_device_data(struct device *dev, + cs42l42->ts_inv = CS42L42_TS_INV_DIS; + } + +- regmap_update_bits(cs42l42->regmap, CS42L42_TSENSE_CTL, +- CS42L42_TS_INV_MASK, +- (cs42l42->ts_inv << CS42L42_TS_INV_SHIFT)); +- + ret = device_property_read_u32(dev, "cirrus,ts-dbnc-rise", &val); + if (!ret) { + switch (val) { +-- +2.33.0 + diff --git a/queue-5.15/asoc-cs42l42-correct-some-register-default-values.patch b/queue-5.15/asoc-cs42l42-correct-some-register-default-values.patch new file mode 100644 index 00000000000..c5fc8876764 --- /dev/null +++ b/queue-5.15/asoc-cs42l42-correct-some-register-default-values.patch @@ -0,0 +1,45 @@ +From 3f34f439114c0e30db035c8d64fb2b781d1179c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 14:36:06 +0100 +Subject: ASoC: cs42l42: Correct some register default values + +From: Richard Fitzgerald + +[ Upstream commit d591d4b32aa9552af14a0c7c586a2d3fe9ecc6e0 ] + +Some registers had wrong default values in cs42l42_reg_defaults[]. + +Signed-off-by: Richard Fitzgerald +Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec") +Link: https://lore.kernel.org/r/20211015133619.4698-4-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l42.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c +index 4548dae7ed834..205f81d27c30f 100644 +--- a/sound/soc/codecs/cs42l42.c ++++ b/sound/soc/codecs/cs42l42.c +@@ -93,7 +93,7 @@ static const struct reg_default cs42l42_reg_defaults[] = { + { CS42L42_ASP_RX_INT_MASK, 0x1F }, + { CS42L42_ASP_TX_INT_MASK, 0x0F }, + { CS42L42_CODEC_INT_MASK, 0x03 }, +- { CS42L42_SRCPL_INT_MASK, 0xFF }, ++ { CS42L42_SRCPL_INT_MASK, 0x7F }, + { CS42L42_VPMON_INT_MASK, 0x01 }, + { CS42L42_PLL_LOCK_INT_MASK, 0x01 }, + { CS42L42_TSRS_PLUG_INT_MASK, 0x0F }, +@@ -130,7 +130,7 @@ static const struct reg_default cs42l42_reg_defaults[] = { + { CS42L42_MIXER_CHA_VOL, 0x3F }, + { CS42L42_MIXER_ADC_VOL, 0x3F }, + { CS42L42_MIXER_CHB_VOL, 0x3F }, +- { CS42L42_EQ_COEF_IN0, 0x22 }, ++ { CS42L42_EQ_COEF_IN0, 0x00 }, + { CS42L42_EQ_COEF_IN1, 0x00 }, + { CS42L42_EQ_COEF_IN2, 0x00 }, + { CS42L42_EQ_COEF_IN3, 0x00 }, +-- +2.33.0 + diff --git a/queue-5.15/asoc-cs42l42-defer-probe-if-request_threaded_irq-ret.patch b/queue-5.15/asoc-cs42l42-defer-probe-if-request_threaded_irq-ret.patch new file mode 100644 index 00000000000..aac5be6f100 --- /dev/null +++ b/queue-5.15/asoc-cs42l42-defer-probe-if-request_threaded_irq-ret.patch @@ -0,0 +1,43 @@ +From 7ed28c5c0ec652a7d3cab8e09a6f1d26977abada Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 14:36:08 +0100 +Subject: ASoC: cs42l42: Defer probe if request_threaded_irq() returns + EPROBE_DEFER + +From: Richard Fitzgerald + +[ Upstream commit 0306988789d9d91a18ff70bd2bf165d3ae0ef1dd ] + +The driver can run without an interrupt so if devm_request_threaded_irq() +failed, the probe() just carried on. But if this was EPROBE_DEFER the +driver would continue without an interrupt instead of deferring to wait +for the interrupt to become available. + +Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec") +Signed-off-by: Richard Fitzgerald +Link: https://lore.kernel.org/r/20211015133619.4698-6-rf@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs42l42.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/codecs/cs42l42.c b/sound/soc/codecs/cs42l42.c +index 205f81d27c30f..6034e439d3132 100644 +--- a/sound/soc/codecs/cs42l42.c ++++ b/sound/soc/codecs/cs42l42.c +@@ -1947,8 +1947,9 @@ static int cs42l42_i2c_probe(struct i2c_client *i2c_client, + NULL, cs42l42_irq_thread, + IRQF_ONESHOT | IRQF_TRIGGER_LOW, + "cs42l42", cs42l42); +- +- if (ret != 0) ++ if (ret == -EPROBE_DEFER) ++ goto err_disable; ++ else if (ret != 0) + dev_err(&i2c_client->dev, + "Failed to request IRQ: %d\n", ret); + +-- +2.33.0 + diff --git a/queue-5.15/asoc-rsnd-fix-an-error-handling-path-in-rsnd_node_co.patch b/queue-5.15/asoc-rsnd-fix-an-error-handling-path-in-rsnd_node_co.patch new file mode 100644 index 00000000000..fdab411b06b --- /dev/null +++ b/queue-5.15/asoc-rsnd-fix-an-error-handling-path-in-rsnd_node_co.patch @@ -0,0 +1,39 @@ +From afa485544ac385e91fa2f0b32cf6d1db243b73d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 21:44:16 +0200 +Subject: ASoC: rsnd: Fix an error handling path in 'rsnd_node_count()' + +From: Christophe JAILLET + +[ Upstream commit 173632358fde7a567f28e07c4549b959ee857986 ] + +If we return before the end of the 'for_each_child_of_node()' iterator, the +reference taken on 'np' must be released. + +Add the missing 'of_node_put()' call. + +Fixes: c413983eb66a ("ASoC: rsnd: adjust disabled module") +Signed-off-by: Christophe JAILLET +Reviewed-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/4c0e893cbfa21dc76c1ede0b6f4f8cff42209299.1634586167.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sh/rcar/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c +index 978bd0406729a..6a8fe0da7670b 100644 +--- a/sound/soc/sh/rcar/core.c ++++ b/sound/soc/sh/rcar/core.c +@@ -1225,6 +1225,7 @@ int rsnd_node_count(struct rsnd_priv *priv, struct device_node *node, char *name + if (i < 0) { + dev_err(dev, "strange node numbering (%s)", + of_node_full_name(node)); ++ of_node_put(np); + return 0; + } + i++; +-- +2.33.0 + diff --git a/queue-5.15/asoc-sof-topology-do-not-power-down-primary-core-dur.patch b/queue-5.15/asoc-sof-topology-do-not-power-down-primary-core-dur.patch new file mode 100644 index 00000000000..8ffdc2e8e07 --- /dev/null +++ b/queue-5.15/asoc-sof-topology-do-not-power-down-primary-core-dur.patch @@ -0,0 +1,50 @@ +From 569f4b388933ff333af96ed8764d2ac277f68763 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 13:40:41 +0300 +Subject: ASoC: SOF: topology: do not power down primary core during topology + removal + +From: Ranjani Sridharan + +[ Upstream commit ec626334eaffe101df9ed79e161eba95124e64ad ] + +When removing the topology components, do not power down +the primary core. Doing so will result in an IPC timeout +when the SOF PCI device runtime suspends. + +Fixes: 0dcdf84289fb ("ASoC: SOF: add a "core" parameter to widget loading functions") + +Signed-off-by: Ranjani Sridharan +Reviewed-by: Pierre-Louis Bossart +Reviewed-by: Kai Vehmanen +Signed-off-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/20211006104041.27183-1-peter.ujfalusi@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/sof/topology.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sound/soc/sof/topology.c b/sound/soc/sof/topology.c +index cc9585bfa4e9f..1bb2dcf37ffe9 100644 +--- a/sound/soc/sof/topology.c ++++ b/sound/soc/sof/topology.c +@@ -2598,6 +2598,15 @@ static int sof_widget_unload(struct snd_soc_component *scomp, + + /* power down the pipeline schedule core */ + pipeline = swidget->private; ++ ++ /* ++ * Runtime PM should still function normally if topology loading fails and ++ * it's components are unloaded. Do not power down the primary core so that the ++ * CTX_SAVE IPC can succeed during runtime suspend. ++ */ ++ if (pipeline->core == SOF_DSP_PRIMARY_CORE) ++ break; ++ + ret = snd_sof_dsp_core_power_down(sdev, 1 << pipeline->core); + if (ret < 0) + dev_err(scomp->dev, "error: powering down pipeline schedule core %d\n", +-- +2.33.0 + diff --git a/queue-5.15/asoc-topology-fix-stub-for-snd_soc_tplg_component_re.patch b/queue-5.15/asoc-topology-fix-stub-for-snd_soc_tplg_component_re.patch new file mode 100644 index 00000000000..1c68533169b --- /dev/null +++ b/queue-5.15/asoc-topology-fix-stub-for-snd_soc_tplg_component_re.patch @@ -0,0 +1,40 @@ +From b829eb5742075a7c7379bed2f09ae213162c8cbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 16:48:44 +0100 +Subject: ASoC: topology: Fix stub for snd_soc_tplg_component_remove() + +From: Mark Brown + +[ Upstream commit 1198ff12cbdd5f42c032cba1d96ebc7af8024cf9 ] + +When removing the index argument from snd_soc_topology_component_remove() +commit a5b8f71c5477f (ASoC: topology: Remove multistep topology loading) +forgot to update the stub for !SND_SOC_TOPOLOGY use, causing build failures +for anything that tries to make use of it. + +Fixes: a5b8f71c5477f (ASoC: topology: Remove multistep topology loading) +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20211025154844.2342120-1-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + include/sound/soc-topology.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/include/sound/soc-topology.h b/include/sound/soc-topology.h +index 4afd667e124c2..3e8a85e1e8094 100644 +--- a/include/sound/soc-topology.h ++++ b/include/sound/soc-topology.h +@@ -188,8 +188,7 @@ int snd_soc_tplg_widget_bind_event(struct snd_soc_dapm_widget *w, + + #else + +-static inline int snd_soc_tplg_component_remove(struct snd_soc_component *comp, +- u32 index) ++static inline int snd_soc_tplg_component_remove(struct snd_soc_component *comp) + { + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/asoc-wcd9335-use-correct-version-to-initialize-class.patch b/queue-5.15/asoc-wcd9335-use-correct-version-to-initialize-class.patch new file mode 100644 index 00000000000..cd18744cb32 --- /dev/null +++ b/queue-5.15/asoc-wcd9335-use-correct-version-to-initialize-class.patch @@ -0,0 +1,40 @@ +From 03fa47469e8f25bb9f4a0a5c138356b009493b76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Sep 2021 02:24:19 +0000 +Subject: ASoC: wcd9335: Use correct version to initialize Class H + +From: Yassine Oudjana + +[ Upstream commit a270bd9abdc3cd04ec194f1f3164823cbb5a905c ] + +The versioning scheme was changed in an earlier patch, which caused the version +being used to initialize WCD9335 to be interpreted as if it was WCD937X, which +changed code paths causing broken headphones output. Pass WCD9335 instead of +WCD9335_VERSION_2_0 to wcd_clsh_ctrl_alloc to fix it. + +Fixes: 19c5d1f6a0c3 ("ASoC: codecs: wcd-clsh: add new version support") +Signed-off-by: Yassine Oudjana +Reviewed-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20210925022339.786296-1-y.oudjana@protonmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wcd9335.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c +index d885ced34f606..bc5d68c53e5ab 100644 +--- a/sound/soc/codecs/wcd9335.c ++++ b/sound/soc/codecs/wcd9335.c +@@ -4859,7 +4859,7 @@ static int wcd9335_codec_probe(struct snd_soc_component *component) + + snd_soc_component_init_regmap(component, wcd->regmap); + /* Class-H Init*/ +- wcd->clsh_ctrl = wcd_clsh_ctrl_alloc(component, wcd->version); ++ wcd->clsh_ctrl = wcd_clsh_ctrl_alloc(component, WCD9335); + if (IS_ERR(wcd->clsh_ctrl)) + return PTR_ERR(wcd->clsh_ctrl); + +-- +2.33.0 + diff --git a/queue-5.15/ataflop-remove-ataflop_probe_lock-mutex.patch b/queue-5.15/ataflop-remove-ataflop_probe_lock-mutex.patch new file mode 100644 index 00000000000..06c69169a54 --- /dev/null +++ b/queue-5.15/ataflop-remove-ataflop_probe_lock-mutex.patch @@ -0,0 +1,144 @@ +From 3f39fbe9d24baf184ba597ae890adfab9fea9b4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 16:04:33 -0700 +Subject: ataflop: remove ataflop_probe_lock mutex + +From: Tetsuo Handa + +[ Upstream commit 4ddb85d36613c45bde00d368bf9f357bd0708a0c ] + +Commit bf9c0538e485b591 ("ataflop: use a separate gendisk for each media +format") introduced ataflop_probe_lock mutex, but forgot to unlock the +mutex when atari_floppy_init() (i.e. module loading) succeeded. This will +result in double lock deadlock if ataflop_probe() is called. Also, +unregister_blkdev() must not be called from atari_floppy_init() with +ataflop_probe_lock held when atari_floppy_init() failed, for +ataflop_probe() waits for ataflop_probe_lock with major_names_lock held +(i.e. AB-BA deadlock). + +__register_blkdev() needs to be called last in order to avoid calling +ataflop_probe() when atari_floppy_init() is about to fail, for memory for +completing already-started ataflop_probe() safely will be released as soon +as atari_floppy_init() released ataflop_probe_lock mutex. + +As with commit 8b52d8be86d72308 ("loop: reorder loop_exit"), +unregister_blkdev() needs to be called first in order to avoid calling +ataflop_alloc_disk() from ataflop_probe() after del_gendisk() from +atari_floppy_exit(). + +By relocating __register_blkdev() / unregister_blkdev() as explained above, +we can remove ataflop_probe_lock mutex, for probe function and __exit +function are serialized by major_names_lock mutex. + +Signed-off-by: Tetsuo Handa +Fixes: bf9c0538e485b591 ("ataflop: use a separate gendisk for each media format") +Reviewed-by: Luis Chamberlain +Tested-by: Michael Schmitz +Link: https://lore.kernel.org/r/20211103230437.1639990-11-mcgrof@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ataflop.c | 47 +++++++++++++++++++++++------------------ + 1 file changed, 27 insertions(+), 20 deletions(-) + +diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c +index 123ad58193098..aab48b292a3bb 100644 +--- a/drivers/block/ataflop.c ++++ b/drivers/block/ataflop.c +@@ -2008,8 +2008,6 @@ static int ataflop_alloc_disk(unsigned int drive, unsigned int type) + return 0; + } + +-static DEFINE_MUTEX(ataflop_probe_lock); +- + static void ataflop_probe(dev_t dev) + { + int drive = MINOR(dev) & 3; +@@ -2020,14 +2018,32 @@ static void ataflop_probe(dev_t dev) + + if (drive >= FD_MAX_UNITS || type >= NUM_DISK_MINORS) + return; +- mutex_lock(&ataflop_probe_lock); + if (!unit[drive].disk[type]) { + if (ataflop_alloc_disk(drive, type) == 0) { + add_disk(unit[drive].disk[type]); + unit[drive].registered[type] = true; + } + } +- mutex_unlock(&ataflop_probe_lock); ++} ++ ++static void atari_floppy_cleanup(void) ++{ ++ int i; ++ int type; ++ ++ for (i = 0; i < FD_MAX_UNITS; i++) { ++ for (type = 0; type < NUM_DISK_MINORS; type++) { ++ if (!unit[i].disk[type]) ++ continue; ++ del_gendisk(unit[i].disk[type]); ++ blk_cleanup_queue(unit[i].disk[type]->queue); ++ put_disk(unit[i].disk[type]); ++ } ++ blk_mq_free_tag_set(&unit[i].tag_set); ++ } ++ ++ del_timer_sync(&fd_timer); ++ atari_stram_free(DMABuffer); + } + + static void atari_cleanup_floppy_disk(struct atari_floppy_struct *fs) +@@ -2053,11 +2069,6 @@ static int __init atari_floppy_init (void) + /* Amiga, Mac, ... don't have Atari-compatible floppy :-) */ + return -ENODEV; + +- mutex_lock(&ataflop_probe_lock); +- ret = __register_blkdev(FLOPPY_MAJOR, "fd", ataflop_probe); +- if (ret) +- goto out_unlock; +- + for (i = 0; i < FD_MAX_UNITS; i++) { + memset(&unit[i].tag_set, 0, sizeof(unit[i].tag_set)); + unit[i].tag_set.ops = &ataflop_mq_ops; +@@ -2111,15 +2122,17 @@ static int __init atari_floppy_init (void) + UseTrackbuffer ? "" : "no "); + config_types(); + +- return 0; ++ ret = __register_blkdev(FLOPPY_MAJOR, "fd", ataflop_probe); ++ if (ret) { ++ printk(KERN_ERR "atari_floppy_init: cannot register block device\n"); ++ atari_floppy_cleanup(); ++ } ++ return ret; + + err: + while (--i >= 0) + atari_cleanup_floppy_disk(&unit[i]); + +- unregister_blkdev(FLOPPY_MAJOR, "fd"); +-out_unlock: +- mutex_unlock(&ataflop_probe_lock); + return ret; + } + +@@ -2164,14 +2177,8 @@ __setup("floppy=", atari_floppy_setup); + + static void __exit atari_floppy_exit(void) + { +- int i; +- +- for (i = 0; i < FD_MAX_UNITS; i++) +- atari_cleanup_floppy_disk(&unit[i]); + unregister_blkdev(FLOPPY_MAJOR, "fd"); +- +- del_timer_sync(&fd_timer); +- atari_stram_free( DMABuffer ); ++ atari_floppy_cleanup(); + } + + module_init(atari_floppy_init) +-- +2.33.0 + diff --git a/queue-5.15/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch b/queue-5.15/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch new file mode 100644 index 00000000000..a14a67caa36 --- /dev/null +++ b/queue-5.15/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch @@ -0,0 +1,53 @@ +From 7f3c8cfb990f01af97001c6b8b9a357c32d15650 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Aug 2021 08:38:53 -0700 +Subject: ath: dfs_pattern_detector: Fix possible null-pointer dereference in + channel_detector_create() + +From: Tuo Li + +[ Upstream commit 4b6012a7830b813799a7faf40daa02a837e0fd5b ] + +kzalloc() is used to allocate memory for cd->detectors, and if it fails, +channel_detector_exit() behind the label fail will be called: + channel_detector_exit(dpd, cd); + +In channel_detector_exit(), cd->detectors is dereferenced through: + struct pri_detector *de = cd->detectors[i]; + +To fix this possible null-pointer dereference, check cd->detectors before +the for loop to dereference cd->detectors. + +Reported-by: TOTE Robot +Signed-off-by: Tuo Li +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210805153854.154066-1-islituo@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/dfs_pattern_detector.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c +index 80390495ea250..75cb53a3ec15e 100644 +--- a/drivers/net/wireless/ath/dfs_pattern_detector.c ++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c +@@ -183,10 +183,12 @@ static void channel_detector_exit(struct dfs_pattern_detector *dpd, + if (cd == NULL) + return; + list_del(&cd->head); +- for (i = 0; i < dpd->num_radar_types; i++) { +- struct pri_detector *de = cd->detectors[i]; +- if (de != NULL) +- de->exit(de); ++ if (cd->detectors) { ++ for (i = 0; i < dpd->num_radar_types; i++) { ++ struct pri_detector *de = cd->detectors[i]; ++ if (de != NULL) ++ de->exit(de); ++ } + } + kfree(cd->detectors); + kfree(cd); +-- +2.33.0 + diff --git a/queue-5.15/ath10k-don-t-always-treat-modem-stop-events-as-crash.patch b/queue-5.15/ath10k-don-t-always-treat-modem-stop-events-as-crash.patch new file mode 100644 index 00000000000..b0e32547329 --- /dev/null +++ b/queue-5.15/ath10k-don-t-always-treat-modem-stop-events-as-crash.patch @@ -0,0 +1,200 @@ +From aac2ad41d156c0b740cdb5b90ce0b1571ff0f96a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 16:55:53 +0300 +Subject: ath10k: Don't always treat modem stop events as crashes + +From: Stephen Boyd + +[ Upstream commit 747ff7d3d7424876111b7559b7f6704762f89796 ] + +When rebooting on sc7180 Trogdor devices I see the following crash from +the wifi driver. + + ath10k_snoc 18800000.wifi: firmware crashed! (guid 83493570-29a2-4e98-a83e-70048c47669c) + +This is because a modem stop event looks just like a firmware crash to +the driver, the qmi connection is closed in both cases. Use the qcom ssr +notifier block to stop treating the qmi connection close event as a +firmware crash signal when the modem hasn't actually crashed. See +ath10k_qmi_event_server_exit() for more details. + +This silences the crash message seen during every reboot. + +Fixes: 3f14b73c3843 ("ath10k: Enable MSA region dump support for WCN3990") +Cc: Youghandhar Chintala +Cc: Abhishek Kumar +Cc: Steev Klimaszewski +Cc: Matthias Kaehlcke +Cc: Rakesh Pillai +Signed-off-by: Stephen Boyd +Reviewed-by: Rakesh Pillai +Tested-By: Youghandhar Chintala +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210922233341.182624-1-swboyd@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/qmi.c | 3 +- + drivers/net/wireless/ath/ath10k/snoc.c | 77 ++++++++++++++++++++++++++ + drivers/net/wireless/ath/ath10k/snoc.h | 5 ++ + 3 files changed, 84 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c +index 07e478f9a808c..80fcb917fe4e1 100644 +--- a/drivers/net/wireless/ath/ath10k/qmi.c ++++ b/drivers/net/wireless/ath/ath10k/qmi.c +@@ -864,7 +864,8 @@ static void ath10k_qmi_event_server_exit(struct ath10k_qmi *qmi) + + ath10k_qmi_remove_msa_permission(qmi); + ath10k_core_free_board_files(ar); +- if (!test_bit(ATH10K_SNOC_FLAG_UNREGISTERING, &ar_snoc->flags)) ++ if (!test_bit(ATH10K_SNOC_FLAG_UNREGISTERING, &ar_snoc->flags) && ++ !test_bit(ATH10K_SNOC_FLAG_MODEM_STOPPED, &ar_snoc->flags)) + ath10k_snoc_fw_crashed_dump(ar); + + ath10k_snoc_fw_indication(ar, ATH10K_QMI_EVENT_FW_DOWN_IND); +diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c +index ea00fbb156015..9513ab696fff1 100644 +--- a/drivers/net/wireless/ath/ath10k/snoc.c ++++ b/drivers/net/wireless/ath/ath10k/snoc.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -1477,6 +1478,74 @@ void ath10k_snoc_fw_crashed_dump(struct ath10k *ar) + mutex_unlock(&ar->dump_mutex); + } + ++static int ath10k_snoc_modem_notify(struct notifier_block *nb, unsigned long action, ++ void *data) ++{ ++ struct ath10k_snoc *ar_snoc = container_of(nb, struct ath10k_snoc, nb); ++ struct ath10k *ar = ar_snoc->ar; ++ struct qcom_ssr_notify_data *notify_data = data; ++ ++ switch (action) { ++ case QCOM_SSR_BEFORE_POWERUP: ++ ath10k_dbg(ar, ATH10K_DBG_SNOC, "received modem starting event\n"); ++ clear_bit(ATH10K_SNOC_FLAG_MODEM_STOPPED, &ar_snoc->flags); ++ break; ++ ++ case QCOM_SSR_AFTER_POWERUP: ++ ath10k_dbg(ar, ATH10K_DBG_SNOC, "received modem running event\n"); ++ break; ++ ++ case QCOM_SSR_BEFORE_SHUTDOWN: ++ ath10k_dbg(ar, ATH10K_DBG_SNOC, "received modem %s event\n", ++ notify_data->crashed ? "crashed" : "stopping"); ++ if (!notify_data->crashed) ++ set_bit(ATH10K_SNOC_FLAG_MODEM_STOPPED, &ar_snoc->flags); ++ else ++ clear_bit(ATH10K_SNOC_FLAG_MODEM_STOPPED, &ar_snoc->flags); ++ break; ++ ++ case QCOM_SSR_AFTER_SHUTDOWN: ++ ath10k_dbg(ar, ATH10K_DBG_SNOC, "received modem offline event\n"); ++ break; ++ ++ default: ++ ath10k_err(ar, "received unrecognized event %lu\n", action); ++ break; ++ } ++ ++ return NOTIFY_OK; ++} ++ ++static int ath10k_modem_init(struct ath10k *ar) ++{ ++ struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar); ++ void *notifier; ++ int ret; ++ ++ ar_snoc->nb.notifier_call = ath10k_snoc_modem_notify; ++ ++ notifier = qcom_register_ssr_notifier("mpss", &ar_snoc->nb); ++ if (IS_ERR(notifier)) { ++ ret = PTR_ERR(notifier); ++ ath10k_err(ar, "failed to initialize modem notifier: %d\n", ret); ++ return ret; ++ } ++ ++ ar_snoc->notifier = notifier; ++ ++ return 0; ++} ++ ++static void ath10k_modem_deinit(struct ath10k *ar) ++{ ++ int ret; ++ struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar); ++ ++ ret = qcom_unregister_ssr_notifier(ar_snoc->notifier, &ar_snoc->nb); ++ if (ret) ++ ath10k_err(ar, "error %d unregistering notifier\n", ret); ++} ++ + static int ath10k_setup_msa_resources(struct ath10k *ar, u32 msa_size) + { + struct device *dev = ar->dev; +@@ -1740,10 +1809,17 @@ static int ath10k_snoc_probe(struct platform_device *pdev) + goto err_fw_deinit; + } + ++ ret = ath10k_modem_init(ar); ++ if (ret) ++ goto err_qmi_deinit; ++ + ath10k_dbg(ar, ATH10K_DBG_SNOC, "snoc probe\n"); + + return 0; + ++err_qmi_deinit: ++ ath10k_qmi_deinit(ar); ++ + err_fw_deinit: + ath10k_fw_deinit(ar); + +@@ -1771,6 +1847,7 @@ static int ath10k_snoc_free_resources(struct ath10k *ar) + ath10k_fw_deinit(ar); + ath10k_snoc_free_irq(ar); + ath10k_snoc_release_resource(ar); ++ ath10k_modem_deinit(ar); + ath10k_qmi_deinit(ar); + ath10k_core_destroy(ar); + +diff --git a/drivers/net/wireless/ath/ath10k/snoc.h b/drivers/net/wireless/ath/ath10k/snoc.h +index 5095d1893681b..d4bce17076960 100644 +--- a/drivers/net/wireless/ath/ath10k/snoc.h ++++ b/drivers/net/wireless/ath/ath10k/snoc.h +@@ -6,6 +6,8 @@ + #ifndef _SNOC_H_ + #define _SNOC_H_ + ++#include ++ + #include "hw.h" + #include "ce.h" + #include "qmi.h" +@@ -45,6 +47,7 @@ struct ath10k_snoc_ce_irq { + enum ath10k_snoc_flags { + ATH10K_SNOC_FLAG_REGISTERED, + ATH10K_SNOC_FLAG_UNREGISTERING, ++ ATH10K_SNOC_FLAG_MODEM_STOPPED, + ATH10K_SNOC_FLAG_RECOVERY, + ATH10K_SNOC_FLAG_8BIT_HOST_CAP_QUIRK, + }; +@@ -75,6 +78,8 @@ struct ath10k_snoc { + struct clk_bulk_data *clks; + size_t num_clks; + struct ath10k_qmi *qmi; ++ struct notifier_block nb; ++ void *notifier; + unsigned long flags; + bool xo_cal_supported; + u32 xo_cal_data; +-- +2.33.0 + diff --git a/queue-5.15/ath10k-fix-max-antenna-gain-unit.patch b/queue-5.15/ath10k-fix-max-antenna-gain-unit.patch new file mode 100644 index 00000000000..a516976ce3b --- /dev/null +++ b/queue-5.15/ath10k-fix-max-antenna-gain-unit.patch @@ -0,0 +1,86 @@ +From 317fbec19325991bd1bc898b5f8075cca914ac40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Jun 2019 19:21:31 +0200 +Subject: ath10k: fix max antenna gain unit + +From: Sven Eckelmann + +[ Upstream commit 0a491167fe0cf9f26062462de2a8688b96125d48 ] + +Most of the txpower for the ath10k firmware is stored as twicepower (0.5 dB +steps). This isn't the case for max_antenna_gain - which is still expected +by the firmware as dB. + +The firmware is converting it from dB to the internal (twicepower) +representation when it calculates the limits of a channel. This can be seen +in tpc_stats when configuring "12" as max_antenna_gain. Instead of the +expected 12 (6 dB), the tpc_stats shows 24 (12 dB). + +Tested on QCA9888 and IPQ4019 with firmware 10.4-3.5.3-00057. + +Fixes: 02256930d9b8 ("ath10k: use proper tx power unit") +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20190611172131.6064-1-sven@narfation.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 6 +++--- + drivers/net/wireless/ath/ath10k/wmi.h | 3 +++ + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 7ca68c81d9b61..5ec19d91cf372 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -1052,7 +1052,7 @@ static int ath10k_monitor_vdev_start(struct ath10k *ar, int vdev_id) + arg.channel.min_power = 0; + arg.channel.max_power = channel->max_power * 2; + arg.channel.max_reg_power = channel->max_reg_power * 2; +- arg.channel.max_antenna_gain = channel->max_antenna_gain * 2; ++ arg.channel.max_antenna_gain = channel->max_antenna_gain; + + reinit_completion(&ar->vdev_setup_done); + reinit_completion(&ar->vdev_delete_done); +@@ -1498,7 +1498,7 @@ static int ath10k_vdev_start_restart(struct ath10k_vif *arvif, + arg.channel.min_power = 0; + arg.channel.max_power = chandef->chan->max_power * 2; + arg.channel.max_reg_power = chandef->chan->max_reg_power * 2; +- arg.channel.max_antenna_gain = chandef->chan->max_antenna_gain * 2; ++ arg.channel.max_antenna_gain = chandef->chan->max_antenna_gain; + + if (arvif->vdev_type == WMI_VDEV_TYPE_AP) { + arg.ssid = arvif->u.ap.ssid; +@@ -3426,7 +3426,7 @@ static int ath10k_update_channel_list(struct ath10k *ar) + ch->min_power = 0; + ch->max_power = channel->max_power * 2; + ch->max_reg_power = channel->max_reg_power * 2; +- ch->max_antenna_gain = channel->max_antenna_gain * 2; ++ ch->max_antenna_gain = channel->max_antenna_gain; + ch->reg_class_id = 0; /* FIXME */ + + /* FIXME: why use only legacy modes, why not any +diff --git a/drivers/net/wireless/ath/ath10k/wmi.h b/drivers/net/wireless/ath/ath10k/wmi.h +index 41c1a3d339c25..01bfd09a9d88c 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.h ++++ b/drivers/net/wireless/ath/ath10k/wmi.h +@@ -2066,7 +2066,9 @@ struct wmi_channel { + union { + __le32 reginfo1; + struct { ++ /* note: power unit is 1 dBm */ + u8 antenna_max; ++ /* note: power unit is 0.5 dBm */ + u8 max_tx_power; + } __packed; + } __packed; +@@ -2086,6 +2088,7 @@ struct wmi_channel_arg { + u32 min_power; + u32 max_power; + u32 max_reg_power; ++ /* note: power unit is 1 dBm */ + u32 max_antenna_gain; + u32 reg_class_id; + enum wmi_phy_mode mode; +-- +2.33.0 + diff --git a/queue-5.15/ath10k-fix-missing-frame-timestamp-for-beacon-probe-.patch b/queue-5.15/ath10k-fix-missing-frame-timestamp-for-beacon-probe-.patch new file mode 100644 index 00000000000..07d6afd2e6b --- /dev/null +++ b/queue-5.15/ath10k-fix-missing-frame-timestamp-for-beacon-probe-.patch @@ -0,0 +1,44 @@ +From 2c97dd0f9f05211e202f41c0db48008164434bce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 14:00:47 +0300 +Subject: ath10k: Fix missing frame timestamp for beacon/probe-resp + +From: Loic Poulain + +[ Upstream commit e6dfbc3ba90cc2b619229be56b485f085a0a8e1c ] + +When receiving a beacon or probe response, we should update the +boottime_ns field which is the timestamp the frame was received at. +(cf mac80211.h) + +This fixes a scanning issue with Android since it relies on this +timestamp to determine when the AP has been seen for the last time +(via the nl80211 BSS_LAST_SEEN_BOOTTIME parameter). + +Fixes: 5e3dd157d7e7 ("ath10k: mac80211 driver for Qualcomm Atheros 802.11ac CQA98xx devices") +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1629811733-7927-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/wmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c +index b8a4bbfe10b87..7c1c2658cb5f8 100644 +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -2610,6 +2610,10 @@ int ath10k_wmi_event_mgmt_rx(struct ath10k *ar, struct sk_buff *skb) + if (ieee80211_is_beacon(hdr->frame_control)) + ath10k_mac_handle_beacon(ar, skb); + ++ if (ieee80211_is_beacon(hdr->frame_control) || ++ ieee80211_is_probe_resp(hdr->frame_control)) ++ status->boottime_ns = ktime_get_boottime_ns(); ++ + ath10k_dbg(ar, ATH10K_DBG_MGMT, + "event mgmt rx skb %pK len %d ftype %02x stype %02x\n", + skb, skb->len, +-- +2.33.0 + diff --git a/queue-5.15/ath10k-fix-module-load-regression-with-iram-recovery.patch b/queue-5.15/ath10k-fix-module-load-regression-with-iram-recovery.patch new file mode 100644 index 00000000000..d6bc67fad79 --- /dev/null +++ b/queue-5.15/ath10k-fix-module-load-regression-with-iram-recovery.patch @@ -0,0 +1,135 @@ +From 411fa466245995b6288c3c5f1bb958556835579e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 11:59:07 +0300 +Subject: ath10k: fix module load regression with iram-recovery feature + +From: Abinaya Kalaiselvan + +[ Upstream commit 6f8c8bf4c7c9be1c42088689fd4370e06b46608a ] + +Commit 9af7c32ceca8 ("ath10k: add target IRAM recovery feature support") +introduced a new firmware feature flag ATH10K_FW_FEATURE_IRAM_RECOVERY. But +this caused ath10k_pci module load to fail if ATH10K_FW_CRASH_DUMP_RAM_DATA bit +was not enabled in the ath10k coredump_mask module parameter: + +[ 2209.328190] ath10k_pci 0000:02:00.0: qca9984/qca9994 hw1.0 target 0x01000000 chip_id 0x00000000 sub 168c:cafe +[ 2209.434414] ath10k_pci 0000:02:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 1 testmode 1 +[ 2209.547191] ath10k_pci 0000:02:00.0: firmware ver 10.4-3.9.0.2-00099 api 5 features no-p2p,mfp,peer-flow-ctrl,btcoex-param,allows-mesh-bcast,no-ps,peer-fixed-rate,iram-recovery crc32 cbade90a +[ 2210.896485] ath10k_pci 0000:02:00.0: board_file api 1 bmi_id 0:1 crc32 a040efc2 +[ 2213.603339] ath10k_pci 0000:02:00.0: failed to copy target iram contents: -12 +[ 2213.839027] ath10k_pci 0000:02:00.0: could not init core (-12) +[ 2213.933910] ath10k_pci 0000:02:00.0: could not probe fw (-12) + +And by default coredump_mask does not have ATH10K_FW_CRASH_DUMP_RAM_DATA +enabled so anyone using a firmware with iram-recovery feature would fail. To my +knowledge only QCA9984 firmwares starting from release 10.4-3.9.0.2-00099 +enabled the feature. + +The reason for regression was that ath10k_core_copy_target_iram() used +ath10k_coredump_get_mem_layout() to get the memory layout, but when +ATH10K_FW_CRASH_DUMP_RAM_DATA was disabled it would get just NULL and bail out +with an error. + +While looking at all this I noticed another bug: if CONFIG_DEV_COREDUMP is +disabled but the firmware has iram-recovery enabled the module load fails with +similar error messages. I fixed that by returning 0 from +ath10k_core_copy_target_iram() when _ath10k_coredump_get_mem_layout() returns +NULL. + +Tested-on: QCA9984 hw2.0 PCI 10.4-3.9.0.2-00139 + +Fixes: 9af7c32ceca8 ("ath10k: add target IRAM recovery feature support") +Signed-off-by: Abinaya Kalaiselvan +Signed-off-by: Jouni Malinen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211020075054.23061-1-kvalo@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/core.c | 11 +++++++++-- + drivers/net/wireless/ath/ath10k/coredump.c | 11 ++++++++--- + drivers/net/wireless/ath/ath10k/coredump.h | 7 +++++++ + 3 files changed, 24 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/core.c b/drivers/net/wireless/ath/ath10k/core.c +index 2f9be182fbfbb..64c7145b51a2e 100644 +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -2690,9 +2690,16 @@ static int ath10k_core_copy_target_iram(struct ath10k *ar) + int i, ret; + u32 len, remaining_len; + +- hw_mem = ath10k_coredump_get_mem_layout(ar); ++ /* copy target iram feature must work also when ++ * ATH10K_FW_CRASH_DUMP_RAM_DATA is disabled, so ++ * _ath10k_coredump_get_mem_layout() to accomplist that ++ */ ++ hw_mem = _ath10k_coredump_get_mem_layout(ar); + if (!hw_mem) +- return -ENOMEM; ++ /* if CONFIG_DEV_COREDUMP is disabled we get NULL, then ++ * just silently disable the feature by doing nothing ++ */ ++ return 0; + + for (i = 0; i < hw_mem->region_table.size; i++) { + tmp = &hw_mem->region_table.regions[i]; +diff --git a/drivers/net/wireless/ath/ath10k/coredump.c b/drivers/net/wireless/ath/ath10k/coredump.c +index 7eb72290a925c..55e7e11d06d94 100644 +--- a/drivers/net/wireless/ath/ath10k/coredump.c ++++ b/drivers/net/wireless/ath/ath10k/coredump.c +@@ -1447,11 +1447,17 @@ static u32 ath10k_coredump_get_ramdump_size(struct ath10k *ar) + + const struct ath10k_hw_mem_layout *ath10k_coredump_get_mem_layout(struct ath10k *ar) + { +- int i; +- + if (!test_bit(ATH10K_FW_CRASH_DUMP_RAM_DATA, &ath10k_coredump_mask)) + return NULL; + ++ return _ath10k_coredump_get_mem_layout(ar); ++} ++EXPORT_SYMBOL(ath10k_coredump_get_mem_layout); ++ ++const struct ath10k_hw_mem_layout *_ath10k_coredump_get_mem_layout(struct ath10k *ar) ++{ ++ int i; ++ + if (WARN_ON(ar->target_version == 0)) + return NULL; + +@@ -1464,7 +1470,6 @@ const struct ath10k_hw_mem_layout *ath10k_coredump_get_mem_layout(struct ath10k + + return NULL; + } +-EXPORT_SYMBOL(ath10k_coredump_get_mem_layout); + + struct ath10k_fw_crash_data *ath10k_coredump_new(struct ath10k *ar) + { +diff --git a/drivers/net/wireless/ath/ath10k/coredump.h b/drivers/net/wireless/ath/ath10k/coredump.h +index 42404e246e0e9..240d705150888 100644 +--- a/drivers/net/wireless/ath/ath10k/coredump.h ++++ b/drivers/net/wireless/ath/ath10k/coredump.h +@@ -176,6 +176,7 @@ int ath10k_coredump_register(struct ath10k *ar); + void ath10k_coredump_unregister(struct ath10k *ar); + void ath10k_coredump_destroy(struct ath10k *ar); + ++const struct ath10k_hw_mem_layout *_ath10k_coredump_get_mem_layout(struct ath10k *ar); + const struct ath10k_hw_mem_layout *ath10k_coredump_get_mem_layout(struct ath10k *ar); + + #else /* CONFIG_DEV_COREDUMP */ +@@ -214,6 +215,12 @@ ath10k_coredump_get_mem_layout(struct ath10k *ar) + return NULL; + } + ++static inline const struct ath10k_hw_mem_layout * ++_ath10k_coredump_get_mem_layout(struct ath10k *ar) ++{ ++ return NULL; ++} ++ + #endif /* CONFIG_DEV_COREDUMP */ + + #endif /* _COREDUMP_H_ */ +-- +2.33.0 + diff --git a/queue-5.15/ath10k-high-latency-fixes-for-beacon-buffer.patch b/queue-5.15/ath10k-high-latency-fixes-for-beacon-buffer.patch new file mode 100644 index 00000000000..8a64f4b8f02 --- /dev/null +++ b/queue-5.15/ath10k-high-latency-fixes-for-beacon-buffer.patch @@ -0,0 +1,84 @@ +From 934f1f245708ad60bbae89c4c899648b1abd74d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 14:00:47 +0300 +Subject: ath10k: high latency fixes for beacon buffer + +From: Alagu Sankar + +[ Upstream commit e263bdab9c0e8025fb7f41f153709a9cda51f6b6 ] + +Beacon buffer for high latency devices does not use DMA. other similar +buffer allocation methods in the driver have already been modified for +high latency path. Fix the beacon buffer allocation left out in the +earlier high latency changes. + +Signed-off-by: Alagu Sankar +Signed-off-by: Erik Stromdahl +[fabio: adapt it to use ar->bus_param.dev_type ] +Signed-off-by: Fabio Estevam +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210818232627.2040121-1-festevam@denx.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 31 ++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index c272b290fa73d..7ca68c81d9b61 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -993,8 +993,12 @@ static void ath10k_mac_vif_beacon_cleanup(struct ath10k_vif *arvif) + ath10k_mac_vif_beacon_free(arvif); + + if (arvif->beacon_buf) { +- dma_free_coherent(ar->dev, IEEE80211_MAX_FRAME_LEN, +- arvif->beacon_buf, arvif->beacon_paddr); ++ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) ++ kfree(arvif->beacon_buf); ++ else ++ dma_free_coherent(ar->dev, IEEE80211_MAX_FRAME_LEN, ++ arvif->beacon_buf, ++ arvif->beacon_paddr); + arvif->beacon_buf = NULL; + } + } +@@ -5576,10 +5580,17 @@ static int ath10k_add_interface(struct ieee80211_hw *hw, + if (vif->type == NL80211_IFTYPE_ADHOC || + vif->type == NL80211_IFTYPE_MESH_POINT || + vif->type == NL80211_IFTYPE_AP) { +- arvif->beacon_buf = dma_alloc_coherent(ar->dev, +- IEEE80211_MAX_FRAME_LEN, +- &arvif->beacon_paddr, +- GFP_ATOMIC); ++ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) { ++ arvif->beacon_buf = kmalloc(IEEE80211_MAX_FRAME_LEN, ++ GFP_KERNEL); ++ arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf; ++ } else { ++ arvif->beacon_buf = ++ dma_alloc_coherent(ar->dev, ++ IEEE80211_MAX_FRAME_LEN, ++ &arvif->beacon_paddr, ++ GFP_ATOMIC); ++ } + if (!arvif->beacon_buf) { + ret = -ENOMEM; + ath10k_warn(ar, "failed to allocate beacon buffer: %d\n", +@@ -5794,8 +5805,12 @@ err_vdev_delete: + + err: + if (arvif->beacon_buf) { +- dma_free_coherent(ar->dev, IEEE80211_MAX_FRAME_LEN, +- arvif->beacon_buf, arvif->beacon_paddr); ++ if (ar->bus_param.dev_type == ATH10K_DEV_TYPE_HL) ++ kfree(arvif->beacon_buf); ++ else ++ dma_free_coherent(ar->dev, IEEE80211_MAX_FRAME_LEN, ++ arvif->beacon_buf, ++ arvif->beacon_paddr); + arvif->beacon_buf = NULL; + } + +-- +2.33.0 + diff --git a/queue-5.15/ath10k-sdio-add-missing-bh-locking-around-napi_schdu.patch b/queue-5.15/ath10k-sdio-add-missing-bh-locking-around-napi_schdu.patch new file mode 100644 index 00000000000..74c80de560b --- /dev/null +++ b/queue-5.15/ath10k-sdio-add-missing-bh-locking-around-napi_schdu.patch @@ -0,0 +1,71 @@ +From d37861a0f08c075987724c6e4c62787567a4e340 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 14:00:47 +0300 +Subject: ath10k: sdio: Add missing BH locking around napi_schdule() + +From: Fabio Estevam + +[ Upstream commit 019edd01d174ce4bb2e517dd332922514d176601 ] + +On a i.MX-based board with a QCA9377 Wifi chip, the following errors +are seen after launching the 'hostapd' application: + +hostapd /etc/wifi.conf +Configuration file: /etc/wifi.conf +wlan0: interface state UNINITIALIZED->COUNTRY_UPDATE +NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!! +Using interface wlan0 with hwaddr 00:1f:7b:31:04:a0 and ssid "thessid" +IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready +wlan0: interface state COUNTRY_UPDATE->ENABLED +wlan0: AP-ENABLED +NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!! +NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!! +NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!! +NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!! +... + +Fix this problem by adding the BH locking around napi-schedule(), +in the same way it was done in commit e63052a5dd3c ("mlx5e: add +add missing BH locking around napi_schdule()"). + +Its commit log provides the following explanation: + +"It's not correct to call napi_schedule() in pure process +context. Because we use __raise_softirq_irqoff() we require +callers to be in a context which will eventually lead to +softirq handling (hardirq, bh disabled, etc.). + +With code as is users will see: + +NOHZ tick-stop error: Non-RCU local softirq work is pending, handler #08!!! +" + +Fixes: cfee8793a74d ("ath10k: enable napi on RX path for sdio") +Signed-off-by: Fabio Estevam +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210824144339.2796122-1-festevam@denx.de +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/sdio.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c +index b746052737e0b..eb705214f3f0a 100644 +--- a/drivers/net/wireless/ath/ath10k/sdio.c ++++ b/drivers/net/wireless/ath/ath10k/sdio.c +@@ -1363,8 +1363,11 @@ static void ath10k_rx_indication_async_work(struct work_struct *work) + ep->ep_ops.ep_rx_complete(ar, skb); + } + +- if (test_bit(ATH10K_FLAG_CORE_REGISTERED, &ar->dev_flags)) ++ if (test_bit(ATH10K_FLAG_CORE_REGISTERED, &ar->dev_flags)) { ++ local_bh_disable(); + napi_schedule(&ar->napi); ++ local_bh_enable(); ++ } + } + + static int ath10k_sdio_read_rtc_state(struct ath10k_sdio *ar_sdio, unsigned char *state) +-- +2.33.0 + diff --git a/queue-5.15/ath11k-add-handler-for-scan-event-wmi_scan_event_deq.patch b/queue-5.15/ath11k-add-handler-for-scan-event-wmi_scan_event_deq.patch new file mode 100644 index 00000000000..3955639dba0 --- /dev/null +++ b/queue-5.15/ath11k-add-handler-for-scan-event-wmi_scan_event_deq.patch @@ -0,0 +1,54 @@ +From f213be1a7c4b6ffc977509eacb75a7270415593b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 14:00:45 +0300 +Subject: ath11k: add handler for scan event WMI_SCAN_EVENT_DEQUEUED + +From: Wen Gong + +[ Upstream commit 441b3b5911f8ead7f2fe2336587b340a33044d58 ] + +When wlan interface is up, 11d scan is sent to the firmware, and the +firmware needs to spend couple of seconds to complete the 11d scan. If +immediately a normal scan from user space arrives to ath11k, then the +normal scan request is also sent to the firmware, but the scan started +event will be reported to ath11k until the 11d scan complete. When timed +out for the scan started in ath11k, ath11k stops the normal scan and the +firmware reports WMI_SCAN_EVENT_DEQUEUED to ath11k for the normal scan. +ath11k has no handler for the event and then timed out for the scan +completed in ath11k_scan_stop(), and ath11k prints the following error +message. + +[ 1491.604750] ath11k_pci 0000:02:00.0: failed to receive scan abort comple: timed out +[ 1491.604756] ath11k_pci 0000:02:00.0: failed to stop scan: -110 +[ 1491.604758] ath11k_pci 0000:02:00.0: failed to start hw scan: -110 + +Add a handler for WMI_SCAN_EVENT_DEQUEUED and then complete the scan to +get rid of the above error message. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 + +Signed-off-by: Wen Gong +Signed-off-by: Jouni Malinen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210914164226.38843-1-jouni@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/wmi.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index fa27115483c6c..72da1283f2ccb 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -6313,6 +6313,8 @@ static void ath11k_scan_event(struct ath11k_base *ab, struct sk_buff *skb) + ath11k_wmi_event_scan_start_failed(ar); + break; + case WMI_SCAN_EVENT_DEQUEUED: ++ __ath11k_mac_scan_finish(ar); ++ break; + case WMI_SCAN_EVENT_PREEMPTED: + case WMI_SCAN_EVENT_RESTARTED: + case WMI_SCAN_EVENT_FOREIGN_CHAN_EXIT: +-- +2.33.0 + diff --git a/queue-5.15/ath11k-align-bss_chan_info-structure-with-firmware.patch b/queue-5.15/ath11k-align-bss_chan_info-structure-with-firmware.patch new file mode 100644 index 00000000000..b694bc986f9 --- /dev/null +++ b/queue-5.15/ath11k-align-bss_chan_info-structure-with-firmware.patch @@ -0,0 +1,73 @@ +From e102950e82086ad560da190a76d4708520108447 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 00:49:22 +0300 +Subject: ath11k: Align bss_chan_info structure with firmware + +From: Seevalamuthu Mariappan + +[ Upstream commit feab5bb8f1d4621025dceae7eef62d5f92de34ac ] + +pdev_id in structure 'wmi_pdev_bss_chan_info_event' is wrongly placed +at the beginning. This causes invalid values in survey dump. Hence, align +the structure with the firmware. + +Note: The firmware releases follow this order since the feature was +implemented. Also, it is not changing across the branches including +QCA6390. + +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01228-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Ritesh Singh +Signed-off-by: Seevalamuthu Mariappan +Signed-off-by: Jouni Malinen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210720214922.118078-3-jouni@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/wmi.c | 1 + + drivers/net/wireless/ath/ath11k/wmi.h | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index 6c253eae9d069..27c060dd3fb47 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -1339,6 +1339,7 @@ int ath11k_wmi_pdev_bss_chan_info_request(struct ath11k *ar, + WMI_TAG_PDEV_BSS_CHAN_INFO_REQUEST) | + FIELD_PREP(WMI_TLV_LEN, sizeof(*cmd) - TLV_HDR_SIZE); + cmd->req_type = type; ++ cmd->pdev_id = ar->pdev->pdev_id; + + ath11k_dbg(ar->ab, ATH11K_DBG_WMI, + "WMI bss chan info req type %d\n", type); +diff --git a/drivers/net/wireless/ath/ath11k/wmi.h b/drivers/net/wireless/ath/ath11k/wmi.h +index d35c47e0b19d4..0b7d337b36930 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.h ++++ b/drivers/net/wireless/ath/ath11k/wmi.h +@@ -2960,6 +2960,7 @@ struct wmi_pdev_bss_chan_info_req_cmd { + u32 tlv_header; + /* ref wmi_bss_chan_info_req_type */ + u32 req_type; ++ u32 pdev_id; + } __packed; + + struct wmi_ap_ps_peer_cmd { +@@ -4056,7 +4057,6 @@ struct wmi_vdev_stopped_event { + } __packed; + + struct wmi_pdev_bss_chan_info_event { +- u32 pdev_id; + u32 freq; /* Units in MHz */ + u32 noise_floor; /* units are dBm */ + /* rx clear - how often the channel was unused */ +@@ -4074,6 +4074,7 @@ struct wmi_pdev_bss_chan_info_event { + /*rx_cycle cnt for my bss in 64bits format */ + u32 rx_bss_cycle_count_low; + u32 rx_bss_cycle_count_high; ++ u32 pdev_id; + } __packed; + + #define WMI_VDEV_INSTALL_KEY_COMPL_STATUS_SUCCESS 0 +-- +2.33.0 + diff --git a/queue-5.15/ath11k-avoid-race-during-regd-updates.patch b/queue-5.15/ath11k-avoid-race-during-regd-updates.patch new file mode 100644 index 00000000000..d1e9cd5760a --- /dev/null +++ b/queue-5.15/ath11k-avoid-race-during-regd-updates.patch @@ -0,0 +1,157 @@ +From e9846c5b602655262188ab9f723275a706641be6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 12:05:40 +0300 +Subject: ath11k: Avoid race during regd updates + +From: Sriram R + +[ Upstream commit 1db2b0d0a39102238fcbf9092cefa65a710642e9 ] + +Whenever ath11k is bootup with a user country already set, cfg80211 +notifies this country info to ath11k soon after registration, where the +notification is sent to the firmware for fetching the rules of this user +country input. + +Multiple race conditions could be seen in this scenario where a new +request is either lost as pointed in [1] or a new regd overwrites the +default regd provided by the firmware during bootup. Note that, the +default regd is used for intersection purpose and hence it should not be +overwritten. + +The main reason as pointed by [1] is the usage of ATH11K_FLAG_REGISTERED +flag which is updated after completion of core registration, whereas the +reg notification from cfg80211 and wmi events for the corresponding +request can happen much before that. Since the ATH11K_FLAG_REGISTERED is +currently used to determine if the event containing reg rules belong to +default regd or for user request, there is a possibility of the default +regd getting overwritten. + +Since the default reg rules will be received only once per pdev on +firmware load, the above flag based check can be replaced with a check +to see if default_regd is already set, so that we can now always update +the new_regd. Also if the new_regd is set, this will be always used to +update the reg rules for the registered phy. + +[1] https://patchwork.kernel.org/project/linux-wireless/patch/1829665.1PRlr7bOQj@ripper/ + +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01460-QCAHKSWPL_SILICONZ-1 +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") + +Signed-off-by: Sriram R +Signed-off-by: Jouni Malinen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210721212029.142388-4-jouni@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 2 +- + drivers/net/wireless/ath/ath11k/reg.c | 11 ++++++----- + drivers/net/wireless/ath/ath11k/reg.h | 2 +- + drivers/net/wireless/ath/ath11k/wmi.c | 16 ++++++---------- + 4 files changed, 14 insertions(+), 17 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c +index e9b3689331ec2..89a64ebd620f3 100644 +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -6590,7 +6590,7 @@ static int __ath11k_mac_register(struct ath11k *ar) + ar->hw->wiphy->interface_modes &= ~BIT(NL80211_IFTYPE_MONITOR); + + /* Apply the regd received during initialization */ +- ret = ath11k_regd_update(ar, true); ++ ret = ath11k_regd_update(ar); + if (ret) { + ath11k_err(ar->ab, "ath11k regd update failed: %d\n", ret); + goto err_unregister_hw; +diff --git a/drivers/net/wireless/ath/ath11k/reg.c b/drivers/net/wireless/ath/ath11k/reg.c +index e1a1df169034b..92c59009a8ac2 100644 +--- a/drivers/net/wireless/ath/ath11k/reg.c ++++ b/drivers/net/wireless/ath/ath11k/reg.c +@@ -198,7 +198,7 @@ static void ath11k_copy_regd(struct ieee80211_regdomain *regd_orig, + sizeof(struct ieee80211_reg_rule)); + } + +-int ath11k_regd_update(struct ath11k *ar, bool init) ++int ath11k_regd_update(struct ath11k *ar) + { + struct ieee80211_regdomain *regd, *regd_copy = NULL; + int ret, regd_len, pdev_id; +@@ -209,7 +209,10 @@ int ath11k_regd_update(struct ath11k *ar, bool init) + + spin_lock_bh(&ab->base_lock); + +- if (init) { ++ /* Prefer the latest regd update over default if it's available */ ++ if (ab->new_regd[pdev_id]) { ++ regd = ab->new_regd[pdev_id]; ++ } else { + /* Apply the regd received during init through + * WMI_REG_CHAN_LIST_CC event. In case of failure to + * receive the regd, initialize with a default world +@@ -222,8 +225,6 @@ int ath11k_regd_update(struct ath11k *ar, bool init) + "failed to receive default regd during init\n"); + regd = (struct ieee80211_regdomain *)&ath11k_world_regd; + } +- } else { +- regd = ab->new_regd[pdev_id]; + } + + if (!regd) { +@@ -683,7 +684,7 @@ void ath11k_regd_update_work(struct work_struct *work) + regd_update_work); + int ret; + +- ret = ath11k_regd_update(ar, false); ++ ret = ath11k_regd_update(ar); + if (ret) { + /* Firmware has already moved to the new regd. We need + * to maintain channel consistency across FW, Host driver +diff --git a/drivers/net/wireless/ath/ath11k/reg.h b/drivers/net/wireless/ath/ath11k/reg.h +index 65d56d44796f6..5fb9dc03a74e8 100644 +--- a/drivers/net/wireless/ath/ath11k/reg.h ++++ b/drivers/net/wireless/ath/ath11k/reg.h +@@ -31,6 +31,6 @@ void ath11k_regd_update_work(struct work_struct *work); + struct ieee80211_regdomain * + ath11k_reg_build_regd(struct ath11k_base *ab, + struct cur_regulatory_info *reg_info, bool intersect); +-int ath11k_regd_update(struct ath11k *ar, bool init); ++int ath11k_regd_update(struct ath11k *ar); + int ath11k_reg_update_chan_list(struct ath11k *ar); + #endif +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index 72da1283f2ccb..a53eef8e2631c 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -5841,10 +5841,10 @@ static int ath11k_reg_chan_list_event(struct ath11k_base *ab, struct sk_buff *sk + } + + spin_lock(&ab->base_lock); +- if (test_bit(ATH11K_FLAG_REGISTERED, &ab->dev_flags)) { +- /* Once mac is registered, ar is valid and all CC events from +- * fw is considered to be received due to user requests +- * currently. ++ if (ab->default_regd[pdev_idx]) { ++ /* The initial rules from FW after WMI Init is to build ++ * the default regd. From then on, any rules updated for ++ * the pdev could be due to user reg changes. + * Free previously built regd before assigning the newly + * generated regd to ar. NULL pointer handling will be + * taken care by kfree itself. +@@ -5854,13 +5854,9 @@ static int ath11k_reg_chan_list_event(struct ath11k_base *ab, struct sk_buff *sk + ab->new_regd[pdev_idx] = regd; + ieee80211_queue_work(ar->hw, &ar->regd_update_work); + } else { +- /* Multiple events for the same *ar is not expected. But we +- * can still clear any previously stored default_regd if we +- * are receiving this event for the same radio by mistake. +- * NULL pointer handling will be taken care by kfree itself. ++ /* This regd would be applied during mac registration and is ++ * held constant throughout for regd intersection purpose + */ +- kfree(ab->default_regd[pdev_idx]); +- /* This regd would be applied during mac registration */ + ab->default_regd[pdev_idx] = regd; + } + ab->dfs_region = reg_info->dfs_region; +-- +2.33.0 + diff --git a/queue-5.15/ath11k-avoid-reg-rules-update-during-firmware-recove.patch b/queue-5.15/ath11k-avoid-reg-rules-update-during-firmware-recove.patch new file mode 100644 index 00000000000..45c51051ba6 --- /dev/null +++ b/queue-5.15/ath11k-avoid-reg-rules-update-during-firmware-recove.patch @@ -0,0 +1,79 @@ +From 20ae38531f1918e3d132e2785ad7eb963ab1260d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 12:05:40 +0300 +Subject: ath11k: Avoid reg rules update during firmware recovery + +From: Sriram R + +[ Upstream commit 69a0fcf8a9f2273040d03e5ee77c9689c09e9d3a ] + +During firmware recovery, the default reg rules which are +received via WMI_REG_CHAN_LIST_CC_EVENT can overwrite +the currently configured user regd. + +See below snap for example, + +root@OpenWrt:/# iw reg get | grep country +country FR: DFS-ETSI +country FR: DFS-ETSI +country FR: DFS-ETSI +country FR: DFS-ETSI + +root@OpenWrt:/# echo assert > /sys/kernel/debug/ath11k/ipq8074\ hw2.0/simulate_f +w_crash + +[ 5290.471696] ath11k c000000.wifi1: pdev 1 successfully recovered + +root@OpenWrt:/# iw reg get | grep country +country FR: DFS-ETSI +country US: DFS-FCC +country US: DFS-FCC +country US: DFS-FCC + +In the above, the user configured country 'FR' is overwritten +when the rules of default country 'US' are received and updated during +recovery. Hence avoid processing of these rules in general +during firmware recovery as they have been already applied during +driver registration or after last set user country is configured. + +This scenario applies for both AP and STA devices basically because +cfg80211 is not aware of the recovery and only the driver recovers, but +changing or resetting of the reg domain during recovery is not needed so +as to continue with the configured regdomain currently in use. + +Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01460-QCAHKSWPL_SILICONZ-1 + +Signed-off-by: Sriram R +Signed-off-by: Jouni Malinen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210721212029.142388-3-jouni@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/wmi.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index 27c060dd3fb47..fa27115483c6c 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -5793,6 +5793,17 @@ static int ath11k_reg_chan_list_event(struct ath11k_base *ab, struct sk_buff *sk + + pdev_idx = reg_info->phy_id; + ++ /* Avoid default reg rule updates sent during FW recovery if ++ * it is already available ++ */ ++ spin_lock(&ab->base_lock); ++ if (test_bit(ATH11K_FLAG_RECOVERY, &ab->dev_flags) && ++ ab->default_regd[pdev_idx]) { ++ spin_unlock(&ab->base_lock); ++ goto mem_free; ++ } ++ spin_unlock(&ab->base_lock); ++ + if (pdev_idx >= ab->num_radios) { + /* Process the event for phy0 only if single_pdev_only + * is true. If pdev_idx is valid but not 0, discard the +-- +2.33.0 + diff --git a/queue-5.15/ath11k-change-dma_from_device-to-dma_to_device-when-.patch b/queue-5.15/ath11k-change-dma_from_device-to-dma_to_device-when-.patch new file mode 100644 index 00000000000..e12e8f6f2fa --- /dev/null +++ b/queue-5.15/ath11k-change-dma_from_device-to-dma_to_device-when-.patch @@ -0,0 +1,54 @@ +From 903c9431ff2515683e5fd2d8277c0b21b4df2723 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 14:00:46 +0300 +Subject: ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected + packets + +From: Baochen Qiang + +[ Upstream commit 86a03dad0f5ad8182ed5fcf7bf3eec71cd96577c ] + +For fragmented packets, ath11k reassembles each fragment as a normal +packet and then reinjects it into HW ring. In this case, the DMA +direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE, otherwise +invalid payload will be reinjected to HW and then delivered to host. +What is more, since arbitrary memory could be allocated to the frame, we +don't know what kind of data is contained in the buffer reinjected. +Thus, as a bad result, private info may be leaked. + +Note that this issue is only found on Intel platform. + +Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 +Signed-off-by: Baochen Qiang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210916064617.20006-1-bqiang@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c +index 9a224817630ae..af0a600ea067c 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -3310,7 +3310,7 @@ static int ath11k_dp_rx_h_defrag_reo_reinject(struct ath11k *ar, struct dp_rx_ti + + paddr = dma_map_single(ab->dev, defrag_skb->data, + defrag_skb->len + skb_tailroom(defrag_skb), +- DMA_FROM_DEVICE); ++ DMA_TO_DEVICE); + if (dma_mapping_error(ab->dev, paddr)) + return -ENOMEM; + +@@ -3375,7 +3375,7 @@ err_free_idr: + spin_unlock_bh(&rx_refill_ring->idr_lock); + err_unmap_dma: + dma_unmap_single(ab->dev, paddr, defrag_skb->len + skb_tailroom(defrag_skb), +- DMA_FROM_DEVICE); ++ DMA_TO_DEVICE); + return ret; + } + +-- +2.33.0 + diff --git a/queue-5.15/ath11k-fix-memory-leak-in-ath11k_qmi_driver_event_wo.patch b/queue-5.15/ath11k-fix-memory-leak-in-ath11k_qmi_driver_event_wo.patch new file mode 100644 index 00000000000..ac39fec9381 --- /dev/null +++ b/queue-5.15/ath11k-fix-memory-leak-in-ath11k_qmi_driver_event_wo.patch @@ -0,0 +1,44 @@ +From 54f182ea5d7ea965dd8808ac732672c66d397c89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 14:00:44 +0300 +Subject: ath11k: Fix memory leak in ath11k_qmi_driver_event_work + +From: Baochen Qiang + +[ Upstream commit 72de799aa9e3e064b35238ef053d2f0a49db055a ] + +The buffer pointed to by event is not freed in case +ATH11K_FLAG_UNREGISTERING bit is set, resulting in +memory leak, so fix it. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Baochen Qiang +Signed-off-by: Jouni Malinen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210913180246.193388-4-jouni@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/qmi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c +index b5e34d670715e..4c5071b7d11dc 100644 +--- a/drivers/net/wireless/ath/ath11k/qmi.c ++++ b/drivers/net/wireless/ath/ath11k/qmi.c +@@ -2707,8 +2707,10 @@ static void ath11k_qmi_driver_event_work(struct work_struct *work) + list_del(&event->list); + spin_unlock(&qmi->event_lock); + +- if (test_bit(ATH11K_FLAG_UNREGISTERING, &ab->dev_flags)) ++ if (test_bit(ATH11K_FLAG_UNREGISTERING, &ab->dev_flags)) { ++ kfree(event); + return; ++ } + + switch (event->type) { + case ATH11K_QMI_EVENT_SERVER_ARRIVE: +-- +2.33.0 + diff --git a/queue-5.15/ath11k-fix-packet-drops-due-to-incorrect-6-ghz-freq-.patch b/queue-5.15/ath11k-fix-packet-drops-due-to-incorrect-6-ghz-freq-.patch new file mode 100644 index 00000000000..600166397b1 --- /dev/null +++ b/queue-5.15/ath11k-fix-packet-drops-due-to-incorrect-6-ghz-freq-.patch @@ -0,0 +1,85 @@ +From 62187b9ed1cb5ce1991fddeb044a08f2af2bfb35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 14:00:43 +0300 +Subject: ath11k: fix packet drops due to incorrect 6 GHz freq value in rx + status + +From: Pradeep Kumar Chitrapu + +[ Upstream commit 9d6ae1f5cf733c0e8d7f904c501fd015c4b9f0f4 ] + +Frequency in rx status is being filled incorrectly in the 6 GHz band as +channel number received is invalid in this case which is causing packet +drops. So fix that. + +Fixes: 5dcf42f8b79d ("ath11k: Use freq instead of channel number in rx path") +Signed-off-by: Pradeep Kumar Chitrapu +Signed-off-by: Jouni Malinen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210722102054.43419-2-jouni@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/dp_rx.c | 9 ++++++--- + drivers/net/wireless/ath/ath11k/wmi.c | 10 +++++++--- + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c +index af0a600ea067c..0ae6bebff801d 100644 +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -2337,8 +2337,10 @@ static void ath11k_dp_rx_h_ppdu(struct ath11k *ar, struct hal_rx_desc *rx_desc, + channel_num = meta_data; + center_freq = meta_data >> 16; + +- if (center_freq >= 5935 && center_freq <= 7105) { ++ if (center_freq >= ATH11K_MIN_6G_FREQ && ++ center_freq <= ATH11K_MAX_6G_FREQ) { + rx_status->band = NL80211_BAND_6GHZ; ++ rx_status->freq = center_freq; + } else if (channel_num >= 1 && channel_num <= 14) { + rx_status->band = NL80211_BAND_2GHZ; + } else if (channel_num >= 36 && channel_num <= 173) { +@@ -2356,8 +2358,9 @@ static void ath11k_dp_rx_h_ppdu(struct ath11k *ar, struct hal_rx_desc *rx_desc, + rx_desc, sizeof(struct hal_rx_desc)); + } + +- rx_status->freq = ieee80211_channel_to_frequency(channel_num, +- rx_status->band); ++ if (rx_status->band != NL80211_BAND_6GHZ) ++ rx_status->freq = ieee80211_channel_to_frequency(channel_num, ++ rx_status->band); + + ath11k_dp_rx_h_rate(ar, rx_desc, rx_status); + } +diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c +index a53eef8e2631c..99c0b81e496bf 100644 +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -6127,8 +6127,10 @@ static void ath11k_mgmt_rx_event(struct ath11k_base *ab, struct sk_buff *skb) + if (rx_ev.status & WMI_RX_STATUS_ERR_MIC) + status->flag |= RX_FLAG_MMIC_ERROR; + +- if (rx_ev.chan_freq >= ATH11K_MIN_6G_FREQ) { ++ if (rx_ev.chan_freq >= ATH11K_MIN_6G_FREQ && ++ rx_ev.chan_freq <= ATH11K_MAX_6G_FREQ) { + status->band = NL80211_BAND_6GHZ; ++ status->freq = rx_ev.chan_freq; + } else if (rx_ev.channel >= 1 && rx_ev.channel <= 14) { + status->band = NL80211_BAND_2GHZ; + } else if (rx_ev.channel >= 36 && rx_ev.channel <= ATH11K_MAX_5G_CHAN) { +@@ -6149,8 +6151,10 @@ static void ath11k_mgmt_rx_event(struct ath11k_base *ab, struct sk_buff *skb) + + sband = &ar->mac.sbands[status->band]; + +- status->freq = ieee80211_channel_to_frequency(rx_ev.channel, +- status->band); ++ if (status->band != NL80211_BAND_6GHZ) ++ status->freq = ieee80211_channel_to_frequency(rx_ev.channel, ++ status->band); ++ + status->signal = rx_ev.snr + ATH11K_DEFAULT_NOISE_FLOOR; + status->rate_idx = ath11k_mac_bitrate_to_idx(sband, rx_ev.rate / 100); + +-- +2.33.0 + diff --git a/queue-5.15/ath11k-fix-some-sleeping-in-atomic-bugs.patch b/queue-5.15/ath11k-fix-some-sleeping-in-atomic-bugs.patch new file mode 100644 index 00000000000..f1f43ad387a --- /dev/null +++ b/queue-5.15/ath11k-fix-some-sleeping-in-atomic-bugs.patch @@ -0,0 +1,93 @@ +From 3960f9565d131b627cbdded50a6c249146b5cbfd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 12:05:43 +0300 +Subject: ath11k: fix some sleeping in atomic bugs + +From: Dan Carpenter + +[ Upstream commit aadf7c81a0771b8f1c97dabca6a48bae1b387779 ] + +The ath11k_dbring_bufs_replenish() and ath11k_dbring_fill_bufs() +take a "gfp" parameter but they since they take spinlocks, the +allocations they do have to be atomic. This causes a bug because +ath11k_dbring_buf_setup passes GFP_KERNEL for the gfp flags. + +The fix is to use GFP_ATOMIC and remove the unused parameters. + +Fixes: bd6478559e27 ("ath11k: Add direct buffer ring support") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210812070434.GE31863@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/dbring.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath11k/dbring.c b/drivers/net/wireless/ath/ath11k/dbring.c +index 5e1f5437b4185..fd98ba5b1130b 100644 +--- a/drivers/net/wireless/ath/ath11k/dbring.c ++++ b/drivers/net/wireless/ath/ath11k/dbring.c +@@ -8,8 +8,7 @@ + + static int ath11k_dbring_bufs_replenish(struct ath11k *ar, + struct ath11k_dbring *ring, +- struct ath11k_dbring_element *buff, +- gfp_t gfp) ++ struct ath11k_dbring_element *buff) + { + struct ath11k_base *ab = ar->ab; + struct hal_srng *srng; +@@ -35,7 +34,7 @@ static int ath11k_dbring_bufs_replenish(struct ath11k *ar, + goto err; + + spin_lock_bh(&ring->idr_lock); +- buf_id = idr_alloc(&ring->bufs_idr, buff, 0, ring->bufs_max, gfp); ++ buf_id = idr_alloc(&ring->bufs_idr, buff, 0, ring->bufs_max, GFP_ATOMIC); + spin_unlock_bh(&ring->idr_lock); + if (buf_id < 0) { + ret = -ENOBUFS; +@@ -72,8 +71,7 @@ err: + } + + static int ath11k_dbring_fill_bufs(struct ath11k *ar, +- struct ath11k_dbring *ring, +- gfp_t gfp) ++ struct ath11k_dbring *ring) + { + struct ath11k_dbring_element *buff; + struct hal_srng *srng; +@@ -92,11 +90,11 @@ static int ath11k_dbring_fill_bufs(struct ath11k *ar, + size = sizeof(*buff) + ring->buf_sz + align - 1; + + while (num_remain > 0) { +- buff = kzalloc(size, gfp); ++ buff = kzalloc(size, GFP_ATOMIC); + if (!buff) + break; + +- ret = ath11k_dbring_bufs_replenish(ar, ring, buff, gfp); ++ ret = ath11k_dbring_bufs_replenish(ar, ring, buff); + if (ret) { + ath11k_warn(ar->ab, "failed to replenish db ring num_remain %d req_ent %d\n", + num_remain, req_entries); +@@ -176,7 +174,7 @@ int ath11k_dbring_buf_setup(struct ath11k *ar, + ring->hp_addr = ath11k_hal_srng_get_hp_addr(ar->ab, srng); + ring->tp_addr = ath11k_hal_srng_get_tp_addr(ar->ab, srng); + +- ret = ath11k_dbring_fill_bufs(ar, ring, GFP_KERNEL); ++ ret = ath11k_dbring_fill_bufs(ar, ring); + + return ret; + } +@@ -322,7 +320,7 @@ int ath11k_dbring_buffer_release_event(struct ath11k_base *ab, + } + + memset(buff, 0, size); +- ath11k_dbring_bufs_replenish(ar, ring, buff, GFP_ATOMIC); ++ ath11k_dbring_bufs_replenish(ar, ring, buff); + } + + spin_unlock_bh(&srng->lock); +-- +2.33.0 + diff --git a/queue-5.15/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch b/queue-5.15/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch new file mode 100644 index 00000000000..b6f494798cf --- /dev/null +++ b/queue-5.15/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch @@ -0,0 +1,99 @@ +From 8772eb75b2f7eed16f2a62cf69236a0436b57fe9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 16:55:53 +0300 +Subject: ath9k: Fix potential interrupt storm on queue reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Lüssing + +[ Upstream commit 4925642d541278575ad1948c5924d71ffd57ef14 ] + +In tests with two Lima boards from 8devices (QCA4531 based) on OpenWrt +19.07 we could force a silent restart of a device with no serial +output when we were sending a high amount of UDP traffic (iperf3 at 80 +MBit/s in both directions from external hosts, saturating the wifi and +causing a load of about 4.5 to 6) and were then triggering an +ath9k_queue_reset(). + +Further debugging showed that the restart was caused by the ath79 +watchdog. With disabled watchdog we could observe that the device was +constantly going into ath_isr() interrupt handler and was returning +early after the ATH_OP_HW_RESET flag test, without clearing any +interrupts. Even though ath9k_queue_reset() calls +ath9k_hw_kill_interrupts(). + +With JTAG we could observe the following race condition: + +1) ath9k_queue_reset() + ... + -> ath9k_hw_kill_interrupts() + -> set_bit(ATH_OP_HW_RESET, &common->op_flags); + ... + <- returns + + 2) ath9k_tasklet() + ... + -> ath9k_hw_resume_interrupts() + ... + <- returns + + 3) loops around: + ... + handle_int() + -> ath_isr() + ... + -> if (test_bit(ATH_OP_HW_RESET, + &common->op_flags)) + return IRQ_HANDLED; + + x) ath_reset_internal(): + => never reached <= + +And in ath_isr() we would typically see the following interrupts / +interrupt causes: + +* status: 0x00111030 or 0x00110030 +* async_cause: 2 (AR_INTR_MAC_IPQ) +* sync_cause: 0 + +So the ath9k_tasklet() reenables the ath9k interrupts +through ath9k_hw_resume_interrupts() which ath9k_queue_reset() had just +disabled. And ath_isr() then keeps firing because it returns IRQ_HANDLED +without actually clearing the interrupt. + +To fix this IRQ storm also clear/disable the interrupts again when we +are in reset state. + +Cc: Sven Eckelmann +Cc: Simon Wunderlich +Cc: Linus Lüssing +Fixes: 872b5d814f99 ("ath9k: do not access hardware on IRQs during reset") +Signed-off-by: Linus Lüssing +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210914192515.9273-3-linus.luessing@c0d3.blue +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c +index 139831539da37..98090e40e1cf4 100644 +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -533,8 +533,10 @@ irqreturn_t ath_isr(int irq, void *dev) + ath9k_debug_sync_cause(sc, sync_cause); + status &= ah->imask; /* discard unasked-for bits */ + +- if (test_bit(ATH_OP_HW_RESET, &common->op_flags)) ++ if (test_bit(ATH_OP_HW_RESET, &common->op_flags)) { ++ ath9k_hw_kill_interrupts(sc->sc_ah); + return IRQ_HANDLED; ++ } + + /* + * If there are no status bits set, then this interrupt was not +-- +2.33.0 + diff --git a/queue-5.15/auxdisplay-ht16k33-connect-backlight-to-fbdev.patch b/queue-5.15/auxdisplay-ht16k33-connect-backlight-to-fbdev.patch new file mode 100644 index 00000000000..c0794c5ae38 --- /dev/null +++ b/queue-5.15/auxdisplay-ht16k33-connect-backlight-to-fbdev.patch @@ -0,0 +1,107 @@ +From e30e57680ffe66b4a1b39209cb7f9194e42d3fe6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 16:45:08 +0200 +Subject: auxdisplay: ht16k33: Connect backlight to fbdev + +From: Geert Uytterhoeven + +[ Upstream commit 80f9eb70fd9276938f0a131f76d438021bfd8b34 ] + +Currently /sys/class/graphics/fb0/bl_curve is not accessible (-ENODEV), +as the driver does not connect the backlight to the frame buffer device. +Fix this moving backlight initialization up, and filling in +fb_info.bl_dev. + +Fixes: 8992da44c6805d53 ("auxdisplay: ht16k33: Driver for LED controller") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Robin van der Gracht +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/ht16k33.c | 56 ++++++++++++++++++------------------ + 1 file changed, 28 insertions(+), 28 deletions(-) + +diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c +index 1e69cc6d21a0d..2b630e194570f 100644 +--- a/drivers/auxdisplay/ht16k33.c ++++ b/drivers/auxdisplay/ht16k33.c +@@ -413,6 +413,33 @@ static int ht16k33_probe(struct i2c_client *client, + if (err) + return err; + ++ /* Backlight */ ++ memset(&bl_props, 0, sizeof(struct backlight_properties)); ++ bl_props.type = BACKLIGHT_RAW; ++ bl_props.max_brightness = MAX_BRIGHTNESS; ++ ++ bl = devm_backlight_device_register(&client->dev, DRIVER_NAME"-bl", ++ &client->dev, priv, ++ &ht16k33_bl_ops, &bl_props); ++ if (IS_ERR(bl)) { ++ dev_err(&client->dev, "failed to register backlight\n"); ++ return PTR_ERR(bl); ++ } ++ ++ err = of_property_read_u32(node, "default-brightness-level", ++ &dft_brightness); ++ if (err) { ++ dft_brightness = MAX_BRIGHTNESS; ++ } else if (dft_brightness > MAX_BRIGHTNESS) { ++ dev_warn(&client->dev, ++ "invalid default brightness level: %u, using %u\n", ++ dft_brightness, MAX_BRIGHTNESS); ++ dft_brightness = MAX_BRIGHTNESS; ++ } ++ ++ bl->props.brightness = dft_brightness; ++ ht16k33_bl_update_status(bl); ++ + /* Framebuffer (2 bytes per column) */ + BUILD_BUG_ON(PAGE_SIZE < HT16K33_FB_SIZE); + fbdev->buffer = (unsigned char *) get_zeroed_page(GFP_KERNEL); +@@ -445,6 +472,7 @@ static int ht16k33_probe(struct i2c_client *client, + fbdev->info->screen_size = HT16K33_FB_SIZE; + fbdev->info->fix = ht16k33_fb_fix; + fbdev->info->var = ht16k33_fb_var; ++ fbdev->info->bl_dev = bl; + fbdev->info->pseudo_palette = NULL; + fbdev->info->flags = FBINFO_FLAG_DEFAULT; + fbdev->info->par = priv; +@@ -460,34 +488,6 @@ static int ht16k33_probe(struct i2c_client *client, + goto err_fbdev_unregister; + } + +- /* Backlight */ +- memset(&bl_props, 0, sizeof(struct backlight_properties)); +- bl_props.type = BACKLIGHT_RAW; +- bl_props.max_brightness = MAX_BRIGHTNESS; +- +- bl = devm_backlight_device_register(&client->dev, DRIVER_NAME"-bl", +- &client->dev, priv, +- &ht16k33_bl_ops, &bl_props); +- if (IS_ERR(bl)) { +- dev_err(&client->dev, "failed to register backlight\n"); +- err = PTR_ERR(bl); +- goto err_fbdev_unregister; +- } +- +- err = of_property_read_u32(node, "default-brightness-level", +- &dft_brightness); +- if (err) { +- dft_brightness = MAX_BRIGHTNESS; +- } else if (dft_brightness > MAX_BRIGHTNESS) { +- dev_warn(&client->dev, +- "invalid default brightness level: %u, using %u\n", +- dft_brightness, MAX_BRIGHTNESS); +- dft_brightness = MAX_BRIGHTNESS; +- } +- +- bl->props.brightness = dft_brightness; +- ht16k33_bl_update_status(bl); +- + ht16k33_fb_queue(priv); + return 0; + +-- +2.33.0 + diff --git a/queue-5.15/auxdisplay-ht16k33-fix-frame-buffer-device-blanking.patch b/queue-5.15/auxdisplay-ht16k33-fix-frame-buffer-device-blanking.patch new file mode 100644 index 00000000000..442c2b4cdce --- /dev/null +++ b/queue-5.15/auxdisplay-ht16k33-fix-frame-buffer-device-blanking.patch @@ -0,0 +1,59 @@ +From 549cf1304c389469e9bebe770d35865077f693ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 16:45:09 +0200 +Subject: auxdisplay: ht16k33: Fix frame buffer device blanking + +From: Geert Uytterhoeven + +[ Upstream commit 840fe258332544aa7321921e1723d37b772af7a9 ] + +As the ht16k33 frame buffer sub-driver does not register an +fb_ops.fb_blank() handler, blanking does not work: + + $ echo 1 > /sys/class/graphics/fb0/blank + sh: write error: Invalid argument + +Fix this by providing a handler that always returns zero, to make sure +blank events will be sent to the actual device handling the backlight. + +Reported-by: Robin van der Gracht +Suggested-by: Robin van der Gracht +Fixes: 8992da44c6805d53 ("auxdisplay: ht16k33: Driver for LED controller") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/ht16k33.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/auxdisplay/ht16k33.c b/drivers/auxdisplay/ht16k33.c +index 2b630e194570f..ed58083499907 100644 +--- a/drivers/auxdisplay/ht16k33.c ++++ b/drivers/auxdisplay/ht16k33.c +@@ -219,6 +219,15 @@ static const struct backlight_ops ht16k33_bl_ops = { + .check_fb = ht16k33_bl_check_fb, + }; + ++/* ++ * Blank events will be passed to the actual device handling the backlight when ++ * we return zero here. ++ */ ++static int ht16k33_blank(int blank, struct fb_info *info) ++{ ++ return 0; ++} ++ + static int ht16k33_mmap(struct fb_info *info, struct vm_area_struct *vma) + { + struct ht16k33_priv *priv = info->par; +@@ -231,6 +240,7 @@ static const struct fb_ops ht16k33_fb_ops = { + .owner = THIS_MODULE, + .fb_read = fb_sys_read, + .fb_write = fb_sys_write, ++ .fb_blank = ht16k33_blank, + .fb_fillrect = sys_fillrect, + .fb_copyarea = sys_copyarea, + .fb_imageblit = sys_imageblit, +-- +2.33.0 + diff --git a/queue-5.15/auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch b/queue-5.15/auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch new file mode 100644 index 00000000000..7ce2c04ca6b --- /dev/null +++ b/queue-5.15/auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch @@ -0,0 +1,53 @@ +From 5a3c78222c8e94491c5b8e5b4e5c2bc10f25980c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 16:45:02 +0200 +Subject: auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string + +From: Geert Uytterhoeven + +[ Upstream commit afcb5a811ff3ab3969f09666535eb6018a160358 ] + +While writing an empty string to a device attribute is a no-op, and thus +does not need explicit safeguards, the user can still write a single +newline to an attribute file: + + echo > .../message + +If that happens, img_ascii_lcd_display() trims the newline, yielding an +empty string, and causing an infinite loop in img_ascii_lcd_scroll(). + +Fix this by adding a check for empty strings. Clear the display in case +one is encountered. + +Fixes: 0cad855fbd083ee5 ("auxdisplay: img-ascii-lcd: driver for simple ASCII LCD displays") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Miguel Ojeda +Signed-off-by: Sasha Levin +--- + drivers/auxdisplay/img-ascii-lcd.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/auxdisplay/img-ascii-lcd.c b/drivers/auxdisplay/img-ascii-lcd.c +index 1cce409ce5cac..e33ce0151cdfd 100644 +--- a/drivers/auxdisplay/img-ascii-lcd.c ++++ b/drivers/auxdisplay/img-ascii-lcd.c +@@ -280,6 +280,16 @@ static int img_ascii_lcd_display(struct img_ascii_lcd_ctx *ctx, + if (msg[count - 1] == '\n') + count--; + ++ if (!count) { ++ /* clear the LCD */ ++ devm_kfree(&ctx->pdev->dev, ctx->message); ++ ctx->message = NULL; ++ ctx->message_len = 0; ++ memset(ctx->curr, ' ', ctx->cfg->num_chars); ++ ctx->cfg->update(ctx); ++ return 0; ++ } ++ + new_msg = devm_kmalloc(&ctx->pdev->dev, count + 1, GFP_KERNEL); + if (!new_msg) + return -ENOMEM; +-- +2.33.0 + diff --git a/queue-5.15/b43-fix-a-lower-bounds-test.patch b/queue-5.15/b43-fix-a-lower-bounds-test.patch new file mode 100644 index 00000000000..7b8a94cf0c4 --- /dev/null +++ b/queue-5.15/b43-fix-a-lower-bounds-test.patch @@ -0,0 +1,47 @@ +From 71a8926e2b06379c8bc5973fa51620593e383dc3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 10:36:22 +0300 +Subject: b43: fix a lower bounds test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +[ Upstream commit 9b793db5fca44d01f72d3564a168171acf7c4076 ] + +The problem is that "channel" is an unsigned int, when it's less 5 the +value of "channel - 5" is not a negative number as one would expect but +is very high positive value instead. + +This means that "start" becomes a very high positive value. The result +of that is that we never enter the "for (i = start; i <= end; i++) {" +loop. Instead of storing the result from b43legacy_radio_aci_detect() +it just uses zero. + +Fixes: ef1a628d83fc ("b43: Implement dynamic PHY API") +Signed-off-by: Dan Carpenter +Acked-by: Michael Büsch +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211006073621.GE8404@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43/phy_g.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/b43/phy_g.c b/drivers/net/wireless/broadcom/b43/phy_g.c +index d5a1a5c582366..ac72ca39e409b 100644 +--- a/drivers/net/wireless/broadcom/b43/phy_g.c ++++ b/drivers/net/wireless/broadcom/b43/phy_g.c +@@ -2297,7 +2297,7 @@ static u8 b43_gphy_aci_scan(struct b43_wldev *dev) + b43_phy_mask(dev, B43_PHY_G_CRS, 0x7FFF); + b43_set_all_gains(dev, 3, 8, 1); + +- start = (channel - 5 > 0) ? channel - 5 : 1; ++ start = (channel > 5) ? channel - 5 : 1; + end = (channel + 5 < 14) ? channel + 5 : 13; + + for (i = start; i <= end; i++) { +-- +2.33.0 + diff --git a/queue-5.15/b43legacy-fix-a-lower-bounds-test.patch b/queue-5.15/b43legacy-fix-a-lower-bounds-test.patch new file mode 100644 index 00000000000..d63cd408c0d --- /dev/null +++ b/queue-5.15/b43legacy-fix-a-lower-bounds-test.patch @@ -0,0 +1,47 @@ +From 5631e663a800db6f90cd4055512d1f6450f11e81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 10:35:42 +0300 +Subject: b43legacy: fix a lower bounds test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +[ Upstream commit c1c8380b0320ab757e60ed90efc8b1992a943256 ] + +The problem is that "channel" is an unsigned int, when it's less 5 the +value of "channel - 5" is not a negative number as one would expect but +is very high positive value instead. + +This means that "start" becomes a very high positive value. The result +of that is that we never enter the "for (i = start; i <= end; i++) {" +loop. Instead of storing the result from b43legacy_radio_aci_detect() +it just uses zero. + +Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices") +Signed-off-by: Dan Carpenter +Acked-by: Michael Büsch +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211006073542.GD8404@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/b43legacy/radio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/b43legacy/radio.c b/drivers/net/wireless/broadcom/b43legacy/radio.c +index 06891b4f837b9..fdf78c10a05c2 100644 +--- a/drivers/net/wireless/broadcom/b43legacy/radio.c ++++ b/drivers/net/wireless/broadcom/b43legacy/radio.c +@@ -283,7 +283,7 @@ u8 b43legacy_radio_aci_scan(struct b43legacy_wldev *dev) + & 0x7FFF); + b43legacy_set_all_gains(dev, 3, 8, 1); + +- start = (channel - 5 > 0) ? channel - 5 : 1; ++ start = (channel > 5) ? channel - 5 : 1; + end = (channel + 5 < 14) ? channel + 5 : 13; + + for (i = start; i <= end; i++) { +-- +2.33.0 + diff --git a/queue-5.15/blk-cgroup-synchronize-blkg-creation-against-policy-.patch b/queue-5.15/blk-cgroup-synchronize-blkg-creation-against-policy-.patch new file mode 100644 index 00000000000..7f428f703ab --- /dev/null +++ b/queue-5.15/blk-cgroup-synchronize-blkg-creation-against-policy-.patch @@ -0,0 +1,160 @@ +From 9c23220972569ec9d0f1fcd18f2666ea265af1bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 09:40:36 +0800 +Subject: blk-cgroup: synchronize blkg creation against policy deactivation + +From: Yu Kuai + +[ Upstream commit 0c9d338c8443b06da8e8d3bfce824c5ea6d3488f ] + +Our test reports a null pointer dereference: + +[ 168.534653] ================================================================== +[ 168.535614] Disabling lock debugging due to kernel taint +[ 168.536346] BUG: kernel NULL pointer dereference, address: 0000000000000008 +[ 168.537274] #PF: supervisor read access in kernel mode +[ 168.537964] #PF: error_code(0x0000) - not-present page +[ 168.538667] PGD 0 P4D 0 +[ 168.539025] Oops: 0000 [#1] PREEMPT SMP KASAN +[ 168.539656] CPU: 13 PID: 759 Comm: bash Tainted: G B 5.15.0-rc2-next-202100 +[ 168.540954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_0738364 +[ 168.542736] RIP: 0010:bfq_pd_init+0x88/0x1e0 +[ 168.543318] Code: 98 00 00 00 e8 c9 e4 5b ff 4c 8b 65 00 49 8d 7c 24 08 e8 bb e4 5b ff 4d0 +[ 168.545803] RSP: 0018:ffff88817095f9c0 EFLAGS: 00010002 +[ 168.546497] RAX: 0000000000000001 RBX: ffff888101a1c000 RCX: 0000000000000000 +[ 168.547438] RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff888106553428 +[ 168.548402] RBP: ffff888106553400 R08: ffffffff961bcaf4 R09: 0000000000000001 +[ 168.549365] R10: ffffffffa2e16c27 R11: fffffbfff45c2d84 R12: 0000000000000000 +[ 168.550291] R13: ffff888101a1c098 R14: ffff88810c7a08c8 R15: ffffffffa55541a0 +[ 168.551221] FS: 00007fac75227700(0000) GS:ffff88839ba80000(0000) knlGS:0000000000000000 +[ 168.552278] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 168.553040] CR2: 0000000000000008 CR3: 0000000165ce7000 CR4: 00000000000006e0 +[ 168.554000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 168.554929] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 168.555888] Call Trace: +[ 168.556221] +[ 168.556510] blkg_create+0x1c0/0x8c0 +[ 168.556989] blkg_conf_prep+0x574/0x650 +[ 168.557502] ? stack_trace_save+0x99/0xd0 +[ 168.558033] ? blkcg_conf_open_bdev+0x1b0/0x1b0 +[ 168.558629] tg_set_conf.constprop.0+0xb9/0x280 +[ 168.559231] ? kasan_set_track+0x29/0x40 +[ 168.559758] ? kasan_set_free_info+0x30/0x60 +[ 168.560344] ? tg_set_limit+0xae0/0xae0 +[ 168.560853] ? do_sys_openat2+0x33b/0x640 +[ 168.561383] ? do_sys_open+0xa2/0x100 +[ 168.561877] ? __x64_sys_open+0x4e/0x60 +[ 168.562383] ? __kasan_check_write+0x20/0x30 +[ 168.562951] ? copyin+0x48/0x70 +[ 168.563390] ? _copy_from_iter+0x234/0x9e0 +[ 168.563948] tg_set_conf_u64+0x17/0x20 +[ 168.564467] cgroup_file_write+0x1ad/0x380 +[ 168.565014] ? cgroup_file_poll+0x80/0x80 +[ 168.565568] ? __mutex_lock_slowpath+0x30/0x30 +[ 168.566165] ? pgd_free+0x100/0x160 +[ 168.566649] kernfs_fop_write_iter+0x21d/0x340 +[ 168.567246] ? cgroup_file_poll+0x80/0x80 +[ 168.567796] new_sync_write+0x29f/0x3c0 +[ 168.568314] ? new_sync_read+0x410/0x410 +[ 168.568840] ? __handle_mm_fault+0x1c97/0x2d80 +[ 168.569425] ? copy_page_range+0x2b10/0x2b10 +[ 168.570007] ? _raw_read_lock_bh+0xa0/0xa0 +[ 168.570622] vfs_write+0x46e/0x630 +[ 168.571091] ksys_write+0xcd/0x1e0 +[ 168.571563] ? __x64_sys_read+0x60/0x60 +[ 168.572081] ? __kasan_check_write+0x20/0x30 +[ 168.572659] ? do_user_addr_fault+0x446/0xff0 +[ 168.573264] __x64_sys_write+0x46/0x60 +[ 168.573774] do_syscall_64+0x35/0x80 +[ 168.574264] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 168.574960] RIP: 0033:0x7fac74915130 +[ 168.575456] Code: 73 01 c3 48 8b 0d 58 ed 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 444 +[ 168.577969] RSP: 002b:00007ffc3080e288 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[ 168.578986] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007fac74915130 +[ 168.579937] RDX: 0000000000000009 RSI: 000056007669f080 RDI: 0000000000000001 +[ 168.580884] RBP: 000056007669f080 R08: 000000000000000a R09: 00007fac75227700 +[ 168.581841] R10: 000056007655c8f0 R11: 0000000000000246 R12: 0000000000000009 +[ 168.582796] R13: 0000000000000001 R14: 00007fac74be55e0 R15: 00007fac74be08c0 +[ 168.583757] +[ 168.584063] Modules linked in: +[ 168.584494] CR2: 0000000000000008 +[ 168.584964] ---[ end trace 2475611ad0f77a1a ]--- + +This is because blkg_alloc() is called from blkg_conf_prep() without +holding 'q->queue_lock', and elevator is exited before blkg_create(): + +thread 1 thread 2 +blkg_conf_prep + spin_lock_irq(&q->queue_lock); + blkg_lookup_check -> return NULL + spin_unlock_irq(&q->queue_lock); + + blkg_alloc + blkcg_policy_enabled -> true + pd = ->pd_alloc_fn + blkg->pd[i] = pd + blk_mq_exit_sched + bfq_exit_queue + blkcg_deactivate_policy + spin_lock_irq(&q->queue_lock); + __clear_bit(pol->plid, q->blkcg_pols); + spin_unlock_irq(&q->queue_lock); + q->elevator = NULL; + spin_lock_irq(&q->queue_lock); + blkg_create + if (blkg->pd[i]) + ->pd_init_fn -> q->elevator is NULL + spin_unlock_irq(&q->queue_lock); + +Because blkcg_deactivate_policy() requires queue to be frozen, we can +grab q_usage_counter to synchoronize blkg_conf_prep() against +blkcg_deactivate_policy(). + +Fixes: e21b7a0b9887 ("block, bfq: add full hierarchical scheduling and cgroups support") +Signed-off-by: Yu Kuai +Acked-by: Tejun Heo +Link: https://lore.kernel.org/r/20211020014036.2141723-1-yukuai3@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-cgroup.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index 9a1c5839dd469..ebff1af402e5b 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -633,6 +633,14 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol, + + q = bdev->bd_disk->queue; + ++ /* ++ * blkcg_deactivate_policy() requires queue to be frozen, we can grab ++ * q_usage_counter to prevent concurrent with blkcg_deactivate_policy(). ++ */ ++ ret = blk_queue_enter(q, 0); ++ if (ret) ++ return ret; ++ + rcu_read_lock(); + spin_lock_irq(&q->queue_lock); + +@@ -702,6 +710,7 @@ int blkg_conf_prep(struct blkcg *blkcg, const struct blkcg_policy *pol, + goto success; + } + success: ++ blk_queue_exit(q); + ctx->bdev = bdev; + ctx->blkg = blkg; + ctx->body = input; +@@ -714,6 +723,7 @@ fail_unlock: + rcu_read_unlock(); + fail: + blkdev_put_no_open(bdev); ++ blk_queue_exit(q); + /* + * If queue was bypassing, we should retry. Do so after a + * short msleep(). It isn't strictly necessary but queue +-- +2.33.0 + diff --git a/queue-5.15/blk-wbt-prevent-null-pointer-dereference-in-wb_timer.patch b/queue-5.15/blk-wbt-prevent-null-pointer-dereference-in-wb_timer.patch new file mode 100644 index 00000000000..755abf8580c --- /dev/null +++ b/queue-5.15/blk-wbt-prevent-null-pointer-dereference-in-wb_timer.patch @@ -0,0 +1,79 @@ +From d5c16d438c7e2767b4f617245b41298e486ddc45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 11:20:26 +0200 +Subject: blk-wbt: prevent NULL pointer dereference in wb_timer_fn + +From: Andrea Righi + +[ Upstream commit 480d42dc001bbfe953825a92073012fcd5a99161 ] + +The timer callback used to evaluate if the latency is exceeded can be +executed after the corresponding disk has been released, causing the +following NULL pointer dereference: + +[ 119.987108] BUG: kernel NULL pointer dereference, address: 0000000000000098 +[ 119.987617] #PF: supervisor read access in kernel mode +[ 119.987971] #PF: error_code(0x0000) - not-present page +[ 119.988325] PGD 7c4a4067 P4D 7c4a4067 PUD 7bf63067 PMD 0 +[ 119.988697] Oops: 0000 [#1] SMP NOPTI +[ 119.988959] CPU: 1 PID: 9353 Comm: cloud-init Not tainted 5.15-rc5+arighi #rc5+arighi +[ 119.989520] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 +[ 119.990055] RIP: 0010:wb_timer_fn+0x44/0x3c0 +[ 119.990376] Code: 41 8b 9c 24 98 00 00 00 41 8b 94 24 b8 00 00 00 41 8b 84 24 d8 00 00 00 4d 8b 74 24 28 01 d3 01 c3 49 8b 44 24 60 48 8b 40 78 <4c> 8b b8 98 00 00 00 4d 85 f6 0f 84 c4 00 00 00 49 83 7c 24 30 00 +[ 119.991578] RSP: 0000:ffffb5f580957da8 EFLAGS: 00010246 +[ 119.991937] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004 +[ 119.992412] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88f476d7f780 +[ 119.992895] RBP: ffffb5f580957dd0 R08: 0000000000000000 R09: 0000000000000000 +[ 119.993371] R10: 0000000000000004 R11: 0000000000000002 R12: ffff88f476c84500 +[ 119.993847] R13: ffff88f4434390c0 R14: 0000000000000000 R15: ffff88f4bdc98c00 +[ 119.994323] FS: 00007fb90bcd9c00(0000) GS:ffff88f4bdc80000(0000) knlGS:0000000000000000 +[ 119.994952] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 119.995380] CR2: 0000000000000098 CR3: 000000007c0d6000 CR4: 00000000000006e0 +[ 119.995906] Call Trace: +[ 119.996130] ? blk_stat_free_callback_rcu+0x30/0x30 +[ 119.996505] blk_stat_timer_fn+0x138/0x140 +[ 119.996830] call_timer_fn+0x2b/0x100 +[ 119.997136] __run_timers.part.0+0x1d1/0x240 +[ 119.997470] ? kvm_clock_get_cycles+0x11/0x20 +[ 119.997826] ? ktime_get+0x3e/0xa0 +[ 119.998110] ? native_apic_msr_write+0x2c/0x30 +[ 119.998456] ? lapic_next_event+0x20/0x30 +[ 119.998779] ? clockevents_program_event+0x94/0xf0 +[ 119.999150] run_timer_softirq+0x2a/0x50 +[ 119.999465] __do_softirq+0xcb/0x26f +[ 119.999764] irq_exit_rcu+0x8c/0xb0 +[ 120.000057] sysvec_apic_timer_interrupt+0x43/0x90 +[ 120.000429] ? asm_sysvec_apic_timer_interrupt+0xa/0x20 +[ 120.000836] asm_sysvec_apic_timer_interrupt+0x12/0x20 + +In this case simply return from the timer callback (no action +required) to prevent the NULL pointer dereference. + +BugLink: https://bugs.launchpad.net/bugs/1947557 +Link: https://lore.kernel.org/linux-mm/YWRNVTk9N8K0RMst@arighi-desktop/ +Fixes: 34dbad5d26e2 ("blk-stat: convert to callback-based statistics reporting") +Signed-off-by: Andrea Righi +Link: https://lore.kernel.org/r/YW6N2qXpBU3oc50q@arighi-desktop +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-wbt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/block/blk-wbt.c b/block/blk-wbt.c +index 874c1c37bf0c6..0c119be0e8133 100644 +--- a/block/blk-wbt.c ++++ b/block/blk-wbt.c +@@ -357,6 +357,9 @@ static void wb_timer_fn(struct blk_stat_callback *cb) + unsigned int inflight = wbt_inflight(rwb); + int status; + ++ if (!rwb->rqos.q->disk) ++ return; ++ + status = latency_exceeded(rwb, cb->stat); + + trace_wbt_timer(rwb->rqos.q->disk->bdi, status, rqd->scale_step, +-- +2.33.0 + diff --git a/queue-5.15/block-ataflop-add-registration-bool-before-calling-d.patch b/queue-5.15/block-ataflop-add-registration-bool-before-calling-d.patch new file mode 100644 index 00000000000..e0751c066b9 --- /dev/null +++ b/queue-5.15/block-ataflop-add-registration-bool-before-calling-d.patch @@ -0,0 +1,68 @@ +From ed39fb875c810768a58a0c4b3238a071c9d7456c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 15:03:00 -0700 +Subject: block/ataflop: add registration bool before calling del_gendisk() + +From: Luis Chamberlain + +[ Upstream commit 573effb298011d3fcabc9b12025cf637f8a07911 ] + +The ataflop assumes del_gendisk() is safe to call, this is only +true because add_disk() does not return a failure, but that will +change soon. And so, before we get to adding error handling for +that case, let's make sure we keep track of which disks actually +get registered. Then we use this to only call del_gendisk for them. + +Signed-off-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20210927220302.1073499-13-mcgrof@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ataflop.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c +index 1a908455ff96f..55f6d6f6dbd34 100644 +--- a/drivers/block/ataflop.c ++++ b/drivers/block/ataflop.c +@@ -298,6 +298,7 @@ static struct atari_floppy_struct { + disk change detection) */ + int flags; /* flags */ + struct gendisk *disk[NUM_DISK_MINORS]; ++ bool registered[NUM_DISK_MINORS]; + int ref; + int type; + struct blk_mq_tag_set tag_set; +@@ -2021,8 +2022,10 @@ static void ataflop_probe(dev_t dev) + return; + mutex_lock(&ataflop_probe_lock); + if (!unit[drive].disk[type]) { +- if (ataflop_alloc_disk(drive, type) == 0) ++ if (ataflop_alloc_disk(drive, type) == 0) { + add_disk(unit[drive].disk[type]); ++ unit[drive].registered[type] = true; ++ } + } + mutex_unlock(&ataflop_probe_lock); + } +@@ -2086,6 +2089,7 @@ static int __init atari_floppy_init (void) + unit[i].track = -1; + unit[i].flags = 0; + add_disk(unit[i].disk[0]); ++ unit[i].registered[0] = true; + } + + printk(KERN_INFO "Atari floppy driver: max. %cD, %strack buffering\n", +@@ -2154,7 +2158,8 @@ static void __exit atari_floppy_exit(void) + for (type = 0; type < NUM_DISK_MINORS; type++) { + if (!unit[i].disk[type]) + continue; +- del_gendisk(unit[i].disk[type]); ++ if (unit[i].registered[type]) ++ del_gendisk(unit[i].disk[type]); + blk_cleanup_disk(unit[i].disk[type]); + } + blk_mq_free_tag_set(&unit[i].tag_set); +-- +2.33.0 + diff --git a/queue-5.15/block-ataflop-fix-breakage-introduced-at-blk-mq-refa.patch b/queue-5.15/block-ataflop-fix-breakage-introduced-at-blk-mq-refa.patch new file mode 100644 index 00000000000..2c91e8dd433 --- /dev/null +++ b/queue-5.15/block-ataflop-fix-breakage-introduced-at-blk-mq-refa.patch @@ -0,0 +1,118 @@ +From fefc89d829a13ef1e1c4048a607e2dd3d52eb46a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 19:13:21 +1300 +Subject: block: ataflop: fix breakage introduced at blk-mq refactoring + +From: Michael Schmitz + +[ Upstream commit 86d46fdaa12ae5befc16b8d73fc85a3ca0399ea6 ] + +Refactoring of the Atari floppy driver when converting to blk-mq +has broken the state machine in not-so-subtle ways: + +finish_fdc() must be called when operations on the floppy device +have completed. This is crucial in order to relase the ST-DMA +lock, which protects against concurrent access to the ST-DMA +controller by other drivers (some DMA related, most just related +to device register access - broken beyond compare, I know). + +When rewriting the driver's old do_request() function, the fact +that finish_fdc() was called only when all queued requests had +completed appears to have been overlooked. Instead, the new +request function calls finish_fdc() immediately after the last +request has been queued. finish_fdc() executes a dummy seek after +most requests, and this overwrites the state machine's interrupt +hander that was set up to wait for completion of the read/write +request just prior. To make matters worse, finish_fdc() is called +before device interrupts are re-enabled, making certain that the +read/write interupt is missed. + +Shifting the finish_fdc() call into the read/write request +completion handler ensures the driver waits for the request to +actually complete. With a queue depth of 2, we won't see long +request sequences, so calling finish_fdc() unconditionally just +adds a little overhead for the dummy seeks, and keeps the code +simple. + +While we're at it, kill ataflop_commit_rqs() which does nothing +but run finish_fdc() unconditionally, again likely wiping out an +in-flight request. + +Signed-off-by: Michael Schmitz +Fixes: 6ec3938cff95 ("ataflop: convert to blk-mq") +CC: linux-block@vger.kernel.org +CC: Tetsuo Handa +Link: https://lore.kernel.org/r/20211019061321.26425-1-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ataflop.c | 18 +++--------------- + 1 file changed, 3 insertions(+), 15 deletions(-) + +diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c +index a093644ac39fb..bbb64331cf8f4 100644 +--- a/drivers/block/ataflop.c ++++ b/drivers/block/ataflop.c +@@ -653,9 +653,6 @@ static inline void copy_buffer(void *from, void *to) + *p2++ = *p1++; + } + +- +- +- + /* General Interrupt Handling */ + + static void (*FloppyIRQHandler)( int status ) = NULL; +@@ -1228,6 +1225,7 @@ static void fd_rwsec_done1(int status) + } + else { + /* all sectors finished */ ++ finish_fdc(); + fd_end_request_cur(BLK_STS_OK); + } + return; +@@ -1475,15 +1473,6 @@ static void setup_req_params( int drive ) + ReqTrack, ReqSector, (unsigned long)ReqData )); + } + +-static void ataflop_commit_rqs(struct blk_mq_hw_ctx *hctx) +-{ +- spin_lock_irq(&ataflop_lock); +- atari_disable_irq(IRQ_MFP_FDC); +- finish_fdc(); +- atari_enable_irq(IRQ_MFP_FDC); +- spin_unlock_irq(&ataflop_lock); +-} +- + static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx, + const struct blk_mq_queue_data *bd) + { +@@ -1491,6 +1480,8 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx, + int drive = floppy - unit; + int type = floppy->type; + ++ DPRINT(("Queue request: drive %d type %d last %d\n", drive, type, bd->last)); ++ + spin_lock_irq(&ataflop_lock); + if (fd_request) { + spin_unlock_irq(&ataflop_lock); +@@ -1550,8 +1541,6 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx, + setup_req_params( drive ); + do_fd_action( drive ); + +- if (bd->last) +- finish_fdc(); + atari_enable_irq( IRQ_MFP_FDC ); + + out: +@@ -1962,7 +1951,6 @@ static const struct block_device_operations floppy_fops = { + + static const struct blk_mq_ops ataflop_mq_ops = { + .queue_rq = ataflop_queue_rq, +- .commit_rqs = ataflop_commit_rqs, + }; + + static int ataflop_alloc_disk(unsigned int drive, unsigned int type) +-- +2.33.0 + diff --git a/queue-5.15/block-ataflop-more-blk-mq-refactoring-fixes.patch b/queue-5.15/block-ataflop-more-blk-mq-refactoring-fixes.patch new file mode 100644 index 00000000000..b22236bba88 --- /dev/null +++ b/queue-5.15/block-ataflop-more-blk-mq-refactoring-fixes.patch @@ -0,0 +1,218 @@ +From 71f22acc8f58559111c2fc4857ae8700b51c357b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Oct 2021 13:20:13 +1300 +Subject: block: ataflop: more blk-mq refactoring fixes + +From: Michael Schmitz + +[ Upstream commit d28e4dff085c5a87025c9a0a85fb798bd8e9ca17 ] + +As it turns out, my earlier patch in commit 86d46fdaa12a (block: +ataflop: fix breakage introduced at blk-mq refactoring) was +incomplete. This patch fixes any remaining issues found during +more testing and code review. + +Requests exceeding 4 k are handled in 4k segments but +__blk_mq_end_request() is never called on these (still +sectors outstanding on the request). With redo_fd_request() +removed, there is no provision to kick off processing of the +next segment, causing requests exceeding 4k to hang. (By +setting /sys/block/fd0/queue/max_sectors_k <= 4 as workaround, +this behaviour can be avoided). + +Instead of reintroducing redo_fd_request(), requeue the remainder +of the request by calling blk_mq_requeue_request() on incomplete +requests (i.e. when blk_update_request() still returns true), and +rely on the block layer to queue the residual as new request. + +Both error handling and formatting needs to release the +ST-DMA lock, so call finish_fdc() on these (this was previously +handled by redo_fd_request()). finish_fdc() may be called +legitimately without the ST-DMA lock held - make sure we only +release the lock if we actually held it. In a similar way, +early exit due to errors in ataflop_queue_rq() must release +the lock. + +After minor errors, fd_error sets up to recalibrate the drive +but never re-runs the current operation (another task handled by +redo_fd_request() before). Call do_fd_action() to get the next +steps (seek, retry read/write) underway. + +Signed-off-by: Michael Schmitz +Fixes: 6ec3938cff95f (ataflop: convert to blk-mq) +CC: linux-block@vger.kernel.org +Link: https://lore.kernel.org/r/20211024002013.9332-1-schmitzmic@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ataflop.c | 45 +++++++++++++++++++++++++++++++++++------ + 1 file changed, 39 insertions(+), 6 deletions(-) + +diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c +index bbb64331cf8f4..4947e41f89b7d 100644 +--- a/drivers/block/ataflop.c ++++ b/drivers/block/ataflop.c +@@ -456,10 +456,20 @@ static DEFINE_TIMER(fd_timer, check_change); + + static void fd_end_request_cur(blk_status_t err) + { ++ DPRINT(("fd_end_request_cur(), bytes %d of %d\n", ++ blk_rq_cur_bytes(fd_request), ++ blk_rq_bytes(fd_request))); ++ + if (!blk_update_request(fd_request, err, + blk_rq_cur_bytes(fd_request))) { ++ DPRINT(("calling __blk_mq_end_request()\n")); + __blk_mq_end_request(fd_request, err); + fd_request = NULL; ++ } else { ++ /* requeue rest of request */ ++ DPRINT(("calling blk_mq_requeue_request()\n")); ++ blk_mq_requeue_request(fd_request, true); ++ fd_request = NULL; + } + } + +@@ -697,12 +707,21 @@ static void fd_error( void ) + if (fd_request->error_count >= MAX_ERRORS) { + printk(KERN_ERR "fd%d: too many errors.\n", SelectedDrive ); + fd_end_request_cur(BLK_STS_IOERR); ++ finish_fdc(); ++ return; + } + else if (fd_request->error_count == RECALIBRATE_ERRORS) { + printk(KERN_WARNING "fd%d: recalibrating\n", SelectedDrive ); + if (SelectedDrive != -1) + SUD.track = -1; + } ++ /* need to re-run request to recalibrate */ ++ atari_disable_irq( IRQ_MFP_FDC ); ++ ++ setup_req_params( SelectedDrive ); ++ do_fd_action( SelectedDrive ); ++ ++ atari_enable_irq( IRQ_MFP_FDC ); + } + + +@@ -729,8 +748,10 @@ static int do_format(int drive, int type, struct atari_format_descr *desc) + if (type) { + type--; + if (type >= NUM_DISK_MINORS || +- minor2disktype[type].drive_types > DriveType) ++ minor2disktype[type].drive_types > DriveType) { ++ finish_fdc(); + return -EINVAL; ++ } + } + + q = unit[drive].disk[type]->queue; +@@ -748,6 +769,7 @@ static int do_format(int drive, int type, struct atari_format_descr *desc) + } + + if (!UDT || desc->track >= UDT->blocks/UDT->spt/2 || desc->head >= 2) { ++ finish_fdc(); + ret = -EINVAL; + goto out; + } +@@ -788,6 +810,7 @@ static int do_format(int drive, int type, struct atari_format_descr *desc) + + wait_for_completion(&format_wait); + ++ finish_fdc(); + ret = FormatError ? -EIO : 0; + out: + blk_mq_unquiesce_queue(q); +@@ -822,6 +845,7 @@ static void do_fd_action( int drive ) + else { + /* all sectors finished */ + fd_end_request_cur(BLK_STS_OK); ++ finish_fdc(); + return; + } + } +@@ -1225,8 +1249,8 @@ static void fd_rwsec_done1(int status) + } + else { + /* all sectors finished */ +- finish_fdc(); + fd_end_request_cur(BLK_STS_OK); ++ finish_fdc(); + } + return; + +@@ -1348,7 +1372,7 @@ static void fd_times_out(struct timer_list *unused) + + static void finish_fdc( void ) + { +- if (!NeedSeek) { ++ if (!NeedSeek || !stdma_is_locked_by(floppy_irq)) { + finish_fdc_done( 0 ); + } + else { +@@ -1383,7 +1407,8 @@ static void finish_fdc_done( int dummy ) + start_motor_off_timer(); + + local_irq_save(flags); +- stdma_release(); ++ if (stdma_is_locked_by(floppy_irq)) ++ stdma_release(); + local_irq_restore(flags); + + DPRINT(("finish_fdc() finished\n")); +@@ -1480,7 +1505,9 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx, + int drive = floppy - unit; + int type = floppy->type; + +- DPRINT(("Queue request: drive %d type %d last %d\n", drive, type, bd->last)); ++ DPRINT(("Queue request: drive %d type %d sectors %d of %d last %d\n", ++ drive, type, blk_rq_cur_sectors(bd->rq), ++ blk_rq_sectors(bd->rq), bd->last)); + + spin_lock_irq(&ataflop_lock); + if (fd_request) { +@@ -1502,6 +1529,7 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx, + /* drive not connected */ + printk(KERN_ERR "Unknown Device: fd%d\n", drive ); + fd_end_request_cur(BLK_STS_IOERR); ++ stdma_release(); + goto out; + } + +@@ -1518,11 +1546,13 @@ static blk_status_t ataflop_queue_rq(struct blk_mq_hw_ctx *hctx, + if (--type >= NUM_DISK_MINORS) { + printk(KERN_WARNING "fd%d: invalid disk format", drive ); + fd_end_request_cur(BLK_STS_IOERR); ++ stdma_release(); + goto out; + } + if (minor2disktype[type].drive_types > DriveType) { + printk(KERN_WARNING "fd%d: unsupported disk format", drive ); + fd_end_request_cur(BLK_STS_IOERR); ++ stdma_release(); + goto out; + } + type = minor2disktype[type].index; +@@ -1623,6 +1653,7 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, + /* what if type > 0 here? Overwrite specified entry ? */ + if (type) { + /* refuse to re-set a predefined type for now */ ++ finish_fdc(); + return -EINVAL; + } + +@@ -1690,8 +1721,10 @@ static int fd_locked_ioctl(struct block_device *bdev, fmode_t mode, + + /* sanity check */ + if (setprm.track != dtp->blocks/dtp->spt/2 || +- setprm.head != 2) ++ setprm.head != 2) { ++ finish_fdc(); + return -EINVAL; ++ } + + UDT = dtp; + set_capacity(disk, UDT->blocks); +-- +2.33.0 + diff --git a/queue-5.15/block-ataflop-provide-a-helper-for-cleanup-up-an-ata.patch b/queue-5.15/block-ataflop-provide-a-helper-for-cleanup-up-an-ata.patch new file mode 100644 index 00000000000..b0da3f89148 --- /dev/null +++ b/queue-5.15/block-ataflop-provide-a-helper-for-cleanup-up-an-ata.patch @@ -0,0 +1,88 @@ +From 7b50493aa0dee6049c53cf67aedbaf2152b8d742 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 15:03:01 -0700 +Subject: block/ataflop: provide a helper for cleanup up an atari disk + +From: Luis Chamberlain + +[ Upstream commit deae1138d04758c7f8939fcb8aee330bc37e3015 ] + +Instead of using two separate code paths for cleaning up an atari disk, +use one. We take the more careful approach to check for *all* disk +types, as is done on exit. The init path didn't have that check as +the alternative disk types are only probed for later, they are not +initialized by default. + +Yes, there is a shared tag for all disks. + +Signed-off-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20210927220302.1073499-14-mcgrof@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ataflop.c | 34 +++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c +index 55f6d6f6dbd34..123ad58193098 100644 +--- a/drivers/block/ataflop.c ++++ b/drivers/block/ataflop.c +@@ -2030,6 +2030,20 @@ static void ataflop_probe(dev_t dev) + mutex_unlock(&ataflop_probe_lock); + } + ++static void atari_cleanup_floppy_disk(struct atari_floppy_struct *fs) ++{ ++ int type; ++ ++ for (type = 0; type < NUM_DISK_MINORS; type++) { ++ if (!fs->disk[type]) ++ continue; ++ if (fs->registered[type]) ++ del_gendisk(fs->disk[type]); ++ blk_cleanup_disk(fs->disk[type]); ++ } ++ blk_mq_free_tag_set(&fs->tag_set); ++} ++ + static int __init atari_floppy_init (void) + { + int i; +@@ -2100,10 +2114,8 @@ static int __init atari_floppy_init (void) + return 0; + + err: +- while (--i >= 0) { +- blk_cleanup_disk(unit[i].disk[0]); +- blk_mq_free_tag_set(&unit[i].tag_set); +- } ++ while (--i >= 0) ++ atari_cleanup_floppy_disk(&unit[i]); + + unregister_blkdev(FLOPPY_MAJOR, "fd"); + out_unlock: +@@ -2152,18 +2164,10 @@ __setup("floppy=", atari_floppy_setup); + + static void __exit atari_floppy_exit(void) + { +- int i, type; ++ int i; + +- for (i = 0; i < FD_MAX_UNITS; i++) { +- for (type = 0; type < NUM_DISK_MINORS; type++) { +- if (!unit[i].disk[type]) +- continue; +- if (unit[i].registered[type]) +- del_gendisk(unit[i].disk[type]); +- blk_cleanup_disk(unit[i].disk[type]); +- } +- blk_mq_free_tag_set(&unit[i].tag_set); +- } ++ for (i = 0; i < FD_MAX_UNITS; i++) ++ atari_cleanup_floppy_disk(&unit[i]); + unregister_blkdev(FLOPPY_MAJOR, "fd"); + + del_timer_sync(&fd_timer); +-- +2.33.0 + diff --git a/queue-5.15/block-ataflop-use-the-blk_cleanup_disk-helper.patch b/queue-5.15/block-ataflop-use-the-blk_cleanup_disk-helper.patch new file mode 100644 index 00000000000..54fa0428dea --- /dev/null +++ b/queue-5.15/block-ataflop-use-the-blk_cleanup_disk-helper.patch @@ -0,0 +1,46 @@ +From 3341314cb0dfb216461c0e9fdeca6aed76f36f61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 15:02:59 -0700 +Subject: block/ataflop: use the blk_cleanup_disk() helper + +From: Luis Chamberlain + +[ Upstream commit 44a469b6acae6ad05c4acca8429467d1d50a8b8d ] + +Use the helper to replace two lines with one. + +Signed-off-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20210927220302.1073499-12-mcgrof@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/ataflop.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/block/ataflop.c b/drivers/block/ataflop.c +index 4947e41f89b7d..1a908455ff96f 100644 +--- a/drivers/block/ataflop.c ++++ b/drivers/block/ataflop.c +@@ -2097,8 +2097,7 @@ static int __init atari_floppy_init (void) + + err: + while (--i >= 0) { +- blk_cleanup_queue(unit[i].disk[0]->queue); +- put_disk(unit[i].disk[0]); ++ blk_cleanup_disk(unit[i].disk[0]); + blk_mq_free_tag_set(&unit[i].tag_set); + } + +@@ -2156,8 +2155,7 @@ static void __exit atari_floppy_exit(void) + if (!unit[i].disk[type]) + continue; + del_gendisk(unit[i].disk[type]); +- blk_cleanup_queue(unit[i].disk[type]->queue); +- put_disk(unit[i].disk[type]); ++ blk_cleanup_disk(unit[i].disk[type]); + } + blk_mq_free_tag_set(&unit[i].tag_set); + } +-- +2.33.0 + diff --git a/queue-5.15/block-bump-max-plugged-deferred-size-from-16-to-32.patch b/queue-5.15/block-bump-max-plugged-deferred-size-from-16-to-32.patch new file mode 100644 index 00000000000..a94e6629701 --- /dev/null +++ b/queue-5.15/block-bump-max-plugged-deferred-size-from-16-to-32.patch @@ -0,0 +1,84 @@ +From 6fb9f8aa63b500cbb059f70179cae03468ddc196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 12:01:07 -0600 +Subject: block: bump max plugged deferred size from 16 to 32 + +From: Jens Axboe + +[ Upstream commit ba0ffdd8ce48ad7f7e85191cd29f9674caca3745 ] + +Particularly for NVMe with efficient deferred submission for many +requests, there are nice benefits to be seen by bumping the default max +plug count from 16 to 32. This is especially true for virtualized setups, +where the submit part is more expensive. But can be noticed even on +native hardware. + +Reduce the multiple queue factor from 4 to 2, since we're changing the +default size. + +While changing it, move the defines into the block layer private header. +These aren't values that anyone outside of the block layer uses, or +should use. + +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 4 ++-- + block/blk.h | 6 ++++++ + include/linux/blkdev.h | 2 -- + 3 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 652a31fc3bb38..49587c181e3fd 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2148,14 +2148,14 @@ static void blk_add_rq_to_plug(struct blk_plug *plug, struct request *rq) + } + + /* +- * Allow 4x BLK_MAX_REQUEST_COUNT requests on plug queue for multiple ++ * Allow 2x BLK_MAX_REQUEST_COUNT requests on plug queue for multiple + * queues. This is important for md arrays to benefit from merging + * requests. + */ + static inline unsigned short blk_plug_max_rq_count(struct blk_plug *plug) + { + if (plug->multiple_queues) +- return BLK_MAX_REQUEST_COUNT * 4; ++ return BLK_MAX_REQUEST_COUNT * 2; + return BLK_MAX_REQUEST_COUNT; + } + +diff --git a/block/blk.h b/block/blk.h +index 6c3c00a8fe19d..aab72194d2266 100644 +--- a/block/blk.h ++++ b/block/blk.h +@@ -184,6 +184,12 @@ bool blk_bio_list_merge(struct request_queue *q, struct list_head *list, + void blk_account_io_start(struct request *req); + void blk_account_io_done(struct request *req, u64 now); + ++/* ++ * Plug flush limits ++ */ ++#define BLK_MAX_REQUEST_COUNT 32 ++#define BLK_PLUG_FLUSH_SIZE (128 * 1024) ++ + /* + * Internal elevator interface + */ +diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h +index 12b9dbcc980ee..683aee3654200 100644 +--- a/include/linux/blkdev.h ++++ b/include/linux/blkdev.h +@@ -1198,8 +1198,6 @@ struct blk_plug { + bool multiple_queues; + bool nowait; + }; +-#define BLK_MAX_REQUEST_COUNT 16 +-#define BLK_PLUG_FLUSH_SIZE (128 * 1024) + + struct blk_plug_cb; + typedef void (*blk_plug_cb_fn)(struct blk_plug_cb *, bool); +-- +2.33.0 + diff --git a/queue-5.15/block-fix-device_add_disk-kobject_create_and_add-err.patch b/queue-5.15/block-fix-device_add_disk-kobject_create_and_add-err.patch new file mode 100644 index 00000000000..3e12075031a --- /dev/null +++ b/queue-5.15/block-fix-device_add_disk-kobject_create_and_add-err.patch @@ -0,0 +1,53 @@ +From 651a980e22c8eaa47a09837733cbf14337d4a26e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 09:40:23 -0700 +Subject: block: fix device_add_disk() kobject_create_and_add() error handling + +From: Luis Chamberlain + +[ Upstream commit fe7d064fa3faec5d8157029fb8720b4fddc9e1e8 ] + +Commit 83cbce957446 ("block: add error handling for device_add_disk / +add_disk") added error handling to device_add_disk(), however the goto +label for the kobject_create_and_add() failure did not set the return +value correctly, and so we can end up in a situation where +kobject_create_and_add() fails but we report success. + +Fixes: 83cbce957446 ("block: add error handling for device_add_disk / add_disk") +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Signed-off-by: Luis Chamberlain +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20211103164023.1384821-1-mcgrof@kernel.org +[axboe: fold in followup fix from Wu Bo ] +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/genhd.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/block/genhd.c b/block/genhd.c +index ab12ae6e636e8..6accd0b185e9e 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -467,11 +467,15 @@ int device_add_disk(struct device *parent, struct gendisk *disk, + + disk->part0->bd_holder_dir = + kobject_create_and_add("holders", &ddev->kobj); +- if (!disk->part0->bd_holder_dir) ++ if (!disk->part0->bd_holder_dir) { ++ ret = -ENOMEM; + goto out_del_integrity; ++ } + disk->slave_dir = kobject_create_and_add("slaves", &ddev->kobj); +- if (!disk->slave_dir) ++ if (!disk->slave_dir) { ++ ret = -ENOMEM; + goto out_put_holder_dir; ++ } + + ret = bd_register_pending_holders(disk); + if (ret < 0) +-- +2.33.0 + diff --git a/queue-5.15/block-remove-inaccurate-requeue-check.patch b/queue-5.15/block-remove-inaccurate-requeue-check.patch new file mode 100644 index 00000000000..f7dc50d44d7 --- /dev/null +++ b/queue-5.15/block-remove-inaccurate-requeue-check.patch @@ -0,0 +1,40 @@ +From ac6ac7daa876ca8212300224771586bd2c5346d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 08:21:40 -0600 +Subject: block: remove inaccurate requeue check + +From: Jens Axboe + +[ Upstream commit 037057a5a979c7eeb2ee5d12cf4c24b805192c75 ] + +This check is meant to catch cases where a requeue is attempted on a +request that is still inserted. It's never really been useful to catch any +misuse, and now it's actively wrong. Outside of that, this should not be a +BUG_ON() to begin with. + +Remove the check as it's now causing active harm, as requeue off the plug +path will trigger it even though the request state is just fine. + +Reported-by: Yi Zhang +Link: https://lore.kernel.org/linux-block/CAHj4cs80zAUc2grnCZ015-2Rvd-=gXRfB_dFKy=RTm+wRo09HQ@mail.gmail.com/ +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/block/blk-mq.c b/block/blk-mq.c +index 49587c181e3fd..c8a9d10f7c18b 100644 +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -763,7 +763,6 @@ void blk_mq_requeue_request(struct request *rq, bool kick_requeue_list) + /* this request will be re-inserted to io scheduler queue */ + blk_mq_sched_requeue_request(rq); + +- BUG_ON(!list_empty(&rq->queuelist)); + blk_mq_add_to_requeue_list(rq, true, kick_requeue_list); + } + EXPORT_SYMBOL(blk_mq_requeue_request); +-- +2.33.0 + diff --git a/queue-5.15/bluetooth-btmtkuart-fix-a-memleak-in-mtk_hci_wmt_syn.patch b/queue-5.15/bluetooth-btmtkuart-fix-a-memleak-in-mtk_hci_wmt_syn.patch new file mode 100644 index 00000000000..5710dd7d6ba --- /dev/null +++ b/queue-5.15/bluetooth-btmtkuart-fix-a-memleak-in-mtk_hci_wmt_syn.patch @@ -0,0 +1,68 @@ +From c54cfe517dcd519d921d71ba34c1568c88245775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 21:49:45 +0800 +Subject: Bluetooth: btmtkuart: fix a memleak in mtk_hci_wmt_sync + +From: Dinghao Liu + +[ Upstream commit 3e5f2d90c28f9454e421108554707620bc23269d ] + +bdev->evt_skb will get freed in the normal path and one error path +of mtk_hci_wmt_sync, while the other error paths do not free it, +which may cause a memleak. This bug is suggested by a static analysis +tool, please advise. + +Fixes: e0b67035a90b ("Bluetooth: mediatek: update the common setup between MT7622 and other devices") +Signed-off-by: Dinghao Liu +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btmtkuart.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/bluetooth/btmtkuart.c b/drivers/bluetooth/btmtkuart.c +index e9d91d7c0db48..9ba22b13b4fa0 100644 +--- a/drivers/bluetooth/btmtkuart.c ++++ b/drivers/bluetooth/btmtkuart.c +@@ -158,8 +158,10 @@ static int mtk_hci_wmt_sync(struct hci_dev *hdev, + int err; + + hlen = sizeof(*hdr) + wmt_params->dlen; +- if (hlen > 255) +- return -EINVAL; ++ if (hlen > 255) { ++ err = -EINVAL; ++ goto err_free_skb; ++ } + + hdr = (struct mtk_wmt_hdr *)&wc; + hdr->dir = 1; +@@ -173,7 +175,7 @@ static int mtk_hci_wmt_sync(struct hci_dev *hdev, + err = __hci_cmd_send(hdev, 0xfc6f, hlen, &wc); + if (err < 0) { + clear_bit(BTMTKUART_TX_WAIT_VND_EVT, &bdev->tx_state); +- return err; ++ goto err_free_skb; + } + + /* The vendor specific WMT commands are all answered by a vendor +@@ -190,13 +192,14 @@ static int mtk_hci_wmt_sync(struct hci_dev *hdev, + if (err == -EINTR) { + bt_dev_err(hdev, "Execution of wmt command interrupted"); + clear_bit(BTMTKUART_TX_WAIT_VND_EVT, &bdev->tx_state); +- return err; ++ goto err_free_skb; + } + + if (err) { + bt_dev_err(hdev, "Execution of wmt command timed out"); + clear_bit(BTMTKUART_TX_WAIT_VND_EVT, &bdev->tx_state); +- return -ETIMEDOUT; ++ err = -ETIMEDOUT; ++ goto err_free_skb; + } + + /* Parse and handle the return WMT event */ +-- +2.33.0 + diff --git a/queue-5.15/bluetooth-call-sock_hold-earlier-in-sco_conn_del.patch b/queue-5.15/bluetooth-call-sock_hold-earlier-in-sco_conn_del.patch new file mode 100644 index 00000000000..4ac44145170 --- /dev/null +++ b/queue-5.15/bluetooth-call-sock_hold-earlier-in-sco_conn_del.patch @@ -0,0 +1,47 @@ +From 7d2ac4d152abbd0b16166328dee84099bb79013f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 23:13:05 -0400 +Subject: Bluetooth: call sock_hold earlier in sco_conn_del + +From: Desmond Cheong Zhi Xi + +[ Upstream commit f4712fa993f688d0a48e0c28728fcdeb88c1ea58 ] + +In sco_conn_del, conn->sk is read while holding on to the +sco_conn.lock to avoid races with a socket that could be released +concurrently. + +However, in between unlocking sco_conn.lock and calling sock_hold, +it's possible for the socket to be freed, which would cause a +use-after-free write when sock_hold is finally called. + +To fix this, the reference count of the socket should be increased +while the sco_conn.lock is still held. + +Signed-off-by: Desmond Cheong Zhi Xi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index b62c91c627e2c..4a057f99b60aa 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -187,10 +187,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err) + /* Kill socket */ + sco_conn_lock(conn); + sk = conn->sk; ++ if (sk) ++ sock_hold(sk); + sco_conn_unlock(conn); + + if (sk) { +- sock_hold(sk); + lock_sock(sk); + sco_sock_clear_timer(sk); + sco_chan_del(sk, err); +-- +2.33.0 + diff --git a/queue-5.15/bluetooth-fix-init-and-cleanup-of-sco_conn.timeout_w.patch b/queue-5.15/bluetooth-fix-init-and-cleanup-of-sco_conn.timeout_w.patch new file mode 100644 index 00000000000..12f312ca4ad --- /dev/null +++ b/queue-5.15/bluetooth-fix-init-and-cleanup-of-sco_conn.timeout_w.patch @@ -0,0 +1,66 @@ +From a313d42808be5a6d967742f42a9a0cb911662f6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 23:13:06 -0400 +Subject: Bluetooth: fix init and cleanup of sco_conn.timeout_work + +From: Desmond Cheong Zhi Xi + +[ Upstream commit 49d8a5606428ca0962d09050a5af81461ff90fbb ] + +Before freeing struct sco_conn, all delayed timeout work should be +cancelled. Otherwise, sco_sock_timeout could potentially use the +sco_conn after it has been freed. + +Additionally, sco_conn.timeout_work should be initialized when the +connection is allocated, not when the channel is added. This is +because an sco_conn can create channels with multiple sockets over its +lifetime, which happens if sockets are released but the connection +isn't deleted. + +Fixes: ba316be1b6a0 ("Bluetooth: schedule SCO timeouts with delayed_work") +Signed-off-by: Desmond Cheong Zhi Xi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 4a057f99b60aa..6e047e178c0ab 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -133,6 +133,7 @@ static struct sco_conn *sco_conn_add(struct hci_conn *hcon) + return NULL; + + spin_lock_init(&conn->lock); ++ INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout); + + hcon->sco_data = conn; + conn->hcon = hcon; +@@ -197,11 +198,11 @@ static void sco_conn_del(struct hci_conn *hcon, int err) + sco_chan_del(sk, err); + release_sock(sk); + sock_put(sk); +- +- /* Ensure no more work items will run before freeing conn. */ +- cancel_delayed_work_sync(&conn->timeout_work); + } + ++ /* Ensure no more work items will run before freeing conn. */ ++ cancel_delayed_work_sync(&conn->timeout_work); ++ + hcon->sco_data = NULL; + kfree(conn); + } +@@ -214,8 +215,6 @@ static void __sco_chan_add(struct sco_conn *conn, struct sock *sk, + sco_pi(sk)->conn = conn; + conn->sk = sk; + +- INIT_DELAYED_WORK(&conn->timeout_work, sco_sock_timeout); +- + if (parent) + bt_accept_enqueue(parent, sk, true); + } +-- +2.33.0 + diff --git a/queue-5.15/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch b/queue-5.15/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch new file mode 100644 index 00000000000..e19c0a2d2f2 --- /dev/null +++ b/queue-5.15/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch @@ -0,0 +1,139 @@ +From dfd54b445c1ffeae95a9ccf6b4557df7280b81ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Aug 2021 17:35:37 -0700 +Subject: Bluetooth: fix use-after-free error in lock_sock_nested() + +From: Wang ShaoBo + +[ Upstream commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c ] + +use-after-free error in lock_sock_nested is reported: + +[ 179.140137][ T3731] ===================================================== +[ 179.142675][ T3731] BUG: KMSAN: use-after-free in lock_sock_nested+0x280/0x2c0 +[ 179.145494][ T3731] CPU: 4 PID: 3731 Comm: kworker/4:2 Not tainted 5.12.0-rc6+ #54 +[ 179.148432][ T3731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +[ 179.151806][ T3731] Workqueue: events l2cap_chan_timeout +[ 179.152730][ T3731] Call Trace: +[ 179.153301][ T3731] dump_stack+0x24c/0x2e0 +[ 179.154063][ T3731] kmsan_report+0xfb/0x1e0 +[ 179.154855][ T3731] __msan_warning+0x5c/0xa0 +[ 179.155579][ T3731] lock_sock_nested+0x280/0x2c0 +[ 179.156436][ T3731] ? kmsan_get_metadata+0x116/0x180 +[ 179.157257][ T3731] l2cap_sock_teardown_cb+0xb8/0x890 +[ 179.158154][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20 +[ 179.159141][ T3731] ? kmsan_get_metadata+0x116/0x180 +[ 179.159994][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0 +[ 179.160959][ T3731] ? l2cap_sock_recv_cb+0x420/0x420 +[ 179.161834][ T3731] l2cap_chan_del+0x3e1/0x1d50 +[ 179.162608][ T3731] ? kmsan_get_metadata+0x116/0x180 +[ 179.163435][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0 +[ 179.164406][ T3731] l2cap_chan_close+0xeea/0x1050 +[ 179.165189][ T3731] ? kmsan_internal_unpoison_shadow+0x42/0x70 +[ 179.166180][ T3731] l2cap_chan_timeout+0x1da/0x590 +[ 179.167066][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20 +[ 179.168023][ T3731] ? l2cap_chan_create+0x560/0x560 +[ 179.168818][ T3731] process_one_work+0x121d/0x1ff0 +[ 179.169598][ T3731] worker_thread+0x121b/0x2370 +[ 179.170346][ T3731] kthread+0x4ef/0x610 +[ 179.171010][ T3731] ? process_one_work+0x1ff0/0x1ff0 +[ 179.171828][ T3731] ? kthread_blkcg+0x110/0x110 +[ 179.172587][ T3731] ret_from_fork+0x1f/0x30 +[ 179.173348][ T3731] +[ 179.173752][ T3731] Uninit was created at: +[ 179.174409][ T3731] kmsan_internal_poison_shadow+0x5c/0xf0 +[ 179.175373][ T3731] kmsan_slab_free+0x76/0xc0 +[ 179.176060][ T3731] kfree+0x3a5/0x1180 +[ 179.176664][ T3731] __sk_destruct+0x8af/0xb80 +[ 179.177375][ T3731] __sk_free+0x812/0x8c0 +[ 179.178032][ T3731] sk_free+0x97/0x130 +[ 179.178686][ T3731] l2cap_sock_release+0x3d5/0x4d0 +[ 179.179457][ T3731] sock_close+0x150/0x450 +[ 179.180117][ T3731] __fput+0x6bd/0xf00 +[ 179.180787][ T3731] ____fput+0x37/0x40 +[ 179.181481][ T3731] task_work_run+0x140/0x280 +[ 179.182219][ T3731] do_exit+0xe51/0x3e60 +[ 179.182930][ T3731] do_group_exit+0x20e/0x450 +[ 179.183656][ T3731] get_signal+0x2dfb/0x38f0 +[ 179.184344][ T3731] arch_do_signal_or_restart+0xaa/0xe10 +[ 179.185266][ T3731] exit_to_user_mode_prepare+0x2d2/0x560 +[ 179.186136][ T3731] syscall_exit_to_user_mode+0x35/0x60 +[ 179.186984][ T3731] do_syscall_64+0xc5/0x140 +[ 179.187681][ T3731] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 179.188604][ T3731] ===================================================== + +In our case, there are two Thread A and B: + +Context: Thread A: Context: Thread B: + +l2cap_chan_timeout() __se_sys_shutdown() + l2cap_chan_close() l2cap_sock_shutdown() + l2cap_chan_del() l2cap_chan_close() + l2cap_sock_teardown_cb() l2cap_sock_teardown_cb() + +Once l2cap_sock_teardown_cb() excuted, this sock will be marked as SOCK_ZAPPED, +and can be treated as killable in l2cap_sock_kill() if sock_orphan() has +excuted, at this time we close sock through sock_close() which end to call +l2cap_sock_kill() like Thread C: + +Context: Thread C: + +sock_close() + l2cap_sock_release() + sock_orphan() + l2cap_sock_kill() #free sock if refcnt is 1 + +If C completed, Once A or B reaches l2cap_sock_teardown_cb() again, +use-after-free happened. + +We should set chan->data to NULL if sock is destructed, for telling teardown +operation is not allowed in l2cap_sock_teardown_cb(), and also we should +avoid killing an already killed socket in l2cap_sock_close_cb(). + +Signed-off-by: Wang ShaoBo +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index c99d65ef13b1e..160c016a5dfb9 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1508,6 +1508,9 @@ static void l2cap_sock_close_cb(struct l2cap_chan *chan) + { + struct sock *sk = chan->data; + ++ if (!sk) ++ return; ++ + l2cap_sock_kill(sk); + } + +@@ -1516,6 +1519,9 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) + struct sock *sk = chan->data; + struct sock *parent; + ++ if (!sk) ++ return; ++ + BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); + + /* This callback can be called both for server (BT_LISTEN) +@@ -1707,8 +1713,10 @@ static void l2cap_sock_destruct(struct sock *sk) + { + BT_DBG("sk %p", sk); + +- if (l2cap_pi(sk)->chan) ++ if (l2cap_pi(sk)->chan) { ++ l2cap_pi(sk)->chan->data = NULL; + l2cap_chan_put(l2cap_pi(sk)->chan); ++ } + + if (l2cap_pi(sk)->rx_busy_skb) { + kfree_skb(l2cap_pi(sk)->rx_busy_skb); +-- +2.33.0 + diff --git a/queue-5.15/bluetooth-hci_h5-fix-runtime-suspend-issues-on-rtl87.patch b/queue-5.15/bluetooth-hci_h5-fix-runtime-suspend-issues-on-rtl87.patch new file mode 100644 index 00000000000..9b63e4e75d2 --- /dev/null +++ b/queue-5.15/bluetooth-hci_h5-fix-runtime-suspend-issues-on-rtl87.patch @@ -0,0 +1,86 @@ +From 1665f718fee5b9823eaeccc8c866dbddddd676f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 14:57:39 +0200 +Subject: Bluetooth: hci_h5: Fix (runtime)suspend issues on RTL8723BS HCIs + +From: Hans de Goede + +[ Upstream commit 9a9023f314873241a43b5a2b96e9c0caaa958433 ] + +The recently added H5_WAKEUP_DISABLE h5->flags flag gets checked in +h5_btrtl_open(), but it gets set in h5_serdev_probe() *after* +calling hci_uart_register_device() and thus after h5_btrtl_open() +is called, set this flag earlier. + +Also on devices where suspend/resume involves fully re-probing the HCI, +runtime-pm suspend should not be used, make the runtime-pm setup +conditional on the H5_WAKEUP_DISABLE flag too. + +This fixes the HCI being removed and then re-added every 10 seconds +because it was being reprobed as soon as it was runtime-suspended. + +Fixes: 66f077dde749 ("Bluetooth: hci_h5: add WAKEUP_DISABLE flag") +Fixes: d9dd833cf6d2 ("Bluetooth: hci_h5: Add runtime suspend") +Signed-off-by: Hans de Goede +Reviewed-by: Archie Pusaka +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_h5.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c +index eb0099a212888..d49a39d17d7dc 100644 +--- a/drivers/bluetooth/hci_h5.c ++++ b/drivers/bluetooth/hci_h5.c +@@ -848,6 +848,8 @@ static int h5_serdev_probe(struct serdev_device *serdev) + h5->vnd = data->vnd; + } + ++ if (data->driver_info & H5_INFO_WAKEUP_DISABLE) ++ set_bit(H5_WAKEUP_DISABLE, &h5->flags); + + h5->enable_gpio = devm_gpiod_get_optional(dev, "enable", GPIOD_OUT_LOW); + if (IS_ERR(h5->enable_gpio)) +@@ -862,9 +864,6 @@ static int h5_serdev_probe(struct serdev_device *serdev) + if (err) + return err; + +- if (data->driver_info & H5_INFO_WAKEUP_DISABLE) +- set_bit(H5_WAKEUP_DISABLE, &h5->flags); +- + return 0; + } + +@@ -964,11 +963,13 @@ static void h5_btrtl_open(struct h5 *h5) + serdev_device_set_parity(h5->hu->serdev, SERDEV_PARITY_EVEN); + serdev_device_set_baudrate(h5->hu->serdev, 115200); + +- pm_runtime_set_active(&h5->hu->serdev->dev); +- pm_runtime_use_autosuspend(&h5->hu->serdev->dev); +- pm_runtime_set_autosuspend_delay(&h5->hu->serdev->dev, +- SUSPEND_TIMEOUT_MS); +- pm_runtime_enable(&h5->hu->serdev->dev); ++ if (!test_bit(H5_WAKEUP_DISABLE, &h5->flags)) { ++ pm_runtime_set_active(&h5->hu->serdev->dev); ++ pm_runtime_use_autosuspend(&h5->hu->serdev->dev); ++ pm_runtime_set_autosuspend_delay(&h5->hu->serdev->dev, ++ SUSPEND_TIMEOUT_MS); ++ pm_runtime_enable(&h5->hu->serdev->dev); ++ } + + /* The controller needs up to 500ms to wakeup */ + gpiod_set_value_cansleep(h5->enable_gpio, 1); +@@ -978,7 +979,8 @@ static void h5_btrtl_open(struct h5 *h5) + + static void h5_btrtl_close(struct h5 *h5) + { +- pm_runtime_disable(&h5->hu->serdev->dev); ++ if (!test_bit(H5_WAKEUP_DISABLE, &h5->flags)) ++ pm_runtime_disable(&h5->hu->serdev->dev); + + gpiod_set_value_cansleep(h5->device_wake_gpio, 0); + gpiod_set_value_cansleep(h5->enable_gpio, 0); +-- +2.33.0 + diff --git a/queue-5.15/bluetooth-hci_uart-fix-gpf-in-h5_recv.patch b/queue-5.15/bluetooth-hci_uart-fix-gpf-in-h5_recv.patch new file mode 100644 index 00000000000..64168419140 --- /dev/null +++ b/queue-5.15/bluetooth-hci_uart-fix-gpf-in-h5_recv.patch @@ -0,0 +1,46 @@ +From e0905b6d37d2eeb75c9cb4a272c661681bbbf4a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 23:27:56 +0300 +Subject: Bluetooth: hci_uart: fix GPF in h5_recv + +From: Pavel Skripkin + +[ Upstream commit 2fc7acb69fa3573d4bf7a90c323296d840daf330 ] + +Syzbot hit general protection fault in h5_recv(). The problem was in +missing NULL check. + +hu->serdev can be NULL and we cannot blindly pass &serdev->dev +somewhere, since it can cause GPF. + +Fixes: d9dd833cf6d2 ("Bluetooth: hci_h5: Add runtime suspend") +Reported-and-tested-by: syzbot+7d41312fe3f123a6f605@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_h5.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c +index 0c0dedece59c5..eb0099a212888 100644 +--- a/drivers/bluetooth/hci_h5.c ++++ b/drivers/bluetooth/hci_h5.c +@@ -587,9 +587,11 @@ static int h5_recv(struct hci_uart *hu, const void *data, int count) + count -= processed; + } + +- pm_runtime_get(&hu->serdev->dev); +- pm_runtime_mark_last_busy(&hu->serdev->dev); +- pm_runtime_put_autosuspend(&hu->serdev->dev); ++ if (hu->serdev) { ++ pm_runtime_get(&hu->serdev->dev); ++ pm_runtime_mark_last_busy(&hu->serdev->dev); ++ pm_runtime_put_autosuspend(&hu->serdev->dev); ++ } + + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch b/queue-5.15/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch new file mode 100644 index 00000000000..cab165339c5 --- /dev/null +++ b/queue-5.15/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch @@ -0,0 +1,96 @@ +From acb86c88d32ff62d864f5776465922bfcd828299 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Aug 2021 18:18:18 +0200 +Subject: Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() + +From: Takashi Iwai + +[ Upstream commit 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ] + +The sco_send_frame() also takes lock_sock() during memcpy_from_msg() +call that may be endlessly blocked by a task with userfaultd +technique, and this will result in a hung task watchdog trigger. + +Just like the similar fix for hci_sock_sendmsg() in commit +92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves +the memcpy_from_msg() out of lock_sock() for addressing the hang. + +This should be the last piece for fixing CVE-2021-3640 after a few +already queued fixes. + +Signed-off-by: Takashi Iwai +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 98a8815865128..b62c91c627e2c 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -280,7 +280,8 @@ static int sco_connect(struct hci_dev *hdev, struct sock *sk) + return err; + } + +-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len) ++static int sco_send_frame(struct sock *sk, void *buf, int len, ++ unsigned int msg_flags) + { + struct sco_conn *conn = sco_pi(sk)->conn; + struct sk_buff *skb; +@@ -292,15 +293,11 @@ static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len) + + BT_DBG("sk %p len %d", sk, len); + +- skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); ++ skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err); + if (!skb) + return err; + +- if (memcpy_from_msg(skb_put(skb, len), msg, len)) { +- kfree_skb(skb); +- return -EFAULT; +- } +- ++ memcpy(skb_put(skb, len), buf, len); + hci_send_sco(conn->hcon, skb); + + return len; +@@ -725,6 +722,7 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg, + size_t len) + { + struct sock *sk = sock->sk; ++ void *buf; + int err; + + BT_DBG("sock %p, sk %p", sock, sk); +@@ -736,14 +734,24 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg, + if (msg->msg_flags & MSG_OOB) + return -EOPNOTSUPP; + ++ buf = kmalloc(len, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ ++ if (memcpy_from_msg(buf, msg, len)) { ++ kfree(buf); ++ return -EFAULT; ++ } ++ + lock_sock(sk); + + if (sk->sk_state == BT_CONNECTED) +- err = sco_send_frame(sk, msg, len); ++ err = sco_send_frame(sk, buf, len, msg->msg_flags); + else + err = -ENOTCONN; + + release_sock(sk); ++ kfree(buf); + return err; + } + +-- +2.33.0 + diff --git a/queue-5.15/bnxt_en-check-devlink-allocation-and-registration-st.patch b/queue-5.15/bnxt_en-check-devlink-allocation-and-registration-st.patch new file mode 100644 index 00000000000..f82921425f8 --- /dev/null +++ b/queue-5.15/bnxt_en-check-devlink-allocation-and-registration-st.patch @@ -0,0 +1,136 @@ +From f45774a8cb27a2bedf5d20f54a40beaedaf2161e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 21:12:48 +0300 +Subject: bnxt_en: Check devlink allocation and registration status + +From: Leon Romanovsky + +[ Upstream commit e624c70e1131e145bd0510b8a700b5e2d112e377 ] + +devlink is a software interface that doesn't depend on any hardware +capabilities. The failure in SW means memory issues, wrong parameters, +programmer error e.t.c. + +Like any other such interface in the kernel, the returned status of +devlink APIs should be checked and propagated further and not ignored. + +Fixes: 4ab0c6a8ffd7 ("bnxt_en: add support to enable VF-representors") +Signed-off-by: Leon Romanovsky +Reviewed-by: Edwin Peer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 5 ++++- + drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c | 13 ++++++------- + drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h | 13 ------------- + 3 files changed, 10 insertions(+), 21 deletions(-) + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +index 62f84cc91e4d1..0fba01db336cc 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -13370,7 +13370,9 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + } + + bnxt_inv_fw_health_reg(bp); +- bnxt_dl_register(bp); ++ rc = bnxt_dl_register(bp); ++ if (rc) ++ goto init_err_dl; + + rc = register_netdev(dev); + if (rc) +@@ -13390,6 +13392,7 @@ static int bnxt_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + init_err_cleanup: + bnxt_dl_unregister(bp); ++init_err_dl: + bnxt_shutdown_tc(bp); + bnxt_clear_int_mode(bp); + +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c +index 9576547df4aba..2a80882971e3d 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.c +@@ -134,7 +134,7 @@ void bnxt_dl_fw_reporters_create(struct bnxt *bp) + { + struct bnxt_fw_health *health = bp->fw_health; + +- if (!bp->dl || !health) ++ if (!health) + return; + + if (!(bp->fw_cap & BNXT_FW_CAP_HOT_RESET) || health->fw_reset_reporter) +@@ -188,7 +188,7 @@ void bnxt_dl_fw_reporters_destroy(struct bnxt *bp, bool all) + { + struct bnxt_fw_health *health = bp->fw_health; + +- if (!bp->dl || !health) ++ if (!health) + return; + + if ((all || !(bp->fw_cap & BNXT_FW_CAP_HOT_RESET)) && +@@ -781,6 +781,7 @@ int bnxt_dl_register(struct bnxt *bp) + { + const struct devlink_ops *devlink_ops; + struct devlink_port_attrs attrs = {}; ++ struct bnxt_dl *bp_dl; + struct devlink *dl; + int rc; + +@@ -795,7 +796,9 @@ int bnxt_dl_register(struct bnxt *bp) + return -ENOMEM; + } + +- bnxt_link_bp_to_dl(bp, dl); ++ bp->dl = dl; ++ bp_dl = devlink_priv(dl); ++ bp_dl->bp = bp; + + /* Add switchdev eswitch mode setting, if SRIOV supported */ + if (pci_find_ext_capability(bp->pdev, PCI_EXT_CAP_ID_SRIOV) && +@@ -833,7 +836,6 @@ err_dl_port_unreg: + err_dl_unreg: + devlink_unregister(dl); + err_dl_free: +- bnxt_link_bp_to_dl(bp, NULL); + devlink_free(dl); + return rc; + } +@@ -842,9 +844,6 @@ void bnxt_dl_unregister(struct bnxt *bp) + { + struct devlink *dl = bp->dl; + +- if (!dl) +- return; +- + if (BNXT_PF(bp)) { + bnxt_dl_params_unregister(bp); + devlink_port_unregister(&bp->dl_port); +diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h +index d889f240da2b2..406dc655a5fc9 100644 +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_devlink.h +@@ -20,19 +20,6 @@ static inline struct bnxt *bnxt_get_bp_from_dl(struct devlink *dl) + return ((struct bnxt_dl *)devlink_priv(dl))->bp; + } + +-/* To clear devlink pointer from bp, pass NULL dl */ +-static inline void bnxt_link_bp_to_dl(struct bnxt *bp, struct devlink *dl) +-{ +- bp->dl = dl; +- +- /* add a back pointer in dl to bp */ +- if (dl) { +- struct bnxt_dl *bp_dl = devlink_priv(dl); +- +- bp_dl->bp = bp; +- } +-} +- + #define NVM_OFF_MSIX_VEC_PER_PF_MAX 108 + #define NVM_OFF_MSIX_VEC_PER_PF_MIN 114 + #define NVM_OFF_IGNORE_ARI 164 +-- +2.33.0 + diff --git a/queue-5.15/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch b/queue-5.15/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch new file mode 100644 index 00000000000..15a3d14eade --- /dev/null +++ b/queue-5.15/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch @@ -0,0 +1,200 @@ +From 071e67e468b9a161648615cdbdd9cce5c776c5c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 17:37:33 +0800 +Subject: bonding: Fix a use-after-free problem when bond_sysfs_slave_add() + failed + +From: Huang Guobin + +[ Upstream commit b93c6a911a3fe926b00add28f3b932007827c4ca ] + +When I do fuzz test for bonding device interface, I got the following +use-after-free Calltrace: + +================================================================== +BUG: KASAN: use-after-free in bond_enslave+0x1521/0x24f0 +Read of size 8 at addr ffff88825bc11c00 by task ifenslave/7365 + +CPU: 5 PID: 7365 Comm: ifenslave Tainted: G E 5.15.0-rc1+ #13 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 +Call Trace: + dump_stack_lvl+0x6c/0x8b + print_address_description.constprop.0+0x48/0x70 + kasan_report.cold+0x82/0xdb + __asan_load8+0x69/0x90 + bond_enslave+0x1521/0x24f0 + bond_do_ioctl+0x3e0/0x450 + dev_ifsioc+0x2ba/0x970 + dev_ioctl+0x112/0x710 + sock_do_ioctl+0x118/0x1b0 + sock_ioctl+0x2e0/0x490 + __x64_sys_ioctl+0x118/0x150 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f19159cf577 +Code: b3 66 90 48 8b 05 11 89 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 78 +RSP: 002b:00007ffeb3083c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007ffeb3084bca RCX: 00007f19159cf577 +RDX: 00007ffeb3083ce0 RSI: 0000000000008990 RDI: 0000000000000003 +RBP: 00007ffeb3084bc4 R08: 0000000000000040 R09: 0000000000000000 +R10: 00007ffeb3084bc0 R11: 0000000000000246 R12: 00007ffeb3083ce0 +R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffeb3083cb0 + +Allocated by task 7365: + kasan_save_stack+0x23/0x50 + __kasan_kmalloc+0x83/0xa0 + kmem_cache_alloc_trace+0x22e/0x470 + bond_enslave+0x2e1/0x24f0 + bond_do_ioctl+0x3e0/0x450 + dev_ifsioc+0x2ba/0x970 + dev_ioctl+0x112/0x710 + sock_do_ioctl+0x118/0x1b0 + sock_ioctl+0x2e0/0x490 + __x64_sys_ioctl+0x118/0x150 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Freed by task 7365: + kasan_save_stack+0x23/0x50 + kasan_set_track+0x20/0x30 + kasan_set_free_info+0x24/0x40 + __kasan_slab_free+0xf2/0x130 + kfree+0xd1/0x5c0 + slave_kobj_release+0x61/0x90 + kobject_put+0x102/0x180 + bond_sysfs_slave_add+0x7a/0xa0 + bond_enslave+0x11b6/0x24f0 + bond_do_ioctl+0x3e0/0x450 + dev_ifsioc+0x2ba/0x970 + dev_ioctl+0x112/0x710 + sock_do_ioctl+0x118/0x1b0 + sock_ioctl+0x2e0/0x490 + __x64_sys_ioctl+0x118/0x150 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Last potentially related work creation: + kasan_save_stack+0x23/0x50 + kasan_record_aux_stack+0xb7/0xd0 + insert_work+0x43/0x190 + __queue_work+0x2e3/0x970 + delayed_work_timer_fn+0x3e/0x50 + call_timer_fn+0x148/0x470 + run_timer_softirq+0x8a8/0xc50 + __do_softirq+0x107/0x55f + +Second to last potentially related work creation: + kasan_save_stack+0x23/0x50 + kasan_record_aux_stack+0xb7/0xd0 + insert_work+0x43/0x190 + __queue_work+0x2e3/0x970 + __queue_delayed_work+0x130/0x180 + queue_delayed_work_on+0xa7/0xb0 + bond_enslave+0xe25/0x24f0 + bond_do_ioctl+0x3e0/0x450 + dev_ifsioc+0x2ba/0x970 + dev_ioctl+0x112/0x710 + sock_do_ioctl+0x118/0x1b0 + sock_ioctl+0x2e0/0x490 + __x64_sys_ioctl+0x118/0x150 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The buggy address belongs to the object at ffff88825bc11c00 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 0 bytes inside of + 1024-byte region [ffff88825bc11c00, ffff88825bc12000) +The buggy address belongs to the page: +page:ffffea00096f0400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25bc10 +head:ffffea00096f0400 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff) +raw: 057ff00000010200 ffffea0009a71c08 ffff888240001968 ffff88810004dbc0 +raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88825bc11b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88825bc11b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88825bc11c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88825bc11c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88825bc11d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Put new_slave in bond_sysfs_slave_add() will cause use-after-free problems +when new_slave is accessed in the subsequent error handling process. Since +new_slave will be put in the subsequent error handling process, remove the +unnecessary put to fix it. +In addition, when sysfs_create_file() fails, if some files have been crea- +ted successfully, we need to call sysfs_remove_file() to remove them. +Since there are sysfs_create_files() & sysfs_remove_files() can be used, +use these two functions instead. + +Fixes: 7afcaec49696 (bonding: use kobject_put instead of _del after kobject_add) +Signed-off-by: Huang Guobin +Reviewed-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_sysfs_slave.c | 36 ++++++++------------------ + 1 file changed, 11 insertions(+), 25 deletions(-) + +diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c +index fd07561da0348..6a6cdd0bb2585 100644 +--- a/drivers/net/bonding/bond_sysfs_slave.c ++++ b/drivers/net/bonding/bond_sysfs_slave.c +@@ -108,15 +108,15 @@ static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf) + } + static SLAVE_ATTR_RO(ad_partner_oper_port_state); + +-static const struct slave_attribute *slave_attrs[] = { +- &slave_attr_state, +- &slave_attr_mii_status, +- &slave_attr_link_failure_count, +- &slave_attr_perm_hwaddr, +- &slave_attr_queue_id, +- &slave_attr_ad_aggregator_id, +- &slave_attr_ad_actor_oper_port_state, +- &slave_attr_ad_partner_oper_port_state, ++static const struct attribute *slave_attrs[] = { ++ &slave_attr_state.attr, ++ &slave_attr_mii_status.attr, ++ &slave_attr_link_failure_count.attr, ++ &slave_attr_perm_hwaddr.attr, ++ &slave_attr_queue_id.attr, ++ &slave_attr_ad_aggregator_id.attr, ++ &slave_attr_ad_actor_oper_port_state.attr, ++ &slave_attr_ad_partner_oper_port_state.attr, + NULL + }; + +@@ -137,24 +137,10 @@ const struct sysfs_ops slave_sysfs_ops = { + + int bond_sysfs_slave_add(struct slave *slave) + { +- const struct slave_attribute **a; +- int err; +- +- for (a = slave_attrs; *a; ++a) { +- err = sysfs_create_file(&slave->kobj, &((*a)->attr)); +- if (err) { +- kobject_put(&slave->kobj); +- return err; +- } +- } +- +- return 0; ++ return sysfs_create_files(&slave->kobj, slave_attrs); + } + + void bond_sysfs_slave_del(struct slave *slave) + { +- const struct slave_attribute **a; +- +- for (a = slave_attrs; *a; ++a) +- sysfs_remove_file(&slave->kobj, &((*a)->attr)); ++ sysfs_remove_files(&slave->kobj, slave_attrs); + } +-- +2.33.0 + diff --git a/queue-5.15/bpf-avoid-races-in-__bpf_prog_run-for-32bit-arches.patch b/queue-5.15/bpf-avoid-races-in-__bpf_prog_run-for-32bit-arches.patch new file mode 100644 index 00000000000..a441d1e1ed4 --- /dev/null +++ b/queue-5.15/bpf-avoid-races-in-__bpf_prog_run-for-32bit-arches.patch @@ -0,0 +1,219 @@ +From 5f5ec537cef5581fdbb9cc53c91b0569abb9bcaf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 14:41:31 -0700 +Subject: bpf: Avoid races in __bpf_prog_run() for 32bit arches + +From: Eric Dumazet + +[ Upstream commit f941eadd8d6d4ee2f8c9aeab8e1da5e647533a7d ] + +__bpf_prog_run() can run from non IRQ contexts, meaning +it could be re entered if interrupted. + +This calls for the irq safe variant of u64_stats_update_{begin|end}, +or risk a deadlock. + +This patch is a nop on 64bit arches, fortunately. + +syzbot report: + +WARNING: inconsistent lock state +5.12.0-rc3-syzkaller #0 Not tainted +-------------------------------- +inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage. +udevd/4013 [HC0[0]:SC0[0]:HE1:SE1] takes: +ff7c9dec (&(&pstats->syncp)->seq){+.?.}-{0:0}, at: sk_filter include/linux/filter.h:867 [inline] +ff7c9dec (&(&pstats->syncp)->seq){+.?.}-{0:0}, at: do_one_broadcast net/netlink/af_netlink.c:1468 [inline] +ff7c9dec (&(&pstats->syncp)->seq){+.?.}-{0:0}, at: netlink_broadcast_filtered+0x27c/0x4fc net/netlink/af_netlink.c:1520 +{IN-SOFTIRQ-W} state was registered at: + lock_acquire.part.0+0xf0/0x41c kernel/locking/lockdep.c:5510 + lock_acquire+0x6c/0x74 kernel/locking/lockdep.c:5483 + do_write_seqcount_begin_nested include/linux/seqlock.h:520 [inline] + do_write_seqcount_begin include/linux/seqlock.h:545 [inline] + u64_stats_update_begin include/linux/u64_stats_sync.h:129 [inline] + bpf_prog_run_pin_on_cpu include/linux/filter.h:624 [inline] + bpf_prog_run_clear_cb+0x1bc/0x270 include/linux/filter.h:755 + run_filter+0xa0/0x17c net/packet/af_packet.c:2031 + packet_rcv+0xc0/0x3e0 net/packet/af_packet.c:2104 + dev_queue_xmit_nit+0x2bc/0x39c net/core/dev.c:2387 + xmit_one net/core/dev.c:3588 [inline] + dev_hard_start_xmit+0x94/0x518 net/core/dev.c:3609 + sch_direct_xmit+0x11c/0x1f0 net/sched/sch_generic.c:313 + qdisc_restart net/sched/sch_generic.c:376 [inline] + __qdisc_run+0x194/0x7f8 net/sched/sch_generic.c:384 + qdisc_run include/net/pkt_sched.h:136 [inline] + qdisc_run include/net/pkt_sched.h:128 [inline] + __dev_xmit_skb net/core/dev.c:3795 [inline] + __dev_queue_xmit+0x65c/0xf84 net/core/dev.c:4150 + dev_queue_xmit+0x14/0x18 net/core/dev.c:4215 + neigh_resolve_output net/core/neighbour.c:1491 [inline] + neigh_resolve_output+0x170/0x228 net/core/neighbour.c:1471 + neigh_output include/net/neighbour.h:510 [inline] + ip6_finish_output2+0x2e4/0x9fc net/ipv6/ip6_output.c:117 + __ip6_finish_output net/ipv6/ip6_output.c:182 [inline] + __ip6_finish_output+0x164/0x3f8 net/ipv6/ip6_output.c:161 + ip6_finish_output+0x2c/0xb0 net/ipv6/ip6_output.c:192 + NF_HOOK_COND include/linux/netfilter.h:290 [inline] + ip6_output+0x74/0x294 net/ipv6/ip6_output.c:215 + dst_output include/net/dst.h:448 [inline] + NF_HOOK include/linux/netfilter.h:301 [inline] + NF_HOOK include/linux/netfilter.h:295 [inline] + mld_sendpack+0x2a8/0x7e4 net/ipv6/mcast.c:1679 + mld_send_cr net/ipv6/mcast.c:1975 [inline] + mld_ifc_timer_expire+0x1e8/0x494 net/ipv6/mcast.c:2474 + call_timer_fn+0xd0/0x570 kernel/time/timer.c:1431 + expire_timers kernel/time/timer.c:1476 [inline] + __run_timers kernel/time/timer.c:1745 [inline] + run_timer_softirq+0x2e4/0x384 kernel/time/timer.c:1758 + __do_softirq+0x204/0x7ac kernel/softirq.c:345 + do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline] + invoke_softirq kernel/softirq.c:228 [inline] + __irq_exit_rcu+0x1d8/0x200 kernel/softirq.c:422 + irq_exit+0x10/0x3c kernel/softirq.c:446 + __handle_domain_irq+0xb4/0x120 kernel/irq/irqdesc.c:692 + handle_domain_irq include/linux/irqdesc.h:176 [inline] + gic_handle_irq+0x84/0xac drivers/irqchip/irq-gic.c:370 + __irq_svc+0x5c/0x94 arch/arm/kernel/entry-armv.S:205 + debug_smp_processor_id+0x0/0x24 lib/smp_processor_id.c:53 + rcu_read_lock_held_common kernel/rcu/update.c:108 [inline] + rcu_read_lock_sched_held+0x24/0x7c kernel/rcu/update.c:123 + trace_lock_acquire+0x24c/0x278 include/trace/events/lock.h:13 + lock_acquire+0x3c/0x74 kernel/locking/lockdep.c:5481 + rcu_lock_acquire include/linux/rcupdate.h:267 [inline] + rcu_read_lock include/linux/rcupdate.h:656 [inline] + avc_has_perm_noaudit+0x6c/0x260 security/selinux/avc.c:1150 + selinux_inode_permission+0x140/0x220 security/selinux/hooks.c:3141 + security_inode_permission+0x44/0x60 security/security.c:1268 + inode_permission.part.0+0x5c/0x13c fs/namei.c:521 + inode_permission fs/namei.c:494 [inline] + may_lookup fs/namei.c:1652 [inline] + link_path_walk.part.0+0xd4/0x38c fs/namei.c:2208 + link_path_walk fs/namei.c:2189 [inline] + path_lookupat+0x3c/0x1b8 fs/namei.c:2419 + filename_lookup+0xa8/0x1a4 fs/namei.c:2453 + user_path_at_empty+0x74/0x90 fs/namei.c:2733 + do_readlinkat+0x5c/0x12c fs/stat.c:417 + __do_sys_readlink fs/stat.c:450 [inline] + sys_readlink+0x24/0x28 fs/stat.c:447 + ret_fast_syscall+0x0/0x2c arch/arm/mm/proc-v7.S:64 + 0x7eaa4974 +irq event stamp: 298277 +hardirqs last enabled at (298277): [<802000d0>] no_work_pending+0x4/0x34 +hardirqs last disabled at (298276): [<8020c9b8>] do_work_pending+0x9c/0x648 arch/arm/kernel/signal.c:676 +softirqs last enabled at (298216): [<8020167c>] __do_softirq+0x584/0x7ac kernel/softirq.c:372 +softirqs last disabled at (298201): [<8024dff4>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline] +softirqs last disabled at (298201): [<8024dff4>] invoke_softirq kernel/softirq.c:228 [inline] +softirqs last disabled at (298201): [<8024dff4>] __irq_exit_rcu+0x1d8/0x200 kernel/softirq.c:422 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&(&pstats->syncp)->seq); + + lock(&(&pstats->syncp)->seq); + + *** DEADLOCK *** + +1 lock held by udevd/4013: + #0: 82b09c5c (rcu_read_lock){....}-{1:2}, at: sk_filter_trim_cap+0x54/0x434 net/core/filter.c:139 + +stack backtrace: +CPU: 1 PID: 4013 Comm: udevd Not tainted 5.12.0-rc3-syzkaller #0 +Hardware name: ARM-Versatile Express +Backtrace: +[<81802550>] (dump_backtrace) from [<818027c4>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:252) + r7:00000080 r6:600d0093 r5:00000000 r4:82b58344 +[<818027ac>] (show_stack) from [<81809e98>] (__dump_stack lib/dump_stack.c:79 [inline]) +[<818027ac>] (show_stack) from [<81809e98>] (dump_stack+0xb8/0xe8 lib/dump_stack.c:120) +[<81809de0>] (dump_stack) from [<81804a00>] (print_usage_bug.part.0+0x228/0x230 kernel/locking/lockdep.c:3806) + r7:86bcb768 r6:81a0326c r5:830f96a8 r4:86bcb0c0 +[<818047d8>] (print_usage_bug.part.0) from [<802bb1b8>] (print_usage_bug kernel/locking/lockdep.c:3776 [inline]) +[<818047d8>] (print_usage_bug.part.0) from [<802bb1b8>] (valid_state kernel/locking/lockdep.c:3818 [inline]) +[<818047d8>] (print_usage_bug.part.0) from [<802bb1b8>] (mark_lock_irq kernel/locking/lockdep.c:4021 [inline]) +[<818047d8>] (print_usage_bug.part.0) from [<802bb1b8>] (mark_lock.part.0+0xc34/0x136c kernel/locking/lockdep.c:4478) + r10:83278fe8 r9:82c6d748 r8:00000000 r7:82c6d2d4 r6:00000004 r5:86bcb768 + r4:00000006 +[<802ba584>] (mark_lock.part.0) from [<802bc644>] (mark_lock kernel/locking/lockdep.c:4442 [inline]) +[<802ba584>] (mark_lock.part.0) from [<802bc644>] (mark_usage kernel/locking/lockdep.c:4391 [inline]) +[<802ba584>] (mark_lock.part.0) from [<802bc644>] (__lock_acquire+0x9bc/0x3318 kernel/locking/lockdep.c:4854) + r10:86bcb768 r9:86bcb0c0 r8:00000001 r7:00040000 r6:0000075a r5:830f96a8 + r4:00000000 +[<802bbc88>] (__lock_acquire) from [<802bfb90>] (lock_acquire.part.0+0xf0/0x41c kernel/locking/lockdep.c:5510) + r10:00000000 r9:600d0013 r8:00000000 r7:00000000 r6:828a2680 r5:828a2680 + r4:861e5bc8 +[<802bfaa0>] (lock_acquire.part.0) from [<802bff28>] (lock_acquire+0x6c/0x74 kernel/locking/lockdep.c:5483) + r10:8146137c r9:00000000 r8:00000001 r7:00000000 r6:00000000 r5:00000000 + r4:ff7c9dec +[<802bfebc>] (lock_acquire) from [<81381eb4>] (do_write_seqcount_begin_nested include/linux/seqlock.h:520 [inline]) +[<802bfebc>] (lock_acquire) from [<81381eb4>] (do_write_seqcount_begin include/linux/seqlock.h:545 [inline]) +[<802bfebc>] (lock_acquire) from [<81381eb4>] (u64_stats_update_begin include/linux/u64_stats_sync.h:129 [inline]) +[<802bfebc>] (lock_acquire) from [<81381eb4>] (__bpf_prog_run_save_cb include/linux/filter.h:727 [inline]) +[<802bfebc>] (lock_acquire) from [<81381eb4>] (bpf_prog_run_save_cb include/linux/filter.h:741 [inline]) +[<802bfebc>] (lock_acquire) from [<81381eb4>] (sk_filter_trim_cap+0x26c/0x434 net/core/filter.c:149) + r10:a4095dd0 r9:ff7c9dd0 r8:e44be000 r7:8146137c r6:00000001 r5:8611ba80 + r4:00000000 +[<81381c48>] (sk_filter_trim_cap) from [<8146137c>] (sk_filter include/linux/filter.h:867 [inline]) +[<81381c48>] (sk_filter_trim_cap) from [<8146137c>] (do_one_broadcast net/netlink/af_netlink.c:1468 [inline]) +[<81381c48>] (sk_filter_trim_cap) from [<8146137c>] (netlink_broadcast_filtered+0x27c/0x4fc net/netlink/af_netlink.c:1520) + r10:00000001 r9:833d6b1c r8:00000000 r7:8572f864 r6:8611ba80 r5:8698d800 + r4:8572f800 +[<81461100>] (netlink_broadcast_filtered) from [<81463e60>] (netlink_broadcast net/netlink/af_netlink.c:1544 [inline]) +[<81461100>] (netlink_broadcast_filtered) from [<81463e60>] (netlink_sendmsg+0x3d0/0x478 net/netlink/af_netlink.c:1925) + r10:00000000 r9:00000002 r8:8698d800 r7:000000b7 r6:8611b900 r5:861e5f50 + r4:86aa3000 +[<81463a90>] (netlink_sendmsg) from [<81321f54>] (sock_sendmsg_nosec net/socket.c:654 [inline]) +[<81463a90>] (netlink_sendmsg) from [<81321f54>] (sock_sendmsg+0x3c/0x4c net/socket.c:674) + r10:00000000 r9:861e5dd4 r8:00000000 r7:86570000 r6:00000000 r5:86570000 + r4:861e5f50 +[<81321f18>] (sock_sendmsg) from [<813234d0>] (____sys_sendmsg+0x230/0x29c net/socket.c:2350) + r5:00000040 r4:861e5f50 +[<813232a0>] (____sys_sendmsg) from [<8132549c>] (___sys_sendmsg+0xac/0xe4 net/socket.c:2404) + r10:00000128 r9:861e4000 r8:00000000 r7:00000000 r6:86570000 r5:861e5f50 + r4:00000000 +[<813253f0>] (___sys_sendmsg) from [<81325684>] (__sys_sendmsg net/socket.c:2433 [inline]) +[<813253f0>] (___sys_sendmsg) from [<81325684>] (__do_sys_sendmsg net/socket.c:2442 [inline]) +[<813253f0>] (___sys_sendmsg) from [<81325684>] (sys_sendmsg+0x58/0xa0 net/socket.c:2440) + r8:80200224 r7:00000128 r6:00000000 r5:7eaa541c r4:86570000 +[<8132562c>] (sys_sendmsg) from [<80200060>] (ret_fast_syscall+0x0/0x2c arch/arm/mm/proc-v7.S:64) +Exception stack(0x861e5fa8 to 0x861e5ff0) +5fa0: 00000000 00000000 0000000c 7eaa541c 00000000 00000000 +5fc0: 00000000 00000000 76fbf840 00000128 00000000 0000008f 7eaa541c 000563f8 +5fe0: 00056110 7eaa53e0 00036cec 76c9bf44 + r6:76fbf840 r5:00000000 r4:00000000 + +Fixes: 492ecee892c2 ("bpf: enable program stats") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20211026214133.3114279-2-eric.dumazet@gmail.com +Signed-off-by: Sasha Levin +--- + include/linux/filter.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/include/linux/filter.h b/include/linux/filter.h +index ef03ff34234d8..28391de6cc445 100644 +--- a/include/linux/filter.h ++++ b/include/linux/filter.h +@@ -613,13 +613,14 @@ static __always_inline u32 __bpf_prog_run(const struct bpf_prog *prog, + if (static_branch_unlikely(&bpf_stats_enabled_key)) { + struct bpf_prog_stats *stats; + u64 start = sched_clock(); ++ unsigned long flags; + + ret = dfunc(ctx, prog->insnsi, prog->bpf_func); + stats = this_cpu_ptr(prog->stats); +- u64_stats_update_begin(&stats->syncp); ++ flags = u64_stats_update_begin_irqsave(&stats->syncp); + stats->cnt++; + stats->nsecs += sched_clock() - start; +- u64_stats_update_end(&stats->syncp); ++ u64_stats_update_end_irqrestore(&stats->syncp, flags); + } else { + ret = dfunc(ctx, prog->insnsi, prog->bpf_func); + } +-- +2.33.0 + diff --git a/queue-5.15/bpf-fix-propagation-of-bounds-from-64-bit-min-max-in.patch b/queue-5.15/bpf-fix-propagation-of-bounds-from-64-bit-min-max-in.patch new file mode 100644 index 00000000000..054091f96f6 --- /dev/null +++ b/queue-5.15/bpf-fix-propagation-of-bounds-from-64-bit-min-max-in.patch @@ -0,0 +1,69 @@ +From a9558ab077d1740a5487c3d5836a2d6bd152cf22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 15:21:51 -0700 +Subject: bpf: Fix propagation of bounds from 64-bit min/max into 32-bit and + var_off. + +From: Alexei Starovoitov + +[ Upstream commit b9979db8340154526d9ab38a1883d6f6ba9b6d47 ] + +Before this fix: +166: (b5) if r2 <= 0x1 goto pc+22 +from 166 to 189: R2=invP(id=1,umax_value=1,var_off=(0x0; 0xffffffff)) + +After this fix: +166: (b5) if r2 <= 0x1 goto pc+22 +from 166 to 189: R2=invP(id=1,umax_value=1,var_off=(0x0; 0x1)) + +While processing BPF_JLE the reg_set_min_max() would set true_reg->umax_value = 1 +and call __reg_combine_64_into_32(true_reg). + +Without the fix it would not pass the condition: +if (__reg64_bound_u32(reg->umin_value) && __reg64_bound_u32(reg->umax_value)) + +since umin_value == 0 at this point. +Before commit 10bf4e83167c the umin was incorrectly ingored. +The commit 10bf4e83167c fixed the correctness issue, but pessimized +propagation of 64-bit min max into 32-bit min max and corresponding var_off. + +Fixes: 10bf4e83167c ("bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20211101222153.78759-1-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 2 +- + tools/testing/selftests/bpf/verifier/array_access.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index e76b559179054..055012faca94e 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1411,7 +1411,7 @@ static bool __reg64_bound_s32(s64 a) + + static bool __reg64_bound_u32(u64 a) + { +- return a > U32_MIN && a < U32_MAX; ++ return a >= U32_MIN && a <= U32_MAX; + } + + static void __reg_combine_64_into_32(struct bpf_reg_state *reg) +diff --git a/tools/testing/selftests/bpf/verifier/array_access.c b/tools/testing/selftests/bpf/verifier/array_access.c +index 1b1c798e92489..1b138cd2b187d 100644 +--- a/tools/testing/selftests/bpf/verifier/array_access.c ++++ b/tools/testing/selftests/bpf/verifier/array_access.c +@@ -186,7 +186,7 @@ + }, + .fixup_map_hash_48b = { 3 }, + .errstr_unpriv = "R0 leaks addr", +- .errstr = "R0 unbounded memory access", ++ .errstr = "invalid access to map value, value_size=48 off=44 size=8", + .result_unpriv = REJECT, + .result = REJECT, + .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, +-- +2.33.0 + diff --git a/queue-5.15/bpf-fix-propagation-of-signed-bounds-from-64-bit-min.patch b/queue-5.15/bpf-fix-propagation-of-signed-bounds-from-64-bit-min.patch new file mode 100644 index 00000000000..6697a08d7e1 --- /dev/null +++ b/queue-5.15/bpf-fix-propagation-of-signed-bounds-from-64-bit-min.patch @@ -0,0 +1,40 @@ +From 96c3a23e82a1f9dfa0f47fda03eb847f295925ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 15:21:52 -0700 +Subject: bpf: Fix propagation of signed bounds from 64-bit min/max into + 32-bit. + +From: Alexei Starovoitov + +[ Upstream commit 388e2c0b978339dee9b0a81a2e546f8979e021e2 ] + +Similar to unsigned bounds propagation fix signed bounds. +The 'Fixes' tag is a hint. There is no security bug here. +The verifier was too conservative. + +Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") +Signed-off-by: Alexei Starovoitov +Signed-off-by: Andrii Nakryiko +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20211101222153.78759-2-alexei.starovoitov@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/verifier.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 055012faca94e..ddba80554fef3 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -1406,7 +1406,7 @@ static void __reg_combine_32_into_64(struct bpf_reg_state *reg) + + static bool __reg64_bound_s32(s64 a) + { +- return a > S32_MIN && a < S32_MAX; ++ return a >= S32_MIN && a <= S32_MAX; + } + + static bool __reg64_bound_u32(u64 a) +-- +2.33.0 + diff --git a/queue-5.15/bpf-fixes-possible-race-in-update_prog_stats-for-32b.patch b/queue-5.15/bpf-fixes-possible-race-in-update_prog_stats-for-32b.patch new file mode 100644 index 00000000000..6bf912e4ccd --- /dev/null +++ b/queue-5.15/bpf-fixes-possible-race-in-update_prog_stats-for-32b.patch @@ -0,0 +1,47 @@ +From 2645264295ee092a6a21cf5f508181f165ae9c10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 14:41:32 -0700 +Subject: bpf: Fixes possible race in update_prog_stats() for 32bit arches + +From: Eric Dumazet + +[ Upstream commit d979617aa84d96acca44c2f5778892b4565e322f ] + +It seems update_prog_stats() suffers from same issue fixed +in the prior patch: + +As it can run while interrupts are enabled, it could +be re-entered and the u64_stats syncp could be mangled. + +Fixes: fec56f5890d9 ("bpf: Introduce BPF trampoline") +Signed-off-by: Eric Dumazet +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20211026214133.3114279-3-eric.dumazet@gmail.com +Signed-off-by: Sasha Levin +--- + kernel/bpf/trampoline.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c +index fe1e857324e66..d3a307a8c42b9 100644 +--- a/kernel/bpf/trampoline.c ++++ b/kernel/bpf/trampoline.c +@@ -585,11 +585,13 @@ static void notrace update_prog_stats(struct bpf_prog *prog, + * Hence check that 'start' is valid. + */ + start > NO_START_TIME) { ++ unsigned long flags; ++ + stats = this_cpu_ptr(prog->stats); +- u64_stats_update_begin(&stats->syncp); ++ flags = u64_stats_update_begin_irqsave(&stats->syncp); + stats->cnt++; + stats->nsecs += sched_clock() - start; +- u64_stats_update_end(&stats->syncp); ++ u64_stats_update_end_irqrestore(&stats->syncp, flags); + } + } + +-- +2.33.0 + diff --git a/queue-5.15/bpf-sockmap-fix-race-in-ingress-receive-verdict-with.patch b/queue-5.15/bpf-sockmap-fix-race-in-ingress-receive-verdict-with.patch new file mode 100644 index 00000000000..98d43bfad76 --- /dev/null +++ b/queue-5.15/bpf-sockmap-fix-race-in-ingress-receive-verdict-with.patch @@ -0,0 +1,191 @@ +From 55fe13d1d001fae3fb8448ca3a30966ad7a04a17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 13:47:34 -0700 +Subject: bpf, sockmap: Fix race in ingress receive verdict with redirect to + self + +From: John Fastabend + +[ Upstream commit c5d2177a72a1659554922728fc407f59950aa929 ] + +A socket in a sockmap may have different combinations of programs attached +depending on configuration. There can be no programs in which case the socket +acts as a sink only. There can be a TX program in this case a BPF program is +attached to sending side, but no RX program is attached. There can be an RX +program only where sends have no BPF program attached, but receives are hooked +with BPF. And finally, both TX and RX programs may be attached. Giving us the +permutations: + + None, Tx, Rx, and TxRx + +To date most of our use cases have been TX case being used as a fast datapath +to directly copy between local application and a userspace proxy. Or Rx cases +and TxRX applications that are operating an in kernel based proxy. The traffic +in the first case where we hook applications into a userspace application looks +like this: + + AppA redirect AppB + Tx <-----------> Rx + | | + + + + TCP <--> lo <--> TCP + +In this case all traffic from AppA (after 3whs) is copied into the AppB +ingress queue and no traffic is ever on the TCP recieive_queue. + +In the second case the application never receives, except in some rare error +cases, traffic on the actual user space socket. Instead the send happens in +the kernel. + + AppProxy socket pool + sk0 ------------->{sk1,sk2, skn} + ^ | + | | + | v + ingress lb egress + TCP TCP + +Here because traffic is never read off the socket with userspace recv() APIs +there is only ever one reader on the sk receive_queue. Namely the BPF programs. + +However, we've started to introduce a third configuration where the BPF program +on receive should process the data, but then the normal case is to push the +data into the receive queue of AppB. + + AppB + recv() (userspace) + ----------------------- + tcp_bpf_recvmsg() (kernel) + | | + | | + | | + ingress_msgQ | + | | + RX_BPF | + | | + v v + sk->receive_queue + +This is different from the App{A,B} redirect because traffic is first received +on the sk->receive_queue. + +Now for the issue. The tcp_bpf_recvmsg() handler first checks the ingress_msg +queue for any data handled by the BPF rx program and returned with PASS code +so that it was enqueued on the ingress msg queue. Then if no data exists on +that queue it checks the socket receive queue. Unfortunately, this is the same +receive_queue the BPF program is reading data off of. So we get a race. Its +possible for the recvmsg() hook to pull data off the receive_queue before the +BPF hook has a chance to read it. It typically happens when an application is +banging on recv() and getting EAGAINs. Until they manage to race with the RX +BPF program. + +To fix this we note that before this patch at attach time when the socket is +loaded into the map we check if it needs a TX program or just the base set of +proto bpf hooks. Then it uses the above general RX hook regardless of if we +have a BPF program attached at rx or not. This patch now extends this check to +handle all cases enumerated above, TX, RX, TXRX, and none. And to fix above +race when an RX program is attached we use a new hook that is nearly identical +to the old one except now we do not let the recv() call skip the RX BPF program. +Now only the BPF program pulls data from sk->receive_queue and recv() only +pulls data from the ingress msgQ post BPF program handling. + +With this resolved our AppB from above has been up and running for many hours +without detecting any errors. We do this by correlating counters in RX BPF +events and the AppB to ensure data is never skipping the BPF program. Selftests, +was not able to detect this because we only run them for a short period of time +on well ordered send/recvs so we don't get any of the noise we see in real +application environments. + +Fixes: 51199405f9672 ("bpf: skb_verdict, support SK_PASS on RX BPF path") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Tested-by: Jussi Maki +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20211103204736.248403-4-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 47 insertions(+) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 246f725b78c9b..f70aa0932bd6c 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -172,6 +172,41 @@ static int tcp_msg_wait_data(struct sock *sk, struct sk_psock *psock, + return ret; + } + ++static int tcp_bpf_recvmsg_parser(struct sock *sk, ++ struct msghdr *msg, ++ size_t len, ++ int nonblock, ++ int flags, ++ int *addr_len) ++{ ++ struct sk_psock *psock; ++ int copied; ++ ++ if (unlikely(flags & MSG_ERRQUEUE)) ++ return inet_recv_error(sk, msg, len, addr_len); ++ ++ psock = sk_psock_get(sk); ++ if (unlikely(!psock)) ++ return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); ++ ++ lock_sock(sk); ++msg_bytes_ready: ++ copied = sk_msg_recvmsg(sk, psock, msg, len, flags); ++ if (!copied) { ++ long timeo; ++ int data; ++ ++ timeo = sock_rcvtimeo(sk, nonblock); ++ data = tcp_msg_wait_data(sk, psock, timeo); ++ if (data && !sk_psock_queue_empty(psock)) ++ goto msg_bytes_ready; ++ copied = -EAGAIN; ++ } ++ release_sock(sk); ++ sk_psock_put(sk, psock); ++ return copied; ++} ++ + static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, + int nonblock, int flags, int *addr_len) + { +@@ -464,6 +499,8 @@ enum { + enum { + TCP_BPF_BASE, + TCP_BPF_TX, ++ TCP_BPF_RX, ++ TCP_BPF_TXRX, + TCP_BPF_NUM_CFGS, + }; + +@@ -482,6 +519,12 @@ static void tcp_bpf_rebuild_protos(struct proto prot[TCP_BPF_NUM_CFGS], + prot[TCP_BPF_TX] = prot[TCP_BPF_BASE]; + prot[TCP_BPF_TX].sendmsg = tcp_bpf_sendmsg; + prot[TCP_BPF_TX].sendpage = tcp_bpf_sendpage; ++ ++ prot[TCP_BPF_RX] = prot[TCP_BPF_BASE]; ++ prot[TCP_BPF_RX].recvmsg = tcp_bpf_recvmsg_parser; ++ ++ prot[TCP_BPF_TXRX] = prot[TCP_BPF_TX]; ++ prot[TCP_BPF_TXRX].recvmsg = tcp_bpf_recvmsg_parser; + } + + static void tcp_bpf_check_v6_needs_rebuild(struct proto *ops) +@@ -519,6 +562,10 @@ int tcp_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore) + int family = sk->sk_family == AF_INET6 ? TCP_BPF_IPV6 : TCP_BPF_IPV4; + int config = psock->progs.msg_parser ? TCP_BPF_TX : TCP_BPF_BASE; + ++ if (psock->progs.stream_verdict || psock->progs.skb_verdict) { ++ config = (config == TCP_BPF_TX) ? TCP_BPF_TXRX : TCP_BPF_RX; ++ } ++ + if (restore) { + if (inet_csk_has_ulp(sk)) { + /* TLS does not have an unhash proto in SW cases, +-- +2.33.0 + diff --git a/queue-5.15/bpf-sockmap-remove-unhash-handler-for-bpf-sockmap-us.patch b/queue-5.15/bpf-sockmap-remove-unhash-handler-for-bpf-sockmap-us.patch new file mode 100644 index 00000000000..f0ffbd2fab7 --- /dev/null +++ b/queue-5.15/bpf-sockmap-remove-unhash-handler-for-bpf-sockmap-us.patch @@ -0,0 +1,48 @@ +From 2b460a4442cf8ea19142cd8f88f7f59cf1fbc85c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 13:47:33 -0700 +Subject: bpf, sockmap: Remove unhash handler for BPF sockmap usage + +From: John Fastabend + +[ Upstream commit b8b8315e39ffaca82e79d86dde26e9144addf66b ] + +We do not need to handle unhash from BPF side we can simply wait for the +close to happen. The original concern was a socket could transition from +ESTABLISHED state to a new state while the BPF hook was still attached. +But, we convinced ourself this is no longer possible and we also improved +BPF sockmap to handle listen sockets so this is no longer a problem. + +More importantly though there are cases where unhash is called when data is +in the receive queue. The BPF unhash logic will flush this data which is +wrong. To be correct it should keep the data in the receive queue and allow +a receiving application to continue reading the data. This may happen when +tcp_abort() is received for example. Instead of complicating the logic in +unhash simply moving all this to tcp_close() hook solves this. + +Fixes: 51199405f9672 ("bpf: skb_verdict, support SK_PASS on RX BPF path") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Tested-by: Jussi Maki +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20211103204736.248403-3-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_bpf.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 5f4d6f45d87f7..246f725b78c9b 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -475,7 +475,6 @@ static void tcp_bpf_rebuild_protos(struct proto prot[TCP_BPF_NUM_CFGS], + struct proto *base) + { + prot[TCP_BPF_BASE] = *base; +- prot[TCP_BPF_BASE].unhash = sock_map_unhash; + prot[TCP_BPF_BASE].close = sock_map_close; + prot[TCP_BPF_BASE].recvmsg = tcp_bpf_recvmsg; + prot[TCP_BPF_BASE].sock_is_readable = sk_msg_is_readable; +-- +2.33.0 + diff --git a/queue-5.15/bpf-sockmap-sk_skb-data_end-access-incorrect-when-sr.patch b/queue-5.15/bpf-sockmap-sk_skb-data_end-access-incorrect-when-sr.patch new file mode 100644 index 00000000000..f52be4a13cd --- /dev/null +++ b/queue-5.15/bpf-sockmap-sk_skb-data_end-access-incorrect-when-sr.patch @@ -0,0 +1,125 @@ +From d060b0f0ae2ada73311aeb1570300c9fe32526aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 13:47:36 -0700 +Subject: bpf, sockmap: sk_skb data_end access incorrect when src_reg = dst_reg + +From: Jussi Maki + +[ Upstream commit b2c4618162ec615a15883a804cce7e27afecfa58 ] + +The current conversion of skb->data_end reads like this: + + ; data_end = (void*)(long)skb->data_end; + 559: (79) r1 = *(u64 *)(r2 +200) ; r1 = skb->data + 560: (61) r11 = *(u32 *)(r2 +112) ; r11 = skb->len + 561: (0f) r1 += r11 + 562: (61) r11 = *(u32 *)(r2 +116) + 563: (1f) r1 -= r11 + +But similar to the case in 84f44df664e9 ("bpf: sock_ops sk access may stomp +registers when dst_reg = src_reg"), the code will read an incorrect skb->len +when src == dst. In this case we end up generating this xlated code: + + ; data_end = (void*)(long)skb->data_end; + 559: (79) r1 = *(u64 *)(r1 +200) ; r1 = skb->data + 560: (61) r11 = *(u32 *)(r1 +112) ; r11 = (skb->data)->len + 561: (0f) r1 += r11 + 562: (61) r11 = *(u32 *)(r1 +116) + 563: (1f) r1 -= r11 + +... where line 560 is the reading 4B of (skb->data + 112) instead of the +intended skb->len Here the skb pointer in r1 gets set to skb->data and the +later deref for skb->len ends up following skb->data instead of skb. + +This fixes the issue similarly to the patch mentioned above by creating an +additional temporary variable and using to store the register when dst_reg = +src_reg. We name the variable bpf_temp_reg and place it in the cb context for +sk_skb. Then we restore from the temp to ensure nothing is lost. + +Fixes: 16137b09a66f2 ("bpf: Compute data_end dynamically with JIT code") +Signed-off-by: Jussi Maki +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20211103204736.248403-6-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + include/net/strparser.h | 4 ++++ + net/core/filter.c | 36 ++++++++++++++++++++++++++++++------ + 2 files changed, 34 insertions(+), 6 deletions(-) + +diff --git a/include/net/strparser.h b/include/net/strparser.h +index bec1439bd3be6..732b7097d78e4 100644 +--- a/include/net/strparser.h ++++ b/include/net/strparser.h +@@ -66,6 +66,10 @@ struct sk_skb_cb { + #define SK_SKB_CB_PRIV_LEN 20 + unsigned char data[SK_SKB_CB_PRIV_LEN]; + struct _strp_msg strp; ++ /* temp_reg is a temporary register used for bpf_convert_data_end_access ++ * when dst_reg == src_reg. ++ */ ++ u64 temp_reg; + }; + + static inline struct strp_msg *strp_msg(struct sk_buff *skb) +diff --git a/net/core/filter.c b/net/core/filter.c +index 23a9bf92b5bb9..f4a63af45f008 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -9735,22 +9735,46 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, + static struct bpf_insn *bpf_convert_data_end_access(const struct bpf_insn *si, + struct bpf_insn *insn) + { +- /* si->dst_reg = skb->data */ ++ int reg; ++ int temp_reg_off = offsetof(struct sk_buff, cb) + ++ offsetof(struct sk_skb_cb, temp_reg); ++ ++ if (si->src_reg == si->dst_reg) { ++ /* We need an extra register, choose and save a register. */ ++ reg = BPF_REG_9; ++ if (si->src_reg == reg || si->dst_reg == reg) ++ reg--; ++ if (si->src_reg == reg || si->dst_reg == reg) ++ reg--; ++ *insn++ = BPF_STX_MEM(BPF_DW, si->src_reg, reg, temp_reg_off); ++ } else { ++ reg = si->dst_reg; ++ } ++ ++ /* reg = skb->data */ + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, data), +- si->dst_reg, si->src_reg, ++ reg, si->src_reg, + offsetof(struct sk_buff, data)); + /* AX = skb->len */ + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, len), + BPF_REG_AX, si->src_reg, + offsetof(struct sk_buff, len)); +- /* si->dst_reg = skb->data + skb->len */ +- *insn++ = BPF_ALU64_REG(BPF_ADD, si->dst_reg, BPF_REG_AX); ++ /* reg = skb->data + skb->len */ ++ *insn++ = BPF_ALU64_REG(BPF_ADD, reg, BPF_REG_AX); + /* AX = skb->data_len */ + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, data_len), + BPF_REG_AX, si->src_reg, + offsetof(struct sk_buff, data_len)); +- /* si->dst_reg = skb->data + skb->len - skb->data_len */ +- *insn++ = BPF_ALU64_REG(BPF_SUB, si->dst_reg, BPF_REG_AX); ++ ++ /* reg = skb->data + skb->len - skb->data_len */ ++ *insn++ = BPF_ALU64_REG(BPF_SUB, reg, BPF_REG_AX); ++ ++ if (si->src_reg == si->dst_reg) { ++ /* Restore the saved register */ ++ *insn++ = BPF_MOV64_REG(BPF_REG_AX, si->src_reg); ++ *insn++ = BPF_MOV64_REG(si->dst_reg, reg); ++ *insn++ = BPF_LDX_MEM(BPF_DW, reg, BPF_REG_AX, temp_reg_off); ++ } + + return insn; + } +-- +2.33.0 + diff --git a/queue-5.15/bpf-sockmap-strparser-and-tls-are-reusing-qdisc_skb_.patch b/queue-5.15/bpf-sockmap-strparser-and-tls-are-reusing-qdisc_skb_.patch new file mode 100644 index 00000000000..102578fc6ca --- /dev/null +++ b/queue-5.15/bpf-sockmap-strparser-and-tls-are-reusing-qdisc_skb_.patch @@ -0,0 +1,150 @@ +From 7d603ca790fc96ef61e96aabc1a58d31f40e1442 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 13:47:35 -0700 +Subject: bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and + colliding + +From: John Fastabend + +[ Upstream commit e0dc3b93bd7bcff8c3813d1df43e0908499c7cf0 ] + +Strparser is reusing the qdisc_skb_cb struct to stash the skb message handling +progress, e.g. offset and length of the skb. First this is poorly named and +inherits a struct from qdisc that doesn't reflect the actual usage of cb[] at +this layer. + +But, more importantly strparser is using the following to access its metadata. + + (struct _strp_msg *)((void *)skb->cb + offsetof(struct qdisc_skb_cb, data)) + +Where _strp_msg is defined as: + + struct _strp_msg { + struct strp_msg strp; /* 0 8 */ + int accum_len; /* 8 4 */ + + /* size: 12, cachelines: 1, members: 2 */ + /* last cacheline: 12 bytes */ + }; + +So we use 12 bytes of ->data[] in struct. However in BPF code running parser +and verdict the user has read capabilities into the data[] array as well. Its +not too problematic, but we should not be exposing internal state to BPF +program. If its really needed then we can use the probe_read() APIs which allow +reading kernel memory. And I don't believe cb[] layer poses any API breakage by +moving this around because programs can't depend on cb[] across layers. + +In order to fix another issue with a ctx rewrite we need to stash a temp +variable somewhere. To make this work cleanly this patch builds a cb struct +for sk_skb types called sk_skb_cb struct. Then we can use this consistently +in the strparser, sockmap space. Additionally we can start allowing ->cb[] +write access after this. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Tested-by: Jussi Maki +Reviewed-by: Jakub Sitnicki +Link: https://lore.kernel.org/bpf/20211103204736.248403-5-john.fastabend@gmail.com +Signed-off-by: Sasha Levin +--- + include/net/strparser.h | 16 +++++++++++++++- + net/core/filter.c | 22 ++++++++++++++++++++++ + net/strparser/strparser.c | 10 +--------- + 3 files changed, 38 insertions(+), 10 deletions(-) + +diff --git a/include/net/strparser.h b/include/net/strparser.h +index 1d20b98493a10..bec1439bd3be6 100644 +--- a/include/net/strparser.h ++++ b/include/net/strparser.h +@@ -54,10 +54,24 @@ struct strp_msg { + int offset; + }; + ++struct _strp_msg { ++ /* Internal cb structure. struct strp_msg must be first for passing ++ * to upper layer. ++ */ ++ struct strp_msg strp; ++ int accum_len; ++}; ++ ++struct sk_skb_cb { ++#define SK_SKB_CB_PRIV_LEN 20 ++ unsigned char data[SK_SKB_CB_PRIV_LEN]; ++ struct _strp_msg strp; ++}; ++ + static inline struct strp_msg *strp_msg(struct sk_buff *skb) + { + return (struct strp_msg *)((void *)skb->cb + +- offsetof(struct qdisc_skb_cb, data)); ++ offsetof(struct sk_skb_cb, strp)); + } + + /* Structure for an attached lower socket */ +diff --git a/net/core/filter.c b/net/core/filter.c +index 2e32cee2c4690..23a9bf92b5bb9 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -9761,11 +9761,33 @@ static u32 sk_skb_convert_ctx_access(enum bpf_access_type type, + struct bpf_prog *prog, u32 *target_size) + { + struct bpf_insn *insn = insn_buf; ++ int off; + + switch (si->off) { + case offsetof(struct __sk_buff, data_end): + insn = bpf_convert_data_end_access(si, insn); + break; ++ case offsetof(struct __sk_buff, cb[0]) ... ++ offsetofend(struct __sk_buff, cb[4]) - 1: ++ BUILD_BUG_ON(sizeof_field(struct sk_skb_cb, data) < 20); ++ BUILD_BUG_ON((offsetof(struct sk_buff, cb) + ++ offsetof(struct sk_skb_cb, data)) % ++ sizeof(__u64)); ++ ++ prog->cb_access = 1; ++ off = si->off; ++ off -= offsetof(struct __sk_buff, cb[0]); ++ off += offsetof(struct sk_buff, cb); ++ off += offsetof(struct sk_skb_cb, data); ++ if (type == BPF_WRITE) ++ *insn++ = BPF_STX_MEM(BPF_SIZE(si->code), si->dst_reg, ++ si->src_reg, off); ++ else ++ *insn++ = BPF_LDX_MEM(BPF_SIZE(si->code), si->dst_reg, ++ si->src_reg, off); ++ break; ++ ++ + default: + return bpf_convert_ctx_access(type, si, insn_buf, prog, + target_size); +diff --git a/net/strparser/strparser.c b/net/strparser/strparser.c +index 9c0343568d2a0..1a72c67afed5e 100644 +--- a/net/strparser/strparser.c ++++ b/net/strparser/strparser.c +@@ -27,18 +27,10 @@ + + static struct workqueue_struct *strp_wq; + +-struct _strp_msg { +- /* Internal cb structure. struct strp_msg must be first for passing +- * to upper layer. +- */ +- struct strp_msg strp; +- int accum_len; +-}; +- + static inline struct _strp_msg *_strp_msg(struct sk_buff *skb) + { + return (struct _strp_msg *)((void *)skb->cb + +- offsetof(struct qdisc_skb_cb, data)); ++ offsetof(struct sk_skb_cb, strp)); + } + + /* Lower lock held */ +-- +2.33.0 + diff --git a/queue-5.15/bpf-tests-fix-error-in-tail-call-limit-tests.patch b/queue-5.15/bpf-tests-fix-error-in-tail-call-limit-tests.patch new file mode 100644 index 00000000000..651c22e6a24 --- /dev/null +++ b/queue-5.15/bpf-tests-fix-error-in-tail-call-limit-tests.patch @@ -0,0 +1,120 @@ +From 786d9c8abad24efc8672e0df098f845f5093e52c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 11:18:41 +0200 +Subject: bpf/tests: Fix error in tail call limit tests + +From: Johan Almbladh + +[ Upstream commit 18935a72eb25525b655262579e1652362a3b29bb ] + +This patch fixes an error in the tail call limit test that caused the +test to fail on for x86-64 JIT. Previously, the register R0 was used to +report the total number of tail calls made. However, after a tail call +fall-through, the value of the R0 register is undefined. Now, all tail +call error path tests instead use context state to store the count. + +Fixes: 874be05f525e ("bpf, tests: Add tail call test suite") +Reported-by: Paul Chaignon +Reported-by: Tiezhu Yang +Signed-off-by: Johan Almbladh +Signed-off-by: Daniel Borkmann +Tested-by: Tiezhu Yang +Link: https://lore.kernel.org/bpf/20210914091842.4186267-14-johan.almbladh@anyfinetworks.com +Signed-off-by: Sasha Levin +--- + lib/test_bpf.c | 37 +++++++++++++++++++++++++++---------- + 1 file changed, 27 insertions(+), 10 deletions(-) + +diff --git a/lib/test_bpf.c b/lib/test_bpf.c +index 830a18ecffc88..68d125b409f20 100644 +--- a/lib/test_bpf.c ++++ b/lib/test_bpf.c +@@ -8992,10 +8992,15 @@ static __init int test_bpf(void) + struct tail_call_test { + const char *descr; + struct bpf_insn insns[MAX_INSNS]; ++ int flags; + int result; + int stack_depth; + }; + ++/* Flags that can be passed to tail call test cases */ ++#define FLAG_NEED_STATE BIT(0) ++#define FLAG_RESULT_IN_STATE BIT(1) ++ + /* + * Magic marker used in test snippets for tail calls below. + * BPF_LD/MOV to R2 and R2 with this immediate value is replaced +@@ -9065,32 +9070,38 @@ static struct tail_call_test tail_call_tests[] = { + { + "Tail call error path, max count reached", + .insns = { +- BPF_ALU64_IMM(BPF_ADD, R1, 1), +- BPF_ALU64_REG(BPF_MOV, R0, R1), ++ BPF_LDX_MEM(BPF_W, R2, R1, 0), ++ BPF_ALU64_IMM(BPF_ADD, R2, 1), ++ BPF_STX_MEM(BPF_W, R1, R2, 0), + TAIL_CALL(0), + BPF_EXIT_INSN(), + }, +- .result = MAX_TAIL_CALL_CNT + 1, ++ .flags = FLAG_NEED_STATE | FLAG_RESULT_IN_STATE, ++ .result = (MAX_TAIL_CALL_CNT + 1 + 1) * MAX_TESTRUNS, + }, + { + "Tail call error path, NULL target", + .insns = { +- BPF_ALU64_IMM(BPF_MOV, R0, -1), ++ BPF_LDX_MEM(BPF_W, R2, R1, 0), ++ BPF_ALU64_IMM(BPF_ADD, R2, 1), ++ BPF_STX_MEM(BPF_W, R1, R2, 0), + TAIL_CALL(TAIL_CALL_NULL), +- BPF_ALU64_IMM(BPF_MOV, R0, 1), + BPF_EXIT_INSN(), + }, +- .result = 1, ++ .flags = FLAG_NEED_STATE | FLAG_RESULT_IN_STATE, ++ .result = MAX_TESTRUNS, + }, + { + "Tail call error path, index out of range", + .insns = { +- BPF_ALU64_IMM(BPF_MOV, R0, -1), ++ BPF_LDX_MEM(BPF_W, R2, R1, 0), ++ BPF_ALU64_IMM(BPF_ADD, R2, 1), ++ BPF_STX_MEM(BPF_W, R1, R2, 0), + TAIL_CALL(TAIL_CALL_INVALID), +- BPF_ALU64_IMM(BPF_MOV, R0, 1), + BPF_EXIT_INSN(), + }, +- .result = 1, ++ .flags = FLAG_NEED_STATE | FLAG_RESULT_IN_STATE, ++ .result = MAX_TESTRUNS, + }, + }; + +@@ -9196,6 +9207,8 @@ static __init int test_tail_calls(struct bpf_array *progs) + for (i = 0; i < ARRAY_SIZE(tail_call_tests); i++) { + struct tail_call_test *test = &tail_call_tests[i]; + struct bpf_prog *fp = progs->ptrs[i]; ++ int *data = NULL; ++ int state = 0; + u64 duration; + int ret; + +@@ -9212,7 +9225,11 @@ static __init int test_tail_calls(struct bpf_array *progs) + if (fp->jited) + jit_cnt++; + +- ret = __run_one(fp, NULL, MAX_TESTRUNS, &duration); ++ if (test->flags & FLAG_NEED_STATE) ++ data = &state; ++ ret = __run_one(fp, data, MAX_TESTRUNS, &duration); ++ if (test->flags & FLAG_RESULT_IN_STATE) ++ ret = state; + if (ret == test->result) { + pr_cont("%lld PASS", duration); + pass_cnt++; +-- +2.33.0 + diff --git a/queue-5.15/bpftool-avoid-leaking-the-json-writer-prepared-for-p.patch b/queue-5.15/bpftool-avoid-leaking-the-json-writer-prepared-for-p.patch new file mode 100644 index 00000000000..b21e285f7ed --- /dev/null +++ b/queue-5.15/bpftool-avoid-leaking-the-json-writer-prepared-for-p.patch @@ -0,0 +1,69 @@ +From 327170ee896d0a29fd196f911059f3d13a0ce4a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 10:47:43 +0100 +Subject: bpftool: Avoid leaking the JSON writer prepared for program metadata + +From: Quentin Monnet + +[ Upstream commit e89ef634f81c9d90e1824ab183721f3b361472e6 ] + +Bpftool creates a new JSON object for writing program metadata in plain +text mode, regardless of metadata being present or not. Then this writer +is freed if any metadata has been found and printed, but it leaks +otherwise. We cannot destroy the object unconditionally, because the +destructor prints an undesirable line break. Instead, make sure the +writer is created only after we have found program metadata to print. + +Found with valgrind. + +Fixes: aff52e685eb3 ("bpftool: Support dumping metadata") +Signed-off-by: Quentin Monnet +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20211022094743.11052-1-quentin@isovalent.com +Signed-off-by: Sasha Levin +--- + tools/bpf/bpftool/prog.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c +index 9c3e343b7d872..fe59404e87046 100644 +--- a/tools/bpf/bpftool/prog.c ++++ b/tools/bpf/bpftool/prog.c +@@ -308,18 +308,12 @@ static void show_prog_metadata(int fd, __u32 num_maps) + if (printed_header) + jsonw_end_object(json_wtr); + } else { +- json_writer_t *btf_wtr = jsonw_new(stdout); ++ json_writer_t *btf_wtr; + struct btf_dumper d = { + .btf = btf, +- .jw = btf_wtr, + .is_plain_text = true, + }; + +- if (!btf_wtr) { +- p_err("jsonw alloc failed"); +- goto out_free; +- } +- + for (i = 0; i < vlen; i++, vsi++) { + t_var = btf__type_by_id(btf, vsi->type); + name = btf__name_by_offset(btf, t_var->name_off); +@@ -329,6 +323,14 @@ static void show_prog_metadata(int fd, __u32 num_maps) + + if (!printed_header) { + printf("\tmetadata:"); ++ ++ btf_wtr = jsonw_new(stdout); ++ if (!btf_wtr) { ++ p_err("jsonw alloc failed"); ++ goto out_free; ++ } ++ d.jw = btf_wtr, ++ + printed_header = true; + } + +-- +2.33.0 + diff --git a/queue-5.15/brcmfmac-add-dmi-nvram-filename-quirk-for-cyberbook-.patch b/queue-5.15/brcmfmac-add-dmi-nvram-filename-quirk-for-cyberbook-.patch new file mode 100644 index 00000000000..e8bd2f4257a --- /dev/null +++ b/queue-5.15/brcmfmac-add-dmi-nvram-filename-quirk-for-cyberbook-.patch @@ -0,0 +1,50 @@ +From 5336286c858dccc75e73a02eb22f6c07c7ed1607 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 18:06:33 +0200 +Subject: brcmfmac: Add DMI nvram filename quirk for Cyberbook T116 tablet + +From: Hans de Goede + +[ Upstream commit 49c3eb3036e6359c5c20fe76c611a2c0e0d4710e ] + +The Cyberbook T116 tablet contains quite generic names in the sys_vendor +and product_name DMI strings, without this patch brcmfmac will try to load: +"brcmfmac43455-sdio.Default string-Default string.txt" as nvram file which +is way too generic. + +The nvram file shipped on the factory Android image contains the exact +same settings as those used on the AcePC T8 mini PC, so point the new +DMI nvram filename quirk to the acepc-t8 nvram file. + +Signed-off-by: Hans de Goede +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210928160633.96928-1-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c +index 6d5188b78f2de..0af452dca7664 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c +@@ -75,6 +75,16 @@ static const struct dmi_system_id dmi_platform_data[] = { + }, + .driver_data = (void *)&acepc_t8_data, + }, ++ { ++ /* Cyberbook T116 rugged tablet */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Default string"), ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Cherry Trail CR"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_SKU, "20170531"), ++ }, ++ /* The factory image nvram file is identical to the ACEPC T8 one */ ++ .driver_data = (void *)&acepc_t8_data, ++ }, + { + /* Match for the GPDwin which unfortunately uses somewhat + * generic dmi strings, which is why we test for 4 strings. +-- +2.33.0 + diff --git a/queue-5.15/btrfs-do-not-take-the-uuid_mutex-in-btrfs_rm_device.patch b/queue-5.15/btrfs-do-not-take-the-uuid_mutex-in-btrfs_rm_device.patch new file mode 100644 index 00000000000..15a463961e0 --- /dev/null +++ b/queue-5.15/btrfs-do-not-take-the-uuid_mutex-in-btrfs_rm_device.patch @@ -0,0 +1,237 @@ +From aac70d2535a7fbdabaecdad869c453c7152efa4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 17:01:14 -0400 +Subject: btrfs: do not take the uuid_mutex in btrfs_rm_device + +From: Josef Bacik + +[ Upstream commit 8ef9dc0f14ba6124c62547a4fdc59b163d8b864e ] + +We got the following lockdep splat while running fstests (specifically +btrfs/003 and btrfs/020 in a row) with the new rc. This was uncovered +by 87579e9b7d8d ("loop: use worker per cgroup instead of kworker") which +converted loop to using workqueues, which comes with lockdep +annotations that don't exist with kworkers. The lockdep splat is as +follows: + + WARNING: possible circular locking dependency detected + 5.14.0-rc2-custom+ #34 Not tainted + ------------------------------------------------------ + losetup/156417 is trying to acquire lock: + ffff9c7645b02d38 ((wq_completion)loop0){+.+.}-{0:0}, at: flush_workqueue+0x84/0x600 + + but task is already holding lock: + ffff9c7647395468 (&lo->lo_mutex){+.+.}-{3:3}, at: __loop_clr_fd+0x41/0x650 [loop] + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #5 (&lo->lo_mutex){+.+.}-{3:3}: + __mutex_lock+0xba/0x7c0 + lo_open+0x28/0x60 [loop] + blkdev_get_whole+0x28/0xf0 + blkdev_get_by_dev.part.0+0x168/0x3c0 + blkdev_open+0xd2/0xe0 + do_dentry_open+0x163/0x3a0 + path_openat+0x74d/0xa40 + do_filp_open+0x9c/0x140 + do_sys_openat2+0xb1/0x170 + __x64_sys_openat+0x54/0x90 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + -> #4 (&disk->open_mutex){+.+.}-{3:3}: + __mutex_lock+0xba/0x7c0 + blkdev_get_by_dev.part.0+0xd1/0x3c0 + blkdev_get_by_path+0xc0/0xd0 + btrfs_scan_one_device+0x52/0x1f0 [btrfs] + btrfs_control_ioctl+0xac/0x170 [btrfs] + __x64_sys_ioctl+0x83/0xb0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + -> #3 (uuid_mutex){+.+.}-{3:3}: + __mutex_lock+0xba/0x7c0 + btrfs_rm_device+0x48/0x6a0 [btrfs] + btrfs_ioctl+0x2d1c/0x3110 [btrfs] + __x64_sys_ioctl+0x83/0xb0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + -> #2 (sb_writers#11){.+.+}-{0:0}: + lo_write_bvec+0x112/0x290 [loop] + loop_process_work+0x25f/0xcb0 [loop] + process_one_work+0x28f/0x5d0 + worker_thread+0x55/0x3c0 + kthread+0x140/0x170 + ret_from_fork+0x22/0x30 + + -> #1 ((work_completion)(&lo->rootcg_work)){+.+.}-{0:0}: + process_one_work+0x266/0x5d0 + worker_thread+0x55/0x3c0 + kthread+0x140/0x170 + ret_from_fork+0x22/0x30 + + -> #0 ((wq_completion)loop0){+.+.}-{0:0}: + __lock_acquire+0x1130/0x1dc0 + lock_acquire+0xf5/0x320 + flush_workqueue+0xae/0x600 + drain_workqueue+0xa0/0x110 + destroy_workqueue+0x36/0x250 + __loop_clr_fd+0x9a/0x650 [loop] + lo_ioctl+0x29d/0x780 [loop] + block_ioctl+0x3f/0x50 + __x64_sys_ioctl+0x83/0xb0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + other info that might help us debug this: + Chain exists of: + (wq_completion)loop0 --> &disk->open_mutex --> &lo->lo_mutex + Possible unsafe locking scenario: + CPU0 CPU1 + ---- ---- + lock(&lo->lo_mutex); + lock(&disk->open_mutex); + lock(&lo->lo_mutex); + lock((wq_completion)loop0); + + *** DEADLOCK *** + 1 lock held by losetup/156417: + #0: ffff9c7647395468 (&lo->lo_mutex){+.+.}-{3:3}, at: __loop_clr_fd+0x41/0x650 [loop] + + stack backtrace: + CPU: 8 PID: 156417 Comm: losetup Not tainted 5.14.0-rc2-custom+ #34 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 + Call Trace: + dump_stack_lvl+0x57/0x72 + check_noncircular+0x10a/0x120 + __lock_acquire+0x1130/0x1dc0 + lock_acquire+0xf5/0x320 + ? flush_workqueue+0x84/0x600 + flush_workqueue+0xae/0x600 + ? flush_workqueue+0x84/0x600 + drain_workqueue+0xa0/0x110 + destroy_workqueue+0x36/0x250 + __loop_clr_fd+0x9a/0x650 [loop] + lo_ioctl+0x29d/0x780 [loop] + ? __lock_acquire+0x3a0/0x1dc0 + ? update_dl_rq_load_avg+0x152/0x360 + ? lock_is_held_type+0xa5/0x120 + ? find_held_lock.constprop.0+0x2b/0x80 + block_ioctl+0x3f/0x50 + __x64_sys_ioctl+0x83/0xb0 + do_syscall_64+0x3b/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f645884de6b + +Usually the uuid_mutex exists to protect the fs_devices that map +together all of the devices that match a specific uuid. In rm_device +we're messing with the uuid of a device, so it makes sense to protect +that here. + +However in doing that it pulls in a whole host of lockdep dependencies, +as we call mnt_may_write() on the sb before we grab the uuid_mutex, thus +we end up with the dependency chain under the uuid_mutex being added +under the normal sb write dependency chain, which causes problems with +loop devices. + +We don't need the uuid mutex here however. If we call +btrfs_scan_one_device() before we scratch the super block we will find +the fs_devices and not find the device itself and return EBUSY because +the fs_devices is open. If we call it after the scratch happens it will +not appear to be a valid btrfs file system. + +We do not need to worry about other fs_devices modifying operations here +because we're protected by the exclusive operations locking. + +So drop the uuid_mutex here in order to fix the lockdep splat. + +A more detailed explanation from the discussion: + +We are worried about rm and scan racing with each other, before this +change we'll zero the device out under the UUID mutex so when scan does +run it'll make sure that it can go through the whole device scan thing +without rm messing with us. + +We aren't worried if the scratch happens first, because the result is we +don't think this is a btrfs device and we bail out. + +The only case we are concerned with is we scratch _after_ scan is able +to read the superblock and gets a seemingly valid super block, so lets +consider this case. + +Scan will call device_list_add() with the device we're removing. We'll +call find_fsid_with_metadata_uuid() and get our fs_devices for this +UUID. At this point we lock the fs_devices->device_list_mutex. This is +what protects us in this case, but we have two cases here. + +1. We aren't to the device removal part of the RM. We found our device, + and device name matches our path, we go down and we set total_devices + to our super number of devices, which doesn't affect anything because + we haven't done the remove yet. + +2. We are past the device removal part, which is protected by the + device_list_mutex. Scan doesn't find the device, it goes down and + does the + + if (fs_devices->opened) + return -EBUSY; + + check and we bail out. + +Nothing about this situation is ideal, but the lockdep splat is real, +and the fix is safe, tho admittedly a bit scary looking. + +Reviewed-by: Anand Jain +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +[ copy more from the discussion ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/volumes.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c +index 56252cc5c5f7b..6afebc5b10c84 100644 +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -2083,8 +2083,11 @@ int btrfs_rm_device(struct btrfs_fs_info *fs_info, const char *device_path, + u64 num_devices; + int ret = 0; + +- mutex_lock(&uuid_mutex); +- ++ /* ++ * The device list in fs_devices is accessed without locks (neither ++ * uuid_mutex nor device_list_mutex) as it won't change on a mounted ++ * filesystem and another device rm cannot run. ++ */ + num_devices = btrfs_num_devices(fs_info); + + ret = btrfs_check_raid_min_devices(fs_info, num_devices - 1); +@@ -2128,11 +2131,9 @@ int btrfs_rm_device(struct btrfs_fs_info *fs_info, const char *device_path, + mutex_unlock(&fs_info->chunk_mutex); + } + +- mutex_unlock(&uuid_mutex); + ret = btrfs_shrink_device(device, 0); + if (!ret) + btrfs_reada_remove_dev(device); +- mutex_lock(&uuid_mutex); + if (ret) + goto error_undo; + +@@ -2219,7 +2220,6 @@ int btrfs_rm_device(struct btrfs_fs_info *fs_info, const char *device_path, + } + + out: +- mutex_unlock(&uuid_mutex); + return ret; + + error_undo: +-- +2.33.0 + diff --git a/queue-5.15/btrfs-reflink-initialize-return-value-to-0-in-btrfs_.patch b/queue-5.15/btrfs-reflink-initialize-return-value-to-0-in-btrfs_.patch new file mode 100644 index 00000000000..361d12a119f --- /dev/null +++ b/queue-5.15/btrfs-reflink-initialize-return-value-to-0-in-btrfs_.patch @@ -0,0 +1,39 @@ +From 0edff81386ec8e0ecb09e860291fbebbe17c716c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 14:44:36 +0000 +Subject: btrfs: reflink: initialize return value to 0 in btrfs_extent_same() + +From: Sidong Yang + +[ Upstream commit 44bee215f72f13874c0e734a0712c2e3264c0108 ] + +Fix a warning reported by smatch that ret could be returned without +initialized. The dedupe operations are supposed to to return 0 for a 0 +length range but the caller does not pass olen == 0. To keep this +behaviour and also fix the warning initialize ret to 0. + +Reviewed-by: Filipe Manana +Signed-off-by: Sidong Yang +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/reflink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/btrfs/reflink.c b/fs/btrfs/reflink.c +index 9b0814318e726..c71e49782e86d 100644 +--- a/fs/btrfs/reflink.c ++++ b/fs/btrfs/reflink.c +@@ -649,7 +649,7 @@ static int btrfs_extent_same_range(struct inode *src, u64 loff, u64 len, + static int btrfs_extent_same(struct inode *src, u64 loff, u64 olen, + struct inode *dst, u64 dst_loff) + { +- int ret; ++ int ret = 0; + u64 i, tail_len, chunk_count; + struct btrfs_root *root_dst = BTRFS_I(dst)->root; + +-- +2.33.0 + diff --git a/queue-5.15/btrfs-subpage-make-btrfs_submit_compressed_write-com.patch b/queue-5.15/btrfs-subpage-make-btrfs_submit_compressed_write-com.patch new file mode 100644 index 00000000000..09dc899bdfc --- /dev/null +++ b/queue-5.15/btrfs-subpage-make-btrfs_submit_compressed_write-com.patch @@ -0,0 +1,44 @@ +From 672c2e0c104c9543e01c6badc8d8264a5eb3989f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 15:22:00 +0800 +Subject: btrfs: subpage: make btrfs_submit_compressed_write() compatible + +From: Qu Wenruo + +[ Upstream commit bbbff01a47bfe1b7733c5ccac6a78ff6d7a8954f ] + +There is a WARN_ON() checking if @start is aligned to PAGE_SIZE, not +sectorsize, which will cause false alert for subpage. Fix it to check +against sectorsize. + +Furthermore: + +- Use ASSERT() to do the check + So that in the future we may skip the check for production build + +- Also check alignment for @len + +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/compression.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c +index 0913ee50e6c34..d0a1fe4c6e8cf 100644 +--- a/fs/btrfs/compression.c ++++ b/fs/btrfs/compression.c +@@ -404,7 +404,8 @@ blk_status_t btrfs_submit_compressed_write(struct btrfs_inode *inode, u64 start, + const bool use_append = btrfs_use_zone_append(inode, disk_start); + const unsigned int bio_op = use_append ? REQ_OP_ZONE_APPEND : REQ_OP_WRITE; + +- WARN_ON(!PAGE_ALIGNED(start)); ++ ASSERT(IS_ALIGNED(start, fs_info->sectorsize) && ++ IS_ALIGNED(len, fs_info->sectorsize)); + cb = kmalloc(compressed_bio_size(fs_info, compressed_len), GFP_NOFS); + if (!cb) + return BLK_STS_RESOURCE; +-- +2.33.0 + diff --git a/queue-5.15/bus-ti-sysc-fix-timekeeping_suspended-warning-on-res.patch b/queue-5.15/bus-ti-sysc-fix-timekeeping_suspended-warning-on-res.patch new file mode 100644 index 00000000000..af5529ea84a --- /dev/null +++ b/queue-5.15/bus-ti-sysc-fix-timekeeping_suspended-warning-on-res.patch @@ -0,0 +1,131 @@ +From b51f41dd0b77cf1f2e7069014e5c63c02edfdc68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 12:42:25 +0300 +Subject: bus: ti-sysc: Fix timekeeping_suspended warning on resume + +From: Tony Lindgren + +[ Upstream commit b3e9431854e8f305385d5de225441c0477b936cb ] + +On resume we can get a warning at kernel/time/timekeeping.c:824 for +timekeeping_suspended. + +Let's fix this by adding separate functions for sysc_poll_reset_sysstatus() +and sysc_poll_reset_sysconfig() and have the new functions handle also +timekeeping_suspended. + +If iopoll at some point supports timekeeping_suspended, we can just drop +the custom handling from these functions. + +Fixes: d46f9fbec719 ("bus: ti-sysc: Use optional clocks on for enable and wait for softreset bit") +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + drivers/bus/ti-sysc.c | 65 +++++++++++++++++++++++++++++++++++-------- + 1 file changed, 53 insertions(+), 12 deletions(-) + +diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c +index 6a8b7fb5be58d..f47c7e20cc271 100644 +--- a/drivers/bus/ti-sysc.c ++++ b/drivers/bus/ti-sysc.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -223,37 +224,77 @@ static u32 sysc_read_sysstatus(struct sysc *ddata) + return sysc_read(ddata, offset); + } + +-/* Poll on reset status */ +-static int sysc_wait_softreset(struct sysc *ddata) ++static int sysc_poll_reset_sysstatus(struct sysc *ddata) + { +- u32 sysc_mask, syss_done, rstval; +- int syss_offset, error = 0; +- +- if (ddata->cap->regbits->srst_shift < 0) +- return 0; +- +- syss_offset = ddata->offsets[SYSC_SYSSTATUS]; +- sysc_mask = BIT(ddata->cap->regbits->srst_shift); ++ int error, retries; ++ u32 syss_done, rstval; + + if (ddata->cfg.quirks & SYSS_QUIRK_RESETDONE_INVERTED) + syss_done = 0; + else + syss_done = ddata->cfg.syss_mask; + +- if (syss_offset >= 0) { ++ if (likely(!timekeeping_suspended)) { + error = readx_poll_timeout_atomic(sysc_read_sysstatus, ddata, + rstval, (rstval & ddata->cfg.syss_mask) == + syss_done, 100, MAX_MODULE_SOFTRESET_WAIT); ++ } else { ++ retries = MAX_MODULE_SOFTRESET_WAIT; ++ while (retries--) { ++ rstval = sysc_read_sysstatus(ddata); ++ if ((rstval & ddata->cfg.syss_mask) == syss_done) ++ return 0; ++ udelay(2); /* Account for udelay flakeyness */ ++ } ++ error = -ETIMEDOUT; ++ } + +- } else if (ddata->cfg.quirks & SYSC_QUIRK_RESET_STATUS) { ++ return error; ++} ++ ++static int sysc_poll_reset_sysconfig(struct sysc *ddata) ++{ ++ int error, retries; ++ u32 sysc_mask, rstval; ++ ++ sysc_mask = BIT(ddata->cap->regbits->srst_shift); ++ ++ if (likely(!timekeeping_suspended)) { + error = readx_poll_timeout_atomic(sysc_read_sysconfig, ddata, + rstval, !(rstval & sysc_mask), + 100, MAX_MODULE_SOFTRESET_WAIT); ++ } else { ++ retries = MAX_MODULE_SOFTRESET_WAIT; ++ while (retries--) { ++ rstval = sysc_read_sysconfig(ddata); ++ if (!(rstval & sysc_mask)) ++ return 0; ++ udelay(2); /* Account for udelay flakeyness */ ++ } ++ error = -ETIMEDOUT; + } + + return error; + } + ++/* Poll on reset status */ ++static int sysc_wait_softreset(struct sysc *ddata) ++{ ++ int syss_offset, error = 0; ++ ++ if (ddata->cap->regbits->srst_shift < 0) ++ return 0; ++ ++ syss_offset = ddata->offsets[SYSC_SYSSTATUS]; ++ ++ if (syss_offset >= 0) ++ error = sysc_poll_reset_sysstatus(ddata); ++ else if (ddata->cfg.quirks & SYSC_QUIRK_RESET_STATUS) ++ error = sysc_poll_reset_sysconfig(ddata); ++ ++ return error; ++} ++ + static int sysc_add_named_clock_from_child(struct sysc *ddata, + const char *name, + const char *optfck_name) +-- +2.33.0 + diff --git a/queue-5.15/can-bittiming-can_fixup_bittiming-change-type-of-tse.patch b/queue-5.15/can-bittiming-can_fixup_bittiming-change-type-of-tse.patch new file mode 100644 index 00000000000..d15debf20f1 --- /dev/null +++ b/queue-5.15/can-bittiming-can_fixup_bittiming-change-type-of-tse.patch @@ -0,0 +1,38 @@ +From 34fabc8a0bf0fbab74036adeabe333699e35cb1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 15:00:10 +0200 +Subject: can: bittiming: can_fixup_bittiming(): change type of tseg1 and + alltseg to unsigned int + +From: Marc Kleine-Budde + +[ Upstream commit e346290439609a8ac67122418ca2efbad8d0a7e7 ] + +All timing calculation is done with unsigned integers, so change type +of tseg1 and alltseg to unsigned int, too. + +Link: https://lore.kernel.org/all/20211013130653.1513627-1-mkl@pengutronix.de +Link: https://github.com/linux-can/can-utils/pull/314 +Reported-by: Gary Bisson +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/dev/bittiming.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/dev/bittiming.c b/drivers/net/can/dev/bittiming.c +index f49170eadd547..b1b5a82f08299 100644 +--- a/drivers/net/can/dev/bittiming.c ++++ b/drivers/net/can/dev/bittiming.c +@@ -209,7 +209,7 @@ static int can_fixup_bittiming(struct net_device *dev, struct can_bittiming *bt, + const struct can_bittiming_const *btc) + { + struct can_priv *priv = netdev_priv(dev); +- int tseg1, alltseg; ++ unsigned int tseg1, alltseg; + u64 brp64; + + tseg1 = bt->prop_seg + bt->phase_seg1; +-- +2.33.0 + diff --git a/queue-5.15/can-etas_es58x-es58x_rx_err_msg-fix-memory-leak-in-e.patch b/queue-5.15/can-etas_es58x-es58x_rx_err_msg-fix-memory-leak-in-e.patch new file mode 100644 index 00000000000..bf56278a348 --- /dev/null +++ b/queue-5.15/can-etas_es58x-es58x_rx_err_msg-fix-memory-leak-in-e.patch @@ -0,0 +1,63 @@ +From fe2e550f90bb6a6fbe1dfa134bd3388f4baf2885 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 03:07:40 +0900 +Subject: can: etas_es58x: es58x_rx_err_msg(): fix memory leak in error path + +From: Vincent Mailhol + +[ Upstream commit d9447f768bc8c60623e4bb3ce65b8f4654d33a50 ] + +In es58x_rx_err_msg(), if can->do_set_mode() fails, the function +directly returns without calling netif_rx(skb). This means that the +skb previously allocated by alloc_can_err_skb() is not freed. In other +terms, this is a memory leak. + +This patch simply removes the return statement in the error branch and +let the function continue. + +Issue was found with GCC -fanalyzer, please follow the link below for +details. + +Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces") +Link: https://lore.kernel.org/all/20211026180740.1953265-1-mailhol.vincent@wanadoo.fr +Signed-off-by: Vincent Mailhol +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/etas_es58x/es58x_core.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c +index 96a13c770e4a1..24627ab146261 100644 +--- a/drivers/net/can/usb/etas_es58x/es58x_core.c ++++ b/drivers/net/can/usb/etas_es58x/es58x_core.c +@@ -664,7 +664,7 @@ int es58x_rx_err_msg(struct net_device *netdev, enum es58x_err error, + struct can_device_stats *can_stats = &can->can_stats; + struct can_frame *cf = NULL; + struct sk_buff *skb; +- int ret; ++ int ret = 0; + + if (!netif_running(netdev)) { + if (net_ratelimit()) +@@ -823,8 +823,6 @@ int es58x_rx_err_msg(struct net_device *netdev, enum es58x_err error, + can->state = CAN_STATE_BUS_OFF; + can_bus_off(netdev); + ret = can->do_set_mode(netdev, CAN_MODE_STOP); +- if (ret) +- return ret; + } + break; + +@@ -881,7 +879,7 @@ int es58x_rx_err_msg(struct net_device *netdev, enum es58x_err error, + ES58X_EVENT_BUSOFF, timestamp); + } + +- return 0; ++ return ret; + } + + /** +-- +2.33.0 + diff --git a/queue-5.15/can-mcp251xfd-mcp251xfd_chip_start-fix-error-handlin.patch b/queue-5.15/can-mcp251xfd-mcp251xfd_chip_start-fix-error-handlin.patch new file mode 100644 index 00000000000..72407f4f55d --- /dev/null +++ b/queue-5.15/can-mcp251xfd-mcp251xfd_chip_start-fix-error-handlin.patch @@ -0,0 +1,37 @@ +From d0cb721bb4ea7986cdfec881c868fa496ebbae51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 17:00:04 +0200 +Subject: can: mcp251xfd: mcp251xfd_chip_start(): fix error handling for + mcp251xfd_chip_rx_int_enable() + +From: Marc Kleine-Budde + +[ Upstream commit 69c55f6e7669d46bb40e41f6e2b218428178368a ] + +This patch fixes the error handling for mcp251xfd_chip_rx_int_enable(). +Instead just returning the error, properly shut down the chip. + +Link: https://lore.kernel.org/all/20211106201526.44292-2-mkl@pengutronix.de +Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +index 212fcd1554e4f..e16dc482f3270 100644 +--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c ++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c +@@ -1092,7 +1092,7 @@ static int mcp251xfd_chip_start(struct mcp251xfd_priv *priv) + + err = mcp251xfd_chip_rx_int_enable(priv); + if (err) +- return err; ++ goto out_chip_stop; + + err = mcp251xfd_chip_ecc_init(priv); + if (err) +-- +2.33.0 + diff --git a/queue-5.15/cfg80211-always-free-wiphy-specific-regdomain.patch b/queue-5.15/cfg80211-always-free-wiphy-specific-regdomain.patch new file mode 100644 index 00000000000..9edc20b856b --- /dev/null +++ b/queue-5.15/cfg80211-always-free-wiphy-specific-regdomain.patch @@ -0,0 +1,51 @@ +From 18d99257dfd10bc982747190879c13c238aeea61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 13:11:06 +0200 +Subject: cfg80211: always free wiphy specific regdomain + +From: Johannes Berg + +[ Upstream commit e53e9828a8d2c6545e01ff9711f1221f2fd199ce ] + +In the (somewhat unlikely) event that we allocate a wiphy, then +add a regdomain to it, and then fail registration, we leak the +regdomain. Fix this by just always freeing it at the end, in the +normal cases we'll free (and NULL) it during wiphy_unregister(). +This happened when the wiphy settings were bad, and since they +can be controlled by userspace with hwsim, syzbot was able to +find this issue. + +Reported-by: syzbot+1638e7c770eef6b6c0d0@syzkaller.appspotmail.com +Fixes: 3e0c3ff36c4c ("cfg80211: allow multiple driver regulatory_hints()") +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20210927131105.68b70cef4674.I4b9f0aa08c2af28555963b9fe3d34395bb72e0cc@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/core.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/wireless/core.c b/net/wireless/core.c +index aaba847d79eb2..eb297e1015e05 100644 +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -1081,6 +1081,16 @@ void cfg80211_dev_free(struct cfg80211_registered_device *rdev) + list_for_each_entry_safe(scan, tmp, &rdev->bss_list, list) + cfg80211_put_bss(&rdev->wiphy, &scan->pub); + mutex_destroy(&rdev->wiphy.mtx); ++ ++ /* ++ * The 'regd' can only be non-NULL if we never finished ++ * initializing the wiphy and thus never went through the ++ * unregister path - e.g. in failure scenarios. Thus, it ++ * cannot have been visible to anyone if non-NULL, so we ++ * can just free it here. ++ */ ++ kfree(rcu_dereference_raw(rdev->wiphy.regd)); ++ + kfree(rdev); + } + +-- +2.33.0 + diff --git a/queue-5.15/cgroup-fix-rootcg-cpu.stat-guest-double-counting.patch b/queue-5.15/cgroup-fix-rootcg-cpu.stat-guest-double-counting.patch new file mode 100644 index 00000000000..bc235ffd0f8 --- /dev/null +++ b/queue-5.15/cgroup-fix-rootcg-cpu.stat-guest-double-counting.patch @@ -0,0 +1,39 @@ +From f54898e35389eab18be3752ee21d92bf53b4da17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 15:15:27 -0700 +Subject: cgroup: Fix rootcg cpu.stat guest double counting + +From: Dan Schatzberg + +[ Upstream commit 81c49d39aea8a10e6d05d3aa1cb65ceb721e19b0 ] + +In account_guest_time in kernel/sched/cputime.c guest time is +attributed to both CPUTIME_NICE and CPUTIME_USER in addition to +CPUTIME_GUEST_NICE and CPUTIME_GUEST respectively. Therefore, adding +both to calculate usage results in double counting any guest time at +the rootcg. + +Fixes: 936f2a70f207 ("cgroup: add cpu.stat file to root cgroup") +Signed-off-by: Dan Schatzberg +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/rstat.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/kernel/cgroup/rstat.c b/kernel/cgroup/rstat.c +index b264ab5652ba9..1486768f23185 100644 +--- a/kernel/cgroup/rstat.c ++++ b/kernel/cgroup/rstat.c +@@ -433,8 +433,6 @@ static void root_cgroup_cputime(struct task_cputime *cputime) + cputime->sum_exec_runtime += user; + cputime->sum_exec_runtime += sys; + cputime->sum_exec_runtime += cpustat[CPUTIME_STEAL]; +- cputime->sum_exec_runtime += cpustat[CPUTIME_GUEST]; +- cputime->sum_exec_runtime += cpustat[CPUTIME_GUEST_NICE]; + } + } + +-- +2.33.0 + diff --git a/queue-5.15/cgroup-make-rebind_subsystems-disable-v2-controllers.patch b/queue-5.15/cgroup-make-rebind_subsystems-disable-v2-controllers.patch new file mode 100644 index 00000000000..a472c15d7f2 --- /dev/null +++ b/queue-5.15/cgroup-make-rebind_subsystems-disable-v2-controllers.patch @@ -0,0 +1,120 @@ +From 3a63c8573107e2e17ab78db2e6c2c370d7a1ad03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 18:53:08 -0400 +Subject: cgroup: Make rebind_subsystems() disable v2 controllers all at once + +From: Waiman Long + +[ Upstream commit 7ee285395b211cad474b2b989db52666e0430daf ] + +It was found that the following warning was displayed when remounting +controllers from cgroup v2 to v1: + +[ 8042.997778] WARNING: CPU: 88 PID: 80682 at kernel/cgroup/cgroup.c:3130 cgroup_apply_control_disable+0x158/0x190 + : +[ 8043.091109] RIP: 0010:cgroup_apply_control_disable+0x158/0x190 +[ 8043.096946] Code: ff f6 45 54 01 74 39 48 8d 7d 10 48 c7 c6 e0 46 5a a4 e8 7b 67 33 00 e9 41 ff ff ff 49 8b 84 24 e8 01 00 00 0f b7 40 08 eb 95 <0f> 0b e9 5f ff ff ff 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 +[ 8043.115692] RSP: 0018:ffffba8a47c23d28 EFLAGS: 00010202 +[ 8043.120916] RAX: 0000000000000036 RBX: ffffffffa624ce40 RCX: 000000000000181a +[ 8043.128047] RDX: ffffffffa63c43e0 RSI: ffffffffa63c43e0 RDI: ffff9d7284ee1000 +[ 8043.135180] RBP: ffff9d72874c5800 R08: ffffffffa624b090 R09: 0000000000000004 +[ 8043.142314] R10: ffffffffa624b080 R11: 0000000000002000 R12: ffff9d7284ee1000 +[ 8043.149447] R13: ffff9d7284ee1000 R14: ffffffffa624ce70 R15: ffffffffa6269e20 +[ 8043.156576] FS: 00007f7747cff740(0000) GS:ffff9d7a5fc00000(0000) knlGS:0000000000000000 +[ 8043.164663] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 8043.170409] CR2: 00007f7747e96680 CR3: 0000000887d60001 CR4: 00000000007706e0 +[ 8043.177539] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 8043.184673] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 8043.191804] PKRU: 55555554 +[ 8043.194517] Call Trace: +[ 8043.196970] rebind_subsystems+0x18c/0x470 +[ 8043.201070] cgroup_setup_root+0x16c/0x2f0 +[ 8043.205177] cgroup1_root_to_use+0x204/0x2a0 +[ 8043.209456] cgroup1_get_tree+0x3e/0x120 +[ 8043.213384] vfs_get_tree+0x22/0xb0 +[ 8043.216883] do_new_mount+0x176/0x2d0 +[ 8043.220550] __x64_sys_mount+0x103/0x140 +[ 8043.224474] do_syscall_64+0x38/0x90 +[ 8043.228063] entry_SYSCALL_64_after_hwframe+0x44/0xae + +It was caused by the fact that rebind_subsystem() disables +controllers to be rebound one by one. If more than one disabled +controllers are originally from the default hierarchy, it means that +cgroup_apply_control_disable() will be called multiple times for the +same default hierarchy. A controller may be killed by css_kill() in +the first round. In the second round, the killed controller may not be +completely dead yet leading to the warning. + +To avoid this problem, we collect all the ssid's of controllers that +needed to be disabled from the default hierarchy and then disable them +in one go instead of one by one. + +Fixes: 334c3679ec4b ("cgroup: reimplement rebind_subsystems() using cgroup_apply_control() and friends") +Signed-off-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/cgroup/cgroup.c | 31 +++++++++++++++++++++++++++---- + 1 file changed, 27 insertions(+), 4 deletions(-) + +diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c +index ea08f01d0111a..d6ea872b23aad 100644 +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -1740,6 +1740,7 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask) + struct cgroup *dcgrp = &dst_root->cgrp; + struct cgroup_subsys *ss; + int ssid, i, ret; ++ u16 dfl_disable_ss_mask = 0; + + lockdep_assert_held(&cgroup_mutex); + +@@ -1756,8 +1757,28 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask) + /* can't move between two non-dummy roots either */ + if (ss->root != &cgrp_dfl_root && dst_root != &cgrp_dfl_root) + return -EBUSY; ++ ++ /* ++ * Collect ssid's that need to be disabled from default ++ * hierarchy. ++ */ ++ if (ss->root == &cgrp_dfl_root) ++ dfl_disable_ss_mask |= 1 << ssid; ++ + } while_each_subsys_mask(); + ++ if (dfl_disable_ss_mask) { ++ struct cgroup *scgrp = &cgrp_dfl_root.cgrp; ++ ++ /* ++ * Controllers from default hierarchy that need to be rebound ++ * are all disabled together in one go. ++ */ ++ cgrp_dfl_root.subsys_mask &= ~dfl_disable_ss_mask; ++ WARN_ON(cgroup_apply_control(scgrp)); ++ cgroup_finalize_control(scgrp, 0); ++ } ++ + do_each_subsys_mask(ss, ssid, ss_mask) { + struct cgroup_root *src_root = ss->root; + struct cgroup *scgrp = &src_root->cgrp; +@@ -1766,10 +1787,12 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask) + + WARN_ON(!css || cgroup_css(dcgrp, ss)); + +- /* disable from the source */ +- src_root->subsys_mask &= ~(1 << ssid); +- WARN_ON(cgroup_apply_control(scgrp)); +- cgroup_finalize_control(scgrp, 0); ++ if (src_root != &cgrp_dfl_root) { ++ /* disable from the source */ ++ src_root->subsys_mask &= ~(1 << ssid); ++ WARN_ON(cgroup_apply_control(scgrp)); ++ cgroup_finalize_control(scgrp, 0); ++ } + + /* rebind */ + RCU_INIT_POINTER(scgrp->subsys[ssid], NULL); +-- +2.33.0 + diff --git a/queue-5.15/clk-at91-check-pmc-node-status-before-registering-sy.patch b/queue-5.15/clk-at91-check-pmc-node-status-before-registering-sy.patch new file mode 100644 index 00000000000..71914e845ff --- /dev/null +++ b/queue-5.15/clk-at91-check-pmc-node-status-before-registering-sy.patch @@ -0,0 +1,49 @@ +From b2252732411b15b5ebec3eb5fd130038ac68f135 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Sep 2021 10:26:33 +0200 +Subject: clk: at91: check pmc node status before registering syscore ops +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Clément Léger + +[ Upstream commit c405f5c15e9f6094f2fa1658e73e56f3058e2122 ] + +Currently, at91 pmc driver always register the syscore_ops whatever +the status of the pmc node that has been found. When set as secure +and disabled, the pmc should not be accessed or this will generate +abort exceptions. +To avoid this, add a check on node availability before registering +the syscore operations. + +Signed-off-by: Clément Léger +Link: https://lore.kernel.org/r/20210913082633.110168-1-clement.leger@bootlin.com +Acked-by: Nicolas Ferre +Reviewed-by: Claudiu Beznea +Fixes: b3b02eac33ed ("clk: at91: Add sama5d2 suspend/resume") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/pmc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/clk/at91/pmc.c b/drivers/clk/at91/pmc.c +index 20ee9dccee787..b40035b011d0a 100644 +--- a/drivers/clk/at91/pmc.c ++++ b/drivers/clk/at91/pmc.c +@@ -267,6 +267,11 @@ static int __init pmc_register_ops(void) + if (!np) + return -ENODEV; + ++ if (!of_device_is_available(np)) { ++ of_node_put(np); ++ return -ENODEV; ++ } ++ + pmcreg = device_node_to_regmap(np); + of_node_put(np); + if (IS_ERR(pmcreg)) +-- +2.33.0 + diff --git a/queue-5.15/clk-at91-clk-master-check-if-div-or-pres-is-zero.patch b/queue-5.15/clk-at91-clk-master-check-if-div-or-pres-is-zero.patch new file mode 100644 index 00000000000..aacd4efbb63 --- /dev/null +++ b/queue-5.15/clk-at91-clk-master-check-if-div-or-pres-is-zero.patch @@ -0,0 +1,49 @@ +From ed6fc38e97cb892e09c0381a32e390ee1e011723 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 14:27:12 +0300 +Subject: clk: at91: clk-master: check if div or pres is zero + +From: Claudiu Beznea + +[ Upstream commit c2910c00fee4cbb7b222d6e02846adef9ae4135a ] + +Check if div or pres is zero before using it as argument for ffs(). +In case div is zero ffs() will return 0 and thus substracting from +zero will lead to invalid values to be setup in registers. + +Fixes: 7a110b9107ed8 ("clk: at91: clk-master: re-factor master clock") +Fixes: 75c88143f3b87 ("clk: at91: clk-master: add master clock support for SAMA7G5") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20211011112719.3951784-9-claudiu.beznea@microchip.com +Acked-by: Nicolas Ferre +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-master.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/at91/clk-master.c b/drivers/clk/at91/clk-master.c +index a80427980bf73..2e410815a3405 100644 +--- a/drivers/clk/at91/clk-master.c ++++ b/drivers/clk/at91/clk-master.c +@@ -280,7 +280,7 @@ static int clk_master_pres_set_rate(struct clk_hw *hw, unsigned long rate, + + else if (pres == 3) + pres = MASTER_PRES_MAX; +- else ++ else if (pres) + pres = ffs(pres) - 1; + + spin_lock_irqsave(master->lock, flags); +@@ -610,7 +610,7 @@ static int clk_sama7g5_master_set_rate(struct clk_hw *hw, unsigned long rate, + + if (div == 3) + div = MASTER_PRES_MAX; +- else ++ else if (div) + div = ffs(div) - 1; + + spin_lock_irqsave(master->lock, flags); +-- +2.33.0 + diff --git a/queue-5.15/clk-at91-clk-master-fix-prescaler-logic.patch b/queue-5.15/clk-at91-clk-master-fix-prescaler-logic.patch new file mode 100644 index 00000000000..0d053b083dc --- /dev/null +++ b/queue-5.15/clk-at91-clk-master-fix-prescaler-logic.patch @@ -0,0 +1,39 @@ +From 2eebee5b4578fe58d5f3e52d9226633aad262053 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 14:27:14 +0300 +Subject: clk: at91: clk-master: fix prescaler logic + +From: Claudiu Beznea + +[ Upstream commit 0ef99f8202c5078a72c05af76bfaed2ea4daab19 ] + +When prescaler value read from register is MASTER_PRES_MAX it means +that the input clock will be divided by 3. Fix the code to reflect +this. + +Fixes: 7a110b9107ed8 ("clk: at91: clk-master: re-factor master clock") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20211011112719.3951784-11-claudiu.beznea@microchip.com +Acked-by: Nicolas Ferre +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-master.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/at91/clk-master.c b/drivers/clk/at91/clk-master.c +index 2e410815a3405..04d0dd8385945 100644 +--- a/drivers/clk/at91/clk-master.c ++++ b/drivers/clk/at91/clk-master.c +@@ -309,7 +309,7 @@ static unsigned long clk_master_pres_recalc_rate(struct clk_hw *hw, + spin_unlock_irqrestore(master->lock, flags); + + pres = (val >> master->layout->pres_shift) & MASTER_PRES_MASK; +- if (pres == 3 && characteristics->have_div3_pres) ++ if (pres == MASTER_PRES_MAX && characteristics->have_div3_pres) + pres = 3; + else + pres = (1 << pres); +-- +2.33.0 + diff --git a/queue-5.15/clk-at91-sam9x60-pll-use-div_round_closest_ull.patch b/queue-5.15/clk-at91-sam9x60-pll-use-div_round_closest_ull.patch new file mode 100644 index 00000000000..b42e710653a --- /dev/null +++ b/queue-5.15/clk-at91-sam9x60-pll-use-div_round_closest_ull.patch @@ -0,0 +1,41 @@ +From 1c08afad44328abf9ece093fb6bc1550a9c14aea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 14:27:11 +0300 +Subject: clk: at91: sam9x60-pll: use DIV_ROUND_CLOSEST_ULL + +From: Claudiu Beznea + +[ Upstream commit f12d028b743bb6136da60b17228a1b6162886444 ] + +Use DIV_ROUND_CLOSEST_ULL() to avoid any inconsistency b/w the rate +computed in sam9x60_frac_pll_recalc_rate() and the one computed in +sam9x60_frac_pll_compute_mul_frac(). + +Fixes: 43b1bb4a9b3e1 ("clk: at91: clk-sam9x60-pll: re-factor to support plls with multiple outputs") +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20211011112719.3951784-8-claudiu.beznea@microchip.com +Acked-by: Nicolas Ferre +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/at91/clk-sam9x60-pll.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/at91/clk-sam9x60-pll.c b/drivers/clk/at91/clk-sam9x60-pll.c +index 34e3ab13741ac..1f52409475e9c 100644 +--- a/drivers/clk/at91/clk-sam9x60-pll.c ++++ b/drivers/clk/at91/clk-sam9x60-pll.c +@@ -71,8 +71,8 @@ static unsigned long sam9x60_frac_pll_recalc_rate(struct clk_hw *hw, + struct sam9x60_pll_core *core = to_sam9x60_pll_core(hw); + struct sam9x60_frac *frac = to_sam9x60_frac(core); + +- return (parent_rate * (frac->mul + 1) + +- ((u64)parent_rate * frac->frac >> 22)); ++ return parent_rate * (frac->mul + 1) + ++ DIV_ROUND_CLOSEST_ULL((u64)parent_rate * frac->frac, (1 << 22)); + } + + static int sam9x60_frac_pll_prepare(struct clk_hw *hw) +-- +2.33.0 + diff --git a/queue-5.15/clk-mvebu-ap-cpu-clk-fix-a-memory-leak-in-error-hand.patch b/queue-5.15/clk-mvebu-ap-cpu-clk-fix-a-memory-leak-in-error-hand.patch new file mode 100644 index 00000000000..230ccbee7ee --- /dev/null +++ b/queue-5.15/clk-mvebu-ap-cpu-clk-fix-a-memory-leak-in-error-hand.patch @@ -0,0 +1,78 @@ +From 7b723e65b3184bea563fd7adf19d509cffcaf5eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 09:02:26 +0200 +Subject: clk: mvebu: ap-cpu-clk: Fix a memory leak in error handling paths + +From: Christophe JAILLET + +[ Upstream commit af9617b419f77cf0b99702a7b2b0519da0d27715 ] + +If we exit the for_each_of_cpu_node loop early, the reference on the +current node must be decremented, otherwise there is a leak. + +Fixes: f756e362d938 ("clk: mvebu: add CPU clock driver for Armada 7K/8K") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/545df946044fc1fc05a4217cdf0054be7a79e49e.1619161112.git.christophe.jaillet@wanadoo.fr +Reviewed-by: Dan Carpenter +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mvebu/ap-cpu-clk.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/mvebu/ap-cpu-clk.c b/drivers/clk/mvebu/ap-cpu-clk.c +index 08ba59ec3fb17..71bdd7c3ff034 100644 +--- a/drivers/clk/mvebu/ap-cpu-clk.c ++++ b/drivers/clk/mvebu/ap-cpu-clk.c +@@ -256,12 +256,15 @@ static int ap_cpu_clock_probe(struct platform_device *pdev) + int cpu, err; + + err = of_property_read_u32(dn, "reg", &cpu); +- if (WARN_ON(err)) ++ if (WARN_ON(err)) { ++ of_node_put(dn); + return err; ++ } + + /* If cpu2 or cpu3 is enabled */ + if (cpu & APN806_CLUSTER_NUM_MASK) { + nclusters = 2; ++ of_node_put(dn); + break; + } + } +@@ -288,8 +291,10 @@ static int ap_cpu_clock_probe(struct platform_device *pdev) + int cpu, err; + + err = of_property_read_u32(dn, "reg", &cpu); +- if (WARN_ON(err)) ++ if (WARN_ON(err)) { ++ of_node_put(dn); + return err; ++ } + + cluster_index = cpu & APN806_CLUSTER_NUM_MASK; + cluster_index >>= APN806_CLUSTER_NUM_OFFSET; +@@ -301,6 +306,7 @@ static int ap_cpu_clock_probe(struct platform_device *pdev) + parent = of_clk_get(np, cluster_index); + if (IS_ERR(parent)) { + dev_err(dev, "Could not get the clock parent\n"); ++ of_node_put(dn); + return -EINVAL; + } + parent_name = __clk_get_name(parent); +@@ -319,8 +325,10 @@ static int ap_cpu_clock_probe(struct platform_device *pdev) + init.parent_names = &parent_name; + + ret = devm_clk_hw_register(dev, &ap_cpu_clk[cluster_index].hw); +- if (ret) ++ if (ret) { ++ of_node_put(dn); + return ret; ++ } + ap_cpu_data->hws[cluster_index] = &ap_cpu_clk[cluster_index].hw; + } + +-- +2.33.0 + diff --git a/queue-5.15/clocksource-drivers-timer-ti-dm-select-timer_of.patch b/queue-5.15/clocksource-drivers-timer-ti-dm-select-timer_of.patch new file mode 100644 index 00000000000..32fc08c36aa --- /dev/null +++ b/queue-5.15/clocksource-drivers-timer-ti-dm-select-timer_of.patch @@ -0,0 +1,49 @@ +From 0b6ee2e9e6079f7c43ec2a7b24c8574b6440e96b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Aug 2021 10:57:47 -0700 +Subject: clocksource/drivers/timer-ti-dm: Select TIMER_OF + +From: Kees Cook + +[ Upstream commit eda9a4f7af6ee47e9e131f20e4f8a41a97379293 ] + +When building OMAP_DM_TIMER without TIMER_OF, there are orphan sections +due to the use of TIMER_OF_DELCARE() without CONFIG_TIMER_OF. Select +CONFIG_TIMER_OF when enaling OMAP_DM_TIMER: + +arm-linux-gnueabi-ld: warning: orphan section `__timer_of_table' from `drivers/clocksource/timer-ti-dm-systimer.o' being placed in section `__timer_of_table' + +Reported-by: kernel test robot +Link: https://lore.kernel.org/lkml/202108282255.tkdt4ani-lkp@intel.com/ +Cc: Tony Lindgren +Cc: Daniel Lezcano +Cc: Keerthy +Cc: Sebastian Reichel +Cc: Ladislav Michl +Cc: Grygorii Strashko +Cc: linux-omap@vger.kernel.org +Fixes: 52762fbd1c47 ("clocksource/drivers/timer-ti-dm: Add clockevent and clocksource support") +Signed-off-by: Kees Cook +Acked-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210828175747.3777891-1-keescook@chromium.org +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clocksource/Kconfig b/drivers/clocksource/Kconfig +index 0f5e3983951a8..08f8cb944a2ac 100644 +--- a/drivers/clocksource/Kconfig ++++ b/drivers/clocksource/Kconfig +@@ -24,6 +24,7 @@ config I8253_LOCK + + config OMAP_DM_TIMER + bool ++ select TIMER_OF + + config CLKBLD_I8253 + def_bool y if CLKSRC_I8253 || CLKEVT_I8253 || I8253_LOCK +-- +2.33.0 + diff --git a/queue-5.15/cpufreq-fix-parameter-in-parse_perf_domain.patch b/queue-5.15/cpufreq-fix-parameter-in-parse_perf_domain.patch new file mode 100644 index 00000000000..155981cb264 --- /dev/null +++ b/queue-5.15/cpufreq-fix-parameter-in-parse_perf_domain.patch @@ -0,0 +1,36 @@ +From 46684c9372b65ed3a92a034c14c856062c60cd11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 22:42:33 +0800 +Subject: cpufreq: Fix parameter in parse_perf_domain() + +From: Hector.Yuan + +[ Upstream commit 4a08e3271c55f8b5d56906a8aa5bd041911cf897 ] + +Pass cpu to parse_perf_domain() instead of pcpu. + +Fixes: 8486a32dd484 ("cpufreq: Add of_perf_domain_get_sharing_cpumask") +Signed-off-by: Hector.Yuan +[ Viresh: Massaged changelog ] +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + include/linux/cpufreq.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h +index ff88bb3e44fca..66a1f495f01a6 100644 +--- a/include/linux/cpufreq.h ++++ b/include/linux/cpufreq.h +@@ -1041,7 +1041,7 @@ static inline int of_perf_domain_get_sharing_cpumask(int pcpu, const char *list_ + if (cpu == pcpu) + continue; + +- ret = parse_perf_domain(pcpu, list_name, cell_name); ++ ret = parse_perf_domain(cpu, list_name, cell_name); + if (ret < 0) + continue; + +-- +2.33.0 + diff --git a/queue-5.15/cpufreq-intel_pstate-clear-hwp-desired-on-suspend-sh.patch b/queue-5.15/cpufreq-intel_pstate-clear-hwp-desired-on-suspend-sh.patch new file mode 100644 index 00000000000..daa804bcb1e --- /dev/null +++ b/queue-5.15/cpufreq-intel_pstate-clear-hwp-desired-on-suspend-sh.patch @@ -0,0 +1,94 @@ +From a8e640754ea0b889c294775082f1bcc0c173231a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 19:43:47 +0100 +Subject: cpufreq: intel_pstate: Clear HWP desired on suspend/shutdown and + offline + +From: Rafael J. Wysocki + +[ Upstream commit dbea75fe18f60e364de6d994fc938a24ba249d81 ] + +Commit a365ab6b9dfb ("cpufreq: intel_pstate: Implement the +->adjust_perf() callback") caused intel_pstate to use nonzero HWP +desired values in certain usage scenarios, but it did not prevent +them from being leaked into the confugirations in which HWP desired +is expected to be 0. + +The failing scenarios are switching the driver from the passive +mode to the active mode and starting a new kernel via kexec() while +intel_pstate is running in the passive mode. + +To address this issue, ensure that HWP desired will be cleared on +offline and suspend/shutdown. + +Fixes: a365ab6b9dfb ("cpufreq: intel_pstate: Implement the ->adjust_perf() callback") +Reported-by: Julia Lawall +Tested-by: Julia Lawall +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/intel_pstate.c | 32 ++++++++++++++++++++++++++++++-- + 1 file changed, 30 insertions(+), 2 deletions(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index fc7a429f22d33..dafa631582bac 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -999,9 +999,16 @@ static void intel_pstate_hwp_offline(struct cpudata *cpu) + */ + value &= ~GENMASK_ULL(31, 24); + value |= HWP_ENERGY_PERF_PREFERENCE(cpu->epp_cached); +- WRITE_ONCE(cpu->hwp_req_cached, value); + } + ++ /* ++ * Clear the desired perf field in the cached HWP request value to ++ * prevent nonzero desired values from being leaked into the active ++ * mode. ++ */ ++ value &= ~HWP_DESIRED_PERF(~0L); ++ WRITE_ONCE(cpu->hwp_req_cached, value); ++ + value &= ~GENMASK_ULL(31, 0); + min_perf = HWP_LOWEST_PERF(READ_ONCE(cpu->hwp_cap_cached)); + +@@ -2903,6 +2910,27 @@ static int intel_cpufreq_cpu_exit(struct cpufreq_policy *policy) + return intel_pstate_cpu_exit(policy); + } + ++static int intel_cpufreq_suspend(struct cpufreq_policy *policy) ++{ ++ intel_pstate_suspend(policy); ++ ++ if (hwp_active) { ++ struct cpudata *cpu = all_cpu_data[policy->cpu]; ++ u64 value = READ_ONCE(cpu->hwp_req_cached); ++ ++ /* ++ * Clear the desired perf field in MSR_HWP_REQUEST in case ++ * intel_cpufreq_adjust_perf() is in use and the last value ++ * written by it may not be suitable. ++ */ ++ value &= ~HWP_DESIRED_PERF(~0L); ++ wrmsrl_on_cpu(cpu->cpu, MSR_HWP_REQUEST, value); ++ WRITE_ONCE(cpu->hwp_req_cached, value); ++ } ++ ++ return 0; ++} ++ + static struct cpufreq_driver intel_cpufreq = { + .flags = CPUFREQ_CONST_LOOPS, + .verify = intel_cpufreq_verify_policy, +@@ -2912,7 +2940,7 @@ static struct cpufreq_driver intel_cpufreq = { + .exit = intel_cpufreq_cpu_exit, + .offline = intel_cpufreq_cpu_offline, + .online = intel_pstate_cpu_online, +- .suspend = intel_pstate_suspend, ++ .suspend = intel_cpufreq_suspend, + .resume = intel_pstate_resume, + .update_limits = intel_pstate_update_limits, + .name = "intel_cpufreq", +-- +2.33.0 + diff --git a/queue-5.15/cpufreq-intel_pstate-fix-cpu-pstate.turbo_freq-initi.patch b/queue-5.15/cpufreq-intel_pstate-fix-cpu-pstate.turbo_freq-initi.patch new file mode 100644 index 00000000000..5290b4e1e2f --- /dev/null +++ b/queue-5.15/cpufreq-intel_pstate-fix-cpu-pstate.turbo_freq-initi.patch @@ -0,0 +1,41 @@ +From 290bc3b6a8abf5ea9c8a13dcec1431900377c28c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 16:32:42 +0800 +Subject: cpufreq: intel_pstate: Fix cpu->pstate.turbo_freq initialization + +From: Zhang Rui + +[ Upstream commit c72bcf0ab87a92634e58af62e89af0f40dfd0b88 ] + +Fix a problem in active mode that cpu->pstate.turbo_freq is initialized +only if HWP-to-frequency scaling factor is refined. + +In passive mode, this problem is not exposed, because +cpu->pstate.turbo_freq is set again, later in +intel_cpufreq_cpu_init()->intel_pstate_get_hwp_cap(). + +Fixes: eb3693f0521e ("cpufreq: intel_pstate: hybrid: CPU-specific scaling factor") +Signed-off-by: Zhang Rui +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/intel_pstate.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index 8c176b7dae415..fc7a429f22d33 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -537,7 +537,8 @@ static void intel_pstate_hybrid_hwp_adjust(struct cpudata *cpu) + * scaling factor is too high, so recompute it to make the HWP_CAP + * highest performance correspond to the maximum turbo frequency. + */ +- if (turbo_freq < cpu->pstate.turbo_pstate * scaling) { ++ cpu->pstate.turbo_freq = cpu->pstate.turbo_pstate * scaling; ++ if (turbo_freq < cpu->pstate.turbo_freq) { + cpu->pstate.turbo_freq = turbo_freq; + scaling = DIV_ROUND_UP(turbo_freq, cpu->pstate.turbo_pstate); + cpu->pstate.scaling = scaling; +-- +2.33.0 + diff --git a/queue-5.15/cpufreq-make-policy-min-max-hard-requirements.patch b/queue-5.15/cpufreq-make-policy-min-max-hard-requirements.patch new file mode 100644 index 00000000000..67a594cb386 --- /dev/null +++ b/queue-5.15/cpufreq-make-policy-min-max-hard-requirements.patch @@ -0,0 +1,63 @@ +From 03578ba9a7cb50b6db2c8288d51a28de613f1247 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 15:05:26 +0100 +Subject: cpufreq: Make policy min/max hard requirements + +From: Vincent Donnefort + +[ Upstream commit 15171769069408789a72f9aa9a52cc931b839b56 ] + +When applying the policy min/max limits, the requested frequency is +simply clamped to not be out of range. It means, however, if one of the +boundaries isn't an available frequency, the frequency resolution can +return a value out of those limits, depending on the relation used. + +e.g. freq{0,1,2} being available frequencies. + + freq0 policy->min freq1 policy->max freq2 + | | | | | + 17kHz 18kHz 19kHz 20kHz 21kHz + + __resolve_freq(21kHz, CPUFREQ_RELATION_L) -> 21kHz (out of bounds) + __resolve_freq(17kHz, CPUFREQ_RELATION_H) -> 17kHz (out of bounds) + +If, during the policy init, we resolve the requested min/max to existing +frequencies, we ensure that any CPUFREQ_RELATION_* would resolve to a +frequency which is inside the policy min/max range. + +Making the policy limits rigid helps to introduce the inefficient +frequencies support. Resolving an inefficient frequency to an efficient +one should not transgress policy->max (which can be set for thermal +reason) and having a value we can trust simplify this comparison. + +Signed-off-by: Vincent Donnefort +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/cpufreq.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c +index 5782b15a8caad..284e940084c61 100644 +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -2523,8 +2523,15 @@ static int cpufreq_set_policy(struct cpufreq_policy *policy, + if (ret) + return ret; + ++ /* ++ * Resolve policy min/max to available frequencies. It ensures ++ * no frequency resolution will neither overshoot the requested maximum ++ * nor undershoot the requested minimum. ++ */ + policy->min = new_data.min; + policy->max = new_data.max; ++ policy->min = __resolve_freq(policy, policy->min, CPUFREQ_RELATION_L); ++ policy->max = __resolve_freq(policy, policy->max, CPUFREQ_RELATION_H); + trace_cpu_frequency_limits(policy); + + policy->cached_target_freq = UINT_MAX; +-- +2.33.0 + diff --git a/queue-5.15/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch b/queue-5.15/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch new file mode 100644 index 00000000000..d2bd4de7669 --- /dev/null +++ b/queue-5.15/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch @@ -0,0 +1,70 @@ +From 09c0939a3081549f1473c29d12aecc0972e0b454 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 18:34:40 +0000 +Subject: cpuidle: Fix kobject memory leaks in error paths + +From: Anel Orazgaliyeva + +[ Upstream commit e5f5a66c9aa9c331da5527c2e3fd9394e7091e01 ] + +Commit c343bf1ba5ef ("cpuidle: Fix three reference count leaks") +fixes the cleanup of kobjects; however, it removes kfree() calls +altogether, leading to memory leaks. + +Fix those and also defer the initialization of dev->kobj_dev until +after the error check, so that we do not end up with a dangling +pointer. + +Fixes: c343bf1ba5ef ("cpuidle: Fix three reference count leaks") +Signed-off-by: Anel Orazgaliyeva +Suggested-by: Aman Priyadarshi +[ rjw: Subject edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/sysfs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c +index 53ec9585ccd44..469e18547d06c 100644 +--- a/drivers/cpuidle/sysfs.c ++++ b/drivers/cpuidle/sysfs.c +@@ -488,6 +488,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device) + &kdev->kobj, "state%d", i); + if (ret) { + kobject_put(&kobj->kobj); ++ kfree(kobj); + goto error_state; + } + cpuidle_add_s2idle_attr_group(kobj); +@@ -619,6 +620,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev) + &kdev->kobj, "driver"); + if (ret) { + kobject_put(&kdrv->kobj); ++ kfree(kdrv); + return ret; + } + +@@ -705,7 +707,6 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev) + if (!kdev) + return -ENOMEM; + kdev->dev = dev; +- dev->kobj_dev = kdev; + + init_completion(&kdev->kobj_unregister); + +@@ -713,9 +714,11 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev) + "cpuidle"); + if (error) { + kobject_put(&kdev->kobj); ++ kfree(kdev); + return error; + } + ++ dev->kobj_dev = kdev; + kobject_uevent(&kdev->kobj, KOBJ_ADD); + + return 0; +-- +2.33.0 + diff --git a/queue-5.15/crypto-aesni-check-walk.nbytes-instead-of-err.patch b/queue-5.15/crypto-aesni-check-walk.nbytes-instead-of-err.patch new file mode 100644 index 00000000000..a206e645415 --- /dev/null +++ b/queue-5.15/crypto-aesni-check-walk.nbytes-instead-of-err.patch @@ -0,0 +1,43 @@ +From ce1e4df0b73e9f339dabf99a2d1fbf6e9fbd1c32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Sep 2021 16:37:59 +0530 +Subject: crypto: aesni - check walk.nbytes instead of err + +From: Shreyansh Chouhan + +[ Upstream commit a2d3cbc80d2527b435154ff0f89b56ef4b84370f ] + +In the code for xts_crypt(), we check for the err value returned by +skcipher_walk_virt() and return from the function if it is non zero. +However, skcipher_walk_virt() can set walk.nbytes to 0, which would cause +us to call kernel_fpu_begin(), and then skip the kernel_fpu_end() call. + +This patch checks for the walk.nbytes value instead, and returns if +walk.nbytes is 0. This prevents us from calling kernel_fpu_begin() in +the first place and also covers the case of having a non zero err value +returned from skcipher_walk_virt(). + +Reported-by: Dan Carpenter +Signed-off-by: Shreyansh Chouhan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + arch/x86/crypto/aesni-intel_glue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c +index 0fc961bef299c..e09f4672dd382 100644 +--- a/arch/x86/crypto/aesni-intel_glue.c ++++ b/arch/x86/crypto/aesni-intel_glue.c +@@ -866,7 +866,7 @@ static int xts_crypt(struct skcipher_request *req, bool encrypt) + req = &subreq; + + err = skcipher_walk_virt(&walk, req, false); +- if (err) ++ if (!walk.nbytes) + return err; + } else { + tail = 0; +-- +2.33.0 + diff --git a/queue-5.15/crypto-api-fix-built-in-testing-dependency-failures.patch b/queue-5.15/crypto-api-fix-built-in-testing-dependency-failures.patch new file mode 100644 index 00000000000..96458f3cdd3 --- /dev/null +++ b/queue-5.15/crypto-api-fix-built-in-testing-dependency-failures.patch @@ -0,0 +1,297 @@ +From 9e6984e5169f8646ae0d3784ce7c7a70e878ada8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Sep 2021 08:26:19 +0800 +Subject: crypto: api - Fix built-in testing dependency failures + +From: Herbert Xu + +[ Upstream commit adad556efcdd42a1d9e060cbe5f6161cccf1fa28 ] + +When complex algorithms that depend on other algorithms are built +into the kernel, the order of registration must be done such that +the underlying algorithms are ready before the ones on top are +registered. As otherwise they would fail during the self-test +which is required during registration. + +In the past we have used subsystem initialisation ordering to +guarantee this. The number of such precedence levels are limited +and they may cause ripple effects in other subsystems. + +This patch solves this problem by delaying all self-tests during +boot-up for built-in algorithms. They will be tested either when +something else in the kernel requests for them, or when we have +finished registering all built-in algorithms, whichever comes +earlier. + +Reported-by: Vladis Dronov +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/algapi.c | 73 +++++++++++++++++++++++++++++++++-------------- + crypto/api.c | 52 +++++++++++++++++++++++++++++---- + crypto/internal.h | 10 +++++++ + 3 files changed, 108 insertions(+), 27 deletions(-) + +diff --git a/crypto/algapi.c b/crypto/algapi.c +index 43f999dba4dc0..422bdca214e1c 100644 +--- a/crypto/algapi.c ++++ b/crypto/algapi.c +@@ -389,29 +389,10 @@ void crypto_remove_final(struct list_head *list) + } + EXPORT_SYMBOL_GPL(crypto_remove_final); + +-static void crypto_wait_for_test(struct crypto_larval *larval) +-{ +- int err; +- +- err = crypto_probing_notify(CRYPTO_MSG_ALG_REGISTER, larval->adult); +- if (err != NOTIFY_STOP) { +- if (WARN_ON(err != NOTIFY_DONE)) +- goto out; +- crypto_alg_tested(larval->alg.cra_driver_name, 0); +- } +- +- err = wait_for_completion_killable(&larval->completion); +- WARN_ON(err); +- if (!err) +- crypto_notify(CRYPTO_MSG_ALG_LOADED, larval); +- +-out: +- crypto_larval_kill(&larval->alg); +-} +- + int crypto_register_alg(struct crypto_alg *alg) + { + struct crypto_larval *larval; ++ bool test_started; + int err; + + alg->cra_flags &= ~CRYPTO_ALG_DEAD; +@@ -421,12 +402,15 @@ int crypto_register_alg(struct crypto_alg *alg) + + down_write(&crypto_alg_sem); + larval = __crypto_register_alg(alg); ++ test_started = static_key_enabled(&crypto_boot_test_finished); ++ larval->test_started = test_started; + up_write(&crypto_alg_sem); + + if (IS_ERR(larval)) + return PTR_ERR(larval); + +- crypto_wait_for_test(larval); ++ if (test_started) ++ crypto_wait_for_test(larval); + return 0; + } + EXPORT_SYMBOL_GPL(crypto_register_alg); +@@ -633,6 +617,8 @@ int crypto_register_instance(struct crypto_template *tmpl, + if (IS_ERR(larval)) + goto unlock; + ++ larval->test_started = true; ++ + hlist_add_head(&inst->list, &tmpl->instances); + inst->tmpl = tmpl; + +@@ -1261,9 +1247,48 @@ void crypto_stats_skcipher_decrypt(unsigned int cryptlen, int ret, + EXPORT_SYMBOL_GPL(crypto_stats_skcipher_decrypt); + #endif + ++static void __init crypto_start_tests(void) ++{ ++ for (;;) { ++ struct crypto_larval *larval = NULL; ++ struct crypto_alg *q; ++ ++ down_write(&crypto_alg_sem); ++ ++ list_for_each_entry(q, &crypto_alg_list, cra_list) { ++ struct crypto_larval *l; ++ ++ if (!crypto_is_larval(q)) ++ continue; ++ ++ l = (void *)q; ++ ++ if (!crypto_is_test_larval(l)) ++ continue; ++ ++ if (l->test_started) ++ continue; ++ ++ l->test_started = true; ++ larval = l; ++ break; ++ } ++ ++ up_write(&crypto_alg_sem); ++ ++ if (!larval) ++ break; ++ ++ crypto_wait_for_test(larval); ++ } ++ ++ static_branch_enable(&crypto_boot_test_finished); ++} ++ + static int __init crypto_algapi_init(void) + { + crypto_init_proc(); ++ crypto_start_tests(); + return 0; + } + +@@ -1272,7 +1297,11 @@ static void __exit crypto_algapi_exit(void) + crypto_exit_proc(); + } + +-module_init(crypto_algapi_init); ++/* ++ * We run this at late_initcall so that all the built-in algorithms ++ * have had a chance to register themselves first. ++ */ ++late_initcall(crypto_algapi_init); + module_exit(crypto_algapi_exit); + + MODULE_LICENSE("GPL"); +diff --git a/crypto/api.c b/crypto/api.c +index c4eda56cff891..1cf1f03347cc3 100644 +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -12,6 +12,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -30,6 +31,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem); + BLOCKING_NOTIFIER_HEAD(crypto_chain); + EXPORT_SYMBOL_GPL(crypto_chain); + ++DEFINE_STATIC_KEY_FALSE(crypto_boot_test_finished); ++ + static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg); + + struct crypto_alg *crypto_mod_get(struct crypto_alg *alg) +@@ -47,11 +50,6 @@ void crypto_mod_put(struct crypto_alg *alg) + } + EXPORT_SYMBOL_GPL(crypto_mod_put); + +-static inline int crypto_is_test_larval(struct crypto_larval *larval) +-{ +- return larval->alg.cra_driver_name[0]; +-} +- + static struct crypto_alg *__crypto_alg_lookup(const char *name, u32 type, + u32 mask) + { +@@ -163,11 +161,55 @@ void crypto_larval_kill(struct crypto_alg *alg) + } + EXPORT_SYMBOL_GPL(crypto_larval_kill); + ++void crypto_wait_for_test(struct crypto_larval *larval) ++{ ++ int err; ++ ++ err = crypto_probing_notify(CRYPTO_MSG_ALG_REGISTER, larval->adult); ++ if (err != NOTIFY_STOP) { ++ if (WARN_ON(err != NOTIFY_DONE)) ++ goto out; ++ crypto_alg_tested(larval->alg.cra_driver_name, 0); ++ } ++ ++ err = wait_for_completion_killable(&larval->completion); ++ WARN_ON(err); ++ if (!err) ++ crypto_notify(CRYPTO_MSG_ALG_LOADED, larval); ++ ++out: ++ crypto_larval_kill(&larval->alg); ++} ++EXPORT_SYMBOL_GPL(crypto_wait_for_test); ++ ++static void crypto_start_test(struct crypto_larval *larval) ++{ ++ if (!crypto_is_test_larval(larval)) ++ return; ++ ++ if (larval->test_started) ++ return; ++ ++ down_write(&crypto_alg_sem); ++ if (larval->test_started) { ++ up_write(&crypto_alg_sem); ++ return; ++ } ++ ++ larval->test_started = true; ++ up_write(&crypto_alg_sem); ++ ++ crypto_wait_for_test(larval); ++} ++ + static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg) + { + struct crypto_larval *larval = (void *)alg; + long timeout; + ++ if (!static_branch_likely(&crypto_boot_test_finished)) ++ crypto_start_test(larval); ++ + timeout = wait_for_completion_killable_timeout( + &larval->completion, 60 * HZ); + +diff --git a/crypto/internal.h b/crypto/internal.h +index f00869af689f5..c08385571853e 100644 +--- a/crypto/internal.h ++++ b/crypto/internal.h +@@ -10,6 +10,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -27,6 +28,7 @@ struct crypto_larval { + struct crypto_alg *adult; + struct completion completion; + u32 mask; ++ bool test_started; + }; + + enum { +@@ -45,6 +47,8 @@ extern struct list_head crypto_alg_list; + extern struct rw_semaphore crypto_alg_sem; + extern struct blocking_notifier_head crypto_chain; + ++DECLARE_STATIC_KEY_FALSE(crypto_boot_test_finished); ++ + #ifdef CONFIG_PROC_FS + void __init crypto_init_proc(void); + void __exit crypto_exit_proc(void); +@@ -70,6 +74,7 @@ struct crypto_alg *crypto_alg_mod_lookup(const char *name, u32 type, u32 mask); + + struct crypto_larval *crypto_larval_alloc(const char *name, u32 type, u32 mask); + void crypto_larval_kill(struct crypto_alg *alg); ++void crypto_wait_for_test(struct crypto_larval *larval); + void crypto_alg_tested(const char *name, int err); + + void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list, +@@ -156,5 +161,10 @@ static inline void crypto_yield(u32 flags) + cond_resched(); + } + ++static inline int crypto_is_test_larval(struct crypto_larval *larval) ++{ ++ return larval->alg.cra_driver_name[0]; ++} ++ + #endif /* _CRYPTO_INTERNAL_H */ + +-- +2.33.0 + diff --git a/queue-5.15/crypto-caam-disable-pkc-for-non-e-socs.patch b/queue-5.15/crypto-caam-disable-pkc-for-non-e-socs.patch new file mode 100644 index 00000000000..183a3122fcd --- /dev/null +++ b/queue-5.15/crypto-caam-disable-pkc-for-non-e-socs.patch @@ -0,0 +1,89 @@ +From bb91298ac697b717b536a3d176954a0c268a0533 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 00:03:07 +0200 +Subject: crypto: caam - disable pkc for non-E SoCs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Walle + +[ Upstream commit f20311cc9c58052e0b215013046cbf390937910c ] + +On newer CAAM versions, not all accelerators are disabled if the SoC is +a non-E variant. While the driver checks most of the modules for +availability, there is one - PKHA - which sticks out. On non-E variants +it is still reported as available, that is the number of instances is +non-zero, but it has limited functionality. In particular it doesn't +support encryption and decryption, but just signing and verifying. This +is indicated by a bit in the PKHA_MISC field. Take this bit into account +if we are checking for availability. + +This will the following error: +[ 8.167817] caam_jr 8020000.jr: 20000b0f: CCB: desc idx 11: : Invalid CHA selected. + +Tested on an NXP LS1028A (non-E) SoC. + +Fixes: d239b10d4ceb ("crypto: caam - add register map changes cf. Era 10") +Signed-off-by: Michael Walle +Reviewed-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/caam/caampkc.c | 19 +++++++++++++++---- + drivers/crypto/caam/regs.h | 3 +++ + 2 files changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/caam/caampkc.c b/drivers/crypto/caam/caampkc.c +index e313233ec6de7..bf6275ffc4aad 100644 +--- a/drivers/crypto/caam/caampkc.c ++++ b/drivers/crypto/caam/caampkc.c +@@ -1153,16 +1153,27 @@ static struct caam_akcipher_alg caam_rsa = { + int caam_pkc_init(struct device *ctrldev) + { + struct caam_drv_private *priv = dev_get_drvdata(ctrldev); +- u32 pk_inst; ++ u32 pk_inst, pkha; + int err; + init_done = false; + + /* Determine public key hardware accelerator presence. */ +- if (priv->era < 10) ++ if (priv->era < 10) { + pk_inst = (rd_reg32(&priv->ctrl->perfmon.cha_num_ls) & + CHA_ID_LS_PK_MASK) >> CHA_ID_LS_PK_SHIFT; +- else +- pk_inst = rd_reg32(&priv->ctrl->vreg.pkha) & CHA_VER_NUM_MASK; ++ } else { ++ pkha = rd_reg32(&priv->ctrl->vreg.pkha); ++ pk_inst = pkha & CHA_VER_NUM_MASK; ++ ++ /* ++ * Newer CAAMs support partially disabled functionality. If this is the ++ * case, the number is non-zero, but this bit is set to indicate that ++ * no encryption or decryption is supported. Only signing and verifying ++ * is supported. ++ */ ++ if (pkha & CHA_VER_MISC_PKHA_NO_CRYPT) ++ pk_inst = 0; ++ } + + /* Do not register algorithms if PKHA is not present. */ + if (!pk_inst) +diff --git a/drivers/crypto/caam/regs.h b/drivers/crypto/caam/regs.h +index af61f3a2c0d46..3738625c02509 100644 +--- a/drivers/crypto/caam/regs.h ++++ b/drivers/crypto/caam/regs.h +@@ -322,6 +322,9 @@ struct version_regs { + /* CHA Miscellaneous Information - AESA_MISC specific */ + #define CHA_VER_MISC_AES_GCM BIT(1 + CHA_VER_MISC_SHIFT) + ++/* CHA Miscellaneous Information - PKHA_MISC specific */ ++#define CHA_VER_MISC_PKHA_NO_CRYPT BIT(7 + CHA_VER_MISC_SHIFT) ++ + /* + * caam_perfmon - Performance Monitor/Secure Memory Status/ + * CAAM Global Status/Component Version IDs +-- +2.33.0 + diff --git a/queue-5.15/crypto-ccree-avoid-out-of-range-warnings-from-clang.patch b/queue-5.15/crypto-ccree-avoid-out-of-range-warnings-from-clang.patch new file mode 100644 index 00000000000..cf0c458d111 --- /dev/null +++ b/queue-5.15/crypto-ccree-avoid-out-of-range-warnings-from-clang.patch @@ -0,0 +1,52 @@ +From deaf2a39cb889ef5d32ce484ca78b0a30ac2f65c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 14:18:03 +0200 +Subject: crypto: ccree - avoid out-of-range warnings from clang + +From: Arnd Bergmann + +[ Upstream commit cfd6fb45cfaf46fa9547421d8da387dc9c7997d4 ] + +clang points out inconsistencies in the FIELD_PREP() invocation in +this driver that result from the 'mask' being a 32-bit value: + +drivers/crypto/ccree/cc_driver.c:117:18: error: result of comparison of constant 18446744073709551615 with expression of type 'u32' (aka 'unsigned int') is always false [-Werror,-Wtautological-constant-out-of-range-compare] + cache_params |= FIELD_PREP(mask, val); + ^~~~~~~~~~~~~~~~~~~~~ +include/linux/bitfield.h:94:3: note: expanded from macro 'FIELD_PREP' + __BF_FIELD_CHECK(_mask, 0ULL, _val, "FIELD_PREP: "); \ + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +include/linux/bitfield.h:52:28: note: expanded from macro '__BF_FIELD_CHECK' + BUILD_BUG_ON_MSG((_mask) > (typeof(_reg))~0ull, \ + ~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This does not happen in other places that just pass a constant here. + +Work around the warnings by widening the type of the temporary variable. + +Fixes: 05c2a705917b ("crypto: ccree - rework cache parameters handling") +Signed-off-by: Arnd Bergmann +Acked-by: Gilad ben-Yossef +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccree/cc_driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccree/cc_driver.c b/drivers/crypto/ccree/cc_driver.c +index e599ac6dc162a..790fa9058a36d 100644 +--- a/drivers/crypto/ccree/cc_driver.c ++++ b/drivers/crypto/ccree/cc_driver.c +@@ -103,7 +103,8 @@ MODULE_DEVICE_TABLE(of, arm_ccree_dev_of_match); + static void init_cc_cache_params(struct cc_drvdata *drvdata) + { + struct device *dev = drvdata_to_dev(drvdata); +- u32 cache_params, ace_const, val, mask; ++ u32 cache_params, ace_const, val; ++ u64 mask; + + /* compute CC_AXIM_CACHE_PARAMS */ + cache_params = cc_ioread(drvdata, CC_REG(AXIM_CACHE_PARAMS)); +-- +2.33.0 + diff --git a/queue-5.15/crypto-ecc-fix-crypto_default_rng-dependency.patch b/queue-5.15/crypto-ecc-fix-crypto_default_rng-dependency.patch new file mode 100644 index 00000000000..e7b46df7ee8 --- /dev/null +++ b/queue-5.15/crypto-ecc-fix-crypto_default_rng-dependency.patch @@ -0,0 +1,50 @@ +From dc6f631a26d7b3274314d0160a6a3eb6e6041ca0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 12:05:35 +0200 +Subject: crypto: ecc - fix CRYPTO_DEFAULT_RNG dependency + +From: Arnd Bergmann + +[ Upstream commit 38aa192a05f22f9778f9420e630f0322525ef12e ] + +The ecc.c file started out as part of the ECDH algorithm but got +moved out into a standalone module later. It does not build without +CRYPTO_DEFAULT_RNG, so now that other modules are using it as well we +can run into this link error: + +aarch64-linux-ld: ecc.c:(.text+0xfc8): undefined reference to `crypto_default_rng' +aarch64-linux-ld: ecc.c:(.text+0xff4): undefined reference to `crypto_put_default_rng' + +Move the 'select CRYPTO_DEFAULT_RNG' statement into the correct symbol. + +Fixes: 0d7a78643f69 ("crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm") +Fixes: 4e6602916bc6 ("crypto: ecdsa - Add support for ECDSA signature verification") +Signed-off-by: Arnd Bergmann +Reviewed-by: Stefan Berger +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/Kconfig b/crypto/Kconfig +index 536df4b6b825c..285f82647d2b7 100644 +--- a/crypto/Kconfig ++++ b/crypto/Kconfig +@@ -233,12 +233,12 @@ config CRYPTO_DH + + config CRYPTO_ECC + tristate ++ select CRYPTO_RNG_DEFAULT + + config CRYPTO_ECDH + tristate "ECDH algorithm" + select CRYPTO_ECC + select CRYPTO_KPP +- select CRYPTO_RNG_DEFAULT + help + Generic implementation of the ECDH algorithm + +-- +2.33.0 + diff --git a/queue-5.15/crypto-octeontx2-set-assoclen-in-aead_do_fallback.patch b/queue-5.15/crypto-octeontx2-set-assoclen-in-aead_do_fallback.patch new file mode 100644 index 00000000000..c25b15dd402 --- /dev/null +++ b/queue-5.15/crypto-octeontx2-set-assoclen-in-aead_do_fallback.patch @@ -0,0 +1,35 @@ +From 7c8a4c8c9dbc2049d811ceb9f73a2c641976bcec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Oct 2021 19:36:42 +0300 +Subject: crypto: octeontx2 - set assoclen in aead_do_fallback() + +From: Ovidiu Panait + +[ Upstream commit 06f6e365e2ecf799c249bb464aa9d5f055e88b56 ] + +Currently, in case of aead fallback, no associated data info is set in the +fallback request. To fix this, call aead_request_set_ad() to pass the assoclen. + +Fixes: 6f03f0e8b6c8 ("crypto: octeontx2 - register with linux crypto framework") +Signed-off-by: Ovidiu Panait +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c b/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c +index a72723455df72..877a948469bd1 100644 +--- a/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c ++++ b/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c +@@ -1274,6 +1274,7 @@ static int aead_do_fallback(struct aead_request *req, bool is_enc) + req->base.complete, req->base.data); + aead_request_set_crypt(&rctx->fbk_req, req->src, + req->dst, req->cryptlen, req->iv); ++ aead_request_set_ad(&rctx->fbk_req, req->assoclen); + ret = is_enc ? crypto_aead_encrypt(&rctx->fbk_req) : + crypto_aead_decrypt(&rctx->fbk_req); + } else { +-- +2.33.0 + diff --git a/queue-5.15/crypto-pcrypt-delay-write-to-padata-info.patch b/queue-5.15/crypto-pcrypt-delay-write-to-padata-info.patch new file mode 100644 index 00000000000..57115288dbd --- /dev/null +++ b/queue-5.15/crypto-pcrypt-delay-write-to-padata-info.patch @@ -0,0 +1,85 @@ +From 6e5dc6b135da0613ed433d1b50446ffc8ea855b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 14:30:28 -0400 +Subject: crypto: pcrypt - Delay write to padata->info + +From: Daniel Jordan + +[ Upstream commit 68b6dea802cea0dbdd8bd7ccc60716b5a32a5d8a ] + +These three events can race when pcrypt is used multiple times in a +template ("pcrypt(pcrypt(...))"): + + 1. [taskA] The caller makes the crypto request via crypto_aead_encrypt() + 2. [kworkerB] padata serializes the inner pcrypt request + 3. [kworkerC] padata serializes the outer pcrypt request + +3 might finish before the call to crypto_aead_encrypt() returns in 1, +resulting in two possible issues. + +First, a use-after-free of the crypto request's memory when, for +example, taskA writes to the outer pcrypt request's padata->info in +pcrypt_aead_enc() after kworkerC completes the request. + +Second, the outer pcrypt request overwrites the inner pcrypt request's +return code with -EINPROGRESS, making a successful request appear to +fail. For instance, kworkerB writes the outer pcrypt request's +padata->info in pcrypt_aead_done() and then taskA overwrites it +in pcrypt_aead_enc(). + +Avoid both situations by delaying the write of padata->info until after +the inner crypto request's return code is checked. This prevents the +use-after-free by not touching the crypto request's memory after the +next-inner crypto request is made, and stops padata->info from being +overwritten. + +Fixes: 5068c7a883d16 ("crypto: pcrypt - Add pcrypt crypto parallelization wrapper") +Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com +Signed-off-by: Daniel Jordan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/pcrypt.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c +index d569c7ed6c800..9d10b846ccf73 100644 +--- a/crypto/pcrypt.c ++++ b/crypto/pcrypt.c +@@ -78,12 +78,14 @@ static void pcrypt_aead_enc(struct padata_priv *padata) + { + struct pcrypt_request *preq = pcrypt_padata_request(padata); + struct aead_request *req = pcrypt_request_ctx(preq); ++ int ret; + +- padata->info = crypto_aead_encrypt(req); ++ ret = crypto_aead_encrypt(req); + +- if (padata->info == -EINPROGRESS) ++ if (ret == -EINPROGRESS) + return; + ++ padata->info = ret; + padata_do_serial(padata); + } + +@@ -123,12 +125,14 @@ static void pcrypt_aead_dec(struct padata_priv *padata) + { + struct pcrypt_request *preq = pcrypt_padata_request(padata); + struct aead_request *req = pcrypt_request_ctx(preq); ++ int ret; + +- padata->info = crypto_aead_decrypt(req); ++ ret = crypto_aead_decrypt(req); + +- if (padata->info == -EINPROGRESS) ++ if (ret == -EINPROGRESS) + return; + ++ padata->info = ret; + padata_do_serial(padata); + } + +-- +2.33.0 + diff --git a/queue-5.15/crypto-qat-detect-pfvf-collision-after-ack.patch b/queue-5.15/crypto-qat-detect-pfvf-collision-after-ack.patch new file mode 100644 index 00000000000..469e82c8969 --- /dev/null +++ b/queue-5.15/crypto-qat-detect-pfvf-collision-after-ack.patch @@ -0,0 +1,46 @@ +From 555e87811dabe39815571243a9c0feeb2e491234 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 12:44:29 +0100 +Subject: crypto: qat - detect PFVF collision after ACK + +From: Giovanni Cabiddu + +[ Upstream commit 9b768e8a3909ac1ab39ed44a3933716da7761a6f ] + +Detect a PFVF collision between the local and the remote function by +checking if the message on the PFVF CSR has been overwritten. +This is done after the remote function confirms that the message has +been received, by clearing the interrupt bit, or the maximum number of +attempts (ADF_IOV_MSG_ACK_MAX_RETRY) to check the CSR has been exceeded. + +Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV") +Signed-off-by: Giovanni Cabiddu +Co-developed-by: Marco Chiappero +Signed-off-by: Marco Chiappero +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index 976b9ab7617cd..789a4135e28c0 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -156,6 +156,13 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr) + val = ADF_CSR_RD(pmisc_bar_addr, pf2vf_offset); + } while ((val & int_bit) && (count++ < ADF_IOV_MSG_ACK_MAX_RETRY)); + ++ if (val != msg) { ++ dev_dbg(&GET_DEV(accel_dev), ++ "Collision - PFVF CSR overwritten by remote function\n"); ++ ret = -EIO; ++ goto out; ++ } ++ + if (val & int_bit) { + dev_dbg(&GET_DEV(accel_dev), "ACK not received from remote\n"); + val &= ~int_bit; +-- +2.33.0 + diff --git a/queue-5.15/crypto-qat-disregard-spurious-pfvf-interrupts.patch b/queue-5.15/crypto-qat-disregard-spurious-pfvf-interrupts.patch new file mode 100644 index 00000000000..8dfb481a864 --- /dev/null +++ b/queue-5.15/crypto-qat-disregard-spurious-pfvf-interrupts.patch @@ -0,0 +1,75 @@ +From 0b3ea68c2a6e0fcfd982f25387ccd9eb74d3bc4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 12:44:30 +0100 +Subject: crypto: qat - disregard spurious PFVF interrupts + +From: Giovanni Cabiddu + +[ Upstream commit 18fcba469ba5359c1de7e3fb16f7b9e8cd1b8e02 ] + +Upon receiving a PFVF message, check if the interrupt bit is set in the +message. If it is not, that means that the interrupt was probably +triggered by a collision. In this case, disregard the message and +re-enable the interrupts. + +Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Marco Chiappero +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 6 ++++++ + drivers/crypto/qat/qat_common/adf_vf_isr.c | 6 ++++++ + 2 files changed, 12 insertions(+) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index 789a4135e28c0..5a41beb8f20f6 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -211,6 +211,11 @@ void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info) + + /* Read message from the VF */ + msg = ADF_CSR_RD(pmisc_addr, hw_data->get_pf2vf_offset(vf_nr)); ++ if (!(msg & ADF_VF2PF_INT)) { ++ dev_info(&GET_DEV(accel_dev), ++ "Spurious VF2PF interrupt, msg %X. Ignored\n", msg); ++ goto out; ++ } + + /* To ACK, clear the VF2PFINT bit */ + msg &= ~ADF_VF2PF_INT; +@@ -294,6 +299,7 @@ void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info) + if (resp && adf_iov_putmsg(accel_dev, resp, vf_nr)) + dev_err(&GET_DEV(accel_dev), "Failed to send response to VF\n"); + ++out: + /* re-enable interrupt on PF from this VF */ + adf_enable_vf2pf_interrupts(accel_dev, (1 << vf_nr)); + +diff --git a/drivers/crypto/qat/qat_common/adf_vf_isr.c b/drivers/crypto/qat/qat_common/adf_vf_isr.c +index 7828a6573f3e2..2e300c255ab94 100644 +--- a/drivers/crypto/qat/qat_common/adf_vf_isr.c ++++ b/drivers/crypto/qat/qat_common/adf_vf_isr.c +@@ -101,6 +101,11 @@ static void adf_pf2vf_bh_handler(void *data) + + /* Read the message from PF */ + msg = ADF_CSR_RD(pmisc_bar_addr, hw_data->get_pf2vf_offset(0)); ++ if (!(msg & ADF_PF2VF_INT)) { ++ dev_info(&GET_DEV(accel_dev), ++ "Spurious PF2VF interrupt, msg %X. Ignored\n", msg); ++ goto out; ++ } + + if (!(msg & ADF_PF2VF_MSGORIGIN_SYSTEM)) + /* Ignore legacy non-system (non-kernel) PF2VF messages */ +@@ -149,6 +154,7 @@ static void adf_pf2vf_bh_handler(void *data) + msg &= ~ADF_PF2VF_INT; + ADF_CSR_WR(pmisc_bar_addr, hw_data->get_pf2vf_offset(0), msg); + ++out: + /* Re-enable PF2VF interrupts */ + adf_enable_pf2vf_interrupts(accel_dev); + return; +-- +2.33.0 + diff --git a/queue-5.15/crypto-qat-power-up-4xxx-device.patch b/queue-5.15/crypto-qat-power-up-4xxx-device.patch new file mode 100644 index 00000000000..df56458c54d --- /dev/null +++ b/queue-5.15/crypto-qat-power-up-4xxx-device.patch @@ -0,0 +1,157 @@ +From e3757ef0a44e357415a76b04054a5ae87824bb2e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 15:45:41 +0100 +Subject: crypto: qat - power up 4xxx device + +From: Giovanni Cabiddu + +[ Upstream commit ca605f97dae4bf070b7c584aec23c1c922e4d823 ] + +After reset or boot, QAT 4xxx devices are inactive and require to be +explicitly activated. +This is done by writing the DRV_ACTIVE bit in the PM_INTERRUPT register +and polling the PM_INIT_STATE to make sure that the transaction has +completed properly. + +If this is not done, the driver will fail the initialization sequence +reporting the following message: + [ 22.081193] 4xxx 0000:f7:00.0: enabling device (0140 -> 0142) + [ 22.720285] QAT: AE0 is inactive!! + [ 22.720287] QAT: failed to get device out of reset + [ 22.720288] 4xxx 0000:f7:00.0: qat_hal_clr_reset error + [ 22.720290] 4xxx 0000:f7:00.0: Failed to init the AEs + [ 22.720290] 4xxx 0000:f7:00.0: Failed to initialise Acceleration Engine + [ 22.720789] 4xxx 0000:f7:00.0: Resetting device qat_dev0 + [ 22.825099] 4xxx: probe of 0000:f7:00.0 failed with error -14 + +The patch also temporarily disables the power management source of +interrupt, to avoid possible spurious interrupts as the power management +feature is not fully supported. + +The device init function has been added to adf_dev_init(), and not in the +probe of 4xxx to make sure that the device is re-enabled in case of +reset. + +Note that the error code reported by hw_data->init_device() in +adf_dev_init() has been shadowed for consistency with the other calls +in the same function. + +Fixes: 8c8268166e83 ("crypto: qat - add qat_4xxx driver") +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Wojciech Ziemba +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + .../crypto/qat/qat_4xxx/adf_4xxx_hw_data.c | 31 +++++++++++++++++++ + .../crypto/qat/qat_4xxx/adf_4xxx_hw_data.h | 10 ++++++ + .../crypto/qat/qat_common/adf_accel_devices.h | 1 + + drivers/crypto/qat/qat_common/adf_init.c | 5 +++ + 4 files changed, 47 insertions(+) + +diff --git a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c +index 33d8e50dcbdac..88c0ded411f15 100644 +--- a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c ++++ b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.c +@@ -1,5 +1,6 @@ + // SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0-only) + /* Copyright(c) 2020 Intel Corporation */ ++#include + #include + #include + #include +@@ -161,6 +162,35 @@ static void adf_enable_ints(struct adf_accel_dev *accel_dev) + ADF_CSR_WR(addr, ADF_4XXX_SMIAPF_MASK_OFFSET, 0); + } + ++static int adf_init_device(struct adf_accel_dev *accel_dev) ++{ ++ void __iomem *addr; ++ u32 status; ++ u32 csr; ++ int ret; ++ ++ addr = (&GET_BARS(accel_dev)[ADF_4XXX_PMISC_BAR])->virt_addr; ++ ++ /* Temporarily mask PM interrupt */ ++ csr = ADF_CSR_RD(addr, ADF_4XXX_ERRMSK2); ++ csr |= ADF_4XXX_PM_SOU; ++ ADF_CSR_WR(addr, ADF_4XXX_ERRMSK2, csr); ++ ++ /* Set DRV_ACTIVE bit to power up the device */ ++ ADF_CSR_WR(addr, ADF_4XXX_PM_INTERRUPT, ADF_4XXX_PM_DRV_ACTIVE); ++ ++ /* Poll status register to make sure the device is powered up */ ++ ret = read_poll_timeout(ADF_CSR_RD, status, ++ status & ADF_4XXX_PM_INIT_STATE, ++ ADF_4XXX_PM_POLL_DELAY_US, ++ ADF_4XXX_PM_POLL_TIMEOUT_US, true, addr, ++ ADF_4XXX_PM_STATUS); ++ if (ret) ++ dev_err(&GET_DEV(accel_dev), "Failed to power up the device\n"); ++ ++ return ret; ++} ++ + static int adf_enable_pf2vf_comms(struct adf_accel_dev *accel_dev) + { + return 0; +@@ -215,6 +245,7 @@ void adf_init_hw_data_4xxx(struct adf_hw_device_data *hw_data) + hw_data->exit_arb = adf_exit_arb; + hw_data->get_arb_mapping = adf_get_arbiter_mapping; + hw_data->enable_ints = adf_enable_ints; ++ hw_data->init_device = adf_init_device; + hw_data->reset_device = adf_reset_flr; + hw_data->admin_ae_mask = ADF_4XXX_ADMIN_AE_MASK; + hw_data->uof_get_num_objs = uof_get_num_objs; +diff --git a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.h b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.h +index 4fe2a776293c2..924bac6feb372 100644 +--- a/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.h ++++ b/drivers/crypto/qat/qat_4xxx/adf_4xxx_hw_data.h +@@ -62,6 +62,16 @@ + #define ADF_4XXX_ADMINMSGLR_OFFSET (0x500578) + #define ADF_4XXX_MAILBOX_BASE_OFFSET (0x600970) + ++/* Power management */ ++#define ADF_4XXX_PM_POLL_DELAY_US 20 ++#define ADF_4XXX_PM_POLL_TIMEOUT_US USEC_PER_SEC ++#define ADF_4XXX_PM_STATUS (0x50A00C) ++#define ADF_4XXX_PM_INTERRUPT (0x50A028) ++#define ADF_4XXX_PM_DRV_ACTIVE BIT(20) ++#define ADF_4XXX_PM_INIT_STATE BIT(21) ++/* Power management source in ERRSOU2 and ERRMSK2 */ ++#define ADF_4XXX_PM_SOU BIT(18) ++ + /* Firmware Binaries */ + #define ADF_4XXX_FW "qat_4xxx.bin" + #define ADF_4XXX_MMP "qat_4xxx_mmp.bin" +diff --git a/drivers/crypto/qat/qat_common/adf_accel_devices.h b/drivers/crypto/qat/qat_common/adf_accel_devices.h +index 38c0af6d4e43e..580566cfcb04c 100644 +--- a/drivers/crypto/qat/qat_common/adf_accel_devices.h ++++ b/drivers/crypto/qat/qat_common/adf_accel_devices.h +@@ -166,6 +166,7 @@ struct adf_hw_device_data { + int (*init_arb)(struct adf_accel_dev *accel_dev); + void (*exit_arb)(struct adf_accel_dev *accel_dev); + const u32 *(*get_arb_mapping)(void); ++ int (*init_device)(struct adf_accel_dev *accel_dev); + void (*disable_iov)(struct adf_accel_dev *accel_dev); + void (*configure_iov_threads)(struct adf_accel_dev *accel_dev, + bool enable); +diff --git a/drivers/crypto/qat/qat_common/adf_init.c b/drivers/crypto/qat/qat_common/adf_init.c +index 60bc7b991d351..e3749e5817d94 100644 +--- a/drivers/crypto/qat/qat_common/adf_init.c ++++ b/drivers/crypto/qat/qat_common/adf_init.c +@@ -79,6 +79,11 @@ int adf_dev_init(struct adf_accel_dev *accel_dev) + return -EFAULT; + } + ++ if (hw_data->init_device && hw_data->init_device(accel_dev)) { ++ dev_err(&GET_DEV(accel_dev), "Failed to initialize device\n"); ++ return -EFAULT; ++ } ++ + if (hw_data->init_admin_comms && hw_data->init_admin_comms(accel_dev)) { + dev_err(&GET_DEV(accel_dev), "Failed initialize admin comms\n"); + return -EFAULT; +-- +2.33.0 + diff --git a/queue-5.15/crypto-sm4-do-not-change-section-of-ck-and-sbox.patch b/queue-5.15/crypto-sm4-do-not-change-section-of-ck-and-sbox.patch new file mode 100644 index 00000000000..10df5919050 --- /dev/null +++ b/queue-5.15/crypto-sm4-do-not-change-section-of-ck-and-sbox.patch @@ -0,0 +1,58 @@ +From 7bfb32904b42aca9f1e138ad268b9a96850b69ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Aug 2021 13:38:59 -0700 +Subject: crypto: sm4 - Do not change section of ck and sbox + +From: Nathan Chancellor + +[ Upstream commit 4a7e1e5fc294687a8941fa3eeb4a7e8539ca5e2f ] + +When building with clang and GNU as, there is a warning about ignored +changed section attributes: + +/tmp/sm4-c916c8.s: Assembler messages: +/tmp/sm4-c916c8.s:677: Warning: ignoring changed section attributes for +.data..cacheline_aligned + +"static const" places the data in .rodata but __cacheline_aligned has +the section attribute to place it in .data..cacheline_aligned, in +addition to the aligned attribute. + +To keep the alignment but avoid attempting to change sections, use the +____cacheline_aligned attribute, which is just the aligned attribute. + +Fixes: 2b31277af577 ("crypto: sm4 - create SM4 library based on sm4 generic code") +Link: https://github.com/ClangBuiltLinux/linux/issues/1441 +Signed-off-by: Nathan Chancellor +Reviewed-by: Tianjia Zhang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/crypto/sm4.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/crypto/sm4.c b/lib/crypto/sm4.c +index 633b59fed9db8..284e62576d0c6 100644 +--- a/lib/crypto/sm4.c ++++ b/lib/crypto/sm4.c +@@ -15,7 +15,7 @@ static const u32 fk[4] = { + 0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc + }; + +-static const u32 __cacheline_aligned ck[32] = { ++static const u32 ____cacheline_aligned ck[32] = { + 0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269, + 0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9, + 0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249, +@@ -26,7 +26,7 @@ static const u32 __cacheline_aligned ck[32] = { + 0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279 + }; + +-static const u8 __cacheline_aligned sbox[256] = { ++static const u8 ____cacheline_aligned sbox[256] = { + 0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, + 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05, + 0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, +-- +2.33.0 + diff --git a/queue-5.15/crypto-tcrypt-fix-skcipher-multi-buffer-tests-for-14.patch b/queue-5.15/crypto-tcrypt-fix-skcipher-multi-buffer-tests-for-14.patch new file mode 100644 index 00000000000..3226ca8155c --- /dev/null +++ b/queue-5.15/crypto-tcrypt-fix-skcipher-multi-buffer-tests-for-14.patch @@ -0,0 +1,55 @@ +From e96d717a63e62c9af961eb45060ae892af8580f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 10:39:18 +0300 +Subject: crypto: tcrypt - fix skcipher multi-buffer tests for 1420B blocks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Horia Geantă + +[ Upstream commit 3ae88f676aa63366ffa9eebb8ae787c7e19f0c57 ] + +Commit ad6d66bcac77e ("crypto: tcrypt - include 1420 byte blocks in aead and skcipher benchmarks") +mentions: +> power-of-2 block size. So let's add 1420 bytes explicitly, and round +> it up to the next blocksize multiple of the algo in question if it +> does not support 1420 byte blocks. +but misses updating skcipher multi-buffer tests. + +Fix this by using the proper (rounded) input size. + +Fixes: ad6d66bcac77e ("crypto: tcrypt - include 1420 byte blocks in aead and skcipher benchmarks") +Signed-off-by: Horia Geantă +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/tcrypt.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c +index 82b0400985a51..00149657a4bc1 100644 +--- a/crypto/tcrypt.c ++++ b/crypto/tcrypt.c +@@ -1333,7 +1333,7 @@ static void test_mb_skcipher_speed(const char *algo, int enc, int secs, + + if (bs > XBUFSIZE * PAGE_SIZE) { + pr_err("template (%u) too big for buffer (%lu)\n", +- *b_size, XBUFSIZE * PAGE_SIZE); ++ bs, XBUFSIZE * PAGE_SIZE); + goto out; + } + +@@ -1386,8 +1386,7 @@ static void test_mb_skcipher_speed(const char *algo, int enc, int secs, + memset(cur->xbuf[p], 0xff, k); + + skcipher_request_set_crypt(cur->req, cur->sg, +- cur->sg, *b_size, +- iv); ++ cur->sg, bs, iv); + } + + if (secs) { +-- +2.33.0 + diff --git a/queue-5.15/cxgb4-fix-eeprom-len-when-diagnostics-not-implemente.patch b/queue-5.15/cxgb4-fix-eeprom-len-when-diagnostics-not-implemente.patch new file mode 100644 index 00000000000..f823f2ccdcf --- /dev/null +++ b/queue-5.15/cxgb4-fix-eeprom-len-when-diagnostics-not-implemente.patch @@ -0,0 +1,61 @@ +From 2f80fe360ca796e49c1d4edb81f8e76956b7270c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Nov 2021 15:55:16 +0530 +Subject: cxgb4: fix eeprom len when diagnostics not implemented + +From: Rahul Lakkireddy + +[ Upstream commit 4ca110bf8d9b31a60f8f8ff6706ea147d38ad97c ] + +Ensure diagnostics monitoring support is implemented for the SFF 8472 +compliant port module and set the correct length for ethtool port +module eeprom read. + +Fixes: f56ec6766dcf ("cxgb4: Add support for ethtool i2c dump") +Signed-off-by: Manoj Malviya +Signed-off-by: Rahul Lakkireddy +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c | 7 +++++-- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.h | 2 ++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c +index 5903bdb78916f..129352bbe1143 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_ethtool.c +@@ -2015,12 +2015,15 @@ static int cxgb4_get_module_info(struct net_device *dev, + if (ret) + return ret; + +- if (!sff8472_comp || (sff_diag_type & 4)) { ++ if (!sff8472_comp || (sff_diag_type & SFP_DIAG_ADDRMODE)) { + modinfo->type = ETH_MODULE_SFF_8079; + modinfo->eeprom_len = ETH_MODULE_SFF_8079_LEN; + } else { + modinfo->type = ETH_MODULE_SFF_8472; +- modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; ++ if (sff_diag_type & SFP_DIAG_IMPLEMENTED) ++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN; ++ else ++ modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN / 2; + } + break; + +diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h +index 002fc62ea7262..63bc956d20376 100644 +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.h +@@ -293,6 +293,8 @@ enum { + #define I2C_PAGE_SIZE 0x100 + #define SFP_DIAG_TYPE_ADDR 0x5c + #define SFP_DIAG_TYPE_LEN 0x1 ++#define SFP_DIAG_ADDRMODE BIT(2) ++#define SFP_DIAG_IMPLEMENTED BIT(6) + #define SFF_8472_COMP_ADDR 0x5e + #define SFF_8472_COMP_LEN 0x1 + #define SFF_REV_ADDR 0x1 +-- +2.33.0 + diff --git a/queue-5.15/dma-buf-warn-on-dmabuf-release-with-pending-attachme.patch b/queue-5.15/dma-buf-warn-on-dmabuf-release-with-pending-attachme.patch new file mode 100644 index 00000000000..0436257982c --- /dev/null +++ b/queue-5.15/dma-buf-warn-on-dmabuf-release-with-pending-attachme.patch @@ -0,0 +1,56 @@ +From 8064631b7385b5d9f3624973a854d8cc1e693c5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Jul 2021 18:01:08 +0530 +Subject: dma-buf: WARN on dmabuf release with pending attachments +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Charan Teja Reddy + +[ Upstream commit f492283b157053e9555787262f058ae33096f568 ] + +It is expected from the clients to follow the below steps on an imported +dmabuf fd: +a) dmabuf = dma_buf_get(fd) // Get the dmabuf from fd +b) dma_buf_attach(dmabuf); // Clients attach to the dmabuf + o Here the kernel does some slab allocations, say for +dma_buf_attachment and may be some other slab allocation in the +dmabuf->ops->attach(). +c) Client may need to do dma_buf_map_attachment(). +d) Accordingly dma_buf_unmap_attachment() should be called. +e) dma_buf_detach () // Clients detach to the dmabuf. + o Here the slab allocations made in b) are freed. +f) dma_buf_put(dmabuf) // Can free the dmabuf if it is the last +reference. + +Now say an erroneous client failed at step c) above thus it directly +called dma_buf_put(), step f) above. Considering that it may be the last +reference to the dmabuf, buffer will be freed with pending attachments +left to the dmabuf which can show up as the 'memory leak'. This should +at least be reported as the WARN(). + +Signed-off-by: Charan Teja Reddy +Reviewed-by: Christian König +Link: https://patchwork.freedesktop.org/patch/msgid/1627043468-16381-1-git-send-email-charante@codeaurora.org +Signed-off-by: Christian König +Signed-off-by: Sasha Levin +--- + drivers/dma-buf/dma-buf.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c +index 9f68f76c985e3..61e20ae7b08b7 100644 +--- a/drivers/dma-buf/dma-buf.c ++++ b/drivers/dma-buf/dma-buf.c +@@ -82,6 +82,7 @@ static void dma_buf_release(struct dentry *dentry) + if (dmabuf->resv == (struct dma_resv *)&dmabuf[1]) + dma_resv_fini(dmabuf->resv); + ++ WARN_ON(!list_empty(&dmabuf->attachments)); + module_put(dmabuf->owner); + kfree(dmabuf->name); + kfree(dmabuf); +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-at_xdmac-call-at_xdmac_axi_config-on-resum.patch b/queue-5.15/dmaengine-at_xdmac-call-at_xdmac_axi_config-on-resum.patch new file mode 100644 index 00000000000..3afa52a9293 --- /dev/null +++ b/queue-5.15/dmaengine-at_xdmac-call-at_xdmac_axi_config-on-resum.patch @@ -0,0 +1,110 @@ +From 50d7088c3bc8da9c5c33975353b4211fe15380a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 14:12:27 +0300 +Subject: dmaengine: at_xdmac: call at_xdmac_axi_config() on resume path + +From: Claudiu Beznea + +[ Upstream commit fa5270ec2f2688d98a82895be7039b81c87d856c ] + +at_xdmac could be used on SoCs which supports backup mode (where most +of the SoC power, including power to DMA controller, is closed at suspend +time). Thus, on resume, the settings which were previously done need to be +restored. Do the same for axi configuration. + +Fixes: f40566f220a1 ("dmaengine: at_xdmac: add AXI priority support and recommended settings") +Signed-off-by: Claudiu Beznea +Reviewed-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211007111230.2331837-2-claudiu.beznea@microchip.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/at_xdmac.c | 51 ++++++++++++++++++++++-------------------- + 1 file changed, 27 insertions(+), 24 deletions(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index ab78e0f6afd70..c66ad5706cb5a 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -1926,6 +1926,30 @@ static void at_xdmac_free_chan_resources(struct dma_chan *chan) + return; + } + ++static void at_xdmac_axi_config(struct platform_device *pdev) ++{ ++ struct at_xdmac *atxdmac = (struct at_xdmac *)platform_get_drvdata(pdev); ++ bool dev_m2m = false; ++ u32 dma_requests; ++ ++ if (!atxdmac->layout->axi_config) ++ return; /* Not supported */ ++ ++ if (!of_property_read_u32(pdev->dev.of_node, "dma-requests", ++ &dma_requests)) { ++ dev_info(&pdev->dev, "controller in mem2mem mode.\n"); ++ dev_m2m = true; ++ } ++ ++ if (dev_m2m) { ++ at_xdmac_write(atxdmac, AT_XDMAC_GCFG, AT_XDMAC_GCFG_M2M); ++ at_xdmac_write(atxdmac, AT_XDMAC_GWAC, AT_XDMAC_GWAC_M2M); ++ } else { ++ at_xdmac_write(atxdmac, AT_XDMAC_GCFG, AT_XDMAC_GCFG_P2M); ++ at_xdmac_write(atxdmac, AT_XDMAC_GWAC, AT_XDMAC_GWAC_P2M); ++ } ++} ++ + #ifdef CONFIG_PM + static int atmel_xdmac_prepare(struct device *dev) + { +@@ -1975,6 +1999,7 @@ static int atmel_xdmac_resume(struct device *dev) + struct at_xdmac *atxdmac = dev_get_drvdata(dev); + struct at_xdmac_chan *atchan; + struct dma_chan *chan, *_chan; ++ struct platform_device *pdev = container_of(dev, struct platform_device, dev); + int i; + int ret; + +@@ -1982,6 +2007,8 @@ static int atmel_xdmac_resume(struct device *dev) + if (ret) + return ret; + ++ at_xdmac_axi_config(pdev); ++ + /* Clear pending interrupts. */ + for (i = 0; i < atxdmac->dma.chancnt; i++) { + atchan = &atxdmac->chan[i]; +@@ -2007,30 +2034,6 @@ static int atmel_xdmac_resume(struct device *dev) + } + #endif /* CONFIG_PM_SLEEP */ + +-static void at_xdmac_axi_config(struct platform_device *pdev) +-{ +- struct at_xdmac *atxdmac = (struct at_xdmac *)platform_get_drvdata(pdev); +- bool dev_m2m = false; +- u32 dma_requests; +- +- if (!atxdmac->layout->axi_config) +- return; /* Not supported */ +- +- if (!of_property_read_u32(pdev->dev.of_node, "dma-requests", +- &dma_requests)) { +- dev_info(&pdev->dev, "controller in mem2mem mode.\n"); +- dev_m2m = true; +- } +- +- if (dev_m2m) { +- at_xdmac_write(atxdmac, AT_XDMAC_GCFG, AT_XDMAC_GCFG_M2M); +- at_xdmac_write(atxdmac, AT_XDMAC_GWAC, AT_XDMAC_GWAC_M2M); +- } else { +- at_xdmac_write(atxdmac, AT_XDMAC_GCFG, AT_XDMAC_GCFG_P2M); +- at_xdmac_write(atxdmac, AT_XDMAC_GWAC, AT_XDMAC_GWAC_P2M); +- } +-} +- + static int at_xdmac_probe(struct platform_device *pdev) + { + struct at_xdmac *atxdmac; +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch b/queue-5.15/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch new file mode 100644 index 00000000000..41cae5309d1 --- /dev/null +++ b/queue-5.15/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch @@ -0,0 +1,41 @@ +From befea834dc25c9c0b531079d8ac5938129209b23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 14:12:28 +0300 +Subject: dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro + +From: Claudiu Beznea + +[ Upstream commit 320c88a3104dc955f928a1eecebd551ff89530c0 ] + +AT_XDMAC_CC_PERID() should be used to setup bits 24..30 of XDMAC_CC +register. Using it without parenthesis around 0x7f & (i) will lead to +setting all the time zero for bits 24..30 of XDMAC_CC as the << operator +has higher precedence over bitwise &. Thus, add paranthesis around +0x7f & (i). + +Fixes: 15a03850ab8f ("dmaengine: at_xdmac: fix macro typo") +Signed-off-by: Claudiu Beznea +Reviewed-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211007111230.2331837-3-claudiu.beznea@microchip.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/at_xdmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index c66ad5706cb5a..e18abbd56fb51 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -155,7 +155,7 @@ + #define AT_XDMAC_CC_WRIP (0x1 << 23) /* Write in Progress (read only) */ + #define AT_XDMAC_CC_WRIP_DONE (0x0 << 23) + #define AT_XDMAC_CC_WRIP_IN_PROGRESS (0x1 << 23) +-#define AT_XDMAC_CC_PERID(i) (0x7f & (i) << 24) /* Channel Peripheral Identifier */ ++#define AT_XDMAC_CC_PERID(i) ((0x7f & (i)) << 24) /* Channel Peripheral Identifier */ + #define AT_XDMAC_CDS_MSP 0x2C /* Channel Data Stride Memory Set Pattern */ + #define AT_XDMAC_CSUS 0x30 /* Channel Source Microblock Stride */ + #define AT_XDMAC_CDUS 0x34 /* Channel Destination Microblock Stride */ +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch b/queue-5.15/dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch new file mode 100644 index 00000000000..a89feeadd01 --- /dev/null +++ b/queue-5.15/dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch @@ -0,0 +1,64 @@ +From 27db1cba85b926bb21a48df75c95e337462ff984 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 23 Oct 2021 15:41:01 +0200 +Subject: dmaengine: dmaengine_desc_callback_valid(): Check for + `callback_result` + +From: Lars-Peter Clausen + +[ Upstream commit e7e1e880b114ca640a2f280b0d5d38aed98f98c6 ] + +Before the `callback_result` callback was introduced drivers coded their +invocation to the callback in a similar way to: + + if (cb->callback) { + spin_unlock(&dma->lock); + cb->callback(cb->callback_param); + spin_lock(&dma->lock); + } + +With the introduction of `callback_result` two helpers where introduced to +transparently handle both types of callbacks. And drivers where updated to +look like this: + + if (dmaengine_desc_callback_valid(cb)) { + spin_unlock(&dma->lock); + dmaengine_desc_callback_invoke(cb, ...); + spin_lock(&dma->lock); + } + +dmaengine_desc_callback_invoke() correctly handles both `callback_result` +and `callback`. But we forgot to update the dmaengine_desc_callback_valid() +function to check for `callback_result`. As a result DMA descriptors that +use the `callback_result` rather than `callback` don't have their callback +invoked by drivers that follow the pattern above. + +Fix this by checking for both `callback` and `callback_result` in +dmaengine_desc_callback_valid(). + +Fixes: f067025bc676 ("dmaengine: add support to provide error result from a DMA transation") +Signed-off-by: Lars-Peter Clausen +Acked-by: Dave Jiang +Link: https://lore.kernel.org/r/20211023134101.28042-1-lars@metafoo.de +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/dmaengine.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/dmaengine.h b/drivers/dma/dmaengine.h +index 1bfbd64b13717..53f16d3f00294 100644 +--- a/drivers/dma/dmaengine.h ++++ b/drivers/dma/dmaengine.h +@@ -176,7 +176,7 @@ dmaengine_desc_get_callback_invoke(struct dma_async_tx_descriptor *tx, + static inline bool + dmaengine_desc_callback_valid(struct dmaengine_desc_callback *cb) + { +- return (cb->callback) ? true : false; ++ return cb->callback || cb->callback_result; + } + + struct dma_chan *dma_get_slave_channel(struct dma_chan *chan); +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-idxd-fix-resource-leak-on-dmaengine-driver.patch b/queue-5.15/dmaengine-idxd-fix-resource-leak-on-dmaengine-driver.patch new file mode 100644 index 00000000000..a0b22131e81 --- /dev/null +++ b/queue-5.15/dmaengine-idxd-fix-resource-leak-on-dmaengine-driver.patch @@ -0,0 +1,45 @@ +From 2e73d5e4921aa77b4a35a2ef1a154bc8e721d4df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 08:01:04 -0700 +Subject: dmaengine: idxd: fix resource leak on dmaengine driver disable + +From: Dave Jiang + +[ Upstream commit a3e340c1574b6679f5b333221284d0959095da52 ] + +The wq resources needs to be released before the kernel type is reset by +__drv_disable_wq(). With dma channels unregistered and wq quiesced, all the +wq resources for dmaengine can be freed. There is no need to wait until wq +is disabled. With the wq->type being reset to "unknown", the driver is +skipping the freeing of the resources. + +Fixes: 0cda4f6986a3 ("dmaengine: idxd: create dmaengine driver for wq 'device'") +Reported-by: Jacob Pan +Tested-by: Jacob Pan +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/163517405099.3484556.12521975053711345244.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/dma.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/dma/idxd/dma.c b/drivers/dma/idxd/dma.c +index b90b085d18cff..c39e9483206ad 100644 +--- a/drivers/dma/idxd/dma.c ++++ b/drivers/dma/idxd/dma.c +@@ -329,10 +329,9 @@ static void idxd_dmaengine_drv_remove(struct idxd_dev *idxd_dev) + mutex_lock(&wq->wq_lock); + idxd_wq_quiesce(wq); + idxd_unregister_dma_channel(wq); ++ idxd_wq_free_resources(wq); + __drv_disable_wq(wq); + percpu_ref_exit(&wq->wq_active); +- idxd_wq_free_resources(wq); +- wq->type = IDXD_WQT_NONE; + mutex_unlock(&wq->wq_lock); + } + +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-idxd-move-out-percpu_ref_exit-to-ensure-it.patch b/queue-5.15/dmaengine-idxd-move-out-percpu_ref_exit-to-ensure-it.patch new file mode 100644 index 00000000000..ad79850b728 --- /dev/null +++ b/queue-5.15/dmaengine-idxd-move-out-percpu_ref_exit-to-ensure-it.patch @@ -0,0 +1,60 @@ +From 4ceaf5b1da7e27b41c55ca041fd909c1c55c0402 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 12:15:38 -0700 +Subject: dmaengine: idxd: move out percpu_ref_exit() to ensure it's outside + submission + +From: Dave Jiang + +[ Upstream commit 85f604af9c83a4656b1d07bec73298c3ba7d7c1e ] + +percpu_ref_tryget_live() is safe to call as long as ref is between init and +exit according to the function comment. Move percpu_ref_exit() so it is +called after the dma channel is no longer valid to ensure this holds true. + +Fixes: 93a40a6d7428 ("dmaengine: idxd: add percpu_ref to descriptor submission path") +Suggested-by: Kevin Tian +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/163294293832.914350.10326422026738506152.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 1 - + drivers/dma/idxd/dma.c | 2 ++ + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index 83a5ff2ecf2a0..cbbfa17d8d11b 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -427,7 +427,6 @@ void idxd_wq_quiesce(struct idxd_wq *wq) + { + percpu_ref_kill(&wq->wq_active); + wait_for_completion(&wq->wq_dead); +- percpu_ref_exit(&wq->wq_active); + } + + /* Device control bits */ +diff --git a/drivers/dma/idxd/dma.c b/drivers/dma/idxd/dma.c +index e0f056c1d1f56..b90b085d18cff 100644 +--- a/drivers/dma/idxd/dma.c ++++ b/drivers/dma/idxd/dma.c +@@ -311,6 +311,7 @@ static int idxd_dmaengine_drv_probe(struct idxd_dev *idxd_dev) + + err_dma: + idxd_wq_quiesce(wq); ++ percpu_ref_exit(&wq->wq_active); + err_ref: + idxd_wq_free_resources(wq); + err_res_alloc: +@@ -329,6 +330,7 @@ static void idxd_dmaengine_drv_remove(struct idxd_dev *idxd_dev) + idxd_wq_quiesce(wq); + idxd_unregister_dma_channel(wq); + __drv_disable_wq(wq); ++ percpu_ref_exit(&wq->wq_active); + idxd_wq_free_resources(wq); + wq->type = IDXD_WQT_NONE; + mutex_unlock(&wq->wq_lock); +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-idxd-reconfig-device-after-device-reset-co.patch b/queue-5.15/dmaengine-idxd-reconfig-device-after-device-reset-co.patch new file mode 100644 index 00000000000..52253c95bae --- /dev/null +++ b/queue-5.15/dmaengine-idxd-reconfig-device-after-device-reset-co.patch @@ -0,0 +1,38 @@ +From 74f15f215af4ed47e54a13fc7e1241344b867ce0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 17:18:05 -0700 +Subject: dmaengine: idxd: reconfig device after device reset command + +From: Dave Jiang + +[ Upstream commit e530a9f3db4188d1f4e3704b0948ef69c04d5ca6 ] + +Device reset clears the MSIXPERM table and the device registers. Re-program +the MSIXPERM table and re-enable the error interrupts post reset. + +Fixes: 745e92a6d816 ("dmaengine: idxd: idxd: move remove() bits for idxd 'struct device' to device.c") +Reported-by: Sanjay Kumar +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/163054188513.2853562.12077053294595278181.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/device.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/dma/idxd/device.c b/drivers/dma/idxd/device.c +index cbbfa17d8d11b..419b206f8a42d 100644 +--- a/drivers/dma/idxd/device.c ++++ b/drivers/dma/idxd/device.c +@@ -583,6 +583,8 @@ void idxd_device_reset(struct idxd_device *idxd) + spin_lock(&idxd->dev_lock); + idxd_device_clear_state(idxd); + idxd->state = IDXD_DEV_DISABLED; ++ idxd_unmask_error_interrupts(idxd); ++ idxd_msix_perm_setup(idxd); + spin_unlock(&idxd->dev_lock); + } + +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-stm32-dma-avoid-64-bit-division-in-stm32_d.patch b/queue-5.15/dmaengine-stm32-dma-avoid-64-bit-division-in-stm32_d.patch new file mode 100644 index 00000000000..5d50fba048a --- /dev/null +++ b/queue-5.15/dmaengine-stm32-dma-avoid-64-bit-division-in-stm32_d.patch @@ -0,0 +1,72 @@ +From 4577086ed03ca96e71303a2a745527124b2e1a7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 16:33:12 +0100 +Subject: dmaengine: stm32-dma: avoid 64-bit division in + stm32_dma_get_max_width + +From: Arnd Bergmann + +[ Upstream commit 2498363310e9b5e5de0e104709adc35c9f3ff7d9 ] + +Using the % operator on a 64-bit variable is expensive and can +cause a link failure: + +arm-linux-gnueabi-ld: drivers/dma/stm32-dma.o: in function `stm32_dma_get_max_width': +stm32-dma.c:(.text+0x170): undefined reference to `__aeabi_uldivmod' +arm-linux-gnueabi-ld: drivers/dma/stm32-dma.o: in function `stm32_dma_set_xfer_param': +stm32-dma.c:(.text+0x1cd4): undefined reference to `__aeabi_uldivmod' + +As we know that we just want to check the alignment in +stm32_dma_get_max_width(), there is no need for a full division, and +using a simple mask is a faster replacement. + +Same in stm32_dma_set_xfer_param(), change this to only allow burst +transfers if the address is a multiple of the length. +stm32_dma_get_best_burst just after will take buf_len into account to fix +burst in case of misalignment. + +Fixes: b20fd5fa310c ("dmaengine: stm32-dma: fix stm32_dma_get_max_width") +Reported-by: kernel test robot +Signed-off-by: Arnd Bergmann +Signed-off-by: Amelie Delaunay +Link: https://lore.kernel.org/r/20211103153312.41483-1-amelie.delaunay@foss.st.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/stm32-dma.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c +index c276a39aa7930..7dfc743ac4338 100644 +--- a/drivers/dma/stm32-dma.c ++++ b/drivers/dma/stm32-dma.c +@@ -280,7 +280,7 @@ static enum dma_slave_buswidth stm32_dma_get_max_width(u32 buf_len, + max_width > DMA_SLAVE_BUSWIDTH_1_BYTE) + max_width = max_width >> 1; + +- if (buf_addr % max_width) ++ if (buf_addr & (max_width - 1)) + max_width = DMA_SLAVE_BUSWIDTH_1_BYTE; + + return max_width; +@@ -756,7 +756,7 @@ static int stm32_dma_set_xfer_param(struct stm32_dma_chan *chan, + * Set memory burst size - burst not possible if address is not aligned on + * the address boundary equal to the size of the transfer + */ +- if (buf_addr % buf_len) ++ if (buf_addr & (buf_len - 1)) + src_maxburst = 1; + else + src_maxburst = STM32_DMA_MAX_BURST; +@@ -812,7 +812,7 @@ static int stm32_dma_set_xfer_param(struct stm32_dma_chan *chan, + * Set memory burst size - burst not possible if address is not aligned on + * the address boundary equal to the size of the transfer + */ +- if (buf_addr % buf_len) ++ if (buf_addr & (buf_len - 1)) + dst_maxburst = 1; + else + dst_maxburst = STM32_DMA_MAX_BURST; +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-stm32-dma-fix-burst-in-case-of-unaligned-m.patch b/queue-5.15/dmaengine-stm32-dma-fix-burst-in-case-of-unaligned-m.patch new file mode 100644 index 00000000000..91d63a6c2f2 --- /dev/null +++ b/queue-5.15/dmaengine-stm32-dma-fix-burst-in-case-of-unaligned-m.patch @@ -0,0 +1,66 @@ +From 1664313df3b5a3b88b46971fcb12f43636a693bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 11:42:59 +0200 +Subject: dmaengine: stm32-dma: fix burst in case of unaligned memory address + +From: Amelie Delaunay + +[ Upstream commit af229d2c2557b5cf2a3b1eb39847ec1de7446873 ] + +Theorically, address pointers used by STM32 DMA must be chosen so as to +ensure that all transfers within a burst block are aligned on the address +boundary equal to the size of the transfer. +If this is always the case for peripheral addresses on STM32, it is not for +memory addresses if the user doesn't respect this alignment constraint. +To avoid a weird behavior of the DMA controller in this case (no error +triggered but data are not transferred as expected), force no burst. + +Signed-off-by: Amelie Delaunay +Link: https://lore.kernel.org/r/20211011094259.315023-4-amelie.delaunay@foss.st.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/stm32-dma.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c +index fdda916555ec5..c276a39aa7930 100644 +--- a/drivers/dma/stm32-dma.c ++++ b/drivers/dma/stm32-dma.c +@@ -752,8 +752,14 @@ static int stm32_dma_set_xfer_param(struct stm32_dma_chan *chan, + if (src_bus_width < 0) + return src_bus_width; + +- /* Set memory burst size */ +- src_maxburst = STM32_DMA_MAX_BURST; ++ /* ++ * Set memory burst size - burst not possible if address is not aligned on ++ * the address boundary equal to the size of the transfer ++ */ ++ if (buf_addr % buf_len) ++ src_maxburst = 1; ++ else ++ src_maxburst = STM32_DMA_MAX_BURST; + src_best_burst = stm32_dma_get_best_burst(buf_len, + src_maxburst, + fifoth, +@@ -802,8 +808,14 @@ static int stm32_dma_set_xfer_param(struct stm32_dma_chan *chan, + if (dst_bus_width < 0) + return dst_bus_width; + +- /* Set memory burst size */ +- dst_maxburst = STM32_DMA_MAX_BURST; ++ /* ++ * Set memory burst size - burst not possible if address is not aligned on ++ * the address boundary equal to the size of the transfer ++ */ ++ if (buf_addr % buf_len) ++ dst_maxburst = 1; ++ else ++ dst_maxburst = STM32_DMA_MAX_BURST; + dst_best_burst = stm32_dma_get_best_burst(buf_len, + dst_maxburst, + fifoth, +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-stm32-dma-fix-stm32_dma_get_max_width.patch b/queue-5.15/dmaengine-stm32-dma-fix-stm32_dma_get_max_width.patch new file mode 100644 index 00000000000..d0900bd497c --- /dev/null +++ b/queue-5.15/dmaengine-stm32-dma-fix-stm32_dma_get_max_width.patch @@ -0,0 +1,46 @@ +From aac2d24fba9f0e9c845c70194ff665b29902033c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 11:42:58 +0200 +Subject: dmaengine: stm32-dma: fix stm32_dma_get_max_width + +From: Amelie Delaunay + +[ Upstream commit b20fd5fa310cbf7ec367f263a34382a24c4cee73 ] + +buf_addr parameter of stm32_dma_set_xfer_param function is a dma_addr_t. +We only need to check the remainder of buf_addr/max_width, so, no need to +use do_div and extra u64 addr. Use '%' instead. + +Fixes: e0ebdbdcb42a ("dmaengine: stm32-dma: take address into account when computing max width") +Signed-off-by: Amelie Delaunay +Link: https://lore.kernel.org/r/20211011094259.315023-3-amelie.delaunay@foss.st.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/stm32-dma.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c +index 9063c727962ed..fdda916555ec5 100644 +--- a/drivers/dma/stm32-dma.c ++++ b/drivers/dma/stm32-dma.c +@@ -270,7 +270,6 @@ static enum dma_slave_buswidth stm32_dma_get_max_width(u32 buf_len, + u32 threshold) + { + enum dma_slave_buswidth max_width; +- u64 addr = buf_addr; + + if (threshold == STM32_DMA_FIFO_THRESHOLD_FULL) + max_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +@@ -281,7 +280,7 @@ static enum dma_slave_buswidth stm32_dma_get_max_width(u32 buf_len, + max_width > DMA_SLAVE_BUSWIDTH_1_BYTE) + max_width = max_width >> 1; + +- if (do_div(addr, max_width)) ++ if (buf_addr % max_width) + max_width = DMA_SLAVE_BUSWIDTH_1_BYTE; + + return max_width; +-- +2.33.0 + diff --git a/queue-5.15/dmaengine-tegra210-adma-fix-pm-runtime-unbalance.patch b/queue-5.15/dmaengine-tegra210-adma-fix-pm-runtime-unbalance.patch new file mode 100644 index 00000000000..cb005780967 --- /dev/null +++ b/queue-5.15/dmaengine-tegra210-adma-fix-pm-runtime-unbalance.patch @@ -0,0 +1,43 @@ +From a8696d771487870aceecd38991b9cd69b8c36b3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 11:05:38 +0800 +Subject: dmaengine: tegra210-adma: fix pm runtime unbalance + +From: Dongliang Mu + +[ Upstream commit c5a51fc89c0103c03b8a54cf12dac7d014b3a2bf ] + +The previous commit 059e969c2a7d ("dmaengine: tegra210-adma: Using +pm_runtime_resume_and_get to replace open coding") forgets to replace +the pm_runtime_get_sync in the tegra_adma_probe, but removes the +pm_runtime_put_noidle. + +Fix this by continuing to replace pm_runtime_get_sync with +pm_runtime_resume_and_get in tegra_adma_probe. + +Fixes: 059e969c2a7d ("dmaengine: tegra210-adma: Using pm_runtime_resume_and_get to replace open coding") +Signed-off-by: Dongliang Mu +Reviewed-by: Jon Hunter +Link: https://lore.kernel.org/r/20211021030538.3465287-1-mudongliangabcd@gmail.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/tegra210-adma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c +index b1115a6d1935c..d1dff3a29db59 100644 +--- a/drivers/dma/tegra210-adma.c ++++ b/drivers/dma/tegra210-adma.c +@@ -867,7 +867,7 @@ static int tegra_adma_probe(struct platform_device *pdev) + + pm_runtime_enable(&pdev->dev); + +- ret = pm_runtime_get_sync(&pdev->dev); ++ ret = pm_runtime_resume_and_get(&pdev->dev); + if (ret < 0) + goto rpm_disable; + +-- +2.33.0 + diff --git a/queue-5.15/dmanegine-idxd-fix-resource-free-ordering-on-driver-.patch b/queue-5.15/dmanegine-idxd-fix-resource-free-ordering-on-driver-.patch new file mode 100644 index 00000000000..76c1fb433bc --- /dev/null +++ b/queue-5.15/dmanegine-idxd-fix-resource-free-ordering-on-driver-.patch @@ -0,0 +1,130 @@ +From 37c5be72fd1afe36fea3f3d83ee22372e96ddaf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 13:15:58 -0700 +Subject: dmanegine: idxd: fix resource free ordering on driver removal + +From: Dave Jiang + +[ Upstream commit 98da0106aac0d3c5d4a3c95d238f1ff88957bbfc ] + +Fault triggers on ioread32() when pci driver unbind is envoked. The +placement of idxd sub-driver removal causes the probing of the device mmio +region after the mmio mapping being torn down. The driver needs the +sub-drivers to be unbound but not release the idxd context until all +shutdown activities has been done. Move the sub-driver unregistering up +before the remove() calls shutdown(). But take a device ref on the +idxd->conf_dev so that the memory does not get freed in ->release(). When +all cleanup activities has been done, release the ref to allow the idxd +memory to be freed. + +[57159.542766] RIP: 0010:ioread32+0x27/0x60 +[57159.547097] Code: 00 66 90 48 81 ff ff ff 03 00 77 1e 48 81 ff 00 00 01 00 76 05 0f + b7 d7 ed c3 8b 15 03 50 41 01 b8 ff ff ff ff 85 d2 75 04 c3 <8b> 07 c3 55 83 ea 01 48 + 89 fe 48 c7 c7 00 70 5f 82 48 89 e5 48 83 +[57159.566647] RSP: 0018:ffffc900011abb60 EFLAGS: 00010292 +[57159.572295] RAX: ffffc900011e0000 RBX: ffff888107d39800 RCX: 0000000000000000 +[57159.579842] RDX: 0000000000000000 RSI: ffffffff82b1e448 RDI: ffffc900011e0090 +[57159.587421] RBP: ffffc900011abb88 R08: 0000000000000000 R09: 0000000000000001 +[57159.594972] R10: 0000000000000001 R11: 0000000000000000 R12: ffff8881019840d0 +[57159.602533] R13: ffff8881097e9000 R14: ffffffffa08542a0 R15: 00000000000003a8 +[57159.610093] FS: 00007f991e0a8740(0000) GS:ffff888459900000(0000) knlGS:00000000000 +00000 +[57159.618614] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[57159.624814] CR2: ffffc900011e0090 CR3: 000000010862a002 CR4: 00000000003706e0 +[57159.632397] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[57159.639973] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[57159.647601] Call Trace: +[57159.650502] ? idxd_device_disable+0x41/0x110 [idxd] +[57159.655948] idxd_device_drv_remove+0x2b/0x80 [idxd] +[57159.661374] idxd_config_bus_remove+0x16/0x20 +[57159.666191] __device_release_driver+0x163/0x240 +[57159.671320] device_release_driver+0x2b/0x40 +[57159.676052] bus_remove_device+0xf5/0x160 +[57159.680524] device_del+0x19c/0x400 +[57159.684440] device_unregister+0x18/0x60 +[57159.688792] idxd_remove+0x140/0x1c0 [idxd] +[57159.693406] pci_device_remove+0x3e/0xb0 +[57159.697758] __device_release_driver+0x163/0x240 +[57159.702788] device_driver_detach+0x43/0xb0 +[57159.707424] unbind_store+0x11e/0x130 +[57159.711537] drv_attr_store+0x24/0x30 +[57159.715646] sysfs_kf_write+0x4b/0x60 +[57159.719710] kernfs_fop_write_iter+0x153/0x1e0 +[57159.724563] new_sync_write+0x120/0x1b0 +[57159.728812] vfs_write+0x23e/0x350 +[57159.732624] ksys_write+0x70/0xf0 +[57159.736335] __x64_sys_write+0x1a/0x20 +[57159.740492] do_syscall_64+0x3b/0x90 +[57159.744465] entry_SYSCALL_64_after_hwframe+0x44/0xae +[57159.749908] RIP: 0033:0x7f991e19c387 +[57159.753898] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e + fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 + c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 +[57159.773564] RSP: 002b:00007ffc2ce2d6a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +[57159.781550] RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007f991e19c387 +[57159.789133] RDX: 000000000000000c RSI: 000055ee2630e140 RDI: 0000000000000001 +[57159.796695] RBP: 000055ee2630e140 R08: 0000000000000000 R09: 00007f991e2324e0 +[57159.804246] R10: 00007f991e2323e0 R11: 0000000000000246 R12: 000000000000000c +[57159.811800] R13: 00007f991e26f520 R14: 000000000000000c R15: 00007f991e26f700 +[57159.819373] Modules linked in: idxd bridge stp llc bnep sunrpc nls_iso8859_1 intel_ +rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp snd_hda_code +c_realtek iTCO_wdt 8250_dw snd_hda_codec_generic kvm_intel ledtrig_audio iTCO_vendor_s +upport snd_hda_intel snd_intel_dspcfg ppdev kvm snd_hda_codec intel_wmi_thunderbolt sn +d_hwdep irqbypass iwlwifi btusb snd_hda_core rapl btrtl intel_cstate snd_seq btbcm snd +_seq_device btintel snd_pcm cfg80211 bluetooth pcspkr psmouse input_leds snd_timer int +el_lpss_pci mei_me intel_lpss snd ecdh_generic ecc mei ucsi_acpi i2c_i801 idma64 i2c_s +mbus virt_dma soundcore typec_ucsi typec wmi parport_pc parport video mac_hid acpi_pad + sch_fq_codel drm ip_tables x_tables crct10dif_pclmul crc32_pclmul ghash_clmulni_intel + usbkbd hid_generic usbmouse aesni_intel usbhid crypto_simd cryptd e1000e hid serio_ra +w ahci libahci pinctrl_sunrisepoint fuse msr autofs4 [last unloaded: idxd] +[57159.904082] CR2: ffffc900011e0090 +[57159.907877] ---[ end trace b4e32f49ce9176a4 ]--- + +Fixes: 49c4959f04b5 ("dmaengine: idxd: fix sequence for pci driver remove() and shutdown()") +Reported-by: Ziye Yang +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/163225535868.4152687.9318737776682088722.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/idxd/init.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c +index eb09bc591c316..7bf03f371ce19 100644 +--- a/drivers/dma/idxd/init.c ++++ b/drivers/dma/idxd/init.c +@@ -797,11 +797,19 @@ static void idxd_remove(struct pci_dev *pdev) + int msixcnt = pci_msix_vec_count(pdev); + int i; + +- dev_dbg(&pdev->dev, "%s called\n", __func__); ++ idxd_unregister_devices(idxd); ++ /* ++ * When ->release() is called for the idxd->conf_dev, it frees all the memory related ++ * to the idxd context. The driver still needs those bits in order to do the rest of ++ * the cleanup. However, we do need to unbound the idxd sub-driver. So take a ref ++ * on the device here to hold off the freeing while allowing the idxd sub-driver ++ * to unbind. ++ */ ++ get_device(idxd_confdev(idxd)); ++ device_unregister(idxd_confdev(idxd)); + idxd_shutdown(pdev); + if (device_pasid_enabled(idxd)) + idxd_disable_system_pasid(idxd); +- idxd_unregister_devices(idxd); + + for (i = 0; i < msixcnt; i++) { + irq_entry = &idxd->irq_entries[i]; +@@ -815,7 +823,7 @@ static void idxd_remove(struct pci_dev *pdev) + pci_disable_device(pdev); + destroy_workqueue(idxd->wq); + perfmon_pmu_remove(idxd); +- device_unregister(idxd_confdev(idxd)); ++ put_device(idxd_confdev(idxd)); + } + + static struct pci_driver idxd_pci_driver = { +-- +2.33.0 + diff --git a/queue-5.15/driver-core-fix-possible-memory-leak-in-device_link_.patch b/queue-5.15/driver-core-fix-possible-memory-leak-in-device_link_.patch new file mode 100644 index 00000000000..f06d67de1b2 --- /dev/null +++ b/queue-5.15/driver-core-fix-possible-memory-leak-in-device_link_.patch @@ -0,0 +1,69 @@ +From 95d1ffaa303e49027b6dbf4071eec4f163c2c8de Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Sep 2021 16:57:14 +0800 +Subject: driver core: Fix possible memory leak in device_link_add() + +From: Yang Yingliang + +[ Upstream commit df0a18149474c7e6b21f6367fbc6bc8d0f192444 ] + +I got memory leak as follows: + +unreferenced object 0xffff88801f0b2200 (size 64): + comm "i2c-lis2hh12-21", pid 5455, jiffies 4294944606 (age 15.224s) + hex dump (first 32 bytes): + 72 65 67 75 6c 61 74 6f 72 3a 72 65 67 75 6c 61 regulator:regula + 74 6f 72 2e 30 2d 2d 69 32 63 3a 31 2d 30 30 31 tor.0--i2c:1-001 + backtrace: + [<00000000bf5b0c3b>] __kmalloc_track_caller+0x19f/0x3a0 + [<0000000050da42d9>] kvasprintf+0xb5/0x150 + [<000000004bbbed13>] kvasprintf_const+0x60/0x190 + [<00000000cdac7480>] kobject_set_name_vargs+0x56/0x150 + [<00000000bf83f8e8>] dev_set_name+0xc0/0x100 + [<00000000cc1cf7e3>] device_link_add+0x6b4/0x17c0 + [<000000009db9faed>] _regulator_get+0x297/0x680 + [<00000000845e7f2b>] _devm_regulator_get+0x5b/0xe0 + [<000000003958ee25>] st_sensors_power_enable+0x71/0x1b0 [st_sensors] + [<000000005f450f52>] st_accel_i2c_probe+0xd9/0x150 [st_accel_i2c] + [<00000000b5f2ab33>] i2c_device_probe+0x4d8/0xbe0 + [<0000000070fb977b>] really_probe+0x299/0xc30 + [<0000000088e226ce>] __driver_probe_device+0x357/0x500 + [<00000000c21dda32>] driver_probe_device+0x4e/0x140 + [<000000004e650441>] __device_attach_driver+0x257/0x340 + [<00000000cf1891b8>] bus_for_each_drv+0x166/0x1e0 + +When device_register() returns an error, the name allocated in dev_set_name() +will be leaked, the put_device() should be used instead of kfree() to give up +the device reference, then the name will be freed in kobject_cleanup() and the +references of consumer and supplier will be decreased in device_link_release_fn(). + +Fixes: 287905e68dd2 ("driver core: Expose device link details in sysfs") +Reported-by: Hulk Robot +Reviewed-by: Saravana Kannan +Reviewed-by: Rafael J. Wysocki +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20210930085714.2057460-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/core.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/base/core.c b/drivers/base/core.c +index 249da496581a0..63577de268565 100644 +--- a/drivers/base/core.c ++++ b/drivers/base/core.c +@@ -821,9 +821,7 @@ struct device_link *device_link_add(struct device *consumer, + dev_bus_name(supplier), dev_name(supplier), + dev_bus_name(consumer), dev_name(consumer)); + if (device_register(&link->link_dev)) { +- put_device(consumer); +- put_device(supplier); +- kfree(link); ++ put_device(&link->link_dev); + link = NULL; + goto out; + } +-- +2.33.0 + diff --git a/queue-5.15/drm-amd-display-dcn20_resource_construct-reduce-scop.patch b/queue-5.15/drm-amd-display-dcn20_resource_construct-reduce-scop.patch new file mode 100644 index 00000000000..61dbcc6db67 --- /dev/null +++ b/queue-5.15/drm-amd-display-dcn20_resource_construct-reduce-scop.patch @@ -0,0 +1,111 @@ +From 6096a65c3f48c50c68f0708a37cda9fa54064d9d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Sep 2021 18:29:36 -0400 +Subject: drm/amd/display: dcn20_resource_construct reduce scope of FPU enabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anson Jacob + +[ Upstream commit bc39a69a2ac484e6575a958567c162ef56c9f278 ] + +Limit when FPU is enabled to only functions that does FPU operations for +dcn20_resource_construct, which gets called during driver +initialization. + +Enabling FPU operation disables preemption. Sleeping functions(mutex +(un)lock, memory allocation using GFP_KERNEL, etc.) should not be called +when preemption is disabled. + +Fixes the following case caught by enabling +CONFIG_DEBUG_ATOMIC_SLEEP in kernel config +[ 1.338434] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:281 +[ 1.347395] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 197, name: systemd-udevd +[ 1.356356] CPU: 7 PID: 197 Comm: systemd-udevd Not tainted 5.13.0+ #3 +[ 1.356358] Hardware name: System manufacturer System Product Name/PRIME X570-PRO, BIOS 3405 02/01/2021 +[ 1.356360] Call Trace: +[ 1.356361] dump_stack+0x6b/0x86 +[ 1.356366] ___might_sleep.cold+0x87/0x98 +[ 1.356370] __might_sleep+0x4b/0x80 +[ 1.356372] mutex_lock+0x21/0x50 +[ 1.356376] smu_get_uclk_dpm_states+0x3f/0x80 [amdgpu] +[ 1.356538] pp_nv_get_uclk_dpm_states+0x35/0x50 [amdgpu] +[ 1.356711] init_soc_bounding_box+0xf9/0x210 [amdgpu] +[ 1.356892] ? create_object+0x20d/0x340 +[ 1.356897] ? dcn20_resource_construct+0x46f/0xd30 [amdgpu] +[ 1.357077] dcn20_resource_construct+0x4b1/0xd30 [amdgpu] +... + +Tested on: 5700XT (NAVI10 0x1002:0x731F 0x1DA2:0xE410 0xC1) + +Cc: Christian König +Cc: Hersen Wu +Cc: Anson Jacob +Cc: Harry Wentland + +Reviewed-by: Rodrigo Siqueira +Tested-by: Daniel Wheeler +Acked-by: Agustin Gutierrez +Signed-off-by: Anson Jacob +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/display/dc/dcn20/dcn20_resource.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +index e3e01b17c164e..f2f258e70f9da 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +@@ -3668,16 +3668,22 @@ static bool init_soc_bounding_box(struct dc *dc, + clock_limits_available = (status == PP_SMU_RESULT_OK); + } + +- if (clock_limits_available && uclk_states_available && num_states) ++ if (clock_limits_available && uclk_states_available && num_states) { ++ DC_FP_START(); + dcn20_update_bounding_box(dc, loaded_bb, &max_clocks, uclk_states, num_states); +- else if (clock_limits_available) ++ DC_FP_END(); ++ } else if (clock_limits_available) { ++ DC_FP_START(); + dcn20_cap_soc_clocks(loaded_bb, max_clocks); ++ DC_FP_END(); ++ } + } + + loaded_ip->max_num_otg = pool->base.res_cap->num_timing_generator; + loaded_ip->max_num_dpp = pool->base.pipe_count; ++ DC_FP_START(); + dcn20_patch_bounding_box(dc, loaded_bb); +- ++ DC_FP_END(); + return true; + } + +@@ -3697,8 +3703,6 @@ static bool dcn20_resource_construct( + enum dml_project dml_project_version = + get_dml_project_version(ctx->asic_id.hw_internal_rev); + +- DC_FP_START(); +- + ctx->dc_bios->regs = &bios_regs; + pool->base.funcs = &dcn20_res_pool_funcs; + +@@ -4047,12 +4051,10 @@ static bool dcn20_resource_construct( + pool->base.oem_device = NULL; + } + +- DC_FP_END(); + return true; + + create_fail: + +- DC_FP_END(); + dcn20_resource_destruct(pool); + + return false; +-- +2.33.0 + diff --git a/queue-5.15/drm-amd-display-fix-null-pointer-deref-when-plugging.patch b/queue-5.15/drm-amd-display-fix-null-pointer-deref-when-plugging.patch new file mode 100644 index 00000000000..902e20aec25 --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-null-pointer-deref-when-plugging.patch @@ -0,0 +1,39 @@ +From 0dc33c6dd5cd7be0753ee5a4c50a44ce38e42962 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 16:07:45 -0400 +Subject: drm/amd/display: fix null pointer deref when plugging in display + +From: Aurabindo Pillai + +[ Upstream commit 1f3b22e4eb162e0b1d423106a47484943a22a309 ] + +[Why&How] +When system boots in headless mode, connecting a 4k display creates a +null pointer dereference due to hubp for a certain plane being null. +Add a condition to check for null hubp before dereferencing it. + +Signed-off-by: Aurabindo Pillai +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +index fafed1e4a998d..0950784bafa49 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c +@@ -1002,7 +1002,8 @@ void dcn30_set_disp_pattern_generator(const struct dc *dc, + /* turning off DPG */ + pipe_ctx->plane_res.hubp->funcs->set_blank(pipe_ctx->plane_res.hubp, false); + for (mpcc_pipe = pipe_ctx->bottom_pipe; mpcc_pipe; mpcc_pipe = mpcc_pipe->bottom_pipe) +- mpcc_pipe->plane_res.hubp->funcs->set_blank(mpcc_pipe->plane_res.hubp, false); ++ if (mpcc_pipe->plane_res.hubp) ++ mpcc_pipe->plane_res.hubp->funcs->set_blank(mpcc_pipe->plane_res.hubp, false); + + stream_res->opp->funcs->opp_set_disp_pattern_generator(stream_res->opp, test_pattern, color_space, + color_depth, solid_color, width, height, offset); +-- +2.33.0 + diff --git a/queue-5.15/drm-amd-display-fix-null-pointer-dereference-for-enc.patch b/queue-5.15/drm-amd-display-fix-null-pointer-dereference-for-enc.patch new file mode 100644 index 00000000000..798c8dba658 --- /dev/null +++ b/queue-5.15/drm-amd-display-fix-null-pointer-dereference-for-enc.patch @@ -0,0 +1,57 @@ +From 8f5e924becfa27105687d9bc7f45f77dd0ba17ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 12 Sep 2021 11:21:52 -0400 +Subject: drm/amd/display: Fix null pointer dereference for encoders + +From: Jimmy Kizito + +[ Upstream commit 60f39edd897ea134a4ddb789a6795681691c3183 ] + +[Why] +Links which are dynamically assigned link encoders have their link +encoder set to NULL. + +[How] +Check that a pointer to a link_encoder object is non-NULL before using +it. + +Reviewed-by: Aric Cyr +Reviewed-by: Meenakshikumar Somasundaram +Acked-by: Rodrigo Siqueira +Signed-off-by: Jimmy Kizito +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c | 2 +- + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +index 6d655e158267a..61c18637f84dc 100644 +--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c ++++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c +@@ -4690,7 +4690,7 @@ enum dc_status dp_set_fec_ready(struct dc_link *link, bool ready) + link_enc->funcs->fec_set_ready(link_enc, true); + link->fec_state = dc_link_fec_ready; + } else { +- link_enc->funcs->fec_set_ready(link->link_enc, false); ++ link_enc->funcs->fec_set_ready(link_enc, false); + link->fec_state = dc_link_fec_not_ready; + dm_error("dpcd write failed to set fec_ready"); + } +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +index df8a7718a85fc..3af49cdf89ebd 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c +@@ -1522,7 +1522,7 @@ void dcn10_power_down_on_boot(struct dc *dc) + for (i = 0; i < dc->link_count; i++) { + struct dc_link *link = dc->links[i]; + +- if (link->link_enc->funcs->is_dig_enabled && ++ if (link->link_enc && link->link_enc->funcs->is_dig_enabled && + link->link_enc->funcs->is_dig_enabled(link->link_enc) && + dc->hwss.power_down) { + dc->hwss.power_down(dc); +-- +2.33.0 + diff --git a/queue-5.15/drm-amd-display-pass-display_pipe_params_st-as-const.patch b/queue-5.15/drm-amd-display-pass-display_pipe_params_st-as-const.patch new file mode 100644 index 00000000000..ba9e7bfd8b3 --- /dev/null +++ b/queue-5.15/drm-amd-display-pass-display_pipe_params_st-as-const.patch @@ -0,0 +1,715 @@ +From dc32ce5068001b3e63dcba0f0f9c08c5f501d21e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 19:40:06 -0400 +Subject: drm/amd/display: Pass display_pipe_params_st as const in DML +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Harry Wentland + +[ Upstream commit 22667e6ec6b2ce9ca706e9061660b059725d009c ] + +[Why] +This neither needs to be on the stack nor passed by value +to each function call. In fact, when building with clang +it seems to break the Linux's default 1024 byte stack +frame limit. + +[How] +We can simply pass this as a const pointer. + +This patch fixes these Coverity IDs +Addresses-Coverity-ID: 1424031: ("Big parameter passed by value") +Addresses-Coverity-ID: 1423970: ("Big parameter passed by value") +Addresses-Coverity-ID: 1423941: ("Big parameter passed by value") +Addresses-Coverity-ID: 1451742: ("Big parameter passed by value") +Addresses-Coverity-ID: 1451887: ("Big parameter passed by value") +Addresses-Coverity-ID: 1454146: ("Big parameter passed by value") +Addresses-Coverity-ID: 1454152: ("Big parameter passed by value") +Addresses-Coverity-ID: 1454413: ("Big parameter passed by value") +Addresses-Coverity-ID: 1466144: ("Big parameter passed by value") +Addresses-Coverity-ID: 1487237: ("Big parameter passed by value") + +Signed-off-by: Harry Wentland +Fixes: 3fe617ccafd6 ("Enable '-Werror' by default for all kernel builds") +Cc: Nick Desaulniers +Cc: Linus Torvalds +Cc: amd-gfx@lists.freedesktop.org +Cc: Linux Kernel Mailing List +Cc: Arnd Bergmann +Cc: Leo Li +Cc: Alex Deucher +Cc: Christian König +Cc: Xinhui Pan +Cc: Nathan Chancellor +Cc: Guenter Roeck +Cc: llvm@lists.linux.dev +Acked-by: Christian König +Build-tested-by: Nathan Chancellor +Reviewed-by: Leo Li +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../drm/amd/display/dc/dcn20/dcn20_resource.c | 2 +- + .../dc/dml/dcn20/display_rq_dlg_calc_20.c | 6 +- + .../dc/dml/dcn20/display_rq_dlg_calc_20.h | 4 +- + .../dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 6 +- + .../dc/dml/dcn20/display_rq_dlg_calc_20v2.h | 4 +- + .../dc/dml/dcn21/display_rq_dlg_calc_21.c | 62 ++++++++-------- + .../dc/dml/dcn21/display_rq_dlg_calc_21.h | 4 +- + .../dc/dml/dcn30/display_rq_dlg_calc_30.c | 72 +++++++++---------- + .../dc/dml/dcn30/display_rq_dlg_calc_30.h | 4 +- + .../dc/dml/dcn31/display_rq_dlg_calc_31.c | 68 +++++++++--------- + .../dc/dml/dcn31/display_rq_dlg_calc_31.h | 4 +- + .../drm/amd/display/dc/dml/display_mode_lib.h | 4 +- + 12 files changed, 120 insertions(+), 120 deletions(-) + +diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +index f2f258e70f9da..34a126816133e 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c +@@ -3152,7 +3152,7 @@ void dcn20_calculate_dlg_params( + + context->bw_ctx.dml.funcs.rq_dlg_get_rq_reg(&context->bw_ctx.dml, + &context->res_ctx.pipe_ctx[i].rq_regs, +- pipes[pipe_idx].pipe); ++ &pipes[pipe_idx].pipe); + pipe_idx++; + } + } +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c +index 2091dd8c252da..8c168f348a27f 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.c +@@ -768,12 +768,12 @@ static void dml20_rq_dlg_get_rq_params(struct display_mode_lib *mode_lib, + + void dml20_rq_dlg_get_rq_reg(struct display_mode_lib *mode_lib, + display_rq_regs_st *rq_regs, +- const display_pipe_params_st pipe_param) ++ const display_pipe_params_st *pipe_param) + { + display_rq_params_st rq_param = {0}; + + memset(rq_regs, 0, sizeof(*rq_regs)); +- dml20_rq_dlg_get_rq_params(mode_lib, &rq_param, pipe_param.src); ++ dml20_rq_dlg_get_rq_params(mode_lib, &rq_param, pipe_param->src); + extract_rq_regs(mode_lib, rq_regs, rq_param); + + print__rq_regs_st(mode_lib, *rq_regs); +@@ -1549,7 +1549,7 @@ static void dml20_rq_dlg_get_dlg_params(struct display_mode_lib *mode_lib, + void dml20_rq_dlg_get_dlg_reg(struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.h b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.h +index d0b90947f5409..8b23867e97c18 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20.h +@@ -43,7 +43,7 @@ struct display_mode_lib; + void dml20_rq_dlg_get_rq_reg( + struct display_mode_lib *mode_lib, + display_rq_regs_st *rq_regs, +- const display_pipe_params_st pipe_param); ++ const display_pipe_params_st *pipe_param); + + + // Function: dml_rq_dlg_get_dlg_reg +@@ -61,7 +61,7 @@ void dml20_rq_dlg_get_dlg_reg( + struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c +index 1a0c14e465faa..26ececfd40cdc 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c +@@ -768,12 +768,12 @@ static void dml20v2_rq_dlg_get_rq_params(struct display_mode_lib *mode_lib, + + void dml20v2_rq_dlg_get_rq_reg(struct display_mode_lib *mode_lib, + display_rq_regs_st *rq_regs, +- const display_pipe_params_st pipe_param) ++ const display_pipe_params_st *pipe_param) + { + display_rq_params_st rq_param = {0}; + + memset(rq_regs, 0, sizeof(*rq_regs)); +- dml20v2_rq_dlg_get_rq_params(mode_lib, &rq_param, pipe_param.src); ++ dml20v2_rq_dlg_get_rq_params(mode_lib, &rq_param, pipe_param->src); + extract_rq_regs(mode_lib, rq_regs, rq_param); + + print__rq_regs_st(mode_lib, *rq_regs); +@@ -1550,7 +1550,7 @@ static void dml20v2_rq_dlg_get_dlg_params(struct display_mode_lib *mode_lib, + void dml20v2_rq_dlg_get_dlg_reg(struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.h b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.h +index 27cf8bed9376f..2b4e46ea1c3df 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.h +@@ -43,7 +43,7 @@ struct display_mode_lib; + void dml20v2_rq_dlg_get_rq_reg( + struct display_mode_lib *mode_lib, + display_rq_regs_st *rq_regs, +- const display_pipe_params_st pipe_param); ++ const display_pipe_params_st *pipe_param); + + + // Function: dml_rq_dlg_get_dlg_reg +@@ -61,7 +61,7 @@ void dml20v2_rq_dlg_get_dlg_reg( + struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c b/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c +index 287e31052b307..736978c4d40a1 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c +@@ -694,7 +694,7 @@ static void get_surf_rq_param( + display_data_rq_sizing_params_st *rq_sizing_param, + display_data_rq_dlg_params_st *rq_dlg_param, + display_data_rq_misc_params_st *rq_misc_param, +- const display_pipe_params_st pipe_param, ++ const display_pipe_params_st *pipe_param, + bool is_chroma) + { + bool mode_422 = false; +@@ -706,30 +706,30 @@ static void get_surf_rq_param( + + // FIXME check if ppe apply for both luma and chroma in 422 case + if (is_chroma) { +- vp_width = pipe_param.src.viewport_width_c / ppe; +- vp_height = pipe_param.src.viewport_height_c; +- data_pitch = pipe_param.src.data_pitch_c; +- meta_pitch = pipe_param.src.meta_pitch_c; ++ vp_width = pipe_param->src.viewport_width_c / ppe; ++ vp_height = pipe_param->src.viewport_height_c; ++ data_pitch = pipe_param->src.data_pitch_c; ++ meta_pitch = pipe_param->src.meta_pitch_c; + } else { +- vp_width = pipe_param.src.viewport_width / ppe; +- vp_height = pipe_param.src.viewport_height; +- data_pitch = pipe_param.src.data_pitch; +- meta_pitch = pipe_param.src.meta_pitch; ++ vp_width = pipe_param->src.viewport_width / ppe; ++ vp_height = pipe_param->src.viewport_height; ++ data_pitch = pipe_param->src.data_pitch; ++ meta_pitch = pipe_param->src.meta_pitch; + } + +- if (pipe_param.dest.odm_combine) { ++ if (pipe_param->dest.odm_combine) { + unsigned int access_dir; + unsigned int full_src_vp_width; + unsigned int hactive_half; + unsigned int src_hactive_half; +- access_dir = (pipe_param.src.source_scan == dm_vert); // vp access direction: horizontal or vertical accessed +- hactive_half = pipe_param.dest.hactive / 2; ++ access_dir = (pipe_param->src.source_scan == dm_vert); // vp access direction: horizontal or vertical accessed ++ hactive_half = pipe_param->dest.hactive / 2; + if (is_chroma) { +- full_src_vp_width = pipe_param.scale_ratio_depth.hscl_ratio_c * pipe_param.dest.full_recout_width; +- src_hactive_half = pipe_param.scale_ratio_depth.hscl_ratio_c * hactive_half; ++ full_src_vp_width = pipe_param->scale_ratio_depth.hscl_ratio_c * pipe_param->dest.full_recout_width; ++ src_hactive_half = pipe_param->scale_ratio_depth.hscl_ratio_c * hactive_half; + } else { +- full_src_vp_width = pipe_param.scale_ratio_depth.hscl_ratio * pipe_param.dest.full_recout_width; +- src_hactive_half = pipe_param.scale_ratio_depth.hscl_ratio * hactive_half; ++ full_src_vp_width = pipe_param->scale_ratio_depth.hscl_ratio * pipe_param->dest.full_recout_width; ++ src_hactive_half = pipe_param->scale_ratio_depth.hscl_ratio * hactive_half; + } + + if (access_dir == 0) { +@@ -754,7 +754,7 @@ static void get_surf_rq_param( + rq_sizing_param->meta_chunk_bytes = 2048; + rq_sizing_param->min_meta_chunk_bytes = 256; + +- if (pipe_param.src.hostvm) ++ if (pipe_param->src.hostvm) + rq_sizing_param->mpte_group_bytes = 512; + else + rq_sizing_param->mpte_group_bytes = 2048; +@@ -768,23 +768,23 @@ static void get_surf_rq_param( + vp_height, + data_pitch, + meta_pitch, +- pipe_param.src.source_format, +- pipe_param.src.sw_mode, +- pipe_param.src.macro_tile_size, +- pipe_param.src.source_scan, +- pipe_param.src.hostvm, ++ pipe_param->src.source_format, ++ pipe_param->src.sw_mode, ++ pipe_param->src.macro_tile_size, ++ pipe_param->src.source_scan, ++ pipe_param->src.hostvm, + is_chroma); + } + + static void dml_rq_dlg_get_rq_params( + struct display_mode_lib *mode_lib, + display_rq_params_st *rq_param, +- const display_pipe_params_st pipe_param) ++ const display_pipe_params_st *pipe_param) + { + // get param for luma surface +- rq_param->yuv420 = pipe_param.src.source_format == dm_420_8 +- || pipe_param.src.source_format == dm_420_10; +- rq_param->yuv420_10bpc = pipe_param.src.source_format == dm_420_10; ++ rq_param->yuv420 = pipe_param->src.source_format == dm_420_8 ++ || pipe_param->src.source_format == dm_420_10; ++ rq_param->yuv420_10bpc = pipe_param->src.source_format == dm_420_10; + + get_surf_rq_param( + mode_lib, +@@ -794,7 +794,7 @@ static void dml_rq_dlg_get_rq_params( + pipe_param, + 0); + +- if (is_dual_plane((enum source_format_class) (pipe_param.src.source_format))) { ++ if (is_dual_plane((enum source_format_class) (pipe_param->src.source_format))) { + // get param for chroma surface + get_surf_rq_param( + mode_lib, +@@ -806,14 +806,14 @@ static void dml_rq_dlg_get_rq_params( + } + + // calculate how to split the det buffer space between luma and chroma +- handle_det_buf_split(mode_lib, rq_param, pipe_param.src); ++ handle_det_buf_split(mode_lib, rq_param, pipe_param->src); + print__rq_params_st(mode_lib, *rq_param); + } + + void dml21_rq_dlg_get_rq_reg( + struct display_mode_lib *mode_lib, + display_rq_regs_st *rq_regs, +- const display_pipe_params_st pipe_param) ++ const display_pipe_params_st *pipe_param) + { + display_rq_params_st rq_param = {0}; + +@@ -1658,7 +1658,7 @@ void dml21_rq_dlg_get_dlg_reg( + struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +@@ -1696,7 +1696,7 @@ void dml21_rq_dlg_get_dlg_reg( + // system parameter calculation done + + dml_print("DML_DLG: Calculation for pipe[%d] start\n\n", pipe_idx); +- dml_rq_dlg_get_rq_params(mode_lib, &rq_param, e2e_pipe_param[pipe_idx].pipe); ++ dml_rq_dlg_get_rq_params(mode_lib, &rq_param, &e2e_pipe_param[pipe_idx].pipe); + dml_rq_dlg_get_dlg_params( + mode_lib, + e2e_pipe_param, +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.h b/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.h +index e8f7785e3fc63..af6ad0ca9cf8a 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.h +@@ -44,7 +44,7 @@ struct display_mode_lib; + void dml21_rq_dlg_get_rq_reg( + struct display_mode_lib *mode_lib, + display_rq_regs_st *rq_regs, +- const display_pipe_params_st pipe_param); ++ const display_pipe_params_st *pipe_param); + + // Function: dml_rq_dlg_get_dlg_reg + // Calculate and return DLG and TTU register struct given the system setting +@@ -61,7 +61,7 @@ void dml21_rq_dlg_get_dlg_reg( + struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_rq_dlg_calc_30.c b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_rq_dlg_calc_30.c +index 0d934fae1c3a6..2120e0941a095 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_rq_dlg_calc_30.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_rq_dlg_calc_30.c +@@ -747,7 +747,7 @@ static void get_surf_rq_param(struct display_mode_lib *mode_lib, + display_data_rq_sizing_params_st *rq_sizing_param, + display_data_rq_dlg_params_st *rq_dlg_param, + display_data_rq_misc_params_st *rq_misc_param, +- const display_pipe_params_st pipe_param, ++ const display_pipe_params_st *pipe_param, + bool is_chroma, + bool is_alpha) + { +@@ -761,32 +761,32 @@ static void get_surf_rq_param(struct display_mode_lib *mode_lib, + + // FIXME check if ppe apply for both luma and chroma in 422 case + if (is_chroma | is_alpha) { +- vp_width = pipe_param.src.viewport_width_c / ppe; +- vp_height = pipe_param.src.viewport_height_c; +- data_pitch = pipe_param.src.data_pitch_c; +- meta_pitch = pipe_param.src.meta_pitch_c; +- surface_height = pipe_param.src.surface_height_y / 2.0; ++ vp_width = pipe_param->src.viewport_width_c / ppe; ++ vp_height = pipe_param->src.viewport_height_c; ++ data_pitch = pipe_param->src.data_pitch_c; ++ meta_pitch = pipe_param->src.meta_pitch_c; ++ surface_height = pipe_param->src.surface_height_y / 2.0; + } else { +- vp_width = pipe_param.src.viewport_width / ppe; +- vp_height = pipe_param.src.viewport_height; +- data_pitch = pipe_param.src.data_pitch; +- meta_pitch = pipe_param.src.meta_pitch; +- surface_height = pipe_param.src.surface_height_y; ++ vp_width = pipe_param->src.viewport_width / ppe; ++ vp_height = pipe_param->src.viewport_height; ++ data_pitch = pipe_param->src.data_pitch; ++ meta_pitch = pipe_param->src.meta_pitch; ++ surface_height = pipe_param->src.surface_height_y; + } + +- if (pipe_param.dest.odm_combine) { ++ if (pipe_param->dest.odm_combine) { + unsigned int access_dir = 0; + unsigned int full_src_vp_width = 0; + unsigned int hactive_odm = 0; + unsigned int src_hactive_odm = 0; +- access_dir = (pipe_param.src.source_scan == dm_vert); // vp access direction: horizontal or vertical accessed +- hactive_odm = pipe_param.dest.hactive / ((unsigned int)pipe_param.dest.odm_combine*2); ++ access_dir = (pipe_param->src.source_scan == dm_vert); // vp access direction: horizontal or vertical accessed ++ hactive_odm = pipe_param->dest.hactive / ((unsigned int) pipe_param->dest.odm_combine*2); + if (is_chroma) { +- full_src_vp_width = pipe_param.scale_ratio_depth.hscl_ratio_c * pipe_param.dest.full_recout_width; +- src_hactive_odm = pipe_param.scale_ratio_depth.hscl_ratio_c * hactive_odm; ++ full_src_vp_width = pipe_param->scale_ratio_depth.hscl_ratio_c * pipe_param->dest.full_recout_width; ++ src_hactive_odm = pipe_param->scale_ratio_depth.hscl_ratio_c * hactive_odm; + } else { +- full_src_vp_width = pipe_param.scale_ratio_depth.hscl_ratio * pipe_param.dest.full_recout_width; +- src_hactive_odm = pipe_param.scale_ratio_depth.hscl_ratio * hactive_odm; ++ full_src_vp_width = pipe_param->scale_ratio_depth.hscl_ratio * pipe_param->dest.full_recout_width; ++ src_hactive_odm = pipe_param->scale_ratio_depth.hscl_ratio * hactive_odm; + } + + if (access_dir == 0) { +@@ -815,7 +815,7 @@ static void get_surf_rq_param(struct display_mode_lib *mode_lib, + rq_sizing_param->meta_chunk_bytes = 2048; + rq_sizing_param->min_meta_chunk_bytes = 256; + +- if (pipe_param.src.hostvm) ++ if (pipe_param->src.hostvm) + rq_sizing_param->mpte_group_bytes = 512; + else + rq_sizing_param->mpte_group_bytes = 2048; +@@ -828,28 +828,28 @@ static void get_surf_rq_param(struct display_mode_lib *mode_lib, + vp_height, + data_pitch, + meta_pitch, +- pipe_param.src.source_format, +- pipe_param.src.sw_mode, +- pipe_param.src.macro_tile_size, +- pipe_param.src.source_scan, +- pipe_param.src.hostvm, ++ pipe_param->src.source_format, ++ pipe_param->src.sw_mode, ++ pipe_param->src.macro_tile_size, ++ pipe_param->src.source_scan, ++ pipe_param->src.hostvm, + is_chroma, + surface_height); + } + + static void dml_rq_dlg_get_rq_params(struct display_mode_lib *mode_lib, + display_rq_params_st *rq_param, +- const display_pipe_params_st pipe_param) ++ const display_pipe_params_st *pipe_param) + { + // get param for luma surface +- rq_param->yuv420 = pipe_param.src.source_format == dm_420_8 +- || pipe_param.src.source_format == dm_420_10 +- || pipe_param.src.source_format == dm_rgbe_alpha +- || pipe_param.src.source_format == dm_420_12; ++ rq_param->yuv420 = pipe_param->src.source_format == dm_420_8 ++ || pipe_param->src.source_format == dm_420_10 ++ || pipe_param->src.source_format == dm_rgbe_alpha ++ || pipe_param->src.source_format == dm_420_12; + +- rq_param->yuv420_10bpc = pipe_param.src.source_format == dm_420_10; ++ rq_param->yuv420_10bpc = pipe_param->src.source_format == dm_420_10; + +- rq_param->rgbe_alpha = (pipe_param.src.source_format == dm_rgbe_alpha)?1:0; ++ rq_param->rgbe_alpha = (pipe_param->src.source_format == dm_rgbe_alpha)?1:0; + + get_surf_rq_param(mode_lib, + &(rq_param->sizing.rq_l), +@@ -859,7 +859,7 @@ static void dml_rq_dlg_get_rq_params(struct display_mode_lib *mode_lib, + 0, + 0); + +- if (is_dual_plane((enum source_format_class)(pipe_param.src.source_format))) { ++ if (is_dual_plane((enum source_format_class)(pipe_param->src.source_format))) { + // get param for chroma surface + get_surf_rq_param(mode_lib, + &(rq_param->sizing.rq_c), +@@ -871,13 +871,13 @@ static void dml_rq_dlg_get_rq_params(struct display_mode_lib *mode_lib, + } + + // calculate how to split the det buffer space between luma and chroma +- handle_det_buf_split(mode_lib, rq_param, pipe_param.src); ++ handle_det_buf_split(mode_lib, rq_param, pipe_param->src); + print__rq_params_st(mode_lib, *rq_param); + } + + void dml30_rq_dlg_get_rq_reg(struct display_mode_lib *mode_lib, + display_rq_regs_st *rq_regs, +- const display_pipe_params_st pipe_param) ++ const display_pipe_params_st *pipe_param) + { + display_rq_params_st rq_param = { 0 }; + +@@ -1831,7 +1831,7 @@ static void dml_rq_dlg_get_dlg_params(struct display_mode_lib *mode_lib, + void dml30_rq_dlg_get_dlg_reg(struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +@@ -1866,7 +1866,7 @@ void dml30_rq_dlg_get_dlg_reg(struct display_mode_lib *mode_lib, + // system parameter calculation done + + dml_print("DML_DLG: Calculation for pipe[%d] start\n\n", pipe_idx); +- dml_rq_dlg_get_rq_params(mode_lib, &rq_param, e2e_pipe_param[pipe_idx].pipe); ++ dml_rq_dlg_get_rq_params(mode_lib, &rq_param, &e2e_pipe_param[pipe_idx].pipe); + dml_rq_dlg_get_dlg_params(mode_lib, + e2e_pipe_param, + num_pipes, +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_rq_dlg_calc_30.h b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_rq_dlg_calc_30.h +index c04965cceff35..625e41f8d5751 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_rq_dlg_calc_30.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn30/display_rq_dlg_calc_30.h +@@ -41,7 +41,7 @@ struct display_mode_lib; + // See also: + void dml30_rq_dlg_get_rq_reg(struct display_mode_lib *mode_lib, + display_rq_regs_st *rq_regs, +- const display_pipe_params_st pipe_param); ++ const display_pipe_params_st *pipe_param); + + // Function: dml_rq_dlg_get_dlg_reg + // Calculate and return DLG and TTU register struct given the system setting +@@ -57,7 +57,7 @@ void dml30_rq_dlg_get_rq_reg(struct display_mode_lib *mode_lib, + void dml30_rq_dlg_get_dlg_reg(struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_rq_dlg_calc_31.c b/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_rq_dlg_calc_31.c +index c23905bc733ae..57bd4e3f8a823 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_rq_dlg_calc_31.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_rq_dlg_calc_31.c +@@ -738,7 +738,7 @@ static void get_surf_rq_param( + display_data_rq_sizing_params_st *rq_sizing_param, + display_data_rq_dlg_params_st *rq_dlg_param, + display_data_rq_misc_params_st *rq_misc_param, +- const display_pipe_params_st pipe_param, ++ const display_pipe_params_st *pipe_param, + bool is_chroma, + bool is_alpha) + { +@@ -752,33 +752,33 @@ static void get_surf_rq_param( + + // FIXME check if ppe apply for both luma and chroma in 422 case + if (is_chroma | is_alpha) { +- vp_width = pipe_param.src.viewport_width_c / ppe; +- vp_height = pipe_param.src.viewport_height_c; +- data_pitch = pipe_param.src.data_pitch_c; +- meta_pitch = pipe_param.src.meta_pitch_c; +- surface_height = pipe_param.src.surface_height_y / 2.0; ++ vp_width = pipe_param->src.viewport_width_c / ppe; ++ vp_height = pipe_param->src.viewport_height_c; ++ data_pitch = pipe_param->src.data_pitch_c; ++ meta_pitch = pipe_param->src.meta_pitch_c; ++ surface_height = pipe_param->src.surface_height_y / 2.0; + } else { +- vp_width = pipe_param.src.viewport_width / ppe; +- vp_height = pipe_param.src.viewport_height; +- data_pitch = pipe_param.src.data_pitch; +- meta_pitch = pipe_param.src.meta_pitch; +- surface_height = pipe_param.src.surface_height_y; ++ vp_width = pipe_param->src.viewport_width / ppe; ++ vp_height = pipe_param->src.viewport_height; ++ data_pitch = pipe_param->src.data_pitch; ++ meta_pitch = pipe_param->src.meta_pitch; ++ surface_height = pipe_param->src.surface_height_y; + } + +- if (pipe_param.dest.odm_combine) { ++ if (pipe_param->dest.odm_combine) { + unsigned int access_dir; + unsigned int full_src_vp_width; + unsigned int hactive_odm; + unsigned int src_hactive_odm; + +- access_dir = (pipe_param.src.source_scan == dm_vert); // vp access direction: horizontal or vertical accessed +- hactive_odm = pipe_param.dest.hactive / ((unsigned int) pipe_param.dest.odm_combine * 2); ++ access_dir = (pipe_param->src.source_scan == dm_vert); // vp access direction: horizontal or vertical accessed ++ hactive_odm = pipe_param->dest.hactive / ((unsigned int) pipe_param->dest.odm_combine * 2); + if (is_chroma) { +- full_src_vp_width = pipe_param.scale_ratio_depth.hscl_ratio_c * pipe_param.dest.full_recout_width; +- src_hactive_odm = pipe_param.scale_ratio_depth.hscl_ratio_c * hactive_odm; ++ full_src_vp_width = pipe_param->scale_ratio_depth.hscl_ratio_c * pipe_param->dest.full_recout_width; ++ src_hactive_odm = pipe_param->scale_ratio_depth.hscl_ratio_c * hactive_odm; + } else { +- full_src_vp_width = pipe_param.scale_ratio_depth.hscl_ratio * pipe_param.dest.full_recout_width; +- src_hactive_odm = pipe_param.scale_ratio_depth.hscl_ratio * hactive_odm; ++ full_src_vp_width = pipe_param->scale_ratio_depth.hscl_ratio * pipe_param->dest.full_recout_width; ++ src_hactive_odm = pipe_param->scale_ratio_depth.hscl_ratio * hactive_odm; + } + + if (access_dir == 0) { +@@ -808,7 +808,7 @@ static void get_surf_rq_param( + rq_sizing_param->meta_chunk_bytes = 2048; + rq_sizing_param->min_meta_chunk_bytes = 256; + +- if (pipe_param.src.hostvm) ++ if (pipe_param->src.hostvm) + rq_sizing_param->mpte_group_bytes = 512; + else + rq_sizing_param->mpte_group_bytes = 2048; +@@ -822,38 +822,38 @@ static void get_surf_rq_param( + vp_height, + data_pitch, + meta_pitch, +- pipe_param.src.source_format, +- pipe_param.src.sw_mode, +- pipe_param.src.macro_tile_size, +- pipe_param.src.source_scan, +- pipe_param.src.hostvm, ++ pipe_param->src.source_format, ++ pipe_param->src.sw_mode, ++ pipe_param->src.macro_tile_size, ++ pipe_param->src.source_scan, ++ pipe_param->src.hostvm, + is_chroma, + surface_height); + } + +-static void dml_rq_dlg_get_rq_params(struct display_mode_lib *mode_lib, display_rq_params_st *rq_param, const display_pipe_params_st pipe_param) ++static void dml_rq_dlg_get_rq_params(struct display_mode_lib *mode_lib, display_rq_params_st *rq_param, const display_pipe_params_st *pipe_param) + { + // get param for luma surface +- rq_param->yuv420 = pipe_param.src.source_format == dm_420_8 || pipe_param.src.source_format == dm_420_10 || pipe_param.src.source_format == dm_rgbe_alpha +- || pipe_param.src.source_format == dm_420_12; ++ rq_param->yuv420 = pipe_param->src.source_format == dm_420_8 || pipe_param->src.source_format == dm_420_10 || pipe_param->src.source_format == dm_rgbe_alpha ++ || pipe_param->src.source_format == dm_420_12; + +- rq_param->yuv420_10bpc = pipe_param.src.source_format == dm_420_10; ++ rq_param->yuv420_10bpc = pipe_param->src.source_format == dm_420_10; + +- rq_param->rgbe_alpha = (pipe_param.src.source_format == dm_rgbe_alpha) ? 1 : 0; ++ rq_param->rgbe_alpha = (pipe_param->src.source_format == dm_rgbe_alpha) ? 1 : 0; + + get_surf_rq_param(mode_lib, &(rq_param->sizing.rq_l), &(rq_param->dlg.rq_l), &(rq_param->misc.rq_l), pipe_param, 0, 0); + +- if (is_dual_plane((enum source_format_class) (pipe_param.src.source_format))) { ++ if (is_dual_plane((enum source_format_class) (pipe_param->src.source_format))) { + // get param for chroma surface + get_surf_rq_param(mode_lib, &(rq_param->sizing.rq_c), &(rq_param->dlg.rq_c), &(rq_param->misc.rq_c), pipe_param, 1, rq_param->rgbe_alpha); + } + + // calculate how to split the det buffer space between luma and chroma +- handle_det_buf_split(mode_lib, rq_param, pipe_param.src); ++ handle_det_buf_split(mode_lib, rq_param, pipe_param->src); + print__rq_params_st(mode_lib, *rq_param); + } + +-void dml31_rq_dlg_get_rq_reg(struct display_mode_lib *mode_lib, display_rq_regs_st *rq_regs, const display_pipe_params_st pipe_param) ++void dml31_rq_dlg_get_rq_reg(struct display_mode_lib *mode_lib, display_rq_regs_st *rq_regs, const display_pipe_params_st *pipe_param) + { + display_rq_params_st rq_param = {0}; + +@@ -1677,7 +1677,7 @@ void dml31_rq_dlg_get_dlg_reg( + struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +@@ -1704,7 +1704,7 @@ void dml31_rq_dlg_get_dlg_reg( + // system parameter calculation done + + dml_print("DML_DLG: Calculation for pipe[%d] start\n\n", pipe_idx); +- dml_rq_dlg_get_rq_params(mode_lib, &rq_param, e2e_pipe_param[pipe_idx].pipe); ++ dml_rq_dlg_get_rq_params(mode_lib, &rq_param, &e2e_pipe_param[pipe_idx].pipe); + dml_rq_dlg_get_dlg_params( + mode_lib, + e2e_pipe_param, +diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_rq_dlg_calc_31.h b/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_rq_dlg_calc_31.h +index adf8518f761f9..8ee991351699d 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_rq_dlg_calc_31.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_rq_dlg_calc_31.h +@@ -41,7 +41,7 @@ struct display_mode_lib; + // See also: + void dml31_rq_dlg_get_rq_reg(struct display_mode_lib *mode_lib, + display_rq_regs_st *rq_regs, +- const display_pipe_params_st pipe_param); ++ const display_pipe_params_st *pipe_param); + + // Function: dml_rq_dlg_get_dlg_reg + // Calculate and return DLG and TTU register struct given the system setting +@@ -57,7 +57,7 @@ void dml31_rq_dlg_get_rq_reg(struct display_mode_lib *mode_lib, + void dml31_rq_dlg_get_dlg_reg(struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +diff --git a/drivers/gpu/drm/amd/display/dc/dml/display_mode_lib.h b/drivers/gpu/drm/amd/display/dc/dml/display_mode_lib.h +index d42a0aeca6be2..72b1957022aa2 100644 +--- a/drivers/gpu/drm/amd/display/dc/dml/display_mode_lib.h ++++ b/drivers/gpu/drm/amd/display/dc/dml/display_mode_lib.h +@@ -49,7 +49,7 @@ struct dml_funcs { + struct display_mode_lib *mode_lib, + display_dlg_regs_st *dlg_regs, + display_ttu_regs_st *ttu_regs, +- display_e2e_pipe_params_st *e2e_pipe_param, ++ const display_e2e_pipe_params_st *e2e_pipe_param, + const unsigned int num_pipes, + const unsigned int pipe_idx, + const bool cstate_en, +@@ -60,7 +60,7 @@ struct dml_funcs { + void (*rq_dlg_get_rq_reg)( + struct display_mode_lib *mode_lib, + display_rq_regs_st *rq_regs, +- const display_pipe_params_st pipe_param); ++ const display_pipe_params_st *pipe_param); + void (*recalculate)(struct display_mode_lib *mode_lib); + void (*validate)(struct display_mode_lib *mode_lib); + }; +-- +2.33.0 + diff --git a/queue-5.15/drm-amdgpu-fix-a-potential-memory-leak-in-amdgpu_dev.patch b/queue-5.15/drm-amdgpu-fix-a-potential-memory-leak-in-amdgpu_dev.patch new file mode 100644 index 00000000000..ebacc0b099a --- /dev/null +++ b/queue-5.15/drm-amdgpu-fix-a-potential-memory-leak-in-amdgpu_dev.patch @@ -0,0 +1,40 @@ +From 003476d3809e5bf6e50ba451e27cc2b14a37cf33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 14:36:36 +0800 +Subject: drm/amdgpu: fix a potential memory leak in amdgpu_device_fini_sw() + +From: Lang Yu + +[ Upstream commit a5c5d8d50ecf5874be90a76e1557279ff8a30c9e ] + +amdgpu_fence_driver_sw_fini() should be executed before +amdgpu_device_ip_fini(), otherwise fence driver resource +won't be properly freed as adev->rings have been tore down. + +Fixes: 72c8c97b1522 ("drm/amdgpu: Split amdgpu_device_fini into early and late") + +Signed-off-by: Lang Yu +Reviewed-by: Andrey Grodzovsky +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index f7a98e9e68d88..c1e34aa5925b2 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -3877,8 +3877,8 @@ void amdgpu_device_fini_hw(struct amdgpu_device *adev) + + void amdgpu_device_fini_sw(struct amdgpu_device *adev) + { +- amdgpu_device_ip_fini(adev); + amdgpu_fence_driver_sw_fini(adev); ++ amdgpu_device_ip_fini(adev); + release_firmware(adev->firmware.gpu_info_fw); + adev->firmware.gpu_info_fw = NULL; + adev->accel_working = false; +-- +2.33.0 + diff --git a/queue-5.15/drm-amdgpu-fix-crash-on-device-remove-driver-unload.patch b/queue-5.15/drm-amdgpu-fix-crash-on-device-remove-driver-unload.patch new file mode 100644 index 00000000000..207de8a7f5c --- /dev/null +++ b/queue-5.15/drm-amdgpu-fix-crash-on-device-remove-driver-unload.patch @@ -0,0 +1,382 @@ +From 5d117db5eb6f9cddf43b38bea6fcceaed3fd4175 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 15:27:18 -0400 +Subject: drm/amdgpu: Fix crash on device remove/driver unload + +From: Andrey Grodzovsky + +[ Upstream commit d82e2c249c8ffaec20fa618611ea2ab4dcfd4d01 ] + +Crash: +BUG: unable to handle page fault for address: 00000000000010e1 +RIP: 0010:vega10_power_gate_vce+0x26/0x50 [amdgpu] +Call Trace: +pp_set_powergating_by_smu+0x16a/0x2b0 [amdgpu] +amdgpu_dpm_set_powergating_by_smu+0x92/0xf0 [amdgpu] +amdgpu_dpm_enable_vce+0x2e/0xc0 [amdgpu] +vce_v4_0_hw_fini+0x95/0xa0 [amdgpu] +amdgpu_device_fini_hw+0x232/0x30d [amdgpu] +amdgpu_driver_unload_kms+0x5c/0x80 [amdgpu] +amdgpu_pci_remove+0x27/0x40 [amdgpu] +pci_device_remove+0x3e/0xb0 +device_release_driver_internal+0x103/0x1d0 +device_release_driver+0x12/0x20 +pci_stop_bus_device+0x79/0xa0 +pci_stop_and_remove_bus_device_locked+0x1b/0x30 +remove_store+0x7b/0x90 +dev_attr_store+0x17/0x30 +sysfs_kf_write+0x4b/0x60 +kernfs_fop_write_iter+0x151/0x1e0 + +Why: +VCE/UVD had dependency on SMC block for their suspend but +SMC block is the first to do HW fini due to some constraints + +How: +Since the original patch was dealing with suspend issues +move the SMC block dependency back into suspend hooks as +was done in V1 of the original patches. +Keep flushing idle work both in suspend and HW fini seuqnces +since it's essential in both cases. + +Fixes: 859e4659273f1d ("drm/amdgpu: add missing cleanups for more ASICs on UVD/VCE suspend") +Fixes: bf756fb833cbe8 ("drm/amdgpu: add missing cleanups for Polaris12 UVD/VCE on suspend") +Signed-off-by: Andrey Grodzovsky +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c | 24 ++++++++------- + drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c | 24 ++++++++------- + drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c | 24 ++++++++------- + drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c | 32 ++++++++++--------- + drivers/gpu/drm/amd/amdgpu/vce_v2_0.c | 19 +++++++----- + drivers/gpu/drm/amd/amdgpu/vce_v3_0.c | 28 +++++++++-------- + drivers/gpu/drm/amd/amdgpu/vce_v4_0.c | 44 ++++++++++++++------------- + 7 files changed, 105 insertions(+), 90 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c +index 7232241e3bfb2..0fef925b66024 100644 +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v3_1.c +@@ -698,6 +698,19 @@ static int uvd_v3_1_hw_fini(void *handle) + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ cancel_delayed_work_sync(&adev->uvd.idle_work); ++ ++ if (RREG32(mmUVD_STATUS) != 0) ++ uvd_v3_1_stop(adev); ++ ++ return 0; ++} ++ ++static int uvd_v3_1_suspend(void *handle) ++{ ++ int r; ++ struct amdgpu_device *adev = (struct amdgpu_device *)handle; ++ + /* + * Proper cleanups before halting the HW engine: + * - cancel the delayed idle work +@@ -722,17 +735,6 @@ static int uvd_v3_1_hw_fini(void *handle) + AMD_CG_STATE_GATE); + } + +- if (RREG32(mmUVD_STATUS) != 0) +- uvd_v3_1_stop(adev); +- +- return 0; +-} +- +-static int uvd_v3_1_suspend(void *handle) +-{ +- int r; +- struct amdgpu_device *adev = (struct amdgpu_device *)handle; +- + r = uvd_v3_1_hw_fini(adev); + if (r) + return r; +diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c b/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c +index 52d6de969f462..c108b83817951 100644 +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v4_2.c +@@ -212,6 +212,19 @@ static int uvd_v4_2_hw_fini(void *handle) + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ cancel_delayed_work_sync(&adev->uvd.idle_work); ++ ++ if (RREG32(mmUVD_STATUS) != 0) ++ uvd_v4_2_stop(adev); ++ ++ return 0; ++} ++ ++static int uvd_v4_2_suspend(void *handle) ++{ ++ int r; ++ struct amdgpu_device *adev = (struct amdgpu_device *)handle; ++ + /* + * Proper cleanups before halting the HW engine: + * - cancel the delayed idle work +@@ -236,17 +249,6 @@ static int uvd_v4_2_hw_fini(void *handle) + AMD_CG_STATE_GATE); + } + +- if (RREG32(mmUVD_STATUS) != 0) +- uvd_v4_2_stop(adev); +- +- return 0; +-} +- +-static int uvd_v4_2_suspend(void *handle) +-{ +- int r; +- struct amdgpu_device *adev = (struct amdgpu_device *)handle; +- + r = uvd_v4_2_hw_fini(adev); + if (r) + return r; +diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c b/drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c +index db6d06758e4d4..563493d1f8306 100644 +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v5_0.c +@@ -210,6 +210,19 @@ static int uvd_v5_0_hw_fini(void *handle) + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ cancel_delayed_work_sync(&adev->uvd.idle_work); ++ ++ if (RREG32(mmUVD_STATUS) != 0) ++ uvd_v5_0_stop(adev); ++ ++ return 0; ++} ++ ++static int uvd_v5_0_suspend(void *handle) ++{ ++ int r; ++ struct amdgpu_device *adev = (struct amdgpu_device *)handle; ++ + /* + * Proper cleanups before halting the HW engine: + * - cancel the delayed idle work +@@ -234,17 +247,6 @@ static int uvd_v5_0_hw_fini(void *handle) + AMD_CG_STATE_GATE); + } + +- if (RREG32(mmUVD_STATUS) != 0) +- uvd_v5_0_stop(adev); +- +- return 0; +-} +- +-static int uvd_v5_0_suspend(void *handle) +-{ +- int r; +- struct amdgpu_device *adev = (struct amdgpu_device *)handle; +- + r = uvd_v5_0_hw_fini(adev); + if (r) + return r; +diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c b/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c +index b6e82d75561f6..1fd9ca21a091b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v7_0.c +@@ -606,6 +606,23 @@ static int uvd_v7_0_hw_fini(void *handle) + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ cancel_delayed_work_sync(&adev->uvd.idle_work); ++ ++ if (!amdgpu_sriov_vf(adev)) ++ uvd_v7_0_stop(adev); ++ else { ++ /* full access mode, so don't touch any UVD register */ ++ DRM_DEBUG("For SRIOV client, shouldn't do anything.\n"); ++ } ++ ++ return 0; ++} ++ ++static int uvd_v7_0_suspend(void *handle) ++{ ++ int r; ++ struct amdgpu_device *adev = (struct amdgpu_device *)handle; ++ + /* + * Proper cleanups before halting the HW engine: + * - cancel the delayed idle work +@@ -630,21 +647,6 @@ static int uvd_v7_0_hw_fini(void *handle) + AMD_CG_STATE_GATE); + } + +- if (!amdgpu_sriov_vf(adev)) +- uvd_v7_0_stop(adev); +- else { +- /* full access mode, so don't touch any UVD register */ +- DRM_DEBUG("For SRIOV client, shouldn't do anything.\n"); +- } +- +- return 0; +-} +- +-static int uvd_v7_0_suspend(void *handle) +-{ +- int r; +- struct amdgpu_device *adev = (struct amdgpu_device *)handle; +- + r = uvd_v7_0_hw_fini(adev); + if (r) + return r; +diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c +index b70c17f0c52e8..98952fd387e73 100644 +--- a/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vce_v2_0.c +@@ -479,6 +479,17 @@ static int vce_v2_0_hw_fini(void *handle) + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ cancel_delayed_work_sync(&adev->vce.idle_work); ++ ++ return 0; ++} ++ ++static int vce_v2_0_suspend(void *handle) ++{ ++ int r; ++ struct amdgpu_device *adev = (struct amdgpu_device *)handle; ++ ++ + /* + * Proper cleanups before halting the HW engine: + * - cancel the delayed idle work +@@ -502,14 +513,6 @@ static int vce_v2_0_hw_fini(void *handle) + AMD_CG_STATE_GATE); + } + +- return 0; +-} +- +-static int vce_v2_0_suspend(void *handle) +-{ +- int r; +- struct amdgpu_device *adev = (struct amdgpu_device *)handle; +- + r = vce_v2_0_hw_fini(adev); + if (r) + return r; +diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c +index 9de66893ccd6d..8fb5df7181e09 100644 +--- a/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c +@@ -490,6 +490,21 @@ static int vce_v3_0_hw_fini(void *handle) + int r; + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ cancel_delayed_work_sync(&adev->vce.idle_work); ++ ++ r = vce_v3_0_wait_for_idle(handle); ++ if (r) ++ return r; ++ ++ vce_v3_0_stop(adev); ++ return vce_v3_0_set_clockgating_state(adev, AMD_CG_STATE_GATE); ++} ++ ++static int vce_v3_0_suspend(void *handle) ++{ ++ int r; ++ struct amdgpu_device *adev = (struct amdgpu_device *)handle; ++ + /* + * Proper cleanups before halting the HW engine: + * - cancel the delayed idle work +@@ -513,19 +528,6 @@ static int vce_v3_0_hw_fini(void *handle) + AMD_CG_STATE_GATE); + } + +- r = vce_v3_0_wait_for_idle(handle); +- if (r) +- return r; +- +- vce_v3_0_stop(adev); +- return vce_v3_0_set_clockgating_state(adev, AMD_CG_STATE_GATE); +-} +- +-static int vce_v3_0_suspend(void *handle) +-{ +- int r; +- struct amdgpu_device *adev = (struct amdgpu_device *)handle; +- + r = vce_v3_0_hw_fini(adev); + if (r) + return r; +diff --git a/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c b/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c +index fec902b800c28..70b8c88d30513 100644 +--- a/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vce_v4_0.c +@@ -542,29 +542,8 @@ static int vce_v4_0_hw_fini(void *handle) + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + +- /* +- * Proper cleanups before halting the HW engine: +- * - cancel the delayed idle work +- * - enable powergating +- * - enable clockgating +- * - disable dpm +- * +- * TODO: to align with the VCN implementation, move the +- * jobs for clockgating/powergating/dpm setting to +- * ->set_powergating_state(). +- */ + cancel_delayed_work_sync(&adev->vce.idle_work); + +- if (adev->pm.dpm_enabled) { +- amdgpu_dpm_enable_vce(adev, false); +- } else { +- amdgpu_asic_set_vce_clocks(adev, 0, 0); +- amdgpu_device_ip_set_powergating_state(adev, AMD_IP_BLOCK_TYPE_VCE, +- AMD_PG_STATE_GATE); +- amdgpu_device_ip_set_clockgating_state(adev, AMD_IP_BLOCK_TYPE_VCE, +- AMD_CG_STATE_GATE); +- } +- + if (!amdgpu_sriov_vf(adev)) { + /* vce_v4_0_wait_for_idle(handle); */ + vce_v4_0_stop(adev); +@@ -594,6 +573,29 @@ static int vce_v4_0_suspend(void *handle) + drm_dev_exit(idx); + } + ++ /* ++ * Proper cleanups before halting the HW engine: ++ * - cancel the delayed idle work ++ * - enable powergating ++ * - enable clockgating ++ * - disable dpm ++ * ++ * TODO: to align with the VCN implementation, move the ++ * jobs for clockgating/powergating/dpm setting to ++ * ->set_powergating_state(). ++ */ ++ cancel_delayed_work_sync(&adev->vce.idle_work); ++ ++ if (adev->pm.dpm_enabled) { ++ amdgpu_dpm_enable_vce(adev, false); ++ } else { ++ amdgpu_asic_set_vce_clocks(adev, 0, 0); ++ amdgpu_device_ip_set_powergating_state(adev, AMD_IP_BLOCK_TYPE_VCE, ++ AMD_PG_STATE_GATE); ++ amdgpu_device_ip_set_clockgating_state(adev, AMD_IP_BLOCK_TYPE_VCE, ++ AMD_CG_STATE_GATE); ++ } ++ + r = vce_v4_0_hw_fini(adev); + if (r) + return r; +-- +2.33.0 + diff --git a/queue-5.15/drm-amdgpu-fix-mmio-access-page-fault.patch b/queue-5.15/drm-amdgpu-fix-mmio-access-page-fault.patch new file mode 100644 index 00000000000..ad9abb34153 --- /dev/null +++ b/queue-5.15/drm-amdgpu-fix-mmio-access-page-fault.patch @@ -0,0 +1,94 @@ +From e49c227e9df8fcfd558598bfb4eab1cff5e2b296 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 12:54:07 -0400 +Subject: drm/amdgpu: Fix MMIO access page fault + +From: Andrey Grodzovsky + +[ Upstream commit c03509cbc01559549700e14c4a6239f2572ab4ba ] + +Add more guards to MMIO access post device +unbind/unplug + +Bug: https://bugs.archlinux.org/task/72092?project=1&order=dateopened&sort=desc&pagenum=1 +Signed-off-by: Andrey Grodzovsky +Reviewed-by: James Zhu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 8 ++++++-- + drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c | 17 +++++++++++------ + 2 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c +index f4686e918e0d1..c405075a572c1 100644 +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c +@@ -22,6 +22,7 @@ + */ + + #include ++#include + + #include "amdgpu.h" + #include "amdgpu_vcn.h" +@@ -192,11 +193,14 @@ static int vcn_v2_0_sw_init(void *handle) + */ + static int vcn_v2_0_sw_fini(void *handle) + { +- int r; ++ int r, idx; + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + volatile struct amdgpu_fw_shared *fw_shared = adev->vcn.inst->fw_shared_cpu_addr; + +- fw_shared->present_flag_0 = 0; ++ if (drm_dev_enter(&adev->ddev, &idx)) { ++ fw_shared->present_flag_0 = 0; ++ drm_dev_exit(idx); ++ } + + amdgpu_virt_free_mm_table(adev); + +diff --git a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c +index e0c0c3734432e..a0956d8623770 100644 +--- a/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c ++++ b/drivers/gpu/drm/amd/amdgpu/vcn_v2_5.c +@@ -22,6 +22,7 @@ + */ + + #include ++#include + + #include "amdgpu.h" + #include "amdgpu_vcn.h" +@@ -233,17 +234,21 @@ static int vcn_v2_5_sw_init(void *handle) + */ + static int vcn_v2_5_sw_fini(void *handle) + { +- int i, r; ++ int i, r, idx; + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + volatile struct amdgpu_fw_shared *fw_shared; + +- for (i = 0; i < adev->vcn.num_vcn_inst; i++) { +- if (adev->vcn.harvest_config & (1 << i)) +- continue; +- fw_shared = adev->vcn.inst[i].fw_shared_cpu_addr; +- fw_shared->present_flag_0 = 0; ++ if (drm_dev_enter(&adev->ddev, &idx)) { ++ for (i = 0; i < adev->vcn.num_vcn_inst; i++) { ++ if (adev->vcn.harvest_config & (1 << i)) ++ continue; ++ fw_shared = adev->vcn.inst[i].fw_shared_cpu_addr; ++ fw_shared->present_flag_0 = 0; ++ } ++ drm_dev_exit(idx); + } + ++ + if (amdgpu_sriov_vf(adev)) + amdgpu_virt_free_mm_table(adev); + +-- +2.33.0 + diff --git a/queue-5.15/drm-amdgpu-fix-uvd-crash-on-polaris12-during-driver-.patch b/queue-5.15/drm-amdgpu-fix-uvd-crash-on-polaris12-during-driver-.patch new file mode 100644 index 00000000000..cca1a4f4a24 --- /dev/null +++ b/queue-5.15/drm-amdgpu-fix-uvd-crash-on-polaris12-during-driver-.patch @@ -0,0 +1,69 @@ +From be76f2c05676032e00cd12b46322dbb19e697f3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Oct 2021 17:35:36 +0800 +Subject: drm/amdgpu: fix uvd crash on Polaris12 during driver unloading + +From: Evan Quan + +[ Upstream commit 4fc30ea780e0a5c1c019bc2e44f8523e1eed9051 ] + +There was a change(below) target for such issue: +d82e2c249c8f ("drm/amdgpu: Fix crash on device remove/driver unload") +But the fix for VI ASICs was missing there. This is a supplement for +that. + +Fixes: d82e2c249c8f ("drm/amdgpu: Fix crash on device remove/driver unload") + +Signed-off-by: Evan Quan +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c b/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c +index bc571833632ea..72f8762907681 100644 +--- a/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c +@@ -543,6 +543,19 @@ static int uvd_v6_0_hw_fini(void *handle) + { + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + ++ cancel_delayed_work_sync(&adev->uvd.idle_work); ++ ++ if (RREG32(mmUVD_STATUS) != 0) ++ uvd_v6_0_stop(adev); ++ ++ return 0; ++} ++ ++static int uvd_v6_0_suspend(void *handle) ++{ ++ int r; ++ struct amdgpu_device *adev = (struct amdgpu_device *)handle; ++ + /* + * Proper cleanups before halting the HW engine: + * - cancel the delayed idle work +@@ -567,17 +580,6 @@ static int uvd_v6_0_hw_fini(void *handle) + AMD_CG_STATE_GATE); + } + +- if (RREG32(mmUVD_STATUS) != 0) +- uvd_v6_0_stop(adev); +- +- return 0; +-} +- +-static int uvd_v6_0_suspend(void *handle) +-{ +- int r; +- struct amdgpu_device *adev = (struct amdgpu_device *)handle; +- + r = uvd_v6_0_hw_fini(adev); + if (r) + return r; +-- +2.33.0 + diff --git a/queue-5.15/drm-amdgpu-fix-warning-for-overflow-check.patch b/queue-5.15/drm-amdgpu-fix-warning-for-overflow-check.patch new file mode 100644 index 00000000000..23b09ceb920 --- /dev/null +++ b/queue-5.15/drm-amdgpu-fix-warning-for-overflow-check.patch @@ -0,0 +1,62 @@ +From d30fcf07526482a3153aa8d18167eb4a7f534e7c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 14:58:10 +0200 +Subject: drm/amdgpu: fix warning for overflow check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +[ Upstream commit 335aea75b0d95518951cad7c4c676e6f1c02c150 ] + +The overflow check in amdgpu_bo_list_create() causes a warning with +clang-14 on 64-bit architectures, since the limit can never be +exceeded. + +drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c:74:18: error: result of comparison of constant 256204778801521549 with expression of type 'unsigned int' is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (num_entries > (SIZE_MAX - sizeof(struct amdgpu_bo_list)) + ~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The check remains useful for 32-bit architectures, so just avoid the +warning by using size_t as the type for the count. + +Fixes: 920990cb080a ("drm/amdgpu: allocate the bo_list array after the list") +Reviewed-by: Christian König +Signed-off-by: Arnd Bergmann +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 2 +- + drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +index 15c45b2a39835..714178f1b6c6e 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c +@@ -61,7 +61,7 @@ static void amdgpu_bo_list_free(struct kref *ref) + + int amdgpu_bo_list_create(struct amdgpu_device *adev, struct drm_file *filp, + struct drm_amdgpu_bo_list_entry *info, +- unsigned num_entries, struct amdgpu_bo_list **result) ++ size_t num_entries, struct amdgpu_bo_list **result) + { + unsigned last_entry = 0, first_userptr = num_entries; + struct amdgpu_bo_list_entry *array; +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h +index c905a4cfc173d..044b41f0bfd9c 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h +@@ -61,7 +61,7 @@ int amdgpu_bo_create_list_entry_array(struct drm_amdgpu_bo_list_in *in, + int amdgpu_bo_list_create(struct amdgpu_device *adev, + struct drm_file *filp, + struct drm_amdgpu_bo_list_entry *info, +- unsigned num_entries, ++ size_t num_entries, + struct amdgpu_bo_list **list); + + static inline struct amdgpu_bo_list_entry * +-- +2.33.0 + diff --git a/queue-5.15/drm-amdgpu-gmc6-fix-dma-mask-from-44-to-40-bits.patch b/queue-5.15/drm-amdgpu-gmc6-fix-dma-mask-from-44-to-40-bits.patch new file mode 100644 index 00000000000..710a33d622b --- /dev/null +++ b/queue-5.15/drm-amdgpu-gmc6-fix-dma-mask-from-44-to-40-bits.patch @@ -0,0 +1,47 @@ +From 8b41b34f2067c3c37ede1151f7fb1a8363732c6c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 13:26:19 -0400 +Subject: drm/amdgpu/gmc6: fix DMA mask from 44 to 40 bits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +[ Upstream commit 403475be6d8b122c3e6b8a47e075926d7299e5ef ] + +The DMA mask on SI parts is 40 bits not 44. Copy +paste typo. + +Fixes: 244511f386ccb9 ("drm/amdgpu: simplify and cleanup setting the dma mask") +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1762 +Acked-by: Christian König +Tested-by: Paul Menzel +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c b/drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c +index 0e81e03e9b498..0fe714f54cca9 100644 +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v6_0.c +@@ -841,12 +841,12 @@ static int gmc_v6_0_sw_init(void *handle) + + adev->gmc.mc_mask = 0xffffffffffULL; + +- r = dma_set_mask_and_coherent(adev->dev, DMA_BIT_MASK(44)); ++ r = dma_set_mask_and_coherent(adev->dev, DMA_BIT_MASK(40)); + if (r) { + dev_warn(adev->dev, "No suitable DMA available.\n"); + return r; + } +- adev->need_swiotlb = drm_need_swiotlb(44); ++ adev->need_swiotlb = drm_need_swiotlb(40); + + r = gmc_v6_0_init_microcode(adev); + if (r) { +-- +2.33.0 + diff --git a/queue-5.15/drm-amdgpu-move-amdgpu_virt_release_full_gpu-to-fini.patch b/queue-5.15/drm-amdgpu-move-amdgpu_virt_release_full_gpu-to-fini.patch new file mode 100644 index 00000000000..293a3b7f004 --- /dev/null +++ b/queue-5.15/drm-amdgpu-move-amdgpu_virt_release_full_gpu-to-fini.patch @@ -0,0 +1,55 @@ +From 2c3e265911ce894bd5d90d16896a3f7f5aa4ecd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 13:43:41 +0800 +Subject: drm/amdgpu: move amdgpu_virt_release_full_gpu to fini_early stage + +From: Guchun Chen + +[ Upstream commit 6effad8abe0ba4db3d9c58ed585127858a990f35 ] + +adev->rmmio is set to be NULL in amdgpu_device_unmap_mmio to prevent +access after pci_remove, however, in SRIOV case, amdgpu_virt_release_full_gpu +will still use adev->rmmio for access after amdgpu_device_unmap_mmio. +The patch is to move such SRIOV calling earlier to fini_early stage. + +Fixes: 07775fc13878 ("drm/amdgpu: Unmap all MMIO mappings") +Cc: Andrey Grodzovsky +Signed-off-by: Leslie Shi +Signed-off-by: Guchun Chen +Reviewed-by: Andrey Grodzovsky +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index 5b88c873c8a89..f7a98e9e68d88 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -2745,6 +2745,11 @@ static int amdgpu_device_ip_fini_early(struct amdgpu_device *adev) + adev->ip_blocks[i].status.hw = false; + } + ++ if (amdgpu_sriov_vf(adev)) { ++ if (amdgpu_virt_release_full_gpu(adev, false)) ++ DRM_ERROR("failed to release exclusive mode on fini\n"); ++ } ++ + return 0; + } + +@@ -2805,10 +2810,6 @@ static int amdgpu_device_ip_fini(struct amdgpu_device *adev) + + amdgpu_ras_fini(adev); + +- if (amdgpu_sriov_vf(adev)) +- if (amdgpu_virt_release_full_gpu(adev, false)) +- DRM_ERROR("failed to release exclusive mode on fini\n"); +- + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/drm-amdgpu-move-iommu_resume-before-ip-init-resume.patch b/queue-5.15/drm-amdgpu-move-iommu_resume-before-ip-init-resume.patch new file mode 100644 index 00000000000..0178a147aff --- /dev/null +++ b/queue-5.15/drm-amdgpu-move-iommu_resume-before-ip-init-resume.patch @@ -0,0 +1,39 @@ +From d7389154bcda2328d1941e4aa40bb0d1fbfe5199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 11:32:22 -0400 +Subject: drm/amdgpu: move iommu_resume before ip init/resume + +From: James Zhu + +[ Upstream commit 9cec53c18a3170c7e5673c414da56aeecee94832 ] + +Separate iommu_resume from kfd_resume, and move it before +other amdgpu ip init/resume. + +Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211277 +Signed-off-by: James Zhu +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +index b8d9004fb1635..5b88c873c8a89 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -2394,6 +2394,10 @@ static int amdgpu_device_ip_init(struct amdgpu_device *adev) + if (r) + goto init_failed; + ++ r = amdgpu_amdkfd_resume_iommu(adev); ++ if (r) ++ goto init_failed; ++ + r = amdgpu_device_ip_hw_init_phase1(adev); + if (r) + goto init_failed; +-- +2.33.0 + diff --git a/queue-5.15/drm-amdgpu-pm-properly-handle-sclk-for-profiling-mod.patch b/queue-5.15/drm-amdgpu-pm-properly-handle-sclk-for-profiling-mod.patch new file mode 100644 index 00000000000..f4cb61b3063 --- /dev/null +++ b/queue-5.15/drm-amdgpu-pm-properly-handle-sclk-for-profiling-mod.patch @@ -0,0 +1,173 @@ +From e4607cbe6ef1ba23619adef6bf06553cc178d323 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 11:33:00 -0400 +Subject: drm/amdgpu/pm: properly handle sclk for profiling modes on vangogh + +From: Alex Deucher + +[ Upstream commit 68e3871dcd6e547f6c47454492bc452356cb9eac ] + +When selecting between levels in the force performance levels interface +sclk (gfxclk) was not set correctly for all levels. Select the proper +sclk settings for all levels. + +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1726 +Reviewed-by: Evan Quan +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c | 89 ++++++------------- + 1 file changed, 29 insertions(+), 60 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c +index f6ef0ce6e9e2c..a9dceef4a7011 100644 +--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c ++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/vangogh_ppt.c +@@ -1386,52 +1386,38 @@ static int vangogh_set_performance_level(struct smu_context *smu, + uint32_t soc_mask, mclk_mask, fclk_mask; + uint32_t vclk_mask = 0, dclk_mask = 0; + ++ smu->cpu_actual_soft_min_freq = smu->cpu_default_soft_min_freq; ++ smu->cpu_actual_soft_max_freq = smu->cpu_default_soft_max_freq; ++ + switch (level) { + case AMD_DPM_FORCED_LEVEL_HIGH: +- smu->gfx_actual_hard_min_freq = smu->gfx_default_hard_min_freq; ++ smu->gfx_actual_hard_min_freq = smu->gfx_default_soft_max_freq; + smu->gfx_actual_soft_max_freq = smu->gfx_default_soft_max_freq; + +- smu->cpu_actual_soft_min_freq = smu->cpu_default_soft_min_freq; +- smu->cpu_actual_soft_max_freq = smu->cpu_default_soft_max_freq; + + ret = vangogh_force_dpm_limit_value(smu, true); ++ if (ret) ++ return ret; + break; + case AMD_DPM_FORCED_LEVEL_LOW: + smu->gfx_actual_hard_min_freq = smu->gfx_default_hard_min_freq; +- smu->gfx_actual_soft_max_freq = smu->gfx_default_soft_max_freq; +- +- smu->cpu_actual_soft_min_freq = smu->cpu_default_soft_min_freq; +- smu->cpu_actual_soft_max_freq = smu->cpu_default_soft_max_freq; ++ smu->gfx_actual_soft_max_freq = smu->gfx_default_hard_min_freq; + + ret = vangogh_force_dpm_limit_value(smu, false); ++ if (ret) ++ return ret; + break; + case AMD_DPM_FORCED_LEVEL_AUTO: + smu->gfx_actual_hard_min_freq = smu->gfx_default_hard_min_freq; + smu->gfx_actual_soft_max_freq = smu->gfx_default_soft_max_freq; + +- smu->cpu_actual_soft_min_freq = smu->cpu_default_soft_min_freq; +- smu->cpu_actual_soft_max_freq = smu->cpu_default_soft_max_freq; +- + ret = vangogh_unforce_dpm_levels(smu); +- break; +- case AMD_DPM_FORCED_LEVEL_PROFILE_STANDARD: +- smu->gfx_actual_hard_min_freq = smu->gfx_default_hard_min_freq; +- smu->gfx_actual_soft_max_freq = smu->gfx_default_soft_max_freq; +- +- smu->cpu_actual_soft_min_freq = smu->cpu_default_soft_min_freq; +- smu->cpu_actual_soft_max_freq = smu->cpu_default_soft_max_freq; +- +- ret = smu_cmn_send_smc_msg_with_param(smu, +- SMU_MSG_SetHardMinGfxClk, +- VANGOGH_UMD_PSTATE_STANDARD_GFXCLK, NULL); +- if (ret) +- return ret; +- +- ret = smu_cmn_send_smc_msg_with_param(smu, +- SMU_MSG_SetSoftMaxGfxClk, +- VANGOGH_UMD_PSTATE_STANDARD_GFXCLK, NULL); + if (ret) + return ret; ++ break; ++ case AMD_DPM_FORCED_LEVEL_PROFILE_STANDARD: ++ smu->gfx_actual_hard_min_freq = VANGOGH_UMD_PSTATE_STANDARD_GFXCLK; ++ smu->gfx_actual_soft_max_freq = VANGOGH_UMD_PSTATE_STANDARD_GFXCLK; + + ret = vangogh_get_profiling_clk_mask(smu, level, + &vclk_mask, +@@ -1446,32 +1432,15 @@ static int vangogh_set_performance_level(struct smu_context *smu, + vangogh_force_clk_levels(smu, SMU_SOCCLK, 1 << soc_mask); + vangogh_force_clk_levels(smu, SMU_VCLK, 1 << vclk_mask); + vangogh_force_clk_levels(smu, SMU_DCLK, 1 << dclk_mask); +- + break; + case AMD_DPM_FORCED_LEVEL_PROFILE_MIN_SCLK: + smu->gfx_actual_hard_min_freq = smu->gfx_default_hard_min_freq; +- smu->gfx_actual_soft_max_freq = smu->gfx_default_soft_max_freq; +- +- smu->cpu_actual_soft_min_freq = smu->cpu_default_soft_min_freq; +- smu->cpu_actual_soft_max_freq = smu->cpu_default_soft_max_freq; +- +- ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetHardMinVcn, +- VANGOGH_UMD_PSTATE_PEAK_DCLK, NULL); +- if (ret) +- return ret; +- +- ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetSoftMaxVcn, +- VANGOGH_UMD_PSTATE_PEAK_DCLK, NULL); +- if (ret) +- return ret; ++ smu->gfx_actual_soft_max_freq = smu->gfx_default_hard_min_freq; + break; + case AMD_DPM_FORCED_LEVEL_PROFILE_MIN_MCLK: + smu->gfx_actual_hard_min_freq = smu->gfx_default_hard_min_freq; + smu->gfx_actual_soft_max_freq = smu->gfx_default_soft_max_freq; + +- smu->cpu_actual_soft_min_freq = smu->cpu_default_soft_min_freq; +- smu->cpu_actual_soft_max_freq = smu->cpu_default_soft_max_freq; +- + ret = vangogh_get_profiling_clk_mask(smu, level, + NULL, + NULL, +@@ -1484,29 +1453,29 @@ static int vangogh_set_performance_level(struct smu_context *smu, + vangogh_force_clk_levels(smu, SMU_FCLK, 1 << fclk_mask); + break; + case AMD_DPM_FORCED_LEVEL_PROFILE_PEAK: +- smu->gfx_actual_hard_min_freq = smu->gfx_default_hard_min_freq; +- smu->gfx_actual_soft_max_freq = smu->gfx_default_soft_max_freq; +- +- smu->cpu_actual_soft_min_freq = smu->cpu_default_soft_min_freq; +- smu->cpu_actual_soft_max_freq = smu->cpu_default_soft_max_freq; +- +- ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetHardMinGfxClk, +- VANGOGH_UMD_PSTATE_PEAK_GFXCLK, NULL); +- if (ret) +- return ret; ++ smu->gfx_actual_hard_min_freq = VANGOGH_UMD_PSTATE_PEAK_GFXCLK; ++ smu->gfx_actual_soft_max_freq = VANGOGH_UMD_PSTATE_PEAK_GFXCLK; + +- ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetSoftMaxGfxClk, +- VANGOGH_UMD_PSTATE_PEAK_GFXCLK, NULL); ++ ret = vangogh_set_peak_clock_by_device(smu); + if (ret) + return ret; +- +- ret = vangogh_set_peak_clock_by_device(smu); + break; + case AMD_DPM_FORCED_LEVEL_MANUAL: + case AMD_DPM_FORCED_LEVEL_PROFILE_EXIT: + default: +- break; ++ return 0; + } ++ ++ ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetHardMinGfxClk, ++ smu->gfx_actual_hard_min_freq, NULL); ++ if (ret) ++ return ret; ++ ++ ret = smu_cmn_send_smc_msg_with_param(smu, SMU_MSG_SetSoftMaxGfxClk, ++ smu->gfx_actual_soft_max_freq, NULL); ++ if (ret) ++ return ret; ++ + return ret; + } + +-- +2.33.0 + diff --git a/queue-5.15/drm-amdgpu-powerplay-fix-sysfs_emit-sysfs_emit_at-ha.patch b/queue-5.15/drm-amdgpu-powerplay-fix-sysfs_emit-sysfs_emit_at-ha.patch new file mode 100644 index 00000000000..85cbfa2a431 --- /dev/null +++ b/queue-5.15/drm-amdgpu-powerplay-fix-sysfs_emit-sysfs_emit_at-ha.patch @@ -0,0 +1,307 @@ +From 5871e4934f0d69503583e21a116e02382b63dcdf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 15:52:53 -0400 +Subject: drm/amdgpu/powerplay: fix sysfs_emit/sysfs_emit_at handling + +From: Alex Deucher + +[ Upstream commit e9c76719c1e99caf95e70de74170291b9457bbc1 ] + +sysfs_emit and sysfs_emit_at requrie a page boundary +aligned buf address. Make them happy! + +v2: fix sysfs_emit -> sysfs_emit_at missed conversions + +Cc: Lang Yu +Cc: Darren Powell +Fixes: 6db0c87a0a8e ("amdgpu/pm: Replace hwmgr smu usage of sprintf with sysfs_emit") +Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1774 +Reviewed-by: Lang Yu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c | 8 ++++++-- + .../gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c | 10 +++++++--- + .../gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c | 2 ++ + .../gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.h | 13 +++++++++++++ + .../gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c | 12 +++++++++--- + .../gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c | 4 ++++ + .../gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c | 14 ++++++++++---- + 7 files changed, 51 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c +index 1de3ae77e03ed..258c573acc979 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.c +@@ -1024,6 +1024,8 @@ static int smu10_print_clock_levels(struct pp_hwmgr *hwmgr, + uint32_t min_freq, max_freq = 0; + uint32_t ret = 0; + ++ phm_get_sysfs_buf(&buf, &size); ++ + switch (type) { + case PP_SCLK: + smum_send_msg_to_smc(hwmgr, PPSMC_MSG_GetGfxclkFrequency, &now); +@@ -1065,7 +1067,7 @@ static int smu10_print_clock_levels(struct pp_hwmgr *hwmgr, + if (ret) + return ret; + +- size = sysfs_emit(buf, "%s:\n", "OD_SCLK"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK"); + size += sysfs_emit_at(buf, size, "0: %10uMhz\n", + (data->gfx_actual_soft_min_freq > 0) ? data->gfx_actual_soft_min_freq : min_freq); + size += sysfs_emit_at(buf, size, "1: %10uMhz\n", +@@ -1081,7 +1083,7 @@ static int smu10_print_clock_levels(struct pp_hwmgr *hwmgr, + if (ret) + return ret; + +- size = sysfs_emit(buf, "%s:\n", "OD_RANGE"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE"); + size += sysfs_emit_at(buf, size, "SCLK: %7uMHz %10uMHz\n", + min_freq, max_freq); + } +@@ -1456,6 +1458,8 @@ static int smu10_get_power_profile_mode(struct pp_hwmgr *hwmgr, char *buf) + if (!buf) + return -EINVAL; + ++ phm_get_sysfs_buf(&buf, &size); ++ + size += sysfs_emit_at(buf, size, "%s %16s %s %s %s %s\n",title[0], + title[1], title[2], title[3], title[4], title[5]); + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c +index e7803ce8f67aa..aceebf5842253 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu7_hwmgr.c +@@ -4914,6 +4914,8 @@ static int smu7_print_clock_levels(struct pp_hwmgr *hwmgr, + int size = 0; + uint32_t i, now, clock, pcie_speed; + ++ phm_get_sysfs_buf(&buf, &size); ++ + switch (type) { + case PP_SCLK: + smum_send_msg_to_smc(hwmgr, PPSMC_MSG_API_GetSclkFrequency, &clock); +@@ -4963,7 +4965,7 @@ static int smu7_print_clock_levels(struct pp_hwmgr *hwmgr, + break; + case OD_SCLK: + if (hwmgr->od_enabled) { +- size = sysfs_emit(buf, "%s:\n", "OD_SCLK"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK"); + for (i = 0; i < odn_sclk_table->num_of_pl; i++) + size += sysfs_emit_at(buf, size, "%d: %10uMHz %10umV\n", + i, odn_sclk_table->entries[i].clock/100, +@@ -4972,7 +4974,7 @@ static int smu7_print_clock_levels(struct pp_hwmgr *hwmgr, + break; + case OD_MCLK: + if (hwmgr->od_enabled) { +- size = sysfs_emit(buf, "%s:\n", "OD_MCLK"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_MCLK"); + for (i = 0; i < odn_mclk_table->num_of_pl; i++) + size += sysfs_emit_at(buf, size, "%d: %10uMHz %10umV\n", + i, odn_mclk_table->entries[i].clock/100, +@@ -4981,7 +4983,7 @@ static int smu7_print_clock_levels(struct pp_hwmgr *hwmgr, + break; + case OD_RANGE: + if (hwmgr->od_enabled) { +- size = sysfs_emit(buf, "%s:\n", "OD_RANGE"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE"); + size += sysfs_emit_at(buf, size, "SCLK: %7uMHz %10uMHz\n", + data->golden_dpm_table.sclk_table.dpm_levels[0].value/100, + hwmgr->platform_descriptor.overdriveLimit.engineClock/100); +@@ -5518,6 +5520,8 @@ static int smu7_get_power_profile_mode(struct pp_hwmgr *hwmgr, char *buf) + if (!buf) + return -EINVAL; + ++ phm_get_sysfs_buf(&buf, &size); ++ + size += sysfs_emit_at(buf, size, "%s %16s %16s %16s %16s %16s %16s %16s\n", + title[0], title[1], title[2], title[3], + title[4], title[5], title[6], title[7]); +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c +index b94a77e4e7147..8e28a8eecefc6 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu8_hwmgr.c +@@ -1550,6 +1550,8 @@ static int smu8_print_clock_levels(struct pp_hwmgr *hwmgr, + uint32_t i, now; + int size = 0; + ++ phm_get_sysfs_buf(&buf, &size); ++ + switch (type) { + case PP_SCLK: + now = PHM_GET_FIELD(cgs_read_ind_register(hwmgr->device, +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.h b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.h +index ad33983a8064e..2a75da1e9f035 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.h ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu_helper.h +@@ -109,6 +109,19 @@ int phm_irq_process(struct amdgpu_device *adev, + struct amdgpu_irq_src *source, + struct amdgpu_iv_entry *entry); + ++/* ++ * Helper function to make sysfs_emit_at() happy. Align buf to ++ * the current page boundary and record the offset. ++ */ ++static inline void phm_get_sysfs_buf(char **buf, int *offset) ++{ ++ if (!*buf || !offset) ++ return; ++ ++ *offset = offset_in_page(*buf); ++ *buf -= *offset; ++} ++ + int smu9_register_irq_handlers(struct pp_hwmgr *hwmgr); + + void *smu_atom_get_data_table(void *dev, uint32_t table, uint16_t *size, +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +index c152a61ddd2c9..c981fc2882f01 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega10_hwmgr.c +@@ -4548,6 +4548,8 @@ static int vega10_get_ppfeature_status(struct pp_hwmgr *hwmgr, char *buf) + int ret = 0; + int size = 0; + ++ phm_get_sysfs_buf(&buf, &size); ++ + ret = vega10_get_enabled_smc_features(hwmgr, &features_enabled); + PP_ASSERT_WITH_CODE(!ret, + "[EnableAllSmuFeatures] Failed to get enabled smc features!", +@@ -4637,6 +4639,8 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr, + + int i, now, size = 0, count = 0; + ++ phm_get_sysfs_buf(&buf, &size); ++ + switch (type) { + case PP_SCLK: + if (data->registry_data.sclk_dpm_key_disabled) +@@ -4717,7 +4721,7 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr, + + case OD_SCLK: + if (hwmgr->od_enabled) { +- size = sysfs_emit(buf, "%s:\n", "OD_SCLK"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK"); + podn_vdd_dep = &data->odn_dpm_table.vdd_dep_on_sclk; + for (i = 0; i < podn_vdd_dep->count; i++) + size += sysfs_emit_at(buf, size, "%d: %10uMhz %10umV\n", +@@ -4727,7 +4731,7 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr, + break; + case OD_MCLK: + if (hwmgr->od_enabled) { +- size = sysfs_emit(buf, "%s:\n", "OD_MCLK"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_MCLK"); + podn_vdd_dep = &data->odn_dpm_table.vdd_dep_on_mclk; + for (i = 0; i < podn_vdd_dep->count; i++) + size += sysfs_emit_at(buf, size, "%d: %10uMhz %10umV\n", +@@ -4737,7 +4741,7 @@ static int vega10_print_clock_levels(struct pp_hwmgr *hwmgr, + break; + case OD_RANGE: + if (hwmgr->od_enabled) { +- size = sysfs_emit(buf, "%s:\n", "OD_RANGE"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE"); + size += sysfs_emit_at(buf, size, "SCLK: %7uMHz %10uMHz\n", + data->golden_dpm_table.gfx_table.dpm_levels[0].value/100, + hwmgr->platform_descriptor.overdriveLimit.engineClock/100); +@@ -5112,6 +5116,8 @@ static int vega10_get_power_profile_mode(struct pp_hwmgr *hwmgr, char *buf) + if (!buf) + return -EINVAL; + ++ phm_get_sysfs_buf(&buf, &size); ++ + size += sysfs_emit_at(buf, size, "%s %16s %s %s %s %s\n",title[0], + title[1], title[2], title[3], title[4], title[5]); + +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c +index 8558718e15a8f..f7e783e1c888f 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega12_hwmgr.c +@@ -2141,6 +2141,8 @@ static int vega12_get_ppfeature_status(struct pp_hwmgr *hwmgr, char *buf) + int ret = 0; + int size = 0; + ++ phm_get_sysfs_buf(&buf, &size); ++ + ret = vega12_get_enabled_smc_features(hwmgr, &features_enabled); + PP_ASSERT_WITH_CODE(!ret, + "[EnableAllSmuFeatures] Failed to get enabled smc features!", +@@ -2244,6 +2246,8 @@ static int vega12_print_clock_levels(struct pp_hwmgr *hwmgr, + int i, now, size = 0; + struct pp_clock_levels_with_latency clocks; + ++ phm_get_sysfs_buf(&buf, &size); ++ + switch (type) { + case PP_SCLK: + PP_ASSERT_WITH_CODE( +diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c +index 0cf39c1244b1c..03e63be4ee275 100644 +--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c ++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c +@@ -3238,6 +3238,8 @@ static int vega20_get_ppfeature_status(struct pp_hwmgr *hwmgr, char *buf) + int ret = 0; + int size = 0; + ++ phm_get_sysfs_buf(&buf, &size); ++ + ret = vega20_get_enabled_smc_features(hwmgr, &features_enabled); + PP_ASSERT_WITH_CODE(!ret, + "[EnableAllSmuFeatures] Failed to get enabled smc features!", +@@ -3364,6 +3366,8 @@ static int vega20_print_clock_levels(struct pp_hwmgr *hwmgr, + int ret = 0; + uint32_t gen_speed, lane_width, current_gen_speed, current_lane_width; + ++ phm_get_sysfs_buf(&buf, &size); ++ + switch (type) { + case PP_SCLK: + ret = vega20_get_current_clk_freq(hwmgr, PPCLK_GFXCLK, &now); +@@ -3479,7 +3483,7 @@ static int vega20_print_clock_levels(struct pp_hwmgr *hwmgr, + case OD_SCLK: + if (od8_settings[OD8_SETTING_GFXCLK_FMIN].feature_id && + od8_settings[OD8_SETTING_GFXCLK_FMAX].feature_id) { +- size = sysfs_emit(buf, "%s:\n", "OD_SCLK"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_SCLK"); + size += sysfs_emit_at(buf, size, "0: %10uMhz\n", + od_table->GfxclkFmin); + size += sysfs_emit_at(buf, size, "1: %10uMhz\n", +@@ -3489,7 +3493,7 @@ static int vega20_print_clock_levels(struct pp_hwmgr *hwmgr, + + case OD_MCLK: + if (od8_settings[OD8_SETTING_UCLK_FMAX].feature_id) { +- size = sysfs_emit(buf, "%s:\n", "OD_MCLK"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_MCLK"); + size += sysfs_emit_at(buf, size, "1: %10uMhz\n", + od_table->UclkFmax); + } +@@ -3503,7 +3507,7 @@ static int vega20_print_clock_levels(struct pp_hwmgr *hwmgr, + od8_settings[OD8_SETTING_GFXCLK_VOLTAGE1].feature_id && + od8_settings[OD8_SETTING_GFXCLK_VOLTAGE2].feature_id && + od8_settings[OD8_SETTING_GFXCLK_VOLTAGE3].feature_id) { +- size = sysfs_emit(buf, "%s:\n", "OD_VDDC_CURVE"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_VDDC_CURVE"); + size += sysfs_emit_at(buf, size, "0: %10uMhz %10dmV\n", + od_table->GfxclkFreq1, + od_table->GfxclkVolt1 / VOLTAGE_SCALE); +@@ -3518,7 +3522,7 @@ static int vega20_print_clock_levels(struct pp_hwmgr *hwmgr, + break; + + case OD_RANGE: +- size = sysfs_emit(buf, "%s:\n", "OD_RANGE"); ++ size += sysfs_emit_at(buf, size, "%s:\n", "OD_RANGE"); + + if (od8_settings[OD8_SETTING_GFXCLK_FMIN].feature_id && + od8_settings[OD8_SETTING_GFXCLK_FMAX].feature_id) { +@@ -4003,6 +4007,8 @@ static int vega20_get_power_profile_mode(struct pp_hwmgr *hwmgr, char *buf) + if (!buf) + return -EINVAL; + ++ phm_get_sysfs_buf(&buf, &size); ++ + size += sysfs_emit_at(buf, size, "%16s %s %s %s %s %s %s %s %s %s %s\n", + title[0], title[1], title[2], title[3], title[4], title[5], + title[6], title[7], title[8], title[9], title[10]); +-- +2.33.0 + diff --git a/queue-5.15/drm-amdkfd-fix-an-inappropriate-error-handling-in-al.patch b/queue-5.15/drm-amdkfd-fix-an-inappropriate-error-handling-in-al.patch new file mode 100644 index 00000000000..b6b4fa849d1 --- /dev/null +++ b/queue-5.15/drm-amdkfd-fix-an-inappropriate-error-handling-in-al.patch @@ -0,0 +1,38 @@ +From 86e784ba9f45ff299ab9a307d71944e73a0d7326 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 13:57:25 +0800 +Subject: drm/amdkfd: Fix an inappropriate error handling in allloc memory of + gpu + +From: Lang Yu + +[ Upstream commit 5aeeac6fa38fca450faed9770f75b1470c0e2073 ] + +We should unreference a gem object instead of an amdgpu bo here. + +Fixes: fd9a9f8801de ("drm/amdgpu: Use GEM obj reference for KFD BOs") + +Signed-off-by: Lang Yu +Reviewed-by: Felix Kuehling +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +index 054c1a224defb..cdf46bd0d8d5b 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c +@@ -1503,7 +1503,7 @@ allocate_init_user_pages_failed: + remove_kgd_mem_from_kfd_bo_list(*mem, avm->process_info); + drm_vma_node_revoke(&gobj->vma_node, drm_priv); + err_node_allow: +- amdgpu_bo_unref(&bo); ++ drm_gem_object_put(gobj); + /* Don't unreserve system mem limit twice */ + goto err_reserve_limit; + err_bo_create: +-- +2.33.0 + diff --git a/queue-5.15/drm-amdkfd-fix-resume-error-when-iommu-disabled-in-p.patch b/queue-5.15/drm-amdkfd-fix-resume-error-when-iommu-disabled-in-p.patch new file mode 100644 index 00000000000..0e26e6a5a9b --- /dev/null +++ b/queue-5.15/drm-amdkfd-fix-resume-error-when-iommu-disabled-in-p.patch @@ -0,0 +1,38 @@ +From 4cc9d3d17b98e1a4d8409c9756fd59aef683d5d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 20:42:31 +0800 +Subject: drm/amdkfd: fix resume error when iommu disabled in Picasso + +From: Yifan Zhang + +[ Upstream commit 6f4b590aae217da16cfa44039a2abcfb209137ab ] + +When IOMMU disabled in sbios and kfd in iommuv2 path, +IOMMU resume failure blocks system resume. Don't allow kfd to +use iommu v2 when iommu is disabled. + +Reported-by: youling +Tested-by: youling +Signed-off-by: Yifan Zhang +Reviewed-by: James Zhu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +index a6afacc3b10cd..88c483f699894 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c +@@ -916,6 +916,7 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd, + kfd_double_confirm_iommu_support(kfd); + + if (kfd_iommu_device_init(kfd)) { ++ kfd->use_iommu_v2 = false; + dev_err(kfd_device, "Error initializing iommuv2\n"); + goto device_iommu_error; + } +-- +2.33.0 + diff --git a/queue-5.15/drm-amdkfd-rm-bo-resv-on-validation-to-avoid-deadloc.patch b/queue-5.15/drm-amdkfd-rm-bo-resv-on-validation-to-avoid-deadloc.patch new file mode 100644 index 00000000000..8024cc05c97 --- /dev/null +++ b/queue-5.15/drm-amdkfd-rm-bo-resv-on-validation-to-avoid-deadloc.patch @@ -0,0 +1,61 @@ +From 66873e282d719b425554ffcc0fe35e3550e48129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 12:04:09 -0500 +Subject: drm/amdkfd: rm BO resv on validation to avoid deadlock + +From: Alex Sierra + +[ Upstream commit ec6abe831a843208e99a59adf108adba22166b3f ] + +This fix the deadlock with the BO reservations during SVM_BO evictions +while allocations in VRAM are concurrently performed. More specific, +while the ttm waits for the fence to be signaled (ttm_bo_wait), it +already has the BO reserved. In parallel, the restore worker might be +running, prefetching memory to VRAM. This also requires to reserve the +BO, but blocks the mmap semaphore first. The deadlock happens when the +SVM_BO eviction worker kicks in and waits for the mmap semaphore held +in restore worker. Preventing signal the fence back, causing the +deadlock until the ttm times out. + +We don't need to hold the BO reservation anymore during validation +and mapping. Now the physical addresses are taken from hmm_range_fault. +We also take migrate_mutex to prevent range migration while +validate_and_map update GPU page table. + +Signed-off-by: Alex Sierra +Signed-off-by: Felix Kuehling +Reviewed-by: Philip Yang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +index 9d0f65a90002d..179080329af89 100644 +--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c +@@ -1307,7 +1307,7 @@ struct svm_validate_context { + struct svm_range *prange; + bool intr; + unsigned long bitmap[MAX_GPU_INSTANCE]; +- struct ttm_validate_buffer tv[MAX_GPU_INSTANCE+1]; ++ struct ttm_validate_buffer tv[MAX_GPU_INSTANCE]; + struct list_head validate_list; + struct ww_acquire_ctx ticket; + }; +@@ -1334,11 +1334,6 @@ static int svm_range_reserve_bos(struct svm_validate_context *ctx) + ctx->tv[gpuidx].num_shared = 4; + list_add(&ctx->tv[gpuidx].head, &ctx->validate_list); + } +- if (ctx->prange->svm_bo && ctx->prange->ttm_res) { +- ctx->tv[MAX_GPU_INSTANCE].bo = &ctx->prange->svm_bo->bo->tbo; +- ctx->tv[MAX_GPU_INSTANCE].num_shared = 1; +- list_add(&ctx->tv[MAX_GPU_INSTANCE].head, &ctx->validate_list); +- } + + r = ttm_eu_reserve_buffers(&ctx->ticket, &ctx->validate_list, + ctx->intr, NULL); +-- +2.33.0 + diff --git a/queue-5.15/drm-bridge-anx7625-propagate-errors-from-sp_tx_rst_a.patch b/queue-5.15/drm-bridge-anx7625-propagate-errors-from-sp_tx_rst_a.patch new file mode 100644 index 00000000000..af70559e6ba --- /dev/null +++ b/queue-5.15/drm-bridge-anx7625-propagate-errors-from-sp_tx_rst_a.patch @@ -0,0 +1,70 @@ +From 6ce3fc48bf4c51fb8ac5f00450e4323eca67aea2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 19:13:17 +0200 +Subject: drm/bridge: anx7625: Propagate errors from sp_tx_rst_aux() + +From: Robert Foss + +[ Upstream commit 7f16d0f3b8e2d13f940e944cd17044ca8eeb8b32 ] + +The return value of sp_tx_rst_aux() is not propagated, which means +both compiler warnings and potential errors not being handled. + +Fixes: 8bdfc5dae4e3 ("drm/bridge: anx7625: Add anx7625 MIPI DSI/DPI to DP") + +Reviewed-by: Sam Ravnborg +Reported-by: kernel test robot +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20210818171318.1848272-1-robert.foss@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/analogix/anx7625.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/analogix/anx7625.c b/drivers/gpu/drm/bridge/analogix/anx7625.c +index 14d73fb1dd15b..ea414cd349b5c 100644 +--- a/drivers/gpu/drm/bridge/analogix/anx7625.c ++++ b/drivers/gpu/drm/bridge/analogix/anx7625.c +@@ -720,7 +720,7 @@ static int edid_read(struct anx7625_data *ctx, + ret = sp_tx_aux_rd(ctx, 0xf1); + + if (ret) { +- sp_tx_rst_aux(ctx); ++ ret = sp_tx_rst_aux(ctx); + DRM_DEV_DEBUG_DRIVER(dev, "edid read fail, reset!\n"); + } else { + ret = anx7625_reg_block_read(ctx, ctx->i2c.rx_p0_client, +@@ -735,7 +735,7 @@ static int edid_read(struct anx7625_data *ctx, + if (cnt > EDID_TRY_CNT) + return -EIO; + +- return 0; ++ return ret; + } + + static int segments_edid_read(struct anx7625_data *ctx, +@@ -785,7 +785,7 @@ static int segments_edid_read(struct anx7625_data *ctx, + if (cnt > EDID_TRY_CNT) + return -EIO; + +- return 0; ++ return ret; + } + + static int sp_tx_edid_read(struct anx7625_data *ctx, +@@ -887,7 +887,11 @@ static int sp_tx_edid_read(struct anx7625_data *ctx, + } + + /* Reset aux channel */ +- sp_tx_rst_aux(ctx); ++ ret = sp_tx_rst_aux(ctx); ++ if (ret < 0) { ++ DRM_DEV_ERROR(dev, "Failed to reset aux channel!\n"); ++ return ret; ++ } + + return (blocks_num + 1); + } +-- +2.33.0 + diff --git a/queue-5.15/drm-bridge-it66121-fix-return-value-it66121_probe.patch b/queue-5.15/drm-bridge-it66121-fix-return-value-it66121_probe.patch new file mode 100644 index 00000000000..b494cb17637 --- /dev/null +++ b/queue-5.15/drm-bridge-it66121-fix-return-value-it66121_probe.patch @@ -0,0 +1,64 @@ +From 483ec3e86fdcb5d2802ea932372e90d3c895cb97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 16:04:20 +0200 +Subject: drm: bridge: it66121: Fix return value it66121_probe + +From: Alex Bee + +[ Upstream commit f3bc07eba481942a246926c5b934199e7ccd567b ] + +Currently it66121_probe returns -EPROBE_DEFER if the there is no remote +endpoint found in the device tree which doesn't seem helpful, since this +is not going to change later and it is never checked if the next bridge +has been initialized yet. It will fail in that case later while doing +drm_bridge_attach for the next bridge in it66121_bridge_attach. + +Since the bindings documentation for it66121 bridge driver states +there has to be a remote endpoint defined, its safe to return -EINVAL +in that case. +This additonally adds a check, if the remote endpoint is enabled and +returns -EPROBE_DEFER, if the remote bridge hasn't been initialized +(yet). + +Fixes: 988156dc2fc9 ("drm: bridge: add it66121 driver") +Signed-off-by: Alex Bee +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20210918140420.231346-1-knaerzche@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ite-it66121.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/ite-it66121.c b/drivers/gpu/drm/bridge/ite-it66121.c +index 9dc41a7b91362..06b59b422c696 100644 +--- a/drivers/gpu/drm/bridge/ite-it66121.c ++++ b/drivers/gpu/drm/bridge/ite-it66121.c +@@ -918,11 +918,23 @@ static int it66121_probe(struct i2c_client *client, + return -EINVAL; + + ep = of_graph_get_remote_node(dev->of_node, 1, -1); +- if (!ep) +- return -EPROBE_DEFER; ++ if (!ep) { ++ dev_err(ctx->dev, "The endpoint is unconnected\n"); ++ return -EINVAL; ++ } ++ ++ if (!of_device_is_available(ep)) { ++ of_node_put(ep); ++ dev_err(ctx->dev, "The remote device is disabled\n"); ++ return -ENODEV; ++ } + + ctx->next_bridge = of_drm_find_bridge(ep); + of_node_put(ep); ++ if (!ctx->next_bridge) { ++ dev_dbg(ctx->dev, "Next bridge not found, deferring probe\n"); ++ return -EPROBE_DEFER; ++ } + + if (!ctx->next_bridge) + return -EPROBE_DEFER; +-- +2.33.0 + diff --git a/queue-5.15/drm-bridge-it66121-initialize-device-vendor-_ids.patch b/queue-5.15/drm-bridge-it66121-initialize-device-vendor-_ids.patch new file mode 100644 index 00000000000..f902eac40f2 --- /dev/null +++ b/queue-5.15/drm-bridge-it66121-initialize-device-vendor-_ids.patch @@ -0,0 +1,46 @@ +From d9c9f52a3b682a4dd00a56126551671112e1dbea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 17:39:55 +0100 +Subject: drm/bridge: it66121: Initialize {device,vendor}_ids + +From: Paul Cercueil + +[ Upstream commit 3a5f3d61de657bc1c2b53b77d065c5526f982e10 ] + +These two arrays are populated with data read from the I2C device +through regmap_read(), and the data is then compared with hardcoded +vendor/product ID values of supported chips. + +However, the return value of regmap_read() was never checked. This is +fine, as long as the two arrays are zero-initialized, so that we don't +compare the vendor/product IDs against whatever garbage is left on the +stack. + +Address this issue by zero-initializing these two arrays. + +Signed-off-by: Paul Cercueil +Fixes: 988156dc2fc9 ("drm: bridge: add it66121 driver") +Reviewed-by: Neil Armstrong +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20210827163956.27517-1-paul@crapouillou.net +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ite-it66121.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/ite-it66121.c b/drivers/gpu/drm/bridge/ite-it66121.c +index 2f2a09adb4bc8..b130d01147c6c 100644 +--- a/drivers/gpu/drm/bridge/ite-it66121.c ++++ b/drivers/gpu/drm/bridge/ite-it66121.c +@@ -889,7 +889,7 @@ unlock: + static int it66121_probe(struct i2c_client *client, + const struct i2c_device_id *id) + { +- u32 vendor_ids[2], device_ids[2], revision_id; ++ u32 revision_id, vendor_ids[2] = { 0 }, device_ids[2] = { 0 }; + struct device_node *ep; + int ret; + struct it66121_ctx *ctx; +-- +2.33.0 + diff --git a/queue-5.15/drm-bridge-it66121-wait-for-next-bridge-to-be-probed.patch b/queue-5.15/drm-bridge-it66121-wait-for-next-bridge-to-be-probed.patch new file mode 100644 index 00000000000..181dac63ad2 --- /dev/null +++ b/queue-5.15/drm-bridge-it66121-wait-for-next-bridge-to-be-probed.patch @@ -0,0 +1,42 @@ +From a8ba8bdb35be959bf9bdfcbd5538f93d4407d996 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 17:39:56 +0100 +Subject: drm/bridge: it66121: Wait for next bridge to be probed + +From: Paul Cercueil + +[ Upstream commit 8b03e3fc79189b17d31a82f5e175698802a11e87 ] + +If run before the next bridge is initialized, of_drm_find_bridge() will +give us a NULL pointer. + +If that's the case, return -EPROBE_DEFER; we may have more luck next +time. + +Signed-off-by: Paul Cercueil +Fixes: 988156dc2fc9 ("drm: bridge: add it66121 driver") +Reviewed-by: Neil Armstrong +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20210827163956.27517-2-paul@crapouillou.net +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/ite-it66121.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/ite-it66121.c b/drivers/gpu/drm/bridge/ite-it66121.c +index b130d01147c6c..9dc41a7b91362 100644 +--- a/drivers/gpu/drm/bridge/ite-it66121.c ++++ b/drivers/gpu/drm/bridge/ite-it66121.c +@@ -924,6 +924,9 @@ static int it66121_probe(struct i2c_client *client, + ctx->next_bridge = of_drm_find_bridge(ep); + of_node_put(ep); + ++ if (!ctx->next_bridge) ++ return -EPROBE_DEFER; ++ + i2c_set_clientdata(client, ctx); + mutex_init(&ctx->lock); + +-- +2.33.0 + diff --git a/queue-5.15/drm-bridge-lontium-lt9611uxc-fix-provided-connector-.patch b/queue-5.15/drm-bridge-lontium-lt9611uxc-fix-provided-connector-.patch new file mode 100644 index 00000000000..7ee4ab760e5 --- /dev/null +++ b/queue-5.15/drm-bridge-lontium-lt9611uxc-fix-provided-connector-.patch @@ -0,0 +1,54 @@ +From 5e050552e93cc5b3977ce993126cf5eaf0d569f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 02:03:29 +0300 +Subject: drm/bridge/lontium-lt9611uxc: fix provided connector suport + +From: Dmitry Baryshkov + +[ Upstream commit 15184965783aab3ca7ee4f939e2598943b3f40f9 ] + +- set DRM_CONNECTOR_POLL_HPD as the connector will generate hotplug + events on its own + +- do not call drm_kms_helper_hotplug_event() unless mode_config.funcs + pointer is not NULL to remove possible kernel oops. + +Fixes: bc6fa8676ebb ("drm/bridge/lontium-lt9611uxc: move HPD notification out of IRQ handler") +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20210708230329.395976-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/lontium-lt9611uxc.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c +index 3cac16db970f0..010657ea7af78 100644 +--- a/drivers/gpu/drm/bridge/lontium-lt9611uxc.c ++++ b/drivers/gpu/drm/bridge/lontium-lt9611uxc.c +@@ -167,9 +167,10 @@ static void lt9611uxc_hpd_work(struct work_struct *work) + struct lt9611uxc *lt9611uxc = container_of(work, struct lt9611uxc, work); + bool connected; + +- if (lt9611uxc->connector.dev) +- drm_kms_helper_hotplug_event(lt9611uxc->connector.dev); +- else { ++ if (lt9611uxc->connector.dev) { ++ if (lt9611uxc->connector.dev->mode_config.funcs) ++ drm_kms_helper_hotplug_event(lt9611uxc->connector.dev); ++ } else { + + mutex_lock(<9611uxc->ocm_lock); + connected = lt9611uxc->hdmi_connected; +@@ -339,6 +340,8 @@ static int lt9611uxc_connector_init(struct drm_bridge *bridge, struct lt9611uxc + return -ENODEV; + } + ++ lt9611uxc->connector.polled = DRM_CONNECTOR_POLL_HPD; ++ + drm_connector_helper_add(<9611uxc->connector, + <9611uxc_bridge_connector_helper_funcs); + ret = drm_connector_init(bridge->dev, <9611uxc->connector, +-- +2.33.0 + diff --git a/queue-5.15/drm-bridge-nwl-dsi-add-atomic_get_input_bus_fmts.patch b/queue-5.15/drm-bridge-nwl-dsi-add-atomic_get_input_bus_fmts.patch new file mode 100644 index 00000000000..80b51048a7d --- /dev/null +++ b/queue-5.15/drm-bridge-nwl-dsi-add-atomic_get_input_bus_fmts.patch @@ -0,0 +1,88 @@ +From 0087077a0c47564f71b512e6f7418241f943046b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 15:41:23 +0200 +Subject: drm/bridge: nwl-dsi: Add atomic_get_input_bus_fmts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guido Günther + +[ Upstream commit 2f1495fac8d38bfade18bd7e31fa787cd7815626 ] + +Components further up in the chain might ask us for supported formats. + +Without this MEDIA_BUS_FMT_FIXED is assumed which then breaks display +output with mxsfb since it can't determine a proper bus format. + +We handle the bus formats that correspond to the DSI formats the bridge +can potentially output (see chapter 13.6 of the i.MX 8MQ reference +manual) - which matches what xsfb can input. + +Fixes: b776b0f00f24 ("drm: mxsfb: Use bus_format from the nearest bridge if present") + +Signed-off-by: Guido Günther +Reviewed-by: Lucas Stach +Reviewed-by: Sam Ravnborg +Link: https://patchwork.freedesktop.org/patch/msgid/1712f2b952694fd4484dfd8576fbc5b4d7adf042.1633959458.git.agx@sigxcpu.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/nwl-dsi.c | 35 ++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/drivers/gpu/drm/bridge/nwl-dsi.c b/drivers/gpu/drm/bridge/nwl-dsi.c +index ed8ac5059cd26..a7389a0facfb4 100644 +--- a/drivers/gpu/drm/bridge/nwl-dsi.c ++++ b/drivers/gpu/drm/bridge/nwl-dsi.c +@@ -939,6 +939,40 @@ static void nwl_dsi_bridge_detach(struct drm_bridge *bridge) + drm_of_panel_bridge_remove(dsi->dev->of_node, 1, 0); + } + ++static u32 *nwl_bridge_atomic_get_input_bus_fmts(struct drm_bridge *bridge, ++ struct drm_bridge_state *bridge_state, ++ struct drm_crtc_state *crtc_state, ++ struct drm_connector_state *conn_state, ++ u32 output_fmt, ++ unsigned int *num_input_fmts) ++{ ++ u32 *input_fmts, input_fmt; ++ ++ *num_input_fmts = 0; ++ ++ switch (output_fmt) { ++ /* If MEDIA_BUS_FMT_FIXED is tested, return default bus format */ ++ case MEDIA_BUS_FMT_FIXED: ++ input_fmt = MEDIA_BUS_FMT_RGB888_1X24; ++ break; ++ case MEDIA_BUS_FMT_RGB888_1X24: ++ case MEDIA_BUS_FMT_RGB666_1X18: ++ case MEDIA_BUS_FMT_RGB565_1X16: ++ input_fmt = output_fmt; ++ break; ++ default: ++ return NULL; ++ } ++ ++ input_fmts = kcalloc(1, sizeof(*input_fmts), GFP_KERNEL); ++ if (!input_fmts) ++ return NULL; ++ input_fmts[0] = input_fmt; ++ *num_input_fmts = 1; ++ ++ return input_fmts; ++} ++ + static const struct drm_bridge_funcs nwl_dsi_bridge_funcs = { + .atomic_duplicate_state = drm_atomic_helper_bridge_duplicate_state, + .atomic_destroy_state = drm_atomic_helper_bridge_destroy_state, +@@ -946,6 +980,7 @@ static const struct drm_bridge_funcs nwl_dsi_bridge_funcs = { + .atomic_check = nwl_dsi_bridge_atomic_check, + .atomic_enable = nwl_dsi_bridge_atomic_enable, + .atomic_disable = nwl_dsi_bridge_atomic_disable, ++ .atomic_get_input_bus_fmts = nwl_bridge_atomic_get_input_bus_fmts, + .mode_set = nwl_dsi_bridge_mode_set, + .mode_valid = nwl_dsi_bridge_mode_valid, + .attach = nwl_dsi_bridge_attach, +-- +2.33.0 + diff --git a/queue-5.15/drm-fb_helper-fix-config_fb-dependency.patch b/queue-5.15/drm-fb_helper-fix-config_fb-dependency.patch new file mode 100644 index 00000000000..9e949e0b2c5 --- /dev/null +++ b/queue-5.15/drm-fb_helper-fix-config_fb-dependency.patch @@ -0,0 +1,44 @@ +From 88715dd5b43c1b575ed9ab661d98af4f5c68e37c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 16:28:02 +0200 +Subject: drm: fb_helper: fix CONFIG_FB dependency + +From: Arnd Bergmann + +[ Upstream commit 606b102876e3741851dfb09d53f3ee57f650a52c ] + +With CONFIG_FB=m and CONFIG_DRM=y, we get a link error in the fb helper: + +aarch64-linux-ld: drivers/gpu/drm/drm_fb_helper.o: in function `drm_fb_helper_alloc_fbi': +(.text+0x10cc): undefined reference to `framebuffer_alloc' + +Tighten the dependency so it is only allowed in the case that DRM can +link against FB. + +Fixes: f611b1e7624c ("drm: Avoid circular dependencies for CONFIG_FB") +Link: https://lore.kernel.org/all/20210721152211.2706171-1-arnd@kernel.org/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Kees Cook +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20210927142816.2069269-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/Kconfig b/drivers/gpu/drm/Kconfig +index cea777ae7fb92..9199f53861cac 100644 +--- a/drivers/gpu/drm/Kconfig ++++ b/drivers/gpu/drm/Kconfig +@@ -103,7 +103,7 @@ config DRM_DEBUG_DP_MST_TOPOLOGY_REFS + config DRM_FBDEV_EMULATION + bool "Enable legacy fbdev support for your modesetting driver" + depends on DRM +- depends on FB ++ depends on FB=y || FB=DRM + select DRM_KMS_HELPER + select FB_CFB_FILLRECT + select FB_CFB_COPYAREA +-- +2.33.0 + diff --git a/queue-5.15/drm-fb_helper-improve-config_fb-dependency.patch b/queue-5.15/drm-fb_helper-improve-config_fb-dependency.patch new file mode 100644 index 00000000000..76a944ee21b --- /dev/null +++ b/queue-5.15/drm-fb_helper-improve-config_fb-dependency.patch @@ -0,0 +1,50 @@ +From 72db727da2eb22cf81e81ba1fdf8a34fa11589a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 14:02:38 +0200 +Subject: drm: fb_helper: improve CONFIG_FB dependency + +From: Arnd Bergmann + +[ Upstream commit 9d6366e743f37d36ef69347924ead7bcc596076e ] + +My previous patch correctly addressed the possible link failure, but as +Jani points out, the dependency is now stricter than it needs to be. + +Change it again, to allow DRM_FBDEV_EMULATION to be used when +DRM_KMS_HELPER and FB are both loadable modules and DRM is linked into +the kernel. + +As a side-effect, the option is now only visible when at least one DRM +driver makes use of DRM_KMS_HELPER. This is better, because the option +has no effect otherwise. + +Fixes: 606b102876e3 ("drm: fb_helper: fix CONFIG_FB dependency") +Suggested-by: Acked-by: Jani Nikula +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Arnd Bergmann +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20211029120307.1407047-1-arnd@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/Kconfig | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/Kconfig b/drivers/gpu/drm/Kconfig +index 9199f53861cac..6ae4269118af3 100644 +--- a/drivers/gpu/drm/Kconfig ++++ b/drivers/gpu/drm/Kconfig +@@ -102,9 +102,8 @@ config DRM_DEBUG_DP_MST_TOPOLOGY_REFS + + config DRM_FBDEV_EMULATION + bool "Enable legacy fbdev support for your modesetting driver" +- depends on DRM +- depends on FB=y || FB=DRM +- select DRM_KMS_HELPER ++ depends on DRM_KMS_HELPER ++ depends on FB=y || FB=DRM_KMS_HELPER + select FB_CFB_FILLRECT + select FB_CFB_COPYAREA + select FB_CFB_IMAGEBLIT +-- +2.33.0 + diff --git a/queue-5.15/drm-i915-fb-fix-rounding-error-in-subsampled-plane-s.patch b/queue-5.15/drm-i915-fb-fix-rounding-error-in-subsampled-plane-s.patch new file mode 100644 index 00000000000..ee14b04698b --- /dev/null +++ b/queue-5.15/drm-i915-fb-fix-rounding-error-in-subsampled-plane-s.patch @@ -0,0 +1,44 @@ +From d626d53fd31998d3bce15e5391f5a77b91038730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 01:50:59 +0300 +Subject: drm/i915/fb: Fix rounding error in subsampled plane size calculation + +From: Imre Deak + +[ Upstream commit 90ab96f3872eae816f4e07deaa77322a91237960 ] + +For NV12 FBs with odd main surface tile-row height the CCS surface +height was incorrectly calculated 1 less than the actual value. Fix this +by rounding up the result of divison. For consistency do the same for +the CCS surface width calculation. + +Fixes: b3e57bccd68a ("drm/i915/tgl: Gen-12 render decompression") +Signed-off-by: Imre Deak +Reviewed-by: Juha-Pekka Heikkila +Link: https://patchwork.freedesktop.org/patch/msgid/20211026225105.2783797-2-imre.deak@intel.com +(cherry picked from commit 2ee5ef9c934ad26376c9282171e731e6c0339815) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/intel_fb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/display/intel_fb.c b/drivers/gpu/drm/i915/display/intel_fb.c +index c60a81a81c09c..c6413c5409420 100644 +--- a/drivers/gpu/drm/i915/display/intel_fb.c ++++ b/drivers/gpu/drm/i915/display/intel_fb.c +@@ -172,8 +172,9 @@ static void intel_fb_plane_dims(const struct intel_framebuffer *fb, int color_pl + + intel_fb_plane_get_subsampling(&main_hsub, &main_vsub, &fb->base, main_plane); + intel_fb_plane_get_subsampling(&hsub, &vsub, &fb->base, color_plane); +- *w = fb->base.width / main_hsub / hsub; +- *h = fb->base.height / main_vsub / vsub; ++ ++ *w = DIV_ROUND_UP(fb->base.width, main_hsub * hsub); ++ *h = DIV_ROUND_UP(fb->base.height, main_vsub * vsub); + } + + static u32 intel_adjust_tile_offset(int *x, int *y, +-- +2.33.0 + diff --git a/queue-5.15/drm-msm-dsi-do-not-enable-irq-handler-before-powerin.patch b/queue-5.15/drm-msm-dsi-do-not-enable-irq-handler-before-powerin.patch new file mode 100644 index 00000000000..6d3bf453539 --- /dev/null +++ b/queue-5.15/drm-msm-dsi-do-not-enable-irq-handler-before-powerin.patch @@ -0,0 +1,168 @@ +From ff152e674b2741c08bc215fd19577925db50e297 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Oct 2021 04:08:30 +0300 +Subject: drm/msm/dsi: do not enable irq handler before powering up the host + +From: Dmitry Baryshkov + +[ Upstream commit bf94ec093d05e3ed3142d9291b876eeb9997ba5c ] + +The DSI host might be left in some state by the bootloader. If this +state generates an IRQ, it might hang the system by holding the +interrupt line before the driver sets up the DSI host to the known +state. + +Move the request_irq into msm_dsi_host_init and pass IRQF_NO_AUTOEN to +it. Call enable/disable_irq after msm_dsi_host_power_on/_off() +functions, so that we can be sure that the interrupt is delivered when +the host is in the known state. + +It is not possible to defer the interrupt enablement to a later point, +because drm_panel_prepare might need to communicate with the panel over +the DSI link and that requires working interrupt. + +Fixes: a689554ba6ed ("drm/msm: Initial add DSI connector support") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Abhinav Kumar +Link: https://lore.kernel.org/r/20211002010830.647416-1-dmitry.baryshkov@linaro.org +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi.h | 2 ++ + drivers/gpu/drm/msm/dsi/dsi_host.c | 48 +++++++++++++++++---------- + drivers/gpu/drm/msm/dsi/dsi_manager.c | 16 +++++++++ + 3 files changed, 49 insertions(+), 17 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi.h b/drivers/gpu/drm/msm/dsi/dsi.h +index b50db91cb8a7e..569c8ff062ba4 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi.h ++++ b/drivers/gpu/drm/msm/dsi/dsi.h +@@ -107,6 +107,8 @@ void msm_dsi_host_cmd_xfer_commit(struct mipi_dsi_host *host, + u32 dma_base, u32 len); + int msm_dsi_host_enable(struct mipi_dsi_host *host); + int msm_dsi_host_disable(struct mipi_dsi_host *host); ++void msm_dsi_host_enable_irq(struct mipi_dsi_host *host); ++void msm_dsi_host_disable_irq(struct mipi_dsi_host *host); + int msm_dsi_host_power_on(struct mipi_dsi_host *host, + struct msm_dsi_phy_shared_timings *phy_shared_timings, + bool is_bonded_dsi, struct msm_dsi_phy *phy); +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index c86b5090fae60..bccd379bdba75 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -1898,6 +1898,23 @@ int msm_dsi_host_init(struct msm_dsi *msm_dsi) + return ret; + } + ++ msm_host->irq = irq_of_parse_and_map(pdev->dev.of_node, 0); ++ if (msm_host->irq < 0) { ++ ret = msm_host->irq; ++ dev_err(&pdev->dev, "failed to get irq: %d\n", ret); ++ return ret; ++ } ++ ++ /* do not autoenable, will be enabled later */ ++ ret = devm_request_irq(&pdev->dev, msm_host->irq, dsi_host_irq, ++ IRQF_TRIGGER_HIGH | IRQF_ONESHOT | IRQF_NO_AUTOEN, ++ "dsi_isr", msm_host); ++ if (ret < 0) { ++ dev_err(&pdev->dev, "failed to request IRQ%u: %d\n", ++ msm_host->irq, ret); ++ return ret; ++ } ++ + init_completion(&msm_host->dma_comp); + init_completion(&msm_host->video_comp); + mutex_init(&msm_host->dev_mutex); +@@ -1941,25 +1958,8 @@ int msm_dsi_host_modeset_init(struct mipi_dsi_host *host, + { + struct msm_dsi_host *msm_host = to_msm_dsi_host(host); + const struct msm_dsi_cfg_handler *cfg_hnd = msm_host->cfg_hnd; +- struct platform_device *pdev = msm_host->pdev; + int ret; + +- msm_host->irq = irq_of_parse_and_map(pdev->dev.of_node, 0); +- if (msm_host->irq < 0) { +- ret = msm_host->irq; +- DRM_DEV_ERROR(dev->dev, "failed to get irq: %d\n", ret); +- return ret; +- } +- +- ret = devm_request_irq(&pdev->dev, msm_host->irq, +- dsi_host_irq, IRQF_TRIGGER_HIGH | IRQF_ONESHOT, +- "dsi_isr", msm_host); +- if (ret < 0) { +- DRM_DEV_ERROR(&pdev->dev, "failed to request IRQ%u: %d\n", +- msm_host->irq, ret); +- return ret; +- } +- + msm_host->dev = dev; + ret = cfg_hnd->ops->tx_buf_alloc(msm_host, SZ_4K); + if (ret) { +@@ -2315,6 +2315,20 @@ void msm_dsi_host_get_phy_clk_req(struct mipi_dsi_host *host, + clk_req->escclk_rate = msm_host->esc_clk_rate; + } + ++void msm_dsi_host_enable_irq(struct mipi_dsi_host *host) ++{ ++ struct msm_dsi_host *msm_host = to_msm_dsi_host(host); ++ ++ enable_irq(msm_host->irq); ++} ++ ++void msm_dsi_host_disable_irq(struct mipi_dsi_host *host) ++{ ++ struct msm_dsi_host *msm_host = to_msm_dsi_host(host); ++ ++ disable_irq(msm_host->irq); ++} ++ + int msm_dsi_host_enable(struct mipi_dsi_host *host) + { + struct msm_dsi_host *msm_host = to_msm_dsi_host(host); +diff --git a/drivers/gpu/drm/msm/dsi/dsi_manager.c b/drivers/gpu/drm/msm/dsi/dsi_manager.c +index c41d39f5b7cf4..fb4ccffdcfe13 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_manager.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_manager.c +@@ -377,6 +377,14 @@ static void dsi_mgr_bridge_pre_enable(struct drm_bridge *bridge) + } + } + ++ /* ++ * Enable before preparing the panel, disable after unpreparing, so ++ * that the panel can communicate over the DSI link. ++ */ ++ msm_dsi_host_enable_irq(host); ++ if (is_bonded_dsi && msm_dsi1) ++ msm_dsi_host_enable_irq(msm_dsi1->host); ++ + /* Always call panel functions once, because even for dual panels, + * there is only one drm_panel instance. + */ +@@ -411,6 +419,10 @@ host_en_fail: + if (panel) + drm_panel_unprepare(panel); + panel_prep_fail: ++ msm_dsi_host_disable_irq(host); ++ if (is_bonded_dsi && msm_dsi1) ++ msm_dsi_host_disable_irq(msm_dsi1->host); ++ + if (is_bonded_dsi && msm_dsi1) + msm_dsi_host_power_off(msm_dsi1->host); + host1_on_fail: +@@ -523,6 +535,10 @@ static void dsi_mgr_bridge_post_disable(struct drm_bridge *bridge) + id, ret); + } + ++ msm_dsi_host_disable_irq(host); ++ if (is_bonded_dsi && msm_dsi1) ++ msm_dsi_host_disable_irq(msm_dsi1->host); ++ + /* Save PHY status if it is a clock source */ + msm_dsi_phy_pll_save_state(msm_dsi->phy); + +-- +2.33.0 + diff --git a/queue-5.15/drm-msm-dsi-fix-wrong-type-in-msm_dsi_host.patch b/queue-5.15/drm-msm-dsi-fix-wrong-type-in-msm_dsi_host.patch new file mode 100644 index 00000000000..a221e0e0347 --- /dev/null +++ b/queue-5.15/drm-msm-dsi-fix-wrong-type-in-msm_dsi_host.patch @@ -0,0 +1,112 @@ +From 61a58dcb8228e8b50dfcdb3fcbe13bab49f5d82d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 11:34:38 -0700 +Subject: drm/msm/dsi: fix wrong type in msm_dsi_host + +From: Jessica Zhang + +[ Upstream commit 409af447c2a0a6e08ba190993a1153c91d3b11bd ] + +Change byte_clk_rate, pixel_clk_rate, esc_clk_rate, and src_clk_rate +from u32 to unsigned long, since clk_get_rate() returns an unsigned long. + +Fixes: a6bcddbc2ee1 ("drm/msm: dsi: Handle dual-channel for 6G as well") +Reported-by: Dan Carpenter +Signed-off-by: Jessica Zhang +Link: https://lore.kernel.org/r/20211020183438.32263-1-jesszhan@codeaurora.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index bccd379bdba75..ea641151e77e7 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -115,16 +115,16 @@ struct msm_dsi_host { + struct clk *pixel_clk_src; + struct clk *byte_intf_clk; + +- u32 byte_clk_rate; +- u32 pixel_clk_rate; +- u32 esc_clk_rate; ++ unsigned long byte_clk_rate; ++ unsigned long pixel_clk_rate; ++ unsigned long esc_clk_rate; + + /* DSI v2 specific clocks */ + struct clk *src_clk; + struct clk *esc_clk_src; + struct clk *dsi_clk_src; + +- u32 src_clk_rate; ++ unsigned long src_clk_rate; + + struct gpio_desc *disp_en_gpio; + struct gpio_desc *te_gpio; +@@ -498,10 +498,10 @@ int msm_dsi_runtime_resume(struct device *dev) + + int dsi_link_clk_set_rate_6g(struct msm_dsi_host *msm_host) + { +- u32 byte_intf_rate; ++ unsigned long byte_intf_rate; + int ret; + +- DBG("Set clk rates: pclk=%d, byteclk=%d", ++ DBG("Set clk rates: pclk=%d, byteclk=%lu", + msm_host->mode->clock, msm_host->byte_clk_rate); + + ret = dev_pm_opp_set_rate(&msm_host->pdev->dev, +@@ -583,7 +583,7 @@ int dsi_link_clk_set_rate_v2(struct msm_dsi_host *msm_host) + { + int ret; + +- DBG("Set clk rates: pclk=%d, byteclk=%d, esc_clk=%d, dsi_src_clk=%d", ++ DBG("Set clk rates: pclk=%d, byteclk=%lu, esc_clk=%lu, dsi_src_clk=%lu", + msm_host->mode->clock, msm_host->byte_clk_rate, + msm_host->esc_clk_rate, msm_host->src_clk_rate); + +@@ -673,10 +673,10 @@ void dsi_link_clk_disable_v2(struct msm_dsi_host *msm_host) + clk_disable_unprepare(msm_host->byte_clk); + } + +-static u32 dsi_get_pclk_rate(struct msm_dsi_host *msm_host, bool is_bonded_dsi) ++static unsigned long dsi_get_pclk_rate(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + { + struct drm_display_mode *mode = msm_host->mode; +- u32 pclk_rate; ++ unsigned long pclk_rate; + + pclk_rate = mode->clock * 1000; + +@@ -696,7 +696,7 @@ static void dsi_calc_pclk(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + { + u8 lanes = msm_host->lanes; + u32 bpp = dsi_get_bpp(msm_host->format); +- u32 pclk_rate = dsi_get_pclk_rate(msm_host, is_bonded_dsi); ++ unsigned long pclk_rate = dsi_get_pclk_rate(msm_host, is_bonded_dsi); + u64 pclk_bpp = (u64)pclk_rate * bpp; + + if (lanes == 0) { +@@ -713,7 +713,7 @@ static void dsi_calc_pclk(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + msm_host->pixel_clk_rate = pclk_rate; + msm_host->byte_clk_rate = pclk_bpp; + +- DBG("pclk=%d, bclk=%d", msm_host->pixel_clk_rate, ++ DBG("pclk=%lu, bclk=%lu", msm_host->pixel_clk_rate, + msm_host->byte_clk_rate); + + } +@@ -772,7 +772,7 @@ int dsi_calc_clk_rate_v2(struct msm_dsi_host *msm_host, bool is_bonded_dsi) + + msm_host->esc_clk_rate = msm_host->byte_clk_rate / esc_div; + +- DBG("esc=%d, src=%d", msm_host->esc_clk_rate, ++ DBG("esc=%lu, src=%lu", msm_host->esc_clk_rate, + msm_host->src_clk_rate); + + return 0; +-- +2.33.0 + diff --git a/queue-5.15/drm-msm-fix-potential-null-dereference-in-cleanup.patch b/queue-5.15/drm-msm-fix-potential-null-dereference-in-cleanup.patch new file mode 100644 index 00000000000..ae0f4d04313 --- /dev/null +++ b/queue-5.15/drm-msm-fix-potential-null-dereference-in-cleanup.patch @@ -0,0 +1,37 @@ +From 6dea211e353165b9a9868973818f31d5e396304f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 11:11:33 +0300 +Subject: drm/msm: fix potential NULL dereference in cleanup + +From: Dan Carpenter + +[ Upstream commit 027d052a36e56789a2134772bacb4fd0860f03a3 ] + +The "msm_obj->node" list needs to be initialized earlier so that the +list_del() in msm_gem_free_object() doesn't experience a NULL pointer +dereference. + +Fixes: 6ed0897cd800 ("drm/msm: Fix debugfs deadlock") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211013081133.GF6010@kili +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c +index 22308a1b66fc3..fd398a4eaf46e 100644 +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -1132,6 +1132,7 @@ static int msm_gem_new_impl(struct drm_device *dev, + msm_obj->flags = flags; + msm_obj->madv = MSM_MADV_WILLNEED; + ++ INIT_LIST_HEAD(&msm_obj->node); + INIT_LIST_HEAD(&msm_obj->vmas); + + *obj = &msm_obj->base; +-- +2.33.0 + diff --git a/queue-5.15/drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch b/queue-5.15/drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch new file mode 100644 index 00000000000..a83cd81eeaa --- /dev/null +++ b/queue-5.15/drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch @@ -0,0 +1,54 @@ +From 2908f746e745b407e07639e710379a10ec2eba19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 10:57:33 -0700 +Subject: drm/msm: Fix potential NULL dereference in DPU SSPP + +From: Jessica Zhang + +[ Upstream commit 8bf71a5719b6cc5b6ba358096081e5d50ea23ab6 ] + +Move initialization of sblk in _sspp_subblk_offset() after NULL check to +avoid potential NULL pointer dereference. + +Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support") +Reported-by: Dan Carpenter +Signed-off-by: Jessica Zhang +Link: https://lore.kernel.org/r/20211020175733.3379-1-jesszhan@codeaurora.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c +index 69eed79324865..f9460672176aa 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_sspp.c +@@ -138,11 +138,13 @@ static int _sspp_subblk_offset(struct dpu_hw_pipe *ctx, + u32 *idx) + { + int rc = 0; +- const struct dpu_sspp_sub_blks *sblk = ctx->cap->sblk; ++ const struct dpu_sspp_sub_blks *sblk; + +- if (!ctx) ++ if (!ctx || !ctx->cap || !ctx->cap->sblk) + return -EINVAL; + ++ sblk = ctx->cap->sblk; ++ + switch (s_id) { + case DPU_SSPP_SRC: + *idx = sblk->src_blk.base; +@@ -419,7 +421,7 @@ static void _dpu_hw_sspp_setup_scaler3(struct dpu_hw_pipe *ctx, + + (void)pe; + if (_sspp_subblk_offset(ctx, DPU_SSPP_SCALER_QSEED3, &idx) || !sspp +- || !scaler3_cfg || !ctx || !ctx->cap || !ctx->cap->sblk) ++ || !scaler3_cfg) + return; + + dpu_hw_setup_scaler3(&ctx->hw, scaler3_cfg, idx, +-- +2.33.0 + diff --git a/queue-5.15/drm-msm-fix-potential-oops-in-a6xx_gmu_rpmh_init.patch b/queue-5.15/drm-msm-fix-potential-oops-in-a6xx_gmu_rpmh_init.patch new file mode 100644 index 00000000000..0cade6e4fb4 --- /dev/null +++ b/queue-5.15/drm-msm-fix-potential-oops-in-a6xx_gmu_rpmh_init.patch @@ -0,0 +1,56 @@ +From 42f75d0c0de9b2da72ab910e9c219857990ff807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 16:45:30 +0300 +Subject: drm/msm: Fix potential Oops in a6xx_gmu_rpmh_init() + +From: Dan Carpenter + +[ Upstream commit 3d91e50ff58364f6572ad268b508175d27800e51 ] + +There are two problems here: +1) The "seqptr" is used uninitalized when we free it at the end. +2) The a6xx_gmu_get_mmio() function returns error pointers. It never + returns true. + +Fixes: 64245fc55172 ("drm/msm/a6xx: use AOP-initialized PDC for a650") +Fixes: f8fc924e088e ("drm/msm/a6xx: Fix PDC register overlap") +Signed-off-by: Dan Carpenter +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20211004134530.GB11689@kili +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/a6xx_gmu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +index 8b73f70766a47..4347a104755a9 100644 +--- a/drivers/gpu/drm/msm/adreno/a6xx_gmu.c ++++ b/drivers/gpu/drm/msm/adreno/a6xx_gmu.c +@@ -516,11 +516,11 @@ static void a6xx_gmu_rpmh_init(struct a6xx_gmu *gmu) + struct adreno_gpu *adreno_gpu = &a6xx_gpu->base; + struct platform_device *pdev = to_platform_device(gmu->dev); + void __iomem *pdcptr = a6xx_gmu_get_mmio(pdev, "gmu_pdc"); +- void __iomem *seqptr; ++ void __iomem *seqptr = NULL; + uint32_t pdc_address_offset; + bool pdc_in_aop = false; + +- if (!pdcptr) ++ if (IS_ERR(pdcptr)) + goto err; + + if (adreno_is_a650(adreno_gpu) || adreno_is_a660_family(adreno_gpu)) +@@ -532,7 +532,7 @@ static void a6xx_gmu_rpmh_init(struct a6xx_gmu *gmu) + + if (!pdc_in_aop) { + seqptr = a6xx_gmu_get_mmio(pdev, "gmu_pdc_seq"); +- if (!seqptr) ++ if (IS_ERR(seqptr)) + goto err; + } + +-- +2.33.0 + diff --git a/queue-5.15/drm-msm-potential-error-pointer-dereference-in-init.patch b/queue-5.15/drm-msm-potential-error-pointer-dereference-in-init.patch new file mode 100644 index 00000000000..c222b01235a --- /dev/null +++ b/queue-5.15/drm-msm-potential-error-pointer-dereference-in-init.patch @@ -0,0 +1,42 @@ +From c2583cff0aff06bbc639d24f510bac2b4ef7a249 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 13:38:06 +0300 +Subject: drm/msm: potential error pointer dereference in init() + +From: Dan Carpenter + +[ Upstream commit b6816441a14bbe356ba8590de79cfea2de6a085c ] + +The msm_iommu_new() returns error pointers on failure so check for that +to avoid an Oops. + +Fixes: ccac7ce373c1 ("drm/msm: Refactor address space initialization") +Signed-off-by: Dan Carpenter +Reviewed-by: Abhinav Kumar +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20211004103806.GD25015@kili +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +index ae48f41821cfe..ad247c06e198f 100644 +--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c ++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c +@@ -908,6 +908,10 @@ static int _dpu_kms_mmu_init(struct dpu_kms *dpu_kms) + return 0; + + mmu = msm_iommu_new(dpu_kms->dev->dev, domain); ++ if (IS_ERR(mmu)) { ++ iommu_domain_free(domain); ++ return PTR_ERR(mmu); ++ } + aspace = msm_gem_address_space_create(mmu, "dpu1", + 0x1000, 0x100000000 - 0x1000); + +-- +2.33.0 + diff --git a/queue-5.15/drm-msm-prevent-null-dereference-in-msm_gpu_crashsta.patch b/queue-5.15/drm-msm-prevent-null-dereference-in-msm_gpu_crashsta.patch new file mode 100644 index 00000000000..0f3acad2050 --- /dev/null +++ b/queue-5.15/drm-msm-prevent-null-dereference-in-msm_gpu_crashsta.patch @@ -0,0 +1,54 @@ +From 31e00e397e5510eb882cbbf4b737d626fe3d98f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 10:25:54 -0600 +Subject: drm/msm: prevent NULL dereference in msm_gpu_crashstate_capture() + +From: Tim Gardner + +[ Upstream commit b220c154832c5cd0df34cbcbcc19d7135c16e823 ] + +Coverity complains of a possible NULL dereference: + +CID 120718 (#1 of 1): Dereference null return value (NULL_RETURNS) +23. dereference: Dereferencing a pointer that might be NULL state->bos when + calling msm_gpu_crashstate_get_bo. [show details] +301 msm_gpu_crashstate_get_bo(state, submit->bos[i].obj, +302 submit->bos[i].iova, submit->bos[i].flags); + +Fix this by employing the same state->bos NULL check as is used in the next +for loop. + +Cc: Rob Clark +Cc: Sean Paul +Cc: David Airlie +Cc: Daniel Vetter +Cc: linux-arm-msm@vger.kernel.org +Cc: dri-devel@lists.freedesktop.org +Cc: freedreno@lists.freedesktop.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Tim Gardner +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20210929162554.14295-1-tim.gardner@canonical.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_gpu.c b/drivers/gpu/drm/msm/msm_gpu.c +index 8a3a592da3a4d..2c46cd968ac4c 100644 +--- a/drivers/gpu/drm/msm/msm_gpu.c ++++ b/drivers/gpu/drm/msm/msm_gpu.c +@@ -296,7 +296,7 @@ static void msm_gpu_crashstate_capture(struct msm_gpu *gpu, + state->bos = kcalloc(nr, + sizeof(struct msm_gpu_state_bo), GFP_KERNEL); + +- for (i = 0; i < submit->nr_bos; i++) { ++ for (i = 0; state->bos && i < submit->nr_bos; i++) { + if (should_dump(submit, i)) { + msm_gpu_crashstate_get_bo(state, submit->bos[i].obj, + submit->bos[i].iova, submit->bos[i].flags); +-- +2.33.0 + diff --git a/queue-5.15/drm-msm-uninitialized-variable-in-msm_gem_import.patch b/queue-5.15/drm-msm-uninitialized-variable-in-msm_gem_import.patch new file mode 100644 index 00000000000..88f9b229b81 --- /dev/null +++ b/queue-5.15/drm-msm-uninitialized-variable-in-msm_gem_import.patch @@ -0,0 +1,52 @@ +From dc25dace1abb3c0726d54ac4a9accccadbaa537e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 11:13:15 +0300 +Subject: drm/msm: uninitialized variable in msm_gem_import() + +From: Dan Carpenter + +[ Upstream commit 2203bd0e5c12ffc53ffdd4fbd7b12d6ba27e0424 ] + +The msm_gem_new_impl() function cleans up after itself so there is no +need to call drm_gem_object_put(). Conceptually, it does not make sense +to call a kref_put() function until after the reference counting has +been initialized which happens immediately after this call in the +drm_gem_(private_)object_init() functions. + +In the msm_gem_import() function the "obj" pointer is uninitialized, so +it will lead to a crash. + +Fixes: 05b849111c07 ("drm/msm: prime support") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211013081315.GG6010@kili +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c +index fd398a4eaf46e..bd6ec04f345e1 100644 +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -1167,7 +1167,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device *dev, uint32_t size, uint32 + + ret = msm_gem_new_impl(dev, size, flags, &obj); + if (ret) +- goto fail; ++ return ERR_PTR(ret); + + msm_obj = to_msm_bo(obj); + +@@ -1251,7 +1251,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev, + + ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj); + if (ret) +- goto fail; ++ return ERR_PTR(ret); + + drm_gem_private_object_init(dev, obj, size); + +-- +2.33.0 + diff --git a/queue-5.15/drm-msm-unlock-on-error-in-get_sched_entity.patch b/queue-5.15/drm-msm-unlock-on-error-in-get_sched_entity.patch new file mode 100644 index 00000000000..da37846c010 --- /dev/null +++ b/queue-5.15/drm-msm-unlock-on-error-in-get_sched_entity.patch @@ -0,0 +1,35 @@ +From 1c7b058627a0a66f9039691e01e5de06919e43e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 15:40:05 +0300 +Subject: drm/msm: unlock on error in get_sched_entity() + +From: Dan Carpenter + +[ Upstream commit 7425e8167507fe512d8ac0825acda4aebf0a7ca0 ] + +Add a missing unlock on the error path if drm_sched_entity_init() fails. + +Fixes: 68002469e571 ("drm/msm: One sched entity per process per priority") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211011124005.GE15188@kili +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_submitqueue.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/msm/msm_submitqueue.c b/drivers/gpu/drm/msm/msm_submitqueue.c +index b8621c6e05546..7cb158bcbcf67 100644 +--- a/drivers/gpu/drm/msm/msm_submitqueue.c ++++ b/drivers/gpu/drm/msm/msm_submitqueue.c +@@ -101,6 +101,7 @@ get_sched_entity(struct msm_file_private *ctx, struct msm_ringbuffer *ring, + + ret = drm_sched_entity_init(entity, sched_prio, &sched, 1, NULL); + if (ret) { ++ mutex_unlock(&entity_lock); + kfree(entity); + return ERR_PTR(ret); + } +-- +2.33.0 + diff --git a/queue-5.15/drm-nouveau-svm-fix-refcount-leak-bug-and-missing-ch.patch b/queue-5.15/drm-nouveau-svm-fix-refcount-leak-bug-and-missing-ch.patch new file mode 100644 index 00000000000..63be99afd39 --- /dev/null +++ b/queue-5.15/drm-nouveau-svm-fix-refcount-leak-bug-and-missing-ch.patch @@ -0,0 +1,60 @@ +From d9a6c4f71c16098dae02a3388bf9647d04834eb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 20:26:33 +0800 +Subject: drm/nouveau/svm: Fix refcount leak bug and missing check against null + bug + +From: Chenyuan Mi + +[ Upstream commit 6bb8c2d51811eb5e6504f49efe3b089d026009d2 ] + +The reference counting issue happens in one exception handling path of +nouveau_svmm_bind(). When cli->svm.svmm is null, the function forgets +to decrease the refcount of mm increased by get_task_mm(), causing a +refcount leak. + +Fix this issue by using mmput() to decrease the refcount in the +exception handling path. + +Also, the function forgets to do check against null when get mm +by get_task_mm(). + +Fix this issue by adding null check after get mm by get_task_mm(). + +Signed-off-by: Chenyuan Mi +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Fixes: 822cab6150d3 ("drm/nouveau/svm: check for SVM initialized before migrating") +Reviewed-by: Lyude Paul +Reviewed-by: Ben Skeggs +Reviewed-by: Karol Herbst +Signed-off-by: Karol Herbst +Link: https://patchwork.freedesktop.org/patch/msgid/20210907122633.16665-1-cymi20@fudan.edu.cn +Link: https://gitlab.freedesktop.org/drm/nouveau/-/merge_requests/14 +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_svm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_svm.c b/drivers/gpu/drm/nouveau/nouveau_svm.c +index b0c3422cb01fa..9985bfde015a6 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_svm.c ++++ b/drivers/gpu/drm/nouveau/nouveau_svm.c +@@ -162,10 +162,14 @@ nouveau_svmm_bind(struct drm_device *dev, void *data, + */ + + mm = get_task_mm(current); ++ if (!mm) { ++ return -EINVAL; ++ } + mmap_read_lock(mm); + + if (!cli->svm.svmm) { + mmap_read_unlock(mm); ++ mmput(mm); + return -EINVAL; + } + +-- +2.33.0 + diff --git a/queue-5.15/drm-panel-orientation-quirks-add-quirk-for-kd-kurio-.patch b/queue-5.15/drm-panel-orientation-quirks-add-quirk-for-kd-kurio-.patch new file mode 100644 index 00000000000..c9448a38fc6 --- /dev/null +++ b/queue-5.15/drm-panel-orientation-quirks-add-quirk-for-kd-kurio-.patch @@ -0,0 +1,42 @@ +From 126474f2e3835b98c16e416beb5ff7ab6cac0c1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 May 2021 13:04:26 +0200 +Subject: drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 + 2-in-1 + +From: Hans de Goede + +[ Upstream commit a53f1dd3ab9fec715c6c2e8e01bf4d3c07eef8e5 ] + +The KD Kurio Smart C15200 2-in-1 uses a panel which has been mounted 90 +degrees rotated. Add a quirk for this. + +Signed-off-by: Hans de Goede +Acked-by: Simon Ser +Link: https://patchwork.freedesktop.org/patch/msgid/20210530110428.12994-3-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index 5d0942e3985b2..cf4db2cdebbbd 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -205,6 +205,13 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_BOARD_NAME, "TW891"), + }, + .driver_data = (void *)&itworks_tw891, ++ }, { /* KD Kurio Smart C15200 2-in-1 */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "KD Interactive"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Kurio Smart"), ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "KDM960BCP"), ++ }, ++ .driver_data = (void *)&lcd800x1280_rightside_up, + }, { /* + * Lenovo Ideapad Miix 310 laptop, only some production batches + * have a portrait screen, the resolution checks makes the quirk +-- +2.33.0 + diff --git a/queue-5.15/drm-panel-orientation-quirks-add-quirk-for-the-samsu.patch b/queue-5.15/drm-panel-orientation-quirks-add-quirk-for-the-samsu.patch new file mode 100644 index 00000000000..0628c607c80 --- /dev/null +++ b/queue-5.15/drm-panel-orientation-quirks-add-quirk-for-the-samsu.patch @@ -0,0 +1,54 @@ +From 7d96dadab0ae98d3882bd96a23899c50f77eee43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 May 2021 13:04:27 +0200 +Subject: drm: panel-orientation-quirks: Add quirk for the Samsung Galaxy Book + 10.6 + +From: Hans de Goede + +[ Upstream commit 88fa1fde918951c175ae5ea0f31efc4bb1736ab9 ] + +The Samsung Galaxy Book 10.6 uses a panel which has been mounted +90 degrees rotated. Add a quirk for this. + +Signed-off-by: Hans de Goede +Acked-by: Simon Ser +Link: https://patchwork.freedesktop.org/patch/msgid/20210530110428.12994-4-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index cf4db2cdebbbd..926094b83e2f4 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -109,6 +109,12 @@ static const struct drm_dmi_panel_orientation_data lcd1200x1920_rightside_up = { + .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, + }; + ++static const struct drm_dmi_panel_orientation_data lcd1280x1920_rightside_up = { ++ .width = 1280, ++ .height = 1920, ++ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP, ++}; ++ + static const struct dmi_system_id orientation_data[] = { + { /* Acer One 10 (S1003) */ + .matches = { +@@ -249,6 +255,12 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Default string"), + }, + .driver_data = (void *)&onegx1_pro, ++ }, { /* Samsung GalaxyBook 10.6 */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "SAMSUNG ELECTRONICS CO., LTD."), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Galaxy Book 10.6"), ++ }, ++ .driver_data = (void *)&lcd1280x1920_rightside_up, + }, { /* VIOS LTH17 */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"), +-- +2.33.0 + diff --git a/queue-5.15/drm-panel-orientation-quirks-add-valve-steam-deck.patch b/queue-5.15/drm-panel-orientation-quirks-add-valve-steam-deck.patch new file mode 100644 index 00000000000..fa68b00aef5 --- /dev/null +++ b/queue-5.15/drm-panel-orientation-quirks-add-valve-steam-deck.patch @@ -0,0 +1,46 @@ +From 1a982214e4fb87dff77ec0f509bdc00912988e36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Sep 2021 10:24:40 +0000 +Subject: drm/panel-orientation-quirks: add Valve Steam Deck + +From: Simon Ser + +[ Upstream commit 9eeb7b4e40bfd69d8aaa920c7e9df751c9e11dce ] + +Valve's Steam Deck has a 800x1280 LCD screen. + +Signed-off-by: Simon Ser +Cc: Jared Baldridge +Cc: Emil Velikov +Cc: Daniel Vetter +Cc: Hans de Goede +Acked-by: Sam Ravnborg +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20210911102430.253986-1-contact@emersion.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index 926094b83e2f4..a950d5db211c5 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -261,6 +261,13 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Galaxy Book 10.6"), + }, + .driver_data = (void *)&lcd1280x1920_rightside_up, ++ }, { /* Valve Steam Deck */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Valve"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Jupiter"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "1"), ++ }, ++ .driver_data = (void *)&lcd800x1280_rightside_up, + }, { /* VIOS LTH17 */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "VIOS"), +-- +2.33.0 + diff --git a/queue-5.15/drm-panel-orientation-quirks-update-the-lenovo-ideap.patch b/queue-5.15/drm-panel-orientation-quirks-update-the-lenovo-ideap.patch new file mode 100644 index 00000000000..2bdcc9b60bc --- /dev/null +++ b/queue-5.15/drm-panel-orientation-quirks-update-the-lenovo-ideap.patch @@ -0,0 +1,59 @@ +From 0b438a72b43dfb7ac92ef68b02d82d77d0a90774 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 May 2021 13:04:25 +0200 +Subject: drm: panel-orientation-quirks: Update the Lenovo Ideapad D330 quirk + (v2) + +From: Hans de Goede + +[ Upstream commit 820a2ab23d5eab4ccfb82581eda8ad4acf18458f ] + +2 improvements to the Lenovo Ideapad D330 panel-orientation quirks: + +1. Some versions of the Lenovo Ideapad D330 have a DMI_PRODUCT_NAME of +"81H3" and others have "81MD". Testing has shown that the "81MD" also has +a 90 degree mounted panel. Drop the DMI_PRODUCT_NAME from the existing +quirk so that the existing quirk matches both variants. + +2. Some of the Lenovo Ideapad D330 models have a HD (800x1280) screen +instead of a FHD (1200x1920) screen (both are mounted right-side-up) add +a second Lenovo Ideapad D330 quirk for the HD version. + +Changes in v2: +- Add a new quirk for Lenovo Ideapad D330 models with a HD screen instead + of a FHD screen + +Link: https://github.com/systemd/systemd/pull/18884 +Acked-by: Simon Ser +Signed-off-by: Hans de Goede +Link: https://patchwork.freedesktop.org/patch/msgid/20210530110428.12994-2-hdegoede@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_panel_orientation_quirks.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c +index e1b2ce4921ae7..5d0942e3985b2 100644 +--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c ++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c +@@ -223,10 +223,15 @@ static const struct dmi_system_id orientation_data[] = { + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo MIIX 320-10ICR"), + }, + .driver_data = (void *)&lcd800x1280_rightside_up, +- }, { /* Lenovo Ideapad D330 */ ++ }, { /* Lenovo Ideapad D330-10IGM (HD) */ ++ .matches = { ++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"), ++ }, ++ .driver_data = (void *)&lcd800x1280_rightside_up, ++ }, { /* Lenovo Ideapad D330-10IGM (FHD) */ + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "81H3"), + DMI_EXACT_MATCH(DMI_PRODUCT_VERSION, "Lenovo ideapad D330-10IGM"), + }, + .driver_data = (void *)&lcd1200x1920_rightside_up, +-- +2.33.0 + diff --git a/queue-5.15/drm-plane-helper-fix-uninitialized-variable-referenc.patch b/queue-5.15/drm-plane-helper-fix-uninitialized-variable-referenc.patch new file mode 100644 index 00000000000..e2a5d545a1a --- /dev/null +++ b/queue-5.15/drm-plane-helper-fix-uninitialized-variable-referenc.patch @@ -0,0 +1,46 @@ +From 306fc3afa92f7c5df75e59bf1d08fa9c015ee3ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 02:37:06 -0400 +Subject: drm/plane-helper: fix uninitialized variable reference + +From: Alex Xu (Hello71) + +[ Upstream commit 7be28bd73f23e53d6e7f5fe891ba9503fc0c7210 ] + +drivers/gpu/drm/drm_plane_helper.c: In function 'drm_primary_helper_update': +drivers/gpu/drm/drm_plane_helper.c:113:32: error: 'visible' is used uninitialized [-Werror=uninitialized] + 113 | struct drm_plane_state plane_state = { + | ^~~~~~~~~~~ +drivers/gpu/drm/drm_plane_helper.c:178:14: note: 'visible' was declared here + 178 | bool visible; + | ^~~~~~~ +cc1: all warnings being treated as errors + +visible is an output, not an input. in practice this use might turn out +OK but it's still UB. + +Fixes: df86af9133b4 ("drm/plane-helper: Add drm_plane_helper_check_state()") +Reviewed-by: Simon Ser +Signed-off-by: Alex Xu (Hello71) +Signed-off-by: Simon Ser +Link: https://patchwork.freedesktop.org/patch/msgid/20211007063706.305984-1-alex_y_xu@yahoo.ca +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_plane_helper.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_plane_helper.c b/drivers/gpu/drm/drm_plane_helper.c +index 5b2d0ca03705c..838b32b70bce6 100644 +--- a/drivers/gpu/drm/drm_plane_helper.c ++++ b/drivers/gpu/drm/drm_plane_helper.c +@@ -123,7 +123,6 @@ static int drm_plane_helper_check_update(struct drm_plane *plane, + .crtc_w = drm_rect_width(dst), + .crtc_h = drm_rect_height(dst), + .rotation = rotation, +- .visible = *visible, + }; + struct drm_crtc_state crtc_state = { + .crtc = crtc, +-- +2.33.0 + diff --git a/queue-5.15/drm-ttm-remove-ttm_bo_vm_insert_huge.patch b/queue-5.15/drm-ttm-remove-ttm_bo_vm_insert_huge.patch new file mode 100644 index 00000000000..197e4632bed --- /dev/null +++ b/queue-5.15/drm-ttm-remove-ttm_bo_vm_insert_huge.patch @@ -0,0 +1,365 @@ +From 13e0c384843e8a566389d1453cd86b33a879751e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 20:27:31 -0300 +Subject: drm/ttm: remove ttm_bo_vm_insert_huge() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jason Gunthorpe + +[ Upstream commit 0d979509539ed1df883a30d442177ca7be609565 ] + +The huge page functionality in TTM does not work safely because PUD and +PMD entries do not have a special bit. + +get_user_pages_fast() considers any page that passed pmd_huge() as +usable: + + if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd) || + pmd_devmap(pmd))) { + +And vmf_insert_pfn_pmd_prot() unconditionally sets + + entry = pmd_mkhuge(pfn_t_pmd(pfn, prot)); + +eg on x86 the page will be _PAGE_PRESENT | PAGE_PSE. + +As such gup_huge_pmd() will try to deref a struct page: + + head = try_grab_compound_head(pmd_page(orig), refs, flags); + +and thus crash. + +Thomas further notices that the drivers are not expecting the struct page +to be used by anything - in particular the refcount incr above will cause +them to malfunction. + +Thus everything about this is not able to fully work correctly considering +GUP_fast. Delete it entirely. It can return someday along with a proper +PMD/PUD_SPECIAL bit in the page table itself to gate GUP_fast. + +Fixes: 314b6580adc5 ("drm/ttm, drm/vmwgfx: Support huge TTM pagefaults") +Signed-off-by: Jason Gunthorpe +Reviewed-by: Thomas Hellström +Reviewed-by: Christian König +[danvet: Update subject per Thomas' &Christian's review] +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/0-v2-a44694790652+4ac-ttm_pmd_jgg@nvidia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c | 2 +- + drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- + drivers/gpu/drm/radeon/radeon_gem.c | 2 +- + drivers/gpu/drm/ttm/ttm_bo_vm.c | 94 +--------------------- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 4 - + drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 72 +---------------- + drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c | 3 - + include/drm/ttm/ttm_bo_api.h | 3 +- + 8 files changed, 7 insertions(+), 175 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c +index d6aa032890ee8..a1e63ba4c54a5 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gem.c +@@ -61,7 +61,7 @@ static vm_fault_t amdgpu_gem_fault(struct vm_fault *vmf) + } + + ret = ttm_bo_vm_fault_reserved(vmf, vmf->vma->vm_page_prot, +- TTM_BO_VM_NUM_PREFAULT, 1); ++ TTM_BO_VM_NUM_PREFAULT); + + drm_dev_exit(idx); + } else { +diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c +index 8c2ecc2827232..c89d5964148fd 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -56,7 +56,7 @@ static vm_fault_t nouveau_ttm_fault(struct vm_fault *vmf) + + nouveau_bo_del_io_reserve_lru(bo); + prot = vm_get_page_prot(vma->vm_flags); +- ret = ttm_bo_vm_fault_reserved(vmf, prot, TTM_BO_VM_NUM_PREFAULT, 1); ++ ret = ttm_bo_vm_fault_reserved(vmf, prot, TTM_BO_VM_NUM_PREFAULT); + nouveau_bo_add_io_reserve_lru(bo); + if (ret == VM_FAULT_RETRY && !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) + return ret; +diff --git a/drivers/gpu/drm/radeon/radeon_gem.c b/drivers/gpu/drm/radeon/radeon_gem.c +index 458f92a708879..a36a4f2c76b09 100644 +--- a/drivers/gpu/drm/radeon/radeon_gem.c ++++ b/drivers/gpu/drm/radeon/radeon_gem.c +@@ -61,7 +61,7 @@ static vm_fault_t radeon_gem_fault(struct vm_fault *vmf) + goto unlock_resv; + + ret = ttm_bo_vm_fault_reserved(vmf, vmf->vma->vm_page_prot, +- TTM_BO_VM_NUM_PREFAULT, 1); ++ TTM_BO_VM_NUM_PREFAULT); + if (ret == VM_FAULT_RETRY && !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) + goto unlock_mclk; + +diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c +index 5b9b7fd01a692..4a655ab23c89d 100644 +--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c ++++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c +@@ -171,89 +171,6 @@ vm_fault_t ttm_bo_vm_reserve(struct ttm_buffer_object *bo, + } + EXPORT_SYMBOL(ttm_bo_vm_reserve); + +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE +-/** +- * ttm_bo_vm_insert_huge - Insert a pfn for PUD or PMD faults +- * @vmf: Fault data +- * @bo: The buffer object +- * @page_offset: Page offset from bo start +- * @fault_page_size: The size of the fault in pages. +- * @pgprot: The page protections. +- * Does additional checking whether it's possible to insert a PUD or PMD +- * pfn and performs the insertion. +- * +- * Return: VM_FAULT_NOPAGE on successful insertion, VM_FAULT_FALLBACK if +- * a huge fault was not possible, or on insertion error. +- */ +-static vm_fault_t ttm_bo_vm_insert_huge(struct vm_fault *vmf, +- struct ttm_buffer_object *bo, +- pgoff_t page_offset, +- pgoff_t fault_page_size, +- pgprot_t pgprot) +-{ +- pgoff_t i; +- vm_fault_t ret; +- unsigned long pfn; +- pfn_t pfnt; +- struct ttm_tt *ttm = bo->ttm; +- bool write = vmf->flags & FAULT_FLAG_WRITE; +- +- /* Fault should not cross bo boundary. */ +- page_offset &= ~(fault_page_size - 1); +- if (page_offset + fault_page_size > bo->resource->num_pages) +- goto out_fallback; +- +- if (bo->resource->bus.is_iomem) +- pfn = ttm_bo_io_mem_pfn(bo, page_offset); +- else +- pfn = page_to_pfn(ttm->pages[page_offset]); +- +- /* pfn must be fault_page_size aligned. */ +- if ((pfn & (fault_page_size - 1)) != 0) +- goto out_fallback; +- +- /* Check that memory is contiguous. */ +- if (!bo->resource->bus.is_iomem) { +- for (i = 1; i < fault_page_size; ++i) { +- if (page_to_pfn(ttm->pages[page_offset + i]) != pfn + i) +- goto out_fallback; +- } +- } else if (bo->bdev->funcs->io_mem_pfn) { +- for (i = 1; i < fault_page_size; ++i) { +- if (ttm_bo_io_mem_pfn(bo, page_offset + i) != pfn + i) +- goto out_fallback; +- } +- } +- +- pfnt = __pfn_to_pfn_t(pfn, PFN_DEV); +- if (fault_page_size == (HPAGE_PMD_SIZE >> PAGE_SHIFT)) +- ret = vmf_insert_pfn_pmd_prot(vmf, pfnt, pgprot, write); +-#ifdef CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD +- else if (fault_page_size == (HPAGE_PUD_SIZE >> PAGE_SHIFT)) +- ret = vmf_insert_pfn_pud_prot(vmf, pfnt, pgprot, write); +-#endif +- else +- WARN_ON_ONCE(ret = VM_FAULT_FALLBACK); +- +- if (ret != VM_FAULT_NOPAGE) +- goto out_fallback; +- +- return VM_FAULT_NOPAGE; +-out_fallback: +- count_vm_event(THP_FAULT_FALLBACK); +- return VM_FAULT_FALLBACK; +-} +-#else +-static vm_fault_t ttm_bo_vm_insert_huge(struct vm_fault *vmf, +- struct ttm_buffer_object *bo, +- pgoff_t page_offset, +- pgoff_t fault_page_size, +- pgprot_t pgprot) +-{ +- return VM_FAULT_FALLBACK; +-} +-#endif +- + /** + * ttm_bo_vm_fault_reserved - TTM fault helper + * @vmf: The struct vm_fault given as argument to the fault callback +@@ -261,7 +178,6 @@ static vm_fault_t ttm_bo_vm_insert_huge(struct vm_fault *vmf, + * @num_prefault: Maximum number of prefault pages. The caller may want to + * specify this based on madvice settings and the size of the GPU object + * backed by the memory. +- * @fault_page_size: The size of the fault in pages. + * + * This function inserts one or more page table entries pointing to the + * memory backing the buffer object, and then returns a return code +@@ -275,8 +191,7 @@ static vm_fault_t ttm_bo_vm_insert_huge(struct vm_fault *vmf, + */ + vm_fault_t ttm_bo_vm_fault_reserved(struct vm_fault *vmf, + pgprot_t prot, +- pgoff_t num_prefault, +- pgoff_t fault_page_size) ++ pgoff_t num_prefault) + { + struct vm_area_struct *vma = vmf->vma; + struct ttm_buffer_object *bo = vma->vm_private_data; +@@ -327,11 +242,6 @@ vm_fault_t ttm_bo_vm_fault_reserved(struct vm_fault *vmf, + prot = pgprot_decrypted(prot); + } + +- /* We don't prefault on huge faults. Yet. */ +- if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE) && fault_page_size != 1) +- return ttm_bo_vm_insert_huge(vmf, bo, page_offset, +- fault_page_size, prot); +- + /* + * Speculatively prefault a number of pages. Only error on + * first page. +@@ -429,7 +339,7 @@ vm_fault_t ttm_bo_vm_fault(struct vm_fault *vmf) + + prot = vma->vm_page_prot; + if (drm_dev_enter(ddev, &idx)) { +- ret = ttm_bo_vm_fault_reserved(vmf, prot, TTM_BO_VM_NUM_PREFAULT, 1); ++ ret = ttm_bo_vm_fault_reserved(vmf, prot, TTM_BO_VM_NUM_PREFAULT); + drm_dev_exit(idx); + } else { + ret = ttm_bo_vm_dummy_page(vmf, prot); +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +index a833751099b55..858aff99a3fe5 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h +@@ -1550,10 +1550,6 @@ void vmw_bo_dirty_unmap(struct vmw_buffer_object *vbo, + pgoff_t start, pgoff_t end); + vm_fault_t vmw_bo_vm_fault(struct vm_fault *vmf); + vm_fault_t vmw_bo_vm_mkwrite(struct vm_fault *vmf); +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE +-vm_fault_t vmw_bo_vm_huge_fault(struct vm_fault *vmf, +- enum page_entry_size pe_size); +-#endif + + /* Transparent hugepage support - vmwgfx_thp.c */ + #ifdef CONFIG_TRANSPARENT_HUGEPAGE +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c b/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c +index e5a9a5cbd01a7..922317d1acc8a 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c +@@ -477,7 +477,7 @@ vm_fault_t vmw_bo_vm_fault(struct vm_fault *vmf) + else + prot = vm_get_page_prot(vma->vm_flags); + +- ret = ttm_bo_vm_fault_reserved(vmf, prot, num_prefault, 1); ++ ret = ttm_bo_vm_fault_reserved(vmf, prot, num_prefault); + if (ret == VM_FAULT_RETRY && !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) + return ret; + +@@ -486,73 +486,3 @@ out_unlock: + + return ret; + } +- +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE +-vm_fault_t vmw_bo_vm_huge_fault(struct vm_fault *vmf, +- enum page_entry_size pe_size) +-{ +- struct vm_area_struct *vma = vmf->vma; +- struct ttm_buffer_object *bo = (struct ttm_buffer_object *) +- vma->vm_private_data; +- struct vmw_buffer_object *vbo = +- container_of(bo, struct vmw_buffer_object, base); +- pgprot_t prot; +- vm_fault_t ret; +- pgoff_t fault_page_size; +- bool write = vmf->flags & FAULT_FLAG_WRITE; +- +- switch (pe_size) { +- case PE_SIZE_PMD: +- fault_page_size = HPAGE_PMD_SIZE >> PAGE_SHIFT; +- break; +-#ifdef CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD +- case PE_SIZE_PUD: +- fault_page_size = HPAGE_PUD_SIZE >> PAGE_SHIFT; +- break; +-#endif +- default: +- WARN_ON_ONCE(1); +- return VM_FAULT_FALLBACK; +- } +- +- /* Always do write dirty-tracking and COW on PTE level. */ +- if (write && (READ_ONCE(vbo->dirty) || is_cow_mapping(vma->vm_flags))) +- return VM_FAULT_FALLBACK; +- +- ret = ttm_bo_vm_reserve(bo, vmf); +- if (ret) +- return ret; +- +- if (vbo->dirty) { +- pgoff_t allowed_prefault; +- unsigned long page_offset; +- +- page_offset = vmf->pgoff - +- drm_vma_node_start(&bo->base.vma_node); +- if (page_offset >= bo->resource->num_pages || +- vmw_resources_clean(vbo, page_offset, +- page_offset + PAGE_SIZE, +- &allowed_prefault)) { +- ret = VM_FAULT_SIGBUS; +- goto out_unlock; +- } +- +- /* +- * Write protect, so we get a new fault on write, and can +- * split. +- */ +- prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED); +- } else { +- prot = vm_get_page_prot(vma->vm_flags); +- } +- +- ret = ttm_bo_vm_fault_reserved(vmf, prot, 1, fault_page_size); +- if (ret == VM_FAULT_RETRY && !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) +- return ret; +- +-out_unlock: +- dma_resv_unlock(bo->base.resv); +- +- return ret; +-} +-#endif +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c +index e6b1f98ec99f0..0a4c340252ec4 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c +@@ -61,9 +61,6 @@ int vmw_mmap(struct file *filp, struct vm_area_struct *vma) + .fault = vmw_bo_vm_fault, + .open = ttm_bo_vm_open, + .close = ttm_bo_vm_close, +-#ifdef CONFIG_TRANSPARENT_HUGEPAGE +- .huge_fault = vmw_bo_vm_huge_fault, +-#endif + }; + struct drm_file *file_priv = filp->private_data; + struct vmw_private *dev_priv = vmw_priv(file_priv->minor->dev); +diff --git a/include/drm/ttm/ttm_bo_api.h b/include/drm/ttm/ttm_bo_api.h +index f681bbdbc6982..36f7eb9d06639 100644 +--- a/include/drm/ttm/ttm_bo_api.h ++++ b/include/drm/ttm/ttm_bo_api.h +@@ -594,8 +594,7 @@ vm_fault_t ttm_bo_vm_reserve(struct ttm_buffer_object *bo, + + vm_fault_t ttm_bo_vm_fault_reserved(struct vm_fault *vmf, + pgprot_t prot, +- pgoff_t num_prefault, +- pgoff_t fault_page_size); ++ pgoff_t num_prefault); + + vm_fault_t ttm_bo_vm_fault(struct vm_fault *vmf); + +-- +2.33.0 + diff --git a/queue-5.15/drm-ttm-stop-calling-tt_swapin-in-vm_access.patch b/queue-5.15/drm-ttm-stop-calling-tt_swapin-in-vm_access.patch new file mode 100644 index 00000000000..fb8fc70fba2 --- /dev/null +++ b/queue-5.15/drm-ttm-stop-calling-tt_swapin-in-vm_access.patch @@ -0,0 +1,62 @@ +From 83d20d41aa19a33d8aee7454301f16bb65692890 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 12:41:02 +0100 +Subject: drm/ttm: stop calling tt_swapin in vm_access +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +[ Upstream commit f5d28856b89baab4232a9f841e565763fcebcdf9 ] + +In commit: + +commit 09ac4fcb3f255e9225967c75f5893325c116cdbe +Author: Felix Kuehling +Date: Thu Jul 13 17:01:16 2017 -0400 + + drm/ttm: Implement vm_operations_struct.access v2 + +we added the vm_access hook, where we also directly call tt_swapin for +some reason. If something is swapped-out then the ttm_tt must also be +unpopulated, and since access_kmap should also call tt_populate, if +needed, then swapping-in will already be handled there. + +If anything, calling tt_swapin directly here would likely always fail +since the tt->pages won't yet be populated, or worse since the tt->pages +array is never actually cleared in unpopulate this might lead to a nasty +uaf. + +Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2") +Signed-off-by: Matthew Auld +Cc: Thomas Hellström +Cc: Christian König +Reviewed-by: Thomas Hellström +Reviewed-by: Christian König +Link: https://patchwork.freedesktop.org/patch/msgid/20210927114114.152310-1-matthew.auld@intel.com +Signed-off-by: Christian König +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/ttm/ttm_bo_vm.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/drivers/gpu/drm/ttm/ttm_bo_vm.c b/drivers/gpu/drm/ttm/ttm_bo_vm.c +index f56be5bc0861e..5b9b7fd01a692 100644 +--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c ++++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c +@@ -519,11 +519,6 @@ int ttm_bo_vm_access(struct vm_area_struct *vma, unsigned long addr, + + switch (bo->resource->mem_type) { + case TTM_PL_SYSTEM: +- if (unlikely(bo->ttm->page_flags & TTM_PAGE_FLAG_SWAPPED)) { +- ret = ttm_tt_swapin(bo->ttm); +- if (unlikely(ret != 0)) +- return ret; +- } + fallthrough; + case TTM_PL_TT: + ret = ttm_bo_vm_access_kmap(bo, offset, buf, len, write); +-- +2.33.0 + diff --git a/queue-5.15/drm-v3d-fix-wait-for-tmu-write-combiner-flush.patch b/queue-5.15/drm-v3d-fix-wait-for-tmu-write-combiner-flush.patch new file mode 100644 index 00000000000..4613c987e70 --- /dev/null +++ b/queue-5.15/drm-v3d-fix-wait-for-tmu-write-combiner-flush.patch @@ -0,0 +1,48 @@ +From 4c205a092b015ae1245276d90886b5b11f64f45a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 12:05:07 +0200 +Subject: drm/v3d: fix wait for TMU write combiner flush + +From: Iago Toral Quiroga + +[ Upstream commit e4f868191138975f2fdf2f37c11318b47db4acc9 ] + +The hardware sets the TMUWCF bit back to 0 when the TMU write +combiner flush completes so we should be checking for that instead +of the L2TFLS bit. + +v2 (Melissa Wen): + - Add Signed-off-by and Fixes tags. + - Change the error message for the timeout to be more clear. + +Fixes spurious Vulkan CTS failures in: +dEQP-VK.binding_model.descriptorset_random.* + +Fixes: d223f98f02099 ("drm/v3d: Add support for compute shader dispatch.") +Signed-off-by: Iago Toral Quiroga +Reviewed-by: Melissa Wen +Signed-off-by: Melissa Wen +Link: https://patchwork.freedesktop.org/patch/msgid/20210915100507.3945-1-itoral@igalia.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/v3d/v3d_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c +index 5689da118197e..772b5831bcc6f 100644 +--- a/drivers/gpu/drm/v3d/v3d_gem.c ++++ b/drivers/gpu/drm/v3d/v3d_gem.c +@@ -197,8 +197,8 @@ v3d_clean_caches(struct v3d_dev *v3d) + + V3D_CORE_WRITE(core, V3D_CTL_L2TCACTL, V3D_L2TCACTL_TMUWCF); + if (wait_for(!(V3D_CORE_READ(core, V3D_CTL_L2TCACTL) & +- V3D_L2TCACTL_L2TFLS), 100)) { +- DRM_ERROR("Timeout waiting for L1T write combiner flush\n"); ++ V3D_L2TCACTL_TMUWCF), 100)) { ++ DRM_ERROR("Timeout waiting for TMU write combiner flush\n"); + } + + mutex_lock(&v3d->cache_clean_lock); +-- +2.33.0 + diff --git a/queue-5.15/dyndbg-make-dyndbg-a-known-cli-param.patch b/queue-5.15/dyndbg-make-dyndbg-a-known-cli-param.patch new file mode 100644 index 00000000000..bbe49a1227f --- /dev/null +++ b/queue-5.15/dyndbg-make-dyndbg-a-known-cli-param.patch @@ -0,0 +1,58 @@ +From 5316a14c2ff6b2fff235aa3ee3323d9a45fc0eb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 11:40:20 -0400 +Subject: dyndbg: make dyndbg a known cli param + +From: Andrew Halaney + +[ Upstream commit 5ca173974888368fecfb17ae6fe455df5fd2a9d2 ] + +Right now dyndbg shows up as an unknown parameter if used on boot: + + Unknown command line parameters: dyndbg=+p + +That's because it is unknown, it doesn't sit in the __param +section, so the processing done to warn users supplying an unknown +parameter doesn't think it is legitimate. + +Install a dummy handler to register it. dynamic debug needs to search +the whole command line for modules listed that are currently builtin, +so there's no real work to be done in this callback. + +Fixes: 86d1919a4fb0 ("init: print out unknown kernel parameters") +Tested-by: Jim Cromie +Signed-off-by: Andrew Halaney +Signed-off-by: Jason Baron +Link: https://lore.kernel.org/r/1634139622-20667-2-git-send-email-jbaron@akamai.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/dynamic_debug.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index cb5abb42c16a2..84c16309cc637 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -761,6 +761,18 @@ static __init int ddebug_setup_query(char *str) + + __setup("ddebug_query=", ddebug_setup_query); + ++/* ++ * Install a noop handler to make dyndbg look like a normal kernel cli param. ++ * This avoids warnings about dyndbg being an unknown cli param when supplied ++ * by a user. ++ */ ++static __init int dyndbg_setup(char *str) ++{ ++ return 1; ++} ++ ++__setup("dyndbg=", dyndbg_setup); ++ + /* + * File_ops->write method for /dynamic_debug/control. Gathers the + * command text from userspace, parses and executes it. +-- +2.33.0 + diff --git a/queue-5.15/edac-amd64-handle-three-rank-interleaving-mode.patch b/queue-5.15/edac-amd64-handle-three-rank-interleaving-mode.patch new file mode 100644 index 00000000000..8ff506ccfdb --- /dev/null +++ b/queue-5.15/edac-amd64-handle-three-rank-interleaving-mode.patch @@ -0,0 +1,94 @@ +From 5e330f993cf55adbf99b1cc1d6b77033b9034f26 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 15:44:19 +0000 +Subject: EDAC/amd64: Handle three rank interleaving mode + +From: Yazen Ghannam + +[ Upstream commit 9f4873fb6af7966de8fcbd95c36b61351c1c4b1f ] + +AMD Rome systems and later support interleaving between three identical +ranks within a channel. + +Check for this mode by counting the number of enabled chip selects and +comparing their masks. If there are exactly three enabled chip selects +and their masks are identical, then three rank interleaving is enabled. + +The size of a rank is determined from its mask value. However, three +rank interleaving doesn't follow the method of swapping an interleave +bit with the most significant bit. Rather, the interleave bit is flipped +and the most significant bit remains the same. There is only a single +interleave bit in this case. + +Account for this when determining the chip select size by keeping the +most significant bit at its original value and ignoring any zero bits. +This will return a full bitmask in [MSB:1]. + +Fixes: e53a3b267fb0 ("EDAC/amd64: Find Chip Select memory size using Address Mask") +Signed-off-by: Yazen Ghannam +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20211005154419.2060504-1-yazen.ghannam@amd.com +Signed-off-by: Sasha Levin +--- + drivers/edac/amd64_edac.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c +index 99b06a3e8fb12..4fce75013674f 100644 +--- a/drivers/edac/amd64_edac.c ++++ b/drivers/edac/amd64_edac.c +@@ -1065,12 +1065,14 @@ static void debug_dump_dramcfg_low(struct amd64_pvt *pvt, u32 dclr, int chan) + #define CS_ODD_PRIMARY BIT(1) + #define CS_EVEN_SECONDARY BIT(2) + #define CS_ODD_SECONDARY BIT(3) ++#define CS_3R_INTERLEAVE BIT(4) + + #define CS_EVEN (CS_EVEN_PRIMARY | CS_EVEN_SECONDARY) + #define CS_ODD (CS_ODD_PRIMARY | CS_ODD_SECONDARY) + + static int f17_get_cs_mode(int dimm, u8 ctrl, struct amd64_pvt *pvt) + { ++ u8 base, count = 0; + int cs_mode = 0; + + if (csrow_enabled(2 * dimm, ctrl, pvt)) +@@ -1083,6 +1085,20 @@ static int f17_get_cs_mode(int dimm, u8 ctrl, struct amd64_pvt *pvt) + if (csrow_sec_enabled(2 * dimm + 1, ctrl, pvt)) + cs_mode |= CS_ODD_SECONDARY; + ++ /* ++ * 3 Rank inteleaving support. ++ * There should be only three bases enabled and their two masks should ++ * be equal. ++ */ ++ for_each_chip_select(base, ctrl, pvt) ++ count += csrow_enabled(base, ctrl, pvt); ++ ++ if (count == 3 && ++ pvt->csels[ctrl].csmasks[0] == pvt->csels[ctrl].csmasks[1]) { ++ edac_dbg(1, "3R interleaving in use.\n"); ++ cs_mode |= CS_3R_INTERLEAVE; ++ } ++ + return cs_mode; + } + +@@ -1891,10 +1907,14 @@ static int f17_addr_mask_to_cs_size(struct amd64_pvt *pvt, u8 umc, + * + * The MSB is the number of bits in the full mask because BIT[0] is + * always 0. ++ * ++ * In the special 3 Rank interleaving case, a single bit is flipped ++ * without swapping with the most significant bit. This can be handled ++ * by keeping the MSB where it is and ignoring the single zero bit. + */ + msb = fls(addr_mask_orig) - 1; + weight = hweight_long(addr_mask_orig); +- num_zero_bits = msb - weight; ++ num_zero_bits = msb - weight - !!(cs_mode & CS_3R_INTERLEAVE); + + /* Take the number of zero bits off from the top of the mask. */ + addr_mask_deinterleaved = GENMASK_ULL(msb - num_zero_bits, 1); +-- +2.33.0 + diff --git a/queue-5.15/erofs-don-t-trigger-warn-when-decompression-fails.patch b/queue-5.15/erofs-don-t-trigger-warn-when-decompression-fails.patch new file mode 100644 index 00000000000..f9d08403536 --- /dev/null +++ b/queue-5.15/erofs-don-t-trigger-warn-when-decompression-fails.patch @@ -0,0 +1,42 @@ +From 25faf9be862fb8d57e6b55220f9d954175ef66d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 15:43:11 +0800 +Subject: erofs: don't trigger WARN() when decompression fails + +From: Gao Xiang + +[ Upstream commit a0961f351d82d43ab0b845304caa235dfe249ae9 ] + +syzbot reported a WARNING [1] due to corrupted compressed data. + +As Dmitry said, "If this is not a kernel bug, then the code should +not use WARN. WARN if for kernel bugs and is recognized as such by +all testing systems and humans." + +[1] https://lore.kernel.org/r/000000000000b3586105cf0ff45e@google.com + +Link: https://lore.kernel.org/r/20211025074311.130395-1-hsiangkao@linux.alibaba.com +Cc: Dmitry Vyukov +Reviewed-by: Chao Yu +Reported-by: syzbot+d8aaffc3719597e8cfb4@syzkaller.appspotmail.com +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + fs/erofs/decompressor.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c +index a5bc4b1b7813e..ad3f31380e6b2 100644 +--- a/fs/erofs/decompressor.c ++++ b/fs/erofs/decompressor.c +@@ -233,7 +233,6 @@ static int z_erofs_lz4_decompress(struct z_erofs_decompress_req *rq, u8 *out) + erofs_err(rq->sb, "failed to decompress %d in[%u, %u] out[%u]", + ret, rq->inputsize, inputmargin, rq->outputsize); + +- WARN_ON(1); + print_hex_dump(KERN_DEBUG, "[ in]: ", DUMP_PREFIX_OFFSET, + 16, 1, src + inputmargin, rq->inputsize, true); + print_hex_dump(KERN_DEBUG, "[out]: ", DUMP_PREFIX_OFFSET, +-- +2.33.0 + diff --git a/queue-5.15/ethtool-fix-ethtool-msg-len-calculation-for-pause-st.patch b/queue-5.15/ethtool-fix-ethtool-msg-len-calculation-for-pause-st.patch new file mode 100644 index 00000000000..adefaff7531 --- /dev/null +++ b/queue-5.15/ethtool-fix-ethtool-msg-len-calculation-for-pause-st.patch @@ -0,0 +1,74 @@ +From d96c85872aac9e8f5dae5ea784343f0e01599ad6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 15:02:36 -0700 +Subject: ethtool: fix ethtool msg len calculation for pause stats + +From: Jakub Kicinski + +[ Upstream commit 1aabe578dd86e9f2867c4db4fba9a15f4ba1825d ] + +ETHTOOL_A_PAUSE_STAT_MAX is the MAX attribute id, +so we need to subtract non-stats and add one to +get a count (IOW -2+1 == -1). + +Otherwise we'll see: + + ethnl cmd 21: calculated reply length 40, but consumed 52 + +Fixes: 9a27a33027f2 ("ethtool: add standard pause stats") +Signed-off-by: Jakub Kicinski +Reviewed-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/ethtool_netlink.h | 3 +++ + include/uapi/linux/ethtool_netlink.h | 4 +++- + net/ethtool/pause.c | 3 +-- + 3 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/include/linux/ethtool_netlink.h b/include/linux/ethtool_netlink.h +index 1e7bf78cb3829..aba348d58ff61 100644 +--- a/include/linux/ethtool_netlink.h ++++ b/include/linux/ethtool_netlink.h +@@ -10,6 +10,9 @@ + #define __ETHTOOL_LINK_MODE_MASK_NWORDS \ + DIV_ROUND_UP(__ETHTOOL_LINK_MODE_MASK_NBITS, 32) + ++#define ETHTOOL_PAUSE_STAT_CNT (__ETHTOOL_A_PAUSE_STAT_CNT - \ ++ ETHTOOL_A_PAUSE_STAT_TX_FRAMES) ++ + enum ethtool_multicast_groups { + ETHNL_MCGRP_MONITOR, + }; +diff --git a/include/uapi/linux/ethtool_netlink.h b/include/uapi/linux/ethtool_netlink.h +index 5545f1ca9237c..f7204bdfe8db1 100644 +--- a/include/uapi/linux/ethtool_netlink.h ++++ b/include/uapi/linux/ethtool_netlink.h +@@ -407,7 +407,9 @@ enum { + ETHTOOL_A_PAUSE_STAT_TX_FRAMES, + ETHTOOL_A_PAUSE_STAT_RX_FRAMES, + +- /* add new constants above here */ ++ /* add new constants above here ++ * adjust ETHTOOL_PAUSE_STAT_CNT if adding non-stats! ++ */ + __ETHTOOL_A_PAUSE_STAT_CNT, + ETHTOOL_A_PAUSE_STAT_MAX = (__ETHTOOL_A_PAUSE_STAT_CNT - 1) + }; +diff --git a/net/ethtool/pause.c b/net/ethtool/pause.c +index 9009f412151e7..ee1e5806bc93a 100644 +--- a/net/ethtool/pause.c ++++ b/net/ethtool/pause.c +@@ -56,8 +56,7 @@ static int pause_reply_size(const struct ethnl_req_info *req_base, + + if (req_base->flags & ETHTOOL_FLAG_STATS) + n += nla_total_size(0) + /* _PAUSE_STATS */ +- nla_total_size_64bit(sizeof(u64)) * +- (ETHTOOL_A_PAUSE_STAT_MAX - 2); ++ nla_total_size_64bit(sizeof(u64)) * ETHTOOL_PAUSE_STAT_CNT; + return n; + } + +-- +2.33.0 + diff --git a/queue-5.15/fbdev-efifb-release-pci-device-s-runtime-pm-ref-duri.patch b/queue-5.15/fbdev-efifb-release-pci-device-s-runtime-pm-ref-duri.patch new file mode 100644 index 00000000000..8963f859ebd --- /dev/null +++ b/queue-5.15/fbdev-efifb-release-pci-device-s-runtime-pm-ref-duri.patch @@ -0,0 +1,114 @@ +From e581649874c450284f265931a9c79a3eb2c12708 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 16:31:46 +0300 +Subject: fbdev/efifb: Release PCI device's runtime PM ref during FB destroy + +From: Imre Deak + +[ Upstream commit 55285e21f04517939480966164a33898c34b2af2 ] + +Atm the EFI FB platform driver gets a runtime PM reference for the +associated GFX PCI device during probing the EFI FB platform device and +releases it only when the platform device gets unbound. + +When fbcon switches to the FB provided by the PCI device's driver (for +instance i915/drmfb), the EFI FB will get only unregistered without the +EFI FB platform device getting unbound, keeping the runtime PM reference +acquired during the platform device probing. This reference will prevent +the PCI driver from runtime suspending the device. + +Fix this by releasing the RPM reference from the EFI FB's destroy hook, +called when the FB gets unregistered. + +While at it assert that pm_runtime_get_sync() didn't fail. + +v2: +- Move pm_runtime_get_sync() before register_framebuffer() to avoid its + race wrt. efifb_destroy()->pm_runtime_put(). (Daniel) +- Assert that pm_runtime_get_sync() didn't fail. +- Clarify commit message wrt. platform/PCI device/driver and driver + removal vs. device unbinding. + +Fixes: a6c0fd3d5a8b ("efifb: Ensure graphics device for efifb stays at PCI D0") +Cc: Kai-Heng Feng +Cc: Daniel Vetter +Reviewed-by: Daniel Vetter (v1) +Acked-by: Alex Deucher +Acked-by: Kai-Heng Feng +Signed-off-by: Imre Deak +Link: https://patchwork.freedesktop.org/patch/msgid/20210809133146.2478382-1-imre.deak@intel.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/efifb.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c +index 8ea8f079cde26..edca3703b9640 100644 +--- a/drivers/video/fbdev/efifb.c ++++ b/drivers/video/fbdev/efifb.c +@@ -47,6 +47,8 @@ static bool use_bgrt = true; + static bool request_mem_succeeded = false; + static u64 mem_flags = EFI_MEMORY_WC | EFI_MEMORY_UC; + ++static struct pci_dev *efifb_pci_dev; /* dev with BAR covering the efifb */ ++ + static struct fb_var_screeninfo efifb_defined = { + .activate = FB_ACTIVATE_NOW, + .height = -1, +@@ -243,6 +245,9 @@ static inline void efifb_show_boot_graphics(struct fb_info *info) {} + + static void efifb_destroy(struct fb_info *info) + { ++ if (efifb_pci_dev) ++ pm_runtime_put(&efifb_pci_dev->dev); ++ + if (info->screen_base) { + if (mem_flags & (EFI_MEMORY_UC | EFI_MEMORY_WC)) + iounmap(info->screen_base); +@@ -333,7 +338,6 @@ ATTRIBUTE_GROUPS(efifb); + + static bool pci_dev_disabled; /* FB base matches BAR of a disabled device */ + +-static struct pci_dev *efifb_pci_dev; /* dev with BAR covering the efifb */ + static struct resource *bar_resource; + static u64 bar_offset; + +@@ -569,17 +573,22 @@ static int efifb_probe(struct platform_device *dev) + pr_err("efifb: cannot allocate colormap\n"); + goto err_groups; + } ++ ++ if (efifb_pci_dev) ++ WARN_ON(pm_runtime_get_sync(&efifb_pci_dev->dev) < 0); ++ + err = register_framebuffer(info); + if (err < 0) { + pr_err("efifb: cannot register framebuffer\n"); +- goto err_fb_dealoc; ++ goto err_put_rpm_ref; + } + fb_info(info, "%s frame buffer device\n", info->fix.id); +- if (efifb_pci_dev) +- pm_runtime_get_sync(&efifb_pci_dev->dev); + return 0; + +-err_fb_dealoc: ++err_put_rpm_ref: ++ if (efifb_pci_dev) ++ pm_runtime_put(&efifb_pci_dev->dev); ++ + fb_dealloc_cmap(&info->cmap); + err_groups: + sysfs_remove_groups(&dev->dev.kobj, efifb_groups); +@@ -603,8 +612,6 @@ static int efifb_remove(struct platform_device *pdev) + unregister_framebuffer(info); + sysfs_remove_groups(&pdev->dev.kobj, efifb_groups); + framebuffer_release(info); +- if (efifb_pci_dev) +- pm_runtime_put(&efifb_pci_dev->dev); + + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/firmware-qcom_scm-fix-error-retval-in-__qcom_scm_is_.patch b/queue-5.15/firmware-qcom_scm-fix-error-retval-in-__qcom_scm_is_.patch new file mode 100644 index 00000000000..2307f7941ea --- /dev/null +++ b/queue-5.15/firmware-qcom_scm-fix-error-retval-in-__qcom_scm_is_.patch @@ -0,0 +1,45 @@ +From db00e6fbbc7b1f3e7ee66a5ae321e277d2f7f4f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 13:00:14 -0700 +Subject: firmware: qcom_scm: Fix error retval in + __qcom_scm_is_call_available() + +From: Guru Das Srinagesh + +[ Upstream commit 38212b2a8a6fc4c3a6fa99d7445b833bedc9a67c ] + +Since __qcom_scm_is_call_available() returns bool, have it return false +instead of -EINVAL if an invalid SMC convention is detected. + +This fixes the Smatch static checker warning: + + drivers/firmware/qcom_scm.c:255 __qcom_scm_is_call_available() + warn: signedness bug returning '(-22)' + +Fixes: 9d11af8b06a8 ("firmware: qcom_scm: Make __qcom_scm_is_call_available() return bool") +Reported-by: Dan Carpenter +Signed-off-by: Guru Das Srinagesh +Reviewed-by: Stephen Boyd +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/1633982414-28347-1-git-send-email-quic_gurus@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/firmware/qcom_scm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/firmware/qcom_scm.c b/drivers/firmware/qcom_scm.c +index 2ee97bab74409..27a64de919817 100644 +--- a/drivers/firmware/qcom_scm.c ++++ b/drivers/firmware/qcom_scm.c +@@ -252,7 +252,7 @@ static bool __qcom_scm_is_call_available(struct device *dev, u32 svc_id, + break; + default: + pr_err("Unknown SMC convention being used\n"); +- return -EINVAL; ++ return false; + } + + ret = qcom_scm_call(dev, &desc, &res); +-- +2.33.0 + diff --git a/queue-5.15/fix-user-namespace-leak.patch b/queue-5.15/fix-user-namespace-leak.patch new file mode 100644 index 00000000000..f11bc9317ef --- /dev/null +++ b/queue-5.15/fix-user-namespace-leak.patch @@ -0,0 +1,33 @@ +From 0259296c9e864c0024545702017f4f1de8957f81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 18:02:30 +0200 +Subject: Fix user namespace leak + +From: Alexey Gladkov + +[ Upstream commit d5f458a979650e5ed37212f6134e4ee2b28cb6ed ] + +Fixes: 61ca2c4afd9d ("NFS: Only reference user namespace from nfs4idmap struct instead of cred") +Signed-off-by: Alexey Gladkov +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4idmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4idmap.c b/fs/nfs/nfs4idmap.c +index 8d8aba305ecca..f331866dd4182 100644 +--- a/fs/nfs/nfs4idmap.c ++++ b/fs/nfs/nfs4idmap.c +@@ -487,7 +487,7 @@ nfs_idmap_new(struct nfs_client *clp) + err_destroy_pipe: + rpc_destroy_pipe_data(idmap->idmap_pipe); + err: +- get_user_ns(idmap->user_ns); ++ put_user_ns(idmap->user_ns); + kfree(idmap); + return error; + } +-- +2.33.0 + diff --git a/queue-5.15/floppy-fix-add_disk-assumption-on-exit-due-to-new-de.patch b/queue-5.15/floppy-fix-add_disk-assumption-on-exit-due-to-new-de.patch new file mode 100644 index 00000000000..593cb12a782 --- /dev/null +++ b/queue-5.15/floppy-fix-add_disk-assumption-on-exit-due-to-new-de.patch @@ -0,0 +1,74 @@ +From 381ba3e2d0f8a32816afad4cab09c11a4d6b32b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 15:02:50 -0700 +Subject: floppy: fix add_disk() assumption on exit due to new developments + +From: Luis Chamberlain + +[ Upstream commit 2598a2bb357d64baaa94368133ddbc900b9eb246 ] + +After the patch titled "floppy: use blk_mq_alloc_disk and +blk_cleanup_disk" the floppy driver was modified to allocate +the blk_mq_alloc_disk() which allocates the disk with the +queue. This is further clarified later with the patch titled +"block: remove alloc_disk and alloc_disk_node". This clarifies +that: + + Most drivers should use and have been converted to use + blk_alloc_disk and blk_mq_alloc_disk. Only the scsi + ULPs and dasd still allocate a disk separately from the + request_queue so don't bother with convenience macros for + something that should not see significant new users and + remove these wrappers. + +And then we have the patch titled, "block: hold a request_queue +reference for the lifetime of struct gendisk" which ensures +that a queue is *always* present for sure during the entire +lifetime of a disk. + +In the floppy driver's case then the disk always comes with the +queue. So even if even if the queue was cleaned up on exit, putting +the disk *is* still required, and likewise, blk_cleanup_queue() on +a null queue should not happen now as disk->queue is valid from +disk allocation time on. + +Automatic backport code scrapers should hopefully not cherry pick +this patch as a stable fix candidate without full due dilligence to +ensure all the work done on the block layer to make this happen is +merged first. + +Signed-off-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20210927220302.1073499-3-mcgrof@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index fef79ea52e3ed..3e6390fd5f2be 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -4953,19 +4953,6 @@ static void __exit floppy_module_exit(void) + blk_cleanup_queue(disks[drive][i]->queue); + } + blk_mq_free_tag_set(&tag_sets[drive]); +- +- /* +- * These disks have not called add_disk(). Don't put down +- * queue reference in put_disk(). +- */ +- if (!(allowed_drive_mask & (1 << drive)) || +- fdc_state[FDC(drive)].version == FDC_NONE) { +- for (i = 0; i < ARRAY_SIZE(floppy_type); i++) { +- if (disks[drive][i]) +- disks[drive][i]->queue = NULL; +- } +- } +- + for (i = 0; i < ARRAY_SIZE(floppy_type); i++) { + if (disks[drive][i]) + put_disk(disks[drive][i]); +-- +2.33.0 + diff --git a/queue-5.15/floppy-fix-calling-platform_device_unregister-on-inv.patch b/queue-5.15/floppy-fix-calling-platform_device_unregister-on-inv.patch new file mode 100644 index 00000000000..73dfb7c34de --- /dev/null +++ b/queue-5.15/floppy-fix-calling-platform_device_unregister-on-inv.patch @@ -0,0 +1,76 @@ +From 6e81be0c767d351a569039ea753ca42af1a5ebec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 15:02:52 -0700 +Subject: floppy: fix calling platform_device_unregister() on invalid drives + +From: Luis Chamberlain + +[ Upstream commit 662167e59d2f3c15a44a88088fc6c1a67c8a3650 ] + +platform_device_unregister() should only be called when +a respective platform_device_register() is called. However +the floppy driver currently allows failures when registring +a drive and a bail out could easily cause an invalid call +to platform_device_unregister() where it was not intended. + +Fix this by adding a bool to keep track of when the platform +device was registered for a drive. + +This does not fix any known panic / bug. This issue was found +through code inspection while preparing the driver to use the +up and coming support for device_add_disk() error handling. +From what I can tell from code inspection, chances of this +ever happening should be insanely small, perhaps OOM. + +Signed-off-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20210927220302.1073499-5-mcgrof@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 9538146e520e0..3592a6277d0bb 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -4478,6 +4478,7 @@ static const struct blk_mq_ops floppy_mq_ops = { + }; + + static struct platform_device floppy_device[N_DRIVE]; ++static bool registered[N_DRIVE]; + + static bool floppy_available(int drive) + { +@@ -4693,6 +4694,8 @@ static int __init do_floppy_init(void) + if (err) + goto out_remove_drives; + ++ registered[drive] = true; ++ + device_add_disk(&floppy_device[drive].dev, disks[drive][0], + NULL); + } +@@ -4703,7 +4706,8 @@ out_remove_drives: + while (drive--) { + if (floppy_available(drive)) { + del_gendisk(disks[drive][0]); +- platform_device_unregister(&floppy_device[drive]); ++ if (registered[drive]) ++ platform_device_unregister(&floppy_device[drive]); + } + } + out_release_dma: +@@ -4946,7 +4950,8 @@ static void __exit floppy_module_exit(void) + if (disks[drive][i]) + del_gendisk(disks[drive][i]); + } +- platform_device_unregister(&floppy_device[drive]); ++ if (registered[drive]) ++ platform_device_unregister(&floppy_device[drive]); + } + for (i = 0; i < ARRAY_SIZE(floppy_type); i++) { + if (disks[drive][i]) +-- +2.33.0 + diff --git a/queue-5.15/floppy-use-blk_cleanup_disk.patch b/queue-5.15/floppy-use-blk_cleanup_disk.patch new file mode 100644 index 00000000000..cf38d192513 --- /dev/null +++ b/queue-5.15/floppy-use-blk_cleanup_disk.patch @@ -0,0 +1,43 @@ +From ec23ce0f12f37d36e449335c30fb95b7f84687b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 15:02:51 -0700 +Subject: floppy: use blk_cleanup_disk() + +From: Luis Chamberlain + +[ Upstream commit 3776339ae7acaf9590c668e86f45005fc9aff014 ] + +Use the blk_cleanup_queue() followed by put_disk() can be +replaced with blk_cleanup_disk(). No need for two separate +loops. + +Signed-off-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20210927220302.1073499-4-mcgrof@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 3e6390fd5f2be..9538146e520e0 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -4950,13 +4950,9 @@ static void __exit floppy_module_exit(void) + } + for (i = 0; i < ARRAY_SIZE(floppy_type); i++) { + if (disks[drive][i]) +- blk_cleanup_queue(disks[drive][i]->queue); ++ blk_cleanup_disk(disks[drive][i]); + } + blk_mq_free_tag_set(&tag_sets[drive]); +- for (i = 0; i < ARRAY_SIZE(floppy_type); i++) { +- if (disks[drive][i]) +- put_disk(disks[drive][i]); +- } + } + + cancel_delayed_work_sync(&fd_timeout); +-- +2.33.0 + diff --git a/queue-5.15/fortify-fix-dropped-strcpy-compile-time-write-overfl.patch b/queue-5.15/fortify-fix-dropped-strcpy-compile-time-write-overfl.patch new file mode 100644 index 00000000000..66a8e18976a --- /dev/null +++ b/queue-5.15/fortify-fix-dropped-strcpy-compile-time-write-overfl.patch @@ -0,0 +1,42 @@ +From 423fcec1192454c06a69ad01d8ea2a7255b0fe73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Aug 2021 10:25:01 -0700 +Subject: fortify: Fix dropped strcpy() compile-time write overflow check + +From: Kees Cook + +[ Upstream commit 072af0c638dc8a5c7db2edc4dddbd6d44bee3bdb ] + +The implementation for intra-object overflow in str*-family functions +accidentally dropped compile-time write overflow checking in strcpy(), +leaving it entirely to run-time. Add back the intended check. + +Fixes: 6a39e62abbaf ("lib: string.h: detect intra-object overflow in fortified string functions") +Cc: Daniel Axtens +Cc: Francis Laniel +Signed-off-by: Kees Cook +Reviewed-by: Nick Desaulniers +Signed-off-by: Sasha Levin +--- + include/linux/fortify-string.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h +index c1be37437e778..0c70febd03e95 100644 +--- a/include/linux/fortify-string.h ++++ b/include/linux/fortify-string.h +@@ -280,7 +280,10 @@ __FORTIFY_INLINE char *strcpy(char *p, const char *q) + if (p_size == (size_t)-1 && q_size == (size_t)-1) + return __underlying_strcpy(p, q); + size = strlen(q) + 1; +- /* test here to use the more stringent object size */ ++ /* Compile-time check for const size overflow. */ ++ if (__builtin_constant_p(size) && p_size < size) ++ __write_overflow(); ++ /* Run-time check for dynamic size overflow. */ + if (p_size < size) + fortify_panic(__func__); + memcpy(p, q, size); +-- +2.33.0 + diff --git a/queue-5.15/fs-orangefs-fix-error-return-code-of-orangefs_revali.patch b/queue-5.15/fs-orangefs-fix-error-return-code-of-orangefs_revali.patch new file mode 100644 index 00000000000..89873c8b717 --- /dev/null +++ b/queue-5.15/fs-orangefs-fix-error-return-code-of-orangefs_revali.patch @@ -0,0 +1,41 @@ +From b41706d08c329e69b60c96723950cc1a66d41870 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Mar 2021 00:00:20 -0800 +Subject: fs: orangefs: fix error return code of orangefs_revalidate_lookup() + +From: Jia-Ju Bai + +[ Upstream commit 4c2b46c824a78fc8190d8eafaaea5a9078fe7479 ] + +When op_alloc() returns NULL to new_op, no error return code of +orangefs_revalidate_lookup() is assigned. +To fix this bug, ret is assigned with -ENOMEM in this case. + +Fixes: 8bb8aefd5afb ("OrangeFS: Change almost all instances of the string PVFS2 to OrangeFS.") +Reported-by: TOTE Robot +Signed-off-by: Jia-Ju Bai +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/dcache.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/orangefs/dcache.c b/fs/orangefs/dcache.c +index fe484cf93e5cd..8bbe9486e3a62 100644 +--- a/fs/orangefs/dcache.c ++++ b/fs/orangefs/dcache.c +@@ -26,8 +26,10 @@ static int orangefs_revalidate_lookup(struct dentry *dentry) + gossip_debug(GOSSIP_DCACHE_DEBUG, "%s: attempting lookup.\n", __func__); + + new_op = op_alloc(ORANGEFS_VFS_OP_LOOKUP); +- if (!new_op) ++ if (!new_op) { ++ ret = -ENOMEM; + goto out_put_parent; ++ } + + new_op->upcall.req.lookup.sym_follow = ORANGEFS_LOOKUP_LINK_NO_FOLLOW; + new_op->upcall.req.lookup.parent_refn = parent->refn; +-- +2.33.0 + diff --git a/queue-5.15/fs-proc-uptime.c-fix-idle-time-reporting-in-proc-upt.patch b/queue-5.15/fs-proc-uptime.c-fix-idle-time-reporting-in-proc-upt.patch new file mode 100644 index 00000000000..de1e0744674 --- /dev/null +++ b/queue-5.15/fs-proc-uptime.c-fix-idle-time-reporting-in-proc-upt.patch @@ -0,0 +1,104 @@ +From b2a5cb9af1c7c97c42f0e44ae29e1c08cfa6df88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Aug 2021 09:54:38 -0700 +Subject: fs/proc/uptime.c: Fix idle time reporting in /proc/uptime + +From: Josh Don + +[ Upstream commit a130e8fbc7de796eb6e680724d87f4737a26d0ac ] + +/proc/uptime reports idle time by reading the CPUTIME_IDLE field from +the per-cpu kcpustats. However, on NO_HZ systems, idle time is not +continually updated on idle cpus, leading this value to appear +incorrectly small. + +/proc/stat performs an accounting update when reading idle time; we +can use the same approach for uptime. + +With this patch, /proc/stat and /proc/uptime now agree on idle time. +Additionally, the following shows idle time tick up consistently on an +idle machine: + + (while true; do cat /proc/uptime; sleep 1; done) | awk '{print $2-prev; prev=$2}' + +Reported-by: Luigi Rizzo +Signed-off-by: Josh Don +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Eric Dumazet +Link: https://lkml.kernel.org/r/20210827165438.3280779-1-joshdon@google.com +Signed-off-by: Sasha Levin +--- + fs/proc/stat.c | 4 ++-- + fs/proc/uptime.c | 14 +++++++++----- + include/linux/kernel_stat.h | 1 + + 3 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/fs/proc/stat.c b/fs/proc/stat.c +index 6561a06ef9059..4fb8729a68d4e 100644 +--- a/fs/proc/stat.c ++++ b/fs/proc/stat.c +@@ -24,7 +24,7 @@ + + #ifdef arch_idle_time + +-static u64 get_idle_time(struct kernel_cpustat *kcs, int cpu) ++u64 get_idle_time(struct kernel_cpustat *kcs, int cpu) + { + u64 idle; + +@@ -46,7 +46,7 @@ static u64 get_iowait_time(struct kernel_cpustat *kcs, int cpu) + + #else + +-static u64 get_idle_time(struct kernel_cpustat *kcs, int cpu) ++u64 get_idle_time(struct kernel_cpustat *kcs, int cpu) + { + u64 idle, idle_usecs = -1ULL; + +diff --git a/fs/proc/uptime.c b/fs/proc/uptime.c +index 5a1b228964fb7..deb99bc9b7e6b 100644 +--- a/fs/proc/uptime.c ++++ b/fs/proc/uptime.c +@@ -12,18 +12,22 @@ static int uptime_proc_show(struct seq_file *m, void *v) + { + struct timespec64 uptime; + struct timespec64 idle; +- u64 nsec; ++ u64 idle_nsec; + u32 rem; + int i; + +- nsec = 0; +- for_each_possible_cpu(i) +- nsec += (__force u64) kcpustat_cpu(i).cpustat[CPUTIME_IDLE]; ++ idle_nsec = 0; ++ for_each_possible_cpu(i) { ++ struct kernel_cpustat kcs; ++ ++ kcpustat_cpu_fetch(&kcs, i); ++ idle_nsec += get_idle_time(&kcs, i); ++ } + + ktime_get_boottime_ts64(&uptime); + timens_add_boottime(&uptime); + +- idle.tv_sec = div_u64_rem(nsec, NSEC_PER_SEC, &rem); ++ idle.tv_sec = div_u64_rem(idle_nsec, NSEC_PER_SEC, &rem); + idle.tv_nsec = rem; + seq_printf(m, "%lu.%02lu %lu.%02lu\n", + (unsigned long) uptime.tv_sec, +diff --git a/include/linux/kernel_stat.h b/include/linux/kernel_stat.h +index 44ae1a7eb9e39..69ae6b2784645 100644 +--- a/include/linux/kernel_stat.h ++++ b/include/linux/kernel_stat.h +@@ -102,6 +102,7 @@ extern void account_system_index_time(struct task_struct *, u64, + enum cpu_usage_stat); + extern void account_steal_time(u64); + extern void account_idle_time(u64); ++extern u64 get_idle_time(struct kernel_cpustat *kcs, int cpu); + + #ifdef CONFIG_VIRT_CPU_ACCOUNTING_NATIVE + static inline void account_process_tick(struct task_struct *tsk, int user) +-- +2.33.0 + diff --git a/queue-5.15/fscrypt-allow-256-bit-master-keys-with-aes-256-xts.patch b/queue-5.15/fscrypt-allow-256-bit-master-keys-with-aes-256-xts.patch new file mode 100644 index 00000000000..2c2a99b7b0b --- /dev/null +++ b/queue-5.15/fscrypt-allow-256-bit-master-keys-with-aes-256-xts.patch @@ -0,0 +1,214 @@ +From 5b4b04152cf7c463994f0c95fa28f17825511ea3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 20:03:03 -0700 +Subject: fscrypt: allow 256-bit master keys with AES-256-XTS + +From: Eric Biggers + +[ Upstream commit 7f595d6a6cdc336834552069a2e0a4f6d4756ddf ] + +fscrypt currently requires a 512-bit master key when AES-256-XTS is +used, since AES-256-XTS keys are 512-bit and fscrypt requires that the +master key be at least as long any key that will be derived from it. + +However, this is overly strict because AES-256-XTS doesn't actually have +a 512-bit security strength, but rather 256-bit. The fact that XTS +takes twice the expected key size is a quirk of the XTS mode. It is +sufficient to use 256 bits of entropy for AES-256-XTS, provided that it +is first properly expanded into a 512-bit key, which HKDF-SHA512 does. + +Therefore, relax the check of the master key size to use the security +strength of the derived key rather than the size of the derived key +(except for v1 encryption policies, which don't use HKDF). + +Besides making things more flexible for userspace, this is needed in +order for the use of a KDF which only takes a 256-bit key to be +introduced into the fscrypt key hierarchy. This will happen with +hardware-wrapped keys support, as all known hardware which supports that +feature uses an SP800-108 KDF using AES-256-CMAC, so the wrapped keys +are wrapped 256-bit AES keys. Moreover, there is interest in fscrypt +supporting the same type of AES-256-CMAC based KDF in software as an +alternative to HKDF-SHA512. There is no security problem with such +features, so fix the key length check to work properly with them. + +Reviewed-by: Paul Crowley +Link: https://lore.kernel.org/r/20210921030303.5598-1-ebiggers@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Sasha Levin +--- + Documentation/filesystems/fscrypt.rst | 10 ++--- + fs/crypto/fscrypt_private.h | 5 ++- + fs/crypto/hkdf.c | 11 ++++-- + fs/crypto/keysetup.c | 57 +++++++++++++++++++++------ + 4 files changed, 61 insertions(+), 22 deletions(-) + +diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst +index 0eb799d9d05a2..7940a45d39522 100644 +--- a/Documentation/filesystems/fscrypt.rst ++++ b/Documentation/filesystems/fscrypt.rst +@@ -176,11 +176,11 @@ Master Keys + + Each encrypted directory tree is protected by a *master key*. Master + keys can be up to 64 bytes long, and must be at least as long as the +-greater of the key length needed by the contents and filenames +-encryption modes being used. For example, if AES-256-XTS is used for +-contents encryption, the master key must be 64 bytes (512 bits). Note +-that the XTS mode is defined to require a key twice as long as that +-required by the underlying block cipher. ++greater of the security strength of the contents and filenames ++encryption modes being used. For example, if any AES-256 mode is ++used, the master key must be at least 256 bits, i.e. 32 bytes. A ++stricter requirement applies if the key is used by a v1 encryption ++policy and AES-256-XTS is used; such keys must be 64 bytes. + + To "unlock" an encrypted directory tree, userspace must provide the + appropriate master key. There can be any number of master keys, each +diff --git a/fs/crypto/fscrypt_private.h b/fs/crypto/fscrypt_private.h +index 3fa965eb3336d..cb25ef0cdf1f3 100644 +--- a/fs/crypto/fscrypt_private.h ++++ b/fs/crypto/fscrypt_private.h +@@ -549,8 +549,9 @@ int __init fscrypt_init_keyring(void); + struct fscrypt_mode { + const char *friendly_name; + const char *cipher_str; +- int keysize; +- int ivsize; ++ int keysize; /* key size in bytes */ ++ int security_strength; /* security strength in bytes */ ++ int ivsize; /* IV size in bytes */ + int logged_impl_name; + enum blk_crypto_mode_num blk_crypto_mode; + }; +diff --git a/fs/crypto/hkdf.c b/fs/crypto/hkdf.c +index e0ec210555053..7607d18b35fc0 100644 +--- a/fs/crypto/hkdf.c ++++ b/fs/crypto/hkdf.c +@@ -16,9 +16,14 @@ + + /* + * HKDF supports any unkeyed cryptographic hash algorithm, but fscrypt uses +- * SHA-512 because it is reasonably secure and efficient; and since it produces +- * a 64-byte digest, deriving an AES-256-XTS key preserves all 64 bytes of +- * entropy from the master key and requires only one iteration of HKDF-Expand. ++ * SHA-512 because it is well-established, secure, and reasonably efficient. ++ * ++ * HKDF-SHA256 was also considered, as its 256-bit security strength would be ++ * sufficient here. A 512-bit security strength is "nice to have", though. ++ * Also, on 64-bit CPUs, SHA-512 is usually just as fast as SHA-256. In the ++ * common case of deriving an AES-256-XTS key (512 bits), that can result in ++ * HKDF-SHA512 being much faster than HKDF-SHA256, as the longer digest size of ++ * SHA-512 causes HKDF-Expand to only need to do one iteration rather than two. + */ + #define HKDF_HMAC_ALG "hmac(sha512)" + #define HKDF_HASHLEN SHA512_DIGEST_SIZE +diff --git a/fs/crypto/keysetup.c b/fs/crypto/keysetup.c +index bca9c6658a7c5..89cd533a88bff 100644 +--- a/fs/crypto/keysetup.c ++++ b/fs/crypto/keysetup.c +@@ -19,6 +19,7 @@ struct fscrypt_mode fscrypt_modes[] = { + .friendly_name = "AES-256-XTS", + .cipher_str = "xts(aes)", + .keysize = 64, ++ .security_strength = 32, + .ivsize = 16, + .blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_256_XTS, + }, +@@ -26,12 +27,14 @@ struct fscrypt_mode fscrypt_modes[] = { + .friendly_name = "AES-256-CTS-CBC", + .cipher_str = "cts(cbc(aes))", + .keysize = 32, ++ .security_strength = 32, + .ivsize = 16, + }, + [FSCRYPT_MODE_AES_128_CBC] = { + .friendly_name = "AES-128-CBC-ESSIV", + .cipher_str = "essiv(cbc(aes),sha256)", + .keysize = 16, ++ .security_strength = 16, + .ivsize = 16, + .blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV, + }, +@@ -39,12 +42,14 @@ struct fscrypt_mode fscrypt_modes[] = { + .friendly_name = "AES-128-CTS-CBC", + .cipher_str = "cts(cbc(aes))", + .keysize = 16, ++ .security_strength = 16, + .ivsize = 16, + }, + [FSCRYPT_MODE_ADIANTUM] = { + .friendly_name = "Adiantum", + .cipher_str = "adiantum(xchacha12,aes)", + .keysize = 32, ++ .security_strength = 32, + .ivsize = 32, + .blk_crypto_mode = BLK_ENCRYPTION_MODE_ADIANTUM, + }, +@@ -357,6 +362,45 @@ static int fscrypt_setup_v2_file_key(struct fscrypt_info *ci, + return 0; + } + ++/* ++ * Check whether the size of the given master key (@mk) is appropriate for the ++ * encryption settings which a particular file will use (@ci). ++ * ++ * If the file uses a v1 encryption policy, then the master key must be at least ++ * as long as the derived key, as this is a requirement of the v1 KDF. ++ * ++ * Otherwise, the KDF can accept any size key, so we enforce a slightly looser ++ * requirement: we require that the size of the master key be at least the ++ * maximum security strength of any algorithm whose key will be derived from it ++ * (but in practice we only need to consider @ci->ci_mode, since any other ++ * possible subkeys such as DIRHASH and INODE_HASH will never increase the ++ * required key size over @ci->ci_mode). This allows AES-256-XTS keys to be ++ * derived from a 256-bit master key, which is cryptographically sufficient, ++ * rather than requiring a 512-bit master key which is unnecessarily long. (We ++ * still allow 512-bit master keys if the user chooses to use them, though.) ++ */ ++static bool fscrypt_valid_master_key_size(const struct fscrypt_master_key *mk, ++ const struct fscrypt_info *ci) ++{ ++ unsigned int min_keysize; ++ ++ if (ci->ci_policy.version == FSCRYPT_POLICY_V1) ++ min_keysize = ci->ci_mode->keysize; ++ else ++ min_keysize = ci->ci_mode->security_strength; ++ ++ if (mk->mk_secret.size < min_keysize) { ++ fscrypt_warn(NULL, ++ "key with %s %*phN is too short (got %u bytes, need %u+ bytes)", ++ master_key_spec_type(&mk->mk_spec), ++ master_key_spec_len(&mk->mk_spec), ++ (u8 *)&mk->mk_spec.u, ++ mk->mk_secret.size, min_keysize); ++ return false; ++ } ++ return true; ++} ++ + /* + * Find the master key, then set up the inode's actual encryption key. + * +@@ -422,18 +466,7 @@ static int setup_file_encryption_key(struct fscrypt_info *ci, + goto out_release_key; + } + +- /* +- * Require that the master key be at least as long as the derived key. +- * Otherwise, the derived key cannot possibly contain as much entropy as +- * that required by the encryption mode it will be used for. For v1 +- * policies it's also required for the KDF to work at all. +- */ +- if (mk->mk_secret.size < ci->ci_mode->keysize) { +- fscrypt_warn(NULL, +- "key with %s %*phN is too short (got %u bytes, need %u+ bytes)", +- master_key_spec_type(&mk_spec), +- master_key_spec_len(&mk_spec), (u8 *)&mk_spec.u, +- mk->mk_secret.size, ci->ci_mode->keysize); ++ if (!fscrypt_valid_master_key_size(mk, ci)) { + err = -ENOKEY; + goto out_release_key; + } +-- +2.33.0 + diff --git a/queue-5.15/ftrace-do-cpu-checking-after-preemption-disabled.patch b/queue-5.15/ftrace-do-cpu-checking-after-preemption-disabled.patch new file mode 100644 index 00000000000..cda0c59d484 --- /dev/null +++ b/queue-5.15/ftrace-do-cpu-checking-after-preemption-disabled.patch @@ -0,0 +1,92 @@ +From 08ad2623a1f66eb55ea39f4bc3534b404e518bec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 11:15:11 +0800 +Subject: ftrace: do CPU checking after preemption disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: 王贇 + +[ Upstream commit d33cc657372366a8959f099c619a208b4c5dc664 ] + +With CONFIG_DEBUG_PREEMPT we observed reports like: + + BUG: using smp_processor_id() in preemptible + caller is perf_ftrace_function_call+0x6f/0x2e0 + CPU: 1 PID: 680 Comm: a.out Not tainted + Call Trace: + + dump_stack_lvl+0x8d/0xcf + check_preemption_disabled+0x104/0x110 + ? optimize_nops.isra.7+0x230/0x230 + ? text_poke_bp_batch+0x9f/0x310 + perf_ftrace_function_call+0x6f/0x2e0 + ... + __text_poke+0x5/0x620 + text_poke_bp_batch+0x9f/0x310 + +This telling us the CPU could be changed after task is preempted, and +the checking on CPU before preemption will be invalid. + +Since now ftrace_test_recursion_trylock() will help to disable the +preemption, this patch just do the checking after trylock() to address +the issue. + +Link: https://lkml.kernel.org/r/54880691-5fe2-33e7-d12f-1fa6136f5183@linux.alibaba.com + +CC: Steven Rostedt +Cc: Guo Ren +Cc: Ingo Molnar +Cc: "James E.J. Bottomley" +Cc: Helge Deller +Cc: Michael Ellerman +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Paul Walmsley +Cc: Palmer Dabbelt +Cc: Albert Ou +Cc: Thomas Gleixner +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Josh Poimboeuf +Cc: Jiri Kosina +Cc: Miroslav Benes +Cc: Petr Mladek +Cc: Joe Lawrence +Cc: Masami Hiramatsu +Cc: "Peter Zijlstra (Intel)" +Cc: Nicholas Piggin +Cc: Jisheng Zhang +Reported-by: Abaci +Signed-off-by: Michael Wang +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_event_perf.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/trace_event_perf.c b/kernel/trace/trace_event_perf.c +index 6aed10e2f7ce0..fba8cb77a73af 100644 +--- a/kernel/trace/trace_event_perf.c ++++ b/kernel/trace/trace_event_perf.c +@@ -441,13 +441,13 @@ perf_ftrace_function_call(unsigned long ip, unsigned long parent_ip, + if (!rcu_is_watching()) + return; + +- if ((unsigned long)ops->private != smp_processor_id()) +- return; +- + bit = ftrace_test_recursion_trylock(ip, parent_ip); + if (bit < 0) + return; + ++ if ((unsigned long)ops->private != smp_processor_id()) ++ goto out; ++ + event = container_of(ops, struct perf_event, ftrace_ops); + + /* +-- +2.33.0 + diff --git a/queue-5.15/gfs2-cancel-remote-delete-work-asynchronously.patch b/queue-5.15/gfs2-cancel-remote-delete-work-asynchronously.patch new file mode 100644 index 00000000000..b0904e11cae --- /dev/null +++ b/queue-5.15/gfs2-cancel-remote-delete-work-asynchronously.patch @@ -0,0 +1,61 @@ +From 76a7766f75d464d533e360ef53640e0f12b317a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 20:53:02 +0200 +Subject: gfs2: Cancel remote delete work asynchronously + +From: Andreas Gruenbacher + +[ Upstream commit 486408d690e130c3adacf816754b97558d715f46 ] + +In gfs2_inode_lookup and gfs2_create_inode, we're calling +gfs2_cancel_delete_work which currently cancels any remote delete work +(delete_work_func) synchronously. This means that if the work is +currently running, it will wait for it to finish. We're doing this to +pevent a previous instance of an inode from having any influence on the +next instance. + +However, delete_work_func uses gfs2_inode_lookup internally, and we can +end up in a deadlock when delete_work_func gets interrupted at the wrong +time. For example, + + (1) An inode's iopen glock has delete work queued, but the inode + itself has been evicted from the inode cache. + + (2) The delete work is preempted before reaching gfs2_inode_lookup. + + (3) Another process recreates the inode (gfs2_create_inode). It tries + to cancel any outstanding delete work, which blocks waiting for + the ongoing delete work to finish. + + (4) The delete work calls gfs2_inode_lookup, which blocks waiting for + gfs2_create_inode to instantiate and unlock the new inode => + deadlock. + +It turns out that when the delete work notices that its inode has been +re-instantiated, it will do nothing. This means that it's safe to +cancel the delete work asynchronously. This prevents the kind of +deadlock described above. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index e0eaa9cf9fb6f..8ca89adf31a86 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -1919,7 +1919,7 @@ bool gfs2_queue_delete_work(struct gfs2_glock *gl, unsigned long delay) + + void gfs2_cancel_delete_work(struct gfs2_glock *gl) + { +- if (cancel_delayed_work_sync(&gl->gl_delete)) { ++ if (cancel_delayed_work(&gl->gl_delete)) { + clear_bit(GLF_PENDING_DELETE, &gl->gl_flags); + gfs2_glock_put(gl); + } +-- +2.33.0 + diff --git a/queue-5.15/gfs2-fix-glock_hash_walk-bugs.patch b/queue-5.15/gfs2-fix-glock_hash_walk-bugs.patch new file mode 100644 index 00000000000..d8a1ef9292b --- /dev/null +++ b/queue-5.15/gfs2-fix-glock_hash_walk-bugs.patch @@ -0,0 +1,87 @@ +From 35f6245dab9302b3b04b139a2d221562d9524e55 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 15:57:44 +0200 +Subject: gfs2: Fix glock_hash_walk bugs + +From: Andreas Gruenbacher + +[ Upstream commit 7427f3bb49d81525b7dd1d0f7c5f6bbc752e6f0e ] + +So far, glock_hash_walk took a reference on each glock it iterated over, and it +was the examiner's responsibility to drop those references. Dropping the final +reference to a glock can sleep and the examiners are called in a RCU critical +section with spin locks held, so examiners that didn't need the extra reference +had to drop it asynchronously via gfs2_glock_queue_put or similar. This wasn't +done correctly in thaw_glock which did call gfs2_glock_put, and not at all in +dump_glock_func. + +Change glock_hash_walk to not take glock references at all. That way, the +examiners that don't need them won't have to bother with slow asynchronous +puts, and the examiners that do need references can take them themselves. + +Reported-by: Alexander Aring +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 8ca89adf31a86..02cd0ae98208d 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -1893,10 +1893,10 @@ static void glock_hash_walk(glock_examiner examiner, const struct gfs2_sbd *sdp) + do { + rhashtable_walk_start(&iter); + +- while ((gl = rhashtable_walk_next(&iter)) && !IS_ERR(gl)) +- if (gl->gl_name.ln_sbd == sdp && +- lockref_get_not_dead(&gl->gl_lockref)) ++ while ((gl = rhashtable_walk_next(&iter)) && !IS_ERR(gl)) { ++ if (gl->gl_name.ln_sbd == sdp) + examiner(gl); ++ } + + rhashtable_walk_stop(&iter); + } while (cond_resched(), gl == ERR_PTR(-EAGAIN)); +@@ -1938,7 +1938,6 @@ static void flush_delete_work(struct gfs2_glock *gl) + &gl->gl_delete, 0); + } + } +- gfs2_glock_queue_work(gl, 0); + } + + void gfs2_flush_delete_work(struct gfs2_sbd *sdp) +@@ -1955,10 +1954,10 @@ void gfs2_flush_delete_work(struct gfs2_sbd *sdp) + + static void thaw_glock(struct gfs2_glock *gl) + { +- if (!test_and_clear_bit(GLF_FROZEN, &gl->gl_flags)) { +- gfs2_glock_put(gl); ++ if (!test_and_clear_bit(GLF_FROZEN, &gl->gl_flags)) ++ return; ++ if (!lockref_get_not_dead(&gl->gl_lockref)) + return; +- } + set_bit(GLF_REPLY_PENDING, &gl->gl_flags); + gfs2_glock_queue_work(gl, 0); + } +@@ -1974,9 +1973,12 @@ static void clear_glock(struct gfs2_glock *gl) + gfs2_glock_remove_from_lru(gl); + + spin_lock(&gl->gl_lockref.lock); +- if (gl->gl_state != LM_ST_UNLOCKED) +- handle_callback(gl, LM_ST_UNLOCKED, 0, false); +- __gfs2_glock_queue_work(gl, 0); ++ if (!__lockref_is_dead(&gl->gl_lockref)) { ++ gl->gl_lockref.count++; ++ if (gl->gl_state != LM_ST_UNLOCKED) ++ handle_callback(gl, LM_ST_UNLOCKED, 0, false); ++ __gfs2_glock_queue_work(gl, 0); ++ } + spin_unlock(&gl->gl_lockref.lock); + } + +-- +2.33.0 + diff --git a/queue-5.15/gpio-realtek-otto-fix-gpio-line-irq-offset.patch b/queue-5.15/gpio-realtek-otto-fix-gpio-line-irq-offset.patch new file mode 100644 index 00000000000..1c55af74931 --- /dev/null +++ b/queue-5.15/gpio-realtek-otto-fix-gpio-line-irq-offset.patch @@ -0,0 +1,37 @@ +From cd3633e561111bf4d473703aaaf6e5ddcb8d60e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 10:52:43 +0200 +Subject: gpio: realtek-otto: fix GPIO line IRQ offset + +From: Sander Vanheule + +[ Upstream commit 585a07079909ba9061ddd88214c36653e1aef71a ] + +The irqchip uses one domain for all GPIO lines, so the line offset +should be determined w.r.t. the first line of the first port, not the +first line of the triggered port. + +Fixes: 0d82fb1127fb ("gpio: Add Realtek Otto GPIO support") +Signed-off-by: Sander Vanheule +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-realtek-otto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-realtek-otto.c b/drivers/gpio/gpio-realtek-otto.c +index eeeb39bc171dc..bd75401b549d1 100644 +--- a/drivers/gpio/gpio-realtek-otto.c ++++ b/drivers/gpio/gpio-realtek-otto.c +@@ -205,7 +205,7 @@ static void realtek_gpio_irq_handler(struct irq_desc *desc) + status = realtek_gpio_read_isr(ctrl, lines_done / 8); + port_pin_count = min(gc->ngpio - lines_done, 8U); + for_each_set_bit(offset, &status, port_pin_count) +- generic_handle_domain_irq(gc->irq.domain, offset); ++ generic_handle_domain_irq(gc->irq.domain, offset + lines_done); + } + + chained_irq_exit(irq_chip, desc); +-- +2.33.0 + diff --git a/queue-5.15/gre-sit-don-t-generate-link-local-addr-if-addr_gen_m.patch b/queue-5.15/gre-sit-don-t-generate-link-local-addr-if-addr_gen_m.patch new file mode 100644 index 00000000000..ee74cd01e72 --- /dev/null +++ b/queue-5.15/gre-sit-don-t-generate-link-local-addr-if-addr_gen_m.patch @@ -0,0 +1,44 @@ +From df4f83a8ca36c75ffcf53dd2cc1820d299c16b9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 16:06:18 -0400 +Subject: gre/sit: Don't generate link-local addr if addr_gen_mode is + IN6_ADDR_GEN_MODE_NONE + +From: Stephen Suryaputra + +[ Upstream commit 61e18ce7348bfefb5688a8bcd4b4d6b37c0f9b2a ] + +When addr_gen_mode is set to IN6_ADDR_GEN_MODE_NONE, the link-local addr +should not be generated. But it isn't the case for GRE (as well as GRE6) +and SIT tunnels. Make it so that tunnels consider the addr_gen_mode, +especially for IN6_ADDR_GEN_MODE_NONE. + +Do this in add_v4_addrs() to cover both GRE and SIT only if the addr +scope is link. + +Signed-off-by: Stephen Suryaputra +Acked-by: Antonio Quartulli +Link: https://lore.kernel.org/r/20211020200618.467342-1-ssuryaextr@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/addrconf.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index c6a90b7bbb70e..846037e73723f 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -3110,6 +3110,9 @@ static void add_v4_addrs(struct inet6_dev *idev) + memcpy(&addr.s6_addr32[3], idev->dev->dev_addr + offset, 4); + + if (idev->dev->flags&IFF_POINTOPOINT) { ++ if (idev->cnf.addr_gen_mode == IN6_ADDR_GEN_MODE_NONE) ++ return; ++ + addr.s6_addr32[0] = htonl(0xfe800000); + scope = IFA_LINK; + plen = 64; +-- +2.33.0 + diff --git a/queue-5.15/gve-dqo-avoid-unused-variable-warnings.patch b/queue-5.15/gve-dqo-avoid-unused-variable-warnings.patch new file mode 100644 index 00000000000..64886af7177 --- /dev/null +++ b/queue-5.15/gve-dqo-avoid-unused-variable-warnings.patch @@ -0,0 +1,310 @@ +From a302e9e425b75a193793c7ea95f8a31648f3ff97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 16:15:13 +0200 +Subject: gve: DQO: avoid unused variable warnings + +From: Arnd Bergmann + +[ Upstream commit 1e0083bd0777e4a418a6710d9ee04b979cdbe5cc ] + +The use of dma_unmap_addr()/dma_unmap_len() in the driver causes +multiple warnings when these macros are defined as empty, e.g. +in an ARCH=i386 allmodconfig build: + +drivers/net/ethernet/google/gve/gve_tx_dqo.c: In function 'gve_tx_add_skb_no_copy_dqo': +drivers/net/ethernet/google/gve/gve_tx_dqo.c:494:40: error: unused variable 'buf' [-Werror=unused-variable] + 494 | struct gve_tx_dma_buf *buf = + +This is not how the NEED_DMA_MAP_STATE macros are meant to work, +as they rely on never using local variables or a temporary structure +like gve_tx_dma_buf. + +Remote the gve_tx_dma_buf definition and open-code the contents +in all places to avoid the warning. This causes some rather long +lines but otherwise ends up making the driver slightly smaller. + +Fixes: a57e5de476be ("gve: DQO: Add TX path") +Link: https://lore.kernel.org/netdev/20210723231957.1113800-1-bcf@google.com/ +Link: https://lore.kernel.org/netdev/20210721151100.2042139-1-arnd@kernel.org/ +Signed-off-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve.h | 13 ++- + drivers/net/ethernet/google/gve/gve_tx.c | 23 +++--- + drivers/net/ethernet/google/gve/gve_tx_dqo.c | 84 +++++++++----------- + 3 files changed, 54 insertions(+), 66 deletions(-) + +diff --git a/drivers/net/ethernet/google/gve/gve.h b/drivers/net/ethernet/google/gve/gve.h +index 92dc18a4bcc41..2f93ed4705905 100644 +--- a/drivers/net/ethernet/google/gve/gve.h ++++ b/drivers/net/ethernet/google/gve/gve.h +@@ -224,11 +224,6 @@ struct gve_tx_iovec { + u32 iov_padding; /* padding associated with this segment */ + }; + +-struct gve_tx_dma_buf { +- DEFINE_DMA_UNMAP_ADDR(dma); +- DEFINE_DMA_UNMAP_LEN(len); +-}; +- + /* Tracks the memory in the fifo occupied by the skb. Mapped 1:1 to a desc + * ring entry but only used for a pkt_desc not a seg_desc + */ +@@ -236,7 +231,10 @@ struct gve_tx_buffer_state { + struct sk_buff *skb; /* skb for this pkt */ + union { + struct gve_tx_iovec iov[GVE_TX_MAX_IOVEC]; /* segments of this pkt */ +- struct gve_tx_dma_buf buf; ++ struct { ++ DEFINE_DMA_UNMAP_ADDR(dma); ++ DEFINE_DMA_UNMAP_LEN(len); ++ }; + }; + }; + +@@ -280,7 +278,8 @@ struct gve_tx_pending_packet_dqo { + * All others correspond to `skb`'s frags and should be unmapped with + * `dma_unmap_page`. + */ +- struct gve_tx_dma_buf bufs[MAX_SKB_FRAGS + 1]; ++ DEFINE_DMA_UNMAP_ADDR(dma[MAX_SKB_FRAGS + 1]); ++ DEFINE_DMA_UNMAP_LEN(len[MAX_SKB_FRAGS + 1]); + u16 num_bufs; + + /* Linked list index to next element in the list, or -1 if none */ +diff --git a/drivers/net/ethernet/google/gve/gve_tx.c b/drivers/net/ethernet/google/gve/gve_tx.c +index 665ac795a1adf..9922ce46a6351 100644 +--- a/drivers/net/ethernet/google/gve/gve_tx.c ++++ b/drivers/net/ethernet/google/gve/gve_tx.c +@@ -303,15 +303,15 @@ static inline int gve_skb_fifo_bytes_required(struct gve_tx_ring *tx, + static void gve_tx_unmap_buf(struct device *dev, struct gve_tx_buffer_state *info) + { + if (info->skb) { +- dma_unmap_single(dev, dma_unmap_addr(&info->buf, dma), +- dma_unmap_len(&info->buf, len), ++ dma_unmap_single(dev, dma_unmap_addr(info, dma), ++ dma_unmap_len(info, len), + DMA_TO_DEVICE); +- dma_unmap_len_set(&info->buf, len, 0); ++ dma_unmap_len_set(info, len, 0); + } else { +- dma_unmap_page(dev, dma_unmap_addr(&info->buf, dma), +- dma_unmap_len(&info->buf, len), ++ dma_unmap_page(dev, dma_unmap_addr(info, dma), ++ dma_unmap_len(info, len), + DMA_TO_DEVICE); +- dma_unmap_len_set(&info->buf, len, 0); ++ dma_unmap_len_set(info, len, 0); + } + } + +@@ -491,7 +491,6 @@ static int gve_tx_add_skb_no_copy(struct gve_priv *priv, struct gve_tx_ring *tx, + struct gve_tx_buffer_state *info; + bool is_gso = skb_is_gso(skb); + u32 idx = tx->req & tx->mask; +- struct gve_tx_dma_buf *buf; + u64 addr; + u32 len; + int i; +@@ -515,9 +514,8 @@ static int gve_tx_add_skb_no_copy(struct gve_priv *priv, struct gve_tx_ring *tx, + tx->dma_mapping_error++; + goto drop; + } +- buf = &info->buf; +- dma_unmap_len_set(buf, len, len); +- dma_unmap_addr_set(buf, dma, addr); ++ dma_unmap_len_set(info, len, len); ++ dma_unmap_addr_set(info, dma, addr); + + payload_nfrags = shinfo->nr_frags; + if (hlen < len) { +@@ -549,10 +547,9 @@ static int gve_tx_add_skb_no_copy(struct gve_priv *priv, struct gve_tx_ring *tx, + tx->dma_mapping_error++; + goto unmap_drop; + } +- buf = &tx->info[idx].buf; + tx->info[idx].skb = NULL; +- dma_unmap_len_set(buf, len, len); +- dma_unmap_addr_set(buf, dma, addr); ++ dma_unmap_len_set(&tx->info[idx], len, len); ++ dma_unmap_addr_set(&tx->info[idx], dma, addr); + + gve_tx_fill_seg_desc(seg_desc, skb, is_gso, len, addr); + } +diff --git a/drivers/net/ethernet/google/gve/gve_tx_dqo.c b/drivers/net/ethernet/google/gve/gve_tx_dqo.c +index 05ddb6a75c38f..ec394d9916681 100644 +--- a/drivers/net/ethernet/google/gve/gve_tx_dqo.c ++++ b/drivers/net/ethernet/google/gve/gve_tx_dqo.c +@@ -85,18 +85,16 @@ static void gve_tx_clean_pending_packets(struct gve_tx_ring *tx) + int j; + + for (j = 0; j < cur_state->num_bufs; j++) { +- struct gve_tx_dma_buf *buf = &cur_state->bufs[j]; +- + if (j == 0) { + dma_unmap_single(tx->dev, +- dma_unmap_addr(buf, dma), +- dma_unmap_len(buf, len), +- DMA_TO_DEVICE); ++ dma_unmap_addr(cur_state, dma[j]), ++ dma_unmap_len(cur_state, len[j]), ++ DMA_TO_DEVICE); + } else { + dma_unmap_page(tx->dev, +- dma_unmap_addr(buf, dma), +- dma_unmap_len(buf, len), +- DMA_TO_DEVICE); ++ dma_unmap_addr(cur_state, dma[j]), ++ dma_unmap_len(cur_state, len[j]), ++ DMA_TO_DEVICE); + } + } + if (cur_state->skb) { +@@ -457,15 +455,15 @@ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx, + const bool is_gso = skb_is_gso(skb); + u32 desc_idx = tx->dqo_tx.tail; + +- struct gve_tx_pending_packet_dqo *pending_packet; ++ struct gve_tx_pending_packet_dqo *pkt; + struct gve_tx_metadata_dqo metadata; + s16 completion_tag; + int i; + +- pending_packet = gve_alloc_pending_packet(tx); +- pending_packet->skb = skb; +- pending_packet->num_bufs = 0; +- completion_tag = pending_packet - tx->dqo.pending_packets; ++ pkt = gve_alloc_pending_packet(tx); ++ pkt->skb = skb; ++ pkt->num_bufs = 0; ++ completion_tag = pkt - tx->dqo.pending_packets; + + gve_extract_tx_metadata_dqo(skb, &metadata); + if (is_gso) { +@@ -493,8 +491,6 @@ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx, + + /* Map the linear portion of skb */ + { +- struct gve_tx_dma_buf *buf = +- &pending_packet->bufs[pending_packet->num_bufs]; + u32 len = skb_headlen(skb); + dma_addr_t addr; + +@@ -502,9 +498,9 @@ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx, + if (unlikely(dma_mapping_error(tx->dev, addr))) + goto err; + +- dma_unmap_len_set(buf, len, len); +- dma_unmap_addr_set(buf, dma, addr); +- ++pending_packet->num_bufs; ++ dma_unmap_len_set(pkt, len[pkt->num_bufs], len); ++ dma_unmap_addr_set(pkt, dma[pkt->num_bufs], addr); ++ ++pkt->num_bufs; + + gve_tx_fill_pkt_desc_dqo(tx, &desc_idx, skb, len, addr, + completion_tag, +@@ -512,8 +508,6 @@ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx, + } + + for (i = 0; i < shinfo->nr_frags; i++) { +- struct gve_tx_dma_buf *buf = +- &pending_packet->bufs[pending_packet->num_bufs]; + const skb_frag_t *frag = &shinfo->frags[i]; + bool is_eop = i == (shinfo->nr_frags - 1); + u32 len = skb_frag_size(frag); +@@ -523,9 +517,9 @@ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx, + if (unlikely(dma_mapping_error(tx->dev, addr))) + goto err; + +- dma_unmap_len_set(buf, len, len); +- dma_unmap_addr_set(buf, dma, addr); +- ++pending_packet->num_bufs; ++ dma_unmap_len_set(pkt, len[pkt->num_bufs], len); ++ dma_unmap_addr_set(pkt, dma[pkt->num_bufs], addr); ++ ++pkt->num_bufs; + + gve_tx_fill_pkt_desc_dqo(tx, &desc_idx, skb, len, addr, + completion_tag, is_eop, is_gso); +@@ -552,22 +546,23 @@ static int gve_tx_add_skb_no_copy_dqo(struct gve_tx_ring *tx, + return 0; + + err: +- for (i = 0; i < pending_packet->num_bufs; i++) { +- struct gve_tx_dma_buf *buf = &pending_packet->bufs[i]; +- ++ for (i = 0; i < pkt->num_bufs; i++) { + if (i == 0) { +- dma_unmap_single(tx->dev, dma_unmap_addr(buf, dma), +- dma_unmap_len(buf, len), ++ dma_unmap_single(tx->dev, ++ dma_unmap_addr(pkt, dma[i]), ++ dma_unmap_len(pkt, len[i]), + DMA_TO_DEVICE); + } else { +- dma_unmap_page(tx->dev, dma_unmap_addr(buf, dma), +- dma_unmap_len(buf, len), DMA_TO_DEVICE); ++ dma_unmap_page(tx->dev, ++ dma_unmap_addr(pkt, dma[i]), ++ dma_unmap_len(pkt, len[i]), ++ DMA_TO_DEVICE); + } + } + +- pending_packet->skb = NULL; +- pending_packet->num_bufs = 0; +- gve_free_pending_packet(tx, pending_packet); ++ pkt->skb = NULL; ++ pkt->num_bufs = 0; ++ gve_free_pending_packet(tx, pkt); + + return -1; + } +@@ -725,12 +720,12 @@ static void add_to_list(struct gve_tx_ring *tx, struct gve_index_list *list, + + static void remove_from_list(struct gve_tx_ring *tx, + struct gve_index_list *list, +- struct gve_tx_pending_packet_dqo *pending_packet) ++ struct gve_tx_pending_packet_dqo *pkt) + { + s16 prev_index, next_index; + +- prev_index = pending_packet->prev; +- next_index = pending_packet->next; ++ prev_index = pkt->prev; ++ next_index = pkt->next; + + if (prev_index == -1) { + /* Node is head */ +@@ -747,21 +742,18 @@ static void remove_from_list(struct gve_tx_ring *tx, + } + + static void gve_unmap_packet(struct device *dev, +- struct gve_tx_pending_packet_dqo *pending_packet) ++ struct gve_tx_pending_packet_dqo *pkt) + { +- struct gve_tx_dma_buf *buf; + int i; + + /* SKB linear portion is guaranteed to be mapped */ +- buf = &pending_packet->bufs[0]; +- dma_unmap_single(dev, dma_unmap_addr(buf, dma), +- dma_unmap_len(buf, len), DMA_TO_DEVICE); +- for (i = 1; i < pending_packet->num_bufs; i++) { +- buf = &pending_packet->bufs[i]; +- dma_unmap_page(dev, dma_unmap_addr(buf, dma), +- dma_unmap_len(buf, len), DMA_TO_DEVICE); ++ dma_unmap_single(dev, dma_unmap_addr(pkt, dma[0]), ++ dma_unmap_len(pkt, len[0]), DMA_TO_DEVICE); ++ for (i = 1; i < pkt->num_bufs; i++) { ++ dma_unmap_page(dev, dma_unmap_addr(pkt, dma[i]), ++ dma_unmap_len(pkt, len[i]), DMA_TO_DEVICE); + } +- pending_packet->num_bufs = 0; ++ pkt->num_bufs = 0; + } + + /* Completion types and expected behavior: +-- +2.33.0 + diff --git a/queue-5.15/gve-fix-off-by-one-in-gve_tx_timeout.patch b/queue-5.15/gve-fix-off-by-one-in-gve_tx_timeout.patch new file mode 100644 index 00000000000..07b316eaa27 --- /dev/null +++ b/queue-5.15/gve-fix-off-by-one-in-gve_tx_timeout.patch @@ -0,0 +1,37 @@ +From 1480c9eee17d76df465239d1e895b059171ff91b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Nov 2021 14:47:36 +0300 +Subject: gve: Fix off by one in gve_tx_timeout() + +From: Dan Carpenter + +[ Upstream commit 1c360cc1cc883fbdf0a258b4df376571fbeac5ee ] + +The priv->ntfy_blocks[] has "priv->num_ntfy_blks" elements so this > +needs to be >= to prevent an off by one bug. The priv->ntfy_blocks[] +array is allocated in gve_alloc_notify_blocks(). + +Fixes: 87a7f321bb6a ("gve: Recover from queue stall due to missed IRQ") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c +index 8c996e72748d2..959352fceead7 100644 +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -1132,7 +1132,7 @@ static void gve_tx_timeout(struct net_device *dev, unsigned int txqueue) + goto reset; + + ntfy_idx = gve_tx_idx_to_ntfy(priv, txqueue); +- if (ntfy_idx > priv->num_ntfy_blks) ++ if (ntfy_idx >= priv->num_ntfy_blks) + goto reset; + + block = &priv->ntfy_blocks[ntfy_idx]; +-- +2.33.0 + diff --git a/queue-5.15/gve-recover-from-queue-stall-due-to-missed-irq.patch b/queue-5.15/gve-recover-from-queue-stall-due-to-missed-irq.patch new file mode 100644 index 00000000000..707a46ad3d3 --- /dev/null +++ b/queue-5.15/gve-recover-from-queue-stall-due-to-missed-irq.patch @@ -0,0 +1,136 @@ +From 4e6308ab40f7c9db6916b49e06dcd213f92e4e54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 08:36:47 -0700 +Subject: gve: Recover from queue stall due to missed IRQ + +From: John Fraker + +[ Upstream commit 87a7f321bb6a45e54b7d6c90d032ee5636a6ad97 ] + +Don't always reset the driver on a TX timeout. Attempt to +recover by kicking the queue in case an IRQ was missed. + +Fixes: 9e5f7d26a4c08 ("gve: Add workqueue and reset support") +Signed-off-by: John Fraker +Signed-off-by: David Awogbemila +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve.h | 4 +- + drivers/net/ethernet/google/gve/gve_adminq.h | 1 + + drivers/net/ethernet/google/gve/gve_main.c | 48 +++++++++++++++++++- + 3 files changed, 51 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/google/gve/gve.h b/drivers/net/ethernet/google/gve/gve.h +index 2f93ed4705905..c1d4042671f9f 100644 +--- a/drivers/net/ethernet/google/gve/gve.h ++++ b/drivers/net/ethernet/google/gve/gve.h +@@ -30,7 +30,7 @@ + #define GVE_MIN_MSIX 3 + + /* Numbers of gve tx/rx stats in stats report. */ +-#define GVE_TX_STATS_REPORT_NUM 5 ++#define GVE_TX_STATS_REPORT_NUM 6 + #define GVE_RX_STATS_REPORT_NUM 2 + + /* Interval to schedule a stats report update, 20000ms. */ +@@ -413,7 +413,9 @@ struct gve_tx_ring { + u32 q_num ____cacheline_aligned; /* queue idx */ + u32 stop_queue; /* count of queue stops */ + u32 wake_queue; /* count of queue wakes */ ++ u32 queue_timeout; /* count of queue timeouts */ + u32 ntfy_id; /* notification block index */ ++ u32 last_kick_msec; /* Last time the queue was kicked */ + dma_addr_t bus; /* dma address of the descr ring */ + dma_addr_t q_resources_bus; /* dma address of the queue resources */ + dma_addr_t complq_bus_dqo; /* dma address of the dqo.compl_ring */ +diff --git a/drivers/net/ethernet/google/gve/gve_adminq.h b/drivers/net/ethernet/google/gve/gve_adminq.h +index 47c3d8f313fcf..3953f6f7a4273 100644 +--- a/drivers/net/ethernet/google/gve/gve_adminq.h ++++ b/drivers/net/ethernet/google/gve/gve_adminq.h +@@ -270,6 +270,7 @@ enum gve_stat_names { + TX_LAST_COMPLETION_PROCESSED = 5, + RX_NEXT_EXPECTED_SEQUENCE = 6, + RX_BUFFERS_POSTED = 7, ++ TX_TIMEOUT_CNT = 8, + // stats from NIC + RX_QUEUE_DROP_CNT = 65, + RX_NO_BUFFERS_POSTED = 66, +diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c +index bf8a4a7c43f78..8c996e72748d2 100644 +--- a/drivers/net/ethernet/google/gve/gve_main.c ++++ b/drivers/net/ethernet/google/gve/gve_main.c +@@ -24,6 +24,9 @@ + #define GVE_VERSION "1.0.0" + #define GVE_VERSION_PREFIX "GVE-" + ++// Minimum amount of time between queue kicks in msec (10 seconds) ++#define MIN_TX_TIMEOUT_GAP (1000 * 10) ++ + const char gve_version_str[] = GVE_VERSION; + static const char gve_version_prefix[] = GVE_VERSION_PREFIX; + +@@ -1116,9 +1119,47 @@ static void gve_turnup(struct gve_priv *priv) + + static void gve_tx_timeout(struct net_device *dev, unsigned int txqueue) + { +- struct gve_priv *priv = netdev_priv(dev); ++ struct gve_notify_block *block; ++ struct gve_tx_ring *tx = NULL; ++ struct gve_priv *priv; ++ u32 last_nic_done; ++ u32 current_time; ++ u32 ntfy_idx; ++ ++ netdev_info(dev, "Timeout on tx queue, %d", txqueue); ++ priv = netdev_priv(dev); ++ if (txqueue > priv->tx_cfg.num_queues) ++ goto reset; ++ ++ ntfy_idx = gve_tx_idx_to_ntfy(priv, txqueue); ++ if (ntfy_idx > priv->num_ntfy_blks) ++ goto reset; ++ ++ block = &priv->ntfy_blocks[ntfy_idx]; ++ tx = block->tx; + ++ current_time = jiffies_to_msecs(jiffies); ++ if (tx->last_kick_msec + MIN_TX_TIMEOUT_GAP > current_time) ++ goto reset; ++ ++ /* Check to see if there are missed completions, which will allow us to ++ * kick the queue. ++ */ ++ last_nic_done = gve_tx_load_event_counter(priv, tx); ++ if (last_nic_done - tx->done) { ++ netdev_info(dev, "Kicking queue %d", txqueue); ++ iowrite32be(GVE_IRQ_MASK, gve_irq_doorbell(priv, block)); ++ napi_schedule(&block->napi); ++ tx->last_kick_msec = current_time; ++ goto out; ++ } // Else reset. ++ ++reset: + gve_schedule_reset(priv); ++ ++out: ++ if (tx) ++ tx->queue_timeout++; + priv->tx_timeo_cnt++; + } + +@@ -1247,6 +1288,11 @@ void gve_handle_report_stats(struct gve_priv *priv) + .value = cpu_to_be64(last_completion), + .queue_id = cpu_to_be32(idx), + }; ++ stats[stats_idx++] = (struct stats) { ++ .stat_name = cpu_to_be32(TX_TIMEOUT_CNT), ++ .value = cpu_to_be64(priv->tx[idx].queue_timeout), ++ .queue_id = cpu_to_be32(idx), ++ }; + } + } + /* rx stats */ +-- +2.33.0 + diff --git a/queue-5.15/gve-track-rx-buffer-allocation-failures.patch b/queue-5.15/gve-track-rx-buffer-allocation-failures.patch new file mode 100644 index 00000000000..76d31118aee --- /dev/null +++ b/queue-5.15/gve-track-rx-buffer-allocation-failures.patch @@ -0,0 +1,42 @@ +From 8b4eda660b0b32fe82562b2c65dafcea00f5ea43 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 08:36:50 -0700 +Subject: gve: Track RX buffer allocation failures + +From: Catherine Sullivan + +[ Upstream commit 1b4d1c9bab091ac6e20a3ff80c30c5cefe192bf4 ] + +The rx_buf_alloc_fail counter wasn't getting updated. + +Fixes: 433e274b8f7b0 ("gve: Add stats for gve.") +Signed-off-by: Catherine Sullivan +Signed-off-by: Jeroen de Borst +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/google/gve/gve_rx.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/google/gve/gve_rx.c b/drivers/net/ethernet/google/gve/gve_rx.c +index 94941d4e47449..16169f291ad9f 100644 +--- a/drivers/net/ethernet/google/gve/gve_rx.c ++++ b/drivers/net/ethernet/google/gve/gve_rx.c +@@ -514,8 +514,13 @@ static bool gve_rx_refill_buffers(struct gve_priv *priv, struct gve_rx_ring *rx) + + gve_rx_free_buffer(dev, page_info, data_slot); + page_info->page = NULL; +- if (gve_rx_alloc_buffer(priv, dev, page_info, data_slot)) ++ if (gve_rx_alloc_buffer(priv, dev, page_info, ++ data_slot)) { ++ u64_stats_update_begin(&rx->statss); ++ rx->rx_buf_alloc_fail++; ++ u64_stats_update_end(&rx->statss); + break; ++ } + } + } + fill_cnt++; +-- +2.33.0 + diff --git a/queue-5.15/hid-u2fzero-clarify-error-check-and-length-calculati.patch b/queue-5.15/hid-u2fzero-clarify-error-check-and-length-calculati.patch new file mode 100644 index 00000000000..82f1eb788d5 --- /dev/null +++ b/queue-5.15/hid-u2fzero-clarify-error-check-and-length-calculati.patch @@ -0,0 +1,62 @@ +From 495f99dcb803144c8d87267f080d09ea9a6c9ec1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 17:29:16 +0200 +Subject: HID: u2fzero: clarify error check and length calculations + +From: Andrej Shadura + +[ Upstream commit b7abf78b7a6c4a29a6e0ba0bb883fe44a2f3d693 ] + +The previous commit fixed handling of incomplete packets but broke error +handling: offsetof returns an unsigned value (size_t), but when compared +against the signed return value, the return value is interpreted as if +it were unsigned, so negative return values are never less than the +offset. + +To make the code easier to read, calculate the minimal packet length +once and separately, and assign it to a signed int variable to eliminate +unsigned math and the need for type casts. It then becomes immediately +obvious how the actual data length is calculated and why the return +value cannot be less than the minimal length. + +Fixes: 22d65765f211 ("HID: u2fzero: ignore incomplete packets without data") +Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG") +Signed-off-by: Andrej Shadura +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-u2fzero.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c +index d70cd3d7f583b..94f78ffb76d04 100644 +--- a/drivers/hid/hid-u2fzero.c ++++ b/drivers/hid/hid-u2fzero.c +@@ -191,6 +191,8 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data, + struct u2f_hid_msg resp; + int ret; + size_t actual_length; ++ /* valid packets must have a correct header */ ++ int min_length = offsetof(struct u2f_hid_msg, init.data); + + if (!dev->present) { + hid_dbg(dev->hdev, "device not present"); +@@ -200,12 +202,12 @@ static int u2fzero_rng_read(struct hwrng *rng, void *data, + ret = u2fzero_recv(dev, &req, &resp); + + /* ignore errors or packets without data */ +- if (ret < offsetof(struct u2f_hid_msg, init.data)) ++ if (ret < min_length) + return 0; + + /* only take the minimum amount of data it is safe to take */ +- actual_length = min3((size_t)ret - offsetof(struct u2f_hid_msg, +- init.data), U2F_HID_MSG_LEN(resp), max); ++ actual_length = min3((size_t)ret - min_length, ++ U2F_HID_MSG_LEN(resp), max); + + memcpy(data, resp.init.data, actual_length); + +-- +2.33.0 + diff --git a/queue-5.15/hid-u2fzero-properly-handle-timeouts-in-usb_submit_u.patch b/queue-5.15/hid-u2fzero-properly-handle-timeouts-in-usb_submit_u.patch new file mode 100644 index 00000000000..fd070cf67a0 --- /dev/null +++ b/queue-5.15/hid-u2fzero-properly-handle-timeouts-in-usb_submit_u.patch @@ -0,0 +1,38 @@ +From 0e22bc6a5b92b94cceb502890d3d8c9a84d28ca4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 17:29:17 +0200 +Subject: HID: u2fzero: properly handle timeouts in usb_submit_urb + +From: Andrej Shadura + +[ Upstream commit 43775e62c4b784f44a159e13ba80e6146a42d502 ] + +The wait_for_completion_timeout function returns 0 if timed out or a +positive value if completed. Hence, "less than zero" comparison always +misses timeouts and doesn't kill the URB as it should, leading to +re-sending it while it is active. + +Fixes: 42337b9d4d95 ("HID: add driver for U2F Zero built-in LED and RNG") +Signed-off-by: Andrej Shadura +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-u2fzero.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-u2fzero.c b/drivers/hid/hid-u2fzero.c +index 94f78ffb76d04..67ae2b18e33ac 100644 +--- a/drivers/hid/hid-u2fzero.c ++++ b/drivers/hid/hid-u2fzero.c +@@ -132,7 +132,7 @@ static int u2fzero_recv(struct u2fzero_device *dev, + + ret = (wait_for_completion_timeout( + &ctx.done, msecs_to_jiffies(USB_CTRL_SET_TIMEOUT))); +- if (ret < 0) { ++ if (ret == 0) { + usb_kill_urb(dev->urb); + hid_err(hdev, "urb submission timed out"); + } else { +-- +2.33.0 + diff --git a/queue-5.15/hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch b/queue-5.15/hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch new file mode 100644 index 00000000000..31ca863476a --- /dev/null +++ b/queue-5.15/hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch @@ -0,0 +1,68 @@ +From 1076780fc3871541bc25a8aed4ac86001d6c1e5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 19:27:58 +0800 +Subject: hwmon: Fix possible memleak in __hwmon_device_register() + +From: Yang Yingliang + +[ Upstream commit ada61aa0b1184a8fda1a89a340c7d6cc4e59aee5 ] + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff888102740438 (size 8): + comm "27", pid 859, jiffies 4295031351 (age 143.992s) + hex dump (first 8 bytes): + 68 77 6d 6f 6e 30 00 00 hwmon0.. + backtrace: + [<00000000544b5996>] __kmalloc_track_caller+0x1a6/0x300 + [<00000000df0d62b9>] kvasprintf+0xad/0x140 + [<00000000d3d2a3da>] kvasprintf_const+0x62/0x190 + [<000000005f8f0f29>] kobject_set_name_vargs+0x56/0x140 + [<00000000b739e4b9>] dev_set_name+0xb0/0xe0 + [<0000000095b69c25>] __hwmon_device_register+0xf19/0x1e50 [hwmon] + [<00000000a7e65b52>] hwmon_device_register_with_info+0xcb/0x110 [hwmon] + [<000000006f181e86>] devm_hwmon_device_register_with_info+0x85/0x100 [hwmon] + [<0000000081bdc567>] tmp421_probe+0x2d2/0x465 [tmp421] + [<00000000502cc3f8>] i2c_device_probe+0x4e1/0xbb0 + [<00000000f90bda3b>] really_probe+0x285/0xc30 + [<000000007eac7b77>] __driver_probe_device+0x35f/0x4f0 + [<000000004953d43d>] driver_probe_device+0x4f/0x140 + [<000000002ada2d41>] __device_attach_driver+0x24c/0x330 + [<00000000b3977977>] bus_for_each_drv+0x15d/0x1e0 + [<000000005bf2a8e3>] __device_attach+0x267/0x410 + +When device_register() returns an error, the name allocated in +dev_set_name() will be leaked, the put_device() should be used +instead of calling hwmon_dev_release() to give up the device +reference, then the name will be freed in kobject_cleanup(). + +Reported-by: Hulk Robot +Fixes: bab2243ce189 ("hwmon: Introduce hwmon_device_register_with_groups") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211012112758.2681084-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/hwmon.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c +index 8d3b1dae31df1..3501a3ead4ba6 100644 +--- a/drivers/hwmon/hwmon.c ++++ b/drivers/hwmon/hwmon.c +@@ -796,8 +796,10 @@ __hwmon_device_register(struct device *dev, const char *name, void *drvdata, + dev_set_drvdata(hdev, drvdata); + dev_set_name(hdev, HWMON_ID_FORMAT, id); + err = device_register(hdev); +- if (err) +- goto free_hwmon; ++ if (err) { ++ put_device(hdev); ++ goto ida_remove; ++ } + + INIT_LIST_HEAD(&hwdev->tzdata); + +-- +2.33.0 + diff --git a/queue-5.15/hwmon-pmbus-lm25066-let-compiler-determine-outer-dim.patch b/queue-5.15/hwmon-pmbus-lm25066-let-compiler-determine-outer-dim.patch new file mode 100644 index 00000000000..70c740205c7 --- /dev/null +++ b/queue-5.15/hwmon-pmbus-lm25066-let-compiler-determine-outer-dim.patch @@ -0,0 +1,38 @@ +From cef55a01aaf6407acef424ad8469d40ec788dd02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 02:22:38 -0700 +Subject: hwmon: (pmbus/lm25066) Let compiler determine outer dimension of + lm25066_coeff + +From: Zev Weiss + +[ Upstream commit b7931a7b0e0df4d2a25fedd895ad32c746b77bc1 ] + +Maintaining this manually is error prone (there are currently only +five chips supported, not six); gcc can do it for us automatically. + +Signed-off-by: Zev Weiss +Fixes: 666c14906b49 ("hwmon: (pmbus/lm25066) Drop support for LM25063") +Link: https://lore.kernel.org/r/20210928092242.30036-5-zev@bewilderbeest.net +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/pmbus/lm25066.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/pmbus/lm25066.c b/drivers/hwmon/pmbus/lm25066.c +index 1a660c4cd19f4..66d3e88b54172 100644 +--- a/drivers/hwmon/pmbus/lm25066.c ++++ b/drivers/hwmon/pmbus/lm25066.c +@@ -51,7 +51,7 @@ struct __coeff { + #define PSC_CURRENT_IN_L (PSC_NUM_CLASSES) + #define PSC_POWER_L (PSC_NUM_CLASSES + 1) + +-static struct __coeff lm25066_coeff[6][PSC_NUM_CLASSES + 2] = { ++static struct __coeff lm25066_coeff[][PSC_NUM_CLASSES + 2] = { + [lm25056] = { + [PSC_VOLTAGE_IN] = { + .m = 16296, +-- +2.33.0 + diff --git a/queue-5.15/hwrng-mtk-force-runtime-pm-ops-for-sleep-ops.patch b/queue-5.15/hwrng-mtk-force-runtime-pm-ops-for-sleep-ops.patch new file mode 100644 index 00000000000..0b1ea211118 --- /dev/null +++ b/queue-5.15/hwrng-mtk-force-runtime-pm-ops-for-sleep-ops.patch @@ -0,0 +1,53 @@ +From c85e3914a84226c4eebe239858977ff60a413c60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Sep 2021 21:12:42 +0200 +Subject: hwrng: mtk - Force runtime pm ops for sleep ops + +From: Markus Schneider-Pargmann + +[ Upstream commit b6f5f0c8f72d348b2d07b20d7b680ef13a7ffe98 ] + +Currently mtk_rng_runtime_suspend/resume is called for both runtime pm +and system sleep operations. + +This is wrong as these should only be runtime ops as the name already +suggests. Currently freezing the system will lead to a call to +mtk_rng_runtime_suspend even if the device currently isn't active. This +leads to a clock warning because it is disabled/unprepared although it +isn't enabled/prepared currently. + +This patch fixes this by only setting the runtime pm ops and forces to +call the runtime pm ops from the system sleep ops as well if active but +not otherwise. + +Fixes: 81d2b34508c6 ("hwrng: mtk - add runtime PM support") +Signed-off-by: Markus Schneider-Pargmann +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/mtk-rng.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/hw_random/mtk-rng.c b/drivers/char/hw_random/mtk-rng.c +index 8ad7b515a51b8..6c00ea0085553 100644 +--- a/drivers/char/hw_random/mtk-rng.c ++++ b/drivers/char/hw_random/mtk-rng.c +@@ -166,8 +166,13 @@ static int mtk_rng_runtime_resume(struct device *dev) + return mtk_rng_init(&priv->rng); + } + +-static UNIVERSAL_DEV_PM_OPS(mtk_rng_pm_ops, mtk_rng_runtime_suspend, +- mtk_rng_runtime_resume, NULL); ++static const struct dev_pm_ops mtk_rng_pm_ops = { ++ SET_RUNTIME_PM_OPS(mtk_rng_runtime_suspend, ++ mtk_rng_runtime_resume, NULL) ++ SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, ++ pm_runtime_force_resume) ++}; ++ + #define MTK_RNG_PM_OPS (&mtk_rng_pm_ops) + #else /* CONFIG_PM */ + #define MTK_RNG_PM_OPS NULL +-- +2.33.0 + diff --git a/queue-5.15/i2c-i801-use-pci-bus-rescan-mutex-to-protect-p2sb-ac.patch b/queue-5.15/i2c-i801-use-pci-bus-rescan-mutex-to-protect-p2sb-ac.patch new file mode 100644 index 00000000000..0fecaebcb75 --- /dev/null +++ b/queue-5.15/i2c-i801-use-pci-bus-rescan-mutex-to-protect-p2sb-ac.patch @@ -0,0 +1,59 @@ +From 8ea75b453dd9b4e3479f7174d21970aaa803dd2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Sep 2021 17:59:42 +0200 +Subject: i2c: i801: Use PCI bus rescan mutex to protect P2SB access + +From: Heiner Kallweit + +[ Upstream commit 7d6b61c394a42b8385858bb9e306d48a0112823c ] + +As pointed out by Andy in [0] using a local mutex here isn't strictly +wrong but not sufficient. We should hold the PCI rescan lock for P2SB +operations. + +[0] https://www.spinics.net/lists/linux-i2c/msg52717.html + +Fixes: 1a987c69ce2c ("i2c: i801: make p2sb_spinlock a mutex") +Reported-by: Andy Shevchenko +Signed-off-by: Heiner Kallweit +Reviewed-by: Andy Shevchenko +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-i801.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c +index 89ae78ef1a1cc..1f929e6c30bea 100644 +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -1493,7 +1493,6 @@ static struct platform_device * + i801_add_tco_spt(struct i801_priv *priv, struct pci_dev *pci_dev, + struct resource *tco_res) + { +- static DEFINE_MUTEX(p2sb_mutex); + struct resource *res; + unsigned int devfn; + u64 base64_addr; +@@ -1506,7 +1505,7 @@ i801_add_tco_spt(struct i801_priv *priv, struct pci_dev *pci_dev, + * enumerated by the PCI subsystem, so we need to unhide/hide it + * to lookup the P2SB BAR. + */ +- mutex_lock(&p2sb_mutex); ++ pci_lock_rescan_remove(); + + devfn = PCI_DEVFN(PCI_SLOT(pci_dev->devfn), 1); + +@@ -1524,7 +1523,7 @@ i801_add_tco_spt(struct i801_priv *priv, struct pci_dev *pci_dev, + /* Hide the P2SB device, if it was hidden before */ + if (hidden) + pci_bus_write_config_byte(pci_dev->bus, devfn, 0xe1, hidden); +- mutex_unlock(&p2sb_mutex); ++ pci_unlock_rescan_remove(); + + res = &tco_res[1]; + if (pci_dev->device == PCI_DEVICE_ID_INTEL_DNV_SMBUS) +-- +2.33.0 + diff --git a/queue-5.15/i2c-mediatek-fixing-the-incorrect-register-offset.patch b/queue-5.15/i2c-mediatek-fixing-the-incorrect-register-offset.patch new file mode 100644 index 00000000000..7ed7c8c6c56 --- /dev/null +++ b/queue-5.15/i2c-mediatek-fixing-the-incorrect-register-offset.patch @@ -0,0 +1,39 @@ +From f335d83d242cc5ce143e3a99e886655005c6de2d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Sep 2021 18:14:10 +0800 +Subject: i2c: mediatek: fixing the incorrect register offset + +From: Kewei Xu + +[ Upstream commit b8228aea5a19d5111a7bf44f7de6749d1f5d487a ] + +The reason for the modification here is that the previous +offset information is incorrect, OFFSET_DEBUGSTAT = 0xE4 is +the correct value. + +Fixes: 25708278f810 ("i2c: mediatek: Add i2c support for MediaTek MT8183") +Signed-off-by: Kewei Xu +Reviewed-by: Chen-Yu Tsai +Reviewed-by: Qii Wang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mt65xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-mt65xx.c b/drivers/i2c/busses/i2c-mt65xx.c +index 7d4b3eb7077ad..72acda59eb399 100644 +--- a/drivers/i2c/busses/i2c-mt65xx.c ++++ b/drivers/i2c/busses/i2c-mt65xx.c +@@ -195,7 +195,7 @@ static const u16 mt_i2c_regs_v2[] = { + [OFFSET_CLOCK_DIV] = 0x48, + [OFFSET_SOFTRESET] = 0x50, + [OFFSET_SCL_MIS_COMP_POINT] = 0x90, +- [OFFSET_DEBUGSTAT] = 0xe0, ++ [OFFSET_DEBUGSTAT] = 0xe4, + [OFFSET_DEBUGCTRL] = 0xe8, + [OFFSET_FIFO_STAT] = 0xf4, + [OFFSET_FIFO_THRESH] = 0xf8, +-- +2.33.0 + diff --git a/queue-5.15/i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch b/queue-5.15/i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch new file mode 100644 index 00000000000..d47e4287e90 --- /dev/null +++ b/queue-5.15/i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch @@ -0,0 +1,51 @@ +From c5f24d0bef4b0e96d158884cc8ca751a5dd7fbd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 22:48:08 +0200 +Subject: i2c: xlr: Fix a resource leak in the error handling path of + 'xlr_i2c_probe()' + +From: Christophe JAILLET + +[ Upstream commit 7f98960c046ee1136e7096aee168eda03aef8a5d ] + +A successful 'clk_prepare()' call should be balanced by a corresponding +'clk_unprepare()' call in the error handling path of the probe, as already +done in the remove function. + +More specifically, 'clk_prepare_enable()' is used, but 'clk_disable()' is +also already called. So just the unprepare step has still to be done. + +Update the error handling path accordingly. + +Fixes: 75d31c2372e4 ("i2c: xlr: add support for Sigma Designs controller variant") +Signed-off-by: Christophe JAILLET +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-xlr.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-xlr.c b/drivers/i2c/busses/i2c-xlr.c +index 126d1393e548b..9ce20652d4942 100644 +--- a/drivers/i2c/busses/i2c-xlr.c ++++ b/drivers/i2c/busses/i2c-xlr.c +@@ -431,11 +431,15 @@ static int xlr_i2c_probe(struct platform_device *pdev) + i2c_set_adapdata(&priv->adap, priv); + ret = i2c_add_numbered_adapter(&priv->adap); + if (ret < 0) +- return ret; ++ goto err_unprepare_clk; + + platform_set_drvdata(pdev, priv); + dev_info(&priv->adap.dev, "Added I2C Bus.\n"); + return 0; ++ ++err_unprepare_clk: ++ clk_unprepare(clk); ++ return ret; + } + + static int xlr_i2c_remove(struct platform_device *pdev) +-- +2.33.0 + diff --git a/queue-5.15/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch b/queue-5.15/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch new file mode 100644 index 00000000000..8f583e6938f --- /dev/null +++ b/queue-5.15/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch @@ -0,0 +1,53 @@ +From 00563c87e58f968d78d2b8d07b16284485c3b95f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Sep 2021 10:12:24 -0700 +Subject: ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK + +From: Randy Dunlap + +[ Upstream commit c15b5fc054c3d6c97e953617605235c5cb8ce979 ] + +When CONFIG_PRINTK is not set, the CMPXCHG_BUGCHECK() macro calls +_printk(), but _printk() is a static inline function, not available +as an extern. +Since the purpose of the macro is to print the BUGCHECK info, +make this config option depend on PRINTK. + +Fixes multiple occurrences of this build error: + +../include/linux/printk.h:208:5: error: static declaration of '_printk' follows non-static declaration + 208 | int _printk(const char *s, ...) + | ^~~~~~~ +In file included from ../arch/ia64/include/asm/cmpxchg.h:5, +../arch/ia64/include/uapi/asm/cmpxchg.h:146:28: note: previous declaration of '_printk' with type 'int(const char *, ...)' + 146 | extern int _printk(const char *fmt, ...); + +Cc: linux-ia64@vger.kernel.org +Cc: Andrew Morton +Cc: Tony Luck +Cc: Chris Down +Cc: Paul Gortmaker +Cc: John Paul Adrian Glaubitz +Signed-off-by: Randy Dunlap +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + arch/ia64/Kconfig.debug | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/ia64/Kconfig.debug b/arch/ia64/Kconfig.debug +index 40ca23bd228d6..2ce008e2d1644 100644 +--- a/arch/ia64/Kconfig.debug ++++ b/arch/ia64/Kconfig.debug +@@ -39,7 +39,7 @@ config DISABLE_VHPT + + config IA64_DEBUG_CMPXCHG + bool "Turn on compare-and-exchange bug checking (slow!)" +- depends on DEBUG_KERNEL ++ depends on DEBUG_KERNEL && PRINTK + help + Selecting this option turns on bug checking for the IA-64 + compare-and-exchange instructions. This is slow! Itaniums +-- +2.33.0 + diff --git a/queue-5.15/ibmvnic-delay-complete.patch b/queue-5.15/ibmvnic-delay-complete.patch new file mode 100644 index 00000000000..cc3bdbf075e --- /dev/null +++ b/queue-5.15/ibmvnic-delay-complete.patch @@ -0,0 +1,86 @@ +From 573c9fe217d4c2e50ac88ab821e76fc486d4a9a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 15:03:16 -0700 +Subject: ibmvnic: delay complete() + +From: Sukadev Bhattiprolu + +[ Upstream commit 6b278c0cb378079f3c0c61ae4a369c09ff1a4188 ] + +If we get CRQ_INIT, we set errno to -EIO and first call complete() to +notify the waiter. Then we try to schedule a FAILOVER reset. If this +occurs while adapter is in PROBING state, ibmvnic_reset() changes the +error code to EAGAIN and returns without scheduling the FAILOVER. The +purpose of setting error code to EAGAIN is to ask the waiter to retry. + +But due to the earlier complete() call, the waiter may already have seen +the -EIO response and decided not to retry. This can cause intermittent +failures when bringing up ibmvnic adapters during boot, specially in +in kexec/kdump kernels. + +Defer the complete() call until after scheduling the reset. + +Also streamline the error code to EAGAIN. Don't see why we need EIO +sometimes. All 3 callers of ibmvnic_reset_init() can handle EAGAIN. + +Fixes: 17c8705838a5 ("ibmvnic: Return error code if init interrupted by transport event") +Reported-by: Vaishnavi Bhat +Signed-off-by: Sukadev Bhattiprolu +Reviewed-by: Dany Madden +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 84961a83803b7..352ffe982d849 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -2565,7 +2565,7 @@ static int ibmvnic_reset(struct ibmvnic_adapter *adapter, + + if (adapter->state == VNIC_PROBING) { + netdev_warn(netdev, "Adapter reset during probe\n"); +- adapter->init_done_rc = EAGAIN; ++ adapter->init_done_rc = -EAGAIN; + ret = EAGAIN; + goto err; + } +@@ -5067,11 +5067,6 @@ static void ibmvnic_handle_crq(union ibmvnic_crq *crq, + */ + adapter->login_pending = false; + +- if (!completion_done(&adapter->init_done)) { +- complete(&adapter->init_done); +- adapter->init_done_rc = -EIO; +- } +- + if (adapter->state == VNIC_DOWN) + rc = ibmvnic_reset(adapter, VNIC_RESET_PASSIVE_INIT); + else +@@ -5092,6 +5087,13 @@ static void ibmvnic_handle_crq(union ibmvnic_crq *crq, + rc); + adapter->failover_pending = false; + } ++ ++ if (!completion_done(&adapter->init_done)) { ++ complete(&adapter->init_done); ++ if (!adapter->init_done_rc) ++ adapter->init_done_rc = -EAGAIN; ++ } ++ + break; + case IBMVNIC_CRQ_INIT_COMPLETE: + dev_info(dev, "Partner initialization complete\n"); +@@ -5559,7 +5561,7 @@ static int ibmvnic_probe(struct vio_dev *dev, const struct vio_device_id *id) + } + + rc = ibmvnic_reset_init(adapter, false); +- } while (rc == EAGAIN); ++ } while (rc == -EAGAIN); + + /* We are ignoring the error from ibmvnic_reset_init() assuming that the + * partner is not ready. CRQ is not active. When the partner becomes +-- +2.33.0 + diff --git a/queue-5.15/ibmvnic-don-t-stop-queue-in-xmit.patch b/queue-5.15/ibmvnic-don-t-stop-queue-in-xmit.patch new file mode 100644 index 00000000000..3e3fcfc6181 --- /dev/null +++ b/queue-5.15/ibmvnic-don-t-stop-queue-in-xmit.patch @@ -0,0 +1,52 @@ +From 1bbde3b397cf8a49512e0048950f782e542bc73e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 15:03:14 -0700 +Subject: ibmvnic: don't stop queue in xmit + +From: Sukadev Bhattiprolu + +[ Upstream commit 8878e46fcfd46b19964bd90e13b25dd94cbfc9be ] + +If adapter's resetting bit is on, discard the packet but don't stop the +transmit queue - instead leave that to the reset code. With this change, +it is possible that we may get several calls to ibmvnic_xmit() that simply +discard packets and return. + +But if we stop the queue here, we might end up doing so just after +__ibmvnic_open() started the queues (during a hard/soft reset) and before +the ->resetting bit was cleared. If that happens, there will be no one to +restart queue and transmissions will be blocked indefinitely. + +This can cause a TIMEOUT reset and with auto priority failover enabled, +an unnecessary FAILOVER reset to less favored backing device and then a +FAILOVER back to the most favored backing device. If we hit the window +repeatedly, we can get stuck in a loop of TIMEOUT, FAILOVER, FAILOVER +resets leaving the adapter unusable for extended periods of time. + +Fixes: 7f5b030830fe ("ibmvnic: Free skb's in cases of failure in transmit") +Reported-by: Abdul Haleem +Reported-by: Vaishnavi Bhat +Signed-off-by: Sukadev Bhattiprolu +Reviewed-by: Dany Madden +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 6aa6ff89a7651..7438138c3766a 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1724,8 +1724,6 @@ static netdev_tx_t ibmvnic_xmit(struct sk_buff *skb, struct net_device *netdev) + ind_bufp = &tx_scrq->ind_buf; + + if (test_bit(0, &adapter->resetting)) { +- if (!netif_subqueue_stopped(netdev, skb)) +- netif_stop_subqueue(netdev, queue_num); + dev_kfree_skb_any(skb); + + tx_send_failed++; +-- +2.33.0 + diff --git a/queue-5.15/ibmvnic-process-crqs-after-enabling-interrupts.patch b/queue-5.15/ibmvnic-process-crqs-after-enabling-interrupts.patch new file mode 100644 index 00000000000..5cb5fae5c06 --- /dev/null +++ b/queue-5.15/ibmvnic-process-crqs-after-enabling-interrupts.patch @@ -0,0 +1,44 @@ +From cd277025e974fdff8fc2f10f5b47fae8ed8f22b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 15:03:15 -0700 +Subject: ibmvnic: Process crqs after enabling interrupts + +From: Sukadev Bhattiprolu + +[ Upstream commit 6e20d00158f31f7631d68b86996b7e951c4451c8 ] + +Soon after registering a CRQ it is possible that we get a fail over or +maybe a CRQ_INIT from the VIOS while interrupts were disabled. + +Look for any such CRQs after enabling interrupts. + +Otherwise we can intermittently fail to bring up ibmvnic adapters during +boot, specially in kexec/kdump kernels. + +Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol") +Reported-by: Vaishnavi Bhat +Signed-off-by: Sukadev Bhattiprolu +Reviewed-by: Dany Madden +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmvnic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/ibm/ibmvnic.c b/drivers/net/ethernet/ibm/ibmvnic.c +index 7438138c3766a..84961a83803b7 100644 +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -5412,6 +5412,9 @@ static int init_crq_queue(struct ibmvnic_adapter *adapter) + crq->cur = 0; + spin_lock_init(&crq->lock); + ++ /* process any CRQs that were queued before we enabled interrupts */ ++ tasklet_schedule(&adapter->tasklet); ++ + return retrc; + + req_irq_failed: +-- +2.33.0 + diff --git a/queue-5.15/ice-fix-not-stopping-tx-queues-for-vfs.patch b/queue-5.15/ice-fix-not-stopping-tx-queues-for-vfs.patch new file mode 100644 index 00000000000..ac1c8fff16a --- /dev/null +++ b/queue-5.15/ice-fix-not-stopping-tx-queues-for-vfs.patch @@ -0,0 +1,118 @@ +From f6611e81541947a2d25db409b3aac8e75e4ee98b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 14:38:08 -0700 +Subject: ice: Fix not stopping Tx queues for VFs + +From: Brett Creeley + +[ Upstream commit b385cca47363316c6d9a74ae9db407bbc281f815 ] + +When a VF is removed and/or reset its Tx queues need to be +stopped from the PF. This is done by calling the ice_dis_vf_qs() +function, which calls ice_vsi_stop_lan_tx_rings(). Currently +ice_dis_vf_qs() is protected by the VF state bit ICE_VF_STATE_QS_ENA. +Unfortunately, this is causing the Tx queues to not be disabled in some +cases and when the VF tries to re-enable/reconfigure its Tx queues over +virtchnl the op is failing. This is because a VF can be reset and/or +removed before the ICE_VF_STATE_QS_ENA bit is set, but the Tx queues +were already configured via ice_vsi_cfg_single_txq() in the +VIRTCHNL_OP_CONFIG_VSI_QUEUES op. However, the ICE_VF_STATE_QS_ENA bit +is set on a successful VIRTCHNL_OP_ENABLE_QUEUES, which will always +happen after the VIRTCHNL_OP_CONFIG_VSI_QUEUES op. + +This was causing the following error message when loading the ice +driver, creating VFs, and modifying VF trust in an endless loop: + +[35274.192484] ice 0000:88:00.0: Failed to set LAN Tx queue context, error: ICE_ERR_PARAM +[35274.193074] ice 0000:88:00.0: VF 0 failed opcode 6, retval: -5 +[35274.193640] iavf 0000:88:01.0: PF returned error -5 (IAVF_ERR_PARAM) to our request 6 + +Fix this by always calling ice_dis_vf_qs() and silencing the error +message in ice_vsi_stop_tx_ring() since the calling code ignores the +return anyway. Also, all other places that call ice_vsi_stop_tx_ring() +catch the error, so this doesn't affect those flows since there was no +change to the values the function returns. + +Other solutions were considered (i.e. tracking which VF queues had been +"started/configured" in VIRTCHNL_OP_CONFIG_VSI_QUEUES, but it seemed +more complicated than it was worth. This solution also brings in the +chance for other unexpected conditions due to invalid state bit checks. +So, the proposed solution seemed like the best option since there is no +harm in failing to stop Tx queues that were never started. + +This issue can be seen using the following commands: + +for i in {0..50}; do + rmmod ice + modprobe ice + + sleep 1 + + echo 1 > /sys/class/net/ens785f0/device/sriov_numvfs + echo 1 > /sys/class/net/ens785f1/device/sriov_numvfs + + ip link set ens785f1 vf 0 trust on + ip link set ens785f0 vf 0 trust on + + sleep 2 + + echo 0 > /sys/class/net/ens785f0/device/sriov_numvfs + echo 0 > /sys/class/net/ens785f1/device/sriov_numvfs + sleep 1 + echo 1 > /sys/class/net/ens785f0/device/sriov_numvfs + echo 1 > /sys/class/net/ens785f1/device/sriov_numvfs + + ip link set ens785f1 vf 0 trust on + ip link set ens785f0 vf 0 trust on +done + +Fixes: 77ca27c41705 ("ice: add support for virtchnl_queue_select.[tx|rx]_queues bitmap") +Signed-off-by: Brett Creeley +Tested-by: Konrad Jankowski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_base.c | 2 +- + drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 6 ++---- + 2 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_base.c b/drivers/net/ethernet/intel/ice/ice_base.c +index c36057efc7ae3..f74610442bda7 100644 +--- a/drivers/net/ethernet/intel/ice/ice_base.c ++++ b/drivers/net/ethernet/intel/ice/ice_base.c +@@ -909,7 +909,7 @@ ice_vsi_stop_tx_ring(struct ice_vsi *vsi, enum ice_disq_rst_src rst_src, + } else if (status == ICE_ERR_DOES_NOT_EXIST) { + dev_dbg(ice_pf_to_dev(vsi->back), "LAN Tx queues do not exist, nothing to disable\n"); + } else if (status) { +- dev_err(ice_pf_to_dev(vsi->back), "Failed to disable LAN Tx queues, error: %s\n", ++ dev_dbg(ice_pf_to_dev(vsi->back), "Failed to disable LAN Tx queues, error: %s\n", + ice_stat_str(status)); + return -ENODEV; + } +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +index 9f5da506d8f4b..7e3ae4cc17a39 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +@@ -634,8 +634,7 @@ void ice_free_vfs(struct ice_pf *pf) + + /* Avoid wait time by stopping all VFs at the same time */ + ice_for_each_vf(pf, i) +- if (test_bit(ICE_VF_STATE_QS_ENA, pf->vf[i].vf_states)) +- ice_dis_vf_qs(&pf->vf[i]); ++ ice_dis_vf_qs(&pf->vf[i]); + + tmp = pf->num_alloc_vfs; + pf->num_qps_per_vf = 0; +@@ -1645,8 +1644,7 @@ bool ice_reset_vf(struct ice_vf *vf, bool is_vflr) + + vsi = ice_get_vf_vsi(vf); + +- if (test_bit(ICE_VF_STATE_QS_ENA, vf->vf_states)) +- ice_dis_vf_qs(vf); ++ ice_dis_vf_qs(vf); + + /* Call Disable LAN Tx queue AQ whether or not queues are + * enabled. This is needed for successful completion of VFR. +-- +2.33.0 + diff --git a/queue-5.15/ice-fix-replacing-vf-hardware-mac-to-existing-mac-fi.patch b/queue-5.15/ice-fix-replacing-vf-hardware-mac-to-existing-mac-fi.patch new file mode 100644 index 00000000000..7d74ed0b0c9 --- /dev/null +++ b/queue-5.15/ice-fix-replacing-vf-hardware-mac-to-existing-mac-fi.patch @@ -0,0 +1,68 @@ +From 7e00b7658dea8b81a14bf1ec3964189bc214225d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 08:40:03 -0700 +Subject: ice: Fix replacing VF hardware MAC to existing MAC filter + +From: Sylwester Dziedziuch + +[ Upstream commit ce572a5b88d5ca6737b5e23da9892792fd708ad3 ] + +VF was not able to change its hardware MAC address in case +the new address was already present in the MAC filter list. +Change the handling of VF add mac request to not return +if requested MAC address is already present on the list +and check if its hardware MAC needs to be updated in this case. + +Fixes: ed4c068d46f6 ("ice: Enable ip link show on the PF to display VF unicast MAC(s)") +Signed-off-by: Sylwester Dziedziuch +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +index a827c6b653a38..9f5da506d8f4b 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +@@ -3762,6 +3762,7 @@ ice_vc_add_mac_addr(struct ice_vf *vf, struct ice_vsi *vsi, + struct device *dev = ice_pf_to_dev(vf->pf); + u8 *mac_addr = vc_ether_addr->addr; + enum ice_status status; ++ int ret = 0; + + /* device MAC already added */ + if (ether_addr_equal(mac_addr, vf->dev_lan_addr.addr)) +@@ -3774,20 +3775,23 @@ ice_vc_add_mac_addr(struct ice_vf *vf, struct ice_vsi *vsi, + + status = ice_fltr_add_mac(vsi, mac_addr, ICE_FWD_TO_VSI); + if (status == ICE_ERR_ALREADY_EXISTS) { +- dev_err(dev, "MAC %pM already exists for VF %d\n", mac_addr, ++ dev_dbg(dev, "MAC %pM already exists for VF %d\n", mac_addr, + vf->vf_id); +- return -EEXIST; ++ /* don't return since we might need to update ++ * the primary MAC in ice_vfhw_mac_add() below ++ */ ++ ret = -EEXIST; + } else if (status) { + dev_err(dev, "Failed to add MAC %pM for VF %d\n, error %s\n", + mac_addr, vf->vf_id, ice_stat_str(status)); + return -EIO; ++ } else { ++ vf->num_mac++; + } + + ice_vfhw_mac_add(vf, vc_ether_addr); + +- vf->num_mac++; +- +- return 0; ++ return ret; + } + + /** +-- +2.33.0 + diff --git a/queue-5.15/ice-move-devlink-port-to-pf-vf-struct.patch b/queue-5.15/ice-move-devlink-port-to-pf-vf-struct.patch new file mode 100644 index 00000000000..375f28dfb35 --- /dev/null +++ b/queue-5.15/ice-move-devlink-port-to-pf-vf-struct.patch @@ -0,0 +1,306 @@ +From 3d3c184e1ba5bd8e08fbbc9863630a41b4b4c197 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 17:08:49 -0700 +Subject: ice: Move devlink port to PF/VF struct + +From: Wojciech Drewek + +[ Upstream commit 2ae0aa4758b0f4a247d45cb3bf01548a7f396751 ] + +Keeping devlink port inside VSI data structure causes some issues. +Since VF VSI is released during reset that means that we have to +unregister devlink port and register it again every time reset is +triggered. With the new changes in devlink API it +might cause deadlock issues. After calling +devlink_port_register/devlink_port_unregister devlink API is going to +lock rtnl_mutex. It's an issue when VF reset is triggered in netlink +operation context (like setting VF MAC address or VLAN), +because rtnl_lock is already taken by netlink. Another call of +rtnl_lock from devlink API results in dead-lock. + +By moving devlink port to PF/VF we avoid creating/destroying it +during reset. Since this patch, devlink ports are created during +ice_probe, destroyed during ice_remove for PF and created during +ice_repr_add, destroyed during ice_repr_rem for VF. + +Signed-off-by: Wojciech Drewek +Tested-by: Sandeep Penigalapati +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice.h | 7 +- + drivers/net/ethernet/intel/ice/ice_devlink.c | 109 +++++++++++++----- + drivers/net/ethernet/intel/ice/ice_devlink.h | 6 +- + drivers/net/ethernet/intel/ice/ice_lib.c | 3 +- + drivers/net/ethernet/intel/ice/ice_main.c | 4 +- + .../net/ethernet/intel/ice/ice_virtchnl_pf.c | 2 +- + .../net/ethernet/intel/ice/ice_virtchnl_pf.h | 9 ++ + 7 files changed, 103 insertions(+), 37 deletions(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice.h b/drivers/net/ethernet/intel/ice/ice.h +index 3c4f08d20414e..8b23fbf3cdf4c 100644 +--- a/drivers/net/ethernet/intel/ice/ice.h ++++ b/drivers/net/ethernet/intel/ice/ice.h +@@ -306,10 +306,6 @@ struct ice_vsi { + spinlock_t arfs_lock; /* protects aRFS hash table and filter state */ + atomic_t *arfs_last_fltr_id; + +- /* devlink port data */ +- struct devlink_port devlink_port; +- bool devlink_port_registered; +- + u16 max_frame; + u16 rx_buf_len; + +@@ -421,6 +417,9 @@ struct ice_pf { + struct devlink_region *nvm_region; + struct devlink_region *devcaps_region; + ++ /* devlink port data */ ++ struct devlink_port devlink_port; ++ + /* OS reserved IRQ details */ + struct msix_entry *msix_entries; + struct ice_res_tracker *irq_tracker; +diff --git a/drivers/net/ethernet/intel/ice/ice_devlink.c b/drivers/net/ethernet/intel/ice/ice_devlink.c +index da7288bdc9a3f..2ec5d5cb72803 100644 +--- a/drivers/net/ethernet/intel/ice/ice_devlink.c ++++ b/drivers/net/ethernet/intel/ice/ice_devlink.c +@@ -526,60 +526,115 @@ void ice_devlink_unregister(struct ice_pf *pf) + } + + /** +- * ice_devlink_create_port - Create a devlink port for this VSI +- * @vsi: the VSI to create a port for ++ * ice_devlink_create_pf_port - Create a devlink port for this PF ++ * @pf: the PF to create a devlink port for + * +- * Create and register a devlink_port for this VSI. ++ * Create and register a devlink_port for this PF. + * + * Return: zero on success or an error code on failure. + */ +-int ice_devlink_create_port(struct ice_vsi *vsi) ++int ice_devlink_create_pf_port(struct ice_pf *pf) + { + struct devlink_port_attrs attrs = {}; +- struct ice_port_info *pi; ++ struct devlink_port *devlink_port; + struct devlink *devlink; ++ struct ice_vsi *vsi; + struct device *dev; +- struct ice_pf *pf; + int err; + +- /* Currently we only create devlink_port instances for PF VSIs */ +- if (vsi->type != ICE_VSI_PF) +- return -EINVAL; +- +- pf = vsi->back; +- devlink = priv_to_devlink(pf); + dev = ice_pf_to_dev(pf); +- pi = pf->hw.port_info; ++ ++ devlink_port = &pf->devlink_port; ++ ++ vsi = ice_get_main_vsi(pf); ++ if (!vsi) ++ return -EIO; + + attrs.flavour = DEVLINK_PORT_FLAVOUR_PHYSICAL; +- attrs.phys.port_number = pi->lport; +- devlink_port_attrs_set(&vsi->devlink_port, &attrs); +- err = devlink_port_register(devlink, &vsi->devlink_port, vsi->idx); ++ attrs.phys.port_number = pf->hw.bus.func; ++ devlink_port_attrs_set(devlink_port, &attrs); ++ devlink = priv_to_devlink(pf); ++ ++ err = devlink_port_register(devlink, devlink_port, vsi->idx); + if (err) { +- dev_err(dev, "devlink_port_register failed: %d\n", err); ++ dev_err(dev, "Failed to create devlink port for PF %d, error %d\n", ++ pf->hw.pf_id, err); + return err; + } + +- vsi->devlink_port_registered = true; ++ return 0; ++} ++ ++/** ++ * ice_devlink_destroy_pf_port - Destroy the devlink_port for this PF ++ * @pf: the PF to cleanup ++ * ++ * Unregisters the devlink_port structure associated with this PF. ++ */ ++void ice_devlink_destroy_pf_port(struct ice_pf *pf) ++{ ++ struct devlink_port *devlink_port; ++ ++ devlink_port = &pf->devlink_port; ++ ++ devlink_port_type_clear(devlink_port); ++ devlink_port_unregister(devlink_port); ++} ++ ++/** ++ * ice_devlink_create_vf_port - Create a devlink port for this VF ++ * @vf: the VF to create a port for ++ * ++ * Create and register a devlink_port for this VF. ++ * ++ * Return: zero on success or an error code on failure. ++ */ ++int ice_devlink_create_vf_port(struct ice_vf *vf) ++{ ++ struct devlink_port_attrs attrs = {}; ++ struct devlink_port *devlink_port; ++ struct devlink *devlink; ++ struct ice_vsi *vsi; ++ struct device *dev; ++ struct ice_pf *pf; ++ int err; ++ ++ pf = vf->pf; ++ dev = ice_pf_to_dev(pf); ++ vsi = ice_get_vf_vsi(vf); ++ devlink_port = &vf->devlink_port; ++ ++ attrs.flavour = DEVLINK_PORT_FLAVOUR_PCI_VF; ++ attrs.pci_vf.pf = pf->hw.bus.func; ++ attrs.pci_vf.vf = vf->vf_id; ++ ++ devlink_port_attrs_set(devlink_port, &attrs); ++ devlink = priv_to_devlink(pf); ++ ++ err = devlink_port_register(devlink, devlink_port, vsi->idx); ++ if (err) { ++ dev_err(dev, "Failed to create devlink port for VF %d, error %d\n", ++ vf->vf_id, err); ++ return err; ++ } + + return 0; + } + + /** +- * ice_devlink_destroy_port - Destroy the devlink_port for this VSI +- * @vsi: the VSI to cleanup ++ * ice_devlink_destroy_vf_port - Destroy the devlink_port for this VF ++ * @vf: the VF to cleanup + * +- * Unregisters the devlink_port structure associated with this VSI. ++ * Unregisters the devlink_port structure associated with this VF. + */ +-void ice_devlink_destroy_port(struct ice_vsi *vsi) ++void ice_devlink_destroy_vf_port(struct ice_vf *vf) + { +- if (!vsi->devlink_port_registered) +- return; ++ struct devlink_port *devlink_port; + +- devlink_port_type_clear(&vsi->devlink_port); +- devlink_port_unregister(&vsi->devlink_port); ++ devlink_port = &vf->devlink_port; + +- vsi->devlink_port_registered = false; ++ devlink_port_type_clear(devlink_port); ++ devlink_port_unregister(devlink_port); + } + + /** +diff --git a/drivers/net/ethernet/intel/ice/ice_devlink.h b/drivers/net/ethernet/intel/ice/ice_devlink.h +index e07e74426bde8..e30284ccbed4c 100644 +--- a/drivers/net/ethernet/intel/ice/ice_devlink.h ++++ b/drivers/net/ethernet/intel/ice/ice_devlink.h +@@ -8,8 +8,10 @@ struct ice_pf *ice_allocate_pf(struct device *dev); + + int ice_devlink_register(struct ice_pf *pf); + void ice_devlink_unregister(struct ice_pf *pf); +-int ice_devlink_create_port(struct ice_vsi *vsi); +-void ice_devlink_destroy_port(struct ice_vsi *vsi); ++int ice_devlink_create_pf_port(struct ice_pf *pf); ++void ice_devlink_destroy_pf_port(struct ice_pf *pf); ++int ice_devlink_create_vf_port(struct ice_vf *vf); ++void ice_devlink_destroy_vf_port(struct ice_vf *vf); + + void ice_devlink_init_regions(struct ice_pf *pf); + void ice_devlink_destroy_regions(struct ice_pf *pf); +diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c +index b718e196af2a4..e47920fe73b88 100644 +--- a/drivers/net/ethernet/intel/ice/ice_lib.c ++++ b/drivers/net/ethernet/intel/ice/ice_lib.c +@@ -2860,7 +2860,8 @@ int ice_vsi_release(struct ice_vsi *vsi) + clear_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state); + } + +- ice_devlink_destroy_port(vsi); ++ if (vsi->type == ICE_VSI_PF) ++ ice_devlink_destroy_pf_port(pf); + + if (test_bit(ICE_FLAG_RSS_ENA, pf->flags)) + ice_rss_clean(vsi); +diff --git a/drivers/net/ethernet/intel/ice/ice_main.c b/drivers/net/ethernet/intel/ice/ice_main.c +index 06fa93e597fbc..30077104d1439 100644 +--- a/drivers/net/ethernet/intel/ice/ice_main.c ++++ b/drivers/net/ethernet/intel/ice/ice_main.c +@@ -4170,11 +4170,11 @@ static int ice_register_netdev(struct ice_pf *pf) + set_bit(ICE_VSI_NETDEV_REGISTERED, vsi->state); + netif_carrier_off(vsi->netdev); + netif_tx_stop_all_queues(vsi->netdev); +- err = ice_devlink_create_port(vsi); ++ err = ice_devlink_create_pf_port(pf); + if (err) + goto err_devlink_create; + +- devlink_port_type_eth_set(&vsi->devlink_port, vsi->netdev); ++ devlink_port_type_eth_set(&pf->devlink_port, vsi->netdev); + + return 0; + err_devlink_create: +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +index e93430ab37f1e..a827c6b653a38 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c +@@ -251,7 +251,7 @@ ice_vc_hash_field_match_type ice_vc_hash_field_list_comms[] = { + * ice_get_vf_vsi - get VF's VSI based on the stored index + * @vf: VF used to get VSI + */ +-static struct ice_vsi *ice_get_vf_vsi(struct ice_vf *vf) ++struct ice_vsi *ice_get_vf_vsi(struct ice_vf *vf) + { + return vf->pf->vsi[vf->lan_vsi_idx]; + } +diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h +index 842cb077df861..38b4dc82c5c18 100644 +--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h ++++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.h +@@ -111,9 +111,13 @@ struct ice_vf { + struct ice_mdd_vf_events mdd_rx_events; + struct ice_mdd_vf_events mdd_tx_events; + DECLARE_BITMAP(opcodes_allowlist, VIRTCHNL_OP_MAX); ++ ++ /* devlink port data */ ++ struct devlink_port devlink_port; + }; + + #ifdef CONFIG_PCI_IOV ++struct ice_vsi *ice_get_vf_vsi(struct ice_vf *vf); + void ice_process_vflr_event(struct ice_pf *pf); + int ice_sriov_configure(struct pci_dev *pdev, int num_vfs); + int ice_set_vf_mac(struct net_device *netdev, int vf_id, u8 *mac); +@@ -171,6 +175,11 @@ static inline void ice_print_vfs_mdd_events(struct ice_pf *pf) { } + static inline void ice_print_vf_rx_mdd_event(struct ice_vf *vf) { } + static inline void ice_restore_all_vfs_msi_state(struct pci_dev *pdev) { } + ++static inline struct ice_vsi *ice_get_vf_vsi(struct ice_vf *vf) ++{ ++ return NULL; ++} ++ + static inline bool + ice_is_malicious_vf(struct ice_pf __always_unused *pf, + struct ice_rq_event_info __always_unused *event, +-- +2.33.0 + diff --git a/queue-5.15/iio-adis-do-not-disabe-irqs-in-adis_init.patch b/queue-5.15/iio-adis-do-not-disabe-irqs-in-adis_init.patch new file mode 100644 index 00000000000..226b1576e5a --- /dev/null +++ b/queue-5.15/iio-adis-do-not-disabe-irqs-in-adis_init.patch @@ -0,0 +1,62 @@ +From d4ab7914ef0481416052442ba0c5cfff2060610c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Sep 2021 16:14:19 +0200 +Subject: iio: adis: do not disabe IRQs in 'adis_init()' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +[ Upstream commit b600bd7eb333554518b4dd36b882b2ae58a5149e ] + +With commit ecb010d441088 ("iio: imu: adis: Refactor adis_initial_startup") +we are doing a HW or SW reset to the device which means that we'll get +the default state of the data ready pin (which is enabled). Hence there's +no point in disabling the IRQ in the init function. Moreover, this +function is intended to initialize internal data structures and not +really do anything on the device. + +As a result of this, some devices were left with the data ready pin enabled +after probe which was not the desired behavior. Thus, we move the call to +'adis_enable_irq()' to the initial startup function where it makes more +sense for it to be. + +Note that for devices that cannot mask/unmask the pin, it makes no sense +to call the function at this point since the IRQ should not have been +yet requested. This will be improved in a follow up change. + +Fixes: ecb010d441088 ("iio: imu: adis: Refactor adis_initial_startup") +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20210903141423.517028-2-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/imu/adis.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/imu/adis.c b/drivers/iio/imu/adis.c +index b9a06ca29beec..d4e692b187cda 100644 +--- a/drivers/iio/imu/adis.c ++++ b/drivers/iio/imu/adis.c +@@ -430,6 +430,8 @@ int __adis_initial_startup(struct adis *adis) + if (ret) + return ret; + ++ adis_enable_irq(adis, false); ++ + if (!adis->data->prod_id_reg) + return 0; + +@@ -526,7 +528,7 @@ int adis_init(struct adis *adis, struct iio_dev *indio_dev, + adis->current_page = 0; + } + +- return adis_enable_irq(adis, false); ++ return 0; + } + EXPORT_SYMBOL_GPL(adis_init); + +-- +2.33.0 + diff --git a/queue-5.15/iio-buffer-fix-double-free-in-iio_buffers_alloc_sysf.patch b/queue-5.15/iio-buffer-fix-double-free-in-iio_buffers_alloc_sysf.patch new file mode 100644 index 00000000000..81647220b5b --- /dev/null +++ b/queue-5.15/iio-buffer-fix-double-free-in-iio_buffers_alloc_sysf.patch @@ -0,0 +1,48 @@ +From 78fed457fbc20d88affce13a740010e656f126e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 12:49:22 +0300 +Subject: iio: buffer: Fix double-free in iio_buffers_alloc_sysfs_and_mask() + +From: Yang Yingliang + +[ Upstream commit 09776d9374e635b1580b3736c19b95b788fbaa85 ] + +When __iio_buffer_alloc_sysfs_and_mask() failed, 'unwind_idx' should be +set to 'i - 1' to prevent double-free when cleanup resources. + +BUG: KASAN: double-free or invalid-free in __iio_buffer_free_sysfs_and_mask+0x32/0xb0 [industrialio] +Call Trace: + kfree+0x117/0x4c0 + __iio_buffer_free_sysfs_and_mask+0x32/0xb0 [industrialio] + iio_buffers_alloc_sysfs_and_mask+0x60d/0x1570 [industrialio] + __iio_device_register+0x483/0x1a30 [industrialio] + ina2xx_probe+0x625/0x980 [ina2xx_adc] + +Reported-by: Hulk Robot +Fixes: ee708e6baacd ("iio: buffer: introduce support for attaching more IIO buffers") +Signed-off-by: Yang Yingliang +Reviewed-by: Alexandru Ardelean +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20211013094923.2473-2-andriy.shevchenko@linux.intel.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/industrialio-buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/industrialio-buffer.c b/drivers/iio/industrialio-buffer.c +index 7f4e3ceaafec6..2f98ba70e3d78 100644 +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -1624,7 +1624,7 @@ int iio_buffers_alloc_sysfs_and_mask(struct iio_dev *indio_dev) + buffer = iio_dev_opaque->attached_buffers[i]; + ret = __iio_buffer_alloc_sysfs_and_mask(buffer, indio_dev, i); + if (ret) { +- unwind_idx = i; ++ unwind_idx = i - 1; + goto error_unwind_sysfs_and_mask; + } + } +-- +2.33.0 + diff --git a/queue-5.15/iio-st_pressure_spi-add-missing-entries-spi-to-devic.patch b/queue-5.15/iio-st_pressure_spi-add-missing-entries-spi-to-devic.patch new file mode 100644 index 00000000000..f39e3c2dab2 --- /dev/null +++ b/queue-5.15/iio-st_pressure_spi-add-missing-entries-spi-to-devic.patch @@ -0,0 +1,42 @@ +From 55839f1f811a1001ced4de8e9978493fb7ca064e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 14:41:53 +0100 +Subject: iio: st_pressure_spi: Add missing entries SPI to device ID table + +From: Mark Brown + +[ Upstream commit 03748d4e003c9f2ad3cd00e3e46f054dcad6b96d ] + +Currently autoloading for SPI devices does not use the DT ID table, it uses +SPI modalises. Supporting OF modalises is going to be difficult if not +impractical, an attempt was made but has been reverted, so ensure that +module autoloading works for this driver by adding SPI IDs for parts that +only have a compatible listed. + +Fixes: 96c8395e2166 ("spi: Revert modalias changes") +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20210927134153.12739-1-broonie@kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/pressure/st_pressure_spi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/iio/pressure/st_pressure_spi.c b/drivers/iio/pressure/st_pressure_spi.c +index 5001aae8f00b8..e220cf0b125f1 100644 +--- a/drivers/iio/pressure/st_pressure_spi.c ++++ b/drivers/iio/pressure/st_pressure_spi.c +@@ -117,6 +117,10 @@ static const struct spi_device_id st_press_id_table[] = { + { LPS33HW_PRESS_DEV_NAME }, + { LPS35HW_PRESS_DEV_NAME }, + { LPS22HH_PRESS_DEV_NAME }, ++ { "lps001wp-press" }, ++ { "lps25h-press", }, ++ { "lps331ap-press" }, ++ { "lps22hb-press" }, + {}, + }; + MODULE_DEVICE_TABLE(spi, st_press_id_table); +-- +2.33.0 + diff --git a/queue-5.15/iio-st_sensors-disable-regulators-after-device-unreg.patch b/queue-5.15/iio-st_sensors-disable-regulators-after-device-unreg.patch new file mode 100644 index 00000000000..2659f52d58d --- /dev/null +++ b/queue-5.15/iio-st_sensors-disable-regulators-after-device-unreg.patch @@ -0,0 +1,183 @@ +From a7b641d21d04fa2a1f9f175c10dbcb7cebf53daa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Aug 2021 14:22:00 +0300 +Subject: iio: st_sensors: disable regulators after device unregistration + +From: Alexandru Ardelean + +[ Upstream commit 9f0b3e0cc0c88618aa9e5cecef747b1337ae0a5d ] + +Up until commit ea7e586bdd331 ("iio: st_sensors: move regulator retrieveal +to core") only the ST pressure driver seems to have had any regulator +disable. After that commit, the regulator handling was moved into the +common st_sensors logic. + +In all instances of this regulator handling, the regulators were disabled +before unregistering the IIO device. +This can cause issues where the device would be powered down and still be +available to userspace, allowing it to send invalid/garbage data. + +This change moves the st_sensors_power_disable() after the common probe +functions. These common probe functions also handle unregistering the IIO +device. + +Fixes: 774487611c949 ("iio: pressure-core: st: Provide support for the Vdd power supply") +Fixes: ea7e586bdd331 ("iio: st_sensors: move regulator retrieveal to core") +Cc: Lee Jones +Cc: Denis CIOCCA +Reviewed-by: Linus Walleij +Reviewed-by: Andy Shevchenko +Signed-off-by: Alexandru Ardelean +Link: https://lore.kernel.org/r/20210823112204.243255-2-aardelean@deviqon.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/st_accel_i2c.c | 4 ++-- + drivers/iio/accel/st_accel_spi.c | 4 ++-- + drivers/iio/gyro/st_gyro_i2c.c | 4 ++-- + drivers/iio/gyro/st_gyro_spi.c | 4 ++-- + drivers/iio/magnetometer/st_magn_i2c.c | 4 ++-- + drivers/iio/magnetometer/st_magn_spi.c | 4 ++-- + drivers/iio/pressure/st_pressure_i2c.c | 4 ++-- + drivers/iio/pressure/st_pressure_spi.c | 4 ++-- + 8 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/iio/accel/st_accel_i2c.c b/drivers/iio/accel/st_accel_i2c.c +index f711756e41e3d..cba57459e90ab 100644 +--- a/drivers/iio/accel/st_accel_i2c.c ++++ b/drivers/iio/accel/st_accel_i2c.c +@@ -193,10 +193,10 @@ static int st_accel_i2c_remove(struct i2c_client *client) + { + struct iio_dev *indio_dev = i2c_get_clientdata(client); + +- st_sensors_power_disable(indio_dev); +- + st_accel_common_remove(indio_dev); + ++ st_sensors_power_disable(indio_dev); ++ + return 0; + } + +diff --git a/drivers/iio/accel/st_accel_spi.c b/drivers/iio/accel/st_accel_spi.c +index bb45d9ff95b85..5167fae1ee8ec 100644 +--- a/drivers/iio/accel/st_accel_spi.c ++++ b/drivers/iio/accel/st_accel_spi.c +@@ -143,10 +143,10 @@ static int st_accel_spi_remove(struct spi_device *spi) + { + struct iio_dev *indio_dev = spi_get_drvdata(spi); + +- st_sensors_power_disable(indio_dev); +- + st_accel_common_remove(indio_dev); + ++ st_sensors_power_disable(indio_dev); ++ + return 0; + } + +diff --git a/drivers/iio/gyro/st_gyro_i2c.c b/drivers/iio/gyro/st_gyro_i2c.c +index 3ef86e16ee656..a8164fe48b857 100644 +--- a/drivers/iio/gyro/st_gyro_i2c.c ++++ b/drivers/iio/gyro/st_gyro_i2c.c +@@ -106,10 +106,10 @@ static int st_gyro_i2c_remove(struct i2c_client *client) + { + struct iio_dev *indio_dev = i2c_get_clientdata(client); + +- st_sensors_power_disable(indio_dev); +- + st_gyro_common_remove(indio_dev); + ++ st_sensors_power_disable(indio_dev); ++ + return 0; + } + +diff --git a/drivers/iio/gyro/st_gyro_spi.c b/drivers/iio/gyro/st_gyro_spi.c +index 41d835493347c..9d8916871b4bf 100644 +--- a/drivers/iio/gyro/st_gyro_spi.c ++++ b/drivers/iio/gyro/st_gyro_spi.c +@@ -110,10 +110,10 @@ static int st_gyro_spi_remove(struct spi_device *spi) + { + struct iio_dev *indio_dev = spi_get_drvdata(spi); + +- st_sensors_power_disable(indio_dev); +- + st_gyro_common_remove(indio_dev); + ++ st_sensors_power_disable(indio_dev); ++ + return 0; + } + +diff --git a/drivers/iio/magnetometer/st_magn_i2c.c b/drivers/iio/magnetometer/st_magn_i2c.c +index 2dfe4ee99591b..fa78f0a3b53ea 100644 +--- a/drivers/iio/magnetometer/st_magn_i2c.c ++++ b/drivers/iio/magnetometer/st_magn_i2c.c +@@ -102,10 +102,10 @@ static int st_magn_i2c_remove(struct i2c_client *client) + { + struct iio_dev *indio_dev = i2c_get_clientdata(client); + +- st_sensors_power_disable(indio_dev); +- + st_magn_common_remove(indio_dev); + ++ st_sensors_power_disable(indio_dev); ++ + return 0; + } + +diff --git a/drivers/iio/magnetometer/st_magn_spi.c b/drivers/iio/magnetometer/st_magn_spi.c +index fba9787963952..ff43cbf61b056 100644 +--- a/drivers/iio/magnetometer/st_magn_spi.c ++++ b/drivers/iio/magnetometer/st_magn_spi.c +@@ -96,10 +96,10 @@ static int st_magn_spi_remove(struct spi_device *spi) + { + struct iio_dev *indio_dev = spi_get_drvdata(spi); + +- st_sensors_power_disable(indio_dev); +- + st_magn_common_remove(indio_dev); + ++ st_sensors_power_disable(indio_dev); ++ + return 0; + } + +diff --git a/drivers/iio/pressure/st_pressure_i2c.c b/drivers/iio/pressure/st_pressure_i2c.c +index 52fa98f24478d..6215de677017e 100644 +--- a/drivers/iio/pressure/st_pressure_i2c.c ++++ b/drivers/iio/pressure/st_pressure_i2c.c +@@ -119,10 +119,10 @@ static int st_press_i2c_remove(struct i2c_client *client) + { + struct iio_dev *indio_dev = i2c_get_clientdata(client); + +- st_sensors_power_disable(indio_dev); +- + st_press_common_remove(indio_dev); + ++ st_sensors_power_disable(indio_dev); ++ + return 0; + } + +diff --git a/drivers/iio/pressure/st_pressure_spi.c b/drivers/iio/pressure/st_pressure_spi.c +index ee393df54cee8..5001aae8f00b8 100644 +--- a/drivers/iio/pressure/st_pressure_spi.c ++++ b/drivers/iio/pressure/st_pressure_spi.c +@@ -102,10 +102,10 @@ static int st_press_spi_remove(struct spi_device *spi) + { + struct iio_dev *indio_dev = spi_get_drvdata(spi); + +- st_sensors_power_disable(indio_dev); +- + st_press_common_remove(indio_dev); + ++ st_sensors_power_disable(indio_dev); ++ + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/ima-fix-deadlock-when-traversing-ima_default_rules.patch b/queue-5.15/ima-fix-deadlock-when-traversing-ima_default_rules.patch new file mode 100644 index 00000000000..2fdb2054c93 --- /dev/null +++ b/queue-5.15/ima-fix-deadlock-when-traversing-ima_default_rules.patch @@ -0,0 +1,143 @@ +From b5ae50edd5253ba512b41d476957210ad217d062 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Oct 2021 18:38:21 +0800 +Subject: ima: fix deadlock when traversing "ima_default_rules". + +From: liqiong + +[ Upstream commit eb0782bbdfd0d7c4786216659277c3fd585afc0e ] + +The current IMA ruleset is identified by the variable "ima_rules" +that default to "&ima_default_rules". When loading a custom policy +for the first time, the variable is updated to "&ima_policy_rules" +instead. That update isn't RCU-safe, and deadlocks are possible. +Indeed, some functions like ima_match_policy() may loop indefinitely +when traversing "ima_default_rules" with list_for_each_entry_rcu(). + +When iterating over the default ruleset back to head, if the list +head is "ima_default_rules", and "ima_rules" have been updated to +"&ima_policy_rules", the loop condition (&entry->list != ima_rules) +stays always true, traversing won't terminate, causing a soft lockup +and RCU stalls. + +Introduce a temporary value for "ima_rules" when iterating over +the ruleset to avoid the deadlocks. + +Signed-off-by: liqiong +Reviewed-by: THOBY Simon +Fixes: 38d859f991f3 ("IMA: policy can now be updated multiple times") +Reported-by: kernel test robot (Fix sparse: incompatible types in comparison expression.) +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_policy.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c +index 87b9b71cb8201..12e8adcd80a2a 100644 +--- a/security/integrity/ima/ima_policy.c ++++ b/security/integrity/ima/ima_policy.c +@@ -228,7 +228,7 @@ static struct ima_rule_entry *arch_policy_entry __ro_after_init; + static LIST_HEAD(ima_default_rules); + static LIST_HEAD(ima_policy_rules); + static LIST_HEAD(ima_temp_rules); +-static struct list_head *ima_rules = &ima_default_rules; ++static struct list_head __rcu *ima_rules = (struct list_head __rcu *)(&ima_default_rules); + + static int ima_policy __initdata; + +@@ -675,12 +675,14 @@ int ima_match_policy(struct user_namespace *mnt_userns, struct inode *inode, + { + struct ima_rule_entry *entry; + int action = 0, actmask = flags | (flags << 1); ++ struct list_head *ima_rules_tmp; + + if (template_desc && !*template_desc) + *template_desc = ima_template_desc_current(); + + rcu_read_lock(); +- list_for_each_entry_rcu(entry, ima_rules, list) { ++ ima_rules_tmp = rcu_dereference(ima_rules); ++ list_for_each_entry_rcu(entry, ima_rules_tmp, list) { + + if (!(entry->action & actmask)) + continue; +@@ -741,9 +743,11 @@ void ima_update_policy_flags(void) + { + struct ima_rule_entry *entry; + int new_policy_flag = 0; ++ struct list_head *ima_rules_tmp; + + rcu_read_lock(); +- list_for_each_entry(entry, ima_rules, list) { ++ ima_rules_tmp = rcu_dereference(ima_rules); ++ list_for_each_entry_rcu(entry, ima_rules_tmp, list) { + /* + * SETXATTR_CHECK rules do not implement a full policy check + * because rule checking would probably have an important +@@ -968,10 +972,10 @@ void ima_update_policy(void) + + list_splice_tail_init_rcu(&ima_temp_rules, policy, synchronize_rcu); + +- if (ima_rules != policy) { ++ if (ima_rules != (struct list_head __rcu *)policy) { + ima_policy_flag = 0; +- ima_rules = policy; + ++ rcu_assign_pointer(ima_rules, policy); + /* + * IMA architecture specific policy rules are specified + * as strings and converted to an array of ima_entry_rules +@@ -1061,7 +1065,7 @@ static int ima_lsm_rule_init(struct ima_rule_entry *entry, + pr_warn("rule for LSM \'%s\' is undefined\n", + entry->lsm[lsm_rule].args_p); + +- if (ima_rules == &ima_default_rules) { ++ if (ima_rules == (struct list_head __rcu *)(&ima_default_rules)) { + kfree(entry->lsm[lsm_rule].args_p); + entry->lsm[lsm_rule].args_p = NULL; + result = -EINVAL; +@@ -1768,9 +1772,11 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos) + { + loff_t l = *pos; + struct ima_rule_entry *entry; ++ struct list_head *ima_rules_tmp; + + rcu_read_lock(); +- list_for_each_entry_rcu(entry, ima_rules, list) { ++ ima_rules_tmp = rcu_dereference(ima_rules); ++ list_for_each_entry_rcu(entry, ima_rules_tmp, list) { + if (!l--) { + rcu_read_unlock(); + return entry; +@@ -1789,7 +1795,8 @@ void *ima_policy_next(struct seq_file *m, void *v, loff_t *pos) + rcu_read_unlock(); + (*pos)++; + +- return (&entry->list == ima_rules) ? NULL : entry; ++ return (&entry->list == &ima_default_rules || ++ &entry->list == &ima_policy_rules) ? NULL : entry; + } + + void ima_policy_stop(struct seq_file *m, void *v) +@@ -2014,6 +2021,7 @@ bool ima_appraise_signature(enum kernel_read_file_id id) + struct ima_rule_entry *entry; + bool found = false; + enum ima_hooks func; ++ struct list_head *ima_rules_tmp; + + if (id >= READING_MAX_ID) + return false; +@@ -2021,7 +2029,8 @@ bool ima_appraise_signature(enum kernel_read_file_id id) + func = read_idmap[id] ?: FILE_CHECK; + + rcu_read_lock(); +- list_for_each_entry_rcu(entry, ima_rules, list) { ++ ima_rules_tmp = rcu_dereference(ima_rules); ++ list_for_each_entry_rcu(entry, ima_rules_tmp, list) { + if (entry->action != APPRAISE) + continue; + +-- +2.33.0 + diff --git a/queue-5.15/inet-remove-races-in-inet-6-_getname.patch b/queue-5.15/inet-remove-races-in-inet-6-_getname.patch new file mode 100644 index 00000000000..7363dd88996 --- /dev/null +++ b/queue-5.15/inet-remove-races-in-inet-6-_getname.patch @@ -0,0 +1,167 @@ +From 5c74750c34c07c30c3c1752b0bdcca0433391beb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 14:30:14 -0700 +Subject: inet: remove races in inet{6}_getname() + +From: Eric Dumazet + +[ Upstream commit 9dfc685e0262d4c5e44e13302f89841fa75173ca ] + +syzbot reported data-races in inet_getname() multiple times, +it is time we fix this instead of pretending applications +should not trigger them. + +getsockname() and getpeername() are not really considered fast path. + +v2: added the missing BPF_CGROUP_RUN_SA_PROG() declaration + needed when CONFIG_CGROUP_BPF=n, as reported by + kernel test robot + +syzbot typical report: + +BUG: KCSAN: data-race in __inet_hash_connect / inet_getname + +write to 0xffff888136d66cf8 of 2 bytes by task 14374 on cpu 1: + __inet_hash_connect+0x7ec/0x950 net/ipv4/inet_hashtables.c:831 + inet_hash_connect+0x85/0x90 net/ipv4/inet_hashtables.c:853 + tcp_v4_connect+0x782/0xbb0 net/ipv4/tcp_ipv4.c:275 + __inet_stream_connect+0x156/0x6e0 net/ipv4/af_inet.c:664 + inet_stream_connect+0x44/0x70 net/ipv4/af_inet.c:728 + __sys_connect_file net/socket.c:1896 [inline] + __sys_connect+0x254/0x290 net/socket.c:1913 + __do_sys_connect net/socket.c:1923 [inline] + __se_sys_connect net/socket.c:1920 [inline] + __x64_sys_connect+0x3d/0x50 net/socket.c:1920 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xa0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +read to 0xffff888136d66cf8 of 2 bytes by task 14408 on cpu 0: + inet_getname+0x11f/0x170 net/ipv4/af_inet.c:790 + __sys_getsockname+0x11d/0x1b0 net/socket.c:1946 + __do_sys_getsockname net/socket.c:1961 [inline] + __se_sys_getsockname net/socket.c:1958 [inline] + __x64_sys_getsockname+0x3e/0x50 net/socket.c:1958 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x44/0xa0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +value changed: 0x0000 -> 0xdee0 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 14408 Comm: syz-executor.3 Not tainted 5.15.0-rc3-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20211026213014.3026708-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + include/linux/bpf-cgroup.h | 1 + + net/ipv4/af_inet.c | 16 +++++++++------- + net/ipv6/af_inet6.c | 21 +++++++++++---------- + 3 files changed, 21 insertions(+), 17 deletions(-) + +diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h +index 2746fd8042162..3536ab432b30c 100644 +--- a/include/linux/bpf-cgroup.h ++++ b/include/linux/bpf-cgroup.h +@@ -517,6 +517,7 @@ static inline int bpf_percpu_cgroup_storage_update(struct bpf_map *map, + + #define cgroup_bpf_enabled(atype) (0) + #define BPF_CGROUP_RUN_SA_PROG_LOCK(sk, uaddr, atype, t_ctx) ({ 0; }) ++#define BPF_CGROUP_RUN_SA_PROG(sk, uaddr, atype) ({ 0; }) + #define BPF_CGROUP_PRE_CONNECT_ENABLED(sk) (0) + #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk,skb) ({ 0; }) + #define BPF_CGROUP_RUN_PROG_INET_EGRESS(sk,skb) ({ 0; }) +diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c +index 1d816a5fd3eb9..64062b7ce61df 100644 +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -773,26 +773,28 @@ int inet_getname(struct socket *sock, struct sockaddr *uaddr, + DECLARE_SOCKADDR(struct sockaddr_in *, sin, uaddr); + + sin->sin_family = AF_INET; ++ lock_sock(sk); + if (peer) { + if (!inet->inet_dport || + (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_SYN_SENT)) && +- peer == 1)) ++ peer == 1)) { ++ release_sock(sk); + return -ENOTCONN; ++ } + sin->sin_port = inet->inet_dport; + sin->sin_addr.s_addr = inet->inet_daddr; +- BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin, +- CGROUP_INET4_GETPEERNAME, +- NULL); ++ BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin, ++ CGROUP_INET4_GETPEERNAME); + } else { + __be32 addr = inet->inet_rcv_saddr; + if (!addr) + addr = inet->inet_saddr; + sin->sin_port = inet->inet_sport; + sin->sin_addr.s_addr = addr; +- BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin, +- CGROUP_INET4_GETSOCKNAME, +- NULL); ++ BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin, ++ CGROUP_INET4_GETSOCKNAME); + } ++ release_sock(sk); + memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); + return sizeof(*sin); + } +diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c +index b5878bb8e419d..0c4da163535ad 100644 +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -521,31 +521,32 @@ int inet6_getname(struct socket *sock, struct sockaddr *uaddr, + sin->sin6_family = AF_INET6; + sin->sin6_flowinfo = 0; + sin->sin6_scope_id = 0; ++ lock_sock(sk); + if (peer) { +- if (!inet->inet_dport) +- return -ENOTCONN; +- if (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_SYN_SENT)) && +- peer == 1) ++ if (!inet->inet_dport || ++ (((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_SYN_SENT)) && ++ peer == 1)) { ++ release_sock(sk); + return -ENOTCONN; ++ } + sin->sin6_port = inet->inet_dport; + sin->sin6_addr = sk->sk_v6_daddr; + if (np->sndflow) + sin->sin6_flowinfo = np->flow_label; +- BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin, +- CGROUP_INET6_GETPEERNAME, +- NULL); ++ BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin, ++ CGROUP_INET6_GETPEERNAME); + } else { + if (ipv6_addr_any(&sk->sk_v6_rcv_saddr)) + sin->sin6_addr = np->saddr; + else + sin->sin6_addr = sk->sk_v6_rcv_saddr; + sin->sin6_port = inet->inet_sport; +- BPF_CGROUP_RUN_SA_PROG_LOCK(sk, (struct sockaddr *)sin, +- CGROUP_INET6_GETSOCKNAME, +- NULL); ++ BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin, ++ CGROUP_INET6_GETSOCKNAME); + } + sin->sin6_scope_id = ipv6_iface_scope_id(&sin->sin6_addr, + sk->sk_bound_dev_if); ++ release_sock(sk); + return sizeof(*sin); + } + EXPORT_SYMBOL(inet6_getname); +-- +2.33.0 + diff --git a/queue-5.15/init-make-unknown-command-line-param-message-clearer.patch b/queue-5.15/init-make-unknown-command-line-param-message-clearer.patch new file mode 100644 index 00000000000..e430b6aaebb --- /dev/null +++ b/queue-5.15/init-make-unknown-command-line-param-message-clearer.patch @@ -0,0 +1,53 @@ +From 9cc4edb876c8e1a3a43dabaf16b93e58590ba8d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 18:34:27 -0800 +Subject: init: make unknown command line param message clearer + +From: Andrew Halaney + +[ Upstream commit 8bc2b3dca7292347d8e715fb723c587134abe013 ] + +The prior message is confusing users, which is the exact opposite of the +goal. If the message is being seen, one of the following situations is +happening: + + 1. the param is misspelled + 2. the param is not valid due to the kernel configuration + 3. the param is intended for init but isn't after the '--' + delineator on the command line + +To make that more clear to the user, explicitly mention "kernel command +line" and also note that the params are still passed to user space to +avoid causing any alarm over params intended for init. + +Link: https://lkml.kernel.org/r/20211013223502.96756-1-ahalaney@redhat.com +Fixes: 86d1919a4fb0 ("init: print out unknown kernel parameters") +Signed-off-by: Andrew Halaney +Suggested-by: Steven Rostedt (VMware) +Acked-by: Randy Dunlap +Cc: Borislav Petkov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + init/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/init/main.c b/init/main.c +index 3c4054a955458..bcd132d4e7bdd 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -924,7 +924,9 @@ static void __init print_unknown_bootoptions(void) + for (p = &envp_init[2]; *p; p++) + end += sprintf(end, " %s", *p); + +- pr_notice("Unknown command line parameters:%s\n", unknown_options); ++ /* Start at unknown_options[1] to skip the initial space */ ++ pr_notice("Unknown kernel command line parameters \"%s\", will be passed to user space.\n", ++ &unknown_options[1]); + memblock_free_ptr(unknown_options, len); + } + +-- +2.33.0 + diff --git a/queue-5.15/input-ariel-pwrbutton-add-spi-device-id-table.patch b/queue-5.15/input-ariel-pwrbutton-add-spi-device-id-table.patch new file mode 100644 index 00000000000..54c538aaf7b --- /dev/null +++ b/queue-5.15/input-ariel-pwrbutton-add-spi-device-id-table.patch @@ -0,0 +1,50 @@ +From 7678a18f2df567b6425bdf90086bd12ac8c4b9b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Oct 2021 21:20:49 -0700 +Subject: Input: ariel-pwrbutton - add SPI device ID table + +From: Mark Brown + +[ Upstream commit 5c4c2c8e6fac26fa0b80c234d6e9f75d637193af ] + +Currently autoloading for SPI devices does not use the DT ID table, it uses +SPI modalises. Supporting OF modalises is going to be difficult if not +impractical, an attempt was made but has been reverted, so ensure that +module autoloading works for this driver by adding a SPI device ID table. + +Fixes: 96c8395e2166 ("spi: Revert modalias changes") +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20210927134104.38648-1-broonie@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/misc/ariel-pwrbutton.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/input/misc/ariel-pwrbutton.c b/drivers/input/misc/ariel-pwrbutton.c +index 17bbaac8b80c8..cdc80715b5fd6 100644 +--- a/drivers/input/misc/ariel-pwrbutton.c ++++ b/drivers/input/misc/ariel-pwrbutton.c +@@ -149,12 +149,19 @@ static const struct of_device_id ariel_pwrbutton_of_match[] = { + }; + MODULE_DEVICE_TABLE(of, ariel_pwrbutton_of_match); + ++static const struct spi_device_id ariel_pwrbutton_spi_ids[] = { ++ { .name = "wyse-ariel-ec-input" }, ++ { } ++}; ++MODULE_DEVICE_TABLE(spi, ariel_pwrbutton_spi_ids); ++ + static struct spi_driver ariel_pwrbutton_driver = { + .driver = { + .name = "dell-wyse-ariel-ec-input", + .of_match_table = ariel_pwrbutton_of_match, + }, + .probe = ariel_pwrbutton_probe, ++ .id_table = ariel_pwrbutton_spi_ids, + }; + module_spi_driver(ariel_pwrbutton_driver); + +-- +2.33.0 + diff --git a/queue-5.15/input-st1232-increase-wait-ready-timeout.patch b/queue-5.15/input-st1232-increase-wait-ready-timeout.patch new file mode 100644 index 00000000000..b3356375047 --- /dev/null +++ b/queue-5.15/input-st1232-increase-wait-ready-timeout.patch @@ -0,0 +1,51 @@ +From a0cb9926d17c96fe4266f221a595040b83e8c311 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 11:06:03 -0700 +Subject: Input: st1232 - increase "wait ready" timeout + +From: John Keeping + +[ Upstream commit 2667f6b7af99e81958fa97c03bb519fcb09d0055 ] + +I have a ST1633 touch controller which fails to probe due to a timeout +waiting for the controller to become ready. Increasing the minimum +delay to 100ms ensures that the probe sequence completes successfully. + +The ST1633 datasheet says nothing about the maximum delay here and the +ST1232 I2C protocol document says "wait until" with no notion of a +timeout. + +Since this only runs once during probe, being generous with the timout +seems reasonable and most likely the device will become ready +eventually. + +(It may be worth noting that I saw this issue with a PREEMPT_RT patched +kernel which probably has tighter wakeups from usleep_range() than other +preemption models.) + +Fixes: f605be6a57b4 ("Input: st1232 - wait until device is ready before reading resolution") +Signed-off-by: John Keeping +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20210929152609.2421483-1-john@metanate.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/st1232.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/touchscreen/st1232.c b/drivers/input/touchscreen/st1232.c +index 6abae665ca71d..9d1dea6996a22 100644 +--- a/drivers/input/touchscreen/st1232.c ++++ b/drivers/input/touchscreen/st1232.c +@@ -92,7 +92,7 @@ static int st1232_ts_wait_ready(struct st1232_ts_data *ts) + unsigned int retries; + int error; + +- for (retries = 10; retries; retries--) { ++ for (retries = 100; retries; retries--) { + error = st1232_ts_read_data(ts, REG_STATUS, 1); + if (!error) { + switch (ts->read_buf[0]) { +-- +2.33.0 + diff --git a/queue-5.15/io-wq-fix-max-workers-not-correctly-set-on-multi-nod.patch b/queue-5.15/io-wq-fix-max-workers-not-correctly-set-on-multi-nod.patch new file mode 100644 index 00000000000..1169d3cb1f5 --- /dev/null +++ b/queue-5.15/io-wq-fix-max-workers-not-correctly-set-on-multi-nod.patch @@ -0,0 +1,74 @@ +From bd6d5078102f2606b74ecfff0b03b556a4a83406 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 12:32:08 -0600 +Subject: io-wq: fix max-workers not correctly set on multi-node system + +From: Beld Zhang + +[ Upstream commit 71c9ce27bb57c59d8d7f5298e730c8096eef3d1f ] + +In io-wq.c:io_wq_max_workers(), new_count[] was changed right after each +node's value was set. This caused the following node getting the setting +of the previous one. + +Returned values are copied from node 0. + +Fixes: 2e480058ddc2 ("io-wq: provide a way to limit max number of workers") +Signed-off-by: Beld Zhang +[axboe: minor fixups] +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io-wq.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/fs/io-wq.c b/fs/io-wq.c +index 5d189b24a8d4b..8c61315657546 100644 +--- a/fs/io-wq.c ++++ b/fs/io-wq.c +@@ -1318,7 +1318,9 @@ int io_wq_cpu_affinity(struct io_wq *wq, cpumask_var_t mask) + */ + int io_wq_max_workers(struct io_wq *wq, int *new_count) + { +- int i, node, prev = 0; ++ int prev[IO_WQ_ACCT_NR]; ++ bool first_node = true; ++ int i, node; + + BUILD_BUG_ON((int) IO_WQ_ACCT_BOUND != (int) IO_WQ_BOUND); + BUILD_BUG_ON((int) IO_WQ_ACCT_UNBOUND != (int) IO_WQ_UNBOUND); +@@ -1329,6 +1331,9 @@ int io_wq_max_workers(struct io_wq *wq, int *new_count) + new_count[i] = task_rlimit(current, RLIMIT_NPROC); + } + ++ for (i = 0; i < IO_WQ_ACCT_NR; i++) ++ prev[i] = 0; ++ + rcu_read_lock(); + for_each_node(node) { + struct io_wqe *wqe = wq->wqes[node]; +@@ -1337,14 +1342,19 @@ int io_wq_max_workers(struct io_wq *wq, int *new_count) + raw_spin_lock(&wqe->lock); + for (i = 0; i < IO_WQ_ACCT_NR; i++) { + acct = &wqe->acct[i]; +- prev = max_t(int, acct->max_workers, prev); ++ if (first_node) ++ prev[i] = max_t(int, acct->max_workers, prev[i]); + if (new_count[i]) + acct->max_workers = new_count[i]; +- new_count[i] = prev; + } + raw_spin_unlock(&wqe->lock); ++ first_node = false; + } + rcu_read_unlock(); ++ ++ for (i = 0; i < IO_WQ_ACCT_NR; i++) ++ new_count[i] = prev[i]; ++ + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/io-wq-remove-duplicate-code-in-io_workqueue_create.patch b/queue-5.15/io-wq-remove-duplicate-code-in-io_workqueue_create.patch new file mode 100644 index 00000000000..016a9c92de0 --- /dev/null +++ b/queue-5.15/io-wq-remove-duplicate-code-in-io_workqueue_create.patch @@ -0,0 +1,66 @@ +From 334cf2045cb016bf99c0ae69f7ffd061360b6054 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Sep 2021 16:58:47 +0800 +Subject: io-wq: Remove duplicate code in io_workqueue_create() + +From: Bixuan Cui + +[ Upstream commit 71e1cef2d794338cc7b979d4c6144e1dc12718b5 ] + +While task_work_add() in io_workqueue_create() is true, +then duplicate code is executed: + + -> clear_bit_unlock(0, &worker->create_state); + -> io_worker_release(worker); + -> atomic_dec(&acct->nr_running); + -> io_worker_ref_put(wq); + -> return false; + + -> clear_bit_unlock(0, &worker->create_state); // back to io_workqueue_create() + -> io_worker_release(worker); + -> kfree(worker); + +The io_worker_release() and clear_bit_unlock() are executed twice. + +Fixes: 3146cba99aa2 ("io-wq: make worker creation resilient against signals") +Signed-off-by: Bixuan Cui +Link: https://lore.kernel.org/r/20210911085847.34849-1-cuibixuan@huawei.com +Reviwed-by: Hao Xu +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io-wq.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/fs/io-wq.c b/fs/io-wq.c +index 203c0e2a5dfae..5d189b24a8d4b 100644 +--- a/fs/io-wq.c ++++ b/fs/io-wq.c +@@ -359,8 +359,10 @@ static bool io_queue_worker_create(struct io_worker *worker, + + init_task_work(&worker->create_work, func); + worker->create_index = acct->index; +- if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL)) ++ if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL)) { ++ clear_bit_unlock(0, &worker->create_state); + return true; ++ } + clear_bit_unlock(0, &worker->create_state); + fail_release: + io_worker_release(worker); +@@ -765,11 +767,8 @@ static void io_workqueue_create(struct work_struct *work) + struct io_worker *worker = container_of(work, struct io_worker, work); + struct io_wqe_acct *acct = io_wqe_get_acct(worker); + +- if (!io_queue_worker_create(worker, acct, create_worker_cont)) { +- clear_bit_unlock(0, &worker->create_state); +- io_worker_release(worker); ++ if (!io_queue_worker_create(worker, acct, create_worker_cont)) + kfree(worker); +- } + } + + static bool create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index) +-- +2.33.0 + diff --git a/queue-5.15/iommu-dma-fix-arch_sync_dma-for-map.patch b/queue-5.15/iommu-dma-fix-arch_sync_dma-for-map.patch new file mode 100644 index 00000000000..ae370c9db1f --- /dev/null +++ b/queue-5.15/iommu-dma-fix-arch_sync_dma-for-map.patch @@ -0,0 +1,84 @@ +From b784955a8a64a25db8a208c0429dedcd6f1f047a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 11:32:55 +0900 +Subject: iommu/dma: Fix arch_sync_dma for map + +From: David Stevens + +[ Upstream commit 06e620345d544e559b2961cb5a676ec9c80c8950 ] + +When calling arch_sync_dma, we need to pass it the memory that's +actually being used for dma. When using swiotlb bounce buffers, this is +the bounce buffer. Move arch_sync_dma into the __iommu_dma_map_swiotlb +helper, so it can use the bounce buffer address if necessary. + +Now that iommu_dma_map_sg delegates to a function which takes care of +architectural syncing in the untrusted device case, the call to +iommu_dma_sync_sg_for_device can be moved so it only occurs for trusted +devices. Doing the sync for untrusted devices before mapping never +really worked, since it needs to be able to target swiotlb buffers. + +This also moves the architectural sync to before the call to +__iommu_dma_map, to guarantee that untrusted devices can't see stale +data they shouldn't see. + +Fixes: 82612d66d51d ("iommu: Allow the iommu/dma api to use bounce buffers") +Signed-off-by: David Stevens +Reviewed-by: Christoph Hellwig +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20210929023300.335969-3-stevensd@google.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/dma-iommu.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c +index c4d205b63c582..19bebacbf1780 100644 +--- a/drivers/iommu/dma-iommu.c ++++ b/drivers/iommu/dma-iommu.c +@@ -593,6 +593,9 @@ static dma_addr_t __iommu_dma_map_swiotlb(struct device *dev, phys_addr_t phys, + memset(padding_start, 0, padding_size); + } + ++ if (!coherent && !(attrs & DMA_ATTR_SKIP_CPU_SYNC)) ++ arch_sync_dma_for_device(phys, org_size, dir); ++ + iova = __iommu_dma_map(dev, phys, aligned_size, prot, dma_mask); + if (iova == DMA_MAPPING_ERROR && is_swiotlb_buffer(dev, phys)) + swiotlb_tbl_unmap_single(dev, phys, org_size, dir, attrs); +@@ -860,14 +863,9 @@ static dma_addr_t iommu_dma_map_page(struct device *dev, struct page *page, + { + phys_addr_t phys = page_to_phys(page) + offset; + bool coherent = dev_is_dma_coherent(dev); +- dma_addr_t dma_handle; + +- dma_handle = __iommu_dma_map_swiotlb(dev, phys, size, dma_get_mask(dev), ++ return __iommu_dma_map_swiotlb(dev, phys, size, dma_get_mask(dev), + coherent, dir, attrs); +- if (!coherent && !(attrs & DMA_ATTR_SKIP_CPU_SYNC) && +- dma_handle != DMA_MAPPING_ERROR) +- arch_sync_dma_for_device(phys, size, dir); +- return dma_handle; + } + + static void iommu_dma_unmap_page(struct device *dev, dma_addr_t dma_handle, +@@ -1012,12 +1010,12 @@ static int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg, + goto out; + } + +- if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC)) +- iommu_dma_sync_sg_for_device(dev, sg, nents, dir); +- + if (dev_is_untrusted(dev)) + return iommu_dma_map_sg_swiotlb(dev, sg, nents, dir, attrs); + ++ if (!(attrs & DMA_ATTR_SKIP_CPU_SYNC)) ++ iommu_dma_sync_sg_for_device(dev, sg, nents, dir); ++ + /* + * Work out how much IOVA space we need, and align the segments to + * IOVA granules for the IOMMU driver to handle. With some clever +-- +2.33.0 + diff --git a/queue-5.15/iommu-dma-fix-incorrect-error-return-on-iommu-deferr.patch b/queue-5.15/iommu-dma-fix-incorrect-error-return-on-iommu-deferr.patch new file mode 100644 index 00000000000..2f6a7a8eead --- /dev/null +++ b/queue-5.15/iommu-dma-fix-incorrect-error-return-on-iommu-deferr.patch @@ -0,0 +1,47 @@ +From d866af7e8606fcf4befe2dffaf7df255a39a9f03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 11:47:57 -0600 +Subject: iommu/dma: Fix incorrect error return on iommu deferred attach + +From: Logan Gunthorpe + +[ Upstream commit ac315f96b3bd6f6b8f18f387816c7c2cc6b32e02 ] + +scsi_dma_map() was reporting a failure during boot on an AMD machine +with the IOMMU enabled. + + scsi_dma_map failed: request for 36 bytes! + +The issue was tracked down to a mistake in logic: should not return +an error if iommu_deferred_attach() returns zero. + +Reported-by: Marshall Midden +Fixes: dabb16f67215 ("iommu/dma: return error code from iommu_dma_map_sg()") +Link: https://lore.kernel.org/all/CAD2CkAWjS8=kKwEEN4cgVNjyFORUibzEiCUA-X+SMtbo0JoMmA@mail.gmail.com +Signed-off-by: Logan Gunthorpe +Cc: Joerg Roedel +Cc: Will Deacon +Link: https://lore.kernel.org/r/20211027174757.119755-1-logang@deltatee.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/dma-iommu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c +index 19bebacbf1780..2d60216440009 100644 +--- a/drivers/iommu/dma-iommu.c ++++ b/drivers/iommu/dma-iommu.c +@@ -1007,7 +1007,8 @@ static int iommu_dma_map_sg(struct device *dev, struct scatterlist *sg, + + if (static_branch_unlikely(&iommu_deferred_attach_enabled)) { + ret = iommu_deferred_attach(dev, domain); +- goto out; ++ if (ret) ++ goto out; + } + + if (dev_is_untrusted(dev)) +-- +2.33.0 + diff --git a/queue-5.15/iommu-dma-fix-sync_sg-with-swiotlb.patch b/queue-5.15/iommu-dma-fix-sync_sg-with-swiotlb.patch new file mode 100644 index 00000000000..1908720b57d --- /dev/null +++ b/queue-5.15/iommu-dma-fix-sync_sg-with-swiotlb.patch @@ -0,0 +1,89 @@ +From 29e89631ce7e9b7df7a93881a0f90fbc82c8196a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 11:32:54 +0900 +Subject: iommu/dma: Fix sync_sg with swiotlb + +From: David Stevens + +[ Upstream commit 08ae5d4a1ae96b72222e7b02d072bb997ff29dac ] + +The is_swiotlb_buffer function takes the physical address of the swiotlb +buffer, not the physical address of the original buffer. The sglist +contains the physical addresses of the original buffer, so for the +sync_sg functions to work properly when a bounce buffer might have been +used, we need to use iommu_iova_to_phys to look up the physical address. +This is what sync_single does, so call that function on each sglist +segment. + +The previous code mostly worked because swiotlb does the transfer on map +and unmap. However, any callers which use DMA_ATTR_SKIP_CPU_SYNC with +sglists or which call sync_sg would not have had anything copied to the +bounce buffer. + +Fixes: 82612d66d51d ("iommu: Allow the iommu/dma api to use bounce buffers") +Signed-off-by: David Stevens +Reviewed-by: Robin Murphy +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210929023300.335969-2-stevensd@google.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/dma-iommu.c | 33 +++++++++++++-------------------- + 1 file changed, 13 insertions(+), 20 deletions(-) + +diff --git a/drivers/iommu/dma-iommu.c b/drivers/iommu/dma-iommu.c +index 896bea04c347e..c4d205b63c582 100644 +--- a/drivers/iommu/dma-iommu.c ++++ b/drivers/iommu/dma-iommu.c +@@ -828,17 +828,13 @@ static void iommu_dma_sync_sg_for_cpu(struct device *dev, + struct scatterlist *sg; + int i; + +- if (dev_is_dma_coherent(dev) && !dev_is_untrusted(dev)) +- return; +- +- for_each_sg(sgl, sg, nelems, i) { +- if (!dev_is_dma_coherent(dev)) ++ if (dev_is_untrusted(dev)) ++ for_each_sg(sgl, sg, nelems, i) ++ iommu_dma_sync_single_for_cpu(dev, sg_dma_address(sg), ++ sg->length, dir); ++ else if (!dev_is_dma_coherent(dev)) ++ for_each_sg(sgl, sg, nelems, i) + arch_sync_dma_for_cpu(sg_phys(sg), sg->length, dir); +- +- if (is_swiotlb_buffer(dev, sg_phys(sg))) +- swiotlb_sync_single_for_cpu(dev, sg_phys(sg), +- sg->length, dir); +- } + } + + static void iommu_dma_sync_sg_for_device(struct device *dev, +@@ -848,17 +844,14 @@ static void iommu_dma_sync_sg_for_device(struct device *dev, + struct scatterlist *sg; + int i; + +- if (dev_is_dma_coherent(dev) && !dev_is_untrusted(dev)) +- return; +- +- for_each_sg(sgl, sg, nelems, i) { +- if (is_swiotlb_buffer(dev, sg_phys(sg))) +- swiotlb_sync_single_for_device(dev, sg_phys(sg), +- sg->length, dir); +- +- if (!dev_is_dma_coherent(dev)) ++ if (dev_is_untrusted(dev)) ++ for_each_sg(sgl, sg, nelems, i) ++ iommu_dma_sync_single_for_device(dev, ++ sg_dma_address(sg), ++ sg->length, dir); ++ else if (!dev_is_dma_coherent(dev)) ++ for_each_sg(sgl, sg, nelems, i) + arch_sync_dma_for_device(sg_phys(sg), sg->length, dir); +- } + } + + static dma_addr_t iommu_dma_map_page(struct device *dev, struct page *page, +-- +2.33.0 + diff --git a/queue-5.15/iommu-mediatek-fix-out-of-range-warning-with-clang.patch b/queue-5.15/iommu-mediatek-fix-out-of-range-warning-with-clang.patch new file mode 100644 index 00000000000..4bf819336d9 --- /dev/null +++ b/queue-5.15/iommu-mediatek-fix-out-of-range-warning-with-clang.patch @@ -0,0 +1,47 @@ +From 62128b6ab1be6d58fe4c510d25adbc278ee960da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 14:18:44 +0200 +Subject: iommu/mediatek: Fix out-of-range warning with clang + +From: Arnd Bergmann + +[ Upstream commit f13efafc1a2cf30d4a74c00f40210d6de36db2d0 ] + +clang-14 notices that a comparison is never true when +CONFIG_PHYS_ADDR_T_64BIT is disabled: + +drivers/iommu/mtk_iommu.c:553:34: error: result of comparison of constant 5368709120 with expression of type 'phys_addr_t' (aka 'unsigned int') is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (dom->data->enable_4GB && pa >= MTK_IOMMU_4GB_MODE_REMAP_BASE) + ~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Add an explicit check for the type of the variable to skip the check +and the warning in that case. + +Fixes: b4dad40e4f35 ("iommu/mediatek: Adjust the PA for the 4GB Mode") +Signed-off-by: Arnd Bergmann +Reviewed-by: Yong Wu +Link: https://lore.kernel.org/r/20210927121857.941160-1-arnd@kernel.org +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/mtk_iommu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c +index d837adfd1da55..25b834104790c 100644 +--- a/drivers/iommu/mtk_iommu.c ++++ b/drivers/iommu/mtk_iommu.c +@@ -550,7 +550,9 @@ static phys_addr_t mtk_iommu_iova_to_phys(struct iommu_domain *domain, + phys_addr_t pa; + + pa = dom->iop->iova_to_phys(dom->iop, iova); +- if (dom->data->enable_4GB && pa >= MTK_IOMMU_4GB_MODE_REMAP_BASE) ++ if (IS_ENABLED(CONFIG_PHYS_ADDR_T_64BIT) && ++ dom->data->enable_4GB && ++ pa >= MTK_IOMMU_4GB_MODE_REMAP_BASE) + pa &= ~BIT_ULL(32); + + return pa; +-- +2.33.0 + diff --git a/queue-5.15/iov_iter-fix-iov_iter_get_pages-_alloc-page-fault-re.patch b/queue-5.15/iov_iter-fix-iov_iter_get_pages-_alloc-page-fault-re.patch new file mode 100644 index 00000000000..93e76361e65 --- /dev/null +++ b/queue-5.15/iov_iter-fix-iov_iter_get_pages-_alloc-page-fault-re.patch @@ -0,0 +1,52 @@ +From bf6818e315b3ce43b8fc4247d73e489d897c7951 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jul 2021 19:03:47 +0200 +Subject: iov_iter: Fix iov_iter_get_pages{,_alloc} page fault return value + +From: Andreas Gruenbacher + +[ Upstream commit 814a66741b9ffb5e1ba119e368b178edb0b7322d ] + +Both iov_iter_get_pages and iov_iter_get_pages_alloc return the number +of bytes of the iovec they could get the pages for. When they cannot +get any pages, they're supposed to return 0, but when the start of the +iovec isn't page aligned, the calculation goes wrong and they return a +negative value. Fix both functions. + +In addition, change iov_iter_get_pages_alloc to return NULL in that case +to prevent resource leaks. + +Signed-off-by: Andreas Gruenbacher +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + lib/iov_iter.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/iov_iter.c b/lib/iov_iter.c +index 755c10c5138cd..60b5e6edfbaa7 100644 +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -1488,7 +1488,7 @@ ssize_t iov_iter_get_pages(struct iov_iter *i, + res = get_user_pages_fast(addr, n, + iov_iter_rw(i) != WRITE ? FOLL_WRITE : 0, + pages); +- if (unlikely(res < 0)) ++ if (unlikely(res <= 0)) + return res; + return (res == n ? len : res * PAGE_SIZE) - *start; + } +@@ -1612,8 +1612,9 @@ ssize_t iov_iter_get_pages_alloc(struct iov_iter *i, + return -ENOMEM; + res = get_user_pages_fast(addr, n, + iov_iter_rw(i) != WRITE ? FOLL_WRITE : 0, p); +- if (unlikely(res < 0)) { ++ if (unlikely(res <= 0)) { + kvfree(p); ++ *pages = NULL; + return res; + } + *pages = p; +-- +2.33.0 + diff --git a/queue-5.15/ipmi-disable-some-operations-during-a-panic.patch b/queue-5.15/ipmi-disable-some-operations-during-a-panic.patch new file mode 100644 index 00000000000..f4d50f66fb4 --- /dev/null +++ b/queue-5.15/ipmi-disable-some-operations-during-a-panic.patch @@ -0,0 +1,103 @@ +From e04d2f82554f2f7cf5429f955280194ed360b756 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 11:36:20 -0500 +Subject: ipmi: Disable some operations during a panic + +From: Corey Minyard + +[ Upstream commit b36eb5e7b75a756baa64909a176dd4269ee05a8b ] + +Don't do kfree or other risky things when oops_in_progress is set. +It's easy enough to avoid doing them + +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 10 +++++++--- + drivers/char/ipmi/ipmi_watchdog.c | 17 ++++++++++++----- + 2 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index e96cb5c4f97a3..a08f53f208bfe 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -4789,7 +4789,9 @@ static atomic_t recv_msg_inuse_count = ATOMIC_INIT(0); + static void free_smi_msg(struct ipmi_smi_msg *msg) + { + atomic_dec(&smi_msg_inuse_count); +- kfree(msg); ++ /* Try to keep as much stuff out of the panic path as possible. */ ++ if (!oops_in_progress) ++ kfree(msg); + } + + struct ipmi_smi_msg *ipmi_alloc_smi_msg(void) +@@ -4808,7 +4810,9 @@ EXPORT_SYMBOL(ipmi_alloc_smi_msg); + static void free_recv_msg(struct ipmi_recv_msg *msg) + { + atomic_dec(&recv_msg_inuse_count); +- kfree(msg); ++ /* Try to keep as much stuff out of the panic path as possible. */ ++ if (!oops_in_progress) ++ kfree(msg); + } + + static struct ipmi_recv_msg *ipmi_alloc_recv_msg(void) +@@ -4826,7 +4830,7 @@ static struct ipmi_recv_msg *ipmi_alloc_recv_msg(void) + + void ipmi_free_recv_msg(struct ipmi_recv_msg *msg) + { +- if (msg->user) ++ if (msg->user && !oops_in_progress) + kref_put(&msg->user->refcount, free_user); + msg->done(msg); + } +diff --git a/drivers/char/ipmi/ipmi_watchdog.c b/drivers/char/ipmi/ipmi_watchdog.c +index f855a9665c284..883b4a3410122 100644 +--- a/drivers/char/ipmi/ipmi_watchdog.c ++++ b/drivers/char/ipmi/ipmi_watchdog.c +@@ -342,13 +342,17 @@ static atomic_t msg_tofree = ATOMIC_INIT(0); + static DECLARE_COMPLETION(msg_wait); + static void msg_free_smi(struct ipmi_smi_msg *msg) + { +- if (atomic_dec_and_test(&msg_tofree)) +- complete(&msg_wait); ++ if (atomic_dec_and_test(&msg_tofree)) { ++ if (!oops_in_progress) ++ complete(&msg_wait); ++ } + } + static void msg_free_recv(struct ipmi_recv_msg *msg) + { +- if (atomic_dec_and_test(&msg_tofree)) +- complete(&msg_wait); ++ if (atomic_dec_and_test(&msg_tofree)) { ++ if (!oops_in_progress) ++ complete(&msg_wait); ++ } + } + static struct ipmi_smi_msg smi_msg = { + .done = msg_free_smi +@@ -434,8 +438,10 @@ static int _ipmi_set_timeout(int do_heartbeat) + rv = __ipmi_set_timeout(&smi_msg, + &recv_msg, + &send_heartbeat_now); +- if (rv) ++ if (rv) { ++ atomic_set(&msg_tofree, 0); + return rv; ++ } + + wait_for_completion(&msg_wait); + +@@ -580,6 +586,7 @@ restart: + &recv_msg, + 1); + if (rv) { ++ atomic_set(&msg_tofree, 0); + pr_warn("heartbeat send failure: %d\n", rv); + return rv; + } +-- +2.33.0 + diff --git a/queue-5.15/ipmi-kcs_bmc-fix-a-memory-leak-in-the-error-handling.patch b/queue-5.15/ipmi-kcs_bmc-fix-a-memory-leak-in-the-error-handling.patch new file mode 100644 index 00000000000..6abadadb24a --- /dev/null +++ b/queue-5.15/ipmi-kcs_bmc-fix-a-memory-leak-in-the-error-handling.patch @@ -0,0 +1,46 @@ +From a8f04165934c4b307183c3614778616ab9415b89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 23:06:32 +0200 +Subject: ipmi: kcs_bmc: Fix a memory leak in the error handling path of + 'kcs_bmc_serio_add_device()' + +From: Christophe JAILLET + +[ Upstream commit f281d010b87454e72475b668ad66e34961f744e0 ] + +In the unlikely event where 'devm_kzalloc()' fails and 'kzalloc()' +succeeds, 'port' would be leaking. + +Test each allocation separately to avoid the leak. + +Fixes: 3a3d2f6a4c64 ("ipmi: kcs_bmc: Add serio adaptor") +Signed-off-by: Christophe JAILLET +Message-Id: +Reviewed-by: Andrew Jeffery +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/kcs_bmc_serio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/char/ipmi/kcs_bmc_serio.c b/drivers/char/ipmi/kcs_bmc_serio.c +index 7948cabde50b4..7e2067628a6ce 100644 +--- a/drivers/char/ipmi/kcs_bmc_serio.c ++++ b/drivers/char/ipmi/kcs_bmc_serio.c +@@ -73,10 +73,12 @@ static int kcs_bmc_serio_add_device(struct kcs_bmc_device *kcs_bmc) + struct serio *port; + + priv = devm_kzalloc(kcs_bmc->dev, sizeof(*priv), GFP_KERNEL); ++ if (!priv) ++ return -ENOMEM; + + /* Use kzalloc() as the allocation is cleaned up with kfree() via serio_unregister_port() */ + port = kzalloc(sizeof(*port), GFP_KERNEL); +- if (!(priv && port)) ++ if (!port) + return -ENOMEM; + + port->id.type = SERIO_8042; +-- +2.33.0 + diff --git a/queue-5.15/irq-mips-avoid-nested-irq_enter.patch b/queue-5.15/irq-mips-avoid-nested-irq_enter.patch new file mode 100644 index 00000000000..e0eb593e7b9 --- /dev/null +++ b/queue-5.15/irq-mips-avoid-nested-irq_enter.patch @@ -0,0 +1,52 @@ +From aa5010e0f5e51b36a8e869773b1c678e9e0187c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 17:25:22 +0100 +Subject: irq: mips: avoid nested irq_enter() + +From: Mark Rutland + +[ Upstream commit c65b52d02f6c1a06ddb20cba175ad49eccd6410d ] + +As bcm6345_l1_irq_handle() is a chained irqchip handler, it will be +invoked within the context of the root irqchip handler, which must have +entered IRQ context already. + +When bcm6345_l1_irq_handle() calls arch/mips's do_IRQ() , this will nest +another call to irq_enter(), and the resulting nested increment to +`rcu_data.dynticks_nmi_nesting` will cause rcu_is_cpu_rrupt_from_idle() +to fail to identify wakeups from idle, resulting in failure to preempt, +and RCU stalls. + +Chained irqchip handlers must invoke IRQ handlers by way of thee core +irqchip code, i.e. generic_handle_irq() or generic_handle_domain_irq() +and should not call do_IRQ(), which is intended only for root irqchip +handlers. + +Fix bcm6345_l1_irq_handle() by calling generic_handle_irq() directly. + +Fixes: c7c42ec2baa1de7a ("irqchips/bmips: Add bcm6345-l1 interrupt controller") +Signed-off-by: Mark Rutland +Reviewed-by: Marc Zyngier +Acked-by: Thomas Bogendoerfer +Cc: Thomas Gleixner +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-bcm6345-l1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-bcm6345-l1.c b/drivers/irqchip/irq-bcm6345-l1.c +index e3483789f4df3..1bd0621c4ce2a 100644 +--- a/drivers/irqchip/irq-bcm6345-l1.c ++++ b/drivers/irqchip/irq-bcm6345-l1.c +@@ -140,7 +140,7 @@ static void bcm6345_l1_irq_handle(struct irq_desc *desc) + for_each_set_bit(hwirq, &pending, IRQS_PER_WORD) { + irq = irq_linear_revmap(intc->domain, base + hwirq); + if (irq) +- do_IRQ(irq); ++ generic_handle_irq(irq); + else + spurious_interrupt(); + } +-- +2.33.0 + diff --git a/queue-5.15/iwlwifi-change-all-jnp-to-no-160-configuration.patch b/queue-5.15/iwlwifi-change-all-jnp-to-no-160-configuration.patch new file mode 100644 index 00000000000..bb3fa0770c9 --- /dev/null +++ b/queue-5.15/iwlwifi-change-all-jnp-to-no-160-configuration.patch @@ -0,0 +1,48 @@ +From 8aa59506a80bee3c96ab0f271153ae3f441f9aec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 11:43:56 +0300 +Subject: iwlwifi: change all JnP to NO-160 configuration + +From: Yaara Baruch + +[ Upstream commit 70382b0897eeecfcd35ba5f6161dbceeb556ea1e ] + +JnP should not have the 160 MHz. + +Signed-off-by: Yaara Baruch +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20211016114029.ee163f4a7513.I7f87bd969a0b038c7f3a1a962d9695ffd18c5da1@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +index e3996ff99bad5..3b974388d834d 100644 +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -931,9 +931,9 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { + IWL_CFG_ANY, IWL_CFG_ANY, IWL_CFG_NO_CDB, + iwl_qu_b0_hr1_b0, iwl_ax101_name), + _IWL_DEV_INFO(IWL_CFG_ANY, IWL_CFG_ANY, +- IWL_CFG_MAC_TYPE_QU, SILICON_C_STEP, ++ IWL_CFG_MAC_TYPE_QU, SILICON_B_STEP, + IWL_CFG_RF_TYPE_HR2, IWL_CFG_ANY, +- IWL_CFG_ANY, IWL_CFG_ANY, IWL_CFG_NO_CDB, ++ IWL_CFG_NO_160, IWL_CFG_ANY, IWL_CFG_NO_CDB, + iwl_qu_b0_hr_b0, iwl_ax203_name), + + /* Qu C step */ +@@ -945,7 +945,7 @@ static const struct iwl_dev_info iwl_dev_info_table[] = { + _IWL_DEV_INFO(IWL_CFG_ANY, IWL_CFG_ANY, + IWL_CFG_MAC_TYPE_QU, SILICON_C_STEP, + IWL_CFG_RF_TYPE_HR2, IWL_CFG_ANY, +- IWL_CFG_ANY, IWL_CFG_ANY, IWL_CFG_NO_CDB, ++ IWL_CFG_NO_160, IWL_CFG_ANY, IWL_CFG_NO_CDB, + iwl_qu_c0_hr_b0, iwl_ax203_name), + + /* QuZ */ +-- +2.33.0 + diff --git a/queue-5.15/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch b/queue-5.15/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch new file mode 100644 index 00000000000..e877aad1319 --- /dev/null +++ b/queue-5.15/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch @@ -0,0 +1,39 @@ +From b6c0d8061b87022a6b3e4403f1408e4abc47708b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Oct 2021 11:43:40 +0300 +Subject: iwlwifi: mvm: disable RX-diversity in powersave + +From: Johannes Berg + +[ Upstream commit e5322b9ab5f63536c41301150b7ce64605ce52cc ] + +Just like we have default SMPS mode as dynamic in powersave, +we should not enable RX-diversity in powersave, to reduce +power consumption when connected to a non-MIMO AP. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211017113927.fc896bc5cdaa.I1d11da71b8a5cbe921a37058d5f578f1b14a2023@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c +index 4a3d2971a98b7..ec8a223f90e85 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c +@@ -405,6 +405,9 @@ bool iwl_mvm_rx_diversity_allowed(struct iwl_mvm *mvm, + + lockdep_assert_held(&mvm->mutex); + ++ if (iwlmvm_mod_params.power_scheme != IWL_POWER_SCHEME_CAM) ++ return false; ++ + if (num_of_ant(iwl_mvm_get_valid_rx_ant(mvm)) == 1) + return false; + +-- +2.33.0 + diff --git a/queue-5.15/iwlwifi-mvm-reset-pm-state-on-unsuccessful-resume.patch b/queue-5.15/iwlwifi-mvm-reset-pm-state-on-unsuccessful-resume.patch new file mode 100644 index 00000000000..f54d116a041 --- /dev/null +++ b/queue-5.15/iwlwifi-mvm-reset-pm-state-on-unsuccessful-resume.patch @@ -0,0 +1,56 @@ +From 5020df3bfa698d18e5e1fdbd36a2cb67e4eb6da4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 11:43:55 +0300 +Subject: iwlwifi: mvm: reset PM state on unsuccessful resume + +From: Johannes Berg + +[ Upstream commit 2f629a7772e2a7bdaff25178917a40073f79702c ] + +If resume fails for some reason, we need to set the PM state +back to normal so we're able to send commands during firmware +reset, rather than failing all of them because we're in D3. + +Signed-off-by: Johannes Berg +Fixes: 708a39aaca22 ("iwlwifi: mvm: don't send commands during suspend\resume transition") +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20211016114029.7ceb9eaca9f6.If0cbef38c6d07ec1ddce125878a4bdadcb35d2c9@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/mvm/d3.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +index 9f706fffb5922..d3013a51a5096 100644 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/d3.c +@@ -2336,7 +2336,6 @@ static int __iwl_mvm_resume(struct iwl_mvm *mvm, bool test) + iwl_fw_dbg_collect_desc(&mvm->fwrt, &iwl_dump_desc_assert, + false, 0); + ret = 1; +- mvm->trans->system_pm_mode = IWL_PLAT_PM_MODE_DISABLED; + goto err; + } + +@@ -2385,6 +2384,7 @@ static int __iwl_mvm_resume(struct iwl_mvm *mvm, bool test) + } + } + ++ /* after the successful handshake, we're out of D3 */ + mvm->trans->system_pm_mode = IWL_PLAT_PM_MODE_DISABLED; + + /* +@@ -2455,6 +2455,9 @@ out: + */ + set_bit(IWL_MVM_STATUS_HW_RESTART_REQUESTED, &mvm->status); + ++ /* regardless of what happened, we're now out of D3 */ ++ mvm->trans->system_pm_mode = IWL_PLAT_PM_MODE_DISABLED; ++ + return 1; + } + +-- +2.33.0 + diff --git a/queue-5.15/iwlwifi-pnvm-don-t-kmemdup-more-than-we-have.patch b/queue-5.15/iwlwifi-pnvm-don-t-kmemdup-more-than-we-have.patch new file mode 100644 index 00000000000..36db23b0617 --- /dev/null +++ b/queue-5.15/iwlwifi-pnvm-don-t-kmemdup-more-than-we-have.patch @@ -0,0 +1,49 @@ +From 3b1eb67756a504592121420398be3336b164e9fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 11:43:57 +0300 +Subject: iwlwifi: pnvm: don't kmemdup() more than we have + +From: Johannes Berg + +[ Upstream commit 0f892441d8c353144e3669b7991fa5fe0bd353e9 ] + +We shouldn't kmemdup() more data than we have, that might +cause the code to crash. Fix that by updating the length +before the kmemdup. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20211016114029.ab0e64c3fba9.Ic6a3295fc384750b51b4270bf0b7d94984a139f2@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/pnvm.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c b/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c +index dde22bdc87039..9b0eee53488ab 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c +@@ -284,16 +284,15 @@ int iwl_pnvm_load(struct iwl_trans *trans, + /* First attempt to get the PNVM from BIOS */ + package = iwl_uefi_get_pnvm(trans, &len); + if (!IS_ERR_OR_NULL(package)) { ++ /* we need only the data */ ++ len -= sizeof(*package); + data = kmemdup(package->data, len, GFP_KERNEL); + + /* free package regardless of whether kmemdup succeeded */ + kfree(package); + +- if (data) { +- /* we need only the data size */ +- len -= sizeof(*package); ++ if (data) + goto parse; +- } + } + + /* If it's not available, try from the filesystem */ +-- +2.33.0 + diff --git a/queue-5.15/iwlwifi-pnvm-read-efi-data-only-if-long-enough.patch b/queue-5.15/iwlwifi-pnvm-read-efi-data-only-if-long-enough.patch new file mode 100644 index 00000000000..695af2419bd --- /dev/null +++ b/queue-5.15/iwlwifi-pnvm-read-efi-data-only-if-long-enough.patch @@ -0,0 +1,46 @@ +From ca54ec7317dbe4e70f8e7de2a018c87afe2a838d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 11:43:58 +0300 +Subject: iwlwifi: pnvm: read EFI data only if long enough + +From: Johannes Berg + +[ Upstream commit e864a77f51d0d8113b49cf7d030bc9dc911c8176 ] + +If the data we get from EFI is not even long enough for +the package struct we expect then ignore it entirely. + +Signed-off-by: Johannes Berg +Fixes: a1a6a4cf49ec ("iwlwifi: pnvm: implement reading PNVM from UEFI") +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/iwlwifi.20211016114029.33feba783518.I54a5cf33975d0330792b3d208b225d479e168f32@changeid +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/iwlwifi/fw/pnvm.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c b/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c +index 9b0eee53488ab..069fcbc46d2ba 100644 +--- a/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c +@@ -284,9 +284,13 @@ int iwl_pnvm_load(struct iwl_trans *trans, + /* First attempt to get the PNVM from BIOS */ + package = iwl_uefi_get_pnvm(trans, &len); + if (!IS_ERR_OR_NULL(package)) { +- /* we need only the data */ +- len -= sizeof(*package); +- data = kmemdup(package->data, len, GFP_KERNEL); ++ if (len >= sizeof(*package)) { ++ /* we need only the data */ ++ len -= sizeof(*package); ++ data = kmemdup(package->data, len, GFP_KERNEL); ++ } else { ++ data = NULL; ++ } + + /* free package regardless of whether kmemdup succeeded */ + kfree(package); +-- +2.33.0 + diff --git a/queue-5.15/jfs-fix-memleak-in-jfs_mount.patch b/queue-5.15/jfs-fix-memleak-in-jfs_mount.patch new file mode 100644 index 00000000000..653ba8fe990 --- /dev/null +++ b/queue-5.15/jfs-fix-memleak-in-jfs_mount.patch @@ -0,0 +1,158 @@ +From 89fa249e704ef7f1d2e79f96c8f0459e50091bb3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 10:37:41 +0800 +Subject: JFS: fix memleak in jfs_mount + +From: Dongliang Mu + +[ Upstream commit c48a14dca2cb57527dde6b960adbe69953935f10 ] + +In jfs_mount, when diMount(ipaimap2) fails, it goes to errout35. However, +the following code does not free ipaimap2 allocated by diReadSpecial. + +Fix this by refactoring the error handling code of jfs_mount. To be +specific, modify the lable name and free ipaimap2 when the above error +ocurrs. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Dongliang Mu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_mount.c | 51 ++++++++++++++++++++-------------------------- + 1 file changed, 22 insertions(+), 29 deletions(-) + +diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c +index 5d7d7170c03c0..aa4ff7bcaff23 100644 +--- a/fs/jfs/jfs_mount.c ++++ b/fs/jfs/jfs_mount.c +@@ -81,14 +81,14 @@ int jfs_mount(struct super_block *sb) + * (initialize mount inode from the superblock) + */ + if ((rc = chkSuper(sb))) { +- goto errout20; ++ goto out; + } + + ipaimap = diReadSpecial(sb, AGGREGATE_I, 0); + if (ipaimap == NULL) { + jfs_err("jfs_mount: Failed to read AGGREGATE_I"); + rc = -EIO; +- goto errout20; ++ goto out; + } + sbi->ipaimap = ipaimap; + +@@ -99,7 +99,7 @@ int jfs_mount(struct super_block *sb) + */ + if ((rc = diMount(ipaimap))) { + jfs_err("jfs_mount: diMount(ipaimap) failed w/rc = %d", rc); +- goto errout21; ++ goto err_ipaimap; + } + + /* +@@ -108,7 +108,7 @@ int jfs_mount(struct super_block *sb) + ipbmap = diReadSpecial(sb, BMAP_I, 0); + if (ipbmap == NULL) { + rc = -EIO; +- goto errout22; ++ goto err_umount_ipaimap; + } + + jfs_info("jfs_mount: ipbmap:0x%p", ipbmap); +@@ -120,7 +120,7 @@ int jfs_mount(struct super_block *sb) + */ + if ((rc = dbMount(ipbmap))) { + jfs_err("jfs_mount: dbMount failed w/rc = %d", rc); +- goto errout22; ++ goto err_ipbmap; + } + + /* +@@ -139,7 +139,7 @@ int jfs_mount(struct super_block *sb) + if (!ipaimap2) { + jfs_err("jfs_mount: Failed to read AGGREGATE_I"); + rc = -EIO; +- goto errout35; ++ goto err_umount_ipbmap; + } + sbi->ipaimap2 = ipaimap2; + +@@ -151,7 +151,7 @@ int jfs_mount(struct super_block *sb) + if ((rc = diMount(ipaimap2))) { + jfs_err("jfs_mount: diMount(ipaimap2) failed, rc = %d", + rc); +- goto errout35; ++ goto err_ipaimap2; + } + } else + /* Secondary aggregate inode table is not valid */ +@@ -168,7 +168,7 @@ int jfs_mount(struct super_block *sb) + jfs_err("jfs_mount: Failed to read FILESYSTEM_I"); + /* open fileset secondary inode allocation map */ + rc = -EIO; +- goto errout40; ++ goto err_umount_ipaimap2; + } + jfs_info("jfs_mount: ipimap:0x%p", ipimap); + +@@ -178,41 +178,34 @@ int jfs_mount(struct super_block *sb) + /* initialize fileset inode allocation map */ + if ((rc = diMount(ipimap))) { + jfs_err("jfs_mount: diMount failed w/rc = %d", rc); +- goto errout41; ++ goto err_ipimap; + } + +- goto out; ++ return rc; + + /* + * unwind on error + */ +- errout41: /* close fileset inode allocation map inode */ ++err_ipimap: ++ /* close fileset inode allocation map inode */ + diFreeSpecial(ipimap); +- +- errout40: /* fileset closed */ +- ++err_umount_ipaimap2: + /* close secondary aggregate inode allocation map */ +- if (ipaimap2) { ++ if (ipaimap2) + diUnmount(ipaimap2, 1); ++err_ipaimap2: ++ /* close aggregate inodes */ ++ if (ipaimap2) + diFreeSpecial(ipaimap2); +- } +- +- errout35: +- +- /* close aggregate block allocation map */ ++err_umount_ipbmap: /* close aggregate block allocation map */ + dbUnmount(ipbmap, 1); ++err_ipbmap: /* close aggregate inodes */ + diFreeSpecial(ipbmap); +- +- errout22: /* close aggregate inode allocation map */ +- ++err_umount_ipaimap: /* close aggregate inode allocation map */ + diUnmount(ipaimap, 1); +- +- errout21: /* close aggregate inodes */ ++err_ipaimap: /* close aggregate inodes */ + diFreeSpecial(ipaimap); +- errout20: /* aggregate closed */ +- +- out: +- ++out: + if (rc) + jfs_err("Mount JFS Failure: %d", rc); + +-- +2.33.0 + diff --git a/queue-5.15/kdb-adopt-scheduler-s-task-classification.patch b/queue-5.15/kdb-adopt-scheduler-s-task-classification.patch new file mode 100644 index 00000000000..23af32136dc --- /dev/null +++ b/queue-5.15/kdb-adopt-scheduler-s-task-classification.patch @@ -0,0 +1,404 @@ +From cb5b1fe4d75a81cae126712bae2d1aca344e951b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 17:31:58 +0000 +Subject: kdb: Adopt scheduler's task classification + +From: Daniel Thompson + +[ Upstream commit b77dbc86d60459b42ab375e4e23172e7245f2854 ] + +Currently kdb contains some open-coded routines to generate a summary +character for each task. This code currently issues warnings, is +almost certainly broken and won't make sense to any kernel dev who +has ever used /proc to examine task states. + +Fix both the warning and the potential for confusion by adopting the +scheduler's task classification. Whilst doing this we also simplify the +filtering by using mask strings directly (which means we don't have to +guess all the characters the scheduler might give us). + +Unfortunately we can't quite match the scheduler classification completely. +We add four extra states: - for idle loops and i, m and s for sleeping +system daemons (which means kthreads in one of the I, M and S states). +These extra states are used to manage the filters for tools to make the +output of ps and bta less noisy. + +Note: The Fixes below is the last point the original dubious code was + moved; it was not introduced by that patch. However it gives us + the last point to which this patch can be easily backported. + Happily that should be enough to cover the introduction of + CONFIG_WERROR! + +Fixes: 2f064a59a11f ("sched: Change task_struct::state") +Link: https://lore.kernel.org/r/20211102173158.3315227-1-daniel.thompson@linaro.org +Reviewed-by: Douglas Anderson +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_bt.c | 16 ++--- + kernel/debug/kdb/kdb_main.c | 37 ++++++----- + kernel/debug/kdb/kdb_private.h | 4 +- + kernel/debug/kdb/kdb_support.c | 118 +++++++-------------------------- + 4 files changed, 53 insertions(+), 122 deletions(-) + +diff --git a/kernel/debug/kdb/kdb_bt.c b/kernel/debug/kdb/kdb_bt.c +index 1f9f0e47aedaa..10b454554ab03 100644 +--- a/kernel/debug/kdb/kdb_bt.c ++++ b/kernel/debug/kdb/kdb_bt.c +@@ -46,7 +46,7 @@ static void kdb_show_stack(struct task_struct *p, void *addr) + * btp Kernel stack for + * btt Kernel stack for task structure at + * +- * bta [DRSTCZEUIMA] All useful processes, optionally ++ * bta [state_chars>|A] All useful processes, optionally + * filtered by state + * btc [] The current process on one cpu, + * default is all cpus +@@ -74,7 +74,7 @@ static void kdb_show_stack(struct task_struct *p, void *addr) + */ + + static int +-kdb_bt1(struct task_struct *p, unsigned long mask, bool btaprompt) ++kdb_bt1(struct task_struct *p, const char *mask, bool btaprompt) + { + char ch; + +@@ -120,7 +120,7 @@ kdb_bt_cpu(unsigned long cpu) + return; + } + +- kdb_bt1(kdb_tsk, ~0UL, false); ++ kdb_bt1(kdb_tsk, "A", false); + } + + int +@@ -138,8 +138,8 @@ kdb_bt(int argc, const char **argv) + if (strcmp(argv[0], "bta") == 0) { + struct task_struct *g, *p; + unsigned long cpu; +- unsigned long mask = kdb_task_state_string(argc ? argv[1] : +- NULL); ++ const char *mask = argc ? argv[1] : kdbgetenv("PS"); ++ + if (argc == 0) + kdb_ps_suppressed(); + /* Run the active tasks first */ +@@ -167,7 +167,7 @@ kdb_bt(int argc, const char **argv) + return diag; + p = find_task_by_pid_ns(pid, &init_pid_ns); + if (p) +- return kdb_bt1(p, ~0UL, false); ++ return kdb_bt1(p, "A", false); + kdb_printf("No process with pid == %ld found\n", pid); + return 0; + } else if (strcmp(argv[0], "btt") == 0) { +@@ -176,7 +176,7 @@ kdb_bt(int argc, const char **argv) + diag = kdbgetularg((char *)argv[1], &addr); + if (diag) + return diag; +- return kdb_bt1((struct task_struct *)addr, ~0UL, false); ++ return kdb_bt1((struct task_struct *)addr, "A", false); + } else if (strcmp(argv[0], "btc") == 0) { + unsigned long cpu = ~0; + if (argc > 1) +@@ -212,7 +212,7 @@ kdb_bt(int argc, const char **argv) + kdb_show_stack(kdb_current_task, (void *)addr); + return 0; + } else { +- return kdb_bt1(kdb_current_task, ~0UL, false); ++ return kdb_bt1(kdb_current_task, "A", false); + } + } + +diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c +index fa6deda894a17..0852a537dad4c 100644 +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -2203,8 +2203,8 @@ static void kdb_cpu_status(void) + state = 'D'; /* cpu is online but unresponsive */ + } else { + state = ' '; /* cpu is responding to kdb */ +- if (kdb_task_state_char(KDB_TSK(i)) == 'I') +- state = 'I'; /* idle task */ ++ if (kdb_task_state_char(KDB_TSK(i)) == '-') ++ state = '-'; /* idle task */ + } + if (state != prev_state) { + if (prev_state != '?') { +@@ -2271,37 +2271,30 @@ static int kdb_cpu(int argc, const char **argv) + void kdb_ps_suppressed(void) + { + int idle = 0, daemon = 0; +- unsigned long mask_I = kdb_task_state_string("I"), +- mask_M = kdb_task_state_string("M"); + unsigned long cpu; + const struct task_struct *p, *g; + for_each_online_cpu(cpu) { + p = kdb_curr_task(cpu); +- if (kdb_task_state(p, mask_I)) ++ if (kdb_task_state(p, "-")) + ++idle; + } + for_each_process_thread(g, p) { +- if (kdb_task_state(p, mask_M)) ++ if (kdb_task_state(p, "ims")) + ++daemon; + } + if (idle || daemon) { + if (idle) +- kdb_printf("%d idle process%s (state I)%s\n", ++ kdb_printf("%d idle process%s (state -)%s\n", + idle, idle == 1 ? "" : "es", + daemon ? " and " : ""); + if (daemon) +- kdb_printf("%d sleeping system daemon (state M) " ++ kdb_printf("%d sleeping system daemon (state [ims]) " + "process%s", daemon, + daemon == 1 ? "" : "es"); + kdb_printf(" suppressed,\nuse 'ps A' to see all.\n"); + } + } + +-/* +- * kdb_ps - This function implements the 'ps' command which shows a +- * list of the active processes. +- * ps [DRSTCZEUIMA] All processes, optionally filtered by state +- */ + void kdb_ps1(const struct task_struct *p) + { + int cpu; +@@ -2330,17 +2323,25 @@ void kdb_ps1(const struct task_struct *p) + } + } + ++/* ++ * kdb_ps - This function implements the 'ps' command which shows a ++ * list of the active processes. ++ * ++ * ps [] Show processes, optionally selecting only those whose ++ * state character is found in . ++ */ + static int kdb_ps(int argc, const char **argv) + { + struct task_struct *g, *p; +- unsigned long mask, cpu; ++ const char *mask; ++ unsigned long cpu; + + if (argc == 0) + kdb_ps_suppressed(); + kdb_printf("%-*s Pid Parent [*] cpu State %-*s Command\n", + (int)(2*sizeof(void *))+2, "Task Addr", + (int)(2*sizeof(void *))+2, "Thread"); +- mask = kdb_task_state_string(argc ? argv[1] : NULL); ++ mask = argc ? argv[1] : kdbgetenv("PS"); + /* Run the active tasks first */ + for_each_online_cpu(cpu) { + if (KDB_FLAG(CMD_INTERRUPT)) +@@ -2742,8 +2743,8 @@ static kdbtab_t maintab[] = { + }, + { .name = "bta", + .func = kdb_bt, +- .usage = "[D|R|S|T|C|Z|E|U|I|M|A]", +- .help = "Backtrace all processes matching state flag", ++ .usage = "[|A]", ++ .help = "Backtrace all processes whose state matches", + .flags = KDB_ENABLE_INSPECT, + }, + { .name = "btc", +@@ -2797,7 +2798,7 @@ static kdbtab_t maintab[] = { + }, + { .name = "ps", + .func = kdb_ps, +- .usage = "[|A]", ++ .usage = "[|A]", + .help = "Display active task list", + .flags = KDB_ENABLE_INSPECT, + }, +diff --git a/kernel/debug/kdb/kdb_private.h b/kernel/debug/kdb/kdb_private.h +index 629590084a0dc..0d2f9feea0a46 100644 +--- a/kernel/debug/kdb/kdb_private.h ++++ b/kernel/debug/kdb/kdb_private.h +@@ -190,10 +190,8 @@ extern char kdb_grep_string[]; + extern int kdb_grep_leading; + extern int kdb_grep_trailing; + extern char *kdb_cmds[]; +-extern unsigned long kdb_task_state_string(const char *); + extern char kdb_task_state_char (const struct task_struct *); +-extern unsigned long kdb_task_state(const struct task_struct *p, +- unsigned long mask); ++extern bool kdb_task_state(const struct task_struct *p, const char *mask); + extern void kdb_ps_suppressed(void); + extern void kdb_ps1(const struct task_struct *p); + extern void kdb_send_sig(struct task_struct *p, int sig); +diff --git a/kernel/debug/kdb/kdb_support.c b/kernel/debug/kdb/kdb_support.c +index 7507d9a8dc6ac..df2bface866ef 100644 +--- a/kernel/debug/kdb/kdb_support.c ++++ b/kernel/debug/kdb/kdb_support.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + #include "kdb_private.h" + + /* +@@ -473,82 +474,7 @@ int kdb_putword(unsigned long addr, unsigned long word, size_t size) + return diag; + } + +-/* +- * kdb_task_state_string - Convert a string containing any of the +- * letters DRSTCZEUIMA to a mask for the process state field and +- * return the value. If no argument is supplied, return the mask +- * that corresponds to environment variable PS, DRSTCZEU by +- * default. +- * Inputs: +- * s String to convert +- * Returns: +- * Mask for process state. +- * Notes: +- * The mask folds data from several sources into a single long value, so +- * be careful not to overlap the bits. TASK_* bits are in the LSB, +- * special cases like UNRUNNABLE are in the MSB. As of 2.6.10-rc1 there +- * is no overlap between TASK_* and EXIT_* but that may not always be +- * true, so EXIT_* bits are shifted left 16 bits before being stored in +- * the mask. +- */ +- +-/* unrunnable is < 0 */ +-#define UNRUNNABLE (1UL << (8*sizeof(unsigned long) - 1)) +-#define RUNNING (1UL << (8*sizeof(unsigned long) - 2)) +-#define IDLE (1UL << (8*sizeof(unsigned long) - 3)) +-#define DAEMON (1UL << (8*sizeof(unsigned long) - 4)) + +-unsigned long kdb_task_state_string(const char *s) +-{ +- long res = 0; +- if (!s) { +- s = kdbgetenv("PS"); +- if (!s) +- s = "DRSTCZEU"; /* default value for ps */ +- } +- while (*s) { +- switch (*s) { +- case 'D': +- res |= TASK_UNINTERRUPTIBLE; +- break; +- case 'R': +- res |= RUNNING; +- break; +- case 'S': +- res |= TASK_INTERRUPTIBLE; +- break; +- case 'T': +- res |= TASK_STOPPED; +- break; +- case 'C': +- res |= TASK_TRACED; +- break; +- case 'Z': +- res |= EXIT_ZOMBIE << 16; +- break; +- case 'E': +- res |= EXIT_DEAD << 16; +- break; +- case 'U': +- res |= UNRUNNABLE; +- break; +- case 'I': +- res |= IDLE; +- break; +- case 'M': +- res |= DAEMON; +- break; +- case 'A': +- res = ~0UL; +- break; +- default: +- kdb_func_printf("unknown flag '%c' ignored\n", *s); +- break; +- } +- ++s; +- } +- return res; +-} + + /* + * kdb_task_state_char - Return the character that represents the task state. +@@ -559,7 +485,6 @@ unsigned long kdb_task_state_string(const char *s) + */ + char kdb_task_state_char (const struct task_struct *p) + { +- unsigned int p_state; + unsigned long tmp; + char state; + int cpu; +@@ -568,25 +493,18 @@ char kdb_task_state_char (const struct task_struct *p) + copy_from_kernel_nofault(&tmp, (char *)p, sizeof(unsigned long))) + return 'E'; + +- cpu = kdb_process_cpu(p); +- p_state = READ_ONCE(p->__state); +- state = (p_state == 0) ? 'R' : +- (p_state < 0) ? 'U' : +- (p_state & TASK_UNINTERRUPTIBLE) ? 'D' : +- (p_state & TASK_STOPPED) ? 'T' : +- (p_state & TASK_TRACED) ? 'C' : +- (p->exit_state & EXIT_ZOMBIE) ? 'Z' : +- (p->exit_state & EXIT_DEAD) ? 'E' : +- (p_state & TASK_INTERRUPTIBLE) ? 'S' : '?'; ++ state = task_state_to_char((struct task_struct *) p); ++ + if (is_idle_task(p)) { + /* Idle task. Is it really idle, apart from the kdb + * interrupt? */ ++ cpu = kdb_process_cpu(p); + if (!kdb_task_has_cpu(p) || kgdb_info[cpu].irq_depth == 1) { + if (cpu != kdb_initial_cpu) +- state = 'I'; /* idle task */ ++ state = '-'; /* idle task */ + } +- } else if (!p->mm && state == 'S') { +- state = 'M'; /* sleeping system daemon */ ++ } else if (!p->mm && strchr("IMS", state)) { ++ state = tolower(state); /* sleeping system daemon */ + } + return state; + } +@@ -596,14 +514,28 @@ char kdb_task_state_char (const struct task_struct *p) + * given by the mask. + * Inputs: + * p struct task for the process +- * mask mask from kdb_task_state_string to select processes ++ * mask set of characters used to select processes; both NULL ++ * and the empty string mean adopt a default filter, which ++ * is to suppress sleeping system daemons and the idle tasks + * Returns: + * True if the process matches at least one criteria defined by the mask. + */ +-unsigned long kdb_task_state(const struct task_struct *p, unsigned long mask) ++bool kdb_task_state(const struct task_struct *p, const char *mask) + { +- char state[] = { kdb_task_state_char(p), '\0' }; +- return (mask & kdb_task_state_string(state)) != 0; ++ char state = kdb_task_state_char(p); ++ ++ /* If there is no mask, then we will filter code that runs when the ++ * scheduler is idling and any system daemons that are currently ++ * sleeping. ++ */ ++ if (!mask || mask[0] == '\0') ++ return !strchr("-ims", state); ++ ++ /* A is a special case that matches all states */ ++ if (strchr(mask, 'A')) ++ return true; ++ ++ return strchr(mask, state); + } + + /* Maintain a small stack of kdb_flags to allow recursion without disturbing +-- +2.33.0 + diff --git a/queue-5.15/kernel-sched-fix-sched_fork-access-an-invalid-sched_.patch b/queue-5.15/kernel-sched-fix-sched_fork-access-an-invalid-sched_.patch new file mode 100644 index 00000000000..09723dd3e12 --- /dev/null +++ b/queue-5.15/kernel-sched-fix-sched_fork-access-an-invalid-sched_.patch @@ -0,0 +1,168 @@ +From df5f9c485c20960341ae8463043545861dd6aab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 14:40:30 +0800 +Subject: kernel/sched: Fix sched_fork() access an invalid sched_task_group + +From: Zhang Qiao + +[ Upstream commit 4ef0c5c6b5ba1f38f0ea1cedad0cad722f00c14a ] + +There is a small race between copy_process() and sched_fork() +where child->sched_task_group point to an already freed pointer. + + parent doing fork() | someone moving the parent + | to another cgroup + -------------------------------+------------------------------- + copy_process() + + dup_task_struct()<1> + parent move to another cgroup, + and free the old cgroup. <2> + + sched_fork() + + __set_task_cpu()<3> + + task_fork_fair() + + sched_slice()<4> + +In the worst case, this bug can lead to "use-after-free" and +cause panic as shown above: + + (1) parent copy its sched_task_group to child at <1>; + + (2) someone move the parent to another cgroup and free the old + cgroup at <2>; + + (3) the sched_task_group and cfs_rq that belong to the old cgroup + will be accessed at <3> and <4>, which cause a panic: + + [] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + [] PGD 8000001fa0a86067 P4D 8000001fa0a86067 PUD 2029955067 PMD 0 + [] Oops: 0000 [#1] SMP PTI + [] CPU: 7 PID: 648398 Comm: ebizzy Kdump: loaded Tainted: G OE --------- - - 4.18.0.x86_64+ #1 + [] RIP: 0010:sched_slice+0x84/0xc0 + + [] Call Trace: + [] task_fork_fair+0x81/0x120 + [] sched_fork+0x132/0x240 + [] copy_process.part.5+0x675/0x20e0 + [] ? __handle_mm_fault+0x63f/0x690 + [] _do_fork+0xcd/0x3b0 + [] do_syscall_64+0x5d/0x1d0 + [] entry_SYSCALL_64_after_hwframe+0x65/0xca + [] RIP: 0033:0x7f04418cd7e1 + +Between cgroup_can_fork() and cgroup_post_fork(), the cgroup +membership and thus sched_task_group can't change. So update child's +sched_task_group at sched_post_fork() and move task_fork() and +__set_task_cpu() (where accees the sched_task_group) from sched_fork() +to sched_post_fork(). + +Fixes: 8323f26ce342 ("sched: Fix race in task_group") +Signed-off-by: Zhang Qiao +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Tejun Heo +Link: https://lkml.kernel.org/r/20210915064030.2231-1-zhangqiao22@huawei.com +Signed-off-by: Sasha Levin +--- + include/linux/sched/task.h | 3 ++- + kernel/fork.c | 2 +- + kernel/sched/core.c | 43 +++++++++++++++++++------------------- + 3 files changed, 25 insertions(+), 23 deletions(-) + +diff --git a/include/linux/sched/task.h b/include/linux/sched/task.h +index ef02be869cf28..ba88a69874004 100644 +--- a/include/linux/sched/task.h ++++ b/include/linux/sched/task.h +@@ -54,7 +54,8 @@ extern asmlinkage void schedule_tail(struct task_struct *prev); + extern void init_idle(struct task_struct *idle, int cpu); + + extern int sched_fork(unsigned long clone_flags, struct task_struct *p); +-extern void sched_post_fork(struct task_struct *p); ++extern void sched_post_fork(struct task_struct *p, ++ struct kernel_clone_args *kargs); + extern void sched_dead(struct task_struct *p); + + void __noreturn do_task_dead(void); +diff --git a/kernel/fork.c b/kernel/fork.c +index 38681ad44c76b..0e4251dc54361 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -2405,7 +2405,7 @@ static __latent_entropy struct task_struct *copy_process( + write_unlock_irq(&tasklist_lock); + + proc_fork_connector(p); +- sched_post_fork(p); ++ sched_post_fork(p, args); + cgroup_post_fork(p, args); + perf_event_fork(p); + +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index f21714ea3db85..aea60eae21a7f 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -4328,8 +4328,6 @@ int sysctl_schedstats(struct ctl_table *table, int write, void *buffer, + */ + int sched_fork(unsigned long clone_flags, struct task_struct *p) + { +- unsigned long flags; +- + __sched_fork(clone_flags, p); + /* + * We mark the process as NEW here. This guarantees that +@@ -4375,24 +4373,6 @@ int sched_fork(unsigned long clone_flags, struct task_struct *p) + + init_entity_runnable_average(&p->se); + +- /* +- * The child is not yet in the pid-hash so no cgroup attach races, +- * and the cgroup is pinned to this child due to cgroup_fork() +- * is ran before sched_fork(). +- * +- * Silence PROVE_RCU. +- */ +- raw_spin_lock_irqsave(&p->pi_lock, flags); +- rseq_migrate(p); +- /* +- * We're setting the CPU for the first time, we don't migrate, +- * so use __set_task_cpu(). +- */ +- __set_task_cpu(p, smp_processor_id()); +- if (p->sched_class->task_fork) +- p->sched_class->task_fork(p); +- raw_spin_unlock_irqrestore(&p->pi_lock, flags); +- + #ifdef CONFIG_SCHED_INFO + if (likely(sched_info_on())) + memset(&p->sched_info, 0, sizeof(p->sched_info)); +@@ -4408,8 +4388,29 @@ int sched_fork(unsigned long clone_flags, struct task_struct *p) + return 0; + } + +-void sched_post_fork(struct task_struct *p) ++void sched_post_fork(struct task_struct *p, struct kernel_clone_args *kargs) + { ++ unsigned long flags; ++#ifdef CONFIG_CGROUP_SCHED ++ struct task_group *tg; ++#endif ++ ++ raw_spin_lock_irqsave(&p->pi_lock, flags); ++#ifdef CONFIG_CGROUP_SCHED ++ tg = container_of(kargs->cset->subsys[cpu_cgrp_id], ++ struct task_group, css); ++ p->sched_task_group = autogroup_task_group(p, tg); ++#endif ++ rseq_migrate(p); ++ /* ++ * We're setting the CPU for the first time, we don't migrate, ++ * so use __set_task_cpu(). ++ */ ++ __set_task_cpu(p, smp_processor_id()); ++ if (p->sched_class->task_fork) ++ p->sched_class->task_fork(p); ++ raw_spin_unlock_irqrestore(&p->pi_lock, flags); ++ + uclamp_post_fork(p); + } + +-- +2.33.0 + diff --git a/queue-5.15/kprobes-do-not-use-local-variable-when-creating-debu.patch b/queue-5.15/kprobes-do-not-use-local-variable-when-creating-debu.patch new file mode 100644 index 00000000000..77838d6ddda --- /dev/null +++ b/queue-5.15/kprobes-do-not-use-local-variable-when-creating-debu.patch @@ -0,0 +1,60 @@ +From 4b26c72bef1f3f3787da3a6774dceab1c7bb84af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 23:38:37 +0900 +Subject: kprobes: Do not use local variable when creating debugfs file + +From: Punit Agrawal + +[ Upstream commit 8f7262cd66699a4b02eb7549b35c81b2116aad95 ] + +debugfs_create_file() takes a pointer argument that can be used during +file operation callbacks (accessible via i_private in the inode +structure). An obvious requirement is for the pointer to refer to +valid memory when used. + +When creating the debugfs file to dynamically enable / disable +kprobes, a pointer to local variable is passed to +debugfs_create_file(); which will go out of scope when the init +function returns. The reason this hasn't triggered random memory +corruption is because the pointer is not accessed during the debugfs +file callbacks. + +Since the enabled state is managed by the kprobes_all_disabled global +variable, the local variable is not needed. Fix the incorrect (and +unnecessary) usage of local variable during debugfs_file_create() by +passing NULL instead. + +Link: https://lkml.kernel.org/r/163163031686.489837.4476867635937014973.stgit@devnote2 + +Fixes: bf8f6e5b3e51 ("Kprobes: The ON/OFF knob thru debugfs") +Signed-off-by: Punit Agrawal +Acked-by: Masami Hiramatsu +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/kprobes.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/kernel/kprobes.c b/kernel/kprobes.c +index 790a573bbe00c..1cf8bca1ea861 100644 +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -2809,13 +2809,12 @@ static const struct file_operations fops_kp = { + static int __init debugfs_kprobe_init(void) + { + struct dentry *dir; +- unsigned int value = 1; + + dir = debugfs_create_dir("kprobes", NULL); + + debugfs_create_file("list", 0400, dir, NULL, &kprobes_fops); + +- debugfs_create_file("enabled", 0600, dir, &value, &fops_kp); ++ debugfs_create_file("enabled", 0600, dir, NULL, &fops_kp); + + debugfs_create_file("blacklist", 0400, dir, NULL, + &kprobe_blacklist_fops); +-- +2.33.0 + diff --git a/queue-5.15/kselftests-net-add-missed-icmp.sh-test-to-makefile.patch b/queue-5.15/kselftests-net-add-missed-icmp.sh-test-to-makefile.patch new file mode 100644 index 00000000000..e4ce96b8856 --- /dev/null +++ b/queue-5.15/kselftests-net-add-missed-icmp.sh-test-to-makefile.patch @@ -0,0 +1,39 @@ +From c0794e406c74945c9c2e6d83cde09fdac5f467ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 10:44:55 +0800 +Subject: kselftests/net: add missed icmp.sh test to Makefile + +From: Hangbin Liu + +[ Upstream commit ca3676f94b8f40f52d285f9aef36dfd6725bfc14 ] + +When generating the selftests to another folder, the icmp.sh test will +miss as it is not in Makefile, e.g. + + make -C tools/testing/selftests/ install \ + TARGETS="net" INSTALL_PATH=/tmp/kselftests + +Fixes: 7e9838b7915e ("selftests/net: Add icmp.sh for testing ICMP dummy address responses") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile +index 492b273743b4e..9b1c2dfe12530 100644 +--- a/tools/testing/selftests/net/Makefile ++++ b/tools/testing/selftests/net/Makefile +@@ -12,7 +12,7 @@ TEST_PROGS += udpgro_bench.sh udpgro.sh test_vxlan_under_vrf.sh reuseport_addr_a + TEST_PROGS += test_vxlan_fdb_changelink.sh so_txtime.sh ipv6_flowlabel.sh + TEST_PROGS += tcp_fastopen_backup_key.sh fcnal-test.sh l2tp.sh traceroute.sh + TEST_PROGS += fin_ack_lat.sh fib_nexthop_multiprefix.sh fib_nexthops.sh +-TEST_PROGS += altnames.sh icmp_redirect.sh ip6_gre_headroom.sh ++TEST_PROGS += altnames.sh icmp.sh icmp_redirect.sh ip6_gre_headroom.sh + TEST_PROGS += route_localnet.sh + TEST_PROGS += reuseaddr_ports_exhausted.sh + TEST_PROGS += txtimestamp.sh +-- +2.33.0 + diff --git a/queue-5.15/kselftests-net-add-missed-setup_loopback.sh-setup_ve.patch b/queue-5.15/kselftests-net-add-missed-setup_loopback.sh-setup_ve.patch new file mode 100644 index 00000000000..0f3c5953a49 --- /dev/null +++ b/queue-5.15/kselftests-net-add-missed-setup_loopback.sh-setup_ve.patch @@ -0,0 +1,42 @@ +From f48cd8e8bfea0c58327eaffaad2c90171a22e985 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 10:44:56 +0800 +Subject: kselftests/net: add missed setup_loopback.sh/setup_veth.sh to + Makefile + +From: Hangbin Liu + +[ Upstream commit b99ac1841147eefd8d8b52fcf00d7d917949ae7f ] + +When generating the selftests to another folder, the include file +setup_loopback.sh/setup_veth.sh for gro.sh/gre_gro.sh are missing as +they are not in Makefile, e.g. + + make -C tools/testing/selftests/ install \ + TARGETS="net" INSTALL_PATH=/tmp/kselftests + +Fixes: 7d1575014a63 ("selftests/net: GRO coalesce test") +Fixes: 9af771d2ec04 ("selftests/net: allow GRO coalesce test on veth") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile +index 9b1c2dfe12530..63ee01c1437b6 100644 +--- a/tools/testing/selftests/net/Makefile ++++ b/tools/testing/selftests/net/Makefile +@@ -28,7 +28,7 @@ TEST_PROGS += veth.sh + TEST_PROGS += ioam6.sh + TEST_PROGS += gro.sh + TEST_PROGS += gre_gso.sh +-TEST_PROGS_EXTENDED := in_netns.sh ++TEST_PROGS_EXTENDED := in_netns.sh setup_loopback.sh setup_veth.sh + TEST_GEN_FILES = socket nettest + TEST_GEN_FILES += psock_fanout psock_tpacket msg_zerocopy reuseport_addr_any + TEST_GEN_FILES += tcp_mmap tcp_inq psock_snd txring_overwrite +-- +2.33.0 + diff --git a/queue-5.15/kselftests-net-add-missed-srv6-tests.patch b/queue-5.15/kselftests-net-add-missed-srv6-tests.patch new file mode 100644 index 00000000000..456f5731d7c --- /dev/null +++ b/queue-5.15/kselftests-net-add-missed-srv6-tests.patch @@ -0,0 +1,42 @@ +From b36b467a1896e870ca515ff46696f4c1e2a59dc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 10:44:57 +0800 +Subject: kselftests/net: add missed SRv6 tests + +From: Hangbin Liu + +[ Upstream commit 653e7f19b4a0a632cead2390281bde352d3d3273 ] + +When generating the selftests to another folder, the SRv6 tests are +missing as they are not in Makefile, e.g. + + make -C tools/testing/selftests/ install \ + TARGETS="net" INSTALL_PATH=/tmp/kselftests + +Fixes: 03a0b567a03d ("selftests: seg6: add selftest for SRv6 End.DT46 Behavior") +Fixes: 2195444e09b4 ("selftests: add selftest for the SRv6 End.DT4 behavior") +Fixes: 2bc035538e16 ("selftests: add selftest for the SRv6 End.DT6 (VRF) behavior") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile +index 63ee01c1437b6..8a6264da52763 100644 +--- a/tools/testing/selftests/net/Makefile ++++ b/tools/testing/selftests/net/Makefile +@@ -28,6 +28,9 @@ TEST_PROGS += veth.sh + TEST_PROGS += ioam6.sh + TEST_PROGS += gro.sh + TEST_PROGS += gre_gso.sh ++TEST_PROGS += srv6_end_dt46_l3vpn_test.sh ++TEST_PROGS += srv6_end_dt4_l3vpn_test.sh ++TEST_PROGS += srv6_end_dt6_l3vpn_test.sh + TEST_PROGS_EXTENDED := in_netns.sh setup_loopback.sh setup_veth.sh + TEST_GEN_FILES = socket nettest + TEST_GEN_FILES += psock_fanout psock_tpacket msg_zerocopy reuseport_addr_any +-- +2.33.0 + diff --git a/queue-5.15/kselftests-net-add-missed-toeplitz.sh-toeplitz_clien.patch b/queue-5.15/kselftests-net-add-missed-toeplitz.sh-toeplitz_clien.patch new file mode 100644 index 00000000000..c29f0bfe3fc --- /dev/null +++ b/queue-5.15/kselftests-net-add-missed-toeplitz.sh-toeplitz_clien.patch @@ -0,0 +1,42 @@ +From dd666e4b2e94b76e85f09ae436849f52096ecf5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 10:44:59 +0800 +Subject: kselftests/net: add missed toeplitz.sh/toeplitz_client.sh to Makefile + +From: Hangbin Liu + +[ Upstream commit 17b67370c38de2a878debf39dcbc704a206af4d0 ] + +When generating the selftests to another folder, the toeplitz.sh +and toeplitz_client.sh are missing as they are not in Makefile, e.g. + + make -C tools/testing/selftests/ install \ + TARGETS="net" INSTALL_PATH=/tmp/kselftests + +Making them under TEST_PROGS_EXTENDED as they test NIC hardware features +and are not intended to be run from kselftests. + +Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test") +Reviewed-by: Willem de Bruijn +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile +index 7328bede35f05..6a953ec793ced 100644 +--- a/tools/testing/selftests/net/Makefile ++++ b/tools/testing/selftests/net/Makefile +@@ -33,6 +33,7 @@ TEST_PROGS += srv6_end_dt4_l3vpn_test.sh + TEST_PROGS += srv6_end_dt6_l3vpn_test.sh + TEST_PROGS += vrf_strict_mode_test.sh + TEST_PROGS_EXTENDED := in_netns.sh setup_loopback.sh setup_veth.sh ++TEST_PROGS_EXTENDED += toeplitz_client.sh toeplitz.sh + TEST_GEN_FILES = socket nettest + TEST_GEN_FILES += psock_fanout psock_tpacket msg_zerocopy reuseport_addr_any + TEST_GEN_FILES += tcp_mmap tcp_inq psock_snd txring_overwrite +-- +2.33.0 + diff --git a/queue-5.15/kselftests-net-add-missed-vrf_strict_mode_test.sh-te.patch b/queue-5.15/kselftests-net-add-missed-vrf_strict_mode_test.sh-te.patch new file mode 100644 index 00000000000..3bc9c00ad65 --- /dev/null +++ b/queue-5.15/kselftests-net-add-missed-vrf_strict_mode_test.sh-te.patch @@ -0,0 +1,38 @@ +From 82254db04864a4330d17871900ee90bc71ad0cb7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 10:44:58 +0800 +Subject: kselftests/net: add missed vrf_strict_mode_test.sh test to Makefile + +From: Hangbin Liu + +[ Upstream commit 8883deb50eb6529ae1fd4641e402da8ab4f720d2 ] + +When generating the selftests to another folder, the +vrf_strict_mode_test.sh test will miss as it is not in Makefile, e.g. + + make -C tools/testing/selftests/ install \ + TARGETS="net" INSTALL_PATH=/tmp/kselftests + +Fixes: 8735e6eaa438 ("selftests: add selftest for the VRF strict mode") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/Makefile | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile +index 8a6264da52763..7328bede35f05 100644 +--- a/tools/testing/selftests/net/Makefile ++++ b/tools/testing/selftests/net/Makefile +@@ -31,6 +31,7 @@ TEST_PROGS += gre_gso.sh + TEST_PROGS += srv6_end_dt46_l3vpn_test.sh + TEST_PROGS += srv6_end_dt4_l3vpn_test.sh + TEST_PROGS += srv6_end_dt6_l3vpn_test.sh ++TEST_PROGS += vrf_strict_mode_test.sh + TEST_PROGS_EXTENDED := in_netns.sh setup_loopback.sh setup_veth.sh + TEST_GEN_FILES = socket nettest + TEST_GEN_FILES += psock_fanout psock_tpacket msg_zerocopy reuseport_addr_any +-- +2.33.0 + diff --git a/queue-5.15/kselftests-sched-cleanup-the-child-processes.patch b/queue-5.15/kselftests-sched-cleanup-the-child-processes.patch new file mode 100644 index 00000000000..e0ff4f7fbe9 --- /dev/null +++ b/queue-5.15/kselftests-sched-cleanup-the-child-processes.patch @@ -0,0 +1,132 @@ +From e844013ec27275cb09357348890d30c06162f583 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 10:43:33 +0800 +Subject: kselftests/sched: cleanup the child processes + +From: Li Zhijian + +[ Upstream commit 1c36432b278cecf1499f21fae19836e614954309 ] + +Previously, 'make -C sched run_tests' will block forever when it occurs +something wrong where the *selftests framework* is waiting for its child +processes to exit. + +[root@iaas-rpma sched]# ./cs_prctl_test + + ## Create a thread/process/process group hiearchy +Not a core sched system +tid=74985, / tgid=74985 / pgid=74985: ffffffffffffffff +Not a core sched system + tid=74986, / tgid=74986 / pgid=74985: ffffffffffffffff +Not a core sched system + tid=74988, / tgid=74986 / pgid=74985: ffffffffffffffff +Not a core sched system + tid=74989, / tgid=74986 / pgid=74985: ffffffffffffffff +Not a core sched system + tid=74990, / tgid=74986 / pgid=74985: ffffffffffffffff +Not a core sched system + tid=74987, / tgid=74987 / pgid=74985: ffffffffffffffff +Not a core sched system + tid=74991, / tgid=74987 / pgid=74985: ffffffffffffffff +Not a core sched system + tid=74992, / tgid=74987 / pgid=74985: ffffffffffffffff +Not a core sched system + tid=74993, / tgid=74987 / pgid=74985: ffffffffffffffff + +Not a core sched system +(268) FAILED: get_cs_cookie(0) == 0 + + ## Set a cookie on entire process group +-1 = prctl(62, 1, 0, 2, 0) +core_sched create failed -- PGID: Invalid argument +(cs_prctl_test.c:272) - +[root@iaas-rpma sched]# ps + PID TTY TIME CMD + 4605 pts/2 00:00:00 bash + 74986 pts/2 00:00:00 cs_prctl_test + 74987 pts/2 00:00:00 cs_prctl_test + 74999 pts/2 00:00:00 ps + +Reported-by: kernel test robot +Signed-off-by: Li Zhijian +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Chris Hyser +Link: https://lore.kernel.org/r/20210902024333.75983-1-lizhijian@cn.fujitsu.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/sched/cs_prctl_test.c | 28 ++++++++++++------- + 1 file changed, 18 insertions(+), 10 deletions(-) + +diff --git a/tools/testing/selftests/sched/cs_prctl_test.c b/tools/testing/selftests/sched/cs_prctl_test.c +index 7db9cf822dc75..8109b17dc764c 100644 +--- a/tools/testing/selftests/sched/cs_prctl_test.c ++++ b/tools/testing/selftests/sched/cs_prctl_test.c +@@ -62,6 +62,17 @@ enum pid_type {PIDTYPE_PID = 0, PIDTYPE_TGID, PIDTYPE_PGID}; + + const int THREAD_CLONE_FLAGS = CLONE_THREAD | CLONE_SIGHAND | CLONE_FS | CLONE_VM | CLONE_FILES; + ++struct child_args { ++ int num_threads; ++ int pfd[2]; ++ int cpid; ++ int thr_tids[MAX_THREADS]; ++}; ++ ++static struct child_args procs[MAX_PROCESSES]; ++static int num_processes = 2; ++static int need_cleanup = 0; ++ + static int _prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, + unsigned long arg5) + { +@@ -78,8 +89,14 @@ static int _prctl(int option, unsigned long arg2, unsigned long arg3, unsigned l + #define handle_error(msg) __handle_error(__FILE__, __LINE__, msg) + static void __handle_error(char *fn, int ln, char *msg) + { ++ int pidx; + printf("(%s:%d) - ", fn, ln); + perror(msg); ++ if (need_cleanup) { ++ for (pidx = 0; pidx < num_processes; ++pidx) ++ kill(procs[pidx].cpid, 15); ++ need_cleanup = 0; ++ } + exit(EXIT_FAILURE); + } + +@@ -106,13 +123,6 @@ static unsigned long get_cs_cookie(int pid) + return cookie; + } + +-struct child_args { +- int num_threads; +- int pfd[2]; +- int cpid; +- int thr_tids[MAX_THREADS]; +-}; +- + static int child_func_thread(void __attribute__((unused))*arg) + { + while (1) +@@ -212,10 +222,7 @@ void _validate(int line, int val, char *msg) + + int main(int argc, char *argv[]) + { +- struct child_args procs[MAX_PROCESSES]; +- + int keypress = 0; +- int num_processes = 2; + int num_threads = 3; + int delay = 0; + int res = 0; +@@ -262,6 +269,7 @@ int main(int argc, char *argv[]) + + printf("\n## Create a thread/process/process group hiearchy\n"); + create_processes(num_processes, num_threads, procs); ++ need_cleanup = 1; + disp_processes(num_processes, procs); + validate(get_cs_cookie(0) == 0); + +-- +2.33.0 + diff --git a/queue-5.15/kvm-arm64-propagate-errors-from-__pkvm_prot_finalize.patch b/queue-5.15/kvm-arm64-propagate-errors-from-__pkvm_prot_finalize.patch new file mode 100644 index 00000000000..8453c6292ec --- /dev/null +++ b/queue-5.15/kvm-arm64-propagate-errors-from-__pkvm_prot_finalize.patch @@ -0,0 +1,78 @@ +From 1ba4ced127ae400039200e90e9eb8d52c3d55046 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 14:58:37 +0100 +Subject: KVM: arm64: Propagate errors from __pkvm_prot_finalize hypercall + +From: Will Deacon + +[ Upstream commit 2f2e1a5069679491d18cf9021da19b40c56a17f3 ] + +If the __pkvm_prot_finalize hypercall returns an error, we WARN but fail +to propagate the failure code back to kvm_arch_init(). + +Pass a pointer to a zero-initialised return variable so that failure +to finalise the pKVM protections on a host CPU can be reported back to +KVM. + +Cc: Marc Zyngier +Cc: Quentin Perret +Signed-off-by: Will Deacon +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20211008135839.1193-5-will@kernel.org +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/arm.c | 30 +++++++++++++++++++----------- + 1 file changed, 19 insertions(+), 11 deletions(-) + +diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c +index fe102cd2e5183..9b328bb05596a 100644 +--- a/arch/arm64/kvm/arm.c ++++ b/arch/arm64/kvm/arm.c +@@ -1971,9 +1971,25 @@ out_err: + return err; + } + +-static void _kvm_host_prot_finalize(void *discard) ++static void _kvm_host_prot_finalize(void *arg) + { +- WARN_ON(kvm_call_hyp_nvhe(__pkvm_prot_finalize)); ++ int *err = arg; ++ ++ if (WARN_ON(kvm_call_hyp_nvhe(__pkvm_prot_finalize))) ++ WRITE_ONCE(*err, -EINVAL); ++} ++ ++static int pkvm_drop_host_privileges(void) ++{ ++ int ret = 0; ++ ++ /* ++ * Flip the static key upfront as that may no longer be possible ++ * once the host stage 2 is installed. ++ */ ++ static_branch_enable(&kvm_protected_mode_initialized); ++ on_each_cpu(_kvm_host_prot_finalize, &ret, 1); ++ return ret; + } + + static int finalize_hyp_mode(void) +@@ -1987,15 +2003,7 @@ static int finalize_hyp_mode(void) + * None of other sections should ever be introspected. + */ + kmemleak_free_part(__hyp_bss_start, __hyp_bss_end - __hyp_bss_start); +- +- /* +- * Flip the static key upfront as that may no longer be possible +- * once the host stage 2 is installed. +- */ +- static_branch_enable(&kvm_protected_mode_initialized); +- on_each_cpu(_kvm_host_prot_finalize, NULL, 1); +- +- return 0; ++ return pkvm_drop_host_privileges(); + } + + struct kvm_vcpu *kvm_mpidr_to_vcpu(struct kvm *kvm, unsigned long mpidr) +-- +2.33.0 + diff --git a/queue-5.15/kvm-s390-fix-handle_sske-page-fault-handling.patch b/queue-5.15/kvm-s390-fix-handle_sske-page-fault-handling.patch new file mode 100644 index 00000000000..6eed1228a5c --- /dev/null +++ b/queue-5.15/kvm-s390-fix-handle_sske-page-fault-handling.patch @@ -0,0 +1,46 @@ +From 4a2bd254d7bd1c7bb6bc58e5b76158707b8c4632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 17:26:48 +0200 +Subject: KVM: s390: Fix handle_sske page fault handling + +From: Janis Schoetterl-Glausch + +[ Upstream commit 85f517b29418158d3e6e90c3f0fc01b306d2f1a1 ] + +If handle_sske cannot set the storage key, because there is no +page table entry or no present large page entry, it calls +fixup_user_fault. +However, currently, if the call succeeds, handle_sske returns +-EAGAIN, without having set the storage key. +Instead, retry by continue'ing the loop without incrementing the +address. +The same issue in handle_pfmf was fixed by +a11bdb1a6b78 ("KVM: s390: Fix pfmf and conditional skey emulation"). + +Fixes: bd096f644319 ("KVM: s390: Add skey emulation fault handling") +Signed-off-by: Janis Schoetterl-Glausch +Reviewed-by: Christian Borntraeger +Reviewed-by: Claudio Imbrenda +Link: https://lore.kernel.org/r/20211022152648.26536-1-scgl@linux.ibm.com +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/priv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/s390/kvm/priv.c b/arch/s390/kvm/priv.c +index 53da4ceb16a3a..417154b314a64 100644 +--- a/arch/s390/kvm/priv.c ++++ b/arch/s390/kvm/priv.c +@@ -397,6 +397,8 @@ static int handle_sske(struct kvm_vcpu *vcpu) + mmap_read_unlock(current->mm); + if (rc == -EFAULT) + return kvm_s390_inject_program_int(vcpu, PGM_ADDRESSING); ++ if (rc == -EAGAIN) ++ continue; + if (rc < 0) + return rc; + start += PAGE_SIZE; +-- +2.33.0 + diff --git a/queue-5.15/kvm-s390-pv-avoid-double-free-of-sida-page.patch b/queue-5.15/kvm-s390-pv-avoid-double-free-of-sida-page.patch new file mode 100644 index 00000000000..777d206c632 --- /dev/null +++ b/queue-5.15/kvm-s390-pv-avoid-double-free-of-sida-page.patch @@ -0,0 +1,68 @@ +From b4627907c6e57aac90b299bd8acb99d47c77b91e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 15:24:50 +0200 +Subject: KVM: s390: pv: avoid double free of sida page + +From: Claudio Imbrenda + +[ Upstream commit d4074324b07a94a1fca476d452dfbb3a4e7bf656 ] + +If kvm_s390_pv_destroy_cpu is called more than once, we risk calling +free_page on a random page, since the sidad field is aliased with the +gbea, which is not guaranteed to be zero. + +This can happen, for example, if userspace calls the KVM_PV_DISABLE +IOCTL, and it fails, and then userspace calls the same IOCTL again. +This scenario is only possible if KVM has some serious bug or if the +hardware is broken. + +The solution is to simply return successfully immediately if the vCPU +was already non secure. + +Signed-off-by: Claudio Imbrenda +Fixes: 19e1227768863a1469797c13ef8fea1af7beac2c ("KVM: S390: protvirt: Introduce instruction data area bounce buffer") +Reviewed-by: Janosch Frank +Reviewed-by: Christian Borntraeger +Message-Id: <20210920132502.36111-3-imbrenda@linux.ibm.com> +Signed-off-by: Janosch Frank +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/pv.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/arch/s390/kvm/pv.c b/arch/s390/kvm/pv.c +index c8841f476e913..0a854115100b4 100644 +--- a/arch/s390/kvm/pv.c ++++ b/arch/s390/kvm/pv.c +@@ -16,18 +16,17 @@ + + int kvm_s390_pv_destroy_cpu(struct kvm_vcpu *vcpu, u16 *rc, u16 *rrc) + { +- int cc = 0; ++ int cc; + +- if (kvm_s390_pv_cpu_get_handle(vcpu)) { +- cc = uv_cmd_nodata(kvm_s390_pv_cpu_get_handle(vcpu), +- UVC_CMD_DESTROY_SEC_CPU, rc, rrc); ++ if (!kvm_s390_pv_cpu_get_handle(vcpu)) ++ return 0; ++ ++ cc = uv_cmd_nodata(kvm_s390_pv_cpu_get_handle(vcpu), UVC_CMD_DESTROY_SEC_CPU, rc, rrc); ++ ++ KVM_UV_EVENT(vcpu->kvm, 3, "PROTVIRT DESTROY VCPU %d: rc %x rrc %x", ++ vcpu->vcpu_id, *rc, *rrc); ++ WARN_ONCE(cc, "protvirt destroy cpu failed rc %x rrc %x", *rc, *rrc); + +- KVM_UV_EVENT(vcpu->kvm, 3, +- "PROTVIRT DESTROY VCPU %d: rc %x rrc %x", +- vcpu->vcpu_id, *rc, *rrc); +- WARN_ONCE(cc, "protvirt destroy cpu failed rc %x rrc %x", +- *rc, *rrc); +- } + /* Intended memory leak for something that should never happen. */ + if (!cc) + free_pages(vcpu->arch.pv.stor_base, +-- +2.33.0 + diff --git a/queue-5.15/kvm-s390-pv-avoid-stalls-for-kvm_s390_pv_init_vm.patch b/queue-5.15/kvm-s390-pv-avoid-stalls-for-kvm_s390_pv_init_vm.patch new file mode 100644 index 00000000000..58ddf14c222 --- /dev/null +++ b/queue-5.15/kvm-s390-pv-avoid-stalls-for-kvm_s390_pv_init_vm.patch @@ -0,0 +1,43 @@ +From d25ebe85a3de766fc9ccc0c5f092ac97bf354e3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Sep 2021 15:24:51 +0200 +Subject: KVM: s390: pv: avoid stalls for kvm_s390_pv_init_vm + +From: Claudio Imbrenda + +[ Upstream commit 1e2aa46de526a5adafe580bca4c25856bb06f09e ] + +When the system is heavily overcommitted, kvm_s390_pv_init_vm might +generate stall notifications. + +Fix this by using uv_call_sched instead of just uv_call. This is ok because +we are not holding spinlocks. + +Signed-off-by: Claudio Imbrenda +Fixes: 214d9bbcd3a672 ("s390/mm: provide memory management functions for protected KVM guests") +Reviewed-by: Christian Borntraeger +Reviewed-by: Janosch Frank +Message-Id: <20210920132502.36111-4-imbrenda@linux.ibm.com> +Signed-off-by: Janosch Frank +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/pv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kvm/pv.c b/arch/s390/kvm/pv.c +index 0a854115100b4..00d272d134c24 100644 +--- a/arch/s390/kvm/pv.c ++++ b/arch/s390/kvm/pv.c +@@ -195,7 +195,7 @@ int kvm_s390_pv_init_vm(struct kvm *kvm, u16 *rc, u16 *rrc) + uvcb.conf_base_stor_origin = (u64)kvm->arch.pv.stor_base; + uvcb.conf_virt_stor_origin = (u64)kvm->arch.pv.stor_var; + +- cc = uv_call(0, (u64)&uvcb); ++ cc = uv_call_sched(0, (u64)&uvcb); + *rc = uvcb.header.rc; + *rrc = uvcb.header.rrc; + KVM_UV_EVENT(kvm, 3, "PROTVIRT CREATE VM: handle %llx len %llx rc %x rrc %x", +-- +2.33.0 + diff --git a/queue-5.15/kvm-selftests-fix-nested-svm-tests-when-built-with-c.patch b/queue-5.15/kvm-selftests-fix-nested-svm-tests-when-built-with-c.patch new file mode 100644 index 00000000000..cdf15f4281f --- /dev/null +++ b/queue-5.15/kvm-selftests-fix-nested-svm-tests-when-built-with-c.patch @@ -0,0 +1,67 @@ +From bf669e00b9246052e9a7de9459de45fb650d4263 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 17:36:49 -0700 +Subject: KVM: selftests: Fix nested SVM tests when built with clang + +From: Jim Mattson + +[ Upstream commit ed290e1c20da19fa100a3e0f421aa31b65984960 ] + +Though gcc conveniently compiles a simple memset to "rep stos," clang +prefers to call the libc version of memset. If a test is dynamically +linked, the libc memset isn't available in L1 (nor is the PLT or the +GOT, for that matter). Even if the test is statically linked, the libc +memset may choose to use some CPU features, like AVX, which may not be +enabled in L1. Note that __builtin_memset doesn't solve the problem, +because (a) the compiler is free to call memset anyway, and (b) +__builtin_memset may also choose to use features like AVX, which may +not be available in L1. + +To avoid a myriad of problems, use an explicit "rep stos" to clear the +VMCB in generic_svm_setup(), which is called both from L0 and L1. + +Reported-by: Ricardo Koller +Signed-off-by: Jim Mattson +Fixes: 20ba262f8631a ("selftests: KVM: AMD Nested test infrastructure") +Message-Id: <20210930003649.4026553-1-jmattson@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/lib/x86_64/svm.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kvm/lib/x86_64/svm.c b/tools/testing/selftests/kvm/lib/x86_64/svm.c +index 2ac98d70d02bd..161eba7cd1289 100644 +--- a/tools/testing/selftests/kvm/lib/x86_64/svm.c ++++ b/tools/testing/selftests/kvm/lib/x86_64/svm.c +@@ -54,6 +54,18 @@ static void vmcb_set_seg(struct vmcb_seg *seg, u16 selector, + seg->base = base; + } + ++/* ++ * Avoid using memset to clear the vmcb, since libc may not be ++ * available in L1 (and, even if it is, features that libc memset may ++ * want to use, like AVX, may not be enabled). ++ */ ++static void clear_vmcb(struct vmcb *vmcb) ++{ ++ int n = sizeof(*vmcb) / sizeof(u32); ++ ++ asm volatile ("rep stosl" : "+c"(n), "+D"(vmcb) : "a"(0) : "memory"); ++} ++ + void generic_svm_setup(struct svm_test_data *svm, void *guest_rip, void *guest_rsp) + { + struct vmcb *vmcb = svm->vmcb; +@@ -70,7 +82,7 @@ void generic_svm_setup(struct svm_test_data *svm, void *guest_rip, void *guest_r + wrmsr(MSR_EFER, efer | EFER_SVME); + wrmsr(MSR_VM_HSAVE_PA, svm->save_area_gpa); + +- memset(vmcb, 0, sizeof(*vmcb)); ++ clear_vmcb(vmcb); + asm volatile ("vmsave %0\n\t" : : "a" (vmcb_gpa) : "memory"); + vmcb_set_seg(&save->es, get_es(), 0, -1U, data_seg_attr); + vmcb_set_seg(&save->cs, get_cs(), 0, -1U, code_seg_attr); +-- +2.33.0 + diff --git a/queue-5.15/leaking_addresses-always-print-a-trailing-newline.patch b/queue-5.15/leaking_addresses-always-print-a-trailing-newline.patch new file mode 100644 index 00000000000..c7f2dffb13e --- /dev/null +++ b/queue-5.15/leaking_addresses-always-print-a-trailing-newline.patch @@ -0,0 +1,44 @@ +From 87583e1260a4786c62e2c755ebdf11763ced5530 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 15:02:18 -0700 +Subject: leaking_addresses: Always print a trailing newline + +From: Kees Cook + +[ Upstream commit cf2a85efdade117e2169d6e26641016cbbf03ef0 ] + +For files that lack trailing newlines and match a leaking address (e.g. +wchan[1]), the leaking_addresses.pl report would run together with the +next line, making things look corrupted. + +Unconditionally remove the newline on input, and write it back out on +output. + +[1] https://lore.kernel.org/all/20210103142726.GC30643@xsang-OptiPlex-9020/ + +Signed-off-by: Kees Cook +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20211008111626.151570317@infradead.org +Signed-off-by: Sasha Levin +--- + scripts/leaking_addresses.pl | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scripts/leaking_addresses.pl b/scripts/leaking_addresses.pl +index b2d8b8aa2d99e..8f636a23bc3f2 100755 +--- a/scripts/leaking_addresses.pl ++++ b/scripts/leaking_addresses.pl +@@ -455,8 +455,9 @@ sub parse_file + + open my $fh, "<", $file or return; + while ( <$fh> ) { ++ chomp; + if (may_leak_address($_)) { +- print $file . ': ' . $_; ++ printf("$file: $_\n"); + } + } + close $fh; +-- +2.33.0 + diff --git a/queue-5.15/leds-trigger-use-rcu-to-protect-the-led_cdevs-list.patch b/queue-5.15/leds-trigger-use-rcu-to-protect-the-led_cdevs-list.patch new file mode 100644 index 00000000000..c2018b77733 --- /dev/null +++ b/queue-5.15/leds-trigger-use-rcu-to-protect-the-led_cdevs-list.patch @@ -0,0 +1,165 @@ +From 36ad1fc563c47aef0e19d9f240a428d25d6c4a56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 18:16:01 +0200 +Subject: leds: trigger: use RCU to protect the led_cdevs list + +From: Johannes Berg + +[ Upstream commit 2a5a8fa8b23144d14567d6f8293dd6fbeecee393 ] + +Even with the previous commit 27af8e2c90fb +("leds: trigger: fix potential deadlock with libata") +to this file, we still get lockdep unhappy, and Boqun +explained the report here: +https://lore.kernel.org/r/YNA+d1X4UkoQ7g8a@boqun-archlinux + +Effectively, this means that the read_lock_irqsave() isn't +enough here because another CPU might be trying to do a +write lock, and thus block the readers. + +This is all pretty messy, but it doesn't seem right that +the LEDs framework imposes some locking requirements on +users, in particular we'd have to make the spinlock in the +iwlwifi driver always disable IRQs, even if we don't need +that for any other reason, just to avoid this deadlock. + +Since writes to the led_cdevs list are rare (and are done +by userspace), just switch the list to RCU. This costs a +synchronize_rcu() at removal time so we can ensure things +are correct, but that seems like a small price to pay for +getting lock-free iterations and no deadlocks (nor any +locking requirements imposed on users.) + +Signed-off-by: Johannes Berg +Signed-off-by: Pavel Machek +Signed-off-by: Sasha Levin +--- + drivers/leds/led-triggers.c | 41 +++++++++++++++++++------------------ + include/linux/leds.h | 2 +- + 2 files changed, 22 insertions(+), 21 deletions(-) + +diff --git a/drivers/leds/led-triggers.c b/drivers/leds/led-triggers.c +index 4e7b78a84149b..072491d3e17b0 100644 +--- a/drivers/leds/led-triggers.c ++++ b/drivers/leds/led-triggers.c +@@ -157,7 +157,6 @@ EXPORT_SYMBOL_GPL(led_trigger_read); + /* Caller must ensure led_cdev->trigger_lock held */ + int led_trigger_set(struct led_classdev *led_cdev, struct led_trigger *trig) + { +- unsigned long flags; + char *event = NULL; + char *envp[2]; + const char *name; +@@ -171,10 +170,13 @@ int led_trigger_set(struct led_classdev *led_cdev, struct led_trigger *trig) + + /* Remove any existing trigger */ + if (led_cdev->trigger) { +- write_lock_irqsave(&led_cdev->trigger->leddev_list_lock, flags); +- list_del(&led_cdev->trig_list); +- write_unlock_irqrestore(&led_cdev->trigger->leddev_list_lock, +- flags); ++ spin_lock(&led_cdev->trigger->leddev_list_lock); ++ list_del_rcu(&led_cdev->trig_list); ++ spin_unlock(&led_cdev->trigger->leddev_list_lock); ++ ++ /* ensure it's no longer visible on the led_cdevs list */ ++ synchronize_rcu(); ++ + cancel_work_sync(&led_cdev->set_brightness_work); + led_stop_software_blink(led_cdev); + if (led_cdev->trigger->deactivate) +@@ -186,9 +188,9 @@ int led_trigger_set(struct led_classdev *led_cdev, struct led_trigger *trig) + led_set_brightness(led_cdev, LED_OFF); + } + if (trig) { +- write_lock_irqsave(&trig->leddev_list_lock, flags); +- list_add_tail(&led_cdev->trig_list, &trig->led_cdevs); +- write_unlock_irqrestore(&trig->leddev_list_lock, flags); ++ spin_lock(&trig->leddev_list_lock); ++ list_add_tail_rcu(&led_cdev->trig_list, &trig->led_cdevs); ++ spin_unlock(&trig->leddev_list_lock); + led_cdev->trigger = trig; + + if (trig->activate) +@@ -223,9 +225,10 @@ err_add_groups: + trig->deactivate(led_cdev); + err_activate: + +- write_lock_irqsave(&led_cdev->trigger->leddev_list_lock, flags); +- list_del(&led_cdev->trig_list); +- write_unlock_irqrestore(&led_cdev->trigger->leddev_list_lock, flags); ++ spin_lock(&led_cdev->trigger->leddev_list_lock); ++ list_del_rcu(&led_cdev->trig_list); ++ spin_unlock(&led_cdev->trigger->leddev_list_lock); ++ synchronize_rcu(); + led_cdev->trigger = NULL; + led_cdev->trigger_data = NULL; + led_set_brightness(led_cdev, LED_OFF); +@@ -285,7 +288,7 @@ int led_trigger_register(struct led_trigger *trig) + struct led_classdev *led_cdev; + struct led_trigger *_trig; + +- rwlock_init(&trig->leddev_list_lock); ++ spin_lock_init(&trig->leddev_list_lock); + INIT_LIST_HEAD(&trig->led_cdevs); + + down_write(&triggers_list_lock); +@@ -378,15 +381,14 @@ void led_trigger_event(struct led_trigger *trig, + enum led_brightness brightness) + { + struct led_classdev *led_cdev; +- unsigned long flags; + + if (!trig) + return; + +- read_lock_irqsave(&trig->leddev_list_lock, flags); +- list_for_each_entry(led_cdev, &trig->led_cdevs, trig_list) ++ rcu_read_lock(); ++ list_for_each_entry_rcu(led_cdev, &trig->led_cdevs, trig_list) + led_set_brightness(led_cdev, brightness); +- read_unlock_irqrestore(&trig->leddev_list_lock, flags); ++ rcu_read_unlock(); + } + EXPORT_SYMBOL_GPL(led_trigger_event); + +@@ -397,20 +399,19 @@ static void led_trigger_blink_setup(struct led_trigger *trig, + int invert) + { + struct led_classdev *led_cdev; +- unsigned long flags; + + if (!trig) + return; + +- read_lock_irqsave(&trig->leddev_list_lock, flags); +- list_for_each_entry(led_cdev, &trig->led_cdevs, trig_list) { ++ rcu_read_lock(); ++ list_for_each_entry_rcu(led_cdev, &trig->led_cdevs, trig_list) { + if (oneshot) + led_blink_set_oneshot(led_cdev, delay_on, delay_off, + invert); + else + led_blink_set(led_cdev, delay_on, delay_off); + } +- read_unlock_irqrestore(&trig->leddev_list_lock, flags); ++ rcu_read_unlock(); + } + + void led_trigger_blink(struct led_trigger *trig, +diff --git a/include/linux/leds.h b/include/linux/leds.h +index a0b730be40ad2..ba4861ec73d30 100644 +--- a/include/linux/leds.h ++++ b/include/linux/leds.h +@@ -360,7 +360,7 @@ struct led_trigger { + struct led_hw_trigger_type *trigger_type; + + /* LEDs under control by this trigger (for simple triggers) */ +- rwlock_t leddev_list_lock; ++ spinlock_t leddev_list_lock; + struct list_head led_cdevs; + + /* Link to next registered trigger */ +-- +2.33.0 + diff --git a/queue-5.15/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch b/queue-5.15/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch new file mode 100644 index 00000000000..404bb70bbb7 --- /dev/null +++ b/queue-5.15/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch @@ -0,0 +1,91 @@ +From b16896b6a4f8cb30e828433dfc0352e8be56cf56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 05:31:39 +0800 +Subject: lib/xz: Avoid overlapping memcpy() with invalid input with in-place + decompression + +From: Lasse Collin + +[ Upstream commit 83d3c4f22a36d005b55f44628f46cc0d319a75e8 ] + +With valid files, the safety margin described in lib/decompress_unxz.c +ensures that these buffers cannot overlap. But if the uncompressed size +of the input is larger than the caller thought, which is possible when +the input file is invalid/corrupt, the buffers can overlap. Obviously +the result will then be garbage (and usually the decoder will return +an error too) but no other harm will happen when such an over-run occurs. + +This change only affects uncompressed LZMA2 chunks and so this +should have no effect on performance. + +Link: https://lore.kernel.org/r/20211010213145.17462-2-xiang@kernel.org +Signed-off-by: Lasse Collin +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + lib/decompress_unxz.c | 2 +- + lib/xz/xz_dec_lzma2.c | 21 +++++++++++++++++++-- + 2 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/lib/decompress_unxz.c b/lib/decompress_unxz.c +index a2f38e23004aa..f7a3dc13316a3 100644 +--- a/lib/decompress_unxz.c ++++ b/lib/decompress_unxz.c +@@ -167,7 +167,7 @@ + * memeq and memzero are not used much and any remotely sane implementation + * is fast enough. memcpy/memmove speed matters in multi-call mode, but + * the kernel image is decompressed in single-call mode, in which only +- * memcpy speed can matter and only if there is a lot of uncompressible data ++ * memmove speed can matter and only if there is a lot of uncompressible data + * (LZMA2 stores uncompressible chunks in uncompressed form). Thus, the + * functions below should just be kept small; it's probably not worth + * optimizing for speed. +diff --git a/lib/xz/xz_dec_lzma2.c b/lib/xz/xz_dec_lzma2.c +index 7a6781e3f47b6..d548cf0e59fe6 100644 +--- a/lib/xz/xz_dec_lzma2.c ++++ b/lib/xz/xz_dec_lzma2.c +@@ -387,7 +387,14 @@ static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b, + + *left -= copy_size; + +- memcpy(dict->buf + dict->pos, b->in + b->in_pos, copy_size); ++ /* ++ * If doing in-place decompression in single-call mode and the ++ * uncompressed size of the file is larger than the caller ++ * thought (i.e. it is invalid input!), the buffers below may ++ * overlap and cause undefined behavior with memcpy(). ++ * With valid inputs memcpy() would be fine here. ++ */ ++ memmove(dict->buf + dict->pos, b->in + b->in_pos, copy_size); + dict->pos += copy_size; + + if (dict->full < dict->pos) +@@ -397,7 +404,11 @@ static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b, + if (dict->pos == dict->end) + dict->pos = 0; + +- memcpy(b->out + b->out_pos, b->in + b->in_pos, ++ /* ++ * Like above but for multi-call mode: use memmove() ++ * to avoid undefined behavior with invalid input. ++ */ ++ memmove(b->out + b->out_pos, b->in + b->in_pos, + copy_size); + } + +@@ -421,6 +432,12 @@ static uint32_t dict_flush(struct dictionary *dict, struct xz_buf *b) + if (dict->pos == dict->end) + dict->pos = 0; + ++ /* ++ * These buffers cannot overlap even if doing in-place ++ * decompression because in multi-call mode dict->buf ++ * has been allocated by us in this file; it's not ++ * provided by the caller like in single-call mode. ++ */ + memcpy(b->out + b->out_pos, dict->buf + dict->start, + copy_size); + } +-- +2.33.0 + diff --git a/queue-5.15/lib-xz-validate-the-value-before-assigning-it-to-an-.patch b/queue-5.15/lib-xz-validate-the-value-before-assigning-it-to-an-.patch new file mode 100644 index 00000000000..b457a1f9ef6 --- /dev/null +++ b/queue-5.15/lib-xz-validate-the-value-before-assigning-it-to-an-.patch @@ -0,0 +1,51 @@ +From 46c5199e839c49ac64061c08c40bc492e479d886 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 05:31:40 +0800 +Subject: lib/xz: Validate the value before assigning it to an enum variable + +From: Lasse Collin + +[ Upstream commit 4f8d7abaa413c34da9d751289849dbfb7c977d05 ] + +This might matter, for example, if the underlying type of enum xz_check +was a signed char. In such a case the validation wouldn't have caught an +unsupported header. I don't know if this problem can occur in the kernel +on any arch but it's still good to fix it because some people might copy +the XZ code to their own projects from Linux instead of the upstream +XZ Embedded repository. + +This change may increase the code size by a few bytes. An alternative +would have been to use an unsigned int instead of enum xz_check but +using an enumeration looks cleaner. + +Link: https://lore.kernel.org/r/20211010213145.17462-3-xiang@kernel.org +Signed-off-by: Lasse Collin +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + lib/xz/xz_dec_stream.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/xz/xz_dec_stream.c b/lib/xz/xz_dec_stream.c +index fea86deaaa01d..683570b93a8c4 100644 +--- a/lib/xz/xz_dec_stream.c ++++ b/lib/xz/xz_dec_stream.c +@@ -402,12 +402,12 @@ static enum xz_ret dec_stream_header(struct xz_dec *s) + * we will accept other check types too, but then the check won't + * be verified and a warning (XZ_UNSUPPORTED_CHECK) will be given. + */ ++ if (s->temp.buf[HEADER_MAGIC_SIZE + 1] > XZ_CHECK_MAX) ++ return XZ_OPTIONS_ERROR; ++ + s->check_type = s->temp.buf[HEADER_MAGIC_SIZE + 1]; + + #ifdef XZ_DEC_ANY_CHECK +- if (s->check_type > XZ_CHECK_MAX) +- return XZ_OPTIONS_ERROR; +- + if (s->check_type > XZ_CHECK_CRC32) + return XZ_UNSUPPORTED_CHECK; + #else +-- +2.33.0 + diff --git a/queue-5.15/libbpf-don-t-crash-on-object-files-with-no-symbol-ta.patch b/queue-5.15/libbpf-don-t-crash-on-object-files-with-no-symbol-ta.patch new file mode 100644 index 00000000000..77dda4f2250 --- /dev/null +++ b/queue-5.15/libbpf-don-t-crash-on-object-files-with-no-symbol-ta.patch @@ -0,0 +1,51 @@ +From 861b036581b40c34a9c647c0aad397af5a64ee3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Sep 2021 13:48:12 +0200 +Subject: libbpf: Don't crash on object files with no symbol tables +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Toke Høiland-Jørgensen + +[ Upstream commit 03e601f48b2da6fb44d0f7b86957a8f6bacfb347 ] + +If libbpf encounters an ELF file that has been stripped of its symbol +table, it will crash in bpf_object__add_programs() when trying to +dereference the obj->efile.symbols pointer. + +Fix this by erroring out of bpf_object__elf_collect() if it is not able +able to find the symbol table. + +v2: + - Move check into bpf_object__elf_collect() and add nice error message + +Fixes: 6245947c1b3c ("libbpf: Allow gaps in BPF program sections to support overriden weak functions") +Signed-off-by: Toke Høiland-Jørgensen +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20210901114812.204720-1-toke@redhat.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index e4f83c304ec92..51180f300d2e1 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -2993,6 +2993,12 @@ static int bpf_object__elf_collect(struct bpf_object *obj) + } + } + ++ if (!obj->efile.symbols) { ++ pr_warn("elf: couldn't find symbol table in %s, stripped object file?\n", ++ obj->path); ++ return -ENOENT; ++ } ++ + scn = NULL; + while ((scn = elf_nextscn(elf, scn)) != NULL) { + idx++; +-- +2.33.0 + diff --git a/queue-5.15/libbpf-fix-btf-header-parsing-checks.patch b/queue-5.15/libbpf-fix-btf-header-parsing-checks.patch new file mode 100644 index 00000000000..f1c55fd654d --- /dev/null +++ b/queue-5.15/libbpf-fix-btf-header-parsing-checks.patch @@ -0,0 +1,54 @@ +From d527377c386124d23407b591df29f085fce96e15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 17:31:57 -0700 +Subject: libbpf: Fix BTF header parsing checks + +From: Andrii Nakryiko + +[ Upstream commit c825f5fee19caf301d9821cd79abaa734322de26 ] + +Original code assumed fixed and correct BTF header length. That's not +always the case, though, so fix this bug with a proper additional check. +And use actual header length instead of sizeof(struct btf_header) in +sanity checks. + +Fixes: 8a138aed4a80 ("bpf: btf: Add BTF support to libbpf") +Reported-by: Evgeny Vereshchagin +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20211023003157.726961-2-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/btf.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c +index cfd701debcf61..1b9341ef638b0 100644 +--- a/tools/lib/bpf/btf.c ++++ b/tools/lib/bpf/btf.c +@@ -231,13 +231,19 @@ static int btf_parse_hdr(struct btf *btf) + } + btf_bswap_hdr(hdr); + } else if (hdr->magic != BTF_MAGIC) { +- pr_debug("Invalid BTF magic:%x\n", hdr->magic); ++ pr_debug("Invalid BTF magic: %x\n", hdr->magic); + return -EINVAL; + } + +- meta_left = btf->raw_size - sizeof(*hdr); ++ if (btf->raw_size < hdr->hdr_len) { ++ pr_debug("BTF header len %u larger than data size %u\n", ++ hdr->hdr_len, btf->raw_size); ++ return -EINVAL; ++ } ++ ++ meta_left = btf->raw_size - hdr->hdr_len; + if (meta_left < (long long)hdr->str_off + hdr->str_len) { +- pr_debug("Invalid BTF total size:%u\n", btf->raw_size); ++ pr_debug("Invalid BTF total size: %u\n", btf->raw_size); + return -EINVAL; + } + +-- +2.33.0 + diff --git a/queue-5.15/libbpf-fix-endianness-detection-in-bpf_core_read_bit.patch b/queue-5.15/libbpf-fix-endianness-detection-in-bpf_core_read_bit.patch new file mode 100644 index 00000000000..c705b55f3d7 --- /dev/null +++ b/queue-5.15/libbpf-fix-endianness-detection-in-bpf_core_read_bit.patch @@ -0,0 +1,40 @@ +From 8cb7066a98d01f01f52176f4447eead97fddd807 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 03:08:26 +0200 +Subject: libbpf: Fix endianness detection in BPF_CORE_READ_BITFIELD_PROBED() + +From: Ilya Leoshkevich + +[ Upstream commit 45f2bebc8079788f62f22d9e8b2819afb1789d7b ] + +__BYTE_ORDER is supposed to be defined by a libc, and __BYTE_ORDER__ - +by a compiler. bpf_core_read.h checks __BYTE_ORDER == __LITTLE_ENDIAN, +which is true if neither are defined, leading to incorrect behavior on +big-endian hosts if libc headers are not included, which is often the +case. + +Fixes: ee26dade0e3b ("libbpf: Add support for relocatable bitfields") +Signed-off-by: Ilya Leoshkevich +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20211026010831.748682-2-iii@linux.ibm.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf_core_read.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h +index 09ebe3db5f2f8..e4aa9996a5501 100644 +--- a/tools/lib/bpf/bpf_core_read.h ++++ b/tools/lib/bpf/bpf_core_read.h +@@ -40,7 +40,7 @@ enum bpf_enum_value_kind { + #define __CORE_RELO(src, field, info) \ + __builtin_preserve_field_info((src)->field, BPF_FIELD_##info) + +-#if __BYTE_ORDER == __LITTLE_ENDIAN ++#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + #define __CORE_BITFIELD_PROBE_READ(dst, src, fld) \ + bpf_probe_read_kernel( \ + (void *)dst, \ +-- +2.33.0 + diff --git a/queue-5.15/libbpf-fix-lookup_and_delete_elem_flags-error-report.patch b/queue-5.15/libbpf-fix-lookup_and_delete_elem_flags-error-report.patch new file mode 100644 index 00000000000..2f73b7ebc3e --- /dev/null +++ b/queue-5.15/libbpf-fix-lookup_and_delete_elem_flags-error-report.patch @@ -0,0 +1,47 @@ +From 2e0768d4ce70daca8b86ae32b5137a69c0c8d17f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 10:13:54 -0700 +Subject: libbpf: Fix lookup_and_delete_elem_flags error reporting + +From: Mehrdad Arshad Rad + +[ Upstream commit 64165ddf8ea184631c65e3bbc8d59f6d940590ca ] + +Fix bpf_map_lookup_and_delete_elem_flags() to pass the return code through +libbpf_err_errno() as we do similarly in bpf_map_lookup_and_delete_elem(). + +Fixes: f12b65432728 ("libbpf: Streamline error reporting for low-level APIs") +Signed-off-by: Mehrdad Arshad Rad +Signed-off-by: Daniel Borkmann +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20211104171354.11072-1-arshad.rad@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/bpf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/bpf.c b/tools/lib/bpf/bpf.c +index 2401fad090c52..bfd1ce9fe2110 100644 +--- a/tools/lib/bpf/bpf.c ++++ b/tools/lib/bpf/bpf.c +@@ -480,6 +480,7 @@ int bpf_map_lookup_and_delete_elem(int fd, const void *key, void *value) + int bpf_map_lookup_and_delete_elem_flags(int fd, const void *key, void *value, __u64 flags) + { + union bpf_attr attr; ++ int ret; + + memset(&attr, 0, sizeof(attr)); + attr.map_fd = fd; +@@ -487,7 +488,8 @@ int bpf_map_lookup_and_delete_elem_flags(int fd, const void *key, void *value, _ + attr.value = ptr_to_u64(value); + attr.flags = flags; + +- return sys_bpf(BPF_MAP_LOOKUP_AND_DELETE_ELEM, &attr, sizeof(attr)); ++ ret = sys_bpf(BPF_MAP_LOOKUP_AND_DELETE_ELEM, &attr, sizeof(attr)); ++ return libbpf_err_errno(ret); + } + + int bpf_map_delete_elem(int fd, const void *key) +-- +2.33.0 + diff --git a/queue-5.15/libbpf-fix-memory-leak-in-btf__dedup.patch b/queue-5.15/libbpf-fix-memory-leak-in-btf__dedup.patch new file mode 100644 index 00000000000..ba530b4d558 --- /dev/null +++ b/queue-5.15/libbpf-fix-memory-leak-in-btf__dedup.patch @@ -0,0 +1,43 @@ +From 7c6860794b81e3707244152e23122f0ee73a95fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 15:20:35 -0500 +Subject: libbpf: Fix memory leak in btf__dedup() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mauricio Vásquez + +[ Upstream commit 1000298c76830bc291358e98e8fa5baa3baa9b3a ] + +Free btf_dedup if btf_ensure_modifiable() returns error. + +Fixes: 919d2b1dbb07 ("libbpf: Allow modification of BTF and add btf__add_str API") +Signed-off-by: Mauricio Vásquez +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20211022202035.48868-1-mauricio@kinvolk.io +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/btf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c +index 77dc24d58302d..bf8c8676d68e5 100644 +--- a/tools/lib/bpf/btf.c ++++ b/tools/lib/bpf/btf.c +@@ -2914,8 +2914,10 @@ int btf__dedup(struct btf *btf, struct btf_ext *btf_ext, + return libbpf_err(-EINVAL); + } + +- if (btf_ensure_modifiable(btf)) +- return libbpf_err(-ENOMEM); ++ if (btf_ensure_modifiable(btf)) { ++ err = -ENOMEM; ++ goto done; ++ } + + err = btf_dedup_prep(d); + if (err) { +-- +2.33.0 + diff --git a/queue-5.15/libbpf-fix-off-by-one-bug-in-bpf_core_apply_relo.patch b/queue-5.15/libbpf-fix-off-by-one-bug-in-bpf_core_apply_relo.patch new file mode 100644 index 00000000000..c384be0f939 --- /dev/null +++ b/queue-5.15/libbpf-fix-off-by-one-bug-in-bpf_core_apply_relo.patch @@ -0,0 +1,36 @@ +From 6081c2908cca2bed57b2379938604c771cae736f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 15:45:28 -0700 +Subject: libbpf: Fix off-by-one bug in bpf_core_apply_relo() + +From: Andrii Nakryiko + +[ Upstream commit de5d0dcef602de39070c31c7e56c58249c56ba37 ] + +Fix instruction index validity check which has off-by-one error. + +Fixes: 3ee4f5335511 ("libbpf: Split bpf_core_apply_relo() into bpf_program independent helper.") +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20211025224531.1088894-2-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/libbpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c +index 51180f300d2e1..7145463a4a562 100644 +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -5138,7 +5138,7 @@ static int bpf_core_apply_relo(struct bpf_program *prog, + * relocated, so it's enough to just subtract in-section offset + */ + insn_idx = insn_idx - prog->sec_insn_off; +- if (insn_idx > prog->insns_cnt) ++ if (insn_idx >= prog->insns_cnt) + return -EINVAL; + insn = &prog->insns[insn_idx]; + +-- +2.33.0 + diff --git a/queue-5.15/libbpf-fix-overflow-in-btf-sanity-checks.patch b/queue-5.15/libbpf-fix-overflow-in-btf-sanity-checks.patch new file mode 100644 index 00000000000..7ca889b7273 --- /dev/null +++ b/queue-5.15/libbpf-fix-overflow-in-btf-sanity-checks.patch @@ -0,0 +1,46 @@ +From b8db8dd0aa757f424e99328029ac50b83d4313e0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 17:31:56 -0700 +Subject: libbpf: Fix overflow in BTF sanity checks + +From: Andrii Nakryiko + +[ Upstream commit 5245dafe3d49efba4d3285cf27ee1cc1eeafafc6 ] + +btf_header's str_off+str_len or type_off+type_len can overflow as they +are u32s. This will lead to bypassing the sanity checks during BTF +parsing, resulting in crashes afterwards. Fix by using 64-bit signed +integers for comparison. + +Fixes: d8123624506c ("libbpf: Fix BTF data layout checks and allow empty BTF") +Reported-by: Evgeny Vereshchagin +Signed-off-by: Andrii Nakryiko +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20211023003157.726961-1-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/btf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/bpf/btf.c b/tools/lib/bpf/btf.c +index bf8c8676d68e5..cfd701debcf61 100644 +--- a/tools/lib/bpf/btf.c ++++ b/tools/lib/bpf/btf.c +@@ -236,12 +236,12 @@ static int btf_parse_hdr(struct btf *btf) + } + + meta_left = btf->raw_size - sizeof(*hdr); +- if (meta_left < hdr->str_off + hdr->str_len) { ++ if (meta_left < (long long)hdr->str_off + hdr->str_len) { + pr_debug("Invalid BTF total size:%u\n", btf->raw_size); + return -EINVAL; + } + +- if (hdr->type_off + hdr->type_len > hdr->str_off) { ++ if ((long long)hdr->type_off + hdr->type_len > hdr->str_off) { + pr_debug("Invalid BTF data sections layout: type data at %u + %u, strings data at %u + %u\n", + hdr->type_off, hdr->type_len, hdr->str_off, hdr->str_len); + return -EINVAL; +-- +2.33.0 + diff --git a/queue-5.15/libbpf-fix-skel_internal.h-to-set-errno-on-loader-re.patch b/queue-5.15/libbpf-fix-skel_internal.h-to-set-errno-on-loader-re.patch new file mode 100644 index 00000000000..8fd443fff6a --- /dev/null +++ b/queue-5.15/libbpf-fix-skel_internal.h-to-set-errno-on-loader-re.patch @@ -0,0 +1,54 @@ +From a7cd644ee378da5326ff1a55557bc1918ea805f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 20:29:39 +0530 +Subject: libbpf: Fix skel_internal.h to set errno on loader retval < 0 + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit e68ac0082787f4e8ee6ae5b19076ec7709ce715b ] + +When the loader indicates an internal error (result of a checked bpf +system call), it returns the result in attr.test.retval. However, tests +that rely on ASSERT_OK_PTR on NULL (returned from light skeleton) may +miss that NULL denotes an error if errno is set to 0. This would result +in skel pointer being NULL, while ASSERT_OK_PTR returning 1, leading to +a SEGV on dereference of skel, because libbpf_get_error relies on the +assumption that errno is always set in case of error for ptr == NULL. + +In particular, this was observed for the ksyms_module test. When +executed using `./test_progs -t ksyms`, prior tests manipulated errno +and the test didn't crash when it failed at ksyms_module load, while +using `./test_progs -t ksyms_module` crashed due to errno being +untouched. + +Fixes: 67234743736a (libbpf: Generate loader program out of BPF ELF file.) +Signed-off-by: Kumar Kartikeya Dwivedi +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20210927145941.1383001-11-memxor@gmail.com +Signed-off-by: Sasha Levin +--- + tools/lib/bpf/skel_internal.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/tools/lib/bpf/skel_internal.h b/tools/lib/bpf/skel_internal.h +index b22b50c1b173e..9cf66702fa8dd 100644 +--- a/tools/lib/bpf/skel_internal.h ++++ b/tools/lib/bpf/skel_internal.h +@@ -105,10 +105,12 @@ static inline int bpf_load_and_run(struct bpf_load_and_run_opts *opts) + err = skel_sys_bpf(BPF_PROG_RUN, &attr, sizeof(attr)); + if (err < 0 || (int)attr.test.retval < 0) { + opts->errstr = "failed to execute loader prog"; +- if (err < 0) ++ if (err < 0) { + err = -errno; +- else ++ } else { + err = (int)attr.test.retval; ++ errno = -err; ++ } + goto out; + } + err = 0; +-- +2.33.0 + diff --git a/queue-5.15/libertas-fix-possible-memory-leak-in-probe-and-disco.patch b/queue-5.15/libertas-fix-possible-memory-leak-in-probe-and-disco.patch new file mode 100644 index 00000000000..d20f8dc4bbc --- /dev/null +++ b/queue-5.15/libertas-fix-possible-memory-leak-in-probe-and-disco.patch @@ -0,0 +1,72 @@ +From 6a38b4befdf1c8a46df0593378774e46b2d94d3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 20:03:45 +0800 +Subject: libertas: Fix possible memory leak in probe and disconnect + +From: Wang Hai + +[ Upstream commit 9692151e2fe7a326bafe99836fd1f20a2cc3a049 ] + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff88812c7d7400 (size 512): + comm "kworker/6:1", pid 176, jiffies 4295003332 (age 822.830s) + hex dump (first 32 bytes): + 00 68 1e 04 81 88 ff ff 01 00 00 00 00 00 00 00 .h.............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x9c/0x490 + [] kmem_cache_alloc_trace+0x1f7/0x470 + [] if_usb_probe+0x63/0x446 [usb8xxx] + [] usb_probe_interface+0x1aa/0x3c0 [usbcore] + [] really_probe+0x190/0x480 + [] __driver_probe_device+0xf9/0x180 + [] driver_probe_device+0x53/0x130 + [] __device_attach_driver+0x105/0x130 + [] bus_for_each_drv+0x129/0x190 + [] __device_attach+0x1c9/0x270 + [] device_initial_probe+0x20/0x30 + [] bus_probe_device+0x142/0x160 + [] device_add+0x829/0x1300 + [] usb_set_configuration+0xb01/0xcc0 [usbcore] + [] usb_generic_driver_probe+0x6e/0x90 [usbcore] + [] usb_probe_device+0x6f/0x130 [usbcore] + +cardp is missing being freed in the error handling path of the probe +and the path of the disconnect, which will cause memory leak. + +This patch adds the missing kfree(). + +Fixes: 876c9d3aeb98 ("[PATCH] Marvell Libertas 8388 802.11b/g USB driver") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211020120345.2016045-3-wanghai38@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/if_usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c +index 20436a289d5cd..5d6dc1dd050d4 100644 +--- a/drivers/net/wireless/marvell/libertas/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas/if_usb.c +@@ -292,6 +292,7 @@ err_add_card: + if_usb_reset_device(cardp); + dealloc: + if_usb_free(cardp); ++ kfree(cardp); + + error: + return r; +@@ -316,6 +317,7 @@ static void if_usb_disconnect(struct usb_interface *intf) + + /* Unlink and free urb */ + if_usb_free(cardp); ++ kfree(cardp); + + usb_set_intfdata(intf, NULL); + usb_put_dev(interface_to_usbdev(intf)); +-- +2.33.0 + diff --git a/queue-5.15/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch b/queue-5.15/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch new file mode 100644 index 00000000000..69c23c12421 --- /dev/null +++ b/queue-5.15/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch @@ -0,0 +1,72 @@ +From f29537ed70faacefc489be6ce4d4887a2c64c981 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 20:03:44 +0800 +Subject: libertas_tf: Fix possible memory leak in probe and disconnect + +From: Wang Hai + +[ Upstream commit d549107305b4634c81223a853701c06bcf657bc3 ] + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff88810a2ddc00 (size 512): + comm "kworker/6:1", pid 176, jiffies 4295009893 (age 757.220s) + hex dump (first 32 bytes): + 00 50 05 18 81 88 ff ff 00 00 00 00 00 00 00 00 .P.............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x9c/0x490 + [] kmem_cache_alloc_trace+0x1f7/0x470 + [] if_usb_probe+0x60/0x37c [libertas_tf_usb] + [] usb_probe_interface+0x1aa/0x3c0 [usbcore] + [] really_probe+0x190/0x480 + [] __driver_probe_device+0xf9/0x180 + [] driver_probe_device+0x53/0x130 + [] __device_attach_driver+0x105/0x130 + [] bus_for_each_drv+0x129/0x190 + [] __device_attach+0x1c9/0x270 + [] device_initial_probe+0x20/0x30 + [] bus_probe_device+0x142/0x160 + [] device_add+0x829/0x1300 + [] usb_set_configuration+0xb01/0xcc0 [usbcore] + [] usb_generic_driver_probe+0x6e/0x90 [usbcore] + [] usb_probe_device+0x6f/0x130 [usbcore] + +cardp is missing being freed in the error handling path of the probe +and the path of the disconnect, which will cause memory leak. + +This patch adds the missing kfree(). + +Fixes: c305a19a0d0a ("libertas_tf: usb specific functions") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211020120345.2016045-2-wanghai38@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c +index fe0a69e804d8c..75b5319d033f3 100644 +--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c +@@ -230,6 +230,7 @@ static int if_usb_probe(struct usb_interface *intf, + + dealloc: + if_usb_free(cardp); ++ kfree(cardp); + error: + lbtf_deb_leave(LBTF_DEB_MAIN); + return -ENOMEM; +@@ -254,6 +255,7 @@ static void if_usb_disconnect(struct usb_interface *intf) + + /* Unlink and free urb */ + if_usb_free(cardp); ++ kfree(cardp); + + usb_set_intfdata(intf, NULL); + usb_put_dev(interface_to_usbdev(intf)); +-- +2.33.0 + diff --git a/queue-5.15/litex_liteeth-fix-a-double-free-in-the-remove-functi.patch b/queue-5.15/litex_liteeth-fix-a-double-free-in-the-remove-functi.patch new file mode 100644 index 00000000000..5bfebe0e80a --- /dev/null +++ b/queue-5.15/litex_liteeth-fix-a-double-free-in-the-remove-functi.patch @@ -0,0 +1,36 @@ +From 6971573fbbd419de9a04b81fbdb17bf8f0c2b813 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Nov 2021 21:13:07 +0100 +Subject: litex_liteeth: Fix a double free in the remove function + +From: Christophe JAILLET + +[ Upstream commit c45231a7668d6b632534f692b10592ea375b55b0 ] + +'netdev' is a managed resource allocated in the probe using +'devm_alloc_etherdev()'. +It must not be freed explicitly in the remove function. + +Fixes: ee7da21ac4c3 ("net: Add driver for LiteX's LiteETH network interface") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/litex/litex_liteeth.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/ethernet/litex/litex_liteeth.c b/drivers/net/ethernet/litex/litex_liteeth.c +index a9bdbf0dcfe1e..5bb1cc8a2ce13 100644 +--- a/drivers/net/ethernet/litex/litex_liteeth.c ++++ b/drivers/net/ethernet/litex/litex_liteeth.c +@@ -289,7 +289,6 @@ static int liteeth_remove(struct platform_device *pdev) + struct net_device *netdev = platform_get_drvdata(pdev); + + unregister_netdev(netdev); +- free_netdev(netdev); + + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch b/queue-5.15/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch new file mode 100644 index 00000000000..fa2ab353316 --- /dev/null +++ b/queue-5.15/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch @@ -0,0 +1,68 @@ +From 8e3972cdd6b697315c26006cf64ae771bb8f76f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 14:42:14 -0700 +Subject: llc: fix out-of-bound array index in llc_sk_dev_hash() + +From: Eric Dumazet + +[ Upstream commit 8ac9dfd58b138f7e82098a4e0a0d46858b12215b ] + +Both ifindex and LLC_SK_DEV_HASH_ENTRIES are signed. + +This means that (ifindex % LLC_SK_DEV_HASH_ENTRIES) is negative +if @ifindex is negative. + +We could simply make LLC_SK_DEV_HASH_ENTRIES unsigned. + +In this patch I chose to use hash_32() to get more entropy +from @ifindex, like llc_sk_laddr_hashfn(). + +UBSAN: array-index-out-of-bounds in ./include/net/llc.h:75:26 +index -43 is out of range for type 'hlist_head [64]' +CPU: 1 PID: 20999 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:151 + __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:291 + llc_sk_dev_hash include/net/llc.h:75 [inline] + llc_sap_add_socket+0x49c/0x520 net/llc/llc_conn.c:697 + llc_ui_bind+0x680/0xd70 net/llc/af_llc.c:404 + __sys_bind+0x1e9/0x250 net/socket.c:1693 + __do_sys_bind net/socket.c:1704 [inline] + __se_sys_bind net/socket.c:1702 [inline] + __x64_sys_bind+0x6f/0xb0 net/socket.c:1702 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7fa503407ae9 + +Fixes: 6d2e3ea28446 ("llc: use a device based hash table to speed up multicast delivery") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/llc.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/net/llc.h b/include/net/llc.h +index df282d9b40170..9c10b121b49b0 100644 +--- a/include/net/llc.h ++++ b/include/net/llc.h +@@ -72,7 +72,9 @@ struct llc_sap { + static inline + struct hlist_head *llc_sk_dev_hash(struct llc_sap *sap, int ifindex) + { +- return &sap->sk_dev_hash[ifindex % LLC_SK_DEV_HASH_ENTRIES]; ++ u32 bucket = hash_32(ifindex, LLC_SK_DEV_HASH_BITS); ++ ++ return &sap->sk_dev_hash[bucket]; + } + + static inline +-- +2.33.0 + diff --git a/queue-5.15/lockdep-let-lock_is_held_type-detect-recursive-read-.patch b/queue-5.15/lockdep-let-lock_is_held_type-detect-recursive-read-.patch new file mode 100644 index 00000000000..7b942b55fa7 --- /dev/null +++ b/queue-5.15/lockdep-let-lock_is_held_type-detect-recursive-read-.patch @@ -0,0 +1,44 @@ +From f1b45f6f65a747b1cb3bf0fb4aa9abf59ac3acec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Sep 2021 10:40:01 +0200 +Subject: lockdep: Let lock_is_held_type() detect recursive read as read + +From: Sebastian Andrzej Siewior + +[ Upstream commit 2507003a1d10917c9158077bf6030719d02c941e ] + +lock_is_held_type(, 1) detects acquired read locks. It only recognized +locks acquired with lock_acquire_shared(). Read locks acquired with +lock_acquire_shared_recursive() are not recognized because a `2' is +stored as the read value. + +Rework the check to additionally recognise lock's read value one and two +as a read held lock. + +Fixes: e918188611f07 ("locking: More accurate annotations for read_lock()") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Boqun Feng +Acked-by: Waiman Long +Link: https://lkml.kernel.org/r/20210903084001.lblecrvz4esl4mrr@linutronix.de +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index 8a509672a4cc9..d624231eab2bb 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -5366,7 +5366,7 @@ int __lock_is_held(const struct lockdep_map *lock, int read) + struct held_lock *hlock = curr->held_locks + i; + + if (match_held_lock(hlock, lock)) { +- if (read == -1 || hlock->read == read) ++ if (read == -1 || !!hlock->read == read) + return LOCK_STATE_HELD; + + return LOCK_STATE_NOT_HELD; +-- +2.33.0 + diff --git a/queue-5.15/locking-lockdep-avoid-rcu-induced-noinstr-fail.patch b/queue-5.15/locking-lockdep-avoid-rcu-induced-noinstr-fail.patch new file mode 100644 index 00000000000..af8019f176e --- /dev/null +++ b/queue-5.15/locking-lockdep-avoid-rcu-induced-noinstr-fail.patch @@ -0,0 +1,34 @@ +From cca483c07bc5013c0a821b41431ebb5314ce604f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 11:41:10 +0200 +Subject: locking/lockdep: Avoid RCU-induced noinstr fail + +From: Peter Zijlstra + +[ Upstream commit ce0b9c805dd66d5e49fd53ec5415ae398f4c56e6 ] + +vmlinux.o: warning: objtool: look_up_lock_class()+0xc7: call to rcu_read_lock_any_held() leaves .noinstr.text section + +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20210624095148.311980536@infradead.org +Signed-off-by: Sasha Levin +--- + kernel/locking/lockdep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c +index bf1c00c881e48..8a509672a4cc9 100644 +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -888,7 +888,7 @@ look_up_lock_class(const struct lockdep_map *lock, unsigned int subclass) + if (DEBUG_LOCKS_WARN_ON(!irqs_disabled())) + return NULL; + +- hlist_for_each_entry_rcu(class, hash_head, hash_entry) { ++ hlist_for_each_entry_rcu_notrace(class, hash_head, hash_entry) { + if (class->key == key) { + /* + * Huh! same key, different name? Did someone trample +-- +2.33.0 + diff --git a/queue-5.15/locking-rwsem-disable-preemption-for-spinning-region.patch b/queue-5.15/locking-rwsem-disable-preemption-for-spinning-region.patch new file mode 100644 index 00000000000..f02aded7b69 --- /dev/null +++ b/queue-5.15/locking-rwsem-disable-preemption-for-spinning-region.patch @@ -0,0 +1,114 @@ +From 01ce4e807345b68fc108713b85cc096f2b3da99b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 21:41:53 +0800 +Subject: locking/rwsem: Disable preemption for spinning region + +From: Yanfei Xu + +[ Upstream commit 7cdacc5f52d68a9370f182c844b5b3e6cc975cc1 ] + +The spinning region rwsem_spin_on_owner() should not be preempted, +however the rwsem_down_write_slowpath() invokes it and don't disable +preemption. Fix it by adding a pair of preempt_disable/enable(). + +Signed-off-by: Yanfei Xu +[peterz: Fix CONFIG_RWSEM_SPIN_ON_OWNER=n build] +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Waiman Long +Link: https://lore.kernel.org/r/20211013134154.1085649-3-yanfei.xu@windriver.com +Signed-off-by: Sasha Levin +--- + kernel/locking/rwsem.c | 53 ++++++++++++++++++++++++------------------ + 1 file changed, 30 insertions(+), 23 deletions(-) + +diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c +index 000e8d5a28841..29eea50a3e678 100644 +--- a/kernel/locking/rwsem.c ++++ b/kernel/locking/rwsem.c +@@ -577,6 +577,24 @@ static inline bool rwsem_try_write_lock(struct rw_semaphore *sem, + return true; + } + ++/* ++ * The rwsem_spin_on_owner() function returns the following 4 values ++ * depending on the lock owner state. ++ * OWNER_NULL : owner is currently NULL ++ * OWNER_WRITER: when owner changes and is a writer ++ * OWNER_READER: when owner changes and the new owner may be a reader. ++ * OWNER_NONSPINNABLE: ++ * when optimistic spinning has to stop because either the ++ * owner stops running, is unknown, or its timeslice has ++ * been used up. ++ */ ++enum owner_state { ++ OWNER_NULL = 1 << 0, ++ OWNER_WRITER = 1 << 1, ++ OWNER_READER = 1 << 2, ++ OWNER_NONSPINNABLE = 1 << 3, ++}; ++ + #ifdef CONFIG_RWSEM_SPIN_ON_OWNER + /* + * Try to acquire write lock before the writer has been put on wait queue. +@@ -632,23 +650,6 @@ static inline bool rwsem_can_spin_on_owner(struct rw_semaphore *sem) + return ret; + } + +-/* +- * The rwsem_spin_on_owner() function returns the following 4 values +- * depending on the lock owner state. +- * OWNER_NULL : owner is currently NULL +- * OWNER_WRITER: when owner changes and is a writer +- * OWNER_READER: when owner changes and the new owner may be a reader. +- * OWNER_NONSPINNABLE: +- * when optimistic spinning has to stop because either the +- * owner stops running, is unknown, or its timeslice has +- * been used up. +- */ +-enum owner_state { +- OWNER_NULL = 1 << 0, +- OWNER_WRITER = 1 << 1, +- OWNER_READER = 1 << 2, +- OWNER_NONSPINNABLE = 1 << 3, +-}; + #define OWNER_SPINNABLE (OWNER_NULL | OWNER_WRITER | OWNER_READER) + + static inline enum owner_state +@@ -878,12 +879,11 @@ static inline bool rwsem_optimistic_spin(struct rw_semaphore *sem) + + static inline void clear_nonspinnable(struct rw_semaphore *sem) { } + +-static inline int ++static inline enum owner_state + rwsem_spin_on_owner(struct rw_semaphore *sem) + { +- return 0; ++ return OWNER_NONSPINNABLE; + } +-#define OWNER_NULL 1 + #endif + + /* +@@ -1095,9 +1095,16 @@ wait: + * In this case, we attempt to acquire the lock again + * without sleeping. + */ +- if (wstate == WRITER_HANDOFF && +- rwsem_spin_on_owner(sem) == OWNER_NULL) +- goto trylock_again; ++ if (wstate == WRITER_HANDOFF) { ++ enum owner_state owner_state; ++ ++ preempt_disable(); ++ owner_state = rwsem_spin_on_owner(sem); ++ preempt_enable(); ++ ++ if (owner_state == OWNER_NULL) ++ goto trylock_again; ++ } + + /* Block until there are no active lockers. */ + for (;;) { +-- +2.33.0 + diff --git a/queue-5.15/m68k-set-a-default-value-for-memory_reserve.patch b/queue-5.15/m68k-set-a-default-value-for-memory_reserve.patch new file mode 100644 index 00000000000..e077db96731 --- /dev/null +++ b/queue-5.15/m68k-set-a-default-value-for-memory_reserve.patch @@ -0,0 +1,50 @@ +From f3c03cafa0ad2afe81debd22798cab6acf5bf032 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Oct 2021 17:02:23 -0700 +Subject: m68k: set a default value for MEMORY_RESERVE + +From: Randy Dunlap + +[ Upstream commit 1aaa557b2db95c9506ed0981bc34505c32d6b62b ] + +'make randconfig' can produce a .config file with +"CONFIG_MEMORY_RESERVE=" (no value) since it has no default. +When a subsequent 'make all' is done, kconfig restarts the config +and prompts for a value for MEMORY_RESERVE. This breaks +scripting/automation where there is no interactive user input. + +Add a default value for MEMORY_RESERVE. (Any integer value will +work here for kconfig.) + +Fixes a kconfig warning: + +.config:214:warning: symbol value '' invalid for MEMORY_RESERVE +* Restart config... +Memory reservation (MiB) (MEMORY_RESERVE) [] (NEW) + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") # from beginning of git history +Signed-off-by: Randy Dunlap +Reviewed-by: Geert Uytterhoeven +Cc: Greg Ungerer +Cc: linux-m68k@lists.linux-m68k.org +Signed-off-by: Greg Ungerer +Signed-off-by: Sasha Levin +--- + arch/m68k/Kconfig.machine | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/m68k/Kconfig.machine b/arch/m68k/Kconfig.machine +index 36fa0c3ef1296..eeab4f3e6c197 100644 +--- a/arch/m68k/Kconfig.machine ++++ b/arch/m68k/Kconfig.machine +@@ -203,6 +203,7 @@ config INIT_LCD + config MEMORY_RESERVE + int "Memory reservation (MiB)" + depends on (UCSIMM || UCDIMM) ++ default 0 + help + Reserve certain memory regions on 68x328 based boards. + +-- +2.33.0 + diff --git a/queue-5.15/mac80211-twt-don-t-use-potentially-unaligned-pointer.patch b/queue-5.15/mac80211-twt-don-t-use-potentially-unaligned-pointer.patch new file mode 100644 index 00000000000..d3a8a927392 --- /dev/null +++ b/queue-5.15/mac80211-twt-don-t-use-potentially-unaligned-pointer.patch @@ -0,0 +1,46 @@ +From 125e6cadb06455ad7d4c35821c4caf2996e86037 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 11:51:24 +0200 +Subject: mac80211: twt: don't use potentially unaligned pointer + +From: Johannes Berg + +[ Upstream commit 7ff379ba2d4b7b205240e666601fe302207d73f8 ] + +Since we're pointing into a frame, the pointer to the +twt_agrt->req_type struct member is potentially not +aligned properly. Open-code le16p_replace_bits() to +avoid passing an unaligned pointer. + +Reported-by: kernel test robot +Fixes: f5a4c24e689f ("mac80211: introduce individual TWT support in AP mode") +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20210927115124.e1208694f37b.Ie3de9bcc5dde5a79e3ac81f3185beafe4d214e57@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/s1g.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/s1g.c b/net/mac80211/s1g.c +index 7e35ab5b61664..4141bc80cdfd6 100644 +--- a/net/mac80211/s1g.c ++++ b/net/mac80211/s1g.c +@@ -104,9 +104,11 @@ ieee80211_s1g_rx_twt_setup(struct ieee80211_sub_if_data *sdata, + + /* broadcast TWT not supported yet */ + if (twt->control & IEEE80211_TWT_CONTROL_NEG_TYPE_BROADCAST) { +- le16p_replace_bits(&twt_agrt->req_type, +- TWT_SETUP_CMD_REJECT, +- IEEE80211_TWT_REQTYPE_SETUP_CMD); ++ twt_agrt->req_type &= ++ ~cpu_to_le16(IEEE80211_TWT_REQTYPE_SETUP_CMD); ++ twt_agrt->req_type |= ++ le16_encode_bits(TWT_SETUP_CMD_REJECT, ++ IEEE80211_TWT_REQTYPE_SETUP_CMD); + goto out; + } + +-- +2.33.0 + diff --git a/queue-5.15/mailbox-mtk-cmdq-fix-local-clock-id-usage.patch b/queue-5.15/mailbox-mtk-cmdq-fix-local-clock-id-usage.patch new file mode 100644 index 00000000000..9ca6e4fee97 --- /dev/null +++ b/queue-5.15/mailbox-mtk-cmdq-fix-local-clock-id-usage.patch @@ -0,0 +1,56 @@ +From 18ef805625f8267d63aa9a96f5ad3c11aad74804 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 20:03:52 +0800 +Subject: mailbox: mtk-cmdq: Fix local clock ID usage + +From: Fei Shao + +[ Upstream commit 0a5ad4322927ee4aaba6facc0e4faf1ab6c0d48e ] + +In the probe function, the clock IDs were pointed to local variables +which should only be used in the same code block, and any access to them +after the probing stage becomes an use-after-free case. + +Since there are only limited variants of the gce clock names so far, we +can just declare them as static constants to fix the issue. + +Fixes: 85dfdbfc13ea ("mailbox: cmdq: add multi-gce clocks support for mt8195") +Signed-off-by: Fei Shao +Reviewed-by: Tzung-Bi Shih +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mtk-cmdq-mailbox.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c +index 9b0cc3bb5b23a..bb4793c7b38fd 100644 +--- a/drivers/mailbox/mtk-cmdq-mailbox.c ++++ b/drivers/mailbox/mtk-cmdq-mailbox.c +@@ -531,7 +531,8 @@ static int cmdq_probe(struct platform_device *pdev) + struct device_node *phandle = dev->of_node; + struct device_node *node; + int alias_id = 0; +- char clk_name[4] = "gce"; ++ static const char * const clk_name = "gce"; ++ static const char * const clk_names[] = { "gce0", "gce1" }; + + cmdq = devm_kzalloc(dev, sizeof(*cmdq), GFP_KERNEL); + if (!cmdq) +@@ -569,12 +570,9 @@ static int cmdq_probe(struct platform_device *pdev) + + if (cmdq->gce_num > 1) { + for_each_child_of_node(phandle->parent, node) { +- char clk_id[8]; +- + alias_id = of_alias_get_id(node, clk_name); + if (alias_id >= 0 && alias_id < cmdq->gce_num) { +- snprintf(clk_id, sizeof(clk_id), "%s%d", clk_name, alias_id); +- cmdq->clocks[alias_id].id = clk_id; ++ cmdq->clocks[alias_id].id = clk_names[alias_id]; + cmdq->clocks[alias_id].clk = of_clk_get(node, 0); + if (IS_ERR(cmdq->clocks[alias_id].clk)) { + dev_err(dev, "failed to get gce clk: %d\n", alias_id); +-- +2.33.0 + diff --git a/queue-5.15/mailbox-mtk-cmdq-validate-alias_id-on-probe.patch b/queue-5.15/mailbox-mtk-cmdq-validate-alias_id-on-probe.patch new file mode 100644 index 00000000000..a4c894bcd22 --- /dev/null +++ b/queue-5.15/mailbox-mtk-cmdq-validate-alias_id-on-probe.patch @@ -0,0 +1,38 @@ +From d69b7f0611b9d1681119f495622fc4b0e6ca811f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 20:03:51 +0800 +Subject: mailbox: mtk-cmdq: Validate alias_id on probe + +From: Fei Shao + +[ Upstream commit 5c154b6a51c2d2d7f266b3ef49b7dd1dc8cb5b65 ] + +of_alias_get_id() may return -ENODEV which leads to illegal access to +the cmdq->clocks array. +Adding a check over alias_id to prevent the unexpected behavior. + +Fixes: 85dfdbfc13ea ("mailbox: cmdq: add multi-gce clocks support for mt8195") +Signed-off-by: Fei Shao +Reviewed-by: Tzung-Bi Shih +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mtk-cmdq-mailbox.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c +index c591dab9d5a48..9b0cc3bb5b23a 100644 +--- a/drivers/mailbox/mtk-cmdq-mailbox.c ++++ b/drivers/mailbox/mtk-cmdq-mailbox.c +@@ -572,7 +572,7 @@ static int cmdq_probe(struct platform_device *pdev) + char clk_id[8]; + + alias_id = of_alias_get_id(node, clk_name); +- if (alias_id < cmdq->gce_num) { ++ if (alias_id >= 0 && alias_id < cmdq->gce_num) { + snprintf(clk_id, sizeof(clk_id), "%s%d", clk_name, alias_id); + cmdq->clocks[alias_id].id = clk_id; + cmdq->clocks[alias_id].clk = of_clk_get(node, 0); +-- +2.33.0 + diff --git a/queue-5.15/mailbox-remove-warn_on-for-async_cb.cb-in-cmdq_exec_.patch b/queue-5.15/mailbox-remove-warn_on-for-async_cb.cb-in-cmdq_exec_.patch new file mode 100644 index 00000000000..616e2691ae2 --- /dev/null +++ b/queue-5.15/mailbox-remove-warn_on-for-async_cb.cb-in-cmdq_exec_.patch @@ -0,0 +1,39 @@ +From 7df2018b5bd6cc170c9cb86e005ff43ca27044ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 15:08:07 +0800 +Subject: mailbox: Remove WARN_ON for async_cb.cb in cmdq_exec_done + +From: jason-jh.lin + +[ Upstream commit ce1537fe288469bf68ee0aabdb860a790b4755ef ] + +Because mtk_drm_crtc_update_config is not using cmdq_pkt_flush_async, +it won't have pkt->async_cb.cb anymore. + +So remove the WARN_ON check of pkt->async_cb.cb at cmdq_exec_done. + +Fixes: 1b6b0ce2240e ("mailbox: mtk-cmdq: Use mailbox rx_callback") +Signed-off-by: jason-jh.lin +Reviewed-by: Chun-Kuang Hu +Tested-by: Enric Balletbo i Serra +Signed-off-by: Jassi Brar +Signed-off-by: Sasha Levin +--- + drivers/mailbox/mtk-cmdq-mailbox.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mailbox/mtk-cmdq-mailbox.c b/drivers/mailbox/mtk-cmdq-mailbox.c +index 64175a893312e..c591dab9d5a48 100644 +--- a/drivers/mailbox/mtk-cmdq-mailbox.c ++++ b/drivers/mailbox/mtk-cmdq-mailbox.c +@@ -195,7 +195,6 @@ static void cmdq_task_exec_done(struct cmdq_task *task, int sta) + struct cmdq_task_cb *cb = &task->pkt->async_cb; + struct cmdq_cb_data data; + +- WARN_ON(cb->cb == (cmdq_async_flush_cb)NULL); + data.sta = sta; + data.data = cb->data; + data.pkt = task->pkt; +-- +2.33.0 + diff --git a/queue-5.15/md-update-superblock-after-changing-rdev-flags-in-st.patch b/queue-5.15/md-update-superblock-after-changing-rdev-flags-in-st.patch new file mode 100644 index 00000000000..e661b5a0f67 --- /dev/null +++ b/queue-5.15/md-update-superblock-after-changing-rdev-flags-in-st.patch @@ -0,0 +1,82 @@ +From fd9de7a36771d2c78d42ecf0243f79ad03efa301 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 22:59:33 +0800 +Subject: md: update superblock after changing rdev flags in state_store + +From: Xiao Ni + +[ Upstream commit 8b9e2291e355a0eafdd5b1e21a94a6659f24b351 ] + +When the in memory flag is changed, we need to persist the change in the +rdev superblock flags. This is needed for "writemostly" and "failfast". + +Reviewed-by: Li Feng +Signed-off-by: Xiao Ni +Signed-off-by: Song Liu +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 6c0c3d0d905aa..e89eb467f1429 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -2976,7 +2976,11 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len) + * -write_error - clears WriteErrorSeen + * {,-}failfast - set/clear FailFast + */ ++ ++ struct mddev *mddev = rdev->mddev; + int err = -EINVAL; ++ bool need_update_sb = false; ++ + if (cmd_match(buf, "faulty") && rdev->mddev->pers) { + md_error(rdev->mddev, rdev); + if (test_bit(Faulty, &rdev->flags)) +@@ -2991,7 +2995,6 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len) + if (rdev->raid_disk >= 0) + err = -EBUSY; + else { +- struct mddev *mddev = rdev->mddev; + err = 0; + if (mddev_is_clustered(mddev)) + err = md_cluster_ops->remove_disk(mddev, rdev); +@@ -3008,10 +3011,12 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len) + } else if (cmd_match(buf, "writemostly")) { + set_bit(WriteMostly, &rdev->flags); + mddev_create_serial_pool(rdev->mddev, rdev, false); ++ need_update_sb = true; + err = 0; + } else if (cmd_match(buf, "-writemostly")) { + mddev_destroy_serial_pool(rdev->mddev, rdev, false); + clear_bit(WriteMostly, &rdev->flags); ++ need_update_sb = true; + err = 0; + } else if (cmd_match(buf, "blocked")) { + set_bit(Blocked, &rdev->flags); +@@ -3037,9 +3042,11 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len) + err = 0; + } else if (cmd_match(buf, "failfast")) { + set_bit(FailFast, &rdev->flags); ++ need_update_sb = true; + err = 0; + } else if (cmd_match(buf, "-failfast")) { + clear_bit(FailFast, &rdev->flags); ++ need_update_sb = true; + err = 0; + } else if (cmd_match(buf, "-insync") && rdev->raid_disk >= 0 && + !test_bit(Journal, &rdev->flags)) { +@@ -3118,6 +3125,8 @@ state_store(struct md_rdev *rdev, const char *buf, size_t len) + clear_bit(ExternalBbl, &rdev->flags); + err = 0; + } ++ if (need_update_sb) ++ md_update_sb(mddev, 1); + if (!err) + sysfs_notify_dirent_safe(rdev->sysfs_state); + return err ? err : len; +-- +2.33.0 + diff --git a/queue-5.15/media-allegro-ignore-interrupt-if-mailbox-is-not-ini.patch b/queue-5.15/media-allegro-ignore-interrupt-if-mailbox-is-not-ini.patch new file mode 100644 index 00000000000..53c02969bf2 --- /dev/null +++ b/queue-5.15/media-allegro-ignore-interrupt-if-mailbox-is-not-ini.patch @@ -0,0 +1,50 @@ +From 0941484ce2a569220cd205dab7febf85ea4ad429 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 14:03:10 +0100 +Subject: media: allegro: ignore interrupt if mailbox is not initialized + +From: Michael Tretter + +[ Upstream commit 1ecda6393db4be44aba27a243e648dc98c9b92e3 ] + +The mailbox is initialized after the interrupt handler is installed. As +the firmware is loaded and started even later, it should not happen that +the interrupt occurs without the mailbox being initialized. + +As the Linux Driver Verification project (linuxtesting.org) keeps +reporting this as an error, add a check to ignore interrupts before the +mailbox is initialized to fix this potential null pointer dereference. + +Reported-by: Yuri Savinykh +Reported-by: Nadezda Lutovinova +Signed-off-by: Michael Tretter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/allegro-dvt/allegro-core.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/platform/allegro-dvt/allegro-core.c b/drivers/media/platform/allegro-dvt/allegro-core.c +index 887b492e4ad1c..14a119b43bca0 100644 +--- a/drivers/media/platform/allegro-dvt/allegro-core.c ++++ b/drivers/media/platform/allegro-dvt/allegro-core.c +@@ -2185,6 +2185,15 @@ static irqreturn_t allegro_irq_thread(int irq, void *data) + { + struct allegro_dev *dev = data; + ++ /* ++ * The firmware is initialized after the mailbox is setup. We further ++ * check the AL5_ITC_CPU_IRQ_STA register, if the firmware actually ++ * triggered the interrupt. Although this should not happen, make sure ++ * that we ignore interrupts, if the mailbox is not initialized. ++ */ ++ if (!dev->mbox_status) ++ return IRQ_NONE; ++ + allegro_mbox_notify(dev->mbox_status); + + return IRQ_HANDLED; +-- +2.33.0 + diff --git a/queue-5.15/media-atmel-fix-the-ispck-initialization.patch b/queue-5.15/media-atmel-fix-the-ispck-initialization.patch new file mode 100644 index 00000000000..31e406eb138 --- /dev/null +++ b/queue-5.15/media-atmel-fix-the-ispck-initialization.patch @@ -0,0 +1,253 @@ +From 0a8c8f923f697f07aaddad6003cfaf0417224942 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Sep 2021 12:22:54 +0200 +Subject: media: atmel: fix the ispck initialization + +From: Eugen Hristev + +[ Upstream commit d7f26849ed7cc875d0ff7480c2efebeeccea2bad ] + +The runtime enabling of the ISPCK (internally clocks the pipeline inside +the ISC) has to be done after the pm_runtime for the ISC dev has been +started. + +After the commit by Mauro: +the ISC failed to probe with the error: + +atmel-sama5d2-isc f0008000.isc: failed to enable ispck: -13 +atmel-sama5d2-isc: probe of f0008000.isc failed with error -13 + +This is because the enabling of the ispck is done too early in the probe, +and the PM runtime returns invalid request. +Thus, moved this clock enabling after pm_runtime_idle is called. + +The ISPCK is required only for sama5d2 type of ISC. +Thus, add a bool inside the isc struct that is platform dependent. +For the sama7g5-isc, the enabling of the ISPCK is wrong and does not make +sense. Removed it from the sama7g5 probe. In sama7g5-isc, there is only +one clock, the MCK, which also clocks the internal pipeline of the ISC. + +Adapted the clk_prepare and clk_unprepare to request the runtime PM +for both clocks (MCK and ISPCK) in case of sama5d2-isc, and the single +clock (MCK) in case of sama7g5-isc. + +Fixes: dd97908ee350 ("media: atmel: properly get pm_runtime") +Signed-off-by: Eugen Hristev +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/atmel/atmel-isc-base.c | 25 ++++++------ + drivers/media/platform/atmel/atmel-isc.h | 2 + + .../media/platform/atmel/atmel-sama5d2-isc.c | 39 ++++++++++--------- + .../media/platform/atmel/atmel-sama7g5-isc.c | 22 ++--------- + 4 files changed, 38 insertions(+), 50 deletions(-) + +diff --git a/drivers/media/platform/atmel/atmel-isc-base.c b/drivers/media/platform/atmel/atmel-isc-base.c +index 136ab7cf36edc..ebf264b980f91 100644 +--- a/drivers/media/platform/atmel/atmel-isc-base.c ++++ b/drivers/media/platform/atmel/atmel-isc-base.c +@@ -123,11 +123,9 @@ static int isc_clk_prepare(struct clk_hw *hw) + struct isc_clk *isc_clk = to_isc_clk(hw); + int ret; + +- if (isc_clk->id == ISC_ISPCK) { +- ret = pm_runtime_resume_and_get(isc_clk->dev); +- if (ret < 0) +- return ret; +- } ++ ret = pm_runtime_resume_and_get(isc_clk->dev); ++ if (ret < 0) ++ return ret; + + return isc_wait_clk_stable(hw); + } +@@ -138,8 +136,7 @@ static void isc_clk_unprepare(struct clk_hw *hw) + + isc_wait_clk_stable(hw); + +- if (isc_clk->id == ISC_ISPCK) +- pm_runtime_put_sync(isc_clk->dev); ++ pm_runtime_put_sync(isc_clk->dev); + } + + static int isc_clk_enable(struct clk_hw *hw) +@@ -186,16 +183,13 @@ static int isc_clk_is_enabled(struct clk_hw *hw) + u32 status; + int ret; + +- if (isc_clk->id == ISC_ISPCK) { +- ret = pm_runtime_resume_and_get(isc_clk->dev); +- if (ret < 0) +- return 0; +- } ++ ret = pm_runtime_resume_and_get(isc_clk->dev); ++ if (ret < 0) ++ return 0; + + regmap_read(isc_clk->regmap, ISC_CLKSR, &status); + +- if (isc_clk->id == ISC_ISPCK) +- pm_runtime_put_sync(isc_clk->dev); ++ pm_runtime_put_sync(isc_clk->dev); + + return status & ISC_CLK(isc_clk->id) ? 1 : 0; + } +@@ -325,6 +319,9 @@ static int isc_clk_register(struct isc_device *isc, unsigned int id) + const char *parent_names[3]; + int num_parents; + ++ if (id == ISC_ISPCK && !isc->ispck_required) ++ return 0; ++ + num_parents = of_clk_get_parent_count(np); + if (num_parents < 1 || num_parents > 3) + return -EINVAL; +diff --git a/drivers/media/platform/atmel/atmel-isc.h b/drivers/media/platform/atmel/atmel-isc.h +index 19cc60dfcbe0f..2bfcb135ef13b 100644 +--- a/drivers/media/platform/atmel/atmel-isc.h ++++ b/drivers/media/platform/atmel/atmel-isc.h +@@ -178,6 +178,7 @@ struct isc_reg_offsets { + * @hclock: Hclock clock input (refer datasheet) + * @ispck: iscpck clock (refer datasheet) + * @isc_clks: ISC clocks ++ * @ispck_required: ISC requires ISP Clock initialization + * @dcfg: DMA master configuration, architecture dependent + * + * @dev: Registered device driver +@@ -252,6 +253,7 @@ struct isc_device { + struct clk *hclock; + struct clk *ispck; + struct isc_clk isc_clks[2]; ++ bool ispck_required; + u32 dcfg; + + struct device *dev; +diff --git a/drivers/media/platform/atmel/atmel-sama5d2-isc.c b/drivers/media/platform/atmel/atmel-sama5d2-isc.c +index b66f1d174e9d7..e29a9193bac81 100644 +--- a/drivers/media/platform/atmel/atmel-sama5d2-isc.c ++++ b/drivers/media/platform/atmel/atmel-sama5d2-isc.c +@@ -454,6 +454,9 @@ static int atmel_isc_probe(struct platform_device *pdev) + /* sama5d2-isc - 8 bits per beat */ + isc->dcfg = ISC_DCFG_YMBSIZE_BEATS8 | ISC_DCFG_CMBSIZE_BEATS8; + ++ /* sama5d2-isc : ISPCK is required and mandatory */ ++ isc->ispck_required = true; ++ + ret = isc_pipeline_init(isc); + if (ret) + return ret; +@@ -476,22 +479,6 @@ static int atmel_isc_probe(struct platform_device *pdev) + dev_err(dev, "failed to init isc clock: %d\n", ret); + goto unprepare_hclk; + } +- +- isc->ispck = isc->isc_clks[ISC_ISPCK].clk; +- +- ret = clk_prepare_enable(isc->ispck); +- if (ret) { +- dev_err(dev, "failed to enable ispck: %d\n", ret); +- goto unprepare_hclk; +- } +- +- /* ispck should be greater or equal to hclock */ +- ret = clk_set_rate(isc->ispck, clk_get_rate(isc->hclock)); +- if (ret) { +- dev_err(dev, "failed to set ispck rate: %d\n", ret); +- goto unprepare_clk; +- } +- + ret = v4l2_device_register(dev, &isc->v4l2_dev); + if (ret) { + dev_err(dev, "unable to register v4l2 device.\n"); +@@ -545,19 +532,35 @@ static int atmel_isc_probe(struct platform_device *pdev) + pm_runtime_enable(dev); + pm_request_idle(dev); + ++ isc->ispck = isc->isc_clks[ISC_ISPCK].clk; ++ ++ ret = clk_prepare_enable(isc->ispck); ++ if (ret) { ++ dev_err(dev, "failed to enable ispck: %d\n", ret); ++ goto cleanup_subdev; ++ } ++ ++ /* ispck should be greater or equal to hclock */ ++ ret = clk_set_rate(isc->ispck, clk_get_rate(isc->hclock)); ++ if (ret) { ++ dev_err(dev, "failed to set ispck rate: %d\n", ret); ++ goto unprepare_clk; ++ } ++ + regmap_read(isc->regmap, ISC_VERSION + isc->offsets.version, &ver); + dev_info(dev, "Microchip ISC version %x\n", ver); + + return 0; + ++unprepare_clk: ++ clk_disable_unprepare(isc->ispck); ++ + cleanup_subdev: + isc_subdev_cleanup(isc); + + unregister_v4l2_device: + v4l2_device_unregister(&isc->v4l2_dev); + +-unprepare_clk: +- clk_disable_unprepare(isc->ispck); + unprepare_hclk: + clk_disable_unprepare(isc->hclock); + +diff --git a/drivers/media/platform/atmel/atmel-sama7g5-isc.c b/drivers/media/platform/atmel/atmel-sama7g5-isc.c +index f2785131ff569..9c05acafd0724 100644 +--- a/drivers/media/platform/atmel/atmel-sama7g5-isc.c ++++ b/drivers/media/platform/atmel/atmel-sama7g5-isc.c +@@ -447,6 +447,9 @@ static int microchip_xisc_probe(struct platform_device *pdev) + /* sama7g5-isc RAM access port is full AXI4 - 32 bits per beat */ + isc->dcfg = ISC_DCFG_YMBSIZE_BEATS32 | ISC_DCFG_CMBSIZE_BEATS32; + ++ /* sama7g5-isc : ISPCK does not exist, ISC is clocked by MCK */ ++ isc->ispck_required = false; ++ + ret = isc_pipeline_init(isc); + if (ret) + return ret; +@@ -470,25 +473,10 @@ static int microchip_xisc_probe(struct platform_device *pdev) + goto unprepare_hclk; + } + +- isc->ispck = isc->isc_clks[ISC_ISPCK].clk; +- +- ret = clk_prepare_enable(isc->ispck); +- if (ret) { +- dev_err(dev, "failed to enable ispck: %d\n", ret); +- goto unprepare_hclk; +- } +- +- /* ispck should be greater or equal to hclock */ +- ret = clk_set_rate(isc->ispck, clk_get_rate(isc->hclock)); +- if (ret) { +- dev_err(dev, "failed to set ispck rate: %d\n", ret); +- goto unprepare_clk; +- } +- + ret = v4l2_device_register(dev, &isc->v4l2_dev); + if (ret) { + dev_err(dev, "unable to register v4l2 device.\n"); +- goto unprepare_clk; ++ goto unprepare_hclk; + } + + ret = xisc_parse_dt(dev, isc); +@@ -549,8 +537,6 @@ cleanup_subdev: + unregister_v4l2_device: + v4l2_device_unregister(&isc->v4l2_dev); + +-unprepare_clk: +- clk_disable_unprepare(isc->ispck); + unprepare_hclk: + clk_disable_unprepare(isc->hclock); + +-- +2.33.0 + diff --git a/queue-5.15/media-atomisp-fix-error-handling-in-probe.patch b/queue-5.15/media-atomisp-fix-error-handling-in-probe.patch new file mode 100644 index 00000000000..0b1a0ac6442 --- /dev/null +++ b/queue-5.15/media-atomisp-fix-error-handling-in-probe.patch @@ -0,0 +1,123 @@ +From a5eda1a0deaba2e40bd550d4b25d4ef3414b2288 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 18:29:43 +0200 +Subject: media: atomisp: Fix error handling in probe + +From: Evgeny Novikov + +[ Upstream commit e16f5e39acd6d10cc63ae39bc0a77188ed828f22 ] + +There were several issues with handling errors in lm3554_probe(): +- Probe did not set the error code when v4l2_ctrl_handler_init() failed. +- It intermixed gotos for handling errors of v4l2_ctrl_handler_init() + and media_entity_pads_init(). +- It did not set the error code for failures of v4l2_ctrl_new_custom(). +- Probe did not free resources in case of failures of + atomisp_register_i2c_module(). + +The patch fixes all these issues. + +Found by Linux Driver Verification project (linuxtesting.org). + +Link: https://lore.kernel.org/linux-media/20210810162943.19852-1-novikov@ispras.ru +Signed-off-by: Evgeny Novikov +Reviewed-by: Dan Carpenter +Acked-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/atomisp/i2c/atomisp-lm3554.c | 37 ++++++++++++------- + 1 file changed, 24 insertions(+), 13 deletions(-) + +diff --git a/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c b/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c +index 362ed44b4effa..e046489cd253b 100644 +--- a/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c ++++ b/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c +@@ -835,7 +835,6 @@ static int lm3554_probe(struct i2c_client *client) + int err = 0; + struct lm3554 *flash; + unsigned int i; +- int ret; + + flash = kzalloc(sizeof(*flash), GFP_KERNEL); + if (!flash) +@@ -844,7 +843,7 @@ static int lm3554_probe(struct i2c_client *client) + flash->pdata = lm3554_platform_data_func(client); + if (IS_ERR(flash->pdata)) { + err = PTR_ERR(flash->pdata); +- goto fail1; ++ goto free_flash; + } + + v4l2_i2c_subdev_init(&flash->sd, client, &lm3554_ops); +@@ -852,12 +851,12 @@ static int lm3554_probe(struct i2c_client *client) + flash->sd.flags |= V4L2_SUBDEV_FL_HAS_DEVNODE; + flash->mode = ATOMISP_FLASH_MODE_OFF; + flash->timeout = LM3554_MAX_TIMEOUT / LM3554_TIMEOUT_STEPSIZE - 1; +- ret = ++ err = + v4l2_ctrl_handler_init(&flash->ctrl_handler, + ARRAY_SIZE(lm3554_controls)); +- if (ret) { ++ if (err) { + dev_err(&client->dev, "error initialize a ctrl_handler.\n"); +- goto fail3; ++ goto unregister_subdev; + } + + for (i = 0; i < ARRAY_SIZE(lm3554_controls); i++) +@@ -866,14 +865,15 @@ static int lm3554_probe(struct i2c_client *client) + + if (flash->ctrl_handler.error) { + dev_err(&client->dev, "ctrl_handler error.\n"); +- goto fail3; ++ err = flash->ctrl_handler.error; ++ goto free_handler; + } + + flash->sd.ctrl_handler = &flash->ctrl_handler; + err = media_entity_pads_init(&flash->sd.entity, 0, NULL); + if (err) { + dev_err(&client->dev, "error initialize a media entity.\n"); +- goto fail2; ++ goto free_handler; + } + + flash->sd.entity.function = MEDIA_ENT_F_FLASH; +@@ -884,16 +884,27 @@ static int lm3554_probe(struct i2c_client *client) + + err = lm3554_gpio_init(client); + if (err) { +- dev_err(&client->dev, "gpio request/direction_output fail"); +- goto fail3; ++ dev_err(&client->dev, "gpio request/direction_output fail.\n"); ++ goto cleanup_media; ++ } ++ ++ err = atomisp_register_i2c_module(&flash->sd, NULL, LED_FLASH); ++ if (err) { ++ dev_err(&client->dev, "fail to register atomisp i2c module.\n"); ++ goto uninit_gpio; + } +- return atomisp_register_i2c_module(&flash->sd, NULL, LED_FLASH); +-fail3: ++ ++ return 0; ++ ++uninit_gpio: ++ lm3554_gpio_uninit(client); ++cleanup_media: + media_entity_cleanup(&flash->sd.entity); ++free_handler: + v4l2_ctrl_handler_free(&flash->ctrl_handler); +-fail2: ++unregister_subdev: + v4l2_device_unregister_subdev(&flash->sd); +-fail1: ++free_flash: + kfree(flash); + + return err; +-- +2.33.0 + diff --git a/queue-5.15/media-cx23885-fix-snd_card_free-call-on-null-card-po.patch b/queue-5.15/media-cx23885-fix-snd_card_free-call-on-null-card-po.patch new file mode 100644 index 00000000000..625ab643e28 --- /dev/null +++ b/queue-5.15/media-cx23885-fix-snd_card_free-call-on-null-card-po.patch @@ -0,0 +1,50 @@ +From 9a25dbf870a5cb45fc501cdf60c296d50d25edcc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Aug 2021 10:50:10 +0200 +Subject: media: cx23885: Fix snd_card_free call on null card pointer + +From: Colin Ian King + +[ Upstream commit 7266dda2f1dfe151b12ef0c14eb4d4e622fb211c ] + +Currently a call to snd_card_new that fails will set card with a NULL +pointer, this causes a null pointer dereference on the error cleanup +path when card it passed to snd_card_free. Fix this by adding a new +error exit path that does not call snd_card_free and exiting via this +new path. + +Addresses-Coverity: ("Explicit null dereference") + +Fixes: 9e44d63246a9 ("[media] cx23885: Add ALSA support") +Signed-off-by: Colin Ian King +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx23885/cx23885-alsa.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/cx23885/cx23885-alsa.c b/drivers/media/pci/cx23885/cx23885-alsa.c +index ab14d35214aa8..25dc8d4dc5b73 100644 +--- a/drivers/media/pci/cx23885/cx23885-alsa.c ++++ b/drivers/media/pci/cx23885/cx23885-alsa.c +@@ -550,7 +550,7 @@ struct cx23885_audio_dev *cx23885_audio_register(struct cx23885_dev *dev) + SNDRV_DEFAULT_IDX1, SNDRV_DEFAULT_STR1, + THIS_MODULE, sizeof(struct cx23885_audio_dev), &card); + if (err < 0) +- goto error; ++ goto error_msg; + + chip = (struct cx23885_audio_dev *) card->private_data; + chip->dev = dev; +@@ -576,6 +576,7 @@ struct cx23885_audio_dev *cx23885_audio_register(struct cx23885_dev *dev) + + error: + snd_card_free(card); ++error_msg: + pr_err("%s(): Failed to register analog audio adapter\n", + __func__); + +-- +2.33.0 + diff --git a/queue-5.15/media-cxd2880-spi-fix-a-null-pointer-dereference-on-.patch b/queue-5.15/media-cxd2880-spi-fix-a-null-pointer-dereference-on-.patch new file mode 100644 index 00000000000..3cbddf9ec53 --- /dev/null +++ b/queue-5.15/media-cxd2880-spi-fix-a-null-pointer-dereference-on-.patch @@ -0,0 +1,43 @@ +From ff20d980078cfe43c50d708c8d1136c3b128157d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 18:07:49 +0200 +Subject: media: cxd2880-spi: Fix a null pointer dereference on error handling + path + +From: Colin Ian King + +[ Upstream commit 11b982e950d2138e90bd120501df10a439006ff8 ] + +Currently the null pointer check on dvb_spi->vcc_supply is inverted and +this leads to only null values of the dvb_spi->vcc_supply being passed +to the call of regulator_disable causing null pointer dereferences. +Fix this by only calling regulator_disable if dvb_spi->vcc_supply is +not null. + +Addresses-Coverity: ("Dereference after null check") + +Fixes: dcb014582101 ("media: cxd2880-spi: Fix an error handling path") +Signed-off-by: Colin Ian King +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/spi/cxd2880-spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/spi/cxd2880-spi.c b/drivers/media/spi/cxd2880-spi.c +index b91a1e845b972..506f52c1af101 100644 +--- a/drivers/media/spi/cxd2880-spi.c ++++ b/drivers/media/spi/cxd2880-spi.c +@@ -618,7 +618,7 @@ fail_frontend: + fail_attach: + dvb_unregister_adapter(&dvb_spi->adapter); + fail_adapter: +- if (!dvb_spi->vcc_supply) ++ if (dvb_spi->vcc_supply) + regulator_disable(dvb_spi->vcc_supply); + fail_regulator: + kfree(dvb_spi); +-- +2.33.0 + diff --git a/queue-5.15/media-dvb-frontends-mn88443x-handle-errors-of-clk_pr.patch b/queue-5.15/media-dvb-frontends-mn88443x-handle-errors-of-clk_pr.patch new file mode 100644 index 00000000000..4bd6aacbfb5 --- /dev/null +++ b/queue-5.15/media-dvb-frontends-mn88443x-handle-errors-of-clk_pr.patch @@ -0,0 +1,80 @@ +From 29c728fe7f0d92a9757b9260848c2f84490dae08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Aug 2021 11:48:03 +0200 +Subject: media: dvb-frontends: mn88443x: Handle errors of clk_prepare_enable() + +From: Evgeny Novikov + +[ Upstream commit 69a10678e2fba3d182e78ea041f2d1b1a6058764 ] + +mn88443x_cmn_power_on() did not handle possible errors of +clk_prepare_enable() and always finished successfully so that its caller +mn88443x_probe() did not care about failed preparing/enabling of clocks +as well. + +Add missed error handling in both mn88443x_cmn_power_on() and +mn88443x_probe(). This required to change the return value of the former +from "void" to "int". + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 0f408ce8941f ("media: dvb-frontends: add Socionext MN88443x ISDB-S/T demodulator driver") +Signed-off-by: Evgeny Novikov +Co-developed-by: Kirill Shilimanov +Signed-off-by: Kirill Shilimanov +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/mn88443x.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/dvb-frontends/mn88443x.c b/drivers/media/dvb-frontends/mn88443x.c +index e4528784f8477..fff212c0bf3b5 100644 +--- a/drivers/media/dvb-frontends/mn88443x.c ++++ b/drivers/media/dvb-frontends/mn88443x.c +@@ -204,11 +204,18 @@ struct mn88443x_priv { + struct regmap *regmap_t; + }; + +-static void mn88443x_cmn_power_on(struct mn88443x_priv *chip) ++static int mn88443x_cmn_power_on(struct mn88443x_priv *chip) + { ++ struct device *dev = &chip->client_s->dev; + struct regmap *r_t = chip->regmap_t; ++ int ret; + +- clk_prepare_enable(chip->mclk); ++ ret = clk_prepare_enable(chip->mclk); ++ if (ret) { ++ dev_err(dev, "Failed to prepare and enable mclk: %d\n", ++ ret); ++ return ret; ++ } + + gpiod_set_value_cansleep(chip->reset_gpio, 1); + usleep_range(100, 1000); +@@ -222,6 +229,8 @@ static void mn88443x_cmn_power_on(struct mn88443x_priv *chip) + } else { + regmap_write(r_t, HIZSET3, 0x8f); + } ++ ++ return 0; + } + + static void mn88443x_cmn_power_off(struct mn88443x_priv *chip) +@@ -738,7 +747,10 @@ static int mn88443x_probe(struct i2c_client *client, + chip->fe.demodulator_priv = chip; + i2c_set_clientdata(client, chip); + +- mn88443x_cmn_power_on(chip); ++ ret = mn88443x_cmn_power_on(chip); ++ if (ret) ++ goto err_i2c_t; ++ + mn88443x_s_sleep(chip); + mn88443x_t_sleep(chip); + +-- +2.33.0 + diff --git a/queue-5.15/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch b/queue-5.15/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch new file mode 100644 index 00000000000..d2598743d5d --- /dev/null +++ b/queue-5.15/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch @@ -0,0 +1,39 @@ +From 6775e085025bdb344e1fbcf2d973a6d49e38b785 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 16:34:20 +0200 +Subject: media: dvb-usb: fix ununit-value in az6027_rc_query + +From: Pavel Skripkin + +[ Upstream commit afae4ef7d5ad913cab1316137854a36bea6268a5 ] + +Syzbot reported ununit-value bug in az6027_rc_query(). The problem was +in missing state pointer initialization. Since this function does nothing +we can simply initialize state to REMOTE_NO_KEY_PRESSED. + +Reported-and-tested-by: syzbot+2cd8c5db4a85f0a04142@syzkaller.appspotmail.com + +Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/az6027.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c +index 1c39b61cde29b..86788771175b7 100644 +--- a/drivers/media/usb/dvb-usb/az6027.c ++++ b/drivers/media/usb/dvb-usb/az6027.c +@@ -391,6 +391,7 @@ static struct rc_map_table rc_map_az6027_table[] = { + /* remote control stuff (does not work with my box) */ + static int az6027_rc_query(struct dvb_usb_device *d, u32 *event, int *state) + { ++ *state = REMOTE_NO_KEY_PRESSED; + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/media-em28xx-add-missing-em28xx_close_extension.patch b/queue-5.15/media-em28xx-add-missing-em28xx_close_extension.patch new file mode 100644 index 00000000000..140f02d94e0 --- /dev/null +++ b/queue-5.15/media-em28xx-add-missing-em28xx_close_extension.patch @@ -0,0 +1,44 @@ +From 0150b167f2667da2c1d6b4e2d20165eda7a351a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jul 2021 22:23:33 +0200 +Subject: media: em28xx: add missing em28xx_close_extension + +From: Pavel Skripkin + +[ Upstream commit 2c98b8a3458df03abdc6945bbef67ef91d181938 ] + +If em28xx dev has ->dev_next pointer, we need to delete ->dev_next list +node from em28xx_extension_devlist on disconnect to avoid UAF bugs and +corrupted list bugs, since driver frees this pointer on disconnect. + +Reported-and-tested-by: syzbot+a6969ef522a36d3344c9@syzkaller.appspotmail.com + +Fixes: 1a23f81b7dc3 ("V4L/DVB (9979): em28xx: move usb probe code to a proper place") +Signed-off-by: Pavel Skripkin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-cards.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/em28xx/em28xx-cards.c b/drivers/media/usb/em28xx/em28xx-cards.c +index c1e0dccb74088..948e22e29b42a 100644 +--- a/drivers/media/usb/em28xx/em28xx-cards.c ++++ b/drivers/media/usb/em28xx/em28xx-cards.c +@@ -4139,8 +4139,11 @@ static void em28xx_usb_disconnect(struct usb_interface *intf) + + em28xx_close_extension(dev); + +- if (dev->dev_next) ++ if (dev->dev_next) { ++ em28xx_close_extension(dev->dev_next); + em28xx_release_resources(dev->dev_next); ++ } ++ + em28xx_release_resources(dev); + + if (dev->dev_next) { +-- +2.33.0 + diff --git a/queue-5.15/media-em28xx-don-t-use-ops-suspend-if-it-is-null.patch b/queue-5.15/media-em28xx-don-t-use-ops-suspend-if-it-is-null.patch new file mode 100644 index 00000000000..41f3d32e3c5 --- /dev/null +++ b/queue-5.15/media-em28xx-don-t-use-ops-suspend-if-it-is-null.patch @@ -0,0 +1,43 @@ +From 71a29b4e13e2954c46a30871d11b553bd2ec826d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Sep 2021 18:07:02 +0200 +Subject: media: em28xx: Don't use ops->suspend if it is NULL + +From: Colin Ian King + +[ Upstream commit 51fa3b70d27342baf1ea8aaab3e96e5f4f26d5b2 ] + +The call to ops->suspend for the dev->dev_next case can currently +trigger a call on a null function pointer if ops->suspend is null. +Skip over the use of function ops->suspend if it is null. + +Addresses-Coverity: ("Dereference after null check") + +Fixes: be7fd3c3a8c5 ("media: em28xx: Hauppauge DualHD second tuner functionality") +Signed-off-by: Colin Ian King +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/em28xx/em28xx-core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/em28xx/em28xx-core.c b/drivers/media/usb/em28xx/em28xx-core.c +index 584fa400cd7d8..acc0bf7dbe2b1 100644 +--- a/drivers/media/usb/em28xx/em28xx-core.c ++++ b/drivers/media/usb/em28xx/em28xx-core.c +@@ -1154,8 +1154,9 @@ int em28xx_suspend_extension(struct em28xx *dev) + dev_info(&dev->intf->dev, "Suspending extensions\n"); + mutex_lock(&em28xx_devlist_mutex); + list_for_each_entry(ops, &em28xx_extension_devlist, next) { +- if (ops->suspend) +- ops->suspend(dev); ++ if (!ops->suspend) ++ continue; ++ ops->suspend(dev); + if (dev->dev_next) + ops->suspend(dev->dev_next); + } +-- +2.33.0 + diff --git a/queue-5.15/media-i2c-ths8200-needs-v4l2_async.patch b/queue-5.15/media-i2c-ths8200-needs-v4l2_async.patch new file mode 100644 index 00000000000..8dbf7cc8d4b --- /dev/null +++ b/queue-5.15/media-i2c-ths8200-needs-v4l2_async.patch @@ -0,0 +1,44 @@ +From 91cf7010ea2392b93bffe8be171242f2f53ad762 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Sep 2021 01:28:08 +0200 +Subject: media: i2c: ths8200 needs V4L2_ASYNC + +From: Randy Dunlap + +[ Upstream commit e4625044d656f3c33ece0cc9da22577bc10ca5d3 ] + +Fix the build errors reported by the kernel test robot by +selecting V4L2_ASYNC: + +mips-linux-ld: drivers/media/i2c/ths8200.o: in function `ths8200_remove': +ths8200.c:(.text+0x1ec): undefined reference to `v4l2_async_unregister_subdev' +mips-linux-ld: drivers/media/i2c/ths8200.o: in function `ths8200_probe': +ths8200.c:(.text+0x404): undefined reference to `v4l2_async_register_subdev' + +Fixes: ed29f89497006 ("media: i2c: ths8200: support asynchronous probing") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Reviewed-by: Lad Prabhakar +Acked-by: Sakari Ailus +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/i2c/Kconfig b/drivers/media/i2c/Kconfig +index 08feb3e8c1bf6..6157e73eef24e 100644 +--- a/drivers/media/i2c/Kconfig ++++ b/drivers/media/i2c/Kconfig +@@ -597,6 +597,7 @@ config VIDEO_AK881X + config VIDEO_THS8200 + tristate "Texas Instruments THS8200 video encoder" + depends on VIDEO_V4L2 && I2C ++ select V4L2_ASYNC + help + Support for the Texas Instruments THS8200 video encoder. + +-- +2.33.0 + diff --git a/queue-5.15/media-imx-jpeg-fix-possible-null-pointer-dereference.patch b/queue-5.15/media-imx-jpeg-fix-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..68e0ea1a7ce --- /dev/null +++ b/queue-5.15/media-imx-jpeg-fix-possible-null-pointer-dereference.patch @@ -0,0 +1,38 @@ +From 90b5066a389565a95bd8afe343aaa5f75baeada2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 20:56:32 +0200 +Subject: media: imx-jpeg: Fix possible null pointer dereference + +From: Mirela Rabulea + +[ Upstream commit 83f5f0633b156c636f5249d3c10f2a9423dd4c96 ] + +Found by Coverity scan. + +Signed-off-by: Mirela Rabulea +Reviewed-by: Laurentiu Palcu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/imx-jpeg/mxc-jpeg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/platform/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/imx-jpeg/mxc-jpeg.c +index 755138063ee61..33e7604271cdf 100644 +--- a/drivers/media/platform/imx-jpeg/mxc-jpeg.c ++++ b/drivers/media/platform/imx-jpeg/mxc-jpeg.c +@@ -575,6 +575,10 @@ static irqreturn_t mxc_jpeg_dec_irq(int irq, void *priv) + + dst_buf = v4l2_m2m_next_dst_buf(ctx->fh.m2m_ctx); + src_buf = v4l2_m2m_next_src_buf(ctx->fh.m2m_ctx); ++ if (!dst_buf || !src_buf) { ++ dev_err(dev, "No source or destination buffer.\n"); ++ goto job_unlock; ++ } + jpeg_src_buf = vb2_to_mxc_buf(&src_buf->vb2_buf); + + if (dec_ret & SLOT_STATUS_ENC_CONFIG_ERR) { +-- +2.33.0 + diff --git a/queue-5.15/media-imx-jpeg-fix-the-error-handling-path-of-mxc_jp.patch b/queue-5.15/media-imx-jpeg-fix-the-error-handling-path-of-mxc_jp.patch new file mode 100644 index 00000000000..b819ff120ac --- /dev/null +++ b/queue-5.15/media-imx-jpeg-fix-the-error-handling-path-of-mxc_jp.patch @@ -0,0 +1,40 @@ +From 3135adfdf59140b5df5aec7dc01ae72e2932dd35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Aug 2021 13:12:53 +0200 +Subject: media: imx-jpeg: Fix the error handling path of 'mxc_jpeg_probe()' + +From: Christophe JAILLET + +[ Upstream commit 5c47dc6657543b3c4dffcbe741fb693b9b96796d ] + +A successful 'mxc_jpeg_attach_pm_domains()' call should be balanced by a +corresponding 'mxc_jpeg_detach_pm_domains()' call in the error handling +path of the probe, as already done in the remove function. + +Update the error handling path accordingly. + +Fixes: 2db16c6ed72c ("media: imx-jpeg: Add V4L2 driver for i.MX8 JPEG Encoder/Decoder") +Signed-off-by: Christophe JAILLET +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/imx-jpeg/mxc-jpeg.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/imx-jpeg/mxc-jpeg.c b/drivers/media/platform/imx-jpeg/mxc-jpeg.c +index 33e7604271cdf..fc905ea78b175 100644 +--- a/drivers/media/platform/imx-jpeg/mxc-jpeg.c ++++ b/drivers/media/platform/imx-jpeg/mxc-jpeg.c +@@ -2092,6 +2092,8 @@ err_m2m: + v4l2_device_unregister(&jpeg->v4l2_dev); + + err_register: ++ mxc_jpeg_detach_pm_domains(jpeg); ++ + err_irq: + return ret; + } +-- +2.33.0 + diff --git a/queue-5.15/media-imx-set-a-media_device-bus_info-string.patch b/queue-5.15/media-imx-set-a-media_device-bus_info-string.patch new file mode 100644 index 00000000000..943358153a2 --- /dev/null +++ b/queue-5.15/media-imx-set-a-media_device-bus_info-string.patch @@ -0,0 +1,41 @@ +From a6c6b11207bff137d49764d834b18f35b4bf3f41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 10:47:46 +0200 +Subject: media: imx: set a media_device bus_info string + +From: Martin Kepplinger + +[ Upstream commit 6d0d779b212c27293d9ccb4da092ff0ccb6efa39 ] + +Some tools like v4l2-compliance let users select a media device based +on the bus_info string which can be quite convenient. Use a unique +string for that. + +This also fixes the following v4l2-compliance warning: +warn: v4l2-test-media.cpp(52): empty bus_info + +Signed-off-by: Martin Kepplinger +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/imx/imx-media-dev-common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/staging/media/imx/imx-media-dev-common.c b/drivers/staging/media/imx/imx-media-dev-common.c +index d186179388d03..4d873726a461b 100644 +--- a/drivers/staging/media/imx/imx-media-dev-common.c ++++ b/drivers/staging/media/imx/imx-media-dev-common.c +@@ -367,6 +367,8 @@ struct imx_media_dev *imx_media_dev_init(struct device *dev, + imxmd->v4l2_dev.notify = imx_media_notify; + strscpy(imxmd->v4l2_dev.name, "imx-media", + sizeof(imxmd->v4l2_dev.name)); ++ snprintf(imxmd->md.bus_info, sizeof(imxmd->md.bus_info), ++ "platform:%s", dev_name(imxmd->md.dev)); + + media_device_init(&imxmd->md); + +-- +2.33.0 + diff --git a/queue-5.15/media-imx258-fix-getting-clock-frequency.patch b/queue-5.15/media-imx258-fix-getting-clock-frequency.patch new file mode 100644 index 00000000000..0f29e3090bc --- /dev/null +++ b/queue-5.15/media-imx258-fix-getting-clock-frequency.patch @@ -0,0 +1,52 @@ +From 5b7080c8d8fdae39d8d3403983bcd10aa8737439 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 15:08:59 +0200 +Subject: media: imx258: Fix getting clock frequency + +From: Sakari Ailus + +[ Upstream commit d170b0ea1760989fe8ac053bef83e61f3bf87992 ] + +Obtain the clock frequency by reading the clock-frequency property if +there's no clock. + +Fixes: 9fda25332c4b ("media: i2c: imx258: get clock from device properties and enable it via runtime PM") +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/imx258.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/i2c/imx258.c b/drivers/media/i2c/imx258.c +index 81cdf37216ca7..c249507aa2dbc 100644 +--- a/drivers/media/i2c/imx258.c ++++ b/drivers/media/i2c/imx258.c +@@ -1260,18 +1260,18 @@ static int imx258_probe(struct i2c_client *client) + return -ENOMEM; + + imx258->clk = devm_clk_get_optional(&client->dev, NULL); ++ if (IS_ERR(imx258->clk)) ++ return dev_err_probe(&client->dev, PTR_ERR(imx258->clk), ++ "error getting clock\n"); + if (!imx258->clk) { + dev_dbg(&client->dev, + "no clock provided, using clock-frequency property\n"); + + device_property_read_u32(&client->dev, "clock-frequency", &val); +- if (val != IMX258_INPUT_CLOCK_FREQ) +- return -EINVAL; +- } else if (IS_ERR(imx258->clk)) { +- return dev_err_probe(&client->dev, PTR_ERR(imx258->clk), +- "error getting clock\n"); ++ } else { ++ val = clk_get_rate(imx258->clk); + } +- if (clk_get_rate(imx258->clk) != IMX258_INPUT_CLOCK_FREQ) { ++ if (val != IMX258_INPUT_CLOCK_FREQ) { + dev_err(&client->dev, "input clock frequency not supported\n"); + return -EINVAL; + } +-- +2.33.0 + diff --git a/queue-5.15/media-ipu3-imgu-imgu_fmt-handle-properly-try.patch b/queue-5.15/media-ipu3-imgu-imgu_fmt-handle-properly-try.patch new file mode 100644 index 00000000000..89032b70121 --- /dev/null +++ b/queue-5.15/media-ipu3-imgu-imgu_fmt-handle-properly-try.patch @@ -0,0 +1,41 @@ +From 1b8ebc6c298f7111db2a23b2bbe5f09cb2da764c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 00:26:21 +0200 +Subject: media: ipu3-imgu: imgu_fmt: Handle properly try + +From: Ricardo Ribalda + +[ Upstream commit 553481e38045f349bb9aa596d03bebd020020c9c ] + +For a try_fmt call, the node noes not need to be enabled. + +Fixes v4l2-compliance + +fail: v4l2-test-formats.cpp(717): Video Output Multiplanar is valid, but + no TRY_FMT was implemented +test VIDIOC_TRY_FMT: FAIL + +Signed-off-by: Ricardo Ribalda +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/ipu3/ipu3-v4l2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c +index 38a2407645096..ea746e8054eb7 100644 +--- a/drivers/staging/media/ipu3/ipu3-v4l2.c ++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c +@@ -696,7 +696,7 @@ static int imgu_fmt(struct imgu_device *imgu, unsigned int pipe, int node, + + /* CSS expects some format on OUT queue */ + if (i != IPU3_CSS_QUEUE_OUT && +- !imgu_pipe->nodes[inode].enabled) { ++ !imgu_pipe->nodes[inode].enabled && !try) { + fmts[i] = NULL; + continue; + } +-- +2.33.0 + diff --git a/queue-5.15/media-ipu3-imgu-vidioc_querycap-fix-bus_info.patch b/queue-5.15/media-ipu3-imgu-vidioc_querycap-fix-bus_info.patch new file mode 100644 index 00000000000..880b612b4c9 --- /dev/null +++ b/queue-5.15/media-ipu3-imgu-vidioc_querycap-fix-bus_info.patch @@ -0,0 +1,48 @@ +From 9fafe388919e58e356b92a0563da54c1932061c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 00:26:22 +0200 +Subject: media: ipu3-imgu: VIDIOC_QUERYCAP: Fix bus_info + +From: Ricardo Ribalda + +[ Upstream commit ea2b9a33711604e91f8c826f4dcb3c12baa1990a ] + +bus_info field had a different value for the media entity and the video +device. + +Fixes v4l2-compliance: + +v4l2-compliance.cpp(637): media bus_info 'PCI:0000:00:05.0' differs from + V4L2 bus_info 'PCI:viewfinder' + +Reviewed-by: Bingbu Cao +Signed-off-by: Ricardo Ribalda +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/staging/media/ipu3/ipu3-v4l2.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/media/ipu3/ipu3-v4l2.c b/drivers/staging/media/ipu3/ipu3-v4l2.c +index ea746e8054eb7..90c86ba5040e3 100644 +--- a/drivers/staging/media/ipu3/ipu3-v4l2.c ++++ b/drivers/staging/media/ipu3/ipu3-v4l2.c +@@ -592,11 +592,12 @@ static const struct imgu_fmt *find_format(struct v4l2_format *f, u32 type) + static int imgu_vidioc_querycap(struct file *file, void *fh, + struct v4l2_capability *cap) + { +- struct imgu_video_device *node = file_to_intel_imgu_node(file); ++ struct imgu_device *imgu = video_drvdata(file); + + strscpy(cap->driver, IMGU_NAME, sizeof(cap->driver)); + strscpy(cap->card, IMGU_NAME, sizeof(cap->card)); +- snprintf(cap->bus_info, sizeof(cap->bus_info), "PCI:%s", node->name); ++ snprintf(cap->bus_info, sizeof(cap->bus_info), "PCI:%s", ++ pci_name(imgu->pci_dev)); + + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/media-ir_toy-assignment-to-be16-should-be-of-correct.patch b/queue-5.15/media-ir_toy-assignment-to-be16-should-be-of-correct.patch new file mode 100644 index 00000000000..cf262dffb9c --- /dev/null +++ b/queue-5.15/media-ir_toy-assignment-to-be16-should-be-of-correct.patch @@ -0,0 +1,37 @@ +From a5934229728d747b2c8909956ea17e41825e1343 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 09:14:10 +0100 +Subject: media: ir_toy: assignment to be16 should be of correct type + +From: Sean Young + +[ Upstream commit febfe985fc2ea052a363f6525ff624b8efd5273c ] + +commit f0c15b360fb6 ("media: ir_toy: prevent device from hanging during +transmit") removed a cpu_to_be16() cast, which causes a sparse warning. + +Fixes: f0c15b360fb6 ("media: ir_toy: prevent device from hanging during transmit") +Reported-by: Hans Verkuil +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ir_toy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/rc/ir_toy.c b/drivers/media/rc/ir_toy.c +index 48d52baec1a1c..1aa7989e756cc 100644 +--- a/drivers/media/rc/ir_toy.c ++++ b/drivers/media/rc/ir_toy.c +@@ -310,7 +310,7 @@ static int irtoy_tx(struct rc_dev *rc, uint *txbuf, uint count) + buf[i] = cpu_to_be16(v); + } + +- buf[count] = 0xffff; ++ buf[count] = cpu_to_be16(0xffff); + + irtoy->tx_buf = buf; + irtoy->tx_len = size; +-- +2.33.0 + diff --git a/queue-5.15/media-ivtv-fix-build-for-uml.patch b/queue-5.15/media-ivtv-fix-build-for-uml.patch new file mode 100644 index 00000000000..0cd0c246a16 --- /dev/null +++ b/queue-5.15/media-ivtv-fix-build-for-uml.patch @@ -0,0 +1,88 @@ +From bdb897f7b3caab3e2681142123df4b0981bcf32c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Oct 2021 20:38:36 +0100 +Subject: media: ivtv: fix build for UML +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 6cb67bea945bdf0ad40e633cd2d9fbeb0855675b ] + +Prevent the use of page table macros and types from 2 conflicting +places. This fixes multiple build errors and warnings, e.g.: + +../arch/x86/include/asm/pgtable_64_types.h:21:34: error: conflicting types for ‘pte_t’ + typedef struct { pteval_t pte; } pte_t; + ^~~~~ +In file included from ../include/linux/mm_types_task.h:16:0, + from ../include/linux/mm_types.h:5, + from ../include/linux/buildid.h:5, + from ../include/linux/module.h:14, + from ../drivers/media/pci/ivtv/ivtv-driver.h:40, + from ../drivers/media/pci/ivtv/ivtvfb.c:29: +../arch/um/include/asm/page.h:57:39: note: previous declaration of ‘pte_t’ was here + typedef struct { unsigned long pte; } pte_t; + +../arch/x86/include/asm/pgtable_types.h:284:43: error: expected ‘)’ before ‘prot’ + static inline pgprot_t pgprot_nx(pgprot_t prot) + ^ +../include/linux/pgtable.h:914:26: note: in definition of macro ‘pgprot_nx’ + #define pgprot_nx(prot) (prot) + ^~~~ +In file included from ../arch/x86/include/asm/memtype.h:6:0, + from ../drivers/media/pci/ivtv/ivtvfb.c:40: +../arch/x86/include/asm/pgtable_types.h:288:0: warning: "pgprot_nx" redefined + #define pgprot_nx pgprot_nx + +../arch/x86/include/asm/page_types.h:11:0: warning: "PAGE_SIZE" redefined + #define PAGE_SIZE (_AC(1,UL) << PAGE_SHIFT) + +In file included from ../include/linux/mm_types_task.h:16:0, + from ../include/linux/mm_types.h:5, + from ../include/linux/buildid.h:5, + from ../include/linux/module.h:14, + from ../drivers/media/pci/ivtv/ivtv-driver.h:40, + from ../drivers/media/pci/ivtv/ivtvfb.c:29: +../arch/um/include/asm/page.h:14:0: note: this is the location of the previous definition + #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT) + +Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver") +Signed-off-by: Randy Dunlap +Cc: Johannes Berg +Cc: Andy Walls +Cc: linux-um@lists.infradead.org +Cc: Richard Weinberger +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/ivtv/ivtvfb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/pci/ivtv/ivtvfb.c b/drivers/media/pci/ivtv/ivtvfb.c +index e2d56dca5be40..5ad03b2a50bdb 100644 +--- a/drivers/media/pci/ivtv/ivtvfb.c ++++ b/drivers/media/pci/ivtv/ivtvfb.c +@@ -36,7 +36,7 @@ + #include + #include + +-#ifdef CONFIG_X86_64 ++#if defined(CONFIG_X86_64) && !defined(CONFIG_UML) + #include + #endif + +@@ -1157,7 +1157,7 @@ static int ivtvfb_init_card(struct ivtv *itv) + { + int rc; + +-#ifdef CONFIG_X86_64 ++#if defined(CONFIG_X86_64) && !defined(CONFIG_UML) + if (pat_enabled()) { + if (ivtvfb_force_pat) { + pr_info("PAT is enabled. Write-combined framebuffer caching will be disabled.\n"); +-- +2.33.0 + diff --git a/queue-5.15/media-mceusb-return-without-resubmitting-urb-in-case.patch b/queue-5.15/media-mceusb-return-without-resubmitting-urb-in-case.patch new file mode 100644 index 00000000000..345d42ff8fd --- /dev/null +++ b/queue-5.15/media-mceusb-return-without-resubmitting-urb-in-case.patch @@ -0,0 +1,40 @@ +From d33f220fc47ebf18da254239d4c6f08bc9871ac5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 22:31:10 +0200 +Subject: media: mceusb: return without resubmitting URB in case of -EPROTO + error. + +From: Rajat Asthana + +[ Upstream commit 476db72e521983ecb847e4013b263072bb1110fc ] + +Syzkaller reported a warning called "rcu detected stall in dummy_timer". + +The error seems to be an error in mceusb_dev_recv(). In the case of +-EPROTO error, the routine immediately resubmits the URB. Instead it +should return without resubmitting URB. + +Reported-by: syzbot+4d3749e9612c2cfab956@syzkaller.appspotmail.com +Signed-off-by: Rajat Asthana +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/mceusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c +index e03dd1f0144f0..137a71954aabf 100644 +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1386,6 +1386,7 @@ static void mceusb_dev_recv(struct urb *urb) + case -ECONNRESET: + case -ENOENT: + case -EILSEQ: ++ case -EPROTO: + case -ESHUTDOWN: + usb_unlink_urb(urb); + return; +-- +2.33.0 + diff --git a/queue-5.15/media-meson-ge2d-fix-rotation-parameter-changes-dete.patch b/queue-5.15/media-meson-ge2d-fix-rotation-parameter-changes-dete.patch new file mode 100644 index 00000000000..d350d87abc8 --- /dev/null +++ b/queue-5.15/media-meson-ge2d-fix-rotation-parameter-changes-dete.patch @@ -0,0 +1,45 @@ +From 5ac4099b180f43401829fb5d91d8325d2039ba6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Jul 2021 21:35:05 +0200 +Subject: media: meson-ge2d: Fix rotation parameter changes detection in + 'ge2d_s_ctrl()' + +From: Christophe JAILLET + +[ Upstream commit 4b9e3e8af4b336eefca1f1ee535bc4b6734ed6aa ] + +There is likely a typo here. To be consistent, we should compare +'fmt.height' with 'ctx->out.pix_fmt.height', not 'ctx->out.pix_fmt.width'. + +Instead of fixing the test, just remove it and copy 'fmt' unconditionally. + +Fixes: 59a635327ca7 ("media: meson: Add M2M driver for the Amlogic GE2D Accelerator Unit") +Signed-off-by: Christophe JAILLET +Acked-by: Neil Armstrong +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/meson/ge2d/ge2d.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/drivers/media/platform/meson/ge2d/ge2d.c b/drivers/media/platform/meson/ge2d/ge2d.c +index a1393fefa8aea..9b1e973e78da3 100644 +--- a/drivers/media/platform/meson/ge2d/ge2d.c ++++ b/drivers/media/platform/meson/ge2d/ge2d.c +@@ -779,11 +779,7 @@ static int ge2d_s_ctrl(struct v4l2_ctrl *ctrl) + * If the rotation parameter changes the OUTPUT frames + * parameters, take them in account + */ +- if (fmt.width != ctx->out.pix_fmt.width || +- fmt.height != ctx->out.pix_fmt.width || +- fmt.bytesperline > ctx->out.pix_fmt.bytesperline || +- fmt.sizeimage > ctx->out.pix_fmt.sizeimage) +- ctx->out.pix_fmt = fmt; ++ ctx->out.pix_fmt = fmt; + + break; + } +-- +2.33.0 + diff --git a/queue-5.15/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch b/queue-5.15/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch new file mode 100644 index 00000000000..2ec434d626d --- /dev/null +++ b/queue-5.15/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch @@ -0,0 +1,89 @@ +From 37193b4387df5c640474b0bae4f891d6939e6366 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 09:35:15 +0200 +Subject: media: mt9p031: Fix corrupted frame after restarting stream + +From: Dirk Bender + +[ Upstream commit 0961ba6dd211a4a52d1dd4c2d59be60ac2dc08c7 ] + +To prevent corrupted frames after starting and stopping the sensor its +datasheet specifies a specific pause sequence to follow: + +Stopping: + Set Pause_Restart Bit -> Set Restart Bit -> Set Chip_Enable Off + +Restarting: + Set Chip_Enable On -> Clear Pause_Restart Bit + +The Restart Bit is cleared automatically and must not be cleared +manually as this would cause undefined behavior. + +Signed-off-by: Dirk Bender +Signed-off-by: Stefan Riedmueller +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/mt9p031.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c +index 6eb88ef997836..3ae1b28c8351b 100644 +--- a/drivers/media/i2c/mt9p031.c ++++ b/drivers/media/i2c/mt9p031.c +@@ -78,7 +78,9 @@ + #define MT9P031_PIXEL_CLOCK_INVERT (1 << 15) + #define MT9P031_PIXEL_CLOCK_SHIFT(n) ((n) << 8) + #define MT9P031_PIXEL_CLOCK_DIVIDE(n) ((n) << 0) +-#define MT9P031_FRAME_RESTART 0x0b ++#define MT9P031_RESTART 0x0b ++#define MT9P031_FRAME_PAUSE_RESTART (1 << 1) ++#define MT9P031_FRAME_RESTART (1 << 0) + #define MT9P031_SHUTTER_DELAY 0x0c + #define MT9P031_RST 0x0d + #define MT9P031_RST_ENABLE 1 +@@ -444,9 +446,23 @@ static int mt9p031_set_params(struct mt9p031 *mt9p031) + static int mt9p031_s_stream(struct v4l2_subdev *subdev, int enable) + { + struct mt9p031 *mt9p031 = to_mt9p031(subdev); ++ struct i2c_client *client = v4l2_get_subdevdata(subdev); ++ int val; + int ret; + + if (!enable) { ++ /* enable pause restart */ ++ val = MT9P031_FRAME_PAUSE_RESTART; ++ ret = mt9p031_write(client, MT9P031_RESTART, val); ++ if (ret < 0) ++ return ret; ++ ++ /* enable restart + keep pause restart set */ ++ val |= MT9P031_FRAME_RESTART; ++ ret = mt9p031_write(client, MT9P031_RESTART, val); ++ if (ret < 0) ++ return ret; ++ + /* Stop sensor readout */ + ret = mt9p031_set_output_control(mt9p031, + MT9P031_OUTPUT_CONTROL_CEN, 0); +@@ -466,6 +482,16 @@ static int mt9p031_s_stream(struct v4l2_subdev *subdev, int enable) + if (ret < 0) + return ret; + ++ /* ++ * - clear pause restart ++ * - don't clear restart as clearing restart manually can cause ++ * undefined behavior ++ */ ++ val = MT9P031_FRAME_RESTART; ++ ret = mt9p031_write(client, MT9P031_RESTART, val); ++ if (ret < 0) ++ return ret; ++ + return mt9p031_pll_enable(mt9p031); + } + +-- +2.33.0 + diff --git a/queue-5.15/media-mtk-vcodec-venc-fix-return-value-when-start_st.patch b/queue-5.15/media-mtk-vcodec-venc-fix-return-value-when-start_st.patch new file mode 100644 index 00000000000..8f49ff4589c --- /dev/null +++ b/queue-5.15/media-mtk-vcodec-venc-fix-return-value-when-start_st.patch @@ -0,0 +1,51 @@ +From 084a2fc551dab1a7c6f5aa7d94283341aa982552 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 10:36:41 +0200 +Subject: media: mtk-vcodec: venc: fix return value when start_streaming fails + +From: Dafna Hirschfeld + +[ Upstream commit 065a7c66bd8b21db212fa86187ff12f0cac6ea6d ] + +In case vb2ops_venc_start_streaming fails, the error value +is overwritten by the ret value of pm_runtime_put which might +be 0. Fix it. + +Fixes: 985c73693fe5a (" media: mtk-vcodec: Separating mtk encoder driver") +Signed-off-by: Dafna Hirschfeld +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c +index 416f356af363d..d97a6765693f1 100644 +--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c ++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c +@@ -793,7 +793,7 @@ static int vb2ops_venc_start_streaming(struct vb2_queue *q, unsigned int count) + { + struct mtk_vcodec_ctx *ctx = vb2_get_drv_priv(q); + struct venc_enc_param param; +- int ret; ++ int ret, pm_ret; + int i; + + /* Once state turn into MTK_STATE_ABORT, we need stop_streaming +@@ -845,9 +845,9 @@ static int vb2ops_venc_start_streaming(struct vb2_queue *q, unsigned int count) + return 0; + + err_set_param: +- ret = pm_runtime_put(&ctx->dev->plat_dev->dev); +- if (ret < 0) +- mtk_v4l2_err("pm_runtime_put fail %d", ret); ++ pm_ret = pm_runtime_put(&ctx->dev->plat_dev->dev); ++ if (pm_ret < 0) ++ mtk_v4l2_err("pm_runtime_put fail %d", pm_ret); + + err_start_stream: + for (i = 0; i < q->num_buffers; ++i) { +-- +2.33.0 + diff --git a/queue-5.15/media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch b/queue-5.15/media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch new file mode 100644 index 00000000000..1d00228a9bd --- /dev/null +++ b/queue-5.15/media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch @@ -0,0 +1,52 @@ +From 7714922d998bdae6036faef0e5792465c5cf5117 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 22:21:25 +0200 +Subject: media: mtk-vpu: Fix a resource leak in the error handling path of + 'mtk_vpu_probe()' + +From: Christophe JAILLET + +[ Upstream commit 2143ad413c05c7be24c3a92760e367b7f6aaac92 ] + +A successful 'clk_prepare()' call should be balanced by a corresponding +'clk_unprepare()' call in the error handling path of the probe, as already +done in the remove function. + +Update the error handling path accordingly. + +Fixes: 3003a180ef6b ("[media] VPU: mediatek: support Mediatek VPU") +Signed-off-by: Christophe JAILLET +Reviewed-by: Houlong Wei +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-vpu/mtk_vpu.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/mtk-vpu/mtk_vpu.c b/drivers/media/platform/mtk-vpu/mtk_vpu.c +index ec290dde59cfd..7f1647da0ade0 100644 +--- a/drivers/media/platform/mtk-vpu/mtk_vpu.c ++++ b/drivers/media/platform/mtk-vpu/mtk_vpu.c +@@ -848,7 +848,8 @@ static int mtk_vpu_probe(struct platform_device *pdev) + vpu->wdt.wq = create_singlethread_workqueue("vpu_wdt"); + if (!vpu->wdt.wq) { + dev_err(dev, "initialize wdt workqueue failed\n"); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto clk_unprepare; + } + INIT_WORK(&vpu->wdt.ws, vpu_wdt_reset_func); + mutex_init(&vpu->vpu_mutex); +@@ -942,6 +943,8 @@ disable_vpu_clk: + vpu_clock_disable(vpu); + workqueue_destroy: + destroy_workqueue(vpu->wdt.wq); ++clk_unprepare: ++ clk_unprepare(vpu->clk); + + return ret; + } +-- +2.33.0 + diff --git a/queue-5.15/media-netup_unidvb-handle-interrupt-properly-accordi.patch b/queue-5.15/media-netup_unidvb-handle-interrupt-properly-accordi.patch new file mode 100644 index 00000000000..a4313141401 --- /dev/null +++ b/queue-5.15/media-netup_unidvb-handle-interrupt-properly-accordi.patch @@ -0,0 +1,178 @@ +From a07ed540d40c713006063f3594eaeb96fcd7f1a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 08:01:05 +0200 +Subject: media: netup_unidvb: handle interrupt properly according to the + firmware + +From: Zheyu Ma + +[ Upstream commit dbb4cfea6efe979ed153bd59a6a527a90d3d0ab3 ] + +The interrupt handling should be related to the firmware version. If +the driver matches an old firmware, then the driver should not handle +interrupt such as i2c or dma, otherwise it will cause some errors. + +This log reveals it: + +[ 27.708641] INFO: trying to register non-static key. +[ 27.710851] The code is fine but needs lockdep annotation, or maybe +[ 27.712010] you didn't initialize this object before use? +[ 27.712396] turning off the locking correctness validator. +[ 27.712787] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-g70e7f0549188-dirty #169 +[ 27.713349] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 27.714149] Call Trace: +[ 27.714329] +[ 27.714480] dump_stack+0xba/0xf5 +[ 27.714737] register_lock_class+0x873/0x8f0 +[ 27.715052] ? __lock_acquire+0x323/0x1930 +[ 27.715353] __lock_acquire+0x75/0x1930 +[ 27.715636] lock_acquire+0x1dd/0x3e0 +[ 27.715905] ? netup_i2c_interrupt+0x19/0x310 +[ 27.716226] _raw_spin_lock_irqsave+0x4b/0x60 +[ 27.716544] ? netup_i2c_interrupt+0x19/0x310 +[ 27.716863] netup_i2c_interrupt+0x19/0x310 +[ 27.717178] netup_unidvb_isr+0xd3/0x160 +[ 27.717467] __handle_irq_event_percpu+0x53/0x3e0 +[ 27.717808] handle_irq_event_percpu+0x35/0x90 +[ 27.718129] handle_irq_event+0x39/0x60 +[ 27.718409] handle_fasteoi_irq+0xc2/0x1d0 +[ 27.718707] __common_interrupt+0x7f/0x150 +[ 27.719008] common_interrupt+0xb4/0xd0 +[ 27.719289] +[ 27.719446] asm_common_interrupt+0x1e/0x40 +[ 27.719747] RIP: 0010:native_safe_halt+0x17/0x20 +[ 27.720084] Code: 07 0f 00 2d 8b ee 4c 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 72 95 17 02 55 48 89 e5 85 c0 7e 07 0f 00 2d 6b ee 4c 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d 29 f6 +[ 27.721386] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246 +[ 27.721758] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 +[ 27.722262] RDX: 0000000000000000 RSI: ffffffff85f7c054 RDI: ffffffff85ded4e6 +[ 27.722770] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001 +[ 27.723277] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86a75408 +[ 27.723781] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100260000 +[ 27.724289] default_idle+0x9/0x10 +[ 27.724537] arch_cpu_idle+0xa/0x10 +[ 27.724791] default_idle_call+0x6e/0x250 +[ 27.725082] do_idle+0x1f0/0x2d0 +[ 27.725326] cpu_startup_entry+0x18/0x20 +[ 27.725613] start_secondary+0x11f/0x160 +[ 27.725902] secondary_startup_64_no_verify+0xb0/0xbb +[ 27.726272] BUG: kernel NULL pointer dereference, address: 0000000000000002 +[ 27.726768] #PF: supervisor read access in kernel mode +[ 27.727138] #PF: error_code(0x0000) - not-present page +[ 27.727507] PGD 8000000118688067 P4D 8000000118688067 PUD 10feab067 PMD 0 +[ 27.727999] Oops: 0000 [#1] PREEMPT SMP PTI +[ 27.728302] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-g70e7f0549188-dirty #169 +[ 27.728861] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 27.729660] RIP: 0010:netup_i2c_interrupt+0x23/0x310 +[ 27.730019] Code: 0f 1f 80 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb e8 af 6e 95 fd 48 89 df e8 e7 9f 1c 01 49 89 c5 48 8b 83 48 08 00 00 <66> 44 8b 60 02 44 89 e0 48 8b 93 48 08 00 00 83 e0 f8 66 89 42 02 +[ 27.731339] RSP: 0018:ffffc90000118e90 EFLAGS: 00010046 +[ 27.731716] RAX: 0000000000000000 RBX: ffff88810803c4d8 RCX: 0000000000000000 +[ 27.732223] RDX: 0000000000000001 RSI: ffffffff85d37b94 RDI: ffff88810803c4d8 +[ 27.732727] RBP: ffffc90000118ea8 R08: 0000000000000000 R09: 0000000000000001 +[ 27.733239] R10: ffff88810803c4f0 R11: 61646e6f63657320 R12: 0000000000000000 +[ 27.733745] R13: 0000000000000046 R14: ffff888101041000 R15: ffff8881081b2400 +[ 27.734251] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 +[ 27.734821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 27.735228] CR2: 0000000000000002 CR3: 0000000108194000 CR4: 00000000000006e0 +[ 27.735735] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 27.736241] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 27.736744] Call Trace: +[ 27.736924] +[ 27.737074] netup_unidvb_isr+0xd3/0x160 +[ 27.737363] __handle_irq_event_percpu+0x53/0x3e0 +[ 27.737706] handle_irq_event_percpu+0x35/0x90 +[ 27.738028] handle_irq_event+0x39/0x60 +[ 27.738306] handle_fasteoi_irq+0xc2/0x1d0 +[ 27.738602] __common_interrupt+0x7f/0x150 +[ 27.738899] common_interrupt+0xb4/0xd0 +[ 27.739176] +[ 27.739331] asm_common_interrupt+0x1e/0x40 +[ 27.739633] RIP: 0010:native_safe_halt+0x17/0x20 +[ 27.739967] Code: 07 0f 00 2d 8b ee 4c 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 72 95 17 02 55 48 89 e5 85 c0 7e 07 0f 00 2d 6b ee 4c 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d 29 f6 +[ 27.741275] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246 +[ 27.741647] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 +[ 27.742148] RDX: 0000000000000000 RSI: ffffffff85f7c054 RDI: ffffffff85ded4e6 +[ 27.742652] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001 +[ 27.743154] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86a75408 +[ 27.743652] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100260000 +[ 27.744157] default_idle+0x9/0x10 +[ 27.744405] arch_cpu_idle+0xa/0x10 +[ 27.744658] default_idle_call+0x6e/0x250 +[ 27.744948] do_idle+0x1f0/0x2d0 +[ 27.745190] cpu_startup_entry+0x18/0x20 +[ 27.745475] start_secondary+0x11f/0x160 +[ 27.745761] secondary_startup_64_no_verify+0xb0/0xbb +[ 27.746123] Modules linked in: +[ 27.746348] Dumping ftrace buffer: +[ 27.746596] (ftrace buffer empty) +[ 27.746852] CR2: 0000000000000002 +[ 27.747094] ---[ end trace ebafd46f83ab946d ]--- +[ 27.747424] RIP: 0010:netup_i2c_interrupt+0x23/0x310 +[ 27.747778] Code: 0f 1f 80 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb e8 af 6e 95 fd 48 89 df e8 e7 9f 1c 01 49 89 c5 48 8b 83 48 08 00 00 <66> 44 8b 60 02 44 89 e0 48 8b 93 48 08 00 00 83 e0 f8 66 89 42 02 +[ 27.749082] RSP: 0018:ffffc90000118e90 EFLAGS: 00010046 +[ 27.749461] RAX: 0000000000000000 RBX: ffff88810803c4d8 RCX: 0000000000000000 +[ 27.749966] RDX: 0000000000000001 RSI: ffffffff85d37b94 RDI: ffff88810803c4d8 +[ 27.750471] RBP: ffffc90000118ea8 R08: 0000000000000000 R09: 0000000000000001 +[ 27.750976] R10: ffff88810803c4f0 R11: 61646e6f63657320 R12: 0000000000000000 +[ 27.751480] R13: 0000000000000046 R14: ffff888101041000 R15: ffff8881081b2400 +[ 27.751986] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 +[ 27.752560] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 27.752970] CR2: 0000000000000002 CR3: 0000000108194000 CR4: 00000000000006e0 +[ 27.753481] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 27.753984] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 27.754487] Kernel panic - not syncing: Fatal exception in interrupt +[ 27.755033] Dumping ftrace buffer: +[ 27.755279] (ftrace buffer empty) +[ 27.755534] Kernel Offset: disabled +[ 27.755785] Rebooting in 1 seconds.. + +Signed-off-by: Zheyu Ma +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../pci/netup_unidvb/netup_unidvb_core.c | 27 +++++++++++-------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +index 6f3125c2d0976..77bae14685513 100644 +--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c ++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +@@ -258,19 +258,24 @@ static irqreturn_t netup_unidvb_isr(int irq, void *dev_id) + if ((reg40 & AVL_IRQ_ASSERTED) != 0) { + /* IRQ is being signaled */ + reg_isr = readw(ndev->bmmio0 + REG_ISR); +- if (reg_isr & NETUP_UNIDVB_IRQ_I2C0) { +- iret = netup_i2c_interrupt(&ndev->i2c[0]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1) { +- iret = netup_i2c_interrupt(&ndev->i2c[1]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_SPI) { ++ if (reg_isr & NETUP_UNIDVB_IRQ_SPI) + iret = netup_spi_interrupt(ndev->spi); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1) { +- iret = netup_dma_interrupt(&ndev->dma[0]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2) { +- iret = netup_dma_interrupt(&ndev->dma[1]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_CI) { +- iret = netup_ci_interrupt(ndev); ++ else if (!ndev->old_fw) { ++ if (reg_isr & NETUP_UNIDVB_IRQ_I2C0) { ++ iret = netup_i2c_interrupt(&ndev->i2c[0]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1) { ++ iret = netup_i2c_interrupt(&ndev->i2c[1]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1) { ++ iret = netup_dma_interrupt(&ndev->dma[0]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2) { ++ iret = netup_dma_interrupt(&ndev->dma[1]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_CI) { ++ iret = netup_ci_interrupt(ndev); ++ } else { ++ goto err; ++ } + } else { ++err: + dev_err(&pci_dev->dev, + "%s(): unknown interrupt 0x%x\n", + __func__, reg_isr); +-- +2.33.0 + diff --git a/queue-5.15/media-radio-wl1273-avoid-card-name-truncation.patch b/queue-5.15/media-radio-wl1273-avoid-card-name-truncation.patch new file mode 100644 index 00000000000..9e3374a71f1 --- /dev/null +++ b/queue-5.15/media-radio-wl1273-avoid-card-name-truncation.patch @@ -0,0 +1,39 @@ +From 106995e019e7e13cd78195c2bb9a887fb49bb7a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Aug 2021 21:46:08 +0200 +Subject: media: radio-wl1273: Avoid card name truncation + +From: Kees Cook + +[ Upstream commit dfadec236aa99f6086141949c9dc3ec50f3ff20d ] + +The "card" string only holds 31 characters (and the terminating NUL). +In order to avoid truncation, use a shorter card description instead of +the current result, "Texas Instruments Wl1273 FM Rad". + +Suggested-by: Hans Verkuil +Fixes: 87d1a50ce451 ("[media] V4L2: WL1273 FM Radio: TI WL1273 FM radio driver") +Signed-off-by: Kees Cook +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/radio/radio-wl1273.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/radio/radio-wl1273.c b/drivers/media/radio/radio-wl1273.c +index 1123768731676..484046471c03f 100644 +--- a/drivers/media/radio/radio-wl1273.c ++++ b/drivers/media/radio/radio-wl1273.c +@@ -1279,7 +1279,7 @@ static int wl1273_fm_vidioc_querycap(struct file *file, void *priv, + + strscpy(capability->driver, WL1273_FM_DRIVER_NAME, + sizeof(capability->driver)); +- strscpy(capability->card, "Texas Instruments Wl1273 FM Radio", ++ strscpy(capability->card, "TI Wl1273 FM Radio", + sizeof(capability->card)); + strscpy(capability->bus_info, radio->bus_type, + sizeof(capability->bus_info)); +-- +2.33.0 + diff --git a/queue-5.15/media-rcar-csi2-add-checking-to-rcsi2_start_receiver.patch b/queue-5.15/media-rcar-csi2-add-checking-to-rcsi2_start_receiver.patch new file mode 100644 index 00000000000..28f812fd113 --- /dev/null +++ b/queue-5.15/media-rcar-csi2-add-checking-to-rcsi2_start_receiver.patch @@ -0,0 +1,45 @@ +From 78e84c57a6b43773ff4c361cf759e91af3c0785a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Aug 2021 19:18:16 +0200 +Subject: media: rcar-csi2: Add checking to rcsi2_start_receiver() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nadezda Lutovinova + +[ Upstream commit fc41665498332ad394b7db37f23e9394096ddc71 ] + +If rcsi2_code_to_fmt() return NULL, then null pointer dereference occurs +in the next cycle. That should not be possible now but adding checking +protects from future bugs. +The patch adds checking if format is NULL. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Nadezda Lutovinova +Reviewed-by: Jacopo Mondi +Reviewed-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-csi2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/rcar-vin/rcar-csi2.c b/drivers/media/platform/rcar-vin/rcar-csi2.c +index e28eff0396888..ba4a380016cc4 100644 +--- a/drivers/media/platform/rcar-vin/rcar-csi2.c ++++ b/drivers/media/platform/rcar-vin/rcar-csi2.c +@@ -553,6 +553,8 @@ static int rcsi2_start_receiver(struct rcar_csi2 *priv) + + /* Code is validated in set_fmt. */ + format = rcsi2_code_to_fmt(priv->mf.code); ++ if (!format) ++ return -EINVAL; + + /* + * Enable all supported CSI-2 channels with virtual channel and +-- +2.33.0 + diff --git a/queue-5.15/media-rcar-vin-use-user-provided-buffers-when-starti.patch b/queue-5.15/media-rcar-vin-use-user-provided-buffers-when-starti.patch new file mode 100644 index 00000000000..5beb72f910c --- /dev/null +++ b/queue-5.15/media-rcar-vin-use-user-provided-buffers-when-starti.patch @@ -0,0 +1,56 @@ +From cfbed2a9c282838203779a1c389b4d65e417a36d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Sep 2021 21:19:58 +0200 +Subject: media: rcar-vin: Use user provided buffers when starting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Niklas Söderlund + +[ Upstream commit a5991c4e947153418f71f4689614b87ca0551b81 ] + +When adding an internal scratch buffer to improve buffer handling when +stopping it was also erroneously used when syncing at capture start. +This led to that the first three buffers captured were always dropped +as they were captured in the scratch buffer instead of in a buffer +provided by the user. + +Allow the hardware to be given user provided buffers when preparing for +capture in the stopped state. This still allows the driver to sync with +the hardware and always completes the buffers to user-space in the +correct order as no buffers are completed before the sync is complete. +This change improves the driver as buffers are completed and given to +the user three frames earlier than before. + +The change also fixes a warning produced by v4l2-compliance, + + warn: v4l2-test-buffers.cpp(448): got sequence number 3, expected 0 + +[hverkuil: fixed some typos in the Subject and the log message] + +Signed-off-by: Niklas Söderlund +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/rcar-vin/rcar-dma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/rcar-vin/rcar-dma.c b/drivers/media/platform/rcar-vin/rcar-dma.c +index f5f722ab1d4e8..520d044bfb8d5 100644 +--- a/drivers/media/platform/rcar-vin/rcar-dma.c ++++ b/drivers/media/platform/rcar-vin/rcar-dma.c +@@ -904,7 +904,8 @@ static void rvin_fill_hw_slot(struct rvin_dev *vin, int slot) + vin->format.sizeimage / 2; + break; + } +- } else if (vin->state != RUNNING || list_empty(&vin->buf_list)) { ++ } else if ((vin->state != STOPPED && vin->state != RUNNING) || ++ list_empty(&vin->buf_list)) { + vin->buf_hw[slot].buffer = NULL; + vin->buf_hw[slot].type = FULL; + phys_addr = vin->scratch_phys; +-- +2.33.0 + diff --git a/queue-5.15/media-s5p-mfc-add-checking-to-s5p_mfc_probe.patch b/queue-5.15/media-s5p-mfc-add-checking-to-s5p_mfc_probe.patch new file mode 100644 index 00000000000..fdf48686ee8 --- /dev/null +++ b/queue-5.15/media-s5p-mfc-add-checking-to-s5p_mfc_probe.patch @@ -0,0 +1,41 @@ +From b9dde6499045331a0e4846198f6a3f88f19e1f2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Aug 2021 15:32:28 +0200 +Subject: media: s5p-mfc: Add checking to s5p_mfc_probe(). + +From: Nadezda Lutovinova + +[ Upstream commit cdfaf4752e6915a4b455ad4400133e540e4dc965 ] + +If of_device_get_match_data() return NULL, +then null pointer dereference occurs in s5p_mfc_init_pm(). +The patch adds checking if dev->variant is NULL. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Nadezda Lutovinova +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c +index c763c0a03140c..f336a95432732 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -1288,6 +1288,10 @@ static int s5p_mfc_probe(struct platform_device *pdev) + } + + dev->variant = of_device_get_match_data(&pdev->dev); ++ if (!dev->variant) { ++ dev_err(&pdev->dev, "Failed to get device MFC hardware variant information\n"); ++ return -ENOENT; ++ } + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + dev->regs_base = devm_ioremap_resource(&pdev->dev, res); +-- +2.33.0 + diff --git a/queue-5.15/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch b/queue-5.15/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch new file mode 100644 index 00000000000..1489b48bc5f --- /dev/null +++ b/queue-5.15/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch @@ -0,0 +1,49 @@ +From 3d0a39d6c20aef38b936fa1b0fa491da46af565a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Aug 2021 09:55:35 +0200 +Subject: media: s5p-mfc: fix possible null-pointer dereference in + s5p_mfc_probe() + +From: Tuo Li + +[ Upstream commit 8515965e5e33f4feb56134348c95953f3eadfb26 ] + +The variable pdev is assigned to dev->plat_dev, and dev->plat_dev is +checked in: + if (!dev->plat_dev) + +This indicates both dev->plat_dev and pdev can be NULL. If so, the +function dev_err() is called to print error information. + dev_err(&pdev->dev, "No platform data specified\n"); + +However, &pdev->dev is an illegal address, and it is dereferenced in +dev_err(). + +To fix this possible null-pointer dereference, replace dev_err() with +mfc_err(). + +Reported-by: TOTE Robot +Signed-off-by: Tuo Li +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c +index eba2b9f040df0..c763c0a03140c 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -1283,7 +1283,7 @@ static int s5p_mfc_probe(struct platform_device *pdev) + spin_lock_init(&dev->condlock); + dev->plat_dev = pdev; + if (!dev->plat_dev) { +- dev_err(&pdev->dev, "No platform data specified\n"); ++ mfc_err("No platform data specified\n"); + return -ENODEV; + } + +-- +2.33.0 + diff --git a/queue-5.15/media-si470x-avoid-card-name-truncation.patch b/queue-5.15/media-si470x-avoid-card-name-truncation.patch new file mode 100644 index 00000000000..2f86f7f5ece --- /dev/null +++ b/queue-5.15/media-si470x-avoid-card-name-truncation.patch @@ -0,0 +1,54 @@ +From 23bf4a646a66db3f13e8c99c3718c9dfa999d2f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Aug 2021 21:46:09 +0200 +Subject: media: si470x: Avoid card name truncation + +From: Kees Cook + +[ Upstream commit 2908249f3878a591f7918368fdf0b7b0a6c3158c ] + +The "card" string only holds 31 characters (and the terminating NUL). +In order to avoid truncation, use a shorter card description instead of +the current result, "Silicon Labs Si470x FM Radio Re". + +Suggested-by: Hans Verkuil +Fixes: 78656acdcf48 ("V4L/DVB (7038): USB radio driver for Silicon Labs Si470x FM Radio Receivers") +Fixes: cc35bbddfe10 ("V4L/DVB (12416): radio-si470x: add i2c driver for si470x") +Signed-off-by: Kees Cook +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/radio/si470x/radio-si470x-i2c.c | 2 +- + drivers/media/radio/si470x/radio-si470x-usb.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c +index f491420d7b538..a972c0705ac79 100644 +--- a/drivers/media/radio/si470x/radio-si470x-i2c.c ++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c +@@ -11,7 +11,7 @@ + + /* driver definitions */ + #define DRIVER_AUTHOR "Joonyoung Shim "; +-#define DRIVER_CARD "Silicon Labs Si470x FM Radio Receiver" ++#define DRIVER_CARD "Silicon Labs Si470x FM Radio" + #define DRIVER_DESC "I2C radio driver for Si470x FM Radio Receivers" + #define DRIVER_VERSION "1.0.2" + +diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c +index fedff68d8c496..3f8634a465730 100644 +--- a/drivers/media/radio/si470x/radio-si470x-usb.c ++++ b/drivers/media/radio/si470x/radio-si470x-usb.c +@@ -16,7 +16,7 @@ + + /* driver definitions */ + #define DRIVER_AUTHOR "Tobias Lorenz " +-#define DRIVER_CARD "Silicon Labs Si470x FM Radio Receiver" ++#define DRIVER_CARD "Silicon Labs Si470x FM Radio" + #define DRIVER_DESC "USB radio driver for Si470x FM Radio Receivers" + #define DRIVER_VERSION "1.0.10" + +-- +2.33.0 + diff --git a/queue-5.15/media-stm32-potential-null-pointer-dereference-in-dc.patch b/queue-5.15/media-stm32-potential-null-pointer-dereference-in-dc.patch new file mode 100644 index 00000000000..0035becd0af --- /dev/null +++ b/queue-5.15/media-stm32-potential-null-pointer-dereference-in-dc.patch @@ -0,0 +1,94 @@ +From 81a4e5b292ddad7d3bee1c151766dfa4f9d1f7dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 17:06:26 +0200 +Subject: media: stm32: Potential NULL pointer dereference in dcmi_irq_thread() + +From: Dmitriy Ulitin + +[ Upstream commit 548fa43a58696450c15b8f5564e99589c5144664 ] + +At the moment of enabling irq handling: + +1922 ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback, +1923 dcmi_irq_thread, IRQF_ONESHOT, +1924 dev_name(&pdev->dev), dcmi); + +there is still uninitialized field sd_format of struct stm32_dcmi *dcmi. +If an interrupt occurs in the interval between the installation of the +interrupt handler and the initialization of this field, NULL pointer +dereference happens. + +This field is dereferenced in the handler function without any check: + +457 if (dcmi->sd_format->fourcc == V4L2_PIX_FMT_JPEG && +458 dcmi->misr & IT_FRAME) { + +The patch moves interrupt handler installation +after initialization of the sd_format field that happens in +dcmi_graph_notify_complete() via dcmi_set_default_fmt(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Dmitriy Ulitin +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/stm32/stm32-dcmi.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/platform/stm32/stm32-dcmi.c b/drivers/media/platform/stm32/stm32-dcmi.c +index d914ccef98317..6110718645a4f 100644 +--- a/drivers/media/platform/stm32/stm32-dcmi.c ++++ b/drivers/media/platform/stm32/stm32-dcmi.c +@@ -128,6 +128,7 @@ struct stm32_dcmi { + int sequence; + struct list_head buffers; + struct dcmi_buf *active; ++ int irq; + + struct v4l2_device v4l2_dev; + struct video_device *vdev; +@@ -1759,6 +1760,14 @@ static int dcmi_graph_notify_complete(struct v4l2_async_notifier *notifier) + return ret; + } + ++ ret = devm_request_threaded_irq(dcmi->dev, dcmi->irq, dcmi_irq_callback, ++ dcmi_irq_thread, IRQF_ONESHOT, ++ dev_name(dcmi->dev), dcmi); ++ if (ret) { ++ dev_err(dcmi->dev, "Unable to request irq %d\n", dcmi->irq); ++ return ret; ++ } ++ + return 0; + } + +@@ -1914,6 +1923,8 @@ static int dcmi_probe(struct platform_device *pdev) + if (irq <= 0) + return irq ? irq : -ENXIO; + ++ dcmi->irq = irq; ++ + dcmi->res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + if (!dcmi->res) { + dev_err(&pdev->dev, "Could not get resource\n"); +@@ -1926,14 +1937,6 @@ static int dcmi_probe(struct platform_device *pdev) + return PTR_ERR(dcmi->regs); + } + +- ret = devm_request_threaded_irq(&pdev->dev, irq, dcmi_irq_callback, +- dcmi_irq_thread, IRQF_ONESHOT, +- dev_name(&pdev->dev), dcmi); +- if (ret) { +- dev_err(&pdev->dev, "Unable to request irq %d\n", irq); +- return ret; +- } +- + mclk = devm_clk_get(&pdev->dev, "mclk"); + if (IS_ERR(mclk)) { + if (PTR_ERR(mclk) != -EPROBE_DEFER) +-- +2.33.0 + diff --git a/queue-5.15/media-sun6i-csi-allow-the-video-device-to-be-open-mu.patch b/queue-5.15/media-sun6i-csi-allow-the-video-device-to-be-open-mu.patch new file mode 100644 index 00000000000..cd81b9133f6 --- /dev/null +++ b/queue-5.15/media-sun6i-csi-allow-the-video-device-to-be-open-mu.patch @@ -0,0 +1,54 @@ +From f3bda9b23456fbf70b257ded1bbd59be71603100 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 12:56:09 +0200 +Subject: media: sun6i-csi: Allow the video device to be open multiple times + +From: Ondrej Jirman + +[ Upstream commit 8ed852834683ebe064157e069af8dfb41cad6403 ] + +Previously it was possible, but a recent fix for uninitialized +`ret` variable broke this behavior. + +v4l2_fh_is_singular_file() check is there just to determine +whether the power needs to be enabled, and it's not a failure +if it returns false. + +Fixes: ba9139116bc0 ("media: sun6i-csi: add a missing return code") +Signed-off-by: Ondrej Jirman +Reviewed-by: Jernej Skrabec +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c b/drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c +index 07b2161392d21..5ba3e29f794fd 100644 +--- a/drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c ++++ b/drivers/media/platform/sunxi/sun6i-csi/sun6i_video.c +@@ -467,7 +467,7 @@ static const struct v4l2_ioctl_ops sun6i_video_ioctl_ops = { + static int sun6i_video_open(struct file *file) + { + struct sun6i_video *video = video_drvdata(file); +- int ret; ++ int ret = 0; + + if (mutex_lock_interruptible(&video->lock)) + return -ERESTARTSYS; +@@ -481,10 +481,8 @@ static int sun6i_video_open(struct file *file) + goto fh_release; + + /* check if already powered */ +- if (!v4l2_fh_is_singular_file(file)) { +- ret = -EBUSY; ++ if (!v4l2_fh_is_singular_file(file)) + goto unlock; +- } + + ret = sun6i_csi_set_power(video->csi, true); + if (ret < 0) +-- +2.33.0 + diff --git a/queue-5.15/media-tda1997x-handle-short-reads-of-hdmi-info-frame.patch b/queue-5.15/media-tda1997x-handle-short-reads-of-hdmi-info-frame.patch new file mode 100644 index 00000000000..a45426f2674 --- /dev/null +++ b/queue-5.15/media-tda1997x-handle-short-reads-of-hdmi-info-frame.patch @@ -0,0 +1,74 @@ +From 4b1e2ee5edd63ce8a05f468347abf22eed90a7e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 19:00:43 +0200 +Subject: media: TDA1997x: handle short reads of hdmi info frame. + +From: Tom Rix + +[ Upstream commit 48d219f9cc667bc6fbc3e3af0b1bfd75db94fce4 ] + +Static analysis reports this representative problem + +tda1997x.c:1939: warning: 7th function call argument is an uninitialized +value + +The 7th argument is buffer[0], which is set in the earlier call to +io_readn(). When io_readn() call to io_read() fails with the first +read, buffer[0] is not set and 0 is returned and stored in len. + +The later call to hdmi_infoframe_unpack()'s size parameter is the +static size of buffer, always 40, so a short read is not caught +in hdmi_infoframe_unpacks()'s checking. The variable len should be +used instead. + +Zero initialize buffer to 0 so it is in a known start state. + +Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver") +Signed-off-by: Tom Rix +Reviewed-by: Tim Harvey +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tda1997x.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c +index 6070aaf0b32ea..4dafa9f1cf522 100644 +--- a/drivers/media/i2c/tda1997x.c ++++ b/drivers/media/i2c/tda1997x.c +@@ -1248,13 +1248,13 @@ tda1997x_parse_infoframe(struct tda1997x_state *state, u16 addr) + { + struct v4l2_subdev *sd = &state->sd; + union hdmi_infoframe frame; +- u8 buffer[40]; ++ u8 buffer[40] = { 0 }; + u8 reg; + int len, err; + + /* read data */ + len = io_readn(sd, addr, sizeof(buffer), buffer); +- err = hdmi_infoframe_unpack(&frame, buffer, sizeof(buffer)); ++ err = hdmi_infoframe_unpack(&frame, buffer, len); + if (err) { + v4l_err(state->client, + "failed parsing %d byte infoframe: 0x%04x/0x%02x\n", +@@ -1928,13 +1928,13 @@ static int tda1997x_log_infoframe(struct v4l2_subdev *sd, int addr) + { + struct tda1997x_state *state = to_state(sd); + union hdmi_infoframe frame; +- u8 buffer[40]; ++ u8 buffer[40] = { 0 }; + int len, err; + + /* read data */ + len = io_readn(sd, addr, sizeof(buffer), buffer); + v4l2_dbg(1, debug, sd, "infoframe: addr=%d len=%d\n", addr, len); +- err = hdmi_infoframe_unpack(&frame, buffer, sizeof(buffer)); ++ err = hdmi_infoframe_unpack(&frame, buffer, len); + if (err) { + v4l_err(state->client, + "failed parsing %d byte infoframe: 0x%04x/0x%02x\n", +-- +2.33.0 + diff --git a/queue-5.15/media-tm6000-avoid-card-name-truncation.patch b/queue-5.15/media-tm6000-avoid-card-name-truncation.patch new file mode 100644 index 00000000000..16bd54e2d5f --- /dev/null +++ b/queue-5.15/media-tm6000-avoid-card-name-truncation.patch @@ -0,0 +1,40 @@ +From edb4731998056cb4e2e78c6ab955208b0deeca0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Aug 2021 21:46:10 +0200 +Subject: media: tm6000: Avoid card name truncation + +From: Kees Cook + +[ Upstream commit 42bb98e420d454fef3614b70ea11cc59068395f6 ] + +The "card" string only holds 31 characters (and the terminating NUL). +In order to avoid truncation, use a shorter card description instead of +the current result, "Trident TVMaster TM5600/6000/60". + +Suggested-by: Hans Verkuil +Fixes: e28f49b0b2a8 ("V4L/DVB: tm6000: fix some info messages") +Signed-off-by: Kees Cook +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/tm6000/tm6000-video.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c +index 3f650ede0c3dc..e293f6f3d1bc9 100644 +--- a/drivers/media/usb/tm6000/tm6000-video.c ++++ b/drivers/media/usb/tm6000/tm6000-video.c +@@ -852,8 +852,7 @@ static int vidioc_querycap(struct file *file, void *priv, + struct tm6000_core *dev = ((struct tm6000_fh *)priv)->dev; + + strscpy(cap->driver, "tm6000", sizeof(cap->driver)); +- strscpy(cap->card, "Trident TVMaster TM5600/6000/6010", +- sizeof(cap->card)); ++ strscpy(cap->card, "Trident TM5600/6000/6010", sizeof(cap->card)); + usb_make_path(dev->udev, cap->bus_info, sizeof(cap->bus_info)); + cap->capabilities = V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_READWRITE | + V4L2_CAP_DEVICE_CAPS; +-- +2.33.0 + diff --git a/queue-5.15/media-ttusb-dec-avoid-release-of-non-acquired-mutex.patch b/queue-5.15/media-ttusb-dec-avoid-release-of-non-acquired-mutex.patch new file mode 100644 index 00000000000..5262fe14018 --- /dev/null +++ b/queue-5.15/media-ttusb-dec-avoid-release-of-non-acquired-mutex.patch @@ -0,0 +1,69 @@ +From 32e5976dd7da62de10467d70de41c49b3e6469af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 11:28:27 +0200 +Subject: media: ttusb-dec: avoid release of non-acquired mutex + +From: Evgeny Novikov + +[ Upstream commit 36b9d695aa6fb8e9a312db21af41f90824d16ab4 ] + +ttusb_dec_send_command() invokes mutex_lock_interruptible() that can +fail but then it releases the non-acquired mutex. The patch fixes that. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: dba328bab4c6 ("media: ttusb-dec: cleanup an error handling logic") +Signed-off-by: Evgeny Novikov +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/ttusb-dec/ttusb_dec.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/usb/ttusb-dec/ttusb_dec.c b/drivers/media/usb/ttusb-dec/ttusb_dec.c +index bfda46a36dc50..38822cedd93a9 100644 +--- a/drivers/media/usb/ttusb-dec/ttusb_dec.c ++++ b/drivers/media/usb/ttusb-dec/ttusb_dec.c +@@ -327,7 +327,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, + result = mutex_lock_interruptible(&dec->usb_mutex); + if (result) { + printk("%s: Failed to lock usb mutex.\n", __func__); +- goto err; ++ goto err_free; + } + + b[0] = 0xaa; +@@ -349,7 +349,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, + if (result) { + printk("%s: command bulk message failed: error %d\n", + __func__, result); +- goto err; ++ goto err_mutex_unlock; + } + + result = usb_bulk_msg(dec->udev, dec->result_pipe, b, +@@ -358,7 +358,7 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, + if (result) { + printk("%s: result bulk message failed: error %d\n", + __func__, result); +- goto err; ++ goto err_mutex_unlock; + } else { + if (debug) { + printk(KERN_DEBUG "%s: result: %*ph\n", +@@ -371,9 +371,9 @@ static int ttusb_dec_send_command(struct ttusb_dec *dec, const u8 command, + memcpy(cmd_result, &b[4], b[3]); + } + +-err: ++err_mutex_unlock: + mutex_unlock(&dec->usb_mutex); +- ++err_free: + kfree(b); + return result; + } +-- +2.33.0 + diff --git a/queue-5.15/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch b/queue-5.15/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch new file mode 100644 index 00000000000..1c78106515c --- /dev/null +++ b/queue-5.15/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch @@ -0,0 +1,41 @@ +From 680640c7ee6420ca4b7d9838f2cd183020820024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Dec 2020 07:16:06 +0100 +Subject: media: usb: dvd-usb: fix uninit-value bug in + dibusb_read_eeprom_byte() + +From: Anant Thazhemadam + +[ Upstream commit 899a61a3305d49e8a712e9ab20d0db94bde5929f ] + +In dibusb_read_eeprom_byte(), if dibusb_i2c_msg() fails, val gets +assigned an value that's not properly initialized. +Using kzalloc() in place of kmalloc() for the buffer fixes this issue, +as the val can now be set to 0 in the event dibusb_i2c_msg() fails. + +Reported-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com +Tested-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dibusb-common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/dibusb-common.c b/drivers/media/usb/dvb-usb/dibusb-common.c +index 02b51d1a1b67c..aff60c10cb0b2 100644 +--- a/drivers/media/usb/dvb-usb/dibusb-common.c ++++ b/drivers/media/usb/dvb-usb/dibusb-common.c +@@ -223,7 +223,7 @@ int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val) + u8 *buf; + int rc; + +- buf = kmalloc(2, GFP_KERNEL); ++ buf = kzalloc(2, GFP_KERNEL); + if (!buf) + return -ENOMEM; + +-- +2.33.0 + diff --git a/queue-5.15/media-uvcvideo-return-eio-for-control-errors.patch b/queue-5.15/media-uvcvideo-return-eio-for-control-errors.patch new file mode 100644 index 00000000000..f1269bbfb7d --- /dev/null +++ b/queue-5.15/media-uvcvideo-return-eio-for-control-errors.patch @@ -0,0 +1,48 @@ +From 6898a1cb75db9c39ddab615130296ee7d3ac9f46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 14:29:09 +0200 +Subject: media: uvcvideo: Return -EIO for control errors + +From: Ricardo Ribalda + +[ Upstream commit ffccdde5f0e17d2f0d788a9d831a027187890eaa ] + +The device is doing something unexpected with the control. Either because +the protocol is not properly implemented or there has been a HW error. + +Fixes v4l2-compliance: + +Control ioctls (Input 0): + fail: v4l2-test-controls.cpp(448): s_ctrl returned an error (22) + test VIDIOC_G/S_CTRL: FAIL + fail: v4l2-test-controls.cpp(698): s_ext_ctrls returned an error (22) + test VIDIOC_G/S/TRY_EXT_CTRLS: FAIL + +Reviewed-by: Hans Verkuil +Signed-off-by: Ricardo Ribalda +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_video.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c +index e16464606b140..9f37eaf28ce7e 100644 +--- a/drivers/media/usb/uvc/uvc_video.c ++++ b/drivers/media/usb/uvc/uvc_video.c +@@ -115,6 +115,11 @@ int uvc_query_ctrl(struct uvc_device *dev, u8 query, u8 unit, + case 5: /* Invalid unit */ + case 6: /* Invalid control */ + case 7: /* Invalid Request */ ++ /* ++ * The firmware has not properly implemented ++ * the control or there has been a HW error. ++ */ ++ return -EIO; + case 8: /* Invalid value within range */ + return -EINVAL; + default: /* reserved or unknown */ +-- +2.33.0 + diff --git a/queue-5.15/media-uvcvideo-set-capability-in-s_param.patch b/queue-5.15/media-uvcvideo-set-capability-in-s_param.patch new file mode 100644 index 00000000000..c81d4b6eb5a --- /dev/null +++ b/queue-5.15/media-uvcvideo-set-capability-in-s_param.patch @@ -0,0 +1,47 @@ +From e10dafde682c41bdfc8b3416efb243feac60708e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 14:29:08 +0200 +Subject: media: uvcvideo: Set capability in s_param + +From: Ricardo Ribalda + +[ Upstream commit 97a2777a96070afb7da5d587834086c0b586c8cc ] + +Fixes v4l2-compliance: + +Format ioctls (Input 0): + warn: v4l2-test-formats.cpp(1339): S_PARM is supported but doesn't report V4L2_CAP_TIMEPERFRAME + fail: v4l2-test-formats.cpp(1241): node->has_frmintervals && !cap->capability + +Reviewed-by: Hans Verkuil +Signed-off-by: Ricardo Ribalda +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_v4l2.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index 6acb8013de08b..c9d208677bcd8 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -472,10 +472,13 @@ static int uvc_v4l2_set_streamparm(struct uvc_streaming *stream, + uvc_simplify_fraction(&timeperframe.numerator, + &timeperframe.denominator, 8, 333); + +- if (parm->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) ++ if (parm->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) { + parm->parm.capture.timeperframe = timeperframe; +- else ++ parm->parm.capture.capability = V4L2_CAP_TIMEPERFRAME; ++ } else { + parm->parm.output.timeperframe = timeperframe; ++ parm->parm.output.capability = V4L2_CAP_TIMEPERFRAME; ++ } + + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/media-uvcvideo-set-unique-vdev-name-based-in-type.patch b/queue-5.15/media-uvcvideo-set-unique-vdev-name-based-in-type.patch new file mode 100644 index 00000000000..1015b6972bb --- /dev/null +++ b/queue-5.15/media-uvcvideo-set-unique-vdev-name-based-in-type.patch @@ -0,0 +1,67 @@ +From 87495236def22c92f08548faf3a11553dd0a3ab7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 14:29:13 +0200 +Subject: media: uvcvideo: Set unique vdev name based in type + +From: Ricardo Ribalda + +[ Upstream commit e3f60e7e1a2b451f538f9926763432249bcf39c4 ] + +All the entities must have a unique name. We can have a descriptive and +unique name by appending the function and the entity->id. + +This is even resilent to multi chain devices. + +Fixes v4l2-compliance: +Media Controller ioctls: + fail: v4l2-test-media.cpp(205): v2_entity_names_set.find(key) != v2_entity_names_set.end() + test MEDIA_IOC_G_TOPOLOGY: FAIL + fail: v4l2-test-media.cpp(394): num_data_links != num_links + test MEDIA_IOC_ENUM_ENTITIES/LINKS: FAIL + +Signed-off-by: Ricardo Ribalda +Reviewed-by: Hans Verkuil +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_driver.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c +index 9a791d8ef200d..c4bc67024534a 100644 +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -2194,6 +2194,7 @@ int uvc_register_video_device(struct uvc_device *dev, + const struct v4l2_file_operations *fops, + const struct v4l2_ioctl_ops *ioctl_ops) + { ++ const char *name; + int ret; + + /* Initialize the video buffers queue. */ +@@ -2222,16 +2223,20 @@ int uvc_register_video_device(struct uvc_device *dev, + case V4L2_BUF_TYPE_VIDEO_CAPTURE: + default: + vdev->device_caps = V4L2_CAP_VIDEO_CAPTURE | V4L2_CAP_STREAMING; ++ name = "Video Capture"; + break; + case V4L2_BUF_TYPE_VIDEO_OUTPUT: + vdev->device_caps = V4L2_CAP_VIDEO_OUTPUT | V4L2_CAP_STREAMING; ++ name = "Video Output"; + break; + case V4L2_BUF_TYPE_META_CAPTURE: + vdev->device_caps = V4L2_CAP_META_CAPTURE | V4L2_CAP_STREAMING; ++ name = "Metadata"; + break; + } + +- strscpy(vdev->name, dev->name, sizeof(vdev->name)); ++ snprintf(vdev->name, sizeof(vdev->name), "%s %u", name, ++ stream->header.bTerminalLink); + + /* + * Set the driver data before calling video_register_device, otherwise +-- +2.33.0 + diff --git a/queue-5.15/media-v4l2-ioctl-s_ctrl-output-the-right-value.patch b/queue-5.15/media-v4l2-ioctl-s_ctrl-output-the-right-value.patch new file mode 100644 index 00000000000..0aebfcaab00 --- /dev/null +++ b/queue-5.15/media-v4l2-ioctl-s_ctrl-output-the-right-value.patch @@ -0,0 +1,61 @@ +From be483c8a897a998b6ea302d0d0bacdc925f5fad7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 14:29:06 +0200 +Subject: media: v4l2-ioctl: S_CTRL output the right value + +From: Ricardo Ribalda + +[ Upstream commit c87ed93574e3cd8346c05bd934c617596c12541b ] + +If the driver does not implement s_ctrl, but it does implement +s_ext_ctrls, we convert the call. + +When that happens we have also to convert back the response from +s_ext_ctrls. + +Fixes v4l2_compliance: +Control ioctls (Input 0): + fail: v4l2-test-controls.cpp(411): returned control value out of range + fail: v4l2-test-controls.cpp(507): invalid control 00980900 + test VIDIOC_G/S_CTRL: FAIL + +Fixes: 35ea11ff8471 ("V4L/DVB (8430): videodev: move some functions from v4l2-dev.h to v4l2-common.h or v4l2-ioctl.h") +Reviewed-by: Hans Verkuil +Signed-off-by: Ricardo Ribalda +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-ioctl.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c +index da5b4002a466a..f4f67b385d00a 100644 +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -2224,6 +2224,7 @@ static int v4l_s_ctrl(const struct v4l2_ioctl_ops *ops, + test_bit(V4L2_FL_USES_V4L2_FH, &vfd->flags) ? fh : NULL; + struct v4l2_ext_controls ctrls; + struct v4l2_ext_control ctrl; ++ int ret; + + if (vfh && vfh->ctrl_handler) + return v4l2_s_ctrl(vfh, vfh->ctrl_handler, p); +@@ -2239,9 +2240,11 @@ static int v4l_s_ctrl(const struct v4l2_ioctl_ops *ops, + ctrls.controls = &ctrl; + ctrl.id = p->id; + ctrl.value = p->value; +- if (check_ext_ctrls(&ctrls, VIDIOC_S_CTRL)) +- return ops->vidioc_s_ext_ctrls(file, fh, &ctrls); +- return -EINVAL; ++ if (!check_ext_ctrls(&ctrls, VIDIOC_S_CTRL)) ++ return -EINVAL; ++ ret = ops->vidioc_s_ext_ctrls(file, fh, &ctrls); ++ p->value = ctrl.value; ++ return ret; + } + + static int v4l_g_ext_ctrls(const struct v4l2_ioctl_ops *ops, +-- +2.33.0 + diff --git a/queue-5.15/media-venus-fix-vpp-frequency-calculation-for-decode.patch b/queue-5.15/media-venus-fix-vpp-frequency-calculation-for-decode.patch new file mode 100644 index 00000000000..b6d435bbb23 --- /dev/null +++ b/queue-5.15/media-venus-fix-vpp-frequency-calculation-for-decode.patch @@ -0,0 +1,51 @@ +From 6b444af5ef6e66c61f556128008d07557d483f1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 05:57:07 +0200 +Subject: media: venus: fix vpp frequency calculation for decoder + +From: Mansur Alisha Shaik + +[ Upstream commit 1444232152ea33f5ae41fc14bade3e74d642b634 ] + +In existing video driver implementation vpp frequency calculation in +calculate_inst_freq() is always zero because the value of vpp_freq_per_mb +is always zero for decoder. + +Fixed this by correcting the calculating the vpp frequency calculation for +decoder. + +Fixes: 3cfe5815ce0e ("media: venus: Enable low power setting for encoder") +Signed-off-by: Mansur Alisha Shaik +Signed-off-by: Stanimir Varbanov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/qcom/venus/pm_helpers.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c +index 3e2345eb47f7c..e031fd17f4e75 100644 +--- a/drivers/media/platform/qcom/venus/pm_helpers.c ++++ b/drivers/media/platform/qcom/venus/pm_helpers.c +@@ -1085,12 +1085,16 @@ static unsigned long calculate_inst_freq(struct venus_inst *inst, + if (inst->state != INST_START) + return 0; + +- if (inst->session_type == VIDC_SESSION_TYPE_ENC) ++ if (inst->session_type == VIDC_SESSION_TYPE_ENC) { + vpp_freq_per_mb = inst->flags & VENUS_LOW_POWER ? + inst->clk_data.low_power_freq : + inst->clk_data.vpp_freq; + +- vpp_freq = mbs_per_sec * vpp_freq_per_mb; ++ vpp_freq = mbs_per_sec * vpp_freq_per_mb; ++ } else { ++ vpp_freq = mbs_per_sec * inst->clk_data.vpp_freq; ++ } ++ + /* 21 / 20 is overhead factor */ + vpp_freq += vpp_freq / 20; + vsp_freq = mbs_per_sec * inst->clk_data.vsp_freq; +-- +2.33.0 + diff --git a/queue-5.15/media-videobuf2-rework-vb2_mem_ops-api.patch b/queue-5.15/media-videobuf2-rework-vb2_mem_ops-api.patch new file mode 100644 index 00000000000..a70f1ee03b3 --- /dev/null +++ b/queue-5.15/media-videobuf2-rework-vb2_mem_ops-api.patch @@ -0,0 +1,555 @@ +From be561259e10ec984c2bdb4527dcf1bd0543ff1c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 13:24:23 +0200 +Subject: media: videobuf2: rework vb2_mem_ops API + +From: Sergey Senozhatsky + +[ Upstream commit a4b83deb3e76fb9385ca58e2c072a145b3a320d6 ] + +With the new DMA API we need an extension of the videobuf2 API. +Previously, videobuf2 core would set the non-coherent DMA bit +in the vb2_queue dma_attr field (if user-space would pass a +corresponding memory hint); the vb2 core then would pass the +vb2_queue dma_attrs to the vb2 allocators. The vb2 allocator +would use the queue's dma_attr and the DMA API would allocate +either coherent or non-coherent memory. + +But we cannot do this anymore, since there is no corresponding DMA +attr flag and, hence, there is no way for the allocator to become +aware of what type of allocation user-space has requested. So we +need to pass more context from videobuf2 core to the allocators. + +Fix this by changing the call_ptr_memop() macro to pass the +vb2 pointer to the corresponding op callbacks. + +Signed-off-by: Sergey Senozhatsky +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../media/common/videobuf2/videobuf2-core.c | 42 +++++++++++-------- + .../common/videobuf2/videobuf2-dma-contig.c | 36 +++++++++------- + .../media/common/videobuf2/videobuf2-dma-sg.c | 33 ++++++++------- + .../common/videobuf2/videobuf2-vmalloc.c | 30 ++++++------- + include/media/videobuf2-core.h | 37 ++++++++-------- + 5 files changed, 98 insertions(+), 80 deletions(-) + +diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c +index 508ac295eb06e..033b0c83272fe 100644 +--- a/drivers/media/common/videobuf2/videobuf2-core.c ++++ b/drivers/media/common/videobuf2/videobuf2-core.c +@@ -68,13 +68,13 @@ module_param(debug, int, 0644); + err; \ + }) + +-#define call_ptr_memop(vb, op, args...) \ ++#define call_ptr_memop(op, vb, args...) \ + ({ \ + struct vb2_queue *_q = (vb)->vb2_queue; \ + void *ptr; \ + \ + log_memop(vb, op); \ +- ptr = _q->mem_ops->op ? _q->mem_ops->op(args) : NULL; \ ++ ptr = _q->mem_ops->op ? _q->mem_ops->op(vb, args) : NULL; \ + if (!IS_ERR_OR_NULL(ptr)) \ + (vb)->cnt_mem_ ## op++; \ + ptr; \ +@@ -144,9 +144,9 @@ module_param(debug, int, 0644); + ((vb)->vb2_queue->mem_ops->op ? \ + (vb)->vb2_queue->mem_ops->op(args) : 0) + +-#define call_ptr_memop(vb, op, args...) \ ++#define call_ptr_memop(op, vb, args...) \ + ((vb)->vb2_queue->mem_ops->op ? \ +- (vb)->vb2_queue->mem_ops->op(args) : NULL) ++ (vb)->vb2_queue->mem_ops->op(vb, args) : NULL) + + #define call_void_memop(vb, op, args...) \ + do { \ +@@ -230,9 +230,10 @@ static int __vb2_buf_mem_alloc(struct vb2_buffer *vb) + if (size < vb->planes[plane].length) + goto free; + +- mem_priv = call_ptr_memop(vb, alloc, +- q->alloc_devs[plane] ? : q->dev, +- q->dma_attrs, size, q->dma_dir, q->gfp_flags); ++ mem_priv = call_ptr_memop(alloc, ++ vb, ++ q->alloc_devs[plane] ? : q->dev, ++ size); + if (IS_ERR_OR_NULL(mem_priv)) { + if (mem_priv) + ret = PTR_ERR(mem_priv); +@@ -975,7 +976,7 @@ void *vb2_plane_vaddr(struct vb2_buffer *vb, unsigned int plane_no) + if (plane_no >= vb->num_planes || !vb->planes[plane_no].mem_priv) + return NULL; + +- return call_ptr_memop(vb, vaddr, vb->planes[plane_no].mem_priv); ++ return call_ptr_memop(vaddr, vb, vb->planes[plane_no].mem_priv); + + } + EXPORT_SYMBOL_GPL(vb2_plane_vaddr); +@@ -985,7 +986,7 @@ void *vb2_plane_cookie(struct vb2_buffer *vb, unsigned int plane_no) + if (plane_no >= vb->num_planes || !vb->planes[plane_no].mem_priv) + return NULL; + +- return call_ptr_memop(vb, cookie, vb->planes[plane_no].mem_priv); ++ return call_ptr_memop(cookie, vb, vb->planes[plane_no].mem_priv); + } + EXPORT_SYMBOL_GPL(vb2_plane_cookie); + +@@ -1125,10 +1126,11 @@ static int __prepare_userptr(struct vb2_buffer *vb) + vb->planes[plane].data_offset = 0; + + /* Acquire each plane's memory */ +- mem_priv = call_ptr_memop(vb, get_userptr, +- q->alloc_devs[plane] ? : q->dev, +- planes[plane].m.userptr, +- planes[plane].length, q->dma_dir); ++ mem_priv = call_ptr_memop(get_userptr, ++ vb, ++ q->alloc_devs[plane] ? : q->dev, ++ planes[plane].m.userptr, ++ planes[plane].length); + if (IS_ERR(mem_priv)) { + dprintk(q, 1, "failed acquiring userspace memory for plane %d\n", + plane); +@@ -1249,9 +1251,11 @@ static int __prepare_dmabuf(struct vb2_buffer *vb) + vb->planes[plane].data_offset = 0; + + /* Acquire each plane's memory */ +- mem_priv = call_ptr_memop(vb, attach_dmabuf, +- q->alloc_devs[plane] ? : q->dev, +- dbuf, planes[plane].length, q->dma_dir); ++ mem_priv = call_ptr_memop(attach_dmabuf, ++ vb, ++ q->alloc_devs[plane] ? : q->dev, ++ dbuf, ++ planes[plane].length); + if (IS_ERR(mem_priv)) { + dprintk(q, 1, "failed to attach dmabuf\n"); + ret = PTR_ERR(mem_priv); +@@ -2187,8 +2191,10 @@ int vb2_core_expbuf(struct vb2_queue *q, int *fd, unsigned int type, + + vb_plane = &vb->planes[plane]; + +- dbuf = call_ptr_memop(vb, get_dmabuf, vb_plane->mem_priv, +- flags & O_ACCMODE); ++ dbuf = call_ptr_memop(get_dmabuf, ++ vb, ++ vb_plane->mem_priv, ++ flags & O_ACCMODE); + if (IS_ERR_OR_NULL(dbuf)) { + dprintk(q, 1, "failed to export buffer %d, plane %d\n", + index, plane); +diff --git a/drivers/media/common/videobuf2/videobuf2-dma-contig.c b/drivers/media/common/videobuf2/videobuf2-dma-contig.c +index a7f61ba854405..019c3843dc6d5 100644 +--- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c ++++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c +@@ -40,6 +40,8 @@ struct vb2_dc_buf { + + /* DMABUF related */ + struct dma_buf_attachment *db_attach; ++ ++ struct vb2_buffer *vb; + }; + + /*********************************************/ +@@ -66,14 +68,14 @@ static unsigned long vb2_dc_get_contiguous_size(struct sg_table *sgt) + /* callbacks for all buffers */ + /*********************************************/ + +-static void *vb2_dc_cookie(void *buf_priv) ++static void *vb2_dc_cookie(struct vb2_buffer *vb, void *buf_priv) + { + struct vb2_dc_buf *buf = buf_priv; + + return &buf->dma_addr; + } + +-static void *vb2_dc_vaddr(void *buf_priv) ++static void *vb2_dc_vaddr(struct vb2_buffer *vb, void *buf_priv) + { + struct vb2_dc_buf *buf = buf_priv; + struct dma_buf_map map; +@@ -137,9 +139,9 @@ static void vb2_dc_put(void *buf_priv) + kfree(buf); + } + +-static void *vb2_dc_alloc(struct device *dev, unsigned long attrs, +- unsigned long size, enum dma_data_direction dma_dir, +- gfp_t gfp_flags) ++static void *vb2_dc_alloc(struct vb2_buffer *vb, ++ struct device *dev, ++ unsigned long size) + { + struct vb2_dc_buf *buf; + +@@ -150,9 +152,10 @@ static void *vb2_dc_alloc(struct device *dev, unsigned long attrs, + if (!buf) + return ERR_PTR(-ENOMEM); + +- buf->attrs = attrs; ++ buf->attrs = vb->vb2_queue->dma_attrs; + buf->cookie = dma_alloc_attrs(dev, size, &buf->dma_addr, +- GFP_KERNEL | gfp_flags, buf->attrs); ++ GFP_KERNEL | vb->vb2_queue->gfp_flags, ++ buf->attrs); + if (!buf->cookie) { + dev_err(dev, "dma_alloc_coherent of size %ld failed\n", size); + kfree(buf); +@@ -165,11 +168,12 @@ static void *vb2_dc_alloc(struct device *dev, unsigned long attrs, + /* Prevent the device from being released while the buffer is used */ + buf->dev = get_device(dev); + buf->size = size; +- buf->dma_dir = dma_dir; ++ buf->dma_dir = vb->vb2_queue->dma_dir; + + buf->handler.refcount = &buf->refcount; + buf->handler.put = vb2_dc_put; + buf->handler.arg = buf; ++ buf->vb = vb; + + refcount_set(&buf->refcount, 1); + +@@ -397,7 +401,9 @@ static struct sg_table *vb2_dc_get_base_sgt(struct vb2_dc_buf *buf) + return sgt; + } + +-static struct dma_buf *vb2_dc_get_dmabuf(void *buf_priv, unsigned long flags) ++static struct dma_buf *vb2_dc_get_dmabuf(struct vb2_buffer *vb, ++ void *buf_priv, ++ unsigned long flags) + { + struct vb2_dc_buf *buf = buf_priv; + struct dma_buf *dbuf; +@@ -459,8 +465,8 @@ static void vb2_dc_put_userptr(void *buf_priv) + kfree(buf); + } + +-static void *vb2_dc_get_userptr(struct device *dev, unsigned long vaddr, +- unsigned long size, enum dma_data_direction dma_dir) ++static void *vb2_dc_get_userptr(struct vb2_buffer *vb, struct device *dev, ++ unsigned long vaddr, unsigned long size) + { + struct vb2_dc_buf *buf; + struct frame_vector *vec; +@@ -490,7 +496,7 @@ static void *vb2_dc_get_userptr(struct device *dev, unsigned long vaddr, + return ERR_PTR(-ENOMEM); + + buf->dev = dev; +- buf->dma_dir = dma_dir; ++ buf->dma_dir = vb->vb2_queue->dma_dir; + + offset = lower_32_bits(offset_in_page(vaddr)); + vec = vb2_create_framevec(vaddr, size); +@@ -660,8 +666,8 @@ static void vb2_dc_detach_dmabuf(void *mem_priv) + kfree(buf); + } + +-static void *vb2_dc_attach_dmabuf(struct device *dev, struct dma_buf *dbuf, +- unsigned long size, enum dma_data_direction dma_dir) ++static void *vb2_dc_attach_dmabuf(struct vb2_buffer *vb, struct device *dev, ++ struct dma_buf *dbuf, unsigned long size) + { + struct vb2_dc_buf *buf; + struct dma_buf_attachment *dba; +@@ -685,7 +691,7 @@ static void *vb2_dc_attach_dmabuf(struct device *dev, struct dma_buf *dbuf, + return dba; + } + +- buf->dma_dir = dma_dir; ++ buf->dma_dir = vb->vb2_queue->dma_dir; + buf->size = size; + buf->db_attach = dba; + +diff --git a/drivers/media/common/videobuf2/videobuf2-dma-sg.c b/drivers/media/common/videobuf2/videobuf2-dma-sg.c +index c5b06a5095661..50265080cfc80 100644 +--- a/drivers/media/common/videobuf2/videobuf2-dma-sg.c ++++ b/drivers/media/common/videobuf2/videobuf2-dma-sg.c +@@ -51,6 +51,8 @@ struct vb2_dma_sg_buf { + struct vb2_vmarea_handler handler; + + struct dma_buf_attachment *db_attach; ++ ++ struct vb2_buffer *vb; + }; + + static void vb2_dma_sg_put(void *buf_priv); +@@ -96,9 +98,8 @@ static int vb2_dma_sg_alloc_compacted(struct vb2_dma_sg_buf *buf, + return 0; + } + +-static void *vb2_dma_sg_alloc(struct device *dev, unsigned long dma_attrs, +- unsigned long size, enum dma_data_direction dma_dir, +- gfp_t gfp_flags) ++static void *vb2_dma_sg_alloc(struct vb2_buffer *vb, struct device *dev, ++ unsigned long size) + { + struct vb2_dma_sg_buf *buf; + struct sg_table *sgt; +@@ -113,7 +114,7 @@ static void *vb2_dma_sg_alloc(struct device *dev, unsigned long dma_attrs, + return ERR_PTR(-ENOMEM); + + buf->vaddr = NULL; +- buf->dma_dir = dma_dir; ++ buf->dma_dir = vb->vb2_queue->dma_dir; + buf->offset = 0; + buf->size = size; + /* size is already page aligned */ +@@ -130,7 +131,7 @@ static void *vb2_dma_sg_alloc(struct device *dev, unsigned long dma_attrs, + if (!buf->pages) + goto fail_pages_array_alloc; + +- ret = vb2_dma_sg_alloc_compacted(buf, gfp_flags); ++ ret = vb2_dma_sg_alloc_compacted(buf, vb->vb2_queue->gfp_flags); + if (ret) + goto fail_pages_alloc; + +@@ -154,6 +155,7 @@ static void *vb2_dma_sg_alloc(struct device *dev, unsigned long dma_attrs, + buf->handler.refcount = &buf->refcount; + buf->handler.put = vb2_dma_sg_put; + buf->handler.arg = buf; ++ buf->vb = vb; + + refcount_set(&buf->refcount, 1); + +@@ -213,9 +215,8 @@ static void vb2_dma_sg_finish(void *buf_priv) + dma_sync_sgtable_for_cpu(buf->dev, sgt, buf->dma_dir); + } + +-static void *vb2_dma_sg_get_userptr(struct device *dev, unsigned long vaddr, +- unsigned long size, +- enum dma_data_direction dma_dir) ++static void *vb2_dma_sg_get_userptr(struct vb2_buffer *vb, struct device *dev, ++ unsigned long vaddr, unsigned long size) + { + struct vb2_dma_sg_buf *buf; + struct sg_table *sgt; +@@ -230,7 +231,7 @@ static void *vb2_dma_sg_get_userptr(struct device *dev, unsigned long vaddr, + + buf->vaddr = NULL; + buf->dev = dev; +- buf->dma_dir = dma_dir; ++ buf->dma_dir = vb->vb2_queue->dma_dir; + buf->offset = vaddr & ~PAGE_MASK; + buf->size = size; + buf->dma_sgt = &buf->sg_table; +@@ -292,7 +293,7 @@ static void vb2_dma_sg_put_userptr(void *buf_priv) + kfree(buf); + } + +-static void *vb2_dma_sg_vaddr(void *buf_priv) ++static void *vb2_dma_sg_vaddr(struct vb2_buffer *vb, void *buf_priv) + { + struct vb2_dma_sg_buf *buf = buf_priv; + struct dma_buf_map map; +@@ -511,7 +512,9 @@ static const struct dma_buf_ops vb2_dma_sg_dmabuf_ops = { + .release = vb2_dma_sg_dmabuf_ops_release, + }; + +-static struct dma_buf *vb2_dma_sg_get_dmabuf(void *buf_priv, unsigned long flags) ++static struct dma_buf *vb2_dma_sg_get_dmabuf(struct vb2_buffer *vb, ++ void *buf_priv, ++ unsigned long flags) + { + struct vb2_dma_sg_buf *buf = buf_priv; + struct dma_buf *dbuf; +@@ -605,8 +608,8 @@ static void vb2_dma_sg_detach_dmabuf(void *mem_priv) + kfree(buf); + } + +-static void *vb2_dma_sg_attach_dmabuf(struct device *dev, struct dma_buf *dbuf, +- unsigned long size, enum dma_data_direction dma_dir) ++static void *vb2_dma_sg_attach_dmabuf(struct vb2_buffer *vb, struct device *dev, ++ struct dma_buf *dbuf, unsigned long size) + { + struct vb2_dma_sg_buf *buf; + struct dma_buf_attachment *dba; +@@ -630,14 +633,14 @@ static void *vb2_dma_sg_attach_dmabuf(struct device *dev, struct dma_buf *dbuf, + return dba; + } + +- buf->dma_dir = dma_dir; ++ buf->dma_dir = vb->vb2_queue->dma_dir; + buf->size = size; + buf->db_attach = dba; + + return buf; + } + +-static void *vb2_dma_sg_cookie(void *buf_priv) ++static void *vb2_dma_sg_cookie(struct vb2_buffer *vb, void *buf_priv) + { + struct vb2_dma_sg_buf *buf = buf_priv; + +diff --git a/drivers/media/common/videobuf2/videobuf2-vmalloc.c b/drivers/media/common/videobuf2/videobuf2-vmalloc.c +index 83f95258ec8c6..ef36abd912dcc 100644 +--- a/drivers/media/common/videobuf2/videobuf2-vmalloc.c ++++ b/drivers/media/common/videobuf2/videobuf2-vmalloc.c +@@ -34,13 +34,12 @@ struct vb2_vmalloc_buf { + + static void vb2_vmalloc_put(void *buf_priv); + +-static void *vb2_vmalloc_alloc(struct device *dev, unsigned long attrs, +- unsigned long size, enum dma_data_direction dma_dir, +- gfp_t gfp_flags) ++static void *vb2_vmalloc_alloc(struct vb2_buffer *vb, struct device *dev, ++ unsigned long size) + { + struct vb2_vmalloc_buf *buf; + +- buf = kzalloc(sizeof(*buf), GFP_KERNEL | gfp_flags); ++ buf = kzalloc(sizeof(*buf), GFP_KERNEL | vb->vb2_queue->gfp_flags); + if (!buf) + return ERR_PTR(-ENOMEM); + +@@ -52,7 +51,7 @@ static void *vb2_vmalloc_alloc(struct device *dev, unsigned long attrs, + return ERR_PTR(-ENOMEM); + } + +- buf->dma_dir = dma_dir; ++ buf->dma_dir = vb->vb2_queue->dma_dir; + buf->handler.refcount = &buf->refcount; + buf->handler.put = vb2_vmalloc_put; + buf->handler.arg = buf; +@@ -71,9 +70,8 @@ static void vb2_vmalloc_put(void *buf_priv) + } + } + +-static void *vb2_vmalloc_get_userptr(struct device *dev, unsigned long vaddr, +- unsigned long size, +- enum dma_data_direction dma_dir) ++static void *vb2_vmalloc_get_userptr(struct vb2_buffer *vb, struct device *dev, ++ unsigned long vaddr, unsigned long size) + { + struct vb2_vmalloc_buf *buf; + struct frame_vector *vec; +@@ -84,7 +82,7 @@ static void *vb2_vmalloc_get_userptr(struct device *dev, unsigned long vaddr, + if (!buf) + return ERR_PTR(-ENOMEM); + +- buf->dma_dir = dma_dir; ++ buf->dma_dir = vb->vb2_queue->dma_dir; + offset = vaddr & ~PAGE_MASK; + buf->size = size; + vec = vb2_create_framevec(vaddr, size); +@@ -147,7 +145,7 @@ static void vb2_vmalloc_put_userptr(void *buf_priv) + kfree(buf); + } + +-static void *vb2_vmalloc_vaddr(void *buf_priv) ++static void *vb2_vmalloc_vaddr(struct vb2_buffer *vb, void *buf_priv) + { + struct vb2_vmalloc_buf *buf = buf_priv; + +@@ -339,7 +337,9 @@ static const struct dma_buf_ops vb2_vmalloc_dmabuf_ops = { + .release = vb2_vmalloc_dmabuf_ops_release, + }; + +-static struct dma_buf *vb2_vmalloc_get_dmabuf(void *buf_priv, unsigned long flags) ++static struct dma_buf *vb2_vmalloc_get_dmabuf(struct vb2_buffer *vb, ++ void *buf_priv, ++ unsigned long flags) + { + struct vb2_vmalloc_buf *buf = buf_priv; + struct dma_buf *dbuf; +@@ -403,8 +403,10 @@ static void vb2_vmalloc_detach_dmabuf(void *mem_priv) + kfree(buf); + } + +-static void *vb2_vmalloc_attach_dmabuf(struct device *dev, struct dma_buf *dbuf, +- unsigned long size, enum dma_data_direction dma_dir) ++static void *vb2_vmalloc_attach_dmabuf(struct vb2_buffer *vb, ++ struct device *dev, ++ struct dma_buf *dbuf, ++ unsigned long size) + { + struct vb2_vmalloc_buf *buf; + +@@ -416,7 +418,7 @@ static void *vb2_vmalloc_attach_dmabuf(struct device *dev, struct dma_buf *dbuf, + return ERR_PTR(-ENOMEM); + + buf->dbuf = dbuf; +- buf->dma_dir = dma_dir; ++ buf->dma_dir = vb->vb2_queue->dma_dir; + buf->size = size; + + return buf; +diff --git a/include/media/videobuf2-core.h b/include/media/videobuf2-core.h +index 12955cb460d23..3b5986cee0739 100644 +--- a/include/media/videobuf2-core.h ++++ b/include/media/videobuf2-core.h +@@ -46,6 +46,7 @@ enum vb2_memory { + + struct vb2_fileio_data; + struct vb2_threadio_data; ++struct vb2_buffer; + + /** + * struct vb2_mem_ops - memory handling/memory allocator operations. +@@ -53,10 +54,8 @@ struct vb2_threadio_data; + * return ERR_PTR() on failure or a pointer to allocator private, + * per-buffer data on success; the returned private structure + * will then be passed as @buf_priv argument to other ops in this +- * structure. Additional gfp_flags to use when allocating the +- * are also passed to this operation. These flags are from the +- * gfp_flags field of vb2_queue. The size argument to this function +- * shall be *page aligned*. ++ * structure. The size argument to this function shall be ++ * *page aligned*. + * @put: inform the allocator that the buffer will no longer be used; + * usually will result in the allocator freeing the buffer (if + * no other users of this buffer are present); the @buf_priv +@@ -117,31 +116,33 @@ struct vb2_threadio_data; + * map_dmabuf, unmap_dmabuf. + */ + struct vb2_mem_ops { +- void *(*alloc)(struct device *dev, unsigned long attrs, +- unsigned long size, +- enum dma_data_direction dma_dir, +- gfp_t gfp_flags); ++ void *(*alloc)(struct vb2_buffer *vb, ++ struct device *dev, ++ unsigned long size); + void (*put)(void *buf_priv); +- struct dma_buf *(*get_dmabuf)(void *buf_priv, unsigned long flags); +- +- void *(*get_userptr)(struct device *dev, unsigned long vaddr, +- unsigned long size, +- enum dma_data_direction dma_dir); ++ struct dma_buf *(*get_dmabuf)(struct vb2_buffer *vb, ++ void *buf_priv, ++ unsigned long flags); ++ ++ void *(*get_userptr)(struct vb2_buffer *vb, ++ struct device *dev, ++ unsigned long vaddr, ++ unsigned long size); + void (*put_userptr)(void *buf_priv); + + void (*prepare)(void *buf_priv); + void (*finish)(void *buf_priv); + +- void *(*attach_dmabuf)(struct device *dev, ++ void *(*attach_dmabuf)(struct vb2_buffer *vb, ++ struct device *dev, + struct dma_buf *dbuf, +- unsigned long size, +- enum dma_data_direction dma_dir); ++ unsigned long size); + void (*detach_dmabuf)(void *buf_priv); + int (*map_dmabuf)(void *buf_priv); + void (*unmap_dmabuf)(void *buf_priv); + +- void *(*vaddr)(void *buf_priv); +- void *(*cookie)(void *buf_priv); ++ void *(*vaddr)(struct vb2_buffer *vb, void *buf_priv); ++ void *(*cookie)(struct vb2_buffer *vb, void *buf_priv); + + unsigned int (*num_users)(void *buf_priv); + +-- +2.33.0 + diff --git a/queue-5.15/media-vidtv-fix-memory-leak-in-remove.patch b/queue-5.15/media-vidtv-fix-memory-leak-in-remove.patch new file mode 100644 index 00000000000..880cf4c22b9 --- /dev/null +++ b/queue-5.15/media-vidtv-fix-memory-leak-in-remove.patch @@ -0,0 +1,37 @@ +From ebdd490d6610a517ab8a60054740d41937f04e1b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 11:26:24 +0200 +Subject: media: vidtv: Fix memory leak in remove + +From: Evgeny Novikov + +[ Upstream commit 76e21bb8be4f5f987f3006d197196fe6af63f656 ] + +vidtv_bridge_remove() releases and cleans up everything except for dvb +itself. The patch adds this missed release. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Evgeny Novikov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/test-drivers/vidtv/vidtv_bridge.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c +index 75617709c8ce2..0f6d998d18dc0 100644 +--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c ++++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c +@@ -557,6 +557,7 @@ static int vidtv_bridge_remove(struct platform_device *pdev) + dvb_dmxdev_release(&dvb->dmx_dev); + dvb_dmx_release(&dvb->demux); + dvb_unregister_adapter(&dvb->adapter); ++ kfree(dvb); + dev_info(&pdev->dev, "Successfully removed vidtv\n"); + + return 0; +-- +2.33.0 + diff --git a/queue-5.15/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch b/queue-5.15/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch new file mode 100644 index 00000000000..756b1183c13 --- /dev/null +++ b/queue-5.15/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch @@ -0,0 +1,73 @@ +From 2096b4395debaa7a23baa57182079e87a42cd92c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Sep 2021 23:14:32 +0800 +Subject: memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe + +From: Dongliang Mu + +[ Upstream commit 4ed2f3545c2e5acfbccd7f85fea5b1a82e9862d7 ] + +The error handling code of fsl_ifc_ctrl_probe is problematic. When +fsl_ifc_ctrl_init fails or request_irq of fsl_ifc_ctrl_dev->irq fails, +it forgets to free the irq and nand_irq. Meanwhile, if request_irq of +fsl_ifc_ctrl_dev->nand_irq fails, it will still free nand_irq even if +the request_irq is not successful. + +Fix this by refactoring the error handling code. + +Fixes: d2ae2e20fbdd ("driver/memory:Move Freescale IFC driver to a common driver") +Signed-off-by: Dongliang Mu +Link: https://lore.kernel.org/r/20210925151434.8170-1-mudongliangabcd@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/fsl_ifc.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c +index d062c2f8250f4..75a8c38df9394 100644 +--- a/drivers/memory/fsl_ifc.c ++++ b/drivers/memory/fsl_ifc.c +@@ -263,7 +263,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) + + ret = fsl_ifc_ctrl_init(fsl_ifc_ctrl_dev); + if (ret < 0) +- goto err; ++ goto err_unmap_nandirq; + + init_waitqueue_head(&fsl_ifc_ctrl_dev->nand_wait); + +@@ -272,7 +272,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) + if (ret != 0) { + dev_err(&dev->dev, "failed to install irq (%d)\n", + fsl_ifc_ctrl_dev->irq); +- goto err_irq; ++ goto err_unmap_nandirq; + } + + if (fsl_ifc_ctrl_dev->nand_irq) { +@@ -281,17 +281,16 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) + if (ret != 0) { + dev_err(&dev->dev, "failed to install irq (%d)\n", + fsl_ifc_ctrl_dev->nand_irq); +- goto err_nandirq; ++ goto err_free_irq; + } + } + + return 0; + +-err_nandirq: +- free_irq(fsl_ifc_ctrl_dev->nand_irq, fsl_ifc_ctrl_dev); +- irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq); +-err_irq: ++err_free_irq: + free_irq(fsl_ifc_ctrl_dev->irq, fsl_ifc_ctrl_dev); ++err_unmap_nandirq: ++ irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq); + irq_dispose_mapping(fsl_ifc_ctrl_dev->irq); + err: + iounmap(fsl_ifc_ctrl_dev->gregs); +-- +2.33.0 + diff --git a/queue-5.15/memstick-avoid-out-of-range-warning.patch b/queue-5.15/memstick-avoid-out-of-range-warning.patch new file mode 100644 index 00000000000..b713010b5cf --- /dev/null +++ b/queue-5.15/memstick-avoid-out-of-range-warning.patch @@ -0,0 +1,44 @@ +From ed071872e392be80a6af05d5f96ab532b0e321dc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 11:44:47 +0200 +Subject: memstick: avoid out-of-range warning + +From: Arnd Bergmann + +[ Upstream commit 4853396f03c3019eccf5cd113e464231e9ddf0b3 ] + +clang-14 complains about a sanity check that always passes when the +page size is 64KB or larger: + +drivers/memstick/core/ms_block.c:1739:21: error: result of comparison of constant 65536 with expression of type 'unsigned short' is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (msb->page_size > PAGE_SIZE) { + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~ + +This is fine, it will still work on all architectures, so just shut +up that warning with a cast. + +Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20210927094520.696665-1-arnd@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/core/ms_block.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c +index acf36676e388d..487e4cc2951e0 100644 +--- a/drivers/memstick/core/ms_block.c ++++ b/drivers/memstick/core/ms_block.c +@@ -1736,7 +1736,7 @@ static int msb_init_card(struct memstick_dev *card) + msb->pages_in_block = boot_block->attr.block_size * 2; + msb->block_size = msb->page_size * msb->pages_in_block; + +- if (msb->page_size > PAGE_SIZE) { ++ if ((size_t)msb->page_size > PAGE_SIZE) { + /* this isn't supported by linux at all, anyway*/ + dbg("device page %d size isn't supported", msb->page_size); + return -EINVAL; +-- +2.33.0 + diff --git a/queue-5.15/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch b/queue-5.15/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch new file mode 100644 index 00000000000..42684a3f814 --- /dev/null +++ b/queue-5.15/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch @@ -0,0 +1,40 @@ +From 47efabc66fe2e51974d1feed8cc107c12c44c811 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 15:39:12 +0300 +Subject: memstick: jmb38x_ms: use appropriate free function in + jmb38x_ms_alloc_host() + +From: Dan Carpenter + +[ Upstream commit beae4a6258e64af609ad5995cc6b6056eb0d898e ] + +The "msh" pointer is device managed, meaning that memstick_alloc_host() +calls device_initialize() on it. That means that it can't be free +using kfree() but must instead be freed with memstick_free_host(). +Otherwise it leads to a tiny memory leak of device resources. + +Fixes: 60fdd931d577 ("memstick: add support for JMicron jmb38x MemoryStick host controller") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211011123912.GD15188@kili +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/host/jmb38x_ms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/memstick/host/jmb38x_ms.c b/drivers/memstick/host/jmb38x_ms.c +index f9a93b0565e15..435d4c058b20e 100644 +--- a/drivers/memstick/host/jmb38x_ms.c ++++ b/drivers/memstick/host/jmb38x_ms.c +@@ -882,7 +882,7 @@ static struct memstick_host *jmb38x_ms_alloc_host(struct jmb38x_ms *jm, int cnt) + + iounmap(host->addr); + err_out_free: +- kfree(msh); ++ memstick_free_host(msh); + return NULL; + } + +-- +2.33.0 + diff --git a/queue-5.15/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch b/queue-5.15/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch new file mode 100644 index 00000000000..b889e5a1dfd --- /dev/null +++ b/queue-5.15/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch @@ -0,0 +1,80 @@ +From 70f2ca7e015b20f3113091d2d6f162363ef74155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 11:26:21 +0000 +Subject: memstick: r592: Fix a UAF bug when removing the driver + +From: Zheyu Ma + +[ Upstream commit 738216c1953e802aa9f930c5d15b8f9092c847ff ] + +In r592_remove(), the driver will free dma after freeing the host, which +may cause a UAF bug. + +The following log reveals it: + +[ 45.361796 ] BUG: KASAN: use-after-free in r592_remove+0x269/0x350 [r592] +[ 45.364286 ] Call Trace: +[ 45.364472 ] dump_stack_lvl+0xa8/0xd1 +[ 45.364751 ] print_address_description+0x87/0x3b0 +[ 45.365137 ] kasan_report+0x172/0x1c0 +[ 45.365415 ] ? r592_remove+0x269/0x350 [r592] +[ 45.365834 ] ? r592_remove+0x269/0x350 [r592] +[ 45.366168 ] __asan_report_load8_noabort+0x14/0x20 +[ 45.366531 ] r592_remove+0x269/0x350 [r592] +[ 45.378785 ] +[ 45.378903 ] Allocated by task 4674: +[ 45.379162 ] ____kasan_kmalloc+0xb5/0xe0 +[ 45.379455 ] __kasan_kmalloc+0x9/0x10 +[ 45.379730 ] __kmalloc+0x150/0x280 +[ 45.379984 ] memstick_alloc_host+0x2a/0x190 +[ 45.380664 ] +[ 45.380781 ] Freed by task 5509: +[ 45.381014 ] kasan_set_track+0x3d/0x70 +[ 45.381293 ] kasan_set_free_info+0x23/0x40 +[ 45.381635 ] ____kasan_slab_free+0x10b/0x140 +[ 45.381950 ] __kasan_slab_free+0x11/0x20 +[ 45.382241 ] slab_free_freelist_hook+0x81/0x150 +[ 45.382575 ] kfree+0x13e/0x290 +[ 45.382805 ] memstick_free+0x1c/0x20 +[ 45.383070 ] device_release+0x9c/0x1d0 +[ 45.383349 ] kobject_put+0x2ef/0x4c0 +[ 45.383616 ] put_device+0x1f/0x30 +[ 45.383865 ] memstick_free_host+0x24/0x30 +[ 45.384162 ] r592_remove+0x242/0x350 [r592] +[ 45.384473 ] pci_device_remove+0xa9/0x250 + +Signed-off-by: Zheyu Ma +Link: https://lore.kernel.org/r/1634383581-11055-1-git-send-email-zheyuma97@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/host/r592.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c +index e79a0218c492e..1d35d147552d4 100644 +--- a/drivers/memstick/host/r592.c ++++ b/drivers/memstick/host/r592.c +@@ -838,15 +838,15 @@ static void r592_remove(struct pci_dev *pdev) + } + memstick_remove_host(dev->host); + ++ if (dev->dummy_dma_page) ++ dma_free_coherent(&pdev->dev, PAGE_SIZE, dev->dummy_dma_page, ++ dev->dummy_dma_page_physical_address); ++ + free_irq(dev->irq, dev); + iounmap(dev->mmio); + pci_release_regions(pdev); + pci_disable_device(pdev); + memstick_free_host(dev->host); +- +- if (dev->dummy_dma_page) +- dma_free_coherent(&pdev->dev, PAGE_SIZE, dev->dummy_dma_page, +- dev->dummy_dma_page_physical_address); + } + + #ifdef CONFIG_PM_SLEEP +-- +2.33.0 + diff --git a/queue-5.15/mfd-altera-sysmgr-fix-a-mistake-caused-by-resource_s.patch b/queue-5.15/mfd-altera-sysmgr-fix-a-mistake-caused-by-resource_s.patch new file mode 100644 index 00000000000..d146b8539c1 --- /dev/null +++ b/queue-5.15/mfd-altera-sysmgr-fix-a-mistake-caused-by-resource_s.patch @@ -0,0 +1,42 @@ +From f2eababb31e396fa723e1bf362abe739a496bc5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 22:19:26 +0800 +Subject: mfd: altera-sysmgr: Fix a mistake caused by resource_size conversion + +From: Kai Song + +[ Upstream commit fae2570d629cdd72f0611d015fc4ba705ae5422b ] + +The resource_size defines that: + res->end - res->start + 1; +The origin original code is: + sysmgr_config.max_register = res->end - res->start - 3; + +So, the correct fix is that: + sysmgr_config.max_register = resource_size(res) - 4; + +Fixes: d12edf9661a4 ("mfd: altera-sysmgr: Use resource_size function on resource object") +Signed-off-by: Kai Song +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211006141926.6120-1-songkai01@inspur.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/altera-sysmgr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/altera-sysmgr.c b/drivers/mfd/altera-sysmgr.c +index 20cb294c75122..5d3715a28b28e 100644 +--- a/drivers/mfd/altera-sysmgr.c ++++ b/drivers/mfd/altera-sysmgr.c +@@ -153,7 +153,7 @@ static int sysmgr_probe(struct platform_device *pdev) + if (!base) + return -ENOMEM; + +- sysmgr_config.max_register = resource_size(res) - 3; ++ sysmgr_config.max_register = resource_size(res) - 4; + regmap = devm_regmap_init_mmio(dev, base, &sysmgr_config); + } + +-- +2.33.0 + diff --git a/queue-5.15/mfd-core-add-missing-of_node_put-for-loop-iteration.patch b/queue-5.15/mfd-core-add-missing-of_node_put-for-loop-iteration.patch new file mode 100644 index 00000000000..583ef6afe33 --- /dev/null +++ b/queue-5.15/mfd-core-add-missing-of_node_put-for-loop-iteration.patch @@ -0,0 +1,47 @@ +From e96fde1aa5d7dc636c35a0bf3414f5836428af4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 07:51:26 -0400 +Subject: mfd: core: Add missing of_node_put for loop iteration + +From: Krzysztof Kozlowski + +[ Upstream commit 002be81140075e17a1ebd5c3c55e356fbab0ddad ] + +Early exits from for_each_child_of_node() should decrement the +node reference counter. Reported by Coccinelle: + + drivers/mfd/mfd-core.c:197:2-24: WARNING: + Function "for_each_child_of_node" should have of_node_put() before goto around lines 209. + +Fixes: c94bb233a9fe ("mfd: Make MFD core code Device Tree and IRQ domain aware") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20210528115126.18370-1-krzysztof.kozlowski@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/mfd-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c +index 79f5c6a18815a..684a011a63968 100644 +--- a/drivers/mfd/mfd-core.c ++++ b/drivers/mfd/mfd-core.c +@@ -198,6 +198,7 @@ static int mfd_add_device(struct device *parent, int id, + if (of_device_is_compatible(np, cell->of_compatible)) { + /* Ignore 'disabled' devices error free */ + if (!of_device_is_available(np)) { ++ of_node_put(np); + ret = 0; + goto fail_alias; + } +@@ -205,6 +206,7 @@ static int mfd_add_device(struct device *parent, int id, + ret = mfd_match_of_node_to_dev(pdev, np, cell); + if (ret == -EAGAIN) + continue; ++ of_node_put(np); + if (ret) + goto fail_alias; + +-- +2.33.0 + diff --git a/queue-5.15/mfd-cpcap-add-spi-device-id-table.patch b/queue-5.15/mfd-cpcap-add-spi-device-id-table.patch new file mode 100644 index 00000000000..fb6c4c5e20f --- /dev/null +++ b/queue-5.15/mfd-cpcap-add-spi-device-id-table.patch @@ -0,0 +1,52 @@ +From 6bacd862c9523e3511103da1108ee78cd0d59e79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 15:33:46 +0100 +Subject: mfd: cpcap: Add SPI device ID table + +From: Mark Brown + +[ Upstream commit d5fa8592b773f4da2b04e7333cd37efec5e4ca43 ] + +Currently autoloading for SPI devices does not use the DT ID table, it uses +SPI modalises. Supporting OF modalises is going to be difficult if not +impractical, an attempt was made but has been reverted, so ensure that +module autoloading works for this driver by adding a SPI device ID table. + +Fixes: 96c8395e2166 ("spi: Revert modalias changes") +Signed-off-by: Mark Brown +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20210924143347.14721-3-broonie@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/mfd/motorola-cpcap.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/mfd/motorola-cpcap.c b/drivers/mfd/motorola-cpcap.c +index 6fb206da27298..265464b5d7cc5 100644 +--- a/drivers/mfd/motorola-cpcap.c ++++ b/drivers/mfd/motorola-cpcap.c +@@ -202,6 +202,13 @@ static const struct of_device_id cpcap_of_match[] = { + }; + MODULE_DEVICE_TABLE(of, cpcap_of_match); + ++static const struct spi_device_id cpcap_spi_ids[] = { ++ { .name = "cpcap", }, ++ { .name = "6556002", }, ++ {}, ++}; ++MODULE_DEVICE_TABLE(spi, cpcap_spi_ids); ++ + static const struct regmap_config cpcap_regmap_config = { + .reg_bits = 16, + .reg_stride = 4, +@@ -342,6 +349,7 @@ static struct spi_driver cpcap_driver = { + .pm = &cpcap_pm, + }, + .probe = cpcap_probe, ++ .id_table = cpcap_spi_ids, + }; + module_spi_driver(cpcap_driver); + +-- +2.33.0 + diff --git a/queue-5.15/mfd-sprd-add-spi-device-id-table.patch b/queue-5.15/mfd-sprd-add-spi-device-id-table.patch new file mode 100644 index 00000000000..05071c3cb26 --- /dev/null +++ b/queue-5.15/mfd-sprd-add-spi-device-id-table.patch @@ -0,0 +1,52 @@ +From 11ab7283cc7c8c36acb4884b6b33b18b3411bb7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 15:33:47 +0100 +Subject: mfd: sprd: Add SPI device ID table + +From: Mark Brown + +[ Upstream commit c5c7f0677107052060037583b9c8c15d818afb04 ] + +Currently autoloading for SPI devices does not use the DT ID table, it uses +SPI modalises. Supporting OF modalises is going to be difficult if not +impractical, an attempt was made but has been reverted, so ensure that +module autoloading works for this driver by adding a SPI device ID table. + +Fixes: 96c8395e2166 ("spi: Revert modalias changes") +Signed-off-by: Mark Brown +Reviewed-by: Baolin Wang +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20210924143347.14721-4-broonie@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/mfd/sprd-sc27xx-spi.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/mfd/sprd-sc27xx-spi.c b/drivers/mfd/sprd-sc27xx-spi.c +index 6b7956604a0f0..9890882db1ed3 100644 +--- a/drivers/mfd/sprd-sc27xx-spi.c ++++ b/drivers/mfd/sprd-sc27xx-spi.c +@@ -236,6 +236,12 @@ static const struct of_device_id sprd_pmic_match[] = { + }; + MODULE_DEVICE_TABLE(of, sprd_pmic_match); + ++static const struct spi_device_id sprd_pmic_spi_ids[] = { ++ { .name = "sc2731", .driver_data = (unsigned long)&sc2731_data }, ++ {}, ++}; ++MODULE_DEVICE_TABLE(spi, sprd_pmic_spi_ids); ++ + static struct spi_driver sprd_pmic_driver = { + .driver = { + .name = "sc27xx-pmic", +@@ -243,6 +249,7 @@ static struct spi_driver sprd_pmic_driver = { + .pm = &sprd_pmic_pm_ops, + }, + .probe = sprd_pmic_probe, ++ .id_table = sprd_pmic_spi_ids, + }; + + static int __init sprd_pmic_init(void) +-- +2.33.0 + diff --git a/queue-5.15/mips-cm-convert-to-bitfield-api-to-fix-out-of-bounds.patch b/queue-5.15/mips-cm-convert-to-bitfield-api-to-fix-out-of-bounds.patch new file mode 100644 index 00000000000..6d568f1c343 --- /dev/null +++ b/queue-5.15/mips-cm-convert-to-bitfield-api-to-fix-out-of-bounds.patch @@ -0,0 +1,142 @@ +From 023394b6e60f43ff8678dce8ea4f7c88a8a2427c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 11:58:16 +0200 +Subject: mips: cm: Convert to bitfield API to fix out-of-bounds access + +From: Geert Uytterhoeven + +[ Upstream commit 18b8f5b6fc53d097cadb94a93d8d6566ba88e389 ] + +mips_cm_error_report() extracts the cause and other cause from the error +register using shifts. This works fine for the former, as it is stored +in the top bits, and the shift will thus remove all non-related bits. +However, the latter is stored in the bottom bits, hence thus needs masking +to get rid of non-related bits. Without such masking, using it as an +index into the cm2_causes[] array will lead to an out-of-bounds access, +probably causing a crash. + +Fix this by using FIELD_GET() instead. Bite the bullet and convert all +MIPS CM handling to the bitfield API, to improve readability and safety. + +Fixes: 3885c2b463f6a236 ("MIPS: CM: Add support for reporting CM cache errors") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Jiaxun Yang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mips-cm.h | 12 ++++++------ + arch/mips/kernel/mips-cm.c | 21 ++++++++++----------- + 2 files changed, 16 insertions(+), 17 deletions(-) + +diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h +index aeae2effa123d..23c67c0871b17 100644 +--- a/arch/mips/include/asm/mips-cm.h ++++ b/arch/mips/include/asm/mips-cm.h +@@ -11,6 +11,7 @@ + #ifndef __MIPS_ASM_MIPS_CM_H__ + #define __MIPS_ASM_MIPS_CM_H__ + ++#include + #include + #include + +@@ -153,8 +154,8 @@ GCR_ACCESSOR_RO(32, 0x030, rev) + #define CM_GCR_REV_MINOR GENMASK(7, 0) + + #define CM_ENCODE_REV(major, minor) \ +- (((major) << __ffs(CM_GCR_REV_MAJOR)) | \ +- ((minor) << __ffs(CM_GCR_REV_MINOR))) ++ (FIELD_PREP(CM_GCR_REV_MAJOR, major) | \ ++ FIELD_PREP(CM_GCR_REV_MINOR, minor)) + + #define CM_REV_CM2 CM_ENCODE_REV(6, 0) + #define CM_REV_CM2_5 CM_ENCODE_REV(7, 0) +@@ -362,10 +363,10 @@ static inline int mips_cm_revision(void) + static inline unsigned int mips_cm_max_vp_width(void) + { + extern int smp_num_siblings; +- uint32_t cfg; + + if (mips_cm_revision() >= CM_REV_CM3) +- return read_gcr_sys_config2() & CM_GCR_SYS_CONFIG2_MAXVPW; ++ return FIELD_GET(CM_GCR_SYS_CONFIG2_MAXVPW, ++ read_gcr_sys_config2()); + + if (mips_cm_present()) { + /* +@@ -373,8 +374,7 @@ static inline unsigned int mips_cm_max_vp_width(void) + * number of VP(E)s, and if that ever changes then this will + * need revisiting. + */ +- cfg = read_gcr_cl_config() & CM_GCR_Cx_CONFIG_PVPE; +- return (cfg >> __ffs(CM_GCR_Cx_CONFIG_PVPE)) + 1; ++ return FIELD_GET(CM_GCR_Cx_CONFIG_PVPE, read_gcr_cl_config()) + 1; + } + + if (IS_ENABLED(CONFIG_SMP)) +diff --git a/arch/mips/kernel/mips-cm.c b/arch/mips/kernel/mips-cm.c +index 90f1c3df1f0e4..b4f7d950c8468 100644 +--- a/arch/mips/kernel/mips-cm.c ++++ b/arch/mips/kernel/mips-cm.c +@@ -221,8 +221,7 @@ static void mips_cm_probe_l2sync(void) + phys_addr_t addr; + + /* L2-only sync was introduced with CM major revision 6 */ +- major_rev = (read_gcr_rev() & CM_GCR_REV_MAJOR) >> +- __ffs(CM_GCR_REV_MAJOR); ++ major_rev = FIELD_GET(CM_GCR_REV_MAJOR, read_gcr_rev()); + if (major_rev < 6) + return; + +@@ -306,13 +305,13 @@ void mips_cm_lock_other(unsigned int cluster, unsigned int core, + preempt_disable(); + + if (cm_rev >= CM_REV_CM3) { +- val = core << __ffs(CM3_GCR_Cx_OTHER_CORE); +- val |= vp << __ffs(CM3_GCR_Cx_OTHER_VP); ++ val = FIELD_PREP(CM3_GCR_Cx_OTHER_CORE, core) | ++ FIELD_PREP(CM3_GCR_Cx_OTHER_VP, vp); + + if (cm_rev >= CM_REV_CM3_5) { + val |= CM_GCR_Cx_OTHER_CLUSTER_EN; +- val |= cluster << __ffs(CM_GCR_Cx_OTHER_CLUSTER); +- val |= block << __ffs(CM_GCR_Cx_OTHER_BLOCK); ++ val |= FIELD_PREP(CM_GCR_Cx_OTHER_CLUSTER, cluster); ++ val |= FIELD_PREP(CM_GCR_Cx_OTHER_BLOCK, block); + } else { + WARN_ON(cluster != 0); + WARN_ON(block != CM_GCR_Cx_OTHER_BLOCK_LOCAL); +@@ -342,7 +341,7 @@ void mips_cm_lock_other(unsigned int cluster, unsigned int core, + spin_lock_irqsave(&per_cpu(cm_core_lock, curr_core), + per_cpu(cm_core_lock_flags, curr_core)); + +- val = core << __ffs(CM_GCR_Cx_OTHER_CORENUM); ++ val = FIELD_PREP(CM_GCR_Cx_OTHER_CORENUM, core); + } + + write_gcr_cl_other(val); +@@ -386,8 +385,8 @@ void mips_cm_error_report(void) + cm_other = read_gcr_error_mult(); + + if (revision < CM_REV_CM3) { /* CM2 */ +- cause = cm_error >> __ffs(CM_GCR_ERROR_CAUSE_ERRTYPE); +- ocause = cm_other >> __ffs(CM_GCR_ERROR_MULT_ERR2ND); ++ cause = FIELD_GET(CM_GCR_ERROR_CAUSE_ERRTYPE, cm_error); ++ ocause = FIELD_GET(CM_GCR_ERROR_MULT_ERR2ND, cm_other); + + if (!cause) + return; +@@ -445,8 +444,8 @@ void mips_cm_error_report(void) + ulong core_id_bits, vp_id_bits, cmd_bits, cmd_group_bits; + ulong cm3_cca_bits, mcp_bits, cm3_tr_bits, sched_bit; + +- cause = cm_error >> __ffs64(CM3_GCR_ERROR_CAUSE_ERRTYPE); +- ocause = cm_other >> __ffs(CM_GCR_ERROR_MULT_ERR2ND); ++ cause = FIELD_GET(CM3_GCR_ERROR_CAUSE_ERRTYPE, cm_error); ++ ocause = FIELD_GET(CM_GCR_ERROR_MULT_ERR2ND, cm_other); + + if (!cause) + return; +-- +2.33.0 + diff --git a/queue-5.15/mips-lantiq-dma-add-small-delay-after-reset.patch b/queue-5.15/mips-lantiq-dma-add-small-delay-after-reset.patch new file mode 100644 index 00000000000..954c722e076 --- /dev/null +++ b/queue-5.15/mips-lantiq-dma-add-small-delay-after-reset.patch @@ -0,0 +1,43 @@ +From 9b41cfe35422444c84c371960786b1522fa0b4cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 23:20:58 +0200 +Subject: MIPS: lantiq: dma: add small delay after reset + +From: Aleksander Jan Bajkowski + +[ Upstream commit c12aa581f6d5e80c3c3675ab26a52c2b3b62f76e ] + +Reading the DMA registers immediately after the reset causes +Data Bus Error. Adding a small delay fixes this issue. + +Signed-off-by: Aleksander Jan Bajkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/xway/dma.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c +index 63dccb2ed08b2..2784715933d13 100644 +--- a/arch/mips/lantiq/xway/dma.c ++++ b/arch/mips/lantiq/xway/dma.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -222,6 +223,8 @@ ltq_dma_init(struct platform_device *pdev) + clk_enable(clk); + ltq_dma_w32_mask(0, DMA_RESET, LTQ_DMA_CTRL); + ++ usleep_range(1, 10); ++ + /* disable all interrupts */ + ltq_dma_w32(0, LTQ_DMA_IRNEN); + +-- +2.33.0 + diff --git a/queue-5.15/mips-lantiq-dma-fix-burst-length-for-deu.patch b/queue-5.15/mips-lantiq-dma-fix-burst-length-for-deu.patch new file mode 100644 index 00000000000..cf568707d8b --- /dev/null +++ b/queue-5.15/mips-lantiq-dma-fix-burst-length-for-deu.patch @@ -0,0 +1,52 @@ +From 6c1d8d4056fd464fe8e1ed42e274b31f6364a980 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 23:21:00 +0200 +Subject: MIPS: lantiq: dma: fix burst length for DEU + +From: Aleksander Jan Bajkowski + +[ Upstream commit 5ad74d39c51dd41b3c819f4f5396655f0629b4fd ] + +The current definition of 2W burst length is invalid. +This patch fixes it. Current downstream DEU driver doesn't +use DMA. An incorrect burst length value doesn't cause any +errors. This patch also adds other burst length values. + +Fixes: dfec1a827d2b ("MIPS: Lantiq: Add DMA support") +Signed-off-by: Aleksander Jan Bajkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/xway/dma.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c +index 364ab39eb8a41..53fcc672a2944 100644 +--- a/arch/mips/lantiq/xway/dma.c ++++ b/arch/mips/lantiq/xway/dma.c +@@ -41,7 +41,11 @@ + #define DMA_IRQ_ACK 0x7e /* IRQ status register */ + #define DMA_POLL BIT(31) /* turn on channel polling */ + #define DMA_CLK_DIV4 BIT(6) /* polling clock divider */ +-#define DMA_2W_BURST BIT(1) /* 2 word burst length */ ++#define DMA_PCTRL_2W_BURST 0x1 /* 2 word burst length */ ++#define DMA_PCTRL_4W_BURST 0x2 /* 4 word burst length */ ++#define DMA_PCTRL_8W_BURST 0x3 /* 8 word burst length */ ++#define DMA_TX_BURST_SHIFT 4 /* tx burst shift */ ++#define DMA_RX_BURST_SHIFT 2 /* rx burst shift */ + #define DMA_ETOP_ENDIANNESS (0xf << 8) /* endianness swap etop channels */ + #define DMA_WEIGHT (BIT(17) | BIT(16)) /* default channel wheight */ + +@@ -192,7 +196,8 @@ ltq_dma_init_port(int p) + break; + + case DMA_PORT_DEU: +- ltq_dma_w32((DMA_2W_BURST << 4) | (DMA_2W_BURST << 2), ++ ltq_dma_w32((DMA_PCTRL_2W_BURST << DMA_TX_BURST_SHIFT) | ++ (DMA_PCTRL_2W_BURST << DMA_RX_BURST_SHIFT), + LTQ_DMA_PCTRL); + break; + +-- +2.33.0 + diff --git a/queue-5.15/mips-lantiq-dma-reset-correct-number-of-channel.patch b/queue-5.15/mips-lantiq-dma-reset-correct-number-of-channel.patch new file mode 100644 index 00000000000..c0abec1ba6e --- /dev/null +++ b/queue-5.15/mips-lantiq-dma-reset-correct-number-of-channel.patch @@ -0,0 +1,79 @@ +From e786074d9274dfb1dfe82b43ec7b5aec9ee94a4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 23:20:59 +0200 +Subject: MIPS: lantiq: dma: reset correct number of channel + +From: Aleksander Jan Bajkowski + +[ Upstream commit 5ca9ce2ba4d5884cd94d1a856c675ab1242cd242 ] + +Different SoCs have a different number of channels, e.g .: +* amazon-se has 10 channels, +* danube+ar9 have 20 channels, +* vr9 has 28 channels, +* ar10 has 24 channels. + +We can read the ID register and, depending on the reported +number of channels, reset the appropriate number of channels. + +Signed-off-by: Aleksander Jan Bajkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/xway/dma.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c +index 2784715933d13..364ab39eb8a41 100644 +--- a/arch/mips/lantiq/xway/dma.c ++++ b/arch/mips/lantiq/xway/dma.c +@@ -31,6 +31,7 @@ + #define LTQ_DMA_PCTRL 0x44 + #define LTQ_DMA_IRNEN 0xf4 + ++#define DMA_ID_CHNR GENMASK(26, 20) /* channel number */ + #define DMA_DESCPT BIT(3) /* descriptor complete irq */ + #define DMA_TX BIT(8) /* TX channel direction */ + #define DMA_CHAN_ON BIT(0) /* channel on / off bit */ +@@ -41,7 +42,6 @@ + #define DMA_POLL BIT(31) /* turn on channel polling */ + #define DMA_CLK_DIV4 BIT(6) /* polling clock divider */ + #define DMA_2W_BURST BIT(1) /* 2 word burst length */ +-#define DMA_MAX_CHANNEL 20 /* the soc has 20 channels */ + #define DMA_ETOP_ENDIANNESS (0xf << 8) /* endianness swap etop channels */ + #define DMA_WEIGHT (BIT(17) | BIT(16)) /* default channel wheight */ + +@@ -207,7 +207,7 @@ ltq_dma_init(struct platform_device *pdev) + { + struct clk *clk; + struct resource *res; +- unsigned id; ++ unsigned int id, nchannels; + int i; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +@@ -229,17 +229,18 @@ ltq_dma_init(struct platform_device *pdev) + ltq_dma_w32(0, LTQ_DMA_IRNEN); + + /* reset/configure each channel */ +- for (i = 0; i < DMA_MAX_CHANNEL; i++) { ++ id = ltq_dma_r32(LTQ_DMA_ID); ++ nchannels = ((id & DMA_ID_CHNR) >> 20); ++ for (i = 0; i < nchannels; i++) { + ltq_dma_w32(i, LTQ_DMA_CS); + ltq_dma_w32(DMA_CHAN_RST, LTQ_DMA_CCTRL); + ltq_dma_w32(DMA_POLL | DMA_CLK_DIV4, LTQ_DMA_CPOLL); + ltq_dma_w32_mask(DMA_CHAN_ON, 0, LTQ_DMA_CCTRL); + } + +- id = ltq_dma_r32(LTQ_DMA_ID); + dev_info(&pdev->dev, + "Init done - hw rev: %X, ports: %d, channels: %d\n", +- id & 0x1f, (id >> 16) & 0xf, id >> 20); ++ id & 0x1f, (id >> 16) & 0xf, nchannels); + + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch b/queue-5.15/mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch new file mode 100644 index 00000000000..51b26ebc3d1 --- /dev/null +++ b/queue-5.15/mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch @@ -0,0 +1,50 @@ +From 501d527a0f739f338e3ec33876239b911eee8dcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Sep 2021 14:19:08 +0800 +Subject: MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jackie Liu + +[ Upstream commit 7f3b3c2bfa9c93ab9b5595543496f570983dc330 ] + +mach/loongson64 fails to build when the FPU support is disabled: + +arch/mips/loongson64/cop2-ex.c:45:15: error: implicit declaration of function ‘__is_fpu_owner’; did you mean ‘is_fpu_owner’? [-Werror=implicit-function-declaration] +arch/mips/loongson64/cop2-ex.c:98:30: error: ‘struct thread_struct’ has no member named ‘fpu’ +arch/mips/loongson64/cop2-ex.c:99:30: error: ‘struct thread_struct’ has no member named ‘fpu’ +arch/mips/loongson64/cop2-ex.c:131:43: error: ‘struct thread_struct’ has no member named ‘fpu’ +arch/mips/loongson64/cop2-ex.c:137:38: error: ‘struct thread_struct’ has no member named ‘fpu’ +arch/mips/loongson64/cop2-ex.c:203:30: error: ‘struct thread_struct’ has no member named ‘fpu’ +arch/mips/loongson64/cop2-ex.c:219:30: error: ‘struct thread_struct’ has no member named ‘fpu’ +arch/mips/loongson64/cop2-ex.c:283:38: error: ‘struct thread_struct’ has no member named ‘fpu’ +arch/mips/loongson64/cop2-ex.c:301:38: error: ‘struct thread_struct’ has no member named ‘fpu’ + +Fixes: ef2f826c8f2f ("MIPS: Loongson-3: Enable the COP2 usage") +Suggested-by: Huacai Chen +Reviewed-by: Huacai Chen +Reported-by: k2ci robot +Signed-off-by: Jackie Liu +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig +index 6b8f591c5054c..cbbb302a460eb 100644 +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -1379,6 +1379,7 @@ config CPU_LOONGSON64 + select MIPS_ASID_BITS_VARIABLE + select MIPS_PGD_C0_CONTEXT + select MIPS_L1_CACHE_SHIFT_6 ++ select MIPS_FP_SUPPORT + select GPIOLIB + select SWIOTLB + select HAVE_KVM +-- +2.33.0 + diff --git a/queue-5.15/mips-ralink-don-t-define-pc_iobase-but-increase-io_s.patch b/queue-5.15/mips-ralink-don-t-define-pc_iobase-but-increase-io_s.patch new file mode 100644 index 00000000000..f3077b6e53c --- /dev/null +++ b/queue-5.15/mips-ralink-don-t-define-pc_iobase-but-increase-io_s.patch @@ -0,0 +1,47 @@ +From 38e92cf76656405e5c5ba7e4e80f4766e9dc0500 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Aug 2021 18:10:03 +0200 +Subject: MIPS: ralink: don't define PC_IOBASE but increase IO_SPACE_LIMIT + +From: Sergio Paracuellos + +[ Upstream commit 159697474db41732ef3b6c2e8d9395f09d1f659e ] + +Defining PCI_IOBASE results in pci resource handling working but the +addresses generated for IO accesses are wrong since the ioremap in the pci core +function 'pci_parse_request_of_pci_ranges' tries to remap to a fixed virtual +address (PC_IOBASE) which can't work for KSEG1 addresses. To get it working this +way, we would need to put PCI_IOBASE somewhere into KSEG2 which will result in +creating TLB entries for IO addresses, which most of the time isn't needed on +MIPS because of access via KSEG1. So avoid to define PCI_IOBASE and increase +IO_SPACE_LIMIT resource for ralink MIPS platform instead, to get valid IO +addresses for resources from pci core 'pci_address_to_pio' function. + +Fixes: 222b27713d7f ("MIPS: ralink: Define PCI_IOBASE") +Acked-by: Thomas Bogendoerfer +Signed-off-by: Sergio Paracuellos +Link: https://lore.kernel.org/r/20210822161005.22467-2-sergio.paracuellos@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/mach-ralink/spaces.h | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/arch/mips/include/asm/mach-ralink/spaces.h b/arch/mips/include/asm/mach-ralink/spaces.h +index 87d085c9ad610..31a3525213cf3 100644 +--- a/arch/mips/include/asm/mach-ralink/spaces.h ++++ b/arch/mips/include/asm/mach-ralink/spaces.h +@@ -2,9 +2,7 @@ + #ifndef __ASM_MACH_RALINK_SPACES_H_ + #define __ASM_MACH_RALINK_SPACES_H_ + +-#define PCI_IOBASE _AC(0xa0000000, UL) +-#define PCI_IOSIZE SZ_16M +-#define IO_SPACE_LIMIT (PCI_IOSIZE - 1) ++#define IO_SPACE_LIMIT 0x1fffffff + + #include + #endif +-- +2.33.0 + diff --git a/queue-5.15/mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch b/queue-5.15/mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch new file mode 100644 index 00000000000..df6cd0e8202 --- /dev/null +++ b/queue-5.15/mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch @@ -0,0 +1,65 @@ +From 354ffb50a4dc49f8963d76d3e2716655414377d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 13:45:03 -0700 +Subject: mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and + zs_unregister_migration() + +From: Miaohe Lin + +[ Upstream commit afe8605ca45424629fdddfd85984b442c763dc47 ] + +There is one possible race window between zs_pool_dec_isolated() and +zs_unregister_migration() because wait_for_isolated_drain() checks the +isolated count without holding class->lock and there is no order inside +zs_pool_dec_isolated(). Thus the below race window could be possible: + + zs_pool_dec_isolated zs_unregister_migration + check pool->destroying != 0 + pool->destroying = true; + smp_mb(); + wait_for_isolated_drain() + wait for pool->isolated_pages == 0 + atomic_long_dec(&pool->isolated_pages); + atomic_long_read(&pool->isolated_pages) == 0 + +Since we observe the pool->destroying (false) before atomic_long_dec() +for pool->isolated_pages, waking pool->migration_wait up is missed. + +Fix this by ensure checking pool->destroying happens after the +atomic_long_dec(&pool->isolated_pages). + +Link: https://lkml.kernel.org/r/20210708115027.7557-1-linmiaohe@huawei.com +Fixes: 701d678599d0 ("mm/zsmalloc.c: fix race condition in zs_destroy_pool") +Signed-off-by: Miaohe Lin +Cc: Minchan Kim +Cc: Sergey Senozhatsky +Cc: Henry Burns +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/zsmalloc.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c +index 68e8831068f4b..b897ce3b399a1 100644 +--- a/mm/zsmalloc.c ++++ b/mm/zsmalloc.c +@@ -1830,10 +1830,11 @@ static inline void zs_pool_dec_isolated(struct zs_pool *pool) + VM_BUG_ON(atomic_long_read(&pool->isolated_pages) <= 0); + atomic_long_dec(&pool->isolated_pages); + /* +- * There's no possibility of racing, since wait_for_isolated_drain() +- * checks the isolated count under &class->lock after enqueuing +- * on migration_wait. ++ * Checking pool->destroying must happen after atomic_long_dec() ++ * for pool->isolated_pages above. Paired with the smp_mb() in ++ * zs_unregister_migration(). + */ ++ smp_mb__after_atomic(); + if (atomic_long_read(&pool->isolated_pages) == 0 && pool->destroying) + wake_up_all(&pool->migration_wait); + } +-- +2.33.0 + diff --git a/queue-5.15/mmc-moxart-fix-reference-count-leaks-in-moxart_probe.patch b/queue-5.15/mmc-moxart-fix-reference-count-leaks-in-moxart_probe.patch new file mode 100644 index 00000000000..884b721cb0b --- /dev/null +++ b/queue-5.15/mmc-moxart-fix-reference-count-leaks-in-moxart_probe.patch @@ -0,0 +1,74 @@ +From be65073a6cd90530800c65be0783040a387b802f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Oct 2021 12:19:18 +0800 +Subject: mmc: moxart: Fix reference count leaks in moxart_probe + +From: Xin Xiong + +[ Upstream commit 8105c2abbf36296bf38ca44f55ee45d160db476a ] + +The issue happens in several error handling paths on two refcounted +object related to the object "host" (dma_chan_rx, dma_chan_tx). In +these paths, the function forgets to decrement one or both objects' +reference count increased earlier by dma_request_chan(), causing +reference count leaks. + +Fix it by balancing the refcounts of both objects in some error +handling paths. In correspondence with the changes in moxart_probe(), +IS_ERR() is replaced with IS_ERR_OR_NULL() in moxart_remove() as well. + +Signed-off-by: Xin Xiong +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Link: https://lore.kernel.org/r/20211009041918.28419-1-xiongx18@fudan.edu.cn +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/moxart-mmc.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c +index 6c9d38132f74c..7b9fcef490de7 100644 +--- a/drivers/mmc/host/moxart-mmc.c ++++ b/drivers/mmc/host/moxart-mmc.c +@@ -621,6 +621,14 @@ static int moxart_probe(struct platform_device *pdev) + ret = -EPROBE_DEFER; + goto out; + } ++ if (!IS_ERR(host->dma_chan_tx)) { ++ dma_release_channel(host->dma_chan_tx); ++ host->dma_chan_tx = NULL; ++ } ++ if (!IS_ERR(host->dma_chan_rx)) { ++ dma_release_channel(host->dma_chan_rx); ++ host->dma_chan_rx = NULL; ++ } + dev_dbg(dev, "PIO mode transfer enabled\n"); + host->have_dma = false; + } else { +@@ -675,6 +683,10 @@ static int moxart_probe(struct platform_device *pdev) + return 0; + + out: ++ if (!IS_ERR_OR_NULL(host->dma_chan_tx)) ++ dma_release_channel(host->dma_chan_tx); ++ if (!IS_ERR_OR_NULL(host->dma_chan_rx)) ++ dma_release_channel(host->dma_chan_rx); + if (mmc) + mmc_free_host(mmc); + return ret; +@@ -687,9 +699,9 @@ static int moxart_remove(struct platform_device *pdev) + + dev_set_drvdata(&pdev->dev, NULL); + +- if (!IS_ERR(host->dma_chan_tx)) ++ if (!IS_ERR_OR_NULL(host->dma_chan_tx)) + dma_release_channel(host->dma_chan_tx); +- if (!IS_ERR(host->dma_chan_rx)) ++ if (!IS_ERR_OR_NULL(host->dma_chan_rx)) + dma_release_channel(host->dma_chan_rx); + mmc_remove_host(mmc); + mmc_free_host(mmc); +-- +2.33.0 + diff --git a/queue-5.15/mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch b/queue-5.15/mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch new file mode 100644 index 00000000000..0b8ea9cb7d8 --- /dev/null +++ b/queue-5.15/mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch @@ -0,0 +1,55 @@ +From 90c052aa0616bc75c493b46c83b9cec7b6c8fe42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 08:21:44 +0200 +Subject: mmc: mxs-mmc: disable regulator on error and in the remove function + +From: Christophe JAILLET + +[ Upstream commit ce5f6c2c9b0fcb4094f8e162cfd37fb4294204f7 ] + +The 'reg_vmmc' regulator is enabled in the probe. It is never disabled. +Neither in the error handling path of the probe nor in the remove +function. + +Register a devm_action to disable it when needed. + +Fixes: 4dc5a79f1350 ("mmc: mxs-mmc: enable regulator for mmc slot") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/4aadb3c97835f7b80f00819c3d549e6130384e67.1634365151.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mxs-mmc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/mmc/host/mxs-mmc.c b/drivers/mmc/host/mxs-mmc.c +index 947581de78601..8c3655d3be961 100644 +--- a/drivers/mmc/host/mxs-mmc.c ++++ b/drivers/mmc/host/mxs-mmc.c +@@ -552,6 +552,11 @@ static const struct of_device_id mxs_mmc_dt_ids[] = { + }; + MODULE_DEVICE_TABLE(of, mxs_mmc_dt_ids); + ++static void mxs_mmc_regulator_disable(void *regulator) ++{ ++ regulator_disable(regulator); ++} ++ + static int mxs_mmc_probe(struct platform_device *pdev) + { + struct device_node *np = pdev->dev.of_node; +@@ -591,6 +596,11 @@ static int mxs_mmc_probe(struct platform_device *pdev) + "Failed to enable vmmc regulator: %d\n", ret); + goto out_mmc_free; + } ++ ++ ret = devm_add_action_or_reset(&pdev->dev, mxs_mmc_regulator_disable, ++ reg_vmmc); ++ if (ret) ++ goto out_mmc_free; + } + + ssp->clk = devm_clk_get(&pdev->dev, NULL); +-- +2.33.0 + diff --git a/queue-5.15/mmc-sdhci-omap-fix-context-restore.patch b/queue-5.15/mmc-sdhci-omap-fix-context-restore.patch new file mode 100644 index 00000000000..a4cedb09ea7 --- /dev/null +++ b/queue-5.15/mmc-sdhci-omap-fix-context-restore.patch @@ -0,0 +1,78 @@ +From 28e1991739e5ee952347f0eb6bb072dc6b5f0fbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 14:00:26 +0300 +Subject: mmc: sdhci-omap: Fix context restore + +From: Tony Lindgren + +[ Upstream commit d806e334d0390502cd2a820ad33d65d7f9bba618 ] + +We need to restore context in a specified order with HCTL set in two +phases. This is similar to what omap_hsmmc_context_restore() is doing. +Otherwise SDIO can stop working on resume. + +And for PM runtime and SDIO cards, we need to also save SYSCTL, IE and +ISE. + +This should not be a problem currently, and these patches can be applied +whenever suitable. + +Fixes: ee0f309263a6 ("mmc: sdhci-omap: Add Support for Suspend/Resume") +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210921110029.21944-3-tony@atomide.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-omap.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-omap.c b/drivers/mmc/host/sdhci-omap.c +index 3ddced779e965..fd188b6d88f49 100644 +--- a/drivers/mmc/host/sdhci-omap.c ++++ b/drivers/mmc/host/sdhci-omap.c +@@ -62,6 +62,8 @@ + #define SDHCI_OMAP_IE 0x234 + #define INT_CC_EN BIT(0) + ++#define SDHCI_OMAP_ISE 0x238 ++ + #define SDHCI_OMAP_AC12 0x23c + #define AC12_V1V8_SIGEN BIT(19) + #define AC12_SCLK_SEL BIT(23) +@@ -113,6 +115,8 @@ struct sdhci_omap_host { + u32 hctl; + u32 sysctl; + u32 capa; ++ u32 ie; ++ u32 ise; + }; + + static void sdhci_omap_start_clock(struct sdhci_omap_host *omap_host); +@@ -1245,14 +1249,23 @@ static void sdhci_omap_context_save(struct sdhci_omap_host *omap_host) + { + omap_host->con = sdhci_omap_readl(omap_host, SDHCI_OMAP_CON); + omap_host->hctl = sdhci_omap_readl(omap_host, SDHCI_OMAP_HCTL); ++ omap_host->sysctl = sdhci_omap_readl(omap_host, SDHCI_OMAP_SYSCTL); + omap_host->capa = sdhci_omap_readl(omap_host, SDHCI_OMAP_CAPA); ++ omap_host->ie = sdhci_omap_readl(omap_host, SDHCI_OMAP_IE); ++ omap_host->ise = sdhci_omap_readl(omap_host, SDHCI_OMAP_ISE); + } + ++/* Order matters here, HCTL must be restored in two phases */ + static void sdhci_omap_context_restore(struct sdhci_omap_host *omap_host) + { +- sdhci_omap_writel(omap_host, SDHCI_OMAP_CON, omap_host->con); + sdhci_omap_writel(omap_host, SDHCI_OMAP_HCTL, omap_host->hctl); + sdhci_omap_writel(omap_host, SDHCI_OMAP_CAPA, omap_host->capa); ++ sdhci_omap_writel(omap_host, SDHCI_OMAP_HCTL, omap_host->hctl); ++ ++ sdhci_omap_writel(omap_host, SDHCI_OMAP_SYSCTL, omap_host->sysctl); ++ sdhci_omap_writel(omap_host, SDHCI_OMAP_CON, omap_host->con); ++ sdhci_omap_writel(omap_host, SDHCI_OMAP_IE, omap_host->ie); ++ sdhci_omap_writel(omap_host, SDHCI_OMAP_ISE, omap_host->ise); + } + + static int __maybe_unused sdhci_omap_suspend(struct device *dev) +-- +2.33.0 + diff --git a/queue-5.15/mmc-sdhci-omap-fix-null-pointer-exception-if-regulat.patch b/queue-5.15/mmc-sdhci-omap-fix-null-pointer-exception-if-regulat.patch new file mode 100644 index 00000000000..b6e2c031e45 --- /dev/null +++ b/queue-5.15/mmc-sdhci-omap-fix-null-pointer-exception-if-regulat.patch @@ -0,0 +1,55 @@ +From 5d0506a7298ac792e48ff339a5b7af32a07242db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 14:00:25 +0300 +Subject: mmc: sdhci-omap: Fix NULL pointer exception if regulator is not + configured + +From: Tony Lindgren + +[ Upstream commit 8e0e7bd38b1ec7f9e5d18725ad41828be4e09859 ] + +If sdhci-omap is configured for an unused device instance and the device +is not set as disabled, we can get a NULL pointer dereference: + +Unable to handle kernel NULL pointer dereference at virtual address +00000045 +... +(regulator_set_voltage) from [] (mmc_regulator_set_ocr+0x44/0xd0) +(mmc_regulator_set_ocr) from [] (sdhci_set_ios+0xa4/0x490) +(sdhci_set_ios) from [] (sdhci_omap_set_ios+0x124/0x160) +(sdhci_omap_set_ios) from [] (mmc_power_up.part.0+0x3c/0x154) +(mmc_power_up.part.0) from [] (mmc_start_host+0x88/0x9c) +(mmc_start_host) from [] (mmc_add_host+0x58/0x7c) +(mmc_add_host) from [] (__sdhci_add_host+0xf0/0x22c) +(__sdhci_add_host) from [] (sdhci_omap_probe+0x318/0x72c) +(sdhci_omap_probe) from [] (platform_probe+0x58/0xb8) + +AFAIK we are not seeing this with the devices configured in the mainline +kernel but this can cause issues for folks bringing up their boards. + +Fixes: 7d326930d352 ("mmc: sdhci-omap: Add OMAP SDHCI driver") +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210921110029.21944-2-tony@atomide.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci-omap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/sdhci-omap.c b/drivers/mmc/host/sdhci-omap.c +index 8f4d1f003f656..3ddced779e965 100644 +--- a/drivers/mmc/host/sdhci-omap.c ++++ b/drivers/mmc/host/sdhci-omap.c +@@ -682,7 +682,8 @@ static void sdhci_omap_set_power(struct sdhci_host *host, unsigned char mode, + { + struct mmc_host *mmc = host->mmc; + +- mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, vdd); ++ if (!IS_ERR(mmc->supply.vmmc)) ++ mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, vdd); + } + + static int sdhci_omap_enable_dma(struct sdhci_host *host) +-- +2.33.0 + diff --git a/queue-5.15/mptcp-do-not-shrink-snd_nxt-when-recovering.patch b/queue-5.15/mptcp-do-not-shrink-snd_nxt-when-recovering.patch new file mode 100644 index 00000000000..03f81cc71f4 --- /dev/null +++ b/queue-5.15/mptcp-do-not-shrink-snd_nxt-when-recovering.patch @@ -0,0 +1,147 @@ +From 81f516366d2a94b676049e4f9727d9cbf3768197 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 14:12:34 -0700 +Subject: mptcp: do not shrink snd_nxt when recovering + +From: Florian Westphal + +[ Upstream commit 0d199e4363b482badcedba764e2aceab53a4a10a ] + +When recovering after a link failure, snd_nxt should not be set to a +lower value. Else, update of snd_nxt is broken because: + + msk->snd_nxt += ret; (where ret is number of bytes sent) + +assumes that snd_nxt always moves forward. +After reduction, its possible that snd_nxt update gets out of sync: +dfrag we just sent might have had a data sequence number even past +recovery_snd_nxt. + +This change factors the common msk state update to a helper +and updates snd_nxt based on the current dfrag data sequence number. + +The conditional is required for the recovery phase where we may +re-transmit old dfrags that are before current snd_nxt. + +After this change, snd_nxt only moves forward and covers all in-sequence +data that was transmitted. + +recovery_snd_nxt is retained to detect when recovery has completed. + +Fixes: 1e1d9d6f119c5 ("mptcp: handle pending data on closed subflow") +Signed-off-by: Florian Westphal +Signed-off-by: Mat Martineau +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/mptcp/options.c | 8 +++----- + net/mptcp/protocol.c | 43 +++++++++++++++++++++++++++++++------------ + 2 files changed, 34 insertions(+), 17 deletions(-) + +diff --git a/net/mptcp/options.c b/net/mptcp/options.c +index f0f22eb4fd5f7..350348f070700 100644 +--- a/net/mptcp/options.c ++++ b/net/mptcp/options.c +@@ -1019,11 +1019,9 @@ static void ack_update_msk(struct mptcp_sock *msk, + old_snd_una = msk->snd_una; + new_snd_una = mptcp_expand_seq(old_snd_una, mp_opt->data_ack, mp_opt->ack64); + +- /* ACK for data not even sent yet and even above recovery bound? Ignore.*/ +- if (unlikely(after64(new_snd_una, snd_nxt))) { +- if (!msk->recovery || after64(new_snd_una, msk->recovery_snd_nxt)) +- new_snd_una = old_snd_una; +- } ++ /* ACK for data not even sent yet? Ignore.*/ ++ if (unlikely(after64(new_snd_una, snd_nxt))) ++ new_snd_una = old_snd_una; + + new_wnd_end = new_snd_una + tcp_sk(ssk)->snd_wnd; + +diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c +index d073b21113828..4379d69aead7e 100644 +--- a/net/mptcp/protocol.c ++++ b/net/mptcp/protocol.c +@@ -1505,6 +1505,32 @@ static void mptcp_push_release(struct sock *sk, struct sock *ssk, + release_sock(ssk); + } + ++static void mptcp_update_post_push(struct mptcp_sock *msk, ++ struct mptcp_data_frag *dfrag, ++ u32 sent) ++{ ++ u64 snd_nxt_new = dfrag->data_seq; ++ ++ dfrag->already_sent += sent; ++ ++ msk->snd_burst -= sent; ++ msk->tx_pending_data -= sent; ++ ++ snd_nxt_new += dfrag->already_sent; ++ ++ /* snd_nxt_new can be smaller than snd_nxt in case mptcp ++ * is recovering after a failover. In that event, this re-sends ++ * old segments. ++ * ++ * Thus compute snd_nxt_new candidate based on ++ * the dfrag->data_seq that was sent and the data ++ * that has been handed to the subflow for transmission ++ * and skip update in case it was old dfrag. ++ */ ++ if (likely(after64(snd_nxt_new, msk->snd_nxt))) ++ msk->snd_nxt = snd_nxt_new; ++} ++ + void __mptcp_push_pending(struct sock *sk, unsigned int flags) + { + struct sock *prev_ssk = NULL, *ssk = NULL; +@@ -1548,12 +1574,10 @@ void __mptcp_push_pending(struct sock *sk, unsigned int flags) + } + + info.sent += ret; +- dfrag->already_sent += ret; +- msk->snd_nxt += ret; +- msk->snd_burst -= ret; +- msk->tx_pending_data -= ret; + copied += ret; + len -= ret; ++ ++ mptcp_update_post_push(msk, dfrag, ret); + } + WRITE_ONCE(msk->first_pending, mptcp_send_next(sk)); + } +@@ -1606,13 +1630,11 @@ static void __mptcp_subflow_push_pending(struct sock *sk, struct sock *ssk) + goto out; + + info.sent += ret; +- dfrag->already_sent += ret; +- msk->snd_nxt += ret; +- msk->snd_burst -= ret; +- msk->tx_pending_data -= ret; + copied += ret; + len -= ret; + first = false; ++ ++ mptcp_update_post_push(msk, dfrag, ret); + } + WRITE_ONCE(msk->first_pending, mptcp_send_next(sk)); + } +@@ -2183,15 +2205,12 @@ bool __mptcp_retransmit_pending_data(struct sock *sk) + return false; + } + +- /* will accept ack for reijected data before re-sending them */ +- if (!msk->recovery || after64(msk->snd_nxt, msk->recovery_snd_nxt)) +- msk->recovery_snd_nxt = msk->snd_nxt; ++ msk->recovery_snd_nxt = msk->snd_nxt; + msk->recovery = true; + mptcp_data_unlock(sk); + + msk->first_pending = rtx_head; + msk->tx_pending_data += msk->snd_nxt - rtx_head->data_seq; +- msk->snd_nxt = rtx_head->data_seq; + msk->snd_burst = 0; + + /* be sure to clear the "sent status" on all re-injected fragments */ +-- +2.33.0 + diff --git a/queue-5.15/mt76-connac-fix-gtk-rekey-offload-failure-on-wpa-mix.patch b/queue-5.15/mt76-connac-fix-gtk-rekey-offload-failure-on-wpa-mix.patch new file mode 100644 index 00000000000..ef7e1f8617b --- /dev/null +++ b/queue-5.15/mt76-connac-fix-gtk-rekey-offload-failure-on-wpa-mix.patch @@ -0,0 +1,66 @@ +From a7dd7205ea99fd9dc8406b0bc8ad3d193da94e90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Jul 2021 06:59:16 +0800 +Subject: mt76: connac: fix GTK rekey offload failure on WPA mixed mode + +From: Leon Yen + +[ Upstream commit 781f62960c635cfed55a8f8c0f909bdaf8268257 ] + +Update the proper firmware programming sequence to fix GTK rekey +offload failure on WPA mixed mode. + +In the mt76_connac_mcu_key_iter, +gtk_tlv->proto should be only set up on pairwise key +and gtk_tlk->group_cipher should be only set up on the group key. + +Otherwise, those parameters required by firmware would be set +incorrectly to cause GTK rekey offload failure on WPA mixed mode +and then disconnection follows. + +Fixes: b47e21e75c80 ("mt76: mt7615: add gtk rekey offload support") +Co-developed-by: Sean Wang +Signed-off-by: Sean Wang +Signed-off-by: Leon Yen +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +index 5c3a81e5f559d..f57f047fce99c 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +@@ -1929,19 +1929,22 @@ mt76_connac_mcu_key_iter(struct ieee80211_hw *hw, + key->cipher != WLAN_CIPHER_SUITE_TKIP) + return; + +- if (key->cipher == WLAN_CIPHER_SUITE_TKIP) { +- gtk_tlv->proto = cpu_to_le32(NL80211_WPA_VERSION_1); ++ if (key->cipher == WLAN_CIPHER_SUITE_TKIP) + cipher = BIT(3); +- } else { +- gtk_tlv->proto = cpu_to_le32(NL80211_WPA_VERSION_2); ++ else + cipher = BIT(4); +- } + + /* we are assuming here to have a single pairwise key */ + if (key->flags & IEEE80211_KEY_FLAG_PAIRWISE) { ++ if (key->cipher == WLAN_CIPHER_SUITE_TKIP) ++ gtk_tlv->proto = cpu_to_le32(NL80211_WPA_VERSION_1); ++ else ++ gtk_tlv->proto = cpu_to_le32(NL80211_WPA_VERSION_2); ++ + gtk_tlv->pairwise_cipher = cpu_to_le32(cipher); +- gtk_tlv->group_cipher = cpu_to_le32(cipher); + gtk_tlv->keyid = key->keyidx; ++ } else { ++ gtk_tlv->group_cipher = cpu_to_le32(cipher); + } + } + +-- +2.33.0 + diff --git a/queue-5.15/mt76-connac-fix-mt76_connac_gtk_rekey_tlv-usage.patch b/queue-5.15/mt76-connac-fix-mt76_connac_gtk_rekey_tlv-usage.patch new file mode 100644 index 00000000000..c4151100c55 --- /dev/null +++ b/queue-5.15/mt76-connac-fix-mt76_connac_gtk_rekey_tlv-usage.patch @@ -0,0 +1,48 @@ +From 0d32c81b6b5d2a1aa2776bf8f7eb28c5deb267cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Jul 2021 12:29:06 +0800 +Subject: mt76: connac: fix mt76_connac_gtk_rekey_tlv usage + +From: Leon Yen + +[ Upstream commit d741abeafa47a7331cd4fe526e44db4ad3da0f62 ] + +The mistaken structure is introduced since we added the GTK rekey offload +to mt7663. The patch fixes mt76_connac_gtk_rekey_tlv structure according +to the MT7663 and MT7921 firmware we have submitted into +linux-firmware.git. + +Fixes: b47e21e75c80 ("mt76: mt7615: add gtk rekey offload support") +Signed-off-by: Sean Wang +Signed-off-by: Leon Yen +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h +index 1c73beb226771..4bcd728ff97c5 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h +@@ -844,14 +844,14 @@ struct mt76_connac_gtk_rekey_tlv { + * 2: rekey update + */ + u8 keyid; +- u8 pad[2]; ++ u8 option; /* 1: rekey data update without enabling offload */ ++ u8 pad[1]; + __le32 proto; /* WPA-RSN-WAPI-OPSN */ + __le32 pairwise_cipher; + __le32 group_cipher; + __le32 key_mgmt; /* NONE-PSK-IEEE802.1X */ + __le32 mgmt_group_cipher; +- u8 option; /* 1: rekey data update without enabling offload */ +- u8 reserverd[3]; ++ u8 reserverd[4]; + } __packed; + + #define MT76_CONNAC_WOW_MASK_MAX_LEN 16 +-- +2.33.0 + diff --git a/queue-5.15/mt76-connac-fix-possible-null-pointer-dereference-in.patch b/queue-5.15/mt76-connac-fix-possible-null-pointer-dereference-in.patch new file mode 100644 index 00000000000..6e1a0942f5f --- /dev/null +++ b/queue-5.15/mt76-connac-fix-possible-null-pointer-dereference-in.patch @@ -0,0 +1,90 @@ +From 97be121323dee11969964924e2ff001f46b4007d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 17:19:53 +0200 +Subject: mt76: connac: fix possible NULL pointer dereference in + mt76_connac_get_phy_mode_v2 + +From: Lorenzo Bianconi + +[ Upstream commit b5f2ba8a4c794e8349c0e30036352b9f685164c4 ] + +Fix the following NULL pointer dereference in mt76_connac_get_phy_mode_v2 +routine triggered on mt7663s device when sta is NULL + +[ 5.490700] mt7663s mmc0:0001:1: N9 Firmware Version: 3.1.1, Build Time: 20200604161656 +[ 5.490815] mt7663s mmc0:0001:1: Region number: 0x4 +[ 5.490868] mt7663s mmc0:0001:1: Parsing tailer Region: 0 +[ 5.496251] mt7663s mmc0:0001:1: Region 0, override_addr = 0x00118000 +[ 5.496419] mt7663s mmc0:0001:1: Parsing tailer Region: 1 +[ 5.624027] mt7663s mmc0:0001:1: Parsing tailer Region: 2 +[ 5.656999] mt7663s mmc0:0001:1: Parsing tailer Region: 3 +[ 5.671876] mt7663s mmc0:0001:1: override_addr = 0x00118000, option = 3 +[ 9.358658] BUG: kernel NULL pointer dereference, address: 0000000000000000 +[ 9.358775] #PF: supervisor read access in kernel mode +[ 9.358831] #PF: error_code(0x0000) - not-present page +[ 9.358886] PGD 0 P4D 0 +[ 9.358917] Oops: 0000 [#1] SMP +[ 9.358960] CPU: 0 PID: 235 Comm: NetworkManager Not tainted 5.15.0-rc4-kvm-02151-g39e333d657f4-dirty #769 +[ 9.359057] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-4.fc34 04/01/2014 +[ 9.359150] RIP: 0010:mt76_connac_get_phy_mode_v2+0xc9/0x11c +[ 9.359473] RAX: 0000000000000013 RBX: 0000000000000000 RCX: 0000000000000027 +[ 9.359546] RDX: ffff8881f9c17358 RSI: 0000000000000001 RDI: ffff8881f9c17350 +[ 9.359624] RBP: ffff88810bac1ed4 R08: ffffffff822a4a48 R09: 0000000000000003 +[ 9.359697] R10: ffffffff82234a60 R11: ffffffff82234a60 R12: ffff88810bac1eec +[ 9.359779] R13: 0000000000000000 R14: ffff88810bad1648 R15: ffff88810bac1eb8 +[ 9.359859] FS: 00007f5f1e45bbc0(0000) GS:ffff8881f9c00000(0000) knlGS:0000000000000000 +[ 9.359939] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 9.360003] CR2: 0000000000000000 CR3: 0000000105d5d000 CR4: 00000000000006b0 +[ 9.360083] Call Trace: +[ 9.360116] mt76_connac_mcu_uni_add_bss.cold+0x21/0x250 +[ 9.360175] ? schedule_preempt_disabled+0xa/0x10 +[ 9.360232] ? __mutex_lock.constprop.0+0x2ab/0x460 +[ 9.360286] mt7615_remove_interface+0x63/0x1d0 +[ 9.360342] drv_remove_interface+0x32/0xe0 +[ 9.360385] ieee80211_do_stop+0x5da/0x800 +[ 9.360428] ? dev_reset_queue+0x30/0x90 +[ 9.360472] ieee80211_stop+0x3b/0xb0 +[ 9.360516] __dev_close_many+0x7a/0xd0 +[ 9.360559] __dev_change_flags+0xd6/0x1f0 +[ 9.360604] dev_change_flags+0x21/0x60 +[ 9.360648] do_setlink+0x259/0xfb0 +[ 9.360686] ? __nla_validate_parse+0x51/0xb80 +[ 9.360742] __rtnl_newlink+0x5b3/0x960 +[ 9.360785] ? inet6_fill_ifla6_attrs+0x41d/0x470 +[ 9.360841] ? __kmalloc_track_caller+0x57/0x3c0 +[ 9.360905] ? netlink_trim+0x8a/0xb0 +[ 9.360949] ? skb_queue_tail+0x1b/0x50 + +Fixes: 67aa27431c7f8 ("mt76: mt7921: rely on mt76_connac_mcu common library") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +index 98d233e24afcc..d25b50e769328 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +@@ -689,7 +689,7 @@ mt76_connac_get_phy_mode_v2(struct mt76_phy *mphy, struct ieee80211_vif *vif, + if (ht_cap->ht_supported) + mode |= PHY_TYPE_BIT_HT; + +- if (he_cap->has_he) ++ if (he_cap && he_cap->has_he) + mode |= PHY_TYPE_BIT_HE; + } else if (band == NL80211_BAND_5GHZ) { + mode |= PHY_TYPE_BIT_OFDM; +@@ -700,7 +700,7 @@ mt76_connac_get_phy_mode_v2(struct mt76_phy *mphy, struct ieee80211_vif *vif, + if (vht_cap->vht_supported) + mode |= PHY_TYPE_BIT_VHT; + +- if (he_cap->has_he) ++ if (he_cap && he_cap->has_he) + mode |= PHY_TYPE_BIT_HE; + } + +-- +2.33.0 + diff --git a/queue-5.15/mt76-fix-build-error-implicit-enumeration-conversion.patch b/queue-5.15/mt76-fix-build-error-implicit-enumeration-conversion.patch new file mode 100644 index 00000000000..7ab91e64fb5 --- /dev/null +++ b/queue-5.15/mt76-fix-build-error-implicit-enumeration-conversion.patch @@ -0,0 +1,59 @@ +From 910bc0e26bfcbcb56d9090820a0a7d940d1b6f60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Jun 2021 15:48:07 +0800 +Subject: mt76: fix build error implicit enumeration conversion + +From: Sean Wang + +[ Upstream commit adedbc643f02f5a3193b8dcc5cfca97b4c988667 ] + +drivers/net/wireless/mediatek/mt76/mt7915/mcu.c:114:10: error: implicit +conversion from enumeration type 'enum mt76_cipher_type' to different +enumeration type 'enum mcu_cipher_type' [-Werror,-Wenum-conversion] + return MT_CIPHER_NONE; + ~~~~~~ ^~~~~~~~~~~~~~ + +drivers/net/wireless/mediatek/mt76/mt7921/mcu.c:114:10: error: implicit +conversion from enumeration type 'enum mt76_cipher_type' to different +enumeration type 'enum mcu_cipher_type' [-Werror,-Wenum-conversion] + return MT_CIPHER_NONE; + ~~~~~~ ^~~~~~~~~~~~~~ + +Fixes: c368362c36d3 ("mt76: fix iv and CCMP header insertion") +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- + drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index caf2033c5c17e..c08c7398f9b85 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -1201,7 +1201,7 @@ mt7915_mcu_sta_key_tlv(struct mt7915_sta *msta, struct sk_buff *skb, + u8 cipher; + + cipher = mt7915_mcu_get_cipher(key->cipher); +- if (cipher == MT_CIPHER_NONE) ++ if (cipher == MCU_CIPHER_NONE) + return -EOPNOTSUPP; + + sec_key = &sec->key[0]; +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +index 68840e55ede7a..8329b705c2ca2 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +@@ -620,7 +620,7 @@ mt7921_mcu_sta_key_tlv(struct mt7921_sta *msta, struct sk_buff *skb, + u8 cipher; + + cipher = mt7921_mcu_get_cipher(key->cipher); +- if (cipher == MT_CIPHER_NONE) ++ if (cipher == MCU_CIPHER_NONE) + return -EOPNOTSUPP; + + sec_key = &sec->key[0]; +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7615-fix-endianness-warning-in-mt7615_mac_wri.patch b/queue-5.15/mt76-mt7615-fix-endianness-warning-in-mt7615_mac_wri.patch new file mode 100644 index 00000000000..2e7d2798e17 --- /dev/null +++ b/queue-5.15/mt76-mt7615-fix-endianness-warning-in-mt7615_mac_wri.patch @@ -0,0 +1,53 @@ +From e243f199d1ee7fee014e8c807c48d1698607e108 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 23:53:22 +0200 +Subject: mt76: mt7615: fix endianness warning in mt7615_mac_write_txwi + +From: Lorenzo Bianconi + +[ Upstream commit d81bfb41e30c42531536c5d2baa4d275a8309715 ] + +Fix the following sparse warning in mt7615_mac_write_txwi routine: +drivers/net/wireless/mediatek/mt76/mt7615/mac.c:758:17: + warning: incorrect type in assignment + expected restricted __le32 [usertype] + got unsigned long + +Fixes: 04b8e65922f63 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets") +Fixes: d4bf77bd74930 ("mt76: mt7615: introduce mt7663u support to mt7615_write_txwi") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +index a83e48c07a71e..5455231f51881 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +@@ -755,12 +755,15 @@ int mt7615_mac_write_txwi(struct mt7615_dev *dev, __le32 *txwi, + if (info->flags & IEEE80211_TX_CTL_NO_ACK) + txwi[3] |= cpu_to_le32(MT_TXD3_NO_ACK); + +- txwi[7] = FIELD_PREP(MT_TXD7_TYPE, fc_type) | +- FIELD_PREP(MT_TXD7_SUB_TYPE, fc_stype) | +- FIELD_PREP(MT_TXD7_SPE_IDX, 0x18); +- if (!is_mmio) +- txwi[8] = FIELD_PREP(MT_TXD8_L_TYPE, fc_type) | +- FIELD_PREP(MT_TXD8_L_SUB_TYPE, fc_stype); ++ val = FIELD_PREP(MT_TXD7_TYPE, fc_type) | ++ FIELD_PREP(MT_TXD7_SUB_TYPE, fc_stype) | ++ FIELD_PREP(MT_TXD7_SPE_IDX, 0x18); ++ txwi[7] = cpu_to_le32(val); ++ if (!is_mmio) { ++ val = FIELD_PREP(MT_TXD8_L_TYPE, fc_type) | ++ FIELD_PREP(MT_TXD8_L_SUB_TYPE, fc_stype); ++ txwi[8] = cpu_to_le32(val); ++ } + + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7615-fix-hwmon-temp-sensor-mem-use-after-free.patch b/queue-5.15/mt76-mt7615-fix-hwmon-temp-sensor-mem-use-after-free.patch new file mode 100644 index 00000000000..aff54db94d8 --- /dev/null +++ b/queue-5.15/mt76-mt7615-fix-hwmon-temp-sensor-mem-use-after-free.patch @@ -0,0 +1,44 @@ +From ad6396d056b7b1c7fd3698a84ff1d46b7ebc112f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 13:52:04 +0800 +Subject: mt76: mt7615: fix hwmon temp sensor mem use-after-free + +From: Ryder Lee + +[ Upstream commit 0bb4e9187ea4a59dc6658a62978deda0c0dc4b28 ] + +Without this change, garbage is seen in the hwmon name and sensors output +for mt7615 is garbled. + +Fixes: 109e505ad944 ("mt76: mt7615: add thermal sensor device support") +Signed-off-by: Ryder Lee +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/init.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/init.c b/drivers/net/wireless/mediatek/mt76/mt7615/init.c +index 2f1ac644e018e..47f23ac905a3c 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/init.c +@@ -49,12 +49,14 @@ int mt7615_thermal_init(struct mt7615_dev *dev) + { + struct wiphy *wiphy = mt76_hw(dev)->wiphy; + struct device *hwmon; ++ const char *name; + + if (!IS_REACHABLE(CONFIG_HWMON)) + return 0; + +- hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev, +- wiphy_name(wiphy), dev, ++ name = devm_kasprintf(&wiphy->dev, GFP_KERNEL, "mt7615_%s", ++ wiphy_name(wiphy)); ++ hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev, name, dev, + mt7615_hwmon_groups); + if (IS_ERR(hwmon)) + return PTR_ERR(hwmon); +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7615-fix-monitor-mode-tear-down-crash.patch b/queue-5.15/mt76-mt7615-fix-monitor-mode-tear-down-crash.patch new file mode 100644 index 00000000000..91fff87bfa7 --- /dev/null +++ b/queue-5.15/mt76-mt7615-fix-monitor-mode-tear-down-crash.patch @@ -0,0 +1,118 @@ +From e31b6bfc0e4bdcb10460142d03826286f1b3d7b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 12:59:49 +0800 +Subject: mt76: mt7615: fix monitor mode tear down crash + +From: Ryder Lee + +[ Upstream commit a6fdbdd1ac2996a58a84672ef37efb5cbb98fadf ] + +[ 103.451600] CPU 3 Unable to handle kernel paging request at virtual address 00000003, epc == 8576591c, ra == 857659f0 +[ 103.462226] Oops[#1]: +[ 103.464499] CPU: 3 PID: 9247 Comm: ifconfig Tainted: G W 5.4.143 #0 +[ 103.472031] $ 0 : 00000000 00000001 83be3854 00000000 +[ 103.477239] $ 4 : 8102a374 8102a374 8102f0b0 00000200 +[ 103.482444] $ 8 : 0000002d 000001e4 64373765 5d206337 +[ 103.487647] $12 : 00000000 00000005 00000000 0006d1df +[ 103.492853] $16 : 83be3848 853838a8 8743d600 00010000 +[ 103.498059] $20 : 00000000 00000000 8553dec0 0000007f +[ 103.503266] $24 : 00000003 80382084 +[ 103.508472] $28 : 831d4000 831d5bc0 00000001 857659f0 +[ 103.513678] Hi : 00000122 +[ 103.516543] Lo : d1768000 +[ 103.519452] epc : 8576591c mt7615_mcu_add_bss+0xd0/0x3c0 [mt7615_common] +[ 103.526306] ra : 857659f0 mt7615_mcu_add_bss+0x1a4/0x3c0 [mt7615_common] +[ 103.533232] Status: 11007c03 KERNEL EXL IE +[ 103.537402] Cause : 40800008 (ExcCode 02) +[ 103.541389] BadVA : 00000003 +[ 103.544253] PrId : 0001992f (MIPS 1004Kc) +[ 103.797086] Call Trace: +[ 103.799562] [<8576591c>] mt7615_mcu_add_bss+0xd0/0x3c0 [mt7615_common] +[ 103.806082] [<85760a14>] mt7615_remove_interface+0x74/0x1e0 [mt7615_common] +[ 103.813280] [<85603fcc>] drv_remove_interface+0x2c/0xa0 [mac80211] +[ 103.819612] [<8561a8e4>] ieee80211_del_virtual_monitor.part.22+0x74/0xe8 [mac80211] +[ 103.827410] [<8561b7f0>] ieee80211_do_stop+0x4a4/0x8a0 [mac80211] +[ 103.833671] [<8561bc00>] ieee80211_stop+0x14/0x24 [mac80211] +[ 103.839405] [<8045a328>] __dev_close_many+0x9c/0x10c +[ 103.844364] [<80463de4>] __dev_change_flags+0x16c/0x1e4 +[ 103.849569] [<80463e84>] dev_change_flags+0x28/0x70 +[ 103.854440] [<80521e54>] devinet_ioctl+0x280/0x774 +[ 103.859222] [<80526248>] inet_ioctl+0xa4/0x1c8 +[ 103.863674] [<80436830>] sock_ioctl+0x2d8/0x4bc +[ 103.868201] [<801adbb4>] do_vfs_ioctl+0xb8/0x7c0 +[ 103.872804] [<801ae30c>] ksys_ioctl+0x50/0xb4 +[ 103.877156] [<80014598>] syscall_common+0x34/0x58 + +Fixes: 04b8e65922f63 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets") +Signed-off-by: Ryder Lee +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7615/mcu.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +index f8a09692d3e4c..4fed3afad67cc 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +@@ -808,7 +808,8 @@ mt7615_mcu_ctrl_pm_state(struct mt7615_dev *dev, int band, int state) + + static int + mt7615_mcu_bss_basic_tlv(struct sk_buff *skb, struct ieee80211_vif *vif, +- struct ieee80211_sta *sta, bool enable) ++ struct ieee80211_sta *sta, struct mt7615_phy *phy, ++ bool enable) + { + struct mt7615_vif *mvif = (struct mt7615_vif *)vif->drv_priv; + u32 type = vif->p2p ? NETWORK_P2P : NETWORK_INFRA; +@@ -821,6 +822,7 @@ mt7615_mcu_bss_basic_tlv(struct sk_buff *skb, struct ieee80211_vif *vif, + switch (vif->type) { + case NL80211_IFTYPE_MESH_POINT: + case NL80211_IFTYPE_AP: ++ case NL80211_IFTYPE_MONITOR: + break; + case NL80211_IFTYPE_STATION: + /* TODO: enable BSS_INFO_UAPSD & BSS_INFO_PM */ +@@ -840,14 +842,19 @@ mt7615_mcu_bss_basic_tlv(struct sk_buff *skb, struct ieee80211_vif *vif, + } + + bss = (struct bss_info_basic *)tlv; +- memcpy(bss->bssid, vif->bss_conf.bssid, ETH_ALEN); +- bss->bcn_interval = cpu_to_le16(vif->bss_conf.beacon_int); + bss->network_type = cpu_to_le32(type); +- bss->dtim_period = vif->bss_conf.dtim_period; + bss->bmc_tx_wlan_idx = wlan_idx; + bss->wmm_idx = mvif->mt76.wmm_idx; + bss->active = enable; + ++ if (vif->type != NL80211_IFTYPE_MONITOR) { ++ memcpy(bss->bssid, vif->bss_conf.bssid, ETH_ALEN); ++ bss->bcn_interval = cpu_to_le16(vif->bss_conf.beacon_int); ++ bss->dtim_period = vif->bss_conf.dtim_period; ++ } else { ++ memcpy(bss->bssid, phy->mt76->macaddr, ETH_ALEN); ++ } ++ + return 0; + } + +@@ -863,6 +870,7 @@ mt7615_mcu_bss_omac_tlv(struct sk_buff *skb, struct ieee80211_vif *vif) + tlv = mt76_connac_mcu_add_tlv(skb, BSS_INFO_OMAC, sizeof(*omac)); + + switch (vif->type) { ++ case NL80211_IFTYPE_MONITOR: + case NL80211_IFTYPE_MESH_POINT: + case NL80211_IFTYPE_AP: + if (vif->p2p) +@@ -929,7 +937,7 @@ mt7615_mcu_add_bss(struct mt7615_phy *phy, struct ieee80211_vif *vif, + if (enable) + mt7615_mcu_bss_omac_tlv(skb, vif); + +- mt7615_mcu_bss_basic_tlv(skb, vif, sta, enable); ++ mt7615_mcu_bss_basic_tlv(skb, vif, sta, phy, enable); + + if (enable && mvif->mt76.omac_idx >= EXT_BSSID_START && + mvif->mt76.omac_idx < REPEATER_BSSID_START) +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7615-mt7622-fix-ibss-and-meshpoint.patch b/queue-5.15/mt76-mt7615-mt7622-fix-ibss-and-meshpoint.patch new file mode 100644 index 00000000000..8d349ca7d5a --- /dev/null +++ b/queue-5.15/mt76-mt7615-mt7622-fix-ibss-and-meshpoint.patch @@ -0,0 +1,65 @@ +From 7592c7c1185e28dfefa406c60dc7d02eadcf6c04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 00:57:25 +0200 +Subject: mt76: mt7615: mt7622: fix ibss and meshpoint + +From: Nick Hainke + +[ Upstream commit 753453afacc0243bd45de45e34218a8d17493e8f ] + +commit 7f4b7920318b ("mt76: mt7615: add ibss support") introduced IBSS +and commit f4ec7fdf7f83 ("mt76: mt7615: enable support for mesh") +meshpoint support. + +Both used in the "get_omac_idx"-function: + + if (~mask & BIT(HW_BSSID_0)) + return HW_BSSID_0; + +With commit d8d59f66d136 ("mt76: mt7615: support 16 interfaces") the +ibss and meshpoint mode should "prefer hw bssid slot 1-3". However, +with that change the ibss or meshpoint mode will not send any beacon on +the mt7622 wifi anymore. Devices were still able to exchange data but +only if a bssid already existed. Two mt7622 devices will never be able +to communicate. + +This commits reverts the preferation of slot 1-3 for ibss and +meshpoint. Only NL80211_IFTYPE_STATION will still prefer slot 1-3. + +Tested on Banana Pi R64. + +Fixes: d8d59f66d136 ("mt76: mt7615: support 16 interfaces") +Signed-off-by: Nick Hainke +Acked-by: Felix Fietkau +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211007225725.2615-1-vincent@systemli.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/main.c b/drivers/net/wireless/mediatek/mt76/mt7615/main.c +index dada43d6d879e..51260a669d166 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c +@@ -135,8 +135,6 @@ static int get_omac_idx(enum nl80211_iftype type, u64 mask) + int i; + + switch (type) { +- case NL80211_IFTYPE_MESH_POINT: +- case NL80211_IFTYPE_ADHOC: + case NL80211_IFTYPE_STATION: + /* prefer hw bssid slot 1-3 */ + i = get_free_idx(mask, HW_BSSID_1, HW_BSSID_3); +@@ -160,6 +158,8 @@ static int get_omac_idx(enum nl80211_iftype type, u64 mask) + return HW_BSSID_0; + + break; ++ case NL80211_IFTYPE_ADHOC: ++ case NL80211_IFTYPE_MESH_POINT: + case NL80211_IFTYPE_MONITOR: + case NL80211_IFTYPE_AP: + /* ap uses hw bssid 0 and ext bssid */ +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt76x02-fix-endianness-warnings-in-mt76x02_mac..patch b/queue-5.15/mt76-mt76x02-fix-endianness-warnings-in-mt76x02_mac..patch new file mode 100644 index 00000000000..e7b54dbaf65 --- /dev/null +++ b/queue-5.15/mt76-mt76x02-fix-endianness-warnings-in-mt76x02_mac..patch @@ -0,0 +1,87 @@ +From 463d05d64569bd24f24ced16e2daf38e52c27cc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Jun 2021 09:48:30 +0200 +Subject: mt76: mt76x02: fix endianness warnings in mt76x02_mac.c + +From: Lorenzo Bianconi + +[ Upstream commit c33edef520213feccebc22c9474c685b9fb60611 ] + +Fix the following sparse warning in mt76x02_mac_write_txwi and +mt76x02_mac_tx_rate_val routines: +drivers/net/wireless/mediatek/mt76/mt76x02_mac.c:237:19: + warning: restricted __le16 degrades to intege + warning: cast from restricted __le16 +drivers/net/wireless/mediatek/mt76/mt76x02_mac.c:383:28: + warning: incorrect type in assignment (different base types) + expected restricted __le16 [usertype] rate + got unsigned long + +Fixes: db9f11d3433f7 ("mt76: store wcid tx rate info in one u32 reduce locking") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76x02_mac.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c +index c32e6dc687739..07b21b2085823 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c +@@ -176,7 +176,7 @@ void mt76x02_mac_wcid_set_drop(struct mt76x02_dev *dev, u8 idx, bool drop) + mt76_wr(dev, MT_WCID_DROP(idx), (val & ~bit) | (bit * drop)); + } + +-static __le16 ++static u16 + mt76x02_mac_tx_rate_val(struct mt76x02_dev *dev, + const struct ieee80211_tx_rate *rate, u8 *nss_val) + { +@@ -222,14 +222,14 @@ mt76x02_mac_tx_rate_val(struct mt76x02_dev *dev, + rateval |= MT_RXWI_RATE_SGI; + + *nss_val = nss; +- return cpu_to_le16(rateval); ++ return rateval; + } + + void mt76x02_mac_wcid_set_rate(struct mt76x02_dev *dev, struct mt76_wcid *wcid, + const struct ieee80211_tx_rate *rate) + { + s8 max_txpwr_adj = mt76x02_tx_get_max_txpwr_adj(dev, rate); +- __le16 rateval; ++ u16 rateval; + u32 tx_info; + s8 nss; + +@@ -342,7 +342,7 @@ void mt76x02_mac_write_txwi(struct mt76x02_dev *dev, struct mt76x02_txwi *txwi, + struct ieee80211_key_conf *key = info->control.hw_key; + u32 wcid_tx_info; + u16 rate_ht_mask = FIELD_PREP(MT_RXWI_RATE_PHY, BIT(1) | BIT(2)); +- u16 txwi_flags = 0; ++ u16 txwi_flags = 0, rateval; + u8 nss; + s8 txpwr_adj, max_txpwr_adj; + u8 ccmp_pn[8], nstreams = dev->mphy.chainmask & 0xf; +@@ -380,14 +380,15 @@ void mt76x02_mac_write_txwi(struct mt76x02_dev *dev, struct mt76x02_txwi *txwi, + + if (wcid && (rate->idx < 0 || !rate->count)) { + wcid_tx_info = wcid->tx_info; +- txwi->rate = FIELD_GET(MT_WCID_TX_INFO_RATE, wcid_tx_info); ++ rateval = FIELD_GET(MT_WCID_TX_INFO_RATE, wcid_tx_info); + max_txpwr_adj = FIELD_GET(MT_WCID_TX_INFO_TXPWR_ADJ, + wcid_tx_info); + nss = FIELD_GET(MT_WCID_TX_INFO_NSS, wcid_tx_info); + } else { +- txwi->rate = mt76x02_mac_tx_rate_val(dev, rate, &nss); ++ rateval = mt76x02_mac_tx_rate_val(dev, rate, &nss); + max_txpwr_adj = mt76x02_tx_get_max_txpwr_adj(dev, rate); + } ++ txwi->rate = cpu_to_le16(rateval); + + txpwr_adj = mt76x02_tx_get_txpwr_adj(dev, dev->txpower_conf, + max_txpwr_adj); +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7915-fix-an-off-by-one-bound-check.patch b/queue-5.15/mt76-mt7915-fix-an-off-by-one-bound-check.patch new file mode 100644 index 00000000000..807416864ae --- /dev/null +++ b/queue-5.15/mt76-mt7915-fix-an-off-by-one-bound-check.patch @@ -0,0 +1,34 @@ +From 1364077042e60f0757782acb67b67e8caf5bffce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 15:56:10 +0800 +Subject: mt76: mt7915: fix an off-by-one bound check + +From: Ryder Lee + +[ Upstream commit d45dac0732a287fc371a23f257cce04e65627947 ] + +The bounds check on datalen is off-by-one, so fix it. + +Signed-off-by: Ryder Lee +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index 43960770a9af2..2f30047bd80f2 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -925,7 +925,7 @@ static void mt7915_check_he_obss_narrow_bw_ru_iter(struct wiphy *wiphy, + + elem = ieee80211_bss_get_elem(bss, WLAN_EID_EXT_CAPABILITY); + +- if (!elem || elem->datalen < 10 || ++ if (!elem || elem->datalen <= 10 || + !(elem->data[10] & + WLAN_EXT_CAPA10_OBSS_NARROW_BW_RU_TOLERANCE_SUPPORT)) + data->tolerated = false; +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7915-fix-bit-fields-for-ht-rate-idx.patch b/queue-5.15/mt76-mt7915-fix-bit-fields-for-ht-rate-idx.patch new file mode 100644 index 00000000000..05c235ed396 --- /dev/null +++ b/queue-5.15/mt76-mt7915-fix-bit-fields-for-ht-rate-idx.patch @@ -0,0 +1,39 @@ +From 021459cdcac890a756500685f28cf56f4df42cd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 21:00:14 +0800 +Subject: mt76: mt7915: fix bit fields for HT rate idx + +From: Shayne Chen + +[ Upstream commit 47f1c08db7f3aaa2d13f8e56209375462ace7b8a ] + +The bit fields of tx rate idx should be 6 bits, otherwise it might be +incorrect in HT mode. +For VHT/HE rates, only 4 bits are actually used by rate idx, the other +2 bits are used for other functions. + +Fixes: c31d94af1843 ("mt76: mt7915: fix tx rate related fields in tx descriptor") +Signed-off-by: Shayne Chen +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mac.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.h b/drivers/net/wireless/mediatek/mt76/mt7915/mac.h +index eb1885f4bd8eb..fee7741b5d421 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.h +@@ -272,7 +272,8 @@ enum tx_mcu_port_q_idx { + #define MT_TX_RATE_MODE GENMASK(9, 6) + #define MT_TX_RATE_SU_EXT_TONE BIT(5) + #define MT_TX_RATE_DCM BIT(4) +-#define MT_TX_RATE_IDX GENMASK(3, 0) ++/* VHT/HE only use bits 0-3 */ ++#define MT_TX_RATE_IDX GENMASK(5, 0) + + #define MT_TXP_MAX_BUF_NUM 6 + +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7915-fix-endianness-warning-in-mt7915_mac_add.patch b/queue-5.15/mt76-mt7915-fix-endianness-warning-in-mt7915_mac_add.patch new file mode 100644 index 00000000000..05d591cad60 --- /dev/null +++ b/queue-5.15/mt76-mt7915-fix-endianness-warning-in-mt7915_mac_add.patch @@ -0,0 +1,40 @@ +From 233bc50ca5dc38c9d73bd36e19292440b8094cab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 10:21:31 +0200 +Subject: mt76: mt7915: fix endianness warning in mt7915_mac_add_txs_skb + +From: Lorenzo Bianconi + +[ Upstream commit 08b3c8da87aed4200dab00906f149d675ca90f23 ] + +Fix the following sparse warning in mt7915_mac_add_txs_skb routine: + +drivers/net/wireless/mediatek/mt76/mt7915/mac.c:1235:29: + warning: cast to restricted __le32 +drivers/net/wireless/mediatek/mt76/mt7915/mac.c:1235:23: + warning: restricted __le32 degrades to integer + +Fixes: 3de4cb1756565 ("mt76: mt7915: add support for tx status reporting") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +index 2462704094b0a..bbc996f86b5c3 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c +@@ -1232,7 +1232,7 @@ mt7915_mac_add_txs_skb(struct mt7915_dev *dev, struct mt76_wcid *wcid, int pid, + goto out; + + info = IEEE80211_SKB_CB(skb); +- if (!(txs_data[0] & le32_to_cpu(MT_TXS0_ACK_ERROR_MASK))) ++ if (!(txs_data[0] & cpu_to_le32(MT_TXS0_ACK_ERROR_MASK))) + info->flags |= IEEE80211_TX_STAT_ACK; + + info->status.ampdu_len = 1; +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7915-fix-hwmon-temp-sensor-mem-use-after-free.patch b/queue-5.15/mt76-mt7915-fix-hwmon-temp-sensor-mem-use-after-free.patch new file mode 100644 index 00000000000..b4b088ff629 --- /dev/null +++ b/queue-5.15/mt76-mt7915-fix-hwmon-temp-sensor-mem-use-after-free.patch @@ -0,0 +1,55 @@ +From 4128f80d8b913cc8dd7aa3f0c1aaf89421d6615d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 13:52:03 +0800 +Subject: mt76: mt7915: fix hwmon temp sensor mem use-after-free + +From: Ben Greear + +[ Upstream commit 0ae3ff5684514d72357240f1033a7494c51f93ed ] + +Without this change, garbage is seen in the hwmon name and sensors output +for mt7915 is garbled. It appears that the hwmon logic does not make a +copy of the incoming string, but instead just copies a char* and expects +it to never go away. + +Fixes: 33fe9c639c13 ("mt76: mt7915: add thermal sensor device support") +Signed-off-by: Ben Greear +Signed-off-by: Ryder Lee +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/init.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c b/drivers/net/wireless/mediatek/mt76/mt7915/init.c +index 4798d6344305d..b171027e0cfa8 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c +@@ -130,9 +130,12 @@ static int mt7915_thermal_init(struct mt7915_phy *phy) + struct wiphy *wiphy = phy->mt76->hw->wiphy; + struct thermal_cooling_device *cdev; + struct device *hwmon; ++ const char *name; + +- cdev = thermal_cooling_device_register(wiphy_name(wiphy), phy, +- &mt7915_thermal_ops); ++ name = devm_kasprintf(&wiphy->dev, GFP_KERNEL, "mt7915_%s", ++ wiphy_name(wiphy)); ++ ++ cdev = thermal_cooling_device_register(name, phy, &mt7915_thermal_ops); + if (!IS_ERR(cdev)) { + if (sysfs_create_link(&wiphy->dev.kobj, &cdev->device.kobj, + "cooling_device") < 0) +@@ -144,8 +147,7 @@ static int mt7915_thermal_init(struct mt7915_phy *phy) + if (!IS_REACHABLE(CONFIG_HWMON)) + return 0; + +- hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev, +- wiphy_name(wiphy), phy, ++ hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev, name, phy, + mt7915_hwmon_groups); + if (IS_ERR(hwmon)) + return PTR_ERR(hwmon); +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7915-fix-info-leak-in-mt7915_mcu_set_pre_cal.patch b/queue-5.15/mt76-mt7915-fix-info-leak-in-mt7915_mcu_set_pre_cal.patch new file mode 100644 index 00000000000..4f787a2e66d --- /dev/null +++ b/queue-5.15/mt76-mt7915-fix-info-leak-in-mt7915_mcu_set_pre_cal.patch @@ -0,0 +1,37 @@ +From 2e47add8e414bd0b1e146f581edd6d123aea2557 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 17:58:54 +0300 +Subject: mt76: mt7915: fix info leak in mt7915_mcu_set_pre_cal() + +From: Dan Carpenter + +[ Upstream commit 3924715ffe5e064a85f56490f77b7b2084230800 ] + +Zero out all the unused members of "req" so that we don't disclose +stack information. + +Fixes: 495184ac91bb ("mt76: mt7915: add support for applying pre-calibration data") +Signed-off-by: Dan Carpenter +Acked-by: Felix Fietkau +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index 2f30047bd80f2..caf2033c5c17e 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -3481,7 +3481,7 @@ static int mt7915_mcu_set_pre_cal(struct mt7915_dev *dev, u8 idx, + u8 idx; + u8 rsv[4]; + __le32 len; +- } req; ++ } req = {}; + struct sk_buff *skb; + + skb = mt76_mcu_msg_alloc(&dev->mt76, NULL, sizeof(req) + len); +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7915-fix-muar_idx-in-mt7915_mcu_alloc_sta_req.patch b/queue-5.15/mt76-mt7915-fix-muar_idx-in-mt7915_mcu_alloc_sta_req.patch new file mode 100644 index 00000000000..6b7f39f02ff --- /dev/null +++ b/queue-5.15/mt76-mt7915-fix-muar_idx-in-mt7915_mcu_alloc_sta_req.patch @@ -0,0 +1,35 @@ +From 5a9eb3c413a8103e6f61ae51817994d3bdf86aa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 16:07:04 +0800 +Subject: mt76: mt7915: fix muar_idx in mt7915_mcu_alloc_sta_req() + +From: Shayne Chen + +[ Upstream commit 161cc13912d3c3e8857001988dfba39be842454a ] + +For broadcast/multicast wcid, the muar_idx should be 0xe. + +Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") +Signed-off-by: Shayne Chen +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index 6dfe3716a63a5..ba36d3caec8e1 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -721,7 +721,7 @@ mt7915_mcu_alloc_sta_req(struct mt7915_dev *dev, struct mt7915_vif *mvif, + .bss_idx = mvif->idx, + .wlan_idx_lo = msta ? to_wcid_lo(msta->wcid.idx) : 0, + .wlan_idx_hi = msta ? to_wcid_hi(msta->wcid.idx) : 0, +- .muar_idx = msta ? mvif->omac_idx : 0, ++ .muar_idx = msta && msta->wcid.sta ? mvif->omac_idx : 0xe, + .is_tlv_append = 1, + }; + struct sk_buff *skb; +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7915-fix-possible-infinite-loop-release-semap.patch b/queue-5.15/mt76-mt7915-fix-possible-infinite-loop-release-semap.patch new file mode 100644 index 00000000000..2d45574af23 --- /dev/null +++ b/queue-5.15/mt76-mt7915-fix-possible-infinite-loop-release-semap.patch @@ -0,0 +1,36 @@ +From 37e2ce91a705b30f1c5aefa3689ec45038ff8864 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 18:42:51 +0200 +Subject: mt76: mt7915: fix possible infinite loop release semaphore + +From: Lorenzo Bianconi + +[ Upstream commit e500c9470e26be66eb2bc6de773ae9091149118a ] + +Fix possible infinite loop in mt7915_load_patch if +mt7915_mcu_patch_sem_ctrl always returns an error. + +Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index e7e396f58c92c..85c9c08ee2a82 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -2790,7 +2790,7 @@ out: + default: + ret = -EAGAIN; + dev_err(dev->mt76.dev, "Failed to release patch semaphore\n"); +- goto out; ++ break; + } + release_firmware(fw); + +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7915-fix-potential-overflow-of-eeprom-page-in.patch b/queue-5.15/mt76-mt7915-fix-potential-overflow-of-eeprom-page-in.patch new file mode 100644 index 00000000000..778d7fd598a --- /dev/null +++ b/queue-5.15/mt76-mt7915-fix-potential-overflow-of-eeprom-page-in.patch @@ -0,0 +1,62 @@ +From 4f0ba6c948d30eb8c719684b4932d224a0427473 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Jul 2021 10:48:32 +0800 +Subject: mt76: mt7915: fix potential overflow of eeprom page index + +From: Shayne Chen + +[ Upstream commit 82a980f82a511ce74ab57eb9f692d02225eb32f4 ] + +If total eeprom size is divisible by per-page size, the i in for loop +will exceed max page index, which happens in our newer chipset. + +Fixes: 26f18380e6ca ("mt76: mt7915: add support for flash mode") +Signed-off-by: Bo Jiao +Signed-off-by: Shayne Chen +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index c08c7398f9b85..e7e396f58c92c 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -3391,20 +3391,20 @@ int mt7915_mcu_set_chan_info(struct mt7915_phy *phy, int cmd) + + static int mt7915_mcu_set_eeprom_flash(struct mt7915_dev *dev) + { +-#define TOTAL_PAGE_MASK GENMASK(7, 5) ++#define MAX_PAGE_IDX_MASK GENMASK(7, 5) + #define PAGE_IDX_MASK GENMASK(4, 2) + #define PER_PAGE_SIZE 0x400 + struct mt7915_mcu_eeprom req = { .buffer_mode = EE_MODE_BUFFER }; +- u8 total = MT7915_EEPROM_SIZE / PER_PAGE_SIZE; ++ u8 total = DIV_ROUND_UP(MT7915_EEPROM_SIZE, PER_PAGE_SIZE); + u8 *eep = (u8 *)dev->mt76.eeprom.data; + int eep_len; + int i; + +- for (i = 0; i <= total; i++, eep += eep_len) { ++ for (i = 0; i < total; i++, eep += eep_len) { + struct sk_buff *skb; + int ret; + +- if (i == total) ++ if (i == total - 1 && !!(MT7915_EEPROM_SIZE % PER_PAGE_SIZE)) + eep_len = MT7915_EEPROM_SIZE % PER_PAGE_SIZE; + else + eep_len = PER_PAGE_SIZE; +@@ -3414,7 +3414,7 @@ static int mt7915_mcu_set_eeprom_flash(struct mt7915_dev *dev) + if (!skb) + return -ENOMEM; + +- req.format = FIELD_PREP(TOTAL_PAGE_MASK, total) | ++ req.format = FIELD_PREP(MAX_PAGE_IDX_MASK, total - 1) | + FIELD_PREP(PAGE_IDX_MASK, i) | EE_FORMAT_WHOLE; + req.len = cpu_to_le16(eep_len); + +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7915-fix-sta_rec_wtbl-tag-len.patch b/queue-5.15/mt76-mt7915-fix-sta_rec_wtbl-tag-len.patch new file mode 100644 index 00000000000..b39540ed8a3 --- /dev/null +++ b/queue-5.15/mt76-mt7915-fix-sta_rec_wtbl-tag-len.patch @@ -0,0 +1,36 @@ +From 65447ea022e525b5ccea927952613353aa6af737 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 16:07:02 +0800 +Subject: mt76: mt7915: fix sta_rec_wtbl tag len + +From: Shayne Chen + +[ Upstream commit afa0370f3a3a64af6d368da0bedd72ab2a026cd0 ] + +Fix tag len error for sta_rec_wtbl, which causes fw parsing error for +the tags placed behind it. + +Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") +Signed-off-by: Shayne Chen +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +index 85c9c08ee2a82..6dfe3716a63a5 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c +@@ -757,7 +757,7 @@ mt7915_mcu_alloc_wtbl_req(struct mt7915_dev *dev, struct mt7915_sta *msta, + } + + if (sta_hdr) +- sta_hdr->len = cpu_to_le16(sizeof(hdr)); ++ le16_add_cpu(&sta_hdr->len, sizeof(hdr)); + + return skb_put_data(nskb, &hdr, sizeof(hdr)); + } +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7921-always-wake-device-if-necessary-in-debug.patch b/queue-5.15/mt76-mt7921-always-wake-device-if-necessary-in-debug.patch new file mode 100644 index 00000000000..852f2ad1a95 --- /dev/null +++ b/queue-5.15/mt76-mt7921-always-wake-device-if-necessary-in-debug.patch @@ -0,0 +1,63 @@ +From 7df2c3876c43e676bcaef0df035b6ea6aaee40e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 10:20:57 +0200 +Subject: mt76: mt7921: always wake device if necessary in debugfs + +From: Lorenzo Bianconi + +[ Upstream commit 569008744178b672ea3ad9047fa3098f1b73ca55 ] + +Add missing device wakeup in debugfs code if we are accessing chip +registers. + +Fixes: 1d8efc741df8 ("mt76: mt7921: introduce Runtime PM support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c +index 4c89c4ac8031a..30f3b3085c786 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c +@@ -95,6 +95,8 @@ mt7921_tx_stats_show(struct seq_file *file, void *data) + struct mt7921_dev *dev = file->private; + int stat[8], i, n; + ++ mt7921_mutex_acquire(dev); ++ + mt7921_ampdu_stat_read_phy(&dev->phy, file); + + /* Tx amsdu info */ +@@ -104,6 +106,8 @@ mt7921_tx_stats_show(struct seq_file *file, void *data) + n += stat[i]; + } + ++ mt7921_mutex_release(dev); ++ + for (i = 0; i < ARRAY_SIZE(stat); i++) { + seq_printf(file, "AMSDU pack count of %d MSDU in TXD: 0x%x ", + i + 1, stat[i]); +@@ -124,6 +128,8 @@ mt7921_queues_acq(struct seq_file *s, void *data) + struct mt7921_dev *dev = dev_get_drvdata(s->private); + int i; + ++ mt7921_mutex_acquire(dev); ++ + for (i = 0; i < 16; i++) { + int j, acs = i / 4, index = i % 4; + u32 ctrl, val, qlen = 0; +@@ -143,6 +149,8 @@ mt7921_queues_acq(struct seq_file *s, void *data) + seq_printf(s, "AC%d%d: queued=%d\n", acs, index, qlen); + } + ++ mt7921_mutex_release(dev); ++ + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7921-fix-dma-hang-in-rmmod.patch b/queue-5.15/mt76-mt7921-fix-dma-hang-in-rmmod.patch new file mode 100644 index 00000000000..40db5680307 --- /dev/null +++ b/queue-5.15/mt76-mt7921-fix-dma-hang-in-rmmod.patch @@ -0,0 +1,49 @@ +From d3ae28487a9450301f06ef81e2c13cd70547c1f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 17:47:09 +0800 +Subject: mt76: mt7921: fix dma hang in rmmod + +From: Deren Wu + +[ Upstream commit a23f80aa9c5e6ad4ec8df88037b7ffd4162b1ec4 ] + +The dma would be broken after rmmod flow. There are two different +cases causing this issue. +1. dma access without privilege. +2. hw access sequence borken by another context. + +This patch handle both cases to avoid hw crash. + +Fixes: 2b9ea5a8cf1bd ("mt76: mt7921: add mt7921_dma_cleanup in mt7921_unregister_device") +Signed-off-by: Deren Wu +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/init.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/init.c b/drivers/net/wireless/mediatek/mt76/mt7921/init.c +index 52d40385fab6c..78a00028137bd 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/init.c +@@ -251,8 +251,17 @@ int mt7921_register_device(struct mt7921_dev *dev) + + void mt7921_unregister_device(struct mt7921_dev *dev) + { ++ int i; ++ struct mt76_connac_pm *pm = &dev->pm; ++ + mt76_unregister_device(&dev->mt76); ++ mt76_for_each_q_rx(&dev->mt76, i) ++ napi_disable(&dev->mt76.napi[i]); ++ cancel_delayed_work_sync(&pm->ps_work); ++ cancel_work_sync(&pm->wake_work); ++ + mt7921_tx_token_put(dev); ++ mt7921_mcu_drv_pmctrl(dev); + mt7921_dma_cleanup(dev); + mt7921_mcu_exit(dev); + +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7921-fix-endianness-in-mt7921_mcu_tx_done_eve.patch b/queue-5.15/mt76-mt7921-fix-endianness-in-mt7921_mcu_tx_done_eve.patch new file mode 100644 index 00000000000..84b48742039 --- /dev/null +++ b/queue-5.15/mt76-mt7921-fix-endianness-in-mt7921_mcu_tx_done_eve.patch @@ -0,0 +1,69 @@ +From fec80488e25ef7cd1a9f144b31461c4a034486d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Jun 2021 20:18:19 +0200 +Subject: mt76: mt7921: fix endianness in mt7921_mcu_tx_done_event + +From: Lorenzo Bianconi + +[ Upstream commit df040215c077de0c13aab12c222bd0360a0d3988 ] + +Fix endianness in mt7921_mcu_tx_done_event event reported by the +firmware. + +Fixes: 3cce2b98e0241 ("mt76: mt7921: introduce mac tx done handling") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 3 ++- + drivers/net/wireless/mediatek/mt76/mt7921/mcu.h | 10 +++++----- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +index 9fbaacc67cfad..68840e55ede7a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +@@ -532,7 +532,8 @@ mt7921_mcu_tx_done_event(struct mt7921_dev *dev, struct sk_buff *skb) + peer.g8 = !!(sta->vht_cap.cap & IEEE80211_VHT_CAP_SHORT_GI_80); + peer.g16 = !!(sta->vht_cap.cap & IEEE80211_VHT_CAP_SHORT_GI_160); + mt7921_mcu_tx_rate_parse(mphy->mt76, &peer, +- &msta->stats.tx_rate, event->tx_rate); ++ &msta->stats.tx_rate, ++ le16_to_cpu(event->tx_rate)); + + spin_lock_bh(&dev->sta_poll_lock); + break; +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.h +index de3c091f67368..42e7271848956 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.h +@@ -296,11 +296,11 @@ struct mt7921_txpwr_event { + struct mt7921_mcu_tx_done_event { + u8 pid; + u8 status; +- u16 seq; ++ __le16 seq; + + u8 wlan_idx; + u8 tx_cnt; +- u16 tx_rate; ++ __le16 tx_rate; + + u8 flag; + u8 tid; +@@ -312,9 +312,9 @@ struct mt7921_mcu_tx_done_event { + u8 reason; + u8 rsv0[1]; + +- u32 delay; +- u32 timestamp; +- u32 applied_flag; ++ __le32 delay; ++ __le32 timestamp; ++ __le32 applied_flag; + + u8 txs[28]; + +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7921-fix-endianness-warning-in-mt7921_update_.patch b/queue-5.15/mt76-mt7921-fix-endianness-warning-in-mt7921_update_.patch new file mode 100644 index 00000000000..73bfc05fb29 --- /dev/null +++ b/queue-5.15/mt76-mt7921-fix-endianness-warning-in-mt7921_update_.patch @@ -0,0 +1,41 @@ +From 58b8f36f55232301762d4345c1e86c0c8da992c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 11:18:58 +0200 +Subject: mt76: mt7921: fix endianness warning in mt7921_update_txs + +From: Lorenzo Bianconi + +[ Upstream commit 7fc167bbc9296e6aeaaa4063db3639e8a3db75f6 ] + +Fix the following sparse warning in mt7921_update_txs routine: +drivers/net/wireless/mediatek/mt76/mt7921/mac.c:752:31: + warning: cast to restricted __le32 +drivers/net/wireless/mediatek/mt76/mt7921/mac.c:752:31: + warning: restricted __le32 degrades to integer + +Fixes: e5bca8c5d2cd3 ("mt76: mt7921: improve code readability for mt7921_update_txs") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c +index 7fe2e3a50428f..f4714b0f6e5c4 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c +@@ -735,8 +735,9 @@ mt7921_mac_write_txwi_80211(struct mt7921_dev *dev, __le32 *txwi, + static void mt7921_update_txs(struct mt76_wcid *wcid, __le32 *txwi) + { + struct mt7921_sta *msta = container_of(wcid, struct mt7921_sta, wcid); +- u32 pid, frame_type = FIELD_GET(MT_TXD2_FRAME_TYPE, txwi[2]); ++ u32 pid, frame_type; + ++ frame_type = FIELD_GET(MT_TXD2_FRAME_TYPE, le32_to_cpu(txwi[2])); + if (!(frame_type & (IEEE80211_FTYPE_DATA >> 2))) + return; + +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7921-fix-firmware-usage-of-ra-info-using-lega.patch b/queue-5.15/mt76-mt7921-fix-firmware-usage-of-ra-info-using-lega.patch new file mode 100644 index 00000000000..bbaf51ce54f --- /dev/null +++ b/queue-5.15/mt76-mt7921-fix-firmware-usage-of-ra-info-using-lega.patch @@ -0,0 +1,71 @@ +From 358e0d85fb21be3835a39920475831564a32350d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Aug 2021 13:58:24 +0800 +Subject: mt76: mt7921: fix firmware usage of RA info using legacy rates + +From: Sean Wang + +[ Upstream commit 99b8e195994d9d77de3bfe0cb403c44a57c2cf79 ] + +According to the firmware usage, OFDM rates should fill out bit 6 - 13 +while CCK rates should fill out bit 0 - 3 in legacy field of RA info to +make the rate adaption runs propertly. Otherwise, a unicast frame might be +picking up the unsupported rate to send out. + +Fixes: 1c099ab44727 ("mt76: mt7921: add MCU support") +Reported-by: Joshua Emele +Co-developed-by: YN Chen +Signed-off-by: YN Chen +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 11 ++++++++++- + drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h | 2 ++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +index f57f047fce99c..98d233e24afcc 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c +@@ -719,6 +719,7 @@ void mt76_connac_mcu_sta_tlv(struct mt76_phy *mphy, struct sk_buff *skb, + struct sta_rec_state *state; + struct sta_rec_phy *phy; + struct tlv *tlv; ++ u16 supp_rates; + + /* starec ht */ + if (sta->ht_cap.ht_supported) { +@@ -767,7 +768,15 @@ void mt76_connac_mcu_sta_tlv(struct mt76_phy *mphy, struct sk_buff *skb, + + tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_RA, sizeof(*ra_info)); + ra_info = (struct sta_rec_ra_info *)tlv; +- ra_info->legacy = cpu_to_le16((u16)sta->supp_rates[band]); ++ ++ supp_rates = sta->supp_rates[band]; ++ if (band == NL80211_BAND_2GHZ) ++ supp_rates = FIELD_PREP(RA_LEGACY_OFDM, supp_rates >> 4) | ++ FIELD_PREP(RA_LEGACY_CCK, supp_rates & 0xf); ++ else ++ supp_rates = FIELD_PREP(RA_LEGACY_OFDM, supp_rates); ++ ++ ra_info->legacy = cpu_to_le16(supp_rates); + + if (sta->ht_cap.ht_supported) + memcpy(ra_info->rx_mcs_bitmask, sta->ht_cap.mcs.rx_mask, +diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h +index 4bcd728ff97c5..77d4435e4581e 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h +@@ -124,6 +124,8 @@ struct sta_rec_state { + u8 rsv[1]; + } __packed; + ++#define RA_LEGACY_OFDM GENMASK(13, 6) ++#define RA_LEGACY_CCK GENMASK(3, 0) + #define HT_MCS_MASK_NUM 10 + struct sta_rec_ra_info { + __le16 tag; +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7921-fix-kernel-warning-from-cfg80211_calcula.patch b/queue-5.15/mt76-mt7921-fix-kernel-warning-from-cfg80211_calcula.patch new file mode 100644 index 00000000000..b37f0ae4a76 --- /dev/null +++ b/queue-5.15/mt76-mt7921-fix-kernel-warning-from-cfg80211_calcula.patch @@ -0,0 +1,96 @@ +From e31774a160b00c996a69ce9c7a8bbe2cb3c9b27e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Aug 2021 02:09:18 +0800 +Subject: mt76: mt7921: fix kernel warning from cfg80211_calculate_bitrate + +From: Sean Wang + +[ Upstream commit 8e695328a1006b7bab2d972e7d0111fa6e6faf51 ] + +Fix the kernel warning from cfg80211_calculate_bitrate +due to the legacy rate is not parsed well in the current driver. + +Also, zeros struct rate_info before we fill it out to avoid the old value +is kept such as rate->legacy. + +[ 790.921560] WARNING: CPU: 7 PID: 970 at net/wireless/util.c:1298 cfg80211_calculate_bitrate+0x354/0x35c [cfg80211] +[ 790.987738] Hardware name: MediaTek Asurada rev1 board (DT) +[ 790.993298] pstate: a0400009 (NzCv daif +PAN -UAO) +[ 790.998104] pc : cfg80211_calculate_bitrate+0x354/0x35c [cfg80211] +[ 791.004295] lr : cfg80211_calculate_bitrate+0x180/0x35c [cfg80211] +[ 791.010462] sp : ffffffc0129c3880 +[ 791.013765] x29: ffffffc0129c3880 x28: ffffffd38305bea8 +[ 791.019065] x27: ffffffc0129c3970 x26: 0000000000000013 +[ 791.024364] x25: 00000000000003ca x24: 000000000000002f +[ 791.029664] x23: 00000000000000d0 x22: ffffff8d108bc000 +[ 791.034964] x21: ffffff8d108bc0d0 x20: ffffffc0129c39a8 +[ 791.040264] x19: ffffffc0129c39a8 x18: 00000000ffff0a10 +[ 791.045563] x17: 0000000000000050 x16: 00000000000000ec +[ 791.050910] x15: ffffffd3f9ebed9c x14: 0000000000000006 +[ 791.056211] x13: 00000000000b2eea x12: 0000000000000000 +[ 791.061511] x11: 00000000ffffffff x10: 0000000000000000 +[ 791.066811] x9 : 0000000000000000 x8 : 0000000000000000 +[ 791.072110] x7 : 0000000000000000 x6 : ffffffd3fafa5a7b +[ 791.077409] x5 : 0000000000000000 x4 : 0000000000000000 +[ 791.082708] x3 : 0000000000000000 x2 : 0000000000000000 +[ 791.088008] x1 : ffffff8d3f79c918 x0 : 0000000000000000 +[ 791.093308] Call trace: +[ 791.095770] cfg80211_calculate_bitrate+0x354/0x35c [cfg80211] +[ 791.101615] nl80211_put_sta_rate+0x6c/0x2c0 [cfg80211] +[ 791.106853] nl80211_send_station+0x980/0xaa4 [cfg80211] +[ 791.112178] nl80211_get_station+0xb4/0x134 [cfg80211] +[ 791.117308] genl_rcv_msg+0x3a0/0x440 +[ 791.120960] netlink_rcv_skb+0xcc/0x118 +[ 791.124785] genl_rcv+0x34/0x48 +[ 791.127916] netlink_unicast+0x144/0x1dc + +Fixes: 1c099ab44727 ("mt76: mt7921: add MCU support") +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +index 8ced55501d373..3cb53c642d242 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +@@ -320,11 +320,13 @@ mt7921_mcu_tx_rate_parse(struct mt76_phy *mphy, + struct rate_info *rate, u16 r) + { + struct ieee80211_supported_band *sband; +- u16 flags = 0; ++ u16 flags = 0, rate_idx; + u8 txmode = FIELD_GET(MT_WTBL_RATE_TX_MODE, r); + u8 gi = 0; + u8 bw = 0; ++ bool cck = false; + ++ memset(rate, 0, sizeof(*rate)); + rate->mcs = FIELD_GET(MT_WTBL_RATE_MCS, r); + rate->nss = FIELD_GET(MT_WTBL_RATE_NSS, r) + 1; + +@@ -349,13 +351,18 @@ mt7921_mcu_tx_rate_parse(struct mt76_phy *mphy, + + switch (txmode) { + case MT_PHY_TYPE_CCK: ++ cck = true; ++ fallthrough; + case MT_PHY_TYPE_OFDM: + if (mphy->chandef.chan->band == NL80211_BAND_5GHZ) + sband = &mphy->sband_5g.sband; + else + sband = &mphy->sband_2g.sband; + +- rate->legacy = sband->bitrates[rate->mcs].bitrate; ++ rate_idx = FIELD_GET(MT_TX_RATE_IDX, r); ++ rate_idx = mt76_get_rate(mphy->dev, sband, rate_idx, ++ cck); ++ rate->legacy = sband->bitrates[rate_idx].bitrate; + break; + case MT_PHY_TYPE_HT: + case MT_PHY_TYPE_HT_GF: +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7921-fix-out-of-order-process-by-invalid-even.patch b/queue-5.15/mt76-mt7921-fix-out-of-order-process-by-invalid-even.patch new file mode 100644 index 00000000000..2b5e196b1b1 --- /dev/null +++ b/queue-5.15/mt76-mt7921-fix-out-of-order-process-by-invalid-even.patch @@ -0,0 +1,46 @@ +From d475c2dbb40eb9cd7381855603fbdc1104950df1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Jul 2021 23:50:52 +0800 +Subject: mt76: mt7921: Fix out of order process by invalid event pkt + +From: Deren Wu + +[ Upstream commit cd3f387371e941e6806b455b4ba5b9f4ca4b77c6 ] + +The acceptable event report should inlcude original CMD-ID. Otherwise, +drop unexpected result from fw. + +Fixes: 1c099ab44727c ("mt76: mt7921: add MCU support") +Signed-off-by: Jimmy Hu +Signed-off-by: Deren Wu +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +index 8329b705c2ca2..8ced55501d373 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +@@ -157,6 +157,7 @@ mt7921_mcu_parse_response(struct mt76_dev *mdev, int cmd, + struct sk_buff *skb, int seq) + { + struct mt7921_mcu_rxd *rxd; ++ int mcu_cmd = cmd & MCU_CMD_MASK; + int ret = 0; + + if (!skb) { +@@ -194,6 +195,9 @@ mt7921_mcu_parse_response(struct mt76_dev *mdev, int cmd, + skb_pull(skb, sizeof(*rxd)); + event = (struct mt7921_mcu_uni_event *)skb->data; + ret = le32_to_cpu(event->status); ++ /* skip invalid event */ ++ if (mcu_cmd != event->cid) ++ ret = -EAGAIN; + break; + } + case MCU_CMD_REG_READ: { +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7921-fix-retrying-release-semaphore-without-e.patch b/queue-5.15/mt76-mt7921-fix-retrying-release-semaphore-without-e.patch new file mode 100644 index 00000000000..99bcaa4cead --- /dev/null +++ b/queue-5.15/mt76-mt7921-fix-retrying-release-semaphore-without-e.patch @@ -0,0 +1,38 @@ +From 5a3a1dccfb4e3452b85a9929183b9fe6d2bd8319 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 23:50:22 +0800 +Subject: mt76: mt7921: fix retrying release semaphore without end + +From: Sean Wang + +[ Upstream commit 02d1c7d494d8052288bc175e4ff54b56d08a3c5f ] + +We should pass the error code to the caller immediately +to avoid the possible infinite retry to release the semaphore. + +Fixes: 1c099ab44727 ("mt76: mt7921: add MCU support") +Co-developed-by: YN Chen +Signed-off-by: YN Chen +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +index 3cb53c642d242..506a1909ce6d5 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c +@@ -827,7 +827,7 @@ out: + default: + ret = -EAGAIN; + dev_err(dev->mt76.dev, "Failed to release patch semaphore\n"); +- goto out; ++ break; + } + release_firmware(fw); + +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7921-fix-survey-dump-reporting.patch b/queue-5.15/mt76-mt7921-fix-survey-dump-reporting.patch new file mode 100644 index 00000000000..5f13877c099 --- /dev/null +++ b/queue-5.15/mt76-mt7921-fix-survey-dump-reporting.patch @@ -0,0 +1,65 @@ +From 17830b008d53b303f35dcb16577713a136b0ca64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 15:19:19 +0200 +Subject: mt76: mt7921: fix survey-dump reporting + +From: Lorenzo Bianconi + +[ Upstream commit 64ed76d118c656907ec1155f2cdd24de778470a2 ] + +Fix MIB tx-rx MIB counters for survey-dump reporting. + +Fixes: 163f4d22c118d ("mt76: mt7921: add MAC support") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/mt7921/init.c | 4 ++++ + drivers/net/wireless/mediatek/mt76/mt7921/regs.h | 8 ++++++-- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/init.c b/drivers/net/wireless/mediatek/mt76/mt7921/init.c +index a9ce10b988273..52d40385fab6c 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/init.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/init.c +@@ -106,6 +106,10 @@ mt7921_mac_init_band(struct mt7921_dev *dev, u8 band) + mt76_set(dev, MT_WF_RMAC_MIB_TIME0(band), MT_WF_RMAC_MIB_RXTIME_EN); + mt76_set(dev, MT_WF_RMAC_MIB_AIRTIME0(band), MT_WF_RMAC_MIB_RXTIME_EN); + ++ /* enable MIB tx-rx time reporting */ ++ mt76_set(dev, MT_MIB_SCR1(band), MT_MIB_TXDUR_EN); ++ mt76_set(dev, MT_MIB_SCR1(band), MT_MIB_RXDUR_EN); ++ + mt76_rmw_field(dev, MT_DMA_DCR0(band), MT_DMA_DCR0_MAX_RX_LEN, 1536); + /* disable rx rate report by default due to hw issues */ + mt76_clear(dev, MT_DMA_DCR0(band), MT_DMA_DCR0_RXD_G5_EN); +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/regs.h b/drivers/net/wireless/mediatek/mt76/mt7921/regs.h +index b6944c867a573..26fb118237626 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/regs.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/regs.h +@@ -96,6 +96,10 @@ + #define MT_WF_MIB_BASE(_band) ((_band) ? 0xa4800 : 0x24800) + #define MT_WF_MIB(_band, ofs) (MT_WF_MIB_BASE(_band) + (ofs)) + ++#define MT_MIB_SCR1(_band) MT_WF_MIB(_band, 0x004) ++#define MT_MIB_TXDUR_EN BIT(8) ++#define MT_MIB_RXDUR_EN BIT(9) ++ + #define MT_MIB_SDR3(_band) MT_WF_MIB(_band, 0x698) + #define MT_MIB_SDR3_FCS_ERR_MASK GENMASK(31, 16) + +@@ -108,9 +112,9 @@ + #define MT_MIB_SDR34(_band) MT_WF_MIB(_band, 0x090) + #define MT_MIB_MU_BF_TX_CNT GENMASK(15, 0) + +-#define MT_MIB_SDR36(_band) MT_WF_MIB(_band, 0x098) ++#define MT_MIB_SDR36(_band) MT_WF_MIB(_band, 0x054) + #define MT_MIB_SDR36_TXTIME_MASK GENMASK(23, 0) +-#define MT_MIB_SDR37(_band) MT_WF_MIB(_band, 0x09c) ++#define MT_MIB_SDR37(_band) MT_WF_MIB(_band, 0x058) + #define MT_MIB_SDR37_RXTIME_MASK GENMASK(23, 0) + + #define MT_MIB_DR8(_band) MT_WF_MIB(_band, 0x0c0) +-- +2.33.0 + diff --git a/queue-5.15/mt76-mt7921-report-he-mu-radiotap.patch b/queue-5.15/mt76-mt7921-report-he-mu-radiotap.patch new file mode 100644 index 00000000000..8258d6f2c6f --- /dev/null +++ b/queue-5.15/mt76-mt7921-report-he-mu-radiotap.patch @@ -0,0 +1,187 @@ +From 6abe4d9cb9ad9e68042348c76926a931d91dc39d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 06:48:24 +0800 +Subject: mt76: mt7921: report HE MU radiotap + +From: Sean Wang + +[ Upstream commit 4fee32153ab62356aeea9d152d8f33a5fd3a0086 ] + +Report HE MU/BF radiotap. + +That fixed HE MU packets dropped by mac80211 because they are missing the +ieee80211_radiotap_he_mu header. + +Fixes: 163f4d22c118d ("mt76: mt7921: add MAC support") +Co-developed-by: Ryder Lee +Signed-off-by: Ryder Lee +Co-developed-by: Eric-SY Chang +Signed-off-by: Eric-SY Chang +Tested-by: Eric-SY Chang +Signed-off-by: Sean Wang +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + .../net/wireless/mediatek/mt76/mt7921/mac.c | 65 ++++++++++++++++--- + .../net/wireless/mediatek/mt76/mt7921/mac.h | 8 +++ + 2 files changed, 65 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c +index f4714b0f6e5c4..8a16f3f4d5253 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c +@@ -180,12 +180,56 @@ mt7921_mac_decode_he_radiotap_ru(struct mt76_rx_status *status, + IEEE80211_RADIOTAP_HE_DATA2_RU_OFFSET); + } + ++static void ++mt7921_mac_decode_he_mu_radiotap(struct sk_buff *skb, ++ struct mt76_rx_status *status, ++ __le32 *rxv) ++{ ++ static const struct ieee80211_radiotap_he_mu mu_known = { ++ .flags1 = HE_BITS(MU_FLAGS1_SIG_B_MCS_KNOWN) | ++ HE_BITS(MU_FLAGS1_SIG_B_DCM_KNOWN) | ++ HE_BITS(MU_FLAGS1_CH1_RU_KNOWN) | ++ HE_BITS(MU_FLAGS1_SIG_B_SYMS_USERS_KNOWN) | ++ HE_BITS(MU_FLAGS1_SIG_B_COMP_KNOWN), ++ .flags2 = HE_BITS(MU_FLAGS2_BW_FROM_SIG_A_BW_KNOWN) | ++ HE_BITS(MU_FLAGS2_PUNC_FROM_SIG_A_BW_KNOWN), ++ }; ++ struct ieee80211_radiotap_he_mu *he_mu = NULL; ++ ++ he_mu = skb_push(skb, sizeof(mu_known)); ++ memcpy(he_mu, &mu_known, sizeof(mu_known)); ++ ++#define MU_PREP(f, v) le16_encode_bits(v, IEEE80211_RADIOTAP_HE_MU_##f) ++ ++ he_mu->flags1 |= MU_PREP(FLAGS1_SIG_B_MCS, status->rate_idx); ++ if (status->he_dcm) ++ he_mu->flags1 |= MU_PREP(FLAGS1_SIG_B_DCM, status->he_dcm); ++ ++ he_mu->flags2 |= MU_PREP(FLAGS2_BW_FROM_SIG_A_BW, status->bw) | ++ MU_PREP(FLAGS2_SIG_B_SYMS_USERS, ++ le32_get_bits(rxv[2], MT_CRXV_HE_NUM_USER)); ++ ++ he_mu->ru_ch1[0] = FIELD_GET(MT_CRXV_HE_RU0, cpu_to_le32(rxv[3])); ++ ++ if (status->bw >= RATE_INFO_BW_40) { ++ he_mu->flags1 |= HE_BITS(MU_FLAGS1_CH2_RU_KNOWN); ++ he_mu->ru_ch2[0] = ++ FIELD_GET(MT_CRXV_HE_RU1, cpu_to_le32(rxv[3])); ++ } ++ ++ if (status->bw >= RATE_INFO_BW_80) { ++ he_mu->ru_ch1[1] = ++ FIELD_GET(MT_CRXV_HE_RU2, cpu_to_le32(rxv[3])); ++ he_mu->ru_ch2[1] = ++ FIELD_GET(MT_CRXV_HE_RU3, cpu_to_le32(rxv[3])); ++ } ++} ++ + static void + mt7921_mac_decode_he_radiotap(struct sk_buff *skb, + struct mt76_rx_status *status, + __le32 *rxv, u32 phy) + { +- /* TODO: struct ieee80211_radiotap_he_mu */ + static const struct ieee80211_radiotap_he known = { + .data1 = HE_BITS(DATA1_DATA_MCS_KNOWN) | + HE_BITS(DATA1_DATA_DCM_KNOWN) | +@@ -193,6 +237,7 @@ mt7921_mac_decode_he_radiotap(struct sk_buff *skb, + HE_BITS(DATA1_CODING_KNOWN) | + HE_BITS(DATA1_LDPC_XSYMSEG_KNOWN) | + HE_BITS(DATA1_DOPPLER_KNOWN) | ++ HE_BITS(DATA1_SPTL_REUSE_KNOWN) | + HE_BITS(DATA1_BSS_COLOR_KNOWN), + .data2 = HE_BITS(DATA2_GI_KNOWN) | + HE_BITS(DATA2_TXBF_KNOWN) | +@@ -207,9 +252,12 @@ mt7921_mac_decode_he_radiotap(struct sk_buff *skb, + + he->data3 = HE_PREP(DATA3_BSS_COLOR, BSS_COLOR, rxv[14]) | + HE_PREP(DATA3_LDPC_XSYMSEG, LDPC_EXT_SYM, rxv[2]); ++ he->data4 = HE_PREP(DATA4_SU_MU_SPTL_REUSE, SR_MASK, rxv[11]); + he->data5 = HE_PREP(DATA5_PE_DISAMBIG, PE_DISAMBIG, rxv[2]) | + le16_encode_bits(ltf_size, + IEEE80211_RADIOTAP_HE_DATA5_LTF_SIZE); ++ if (cpu_to_le32(rxv[0]) & MT_PRXV_TXBF) ++ he->data5 |= HE_BITS(DATA5_TXBF); + he->data6 = HE_PREP(DATA6_TXOP, TXOP_DUR, rxv[14]) | + HE_PREP(DATA6_DOPPLER, DOPPLER, rxv[14]); + +@@ -217,8 +265,7 @@ mt7921_mac_decode_he_radiotap(struct sk_buff *skb, + case MT_PHY_TYPE_HE_SU: + he->data1 |= HE_BITS(DATA1_FORMAT_SU) | + HE_BITS(DATA1_UL_DL_KNOWN) | +- HE_BITS(DATA1_BEAM_CHANGE_KNOWN) | +- HE_BITS(DATA1_SPTL_REUSE_KNOWN); ++ HE_BITS(DATA1_BEAM_CHANGE_KNOWN); + + he->data3 |= HE_PREP(DATA3_BEAM_CHANGE, BEAM_CHNG, rxv[14]) | + HE_PREP(DATA3_UL_DL, UPLINK, rxv[2]); +@@ -232,17 +279,15 @@ mt7921_mac_decode_he_radiotap(struct sk_buff *skb, + break; + case MT_PHY_TYPE_HE_MU: + he->data1 |= HE_BITS(DATA1_FORMAT_MU) | +- HE_BITS(DATA1_UL_DL_KNOWN) | +- HE_BITS(DATA1_SPTL_REUSE_KNOWN); ++ HE_BITS(DATA1_UL_DL_KNOWN); + + he->data3 |= HE_PREP(DATA3_UL_DL, UPLINK, rxv[2]); +- he->data4 |= HE_PREP(DATA4_SU_MU_SPTL_REUSE, SR_MASK, rxv[11]); ++ he->data4 |= HE_PREP(DATA4_MU_STA_ID, MU_AID, rxv[7]); + + mt7921_mac_decode_he_radiotap_ru(status, he, rxv); + break; + case MT_PHY_TYPE_HE_TB: + he->data1 |= HE_BITS(DATA1_FORMAT_TRIG) | +- HE_BITS(DATA1_SPTL_REUSE_KNOWN) | + HE_BITS(DATA1_SPTL_REUSE2_KNOWN) | + HE_BITS(DATA1_SPTL_REUSE3_KNOWN) | + HE_BITS(DATA1_SPTL_REUSE4_KNOWN); +@@ -606,9 +651,13 @@ int mt7921_mac_fill_rx(struct mt7921_dev *dev, struct sk_buff *skb) + + mt7921_mac_assoc_rssi(dev, skb); + +- if (rxv && status->flag & RX_FLAG_RADIOTAP_HE) ++ if (rxv && status->flag & RX_FLAG_RADIOTAP_HE) { + mt7921_mac_decode_he_radiotap(skb, status, rxv, mode); + ++ if (status->flag & RX_FLAG_RADIOTAP_HE_MU) ++ mt7921_mac_decode_he_mu_radiotap(skb, status, rxv); ++ } ++ + if (!status->wcid || !ieee80211_is_data_qos(fc)) + return 0; + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.h b/drivers/net/wireless/mediatek/mt76/mt7921/mac.h +index 3af67fac213df..f0194c8780372 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/mac.h ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/mac.h +@@ -116,6 +116,7 @@ enum rx_pkt_type { + #define MT_PRXV_TX_DCM BIT(4) + #define MT_PRXV_TX_ER_SU_106T BIT(5) + #define MT_PRXV_NSTS GENMASK(9, 7) ++#define MT_PRXV_TXBF BIT(10) + #define MT_PRXV_HT_AD_CODE BIT(11) + #define MT_PRXV_FRAME_MODE GENMASK(14, 12) + #define MT_PRXV_SGI GENMASK(16, 15) +@@ -138,8 +139,15 @@ enum rx_pkt_type { + #define MT_CRXV_HE_LTF_SIZE GENMASK(18, 17) + #define MT_CRXV_HE_LDPC_EXT_SYM BIT(20) + #define MT_CRXV_HE_PE_DISAMBIG BIT(23) ++#define MT_CRXV_HE_NUM_USER GENMASK(30, 24) + #define MT_CRXV_HE_UPLINK BIT(31) + ++#define MT_CRXV_HE_RU0 GENMASK(7, 0) ++#define MT_CRXV_HE_RU1 GENMASK(15, 8) ++#define MT_CRXV_HE_RU2 GENMASK(23, 16) ++#define MT_CRXV_HE_RU3 GENMASK(31, 24) ++#define MT_CRXV_HE_MU_AID GENMASK(30, 20) ++ + #define MT_CRXV_HE_SR_MASK GENMASK(11, 8) + #define MT_CRXV_HE_SR1_MASK GENMASK(16, 12) + #define MT_CRXV_HE_SR2_MASK GENMASK(20, 17) +-- +2.33.0 + diff --git a/queue-5.15/mt76-overwrite-default-reg_ops-if-necessary.patch b/queue-5.15/mt76-overwrite-default-reg_ops-if-necessary.patch new file mode 100644 index 00000000000..2b2287cccf2 --- /dev/null +++ b/queue-5.15/mt76-overwrite-default-reg_ops-if-necessary.patch @@ -0,0 +1,173 @@ +From a3626035b3d191b82dad0b9eb1ddf2745b1594aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 Aug 2021 21:11:49 +0200 +Subject: mt76: overwrite default reg_ops if necessary + +From: Lorenzo Bianconi + +[ Upstream commit f6e1f59885dae5a2553f8bbd328be2cb1c80ccb2 ] + +Introduce mt76_register_debugfs_fops routine in order to +define per-driver regs file operations and make sure the +device is up before reading or writing its registers + +Fixes: 1d8efc741df8 ("mt76: mt7921: introduce Runtime PM support") +Fixes: de5ff3c9d1a2 ("mt76: mt7615: introduce pm_power_save delayed work") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Felix Fietkau +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mediatek/mt76/debugfs.c | 10 ++++--- + drivers/net/wireless/mediatek/mt76/mt76.h | 8 ++++- + .../wireless/mediatek/mt76/mt7615/debugfs.c | 29 ++++++++++++++++++- + .../wireless/mediatek/mt76/mt7921/debugfs.c | 28 +++++++++++++++++- + 4 files changed, 68 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/mediatek/mt76/debugfs.c b/drivers/net/wireless/mediatek/mt76/debugfs.c +index fa48cc3a7a8f7..ad97308c78534 100644 +--- a/drivers/net/wireless/mediatek/mt76/debugfs.c ++++ b/drivers/net/wireless/mediatek/mt76/debugfs.c +@@ -116,8 +116,11 @@ static int mt76_read_rate_txpower(struct seq_file *s, void *data) + return 0; + } + +-struct dentry *mt76_register_debugfs(struct mt76_dev *dev) ++struct dentry * ++mt76_register_debugfs_fops(struct mt76_dev *dev, ++ const struct file_operations *ops) + { ++ const struct file_operations *fops = ops ? ops : &fops_regval; + struct dentry *dir; + + dir = debugfs_create_dir("mt76", dev->hw->wiphy->debugfsdir); +@@ -126,8 +129,7 @@ struct dentry *mt76_register_debugfs(struct mt76_dev *dev) + + debugfs_create_u8("led_pin", 0600, dir, &dev->led_pin); + debugfs_create_u32("regidx", 0600, dir, &dev->debugfs_reg); +- debugfs_create_file_unsafe("regval", 0600, dir, dev, +- &fops_regval); ++ debugfs_create_file_unsafe("regval", 0600, dir, dev, fops); + debugfs_create_file_unsafe("napi_threaded", 0600, dir, dev, + &fops_napi_threaded); + debugfs_create_blob("eeprom", 0400, dir, &dev->eeprom); +@@ -140,4 +142,4 @@ struct dentry *mt76_register_debugfs(struct mt76_dev *dev) + + return dir; + } +-EXPORT_SYMBOL_GPL(mt76_register_debugfs); ++EXPORT_SYMBOL_GPL(mt76_register_debugfs_fops); +diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h +index 25c5ceef52577..4d01fd85283df 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt76.h ++++ b/drivers/net/wireless/mediatek/mt76/mt76.h +@@ -869,7 +869,13 @@ struct mt76_phy *mt76_alloc_phy(struct mt76_dev *dev, unsigned int size, + int mt76_register_phy(struct mt76_phy *phy, bool vht, + struct ieee80211_rate *rates, int n_rates); + +-struct dentry *mt76_register_debugfs(struct mt76_dev *dev); ++struct dentry *mt76_register_debugfs_fops(struct mt76_dev *dev, ++ const struct file_operations *ops); ++static inline struct dentry *mt76_register_debugfs(struct mt76_dev *dev) ++{ ++ return mt76_register_debugfs_fops(dev, NULL); ++} ++ + int mt76_queues_read(struct seq_file *s, void *data); + void mt76_seq_puts_array(struct seq_file *file, const char *str, + s8 *val, int len); +diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c +index cb4659771fd97..bda22ca0bd714 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/debugfs.c +@@ -2,6 +2,33 @@ + + #include "mt7615.h" + ++static int ++mt7615_reg_set(void *data, u64 val) ++{ ++ struct mt7615_dev *dev = data; ++ ++ mt7615_mutex_acquire(dev); ++ mt76_wr(dev, dev->mt76.debugfs_reg, val); ++ mt7615_mutex_release(dev); ++ ++ return 0; ++} ++ ++static int ++mt7615_reg_get(void *data, u64 *val) ++{ ++ struct mt7615_dev *dev = data; ++ ++ mt7615_mutex_acquire(dev); ++ *val = mt76_rr(dev, dev->mt76.debugfs_reg); ++ mt7615_mutex_release(dev); ++ ++ return 0; ++} ++ ++DEFINE_DEBUGFS_ATTRIBUTE(fops_regval, mt7615_reg_get, mt7615_reg_set, ++ "0x%08llx\n"); ++ + static int + mt7615_radar_pattern_set(void *data, u64 val) + { +@@ -506,7 +533,7 @@ int mt7615_init_debugfs(struct mt7615_dev *dev) + { + struct dentry *dir; + +- dir = mt76_register_debugfs(&dev->mt76); ++ dir = mt76_register_debugfs_fops(&dev->mt76, &fops_regval); + if (!dir) + return -ENOMEM; + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c +index 77468bdae460b..4c89c4ac8031a 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/debugfs.c +@@ -4,6 +4,32 @@ + #include "mt7921.h" + #include "eeprom.h" + ++static int ++mt7921_reg_set(void *data, u64 val) ++{ ++ struct mt7921_dev *dev = data; ++ ++ mt7921_mutex_acquire(dev); ++ mt76_wr(dev, dev->mt76.debugfs_reg, val); ++ mt7921_mutex_release(dev); ++ ++ return 0; ++} ++ ++static int ++mt7921_reg_get(void *data, u64 *val) ++{ ++ struct mt7921_dev *dev = data; ++ ++ mt7921_mutex_acquire(dev); ++ *val = mt76_rr(dev, dev->mt76.debugfs_reg); ++ mt7921_mutex_release(dev); ++ ++ return 0; ++} ++ ++DEFINE_DEBUGFS_ATTRIBUTE(fops_regval, mt7921_reg_get, mt7921_reg_set, ++ "0x%08llx\n"); + static int + mt7921_fw_debug_set(void *data, u64 val) + { +@@ -373,7 +399,7 @@ int mt7921_init_debugfs(struct mt7921_dev *dev) + { + struct dentry *dir; + +- dir = mt76_register_debugfs(&dev->mt76); ++ dir = mt76_register_debugfs_fops(&dev->mt76, &fops_regval); + if (!dir) + return -ENOMEM; + +-- +2.33.0 + diff --git a/queue-5.15/mtd-core-don-t-remove-debugfs-directory-if-device-is.patch b/queue-5.15/mtd-core-don-t-remove-debugfs-directory-if-device-is.patch new file mode 100644 index 00000000000..0b43972ecca --- /dev/null +++ b/queue-5.15/mtd-core-don-t-remove-debugfs-directory-if-device-is.patch @@ -0,0 +1,48 @@ +From 5dc228311c0b3c2b7092713398cbc3f1a8d1d2ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 13:39:52 -0700 +Subject: mtd: core: don't remove debugfs directory if device is in use + +From: Zev Weiss + +[ Upstream commit c13de2386c78e890d4ae6f01a85eefd0b293fb08 ] + +Previously, if del_mtd_device() failed with -EBUSY due to a non-zero +usecount, a subsequent call to attempt the deletion again would try to +remove a debugfs directory that had already been removed and panic. +With this change the second call can instead proceed safely. + +Fixes: e8e3edb95ce6 ("mtd: create per-device and module-scope debugfs entries") +Signed-off-by: Zev Weiss +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20211014203953.5424-1-zev@bewilderbeest.net +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdcore.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c +index c8fd7f758938b..1532291989471 100644 +--- a/drivers/mtd/mtdcore.c ++++ b/drivers/mtd/mtdcore.c +@@ -724,8 +724,6 @@ int del_mtd_device(struct mtd_info *mtd) + + mutex_lock(&mtd_table_mutex); + +- debugfs_remove_recursive(mtd->dbg.dfs_dir); +- + if (idr_find(&mtd_idr, mtd->index) != mtd) { + ret = -ENODEV; + goto out_error; +@@ -741,6 +739,8 @@ int del_mtd_device(struct mtd_info *mtd) + mtd->index, mtd->name, mtd->usecount); + ret = -EBUSY; + } else { ++ debugfs_remove_recursive(mtd->dbg.dfs_dir); ++ + /* Try to remove the NVMEM provider */ + if (mtd->nvmem) + nvmem_unregister(mtd->nvmem); +-- +2.33.0 + diff --git a/queue-5.15/mtd-rawnand-arasan-prevent-an-unsupported-configurat.patch b/queue-5.15/mtd-rawnand-arasan-prevent-an-unsupported-configurat.patch new file mode 100644 index 00000000000..540958f5597 --- /dev/null +++ b/queue-5.15/mtd-rawnand-arasan-prevent-an-unsupported-configurat.patch @@ -0,0 +1,58 @@ +From 7de412377c926864c667b449e75f56b8753bc7d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 18:36:40 +0200 +Subject: mtd: rawnand: arasan: Prevent an unsupported configuration + +From: Miquel Raynal + +[ Upstream commit fc9e18f9e987ad46722dad53adab1c12148c213c ] + +Under the following conditions: +* after rounding up by 4 the number of bytes to transfer (this is + related to the controller's internal constraints), +* if this (rounded) amount of data is situated beyond the end of the + device, +* and only in NV-DDR mode, +the Arasan NAND controller timeouts. + +This currently can happen in a particular helper used when picking +software ECC algorithms. Let's prevent this situation by refusing to use +the NV-DDR interface with software engines. + +Fixes: 4edde6031458 ("mtd: rawnand: arasan: Support NV-DDR interface") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20211008163640.1753821-1-miquel.raynal@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/arasan-nand-controller.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/drivers/mtd/nand/raw/arasan-nand-controller.c b/drivers/mtd/nand/raw/arasan-nand-controller.c +index 9cbcc698c64d8..53bd10738418b 100644 +--- a/drivers/mtd/nand/raw/arasan-nand-controller.c ++++ b/drivers/mtd/nand/raw/arasan-nand-controller.c +@@ -973,6 +973,21 @@ static int anfc_setup_interface(struct nand_chip *chip, int target, + nvddr = nand_get_nvddr_timings(conf); + if (IS_ERR(nvddr)) + return PTR_ERR(nvddr); ++ ++ /* ++ * The controller only supports data payload requests which are ++ * a multiple of 4. In practice, most data accesses are 4-byte ++ * aligned and this is not an issue. However, rounding up will ++ * simply be refused by the controller if we reached the end of ++ * the device *and* we are using the NV-DDR interface(!). In ++ * this situation, unaligned data requests ending at the device ++ * boundary will confuse the controller and cannot be performed. ++ * ++ * This is something that happens in nand_read_subpage() when ++ * selecting software ECC support and must be avoided. ++ */ ++ if (chip->ecc.engine_type == NAND_ECC_ENGINE_TYPE_SOFT) ++ return -ENOTSUPP; + } else { + sdr = nand_get_sdr_timings(conf); + if (IS_ERR(sdr)) +-- +2.33.0 + diff --git a/queue-5.15/mtd-rawnand-intel-fix-potential-buffer-overflow-in-p.patch b/queue-5.15/mtd-rawnand-intel-fix-potential-buffer-overflow-in-p.patch new file mode 100644 index 00000000000..dbe6c9f3b8b --- /dev/null +++ b/queue-5.15/mtd-rawnand-intel-fix-potential-buffer-overflow-in-p.patch @@ -0,0 +1,51 @@ +From be54336453207339fa820d53add16d5265fa3705 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Sep 2021 11:26:53 +0300 +Subject: mtd: rawnand: intel: Fix potential buffer overflow in probe + +From: Evgeny Novikov + +[ Upstream commit 46a0dc10fb32bec3e765e51bf71fbc070dc77ca3 ] + +ebu_nand_probe() read the value of u32 variable "cs" from the device +firmware description and used it as the index for array ebu_host->cs +that can contain MAX_CS (2) elements at most. That could result in +a buffer overflow and various bad consequences later. + +Fix the potential buffer overflow by restricting values of "cs" with +MAX_CS in probe. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 0b1039f016e8 ("mtd: rawnand: Add NAND controller support on Intel LGM SoC") +Signed-off-by: Evgeny Novikov +Co-developed-by: Kirill Shilimanov +Signed-off-by: Kirill Shilimanov +Co-developed-by: Anton Vasilyev +Signed-off-by: Anton Vasilyev +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20210903082653.16441-1-novikov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/raw/intel-nand-controller.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/mtd/nand/raw/intel-nand-controller.c b/drivers/mtd/nand/raw/intel-nand-controller.c +index b9784f3da7a11..7c1c80dae826a 100644 +--- a/drivers/mtd/nand/raw/intel-nand-controller.c ++++ b/drivers/mtd/nand/raw/intel-nand-controller.c +@@ -609,6 +609,11 @@ static int ebu_nand_probe(struct platform_device *pdev) + dev_err(dev, "failed to get chip select: %d\n", ret); + return ret; + } ++ if (cs >= MAX_CS) { ++ dev_err(dev, "got invalid chip select: %d\n", cs); ++ return -EINVAL; ++ } ++ + ebu_host->cs_num = cs; + + resname = devm_kasprintf(dev, GFP_KERNEL, "nand_cs%d", cs); +-- +2.33.0 + diff --git a/queue-5.15/mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch b/queue-5.15/mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch new file mode 100644 index 00000000000..57644083b55 --- /dev/null +++ b/queue-5.15/mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch @@ -0,0 +1,42 @@ +From ada535668807287de079681c7fbfe437f669d86b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 17:45:29 +0300 +Subject: mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare() + +From: Evgeny Novikov + +[ Upstream commit 78e4d342187625585932bb437ec26e1060f7fc6f ] + +hisi_spi_nor_probe() invokes clk_disable_unprepare() on all paths after +successful call of clk_prepare_enable(). Besides, the clock is enabled by +hispi_spi_nor_prep() and disabled by hispi_spi_nor_unprep(). So at remove +time it is not possible to have the clock enabled. The patch removes +excessive clk_disable_unprepare() from hisi_spi_nor_remove(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: e523f11141bd ("mtd: spi-nor: add hisilicon spi-nor flash controller driver") +Signed-off-by: Evgeny Novikov +Signed-off-by: Tudor Ambarus +Reviewed-by: Pratyush Yadav +Link: https://lore.kernel.org/r/20210709144529.31379-1-novikov@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/mtd/spi-nor/controllers/hisi-sfc.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mtd/spi-nor/controllers/hisi-sfc.c b/drivers/mtd/spi-nor/controllers/hisi-sfc.c +index 47fbf1d1e5573..516e502694780 100644 +--- a/drivers/mtd/spi-nor/controllers/hisi-sfc.c ++++ b/drivers/mtd/spi-nor/controllers/hisi-sfc.c +@@ -477,7 +477,6 @@ static int hisi_spi_nor_remove(struct platform_device *pdev) + + hisi_spi_nor_unregister_all(host); + mutex_destroy(&host->lock); +- clk_disable_unprepare(host->clk); + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/mwifiex-properly-initialize-private-structure-on-int.patch b/queue-5.15/mwifiex-properly-initialize-private-structure-on-int.patch new file mode 100644 index 00000000000..98e0e6a52fd --- /dev/null +++ b/queue-5.15/mwifiex-properly-initialize-private-structure-on-int.patch @@ -0,0 +1,65 @@ +From bb8ba644efc9eb6fa505a9e151cc6b51b3492fd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 21:59:08 +0200 +Subject: mwifiex: Properly initialize private structure on interface type + changes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +[ Upstream commit c606008b70627a2fc485732a53cc22f0f66d0981 ] + +When creating a new virtual interface in mwifiex_add_virtual_intf(), we +update our internal driver states like bss_type, bss_priority, bss_role +and bss_mode to reflect the mode the firmware will be set to. + +When switching virtual interface mode using +mwifiex_init_new_priv_params() though, we currently only update bss_mode +and bss_role. In order for the interface mode switch to actually work, +we also need to update bss_type to its proper value, so do that. + +This fixes a crash of the firmware (because the driver tries to execute +commands that are invalid in AP mode) when switching from station mode +to AP mode. + +Signed-off-by: Jonas Dreßler +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210914195909.36035-9-verdre@v0yd.nl +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +index 93eb5f109949f..97f0f39364d67 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -908,16 +908,20 @@ mwifiex_init_new_priv_params(struct mwifiex_private *priv, + switch (type) { + case NL80211_IFTYPE_STATION: + case NL80211_IFTYPE_ADHOC: +- priv->bss_role = MWIFIEX_BSS_ROLE_STA; ++ priv->bss_role = MWIFIEX_BSS_ROLE_STA; ++ priv->bss_type = MWIFIEX_BSS_TYPE_STA; + break; + case NL80211_IFTYPE_P2P_CLIENT: +- priv->bss_role = MWIFIEX_BSS_ROLE_STA; ++ priv->bss_role = MWIFIEX_BSS_ROLE_STA; ++ priv->bss_type = MWIFIEX_BSS_TYPE_P2P; + break; + case NL80211_IFTYPE_P2P_GO: +- priv->bss_role = MWIFIEX_BSS_ROLE_UAP; ++ priv->bss_role = MWIFIEX_BSS_ROLE_UAP; ++ priv->bss_type = MWIFIEX_BSS_TYPE_P2P; + break; + case NL80211_IFTYPE_AP: + priv->bss_role = MWIFIEX_BSS_ROLE_UAP; ++ priv->bss_type = MWIFIEX_BSS_TYPE_UAP; + break; + default: + mwifiex_dbg(adapter, ERROR, +-- +2.33.0 + diff --git a/queue-5.15/mwifiex-run-set_bss_mode-when-changing-from-p2p-to-s.patch b/queue-5.15/mwifiex-run-set_bss_mode-when-changing-from-p2p-to-s.patch new file mode 100644 index 00000000000..5f89764a1c1 --- /dev/null +++ b/queue-5.15/mwifiex-run-set_bss_mode-when-changing-from-p2p-to-s.patch @@ -0,0 +1,77 @@ +From fc9f49bf90ec21bc17d651fcbfccc78291a526f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 21:59:03 +0200 +Subject: mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +[ Upstream commit c2e9666cdffd347460a2b17988db4cfaf2a68fb9 ] + +We currently handle changing from the P2P to the STATION virtual +interface type slightly different than changing from P2P to ADHOC: When +changing to STATION, we don't send the SET_BSS_MODE command. We do send +that command on all other type-changes though, and it probably makes +sense to send the command since after all we just changed our BSS_MODE. +Looking at prior changes to this part of the code, it seems that this is +simply a leftover from old refactorings. + +Since sending the SET_BSS_MODE command is the only difference between +mwifiex_change_vif_to_sta_adhoc() and the current code, we can now use +mwifiex_change_vif_to_sta_adhoc() for both switching to ADHOC and +STATION interface type. + +This does not fix any particular bug and just "looked right", so there's +a small chance it might be a regression. + +Signed-off-by: Jonas Dreßler +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210914195909.36035-4-verdre@v0yd.nl +Signed-off-by: Sasha Levin +--- + .../net/wireless/marvell/mwifiex/cfg80211.c | 22 ++++--------------- + 1 file changed, 4 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +index 0961f4a5e415c..93eb5f109949f 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -1229,29 +1229,15 @@ mwifiex_cfg80211_change_virtual_intf(struct wiphy *wiphy, + break; + case NL80211_IFTYPE_P2P_CLIENT: + case NL80211_IFTYPE_P2P_GO: ++ if (mwifiex_cfg80211_deinit_p2p(priv)) ++ return -EFAULT; ++ + switch (type) { +- case NL80211_IFTYPE_STATION: +- if (mwifiex_cfg80211_deinit_p2p(priv)) +- return -EFAULT; +- priv->adapter->curr_iface_comb.p2p_intf--; +- priv->adapter->curr_iface_comb.sta_intf++; +- dev->ieee80211_ptr->iftype = type; +- if (mwifiex_deinit_priv_params(priv)) +- return -1; +- if (mwifiex_init_new_priv_params(priv, dev, type)) +- return -1; +- if (mwifiex_sta_init_cmd(priv, false, false)) +- return -1; +- break; + case NL80211_IFTYPE_ADHOC: +- if (mwifiex_cfg80211_deinit_p2p(priv)) +- return -EFAULT; ++ case NL80211_IFTYPE_STATION: + return mwifiex_change_vif_to_sta_adhoc(dev, curr_iftype, + type, params); +- break; + case NL80211_IFTYPE_AP: +- if (mwifiex_cfg80211_deinit_p2p(priv)) +- return -EFAULT; + return mwifiex_change_vif_to_ap(dev, curr_iftype, type, + params); + case NL80211_IFTYPE_UNSPECIFIED: +-- +2.33.0 + diff --git a/queue-5.15/mwifiex-send-delba-requests-according-to-spec.patch b/queue-5.15/mwifiex-send-delba-requests-according-to-spec.patch new file mode 100644 index 00000000000..bb607a1eab6 --- /dev/null +++ b/queue-5.15/mwifiex-send-delba-requests-according-to-spec.patch @@ -0,0 +1,56 @@ +From b8c31b8160005488d09be42bf3f64cfd5ffe1b5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 17:32:43 +0200 +Subject: mwifiex: Send DELBA requests according to spec +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +[ Upstream commit cc8a8bc37466f79b24d972555237f3d591150602 ] + +While looking at on-air packets using Wireshark, I noticed we're never +setting the initiator bit when sending DELBA requests to the AP: While +we set the bit on our del_ba_param_set bitmask, we forget to actually +copy that bitmask over to the command struct, which means we never +actually set the initiator bit. + +Fix that and copy the bitmask over to the host_cmd_ds_11n_delba command +struct. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Jonas Dreßler +Acked-by: Pali Rohár +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211016153244.24353-5-verdre@v0yd.nl +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/11n.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c +index 6696bce561786..cf08a4af84d6d 100644 +--- a/drivers/net/wireless/marvell/mwifiex/11n.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n.c +@@ -657,14 +657,15 @@ int mwifiex_send_delba(struct mwifiex_private *priv, int tid, u8 *peer_mac, + uint16_t del_ba_param_set; + + memset(&delba, 0, sizeof(delba)); +- delba.del_ba_param_set = cpu_to_le16(tid << DELBA_TID_POS); + +- del_ba_param_set = le16_to_cpu(delba.del_ba_param_set); ++ del_ba_param_set = tid << DELBA_TID_POS; ++ + if (initiator) + del_ba_param_set |= IEEE80211_DELBA_PARAM_INITIATOR_MASK; + else + del_ba_param_set &= ~IEEE80211_DELBA_PARAM_INITIATOR_MASK; + ++ delba.del_ba_param_set = cpu_to_le16(del_ba_param_set); + memcpy(&delba.peer_mac_addr, peer_mac, ETH_ALEN); + + /* We don't wait for the response of this command */ +-- +2.33.0 + diff --git a/queue-5.15/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch b/queue-5.15/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch new file mode 100644 index 00000000000..f7ab54e13a3 --- /dev/null +++ b/queue-5.15/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch @@ -0,0 +1,61 @@ +From 5c3e91f90decaea259fd677163215061922b4e75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 04:02:59 +0000 +Subject: mwl8k: Fix use-after-free in mwl8k_fw_state_machine() + +From: Zheyu Ma + +[ Upstream commit 257051a235c17e33782b6e24a4b17f2d7915aaec ] + +When the driver fails to request the firmware, it calls its error +handler. In the error handler, the driver detaches device from driver +first before releasing the firmware, which can cause a use-after-free bug. + +Fix this by releasing firmware first. + +The following log reveals it: + +[ 9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010143 ] Workqueue: events request_firmware_work_func +[ 9.010830 ] Call Trace: +[ 9.010830 ] dump_stack_lvl+0xa8/0xd1 +[ 9.010830 ] print_address_description+0x87/0x3b0 +[ 9.010830 ] kasan_report+0x172/0x1c0 +[ 9.010830 ] ? mutex_unlock+0xd/0x10 +[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010830 ] __asan_report_load8_noabort+0x14/0x20 +[ 9.010830 ] mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010830 ] ? mwl8k_load_firmware+0x5f0/0x5f0 +[ 9.010830 ] request_firmware_work_func+0x172/0x250 +[ 9.010830 ] ? read_lock_is_recursive+0x20/0x20 +[ 9.010830 ] ? process_one_work+0x7a1/0x1100 +[ 9.010830 ] ? request_firmware_nowait+0x460/0x460 +[ 9.010830 ] ? __this_cpu_preempt_check+0x13/0x20 +[ 9.010830 ] process_one_work+0x9bb/0x1100 + +Signed-off-by: Zheyu Ma +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1634356979-6211-1-git-send-email-zheyuma97@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwl8k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c +index 3bf6571f41490..529e325498cdb 100644 +--- a/drivers/net/wireless/marvell/mwl8k.c ++++ b/drivers/net/wireless/marvell/mwl8k.c +@@ -5800,8 +5800,8 @@ static void mwl8k_fw_state_machine(const struct firmware *fw, void *context) + fail: + priv->fw_state = FW_STATE_ERROR; + complete(&priv->firmware_loading_complete); +- device_release_driver(&priv->pdev->dev); + mwl8k_release_firmware(priv); ++ device_release_driver(&priv->pdev->dev); + } + + #define MAX_RESTART_ATTEMPTS 1 +-- +2.33.0 + diff --git a/queue-5.15/nbd-fix-max-value-for-first_minor.patch b/queue-5.15/nbd-fix-max-value-for-first_minor.patch new file mode 100644 index 00000000000..ca705a27e58 --- /dev/null +++ b/queue-5.15/nbd-fix-max-value-for-first_minor.patch @@ -0,0 +1,66 @@ +From 5a70811f30c42ce7ee152663caffd3f835640a1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 09:52:34 +0800 +Subject: nbd: fix max value for 'first_minor' + +From: Yu Kuai + +[ Upstream commit e4c4871a73944353ea23e319de27ef73ce546623 ] + +commit b1a811633f73 ("block: nbd: add sanity check for first_minor") +checks that 'first_minor' should not be greater than 0xff, which is +wrong. Whitout the commit, the details that when user pass 0x100000, +it ends up create sysfs dir "/sys/block/43:0" are as follows: + +nbd_dev_add + disk->first_minor = index << part_shift + -> default part_shift is 5, first_minor is 0x2000000 + device_add_disk + ddev->devt = MKDEV(disk->major, disk->first_minor) + -> (0x2b << 20) | (0x2000000) = 0x2b00000 + device_add + device_create_sys_dev_entry + format_dev_t + sprintf(buffer, "%u:%u", MAJOR(dev), MINOR(dev)); + -> got 43:0 + sysfs_create_link -> /sys/block/43:0 + +By the way, with the wrong fix, when part_shift is the default value, +only 8 ndb devices can be created since 8 << 5 is greater than 0xff. + +Since the max bits for 'first_minor' should be the same as what +MKDEV() does, which is 20. Change the upper bound of 'first_minor' +from 0xff to 0xfffff. + +Fixes: b1a811633f73 ("block: nbd: add sanity check for first_minor") +Signed-off-by: Yu Kuai +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20211102015237.2309763-2-yebin10@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 4f1b591c3a555..0d820c4dec176 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1749,11 +1749,11 @@ static struct nbd_device *nbd_dev_add(int index, unsigned int refs) + disk->major = NBD_MAJOR; + + /* Too big first_minor can cause duplicate creation of +- * sysfs files/links, since first_minor will be truncated to +- * byte in __device_add_disk(). ++ * sysfs files/links, since MKDEV() expect that the max bits of ++ * first_minor is 20. + */ + disk->first_minor = index << part_shift; +- if (disk->first_minor > 0xff) { ++ if (disk->first_minor > MINORMASK) { + err = -EINVAL; + goto out_free_idr; + } +-- +2.33.0 + diff --git a/queue-5.15/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev.patch b/queue-5.15/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev.patch new file mode 100644 index 00000000000..d27da7e68b2 --- /dev/null +++ b/queue-5.15/nbd-fix-possible-overflow-for-first_minor-in-nbd_dev.patch @@ -0,0 +1,45 @@ +From 89b8f8377e576ef57c82df1c6ab458f8f2e59538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 09:52:35 +0800 +Subject: nbd: fix possible overflow for 'first_minor' in nbd_dev_add() + +From: Yu Kuai + +[ Upstream commit 940c264984fd1457918393c49674f6b39ee16506 ] + +If 'part_shift' is not zero, then 'index << part_shift' might +overflow to a value that is not greater than '0xfffff', then sysfs +might complains about duplicate creation. + +Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices") +Signed-off-by: Yu Kuai +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20211102015237.2309763-3-yebin10@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 0d820c4dec176..577c7dba5d78d 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1749,11 +1749,11 @@ static struct nbd_device *nbd_dev_add(int index, unsigned int refs) + disk->major = NBD_MAJOR; + + /* Too big first_minor can cause duplicate creation of +- * sysfs files/links, since MKDEV() expect that the max bits of +- * first_minor is 20. ++ * sysfs files/links, since index << part_shift might overflow, or ++ * MKDEV() expect that the max bits of first_minor is 20. + */ + disk->first_minor = index << part_shift; +- if (disk->first_minor > MINORMASK) { ++ if (disk->first_minor < index || disk->first_minor > MINORMASK) { + err = -EINVAL; + goto out_free_idr; + } +-- +2.33.0 + diff --git a/queue-5.15/nbd-fix-use-after-free-in-pid_show.patch b/queue-5.15/nbd-fix-use-after-free-in-pid_show.patch new file mode 100644 index 00000000000..187a79891d7 --- /dev/null +++ b/queue-5.15/nbd-fix-use-after-free-in-pid_show.patch @@ -0,0 +1,135 @@ +From f2a0bc8508c406fd239a4958f4164b0d6780530f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 15:39:59 +0800 +Subject: nbd: Fix use-after-free in pid_show + +From: Ye Bin + +[ Upstream commit 0c98057be9efa32de78dbc4685fc73da9d71faa1 ] + +I got issue as follows: +[ 263.886511] BUG: KASAN: use-after-free in pid_show+0x11f/0x13f +[ 263.888359] Read of size 4 at addr ffff8880bf0648c0 by task cat/746 +[ 263.890479] CPU: 0 PID: 746 Comm: cat Not tainted 4.19.90-dirty #140 +[ 263.893162] Call Trace: +[ 263.893509] dump_stack+0x108/0x15f +[ 263.893999] print_address_description+0xa5/0x372 +[ 263.894641] kasan_report.cold+0x236/0x2a8 +[ 263.895696] __asan_report_load4_noabort+0x25/0x30 +[ 263.896365] pid_show+0x11f/0x13f +[ 263.897422] dev_attr_show+0x48/0x90 +[ 263.898361] sysfs_kf_seq_show+0x24d/0x4b0 +[ 263.899479] kernfs_seq_show+0x14e/0x1b0 +[ 263.900029] seq_read+0x43f/0x1150 +[ 263.900499] kernfs_fop_read+0xc7/0x5a0 +[ 263.903764] vfs_read+0x113/0x350 +[ 263.904231] ksys_read+0x103/0x270 +[ 263.905230] __x64_sys_read+0x77/0xc0 +[ 263.906284] do_syscall_64+0x106/0x360 +[ 263.906797] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Reproduce this issue as follows: +1. nbd-server 8000 /tmp/disk +2. nbd-client localhost 8000 /dev/nbd1 +3. cat /sys/block/nbd1/pid +Then trigger use-after-free in pid_show. + +Reason is after do step '2', nbd-client progress is already exit. So +it's task_struct already freed. +To solve this issue, revert part of 6521d39a64b3's modify and remove +useless 'recv_task' member of nbd_device. + +Fixes: 6521d39a64b3 ("nbd: Remove variable 'pid'") +Signed-off-by: Ye Bin +Reviewed-by: Josef Bacik +Link: https://lore.kernel.org/r/20211020073959.2679255-1-yebin10@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/nbd.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 1183f7872b713..4f1b591c3a555 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -122,10 +122,10 @@ struct nbd_device { + struct work_struct remove_work; + + struct list_head list; +- struct task_struct *task_recv; + struct task_struct *task_setup; + + unsigned long flags; ++ pid_t pid; /* pid of nbd-client, if attached */ + + char *backend; + }; +@@ -217,7 +217,7 @@ static ssize_t pid_show(struct device *dev, + struct gendisk *disk = dev_to_disk(dev); + struct nbd_device *nbd = (struct nbd_device *)disk->private_data; + +- return sprintf(buf, "%d\n", task_pid_nr(nbd->task_recv)); ++ return sprintf(buf, "%d\n", nbd->pid); + } + + static const struct device_attribute pid_attr = { +@@ -329,7 +329,7 @@ static int nbd_set_size(struct nbd_device *nbd, loff_t bytesize, + nbd->config->bytesize = bytesize; + nbd->config->blksize_bits = __ffs(blksize); + +- if (!nbd->task_recv) ++ if (!nbd->pid) + return 0; + + if (nbd->config->flags & NBD_FLAG_SEND_TRIM) { +@@ -1241,7 +1241,7 @@ static void nbd_config_put(struct nbd_device *nbd) + if (test_and_clear_bit(NBD_RT_HAS_PID_FILE, + &config->runtime_flags)) + device_remove_file(disk_to_dev(nbd->disk), &pid_attr); +- nbd->task_recv = NULL; ++ nbd->pid = 0; + if (test_and_clear_bit(NBD_RT_HAS_BACKEND_FILE, + &config->runtime_flags)) { + device_remove_file(disk_to_dev(nbd->disk), &backend_attr); +@@ -1282,7 +1282,7 @@ static int nbd_start_device(struct nbd_device *nbd) + int num_connections = config->num_connections; + int error = 0, i; + +- if (nbd->task_recv) ++ if (nbd->pid) + return -EBUSY; + if (!config->socks) + return -EINVAL; +@@ -1301,7 +1301,7 @@ static int nbd_start_device(struct nbd_device *nbd) + } + + blk_mq_update_nr_hw_queues(&nbd->tag_set, config->num_connections); +- nbd->task_recv = current; ++ nbd->pid = task_pid_nr(current); + + nbd_parse_flags(nbd); + +@@ -1557,8 +1557,8 @@ static int nbd_dbg_tasks_show(struct seq_file *s, void *unused) + { + struct nbd_device *nbd = s->private; + +- if (nbd->task_recv) +- seq_printf(s, "recv: %d\n", task_pid_nr(nbd->task_recv)); ++ if (nbd->pid) ++ seq_printf(s, "recv: %d\n", nbd->pid); + + return 0; + } +@@ -2135,7 +2135,7 @@ static int nbd_genl_reconfigure(struct sk_buff *skb, struct genl_info *info) + mutex_lock(&nbd->config_lock); + config = nbd->config; + if (!test_bit(NBD_RT_BOUND, &config->runtime_flags) || +- !nbd->task_recv) { ++ !nbd->pid) { + dev_err(nbd_to_dev(nbd), + "not configured, cannot reconfigure\n"); + ret = -EINVAL; +-- +2.33.0 + diff --git a/queue-5.15/net-amd-xgbe-toggle-pll-settings-during-rate-change.patch b/queue-5.15/net-amd-xgbe-toggle-pll-settings-during-rate-change.patch new file mode 100644 index 00000000000..98b955eb162 --- /dev/null +++ b/queue-5.15/net-amd-xgbe-toggle-pll-settings-during-rate-change.patch @@ -0,0 +1,110 @@ +From 88ab3b29eb2761856f17e8dfb774c82db9deb716 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 15:27:27 +0530 +Subject: net: amd-xgbe: Toggle PLL settings during rate change + +From: Shyam Sundar S K + +[ Upstream commit daf182d360e509a494db18666799f4e85d83dda0 ] + +For each rate change command submission, the FW has to do a phy +power off sequence internally. For this to happen correctly, the +PLL re-initialization control setting has to be turned off before +sending mailbox commands and re-enabled once the command submission +is complete. + +Without the PLL control setting, the link up takes longer time in a +fixed phy configuration. + +Fixes: 47f164deab22 ("amd-xgbe: Add PCI device support") +Co-developed-by: Sudheesh Mavila +Signed-off-by: Sudheesh Mavila +Signed-off-by: Shyam Sundar S K +Acked-by: Tom Lendacky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/xgbe/xgbe-common.h | 8 ++++++++ + drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 20 +++++++++++++++++++- + 2 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +index b2cd3bdba9f89..533b8519ec352 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h +@@ -1331,6 +1331,10 @@ + #define MDIO_VEND2_PMA_CDR_CONTROL 0x8056 + #endif + ++#ifndef MDIO_VEND2_PMA_MISC_CTRL0 ++#define MDIO_VEND2_PMA_MISC_CTRL0 0x8090 ++#endif ++ + #ifndef MDIO_CTRL1_SPEED1G + #define MDIO_CTRL1_SPEED1G (MDIO_CTRL1_SPEED10G & ~BMCR_SPEED100) + #endif +@@ -1389,6 +1393,10 @@ + #define XGBE_PMA_RX_RST_0_RESET_ON 0x10 + #define XGBE_PMA_RX_RST_0_RESET_OFF 0x00 + ++#define XGBE_PMA_PLL_CTRL_MASK BIT(15) ++#define XGBE_PMA_PLL_CTRL_ENABLE BIT(15) ++#define XGBE_PMA_PLL_CTRL_DISABLE 0x0000 ++ + /* Bit setting and getting macros + * The get macro will extract the current bit field value from within + * the variable +diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +index 18e48b3bc402b..213769054391c 100644 +--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c ++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c +@@ -1977,12 +1977,26 @@ static void xgbe_phy_rx_reset(struct xgbe_prv_data *pdata) + } + } + ++static void xgbe_phy_pll_ctrl(struct xgbe_prv_data *pdata, bool enable) ++{ ++ XMDIO_WRITE_BITS(pdata, MDIO_MMD_PMAPMD, MDIO_VEND2_PMA_MISC_CTRL0, ++ XGBE_PMA_PLL_CTRL_MASK, ++ enable ? XGBE_PMA_PLL_CTRL_ENABLE ++ : XGBE_PMA_PLL_CTRL_DISABLE); ++ ++ /* Wait for command to complete */ ++ usleep_range(100, 200); ++} ++ + static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata, + unsigned int cmd, unsigned int sub_cmd) + { + unsigned int s0 = 0; + unsigned int wait; + ++ /* Disable PLL re-initialization during FW command processing */ ++ xgbe_phy_pll_ctrl(pdata, false); ++ + /* Log if a previous command did not complete */ + if (XP_IOREAD_BITS(pdata, XP_DRIVER_INT_RO, STATUS)) { + netif_dbg(pdata, link, pdata->netdev, +@@ -2003,7 +2017,7 @@ static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata, + wait = XGBE_RATECHANGE_COUNT; + while (wait--) { + if (!XP_IOREAD_BITS(pdata, XP_DRIVER_INT_RO, STATUS)) +- return; ++ goto reenable_pll; + + usleep_range(1000, 2000); + } +@@ -2013,6 +2027,10 @@ static void xgbe_phy_perform_ratechange(struct xgbe_prv_data *pdata, + + /* Reset on error */ + xgbe_phy_rx_reset(pdata); ++ ++reenable_pll: ++ /* Enable PLL re-initialization */ ++ xgbe_phy_pll_ctrl(pdata, true); + } + + static void xgbe_phy_rrc(struct xgbe_prv_data *pdata) +-- +2.33.0 + diff --git a/queue-5.15/net-annotate-data-race-in-neigh_output.patch b/queue-5.15/net-annotate-data-race-in-neigh_output.patch new file mode 100644 index 00000000000..4759fa4060a --- /dev/null +++ b/queue-5.15/net-annotate-data-race-in-neigh_output.patch @@ -0,0 +1,148 @@ +From db46be5f0488e871cca68b88cc53d4460785bff7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 11:15:55 -0700 +Subject: net: annotate data-race in neigh_output() + +From: Eric Dumazet + +[ Upstream commit d18785e213866935b4c3dc0c33c3e18801ce0ce8 ] + +neigh_output() reads n->nud_state and hh->hh_len locklessly. + +This is fine, but we need to add annotations and document this. + +We evaluate skip_cache first to avoid reading these fields +if the cache has to by bypassed. + +syzbot report: + +BUG: KCSAN: data-race in __neigh_event_send / ip_finish_output2 + +write to 0xffff88810798a885 of 1 bytes by interrupt on cpu 1: + __neigh_event_send+0x40d/0xac0 net/core/neighbour.c:1128 + neigh_event_send include/net/neighbour.h:444 [inline] + neigh_resolve_output+0x104/0x410 net/core/neighbour.c:1476 + neigh_output include/net/neighbour.h:510 [inline] + ip_finish_output2+0x80a/0xaa0 net/ipv4/ip_output.c:221 + ip_finish_output+0x3b5/0x510 net/ipv4/ip_output.c:309 + NF_HOOK_COND include/linux/netfilter.h:296 [inline] + ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:423 + dst_output include/net/dst.h:450 [inline] + ip_local_out+0x164/0x220 net/ipv4/ip_output.c:126 + __ip_queue_xmit+0x9d3/0xa20 net/ipv4/ip_output.c:525 + ip_queue_xmit+0x34/0x40 net/ipv4/ip_output.c:539 + __tcp_transmit_skb+0x142a/0x1a00 net/ipv4/tcp_output.c:1405 + tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline] + tcp_xmit_probe_skb net/ipv4/tcp_output.c:4011 [inline] + tcp_write_wakeup+0x4a9/0x810 net/ipv4/tcp_output.c:4064 + tcp_send_probe0+0x2c/0x2b0 net/ipv4/tcp_output.c:4079 + tcp_probe_timer net/ipv4/tcp_timer.c:398 [inline] + tcp_write_timer_handler+0x394/0x520 net/ipv4/tcp_timer.c:626 + tcp_write_timer+0xb9/0x180 net/ipv4/tcp_timer.c:642 + call_timer_fn+0x2e/0x1d0 kernel/time/timer.c:1421 + expire_timers+0x135/0x240 kernel/time/timer.c:1466 + __run_timers+0x368/0x430 kernel/time/timer.c:1734 + run_timer_softirq+0x19/0x30 kernel/time/timer.c:1747 + __do_softirq+0x12c/0x26e kernel/softirq.c:558 + invoke_softirq kernel/softirq.c:432 [inline] + __irq_exit_rcu kernel/softirq.c:636 [inline] + irq_exit_rcu+0x4e/0xa0 kernel/softirq.c:648 + sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1097 + asm_sysvec_apic_timer_interrupt+0x12/0x20 + native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline] + arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline] + acpi_safe_halt drivers/acpi/processor_idle.c:109 [inline] + acpi_idle_do_entry drivers/acpi/processor_idle.c:553 [inline] + acpi_idle_enter+0x258/0x2e0 drivers/acpi/processor_idle.c:688 + cpuidle_enter_state+0x2b4/0x760 drivers/cpuidle/cpuidle.c:237 + cpuidle_enter+0x3c/0x60 drivers/cpuidle/cpuidle.c:351 + call_cpuidle kernel/sched/idle.c:158 [inline] + cpuidle_idle_call kernel/sched/idle.c:239 [inline] + do_idle+0x1a3/0x250 kernel/sched/idle.c:306 + cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:403 + secondary_startup_64_no_verify+0xb1/0xbb + +read to 0xffff88810798a885 of 1 bytes by interrupt on cpu 0: + neigh_output include/net/neighbour.h:507 [inline] + ip_finish_output2+0x79a/0xaa0 net/ipv4/ip_output.c:221 + ip_finish_output+0x3b5/0x510 net/ipv4/ip_output.c:309 + NF_HOOK_COND include/linux/netfilter.h:296 [inline] + ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:423 + dst_output include/net/dst.h:450 [inline] + ip_local_out+0x164/0x220 net/ipv4/ip_output.c:126 + __ip_queue_xmit+0x9d3/0xa20 net/ipv4/ip_output.c:525 + ip_queue_xmit+0x34/0x40 net/ipv4/ip_output.c:539 + __tcp_transmit_skb+0x142a/0x1a00 net/ipv4/tcp_output.c:1405 + tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline] + tcp_xmit_probe_skb net/ipv4/tcp_output.c:4011 [inline] + tcp_write_wakeup+0x4a9/0x810 net/ipv4/tcp_output.c:4064 + tcp_send_probe0+0x2c/0x2b0 net/ipv4/tcp_output.c:4079 + tcp_probe_timer net/ipv4/tcp_timer.c:398 [inline] + tcp_write_timer_handler+0x394/0x520 net/ipv4/tcp_timer.c:626 + tcp_write_timer+0xb9/0x180 net/ipv4/tcp_timer.c:642 + call_timer_fn+0x2e/0x1d0 kernel/time/timer.c:1421 + expire_timers+0x135/0x240 kernel/time/timer.c:1466 + __run_timers+0x368/0x430 kernel/time/timer.c:1734 + run_timer_softirq+0x19/0x30 kernel/time/timer.c:1747 + __do_softirq+0x12c/0x26e kernel/softirq.c:558 + invoke_softirq kernel/softirq.c:432 [inline] + __irq_exit_rcu kernel/softirq.c:636 [inline] + irq_exit_rcu+0x4e/0xa0 kernel/softirq.c:648 + sysvec_apic_timer_interrupt+0x69/0x80 arch/x86/kernel/apic/apic.c:1097 + asm_sysvec_apic_timer_interrupt+0x12/0x20 + native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline] + arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline] + acpi_safe_halt drivers/acpi/processor_idle.c:109 [inline] + acpi_idle_do_entry drivers/acpi/processor_idle.c:553 [inline] + acpi_idle_enter+0x258/0x2e0 drivers/acpi/processor_idle.c:688 + cpuidle_enter_state+0x2b4/0x760 drivers/cpuidle/cpuidle.c:237 + cpuidle_enter+0x3c/0x60 drivers/cpuidle/cpuidle.c:351 + call_cpuidle kernel/sched/idle.c:158 [inline] + cpuidle_idle_call kernel/sched/idle.c:239 [inline] + do_idle+0x1a3/0x250 kernel/sched/idle.c:306 + cpu_startup_entry+0x15/0x20 kernel/sched/idle.c:403 + rest_init+0xee/0x100 init/main.c:734 + arch_call_rest_init+0xa/0xb + start_kernel+0x5e4/0x669 init/main.c:1142 + secondary_startup_64_no_verify+0xb1/0xbb + +value changed: 0x20 -> 0x01 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.0-rc6-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/neighbour.h | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/include/net/neighbour.h b/include/net/neighbour.h +index 22ced1381ede5..990f9b1d17092 100644 +--- a/include/net/neighbour.h ++++ b/include/net/neighbour.h +@@ -504,10 +504,15 @@ static inline int neigh_output(struct neighbour *n, struct sk_buff *skb, + { + const struct hh_cache *hh = &n->hh; + +- if ((n->nud_state & NUD_CONNECTED) && hh->hh_len && !skip_cache) ++ /* n->nud_state and hh->hh_len could be changed under us. ++ * neigh_hh_output() is taking care of the race later. ++ */ ++ if (!skip_cache && ++ (READ_ONCE(n->nud_state) & NUD_CONNECTED) && ++ READ_ONCE(hh->hh_len)) + return neigh_hh_output(hh, skb); +- else +- return n->output(n, skb); ++ ++ return n->output(n, skb); + } + + static inline struct neighbour * +-- +2.33.0 + diff --git a/queue-5.15/net-bridge-fix-uninitialized-variables-when-bridge_c.patch b/queue-5.15/net-bridge-fix-uninitialized-variables-when-bridge_c.patch new file mode 100644 index 00000000000..bb85e197a7c --- /dev/null +++ b/queue-5.15/net-bridge-fix-uninitialized-variables-when-bridge_c.patch @@ -0,0 +1,46 @@ +From 2eb9cde72a233327573682003e44d145fcf6258f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 17:58:35 +0200 +Subject: net: bridge: fix uninitialized variables when BRIDGE_CFM is disabled + +From: Ivan Vecera + +[ Upstream commit 829e050eea69c7442441b714b6f5b339b5b8c367 ] + +Function br_get_link_af_size_filtered() calls br_cfm_{,peer}_mep_count() +that return a count. When BRIDGE_CFM is not enabled these functions +simply return -EOPNOTSUPP but do not modify count parameter and +calling function then works with uninitialized variables. +Modify these inline functions to return zero in count parameter. + +Fixes: b6d0425b816e ("bridge: cfm: Netlink Notifications.") +Cc: Henrik Bjoernlund +Signed-off-by: Ivan Vecera +Acked-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/bridge/br_private.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 37ca76406f1e8..fd5e7e74573ce 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -1911,11 +1911,13 @@ static inline int br_cfm_status_fill_info(struct sk_buff *skb, + + static inline int br_cfm_mep_count(struct net_bridge *br, u32 *count) + { ++ *count = 0; + return -EOPNOTSUPP; + } + + static inline int br_cfm_peer_mep_count(struct net_bridge *br, u32 *count) + { ++ *count = 0; + return -EOPNOTSUPP; + } + #endif +-- +2.33.0 + diff --git a/queue-5.15/net-davinci_emac-fix-interrupt-pacing-disable.patch b/queue-5.15/net-davinci_emac-fix-interrupt-pacing-disable.patch new file mode 100644 index 00000000000..d4ce826e3b8 --- /dev/null +++ b/queue-5.15/net-davinci_emac-fix-interrupt-pacing-disable.patch @@ -0,0 +1,59 @@ +From f8ba078b1bfa489bdeac413183d208e254e58ede Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 18:23:41 +0300 +Subject: net: davinci_emac: Fix interrupt pacing disable + +From: Maxim Kiselev + +[ Upstream commit d52bcb47bdf971a59a2467975d2405fcfcb2fa19 ] + +This patch allows to use 0 for `coal->rx_coalesce_usecs` param to +disable rx irq coalescing. + +Previously we could enable rx irq coalescing via ethtool +(For ex: `ethtool -C eth0 rx-usecs 2000`) but we couldn't disable +it because this part rejects 0 value: + + if (!coal->rx_coalesce_usecs) + return -EINVAL; + +Fixes: 84da2658a619 ("TI DaVinci EMAC : Implement interrupt pacing functionality.") +Signed-off-by: Maxim Kiselev +Reviewed-by: Grygorii Strashko +Link: https://lore.kernel.org/r/20211101152343.4193233-1-bigunclemax@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/davinci_emac.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index e8291d8488391..d243ca5dfde00 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -420,8 +420,20 @@ static int emac_set_coalesce(struct net_device *ndev, + u32 int_ctrl, num_interrupts = 0; + u32 prescale = 0, addnl_dvdr = 1, coal_intvl = 0; + +- if (!coal->rx_coalesce_usecs) +- return -EINVAL; ++ if (!coal->rx_coalesce_usecs) { ++ priv->coal_intvl = 0; ++ ++ switch (priv->version) { ++ case EMAC_VERSION_2: ++ emac_ctrl_write(EMAC_DM646X_CMINTCTRL, 0); ++ break; ++ default: ++ emac_ctrl_write(EMAC_CTRL_EWINTTCNT, 0); ++ break; ++ } ++ ++ return 0; ++ } + + coal_intvl = coal->rx_coalesce_usecs; + +-- +2.33.0 + diff --git a/queue-5.15/net-dsa-avoid-refcount-warnings-when-port_-fdb-mdb-_.patch b/queue-5.15/net-dsa-avoid-refcount-warnings-when-port_-fdb-mdb-_.patch new file mode 100644 index 00000000000..e32c18f3da7 --- /dev/null +++ b/queue-5.15/net-dsa-avoid-refcount-warnings-when-port_-fdb-mdb-_.patch @@ -0,0 +1,52 @@ +From cb8fe0951ee065521aa366c4d821fd030502b774 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Oct 2021 20:17:48 +0300 +Subject: net: dsa: avoid refcount warnings when ->port_{fdb,mdb}_del returns + error + +From: Vladimir Oltean + +[ Upstream commit 232deb3f9567ce37d99b8616a6c07c1fc0436abf ] + +At present, when either of ds->ops->port_fdb_del() or ds->ops->port_mdb_del() +return a non-zero error code, we attempt to save the day and keep the +data structure associated with that switchdev object, as the deletion +procedure did not complete. + +However, the way in which we do this is suspicious to the checker in +lib/refcount.c, who thinks it is buggy to increment a refcount that +became zero, and that this is indicative of a use-after-free. + +Fixes: 161ca59d39e9 ("net: dsa: reference count the MDB entries at the cross-chip notifier level") +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/dsa/switch.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/dsa/switch.c b/net/dsa/switch.c +index 6466d0539af9f..44558fbdc65b3 100644 +--- a/net/dsa/switch.c ++++ b/net/dsa/switch.c +@@ -264,7 +264,7 @@ static int dsa_switch_do_mdb_del(struct dsa_switch *ds, int port, + + err = ds->ops->port_mdb_del(ds, port, mdb); + if (err) { +- refcount_inc(&a->refcount); ++ refcount_set(&a->refcount, 1); + return err; + } + +@@ -329,7 +329,7 @@ static int dsa_switch_do_fdb_del(struct dsa_switch *ds, int port, + + err = ds->ops->port_fdb_del(ds, port, addr, vid); + if (err) { +- refcount_inc(&a->refcount); ++ refcount_set(&a->refcount, 1); + return err; + } + +-- +2.33.0 + diff --git a/queue-5.15/net-dsa-felix-fix-broken-vlan-tagged-ptp-under-vlan-.patch b/queue-5.15/net-dsa-felix-fix-broken-vlan-tagged-ptp-under-vlan-.patch new file mode 100644 index 00000000000..bf69592c042 --- /dev/null +++ b/queue-5.15/net-dsa-felix-fix-broken-vlan-tagged-ptp-under-vlan-.patch @@ -0,0 +1,183 @@ +From a911ab26e20059aa12393524313af5ce55cc68fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 21:31:22 +0200 +Subject: net: dsa: felix: fix broken VLAN-tagged PTP under VLAN-aware bridge + +From: Vladimir Oltean + +[ Upstream commit 92f62485b3715882cd397b0cbd80a96d179b86d6 ] + +Normally it is expected that the dsa_device_ops :: rcv() method finishes +parsing the DSA tag and consumes it, then never looks at it again. + +But commit c0bcf537667c ("net: dsa: ocelot: add hardware timestamping +support for Felix") added support for RX timestamping in a very +unconventional way. On this switch, a partial timestamp is available in +the DSA header, but the driver got away with not parsing that timestamp +right away, but instead delayed that parsing for a little longer: + +dsa_switch_rcv(): + nskb = cpu_dp->rcv(skb, dev); <------------- not here + -> ocelot_rcv() + ... + + skb = nskb; + skb_push(skb, ETH_HLEN); + skb->pkt_type = PACKET_HOST; + skb->protocol = eth_type_trans(skb, skb->dev); + + ... + + if (dsa_skb_defer_rx_timestamp(p, skb)) <--- but here + -> felix_rxtstamp() + return 0; + +When in felix_rxtstamp(), this driver accounted for the fact that +eth_type_trans() happened in the meanwhile, so it got a hold of the +extraction header again by subtracting (ETH_HLEN + OCELOT_TAG_LEN) bytes +from the current skb->data. + +This worked for quite some time but was quite fragile from the very +beginning. Not to mention that having DSA tag parsing split in two +different files, under different folders (net/dsa/tag_ocelot.c vs +drivers/net/dsa/ocelot/felix.c) made it quite non-obvious for patches to +come that they might break this. + +Finally, the blamed commit does the following: at the end of +ocelot_rcv(), it checks whether the skb payload contains a VLAN header. +If it does, and this port is under a VLAN-aware bridge, that VLAN ID +might not be correct in the sense that the packet might have suffered +VLAN rewriting due to TCAM rules (VCAP IS1). So we consume the VLAN ID +from the skb payload using __skb_vlan_pop(), and take the classified +VLAN ID from the DSA tag, and construct a hwaccel VLAN tag with the +classified VLAN, and the skb payload is VLAN-untagged. + +The big problem is that __skb_vlan_pop() does: + + memmove(skb->data + VLAN_HLEN, skb->data, 2 * ETH_ALEN); + __skb_pull(skb, VLAN_HLEN); + +aka it moves the Ethernet header 4 bytes to the right, and pulls 4 bytes +from the skb headroom (effectively also moving skb->data, by definition). +So for felix_rxtstamp()'s fragile logic, all bets are off now. +Instead of having the "extraction" pointer point to the DSA header, +it actually points to 4 bytes _inside_ the extraction header. +Corollary, the last 4 bytes of the "extraction" header are in fact 4 +stale bytes of the destination MAC address from the Ethernet header, +from prior to the __skb_vlan_pop() movement. + +So of course, RX timestamps are completely bogus when the system is +configured in this way. + +The fix is actually very simple: just don't structure the code like that. +For better or worse, the DSA PTP timestamping API does not offer a +straightforward way for drivers to present their RX timestamps, but +other drivers (sja1105) have established a simple mechanism to carry +their RX timestamp from dsa_device_ops :: rcv() all the way to +dsa_switch_ops :: port_rxtstamp() and even later. That mechanism is to +simply save the partial timestamp to the skb->cb, and complete it later. + +Question: why don't we simply populate the skb's struct +skb_shared_hwtstamps from ocelot_rcv(), and bother with this +complication of propagating the timestamp to felix_rxtstamp()? + +Answer: dsa_switch_ops :: port_rxtstamp() answers the question whether +PTP packets need sleepable context to retrieve the full RX timestamp. +Currently felix_rxtstamp() answers "no, thanks" to that question, and +calls ocelot_ptp_gettime64() from softirq atomic context. This is +understandable, since Felix VSC9959 is a PCIe memory-mapped switch, so +hardware access does not require sleeping. But the felix driver is +preparing for the introduction of other switches where hardware access +is over a slow bus like SPI or MDIO: +https://lore.kernel.org/lkml/20210814025003.2449143-1-colin.foster@in-advantage.com/ + +So I would like to keep this code structure, so the rework needed when +that driver will need PTP support will be minimal (answer "yes, I need +deferred context for this skb's RX timestamp", then the partial +timestamp will still be found in the skb->cb. + +Fixes: ea440cd2d9b2 ("net: dsa: tag_ocelot: use VLAN information from tagging header when available") +Reported-by: Po Liu +Cc: Yangbo Lu +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/ocelot/felix.c | 9 +++------ + include/linux/dsa/ocelot.h | 1 + + net/dsa/tag_ocelot.c | 3 +++ + 3 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/dsa/ocelot/felix.c b/drivers/net/dsa/ocelot/felix.c +index 341236dcbdb47..6873d5a253afb 100644 +--- a/drivers/net/dsa/ocelot/felix.c ++++ b/drivers/net/dsa/ocelot/felix.c +@@ -1368,12 +1368,12 @@ out: + static bool felix_rxtstamp(struct dsa_switch *ds, int port, + struct sk_buff *skb, unsigned int type) + { +- u8 *extraction = skb->data - ETH_HLEN - OCELOT_TAG_LEN; ++ u32 tstamp_lo = OCELOT_SKB_CB(skb)->tstamp_lo; + struct skb_shared_hwtstamps *shhwtstamps; + struct ocelot *ocelot = ds->priv; +- u32 tstamp_lo, tstamp_hi; + struct timespec64 ts; +- u64 tstamp, val; ++ u32 tstamp_hi; ++ u64 tstamp; + + /* If the "no XTR IRQ" workaround is in use, tell DSA to defer this skb + * for RX timestamping. Then free it, and poll for its copy through +@@ -1388,9 +1388,6 @@ static bool felix_rxtstamp(struct dsa_switch *ds, int port, + ocelot_ptp_gettime64(&ocelot->ptp_info, &ts); + tstamp = ktime_set(ts.tv_sec, ts.tv_nsec); + +- ocelot_xfh_get_rew_val(extraction, &val); +- tstamp_lo = (u32)val; +- + tstamp_hi = tstamp >> 32; + if ((tstamp & 0xffffffff) < tstamp_lo) + tstamp_hi--; +diff --git a/include/linux/dsa/ocelot.h b/include/linux/dsa/ocelot.h +index 8ae999f587c48..289064b51fa9a 100644 +--- a/include/linux/dsa/ocelot.h ++++ b/include/linux/dsa/ocelot.h +@@ -12,6 +12,7 @@ + struct ocelot_skb_cb { + struct sk_buff *clone; + unsigned int ptp_class; /* valid only for clones */ ++ u32 tstamp_lo; + u8 ptp_cmd; + u8 ts_id; + }; +diff --git a/net/dsa/tag_ocelot.c b/net/dsa/tag_ocelot.c +index 605b51ca69210..6e0518aa3a4d2 100644 +--- a/net/dsa/tag_ocelot.c ++++ b/net/dsa/tag_ocelot.c +@@ -62,6 +62,7 @@ static struct sk_buff *ocelot_rcv(struct sk_buff *skb, + struct dsa_port *dp; + u8 *extraction; + u16 vlan_tpid; ++ u64 rew_val; + + /* Revert skb->data by the amount consumed by the DSA master, + * so it points to the beginning of the frame. +@@ -91,6 +92,7 @@ static struct sk_buff *ocelot_rcv(struct sk_buff *skb, + ocelot_xfh_get_qos_class(extraction, &qos_class); + ocelot_xfh_get_tag_type(extraction, &tag_type); + ocelot_xfh_get_vlan_tci(extraction, &vlan_tci); ++ ocelot_xfh_get_rew_val(extraction, &rew_val); + + skb->dev = dsa_master_find_slave(netdev, 0, src_port); + if (!skb->dev) +@@ -104,6 +106,7 @@ static struct sk_buff *ocelot_rcv(struct sk_buff *skb, + + dsa_default_offload_fwd_mark(skb); + skb->priority = qos_class; ++ OCELOT_SKB_CB(skb)->tstamp_lo = rew_val; + + /* Ocelot switches copy frames unmodified to the CPU. However, it is + * possible for the user to request a VLAN modification through +-- +2.33.0 + diff --git a/queue-5.15/net-dsa-flush-switchdev-workqueue-when-leaving-the-b.patch b/queue-5.15/net-dsa-flush-switchdev-workqueue-when-leaving-the-b.patch new file mode 100644 index 00000000000..c5d0c6be8dd --- /dev/null +++ b/queue-5.15/net-dsa-flush-switchdev-workqueue-when-leaving-the-b.patch @@ -0,0 +1,81 @@ +From adb6e98a98eb5504594d0d0f767637b20c9ccf0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 12:25:55 +0300 +Subject: net: dsa: flush switchdev workqueue when leaving the bridge + +From: Vladimir Oltean + +[ Upstream commit d7d0d423dbaa73fd0506e25971dfdab6bf185d00 ] + +DSA is preparing to offer switch drivers an API through which they can +associate each FDB entry with a struct net_device *bridge_dev. This can +be used to perform FDB isolation (the FDB lookup performed on the +ingress of a standalone, or bridged port, should not find an FDB entry +that is present in the FDB of another bridge). + +In preparation of that work, DSA needs to ensure that by the time we +call the switch .port_fdb_add and .port_fdb_del methods, the +dp->bridge_dev pointer is still valid, i.e. the port is still a bridge +port. + +This is not guaranteed because the SWITCHDEV_FDB_{ADD,DEL}_TO_DEVICE API +requires drivers that must have sleepable context to handle those events +to schedule the deferred work themselves. DSA does this through the +dsa_owq. + +It can happen that a port leaves a bridge, del_nbp() flushes the FDB on +that port, SWITCHDEV_FDB_DEL_TO_DEVICE is notified in atomic context, +DSA schedules its deferred work, but del_nbp() finishes unlinking the +bridge as a master from the port before DSA's deferred work is run. + +Fundamentally, the port must not be unlinked from the bridge until all +FDB deletion deferred work items have been flushed. The bridge must wait +for the completion of these hardware accesses. + +An attempt has been made to address this issue centrally in switchdev by +making SWITCHDEV_FDB_DEL_TO_DEVICE deferred (=> blocking) at the switchdev +level, which would offer implicit synchronization with del_nbp: + +https://patchwork.kernel.org/project/netdevbpf/cover/20210820115746.3701811-1-vladimir.oltean@nxp.com/ + +but it seems that any attempt to modify switchdev's behavior and make +the events blocking there would introduce undesirable side effects in +other switchdev consumers. + +The most undesirable behavior seems to be that +switchdev_deferred_process_work() takes the rtnl_mutex itself, which +would be worse off than having the rtnl_mutex taken individually from +drivers which is what we have now (except DSA which has removed that +lock since commit 0faf890fc519 ("net: dsa: drop rtnl_lock from +dsa_slave_switchdev_event_work")). + +So to offer the needed guarantee to DSA switch drivers, I have come up +with a compromise solution that does not require switchdev rework: +we already have a hook at the last moment in time when the bridge is +still an upper of ours: the NETDEV_PRECHANGEUPPER handler. We can flush +the dsa_owq manually from there, which makes all FDB deletions +synchronous. + +Signed-off-by: Vladimir Oltean +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/dsa/port.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/dsa/port.c b/net/dsa/port.c +index 616330a16d319..3947537ed46ba 100644 +--- a/net/dsa/port.c ++++ b/net/dsa/port.c +@@ -380,6 +380,8 @@ void dsa_port_pre_bridge_leave(struct dsa_port *dp, struct net_device *br) + switchdev_bridge_port_unoffload(brport_dev, dp, + &dsa_slave_switchdev_notifier, + &dsa_slave_switchdev_blocking_notifier); ++ ++ dsa_flush_workqueue(); + } + + void dsa_port_bridge_leave(struct dsa_port *dp, struct net_device *br) +-- +2.33.0 + diff --git a/queue-5.15/net-dsa-lantiq_gswip-serialize-access-to-the-pce-tab.patch b/queue-5.15/net-dsa-lantiq_gswip-serialize-access-to-the-pce-tab.patch new file mode 100644 index 00000000000..3f0986c3359 --- /dev/null +++ b/queue-5.15/net-dsa-lantiq_gswip-serialize-access-to-the-pce-tab.patch @@ -0,0 +1,121 @@ +From f5b48b051b089066c6f1db520ea689edeb5b2653 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 21:43:08 +0300 +Subject: net: dsa: lantiq_gswip: serialize access to the PCE table + +From: Vladimir Oltean + +[ Upstream commit 49753a75b9a32de4c0393bb8d1e51ea223fda8e4 ] + +Looking at the code, the GSWIP switch appears to hold bridging service +structures (VLANs, FDBs, forwarding rules) in PCE table entries. +Hardware access to the PCE table is non-atomic, and is comprised of +several register reads and writes. + +These accesses are currently serialized by the rtnl_lock, but DSA is +changing its driver API and that lock will no longer be held when +calling ->port_fdb_add() and ->port_fdb_del(). + +So this driver needs to serialize the access to the PCE table using its +own locking scheme. This patch adds that. + +Signed-off-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Acked-by: Hauke Mehrtens +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/lantiq_gswip.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/dsa/lantiq_gswip.c b/drivers/net/dsa/lantiq_gswip.c +index dbd4486a173ff..1a96df70d1e85 100644 +--- a/drivers/net/dsa/lantiq_gswip.c ++++ b/drivers/net/dsa/lantiq_gswip.c +@@ -276,6 +276,7 @@ struct gswip_priv { + int num_gphy_fw; + struct gswip_gphy_fw *gphy_fw; + u32 port_vlan_filter; ++ struct mutex pce_table_lock; + }; + + struct gswip_pce_table_entry { +@@ -523,10 +524,14 @@ static int gswip_pce_table_entry_read(struct gswip_priv *priv, + u16 addr_mode = tbl->key_mode ? GSWIP_PCE_TBL_CTRL_OPMOD_KSRD : + GSWIP_PCE_TBL_CTRL_OPMOD_ADRD; + ++ mutex_lock(&priv->pce_table_lock); ++ + err = gswip_switch_r_timeout(priv, GSWIP_PCE_TBL_CTRL, + GSWIP_PCE_TBL_CTRL_BAS); +- if (err) ++ if (err) { ++ mutex_unlock(&priv->pce_table_lock); + return err; ++ } + + gswip_switch_w(priv, tbl->index, GSWIP_PCE_TBL_ADDR); + gswip_switch_mask(priv, GSWIP_PCE_TBL_CTRL_ADDR_MASK | +@@ -536,8 +541,10 @@ static int gswip_pce_table_entry_read(struct gswip_priv *priv, + + err = gswip_switch_r_timeout(priv, GSWIP_PCE_TBL_CTRL, + GSWIP_PCE_TBL_CTRL_BAS); +- if (err) ++ if (err) { ++ mutex_unlock(&priv->pce_table_lock); + return err; ++ } + + for (i = 0; i < ARRAY_SIZE(tbl->key); i++) + tbl->key[i] = gswip_switch_r(priv, GSWIP_PCE_TBL_KEY(i)); +@@ -553,6 +560,8 @@ static int gswip_pce_table_entry_read(struct gswip_priv *priv, + tbl->valid = !!(crtl & GSWIP_PCE_TBL_CTRL_VLD); + tbl->gmap = (crtl & GSWIP_PCE_TBL_CTRL_GMAP_MASK) >> 7; + ++ mutex_unlock(&priv->pce_table_lock); ++ + return 0; + } + +@@ -565,10 +574,14 @@ static int gswip_pce_table_entry_write(struct gswip_priv *priv, + u16 addr_mode = tbl->key_mode ? GSWIP_PCE_TBL_CTRL_OPMOD_KSWR : + GSWIP_PCE_TBL_CTRL_OPMOD_ADWR; + ++ mutex_lock(&priv->pce_table_lock); ++ + err = gswip_switch_r_timeout(priv, GSWIP_PCE_TBL_CTRL, + GSWIP_PCE_TBL_CTRL_BAS); +- if (err) ++ if (err) { ++ mutex_unlock(&priv->pce_table_lock); + return err; ++ } + + gswip_switch_w(priv, tbl->index, GSWIP_PCE_TBL_ADDR); + gswip_switch_mask(priv, GSWIP_PCE_TBL_CTRL_ADDR_MASK | +@@ -600,8 +613,12 @@ static int gswip_pce_table_entry_write(struct gswip_priv *priv, + crtl |= GSWIP_PCE_TBL_CTRL_BAS; + gswip_switch_w(priv, crtl, GSWIP_PCE_TBL_CTRL); + +- return gswip_switch_r_timeout(priv, GSWIP_PCE_TBL_CTRL, +- GSWIP_PCE_TBL_CTRL_BAS); ++ err = gswip_switch_r_timeout(priv, GSWIP_PCE_TBL_CTRL, ++ GSWIP_PCE_TBL_CTRL_BAS); ++ ++ mutex_unlock(&priv->pce_table_lock); ++ ++ return err; + } + + /* Add the LAN port into a bridge with the CPU port by +@@ -2106,6 +2123,7 @@ static int gswip_probe(struct platform_device *pdev) + priv->ds->priv = priv; + priv->ds->ops = priv->hw_info->ops; + priv->dev = dev; ++ mutex_init(&priv->pce_table_lock); + version = gswip_switch_r(priv, GSWIP_VERSION); + + np = dev->of_node; +-- +2.33.0 + diff --git a/queue-5.15/net-dsa-mv88e6xxx-don-t-support-1g-speeds-on-6191x-o.patch b/queue-5.15/net-dsa-mv88e6xxx-don-t-support-1g-speeds-on-6191x-o.patch new file mode 100644 index 00000000000..79480bd12fa --- /dev/null +++ b/queue-5.15/net-dsa-mv88e6xxx-don-t-support-1g-speeds-on-6191x-o.patch @@ -0,0 +1,46 @@ +From 9b0d300e7158bb40b936d366ccf6ffd8a8410e67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 18:17:47 +0100 +Subject: net: dsa: mv88e6xxx: Don't support >1G speeds on 6191X on ports other + than 10 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit dc2fc9f03c5c410d8f01c2206b3d529f80b13733 ] + +Model 88E6191X only supports >1G speeds on port 10. Port 0 and 9 are +only 1G. + +Fixes: de776d0d316f ("net: dsa: mv88e6xxx: add support for mv88e6393x family") +Signed-off-by: Marek Behún +Cc: Russell King (Oracle) +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/20211104171747.10509-1-kabel@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 8dadcae93c9b5..be8589fa86a15 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -640,7 +640,10 @@ static void mv88e6393x_phylink_validate(struct mv88e6xxx_chip *chip, int port, + unsigned long *mask, + struct phylink_link_state *state) + { +- if (port == 0 || port == 9 || port == 10) { ++ bool is_6191x = ++ chip->info->prod_num == MV88E6XXX_PORT_SWITCH_ID_PROD_6191X; ++ ++ if (((port == 0 || port == 9) && !is_6191x) || port == 10) { + phylink_set(mask, 10000baseT_Full); + phylink_set(mask, 10000baseKR_Full); + phylink_set(mask, 10000baseCR_Full); +-- +2.33.0 + diff --git a/queue-5.15/net-dsa-rtl8366-fix-a-bug-in-deleting-vlans.patch b/queue-5.15/net-dsa-rtl8366-fix-a-bug-in-deleting-vlans.patch new file mode 100644 index 00000000000..985da0739c7 --- /dev/null +++ b/queue-5.15/net-dsa-rtl8366-fix-a-bug-in-deleting-vlans.patch @@ -0,0 +1,46 @@ +From f4bc2be2b11c9cff4061692e1ceb706b8308c896 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Sep 2021 00:59:28 +0200 +Subject: net: dsa: rtl8366: Fix a bug in deleting VLANs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Walleij + +[ Upstream commit d8251b9db34a2cbc5619b610e7e8aad1d165c531 ] + +We were checking that the MC (member config) was != 0 +for some reason, all we need to check is that the config +has no ports, i.e. no members. Then it can be recycled. +This must be some misunderstanding. + +Fixes: 4ddcaf1ebb5e ("net: dsa: rtl8366: Properly clear member config") +Cc: Mauri Sandberg +Cc: DENG Qingfang +Reviewed-by: Alvin Šipraga +Reviewed-by: Vladimir Oltean +Reviewed-by: Florian Fainelli +Signed-off-by: Linus Walleij +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/rtl8366.c b/drivers/net/dsa/rtl8366.c +index 75897a3690969..ffbe5b6b2655b 100644 +--- a/drivers/net/dsa/rtl8366.c ++++ b/drivers/net/dsa/rtl8366.c +@@ -457,7 +457,7 @@ int rtl8366_vlan_del(struct dsa_switch *ds, int port, + * anymore then clear the whole member + * config so it can be reused. + */ +- if (!vlanmc.member && vlanmc.untag) { ++ if (!vlanmc.member) { + vlanmc.vid = 0; + vlanmc.priority = 0; + vlanmc.fid = 0; +-- +2.33.0 + diff --git a/queue-5.15/net-dsa-rtl8366rb-fix-off-by-one-bug.patch b/queue-5.15/net-dsa-rtl8366rb-fix-off-by-one-bug.patch new file mode 100644 index 00000000000..58c96c27bac --- /dev/null +++ b/queue-5.15/net-dsa-rtl8366rb-fix-off-by-one-bug.patch @@ -0,0 +1,50 @@ +From c081e0ec2c16a862dcd4945b886b628300ea8e06 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Sep 2021 00:59:27 +0200 +Subject: net: dsa: rtl8366rb: Fix off-by-one bug +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Walleij + +[ Upstream commit 5f5f12f5d4b108399130bb5c11f07765851d9cdb ] + +The max VLAN number with non-4K VLAN activated is 15, and the +range is 0..15. Not 16. + +The impact should be low since we by default have 4K VLAN and +thus have 4095 VLANs to play with in this switch. There will +not be a problem unless the code is rewritten to only use +16 VLANs. + +Fixes: d8652956cf37 ("net: dsa: realtek-smi: Add Realtek SMI driver") +Cc: Mauri Sandberg +Cc: DENG Qingfang +Cc: Florian Fainelli +Reviewed-by: Alvin Šipraga +Reviewed-by: Vladimir Oltean +Signed-off-by: Linus Walleij +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/rtl8366rb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/dsa/rtl8366rb.c b/drivers/net/dsa/rtl8366rb.c +index a89093bc6c6ad..9e3b572ed999e 100644 +--- a/drivers/net/dsa/rtl8366rb.c ++++ b/drivers/net/dsa/rtl8366rb.c +@@ -1350,7 +1350,7 @@ static int rtl8366rb_set_mc_index(struct realtek_smi *smi, int port, int index) + + static bool rtl8366rb_is_vlan_valid(struct realtek_smi *smi, unsigned int vlan) + { +- unsigned int max = RTL8366RB_NUM_VLANS; ++ unsigned int max = RTL8366RB_NUM_VLANS - 1; + + if (smi->vlan4k_enabled) + max = RTL8366RB_NUM_VIDS - 1; +-- +2.33.0 + diff --git a/queue-5.15/net-enetc-unmap-dma-in-enetc_send_cmd.patch b/queue-5.15/net-enetc-unmap-dma-in-enetc_send_cmd.patch new file mode 100644 index 00000000000..49693d093cd --- /dev/null +++ b/queue-5.15/net-enetc-unmap-dma-in-enetc_send_cmd.patch @@ -0,0 +1,92 @@ +From e2b6eea13a66472846c34bcb36ed0212a4bbe42a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 12:19:50 -0600 +Subject: net: enetc: unmap DMA in enetc_send_cmd() + +From: Tim Gardner + +[ Upstream commit cd4bc63de774eee95e9bac26a565cd80e0fca421 ] + +Coverity complains of a possible dereference of a null return value. + + 5. returned_null: kzalloc returns NULL. [show details] + 6. var_assigned: Assigning: si_data = NULL return value from kzalloc. +488 si_data = kzalloc(data_size, __GFP_DMA | GFP_KERNEL); +489 cbd.length = cpu_to_le16(data_size); +490 +491 dma = dma_map_single(&priv->si->pdev->dev, si_data, +492 data_size, DMA_FROM_DEVICE); + +While this kzalloc() is unlikely to fail, I did notice that the function +returned without unmapping si_data. + +Fix this by refactoring the error paths and checking for kzalloc() +failure. + +Fixes: 888ae5a3952ba ("net: enetc: add tc flower psfp offload driver") +Cc: Claudiu Manoil +Cc: "David S. Miller" +Cc: Jakub Kicinski +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org (open list) +Signed-off-by: Tim Gardner +Acked-by: Claudiu Manoil +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/freescale/enetc/enetc_qos.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/enetc/enetc_qos.c b/drivers/net/ethernet/freescale/enetc/enetc_qos.c +index 4577226d3c6ad..0536d2c76fbc4 100644 +--- a/drivers/net/ethernet/freescale/enetc/enetc_qos.c ++++ b/drivers/net/ethernet/freescale/enetc/enetc_qos.c +@@ -486,14 +486,16 @@ static int enetc_streamid_hw_set(struct enetc_ndev_priv *priv, + + data_size = sizeof(struct streamid_data); + si_data = kzalloc(data_size, __GFP_DMA | GFP_KERNEL); ++ if (!si_data) ++ return -ENOMEM; + cbd.length = cpu_to_le16(data_size); + + dma = dma_map_single(&priv->si->pdev->dev, si_data, + data_size, DMA_FROM_DEVICE); + if (dma_mapping_error(&priv->si->pdev->dev, dma)) { + netdev_err(priv->si->ndev, "DMA mapping failed!\n"); +- kfree(si_data); +- return -ENOMEM; ++ err = -ENOMEM; ++ goto out; + } + + cbd.addr[0] = cpu_to_le32(lower_32_bits(dma)); +@@ -512,12 +514,10 @@ static int enetc_streamid_hw_set(struct enetc_ndev_priv *priv, + + err = enetc_send_cmd(priv->si, &cbd); + if (err) +- return -EINVAL; ++ goto out; + +- if (!enable) { +- kfree(si_data); +- return 0; +- } ++ if (!enable) ++ goto out; + + /* Enable the entry overwrite again incase space flushed by hardware */ + memset(&cbd, 0, sizeof(cbd)); +@@ -560,6 +560,10 @@ static int enetc_streamid_hw_set(struct enetc_ndev_priv *priv, + } + + err = enetc_send_cmd(priv->si, &cbd); ++out: ++ if (!dma_mapping_error(&priv->si->pdev->dev, dma)) ++ dma_unmap_single(&priv->si->pdev->dev, dma, data_size, DMA_FROM_DEVICE); ++ + kfree(si_data); + + return err; +-- +2.33.0 + diff --git a/queue-5.15/net-ethernet-ti-cpsw_ale-fix-access-to-un-initialize.patch b/queue-5.15/net-ethernet-ti-cpsw_ale-fix-access-to-un-initialize.patch new file mode 100644 index 00000000000..6f8783de06e --- /dev/null +++ b/queue-5.15/net-ethernet-ti-cpsw_ale-fix-access-to-un-initialize.patch @@ -0,0 +1,43 @@ +From 7b13b7e84aa4bc514a26e137024d066687a8d335 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 22:28:55 +0100 +Subject: net: ethernet: ti: cpsw_ale: Fix access to un-initialized memory + +From: Christophe JAILLET + +[ Upstream commit 7a166854b4e24c57d56b3eba9fe1594985ee0a2c ] + +It is spurious to allocate a bitmap without initializing it. +So, better safe than sorry, initialize it to 0 at least to have some known +values. + +While at it, switch to the devm_bitmap_ API which is less verbose. + +Fixes: 4b41d3436796 ("net: ethernet: ti: cpsw: allow untagged traffic on host port") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw_ale.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/ti/cpsw_ale.c b/drivers/net/ethernet/ti/cpsw_ale.c +index 0c75e0576ee1f..1ef0aaef5c61c 100644 +--- a/drivers/net/ethernet/ti/cpsw_ale.c ++++ b/drivers/net/ethernet/ti/cpsw_ale.c +@@ -1299,10 +1299,8 @@ struct cpsw_ale *cpsw_ale_create(struct cpsw_ale_params *params) + if (!ale) + return ERR_PTR(-ENOMEM); + +- ale->p0_untag_vid_mask = +- devm_kmalloc_array(params->dev, BITS_TO_LONGS(VLAN_N_VID), +- sizeof(unsigned long), +- GFP_KERNEL); ++ ale->p0_untag_vid_mask = devm_bitmap_zalloc(params->dev, VLAN_N_VID, ++ GFP_KERNEL); + if (!ale->p0_untag_vid_mask) + return ERR_PTR(-ENOMEM); + +-- +2.33.0 + diff --git a/queue-5.15/net-fealnx-fix-build-for-uml.patch b/queue-5.15/net-fealnx-fix-build-for-uml.patch new file mode 100644 index 00000000000..5d3c7a20443 --- /dev/null +++ b/queue-5.15/net-fealnx-fix-build-for-uml.patch @@ -0,0 +1,51 @@ +From 07456394f473ce43c0564e6ac5663ffbdf547c88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 22:05:00 -0700 +Subject: net: fealnx: fix build for UML +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit cd2621d07d517473611b170c69beb6524c677740 ] + +On i386, when builtin (not a loadable module), the fealnx driver +inspects boot_cpu_data to see what CPU family it is running on, and +then acts on that data. The "family" struct member (x86) does not exist +when running on UML, so prevent that test and do the default action. + +Prevents this build error on UML + i386: + +../drivers/net/ethernet/fealnx.c: In function ‘netdev_open’: +../drivers/net/ethernet/fealnx.c:861:19: error: ‘struct cpuinfo_um’ has no member named ‘x86’ + +Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver") +Signed-off-by: Randy Dunlap +Cc: linux-um@lists.infradead.org +Cc: Jeff Dike +Cc: Richard Weinberger +Cc: Anton Ivanov +Link: https://lore.kernel.org/r/20211014050500.5620-1-rdunlap@infradead.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/fealnx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/fealnx.c b/drivers/net/ethernet/fealnx.c +index 25c91b3c5fd30..819266d463b07 100644 +--- a/drivers/net/ethernet/fealnx.c ++++ b/drivers/net/ethernet/fealnx.c +@@ -857,7 +857,7 @@ static int netdev_open(struct net_device *dev) + np->bcrvalue |= 0x04; /* big-endian */ + #endif + +-#if defined(__i386__) && !defined(MODULE) ++#if defined(__i386__) && !defined(MODULE) && !defined(CONFIG_UML) + if (boot_cpu_data.x86 <= 4) + np->crvalue = 0xa00; + else +-- +2.33.0 + diff --git a/queue-5.15/net-hns3-allow-configure-ets-bandwidth-of-all-tcs.patch b/queue-5.15/net-hns3-allow-configure-ets-bandwidth-of-all-tcs.patch new file mode 100644 index 00000000000..412fe75dad2 --- /dev/null +++ b/queue-5.15/net-hns3-allow-configure-ets-bandwidth-of-all-tcs.patch @@ -0,0 +1,66 @@ +From 13bce78a0ea17615d461c9f1d7c2e209ebdaf64f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 21:42:56 +0800 +Subject: net: hns3: allow configure ETS bandwidth of all TCs + +From: Guangbin Huang + +[ Upstream commit 688db0c7a4a69ddc8b8143a1cac01eb20082a3aa ] + +Currently, driver only allow configuring ETS bandwidth of TCs according +to the max TC number queried from firmware. However, the hardware actually +supports 8 TCs and users may need to configure ETS bandwidth of all TCs, +so remove the restriction. + +Fixes: 330baff5423b ("net: hns3: add ETS TC weight setting in SSU module") +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c | 2 +- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 9 +-------- + 2 files changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +index 90013c131e949..375ebf105a9aa 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +@@ -129,7 +129,7 @@ static int hclge_ets_sch_mode_validate(struct hclge_dev *hdev, + u32 total_ets_bw = 0; + u8 i; + +- for (i = 0; i < hdev->tc_max; i++) { ++ for (i = 0; i < HNAE3_MAX_TC; i++) { + switch (ets->tc_tsa[i]) { + case IEEE_8021QAZ_TSA_STRICT: + if (hdev->tm_info.tc_info[i].tc_sch_mode != +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +index a50e2edbf4a0f..429652a8cde16 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +@@ -1123,7 +1123,6 @@ static int hclge_tm_pri_tc_base_dwrr_cfg(struct hclge_dev *hdev) + + static int hclge_tm_ets_tc_dwrr_cfg(struct hclge_dev *hdev) + { +-#define DEFAULT_TC_WEIGHT 1 + #define DEFAULT_TC_OFFSET 14 + + struct hclge_ets_tc_weight_cmd *ets_weight; +@@ -1136,13 +1135,7 @@ static int hclge_tm_ets_tc_dwrr_cfg(struct hclge_dev *hdev) + for (i = 0; i < HNAE3_MAX_TC; i++) { + struct hclge_pg_info *pg_info; + +- ets_weight->tc_weight[i] = DEFAULT_TC_WEIGHT; +- +- if (!(hdev->hw_tc_map & BIT(i))) +- continue; +- +- pg_info = +- &hdev->tm_info.pg_info[hdev->tm_info.tc_info[i].pgid]; ++ pg_info = &hdev->tm_info.pg_info[hdev->tm_info.tc_info[i].pgid]; + ets_weight->tc_weight[i] = pg_info->tc_dwrr[i]; + } + +-- +2.33.0 + diff --git a/queue-5.15/net-hns3-fix-kernel-crash-when-unload-vf-while-it-is.patch b/queue-5.15/net-hns3-fix-kernel-crash-when-unload-vf-while-it-is.patch new file mode 100644 index 00000000000..f0caae15c37 --- /dev/null +++ b/queue-5.15/net-hns3-fix-kernel-crash-when-unload-vf-while-it-is.patch @@ -0,0 +1,105 @@ +From 3983f9e102bcce6de4e558d255756969d46f37e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 21:42:53 +0800 +Subject: net: hns3: fix kernel crash when unload VF while it is being reset + +From: Yufeng Mo + +[ Upstream commit e140c7983e3054be0652bf914f4454f16c5520b0 ] + +When fully configure VLANs for a VF, then unload the VF while +triggering a reset to PF, will cause a kernel crash because the +irq is already uninit. + +[ 293.177579] ------------[ cut here ]------------ +[ 293.183502] kernel BUG at drivers/pci/msi.c:352! +[ 293.189547] Internal error: Oops - BUG: 0 [#1] SMP +...... +[ 293.390124] Workqueue: hclgevf hclgevf_service_task [hclgevf] +[ 293.402627] pstate: 80c00009 (Nzcv daif +PAN +UAO) +[ 293.414324] pc : free_msi_irqs+0x19c/0x1b8 +[ 293.425429] lr : free_msi_irqs+0x18c/0x1b8 +[ 293.436545] sp : ffff00002716fbb0 +[ 293.446950] x29: ffff00002716fbb0 x28: 0000000000000000 +[ 293.459519] x27: 0000000000000000 x26: ffff45b91ea16b00 +[ 293.472183] x25: 0000000000000000 x24: ffffa587b08f4700 +[ 293.484717] x23: ffffc591ac30e000 x22: ffffa587b08f8428 +[ 293.497190] x21: ffffc591ac30e300 x20: 0000000000000000 +[ 293.509594] x19: ffffa58a062a8300 x18: 0000000000000000 +[ 293.521949] x17: 0000000000000000 x16: ffff45b91dcc3f48 +[ 293.534013] x15: 0000000000000000 x14: 0000000000000000 +[ 293.545883] x13: 0000000000000040 x12: 0000000000000228 +[ 293.557508] x11: 0000000000000020 x10: 0000000000000040 +[ 293.568889] x9 : ffff45b91ea1e190 x8 : ffffc591802d0000 +[ 293.580123] x7 : ffffc591802d0148 x6 : 0000000000000120 +[ 293.591190] x5 : ffffc591802d0000 x4 : 0000000000000000 +[ 293.602015] x3 : 0000000000000000 x2 : 0000000000000000 +[ 293.612624] x1 : 00000000000004a4 x0 : ffffa58a1e0c6b80 +[ 293.623028] Call trace: +[ 293.630340] free_msi_irqs+0x19c/0x1b8 +[ 293.638849] pci_disable_msix+0x118/0x140 +[ 293.647452] pci_free_irq_vectors+0x20/0x38 +[ 293.656081] hclgevf_uninit_msi+0x44/0x58 [hclgevf] +[ 293.665309] hclgevf_reset_rebuild+0x1ac/0x2e0 [hclgevf] +[ 293.674866] hclgevf_reset+0x358/0x400 [hclgevf] +[ 293.683545] hclgevf_reset_service_task+0xd0/0x1b0 [hclgevf] +[ 293.693325] hclgevf_service_task+0x4c/0x2e8 [hclgevf] +[ 293.702307] process_one_work+0x1b0/0x448 +[ 293.710034] worker_thread+0x54/0x468 +[ 293.717331] kthread+0x134/0x138 +[ 293.724114] ret_from_fork+0x10/0x18 +[ 293.731324] Code: f940b000 b4ffff00 a903e7b8 f90017b6 (d4210000) + +This patch fixes the problem by waiting for the VF reset done +while unloading the VF. + +Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support") +Signed-off-by: Yufeng Mo +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 +++++ + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 2 ++ + 2 files changed, 7 insertions(+) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index 4cf34f1693544..3b8bde58613a8 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -3010,7 +3010,10 @@ static void hclgevf_uninit_client_instance(struct hnae3_client *client, + + /* un-init roce, if it exists */ + if (hdev->roce_client) { ++ while (test_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state)) ++ msleep(HCLGEVF_WAIT_RESET_DONE); + clear_bit(HCLGEVF_STATE_ROCE_REGISTERED, &hdev->state); ++ + hdev->roce_client->ops->uninit_instance(&hdev->roce, 0); + hdev->roce_client = NULL; + hdev->roce.client = NULL; +@@ -3019,6 +3022,8 @@ static void hclgevf_uninit_client_instance(struct hnae3_client *client, + /* un-init nic/unic, if this was not called by roce client */ + if (client->ops->uninit_instance && hdev->nic_client && + client->type != HNAE3_CLIENT_ROCE) { ++ while (test_bit(HCLGEVF_STATE_RST_HANDLING, &hdev->state)) ++ msleep(HCLGEVF_WAIT_RESET_DONE); + clear_bit(HCLGEVF_STATE_NIC_REGISTERED, &hdev->state); + + client->ops->uninit_instance(&hdev->nic, 0); +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h +index 4bd922b475012..f6f736c0091c0 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h +@@ -109,6 +109,8 @@ + #define HCLGEVF_VF_RST_ING 0x07008 + #define HCLGEVF_VF_RST_ING_BIT BIT(16) + ++#define HCLGEVF_WAIT_RESET_DONE 100 ++ + #define HCLGEVF_RSS_IND_TBL_SIZE 512 + #define HCLGEVF_RSS_SET_BITMAP_MSK 0xffff + #define HCLGEVF_RSS_KEY_SIZE 40 +-- +2.33.0 + diff --git a/queue-5.15/net-hns3-fix-pfc-packet-number-incorrect-after-query.patch b/queue-5.15/net-hns3-fix-pfc-packet-number-incorrect-after-query.patch new file mode 100644 index 00000000000..a4a4cb4a2c4 --- /dev/null +++ b/queue-5.15/net-hns3-fix-pfc-packet-number-incorrect-after-query.patch @@ -0,0 +1,225 @@ +From 2317d88ceb2a0fbc94a01fafa084f7f80620c63f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 21:42:51 +0800 +Subject: net: hns3: fix pfc packet number incorrect after querying pfc + parameters + +From: Jie Wang + +[ Upstream commit 0b653a81a26d66ffe526a54c2177e24fb1400301 ] + +Currently, driver will send command to firmware to query pfc packet number +when user uses dcb tool to get pfc parameters. However, the periodic +service task will also periodically query and record MAC statistics, +including pfc packet number. + +As the hardware registers of statistics is cleared after reading, it will +cause pfc packet number of MAC statistics are not correct after using dcb +tool to get pfc parameters. + +To fix this problem, when user uses dcb tool to get pfc parameters, driver +updates MAC statistics firstly and then get pfc packet number from MAC +statistics. + +Fixes: 64fd2300fcc1 ("net: hns3: add support for querying pfc puase packets statistic") +Signed-off-by: Jie Wang +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../hisilicon/hns3/hns3pf/hclge_dcb.c | 18 ++--- + .../hisilicon/hns3/hns3pf/hclge_main.c | 4 +- + .../hisilicon/hns3/hns3pf/hclge_main.h | 4 ++ + .../ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 68 +++++++++---------- + .../ethernet/hisilicon/hns3/hns3pf/hclge_tm.h | 4 +- + 5 files changed, 48 insertions(+), 50 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +index 91cb578f56b80..90013c131e949 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_dcb.c +@@ -286,28 +286,24 @@ err_out: + + static int hclge_ieee_getpfc(struct hnae3_handle *h, struct ieee_pfc *pfc) + { +- u64 requests[HNAE3_MAX_TC], indications[HNAE3_MAX_TC]; + struct hclge_vport *vport = hclge_get_vport(h); + struct hclge_dev *hdev = vport->back; + int ret; +- u8 i; + + memset(pfc, 0, sizeof(*pfc)); + pfc->pfc_cap = hdev->pfc_max; + pfc->pfc_en = hdev->tm_info.pfc_en; + +- ret = hclge_pfc_tx_stats_get(hdev, requests); +- if (ret) ++ ret = hclge_mac_update_stats(hdev); ++ if (ret) { ++ dev_err(&hdev->pdev->dev, ++ "failed to update MAC stats, ret = %d.\n", ret); + return ret; ++ } + +- ret = hclge_pfc_rx_stats_get(hdev, indications); +- if (ret) +- return ret; ++ hclge_pfc_tx_stats_get(hdev, pfc->requests); ++ hclge_pfc_rx_stats_get(hdev, pfc->indications); + +- for (i = 0; i < HCLGE_MAX_TC_NUM; i++) { +- pfc->requests[i] = requests[i]; +- pfc->indications[i] = indications[i]; +- } + return 0; + } + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index ffd85cd297ef3..66c407d0d507e 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -26,8 +26,6 @@ + #include "hclge_devlink.h" + + #define HCLGE_NAME "hclge" +-#define HCLGE_STATS_READ(p, offset) (*(u64 *)((u8 *)(p) + (offset))) +-#define HCLGE_MAC_STATS_FIELD_OFF(f) (offsetof(struct hclge_mac_stats, f)) + + #define HCLGE_BUF_SIZE_UNIT 256U + #define HCLGE_BUF_MUL_BY 2 +@@ -548,7 +546,7 @@ static int hclge_mac_query_reg_num(struct hclge_dev *hdev, u32 *desc_num) + return 0; + } + +-static int hclge_mac_update_stats(struct hclge_dev *hdev) ++int hclge_mac_update_stats(struct hclge_dev *hdev) + { + u32 desc_num; + int ret; +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h +index 9111b8c84d786..2fa6e14c96e5b 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h +@@ -824,6 +824,9 @@ struct hclge_vf_vlan_cfg { + (y) = (_k_ ^ ~_v_) & (_k_); \ + } while (0) + ++#define HCLGE_MAC_STATS_FIELD_OFF(f) (offsetof(struct hclge_mac_stats, f)) ++#define HCLGE_STATS_READ(p, offset) (*(u64 *)((u8 *)(p) + (offset))) ++ + #define HCLGE_MAC_TNL_LOG_SIZE 8 + #define HCLGE_VPORT_NUM 256 + struct hclge_dev { +@@ -1136,4 +1139,5 @@ void hclge_inform_vf_promisc_info(struct hclge_vport *vport); + int hclge_dbg_dump_rst_info(struct hclge_dev *hdev, char *buf, int len); + int hclge_push_vf_link_status(struct hclge_vport *vport); + int hclge_enable_vport_vlan_filter(struct hclge_vport *vport, bool request_en); ++int hclge_mac_update_stats(struct hclge_dev *hdev); + #endif +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +index 95074e91a8466..a50e2edbf4a0f 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +@@ -113,50 +113,50 @@ static int hclge_shaper_para_calc(u32 ir, u8 shaper_level, + return 0; + } + +-static int hclge_pfc_stats_get(struct hclge_dev *hdev, +- enum hclge_opcode_type opcode, u64 *stats) +-{ +- struct hclge_desc desc[HCLGE_TM_PFC_PKT_GET_CMD_NUM]; +- int ret, i, j; +- +- if (!(opcode == HCLGE_OPC_QUERY_PFC_RX_PKT_CNT || +- opcode == HCLGE_OPC_QUERY_PFC_TX_PKT_CNT)) +- return -EINVAL; +- +- for (i = 0; i < HCLGE_TM_PFC_PKT_GET_CMD_NUM - 1; i++) { +- hclge_cmd_setup_basic_desc(&desc[i], opcode, true); +- desc[i].flag |= cpu_to_le16(HCLGE_CMD_FLAG_NEXT); +- } +- +- hclge_cmd_setup_basic_desc(&desc[i], opcode, true); ++static const u16 hclge_pfc_tx_stats_offset[] = { ++ HCLGE_MAC_STATS_FIELD_OFF(mac_tx_pfc_pri0_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_tx_pfc_pri1_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_tx_pfc_pri2_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_tx_pfc_pri3_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_tx_pfc_pri4_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_tx_pfc_pri5_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_tx_pfc_pri6_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_tx_pfc_pri7_pkt_num) ++}; + +- ret = hclge_cmd_send(&hdev->hw, desc, HCLGE_TM_PFC_PKT_GET_CMD_NUM); +- if (ret) +- return ret; ++static const u16 hclge_pfc_rx_stats_offset[] = { ++ HCLGE_MAC_STATS_FIELD_OFF(mac_rx_pfc_pri0_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_rx_pfc_pri1_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_rx_pfc_pri2_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_rx_pfc_pri3_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_rx_pfc_pri4_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_rx_pfc_pri5_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_rx_pfc_pri6_pkt_num), ++ HCLGE_MAC_STATS_FIELD_OFF(mac_rx_pfc_pri7_pkt_num) ++}; + +- for (i = 0; i < HCLGE_TM_PFC_PKT_GET_CMD_NUM; i++) { +- struct hclge_pfc_stats_cmd *pfc_stats = +- (struct hclge_pfc_stats_cmd *)desc[i].data; ++static void hclge_pfc_stats_get(struct hclge_dev *hdev, bool tx, u64 *stats) ++{ ++ const u16 *offset; ++ int i; + +- for (j = 0; j < HCLGE_TM_PFC_NUM_GET_PER_CMD; j++) { +- u32 index = i * HCLGE_TM_PFC_PKT_GET_CMD_NUM + j; ++ if (tx) ++ offset = hclge_pfc_tx_stats_offset; ++ else ++ offset = hclge_pfc_rx_stats_offset; + +- if (index < HCLGE_MAX_TC_NUM) +- stats[index] = +- le64_to_cpu(pfc_stats->pkt_num[j]); +- } +- } +- return 0; ++ for (i = 0; i < HCLGE_MAX_TC_NUM; i++) ++ stats[i] = HCLGE_STATS_READ(&hdev->mac_stats, offset[i]); + } + +-int hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats) ++void hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats) + { +- return hclge_pfc_stats_get(hdev, HCLGE_OPC_QUERY_PFC_RX_PKT_CNT, stats); ++ hclge_pfc_stats_get(hdev, false, stats); + } + +-int hclge_pfc_tx_stats_get(struct hclge_dev *hdev, u64 *stats) ++void hclge_pfc_tx_stats_get(struct hclge_dev *hdev, u64 *stats) + { +- return hclge_pfc_stats_get(hdev, HCLGE_OPC_QUERY_PFC_TX_PKT_CNT, stats); ++ hclge_pfc_stats_get(hdev, true, stats); + } + + int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx) +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +index 2ee9b795f71dc..1db7f40b45255 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h +@@ -228,8 +228,8 @@ int hclge_tm_dwrr_cfg(struct hclge_dev *hdev); + int hclge_tm_init_hw(struct hclge_dev *hdev, bool init); + int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx); + int hclge_pause_addr_cfg(struct hclge_dev *hdev, const u8 *mac_addr); +-int hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats); +-int hclge_pfc_tx_stats_get(struct hclge_dev *hdev, u64 *stats); ++void hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats); ++void hclge_pfc_tx_stats_get(struct hclge_dev *hdev, u64 *stats); + int hclge_tm_qs_shaper_cfg(struct hclge_vport *vport, int max_tx_rate); + int hclge_tm_get_qset_num(struct hclge_dev *hdev, u16 *qset_num); + int hclge_tm_get_pri_num(struct hclge_dev *hdev, u8 *pri_num); +-- +2.33.0 + diff --git a/queue-5.15/net-hns3-fix-roce-base-interrupt-vector-initializati.patch b/queue-5.15/net-hns3-fix-roce-base-interrupt-vector-initializati.patch new file mode 100644 index 00000000000..10d6de2c02c --- /dev/null +++ b/queue-5.15/net-hns3-fix-roce-base-interrupt-vector-initializati.patch @@ -0,0 +1,109 @@ +From 7c8e5bf0444073f54cf6e91fad6e8fa67f6b1176 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 21:42:50 +0800 +Subject: net: hns3: fix ROCE base interrupt vector initialization bug + +From: Jie Wang + +[ Upstream commit beb27ca451a57a1c0e52b5268703f3c3173c1f8c ] + +Currently, NIC init ROCE interrupt vector with MSIX interrupt. But ROCE use +pci_irq_vector() to get interrupt vector, which adds the relative interrupt +vector again and gets wrong interrupt vector. + +So fixes it by assign relative interrupt vector to ROCE instead of MSIX +interrupt vector and delete the unused struct member base_msi_vector +declaration of hclgevf_dev. + +Fixes: 46a3df9f9718 ("net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support") +Signed-off-by: Jie Wang +Signed-off-by: Guangbin Huang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 6 +----- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h | 2 -- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 +---- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h | 2 -- + 4 files changed, 2 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +index d891390d492f6..ffd85cd297ef3 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +@@ -2498,7 +2498,7 @@ static int hclge_init_roce_base_info(struct hclge_vport *vport) + if (hdev->num_msi < hdev->num_nic_msi + hdev->num_roce_msi) + return -EINVAL; + +- roce->rinfo.base_vector = hdev->roce_base_vector; ++ roce->rinfo.base_vector = hdev->num_nic_msi; + + roce->rinfo.netdev = nic->kinfo.netdev; + roce->rinfo.roce_io_base = hdev->hw.io_base; +@@ -2534,10 +2534,6 @@ static int hclge_init_msi(struct hclge_dev *hdev) + hdev->num_msi = vectors; + hdev->num_msi_left = vectors; + +- hdev->base_msi_vector = pdev->irq; +- hdev->roce_base_vector = hdev->base_msi_vector + +- hdev->num_nic_msi; +- + hdev->vector_status = devm_kcalloc(&pdev->dev, hdev->num_msi, + sizeof(u16), GFP_KERNEL); + if (!hdev->vector_status) { +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h +index 69cd8f87b4c86..9111b8c84d786 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.h +@@ -876,12 +876,10 @@ struct hclge_dev { + u16 num_msi; + u16 num_msi_left; + u16 num_msi_used; +- u32 base_msi_vector; + u16 *vector_status; + int *vector_irq; + u16 num_nic_msi; /* Num of nic vectors for this PF */ + u16 num_roce_msi; /* Num of roce vectors for this PF */ +- int roce_base_vector; + + unsigned long service_timer_period; + unsigned long service_timer_previous; +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +index cf00ad7bb881f..4cf34f1693544 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -2557,7 +2557,7 @@ static int hclgevf_init_roce_base_info(struct hclgevf_dev *hdev) + hdev->num_msi_left == 0) + return -EINVAL; + +- roce->rinfo.base_vector = hdev->roce_base_vector; ++ roce->rinfo.base_vector = hdev->roce_base_msix_offset; + + roce->rinfo.netdev = nic->kinfo.netdev; + roce->rinfo.roce_io_base = hdev->hw.io_base; +@@ -2823,9 +2823,6 @@ static int hclgevf_init_msi(struct hclgevf_dev *hdev) + hdev->num_msi = vectors; + hdev->num_msi_left = vectors; + +- hdev->base_msi_vector = pdev->irq; +- hdev->roce_base_vector = pdev->irq + hdev->roce_base_msix_offset; +- + hdev->vector_status = devm_kcalloc(&pdev->dev, hdev->num_msi, + sizeof(u16), GFP_KERNEL); + if (!hdev->vector_status) { +diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h +index 28288d7e33032..4bd922b475012 100644 +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.h +@@ -308,8 +308,6 @@ struct hclgevf_dev { + u16 num_nic_msix; /* Num of nic vectors for this VF */ + u16 num_roce_msix; /* Num of roce vectors for this VF */ + u16 roce_base_msix_offset; +- int roce_base_vector; +- u32 base_msi_vector; + u16 *vector_status; + int *vector_irq; + +-- +2.33.0 + diff --git a/queue-5.15/net-intel-igc_ptp-fix-build-for-uml.patch b/queue-5.15/net-intel-igc_ptp-fix-build-for-uml.patch new file mode 100644 index 00000000000..807e8e0a537 --- /dev/null +++ b/queue-5.15/net-intel-igc_ptp-fix-build-for-uml.patch @@ -0,0 +1,57 @@ +From 3b2eb18c7ba51fecb7a8c456f4ec89e4536cc76c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 22:05:16 -0700 +Subject: net: intel: igc_ptp: fix build for UML +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 523994ba3ad1b7b55abe4a72e156897b5e2db825 ] + +On a UML build, the igc_ptp driver uses CONFIG_X86_TSC for timestamp +conversion. The function that is used is not available on UML builds, +so have the function use the default system_counterval_t timestamp +instead for UML builds. + +Prevents this build error on UML: + +../drivers/net/ethernet/intel/igc/igc_ptp.c: In function ‘igc_device_tstamp_to_system’: +../drivers/net/ethernet/intel/igc/igc_ptp.c:777:9: error: implicit declaration of function ‘convert_art_ns_to_tsc’ [-Werror=implicit-function-declaration] + return convert_art_ns_to_tsc(tstamp); +../drivers/net/ethernet/intel/igc/igc_ptp.c:777:9: error: incompatible types when returning type ‘int’ but ‘struct system_counterval_t’ was expected + return convert_art_ns_to_tsc(tstamp); + +Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver") +Signed-off-by: Randy Dunlap +Cc: linux-um@lists.infradead.org +Cc: Jeff Dike +Cc: Richard Weinberger +Cc: Anton Ivanov +Cc: Jesse Brandeburg +Cc: Tony Nguyen +Cc: intel-wired-lan@lists.osuosl.org +Link: https://lore.kernel.org/r/20211014050516.6846-1-rdunlap@infradead.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igc/igc_ptp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igc/igc_ptp.c b/drivers/net/ethernet/intel/igc/igc_ptp.c +index 0f021909b430a..30568e3544cda 100644 +--- a/drivers/net/ethernet/intel/igc/igc_ptp.c ++++ b/drivers/net/ethernet/intel/igc/igc_ptp.c +@@ -773,7 +773,7 @@ static bool igc_is_crosststamp_supported(struct igc_adapter *adapter) + + static struct system_counterval_t igc_device_tstamp_to_system(u64 tstamp) + { +-#if IS_ENABLED(CONFIG_X86_TSC) ++#if IS_ENABLED(CONFIG_X86_TSC) && !defined(CONFIG_UML) + return convert_art_ns_to_tsc(tstamp); + #else + return (struct system_counterval_t) { }; +-- +2.33.0 + diff --git a/queue-5.15/net-marvell-mvpp2-fix-wrong-serdes-reconfiguration-o.patch b/queue-5.15/net-marvell-mvpp2-fix-wrong-serdes-reconfiguration-o.patch new file mode 100644 index 00000000000..9887a321dde --- /dev/null +++ b/queue-5.15/net-marvell-mvpp2-fix-wrong-serdes-reconfiguration-o.patch @@ -0,0 +1,199 @@ +From c3c517637712157e2fca534d50047e55441f83a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 22:49:18 +0100 +Subject: net: marvell: mvpp2: Fix wrong SerDes reconfiguration order +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit bb7bbb6e36474933540c24ae1f1ad651b843981f ] + +Commit bfe301ebbc94 ("net: mvpp2: convert to use +mac_prepare()/mac_finish()") introduced a bug wherein it leaves the MAC +RESET register asserted after mac_finish(), due to wrong order of +function calls. + +Before it was: + .mac_config() + mvpp22_mode_reconfigure() + assert reset + mvpp2_xlg_config() + deassert reset + +Now it is: + .mac_prepare() + .mac_config() + mvpp2_xlg_config() + deassert reset + .mac_finish() + mvpp2_xlg_config() + assert reset + +Obviously this is wrong. + +This bug is triggered when phylink tries to change the PHY interface +mode from a GMAC mode (sgmii, 1000base-x, 2500base-x) to XLG mode +(10gbase-r, xaui). The XLG mode does not work since reset is left +asserted. Only after + ifconfig down && ifconfig up +is called will the XLG mode work. + +Move the call to mvpp22_mode_reconfigure() to .mac_prepare() +implementation. Since some of the subsequent functions need to know +whether the interface is being changed, we unfortunately also need to +pass around the new interface mode before setting port->phy_interface. + +Fixes: bfe301ebbc94 ("net: mvpp2: convert to use mac_prepare()/mac_finish()") +Signed-off-by: Marek Behún +Signed-off-by: Russell King (Oracle) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../net/ethernet/marvell/mvpp2/mvpp2_main.c | 38 ++++++++++--------- + 1 file changed, 20 insertions(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +index d5c92e43f89e6..d74d4966b13fc 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c +@@ -1605,7 +1605,7 @@ static void mvpp22_gop_fca_set_periodic_timer(struct mvpp2_port *port) + mvpp22_gop_fca_enable_periodic(port, true); + } + +-static int mvpp22_gop_init(struct mvpp2_port *port) ++static int mvpp22_gop_init(struct mvpp2_port *port, phy_interface_t interface) + { + struct mvpp2 *priv = port->priv; + u32 val; +@@ -1613,7 +1613,7 @@ static int mvpp22_gop_init(struct mvpp2_port *port) + if (!priv->sysctrl_base) + return 0; + +- switch (port->phy_interface) { ++ switch (interface) { + case PHY_INTERFACE_MODE_RGMII: + case PHY_INTERFACE_MODE_RGMII_ID: + case PHY_INTERFACE_MODE_RGMII_RXID: +@@ -1743,15 +1743,15 @@ static void mvpp22_gop_setup_irq(struct mvpp2_port *port) + * lanes by the physical layer. This is why configurations like + * "PPv2 (2500BaseX) - COMPHY (2500SGMII)" are valid. + */ +-static int mvpp22_comphy_init(struct mvpp2_port *port) ++static int mvpp22_comphy_init(struct mvpp2_port *port, ++ phy_interface_t interface) + { + int ret; + + if (!port->comphy) + return 0; + +- ret = phy_set_mode_ext(port->comphy, PHY_MODE_ETHERNET, +- port->phy_interface); ++ ret = phy_set_mode_ext(port->comphy, PHY_MODE_ETHERNET, interface); + if (ret) + return ret; + +@@ -2172,7 +2172,8 @@ static void mvpp22_pcs_reset_assert(struct mvpp2_port *port) + writel(val & ~MVPP22_XPCS_CFG0_RESET_DIS, xpcs + MVPP22_XPCS_CFG0); + } + +-static void mvpp22_pcs_reset_deassert(struct mvpp2_port *port) ++static void mvpp22_pcs_reset_deassert(struct mvpp2_port *port, ++ phy_interface_t interface) + { + struct mvpp2 *priv = port->priv; + void __iomem *mpcs, *xpcs; +@@ -2184,7 +2185,7 @@ static void mvpp22_pcs_reset_deassert(struct mvpp2_port *port) + mpcs = priv->iface_base + MVPP22_MPCS_BASE(port->gop_id); + xpcs = priv->iface_base + MVPP22_XPCS_BASE(port->gop_id); + +- switch (port->phy_interface) { ++ switch (interface) { + case PHY_INTERFACE_MODE_10GBASER: + val = readl(mpcs + MVPP22_MPCS_CLK_RESET); + val |= MAC_CLK_RESET_MAC | MAC_CLK_RESET_SD_RX | +@@ -4529,7 +4530,8 @@ static int mvpp2_poll(struct napi_struct *napi, int budget) + return rx_done; + } + +-static void mvpp22_mode_reconfigure(struct mvpp2_port *port) ++static void mvpp22_mode_reconfigure(struct mvpp2_port *port, ++ phy_interface_t interface) + { + u32 ctrl3; + +@@ -4540,18 +4542,18 @@ static void mvpp22_mode_reconfigure(struct mvpp2_port *port) + mvpp22_pcs_reset_assert(port); + + /* comphy reconfiguration */ +- mvpp22_comphy_init(port); ++ mvpp22_comphy_init(port, interface); + + /* gop reconfiguration */ +- mvpp22_gop_init(port); ++ mvpp22_gop_init(port, interface); + +- mvpp22_pcs_reset_deassert(port); ++ mvpp22_pcs_reset_deassert(port, interface); + + if (mvpp2_port_supports_xlg(port)) { + ctrl3 = readl(port->base + MVPP22_XLG_CTRL3_REG); + ctrl3 &= ~MVPP22_XLG_CTRL3_MACMODESELECT_MASK; + +- if (mvpp2_is_xlg(port->phy_interface)) ++ if (mvpp2_is_xlg(interface)) + ctrl3 |= MVPP22_XLG_CTRL3_MACMODESELECT_10G; + else + ctrl3 |= MVPP22_XLG_CTRL3_MACMODESELECT_GMAC; +@@ -4559,7 +4561,7 @@ static void mvpp22_mode_reconfigure(struct mvpp2_port *port) + writel(ctrl3, port->base + MVPP22_XLG_CTRL3_REG); + } + +- if (mvpp2_port_supports_xlg(port) && mvpp2_is_xlg(port->phy_interface)) ++ if (mvpp2_port_supports_xlg(port) && mvpp2_is_xlg(interface)) + mvpp2_xlg_max_rx_size_set(port); + else + mvpp2_gmac_max_rx_size_set(port); +@@ -4579,7 +4581,7 @@ static void mvpp2_start_dev(struct mvpp2_port *port) + mvpp2_interrupts_enable(port); + + if (port->priv->hw_version >= MVPP22) +- mvpp22_mode_reconfigure(port); ++ mvpp22_mode_reconfigure(port, port->phy_interface); + + if (port->phylink) { + phylink_start(port->phylink); +@@ -6477,6 +6479,9 @@ static int mvpp2__mac_prepare(struct phylink_config *config, unsigned int mode, + mvpp22_gop_mask_irq(port); + + phy_power_off(port->comphy); ++ ++ /* Reconfigure the serdes lanes */ ++ mvpp22_mode_reconfigure(port, interface); + } + } + +@@ -6531,9 +6536,6 @@ static int mvpp2_mac_finish(struct phylink_config *config, unsigned int mode, + port->phy_interface != interface) { + port->phy_interface = interface; + +- /* Reconfigure the serdes lanes */ +- mvpp22_mode_reconfigure(port); +- + /* Unmask interrupts */ + mvpp22_gop_unmask_irq(port); + } +@@ -6960,7 +6962,7 @@ static int mvpp2_port_probe(struct platform_device *pdev, + * driver does this, we can remove this code. + */ + if (port->comphy) { +- err = mvpp22_comphy_init(port); ++ err = mvpp22_comphy_init(port, port->phy_interface); + if (err == 0) + phy_power_off(port->comphy); + } +-- +2.33.0 + diff --git a/queue-5.15/net-mlx5-accept-devlink-user-input-after-driver-init.patch b/queue-5.15/net-mlx5-accept-devlink-user-input-after-driver-init.patch new file mode 100644 index 00000000000..9a87b9d73be --- /dev/null +++ b/queue-5.15/net-mlx5-accept-devlink-user-input-after-driver-init.patch @@ -0,0 +1,275 @@ +From 955ab8ead54bc8ace90eb147ae96613fe55c9fee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Sep 2021 14:22:50 +0300 +Subject: net/mlx5: Accept devlink user input after driver initialization + complete + +From: Leon Romanovsky + +[ Upstream commit 64ea2d0e7263b67d8efc93fa1baace041ed36d1e ] + +The change of devlink_alloc() to accept device makes sure that device +is fully initialized and device_register() does nothing except allowing +users to use that devlink instance. + +Such change ensures that no user input will be usable till that point and +it eliminates the need to worry about internal locking as long as devlink_register +is called last since all accesses to the devlink are during initialization. + +This change fixes the following lockdep warning. + + ====================================================== + WARNING: possible circular locking dependency detected + 5.14.0-rc2+ #27 Not tainted + ------------------------------------------------------ + devlink/265 is trying to acquire lock: + ffff8880133c2bc0 (&dev->intf_state_mutex){+.+.}-{3:3}, at: mlx5_unload_one+0x1e/0xa0 [mlx5_core] + but task is already holding lock: + ffffffff8362b468 (devlink_mutex){+.+.}-{3:3}, at: devlink_nl_pre_doit+0x2b/0x8d0 + which lock already depends on the new lock. + the existing dependency chain (in reverse order) is: + + -> #1 (devlink_mutex){+.+.}-{3:3}: + __mutex_lock+0x149/0x1310 + devlink_register+0xe7/0x280 + mlx5_devlink_register+0x118/0x480 [mlx5_core] + mlx5_init_one+0x34b/0x440 [mlx5_core] + probe_one+0x480/0x6e0 [mlx5_core] + pci_device_probe+0x2a0/0x4a0 + really_probe+0x1cb/0xba0 + __driver_probe_device+0x18f/0x470 + driver_probe_device+0x49/0x120 + __driver_attach+0x1ce/0x400 + bus_for_each_dev+0x11e/0x1a0 + bus_add_driver+0x309/0x570 + driver_register+0x20f/0x390 + 0xffffffffa04a0062 + do_one_initcall+0xd5/0x400 + do_init_module+0x1c8/0x760 + load_module+0x7d9d/0xa4b0 + __do_sys_finit_module+0x118/0x1a0 + do_syscall_64+0x3d/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + -> #0 (&dev->intf_state_mutex){+.+.}-{3:3}: + __lock_acquire+0x2999/0x5a40 + lock_acquire+0x1a9/0x4a0 + __mutex_lock+0x149/0x1310 + mlx5_unload_one+0x1e/0xa0 [mlx5_core] + mlx5_devlink_reload_down+0x185/0x2b0 [mlx5_core] + devlink_reload+0x1f2/0x640 + devlink_nl_cmd_reload+0x6c3/0x10d0 + genl_family_rcv_msg_doit+0x1e9/0x2f0 + genl_rcv_msg+0x27f/0x4a0 + netlink_rcv_skb+0x11e/0x340 + genl_rcv+0x24/0x40 + netlink_unicast+0x433/0x700 + netlink_sendmsg+0x6fb/0xbe0 + sock_sendmsg+0xb0/0xe0 + __sys_sendto+0x192/0x240 + __x64_sys_sendto+0xdc/0x1b0 + do_syscall_64+0x3d/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + + other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(devlink_mutex); + lock(&dev->intf_state_mutex); + lock(devlink_mutex); + lock(&dev->intf_state_mutex); + + *** DEADLOCK *** + + 3 locks held by devlink/265: + #0: ffffffff836371d0 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40 + #1: ffffffff83637288 (genl_mutex){+.+.}-{3:3}, at: genl_rcv_msg+0x31a/0x4a0 + #2: ffffffff8362b468 (devlink_mutex){+.+.}-{3:3}, at: devlink_nl_pre_doit+0x2b/0x8d0 + + stack backtrace: + CPU: 0 PID: 265 Comm: devlink Not tainted 5.14.0-rc2+ #27 + Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 + Call Trace: + dump_stack_lvl+0x45/0x59 + check_noncircular+0x268/0x310 + ? print_circular_bug+0x460/0x460 + ? __kernel_text_address+0xe/0x30 + ? alloc_chain_hlocks+0x1e6/0x5a0 + __lock_acquire+0x2999/0x5a40 + ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0 + ? add_lock_to_list.constprop.0+0x6c/0x530 + lock_acquire+0x1a9/0x4a0 + ? mlx5_unload_one+0x1e/0xa0 [mlx5_core] + ? lock_release+0x6c0/0x6c0 + ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0 + ? lock_is_held_type+0x98/0x110 + __mutex_lock+0x149/0x1310 + ? mlx5_unload_one+0x1e/0xa0 [mlx5_core] + ? lock_is_held_type+0x98/0x110 + ? mlx5_unload_one+0x1e/0xa0 [mlx5_core] + ? find_held_lock+0x2d/0x110 + ? mutex_lock_io_nested+0x1160/0x1160 + ? mlx5_lag_is_active+0x72/0x90 [mlx5_core] + ? lock_downgrade+0x6d0/0x6d0 + ? do_raw_spin_lock+0x12e/0x270 + ? rwlock_bug.part.0+0x90/0x90 + ? mlx5_unload_one+0x1e/0xa0 [mlx5_core] + mlx5_unload_one+0x1e/0xa0 [mlx5_core] + mlx5_devlink_reload_down+0x185/0x2b0 [mlx5_core] + ? netlink_broadcast_filtered+0x308/0xac0 + ? mlx5_devlink_info_get+0x1f0/0x1f0 [mlx5_core] + ? __build_skb_around+0x110/0x2b0 + ? __alloc_skb+0x113/0x2b0 + devlink_reload+0x1f2/0x640 + ? devlink_unregister+0x1e0/0x1e0 + ? security_capable+0x51/0x90 + devlink_nl_cmd_reload+0x6c3/0x10d0 + ? devlink_nl_cmd_get_doit+0x1e0/0x1e0 + ? devlink_nl_pre_doit+0x72/0x8d0 + genl_family_rcv_msg_doit+0x1e9/0x2f0 + ? __lock_acquire+0x15e2/0x5a40 + ? genl_family_rcv_msg_attrs_parse.constprop.0+0x240/0x240 + ? mutex_lock_io_nested+0x1160/0x1160 + ? security_capable+0x51/0x90 + genl_rcv_msg+0x27f/0x4a0 + ? genl_get_cmd+0x3c0/0x3c0 + ? lock_acquire+0x1a9/0x4a0 + ? devlink_nl_cmd_get_doit+0x1e0/0x1e0 + ? lock_release+0x6c0/0x6c0 + netlink_rcv_skb+0x11e/0x340 + ? genl_get_cmd+0x3c0/0x3c0 + ? netlink_ack+0x930/0x930 + genl_rcv+0x24/0x40 + netlink_unicast+0x433/0x700 + ? netlink_attachskb+0x750/0x750 + ? __alloc_skb+0x113/0x2b0 + netlink_sendmsg+0x6fb/0xbe0 + ? netlink_unicast+0x700/0x700 + ? netlink_unicast+0x700/0x700 + sock_sendmsg+0xb0/0xe0 + __sys_sendto+0x192/0x240 + ? __x64_sys_getpeername+0xb0/0xb0 + ? do_sys_openat2+0x10a/0x370 + ? down_write_nested+0x150/0x150 + ? do_user_addr_fault+0x215/0xd50 + ? __x64_sys_openat+0x11f/0x1d0 + ? __x64_sys_open+0x1a0/0x1a0 + __x64_sys_sendto+0xdc/0x1b0 + ? syscall_enter_from_user_mode+0x1d/0x50 + do_syscall_64+0x3d/0x90 + entry_SYSCALL_64_after_hwframe+0x44/0xae + RIP: 0033:0x7f50b50b6b3a + Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 76 c3 0f 1f 44 00 00 55 48 83 ec 30 44 89 4c + RSP: 002b:00007fff6c0d3f38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f50b50b6b3a + RDX: 0000000000000038 RSI: 000055763ac08440 RDI: 0000000000000003 + RBP: 000055763ac08410 R08: 00007f50b5192200 R09: 000000000000000c + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 + R13: 0000000000000000 R14: 000055763ac08410 R15: 000055763ac08440 + mlx5_core 0000:00:09.0: firmware version: 4.8.9999 + mlx5_core 0000:00:09.0: 0.000 Gb/s available PCIe bandwidth (8.0 GT/s PCIe x255 link) + mlx5_core 0000:00:09.0 eth1: Link up + +Fixes: a6f3b62386a0 ("net/mlx5: Move devlink registration before interfaces load") +Signed-off-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 12 ++---------- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 ++ + .../net/ethernet/mellanox/mlx5/core/sf/dev/driver.c | 2 ++ + 3 files changed, 6 insertions(+), 10 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c +index 7d56a927081d0..d7576b6fa43b7 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c +@@ -793,14 +793,11 @@ int mlx5_devlink_register(struct devlink *devlink) + { + int err; + +- err = devlink_register(devlink); +- if (err) +- return err; +- + err = devlink_params_register(devlink, mlx5_devlink_params, + ARRAY_SIZE(mlx5_devlink_params)); + if (err) +- goto params_reg_err; ++ return err; ++ + mlx5_devlink_set_params_init_values(devlink); + + err = mlx5_devlink_auxdev_params_register(devlink); +@@ -811,7 +808,6 @@ int mlx5_devlink_register(struct devlink *devlink) + if (err) + goto traps_reg_err; + +- devlink_params_publish(devlink); + return 0; + + traps_reg_err: +@@ -819,17 +815,13 @@ traps_reg_err: + auxdev_reg_err: + devlink_params_unregister(devlink, mlx5_devlink_params, + ARRAY_SIZE(mlx5_devlink_params)); +-params_reg_err: +- devlink_unregister(devlink); + return err; + } + + void mlx5_devlink_unregister(struct devlink *devlink) + { +- devlink_params_unpublish(devlink); + mlx5_devlink_traps_unregister(devlink); + mlx5_devlink_auxdev_params_unregister(devlink); + devlink_params_unregister(devlink, mlx5_devlink_params, + ARRAY_SIZE(mlx5_devlink_params)); +- devlink_unregister(devlink); + } +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c +index 79482824c64ff..92b08fa07efae 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -1537,6 +1537,7 @@ static int probe_one(struct pci_dev *pdev, const struct pci_device_id *id) + dev_err(&pdev->dev, "mlx5_crdump_enable failed with error code %d\n", err); + + pci_save_state(pdev); ++ devlink_register(devlink); + if (!mlx5_core_is_mp_slave(dev)) + devlink_reload_enable(devlink); + return 0; +@@ -1559,6 +1560,7 @@ static void remove_one(struct pci_dev *pdev) + struct devlink *devlink = priv_to_devlink(dev); + + devlink_reload_disable(devlink); ++ devlink_unregister(devlink); + mlx5_crdump_disable(dev); + mlx5_drain_health_wq(dev); + mlx5_uninit_one(dev); +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +index 052f48068dc16..3cf272fa21646 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/sf/dev/driver.c +@@ -46,6 +46,7 @@ static int mlx5_sf_dev_probe(struct auxiliary_device *adev, const struct auxilia + mlx5_core_warn(mdev, "mlx5_init_one err=%d\n", err); + goto init_one_err; + } ++ devlink_register(devlink); + devlink_reload_enable(devlink); + return 0; + +@@ -65,6 +66,7 @@ static void mlx5_sf_dev_remove(struct auxiliary_device *adev) + + devlink = priv_to_devlink(sf_dev->mdev); + devlink_reload_disable(devlink); ++ devlink_unregister(devlink); + mlx5_uninit_one(sf_dev->mdev); + iounmap(sf_dev->mdev->iseg); + mlx5_mdev_uninit(sf_dev->mdev); +-- +2.33.0 + diff --git a/queue-5.15/net-mlx5-publish-and-unpublish-all-devlink-parameter.patch b/queue-5.15/net-mlx5-publish-and-unpublish-all-devlink-parameter.patch new file mode 100644 index 00000000000..366c0892aac --- /dev/null +++ b/queue-5.15/net-mlx5-publish-and-unpublish-all-devlink-parameter.patch @@ -0,0 +1,114 @@ +From ba77c43da5ed31912245e173b61d97b5c6b446f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 15:58:28 +0300 +Subject: net/mlx5: Publish and unpublish all devlink parameters at once + +From: Leon Romanovsky + +[ Upstream commit e9310aed8e6a5003abb2aa6b9229d2fb9ceb9e85 ] + +The devlink parameters were published in two steps despite being static +and known in advance. + +First step was to use devlink_params_publish() which iterated over all +known up to that point parameters and sent notification messages. +In second step, the call was devlink_param_publish() that looped over +same parameters list and sent notification for new parameters. + +In order to simplify the API, move devlink_params_publish() to be called +when all parameters were already added and save the need to iterate over +parameters list again. + +As a side effect, this change fixes the error unwind flow in which +parameters were not marked as unpublished. + +Fixes: 82e6c96f04e1 ("net/mlx5: Register to devlink ingress VLAN filter trap") +Signed-off-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c +index dcf9f27ba2efd..7d56a927081d0 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c +@@ -625,7 +625,6 @@ static int mlx5_devlink_eth_param_register(struct devlink *devlink) + devlink_param_driverinit_value_set(devlink, + DEVLINK_PARAM_GENERIC_ID_ENABLE_ETH, + value); +- devlink_param_publish(devlink, &enable_eth_param); + return 0; + } + +@@ -636,7 +635,6 @@ static void mlx5_devlink_eth_param_unregister(struct devlink *devlink) + if (!mlx5_eth_supported(dev)) + return; + +- devlink_param_unpublish(devlink, &enable_eth_param); + devlink_param_unregister(devlink, &enable_eth_param); + } + +@@ -672,7 +670,6 @@ static int mlx5_devlink_rdma_param_register(struct devlink *devlink) + devlink_param_driverinit_value_set(devlink, + DEVLINK_PARAM_GENERIC_ID_ENABLE_RDMA, + value); +- devlink_param_publish(devlink, &enable_rdma_param); + return 0; + } + +@@ -681,7 +678,6 @@ static void mlx5_devlink_rdma_param_unregister(struct devlink *devlink) + if (!IS_ENABLED(CONFIG_MLX5_INFINIBAND)) + return; + +- devlink_param_unpublish(devlink, &enable_rdma_param); + devlink_param_unregister(devlink, &enable_rdma_param); + } + +@@ -706,7 +702,6 @@ static int mlx5_devlink_vnet_param_register(struct devlink *devlink) + devlink_param_driverinit_value_set(devlink, + DEVLINK_PARAM_GENERIC_ID_ENABLE_VNET, + value); +- devlink_param_publish(devlink, &enable_rdma_param); + return 0; + } + +@@ -717,7 +712,6 @@ static void mlx5_devlink_vnet_param_unregister(struct devlink *devlink) + if (!mlx5_vnet_supported(dev)) + return; + +- devlink_param_unpublish(devlink, &enable_vnet_param); + devlink_param_unregister(devlink, &enable_vnet_param); + } + +@@ -808,7 +802,6 @@ int mlx5_devlink_register(struct devlink *devlink) + if (err) + goto params_reg_err; + mlx5_devlink_set_params_init_values(devlink); +- devlink_params_publish(devlink); + + err = mlx5_devlink_auxdev_params_register(devlink); + if (err) +@@ -818,6 +811,7 @@ int mlx5_devlink_register(struct devlink *devlink) + if (err) + goto traps_reg_err; + ++ devlink_params_publish(devlink); + return 0; + + traps_reg_err: +@@ -832,9 +826,9 @@ params_reg_err: + + void mlx5_devlink_unregister(struct devlink *devlink) + { ++ devlink_params_unpublish(devlink); + mlx5_devlink_traps_unregister(devlink); + mlx5_devlink_auxdev_params_unregister(devlink); +- devlink_params_unpublish(devlink); + devlink_params_unregister(devlink, mlx5_devlink_params, + ARRAY_SIZE(mlx5_devlink_params)); + devlink_unregister(devlink); +-- +2.33.0 + diff --git a/queue-5.15/net-neigh-fix-ntf_ext_learned-in-combination-with-nt.patch b/queue-5.15/net-neigh-fix-ntf_ext_learned-in-combination-with-nt.patch new file mode 100644 index 00000000000..6e6d1aab188 --- /dev/null +++ b/queue-5.15/net-neigh-fix-ntf_ext_learned-in-combination-with-nt.patch @@ -0,0 +1,111 @@ +From 53e8fe90103805a0db8cd06768bceb2e28530449 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 14:12:35 +0200 +Subject: net, neigh: Fix NTF_EXT_LEARNED in combination with NTF_USE + +From: Daniel Borkmann + +[ Upstream commit e4400bbf5b15750e1b59bf4722d18d99be60c69f ] + +The NTF_EXT_LEARNED neigh flag is usually propagated back to user space +upon dump of the neighbor table. However, when used in combination with +NTF_USE flag this is not the case despite exempting the entry from the +garbage collector. This results in inconsistent state since entries are +typically marked in neigh->flags with NTF_EXT_LEARNED, but here they are +not. Fix it by propagating the creation flag to ___neigh_create(). + +Before fix: + + # ./ip/ip n replace 192.168.178.30 dev enp5s0 use extern_learn + # ./ip/ip n + 192.168.178.30 dev enp5s0 lladdr f4:8c:50:5e:71:9a REACHABLE + [...] + +After fix: + + # ./ip/ip n replace 192.168.178.30 dev enp5s0 use extern_learn + # ./ip/ip n + 192.168.178.30 dev enp5s0 lladdr f4:8c:50:5e:71:9a extern_learn REACHABLE + [...] + +Fixes: 9ce33e46531d ("neighbour: support for NTF_EXT_LEARNED flag") +Signed-off-by: Daniel Borkmann +Acked-by: Roopa Prabhu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/neighbour.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 2d5bc3a75faec..8457d5f97022b 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -379,7 +379,7 @@ EXPORT_SYMBOL(neigh_ifdown); + + static struct neighbour *neigh_alloc(struct neigh_table *tbl, + struct net_device *dev, +- bool exempt_from_gc) ++ u8 flags, bool exempt_from_gc) + { + struct neighbour *n = NULL; + unsigned long now = jiffies; +@@ -412,6 +412,7 @@ do_alloc: + n->updated = n->used = now; + n->nud_state = NUD_NONE; + n->output = neigh_blackhole; ++ n->flags = flags; + seqlock_init(&n->hh.hh_lock); + n->parms = neigh_parms_clone(&tbl->parms); + timer_setup(&n->timer, neigh_timer_handler, 0); +@@ -575,19 +576,18 @@ struct neighbour *neigh_lookup_nodev(struct neigh_table *tbl, struct net *net, + } + EXPORT_SYMBOL(neigh_lookup_nodev); + +-static struct neighbour *___neigh_create(struct neigh_table *tbl, +- const void *pkey, +- struct net_device *dev, +- bool exempt_from_gc, bool want_ref) ++static struct neighbour * ++___neigh_create(struct neigh_table *tbl, const void *pkey, ++ struct net_device *dev, u8 flags, ++ bool exempt_from_gc, bool want_ref) + { +- struct neighbour *n1, *rc, *n = neigh_alloc(tbl, dev, exempt_from_gc); +- u32 hash_val; +- unsigned int key_len = tbl->key_len; +- int error; ++ u32 hash_val, key_len = tbl->key_len; ++ struct neighbour *n1, *rc, *n; + struct neigh_hash_table *nht; ++ int error; + ++ n = neigh_alloc(tbl, dev, flags, exempt_from_gc); + trace_neigh_create(tbl, dev, pkey, n, exempt_from_gc); +- + if (!n) { + rc = ERR_PTR(-ENOBUFS); + goto out; +@@ -674,7 +674,7 @@ out_neigh_release: + struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey, + struct net_device *dev, bool want_ref) + { +- return ___neigh_create(tbl, pkey, dev, false, want_ref); ++ return ___neigh_create(tbl, pkey, dev, 0, false, want_ref); + } + EXPORT_SYMBOL(__neigh_create); + +@@ -1942,7 +1942,9 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh, + + exempt_from_gc = ndm->ndm_state & NUD_PERMANENT || + ndm->ndm_flags & NTF_EXT_LEARNED; +- neigh = ___neigh_create(tbl, dst, dev, exempt_from_gc, true); ++ neigh = ___neigh_create(tbl, dst, dev, ++ ndm->ndm_flags & NTF_EXT_LEARNED, ++ exempt_from_gc, true); + if (IS_ERR(neigh)) { + err = PTR_ERR(neigh); + goto out; +-- +2.33.0 + diff --git a/queue-5.15/net-net_namespace-fix-undefined-member-in-key_remove.patch b/queue-5.15/net-net_namespace-fix-undefined-member-in-key_remove.patch new file mode 100644 index 00000000000..6c254d77605 --- /dev/null +++ b/queue-5.15/net-net_namespace-fix-undefined-member-in-key_remove.patch @@ -0,0 +1,47 @@ +From cfff5c162bc4bc1be406502d20578f2030e44f9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 17:04:10 +0800 +Subject: net: net_namespace: Fix undefined member in key_remove_domain() + +From: Yajun Deng + +[ Upstream commit aed0826b0cf2e488900ab92193893e803d65c070 ] + +The key_domain member in struct net only exists if we define CONFIG_KEYS. +So we should add the define when we used key_domain. + +Fixes: 9b242610514f ("keys: Network namespace domain tag") +Signed-off-by: Yajun Deng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/net_namespace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c +index a448a9b5bb2d6..202fa5eacd0f9 100644 +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -473,7 +473,9 @@ struct net *copy_net_ns(unsigned long flags, + + if (rv < 0) { + put_userns: ++#ifdef CONFIG_KEYS + key_remove_domain(net->key_domain); ++#endif + put_user_ns(user_ns); + net_free(net); + dec_ucounts: +@@ -605,7 +607,9 @@ static void cleanup_net(struct work_struct *work) + list_for_each_entry_safe(net, tmp, &net_exit_list, exit_list) { + list_del_init(&net->exit_list); + dec_net_namespaces(net->ucounts); ++#ifdef CONFIG_KEYS + key_remove_domain(net->key_domain); ++#endif + put_user_ns(net->user_ns); + net_free(net); + } +-- +2.33.0 + diff --git a/queue-5.15/net-phy-fix-duplex-out-of-sync-problem-while-changin.patch b/queue-5.15/net-phy-fix-duplex-out-of-sync-problem-while-changin.patch new file mode 100644 index 00000000000..e2de64b238c --- /dev/null +++ b/queue-5.15/net-phy-fix-duplex-out-of-sync-problem-while-changin.patch @@ -0,0 +1,53 @@ +From bb39bb618d05b229ea4e225a541361ee6db306bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 22:08:28 +0100 +Subject: net: phy: fix duplex out of sync problem while changing settings + +From: Heiner Kallweit + +[ Upstream commit a4db9055fdb9cf607775c66d39796caf6439ec92 ] + +As reported by Zhang there's a small issue if in forced mode the duplex +mode changes with the link staying up [0]. In this case the MAC isn't +notified about the change. + +The proposed patch relies on the phylib state machine and ignores the +fact that there are drivers that uses phylib but not the phylib state +machine. So let's don't change the behavior for such drivers and fix +it w/o re-adding state PHY_FORCING for the case that phylib state +machine is used. + +[0] https://lore.kernel.org/netdev/a5c26ffd-4ee4-a5e6-4103-873208ce0dc5@huawei.com/T/ + +Fixes: 2bd229df5e2e ("net: phy: remove state PHY_FORCING") +Reported-by: Zhang Changzhong +Tested-by: Zhang Changzhong +Signed-off-by: Heiner Kallweit +Link: https://lore.kernel.org/r/7b8b9456-a93f-abbc-1dc5-a2c2542f932c@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c +index a3bfb156c83d7..beb2b66da1324 100644 +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -815,7 +815,12 @@ int phy_ethtool_ksettings_set(struct phy_device *phydev, + phydev->mdix_ctrl = cmd->base.eth_tp_mdix_ctrl; + + /* Restart the PHY */ +- _phy_start_aneg(phydev); ++ if (phy_is_started(phydev)) { ++ phydev->state = PHY_UP; ++ phy_trigger_machine(phydev); ++ } else { ++ _phy_start_aneg(phydev); ++ } + + mutex_unlock(&phydev->lock); + return 0; +-- +2.33.0 + diff --git a/queue-5.15/net-phy-micrel-make-skew-ps-check-more-lenient.patch b/queue-5.15/net-phy-micrel-make-skew-ps-check-more-lenient.patch new file mode 100644 index 00000000000..4f061278367 --- /dev/null +++ b/queue-5.15/net-phy-micrel-make-skew-ps-check-more-lenient.patch @@ -0,0 +1,43 @@ +From d46115585f90e31245a85f7fbbb072be4b2282e6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 12:34:02 +0200 +Subject: net: phy: micrel: make *-skew-ps check more lenient + +From: Matthias Schiffer + +[ Upstream commit 67ca5159dbe2edb5dae7544447b8677d2596933a ] + +It seems reasonable to fine-tune only some of the skew values when using +one of the rgmii-*id PHY modes, and even when all skew values are +specified, using the correct ID PHY mode makes sense for documentation +purposes. Such a configuration also appears in the binding docs in +Documentation/devicetree/bindings/net/micrel-ksz90x1.txt, so the driver +should not warn about it. + +Signed-off-by: Matthias Schiffer +Link: https://lore.kernel.org/r/20211012103402.21438-1-matthias.schiffer@ew.tq-group.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 5c928f827173c..643b1c1827a92 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -863,9 +863,9 @@ static int ksz9031_config_init(struct phy_device *phydev) + MII_KSZ9031RN_TX_DATA_PAD_SKEW, 4, + tx_data_skews, 4, &update); + +- if (update && phydev->interface != PHY_INTERFACE_MODE_RGMII) ++ if (update && !phy_interface_is_rgmii(phydev)) + phydev_warn(phydev, +- "*-skew-ps values should be used only with phy-mode = \"rgmii\"\n"); ++ "*-skew-ps values should be used only with RGMII PHY modes\n"); + + /* Silicon Errata Sheet (DS80000691D or DS80000692D): + * When the device links in the 1000BASE-T slave mode only, +-- +2.33.0 + diff --git a/queue-5.15/net-phylink-avoid-mvneta-warning-when-setting-pause-.patch b/queue-5.15/net-phylink-avoid-mvneta-warning-when-setting-pause-.patch new file mode 100644 index 00000000000..bcb5107c416 --- /dev/null +++ b/queue-5.15/net-phylink-avoid-mvneta-warning-when-setting-pause-.patch @@ -0,0 +1,44 @@ +From 1dc13d3eb22a853ab6beaf9b8c9e8ba11afa0cad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 15:55:34 +0100 +Subject: net: phylink: avoid mvneta warning when setting pause parameters + +From: Russell King (Oracle) + +[ Upstream commit fd8d9731bcdfb22d28e45bce789bcb211c868c78 ] + +mvneta does not support asymetric pause modes, and it flags this by the +lack of AsymPause in the supported field. When setting pause modes, we +check that pause->rx_pause == pause->tx_pause, but only when pause +autoneg is enabled. When pause autoneg is disabled, we still allow +pause->rx_pause != pause->tx_pause, which is incorrect when the MAC +does not support asymetric pause, and causes mvneta to issue a warning. + +Fix this by removing the test for pause->autoneg, so we always check +that pause->rx_pause == pause->tx_pause for network devices that do not +support AsymPause. + +Fixes: 9525ae83959b ("phylink: add phylink infrastructure") +Signed-off-by: Russell King (Oracle) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phylink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 5a58c77d00022..7ec3105010ac1 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -1727,7 +1727,7 @@ int phylink_ethtool_set_pauseparam(struct phylink *pl, + return -EOPNOTSUPP; + + if (!phylink_test(pl->supported, Asym_Pause) && +- !pause->autoneg && pause->rx_pause != pause->tx_pause) ++ pause->rx_pause != pause->tx_pause) + return -EINVAL; + + pause_state = 0; +-- +2.33.0 + diff --git a/queue-5.15/net-phylink-don-t-call-netif_carrier_off-with-null-n.patch b/queue-5.15/net-phylink-don-t-call-netif_carrier_off-with-null-n.patch new file mode 100644 index 00000000000..fdf7d5d3f06 --- /dev/null +++ b/queue-5.15/net-phylink-don-t-call-netif_carrier_off-with-null-n.patch @@ -0,0 +1,42 @@ +From a0d608aeb3f25ab9856fc61a4d3fb9f84f3880a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Sep 2021 14:36:31 +0100 +Subject: net: phylink: don't call netif_carrier_off() with NULL netdev + +From: Russell King (Oracle) + +[ Upstream commit cbcca2e3961eac736566ac13ef0d0bf6f0b764ec ] + +Dan Carpenter points out that we have a code path that permits a NULL +netdev pointer to be passed to netif_carrier_off(), which will cause +a kernel oops. In any case, we need to set pl->old_link_state to false +to have the desired effect when there is no netdev present. + +Fixes: f97493657c63 ("net: phylink: add suspend/resume support") +Reported-by: Dan Carpenter +Signed-off-by: Russell King (Oracle) +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phylink.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/phylink.c b/drivers/net/phy/phylink.c +index 0a0abe8e4be0b..5a58c77d00022 100644 +--- a/drivers/net/phy/phylink.c ++++ b/drivers/net/phy/phylink.c +@@ -1333,7 +1333,10 @@ void phylink_suspend(struct phylink *pl, bool mac_wol) + * but one would hope all packets have been sent. This + * also means phylink_resolve() will do nothing. + */ +- netif_carrier_off(pl->netdev); ++ if (pl->netdev) ++ netif_carrier_off(pl->netdev); ++ else ++ pl->old_link_state = false; + + /* We do not call mac_link_down() here as we want the + * link to remain up to receive the WoL packets. +-- +2.33.0 + diff --git a/queue-5.15/net-sched-sch_taprio-fix-undefined-behavior-in-ktime.patch b/queue-5.15/net-sched-sch_taprio-fix-undefined-behavior-in-ktime.patch new file mode 100644 index 00000000000..482eb9de126 --- /dev/null +++ b/queue-5.15/net-sched-sch_taprio-fix-undefined-behavior-in-ktime.patch @@ -0,0 +1,138 @@ +From 111c97caf7fa9add48a74627e7749c81ce8794bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 10:08:15 -0800 +Subject: net/sched: sch_taprio: fix undefined behavior in ktime_mono_to_any + +From: Eric Dumazet + +[ Upstream commit 6dc25401cba4d428328eade8ceae717633fdd702 ] + +1) if q->tk_offset == TK_OFFS_MAX, then get_tcp_tstamp() calls + ktime_mono_to_any() with out-of-bound value. + +2) if q->tk_offset is changed in taprio_parse_clockid(), + taprio_get_time() might also call ktime_mono_to_any() + with out-of-bound value as sysbot found: + +UBSAN: array-index-out-of-bounds in kernel/time/timekeeping.c:908:27 +index 3 is out of range for type 'ktime_t *[3]' +CPU: 1 PID: 25668 Comm: kworker/u4:0 Not tainted 5.15.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:151 + __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:291 + ktime_mono_to_any+0x1d4/0x1e0 kernel/time/timekeeping.c:908 + get_tcp_tstamp net/sched/sch_taprio.c:322 [inline] + get_packet_txtime net/sched/sch_taprio.c:353 [inline] + taprio_enqueue_one+0x5b0/0x1460 net/sched/sch_taprio.c:420 + taprio_enqueue+0x3b1/0x730 net/sched/sch_taprio.c:485 + dev_qdisc_enqueue+0x40/0x300 net/core/dev.c:3785 + __dev_xmit_skb net/core/dev.c:3869 [inline] + __dev_queue_xmit+0x1f6e/0x3630 net/core/dev.c:4194 + batadv_send_skb_packet+0x4a9/0x5f0 net/batman-adv/send.c:108 + batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:393 [inline] + batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:421 [inline] + batadv_iv_send_outstanding_bat_ogm_packet+0x6d7/0x8e0 net/batman-adv/bat_iv_ogm.c:1701 + process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298 + worker_thread+0x658/0x11f0 kernel/workqueue.c:2445 + kthread+0x405/0x4f0 kernel/kthread.c:327 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 + +Fixes: 7ede7b03484b ("taprio: make clock reference conversions easier") +Fixes: 54002066100b ("taprio: Adjust timestamps for TCP packets") +Signed-off-by: Eric Dumazet +Cc: Vedang Patel +Reported-by: syzbot +Reviewed-by: Vinicius Costa Gomes +Link: https://lore.kernel.org/r/20211108180815.1822479-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_taprio.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c +index b9fd18d986464..a66398fb2d6d0 100644 +--- a/net/sched/sch_taprio.c ++++ b/net/sched/sch_taprio.c +@@ -95,18 +95,22 @@ static ktime_t sched_base_time(const struct sched_gate_list *sched) + return ns_to_ktime(sched->base_time); + } + +-static ktime_t taprio_get_time(struct taprio_sched *q) ++static ktime_t taprio_mono_to_any(const struct taprio_sched *q, ktime_t mono) + { +- ktime_t mono = ktime_get(); ++ /* This pairs with WRITE_ONCE() in taprio_parse_clockid() */ ++ enum tk_offsets tk_offset = READ_ONCE(q->tk_offset); + +- switch (q->tk_offset) { ++ switch (tk_offset) { + case TK_OFFS_MAX: + return mono; + default: +- return ktime_mono_to_any(mono, q->tk_offset); ++ return ktime_mono_to_any(mono, tk_offset); + } ++} + +- return KTIME_MAX; ++static ktime_t taprio_get_time(const struct taprio_sched *q) ++{ ++ return taprio_mono_to_any(q, ktime_get()); + } + + static void taprio_free_sched_cb(struct rcu_head *head) +@@ -319,7 +323,7 @@ static ktime_t get_tcp_tstamp(struct taprio_sched *q, struct sk_buff *skb) + return 0; + } + +- return ktime_mono_to_any(skb->skb_mstamp_ns, q->tk_offset); ++ return taprio_mono_to_any(q, skb->skb_mstamp_ns); + } + + /* There are a few scenarios where we will have to modify the txtime from +@@ -1352,6 +1356,7 @@ static int taprio_parse_clockid(struct Qdisc *sch, struct nlattr **tb, + } + } else if (tb[TCA_TAPRIO_ATTR_SCHED_CLOCKID]) { + int clockid = nla_get_s32(tb[TCA_TAPRIO_ATTR_SCHED_CLOCKID]); ++ enum tk_offsets tk_offset; + + /* We only support static clockids and we don't allow + * for it to be modified after the first init. +@@ -1366,22 +1371,24 @@ static int taprio_parse_clockid(struct Qdisc *sch, struct nlattr **tb, + + switch (clockid) { + case CLOCK_REALTIME: +- q->tk_offset = TK_OFFS_REAL; ++ tk_offset = TK_OFFS_REAL; + break; + case CLOCK_MONOTONIC: +- q->tk_offset = TK_OFFS_MAX; ++ tk_offset = TK_OFFS_MAX; + break; + case CLOCK_BOOTTIME: +- q->tk_offset = TK_OFFS_BOOT; ++ tk_offset = TK_OFFS_BOOT; + break; + case CLOCK_TAI: +- q->tk_offset = TK_OFFS_TAI; ++ tk_offset = TK_OFFS_TAI; + break; + default: + NL_SET_ERR_MSG(extack, "Invalid 'clockid'"); + err = -EINVAL; + goto out; + } ++ /* This pairs with READ_ONCE() in taprio_mono_to_any */ ++ WRITE_ONCE(q->tk_offset, tk_offset); + + q->clockid = clockid; + } else { +-- +2.33.0 + diff --git a/queue-5.15/net-sched-update-default-qdisc-visibility-after-tx-q.patch b/queue-5.15/net-sched-update-default-qdisc-visibility-after-tx-q.patch new file mode 100644 index 00000000000..b711a8653c6 --- /dev/null +++ b/queue-5.15/net-sched-update-default-qdisc-visibility-after-tx-q.patch @@ -0,0 +1,186 @@ +From 03652685c0ec90c178cddd9895ec2cae24c93710 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Sep 2021 15:53:30 -0700 +Subject: net: sched: update default qdisc visibility after Tx queue cnt + changes + +From: Jakub Kicinski + +[ Upstream commit 1e080f17750d1083e8a32f7b350584ae1cd7ff20 ] + +mq / mqprio make the default child qdiscs visible. They only do +so for the qdiscs which are within real_num_tx_queues when the +device is registered. Depending on order of calls in the driver, +or if user space changes config via ethtool -L the number of +qdiscs visible under tc qdisc show will differ from the number +of queues. This is confusing to users and potentially to system +configuration scripts which try to make sure qdiscs have the +right parameters. + +Add a new Qdisc_ops callback and make relevant qdiscs TTRT. + +Note that this uncovers the "shortcut" created by +commit 1f27cde313d7 ("net: sched: use pfifo_fast for non real queues") +The default child qdiscs beyond initial real_num_tx are always +pfifo_fast, no matter what the sysfs setting is. Fixing this +gets a little tricky because we'd need to keep a reference +on whatever the default qdisc was at the time of creation. +In practice this is likely an non-issue the qdiscs likely have +to be configured to non-default settings, so whatever user space +is doing such configuration can replace the pfifos... now that +it will see them. + +Reported-by: Matthew Massey +Reviewed-by: Dave Taht +Signed-off-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sch_generic.h | 4 ++++ + net/core/dev.c | 2 ++ + net/sched/sch_generic.c | 9 +++++++++ + net/sched/sch_mq.c | 24 ++++++++++++++++++++++++ + net/sched/sch_mqprio.c | 23 +++++++++++++++++++++++ + 5 files changed, 62 insertions(+) + +diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h +index c0069ac00e62d..8c2d611639fca 100644 +--- a/include/net/sch_generic.h ++++ b/include/net/sch_generic.h +@@ -308,6 +308,8 @@ struct Qdisc_ops { + struct netlink_ext_ack *extack); + void (*attach)(struct Qdisc *sch); + int (*change_tx_queue_len)(struct Qdisc *, unsigned int); ++ void (*change_real_num_tx)(struct Qdisc *sch, ++ unsigned int new_real_tx); + + int (*dump)(struct Qdisc *, struct sk_buff *); + int (*dump_stats)(struct Qdisc *, struct gnet_dump *); +@@ -684,6 +686,8 @@ void qdisc_class_hash_grow(struct Qdisc *, struct Qdisc_class_hash *); + void qdisc_class_hash_destroy(struct Qdisc_class_hash *); + + int dev_qdisc_change_tx_queue_len(struct net_device *dev); ++void dev_qdisc_change_real_num_tx(struct net_device *dev, ++ unsigned int new_real_tx); + void dev_init_scheduler(struct net_device *dev); + void dev_shutdown(struct net_device *dev); + void dev_activate(struct net_device *dev); +diff --git a/net/core/dev.c b/net/core/dev.c +index eb3a366bf212c..aa7a98fd2d64b 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2921,6 +2921,8 @@ int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq) + if (dev->num_tc) + netif_setup_tc(dev, txq); + ++ dev_qdisc_change_real_num_tx(dev, txq); ++ + dev->real_num_tx_queues = txq; + + if (disabling) { +diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c +index a8dd06c74e318..66d2fbe9ef501 100644 +--- a/net/sched/sch_generic.c ++++ b/net/sched/sch_generic.c +@@ -1330,6 +1330,15 @@ static int qdisc_change_tx_queue_len(struct net_device *dev, + return 0; + } + ++void dev_qdisc_change_real_num_tx(struct net_device *dev, ++ unsigned int new_real_tx) ++{ ++ struct Qdisc *qdisc = dev->qdisc; ++ ++ if (qdisc->ops->change_real_num_tx) ++ qdisc->ops->change_real_num_tx(qdisc, new_real_tx); ++} ++ + int dev_qdisc_change_tx_queue_len(struct net_device *dev) + { + bool up = dev->flags & IFF_UP; +diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c +index e79f1afe0cfd6..db18d8a860f9c 100644 +--- a/net/sched/sch_mq.c ++++ b/net/sched/sch_mq.c +@@ -125,6 +125,29 @@ static void mq_attach(struct Qdisc *sch) + priv->qdiscs = NULL; + } + ++static void mq_change_real_num_tx(struct Qdisc *sch, unsigned int new_real_tx) ++{ ++#ifdef CONFIG_NET_SCHED ++ struct net_device *dev = qdisc_dev(sch); ++ struct Qdisc *qdisc; ++ unsigned int i; ++ ++ for (i = new_real_tx; i < dev->real_num_tx_queues; i++) { ++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping; ++ /* Only update the default qdiscs we created, ++ * qdiscs with handles are always hashed. ++ */ ++ if (qdisc != &noop_qdisc && !qdisc->handle) ++ qdisc_hash_del(qdisc); ++ } ++ for (i = dev->real_num_tx_queues; i < new_real_tx; i++) { ++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping; ++ if (qdisc != &noop_qdisc && !qdisc->handle) ++ qdisc_hash_add(qdisc, false); ++ } ++#endif ++} ++ + static int mq_dump(struct Qdisc *sch, struct sk_buff *skb) + { + struct net_device *dev = qdisc_dev(sch); +@@ -288,6 +311,7 @@ struct Qdisc_ops mq_qdisc_ops __read_mostly = { + .init = mq_init, + .destroy = mq_destroy, + .attach = mq_attach, ++ .change_real_num_tx = mq_change_real_num_tx, + .dump = mq_dump, + .owner = THIS_MODULE, + }; +diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c +index 5eb3b1b7ae5e7..50e15add6068f 100644 +--- a/net/sched/sch_mqprio.c ++++ b/net/sched/sch_mqprio.c +@@ -306,6 +306,28 @@ static void mqprio_attach(struct Qdisc *sch) + priv->qdiscs = NULL; + } + ++static void mqprio_change_real_num_tx(struct Qdisc *sch, ++ unsigned int new_real_tx) ++{ ++ struct net_device *dev = qdisc_dev(sch); ++ struct Qdisc *qdisc; ++ unsigned int i; ++ ++ for (i = new_real_tx; i < dev->real_num_tx_queues; i++) { ++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping; ++ /* Only update the default qdiscs we created, ++ * qdiscs with handles are always hashed. ++ */ ++ if (qdisc != &noop_qdisc && !qdisc->handle) ++ qdisc_hash_del(qdisc); ++ } ++ for (i = dev->real_num_tx_queues; i < new_real_tx; i++) { ++ qdisc = netdev_get_tx_queue(dev, i)->qdisc_sleeping; ++ if (qdisc != &noop_qdisc && !qdisc->handle) ++ qdisc_hash_add(qdisc, false); ++ } ++} ++ + static struct netdev_queue *mqprio_queue_get(struct Qdisc *sch, + unsigned long cl) + { +@@ -629,6 +651,7 @@ static struct Qdisc_ops mqprio_qdisc_ops __read_mostly = { + .init = mqprio_init, + .destroy = mqprio_destroy, + .attach = mqprio_attach, ++ .change_real_num_tx = mqprio_change_real_num_tx, + .dump = mqprio_dump, + .owner = THIS_MODULE, + }; +-- +2.33.0 + diff --git a/queue-5.15/net-smc-fix-sk_refcnt-underflow-on-linkdown-and-fall.patch b/queue-5.15/net-smc-fix-sk_refcnt-underflow-on-linkdown-and-fall.patch new file mode 100644 index 00000000000..3eedb140408 --- /dev/null +++ b/queue-5.15/net-smc-fix-sk_refcnt-underflow-on-linkdown-and-fall.patch @@ -0,0 +1,110 @@ +From 15650f8dbdd5dfc36e15e7df4378d6f6dc7552d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Nov 2021 15:02:34 +0800 +Subject: net/smc: fix sk_refcnt underflow on linkdown and fallback + +From: Dust Li + +[ Upstream commit e5d5aadcf3cd59949316df49c27cb21788d7efe4 ] + +We got the following WARNING when running ab/nginx +test with RDMA link flapping (up-down-up). +The reason is when smc_sock fallback and at linkdown +happens simultaneously, we may got the following situation: + +__smc_lgr_terminate() + --> smc_conn_kill() + --> smc_close_active_abort() + smc_sock->sk_state = SMC_CLOSED + sock_put(smc_sock) + +smc_sock was set to SMC_CLOSED and sock_put() been called +when terminate the link group. But later application call +close() on the socket, then we got: + +__smc_release(): + if (smc_sock->fallback) + smc_sock->sk_state = SMC_CLOSED + sock_put(smc_sock) + +Again we set the smc_sock to CLOSED through it's already +in CLOSED state, and double put the refcnt, so the following +warning happens: + +refcount_t: underflow; use-after-free. +WARNING: CPU: 5 PID: 860 at lib/refcount.c:28 refcount_warn_saturate+0x8d/0xf0 +Modules linked in: +CPU: 5 PID: 860 Comm: nginx Not tainted 5.10.46+ #403 +Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8c24b4c 04/01/2014 +RIP: 0010:refcount_warn_saturate+0x8d/0xf0 +Code: 05 5c 1e b5 01 01 e8 52 25 bc ff 0f 0b c3 80 3d 4f 1e b5 01 00 75 ad 48 + +RSP: 0018:ffffc90000527e50 EFLAGS: 00010286 +RAX: 0000000000000026 RBX: ffff8881300df2c0 RCX: 0000000000000027 +RDX: 0000000000000000 RSI: ffff88813bd58040 RDI: ffff88813bd58048 +RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000001 +R10: ffff8881300df2c0 R11: ffffc90000527c78 R12: ffff8881300df340 +R13: ffff8881300df930 R14: ffff88810b3dad80 R15: ffff8881300df4f8 +FS: 00007f739de8fb80(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000000a01b008 CR3: 0000000111b64003 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + smc_release+0x353/0x3f0 + __sock_release+0x3d/0xb0 + sock_close+0x11/0x20 + __fput+0x93/0x230 + task_work_run+0x65/0xa0 + exit_to_user_mode_prepare+0xf9/0x100 + syscall_exit_to_user_mode+0x27/0x190 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +This patch adds check in __smc_release() to make +sure we won't do an extra sock_put() and set the +socket to CLOSED when its already in CLOSED state. + +Fixes: 51f1de79ad8e (net/smc: replace sock_put worker by socket refcounting) +Signed-off-by: Dust Li +Reviewed-by: Tony Lu +Signed-off-by: Dust Li +Acked-by: Karsten Graul +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/smc/af_smc.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c +index 78b663dbfa1f9..32c1c7ce856d3 100644 +--- a/net/smc/af_smc.c ++++ b/net/smc/af_smc.c +@@ -148,14 +148,18 @@ static int __smc_release(struct smc_sock *smc) + sock_set_flag(sk, SOCK_DEAD); + sk->sk_shutdown |= SHUTDOWN_MASK; + } else { +- if (sk->sk_state != SMC_LISTEN && sk->sk_state != SMC_INIT) +- sock_put(sk); /* passive closing */ +- if (sk->sk_state == SMC_LISTEN) { +- /* wake up clcsock accept */ +- rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR); ++ if (sk->sk_state != SMC_CLOSED) { ++ if (sk->sk_state != SMC_LISTEN && ++ sk->sk_state != SMC_INIT) ++ sock_put(sk); /* passive closing */ ++ if (sk->sk_state == SMC_LISTEN) { ++ /* wake up clcsock accept */ ++ rc = kernel_sock_shutdown(smc->clcsock, ++ SHUT_RDWR); ++ } ++ sk->sk_state = SMC_CLOSED; ++ sk->sk_state_change(sk); + } +- sk->sk_state = SMC_CLOSED; +- sk->sk_state_change(sk); + smc_restore_fallback_changes(smc); + } + +-- +2.33.0 + diff --git a/queue-5.15/net-stmmac-allow-a-tc-taprio-base-time-of-zero.patch b/queue-5.15/net-stmmac-allow-a-tc-taprio-base-time-of-zero.patch new file mode 100644 index 00000000000..3f22d3962c9 --- /dev/null +++ b/queue-5.15/net-stmmac-allow-a-tc-taprio-base-time-of-zero.patch @@ -0,0 +1,41 @@ +From 7272c15b3f37bd15573b730e28343550fddbf16c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 22:28:54 +0200 +Subject: net: stmmac: allow a tc-taprio base-time of zero + +From: Vladimir Oltean + +[ Upstream commit f64ab8e4f368f48afb08ae91928e103d17b235e9 ] + +Commit fe28c53ed71d ("net: stmmac: fix taprio configuration when +base_time is in the past") allowed some base time values in the past, +but apparently not all, the base-time value of 0 (Jan 1st 1970) is still +explicitly denied by the driver. + +Remove the bogus check. + +Fixes: b60189e0392f ("net: stmmac: Integrate EST with TAPRIO scheduler API") +Signed-off-by: Vladimir Oltean +Reviewed-by: Kurt Kanzenbach +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +index 8160087ee92f2..1c4ea0b1b845b 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c +@@ -786,8 +786,6 @@ static int tc_setup_taprio(struct stmmac_priv *priv, + goto disable; + if (qopt->num_entries >= dep) + return -EINVAL; +- if (!qopt->base_time) +- return -ERANGE; + if (!qopt->cycle_time) + return -ERANGE; + +-- +2.33.0 + diff --git a/queue-5.15/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch b/queue-5.15/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch new file mode 100644 index 00000000000..6ecf070e452 --- /dev/null +++ b/queue-5.15/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch @@ -0,0 +1,68 @@ +From 18a07483479a62c644b817220001d17dbb1599a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 06:37:39 -0700 +Subject: net: stream: don't purge sk_error_queue in sk_stream_kill_queues() + +From: Jakub Kicinski + +[ Upstream commit 24bcbe1cc69fa52dc4f7b5b2456678ed464724d8 ] + +sk_stream_kill_queues() can be called on close when there are +still outstanding skbs to transmit. Those skbs may try to queue +notifications to the error queue (e.g. timestamps). +If sk_stream_kill_queues() purges the queue without taking +its lock the queue may get corrupted, and skbs leaked. + +This shows up as a warning about an rmem leak: + +WARNING: CPU: 24 PID: 0 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x... + +The leak is always a multiple of 0x300 bytes (the value is in +%rax on my builds, so RAX: 0000000000000300). 0x300 is truesize of +an empty sk_buff. Indeed if we dump the socket state at the time +of the warning the sk_error_queue is often (but not always) +corrupted. The ->next pointer points back at the list head, +but not the ->prev pointer. Indeed we can find the leaked skb +by scanning the kernel memory for something that looks like +an skb with ->sk = socket in question, and ->truesize = 0x300. +The contents of ->cb[] of the skb confirms the suspicion that +it is indeed a timestamp notification (as generated in +__skb_complete_tx_timestamp()). + +Removing purging of sk_error_queue should be okay, since +inet_sock_destruct() does it again once all socket refs +are gone. Eric suggests this may cause sockets that go +thru disconnect() to maintain notifications from the +previous incarnations of the socket, but that should be +okay since the race was there anyway, and disconnect() +is not exactly dependable. + +Thanks to Jonathan Lemon and Omar Sandoval for help at various +stages of tracing the issue. + +Fixes: cb9eff097831 ("net: new user space API for time stamping of incoming and outgoing packets") +Signed-off-by: Jakub Kicinski +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/stream.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/core/stream.c b/net/core/stream.c +index 4f1d4aa5fb38d..a166a32b411fa 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -195,9 +195,6 @@ void sk_stream_kill_queues(struct sock *sk) + /* First the read buffer. */ + __skb_queue_purge(&sk->sk_receive_queue); + +- /* Next, the error queue. */ +- __skb_queue_purge(&sk->sk_error_queue); +- + /* Next, the write queue. */ + WARN_ON(!skb_queue_empty(&sk->sk_write_queue)); + +-- +2.33.0 + diff --git a/queue-5.15/net-sysfs-try-not-to-restart-the-syscall-if-it-will-.patch b/queue-5.15/net-sysfs-try-not-to-restart-the-syscall-if-it-will-.patch new file mode 100644 index 00000000000..3a311d01817 --- /dev/null +++ b/queue-5.15/net-sysfs-try-not-to-restart-the-syscall-if-it-will-.patch @@ -0,0 +1,161 @@ +From aa464a3adfa5c5f7fdfa4918d9335d01af518a48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 16:00:51 +0200 +Subject: net-sysfs: try not to restart the syscall if it will fail eventually + +From: Antoine Tenart + +[ Upstream commit 146e5e733310379f51924111068f08a3af0db830 ] + +Due to deadlocks in the networking subsystem spotted 12 years ago[1], +a workaround was put in place[2] to avoid taking the rtnl lock when it +was not available and restarting the syscall (back to VFS, letting +userspace spin). The following construction is found a lot in the net +sysfs and sysctl code: + + if (!rtnl_trylock()) + return restart_syscall(); + +This can be problematic when multiple userspace threads use such +interfaces in a short period, making them to spin a lot. This happens +for example when adding and moving virtual interfaces: userspace +programs listening on events, such as systemd-udevd and NetworkManager, +do trigger actions reading files in sysfs. It gets worse when a lot of +virtual interfaces are created concurrently, say when creating +containers at boot time. + +Returning early without hitting the above pattern when the syscall will +fail eventually does make things better. While it is not a fix for the +issue, it does ease things. + +[1] https://lore.kernel.org/netdev/49A4D5D5.5090602@trash.net/ + https://lore.kernel.org/netdev/m14oyhis31.fsf@fess.ebiederm.org/ + and https://lore.kernel.org/netdev/20090226084924.16cb3e08@nehalam/ +[2] Rightfully, those deadlocks are *hard* to solve. + +Signed-off-by: Antoine Tenart +Reviewed-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/net-sysfs.c | 55 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 55 insertions(+) + +diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c +index b2e49eb7001d6..dfa5ecff7f738 100644 +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -175,6 +175,14 @@ static int change_carrier(struct net_device *dev, unsigned long new_carrier) + static ssize_t carrier_store(struct device *dev, struct device_attribute *attr, + const char *buf, size_t len) + { ++ struct net_device *netdev = to_net_dev(dev); ++ ++ /* The check is also done in change_carrier; this helps returning early ++ * without hitting the trylock/restart in netdev_store. ++ */ ++ if (!netdev->netdev_ops->ndo_change_carrier) ++ return -EOPNOTSUPP; ++ + return netdev_store(dev, attr, buf, len, change_carrier); + } + +@@ -196,6 +204,12 @@ static ssize_t speed_show(struct device *dev, + struct net_device *netdev = to_net_dev(dev); + int ret = -EINVAL; + ++ /* The check is also done in __ethtool_get_link_ksettings; this helps ++ * returning early without hitting the trylock/restart below. ++ */ ++ if (!netdev->ethtool_ops->get_link_ksettings) ++ return ret; ++ + if (!rtnl_trylock()) + return restart_syscall(); + +@@ -216,6 +230,12 @@ static ssize_t duplex_show(struct device *dev, + struct net_device *netdev = to_net_dev(dev); + int ret = -EINVAL; + ++ /* The check is also done in __ethtool_get_link_ksettings; this helps ++ * returning early without hitting the trylock/restart below. ++ */ ++ if (!netdev->ethtool_ops->get_link_ksettings) ++ return ret; ++ + if (!rtnl_trylock()) + return restart_syscall(); + +@@ -468,6 +488,14 @@ static ssize_t proto_down_store(struct device *dev, + struct device_attribute *attr, + const char *buf, size_t len) + { ++ struct net_device *netdev = to_net_dev(dev); ++ ++ /* The check is also done in change_proto_down; this helps returning ++ * early without hitting the trylock/restart in netdev_store. ++ */ ++ if (!netdev->netdev_ops->ndo_change_proto_down) ++ return -EOPNOTSUPP; ++ + return netdev_store(dev, attr, buf, len, change_proto_down); + } + NETDEVICE_SHOW_RW(proto_down, fmt_dec); +@@ -478,6 +506,12 @@ static ssize_t phys_port_id_show(struct device *dev, + struct net_device *netdev = to_net_dev(dev); + ssize_t ret = -EINVAL; + ++ /* The check is also done in dev_get_phys_port_id; this helps returning ++ * early without hitting the trylock/restart below. ++ */ ++ if (!netdev->netdev_ops->ndo_get_phys_port_id) ++ return -EOPNOTSUPP; ++ + if (!rtnl_trylock()) + return restart_syscall(); + +@@ -500,6 +534,13 @@ static ssize_t phys_port_name_show(struct device *dev, + struct net_device *netdev = to_net_dev(dev); + ssize_t ret = -EINVAL; + ++ /* The checks are also done in dev_get_phys_port_name; this helps ++ * returning early without hitting the trylock/restart below. ++ */ ++ if (!netdev->netdev_ops->ndo_get_phys_port_name && ++ !netdev->netdev_ops->ndo_get_devlink_port) ++ return -EOPNOTSUPP; ++ + if (!rtnl_trylock()) + return restart_syscall(); + +@@ -522,6 +563,14 @@ static ssize_t phys_switch_id_show(struct device *dev, + struct net_device *netdev = to_net_dev(dev); + ssize_t ret = -EINVAL; + ++ /* The checks are also done in dev_get_phys_port_name; this helps ++ * returning early without hitting the trylock/restart below. This works ++ * because recurse is false when calling dev_get_port_parent_id. ++ */ ++ if (!netdev->netdev_ops->ndo_get_port_parent_id && ++ !netdev->netdev_ops->ndo_get_devlink_port) ++ return -EOPNOTSUPP; ++ + if (!rtnl_trylock()) + return restart_syscall(); + +@@ -1226,6 +1275,12 @@ static ssize_t tx_maxrate_store(struct netdev_queue *queue, + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + ++ /* The check is also done later; this helps returning early without ++ * hitting the trylock/restart below. ++ */ ++ if (!dev->netdev_ops->ndo_set_tx_maxrate) ++ return -EOPNOTSUPP; ++ + err = kstrtou32(buf, 10, &rate); + if (err < 0) + return err; +-- +2.33.0 + diff --git a/queue-5.15/net-tulip-winbond-840-fix-build-for-uml.patch b/queue-5.15/net-tulip-winbond-840-fix-build-for-uml.patch new file mode 100644 index 00000000000..41e37d56ba7 --- /dev/null +++ b/queue-5.15/net-tulip-winbond-840-fix-build-for-uml.patch @@ -0,0 +1,52 @@ +From b7385671e14d5db985910a493309e99fa01c7633 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 22:06:06 -0700 +Subject: net: tulip: winbond-840: fix build for UML +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit a3d708925fcca1a2f7219bc9ce93e6341f85c1e0 ] + +On i386, when builtin (not a loadable module), the winbond-840 driver +inspects boot_cpu_data to see what CPU family it is running on, and +then acts on that data. The "family" struct member (x86) does not exist +when running on UML, so prevent that test and do the default action. + +Prevents this build error on UML + i386: + +../drivers/net/ethernet/dec/tulip/winbond-840.c: In function ‘init_registers’: +../drivers/net/ethernet/dec/tulip/winbond-840.c:882:19: error: ‘struct cpuinfo_um’ has no member named ‘x86’ + if (boot_cpu_data.x86 <= 4) { + +Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver") +Signed-off-by: Randy Dunlap +Cc: linux-um@lists.infradead.org +Cc: Jeff Dike +Cc: Richard Weinberger +Cc: Anton Ivanov +Link: https://lore.kernel.org/r/20211014050606.7288-1-rdunlap@infradead.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dec/tulip/winbond-840.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/dec/tulip/winbond-840.c b/drivers/net/ethernet/dec/tulip/winbond-840.c +index 85b99099c6b94..5babcf05bc2f1 100644 +--- a/drivers/net/ethernet/dec/tulip/winbond-840.c ++++ b/drivers/net/ethernet/dec/tulip/winbond-840.c +@@ -877,7 +877,7 @@ static void init_registers(struct net_device *dev) + 8000 16 longwords 0200 2 longwords 2000 32 longwords + C000 32 longwords 0400 4 longwords */ + +-#if defined (__i386__) && !defined(MODULE) ++#if defined (__i386__) && !defined(MODULE) && !defined(CONFIG_UML) + /* When not a module we can work around broken '486 PCI boards. */ + if (boot_cpu_data.x86 <= 4) { + i |= 0x4800; +-- +2.33.0 + diff --git a/queue-5.15/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch b/queue-5.15/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch new file mode 100644 index 00000000000..f67b170d29d --- /dev/null +++ b/queue-5.15/net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch @@ -0,0 +1,86 @@ +From 88f94c1e192ebe230d819acff997529b2489c958 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 10:12:18 +0800 +Subject: net: vlan: fix a UAF in vlan_dev_real_dev() + +From: Ziyang Xuan + +[ Upstream commit 563bcbae3ba233c275c244bfce2efe12938f5363 ] + +The real_dev of a vlan net_device may be freed after +unregister_vlan_dev(). Access the real_dev continually by +vlan_dev_real_dev() will trigger the UAF problem for the +real_dev like following: + +================================================================== +BUG: KASAN: use-after-free in vlan_dev_real_dev+0xf9/0x120 +Call Trace: + kasan_report.cold+0x83/0xdf + vlan_dev_real_dev+0xf9/0x120 + is_eth_port_of_netdev_filter.part.0+0xb1/0x2c0 + is_eth_port_of_netdev_filter+0x28/0x40 + ib_enum_roce_netdev+0x1a3/0x300 + ib_enum_all_roce_netdevs+0xc7/0x140 + netdevice_event_work_handler+0x9d/0x210 +... + +Freed by task 9288: + kasan_save_stack+0x1b/0x40 + kasan_set_track+0x1c/0x30 + kasan_set_free_info+0x20/0x30 + __kasan_slab_free+0xfc/0x130 + slab_free_freelist_hook+0xdd/0x240 + kfree+0xe4/0x690 + kvfree+0x42/0x50 + device_release+0x9f/0x240 + kobject_put+0x1c8/0x530 + put_device+0x1b/0x30 + free_netdev+0x370/0x540 + ppp_destroy_interface+0x313/0x3d0 +... + +Move the put_device(real_dev) to vlan_dev_free(). Ensure +real_dev not be freed before vlan_dev unregistered. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+e4df4e1389e28972e955@syzkaller.appspotmail.com +Signed-off-by: Ziyang Xuan +Reviewed-by: Jason Gunthorpe +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/8021q/vlan.c | 3 --- + net/8021q/vlan_dev.c | 3 +++ + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c +index 55275ef9a31a7..a3a0a5e994f5a 100644 +--- a/net/8021q/vlan.c ++++ b/net/8021q/vlan.c +@@ -123,9 +123,6 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head) + } + + vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id); +- +- /* Get rid of the vlan's reference to real_dev */ +- dev_put(real_dev); + } + + int vlan_check_real_dev(struct net_device *real_dev, +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index 0c21d1fec8522..aeeb5f90417b5 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -843,6 +843,9 @@ static void vlan_dev_free(struct net_device *dev) + + free_percpu(vlan->vlan_pcpu_stats); + vlan->vlan_pcpu_stats = NULL; ++ ++ /* Get rid of the vlan's reference to real_dev */ ++ dev_put(vlan->real_dev); + } + + void vlan_setup(struct net_device *dev) +-- +2.33.0 + diff --git a/queue-5.15/netfilter-conntrack-set-on-ips_assured-if-flows-ente.patch b/queue-5.15/netfilter-conntrack-set-on-ips_assured-if-flows-ente.patch new file mode 100644 index 00000000000..7828d9a5b94 --- /dev/null +++ b/queue-5.15/netfilter-conntrack-set-on-ips_assured-if-flows-ente.patch @@ -0,0 +1,83 @@ +From e7c93e88bfe3d9723c5cdf77a1e37879b9e2edc9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 11:26:49 +0200 +Subject: netfilter: conntrack: set on IPS_ASSURED if flows enters internal + stream state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pablo Neira Ayuso + +[ Upstream commit b7b1d02fc43925a4d569ec221715db2dfa1ce4f5 ] + +The internal stream state sets the timeout to 120 seconds 2 seconds +after the creation of the flow, attach this internal stream state to the +IPS_ASSURED flag for consistent event reporting. + +Before this patch: + + [NEW] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 + [UPDATE] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 + [UPDATE] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED] + [DESTROY] udp 17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED] + +Note IPS_ASSURED for the flow not yet in the internal stream state. + +after this update: + + [NEW] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 + [UPDATE] udp 17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 + [UPDATE] udp 17 120 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED] + [DESTROY] udp 17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED] + +Before this patch, short-lived UDP flows never entered IPS_ASSURED, so +they were already candidate flow to be deleted by early_drop under +stress. + +Before this patch, IPS_ASSURED is set on regardless the internal stream +state, attach this internal stream state to IPS_ASSURED. + +packet #1 (original direction) enters NEW state +packet #2 (reply direction) enters ESTABLISHED state, sets on IPS_SEEN_REPLY +paclet #3 (any direction) sets on IPS_ASSURED (if 2 seconds since the + creation has passed by). + +Reported-by: Maciej Żenczykowski +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nf_conntrack_proto_udp.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c +index f8e3c0d2602f6..3b516cffc779b 100644 +--- a/net/netfilter/nf_conntrack_proto_udp.c ++++ b/net/netfilter/nf_conntrack_proto_udp.c +@@ -104,10 +104,13 @@ int nf_conntrack_udp_packet(struct nf_conn *ct, + */ + if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { + unsigned long extra = timeouts[UDP_CT_UNREPLIED]; ++ bool stream = false; + + /* Still active after two seconds? Extend timeout. */ +- if (time_after(jiffies, ct->proto.udp.stream_ts)) ++ if (time_after(jiffies, ct->proto.udp.stream_ts)) { + extra = timeouts[UDP_CT_REPLIED]; ++ stream = true; ++ } + + nf_ct_refresh_acct(ct, ctinfo, skb, extra); + +@@ -116,7 +119,7 @@ int nf_conntrack_udp_packet(struct nf_conn *ct, + return NF_ACCEPT; + + /* Also, more likely to be important, and not a probe */ +- if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) ++ if (stream && !test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) + nf_conntrack_event_cache(IPCT_ASSURED, ct); + } else { + nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[UDP_CT_UNREPLIED]); +-- +2.33.0 + diff --git a/queue-5.15/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch b/queue-5.15/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch new file mode 100644 index 00000000000..b7290231ada --- /dev/null +++ b/queue-5.15/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch @@ -0,0 +1,55 @@ +From da39781cdc5e478530c0ee5dadf66172d2751d4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 18:08:10 +0200 +Subject: netfilter: nfnetlink_queue: fix OOB when mac header was cleared + +From: Florian Westphal + +[ Upstream commit 5648b5e1169ff1d6d6a46c35c0b5fbebd2a5cbb2 ] + +On 64bit platforms the MAC header is set to 0xffff on allocation and +also when a helper like skb_unset_mac_header() is called. + +dev_parse_header may call skb_mac_header() which assumes valid mac offset: + + BUG: KASAN: use-after-free in eth_header_parse+0x75/0x90 + Read of size 6 at addr ffff8881075a5c05 by task nf-queue/1364 + Call Trace: + memcpy+0x20/0x60 + eth_header_parse+0x75/0x90 + __nfqnl_enqueue_packet+0x1a61/0x3380 + __nf_queue+0x597/0x1300 + nf_queue+0xf/0x40 + nf_hook_slow+0xed/0x190 + nf_hook+0x184/0x440 + ip_output+0x1c0/0x2a0 + nf_reinject+0x26f/0x700 + nfqnl_recv_verdict+0xa16/0x18b0 + nfnetlink_rcv_msg+0x506/0xe70 + +The existing code only works if the skb has a mac header. + +Fixes: 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC handling") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 4c3fbaaeb1030..4acc4b8e9fe5a 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -560,7 +560,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, + goto nla_put_failure; + + if (indev && entskb->dev && +- entskb->mac_header != entskb->network_header) { ++ skb_mac_header_was_set(entskb)) { + struct nfqnl_msg_packet_hw phw; + int len; + +-- +2.33.0 + diff --git a/queue-5.15/netfilter-nft_dynset-relax-superfluous-check-on-set-.patch b/queue-5.15/netfilter-nft_dynset-relax-superfluous-check-on-set-.patch new file mode 100644 index 00000000000..be8d3cf3c75 --- /dev/null +++ b/queue-5.15/netfilter-nft_dynset-relax-superfluous-check-on-set-.patch @@ -0,0 +1,46 @@ +From 28b8ecab3316dca9b3b4d82e35aa4cca6fc8c67e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Sep 2021 22:40:26 +0200 +Subject: netfilter: nft_dynset: relax superfluous check on set updates + +From: Pablo Neira Ayuso + +[ Upstream commit 7b1394892de8d95748d05e3ee41e85edb4abbfa1 ] + +Relax this condition to make add and update commands idempotent for sets +with no timeout. The eval function already checks if the set element +timeout is available and updates it if the update command is used. + +Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_dynset.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index 6ba3256fa8449..87f3af4645d9c 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -198,17 +198,8 @@ static int nft_dynset_init(const struct nft_ctx *ctx, + return -EBUSY; + + priv->op = ntohl(nla_get_be32(tb[NFTA_DYNSET_OP])); +- switch (priv->op) { +- case NFT_DYNSET_OP_ADD: +- case NFT_DYNSET_OP_DELETE: +- break; +- case NFT_DYNSET_OP_UPDATE: +- if (!(set->flags & NFT_SET_TIMEOUT)) +- return -EOPNOTSUPP; +- break; +- default: ++ if (priv->op > NFT_DYNSET_OP_DELETE) + return -EOPNOTSUPP; +- } + + timeout = 0; + if (tb[NFTA_DYNSET_TIMEOUT] != NULL) { +-- +2.33.0 + diff --git a/queue-5.15/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch b/queue-5.15/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch new file mode 100644 index 00000000000..f3b034e8d4c --- /dev/null +++ b/queue-5.15/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch @@ -0,0 +1,59 @@ +From f3558abe1df2ea6e0bf74d70f590387317b3ffdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 06:36:36 -0700 +Subject: nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails + +From: Chengfeng Ye + +[ Upstream commit 9fec40f850658e00a14a7dd9e06f7fbc7e59cc4a ] + +skb is already freed by dev_kfree_skb in pn533_fill_fragment_skbs, +but follow error handler branch when pn533_fill_fragment_skbs() +fails, skb is freed again, results in double free issue. Fix this +by not free skb in error path of pn533_fill_fragment_skbs. + +Fixes: 963a82e07d4e ("NFC: pn533: Split large Tx frames in chunks") +Fixes: 93ad42020c2d ("NFC: pn533: Target mode Tx fragmentation support") +Signed-off-by: Chengfeng Ye +Reviewed-by: Dan Carpenter +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/pn533/pn533.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c +index 2f3f3fe9a0baa..d32aec0c334fe 100644 +--- a/drivers/nfc/pn533/pn533.c ++++ b/drivers/nfc/pn533/pn533.c +@@ -2218,7 +2218,7 @@ static int pn533_fill_fragment_skbs(struct pn533 *dev, struct sk_buff *skb) + frag = pn533_alloc_skb(dev, frag_size); + if (!frag) { + skb_queue_purge(&dev->fragment_skb); +- break; ++ return -ENOMEM; + } + + if (!dev->tgt_mode) { +@@ -2287,7 +2287,7 @@ static int pn533_transceive(struct nfc_dev *nfc_dev, + /* jumbo frame ? */ + if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) { + rc = pn533_fill_fragment_skbs(dev, skb); +- if (rc <= 0) ++ if (rc < 0) + goto error; + + skb = skb_dequeue(&dev->fragment_skb); +@@ -2355,7 +2355,7 @@ static int pn533_tm_send(struct nfc_dev *nfc_dev, struct sk_buff *skb) + /* let's split in multiple chunks if size's too big */ + if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) { + rc = pn533_fill_fragment_skbs(dev, skb); +- if (rc <= 0) ++ if (rc < 0) + goto error; + + /* get the first skb */ +-- +2.33.0 + diff --git a/queue-5.15/nfp-fix-null-pointer-access-when-scheduling-dim-work.patch b/queue-5.15/nfp-fix-null-pointer-access-when-scheduling-dim-work.patch new file mode 100644 index 00000000000..c14d22cf93f --- /dev/null +++ b/queue-5.15/nfp-fix-null-pointer-access-when-scheduling-dim-work.patch @@ -0,0 +1,49 @@ +From 2ebc5cd31efe321c7443a31f14b3dc82a213e8e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 13:29:02 +0200 +Subject: nfp: fix NULL pointer access when scheduling dim work + +From: Yinjun Zhang + +[ Upstream commit f8d384a640dd32aaf0a05fec137ccbf0e986b09f ] + +Each rx/tx ring has a related dim work, when rx/tx ring number is +decreased by `ethtool -L`, the corresponding rx_ring or tx_ring is +assigned NULL, while its related work is not destroyed. When scheduled, +the work will access NULL pointer. + +Fixes: 9d32e4e7e9e1 ("nfp: add support for coalesce adaptive feature") +Signed-off-by: Yinjun Zhang +Signed-off-by: Louis Peens +Signed-off-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +index 5bfa22accf2c9..f8b880c8e5148 100644 +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +@@ -2067,7 +2067,7 @@ static int nfp_net_poll(struct napi_struct *napi, int budget) + if (napi_complete_done(napi, pkts_polled)) + nfp_net_irq_unmask(r_vec->nfp_net, r_vec->irq_entry); + +- if (r_vec->nfp_net->rx_coalesce_adapt_on) { ++ if (r_vec->nfp_net->rx_coalesce_adapt_on && r_vec->rx_ring) { + struct dim_sample dim_sample = {}; + unsigned int start; + u64 pkts, bytes; +@@ -2082,7 +2082,7 @@ static int nfp_net_poll(struct napi_struct *napi, int budget) + net_dim(&r_vec->rx_dim, dim_sample); + } + +- if (r_vec->nfp_net->tx_coalesce_adapt_on) { ++ if (r_vec->nfp_net->tx_coalesce_adapt_on && r_vec->tx_ring) { + struct dim_sample dim_sample = {}; + unsigned int start; + u64 pkts, bytes; +-- +2.33.0 + diff --git a/queue-5.15/nfp-fix-potential-deadlock-when-canceling-dim-work.patch b/queue-5.15/nfp-fix-potential-deadlock-when-canceling-dim-work.patch new file mode 100644 index 00000000000..ce7039b4e04 --- /dev/null +++ b/queue-5.15/nfp-fix-potential-deadlock-when-canceling-dim-work.patch @@ -0,0 +1,56 @@ +From 38811aee7bd9307004cee5320ead303d13981a2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 13:29:03 +0200 +Subject: nfp: fix potential deadlock when canceling dim work + +From: Yinjun Zhang + +[ Upstream commit 17e712c6a1bade9dac02a7bf2b464746faa7e9a0 ] + +When port is linked down, the process which has acquired rtnl_lock +will wait for the in-progress dim work to finish, and the work also +acquires rtnl_lock, which may cause deadlock. + +Currently IRQ_MOD registers can be configured by `ethtool -C` and +dim work, and which will take effect depends on the execution order, +rtnl_lock is useless here, so remove them. + +Fixes: 9d32e4e7e9e1 ("nfp: add support for coalesce adaptive feature") +Signed-off-by: Yinjun Zhang +Signed-off-by: Louis Peens +Signed-off-by: Simon Horman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +index f8b880c8e5148..850bfdf83d0a4 100644 +--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c +@@ -3016,10 +3016,8 @@ static void nfp_net_rx_dim_work(struct work_struct *work) + + /* copy RX interrupt coalesce parameters */ + value = (moder.pkts << 16) | (factor * moder.usec); +- rtnl_lock(); + nn_writel(nn, NFP_NET_CFG_RXR_IRQ_MOD(r_vec->rx_ring->idx), value); + (void)nfp_net_reconfig(nn, NFP_NET_CFG_UPDATE_IRQMOD); +- rtnl_unlock(); + + dim->state = DIM_START_MEASURE; + } +@@ -3047,10 +3045,8 @@ static void nfp_net_tx_dim_work(struct work_struct *work) + + /* copy TX interrupt coalesce parameters */ + value = (moder.pkts << 16) | (factor * moder.usec); +- rtnl_lock(); + nn_writel(nn, NFP_NET_CFG_TXR_IRQ_MOD(r_vec->tx_ring->idx), value); + (void)nfp_net_reconfig(nn, NFP_NET_CFG_UPDATE_IRQMOD); +- rtnl_unlock(); + + dim->state = DIM_START_MEASURE; + } +-- +2.33.0 + diff --git a/queue-5.15/nfs-default-change_attr_type-to-nfs4_change_type_is_.patch b/queue-5.15/nfs-default-change_attr_type-to-nfs4_change_type_is_.patch new file mode 100644 index 00000000000..6cb2c47c9dc --- /dev/null +++ b/queue-5.15/nfs-default-change_attr_type-to-nfs4_change_type_is_.patch @@ -0,0 +1,75 @@ +From 7df9ba3c24c7b05822447e9d2186f55dd6406fb2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Sep 2021 14:05:04 -0400 +Subject: NFS: Default change_attr_type to NFS4_CHANGE_TYPE_IS_UNDEFINED + +From: Trond Myklebust + +[ Upstream commit eea413308f2e6deb00f061f18081a53f3ecc8cc6 ] + +Both NFSv3 and NFSv2 generate their change attribute from the ctime +value that was supplied by the server. However the problem is that there +are plenty of servers out there with ctime resolutions of 1ms or worse. +In a modern performance system, this is insufficient when trying to +decide which is the most recent set of attributes when, for instance, a +READ or GETATTR call races with a WRITE or SETATTR. + +For this reason, let's revert to labelling the NFSv2/v3 change +attributes as NFS4_CHANGE_TYPE_IS_UNDEFINED. This will ensure we protect +against such races. + +Fixes: 7b24dacf0840 ("NFS: Another inode revalidation improvement") +Signed-off-by: Trond Myklebust +Tested-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 4 +++- + fs/nfs/nfs3xdr.c | 2 +- + fs/nfs/proc.c | 2 +- + 3 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 853213b3a2095..6ea1bde33cb62 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -1777,8 +1777,10 @@ static int nfs_inode_finish_partial_attr_update(const struct nfs_fattr *fattr, + NFS_INO_INVALID_BLOCKS | NFS_INO_INVALID_OTHER | + NFS_INO_INVALID_NLINK; + unsigned long cache_validity = NFS_I(inode)->cache_validity; ++ enum nfs4_change_attr_type ctype = NFS_SERVER(inode)->change_attr_type; + +- if (!(cache_validity & NFS_INO_INVALID_CHANGE) && ++ if (ctype != NFS4_CHANGE_TYPE_IS_UNDEFINED && ++ !(cache_validity & NFS_INO_INVALID_CHANGE) && + (cache_validity & check_valid) != 0 && + (fattr->valid & NFS_ATTR_FATTR_CHANGE) != 0 && + nfs_inode_attrs_cmp_monotonic(fattr, inode) == 0) +diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c +index e6eca1d7481b8..9274c9c5efea6 100644 +--- a/fs/nfs/nfs3xdr.c ++++ b/fs/nfs/nfs3xdr.c +@@ -2227,7 +2227,7 @@ static int decode_fsinfo3resok(struct xdr_stream *xdr, + + /* ignore properties */ + result->lease_time = 0; +- result->change_attr_type = NFS4_CHANGE_TYPE_IS_TIME_METADATA; ++ result->change_attr_type = NFS4_CHANGE_TYPE_IS_UNDEFINED; + return 0; + } + +diff --git a/fs/nfs/proc.c b/fs/nfs/proc.c +index ea19dbf123014..ecc4e717808c4 100644 +--- a/fs/nfs/proc.c ++++ b/fs/nfs/proc.c +@@ -91,7 +91,7 @@ nfs_proc_get_root(struct nfs_server *server, struct nfs_fh *fhandle, + info->dtpref = fsinfo.tsize; + info->maxfilesize = 0x7FFFFFFF; + info->lease_time = 0; +- info->change_attr_type = NFS4_CHANGE_TYPE_IS_TIME_METADATA; ++ info->change_attr_type = NFS4_CHANGE_TYPE_IS_UNDEFINED; + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/nfs-don-t-set-nfs_ino_data_inval_defer-and-nfs_ino_i.patch b/queue-5.15/nfs-don-t-set-nfs_ino_data_inval_defer-and-nfs_ino_i.patch new file mode 100644 index 00000000000..67f6e1200fe --- /dev/null +++ b/queue-5.15/nfs-don-t-set-nfs_ino_data_inval_defer-and-nfs_ino_i.patch @@ -0,0 +1,46 @@ +From 156611cd9d782bbcb62dc14a62c92719581da0ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 11:15:53 -0400 +Subject: NFS: Don't set NFS_INO_DATA_INVAL_DEFER and NFS_INO_INVALID_DATA + +From: Trond Myklebust + +[ Upstream commit 488796ec1e39fb9194cc8175f770823d40fbf0ed ] + +NFS_INO_DATA_INVAL_DEFER and NFS_INO_INVALID_DATA should be considered +mutually exclusive. + +Fixes: 1c341b777501 ("NFS: Add deferred cache invalidation for close-to-open consistency violations") +Signed-off-by: Trond Myklebust +Tested-by: Benjamin Coddington +Reviewed-by: Benjamin Coddington +Signed-off-by: Sasha Levin +--- + fs/nfs/inode.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c +index 6ea1bde33cb62..f9d3ad3acf114 100644 +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -210,10 +210,15 @@ void nfs_set_cache_invalid(struct inode *inode, unsigned long flags) + flags &= ~NFS_INO_INVALID_XATTR; + if (flags & NFS_INO_INVALID_DATA) + nfs_fscache_invalidate(inode); +- if (inode->i_mapping->nrpages == 0) +- flags &= ~(NFS_INO_INVALID_DATA|NFS_INO_DATA_INVAL_DEFER); + flags &= ~(NFS_INO_REVAL_PAGECACHE | NFS_INO_REVAL_FORCED); ++ + nfsi->cache_validity |= flags; ++ ++ if (inode->i_mapping->nrpages == 0) ++ nfsi->cache_validity &= ~(NFS_INO_INVALID_DATA | ++ NFS_INO_DATA_INVAL_DEFER); ++ else if (nfsi->cache_validity & NFS_INO_INVALID_DATA) ++ nfsi->cache_validity &= ~NFS_INO_DATA_INVAL_DEFER; + } + EXPORT_SYMBOL_GPL(nfs_set_cache_invalid); + +-- +2.33.0 + diff --git a/queue-5.15/nfs-fix-an-oops-in-pnfs_mark_request_commit.patch b/queue-5.15/nfs-fix-an-oops-in-pnfs_mark_request_commit.patch new file mode 100644 index 00000000000..e791f0aa9c6 --- /dev/null +++ b/queue-5.15/nfs-fix-an-oops-in-pnfs_mark_request_commit.patch @@ -0,0 +1,68 @@ +From 12ecd958dd3d6a3264bfaa7c424941f6f019b05a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 14:05:02 -0400 +Subject: NFS: Fix an Oops in pnfs_mark_request_commit() + +From: Trond Myklebust + +[ Upstream commit f0caea8882a7412a2ad4d8274f0280cdf849c9e2 ] + +Olga reports seeing the following Oops when doing O_DIRECT writes to a +pNFS flexfiles server: + +Oops: 0000 [#1] SMP PTI +CPU: 1 PID: 234186 Comm: kworker/u8:1 Not tainted 5.15.0-rc4+ #4 +Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.13.0-2.module+el8.3.0+7353+9de0a3cc 04/01/2014 +Workqueue: nfsiod rpc_async_release [sunrpc] +RIP: 0010:nfs_mark_request_commit+0x12/0x30 [nfs] +Code: ff ff be 03 00 00 00 e8 ac 34 83 eb e9 29 ff ff +ff e8 22 bc d7 eb 66 90 0f 1f 44 00 00 48 85 f6 74 16 48 8b 42 10 48 +8b 40 18 <48> 8b 40 18 48 85 c0 74 05 e9 70 fc 15 ec 48 89 d6 e9 68 ed +ff ff +RSP: 0018:ffffa82f0159fe00 EFLAGS: 00010286 +RAX: 0000000000000000 RBX: ffff8f3393141880 RCX: 0000000000000000 +RDX: ffffa82f0159fe08 RSI: ffff8f3381252500 RDI: ffff8f3393141880 +RBP: ffff8f33ac317c00 R08: 0000000000000000 R09: ffff8f3487724cb0 +R10: 0000000000000008 R11: 0000000000000001 R12: 0000000000000001 +R13: ffff8f3485bccee0 R14: ffff8f33ac317c10 R15: ffff8f33ac317cd8 +FS: 0000000000000000(0000) GS:ffff8f34fbc80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000018 CR3: 0000000122120006 CR4: 0000000000770ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + nfs_direct_write_completion+0x13b/0x250 [nfs] + rpc_free_task+0x39/0x60 [sunrpc] + rpc_async_release+0x29/0x40 [sunrpc] + process_one_work+0x1ce/0x370 + worker_thread+0x30/0x380 + ? process_one_work+0x370/0x370 + kthread+0x11a/0x140 + ? set_kthread_struct+0x40/0x40 + ret_from_fork+0x22/0x30 + +Reported-by: Olga Kornievskaia +Fixes: 9c455a8c1e14 ("NFS/pNFS: Clean up pNFS commit operations") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/pnfs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h +index d810ae674f4e8..a0f6ff094b3a4 100644 +--- a/fs/nfs/pnfs.h ++++ b/fs/nfs/pnfs.h +@@ -517,7 +517,7 @@ pnfs_mark_request_commit(struct nfs_page *req, struct pnfs_layout_segment *lseg, + { + struct pnfs_ds_commit_info *fl_cinfo = cinfo->ds; + +- if (!lseg || !fl_cinfo->ops->mark_request_commit) ++ if (!lseg || !fl_cinfo->ops || !fl_cinfo->ops->mark_request_commit) + return false; + fl_cinfo->ops->mark_request_commit(req, lseg, cinfo, ds_commit_idx); + return true; +-- +2.33.0 + diff --git a/queue-5.15/nfs-fix-deadlocks-in-nfs_scan_commit_list.patch b/queue-5.15/nfs-fix-deadlocks-in-nfs_scan_commit_list.patch new file mode 100644 index 00000000000..6ccb57969a3 --- /dev/null +++ b/queue-5.15/nfs-fix-deadlocks-in-nfs_scan_commit_list.patch @@ -0,0 +1,66 @@ +From 27c2607a04eeb4920fa7dd83a1d3c69ffff46e24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 15:44:16 -0400 +Subject: NFS: Fix deadlocks in nfs_scan_commit_list() + +From: Trond Myklebust + +[ Upstream commit 64a93dbf25d3a1368bb58ddf0f61d0a92d7479e3 ] + +Partially revert commit 2ce209c42c01 ("NFS: Wait for requests that are +locked on the commit list"), since it can lead to deadlocks between +commit requests and nfs_join_page_group(). +For now we should assume that any locked requests on the commit list are +either about to be removed and committed by another task, or the writes +they describe are about to be retransmitted. In either case, we should +not need to worry. + +Fixes: 2ce209c42c01 ("NFS: Wait for requests that are locked on the commit list") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/write.c | 17 ++--------------- + 1 file changed, 2 insertions(+), 15 deletions(-) + +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index eae9bf1140417..735a054747752 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -1038,25 +1038,11 @@ nfs_scan_commit_list(struct list_head *src, struct list_head *dst, + struct nfs_page *req, *tmp; + int ret = 0; + +-restart: + list_for_each_entry_safe(req, tmp, src, wb_list) { + kref_get(&req->wb_kref); + if (!nfs_lock_request(req)) { +- int status; +- +- /* Prevent deadlock with nfs_lock_and_join_requests */ +- if (!list_empty(dst)) { +- nfs_release_request(req); +- continue; +- } +- /* Ensure we make progress to prevent livelock */ +- mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex); +- status = nfs_wait_on_request(req); + nfs_release_request(req); +- mutex_lock(&NFS_I(cinfo->inode)->commit_mutex); +- if (status < 0) +- break; +- goto restart; ++ continue; + } + nfs_request_remove_commit_list(req, cinfo); + clear_bit(PG_COMMIT_TO_DS, &req->wb_flags); +@@ -1936,6 +1922,7 @@ static int __nfs_commit_inode(struct inode *inode, int how, + int may_wait = how & FLUSH_SYNC; + int ret, nscan; + ++ how &= ~FLUSH_SYNC; + nfs_init_cinfo_from_inode(&cinfo, inode); + nfs_commit_begin(cinfo.mds); + for (;;) { +-- +2.33.0 + diff --git a/queue-5.15/nfs-fix-dentry-verifier-races.patch b/queue-5.15/nfs-fix-dentry-verifier-races.patch new file mode 100644 index 00000000000..9ee8fbda7d8 --- /dev/null +++ b/queue-5.15/nfs-fix-dentry-verifier-races.patch @@ -0,0 +1,47 @@ +From 38e9fb9d2c216bbc951463089a6cbc5095f1e8ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 08:12:53 -0400 +Subject: NFS: Fix dentry verifier races + +From: Trond Myklebust + +[ Upstream commit cec08f452a687fce9dfdf47946d00a1d12a8bec5 ] + +If the directory changed while we were revalidating the dentry, then +don't update the dentry verifier. There is no value in setting the +verifier to an older value, and we could end up overwriting a more up to +date verifier from a parallel revalidation. + +Fixes: efeda80da38d ("NFSv4: Fix revalidation of dentries with delegations") +Signed-off-by: Trond Myklebust +Tested-by: Benjamin Coddington +Reviewed-by: Benjamin Coddington +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 085b8ecdc17d9..5b68c44848caf 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1269,13 +1269,12 @@ static bool nfs_verifier_is_delegated(struct dentry *dentry) + static void nfs_set_verifier_locked(struct dentry *dentry, unsigned long verf) + { + struct inode *inode = d_inode(dentry); ++ struct inode *dir = d_inode(dentry->d_parent); + +- if (!nfs_verifier_is_delegated(dentry) && +- !nfs_verify_change_attribute(d_inode(dentry->d_parent), verf)) +- goto out; ++ if (!nfs_verify_change_attribute(dir, verf)) ++ return; + if (inode && NFS_PROTO(inode)->have_delegation(inode, FMODE_READ)) + nfs_set_verifier_delegated(&verf); +-out: + dentry->d_time = verf; + } + +-- +2.33.0 + diff --git a/queue-5.15/nfs-fix-up-commit-deadlocks.patch b/queue-5.15/nfs-fix-up-commit-deadlocks.patch new file mode 100644 index 00000000000..36dcf46f05f --- /dev/null +++ b/queue-5.15/nfs-fix-up-commit-deadlocks.patch @@ -0,0 +1,107 @@ +From 61f587ab5c8079291be5e5e49a72c69bb84b94e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 15:37:42 -0400 +Subject: NFS: Fix up commit deadlocks + +From: Trond Myklebust + +[ Upstream commit 133a48abf6ecc535d7eddc6da1c3e4c972445882 ] + +If O_DIRECT bumps the commit_info rpcs_out field, then that could lead +to fsync() hangs. The fix is to ensure that O_DIRECT calls +nfs_commit_end(). + +Fixes: 723c921e7dfc ("sched/wait, fs/nfs: Convert wait_on_atomic_t() usage to the new wait_var_event() API") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/direct.c | 2 +- + fs/nfs/pnfs_nfs.c | 2 -- + fs/nfs/write.c | 9 ++++++--- + include/linux/nfs_fs.h | 1 + + 4 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c +index 2e894fec036b0..3c0335c15a730 100644 +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -620,7 +620,7 @@ static void nfs_direct_commit_complete(struct nfs_commit_data *data) + nfs_unlock_and_release_request(req); + } + +- if (atomic_dec_and_test(&cinfo.mds->rpcs_out)) ++ if (nfs_commit_end(cinfo.mds)) + nfs_direct_write_complete(dreq); + } + +diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c +index 02bd6e83961d9..316f68f96e573 100644 +--- a/fs/nfs/pnfs_nfs.c ++++ b/fs/nfs/pnfs_nfs.c +@@ -468,7 +468,6 @@ pnfs_bucket_alloc_ds_commits(struct list_head *list, + goto out_error; + data->ds_commit_index = i; + list_add_tail(&data->list, list); +- atomic_inc(&cinfo->mds->rpcs_out); + nreq++; + } + mutex_unlock(&NFS_I(cinfo->inode)->commit_mutex); +@@ -520,7 +519,6 @@ pnfs_generic_commit_pagelist(struct inode *inode, struct list_head *mds_pages, + data->ds_commit_index = -1; + list_splice_init(mds_pages, &data->pages); + list_add_tail(&data->list, &list); +- atomic_inc(&cinfo->mds->rpcs_out); + nreq++; + } + +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 735a054747752..7dce3e735fc53 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -1657,10 +1657,13 @@ static void nfs_commit_begin(struct nfs_mds_commit_info *cinfo) + atomic_inc(&cinfo->rpcs_out); + } + +-static void nfs_commit_end(struct nfs_mds_commit_info *cinfo) ++bool nfs_commit_end(struct nfs_mds_commit_info *cinfo) + { +- if (atomic_dec_and_test(&cinfo->rpcs_out)) ++ if (atomic_dec_and_test(&cinfo->rpcs_out)) { + wake_up_var(&cinfo->rpcs_out); ++ return true; ++ } ++ return false; + } + + void nfs_commitdata_release(struct nfs_commit_data *data) +@@ -1760,6 +1763,7 @@ void nfs_init_commit(struct nfs_commit_data *data, + data->res.fattr = &data->fattr; + data->res.verf = &data->verf; + nfs_fattr_init(&data->fattr); ++ nfs_commit_begin(cinfo->mds); + } + EXPORT_SYMBOL_GPL(nfs_init_commit); + +@@ -1806,7 +1810,6 @@ nfs_commit_list(struct inode *inode, struct list_head *head, int how, + + /* Set up the argument struct */ + nfs_init_commit(data, head, NULL, cinfo); +- atomic_inc(&cinfo->mds->rpcs_out); + if (NFS_SERVER(inode)->nfs_client->cl_minorversion) + task_flags = RPC_TASK_MOVEABLE; + return nfs_initiate_commit(NFS_CLIENT(inode), data, NFS_PROTO(inode), +diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h +index b9a8b925db430..4d95cc999d121 100644 +--- a/include/linux/nfs_fs.h ++++ b/include/linux/nfs_fs.h +@@ -569,6 +569,7 @@ extern int nfs_wb_page_cancel(struct inode *inode, struct page* page); + extern int nfs_commit_inode(struct inode *, int); + extern struct nfs_commit_data *nfs_commitdata_alloc(bool never_fail); + extern void nfs_commit_free(struct nfs_commit_data *data); ++bool nfs_commit_end(struct nfs_mds_commit_info *cinfo); + + static inline int + nfs_have_writebacks(struct inode *inode) +-- +2.33.0 + diff --git a/queue-5.15/nfs-ignore-the-directory-size-when-marking-for-reval.patch b/queue-5.15/nfs-ignore-the-directory-size-when-marking-for-reval.patch new file mode 100644 index 00000000000..d6ea55df657 --- /dev/null +++ b/queue-5.15/nfs-ignore-the-directory-size-when-marking-for-reval.patch @@ -0,0 +1,37 @@ +From 6c5cd8f19f4092c8766563e9c393bb0bba4062fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 11:24:57 -0400 +Subject: NFS: Ignore the directory size when marking for revalidation + +From: Trond Myklebust + +[ Upstream commit a6a361c4ca3cc3e6f3b39d1b6bca1de90f5f4b11 ] + +If we want to revalidate the directory, then just mark the change +attribute as invalid. + +Fixes: 13c0b082b6a9 ("NFS: Replace use of NFS_INO_REVAL_PAGECACHE when checking cache validity") +Signed-off-by: Trond Myklebust +Tested-by: Benjamin Coddington +Reviewed-by: Benjamin Coddington +Signed-off-by: Sasha Levin +--- + fs/nfs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index 1a6d2867fba4f..085b8ecdc17d9 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1413,7 +1413,7 @@ out_force: + static void nfs_mark_dir_for_revalidate(struct inode *inode) + { + spin_lock(&inode->i_lock); +- nfs_set_cache_invalid(inode, NFS_INO_REVAL_PAGECACHE); ++ nfs_set_cache_invalid(inode, NFS_INO_INVALID_CHANGE); + spin_unlock(&inode->i_lock); + } + +-- +2.33.0 + diff --git a/queue-5.15/nfsd-don-t-alloc-under-spinlock-in-rpc_parse_scope_i.patch b/queue-5.15/nfsd-don-t-alloc-under-spinlock-in-rpc_parse_scope_i.patch new file mode 100644 index 00000000000..ea3926cbef4 --- /dev/null +++ b/queue-5.15/nfsd-don-t-alloc-under-spinlock-in-rpc_parse_scope_i.patch @@ -0,0 +1,90 @@ +From 797cc06f7792e32503261433748eb9dba7abb797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 12:30:32 -0400 +Subject: nfsd: don't alloc under spinlock in rpc_parse_scope_id + +From: J. Bruce Fields + +[ Upstream commit 9b6e27d01adcec58e046c624874f8a124e8b07ec ] + +Dan Carpenter says: + + The patch d20c11d86d8f: "nfsd: Protect session creation and client + confirm using client_lock" from Jul 30, 2014, leads to the following + Smatch static checker warning: + + net/sunrpc/addr.c:178 rpc_parse_scope_id() + warn: sleeping in atomic context + +Reported-by: Dan Carpenter +Fixes: d20c11d86d8f ("nfsd: Protect session creation and client...") +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + net/sunrpc/addr.c | 40 ++++++++++++++++++---------------------- + 1 file changed, 18 insertions(+), 22 deletions(-) + +diff --git a/net/sunrpc/addr.c b/net/sunrpc/addr.c +index 6e4dbd577a39f..d435bffc61999 100644 +--- a/net/sunrpc/addr.c ++++ b/net/sunrpc/addr.c +@@ -162,8 +162,10 @@ static int rpc_parse_scope_id(struct net *net, const char *buf, + const size_t buflen, const char *delim, + struct sockaddr_in6 *sin6) + { +- char *p; ++ char p[IPV6_SCOPE_ID_LEN + 1]; + size_t len; ++ u32 scope_id = 0; ++ struct net_device *dev; + + if ((buf + buflen) == delim) + return 1; +@@ -175,29 +177,23 @@ static int rpc_parse_scope_id(struct net *net, const char *buf, + return 0; + + len = (buf + buflen) - delim - 1; +- p = kmemdup_nul(delim + 1, len, GFP_KERNEL); +- if (p) { +- u32 scope_id = 0; +- struct net_device *dev; +- +- dev = dev_get_by_name(net, p); +- if (dev != NULL) { +- scope_id = dev->ifindex; +- dev_put(dev); +- } else { +- if (kstrtou32(p, 10, &scope_id) != 0) { +- kfree(p); +- return 0; +- } +- } +- +- kfree(p); +- +- sin6->sin6_scope_id = scope_id; +- return 1; ++ if (len > IPV6_SCOPE_ID_LEN) ++ return 0; ++ ++ memcpy(p, delim + 1, len); ++ p[len] = 0; ++ ++ dev = dev_get_by_name(net, p); ++ if (dev != NULL) { ++ scope_id = dev->ifindex; ++ dev_put(dev); ++ } else { ++ if (kstrtou32(p, 10, &scope_id) != 0) ++ return 0; + } + +- return 0; ++ sin6->sin6_scope_id = scope_id; ++ return 1; + } + + static size_t rpc_pton6(struct net *net, const char *buf, const size_t buflen, +-- +2.33.0 + diff --git a/queue-5.15/nfsv4-fix-a-regression-in-nfs_set_open_stateid_locke.patch b/queue-5.15/nfsv4-fix-a-regression-in-nfs_set_open_stateid_locke.patch new file mode 100644 index 00000000000..2b8e1b8b3f0 --- /dev/null +++ b/queue-5.15/nfsv4-fix-a-regression-in-nfs_set_open_stateid_locke.patch @@ -0,0 +1,55 @@ +From eca88fb5a56269f4de9b7ed10c747592bbcf4a65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 21:56:40 -0400 +Subject: NFSv4: Fix a regression in nfs_set_open_stateid_locked() + +From: Trond Myklebust + +[ Upstream commit 01d29f87fcfef38d51ce2b473981a5c1e861ac0a ] + +If we already hold open state on the client, yet the server gives us a +completely different stateid to the one we already hold, then we +currently treat it as if it were an out-of-sequence update, and wait for +5 seconds for other updates to come in. +This commit fixes the behaviour so that we immediately start processing +of the new stateid, and then leave it to the call to +nfs4_test_and_free_stateid() to decide what to do with the old stateid. + +Fixes: b4868b44c562 ("NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index e1214bb6b7ee5..1f38f8cd8c3ce 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1609,15 +1609,16 @@ static bool nfs_stateid_is_sequential(struct nfs4_state *state, + { + if (test_bit(NFS_OPEN_STATE, &state->flags)) { + /* The common case - we're updating to a new sequence number */ +- if (nfs4_stateid_match_other(stateid, &state->open_stateid) && +- nfs4_stateid_is_next(&state->open_stateid, stateid)) { +- return true; ++ if (nfs4_stateid_match_other(stateid, &state->open_stateid)) { ++ if (nfs4_stateid_is_next(&state->open_stateid, stateid)) ++ return true; ++ return false; + } +- } else { +- /* This is the first OPEN in this generation */ +- if (stateid->seqid == cpu_to_be32(1)) +- return true; ++ /* The server returned a new stateid */ + } ++ /* This is the first OPEN in this generation */ ++ if (stateid->seqid == cpu_to_be32(1)) ++ return true; + return false; + } + +-- +2.33.0 + diff --git a/queue-5.15/nvdimm-btt-do-not-call-del_gendisk-if-not-needed.patch b/queue-5.15/nvdimm-btt-do-not-call-del_gendisk-if-not-needed.patch new file mode 100644 index 00000000000..5512f96575f --- /dev/null +++ b/queue-5.15/nvdimm-btt-do-not-call-del_gendisk-if-not-needed.patch @@ -0,0 +1,37 @@ +From eca258cca66c85dc7492d255bf3754d2ed92bb58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 09:58:43 -0700 +Subject: nvdimm/btt: do not call del_gendisk() if not needed + +From: Luis Chamberlain + +[ Upstream commit 3aefb5ee843fbe4789d03bb181e190d462df95e4 ] + +del_gendisk() should not called if the disk has not been added. Fix this. + +Fixes: 41cd8b70c37a ("libnvdimm, btt: add support for blk integrity") +Reviewed-by: Dan Williams +Reviewed-by: Christoph Hellwig +Signed-off-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20211103165843.1402142-1-mcgrof@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/btt.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/nvdimm/btt.c b/drivers/nvdimm/btt.c +index 92dec49522972..3fd1bdb9fc05b 100644 +--- a/drivers/nvdimm/btt.c ++++ b/drivers/nvdimm/btt.c +@@ -1538,7 +1538,6 @@ static int btt_blk_init(struct btt *btt) + int rc = nd_integrity_init(btt->btt_disk, btt_meta_size(btt)); + + if (rc) { +- del_gendisk(btt->btt_disk); + blk_cleanup_disk(btt->btt_disk); + return rc; + } +-- +2.33.0 + diff --git a/queue-5.15/nvdimm-pmem-cleanup-the-disk-if-pmem_release_disk-is.patch b/queue-5.15/nvdimm-pmem-cleanup-the-disk-if-pmem_release_disk-is.patch new file mode 100644 index 00000000000..55853b17b50 --- /dev/null +++ b/queue-5.15/nvdimm-pmem-cleanup-the-disk-if-pmem_release_disk-is.patch @@ -0,0 +1,65 @@ +From c42a353a285cdb0ec83a502177b48a5e53c3848b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 16:04:28 -0700 +Subject: nvdimm/pmem: cleanup the disk if pmem_release_disk() is yet assigned + +From: Luis Chamberlain + +[ Upstream commit accf58afb689f81daadde24080ea1164ad2db75f ] + +Prior to devm being able to use pmem_release_disk() there are other +failure which can occur for which we must account for and release the +disk for. Address those few cases. + +Fixes: 3dd60fb9d95d ("nvdimm/pmem: stop using q_usage_count as external pgmap refcount") +Reviewed-by: Christoph Hellwig +Signed-off-by: Luis Chamberlain +Link: https://lore.kernel.org/r/20211103230437.1639990-6-mcgrof@kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/nvdimm/pmem.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvdimm/pmem.c b/drivers/nvdimm/pmem.c +index 054154c22899a..2721dd2ead0a7 100644 +--- a/drivers/nvdimm/pmem.c ++++ b/drivers/nvdimm/pmem.c +@@ -429,8 +429,10 @@ static int pmem_attach_disk(struct device *dev, + bb_range.end = res->end; + } + +- if (IS_ERR(addr)) +- return PTR_ERR(addr); ++ if (IS_ERR(addr)) { ++ rc = PTR_ERR(addr); ++ goto out; ++ } + pmem->virt_addr = addr; + + blk_queue_write_cache(q, true, fua); +@@ -455,7 +457,8 @@ static int pmem_attach_disk(struct device *dev, + flags = DAXDEV_F_SYNC; + dax_dev = alloc_dax(pmem, disk->disk_name, &pmem_dax_ops, flags); + if (IS_ERR(dax_dev)) { +- return PTR_ERR(dax_dev); ++ rc = PTR_ERR(dax_dev); ++ goto out; + } + dax_write_cache(dax_dev, nvdimm_has_cache(nd_region)); + pmem->dax_dev = dax_dev; +@@ -470,8 +473,10 @@ static int pmem_attach_disk(struct device *dev, + "badblocks"); + if (!pmem->bb_state) + dev_warn(dev, "'badblocks' notification disabled\n"); +- + return 0; ++out: ++ blk_cleanup_disk(pmem->disk); ++ return rc; + } + + static int nd_pmem_probe(struct device *dev) +-- +2.33.0 + diff --git a/queue-5.15/nvme-drop-scan_lock-and-always-kick-requeue-list-whe.patch b/queue-5.15/nvme-drop-scan_lock-and-always-kick-requeue-list-whe.patch new file mode 100644 index 00000000000..5280f4b4394 --- /dev/null +++ b/queue-5.15/nvme-drop-scan_lock-and-always-kick-requeue-list-whe.patch @@ -0,0 +1,74 @@ +From b2096023f6525e70f18f39473c3fb2f2606daf44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 07:59:10 +0200 +Subject: nvme: drop scan_lock and always kick requeue list when removing + namespaces + +From: Hannes Reinecke + +[ Upstream commit 2b81a5f015199f3d585ce710190a9e87714d3c1e ] + +When reading the partition table on initial scan hits an I/O error the +I/O will hang with the scan_mutex held: + +[<0>] do_read_cache_page+0x49b/0x790 +[<0>] read_part_sector+0x39/0xe0 +[<0>] read_lba+0xf9/0x1d0 +[<0>] efi_partition+0xf1/0x7f0 +[<0>] bdev_disk_changed+0x1ee/0x550 +[<0>] blkdev_get_whole+0x81/0x90 +[<0>] blkdev_get_by_dev+0x128/0x2e0 +[<0>] device_add_disk+0x377/0x3c0 +[<0>] nvme_mpath_set_live+0x130/0x1b0 [nvme_core] +[<0>] nvme_mpath_add_disk+0x150/0x160 [nvme_core] +[<0>] nvme_alloc_ns+0x417/0x950 [nvme_core] +[<0>] nvme_validate_or_alloc_ns+0xe9/0x1e0 [nvme_core] +[<0>] nvme_scan_work+0x168/0x310 [nvme_core] +[<0>] process_one_work+0x231/0x420 + +and trying to delete the controller will deadlock as it tries to grab +the scan mutex: + +[<0>] nvme_mpath_clear_ctrl_paths+0x25/0x80 [nvme_core] +[<0>] nvme_remove_namespaces+0x31/0xf0 [nvme_core] +[<0>] nvme_do_delete_ctrl+0x4b/0x80 [nvme_core] + +As we're now properly ordering the namespace list there is no need to +hold the scan_mutex in nvme_mpath_clear_ctrl_paths() anymore. +And we always need to kick the requeue list as the path will be marked +as unusable and I/O will be requeued _without_ a current path. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Keith Busch +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/multipath.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c +index fba06618c6c23..2f76969408b27 100644 +--- a/drivers/nvme/host/multipath.c ++++ b/drivers/nvme/host/multipath.c +@@ -138,13 +138,12 @@ void nvme_mpath_clear_ctrl_paths(struct nvme_ctrl *ctrl) + { + struct nvme_ns *ns; + +- mutex_lock(&ctrl->scan_lock); + down_read(&ctrl->namespaces_rwsem); +- list_for_each_entry(ns, &ctrl->namespaces, list) +- if (nvme_mpath_clear_current_path(ns)) +- kblockd_schedule_work(&ns->head->requeue_work); ++ list_for_each_entry(ns, &ctrl->namespaces, list) { ++ nvme_mpath_clear_current_path(ns); ++ kblockd_schedule_work(&ns->head->requeue_work); ++ } + up_read(&ctrl->namespaces_rwsem); +- mutex_unlock(&ctrl->scan_lock); + } + + void nvme_mpath_revalidate_paths(struct nvme_ns *ns) +-- +2.33.0 + diff --git a/queue-5.15/nvme-rdma-fix-error-code-in-nvme_rdma_setup_ctrl.patch b/queue-5.15/nvme-rdma-fix-error-code-in-nvme_rdma_setup_ctrl.patch new file mode 100644 index 00000000000..cbab0a3e1bf --- /dev/null +++ b/queue-5.15/nvme-rdma-fix-error-code-in-nvme_rdma_setup_ctrl.patch @@ -0,0 +1,43 @@ +From c94d6f398cb3601521d2c120e0cb790c73afda6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Oct 2021 11:58:16 +0300 +Subject: nvme-rdma: fix error code in nvme_rdma_setup_ctrl + +From: Max Gurtovoy + +[ Upstream commit 09748122009aed7bfaa7acc33c10c083a4758322 ] + +In case that icdoff is not zero or mandatory keyed sgls are not +supported by the NVMe/RDMA target, we'll go to error flow but we'll +return 0 to the caller. Fix it by returning an appropriate error code. + +Fixes: c66e2998c8ca ("nvme-rdma: centralize controller setup sequence") +Signed-off-by: Max Gurtovoy +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/rdma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/host/rdma.c b/drivers/nvme/host/rdma.c +index 042c594bc57e2..0498801542eb6 100644 +--- a/drivers/nvme/host/rdma.c ++++ b/drivers/nvme/host/rdma.c +@@ -1095,11 +1095,13 @@ static int nvme_rdma_setup_ctrl(struct nvme_rdma_ctrl *ctrl, bool new) + return ret; + + if (ctrl->ctrl.icdoff) { ++ ret = -EOPNOTSUPP; + dev_err(ctrl->ctrl.device, "icdoff is not supported!\n"); + goto destroy_admin; + } + + if (!(ctrl->ctrl.sgls & (1 << 2))) { ++ ret = -EOPNOTSUPP; + dev_err(ctrl->ctrl.device, + "Mandatory keyed sgls are not supported!\n"); + goto destroy_admin; +-- +2.33.0 + diff --git a/queue-5.15/nvmet-fix-use-after-free-when-a-port-is-removed.patch b/queue-5.15/nvmet-fix-use-after-free-when-a-port-is-removed.patch new file mode 100644 index 00000000000..ce4782a85f1 --- /dev/null +++ b/queue-5.15/nvmet-fix-use-after-free-when-a-port-is-removed.patch @@ -0,0 +1,42 @@ +From a7bdb4810be454ffd8ad986e04b2e8f0a0636664 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 08:09:43 +0000 +Subject: nvmet: fix use-after-free when a port is removed + +From: Israel Rukshin + +[ Upstream commit e3e19dcc4c416d65f99f13d55be2b787f8d0050e ] + +When a port is removed through configfs, any connected controllers +are starting teardown flow asynchronously and can still send commands. +This causes a use-after-free bug for any command that dereferences +req->port (like in nvmet_parse_io_cmd). + +To fix this, wait for all the teardown scheduled works to complete +(like release_work at rdma/tcp drivers). This ensures there are no +active controllers when the port is eventually removed. + +Signed-off-by: Israel Rukshin +Reviewed-by: Max Gurtovoy +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/configfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c +index be5d82421e3a4..496d775c67707 100644 +--- a/drivers/nvme/target/configfs.c ++++ b/drivers/nvme/target/configfs.c +@@ -1553,6 +1553,8 @@ static void nvmet_port_release(struct config_item *item) + { + struct nvmet_port *port = to_nvmet_port(item); + ++ /* Let inflight controllers teardown complete */ ++ flush_scheduled_work(); + list_del(&port->global_entry); + + kfree(port->ana_state); +-- +2.33.0 + diff --git a/queue-5.15/nvmet-rdma-fix-use-after-free-when-a-port-is-removed.patch b/queue-5.15/nvmet-rdma-fix-use-after-free-when-a-port-is-removed.patch new file mode 100644 index 00000000000..60cff4326ee --- /dev/null +++ b/queue-5.15/nvmet-rdma-fix-use-after-free-when-a-port-is-removed.patch @@ -0,0 +1,69 @@ +From 1fdf00f18b2f64e7d30c7aa5e9252f314b2764ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 08:09:44 +0000 +Subject: nvmet-rdma: fix use-after-free when a port is removed + +From: Israel Rukshin + +[ Upstream commit fcf73a804c7d6bbf0ea63531c6122aa363852e04 ] + +When removing a port, all its controllers are being removed, but there +are queues on the port that doesn't belong to any controller (during +connection time). This causes a use-after-free bug for any command +that dereferences req->port (like in nvmet_alloc_ctrl). Those queues +should be destroyed before freeing the port via configfs. Destroy the +remaining queues after the RDMA-CM was destroyed guarantees that no +new queue will be created. + +Signed-off-by: Israel Rukshin +Reviewed-by: Max Gurtovoy +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/rdma.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c +index 891174ccd44bb..f1eedbf493d5b 100644 +--- a/drivers/nvme/target/rdma.c ++++ b/drivers/nvme/target/rdma.c +@@ -1818,12 +1818,36 @@ restart: + mutex_unlock(&nvmet_rdma_queue_mutex); + } + ++static void nvmet_rdma_destroy_port_queues(struct nvmet_rdma_port *port) ++{ ++ struct nvmet_rdma_queue *queue, *tmp; ++ struct nvmet_port *nport = port->nport; ++ ++ mutex_lock(&nvmet_rdma_queue_mutex); ++ list_for_each_entry_safe(queue, tmp, &nvmet_rdma_queue_list, ++ queue_list) { ++ if (queue->port != nport) ++ continue; ++ ++ list_del_init(&queue->queue_list); ++ __nvmet_rdma_queue_disconnect(queue); ++ } ++ mutex_unlock(&nvmet_rdma_queue_mutex); ++} ++ + static void nvmet_rdma_disable_port(struct nvmet_rdma_port *port) + { + struct rdma_cm_id *cm_id = xchg(&port->cm_id, NULL); + + if (cm_id) + rdma_destroy_id(cm_id); ++ ++ /* ++ * Destroy the remaining queues, which are not belong to any ++ * controller yet. Do it here after the RDMA-CM was destroyed ++ * guarantees that no new queue will be created. ++ */ ++ nvmet_rdma_destroy_port_queues(port); + } + + static int nvmet_rdma_enable_port(struct nvmet_rdma_port *port) +-- +2.33.0 + diff --git a/queue-5.15/nvmet-tcp-fix-use-after-free-when-a-port-is-removed.patch b/queue-5.15/nvmet-tcp-fix-use-after-free-when-a-port-is-removed.patch new file mode 100644 index 00000000000..6ea4910af11 --- /dev/null +++ b/queue-5.15/nvmet-tcp-fix-use-after-free-when-a-port-is-removed.patch @@ -0,0 +1,62 @@ +From e13e7c0591211124c2f1fde60c78940263cc017a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 08:09:45 +0000 +Subject: nvmet-tcp: fix use-after-free when a port is removed + +From: Israel Rukshin + +[ Upstream commit 2351ead99ce9164fb42555aee3f96af84c4839e9 ] + +When removing a port, all its controllers are being removed, but there +are queues on the port that doesn't belong to any controller (during +connection time). This causes a use-after-free bug for any command +that dereferences req->port (like in nvmet_alloc_ctrl). Those queues +should be destroyed before freeing the port via configfs. Destroy +the remaining queues after the accept_work was cancelled guarantees +that no new queue will be created. + +Signed-off-by: Israel Rukshin +Reviewed-by: Max Gurtovoy +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/tcp.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c +index 46c3b3be7e033..84c387e4bf431 100644 +--- a/drivers/nvme/target/tcp.c ++++ b/drivers/nvme/target/tcp.c +@@ -1740,6 +1740,17 @@ err_port: + return ret; + } + ++static void nvmet_tcp_destroy_port_queues(struct nvmet_tcp_port *port) ++{ ++ struct nvmet_tcp_queue *queue; ++ ++ mutex_lock(&nvmet_tcp_queue_mutex); ++ list_for_each_entry(queue, &nvmet_tcp_queue_list, queue_list) ++ if (queue->port == port) ++ kernel_sock_shutdown(queue->sock, SHUT_RDWR); ++ mutex_unlock(&nvmet_tcp_queue_mutex); ++} ++ + static void nvmet_tcp_remove_port(struct nvmet_port *nport) + { + struct nvmet_tcp_port *port = nport->priv; +@@ -1749,6 +1760,11 @@ static void nvmet_tcp_remove_port(struct nvmet_port *nport) + port->sock->sk->sk_user_data = NULL; + write_unlock_bh(&port->sock->sk->sk_callback_lock); + cancel_work_sync(&port->accept_work); ++ /* ++ * Destroy the remaining queues, which are not belong to any ++ * controller yet. ++ */ ++ nvmet_tcp_destroy_port_queues(port); + + sock_release(port->sock); + kfree(port); +-- +2.33.0 + diff --git a/queue-5.15/objtool-handle-__sanitize_cov-tail-calls.patch b/queue-5.15/objtool-handle-__sanitize_cov-tail-calls.patch new file mode 100644 index 00000000000..ca263da1c7d --- /dev/null +++ b/queue-5.15/objtool-handle-__sanitize_cov-tail-calls.patch @@ -0,0 +1,295 @@ +From 4d3edff446a92a3cfb6ed76913a3d8648a1353bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 11:41:02 +0200 +Subject: objtool: Handle __sanitize_cov*() tail calls + +From: Peter Zijlstra + +[ Upstream commit f56dae88a81fded66adf2bea9922d1d98d1da14f ] + +Turns out the compilers also generate tail calls to __sanitize_cov*(), +make sure to also patch those out in noinstr code. + +Fixes: 0f1441b44e82 ("objtool: Fix noinstr vs KCOV") +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Marco Elver +Link: https://lore.kernel.org/r/20210624095147.818783799@infradead.org +Signed-off-by: Sasha Levin +--- + tools/objtool/arch/x86/decode.c | 20 ++++ + tools/objtool/check.c | 158 ++++++++++++++------------- + tools/objtool/include/objtool/arch.h | 1 + + 3 files changed, 105 insertions(+), 74 deletions(-) + +diff --git a/tools/objtool/arch/x86/decode.c b/tools/objtool/arch/x86/decode.c +index 0893436cc09f8..77b51600e3e94 100644 +--- a/tools/objtool/arch/x86/decode.c ++++ b/tools/objtool/arch/x86/decode.c +@@ -659,6 +659,26 @@ const char *arch_nop_insn(int len) + return nops[len-1]; + } + ++#define BYTE_RET 0xC3 ++ ++const char *arch_ret_insn(int len) ++{ ++ static const char ret[5][5] = { ++ { BYTE_RET }, ++ { BYTE_RET, BYTES_NOP1 }, ++ { BYTE_RET, BYTES_NOP2 }, ++ { BYTE_RET, BYTES_NOP3 }, ++ { BYTE_RET, BYTES_NOP4 }, ++ }; ++ ++ if (len < 1 || len > 5) { ++ WARN("invalid RET size: %d\n", len); ++ return NULL; ++ } ++ ++ return ret[len-1]; ++} ++ + /* asm/alternative.h ? */ + + #define ALTINSTR_FLAG_INV (1 << 15) +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index 8bffc004f4e53..81982948f981d 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -829,6 +829,79 @@ static struct reloc *insn_reloc(struct objtool_file *file, struct instruction *i + return insn->reloc; + } + ++static void remove_insn_ops(struct instruction *insn) ++{ ++ struct stack_op *op, *tmp; ++ ++ list_for_each_entry_safe(op, tmp, &insn->stack_ops, list) { ++ list_del(&op->list); ++ free(op); ++ } ++} ++ ++static void add_call_dest(struct objtool_file *file, struct instruction *insn, ++ struct symbol *dest, bool sibling) ++{ ++ struct reloc *reloc = insn_reloc(file, insn); ++ ++ insn->call_dest = dest; ++ if (!dest) ++ return; ++ ++ if (insn->call_dest->static_call_tramp) { ++ list_add_tail(&insn->call_node, ++ &file->static_call_list); ++ } ++ ++ /* ++ * Many compilers cannot disable KCOV with a function attribute ++ * so they need a little help, NOP out any KCOV calls from noinstr ++ * text. ++ */ ++ if (insn->sec->noinstr && ++ !strncmp(insn->call_dest->name, "__sanitizer_cov_", 16)) { ++ if (reloc) { ++ reloc->type = R_NONE; ++ elf_write_reloc(file->elf, reloc); ++ } ++ ++ elf_write_insn(file->elf, insn->sec, ++ insn->offset, insn->len, ++ sibling ? arch_ret_insn(insn->len) ++ : arch_nop_insn(insn->len)); ++ ++ insn->type = sibling ? INSN_RETURN : INSN_NOP; ++ } ++ ++ if (mcount && !strcmp(insn->call_dest->name, "__fentry__")) { ++ if (sibling) ++ WARN_FUNC("Tail call to __fentry__ !?!?", insn->sec, insn->offset); ++ ++ if (reloc) { ++ reloc->type = R_NONE; ++ elf_write_reloc(file->elf, reloc); ++ } ++ ++ elf_write_insn(file->elf, insn->sec, ++ insn->offset, insn->len, ++ arch_nop_insn(insn->len)); ++ ++ insn->type = INSN_NOP; ++ ++ list_add_tail(&insn->mcount_loc_node, ++ &file->mcount_loc_list); ++ } ++ ++ /* ++ * Whatever stack impact regular CALLs have, should be undone ++ * by the RETURN of the called function. ++ * ++ * Annotated intra-function calls retain the stack_ops but ++ * are converted to JUMP, see read_intra_function_calls(). ++ */ ++ remove_insn_ops(insn); ++} ++ + /* + * Find the destination instructions for all jumps. + */ +@@ -867,11 +940,7 @@ static int add_jump_destinations(struct objtool_file *file) + continue; + } else if (insn->func) { + /* internal or external sibling call (with reloc) */ +- insn->call_dest = reloc->sym; +- if (insn->call_dest->static_call_tramp) { +- list_add_tail(&insn->call_node, +- &file->static_call_list); +- } ++ add_call_dest(file, insn, reloc->sym, true); + continue; + } else if (reloc->sym->sec->idx) { + dest_sec = reloc->sym->sec; +@@ -927,13 +996,8 @@ static int add_jump_destinations(struct objtool_file *file) + + } else if (insn->jump_dest->func->pfunc != insn->func->pfunc && + insn->jump_dest->offset == insn->jump_dest->func->offset) { +- + /* internal sibling call (without reloc) */ +- insn->call_dest = insn->jump_dest->func; +- if (insn->call_dest->static_call_tramp) { +- list_add_tail(&insn->call_node, +- &file->static_call_list); +- } ++ add_call_dest(file, insn, insn->jump_dest->func, true); + } + } + } +@@ -941,16 +1005,6 @@ static int add_jump_destinations(struct objtool_file *file) + return 0; + } + +-static void remove_insn_ops(struct instruction *insn) +-{ +- struct stack_op *op, *tmp; +- +- list_for_each_entry_safe(op, tmp, &insn->stack_ops, list) { +- list_del(&op->list); +- free(op); +- } +-} +- + static struct symbol *find_call_destination(struct section *sec, unsigned long offset) + { + struct symbol *call_dest; +@@ -969,6 +1023,7 @@ static int add_call_destinations(struct objtool_file *file) + { + struct instruction *insn; + unsigned long dest_off; ++ struct symbol *dest; + struct reloc *reloc; + + for_each_insn(file, insn) { +@@ -978,7 +1033,9 @@ static int add_call_destinations(struct objtool_file *file) + reloc = insn_reloc(file, insn); + if (!reloc) { + dest_off = arch_jump_destination(insn); +- insn->call_dest = find_call_destination(insn->sec, dest_off); ++ dest = find_call_destination(insn->sec, dest_off); ++ ++ add_call_dest(file, insn, dest, false); + + if (insn->ignore) + continue; +@@ -996,9 +1053,8 @@ static int add_call_destinations(struct objtool_file *file) + + } else if (reloc->sym->type == STT_SECTION) { + dest_off = arch_dest_reloc_offset(reloc->addend); +- insn->call_dest = find_call_destination(reloc->sym->sec, +- dest_off); +- if (!insn->call_dest) { ++ dest = find_call_destination(reloc->sym->sec, dest_off); ++ if (!dest) { + WARN_FUNC("can't find call dest symbol at %s+0x%lx", + insn->sec, insn->offset, + reloc->sym->sec->name, +@@ -1006,6 +1062,8 @@ static int add_call_destinations(struct objtool_file *file) + return -1; + } + ++ add_call_dest(file, insn, dest, false); ++ + } else if (arch_is_retpoline(reloc->sym)) { + /* + * Retpoline calls are really dynamic calls in +@@ -1021,55 +1079,7 @@ static int add_call_destinations(struct objtool_file *file) + continue; + + } else +- insn->call_dest = reloc->sym; +- +- if (insn->call_dest && insn->call_dest->static_call_tramp) { +- list_add_tail(&insn->call_node, +- &file->static_call_list); +- } +- +- /* +- * Many compilers cannot disable KCOV with a function attribute +- * so they need a little help, NOP out any KCOV calls from noinstr +- * text. +- */ +- if (insn->sec->noinstr && +- !strncmp(insn->call_dest->name, "__sanitizer_cov_", 16)) { +- if (reloc) { +- reloc->type = R_NONE; +- elf_write_reloc(file->elf, reloc); +- } +- +- elf_write_insn(file->elf, insn->sec, +- insn->offset, insn->len, +- arch_nop_insn(insn->len)); +- insn->type = INSN_NOP; +- } +- +- if (mcount && !strcmp(insn->call_dest->name, "__fentry__")) { +- if (reloc) { +- reloc->type = R_NONE; +- elf_write_reloc(file->elf, reloc); +- } +- +- elf_write_insn(file->elf, insn->sec, +- insn->offset, insn->len, +- arch_nop_insn(insn->len)); +- +- insn->type = INSN_NOP; +- +- list_add_tail(&insn->mcount_loc_node, +- &file->mcount_loc_list); +- } +- +- /* +- * Whatever stack impact regular CALLs have, should be undone +- * by the RETURN of the called function. +- * +- * Annotated intra-function calls retain the stack_ops but +- * are converted to JUMP, see read_intra_function_calls(). +- */ +- remove_insn_ops(insn); ++ add_call_dest(file, insn, reloc->sym, false); + } + + return 0; +diff --git a/tools/objtool/include/objtool/arch.h b/tools/objtool/include/objtool/arch.h +index 062bb6e9b8658..478e054fcdf71 100644 +--- a/tools/objtool/include/objtool/arch.h ++++ b/tools/objtool/include/objtool/arch.h +@@ -82,6 +82,7 @@ unsigned long arch_jump_destination(struct instruction *insn); + unsigned long arch_dest_reloc_offset(int addend); + + const char *arch_nop_insn(int len); ++const char *arch_ret_insn(int len); + + int arch_decode_hint_reg(struct instruction *insn, u8 sp_reg); + +-- +2.33.0 + diff --git a/queue-5.15/octeontx2-pf-enable-promisc-allmulti-match-mcam-entr.patch b/queue-5.15/octeontx2-pf-enable-promisc-allmulti-match-mcam-entr.patch new file mode 100644 index 00000000000..42c68f68c3f --- /dev/null +++ b/queue-5.15/octeontx2-pf-enable-promisc-allmulti-match-mcam-entr.patch @@ -0,0 +1,142 @@ +From 9b7b6ac474ee560cfc94a7b6866738664431a0c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 23:13:45 +0530 +Subject: octeontx2-pf: Enable promisc/allmulti match MCAM entries. + +From: Rakesh Babu + +[ Upstream commit ffd2f89ad05cd620d822112a07b0c5669fa9e333 ] + +Whenever the interface is brought up/down then set_rx_mode +function is called by the stack which enables promisc/allmulti +MCAM entries. But there are cases when driver brings +interface down and then up such as while changing number +of channels. In these cases promisc/allmulti MCAM entries +are left disabled as set_rx_mode callback is not called. +This patch enables these MCAM entries in all such cases. + +Signed-off-by: Rakesh Babu +Signed-off-by: Subbaraya Sundeep +Signed-off-by: Sunil Goutham +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/octeontx2/nic/otx2_pf.c | 78 ++++++++++--------- + 1 file changed, 43 insertions(+), 35 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +index 53df7fff92c40..53a3e8de1a51e 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c ++++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_pf.c +@@ -1493,6 +1493,44 @@ static void otx2_free_hw_resources(struct otx2_nic *pf) + mutex_unlock(&mbox->lock); + } + ++static void otx2_do_set_rx_mode(struct otx2_nic *pf) ++{ ++ struct net_device *netdev = pf->netdev; ++ struct nix_rx_mode *req; ++ bool promisc = false; ++ ++ if (!(netdev->flags & IFF_UP)) ++ return; ++ ++ if ((netdev->flags & IFF_PROMISC) || ++ (netdev_uc_count(netdev) > OTX2_MAX_UNICAST_FLOWS)) { ++ promisc = true; ++ } ++ ++ /* Write unicast address to mcam entries or del from mcam */ ++ if (!promisc && netdev->priv_flags & IFF_UNICAST_FLT) ++ __dev_uc_sync(netdev, otx2_add_macfilter, otx2_del_macfilter); ++ ++ mutex_lock(&pf->mbox.lock); ++ req = otx2_mbox_alloc_msg_nix_set_rx_mode(&pf->mbox); ++ if (!req) { ++ mutex_unlock(&pf->mbox.lock); ++ return; ++ } ++ ++ req->mode = NIX_RX_MODE_UCAST; ++ ++ if (promisc) ++ req->mode |= NIX_RX_MODE_PROMISC; ++ if (netdev->flags & (IFF_ALLMULTI | IFF_MULTICAST)) ++ req->mode |= NIX_RX_MODE_ALLMULTI; ++ ++ req->mode |= NIX_RX_MODE_USE_MCE; ++ ++ otx2_sync_mbox_msg(&pf->mbox); ++ mutex_unlock(&pf->mbox.lock); ++} ++ + int otx2_open(struct net_device *netdev) + { + struct otx2_nic *pf = netdev_priv(netdev); +@@ -1646,6 +1684,8 @@ int otx2_open(struct net_device *netdev) + if (err) + goto err_tx_stop_queues; + ++ otx2_do_set_rx_mode(pf); ++ + return 0; + + err_tx_stop_queues: +@@ -1791,43 +1831,11 @@ static void otx2_set_rx_mode(struct net_device *netdev) + queue_work(pf->otx2_wq, &pf->rx_mode_work); + } + +-static void otx2_do_set_rx_mode(struct work_struct *work) ++static void otx2_rx_mode_wrk_handler(struct work_struct *work) + { + struct otx2_nic *pf = container_of(work, struct otx2_nic, rx_mode_work); +- struct net_device *netdev = pf->netdev; +- struct nix_rx_mode *req; +- bool promisc = false; +- +- if (!(netdev->flags & IFF_UP)) +- return; +- +- if ((netdev->flags & IFF_PROMISC) || +- (netdev_uc_count(netdev) > OTX2_MAX_UNICAST_FLOWS)) { +- promisc = true; +- } + +- /* Write unicast address to mcam entries or del from mcam */ +- if (!promisc && netdev->priv_flags & IFF_UNICAST_FLT) +- __dev_uc_sync(netdev, otx2_add_macfilter, otx2_del_macfilter); +- +- mutex_lock(&pf->mbox.lock); +- req = otx2_mbox_alloc_msg_nix_set_rx_mode(&pf->mbox); +- if (!req) { +- mutex_unlock(&pf->mbox.lock); +- return; +- } +- +- req->mode = NIX_RX_MODE_UCAST; +- +- if (promisc) +- req->mode |= NIX_RX_MODE_PROMISC; +- if (netdev->flags & (IFF_ALLMULTI | IFF_MULTICAST)) +- req->mode |= NIX_RX_MODE_ALLMULTI; +- +- req->mode |= NIX_RX_MODE_USE_MCE; +- +- otx2_sync_mbox_msg(&pf->mbox); +- mutex_unlock(&pf->mbox.lock); ++ otx2_do_set_rx_mode(pf); + } + + static int otx2_set_features(struct net_device *netdev, +@@ -2358,7 +2366,7 @@ static int otx2_wq_init(struct otx2_nic *pf) + if (!pf->otx2_wq) + return -ENOMEM; + +- INIT_WORK(&pf->rx_mode_work, otx2_do_set_rx_mode); ++ INIT_WORK(&pf->rx_mode_work, otx2_rx_mode_wrk_handler); + INIT_WORK(&pf->reset_task, otx2_reset_task); + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/octeontx2-pf-select-config_net_devlink.patch b/queue-5.15/octeontx2-pf-select-config_net_devlink.patch new file mode 100644 index 00000000000..d08459342bc --- /dev/null +++ b/queue-5.15/octeontx2-pf-select-config_net_devlink.patch @@ -0,0 +1,47 @@ +From c908f689f6b342cc04ea5d3586518d78778faa6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 14:34:42 +0100 +Subject: octeontx2-pf: select CONFIG_NET_DEVLINK + +From: Arnd Bergmann + +[ Upstream commit 9cbc3367968de69017a87a1118b62490ac1bdd0a ] + +The octeontx2 pf nic driver failsz to link when the devlink support +is not reachable: + +aarch64-linux-ld: drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.o: in function `otx2_dl_mcam_count_get': +otx2_devlink.c:(.text+0x10): undefined reference to `devlink_priv' +aarch64-linux-ld: drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.o: in function `otx2_dl_mcam_count_validate': +otx2_devlink.c:(.text+0x50): undefined reference to `devlink_priv' +aarch64-linux-ld: drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.o: in function `otx2_dl_mcam_count_set': +otx2_devlink.c:(.text+0xd0): undefined reference to `devlink_priv' +aarch64-linux-ld: drivers/net/ethernet/marvell/octeontx2/nic/otx2_devlink.o: in function `otx2_devlink_info_get': +otx2_devlink.c:(.text+0x150): undefined reference to `devlink_priv' + +This is already selected by the admin function driver, but not the +actual nic, which might be built-in when the af driver is not. + +Fixes: 2da489432747 ("octeontx2-pf: devlink params support to set mcam entry count") +Signed-off-by: Arnd Bergmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/octeontx2/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/marvell/octeontx2/Kconfig b/drivers/net/ethernet/marvell/octeontx2/Kconfig +index 3f982ccf2c85f..639893d870550 100644 +--- a/drivers/net/ethernet/marvell/octeontx2/Kconfig ++++ b/drivers/net/ethernet/marvell/octeontx2/Kconfig +@@ -31,6 +31,7 @@ config NDC_DIS_DYNAMIC_CACHING + config OCTEONTX2_PF + tristate "Marvell OcteonTX2 NIC Physical Function driver" + select OCTEONTX2_MBOX ++ select NET_DEVLINK + depends on (64BIT && COMPILE_TEST) || ARM64 + depends on PCI + depends on PTP_1588_CLOCK_OPTIONAL +-- +2.33.0 + diff --git a/queue-5.15/of-unittest-fix-expect-text-for-gpio-hog-errors.patch b/queue-5.15/of-unittest-fix-expect-text-for-gpio-hog-errors.patch new file mode 100644 index 00000000000..089b99fd397 --- /dev/null +++ b/queue-5.15/of-unittest-fix-expect-text-for-gpio-hog-errors.patch @@ -0,0 +1,88 @@ +From cb86eaac9f2be377139cb263bd00712bd714d797 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 20:32:25 -0500 +Subject: of: unittest: fix EXPECT text for gpio hog errors + +From: Frank Rowand + +[ Upstream commit e85860e5bc077865a04f0a88d0b0335d3200484a ] + +The console message text for gpio hog errors does not match +what unittest expects. + +Fixes: f4056e705b2ef ("of: unittest: add overlay gpio test to catch gpio hog problem") +Signed-off-by: Frank Rowand +Link: https://lore.kernel.org/r/20211029013225.2048695-1-frowand.list@gmail.com +Signed-off-by: Rob Herring +Signed-off-by: Sasha Levin +--- + drivers/of/unittest.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c +index 8c056972a6ddc..5b85a2a3792ae 100644 +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -1688,19 +1688,19 @@ static void __init of_unittest_overlay_gpio(void) + */ + + EXPECT_BEGIN(KERN_INFO, +- "GPIO line <> (line-B-input) hogged as input\n"); ++ "gpio-<> (line-B-input): hogged as input\n"); + + EXPECT_BEGIN(KERN_INFO, +- "GPIO line <> (line-A-input) hogged as input\n"); ++ "gpio-<> (line-A-input): hogged as input\n"); + + ret = platform_driver_register(&unittest_gpio_driver); + if (unittest(ret == 0, "could not register unittest gpio driver\n")) + return; + + EXPECT_END(KERN_INFO, +- "GPIO line <> (line-A-input) hogged as input\n"); ++ "gpio-<> (line-A-input): hogged as input\n"); + EXPECT_END(KERN_INFO, +- "GPIO line <> (line-B-input) hogged as input\n"); ++ "gpio-<> (line-B-input): hogged as input\n"); + + unittest(probe_pass_count + 2 == unittest_gpio_probe_pass_count, + "unittest_gpio_probe() failed or not called\n"); +@@ -1727,7 +1727,7 @@ static void __init of_unittest_overlay_gpio(void) + chip_request_count = unittest_gpio_chip_request_count; + + EXPECT_BEGIN(KERN_INFO, +- "GPIO line <> (line-D-input) hogged as input\n"); ++ "gpio-<> (line-D-input): hogged as input\n"); + + /* overlay_gpio_03 contains gpio node and child gpio hog node */ + +@@ -1735,7 +1735,7 @@ static void __init of_unittest_overlay_gpio(void) + "Adding overlay 'overlay_gpio_03' failed\n"); + + EXPECT_END(KERN_INFO, +- "GPIO line <> (line-D-input) hogged as input\n"); ++ "gpio-<> (line-D-input): hogged as input\n"); + + unittest(probe_pass_count + 1 == unittest_gpio_probe_pass_count, + "unittest_gpio_probe() failed or not called\n"); +@@ -1774,7 +1774,7 @@ static void __init of_unittest_overlay_gpio(void) + */ + + EXPECT_BEGIN(KERN_INFO, +- "GPIO line <> (line-C-input) hogged as input\n"); ++ "gpio-<> (line-C-input): hogged as input\n"); + + /* overlay_gpio_04b contains child gpio hog node */ + +@@ -1782,7 +1782,7 @@ static void __init of_unittest_overlay_gpio(void) + "Adding overlay 'overlay_gpio_04b' failed\n"); + + EXPECT_END(KERN_INFO, +- "GPIO line <> (line-C-input) hogged as input\n"); ++ "gpio-<> (line-C-input): hogged as input\n"); + + unittest(chip_request_count + 1 == unittest_gpio_chip_request_count, + "unittest_gpio_chip_request() called %d times (expected 1 time)\n", +-- +2.33.0 + diff --git a/queue-5.15/openrisc-fix-smp-tlb-flush-null-pointer-dereference.patch b/queue-5.15/openrisc-fix-smp-tlb-flush-null-pointer-dereference.patch new file mode 100644 index 00000000000..6a63e48e8e9 --- /dev/null +++ b/queue-5.15/openrisc-fix-smp-tlb-flush-null-pointer-dereference.patch @@ -0,0 +1,80 @@ +From 3d4f252477ffe667365234041b850d67fe8608a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 20:19:33 +0900 +Subject: openrisc: fix SMP tlb flush NULL pointer dereference + +From: Stafford Horne + +[ Upstream commit 27dff9a9c247d4e38d82c2e7234914cfe8499294 ] + +Throughout the OpenRISC kernel port VMA is passed as NULL when flushing +kernel tlb entries. Somehow this was missed when I was testing +c28b27416da9 ("openrisc: Implement proper SMP tlb flushing") and now the +SMP kernel fails to completely boot. + +In OpenRISC VMA is used only to determine which cores need to have their +TLB entries flushed. + +This patch updates the logic to flush tlbs on all cores when the VMA is +passed as NULL. Also, we update places VMA is passed as NULL to use +flush_tlb_kernel_range instead. Now, the only place VMA is passed as +NULL is in the implementation of flush_tlb_kernel_range. + +Fixes: c28b27416da9 ("openrisc: Implement proper SMP tlb flushing") +Reported-by: Jan Henrik Weinstock +Signed-off-by: Stafford Horne +Signed-off-by: Sasha Levin +--- + arch/openrisc/kernel/dma.c | 4 ++-- + arch/openrisc/kernel/smp.c | 6 ++++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/openrisc/kernel/dma.c b/arch/openrisc/kernel/dma.c +index 1b16d97e7da7f..a82b2caaa560d 100644 +--- a/arch/openrisc/kernel/dma.c ++++ b/arch/openrisc/kernel/dma.c +@@ -33,7 +33,7 @@ page_set_nocache(pte_t *pte, unsigned long addr, + * Flush the page out of the TLB so that the new page flags get + * picked up next time there's an access + */ +- flush_tlb_page(NULL, addr); ++ flush_tlb_kernel_range(addr, addr + PAGE_SIZE); + + /* Flush page out of dcache */ + for (cl = __pa(addr); cl < __pa(next); cl += cpuinfo->dcache_block_size) +@@ -56,7 +56,7 @@ page_clear_nocache(pte_t *pte, unsigned long addr, + * Flush the page out of the TLB so that the new page flags get + * picked up next time there's an access + */ +- flush_tlb_page(NULL, addr); ++ flush_tlb_kernel_range(addr, addr + PAGE_SIZE); + + return 0; + } +diff --git a/arch/openrisc/kernel/smp.c b/arch/openrisc/kernel/smp.c +index 415e209732a3d..ba78766cf00b5 100644 +--- a/arch/openrisc/kernel/smp.c ++++ b/arch/openrisc/kernel/smp.c +@@ -272,7 +272,7 @@ static inline void ipi_flush_tlb_range(void *info) + local_flush_tlb_range(NULL, fd->addr1, fd->addr2); + } + +-static void smp_flush_tlb_range(struct cpumask *cmask, unsigned long start, ++static void smp_flush_tlb_range(const struct cpumask *cmask, unsigned long start, + unsigned long end) + { + unsigned int cpuid; +@@ -320,7 +320,9 @@ void flush_tlb_page(struct vm_area_struct *vma, unsigned long uaddr) + void flush_tlb_range(struct vm_area_struct *vma, + unsigned long start, unsigned long end) + { +- smp_flush_tlb_range(mm_cpumask(vma->vm_mm), start, end); ++ const struct cpumask *cmask = vma ? mm_cpumask(vma->vm_mm) ++ : cpu_online_mask; ++ smp_flush_tlb_range(cmask, start, end); + } + + /* Instruction cache invalidate - performed on each cpu */ +-- +2.33.0 + diff --git a/queue-5.15/opp-fix-return-in-_opp_add_static_v2.patch b/queue-5.15/opp-fix-return-in-_opp_add_static_v2.patch new file mode 100644 index 00000000000..39ac1be171c --- /dev/null +++ b/queue-5.15/opp-fix-return-in-_opp_add_static_v2.patch @@ -0,0 +1,38 @@ +From 57cbe037fc690f29155c56250dfcbb58a64a214d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 15:46:52 +0800 +Subject: opp: Fix return in _opp_add_static_v2() + +From: YueHaibing + +[ Upstream commit 27ff8187f13ecfec8a26fb1928e906f46f326cc5 ] + +Fix sparse warning: +drivers/opp/of.c:924 _opp_add_static_v2() warn: passing zero to 'ERR_PTR' + +For duplicate OPPs 'ret' be set to zero. + +Fixes: deac8703da5f ("PM / OPP: _of_add_opp_table_v2(): increment count only if OPP is added") +Signed-off-by: YueHaibing +Signed-off-by: Viresh Kumar +Signed-off-by: Sasha Levin +--- + drivers/opp/of.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/opp/of.c b/drivers/opp/of.c +index 2a97c6535c4c6..c32ae7497392b 100644 +--- a/drivers/opp/of.c ++++ b/drivers/opp/of.c +@@ -921,7 +921,7 @@ free_required_opps: + free_opp: + _opp_free(new_opp); + +- return ERR_PTR(ret); ++ return ret ? ERR_PTR(ret) : NULL; + } + + /* Initializes OPP tables based on new bindings */ +-- +2.33.0 + diff --git a/queue-5.15/parisc-fix-warning-in-flush_tlb_all.patch b/queue-5.15/parisc-fix-warning-in-flush_tlb_all.patch new file mode 100644 index 00000000000..87003508b16 --- /dev/null +++ b/queue-5.15/parisc-fix-warning-in-flush_tlb_all.patch @@ -0,0 +1,68 @@ +From de599199385ddf7b074c0a66e8eadeedae9abdd0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Oct 2021 20:24:39 +0200 +Subject: parisc: fix warning in flush_tlb_all + +From: Sven Schnelle + +[ Upstream commit 1030d681319b43869e0d5b568b9d0226652d1a6f ] + +I've got the following splat after enabling preemption: + +[ 3.724721] BUG: using __this_cpu_add() in preemptible [00000000] code: swapper/0/1 +[ 3.734630] caller is __this_cpu_preempt_check+0x38/0x50 +[ 3.740635] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc4-64bit+ #324 +[ 3.744605] Hardware name: 9000/785/C8000 +[ 3.744605] Backtrace: +[ 3.744605] [<00000000401d9d58>] show_stack+0x74/0xb0 +[ 3.744605] [<0000000040c27bd4>] dump_stack_lvl+0x10c/0x188 +[ 3.744605] [<0000000040c27c84>] dump_stack+0x34/0x48 +[ 3.744605] [<0000000040c33438>] check_preemption_disabled+0x178/0x1b0 +[ 3.744605] [<0000000040c334f8>] __this_cpu_preempt_check+0x38/0x50 +[ 3.744605] [<00000000401d632c>] flush_tlb_all+0x58/0x2e0 +[ 3.744605] [<00000000401075c0>] 0x401075c0 +[ 3.744605] [<000000004010b8fc>] 0x4010b8fc +[ 3.744605] [<00000000401080fc>] 0x401080fc +[ 3.744605] [<00000000401d5224>] do_one_initcall+0x128/0x378 +[ 3.744605] [<0000000040102de8>] 0x40102de8 +[ 3.744605] [<0000000040c33864>] kernel_init+0x60/0x3a8 +[ 3.744605] [<00000000401d1020>] ret_from_kernel_thread+0x20/0x28 +[ 3.744605] + +Fix this by moving the __inc_irq_stat() into the locked section. + +Signed-off-by: Sven Schnelle +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/mm/init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c +index 3f7d6d5b56ac8..65f50f072a87b 100644 +--- a/arch/parisc/mm/init.c ++++ b/arch/parisc/mm/init.c +@@ -842,9 +842,9 @@ void flush_tlb_all(void) + { + int do_recycle; + +- __inc_irq_stat(irq_tlb_count); + do_recycle = 0; + spin_lock(&sid_lock); ++ __inc_irq_stat(irq_tlb_count); + if (dirty_space_ids > RECYCLE_THRESHOLD) { + BUG_ON(recycle_inuse); /* FIXME: Use a semaphore/wait queue here */ + get_dirty_sids(&recycle_ndirty,recycle_dirty_array); +@@ -863,8 +863,8 @@ void flush_tlb_all(void) + #else + void flush_tlb_all(void) + { +- __inc_irq_stat(irq_tlb_count); + spin_lock(&sid_lock); ++ __inc_irq_stat(irq_tlb_count); + flush_tlb_all_local(NULL); + recycle_sids(); + spin_unlock(&sid_lock); +-- +2.33.0 + diff --git a/queue-5.15/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch b/queue-5.15/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch new file mode 100644 index 00000000000..fea005fa09c --- /dev/null +++ b/queue-5.15/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch @@ -0,0 +1,78 @@ +From 174763118d674ab329dee3e42094ff95484fb51f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 21:49:23 +0200 +Subject: parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling + +From: Sven Schnelle + +[ Upstream commit 66e29fcda1824f0427966fbee2bd2c85bf362c82 ] + +With idle polling, IPIs are not sent when a CPU idle, but queued +and run later from do_idle(). The default kgdb_call_nmi_hook() +implementation gets the pointer to struct pt_regs from get_irq_reqs(), +which doesn't work in that case because it was not called from the +IPI interrupt handler. Fix it by defining our own kgdb_roundup() +function which sents an IPI_ENTER_KGDB. When that IPI is received +on the target CPU kgdb_nmicallback() is called. + +Signed-off-by: Sven Schnelle +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/smp.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/kernel/smp.c b/arch/parisc/kernel/smp.c +index 1405b603b91b6..cf92ece20b757 100644 +--- a/arch/parisc/kernel/smp.c ++++ b/arch/parisc/kernel/smp.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -69,7 +70,10 @@ enum ipi_message_type { + IPI_CALL_FUNC, + IPI_CPU_START, + IPI_CPU_STOP, +- IPI_CPU_TEST ++ IPI_CPU_TEST, ++#ifdef CONFIG_KGDB ++ IPI_ENTER_KGDB, ++#endif + }; + + +@@ -167,7 +171,12 @@ ipi_interrupt(int irq, void *dev_id) + case IPI_CPU_TEST: + smp_debug(100, KERN_DEBUG "CPU%d is alive!\n", this_cpu); + break; +- ++#ifdef CONFIG_KGDB ++ case IPI_ENTER_KGDB: ++ smp_debug(100, KERN_DEBUG "CPU%d ENTER_KGDB\n", this_cpu); ++ kgdb_nmicallback(raw_smp_processor_id(), get_irq_regs()); ++ break; ++#endif + default: + printk(KERN_CRIT "Unknown IPI num on CPU%d: %lu\n", + this_cpu, which); +@@ -226,6 +235,12 @@ send_IPI_allbutself(enum ipi_message_type op) + } + } + ++#ifdef CONFIG_KGDB ++void kgdb_roundup_cpus(void) ++{ ++ send_IPI_allbutself(IPI_ENTER_KGDB); ++} ++#endif + + inline void + smp_send_stop(void) { send_IPI_allbutself(IPI_CPU_STOP); } +-- +2.33.0 + diff --git a/queue-5.15/parisc-unwind-fix-unwinder-when-config_64bit-is-enab.patch b/queue-5.15/parisc-unwind-fix-unwinder-when-config_64bit-is-enab.patch new file mode 100644 index 00000000000..513e730752a --- /dev/null +++ b/queue-5.15/parisc-unwind-fix-unwinder-when-config_64bit-is-enab.patch @@ -0,0 +1,101 @@ +From 18c7977cdb37120d51cf8d3a8afaf1199800738c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Oct 2021 23:15:17 +0200 +Subject: parisc/unwind: fix unwinder when CONFIG_64BIT is enabled + +From: Sven Schnelle + +[ Upstream commit 8e0ba125c2bf1030af3267058019ba86da96863f ] + +With 64 bit kernels unwind_special() is not working because +it compares the pc to the address of the function descriptor. +Add a helper function that compares pc with the dereferenced +address. This fixes all of the backtraces on my c8000. Without +this changes, a lot of backtraces are missing in kdb or the +show-all-tasks command from /proc/sysrq-trigger. + +Signed-off-by: Sven Schnelle +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/unwind.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/arch/parisc/kernel/unwind.c b/arch/parisc/kernel/unwind.c +index 87ae476d1c4f5..86a57fb0e6fae 100644 +--- a/arch/parisc/kernel/unwind.c ++++ b/arch/parisc/kernel/unwind.c +@@ -21,6 +21,8 @@ + #include + + #include ++#include ++#include + + /* #define DEBUG 1 */ + #ifdef DEBUG +@@ -203,6 +205,11 @@ int __init unwind_init(void) + return 0; + } + ++static bool pc_is_kernel_fn(unsigned long pc, void *fn) ++{ ++ return (unsigned long)dereference_kernel_function_descriptor(fn) == pc; ++} ++ + static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int frame_size) + { + /* +@@ -221,7 +228,7 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int + extern void * const _call_on_stack; + #endif /* CONFIG_IRQSTACKS */ + +- if (pc == (unsigned long) &handle_interruption) { ++ if (pc_is_kernel_fn(pc, handle_interruption)) { + struct pt_regs *regs = (struct pt_regs *)(info->sp - frame_size - PT_SZ_ALGN); + dbg("Unwinding through handle_interruption()\n"); + info->prev_sp = regs->gr[30]; +@@ -229,13 +236,13 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int + return 1; + } + +- if (pc == (unsigned long) &ret_from_kernel_thread || +- pc == (unsigned long) &syscall_exit) { ++ if (pc_is_kernel_fn(pc, ret_from_kernel_thread) || ++ pc_is_kernel_fn(pc, syscall_exit)) { + info->prev_sp = info->prev_ip = 0; + return 1; + } + +- if (pc == (unsigned long) &intr_return) { ++ if (pc_is_kernel_fn(pc, intr_return)) { + struct pt_regs *regs; + + dbg("Found intr_return()\n"); +@@ -246,20 +253,20 @@ static int unwind_special(struct unwind_frame_info *info, unsigned long pc, int + return 1; + } + +- if (pc == (unsigned long) &_switch_to_ret) { ++ if (pc_is_kernel_fn(pc, _switch_to) || ++ pc_is_kernel_fn(pc, _switch_to_ret)) { + info->prev_sp = info->sp - CALLEE_SAVE_FRAME_SIZE; + info->prev_ip = *(unsigned long *)(info->prev_sp - RP_OFFSET); + return 1; + } + + #ifdef CONFIG_IRQSTACKS +- if (pc == (unsigned long) &_call_on_stack) { ++ if (pc_is_kernel_fn(pc, _call_on_stack)) { + info->prev_sp = *(unsigned long *)(info->sp - FRAME_SIZE - REG_SZ); + info->prev_ip = *(unsigned long *)(info->sp - FRAME_SIZE - RP_OFFSET); + return 1; + } + #endif +- + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/pci-aardvark-don-t-spam-about-pio-response-status.patch b/queue-5.15/pci-aardvark-don-t-spam-about-pio-response-status.patch new file mode 100644 index 00000000000..d17cd5a828f --- /dev/null +++ b/queue-5.15/pci-aardvark-don-t-spam-about-pio-response-status.patch @@ -0,0 +1,42 @@ +From 68162d37e0d5977d995e674b7a71d8b38cf66ba1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 20:09:42 +0200 +Subject: PCI: aardvark: Don't spam about PIO Response Status +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +[ Upstream commit 464de7e7fff767e87429cd7be09c4f2cb50a6ccb ] + +Use dev_dbg() instead of dev_err() in advk_pcie_check_pio_status(). + +For example CRS is not an error status, it just says that the request +should be retried. + +Link: https://lore.kernel.org/r/20211005180952.6812-4-kabel@kernel.org +Fixes: 8c39d710363c1 ("PCI: aardvark: Add Aardvark PCI host controller driver") +Signed-off-by: Marek Behún +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-aardvark.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c +index 0dd42435e7289..589ddb4c50100 100644 +--- a/drivers/pci/controller/pci-aardvark.c ++++ b/drivers/pci/controller/pci-aardvark.c +@@ -778,7 +778,7 @@ static int advk_pcie_check_pio_status(struct advk_pcie *pcie, bool allow_crs, u3 + else + str_posted = "Posted"; + +- dev_err(dev, "%s PIO Response Status: %s, %#x @ %#x\n", ++ dev_dbg(dev, "%s PIO Response Status: %s, %#x @ %#x\n", + str_posted, strcomp_status, reg, advk_readl(pcie, PIO_ADDR_LS)); + + return -EFAULT; +-- +2.33.0 + diff --git a/queue-5.15/pci-aardvark-fix-preserving-pci_exp_rtctl_crssve-fla.patch b/queue-5.15/pci-aardvark-fix-preserving-pci_exp_rtctl_crssve-fla.patch new file mode 100644 index 00000000000..68e051ac053 --- /dev/null +++ b/queue-5.15/pci-aardvark-fix-preserving-pci_exp_rtctl_crssve-fla.patch @@ -0,0 +1,50 @@ +From 8ffae454ed32eedb20a4f63b3f03a1a7361bc841 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 20:09:43 +0200 +Subject: PCI: aardvark: Fix preserving PCI_EXP_RTCTL_CRSSVE flag on emulated + bridge +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit d419052bc6c60fa4ab2b5a51d5f1e55a66e2b4ff ] + +Commit 43f5c77bcbd2 ("PCI: aardvark: Fix reporting CRS value") started +using CRSSVE flag for handling CRS responses. + +PCI_EXP_RTCTL_CRSSVE flag is stored only in emulated config space buffer +and there is handler for PCI_EXP_RTCTL register. So every read operation +from config space automatically clears CRSSVE flag as it is not defined in +PCI_EXP_RTCTL read handler. + +Fix this by reading current CRSSVE bit flag from emulated space buffer and +appending it to PCI_EXP_RTCTL read response. + +Link: https://lore.kernel.org/r/20211005180952.6812-5-kabel@kernel.org +Fixes: 43f5c77bcbd2 ("PCI: aardvark: Fix reporting CRS value") +Signed-off-by: Pali Rohár +Signed-off-by: Marek Behún +Signed-off-by: Lorenzo Pieralisi +Reviewed-by: Marek Behún +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/pci-aardvark.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pci/controller/pci-aardvark.c b/drivers/pci/controller/pci-aardvark.c +index 589ddb4c50100..b792a779f1059 100644 +--- a/drivers/pci/controller/pci-aardvark.c ++++ b/drivers/pci/controller/pci-aardvark.c +@@ -885,6 +885,7 @@ advk_pci_bridge_emul_pcie_conf_read(struct pci_bridge_emul *bridge, + case PCI_EXP_RTCTL: { + u32 val = advk_readl(pcie, PCIE_ISR0_MASK_REG); + *value = (val & PCIE_MSG_PM_PME_MASK) ? 0 : PCI_EXP_RTCTL_PMEIE; ++ *value |= le16_to_cpu(bridge->pcie_conf.rootctl) & PCI_EXP_RTCTL_CRSSVE; + *value |= PCI_EXP_RTCAP_CRSVIS << 16; + return PCI_BRIDGE_EMUL_HANDLED; + } +-- +2.33.0 + diff --git a/queue-5.15/pci-do-not-enable-atomicops-on-vfs.patch b/queue-5.15/pci-do-not-enable-atomicops-on-vfs.patch new file mode 100644 index 00000000000..3db62950dc7 --- /dev/null +++ b/queue-5.15/pci-do-not-enable-atomicops-on-vfs.patch @@ -0,0 +1,69 @@ +From cb0e419750c7fe8a806ebadb9162df4bfe123b67 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 11 Sep 2021 03:03:05 -0700 +Subject: PCI: Do not enable AtomicOps on VFs + +From: Selvin Xavier + +[ Upstream commit 5ec0a6fcb60ea430f8ee7e0bec22db9b22f856d3 ] + +Host crashes when pci_enable_atomic_ops_to_root() is called for VFs with +virtual buses. The virtual buses added to SR-IOV have bus->self set to NULL +and host crashes due to this. + + PID: 4481 TASK: ffff89c6941b0000 CPU: 53 COMMAND: "bash" + ... + #3 [ffff9a9481713808] oops_end at ffffffffb9025cd6 + #4 [ffff9a9481713828] page_fault_oops at ffffffffb906e417 + #5 [ffff9a9481713888] exc_page_fault at ffffffffb9a0ad14 + #6 [ffff9a94817138b0] asm_exc_page_fault at ffffffffb9c00ace + [exception RIP: pcie_capability_read_dword+28] + RIP: ffffffffb952fd5c RSP: ffff9a9481713960 RFLAGS: 00010246 + RAX: 0000000000000001 RBX: ffff89c6b1096000 RCX: 0000000000000000 + RDX: ffff9a9481713990 RSI: 0000000000000024 RDI: 0000000000000000 + RBP: 0000000000000080 R8: 0000000000000008 R9: ffff89c64341a2f8 + R10: 0000000000000002 R11: 0000000000000000 R12: ffff89c648bab000 + R13: 0000000000000000 R14: 0000000000000000 R15: ffff89c648bab0c8 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #7 [ffff9a9481713988] pci_enable_atomic_ops_to_root at ffffffffb95359a6 + #8 [ffff9a94817139c0] bnxt_qplib_determine_atomics at ffffffffc08c1a33 [bnxt_re] + #9 [ffff9a94817139d0] bnxt_re_dev_init at ffffffffc08ba2d1 [bnxt_re] + +Per PCIe r5.0, sec 9.3.5.10, the AtomicOp Requester Enable bit in Device +Control 2 is reserved for VFs. The PF value applies to all associated VFs. + +Return -EINVAL if pci_enable_atomic_ops_to_root() is called for a VF. + +Link: https://lore.kernel.org/r/1631354585-16597-1-git-send-email-selvin.xavier@broadcom.com +Fixes: 35f5ace5dea4 ("RDMA/bnxt_re: Enable global atomic ops if platform supports") +Fixes: 430a23689dea ("PCI: Add pci_enable_atomic_ops_to_root()") +Signed-off-by: Selvin Xavier +Signed-off-by: Bjorn Helgaas +Reviewed-by: Andy Gospodarek +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index ce2ab62b64cfa..a101faf3e88a9 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -3719,6 +3719,14 @@ int pci_enable_atomic_ops_to_root(struct pci_dev *dev, u32 cap_mask) + struct pci_dev *bridge; + u32 cap, ctl2; + ++ /* ++ * Per PCIe r5.0, sec 9.3.5.10, the AtomicOp Requester Enable bit ++ * in Device Control 2 is reserved in VFs and the PF value applies ++ * to all associated VFs. ++ */ ++ if (dev->is_virtfn) ++ return -EINVAL; ++ + if (!pci_is_pcie(dev)) + return -EINVAL; + +-- +2.33.0 + diff --git a/queue-5.15/pci-j721e-fix-j721e_pcie_probe-error-path.patch b/queue-5.15/pci-j721e-fix-j721e_pcie_probe-error-path.patch new file mode 100644 index 00000000000..6ec77b60baf --- /dev/null +++ b/queue-5.15/pci-j721e-fix-j721e_pcie_probe-error-path.patch @@ -0,0 +1,44 @@ +From 3ae141c2c16c681cf0ed69305516ba42e0fd8213 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jun 2021 13:46:24 +0200 +Subject: PCI: j721e: Fix j721e_pcie_probe() error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Christophe JAILLET + +[ Upstream commit 496bb18483cc0474913e81e18a6b313aaea4c120 ] + +If an error occurs after a successful cdns_pcie_init_phy() call, it must be +undone by a cdns_pcie_disable_phy() call, as already done above and below. + +Update the goto to branch at the correct place of the error handling path. + +Link: https://lore.kernel.org/r/db477b0cb444891a17c4bb424467667dc30d0bab.1624794264.git.christophe.jaillet@wanadoo.fr +Fixes: 49e0efdce791 ("PCI: j721e: Add support to provide refclk to PCIe connector") +Signed-off-by: Christophe JAILLET +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Reviewed-by: Krzysztof Wilczyński +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/cadence/pci-j721e.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pci/controller/cadence/pci-j721e.c b/drivers/pci/controller/cadence/pci-j721e.c +index ffb176d288cd9..918e11082e6a7 100644 +--- a/drivers/pci/controller/cadence/pci-j721e.c ++++ b/drivers/pci/controller/cadence/pci-j721e.c +@@ -474,7 +474,7 @@ static int j721e_pcie_probe(struct platform_device *pdev) + ret = clk_prepare_enable(clk); + if (ret) { + dev_err(dev, "failed to enable pcie_refclk\n"); +- goto err_get_sync; ++ goto err_pcie_setup; + } + pcie->refclk = clk; + +-- +2.33.0 + diff --git a/queue-5.15/pci-uniphier-serialize-intx-masking-unmasking-and-fi.patch b/queue-5.15/pci-uniphier-serialize-intx-masking-unmasking-and-fi.patch new file mode 100644 index 00000000000..51221e6e208 --- /dev/null +++ b/queue-5.15/pci-uniphier-serialize-intx-masking-unmasking-and-fi.patch @@ -0,0 +1,104 @@ +From 70e7c1e1b05b1aa62af5e4040e8d51e569c34fbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 09:22:59 +0900 +Subject: PCI: uniphier: Serialize INTx masking/unmasking and fix the bit + operation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kunihiko Hayashi + +[ Upstream commit 4caab28a6215da5f3c1b505ff08810bc6acfe365 ] + +The condition register PCI_RCV_INTX is used in irq_mask() and irq_unmask() +callbacks. Accesses to register can occur at the same time without a lock. +Add a lock into each callback to prevent the issue. + +And INTX mask and unmask fields in PCL_RCV_INTX register should only be +set/reset for each bit. Clearing by PCL_RCV_INTX_ALL_MASK should be +removed. + +INTX status fields in PCL_RCV_INTX register only indicates each INTX +interrupt status, so the handler can't clear by writing 1 to the field. +The status is expected to be cleared by the interrupt origin. +The ack function has no meaning, so should remove it. + +Suggested-by: Pali Rohár +Link: https://lore.kernel.org/r/1631924579-24567-1-git-send-email-hayashi.kunihiko@socionext.com +Fixes: 7e6d5cd88a6f ("PCI: uniphier: Add UniPhier PCIe host controller support") +Signed-off-by: Kunihiko Hayashi +Signed-off-by: Lorenzo Pieralisi +Acked-by: Pali Rohár +Acked-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + drivers/pci/controller/dwc/pcie-uniphier.c | 26 +++++++++------------- + 1 file changed, 10 insertions(+), 16 deletions(-) + +diff --git a/drivers/pci/controller/dwc/pcie-uniphier.c b/drivers/pci/controller/dwc/pcie-uniphier.c +index d842fd0181299..d05be942956e2 100644 +--- a/drivers/pci/controller/dwc/pcie-uniphier.c ++++ b/drivers/pci/controller/dwc/pcie-uniphier.c +@@ -168,30 +168,21 @@ static void uniphier_pcie_irq_enable(struct uniphier_pcie_priv *priv) + writel(PCL_RCV_INTX_ALL_ENABLE, priv->base + PCL_RCV_INTX); + } + +-static void uniphier_pcie_irq_ack(struct irq_data *d) +-{ +- struct pcie_port *pp = irq_data_get_irq_chip_data(d); +- struct dw_pcie *pci = to_dw_pcie_from_pp(pp); +- struct uniphier_pcie_priv *priv = to_uniphier_pcie(pci); +- u32 val; +- +- val = readl(priv->base + PCL_RCV_INTX); +- val &= ~PCL_RCV_INTX_ALL_STATUS; +- val |= BIT(irqd_to_hwirq(d) + PCL_RCV_INTX_STATUS_SHIFT); +- writel(val, priv->base + PCL_RCV_INTX); +-} +- + static void uniphier_pcie_irq_mask(struct irq_data *d) + { + struct pcie_port *pp = irq_data_get_irq_chip_data(d); + struct dw_pcie *pci = to_dw_pcie_from_pp(pp); + struct uniphier_pcie_priv *priv = to_uniphier_pcie(pci); ++ unsigned long flags; + u32 val; + ++ raw_spin_lock_irqsave(&pp->lock, flags); ++ + val = readl(priv->base + PCL_RCV_INTX); +- val &= ~PCL_RCV_INTX_ALL_MASK; + val |= BIT(irqd_to_hwirq(d) + PCL_RCV_INTX_MASK_SHIFT); + writel(val, priv->base + PCL_RCV_INTX); ++ ++ raw_spin_unlock_irqrestore(&pp->lock, flags); + } + + static void uniphier_pcie_irq_unmask(struct irq_data *d) +@@ -199,17 +190,20 @@ static void uniphier_pcie_irq_unmask(struct irq_data *d) + struct pcie_port *pp = irq_data_get_irq_chip_data(d); + struct dw_pcie *pci = to_dw_pcie_from_pp(pp); + struct uniphier_pcie_priv *priv = to_uniphier_pcie(pci); ++ unsigned long flags; + u32 val; + ++ raw_spin_lock_irqsave(&pp->lock, flags); ++ + val = readl(priv->base + PCL_RCV_INTX); +- val &= ~PCL_RCV_INTX_ALL_MASK; + val &= ~BIT(irqd_to_hwirq(d) + PCL_RCV_INTX_MASK_SHIFT); + writel(val, priv->base + PCL_RCV_INTX); ++ ++ raw_spin_unlock_irqrestore(&pp->lock, flags); + } + + static struct irq_chip uniphier_pcie_irq_chip = { + .name = "PCI", +- .irq_ack = uniphier_pcie_irq_ack, + .irq_mask = uniphier_pcie_irq_mask, + .irq_unmask = uniphier_pcie_irq_unmask, + }; +-- +2.33.0 + diff --git a/queue-5.15/perf-bpf-add-missing-free-to-bpf_event__print_bpf_pr.patch b/queue-5.15/perf-bpf-add-missing-free-to-bpf_event__print_bpf_pr.patch new file mode 100644 index 00000000000..8ed00e86186 --- /dev/null +++ b/queue-5.15/perf-bpf-add-missing-free-to-bpf_event__print_bpf_pr.patch @@ -0,0 +1,60 @@ +From 07f759d69190be136b1747d4c8e896149bdf07e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 22:37:33 -0700 +Subject: perf bpf: Add missing free to bpf_event__print_bpf_prog_info() + +From: Ian Rogers + +[ Upstream commit 88c42f4d6cb249eb68524282f8d4cc32f9059984 ] + +If btf__new() is called then there needs to be a corresponding btf__free(). + +Fixes: f8dfeae009effc0b ("perf bpf: Show more BPF program info in print_bpf_prog_info()") +Signed-off-by: Ian Rogers +Cc: Alexander Shishkin +Cc: Alexei Starovoitov +Cc: Andrii Nakryiko +Cc: Daniel Borkmann +Cc: Jiri Olsa +Cc: John Fastabend +Cc: KP Singh +Cc: Mark Rutland +Cc: Martin KaFai Lau +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Song Liu +Cc: Stephane Eranian +Cc: Tiezhu Yang +Cc: Yonghong Song +Cc: bpf@vger.kernel.org +Cc: netdev@vger.kernel.org +Link: http://lore.kernel.org/lkml/20211106053733.3580931-2-irogers@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/bpf-event.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c +index 1a7112a87736a..a410b3968b3af 100644 +--- a/tools/perf/util/bpf-event.c ++++ b/tools/perf/util/bpf-event.c +@@ -576,7 +576,7 @@ void bpf_event__print_bpf_prog_info(struct bpf_prog_info *info, + synthesize_bpf_prog_name(name, KSYM_NAME_LEN, info, btf, 0); + fprintf(fp, "# bpf_prog_info %u: %s addr 0x%llx size %u\n", + info->id, name, prog_addrs[0], prog_lens[0]); +- return; ++ goto out; + } + + fprintf(fp, "# bpf_prog_info %u:\n", info->id); +@@ -586,4 +586,6 @@ void bpf_event__print_bpf_prog_info(struct bpf_prog_info *info, + fprintf(fp, "# \tsub_prog %u: %s addr 0x%llx size %u\n", + i, name, prog_addrs[i], prog_lens[i]); + } ++out: ++ btf__free(btf); + } +-- +2.33.0 + diff --git a/queue-5.15/perf-x86-intel-fix-icl-spr-inst_retired.prec_dist-en.patch b/queue-5.15/perf-x86-intel-fix-icl-spr-inst_retired.prec_dist-en.patch new file mode 100644 index 00000000000..df1679c5917 --- /dev/null +++ b/queue-5.15/perf-x86-intel-fix-icl-spr-inst_retired.prec_dist-en.patch @@ -0,0 +1,80 @@ +From 8fc50dcf9cd93f417d27017377a8c62dda4bd92d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 17:12:14 -0700 +Subject: perf/x86/intel: Fix ICL/SPR INST_RETIRED.PREC_DIST encodings + +From: Stephane Eranian + +[ Upstream commit 2de71ee153efa93099d2ab864acffeec70a8dcd5 ] + +This patch fixes the encoding for INST_RETIRED.PREC_DIST as published by Intel +(download.01.org/perfmon/) for Icelake. The official encoding +is event code 0x00 umask 0x1, a change from Skylake where it was code 0xc0 +umask 0x1. + +With this patch applied it is possible to run: +$ perf record -a -e cpu/event=0x00,umask=0x1/pp ..... + +Whereas before this would fail. + +To avoid problems with tools which may use the old code, we maintain the old +encoding for Icelake. + +Signed-off-by: Stephane Eranian +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20211014001214.2680534-1-eranian@google.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/core.c | 5 +++-- + arch/x86/events/intel/ds.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c +index 9a044438072ba..bc3f97f834011 100644 +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -243,7 +243,8 @@ static struct extra_reg intel_skl_extra_regs[] __read_mostly = { + + static struct event_constraint intel_icl_event_constraints[] = { + FIXED_EVENT_CONSTRAINT(0x00c0, 0), /* INST_RETIRED.ANY */ +- FIXED_EVENT_CONSTRAINT(0x01c0, 0), /* INST_RETIRED.PREC_DIST */ ++ FIXED_EVENT_CONSTRAINT(0x01c0, 0), /* old INST_RETIRED.PREC_DIST */ ++ FIXED_EVENT_CONSTRAINT(0x0100, 0), /* INST_RETIRED.PREC_DIST */ + FIXED_EVENT_CONSTRAINT(0x003c, 1), /* CPU_CLK_UNHALTED.CORE */ + FIXED_EVENT_CONSTRAINT(0x0300, 2), /* CPU_CLK_UNHALTED.REF */ + FIXED_EVENT_CONSTRAINT(0x0400, 3), /* SLOTS */ +@@ -288,7 +289,7 @@ static struct extra_reg intel_spr_extra_regs[] __read_mostly = { + + static struct event_constraint intel_spr_event_constraints[] = { + FIXED_EVENT_CONSTRAINT(0x00c0, 0), /* INST_RETIRED.ANY */ +- FIXED_EVENT_CONSTRAINT(0x01c0, 0), /* INST_RETIRED.PREC_DIST */ ++ FIXED_EVENT_CONSTRAINT(0x0100, 0), /* INST_RETIRED.PREC_DIST */ + FIXED_EVENT_CONSTRAINT(0x003c, 1), /* CPU_CLK_UNHALTED.CORE */ + FIXED_EVENT_CONSTRAINT(0x0300, 2), /* CPU_CLK_UNHALTED.REF */ + FIXED_EVENT_CONSTRAINT(0x0400, 3), /* SLOTS */ +diff --git a/arch/x86/events/intel/ds.c b/arch/x86/events/intel/ds.c +index 8647713276a73..4dbb55a43dad2 100644 +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -923,7 +923,8 @@ struct event_constraint intel_skl_pebs_event_constraints[] = { + }; + + struct event_constraint intel_icl_pebs_event_constraints[] = { +- INTEL_FLAGS_UEVENT_CONSTRAINT(0x1c0, 0x100000000ULL), /* INST_RETIRED.PREC_DIST */ ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x01c0, 0x100000000ULL), /* old INST_RETIRED.PREC_DIST */ ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x0100, 0x100000000ULL), /* INST_RETIRED.PREC_DIST */ + INTEL_FLAGS_UEVENT_CONSTRAINT(0x0400, 0x800000000ULL), /* SLOTS */ + + INTEL_PLD_CONSTRAINT(0x1cd, 0xff), /* MEM_TRANS_RETIRED.LOAD_LATENCY */ +@@ -943,7 +944,7 @@ struct event_constraint intel_icl_pebs_event_constraints[] = { + }; + + struct event_constraint intel_spr_pebs_event_constraints[] = { +- INTEL_FLAGS_UEVENT_CONSTRAINT(0x1c0, 0x100000000ULL), ++ INTEL_FLAGS_UEVENT_CONSTRAINT(0x100, 0x100000000ULL), /* INST_RETIRED.PREC_DIST */ + INTEL_FLAGS_UEVENT_CONSTRAINT(0x0400, 0x800000000ULL), + + INTEL_FLAGS_EVENT_CONSTRAINT(0xc0, 0xfe), +-- +2.33.0 + diff --git a/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-cha-event-constr.patch b/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-cha-event-constr.patch new file mode 100644 index 00000000000..fbe2b129887 --- /dev/null +++ b/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-cha-event-constr.patch @@ -0,0 +1,37 @@ +From db751260d43f3e8251b15b1629e02dd09ddf5a40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 08:32:40 -0700 +Subject: perf/x86/intel/uncore: Fix Intel SPR CHA event constraints + +From: Kan Liang + +[ Upstream commit 9d756e408e080d40e7916484b00c802026e6d1ad ] + +SPR CHA events have the exact same event constraints as SKX, so add the +constraints. + +Fixes: 949b11381f81 ("perf/x86/intel/uncore: Add Sapphire Rapids server CHA support") +Reported-by: Stephane Eranian +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/1629991963-102621-5-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snbep.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index d941854e4efaa..ce85ee5f60f97 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -5649,6 +5649,7 @@ static struct intel_uncore_type spr_uncore_chabox = { + .event_mask = SPR_CHA_PMON_EVENT_MASK, + .event_mask_ext = SPR_RAW_EVENT_MASK_EXT, + .num_shared_regs = 1, ++ .constraints = skx_uncore_chabox_constraints, + .ops = &spr_uncore_chabox_ops, + .format_group = &spr_uncore_chabox_format_group, + .attr_update = uncore_alias_groups, +-- +2.33.0 + diff --git a/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-iio-event-constr.patch b/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-iio-event-constr.patch new file mode 100644 index 00000000000..88eacf49be8 --- /dev/null +++ b/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-iio-event-constr.patch @@ -0,0 +1,36 @@ +From 7c76b88f58ba7ff6aef0a7a42eb81f83c6b1c310 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 08:32:41 -0700 +Subject: perf/x86/intel/uncore: Fix Intel SPR IIO event constraints + +From: Kan Liang + +[ Upstream commit 67c5d44384f8dc57e1c1b3040423cfce99b578cd ] + +SPR IIO events have the exact same event constraints as ICX, so add the +constraints. + +Fixes: 3ba7095beaec ("perf/x86/intel/uncore: Add Sapphire Rapids server IIO support") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/1629991963-102621-6-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snbep.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index ce85ee5f60f97..2d75d212c8cc4 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -5661,6 +5661,7 @@ static struct intel_uncore_type spr_uncore_iio = { + .event_mask_ext = SNR_IIO_PMON_RAW_EVENT_MASK_EXT, + .format_group = &snr_uncore_iio_format_group, + .attr_update = uncore_alias_groups, ++ .constraints = icx_uncore_iio_constraints, + }; + + static struct attribute *spr_uncore_raw_formats_attr[] = { +-- +2.33.0 + diff --git a/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-m2pcie-event-con.patch b/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-m2pcie-event-con.patch new file mode 100644 index 00000000000..3d70d7f0e75 --- /dev/null +++ b/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-m2pcie-event-con.patch @@ -0,0 +1,45 @@ +From f80a425fdcd714aec707d39b2f6988af260980ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 08:32:42 -0700 +Subject: perf/x86/intel/uncore: Fix Intel SPR M2PCIE event constraints + +From: Kan Liang + +[ Upstream commit f01d7d558e1855d4aa8e927b86111846536dd476 ] + +Similar to the ICX M2PCIE events, some of the SPR M2PCIE events also +have constraints. Add the constraints for SPR M2PCIE. + +Fixes: f85ef898f884 ("perf/x86/intel/uncore: Add Sapphire Rapids server M2PCIe support") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/1629991963-102621-7-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snbep.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index 2d75d212c8cc4..cd53057fd52de 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -5690,9 +5690,16 @@ static struct intel_uncore_type spr_uncore_irp = { + + }; + ++static struct event_constraint spr_uncore_m2pcie_constraints[] = { ++ UNCORE_EVENT_CONSTRAINT(0x14, 0x3), ++ UNCORE_EVENT_CONSTRAINT(0x2d, 0x3), ++ EVENT_CONSTRAINT_END ++}; ++ + static struct intel_uncore_type spr_uncore_m2pcie = { + SPR_UNCORE_COMMON_FORMAT(), + .name = "m2pcie", ++ .constraints = spr_uncore_m2pcie_constraints, + }; + + static struct intel_uncore_type spr_uncore_pcu = { +-- +2.33.0 + diff --git a/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-m3upi-event-cons.patch b/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-m3upi-event-cons.patch new file mode 100644 index 00000000000..be8a8079067 --- /dev/null +++ b/queue-5.15/perf-x86-intel-uncore-fix-intel-spr-m3upi-event-cons.patch @@ -0,0 +1,36 @@ +From 601aae3fb1e5eba5fcce6a83d0eb6519216daf42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Aug 2021 08:32:43 -0700 +Subject: perf/x86/intel/uncore: Fix Intel SPR M3UPI event constraints + +From: Kan Liang + +[ Upstream commit 4034fb207e302cc0b1f304084d379640c1fb1436 ] + +SPR M3UPI have the exact same event constraints as ICX, so add the +constraints. + +Fixes: 2a8e51eae7c8 ("perf/x86/intel/uncore: Add Sapphire Rapids server M3UPI support") +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/1629991963-102621-8-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Sasha Levin +--- + arch/x86/events/intel/uncore_snbep.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c +index cd53057fd52de..eb2c6cea9d0d5 100644 +--- a/arch/x86/events/intel/uncore_snbep.c ++++ b/arch/x86/events/intel/uncore_snbep.c +@@ -5776,6 +5776,7 @@ static struct intel_uncore_type spr_uncore_upi = { + static struct intel_uncore_type spr_uncore_m3upi = { + SPR_UNCORE_PCI_COMMON_FORMAT(), + .name = "m3upi", ++ .constraints = icx_uncore_m3upi_constraints, + }; + + static struct intel_uncore_type spr_uncore_mdf = { +-- +2.33.0 + diff --git a/queue-5.15/phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch b/queue-5.15/phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch new file mode 100644 index 00000000000..938e95e62b3 --- /dev/null +++ b/queue-5.15/phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch @@ -0,0 +1,57 @@ +From ce7cbb01ef47da8f7299d867d808fb7ef8863578 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 21:16:47 +0200 +Subject: phy: micrel: ksz8041nl: do not use power down mode + +From: Stefan Agner + +[ Upstream commit 2641b62d2fab52648e34cdc6994b2eacde2d27c1 ] + +Some Micrel KSZ8041NL PHY chips exhibit continuous RX errors after using +the power down mode bit (0.11). If the PHY is taken out of power down +mode in a certain temperature range, the PHY enters a weird state which +leads to continuously reporting RX errors. In that state, the MAC is not +able to receive or send any Ethernet frames and the activity LED is +constantly blinking. Since Linux is using the suspend callback when the +interface is taken down, ending up in that state can easily happen +during a normal startup. + +Micrel confirmed the issue in errata DS80000700A [*], caused by abnormal +clock recovery when using power down mode. Even the latest revision (A4, +Revision ID 0x1513) seems to suffer that problem, and according to the +errata is not going to be fixed. + +Remove the suspend/resume callback to avoid using the power down mode +completely. + +[*] https://ww1.microchip.com/downloads/en/DeviceDoc/80000700A.pdf + +Fixes: 1a5465f5d6a2 ("phy/micrel: Add suspend/resume support to Micrel PHYs") +Signed-off-by: Stefan Agner +Acked-by: Marcel Ziswiler +Signed-off-by: Francesco Dolcini +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/micrel.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c +index 643b1c1827a92..aec0fcefdccd6 100644 +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -1593,8 +1593,9 @@ static struct phy_driver ksphy_driver[] = { + .get_sset_count = kszphy_get_sset_count, + .get_strings = kszphy_get_strings, + .get_stats = kszphy_get_stats, +- .suspend = genphy_suspend, +- .resume = genphy_resume, ++ /* No suspend/resume callbacks because of errata DS80000700A, ++ * receiver error following software power down. ++ */ + }, { + .phy_id = PHY_ID_KSZ8041RNLI, + .phy_id_mask = MICREL_PHY_ID_MASK, +-- +2.33.0 + diff --git a/queue-5.15/phy-qcom-qmp-another-fix-for-the-sc8180x-pcie-defini.patch b/queue-5.15/phy-qcom-qmp-another-fix-for-the-sc8180x-pcie-defini.patch new file mode 100644 index 00000000000..f7f23cb206d --- /dev/null +++ b/queue-5.15/phy-qcom-qmp-another-fix-for-the-sc8180x-pcie-defini.patch @@ -0,0 +1,43 @@ +From 8bdc11637a781edea594c5cea07915ef4fb5ae16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 18:56:04 +0300 +Subject: phy: qcom-qmp: another fix for the sc8180x PCIe definition + +From: Dmitry Baryshkov + +[ Upstream commit 26f71abef580537d978f6299330689f029ee1e6c ] + +Commit f839f14e24f2 ("phy: qcom-qmp: Add sc8180x PCIe support") added +SC8180X PCIe tables, but used sm8250_qmp_pcie_serdes_tbl as a serdes +table because of the copy paste error. Commit bfccd9a71a08 ("phy: +qcom-qmp: Fix sc8180x PCIe definition") corrected part of this mistake +by pointing serdes_tbl to sc8180x_qmp_pcie_serdes_tbl, however the +serdes_tbl_num field was not updated to use sc8180x table. So let's now +fix the serdes_tbl_num field too. + +Fixes: bfccd9a71a08 ("phy: qcom-qmp: Fix sc8180x PCIe definition") +Signed-off-by: Dmitry Baryshkov +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211020155604.1374530-1-dmitry.baryshkov@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qmp.c b/drivers/phy/qualcomm/phy-qcom-qmp.c +index f14032170b1c1..06b04606dd7ea 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qmp.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp.c +@@ -3632,7 +3632,7 @@ static const struct qmp_phy_cfg sc8180x_pciephy_cfg = { + .nlanes = 1, + + .serdes_tbl = sc8180x_qmp_pcie_serdes_tbl, +- .serdes_tbl_num = ARRAY_SIZE(sm8250_qmp_pcie_serdes_tbl), ++ .serdes_tbl_num = ARRAY_SIZE(sc8180x_qmp_pcie_serdes_tbl), + .tx_tbl = sc8180x_qmp_pcie_tx_tbl, + .tx_tbl_num = ARRAY_SIZE(sc8180x_qmp_pcie_tx_tbl), + .rx_tbl = sc8180x_qmp_pcie_rx_tbl, +-- +2.33.0 + diff --git a/queue-5.15/phy-qcom-qusb2-fix-a-memory-leak-on-probe.patch b/queue-5.15/phy-qcom-qusb2-fix-a-memory-leak-on-probe.patch new file mode 100644 index 00000000000..cbce9965c01 --- /dev/null +++ b/queue-5.15/phy-qcom-qusb2-fix-a-memory-leak-on-probe.patch @@ -0,0 +1,94 @@ +From 7e14adb680cf28a5b5a5b9fa08e1caed6932c3d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 02:35:48 +0300 +Subject: phy: qcom-qusb2: Fix a memory leak on probe + +From: Vladimir Zapolskiy + +[ Upstream commit bf7ffcd0069d30e2e7ba2b827f08c89f471cd1f3 ] + +On success nvmem_cell_read() returns a pointer to a dynamically allocated +buffer, and therefore it shall be freed after usage. + +The issue is reported by kmemleak: + + # cat /sys/kernel/debug/kmemleak + unreferenced object 0xffff3b3803e4b280 (size 128): + comm "kworker/u16:1", pid 107, jiffies 4294892861 (age 94.120s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000007739afdc>] __kmalloc+0x27c/0x41c + [<0000000071c0fbf8>] nvmem_cell_read+0x40/0xe0 + [<00000000e803ef1f>] qusb2_phy_init+0x258/0x5bc + [<00000000fc81fcfa>] phy_init+0x70/0x110 + [<00000000e3d48a57>] dwc3_core_soft_reset+0x4c/0x234 + [<0000000027d1dbd4>] dwc3_core_init+0x68/0x990 + [<000000001965faf9>] dwc3_probe+0x4f4/0x730 + [<000000002f7617ca>] platform_probe+0x74/0xf0 + [<00000000a2576cac>] really_probe+0xc4/0x470 + [<00000000bc77f2c5>] __driver_probe_device+0x11c/0x190 + [<00000000130db71f>] driver_probe_device+0x48/0x110 + [<0000000019f36c2b>] __device_attach_driver+0xa4/0x140 + [<00000000e5812ff7>] bus_for_each_drv+0x84/0xe0 + [<00000000f4bac574>] __device_attach+0xe4/0x1c0 + [<00000000d3beb631>] device_initial_probe+0x20/0x30 + [<000000008019b9db>] bus_probe_device+0xa4/0xb0 + +Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20210922233548.2150244-1-vladimir.zapolskiy@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c +index 3c1d3b71c825b..f1d97fbd13318 100644 +--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c +@@ -561,7 +561,7 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) + { + struct device *dev = &qphy->phy->dev; + const struct qusb2_phy_cfg *cfg = qphy->cfg; +- u8 *val; ++ u8 *val, hstx_trim; + + /* efuse register is optional */ + if (!qphy->cell) +@@ -575,7 +575,13 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) + * set while configuring the phy. + */ + val = nvmem_cell_read(qphy->cell, NULL); +- if (IS_ERR(val) || !val[0]) { ++ if (IS_ERR(val)) { ++ dev_dbg(dev, "failed to read a valid hs-tx trim value\n"); ++ return; ++ } ++ hstx_trim = val[0]; ++ kfree(val); ++ if (!hstx_trim) { + dev_dbg(dev, "failed to read a valid hs-tx trim value\n"); + return; + } +@@ -583,12 +589,10 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) + /* Fused TUNE1/2 value is the higher nibble only */ + if (cfg->update_tune1_with_efuse) + qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE1], +- val[0] << HSTX_TRIM_SHIFT, +- HSTX_TRIM_MASK); ++ hstx_trim << HSTX_TRIM_SHIFT, HSTX_TRIM_MASK); + else + qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2], +- val[0] << HSTX_TRIM_SHIFT, +- HSTX_TRIM_MASK); ++ hstx_trim << HSTX_TRIM_SHIFT, HSTX_TRIM_MASK); + } + + static int qusb2_phy_set_mode(struct phy *phy, +-- +2.33.0 + diff --git a/queue-5.15/phy-qcom-snps-correct-the-fsel_mask.patch b/queue-5.15/phy-qcom-snps-correct-the-fsel_mask.patch new file mode 100644 index 00000000000..b34cb233f54 --- /dev/null +++ b/queue-5.15/phy-qcom-snps-correct-the-fsel_mask.patch @@ -0,0 +1,40 @@ +From 27e183e5369d3560cb6a6d95bff952b72d4b2c7b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 09:49:35 +0530 +Subject: phy: qcom-snps: Correct the FSEL_MASK + +From: Sandeep Maheswaram + +[ Upstream commit b475bf0ec40a2b13fb32ef62f5706576d5858460 ] + +The FSEL_MASK which selects the refclock is defined incorrectly. +It should be [4:6] not [5:7]. Due to this incorrect definition, the BIT(7) +in USB2_PHY_USB_PHY_HS_PHY_CTRL_COMMON0 is reset which keeps PHY analog +blocks ON during suspend. +Fix this issue by correctly defining the FSEL_MASK. + +Fixes: 51e8114f80d0 ("phy: qcom-snps: Add SNPS USB PHY driver for QCOM based SOCs") +Signed-off-by: Sandeep Maheswaram +Link: https://lore.kernel.org/r/1635135575-5668-1-git-send-email-quic_c_sanm@quicinc.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c b/drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c +index ae4bac024c7b1..7e61202aa234e 100644 +--- a/drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c ++++ b/drivers/phy/qualcomm/phy-qcom-snps-femto-v2.c +@@ -33,7 +33,7 @@ + + #define USB2_PHY_USB_PHY_HS_PHY_CTRL_COMMON0 (0x54) + #define RETENABLEN BIT(3) +-#define FSEL_MASK GENMASK(7, 5) ++#define FSEL_MASK GENMASK(6, 4) + #define FSEL_DEFAULT (0x3 << 4) + + #define USB2_PHY_USB_PHY_HS_PHY_CTRL_COMMON1 (0x58) +-- +2.33.0 + diff --git a/queue-5.15/phy-sparx5-eth-serdes-fix-return-value-check-in-spar.patch b/queue-5.15/phy-sparx5-eth-serdes-fix-return-value-check-in-spar.patch new file mode 100644 index 00000000000..1717ba1e322 --- /dev/null +++ b/queue-5.15/phy-sparx5-eth-serdes-fix-return-value-check-in-spar.patch @@ -0,0 +1,44 @@ +From 3ed941cd9c0df560aaf27c6b398629640b380394 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 15:21:49 +0800 +Subject: phy: Sparx5 Eth SerDes: Fix return value check in + sparx5_serdes_probe() + +From: Yang Yingliang + +[ Upstream commit b4dc97ab0a629eda8bda20d96ef47dac08a505d9 ] + +In case of error, the function devm_ioremap() returns NULL +pointer not ERR_PTR(). The IS_ERR() test in the return value +check should be replaced with NULL test. + +Fixes: 2ff8a1eeb5aa ("phy: Add Sparx5 ethernet serdes PHY driver") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20210909072149.2934047-1-yangyingliang@huawei.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/microchip/sparx5_serdes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/phy/microchip/sparx5_serdes.c b/drivers/phy/microchip/sparx5_serdes.c +index 4076580fc2cd9..ab1b0986aa671 100644 +--- a/drivers/phy/microchip/sparx5_serdes.c ++++ b/drivers/phy/microchip/sparx5_serdes.c +@@ -2475,10 +2475,10 @@ static int sparx5_serdes_probe(struct platform_device *pdev) + return -EINVAL; + } + iomem = devm_ioremap(priv->dev, iores->start, resource_size(iores)); +- if (IS_ERR(iomem)) { ++ if (!iomem) { + dev_err(priv->dev, "Unable to get serdes registers: %s\n", + iores->name); +- return PTR_ERR(iomem); ++ return -ENOMEM; + } + for (idx = 0; idx < ARRAY_SIZE(sparx5_serdes_iomap); idx++) { + struct sparx5_serdes_io_resource *iomap = &sparx5_serdes_iomap[idx]; +-- +2.33.0 + diff --git a/queue-5.15/phy-ti-gmii-sel-check-of_get_address-for-failure.patch b/queue-5.15/phy-ti-gmii-sel-check-of_get_address-for-failure.patch new file mode 100644 index 00000000000..0ce9db57a18 --- /dev/null +++ b/queue-5.15/phy-ti-gmii-sel-check-of_get_address-for-failure.patch @@ -0,0 +1,38 @@ +From 2c743d5b02bde6b9efb13c15961772562bc6334c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 14:00:38 +0300 +Subject: phy: ti: gmii-sel: check of_get_address() for failure + +From: Dan Carpenter + +[ Upstream commit 8d55027f4e2c04146a75fb63371ab96ccc887f2c ] + +Smatch complains that if of_get_address() returns NULL, then "size" +isn't initialized. Also it would lead to an Oops. + +Fixes: 7f78322cdd67 ("phy: ti: gmii-sel: retrieve ports number and base offset from dt") +Signed-off-by: Dan Carpenter +Reviewed-by: Grygorii Strashko +Link: https://lore.kernel.org/r/20210914110038.GB11657@kili +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/ti/phy-gmii-sel.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/phy/ti/phy-gmii-sel.c b/drivers/phy/ti/phy-gmii-sel.c +index 5fd2e8a08bfcf..d0ab69750c6b4 100644 +--- a/drivers/phy/ti/phy-gmii-sel.c ++++ b/drivers/phy/ti/phy-gmii-sel.c +@@ -320,6 +320,8 @@ static int phy_gmii_sel_init_ports(struct phy_gmii_sel_priv *priv) + u64 size; + + offset = of_get_address(dev->of_node, 0, &size, NULL); ++ if (!offset) ++ return -EINVAL; + priv->num_ports = size / sizeof(u32); + if (!priv->num_ports) + return -EINVAL; +-- +2.33.0 + diff --git a/queue-5.15/pinctrl-equilibrium-fix-function-addition-in-multipl.patch b/queue-5.15/pinctrl-equilibrium-fix-function-addition-in-multipl.patch new file mode 100644 index 00000000000..586a0c98be8 --- /dev/null +++ b/queue-5.15/pinctrl-equilibrium-fix-function-addition-in-multipl.patch @@ -0,0 +1,49 @@ +From 0c9216b50299cd19a2663b5bf297a0315a4c0788 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 17:38:15 +0800 +Subject: pinctrl: equilibrium: Fix function addition in multiple groups + +From: Rahul Tanwar + +[ Upstream commit 53b3947ddb7f309d1f611f8dc9bfd6ea9d699907 ] + +Ignore the same function with multiple groups. +Fix a typo in error print. + +Fixes: 1948d5c51dba ("pinctrl: Add pinmux & GPIO controller driver for a new SoC") +Signed-off-by: Rahul Tanwar +Link: https://lore.kernel.org/r/20211020093815.20870-1-rtanwar@maxlinear.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-equilibrium.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-equilibrium.c b/drivers/pinctrl/pinctrl-equilibrium.c +index fb713f9c53d0e..3f0143087cc77 100644 +--- a/drivers/pinctrl/pinctrl-equilibrium.c ++++ b/drivers/pinctrl/pinctrl-equilibrium.c +@@ -675,6 +675,11 @@ static int eqbr_build_functions(struct eqbr_pinctrl_drv_data *drvdata) + return ret; + + for (i = 0; i < nr_funcs; i++) { ++ ++ /* Ignore the same function with multiple groups */ ++ if (funcs[i].name == NULL) ++ continue; ++ + ret = pinmux_generic_add_function(drvdata->pctl_dev, + funcs[i].name, + funcs[i].groups, +@@ -815,7 +820,7 @@ static int pinctrl_reg(struct eqbr_pinctrl_drv_data *drvdata) + + ret = eqbr_build_functions(drvdata); + if (ret) { +- dev_err(dev, "Failed to build groups\n"); ++ dev_err(dev, "Failed to build functions\n"); + return ret; + } + +-- +2.33.0 + diff --git a/queue-5.15/pinctrl-renesas-checker-fix-off-by-one-bug-in-drive-.patch b/queue-5.15/pinctrl-renesas-checker-fix-off-by-one-bug-in-drive-.patch new file mode 100644 index 00000000000..ad59e85bece --- /dev/null +++ b/queue-5.15/pinctrl-renesas-checker-fix-off-by-one-bug-in-drive-.patch @@ -0,0 +1,39 @@ +From e9c2501d709309dfac331cdeabc54d39ad72421c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 16:38:47 +0200 +Subject: pinctrl: renesas: checker: Fix off-by-one bug in drive register check + +From: Geert Uytterhoeven + +[ Upstream commit 28e7f8ff90583791a034d43b5d2e3fe394142e13 ] + +The GENMASK(h, l) macro creates a contiguous bitmask starting at bit +position @l and ending at position @h, inclusive. + +This did not trigger any error checks, as the individual register fields +cover at most 3 of the 4 available bits. + +Fixes: 08df16e07ad0a1ec ("pinctrl: sh-pfc: checker: Add drive strength register checks") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/8f82d6147fbe3367d4c83962480e97f58d9c96a2.1633615652.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/renesas/core.c b/drivers/pinctrl/renesas/core.c +index f2ab02225837e..f29130957e49a 100644 +--- a/drivers/pinctrl/renesas/core.c ++++ b/drivers/pinctrl/renesas/core.c +@@ -890,7 +890,7 @@ static void __init sh_pfc_check_drive_reg(const struct sh_pfc_soc_info *info, + if (!field->pin && !field->offset && !field->size) + continue; + +- mask = GENMASK(field->offset + field->size, field->offset); ++ mask = GENMASK(field->offset + field->size - 1, field->offset); + if (mask & seen) + sh_pfc_err("drive_reg 0x%x: field %u overlap\n", + drive->reg, i); +-- +2.33.0 + diff --git a/queue-5.15/pinctrl-renesas-rzg2l-fix-missing-port-register-21h.patch b/queue-5.15/pinctrl-renesas-rzg2l-fix-missing-port-register-21h.patch new file mode 100644 index 00000000000..8df8a88fa8d --- /dev/null +++ b/queue-5.15/pinctrl-renesas-rzg2l-fix-missing-port-register-21h.patch @@ -0,0 +1,37 @@ +From 35ed953e727e2a38b57d4323c930943a3218e6e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Sep 2021 08:41:40 +0100 +Subject: pinctrl: renesas: rzg2l: Fix missing port register 21h + +From: Biju Das + +[ Upstream commit fcfb63148c241adad54ed99fc318167176d7254b ] + +Remove the duplicate port register 22h and replace it with missing port +register 21h. + +Signed-off-by: Biju Das +Link: https://lore.kernel.org/r/20210922074140.22178-1-biju.das.jz@bp.renesas.com +Fixes: c4c4637eb57f2a25 ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/renesas/pinctrl-rzg2l.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/renesas/pinctrl-rzg2l.c b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +index dbf2f521bb272..20b2af889ca96 100644 +--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c ++++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c +@@ -852,7 +852,7 @@ static const u32 rzg2l_gpio_configs[] = { + RZG2L_GPIO_PORT_PACK(2, 0x1e, RZG2L_MPXED_PIN_FUNCS), + RZG2L_GPIO_PORT_PACK(2, 0x1f, RZG2L_MPXED_PIN_FUNCS), + RZG2L_GPIO_PORT_PACK(2, 0x20, RZG2L_MPXED_PIN_FUNCS), +- RZG2L_GPIO_PORT_PACK(3, 0x22, RZG2L_MPXED_PIN_FUNCS), ++ RZG2L_GPIO_PORT_PACK(3, 0x21, RZG2L_MPXED_PIN_FUNCS), + RZG2L_GPIO_PORT_PACK(2, 0x22, RZG2L_MPXED_PIN_FUNCS), + RZG2L_GPIO_PORT_PACK(2, 0x23, RZG2L_MPXED_PIN_FUNCS), + RZG2L_GPIO_PORT_PACK(3, 0x24, RZG2L_MPXED_ETH_PIN_FUNCS(PIN_CFG_IOLH_ETH0)), +-- +2.33.0 + diff --git a/queue-5.15/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch b/queue-5.15/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch new file mode 100644 index 00000000000..53b721278e8 --- /dev/null +++ b/queue-5.15/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch @@ -0,0 +1,50 @@ +From 6b5793f6f22d246d4052220ef1dbb08c96735eea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 11:25:37 -0700 +Subject: platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning + +From: Nathan Chancellor + +[ Upstream commit fd96e35ea7b95f1e216277805be89d66e4ae962d ] + +A new warning in clang points out a use of bitwise OR with boolean +expressions in this driver: + +drivers/platform/x86/thinkpad_acpi.c:9061:11: error: use of bitwise '|' with boolean operands [-Werror,-Wbitwise-instead-of-logical] + else if ((strlencmp(cmd, "level disengaged") == 0) | + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + || +drivers/platform/x86/thinkpad_acpi.c:9061:11: note: cast one or both operands to int to silence this warning +1 error generated. + +This should clearly be a logical OR so change it to fix the warning. + +Fixes: fe98a52ce754 ("ACPI: thinkpad-acpi: add sysfs support to fan subdriver") +Link: https://github.com/ClangBuiltLinux/linux/issues/1476 +Reported-by: Tor Vic +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Link: https://lore.kernel.org/r/20211018182537.2316800-1-nathan@kernel.org +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 50ff04c84650c..27595aba214d9 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -9145,7 +9145,7 @@ static int fan_write_cmd_level(const char *cmd, int *rc) + + if (strlencmp(cmd, "level auto") == 0) + level = TP_EC_FAN_AUTO; +- else if ((strlencmp(cmd, "level disengaged") == 0) | ++ else if ((strlencmp(cmd, "level disengaged") == 0) || + (strlencmp(cmd, "level full-speed") == 0)) + level = TP_EC_FAN_FULLSPEED; + else if (sscanf(cmd, "level %d", &level) != 1) +-- +2.33.0 + diff --git a/queue-5.15/platform-x86-wmi-do-not-fail-if-disabling-fails.patch b/queue-5.15/platform-x86-wmi-do-not-fail-if-disabling-fails.patch new file mode 100644 index 00000000000..b3a1b456b6f --- /dev/null +++ b/queue-5.15/platform-x86-wmi-do-not-fail-if-disabling-fails.patch @@ -0,0 +1,52 @@ +From db9f7820bf552e0ded42618a21d6ebbb87ed61a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:56:26 +0000 +Subject: platform/x86: wmi: do not fail if disabling fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 1975718c488a39128f1f515b23ae61a5a214cc3d ] + +Previously, `__query_block()` would fail if the +second WCxx method call failed. However, the +WQxx method might have succeeded, and potentially +allocated memory for the result. Instead of +throwing away the result and potentially +leaking memory, ignore the result of +the second WCxx call. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-25-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index a76313006bdc4..1b65bb61ce888 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -353,7 +353,14 @@ static acpi_status __query_block(struct wmi_block *wblock, u8 instance, + * the WQxx method failed - we should disable collection anyway. + */ + if ((block->flags & ACPI_WMI_EXPENSIVE) && ACPI_SUCCESS(wc_status)) { +- status = acpi_execute_simple_method(handle, wc_method, 0); ++ /* ++ * Ignore whether this WCxx call succeeds or not since ++ * the previously executed WQxx method call might have ++ * succeeded, and returning the failing status code ++ * of this call would throw away the result of the WQxx ++ * call, potentially leaking memory. ++ */ ++ acpi_execute_simple_method(handle, wc_method, 0); + } + + return status; +-- +2.33.0 + diff --git a/queue-5.15/pm-em-fix-inefficient-states-detection.patch b/queue-5.15/pm-em-fix-inefficient-states-detection.patch new file mode 100644 index 00000000000..ff133f1d62a --- /dev/null +++ b/queue-5.15/pm-em-fix-inefficient-states-detection.patch @@ -0,0 +1,77 @@ +From 6861f4b5ac4d905b45ba56dee1ac3ea5a774c373 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 15:05:22 +0100 +Subject: PM: EM: Fix inefficient states detection + +From: Vincent Donnefort + +[ Upstream commit aa1a43262ad5df010768f69530fa179ff81651d3 ] + +Currently, a debug message is printed if an inefficient state is detected +in the Energy Model. Unfortunately, it won't detect if the first state is +inefficient or if two successive states are. Fix this behavior. + +Fixes: 27871f7a8a34 (PM: Introduce an Energy Model management framework) +Signed-off-by: Vincent Donnefort +Reviewed-by: Quentin Perret +Reviewed-by: Lukasz Luba +Reviewed-by: Matthias Kaehlcke +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/energy_model.c | 23 ++++++++--------------- + 1 file changed, 8 insertions(+), 15 deletions(-) + +diff --git a/kernel/power/energy_model.c b/kernel/power/energy_model.c +index a332ccd829e24..97e62469a6b32 100644 +--- a/kernel/power/energy_model.c ++++ b/kernel/power/energy_model.c +@@ -107,8 +107,7 @@ static void em_debug_remove_pd(struct device *dev) {} + static int em_create_perf_table(struct device *dev, struct em_perf_domain *pd, + int nr_states, struct em_data_callback *cb) + { +- unsigned long opp_eff, prev_opp_eff = ULONG_MAX; +- unsigned long power, freq, prev_freq = 0; ++ unsigned long power, freq, prev_freq = 0, prev_cost = ULONG_MAX; + struct em_perf_state *table; + int i, ret; + u64 fmax; +@@ -153,27 +152,21 @@ static int em_create_perf_table(struct device *dev, struct em_perf_domain *pd, + + table[i].power = power; + table[i].frequency = prev_freq = freq; +- +- /* +- * The hertz/watts efficiency ratio should decrease as the +- * frequency grows on sane platforms. But this isn't always +- * true in practice so warn the user if a higher OPP is more +- * power efficient than a lower one. +- */ +- opp_eff = freq / power; +- if (opp_eff >= prev_opp_eff) +- dev_dbg(dev, "EM: hertz/watts ratio non-monotonically decreasing: em_perf_state %d >= em_perf_state%d\n", +- i, i - 1); +- prev_opp_eff = opp_eff; + } + + /* Compute the cost of each performance state. */ + fmax = (u64) table[nr_states - 1].frequency; +- for (i = 0; i < nr_states; i++) { ++ for (i = nr_states - 1; i >= 0; i--) { + unsigned long power_res = em_scale_power(table[i].power); + + table[i].cost = div64_u64(fmax * power_res, + table[i].frequency); ++ if (table[i].cost >= prev_cost) { ++ dev_dbg(dev, "EM: OPP:%lu is inefficient\n", ++ table[i].frequency); ++ } else { ++ prev_cost = table[i].cost; ++ } + } + + pd->table = table; +-- +2.33.0 + diff --git a/queue-5.15/pm-hibernate-fix-sparse-warnings.patch b/queue-5.15/pm-hibernate-fix-sparse-warnings.patch new file mode 100644 index 00000000000..8de281f3086 --- /dev/null +++ b/queue-5.15/pm-hibernate-fix-sparse-warnings.patch @@ -0,0 +1,52 @@ +From 18f202a6c9a323576ba3176ecfffc228ea726518 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 21:13:37 +0200 +Subject: PM: hibernate: fix sparse warnings + +From: Anders Roxell + +[ Upstream commit 01de5fcd8b1ac0ca28d2bb0921226a54fdd62684 ] + +When building the kernel with sparse enabled 'C=1' the following +warnings shows up: + +kernel/power/swap.c:390:29: warning: incorrect type in assignment (different base types) +kernel/power/swap.c:390:29: expected int ret +kernel/power/swap.c:390:29: got restricted blk_status_t + +This is due to function hib_wait_io() returns a 'blk_status_t' which is +a bitwise u8. Commit 5416da01ff6e ("PM: hibernate: Remove +blk_status_to_errno in hib_wait_io") seemed to have mixed up the return +type. However, the 4e4cbee93d56 ("block: switch bios to blk_status_t") +actually broke the behaviour by returning the wrong type. + +Rework so function hib_wait_io() returns a 'int' instead of +'blk_status_t' and make sure to call function +blk_status_to_errno(hb->error)' when returning from function +hib_wait_io() a int gets returned. + +Fixes: 4e4cbee93d56 ("block: switch bios to blk_status_t") +Fixes: 5416da01ff6e ("PM: hibernate: Remove blk_status_to_errno in hib_wait_io") +Signed-off-by: Anders Roxell +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/swap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/power/swap.c b/kernel/power/swap.c +index 0aabc94125d6b..f3a1086f7cdb2 100644 +--- a/kernel/power/swap.c ++++ b/kernel/power/swap.c +@@ -299,7 +299,7 @@ static int hib_submit_io(int op, int op_flags, pgoff_t page_off, void *addr, + return error; + } + +-static blk_status_t hib_wait_io(struct hib_bio_batch *hb) ++static int hib_wait_io(struct hib_bio_batch *hb) + { + /* + * We are relying on the behavior of blk_plug that a thread with +-- +2.33.0 + diff --git a/queue-5.15/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch b/queue-5.15/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch new file mode 100644 index 00000000000..77bfd8db809 --- /dev/null +++ b/queue-5.15/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch @@ -0,0 +1,100 @@ +From 3655ccbf906d70845222b02fdea72c4d833473bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 20:19:14 +0800 +Subject: PM: hibernate: Get block device exclusively in swsusp_check() + +From: Ye Bin + +[ Upstream commit 39fbef4b0f77f9c89c8f014749ca533643a37c9f ] + +The following kernel crash can be triggered: + +[ 89.266592] ------------[ cut here ]------------ +[ 89.267427] kernel BUG at fs/buffer.c:3020! +[ 89.268264] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 89.269116] CPU: 7 PID: 1750 Comm: kmmpd-loop0 Not tainted 5.10.0-862.14.0.6.x86_64-08610-gc932cda3cef4-dirty #20 +[ 89.273169] RIP: 0010:submit_bh_wbc.isra.0+0x538/0x6d0 +[ 89.277157] RSP: 0018:ffff888105ddfd08 EFLAGS: 00010246 +[ 89.278093] RAX: 0000000000000005 RBX: ffff888124231498 RCX: ffffffffb2772612 +[ 89.279332] RDX: 1ffff11024846293 RSI: 0000000000000008 RDI: ffff888124231498 +[ 89.280591] RBP: ffff8881248cc000 R08: 0000000000000001 R09: ffffed1024846294 +[ 89.281851] R10: ffff88812423149f R11: ffffed1024846293 R12: 0000000000003800 +[ 89.283095] R13: 0000000000000001 R14: 0000000000000000 R15: ffff8881161f7000 +[ 89.284342] FS: 0000000000000000(0000) GS:ffff88839b5c0000(0000) knlGS:0000000000000000 +[ 89.285711] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 89.286701] CR2: 00007f166ebc01a0 CR3: 0000000435c0e000 CR4: 00000000000006e0 +[ 89.287919] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 89.289138] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 89.290368] Call Trace: +[ 89.290842] write_mmp_block+0x2ca/0x510 +[ 89.292218] kmmpd+0x433/0x9a0 +[ 89.294902] kthread+0x2dd/0x3e0 +[ 89.296268] ret_from_fork+0x22/0x30 +[ 89.296906] Modules linked in: + +by running the following commands: + + 1. mkfs.ext4 -O mmp /dev/sda -b 1024 + 2. mount /dev/sda /home/test + 3. echo "/dev/sda" > /sys/power/resume + +That happens because swsusp_check() calls set_blocksize() on the +target partition which confuses the file system: + + Thread1 Thread2 +mount /dev/sda /home/test +get s_mmp_bh --> has mapped flag +start kmmpd thread + echo "/dev/sda" > /sys/power/resume + resume_store + software_resume + swsusp_check + set_blocksize + truncate_inode_pages_range + truncate_cleanup_page + block_invalidatepage + discard_buffer --> clean mapped flag +write_mmp_block + submit_bh + submit_bh_wbc + BUG_ON(!buffer_mapped(bh)) + +To address this issue, modify swsusp_check() to open the target block +device with exclusive access. + +Signed-off-by: Ye Bin +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/swap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/power/swap.c b/kernel/power/swap.c +index 3cb89baebc796..0aabc94125d6b 100644 +--- a/kernel/power/swap.c ++++ b/kernel/power/swap.c +@@ -1521,9 +1521,10 @@ end: + int swsusp_check(void) + { + int error; ++ void *holder; + + hib_resume_bdev = blkdev_get_by_dev(swsusp_resume_device, +- FMODE_READ, NULL); ++ FMODE_READ | FMODE_EXCL, &holder); + if (!IS_ERR(hib_resume_bdev)) { + set_blocksize(hib_resume_bdev, PAGE_SIZE); + clear_page(swsusp_header); +@@ -1545,7 +1546,7 @@ int swsusp_check(void) + + put: + if (error) +- blkdev_put(hib_resume_bdev, FMODE_READ); ++ blkdev_put(hib_resume_bdev, FMODE_READ | FMODE_EXCL); + else + pr_debug("Image signature found, resuming\n"); + } else { +-- +2.33.0 + diff --git a/queue-5.15/pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch b/queue-5.15/pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch new file mode 100644 index 00000000000..2df42e1f2dd --- /dev/null +++ b/queue-5.15/pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch @@ -0,0 +1,74 @@ +From cf2b372bd61dc3cba78dacac229166d69abb72a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 11:59:24 +1000 +Subject: pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds + +From: Baptiste Lepers + +[ Upstream commit a2915fa06227b056a8f9b0d79b61dca08ad5cfc6 ] + +_nfs4_pnfs_v3/v4_ds_connect do + some work + smp_wmb + ds->ds_clp = clp; + +And nfs4_ff_layout_prepare_ds currently does + smp_rmb + if(ds->ds_clp) + ... + +This patch places the smp_rmb after the if. This ensures that following +reads only happen once nfs4_ff_layout_prepare_ds has checked that data +has been properly initialized. + +Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver") +Signed-off-by: Baptiste Lepers +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/flexfilelayout/flexfilelayoutdev.c | 4 ++-- + fs/nfs/pnfs_nfs.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +index c9b61b818ec11..bfa7202ca7be1 100644 +--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c ++++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c +@@ -378,10 +378,10 @@ nfs4_ff_layout_prepare_ds(struct pnfs_layout_segment *lseg, + goto noconnect; + + ds = mirror->mirror_ds->ds; ++ if (READ_ONCE(ds->ds_clp)) ++ goto out; + /* matching smp_wmb() in _nfs4_pnfs_v3/4_ds_connect */ + smp_rmb(); +- if (ds->ds_clp) +- goto out; + + /* FIXME: For now we assume the server sent only one version of NFS + * to use for the DS. +diff --git a/fs/nfs/pnfs_nfs.c b/fs/nfs/pnfs_nfs.c +index cf19914fec817..02bd6e83961d9 100644 +--- a/fs/nfs/pnfs_nfs.c ++++ b/fs/nfs/pnfs_nfs.c +@@ -895,7 +895,7 @@ static int _nfs4_pnfs_v3_ds_connect(struct nfs_server *mds_srv, + } + + smp_wmb(); +- ds->ds_clp = clp; ++ WRITE_ONCE(ds->ds_clp, clp); + dprintk("%s [new] addr: %s\n", __func__, ds->ds_remotestr); + out: + return status; +@@ -973,7 +973,7 @@ static int _nfs4_pnfs_v4_ds_connect(struct nfs_server *mds_srv, + } + + smp_wmb(); +- ds->ds_clp = clp; ++ WRITE_ONCE(ds->ds_clp, clp); + dprintk("%s [new] addr: %s\n", __func__, ds->ds_remotestr); + out: + return status; +-- +2.33.0 + diff --git a/queue-5.15/power-reset-at91-reset-check-properly-the-return-val.patch b/queue-5.15/power-reset-at91-reset-check-properly-the-return-val.patch new file mode 100644 index 00000000000..3152a8439aa --- /dev/null +++ b/queue-5.15/power-reset-at91-reset-check-properly-the-return-val.patch @@ -0,0 +1,47 @@ +From 8bbd0cfd9873d87a30d1cb291655d1b6ad2906a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Sep 2021 13:09:28 +0300 +Subject: power: reset: at91-reset: check properly the return value of + devm_of_iomap + +From: Claudiu Beznea + +[ Upstream commit f558c8072c3461b65c12c0068b108f78cebc8246 ] + +devm_of_iomap() returns error code or valid pointer. Check its return +value with IS_ERR(). + +Fixes: bd3127733f2c ("power: reset: at91-reset: use devm_of_iomap") +Reported-by: Cristian Birsan +Signed-off-by: Claudiu Beznea +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/reset/at91-reset.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c +index 026649409135c..64def79d557a8 100644 +--- a/drivers/power/reset/at91-reset.c ++++ b/drivers/power/reset/at91-reset.c +@@ -193,7 +193,7 @@ static int __init at91_reset_probe(struct platform_device *pdev) + return -ENOMEM; + + reset->rstc_base = devm_of_iomap(&pdev->dev, pdev->dev.of_node, 0, NULL); +- if (!reset->rstc_base) { ++ if (IS_ERR(reset->rstc_base)) { + dev_err(&pdev->dev, "Could not map reset controller address\n"); + return -ENODEV; + } +@@ -203,7 +203,7 @@ static int __init at91_reset_probe(struct platform_device *pdev) + for_each_matching_node_and_match(np, at91_ramc_of_match, &match) { + reset->ramc_lpr = (u32)match->data; + reset->ramc_base[idx] = devm_of_iomap(&pdev->dev, np, 0, NULL); +- if (!reset->ramc_base[idx]) { ++ if (IS_ERR(reset->ramc_base[idx])) { + dev_err(&pdev->dev, "Could not map ram controller address\n"); + of_node_put(np); + return -ENODEV; +-- +2.33.0 + diff --git a/queue-5.15/power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch b/queue-5.15/power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch new file mode 100644 index 00000000000..1ed298e454b --- /dev/null +++ b/queue-5.15/power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch @@ -0,0 +1,45 @@ +From febc5e4a5e417a91f6a37904e79b39f81085089d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 16:25:22 +0100 +Subject: power: supply: bq27xxx: Fix kernel crash on IRQ handler register + error + +From: Hans de Goede + +[ Upstream commit cdf10ffe8f626d8a2edc354abf063df0078b2d71 ] + +When registering the IRQ handler fails, do not just return the error code, +this will free the devm_kzalloc()-ed data struct while leaving the queued +work queued and the registered power_supply registered with both of them +now pointing to free-ed memory, resulting in various kernel crashes +soon afterwards. + +Instead properly tear-down things on IRQ handler register errors. + +Fixes: 703df6c09795 ("power: bq27xxx_battery: Reorganize I2C into a module") +Cc: Andrew F. Davis +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/power/supply/bq27xxx_battery_i2c.c b/drivers/power/supply/bq27xxx_battery_i2c.c +index 46f078350fd3f..cf38cbfe13e9d 100644 +--- a/drivers/power/supply/bq27xxx_battery_i2c.c ++++ b/drivers/power/supply/bq27xxx_battery_i2c.c +@@ -187,7 +187,8 @@ static int bq27xxx_battery_i2c_probe(struct i2c_client *client, + dev_err(&client->dev, + "Unable to register IRQ %d error %d\n", + client->irq, ret); +- return ret; ++ bq27xxx_battery_teardown(di); ++ goto err_failed; + } + } + +-- +2.33.0 + diff --git a/queue-5.15/power-supply-max17040-fix-null-ptr-deref-in-max17040.patch b/queue-5.15/power-supply-max17040-fix-null-ptr-deref-in-max17040.patch new file mode 100644 index 00000000000..65fd3242053 --- /dev/null +++ b/queue-5.15/power-supply-max17040-fix-null-ptr-deref-in-max17040.patch @@ -0,0 +1,53 @@ +From 75471524b6650989d7a14fc4ed95cbd8384de00b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 14:31:50 +0800 +Subject: power: supply: max17040: fix null-ptr-deref in max17040_probe() + +From: Yang Yingliang + +[ Upstream commit 1d422ecfc48ee683ae1ccc9217764f6310c0ffce ] + +Add check the return value of devm_regmap_init_i2c(), otherwise +later access may cause null-ptr-deref as follows: + +KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367] +RIP: 0010:regmap_read+0x33/0x170 +Call Trace: + max17040_probe+0x61b/0xff0 [max17040_battery] + ? write_comp_data+0x2a/0x90 + ? max17040_set_property+0x1d0/0x1d0 [max17040_battery] + ? tracer_hardirqs_on+0x33/0x520 + ? __sanitizer_cov_trace_pc+0x1d/0x50 + ? _raw_spin_unlock_irqrestore+0x4b/0x60 + ? trace_hardirqs_on+0x63/0x2d0 + ? write_comp_data+0x2a/0x90 + ? __sanitizer_cov_trace_pc+0x1d/0x50 + ? max17040_set_property+0x1d0/0x1d0 [max17040_battery] + i2c_device_probe+0xa31/0xbe0 + +Fixes: 6455a8a84bdf ("power: supply: max17040: Use regmap i2c") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/max17040_battery.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/power/supply/max17040_battery.c b/drivers/power/supply/max17040_battery.c +index 3cea92e28dc3e..a9aef1e8b186e 100644 +--- a/drivers/power/supply/max17040_battery.c ++++ b/drivers/power/supply/max17040_battery.c +@@ -449,6 +449,8 @@ static int max17040_probe(struct i2c_client *client, + + chip->client = client; + chip->regmap = devm_regmap_init_i2c(client, &max17040_regmap); ++ if (IS_ERR(chip->regmap)) ++ return PTR_ERR(chip->regmap); + chip_id = (enum chip_id) id->driver_data; + if (client->dev.of_node) { + ret = max17040_get_of_data(chip); +-- +2.33.0 + diff --git a/queue-5.15/power-supply-rt5033_battery-change-voltage-values-to.patch b/queue-5.15/power-supply-rt5033_battery-change-voltage-values-to.patch new file mode 100644 index 00000000000..1db4d601890 --- /dev/null +++ b/queue-5.15/power-supply-rt5033_battery-change-voltage-values-to.patch @@ -0,0 +1,42 @@ +From 12bd495059e4050505ecc8e5cc650b722da34b16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 10:32:45 +0200 +Subject: =?UTF-8?q?power:=20supply:=20rt5033=5Fbattery:=20Change=20voltage?= + =?UTF-8?q?=20values=20to=20=C2=B5V?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakob Hauser + +[ Upstream commit bf895295e9a73411889816f1a0c1f4f1a2d9c678 ] + +Currently the rt5033_battery driver provides voltage values in mV. It +should be µV as stated in Documentation/power/power_supply_class.rst. + +Fixes: b847dd96e659 ("power: rt5033_battery: Add RT5033 Fuel gauge device driver") +Cc: Beomho Seo +Cc: Chanwoo Choi +Signed-off-by: Jakob Hauser +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/rt5033_battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/rt5033_battery.c b/drivers/power/supply/rt5033_battery.c +index 9ad0afe83d1b7..7a23c70f48791 100644 +--- a/drivers/power/supply/rt5033_battery.c ++++ b/drivers/power/supply/rt5033_battery.c +@@ -60,7 +60,7 @@ static int rt5033_battery_get_watt_prop(struct i2c_client *client, + regmap_read(battery->regmap, regh, &msb); + regmap_read(battery->regmap, regl, &lsb); + +- ret = ((msb << 4) + (lsb >> 4)) * 1250 / 1000; ++ ret = ((msb << 4) + (lsb >> 4)) * 1250; + + return ret; + } +-- +2.33.0 + diff --git a/queue-5.15/powerpc-44x-fsp2-add-missing-of_node_put.patch b/queue-5.15/powerpc-44x-fsp2-add-missing-of_node_put.patch new file mode 100644 index 00000000000..25f28caae66 --- /dev/null +++ b/queue-5.15/powerpc-44x-fsp2-add-missing-of_node_put.patch @@ -0,0 +1,48 @@ +From c5971188a5ab665a67f8b6a11099c06eb6086c92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 15:28:22 +0800 +Subject: powerpc/44x/fsp2: add missing of_node_put + +From: Bixuan Cui + +[ Upstream commit 290fe8aa69ef5c51c778c0bb33f8ef0181c769f5 ] + +Early exits from for_each_compatible_node() should decrement the +node reference counter. Reported by Coccinelle: + +./arch/powerpc/platforms/44x/fsp2.c:206:1-25: WARNING: Function +"for_each_compatible_node" should have of_node_put() before return +around line 218. + +Fixes: 7813043e1bbc ("powerpc/44x/fsp2: Add irq error handlers") +Signed-off-by: Bixuan Cui +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1635406102-88719-1-git-send-email-cuibixuan@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/44x/fsp2.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/platforms/44x/fsp2.c b/arch/powerpc/platforms/44x/fsp2.c +index b299e43f5ef94..823397c802def 100644 +--- a/arch/powerpc/platforms/44x/fsp2.c ++++ b/arch/powerpc/platforms/44x/fsp2.c +@@ -208,6 +208,7 @@ static void node_irq_request(const char *compat, irq_handler_t errirq_handler) + if (irq == NO_IRQ) { + pr_err("device tree node %pOFn is missing a interrupt", + np); ++ of_node_put(np); + return; + } + +@@ -215,6 +216,7 @@ static void node_irq_request(const char *compat, irq_handler_t errirq_handler) + if (rc) { + pr_err("fsp_of_probe: request_irq failed: np=%pOF rc=%d", + np, rc); ++ of_node_put(np); + return; + } + } +-- +2.33.0 + diff --git a/queue-5.15/powerpc-book3e-fix-set_memory_x-and-set_memory_nx.patch b/queue-5.15/powerpc-book3e-fix-set_memory_x-and-set_memory_nx.patch new file mode 100644 index 00000000000..c2fa843c5cb --- /dev/null +++ b/queue-5.15/powerpc-book3e-fix-set_memory_x-and-set_memory_nx.patch @@ -0,0 +1,171 @@ +From 11fcfeaafc954e9e20cc0deb5ae49cf2243112e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 07:39:25 +0200 +Subject: powerpc/book3e: Fix set_memory_x() and set_memory_nx() + +From: Christophe Leroy + +[ Upstream commit b6cb20fdc2735f8b2e082937066c33fe376c2ee2 ] + +set_memory_x() calls pte_mkexec() which sets _PAGE_EXEC. +set_memory_nx() calls pte_exprotec() which clears _PAGE_EXEC. + +Book3e has 2 bits, UX and SX, which defines the exec rights +resp. for user (PR=1) and for kernel (PR=0). + +_PAGE_EXEC is defined as UX only. + +An executable kernel page is set with either _PAGE_KERNEL_RWX +or _PAGE_KERNEL_ROX, which both have SX set and UX cleared. + +So set_memory_nx() call for an executable kernel page does +nothing because UX is already cleared. + +And set_memory_x() on a non-executable kernel page makes it +executable for the user and keeps it non-executable for kernel. + +Also, pte_exec() always returns 'false' on kernel pages, because +it checks _PAGE_EXEC which doesn't include SX, so for instance +the W+X check doesn't work. + +To fix this: + - change tlb_low_64e.S to use _PAGE_BAP_UX instead of _PAGE_USER + - sets both UX and SX in _PAGE_EXEC so that pte_exec() returns + true whenever one of the two bits is set and pte_exprotect() + clears both bits. + - Define a book3e specific version of pte_mkexec() which sets + either SX or UX based on UR. + +Fixes: 1f9ad21c3b38 ("powerpc/mm: Implement set_memory() routines") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/c41100f9c144dc5b62e5a751b810190c6b5d42fd.1635226743.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/nohash/32/pgtable.h | 2 ++ + arch/powerpc/include/asm/nohash/64/pgtable.h | 5 ----- + arch/powerpc/include/asm/nohash/pte-book3e.h | 18 ++++++++++++++---- + arch/powerpc/mm/nohash/tlb_low_64e.S | 8 ++++---- + 4 files changed, 20 insertions(+), 13 deletions(-) + +diff --git a/arch/powerpc/include/asm/nohash/32/pgtable.h b/arch/powerpc/include/asm/nohash/32/pgtable.h +index ac0a5ff48c3ad..d6ba821a56ced 100644 +--- a/arch/powerpc/include/asm/nohash/32/pgtable.h ++++ b/arch/powerpc/include/asm/nohash/32/pgtable.h +@@ -193,10 +193,12 @@ static inline pte_t pte_wrprotect(pte_t pte) + } + #endif + ++#ifndef pte_mkexec + static inline pte_t pte_mkexec(pte_t pte) + { + return __pte(pte_val(pte) | _PAGE_EXEC); + } ++#endif + + #define pmd_none(pmd) (!pmd_val(pmd)) + #define pmd_bad(pmd) (pmd_val(pmd) & _PMD_BAD) +diff --git a/arch/powerpc/include/asm/nohash/64/pgtable.h b/arch/powerpc/include/asm/nohash/64/pgtable.h +index d081704b13fb9..9d2905a474103 100644 +--- a/arch/powerpc/include/asm/nohash/64/pgtable.h ++++ b/arch/powerpc/include/asm/nohash/64/pgtable.h +@@ -118,11 +118,6 @@ static inline pte_t pte_wrprotect(pte_t pte) + return __pte(pte_val(pte) & ~_PAGE_RW); + } + +-static inline pte_t pte_mkexec(pte_t pte) +-{ +- return __pte(pte_val(pte) | _PAGE_EXEC); +-} +- + #define PMD_BAD_BITS (PTE_TABLE_SIZE-1) + #define PUD_BAD_BITS (PMD_TABLE_SIZE-1) + +diff --git a/arch/powerpc/include/asm/nohash/pte-book3e.h b/arch/powerpc/include/asm/nohash/pte-book3e.h +index 813918f407653..f798640422c2d 100644 +--- a/arch/powerpc/include/asm/nohash/pte-book3e.h ++++ b/arch/powerpc/include/asm/nohash/pte-book3e.h +@@ -48,7 +48,7 @@ + #define _PAGE_WRITETHRU 0x800000 /* W: cache write-through */ + + /* "Higher level" linux bit combinations */ +-#define _PAGE_EXEC _PAGE_BAP_UX /* .. and was cache cleaned */ ++#define _PAGE_EXEC (_PAGE_BAP_SX | _PAGE_BAP_UX) /* .. and was cache cleaned */ + #define _PAGE_RW (_PAGE_BAP_SW | _PAGE_BAP_UW) /* User write permission */ + #define _PAGE_KERNEL_RW (_PAGE_BAP_SW | _PAGE_BAP_SR | _PAGE_DIRTY) + #define _PAGE_KERNEL_RO (_PAGE_BAP_SR) +@@ -93,11 +93,11 @@ + /* Permission masks used to generate the __P and __S table */ + #define PAGE_NONE __pgprot(_PAGE_BASE) + #define PAGE_SHARED __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW) +-#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_EXEC) ++#define PAGE_SHARED_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW | _PAGE_BAP_UX) + #define PAGE_COPY __pgprot(_PAGE_BASE | _PAGE_USER) +-#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC) ++#define PAGE_COPY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_BAP_UX) + #define PAGE_READONLY __pgprot(_PAGE_BASE | _PAGE_USER) +-#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC) ++#define PAGE_READONLY_X __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_BAP_UX) + + #ifndef __ASSEMBLY__ + static inline pte_t pte_mkprivileged(pte_t pte) +@@ -113,6 +113,16 @@ static inline pte_t pte_mkuser(pte_t pte) + } + + #define pte_mkuser pte_mkuser ++ ++static inline pte_t pte_mkexec(pte_t pte) ++{ ++ if (pte_val(pte) & _PAGE_BAP_UR) ++ return __pte((pte_val(pte) & ~_PAGE_BAP_SX) | _PAGE_BAP_UX); ++ else ++ return __pte((pte_val(pte) & ~_PAGE_BAP_UX) | _PAGE_BAP_SX); ++} ++#define pte_mkexec pte_mkexec ++ + #endif /* __ASSEMBLY__ */ + + #endif /* __KERNEL__ */ +diff --git a/arch/powerpc/mm/nohash/tlb_low_64e.S b/arch/powerpc/mm/nohash/tlb_low_64e.S +index bf24451f3e71f..9235e720e3572 100644 +--- a/arch/powerpc/mm/nohash/tlb_low_64e.S ++++ b/arch/powerpc/mm/nohash/tlb_low_64e.S +@@ -222,7 +222,7 @@ tlb_miss_kernel_bolted: + + tlb_miss_fault_bolted: + /* We need to check if it was an instruction miss */ +- andi. r10,r11,_PAGE_EXEC|_PAGE_BAP_SX ++ andi. r10,r11,_PAGE_BAP_UX|_PAGE_BAP_SX + bne itlb_miss_fault_bolted + dtlb_miss_fault_bolted: + tlb_epilog_bolted +@@ -239,7 +239,7 @@ itlb_miss_fault_bolted: + srdi r15,r16,60 /* get region */ + bne- itlb_miss_fault_bolted + +- li r11,_PAGE_PRESENT|_PAGE_EXEC /* Base perm */ ++ li r11,_PAGE_PRESENT|_PAGE_BAP_UX /* Base perm */ + + /* We do the user/kernel test for the PID here along with the RW test + */ +@@ -614,7 +614,7 @@ itlb_miss_fault_e6500: + + /* We do the user/kernel test for the PID here along with the RW test + */ +- li r11,_PAGE_PRESENT|_PAGE_EXEC /* Base perm */ ++ li r11,_PAGE_PRESENT|_PAGE_BAP_UX /* Base perm */ + oris r11,r11,_PAGE_ACCESSED@h + + cmpldi cr0,r15,0 /* Check for user region */ +@@ -734,7 +734,7 @@ normal_tlb_miss_done: + + normal_tlb_miss_access_fault: + /* We need to check if it was an instruction miss */ +- andi. r10,r11,_PAGE_EXEC ++ andi. r10,r11,_PAGE_BAP_UX + bne 1f + ld r14,EX_TLB_DEAR(r12) + ld r15,EX_TLB_ESR(r12) +-- +2.33.0 + diff --git a/queue-5.15/powerpc-booke-disable-strict_kernel_rwx-debug_pageal.patch b/queue-5.15/powerpc-booke-disable-strict_kernel_rwx-debug_pageal.patch new file mode 100644 index 00000000000..521f432d7fc --- /dev/null +++ b/queue-5.15/powerpc-booke-disable-strict_kernel_rwx-debug_pageal.patch @@ -0,0 +1,60 @@ +From 9e20b09c8b7ddbd8e2966d9728066a80c1f2ef79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 12:02:42 +0200 +Subject: powerpc/booke: Disable STRICT_KERNEL_RWX, DEBUG_PAGEALLOC and KFENCE + +From: Christophe Leroy + +[ Upstream commit 68b44f94d6370e2c6c790fedd28e637fa9964a93 ] + +fsl_booke and 44x are not able to map kernel linear memory with +pages, so they can't support DEBUG_PAGEALLOC and KFENCE, and +STRICT_KERNEL_RWX is also a problem for now. + +Enable those only on book3s (both 32 and 64 except KFENCE), 8xx and 40x. + +Fixes: 88df6e90fa97 ("[POWERPC] DEBUG_PAGEALLOC for 32-bit") +Fixes: 95902e6c8864 ("powerpc/mm: Implement STRICT_KERNEL_RWX on PPC32") +Fixes: 90cbac0e995d ("powerpc: Enable KFENCE for PPC32") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/d1ad9fdd9b27da3fdfa16510bb542ed51fa6e134.1634292136.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/Kconfig | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig +index ba5b661893588..6b9f523882c58 100644 +--- a/arch/powerpc/Kconfig ++++ b/arch/powerpc/Kconfig +@@ -138,7 +138,7 @@ config PPC + select ARCH_HAS_PTE_SPECIAL + select ARCH_HAS_SCALED_CPUTIME if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64 + select ARCH_HAS_SET_MEMORY +- select ARCH_HAS_STRICT_KERNEL_RWX if ((PPC_BOOK3S_64 || PPC32) && !HIBERNATION) ++ select ARCH_HAS_STRICT_KERNEL_RWX if (PPC_BOOK3S || PPC_8xx || 40x) && !HIBERNATION + select ARCH_HAS_STRICT_MODULE_RWX if ARCH_HAS_STRICT_KERNEL_RWX && !PPC_BOOK3S_32 + select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST + select ARCH_HAS_UACCESS_FLUSHCACHE +@@ -150,7 +150,7 @@ config PPC + select ARCH_OPTIONAL_KERNEL_RWX if ARCH_HAS_STRICT_KERNEL_RWX + select ARCH_STACKWALK + select ARCH_SUPPORTS_ATOMIC_RMW +- select ARCH_SUPPORTS_DEBUG_PAGEALLOC if PPC32 || PPC_BOOK3S_64 ++ select ARCH_SUPPORTS_DEBUG_PAGEALLOC if PPC_BOOK3S || PPC_8xx || 40x + select ARCH_USE_BUILTIN_BSWAP + select ARCH_USE_CMPXCHG_LOCKREF if PPC64 + select ARCH_USE_MEMTEST +@@ -190,7 +190,7 @@ config PPC + select HAVE_ARCH_JUMP_LABEL_RELATIVE + select HAVE_ARCH_KASAN if PPC32 && PPC_PAGE_SHIFT <= 14 + select HAVE_ARCH_KASAN_VMALLOC if PPC32 && PPC_PAGE_SHIFT <= 14 +- select HAVE_ARCH_KFENCE if PPC32 ++ select HAVE_ARCH_KFENCE if PPC_BOOK3S_32 || PPC_8xx || 40x + select HAVE_ARCH_KGDB + select HAVE_ARCH_MMAP_RND_BITS + select HAVE_ARCH_MMAP_RND_COMPAT_BITS if COMPAT +-- +2.33.0 + diff --git a/queue-5.15/powerpc-don-t-provide-__kernel_map_pages-without-arc.patch b/queue-5.15/powerpc-don-t-provide-__kernel_map_pages-without-arc.patch new file mode 100644 index 00000000000..53e3449aeb7 --- /dev/null +++ b/queue-5.15/powerpc-don-t-provide-__kernel_map_pages-without-arc.patch @@ -0,0 +1,44 @@ +From 6c0b834972fdfa18b9a51ae3cde425c7357df42f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 14:59:15 +0200 +Subject: powerpc: Don't provide __kernel_map_pages() without + ARCH_SUPPORTS_DEBUG_PAGEALLOC + +From: Christophe Leroy + +[ Upstream commit f8c0e36b48e32b14bb83332d24e0646acd31d9e9 ] + +When ARCH_SUPPORTS_DEBUG_PAGEALLOC is not selected, the user can +still select CONFIG_DEBUG_PAGEALLOC in which case __kernel_map_pages() +is provided by mm/page_poison.c + +So only define __kernel_map_pages() when both +CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC and CONFIG_DEBUG_PAGEALLOC +are defined. + +Fixes: 68b44f94d637 ("powerpc/booke: Disable STRICT_KERNEL_RWX, DEBUG_PAGEALLOC and KFENCE") +Reported-by: kernel test robot +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/971b69739ff4746252e711a9845210465c023a9e.1635425947.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/pgtable_32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/mm/pgtable_32.c b/arch/powerpc/mm/pgtable_32.c +index dcf5ecca19d99..fde1ed445ca46 100644 +--- a/arch/powerpc/mm/pgtable_32.c ++++ b/arch/powerpc/mm/pgtable_32.c +@@ -173,7 +173,7 @@ void mark_rodata_ro(void) + } + #endif + +-#ifdef CONFIG_DEBUG_PAGEALLOC ++#if defined(CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC) && defined(CONFIG_DEBUG_PAGEALLOC) + void __kernel_map_pages(struct page *page, int numpages, int enable) + { + unsigned long addr = (unsigned long)page_address(page); +-- +2.33.0 + diff --git a/queue-5.15/powerpc-fix-unbalanced-node-refcount-in-check_kvm_gu.patch b/queue-5.15/powerpc-fix-unbalanced-node-refcount-in-check_kvm_gu.patch new file mode 100644 index 00000000000..1578d03442b --- /dev/null +++ b/queue-5.15/powerpc-fix-unbalanced-node-refcount-in-check_kvm_gu.patch @@ -0,0 +1,49 @@ +From 718c1b8bc37b82976ab6d4e5f117a5de8bdb6738 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 07:45:50 -0500 +Subject: powerpc: fix unbalanced node refcount in check_kvm_guest() + +From: Nathan Lynch + +[ Upstream commit 56537faf8821e361d739fc5ff58c9c40f54a1d4c ] + +When check_kvm_guest() succeeds in looking up a /hypervisor OF node, it +returns without performing a matching put for the lookup, leaving the +node's reference count elevated. + +Add the necessary call to of_node_put(), rearranging the code slightly to +avoid repetition or goto. + +Fixes: 107c55005fbd ("powerpc/pseries: Add KVM guest doorbell restrictions") +Signed-off-by: Nathan Lynch +Reviewed-by: Srikar Dronamraju +Reviewed-by: Tyrel Datwyler +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210928124550.132020-1-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/firmware.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/arch/powerpc/kernel/firmware.c b/arch/powerpc/kernel/firmware.c +index c7022c41cc314..20328f72f9f2b 100644 +--- a/arch/powerpc/kernel/firmware.c ++++ b/arch/powerpc/kernel/firmware.c +@@ -31,11 +31,10 @@ int __init check_kvm_guest(void) + if (!hyper_node) + return 0; + +- if (!of_device_is_compatible(hyper_node, "linux,kvm")) +- return 0; +- +- static_branch_enable(&kvm_guest); ++ if (of_device_is_compatible(hyper_node, "linux,kvm")) ++ static_branch_enable(&kvm_guest); + ++ of_node_put(hyper_node); + return 0; + } + core_initcall(check_kvm_guest); // before kvm_guest_init() +-- +2.33.0 + diff --git a/queue-5.15/powerpc-mem-fix-arch-powerpc-mm-mem.c-53-12-error-no.patch b/queue-5.15/powerpc-mem-fix-arch-powerpc-mm-mem.c-53-12-error-no.patch new file mode 100644 index 00000000000..a15ccaf6850 --- /dev/null +++ b/queue-5.15/powerpc-mem-fix-arch-powerpc-mm-mem.c-53-12-error-no.patch @@ -0,0 +1,43 @@ +From f9c9cd96a88a484f26ff55c2cd67198d8e09d28f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Sep 2021 17:17:26 +0200 +Subject: powerpc/mem: Fix arch/powerpc/mm/mem.c:53:12: error: no previous + prototype for 'create_section_mapping' + +From: Christophe Leroy + +[ Upstream commit 7eff9bc00ddf1e2281dff575884b7f676c85b006 ] + +Commit 8e11d62e2e87 ("powerpc/mem: Add back missing header to fix 'no +previous prototype' error") was supposed to fix the problem, but in +the meantime commit a927bd6ba952 ("mm: fix phys_to_target_node() and* +memory_add_physaddr_to_nid() exports") moved create_section_mapping() +prototype from asm/sparsemem.h to asm/mmzone.h + +Fixes: 8e11d62e2e87 ("powerpc/mem: Add back missing header to fix 'no previous prototype' error") +Reported-by: kernel test robot +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/025754fde3d027904ae9d0191f395890bec93369.1631541649.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/mm/mem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/mm/mem.c b/arch/powerpc/mm/mem.c +index c3c4e31462eca..05b9c3f31456c 100644 +--- a/arch/powerpc/mm/mem.c ++++ b/arch/powerpc/mm/mem.c +@@ -20,8 +20,8 @@ + #include + #include + #include +-#include + #include ++#include + + #include + +-- +2.33.0 + diff --git a/queue-5.15/powerpc-nohash-fix-__ptep_set_access_flags-and-ptep_.patch b/queue-5.15/powerpc-nohash-fix-__ptep_set_access_flags-and-ptep_.patch new file mode 100644 index 00000000000..16f543b71f4 --- /dev/null +++ b/queue-5.15/powerpc-nohash-fix-__ptep_set_access_flags-and-ptep_.patch @@ -0,0 +1,121 @@ +From be2427d6eedd6767b907cb446ace8d402a4c637d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 07:39:24 +0200 +Subject: powerpc/nohash: Fix __ptep_set_access_flags() and + ptep_set_wrprotect() + +From: Christophe Leroy + +[ Upstream commit b1b93cb7e794e914787bf7d9936b57a149cdee4f ] + +Commit 26973fa5ac0e ("powerpc/mm: use pte helpers in generic code") +changed those two functions to use pte helpers to determine which +bits to clear and which bits to set. + +This change was based on the assumption that bits to be set/cleared +are always the same and can be determined by applying the pte +manipulation helpers on __pte(0). + +But on platforms like book3e, the bits depend on whether the page +is a user page or not. + +For the time being it more or less works because of _PAGE_EXEC being +used for user pages only and exec right being set at all time on +kernel page. But following patch will clean that and output of +pte_mkexec() will depend on the page being a user or kernel page. + +Instead of trying to make an even more complicated helper where bits +would become dependent on the final pte value, come back to a more +static situation like before commit 26973fa5ac0e ("powerpc/mm: use +pte helpers in generic code"), by introducing an 8xx specific +version of __ptep_set_access_flags() and ptep_set_wrprotect(). + +Fixes: 26973fa5ac0e ("powerpc/mm: use pte helpers in generic code") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/922bdab3a220781bae2360ff3dd5adb7fe4d34f1.1635226743.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/nohash/32/pgtable.h | 17 +++++++-------- + arch/powerpc/include/asm/nohash/32/pte-8xx.h | 22 ++++++++++++++++++++ + 2 files changed, 30 insertions(+), 9 deletions(-) + +diff --git a/arch/powerpc/include/asm/nohash/32/pgtable.h b/arch/powerpc/include/asm/nohash/32/pgtable.h +index f06ae00f2a65e..ac0a5ff48c3ad 100644 +--- a/arch/powerpc/include/asm/nohash/32/pgtable.h ++++ b/arch/powerpc/include/asm/nohash/32/pgtable.h +@@ -306,30 +306,29 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, + } + + #define __HAVE_ARCH_PTEP_SET_WRPROTECT ++#ifndef ptep_set_wrprotect + static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr, + pte_t *ptep) + { +- unsigned long clr = ~pte_val(pte_wrprotect(__pte(~0))); +- unsigned long set = pte_val(pte_wrprotect(__pte(0))); +- +- pte_update(mm, addr, ptep, clr, set, 0); ++ pte_update(mm, addr, ptep, _PAGE_RW, 0, 0); + } ++#endif + ++#ifndef __ptep_set_access_flags + static inline void __ptep_set_access_flags(struct vm_area_struct *vma, + pte_t *ptep, pte_t entry, + unsigned long address, + int psize) + { +- pte_t pte_set = pte_mkyoung(pte_mkdirty(pte_mkwrite(pte_mkexec(__pte(0))))); +- pte_t pte_clr = pte_mkyoung(pte_mkdirty(pte_mkwrite(pte_mkexec(__pte(~0))))); +- unsigned long set = pte_val(entry) & pte_val(pte_set); +- unsigned long clr = ~pte_val(entry) & ~pte_val(pte_clr); ++ unsigned long set = pte_val(entry) & ++ (_PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_RW | _PAGE_EXEC); + int huge = psize > mmu_virtual_psize ? 1 : 0; + +- pte_update(vma->vm_mm, address, ptep, clr, set, huge); ++ pte_update(vma->vm_mm, address, ptep, 0, set, huge); + + flush_tlb_page(vma, address); + } ++#endif + + static inline int pte_young(pte_t pte) + { +diff --git a/arch/powerpc/include/asm/nohash/32/pte-8xx.h b/arch/powerpc/include/asm/nohash/32/pte-8xx.h +index fcc48d590d888..1a89ebdc3acc9 100644 +--- a/arch/powerpc/include/asm/nohash/32/pte-8xx.h ++++ b/arch/powerpc/include/asm/nohash/32/pte-8xx.h +@@ -136,6 +136,28 @@ static inline pte_t pte_mkhuge(pte_t pte) + + #define pte_mkhuge pte_mkhuge + ++static inline pte_basic_t pte_update(struct mm_struct *mm, unsigned long addr, pte_t *p, ++ unsigned long clr, unsigned long set, int huge); ++ ++static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr, pte_t *ptep) ++{ ++ pte_update(mm, addr, ptep, 0, _PAGE_RO, 0); ++} ++#define ptep_set_wrprotect ptep_set_wrprotect ++ ++static inline void __ptep_set_access_flags(struct vm_area_struct *vma, pte_t *ptep, ++ pte_t entry, unsigned long address, int psize) ++{ ++ unsigned long set = pte_val(entry) & (_PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_EXEC); ++ unsigned long clr = ~pte_val(entry) & _PAGE_RO; ++ int huge = psize > mmu_virtual_psize ? 1 : 0; ++ ++ pte_update(vma->vm_mm, address, ptep, clr, set, huge); ++ ++ flush_tlb_page(vma, address); ++} ++#define __ptep_set_access_flags __ptep_set_access_flags ++ + static inline unsigned long pgd_leaf_size(pgd_t pgd) + { + if (pgd_val(pgd) & _PMD_PAGE_8M) +-- +2.33.0 + diff --git a/queue-5.15/powerpc-paravirt-correct-preempt-debug-splat-in-vcpu.patch b/queue-5.15/powerpc-paravirt-correct-preempt-debug-splat-in-vcpu.patch new file mode 100644 index 00000000000..c31c24df915 --- /dev/null +++ b/queue-5.15/powerpc-paravirt-correct-preempt-debug-splat-in-vcpu.patch @@ -0,0 +1,73 @@ +From 21b059c5bb66ed6a137f3b9f91d0afd85abd3069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 16:41:47 -0500 +Subject: powerpc/paravirt: correct preempt debug splat in vcpu_is_preempted() + +From: Nathan Lynch + +[ Upstream commit fda0eb220021a97c1d656434b9340ebf3fc4704a ] + +vcpu_is_preempted() can be used outside of preempt-disabled critical +sections, yielding warnings such as: + +BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/185 +caller is rwsem_spin_on_owner+0x1cc/0x2d0 +CPU: 1 PID: 185 Comm: systemd-udevd Not tainted 5.15.0-rc2+ #33 +Call Trace: +[c000000012907ac0] [c000000000aa30a8] dump_stack_lvl+0xac/0x108 (unreliable) +[c000000012907b00] [c000000001371f70] check_preemption_disabled+0x150/0x160 +[c000000012907b90] [c0000000001e0e8c] rwsem_spin_on_owner+0x1cc/0x2d0 +[c000000012907be0] [c0000000001e1408] rwsem_down_write_slowpath+0x478/0x9a0 +[c000000012907ca0] [c000000000576cf4] filename_create+0x94/0x1e0 +[c000000012907d10] [c00000000057ac08] do_symlinkat+0x68/0x1a0 +[c000000012907d70] [c00000000057ae18] sys_symlink+0x58/0x70 +[c000000012907da0] [c00000000002e448] system_call_exception+0x198/0x3c0 +[c000000012907e10] [c00000000000c54c] system_call_common+0xec/0x250 + +The result of vcpu_is_preempted() is always used speculatively, and the +function does not access per-cpu resources in a (Linux) preempt-unsafe way. +Use raw_smp_processor_id() to avoid such warnings, adding explanatory +comments. + +Fixes: ca3f969dcb11 ("powerpc/paravirt: Use is_kvm_guest() in vcpu_is_preempted()") +Signed-off-by: Nathan Lynch +Reviewed-by: Srikar Dronamraju +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210928214147.312412-3-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/paravirt.h | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/paravirt.h b/arch/powerpc/include/asm/paravirt.h +index bcb7b5f917be6..b325022ffa2b0 100644 +--- a/arch/powerpc/include/asm/paravirt.h ++++ b/arch/powerpc/include/asm/paravirt.h +@@ -97,7 +97,23 @@ static inline bool vcpu_is_preempted(int cpu) + + #ifdef CONFIG_PPC_SPLPAR + if (!is_kvm_guest()) { +- int first_cpu = cpu_first_thread_sibling(smp_processor_id()); ++ int first_cpu; ++ ++ /* ++ * The result of vcpu_is_preempted() is used in a ++ * speculative way, and is always subject to invalidation ++ * by events internal and external to Linux. While we can ++ * be called in preemptable context (in the Linux sense), ++ * we're not accessing per-cpu resources in a way that can ++ * race destructively with Linux scheduler preemption and ++ * migration, and callers can tolerate the potential for ++ * error introduced by sampling the CPU index without ++ * pinning the task to it. So it is permissible to use ++ * raw_smp_processor_id() here to defeat the preempt debug ++ * warnings that can arise from using smp_processor_id() ++ * in arbitrary contexts. ++ */ ++ first_cpu = cpu_first_thread_sibling(raw_smp_processor_id()); + + /* + * Preemption can only happen at core granularity. This CPU +-- +2.33.0 + diff --git a/queue-5.15/powerpc-perf-fix-cycles-instructions-as-pm_cyc-pm_in.patch b/queue-5.15/powerpc-perf-fix-cycles-instructions-as-pm_cyc-pm_in.patch new file mode 100644 index 00000000000..a2bdfa0b384 --- /dev/null +++ b/queue-5.15/powerpc-perf-fix-cycles-instructions-as-pm_cyc-pm_in.patch @@ -0,0 +1,182 @@ +From cf5972ec609e295239f3d6186e123a566d19bad3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 13:21:21 +0530 +Subject: powerpc/perf: Fix cycles/instructions as PM_CYC/PM_INST_CMPL in + power10 + +From: Athira Rajeev + +[ Upstream commit 8f6aca0e0f26eaaee670cd27896993a45cdc8f9e ] + +On power9 and earlier platforms, the default event used for cyles and +instructions is PM_CYC (0x0001e) and PM_INST_CMPL (0x00002) +respectively. These events use two programmable PMCs and by default will +count irrespective of the run latch state (idle state). But since they +use programmable PMCs, these events can lead to multiplexing with other +events, because there are only 4 programmable PMCs. Hence in power10, +performance monitoring unit (PMU) driver uses performance monitor +counter 5 (PMC5) and performance monitor counter6 (PMC6) for counting +instructions and cycles. + +Currently on power10, the event used for cycles is PM_RUN_CYC (0x600F4) +and instructions uses PM_RUN_INST_CMPL (0x500fa). But counting of these +events in idle state is controlled by the CC56RUN bit setting in Monitor +Mode Control Register0 (MMCR0). If the CC56RUN bit is zero, PMC5/6 will +not count when CTRL[RUN] (run latch) is zero. This could lead to missing +some counts if a thread is in idle state during system wide profiling. + +To fix it, set the CC56RUN bit in MMCR0 for power10, which makes PMC5 +and PMC6 count instructions and cycles regardless of the run latch +state. Since this change make PMC5/6 count as PM_INST_CMPL/PM_CYC, +rename the event code 0x600f4 as PM_CYC instead of PM_RUN_CYC and event +code 0x500fa as PM_INST_CMPL instead of PM_RUN_INST_CMPL. The changes +are only for PMC5/6 event codes and will not affect the behaviour of +PM_RUN_CYC/PM_RUN_INST_CMPL if progammed in other PMC's. + +Fixes: a64e697cef23 ("powerpc/perf: power10 Performance Monitoring support") +Signed-off-by: Athira Rajeev +Reviewed-by: Madhavan Srinivasan +[mpe: Tweak change log wording for style and consistency] +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211007075121.28497-1-atrajeev@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/power10-events-list.h | 8 ++--- + arch/powerpc/perf/power10-pmu.c | 44 +++++++++++++++++-------- + 2 files changed, 35 insertions(+), 17 deletions(-) + +diff --git a/arch/powerpc/perf/power10-events-list.h b/arch/powerpc/perf/power10-events-list.h +index 93be7197d2502..564f14097f07b 100644 +--- a/arch/powerpc/perf/power10-events-list.h ++++ b/arch/powerpc/perf/power10-events-list.h +@@ -9,10 +9,10 @@ + /* + * Power10 event codes. + */ +-EVENT(PM_RUN_CYC, 0x600f4); ++EVENT(PM_CYC, 0x600f4); + EVENT(PM_DISP_STALL_CYC, 0x100f8); + EVENT(PM_EXEC_STALL, 0x30008); +-EVENT(PM_RUN_INST_CMPL, 0x500fa); ++EVENT(PM_INST_CMPL, 0x500fa); + EVENT(PM_BR_CMPL, 0x4d05e); + EVENT(PM_BR_MPRED_CMPL, 0x400f6); + EVENT(PM_BR_FIN, 0x2f04a); +@@ -50,8 +50,8 @@ EVENT(PM_DTLB_MISS, 0x300fc); + /* ITLB Reloaded */ + EVENT(PM_ITLB_MISS, 0x400fc); + +-EVENT(PM_RUN_CYC_ALT, 0x0001e); +-EVENT(PM_RUN_INST_CMPL_ALT, 0x00002); ++EVENT(PM_CYC_ALT, 0x0001e); ++EVENT(PM_INST_CMPL_ALT, 0x00002); + + /* + * Memory Access Events +diff --git a/arch/powerpc/perf/power10-pmu.c b/arch/powerpc/perf/power10-pmu.c +index f9d64c63bb4a7..9dd75f3858372 100644 +--- a/arch/powerpc/perf/power10-pmu.c ++++ b/arch/powerpc/perf/power10-pmu.c +@@ -91,8 +91,8 @@ extern u64 PERF_REG_EXTENDED_MASK; + + /* Table of alternatives, sorted by column 0 */ + static const unsigned int power10_event_alternatives[][MAX_ALT] = { +- { PM_RUN_CYC_ALT, PM_RUN_CYC }, +- { PM_RUN_INST_CMPL_ALT, PM_RUN_INST_CMPL }, ++ { PM_CYC_ALT, PM_CYC }, ++ { PM_INST_CMPL_ALT, PM_INST_CMPL }, + }; + + static int power10_get_alternatives(u64 event, unsigned int flags, u64 alt[]) +@@ -118,8 +118,8 @@ static int power10_check_attr_config(struct perf_event *ev) + return 0; + } + +-GENERIC_EVENT_ATTR(cpu-cycles, PM_RUN_CYC); +-GENERIC_EVENT_ATTR(instructions, PM_RUN_INST_CMPL); ++GENERIC_EVENT_ATTR(cpu-cycles, PM_CYC); ++GENERIC_EVENT_ATTR(instructions, PM_INST_CMPL); + GENERIC_EVENT_ATTR(branch-instructions, PM_BR_CMPL); + GENERIC_EVENT_ATTR(branch-misses, PM_BR_MPRED_CMPL); + GENERIC_EVENT_ATTR(cache-references, PM_LD_REF_L1); +@@ -148,8 +148,8 @@ CACHE_EVENT_ATTR(dTLB-load-misses, PM_DTLB_MISS); + CACHE_EVENT_ATTR(iTLB-load-misses, PM_ITLB_MISS); + + static struct attribute *power10_events_attr_dd1[] = { +- GENERIC_EVENT_PTR(PM_RUN_CYC), +- GENERIC_EVENT_PTR(PM_RUN_INST_CMPL), ++ GENERIC_EVENT_PTR(PM_CYC), ++ GENERIC_EVENT_PTR(PM_INST_CMPL), + GENERIC_EVENT_PTR(PM_BR_CMPL), + GENERIC_EVENT_PTR(PM_BR_MPRED_CMPL), + GENERIC_EVENT_PTR(PM_LD_REF_L1), +@@ -173,8 +173,8 @@ static struct attribute *power10_events_attr_dd1[] = { + }; + + static struct attribute *power10_events_attr[] = { +- GENERIC_EVENT_PTR(PM_RUN_CYC), +- GENERIC_EVENT_PTR(PM_RUN_INST_CMPL), ++ GENERIC_EVENT_PTR(PM_CYC), ++ GENERIC_EVENT_PTR(PM_INST_CMPL), + GENERIC_EVENT_PTR(PM_BR_FIN), + GENERIC_EVENT_PTR(PM_MPRED_BR_FIN), + GENERIC_EVENT_PTR(PM_LD_REF_L1), +@@ -271,8 +271,8 @@ static const struct attribute_group *power10_pmu_attr_groups[] = { + }; + + static int power10_generic_events_dd1[] = { +- [PERF_COUNT_HW_CPU_CYCLES] = PM_RUN_CYC, +- [PERF_COUNT_HW_INSTRUCTIONS] = PM_RUN_INST_CMPL, ++ [PERF_COUNT_HW_CPU_CYCLES] = PM_CYC, ++ [PERF_COUNT_HW_INSTRUCTIONS] = PM_INST_CMPL, + [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = PM_BR_CMPL, + [PERF_COUNT_HW_BRANCH_MISSES] = PM_BR_MPRED_CMPL, + [PERF_COUNT_HW_CACHE_REFERENCES] = PM_LD_REF_L1, +@@ -280,8 +280,8 @@ static int power10_generic_events_dd1[] = { + }; + + static int power10_generic_events[] = { +- [PERF_COUNT_HW_CPU_CYCLES] = PM_RUN_CYC, +- [PERF_COUNT_HW_INSTRUCTIONS] = PM_RUN_INST_CMPL, ++ [PERF_COUNT_HW_CPU_CYCLES] = PM_CYC, ++ [PERF_COUNT_HW_INSTRUCTIONS] = PM_INST_CMPL, + [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = PM_BR_FIN, + [PERF_COUNT_HW_BRANCH_MISSES] = PM_MPRED_BR_FIN, + [PERF_COUNT_HW_CACHE_REFERENCES] = PM_LD_REF_L1, +@@ -548,6 +548,24 @@ static u64 power10_cache_events[C(MAX)][C(OP_MAX)][C(RESULT_MAX)] = { + + #undef C + ++/* ++ * Set the MMCR0[CC56RUN] bit to enable counting for ++ * PMC5 and PMC6 regardless of the state of CTRL[RUN], ++ * so that we can use counters 5 and 6 as PM_INST_CMPL and ++ * PM_CYC. ++ */ ++static int power10_compute_mmcr(u64 event[], int n_ev, ++ unsigned int hwc[], struct mmcr_regs *mmcr, ++ struct perf_event *pevents[], u32 flags) ++{ ++ int ret; ++ ++ ret = isa207_compute_mmcr(event, n_ev, hwc, mmcr, pevents, flags); ++ if (!ret) ++ mmcr->mmcr0 |= MMCR0_C56RUN; ++ return ret; ++} ++ + static struct power_pmu power10_pmu = { + .name = "POWER10", + .n_counter = MAX_PMU_COUNTERS, +@@ -555,7 +573,7 @@ static struct power_pmu power10_pmu = { + .test_adder = ISA207_TEST_ADDER, + .group_constraint_mask = CNST_CACHE_PMC4_MASK, + .group_constraint_val = CNST_CACHE_PMC4_VAL, +- .compute_mmcr = isa207_compute_mmcr, ++ .compute_mmcr = power10_compute_mmcr, + .config_bhrb = power10_config_bhrb, + .bhrb_filter_map = power10_bhrb_filter_map, + .get_constraint = isa207_get_constraint, +-- +2.33.0 + diff --git a/queue-5.15/powerpc-xmon-fix-task-state-output.patch b/queue-5.15/powerpc-xmon-fix-task-state-output.patch new file mode 100644 index 00000000000..e4b24053fcc --- /dev/null +++ b/queue-5.15/powerpc-xmon-fix-task-state-output.patch @@ -0,0 +1,39 @@ +From f79daff2812660b386e06549a17b602cdb43a407 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 16:31:08 +0300 +Subject: powerpc/xmon: fix task state output + +From: Denis Kirjanov + +[ Upstream commit b1f896ce3542eb2eede5949ee2e481526fae1108 ] + +p_state is unsigned since the commit 2f064a59a11f + +The patch also uses TASK_RUNNING instead of null. + +Fixes: 2f064a59a11f ("sched: Change task_struct::state") +Signed-off-by: Denis Kirjanov +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211026133108.7113-1-kda@linux-powerpc.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/xmon/xmon.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c +index dd8241c009e53..8b28ff9d98d16 100644 +--- a/arch/powerpc/xmon/xmon.c ++++ b/arch/powerpc/xmon/xmon.c +@@ -3264,8 +3264,7 @@ static void show_task(struct task_struct *volatile tsk) + * appropriate for calling from xmon. This could be moved + * to a common, generic, routine used by both. + */ +- state = (p_state == 0) ? 'R' : +- (p_state < 0) ? 'U' : ++ state = (p_state == TASK_RUNNING) ? 'R' : + (p_state & TASK_UNINTERRUPTIBLE) ? 'D' : + (p_state & TASK_STOPPED) ? 'T' : + (p_state & TASK_TRACED) ? 'C' : +-- +2.33.0 + diff --git a/queue-5.15/qed-don-t-ignore-devlink-allocation-failures.patch b/queue-5.15/qed-don-t-ignore-devlink-allocation-failures.patch new file mode 100644 index 00000000000..69473059694 --- /dev/null +++ b/queue-5.15/qed-don-t-ignore-devlink-allocation-failures.patch @@ -0,0 +1,71 @@ +From 4ad684a17a613877f24543e73eb79d0429ea7b13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 21:12:53 +0300 +Subject: qed: Don't ignore devlink allocation failures + +From: Leon Romanovsky + +[ Upstream commit e6a54d6f221301347aaf9d83bb1f23129325c1c5 ] + +devlink is a software interface that doesn't depend on any hardware +capabilities. The failure in SW means memory issues, wrong parameters, +programmer error e.t.c. + +Like any other such interface in the kernel, the returned status of +devlink APIs should be checked and propagated further and not ignored. + +Fixes: 755f982bb1ff ("qed/qede: make devlink survive recovery") +Signed-off-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qede/qede_main.c | 12 +++++------- + drivers/scsi/qedf/qedf_main.c | 2 ++ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c b/drivers/net/ethernet/qlogic/qede/qede_main.c +index 9837bdb89cd40..ee4c3bd28a934 100644 +--- a/drivers/net/ethernet/qlogic/qede/qede_main.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_main.c +@@ -1176,19 +1176,17 @@ static int __qede_probe(struct pci_dev *pdev, u32 dp_module, u8 dp_level, + edev->devlink = qed_ops->common->devlink_register(cdev); + if (IS_ERR(edev->devlink)) { + DP_NOTICE(edev, "Cannot register devlink\n"); ++ rc = PTR_ERR(edev->devlink); + edev->devlink = NULL; +- /* Go on, we can live without devlink */ ++ goto err3; + } + } else { + struct net_device *ndev = pci_get_drvdata(pdev); ++ struct qed_devlink *qdl; + + edev = netdev_priv(ndev); +- +- if (edev->devlink) { +- struct qed_devlink *qdl = devlink_priv(edev->devlink); +- +- qdl->cdev = cdev; +- } ++ qdl = devlink_priv(edev->devlink); ++ qdl->cdev = cdev; + edev->cdev = cdev; + memset(&edev->stats, 0, sizeof(edev->stats)); + memcpy(&edev->dev_info, &dev_info, sizeof(dev_info)); +diff --git a/drivers/scsi/qedf/qedf_main.c b/drivers/scsi/qedf/qedf_main.c +index 42d0d941dba5c..94ee08fab46a5 100644 +--- a/drivers/scsi/qedf/qedf_main.c ++++ b/drivers/scsi/qedf/qedf_main.c +@@ -3416,7 +3416,9 @@ retry_probe: + qedf->devlink = qed_ops->common->devlink_register(qedf->cdev); + if (IS_ERR(qedf->devlink)) { + QEDF_ERR(&qedf->dbg_ctx, "Cannot register devlink\n"); ++ rc = PTR_ERR(qedf->devlink); + qedf->devlink = NULL; ++ goto err2; + } + } + +-- +2.33.0 + diff --git a/queue-5.15/rcu-always-inline-rcu_dynticks_task-_-enter-exit.patch b/queue-5.15/rcu-always-inline-rcu_dynticks_task-_-enter-exit.patch new file mode 100644 index 00000000000..21b1c8dc0a3 --- /dev/null +++ b/queue-5.15/rcu-always-inline-rcu_dynticks_task-_-enter-exit.patch @@ -0,0 +1,73 @@ +From 23fc3dcaca2eb44e55f6ed42797ddcfd69405570 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 10:40:21 +0200 +Subject: rcu: Always inline rcu_dynticks_task*_{enter,exit}() + +From: Peter Zijlstra + +[ Upstream commit 7663ad9a5dbcc27f3090e6bfd192c7e59222709f ] + +RCU managed to grow a few noinstr violations: + + vmlinux.o: warning: objtool: rcu_dynticks_eqs_enter()+0x0: call to rcu_dynticks_task_trace_enter() leaves .noinstr.text section + vmlinux.o: warning: objtool: rcu_dynticks_eqs_exit()+0xe: call to rcu_dynticks_task_trace_exit() leaves .noinstr.text section + +Fix them by adding __always_inline to the relevant trivial functions. + +Also replace the noinstr with __always_inline for the existing +rcu_dynticks_task_*() functions since noinstr would force noinline +them, even when empty, which seems silly. + +Fixes: 7d0c9c50c5a1 ("rcu-tasks: Avoid IPIing userspace/idle tasks if kernel is so built") +Reported-by: Stephen Rothwell +Reviewed-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_plugin.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h +index d070059163d70..0d21a5cdc7247 100644 +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -1480,7 +1480,7 @@ static void rcu_bind_gp_kthread(void) + } + + /* Record the current task on dyntick-idle entry. */ +-static void noinstr rcu_dynticks_task_enter(void) ++static __always_inline void rcu_dynticks_task_enter(void) + { + #if defined(CONFIG_TASKS_RCU) && defined(CONFIG_NO_HZ_FULL) + WRITE_ONCE(current->rcu_tasks_idle_cpu, smp_processor_id()); +@@ -1488,7 +1488,7 @@ static void noinstr rcu_dynticks_task_enter(void) + } + + /* Record no current task on dyntick-idle exit. */ +-static void noinstr rcu_dynticks_task_exit(void) ++static __always_inline void rcu_dynticks_task_exit(void) + { + #if defined(CONFIG_TASKS_RCU) && defined(CONFIG_NO_HZ_FULL) + WRITE_ONCE(current->rcu_tasks_idle_cpu, -1); +@@ -1496,7 +1496,7 @@ static void noinstr rcu_dynticks_task_exit(void) + } + + /* Turn on heavyweight RCU tasks trace readers on idle/user entry. */ +-static void rcu_dynticks_task_trace_enter(void) ++static __always_inline void rcu_dynticks_task_trace_enter(void) + { + #ifdef CONFIG_TASKS_TRACE_RCU + if (IS_ENABLED(CONFIG_TASKS_TRACE_RCU_READ_MB)) +@@ -1505,7 +1505,7 @@ static void rcu_dynticks_task_trace_enter(void) + } + + /* Turn off heavyweight RCU tasks trace readers on idle/user exit. */ +-static void rcu_dynticks_task_trace_exit(void) ++static __always_inline void rcu_dynticks_task_trace_exit(void) + { + #ifdef CONFIG_TASKS_TRACE_RCU + if (IS_ENABLED(CONFIG_TASKS_TRACE_RCU_READ_MB)) +-- +2.33.0 + diff --git a/queue-5.15/rcu-fix-existing-exp-request-check-in-sync_sched_exp.patch b/queue-5.15/rcu-fix-existing-exp-request-check-in-sync_sched_exp.patch new file mode 100644 index 00000000000..081977e510b --- /dev/null +++ b/queue-5.15/rcu-fix-existing-exp-request-check-in-sync_sched_exp.patch @@ -0,0 +1,45 @@ +From c658e79293985d229952273b457b1a64dc85e1fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 13:34:00 +0530 +Subject: rcu: Fix existing exp request check in + sync_sched_exp_online_cleanup() + +From: Neeraj Upadhyay + +[ Upstream commit f0b2b2df5423fb369ac762c77900bc7765496d58 ] + +The sync_sched_exp_online_cleanup() checks to see if RCU needs +an expedited quiescent state from the incoming CPU, sending it +an IPI if so. Before sending IPI, it checks whether expedited +qs need has been already requested for the incoming CPU, by +checking rcu_data.cpu_no_qs.b.exp for the current cpu, on which +sync_sched_exp_online_cleanup() is running. This works for the +case where incoming CPU is same as self. However, for the case +where incoming CPU is different from self, expedited request +won't get marked, which can potentially delay reporting of +expedited quiescent state for the incoming CPU. + +Fixes: e015a3411220 ("rcu: Avoid self-IPI in sync_sched_exp_online_cleanup()") +Signed-off-by: Neeraj Upadhyay +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_exp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h +index 2796084ef85a5..454b516ea566e 100644 +--- a/kernel/rcu/tree_exp.h ++++ b/kernel/rcu/tree_exp.h +@@ -760,7 +760,7 @@ static void sync_sched_exp_online_cleanup(int cpu) + my_cpu = get_cpu(); + /* Quiescent state either not needed or already requested, leave. */ + if (!(READ_ONCE(rnp->expmask) & rdp->grpmask) || +- __this_cpu_read(rcu_data.cpu_no_qs.b.exp)) { ++ rdp->cpu_no_qs.b.exp) { + put_cpu(); + return; + } +-- +2.33.0 + diff --git a/queue-5.15/rcu-fix-rcu_dynticks_curr_cpu_in_eqs-vs-noinstr.patch b/queue-5.15/rcu-fix-rcu_dynticks_curr_cpu_in_eqs-vs-noinstr.patch new file mode 100644 index 00000000000..63024bb582d --- /dev/null +++ b/queue-5.15/rcu-fix-rcu_dynticks_curr_cpu_in_eqs-vs-noinstr.patch @@ -0,0 +1,40 @@ +From f2fbca8d66e83c0392c28c836570c40dc5fec1b4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 10:40:22 +0200 +Subject: rcu: Fix rcu_dynticks_curr_cpu_in_eqs() vs noinstr + +From: Peter Zijlstra + +[ Upstream commit 74aece72f95f399dd29363669dc32a1344c8fab4 ] + + vmlinux.o: warning: objtool: rcu_nmi_enter()+0x36: call to __kasan_check_read() leaves .noinstr.text section + +noinstr cannot have atomic_*() functions in because they're explicitly +annotated, use arch_atomic_*(). + +Fixes: 2be57f732889 ("rcu: Weaken ->dynticks accesses and updates") +Reported-by: Stephen Rothwell +Reviewed-by: Thomas Gleixner +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c +index bce848e50512e..bdd1dc6de71ab 100644 +--- a/kernel/rcu/tree.c ++++ b/kernel/rcu/tree.c +@@ -327,7 +327,7 @@ static void rcu_dynticks_eqs_online(void) + */ + static __always_inline bool rcu_dynticks_curr_cpu_in_eqs(void) + { +- return !(atomic_read(this_cpu_ptr(&rcu_data.dynticks)) & 0x1); ++ return !(arch_atomic_read(this_cpu_ptr(&rcu_data.dynticks)) & 0x1); + } + + /* +-- +2.33.0 + diff --git a/queue-5.15/rcu-tasks-move-rtgs_wait_cbs-to-beginning-of-rcu_tas.patch b/queue-5.15/rcu-tasks-move-rtgs_wait_cbs-to-beginning-of-rcu_tas.patch new file mode 100644 index 00000000000..b1b7a019a67 --- /dev/null +++ b/queue-5.15/rcu-tasks-move-rtgs_wait_cbs-to-beginning-of-rcu_tas.patch @@ -0,0 +1,46 @@ +From 7e2717e9dd7f193488196d6e0fc9f3e1881e0c94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Aug 2021 09:07:44 -0700 +Subject: rcu-tasks: Move RTGS_WAIT_CBS to beginning of rcu_tasks_kthread() + loop + +From: Paul E. McKenney + +[ Upstream commit 0db7c32ad3160ae06f497d48a74bd46a2a35e6bf ] + +Early in debugging, it made some sense to differentiate the first +iteration from subsequent iterations, but now this just causes confusion. +This commit therefore moves the "set_tasks_gp_state(rtp, RTGS_WAIT_CBS)" +statement to the beginning of the "for" loop in rcu_tasks_kthread(). + +Reported-by: Neeraj Upadhyay +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tasks.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/kernel/rcu/tasks.h b/kernel/rcu/tasks.h +index 806160c44b172..6591914af4864 100644 +--- a/kernel/rcu/tasks.h ++++ b/kernel/rcu/tasks.h +@@ -197,6 +197,7 @@ static int __noreturn rcu_tasks_kthread(void *arg) + * This loop is terminated by the system going down. ;-) + */ + for (;;) { ++ set_tasks_gp_state(rtp, RTGS_WAIT_CBS); + + /* Pick up any new callbacks. */ + raw_spin_lock_irqsave(&rtp->cbs_lock, flags); +@@ -236,8 +237,6 @@ static int __noreturn rcu_tasks_kthread(void *arg) + } + /* Paranoid sleep to keep this from entering a tight loop */ + schedule_timeout_idle(rtp->gp_sleep); +- +- set_tasks_gp_state(rtp, RTGS_WAIT_CBS); + } + } + +-- +2.33.0 + diff --git a/queue-5.15/rcutorture-avoid-problematic-critical-section-nestin.patch b/queue-5.15/rcutorture-avoid-problematic-critical-section-nestin.patch new file mode 100644 index 00000000000..a1406eb5db7 --- /dev/null +++ b/queue-5.15/rcutorture-avoid-problematic-critical-section-nestin.patch @@ -0,0 +1,128 @@ +From d7582a6b8e7006b94af42a626b354c40650bebf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Aug 2021 09:42:36 +0200 +Subject: rcutorture: Avoid problematic critical section nesting on PREEMPT_RT + +From: Scott Wood + +[ Upstream commit 71921a9606ddbcc1d98c00eca7ae82c373d1fecd ] + +rcutorture is generating some nesting scenarios that are not compatible on PREEMPT_RT. +For example: + preempt_disable(); + rcu_read_lock_bh(); + preempt_enable(); + rcu_read_unlock_bh(); + +The problem here is that on PREEMPT_RT the bottom halves have to be +disabled and enabled in preemptible context. + +Reorder locking: start with BH locking and continue with then with +disabling preemption or interrupts. In the unlocking do it reverse by +first enabling interrupts and preemption and BH at the very end. +Ensure that on PREEMPT_RT BH locking remains unchanged if in +non-preemptible context. + +Link: https://lkml.kernel.org/r/20190911165729.11178-6-swood@redhat.com +Link: https://lkml.kernel.org/r/20210819182035.GF4126399@paulmck-ThinkPad-P17-Gen-1 +Signed-off-by: Scott Wood +[bigeasy: Drop ATOM_BH, make it only about changing BH in atomic +context. Allow enabling RCU in IRQ-off section. Reword commit message.] +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/rcutorture.c | 48 ++++++++++++++++++++++++++++++----------- + 1 file changed, 36 insertions(+), 12 deletions(-) + +diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c +index ab4215266ebee..968696ace8f3f 100644 +--- a/kernel/rcu/rcutorture.c ++++ b/kernel/rcu/rcutorture.c +@@ -1432,28 +1432,34 @@ static void rcutorture_one_extend(int *readstate, int newstate, + /* First, put new protection in place to avoid critical-section gap. */ + if (statesnew & RCUTORTURE_RDR_BH) + local_bh_disable(); ++ if (statesnew & RCUTORTURE_RDR_RBH) ++ rcu_read_lock_bh(); + if (statesnew & RCUTORTURE_RDR_IRQ) + local_irq_disable(); + if (statesnew & RCUTORTURE_RDR_PREEMPT) + preempt_disable(); +- if (statesnew & RCUTORTURE_RDR_RBH) +- rcu_read_lock_bh(); + if (statesnew & RCUTORTURE_RDR_SCHED) + rcu_read_lock_sched(); + if (statesnew & RCUTORTURE_RDR_RCU) + idxnew = cur_ops->readlock() << RCUTORTURE_RDR_SHIFT; + +- /* Next, remove old protection, irq first due to bh conflict. */ ++ /* ++ * Next, remove old protection, in decreasing order of strength ++ * to avoid unlock paths that aren't safe in the stronger ++ * context. Namely: BH can not be enabled with disabled interrupts. ++ * Additionally PREEMPT_RT requires that BH is enabled in preemptible ++ * context. ++ */ + if (statesold & RCUTORTURE_RDR_IRQ) + local_irq_enable(); +- if (statesold & RCUTORTURE_RDR_BH) +- local_bh_enable(); + if (statesold & RCUTORTURE_RDR_PREEMPT) + preempt_enable(); +- if (statesold & RCUTORTURE_RDR_RBH) +- rcu_read_unlock_bh(); + if (statesold & RCUTORTURE_RDR_SCHED) + rcu_read_unlock_sched(); ++ if (statesold & RCUTORTURE_RDR_BH) ++ local_bh_enable(); ++ if (statesold & RCUTORTURE_RDR_RBH) ++ rcu_read_unlock_bh(); + if (statesold & RCUTORTURE_RDR_RCU) { + bool lockit = !statesnew && !(torture_random(trsp) & 0xffff); + +@@ -1496,6 +1502,9 @@ rcutorture_extend_mask(int oldmask, struct torture_random_state *trsp) + int mask = rcutorture_extend_mask_max(); + unsigned long randmask1 = torture_random(trsp) >> 8; + unsigned long randmask2 = randmask1 >> 3; ++ unsigned long preempts = RCUTORTURE_RDR_PREEMPT | RCUTORTURE_RDR_SCHED; ++ unsigned long preempts_irq = preempts | RCUTORTURE_RDR_IRQ; ++ unsigned long bhs = RCUTORTURE_RDR_BH | RCUTORTURE_RDR_RBH; + + WARN_ON_ONCE(mask >> RCUTORTURE_RDR_SHIFT); + /* Mostly only one bit (need preemption!), sometimes lots of bits. */ +@@ -1503,11 +1512,26 @@ rcutorture_extend_mask(int oldmask, struct torture_random_state *trsp) + mask = mask & randmask2; + else + mask = mask & (1 << (randmask2 % RCUTORTURE_RDR_NBITS)); +- /* Can't enable bh w/irq disabled. */ +- if ((mask & RCUTORTURE_RDR_IRQ) && +- ((!(mask & RCUTORTURE_RDR_BH) && (oldmask & RCUTORTURE_RDR_BH)) || +- (!(mask & RCUTORTURE_RDR_RBH) && (oldmask & RCUTORTURE_RDR_RBH)))) +- mask |= RCUTORTURE_RDR_BH | RCUTORTURE_RDR_RBH; ++ ++ /* ++ * Can't enable bh w/irq disabled. ++ */ ++ if (mask & RCUTORTURE_RDR_IRQ) ++ mask |= oldmask & bhs; ++ ++ /* ++ * Ideally these sequences would be detected in debug builds ++ * (regardless of RT), but until then don't stop testing ++ * them on non-RT. ++ */ ++ if (IS_ENABLED(CONFIG_PREEMPT_RT)) { ++ /* Can't modify BH in atomic context */ ++ if (oldmask & preempts_irq) ++ mask &= ~bhs; ++ if ((oldmask | mask) & preempts_irq) ++ mask |= oldmask & bhs; ++ } ++ + return mask ?: RCUTORTURE_RDR_RCU; + } + +-- +2.33.0 + diff --git a/queue-5.15/rdma-bnxt_re-fix-query-srq-failure.patch b/queue-5.15/rdma-bnxt_re-fix-query-srq-failure.patch new file mode 100644 index 00000000000..9e80299f3c5 --- /dev/null +++ b/queue-5.15/rdma-bnxt_re-fix-query-srq-failure.patch @@ -0,0 +1,43 @@ +From afd87d6692b0d8039f476e3ace027868bc198d60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 05:32:38 -0700 +Subject: RDMA/bnxt_re: Fix query SRQ failure + +From: Selvin Xavier + +[ Upstream commit 598d16fa1bf93431ad35bbab3ed1affe4fb7b562 ] + +Fill the missing parameters for the FW command while querying SRQ. + +Fixes: 37cb11acf1f7 ("RDMA/bnxt_re: Add SRQ support for Broadcom adapters") +Link: https://lore.kernel.org/r/1631709163-2287-8-git-send-email-selvin.xavier@broadcom.com +Signed-off-by: Selvin Xavier +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.c b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +index d4d4959c2434c..bd153aa7e9ab3 100644 +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -707,12 +707,13 @@ int bnxt_qplib_query_srq(struct bnxt_qplib_res *res, + int rc = 0; + + RCFW_CMD_PREP(req, QUERY_SRQ, cmd_flags); +- req.srq_cid = cpu_to_le32(srq->id); + + /* Configure the request */ + sbuf = bnxt_qplib_rcfw_alloc_sbuf(rcfw, sizeof(*sb)); + if (!sbuf) + return -ENOMEM; ++ req.resp_size = sizeof(*sb) / BNXT_QPLIB_CMDQE_UNITS; ++ req.srq_cid = cpu_to_le32(srq->id); + sb = sbuf->sb; + rc = bnxt_qplib_rcfw_send_message(rcfw, (void *)&req, (void *)&resp, + (void *)sbuf, 0); +-- +2.33.0 + diff --git a/queue-5.15/rdma-core-require-the-driver-to-set-the-iova-correct.patch b/queue-5.15/rdma-core-require-the-driver-to-set-the-iova-correct.patch new file mode 100644 index 00000000000..ddbc163d2b2 --- /dev/null +++ b/queue-5.15/rdma-core-require-the-driver-to-set-the-iova-correct.patch @@ -0,0 +1,54 @@ +From 89757e4fdae2c291002a4dad30b8d7016c89a37f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 08:55:22 +0300 +Subject: RDMA/core: Require the driver to set the IOVA correctly during + rereg_mr + +From: Aharon Landau + +[ Upstream commit f1a090f09f42be5a5542009f0be310fdb3e768fc ] + +If the driver returns a new MR during rereg it has to fill it with the +IOVA from the proper source. If IB_MR_REREG_TRANS is set then the IOVA is +cmd.hca_va, otherwise the IOVA comes from the old MR. mlx5 for example has +two calls inside rereg_mr: + + return create_real_mr(new_pd, umem, mr->ibmr.iova, + new_access_flags); +and + return create_real_mr(new_pd, new_umem, iova, new_access_flags); + +Unconditionally overwriting the iova in the newly allocated MR will +corrupt the iova if the first path is used. + +Remove the redundant initializations from ib_uverbs_rereg_mr(). + +Fixes: 6e0954b11c05 ("RDMA/uverbs: Allow drivers to create a new HW object during rereg_mr") +Link: https://lore.kernel.org/r/4b0a31bbc372842613286a10d7a8cbb0ee6069c7.1635400472.git.leonro@nvidia.com +Signed-off-by: Aharon Landau +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/uverbs_cmd.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c +index 740e6b2efe0e7..d1345d76d9b12 100644 +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -837,11 +837,8 @@ static int ib_uverbs_rereg_mr(struct uverbs_attr_bundle *attrs) + new_mr->device = new_pd->device; + new_mr->pd = new_pd; + new_mr->type = IB_MR_TYPE_USER; +- new_mr->dm = NULL; +- new_mr->sig_attrs = NULL; + new_mr->uobject = uobj; + atomic_inc(&new_pd->usecnt); +- new_mr->iova = cmd.hca_va; + new_uobj->object = new_mr; + + rdma_restrack_new(&new_mr->res, RDMA_RESTRACK_MR); +-- +2.33.0 + diff --git a/queue-5.15/rdma-core-set-sgtable-nents-when-using-ib_dma_virt_m.patch b/queue-5.15/rdma-core-set-sgtable-nents-when-using-ib_dma_virt_m.patch new file mode 100644 index 00000000000..3cbdf51e5c9 --- /dev/null +++ b/queue-5.15/rdma-core-set-sgtable-nents-when-using-ib_dma_virt_m.patch @@ -0,0 +1,49 @@ +From 8c7f93d071a87932b07e45970e71bd19eaff3490 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 10:59:42 -0600 +Subject: RDMA/core: Set sgtable nents when using ib_dma_virt_map_sg() + +From: Logan Gunthorpe + +[ Upstream commit ac0fffa0859b8e1e991939663b3ebdd80bf979e6 ] + +ib_dma_map_sgtable_attrs() should be mapping the sgls and setting nents +but the ib_uses_virt_dma() path falls back to ib_dma_virt_map_sg() which +will not set the nents in the sgtable. + +Check the return value (per the map_sg calling convention) and set +sgt->nents appropriately on success. + +Fixes: 79fbd3e1241c ("RDMA: Use the sg_table directly and remove the opencoded version from umem") +Link: https://lore.kernel.org/r/20211013165942.89806-1-logang@deltatee.com +Reported-by: Bart Van Assche +Signed-off-by: Logan Gunthorpe +Tested-by: Bart Van Assche +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + include/rdma/ib_verbs.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/include/rdma/ib_verbs.h b/include/rdma/ib_verbs.h +index 4b50d9a3018a6..4ba642fc8a19a 100644 +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -4097,8 +4097,13 @@ static inline int ib_dma_map_sgtable_attrs(struct ib_device *dev, + enum dma_data_direction direction, + unsigned long dma_attrs) + { ++ int nents; ++ + if (ib_uses_virt_dma(dev)) { +- ib_dma_virt_map_sg(dev, sgt->sgl, sgt->orig_nents); ++ nents = ib_dma_virt_map_sg(dev, sgt->sgl, sgt->orig_nents); ++ if (!nents) ++ return -EIO; ++ sgt->nents = nents; + return 0; + } + return dma_map_sgtable(dev->dma_device, sgt, direction, dma_attrs); +-- +2.33.0 + diff --git a/queue-5.15/rdma-hns-fix-initial-arm_st-of-cq.patch b/queue-5.15/rdma-hns-fix-initial-arm_st-of-cq.patch new file mode 100644 index 00000000000..8796ee65d36 --- /dev/null +++ b/queue-5.15/rdma-hns-fix-initial-arm_st-of-cq.patch @@ -0,0 +1,39 @@ +From 56684aeaaa912349ef6253bc00ea742c4958641d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 17:58:46 +0800 +Subject: RDMA/hns: Fix initial arm_st of CQ + +From: Haoyue Xu + +[ Upstream commit 571fb4fb78a3bf0fcadbe65eca9ca4ccee885af4 ] + +We set the init CQ status to ARMED before. As a result, an unexpected CEQE +would be reported. Therefore, the init CQ status should be set to no_armed +rather than REG_NXT_CEQE. + +Fixes: a5073d6054f7 ("RDMA/hns: Add eq support of hip08") +Link: https://lore.kernel.org/r/20211029095846.26732-1-liangwenpeng@huawei.com +Signed-off-by: Haoyue Xu +Signed-off-by: Wenpeng Liang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index d5f3faa1627a4..8e5f0862896ee 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -3328,7 +3328,7 @@ static void hns_roce_v2_write_cqc(struct hns_roce_dev *hr_dev, + memset(cq_context, 0, sizeof(*cq_context)); + + hr_reg_write(cq_context, CQC_CQ_ST, V2_CQ_STATE_VALID); +- hr_reg_write(cq_context, CQC_ARM_ST, REG_NXT_CEQE); ++ hr_reg_write(cq_context, CQC_ARM_ST, NO_ARMED); + hr_reg_write(cq_context, CQC_SHIFT, ilog2(hr_cq->cq_depth)); + hr_reg_write(cq_context, CQC_CEQN, hr_cq->vector); + hr_reg_write(cq_context, CQC_CQN, hr_cq->cqn); +-- +2.33.0 + diff --git a/queue-5.15/rdma-hns-modify-the-value-of-max_lp_msg_len-to-meet-.patch b/queue-5.15/rdma-hns-modify-the-value-of-max_lp_msg_len-to-meet-.patch new file mode 100644 index 00000000000..b055acc6981 --- /dev/null +++ b/queue-5.15/rdma-hns-modify-the-value-of-max_lp_msg_len-to-meet-.patch @@ -0,0 +1,44 @@ +From 5262e9a6b42119ea8bf0819452e35e979a4a3bf9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 18:05:37 +0800 +Subject: RDMA/hns: Modify the value of MAX_LP_MSG_LEN to meet hardware + compatibility + +From: Yixing Liu + +[ Upstream commit 0e60778efb072d47efc7100c4009b5bd97273b0b ] + +The upper limit of MAX_LP_MSG_LEN on HIP08 is 64K, and the upper limit on +HIP09 is 16K. Regardless of whether it is HIP08 or HIP09, only 16K will be +used. In order to ensure compatibility, it is unified to 16K. + +Setting MAX_LP_MSG_LEN to 16K will not cause performance loss on HIP08. + +Fixes: fbed9d2be292 ("RDMA/hns: Fix configuration of ack_req_freq in QPC") +Link: https://lore.kernel.org/r/20211029100537.27299-1-liangwenpeng@huawei.com +Signed-off-by: Yixing Liu +Signed-off-by: Wenpeng Liang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +index 8e5f0862896ee..a9c6ffef9640f 100644 +--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c ++++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c +@@ -4399,8 +4399,8 @@ static int modify_qp_init_to_rtr(struct ib_qp *ibqp, + mtu = ib_mtu_enum_to_int(ib_mtu); + if (WARN_ON(mtu <= 0)) + return -EINVAL; +-#define MAX_LP_MSG_LEN 65536 +- /* MTU * (2 ^ LP_PKTN_INI) shouldn't be bigger than 64KB */ ++#define MAX_LP_MSG_LEN 16384 ++ /* MTU * (2 ^ LP_PKTN_INI) shouldn't be bigger than 16KB */ + lp_pktn_ini = ilog2(MAX_LP_MSG_LEN / mtu); + if (WARN_ON(lp_pktn_ini >= 0xF)) + return -EINVAL; +-- +2.33.0 + diff --git a/queue-5.15/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch b/queue-5.15/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch new file mode 100644 index 00000000000..49ec190a279 --- /dev/null +++ b/queue-5.15/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch @@ -0,0 +1,42 @@ +From 124ffedc57014a8dc306603e2ec8d5c100b303a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 10:28:43 +0300 +Subject: RDMA/mlx4: Return missed an error if device doesn't support steering + +From: Leon Romanovsky + +[ Upstream commit f4e56ec4452f48b8292dcf0e1c4bdac83506fb8b ] + +The error flow fixed in this patch is not possible because all kernel +users of create QP interface check that device supports steering before +set IB_QP_CREATE_NETIF_QP flag. + +Fixes: c1c98501121e ("IB/mlx4: Add support for steerable IB UD QPs") +Link: https://lore.kernel.org/r/91c61f6e60eb0240f8bbc321fda7a1d2986dd03c.1634023677.git.leonro@nvidia.com +Reported-by: Dan Carpenter +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/qp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c +index 8662f462e2a5f..3a1a4ac9dd33d 100644 +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -1099,8 +1099,10 @@ static int create_qp_common(struct ib_pd *pd, struct ib_qp_init_attr *init_attr, + if (dev->steering_support == + MLX4_STEERING_MODE_DEVICE_MANAGED) + qp->flags |= MLX4_IB_QP_NETIF; +- else ++ else { ++ err = -EINVAL; + goto err; ++ } + } + + err = set_kernel_sq_size(dev, &init_attr->cap, qp_type, qp); +-- +2.33.0 + diff --git a/queue-5.15/rdma-rxe-fix-wrong-port_cap_flags.patch b/queue-5.15/rdma-rxe-fix-wrong-port_cap_flags.patch new file mode 100644 index 00000000000..599b9db0fae --- /dev/null +++ b/queue-5.15/rdma-rxe-fix-wrong-port_cap_flags.patch @@ -0,0 +1,39 @@ +From 0d834300dbd0e7407f0e245d18f05b60a594bebb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Aug 2021 16:32:23 +0800 +Subject: RDMA/rxe: Fix wrong port_cap_flags + +From: Junji Wei + +[ Upstream commit dcd3f985b20ffcc375f82ca0ca9f241c7025eb5e ] + +The port->attr.port_cap_flags should be set to enum +ib_port_capability_mask_bits in ib_mad.h, not +RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP. + +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://lore.kernel.org/r/20210831083223.65797-1-weijunji@bytedance.com +Signed-off-by: Junji Wei +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/sw/rxe/rxe_param.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/sw/rxe/rxe_param.h b/drivers/infiniband/sw/rxe/rxe_param.h +index 742e6ec93686c..b5a70cbe94aac 100644 +--- a/drivers/infiniband/sw/rxe/rxe_param.h ++++ b/drivers/infiniband/sw/rxe/rxe_param.h +@@ -113,7 +113,7 @@ enum rxe_device_param { + /* default/initial rxe port parameters */ + enum rxe_port_param { + RXE_PORT_GID_TBL_LEN = 1024, +- RXE_PORT_PORT_CAP_FLAGS = RDMA_CORE_CAP_PROT_ROCE_UDP_ENCAP, ++ RXE_PORT_PORT_CAP_FLAGS = IB_PORT_CM_SUP, + RXE_PORT_MAX_MSG_SZ = 0x800000, + RXE_PORT_BAD_PKEY_CNTR = 0, + RXE_PORT_QKEY_VIOL_CNTR = 0, +-- +2.33.0 + diff --git a/queue-5.15/remoteproc-fix-a-memory-leak-in-an-error-handling-pa.patch b/queue-5.15/remoteproc-fix-a-memory-leak-in-an-error-handling-pa.patch new file mode 100644 index 00000000000..6305e95dc4b --- /dev/null +++ b/queue-5.15/remoteproc-fix-a-memory-leak-in-an-error-handling-pa.patch @@ -0,0 +1,57 @@ +From 61bbc3702e73a779ac347f3e23a9ad2dfb52551c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 13:37:32 +0200 +Subject: remoteproc: Fix a memory leak in an error handling path in + 'rproc_handle_vdev()' + +From: Christophe JAILLET + +[ Upstream commit 0374a4ea7269645c46c3eb288526ea072fa19e79 ] + +If 'copy_dma_range_map() fails, the memory allocated for 'rvdev' will leak. +Move the 'copy_dma_range_map()' call after the device registration so +that 'rproc_rvdev_release()' can be called to free some resources. + +Also, branch to the error handling path if 'copy_dma_range_map()' instead +of a direct return to avoid some other leaks. + +Fixes: e0d072782c73 ("dma-mapping: introduce DMA range map, supplanting dma_pfn_offset") +Signed-off-by: Christophe JAILLET +Reviewed-by: Jim Quinlan +Reviewed-by: Mathieu Poirier +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/e6d0dad6620da4fdf847faa903f79b735d35f262.1630755377.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/remoteproc_core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c +index 502b6604b757b..775df165eb450 100644 +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -556,9 +556,6 @@ static int rproc_handle_vdev(struct rproc *rproc, void *ptr, + /* Initialise vdev subdevice */ + snprintf(name, sizeof(name), "vdev%dbuffer", rvdev->index); + rvdev->dev.parent = &rproc->dev; +- ret = copy_dma_range_map(&rvdev->dev, rproc->dev.parent); +- if (ret) +- return ret; + rvdev->dev.release = rproc_rvdev_release; + dev_set_name(&rvdev->dev, "%s#%s", dev_name(rvdev->dev.parent), name); + dev_set_drvdata(&rvdev->dev, rvdev); +@@ -568,6 +565,11 @@ static int rproc_handle_vdev(struct rproc *rproc, void *ptr, + put_device(&rvdev->dev); + return ret; + } ++ ++ ret = copy_dma_range_map(&rvdev->dev, rproc->dev.parent); ++ if (ret) ++ goto free_rvdev; ++ + /* Make device dma capable by inheriting from parent's capabilities */ + set_dma_ops(&rvdev->dev, get_dma_ops(rproc->dev.parent)); + +-- +2.33.0 + diff --git a/queue-5.15/remoteproc-imx_rproc-fix-tcm-io-memory-type.patch b/queue-5.15/remoteproc-imx_rproc-fix-tcm-io-memory-type.patch new file mode 100644 index 00000000000..1650b34e911 --- /dev/null +++ b/queue-5.15/remoteproc-imx_rproc-fix-tcm-io-memory-type.patch @@ -0,0 +1,164 @@ +From f4b93cca66641d6e9738d50cd591072654e78fc8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 17:06:18 +0800 +Subject: remoteproc: imx_rproc: Fix TCM io memory type + +From: Dong Aisheng + +[ Upstream commit 91bb26637353f35241f5472eedf3202ebe13e2e5 ] + +is_iomem was introduced in the commit 40df0a91b2a5 ("remoteproc: add +is_iomem to da_to_va"), but the driver seemed missed to provide the io +type correctly. +This patch updates remoteproc driver to indicate the TCM on IMX are io +memories. Without the change, remoteproc kick will fail. + +Cc: Bjorn Andersson +Cc: Mathieu Poirier +Cc: Peng Fan +Reviewed-and-tested-by: Peng Fan +Fixes: 79806d32d5aa ("remoteproc: imx_rproc: support i.MX8MN/P") +Signed-off-by: Dong Aisheng +Signed-off-by: Peng Fan +stable +Link: https://lore.kernel.org/r/20210910090621.3073540-4-peng.fan@oss.nxp.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/remoteproc/imx_rproc.c | 35 ++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c +index d88f76f5305eb..71dcc6dd32e40 100644 +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -71,6 +71,7 @@ struct imx_rproc_mem { + /* att flags */ + /* M4 own area. Can be mapped at probe */ + #define ATT_OWN BIT(1) ++#define ATT_IOMEM BIT(2) + + /* address translation table */ + struct imx_rproc_att { +@@ -117,7 +118,7 @@ struct imx_rproc { + static const struct imx_rproc_att imx_rproc_att_imx8mn[] = { + /* dev addr , sys addr , size , flags */ + /* ITCM */ +- { 0x00000000, 0x007E0000, 0x00020000, ATT_OWN }, ++ { 0x00000000, 0x007E0000, 0x00020000, ATT_OWN | ATT_IOMEM }, + /* OCRAM_S */ + { 0x00180000, 0x00180000, 0x00009000, 0 }, + /* OCRAM */ +@@ -131,7 +132,7 @@ static const struct imx_rproc_att imx_rproc_att_imx8mn[] = { + /* DDR (Code) - alias */ + { 0x10000000, 0x40000000, 0x0FFE0000, 0 }, + /* DTCM */ +- { 0x20000000, 0x00800000, 0x00020000, ATT_OWN }, ++ { 0x20000000, 0x00800000, 0x00020000, ATT_OWN | ATT_IOMEM }, + /* OCRAM_S - alias */ + { 0x20180000, 0x00180000, 0x00008000, ATT_OWN }, + /* OCRAM */ +@@ -147,7 +148,7 @@ static const struct imx_rproc_att imx_rproc_att_imx8mn[] = { + static const struct imx_rproc_att imx_rproc_att_imx8mq[] = { + /* dev addr , sys addr , size , flags */ + /* TCML - alias */ +- { 0x00000000, 0x007e0000, 0x00020000, 0 }, ++ { 0x00000000, 0x007e0000, 0x00020000, ATT_IOMEM}, + /* OCRAM_S */ + { 0x00180000, 0x00180000, 0x00008000, 0 }, + /* OCRAM */ +@@ -159,9 +160,9 @@ static const struct imx_rproc_att imx_rproc_att_imx8mq[] = { + /* DDR (Code) - alias */ + { 0x10000000, 0x80000000, 0x0FFE0000, 0 }, + /* TCML */ +- { 0x1FFE0000, 0x007E0000, 0x00020000, ATT_OWN }, ++ { 0x1FFE0000, 0x007E0000, 0x00020000, ATT_OWN | ATT_IOMEM}, + /* TCMU */ +- { 0x20000000, 0x00800000, 0x00020000, ATT_OWN }, ++ { 0x20000000, 0x00800000, 0x00020000, ATT_OWN | ATT_IOMEM}, + /* OCRAM_S */ + { 0x20180000, 0x00180000, 0x00008000, ATT_OWN }, + /* OCRAM */ +@@ -199,12 +200,12 @@ static const struct imx_rproc_att imx_rproc_att_imx7d[] = { + /* OCRAM_PXP (Code) - alias */ + { 0x00940000, 0x00940000, 0x00008000, 0 }, + /* TCML (Code) */ +- { 0x1FFF8000, 0x007F8000, 0x00008000, ATT_OWN }, ++ { 0x1FFF8000, 0x007F8000, 0x00008000, ATT_OWN | ATT_IOMEM }, + /* DDR (Code) - alias, first part of DDR (Data) */ + { 0x10000000, 0x80000000, 0x0FFF0000, 0 }, + + /* TCMU (Data) */ +- { 0x20000000, 0x00800000, 0x00008000, ATT_OWN }, ++ { 0x20000000, 0x00800000, 0x00008000, ATT_OWN | ATT_IOMEM }, + /* OCRAM (Data) */ + { 0x20200000, 0x00900000, 0x00020000, 0 }, + /* OCRAM_EPDC (Data) */ +@@ -218,18 +219,18 @@ static const struct imx_rproc_att imx_rproc_att_imx7d[] = { + static const struct imx_rproc_att imx_rproc_att_imx6sx[] = { + /* dev addr , sys addr , size , flags */ + /* TCML (M4 Boot Code) - alias */ +- { 0x00000000, 0x007F8000, 0x00008000, 0 }, ++ { 0x00000000, 0x007F8000, 0x00008000, ATT_IOMEM }, + /* OCRAM_S (Code) */ + { 0x00180000, 0x008F8000, 0x00004000, 0 }, + /* OCRAM_S (Code) - alias */ + { 0x00180000, 0x008FC000, 0x00004000, 0 }, + /* TCML (Code) */ +- { 0x1FFF8000, 0x007F8000, 0x00008000, ATT_OWN }, ++ { 0x1FFF8000, 0x007F8000, 0x00008000, ATT_OWN | ATT_IOMEM }, + /* DDR (Code) - alias, first part of DDR (Data) */ + { 0x10000000, 0x80000000, 0x0FFF8000, 0 }, + + /* TCMU (Data) */ +- { 0x20000000, 0x00800000, 0x00008000, ATT_OWN }, ++ { 0x20000000, 0x00800000, 0x00008000, ATT_OWN | ATT_IOMEM }, + /* OCRAM_S (Data) - alias? */ + { 0x208F8000, 0x008F8000, 0x00004000, 0 }, + /* DDR (Data) */ +@@ -341,7 +342,7 @@ static int imx_rproc_stop(struct rproc *rproc) + } + + static int imx_rproc_da_to_sys(struct imx_rproc *priv, u64 da, +- size_t len, u64 *sys) ++ size_t len, u64 *sys, bool *is_iomem) + { + const struct imx_rproc_dcfg *dcfg = priv->dcfg; + int i; +@@ -354,6 +355,8 @@ static int imx_rproc_da_to_sys(struct imx_rproc *priv, u64 da, + unsigned int offset = da - att->da; + + *sys = att->sa + offset; ++ if (is_iomem) ++ *is_iomem = att->flags & ATT_IOMEM; + return 0; + } + } +@@ -377,7 +380,7 @@ static void *imx_rproc_da_to_va(struct rproc *rproc, u64 da, size_t len, bool *i + * On device side we have many aliases, so we need to convert device + * address (M4) to system bus address first. + */ +- if (imx_rproc_da_to_sys(priv, da, len, &sys)) ++ if (imx_rproc_da_to_sys(priv, da, len, &sys, is_iomem)) + return NULL; + + for (i = 0; i < IMX_RPROC_MEM_MAX; i++) { +@@ -553,8 +556,12 @@ static int imx_rproc_addr_init(struct imx_rproc *priv, + if (b >= IMX_RPROC_MEM_MAX) + break; + +- priv->mem[b].cpu_addr = devm_ioremap(&pdev->dev, +- att->sa, att->size); ++ if (att->flags & ATT_IOMEM) ++ priv->mem[b].cpu_addr = devm_ioremap(&pdev->dev, ++ att->sa, att->size); ++ else ++ priv->mem[b].cpu_addr = devm_ioremap_wc(&pdev->dev, ++ att->sa, att->size); + if (!priv->mem[b].cpu_addr) { + dev_err(dev, "failed to remap %#x bytes from %#x\n", att->size, att->sa); + return -ENOMEM; +-- +2.33.0 + diff --git a/queue-5.15/revert-drm-imx-annotate-dma-fence-critical-section-i.patch b/queue-5.15/revert-drm-imx-annotate-dma-fence-critical-section-i.patch new file mode 100644 index 00000000000..138e6093b49 --- /dev/null +++ b/queue-5.15/revert-drm-imx-annotate-dma-fence-critical-section-i.patch @@ -0,0 +1,63 @@ +From aca50a603b3e4f77a822ae2168cd8e465c461ef0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Nov 2021 21:11:12 -0300 +Subject: Revert "drm/imx: Annotate dma-fence critical section in commit path" + +From: Fabio Estevam + +[ Upstream commit 14d9a37c952588930d7226953359fea3ab956d39 ] + +This reverts commit f4b34faa08428d813fc3629f882c503487f94a12. + +Since commit f4b34faa0842 ("drm/imx: Annotate dma-fence critical section in +commit path") the following possible circular dependency is detected: + +[ 5.001811] ====================================================== +[ 5.001817] WARNING: possible circular locking dependency detected +[ 5.001824] 5.14.9-01225-g45da36cc6fcc-dirty #1 Tainted: G W +[ 5.001833] ------------------------------------------------------ +[ 5.001838] kworker/u8:0/7 is trying to acquire lock: +[ 5.001848] c1752080 (regulator_list_mutex){+.+.}-{3:3}, at: regulator_lock_dependent+0x40/0x294 +[ 5.001903] +[ 5.001903] but task is already holding lock: +[ 5.001909] c176df78 (dma_fence_map){++++}-{0:0}, at: imx_drm_atomic_commit_tail+0x10/0x160 +[ 5.001957] +[ 5.001957] which lock already depends on the new lock. +... + +Revert it for now. + +Tested on a imx6q-sabresd. + +Fixes: f4b34faa0842 ("drm/imx: Annotate dma-fence critical section in commit path") +Signed-off-by: Fabio Estevam +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20211104001112.4035691-1-festevam@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/imx/imx-drm-core.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/imx/imx-drm-core.c b/drivers/gpu/drm/imx/imx-drm-core.c +index 9558e9e1b431b..cb685fe2039b4 100644 +--- a/drivers/gpu/drm/imx/imx-drm-core.c ++++ b/drivers/gpu/drm/imx/imx-drm-core.c +@@ -81,7 +81,6 @@ static void imx_drm_atomic_commit_tail(struct drm_atomic_state *state) + struct drm_plane_state *old_plane_state, *new_plane_state; + bool plane_disabling = false; + int i; +- bool fence_cookie = dma_fence_begin_signalling(); + + drm_atomic_helper_commit_modeset_disables(dev, state); + +@@ -112,7 +111,6 @@ static void imx_drm_atomic_commit_tail(struct drm_atomic_state *state) + } + + drm_atomic_helper_commit_hw_done(state); +- dma_fence_end_signalling(fence_cookie); + } + + static const struct drm_mode_config_helper_funcs imx_drm_mode_config_helpers = { +-- +2.33.0 + diff --git a/queue-5.15/revert-wcn36xx-enable-firmware-link-monitoring.patch b/queue-5.15/revert-wcn36xx-enable-firmware-link-monitoring.patch new file mode 100644 index 00000000000..f2c34fb8dd1 --- /dev/null +++ b/queue-5.15/revert-wcn36xx-enable-firmware-link-monitoring.patch @@ -0,0 +1,53 @@ +From f343b36aabd7512f74ce177bc3997947d06679d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 10:30:37 +0100 +Subject: Revert "wcn36xx: Enable firmware link monitoring" + +From: Bryan O'Donoghue + +[ Upstream commit 43ea9bd84f27d06482cc823d9749cc9dd2993bc8 ] + +Firmware link offload monitoring can be made to work in 3/4 cases by +switching on firmware feature bit WLANACTIVE_OFFLOAD + +- Secure power-save on +- Secure power-save off +- Open power-save on + +However, with an open AP if we switch off power-saving - thus never +entering Beacon Mode Power Save - BMPS, firmware never forwards loss +of beacon upwards. + +We had hoped that WLANACTIVE_OFFLOAD and some fixes for sequence numbers +would unblock this but, it hasn't and further investigation is required. + +Its possible to have a complete set of Secure power-save on/off and Open +power-save on/off provided we use Linux' link monitoring mechanism. + +While we debug the Open AP failure we need to fix upstream. + +This reverts commit c973fdad79f6eaf247d48b5fc77733e989eb01e1. + +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211025093037.3966022-2-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/main.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index 39d86e3031bd7..28d6251ad77a6 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -1341,7 +1341,6 @@ static int wcn36xx_init_ieee80211(struct wcn36xx *wcn) + ieee80211_hw_set(wcn->hw, HAS_RATE_CONTROL); + ieee80211_hw_set(wcn->hw, SINGLE_SCAN_ON_ALL_BANDS); + ieee80211_hw_set(wcn->hw, REPORTS_TX_ACK_STATUS); +- ieee80211_hw_set(wcn->hw, CONNECTION_MONITOR); + + wcn->hw->wiphy->interface_modes = BIT(NL80211_IFTYPE_STATION) | + BIT(NL80211_IFTYPE_AP) | +-- +2.33.0 + diff --git a/queue-5.15/rpmsg-fix-rpmsg_create_ept-return-when-rpmsg-config-.patch b/queue-5.15/rpmsg-fix-rpmsg_create_ept-return-when-rpmsg-config-.patch new file mode 100644 index 00000000000..152d6fc54e6 --- /dev/null +++ b/queue-5.15/rpmsg-fix-rpmsg_create_ept-return-when-rpmsg-config-.patch @@ -0,0 +1,38 @@ +From 8a2652ee1e728db485911dafad972b07c0a2acab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Jul 2021 14:39:12 +0200 +Subject: rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined + +From: Arnaud Pouliquen + +[ Upstream commit 537d3af1bee8ad1415fda9b622d1ea6d1ae76dfa ] + +According to the description of the rpmsg_create_ept in rpmsg_core.c +the function should return NULL on error. + +Fixes: 2c8a57088045 ("rpmsg: Provide function stubs for API") +Signed-off-by: Arnaud Pouliquen +Reviewed-by: Mathieu Poirier +Link: https://lore.kernel.org/r/20210712123912.10672-1-arnaud.pouliquen@foss.st.com +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + include/linux/rpmsg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/rpmsg.h b/include/linux/rpmsg.h +index d97dcd049f18f..a8dcf8a9ae885 100644 +--- a/include/linux/rpmsg.h ++++ b/include/linux/rpmsg.h +@@ -231,7 +231,7 @@ static inline struct rpmsg_endpoint *rpmsg_create_ept(struct rpmsg_device *rpdev + /* This shouldn't be possible */ + WARN_ON(1); + +- return ERR_PTR(-ENXIO); ++ return NULL; + } + + static inline int rpmsg_send(struct rpmsg_endpoint *ept, void *data, int len) +-- +2.33.0 + diff --git a/queue-5.15/rsi-stop-thread-firstly-in-rsi_91x_init-error-handli.patch b/queue-5.15/rsi-stop-thread-firstly-in-rsi_91x_init-error-handli.patch new file mode 100644 index 00000000000..48637c64851 --- /dev/null +++ b/queue-5.15/rsi-stop-thread-firstly-in-rsi_91x_init-error-handli.patch @@ -0,0 +1,61 @@ +From 9911abf04f3a0142d256d88613e49428dc10f78b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 12:03:35 +0800 +Subject: rsi: stop thread firstly in rsi_91x_init() error handling + +From: Ziyang Xuan + +[ Upstream commit 515e7184bdf0a3ebf1757cc77fb046b4fe282189 ] + +When fail to init coex module, free 'common' and 'adapter' directly, but +common->tx_thread which will access 'common' and 'adapter' is running at +the same time. That will trigger the UAF bug. + +================================================================== +BUG: KASAN: use-after-free in rsi_tx_scheduler_thread+0x50f/0x520 [rsi_91x] +Read of size 8 at addr ffff8880076dc000 by task Tx-Thread/124777 +CPU: 0 PID: 124777 Comm: Tx-Thread Not tainted 5.15.0-rc5+ #19 +Call Trace: + dump_stack_lvl+0xe2/0x152 + print_address_description.constprop.0+0x21/0x140 + ? rsi_tx_scheduler_thread+0x50f/0x520 + kasan_report.cold+0x7f/0x11b + ? rsi_tx_scheduler_thread+0x50f/0x520 + rsi_tx_scheduler_thread+0x50f/0x520 +... + +Freed by task 111873: + kasan_save_stack+0x1b/0x40 + kasan_set_track+0x1c/0x30 + kasan_set_free_info+0x20/0x30 + __kasan_slab_free+0x109/0x140 + kfree+0x117/0x4c0 + rsi_91x_init+0x741/0x8a0 [rsi_91x] + rsi_probe+0x9f/0x1750 [rsi_usb] + +Stop thread before free 'common' and 'adapter' to fix it. + +Fixes: 2108df3c4b18 ("rsi: add coex support") +Signed-off-by: Ziyang Xuan +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211015040335.1021546-1-william.xuanziyang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/rsi/rsi_91x_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/rsi/rsi_91x_main.c b/drivers/net/wireless/rsi/rsi_91x_main.c +index 143224a3802ba..f1bf71e6c6081 100644 +--- a/drivers/net/wireless/rsi/rsi_91x_main.c ++++ b/drivers/net/wireless/rsi/rsi_91x_main.c +@@ -369,6 +369,7 @@ struct rsi_hw *rsi_91x_init(u16 oper_mode) + if (common->coex_mode > 1) { + if (rsi_coex_attach(common)) { + rsi_dbg(ERR_ZONE, "Failed to init coex module\n"); ++ rsi_kill_thread(&common->tx_thread); + goto err; + } + } +-- +2.33.0 + diff --git a/queue-5.15/rtc-ds1302-add-spi-id-table.patch b/queue-5.15/rtc-ds1302-add-spi-id-table.patch new file mode 100644 index 00000000000..116bcb237fb --- /dev/null +++ b/queue-5.15/rtc-ds1302-add-spi-id-table.patch @@ -0,0 +1,50 @@ +From 046ee778153944d7d5eb8a3af08944d4e334e3d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 20:49:20 +0100 +Subject: rtc: ds1302: Add SPI ID table + +From: Mark Brown + +[ Upstream commit 8719a17613e0233d707eb22e1645d217594631ef ] + +Currently autoloading for SPI devices does not use the DT ID table, it uses +SPI modalises. Supporting OF modalises is going to be difficult if not +impractical, an attempt was made but has been reverted, so ensure that +module autoloading works for this driver by adding an id_table listing the +SPI IDs for everything. + +Fixes: 96c8395e2166 ("spi: Revert modalias changes") +Signed-off-by: Mark Brown +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210923194922.53386-2-broonie@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1302.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/rtc/rtc-ds1302.c b/drivers/rtc/rtc-ds1302.c +index b3de6d2e680a4..2f83adef966eb 100644 +--- a/drivers/rtc/rtc-ds1302.c ++++ b/drivers/rtc/rtc-ds1302.c +@@ -199,11 +199,18 @@ static const struct of_device_id ds1302_dt_ids[] = { + MODULE_DEVICE_TABLE(of, ds1302_dt_ids); + #endif + ++static const struct spi_device_id ds1302_spi_ids[] = { ++ { .name = "ds1302", }, ++ { /* sentinel */ } ++}; ++MODULE_DEVICE_TABLE(spi, ds1302_spi_ids); ++ + static struct spi_driver ds1302_driver = { + .driver.name = "rtc-ds1302", + .driver.of_match_table = of_match_ptr(ds1302_dt_ids), + .probe = ds1302_probe, + .remove = ds1302_remove, ++ .id_table = ds1302_spi_ids, + }; + + module_spi_driver(ds1302_driver); +-- +2.33.0 + diff --git a/queue-5.15/rtc-ds1390-add-spi-id-table.patch b/queue-5.15/rtc-ds1390-add-spi-id-table.patch new file mode 100644 index 00000000000..62d8af7cf1d --- /dev/null +++ b/queue-5.15/rtc-ds1390-add-spi-id-table.patch @@ -0,0 +1,51 @@ +From 49ddf6847f7492c767b42d55070854903461966d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 20:49:21 +0100 +Subject: rtc: ds1390: Add SPI ID table + +From: Mark Brown + +[ Upstream commit da87639d6312afb8855717c791768bf2d4ca8ac8 ] + +Currently autoloading for SPI devices does not use the DT ID table, it uses +SPI modalises. Supporting OF modalises is going to be difficult if not +impractical, an attempt was made but has been reverted, so ensure that +module autoloading works for this driver by adding an id_table listing the +SPI IDs for everything. + +Fixes: 96c8395e2166 ("spi: Revert modalias changes") +Signed-off-by: Mark Brown +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210923194922.53386-3-broonie@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-ds1390.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/rtc/rtc-ds1390.c b/drivers/rtc/rtc-ds1390.c +index 66fc8617d07ee..93ce72b9ae59e 100644 +--- a/drivers/rtc/rtc-ds1390.c ++++ b/drivers/rtc/rtc-ds1390.c +@@ -219,12 +219,19 @@ static const struct of_device_id ds1390_of_match[] = { + }; + MODULE_DEVICE_TABLE(of, ds1390_of_match); + ++static const struct spi_device_id ds1390_spi_ids[] = { ++ { .name = "ds1390" }, ++ {} ++}; ++MODULE_DEVICE_TABLE(spi, ds1390_spi_ids); ++ + static struct spi_driver ds1390_driver = { + .driver = { + .name = "rtc-ds1390", + .of_match_table = of_match_ptr(ds1390_of_match), + }, + .probe = ds1390_probe, ++ .id_table = ds1390_spi_ids, + }; + + module_spi_driver(ds1390_driver); +-- +2.33.0 + diff --git a/queue-5.15/rtc-mcp795-add-spi-id-table.patch b/queue-5.15/rtc-mcp795-add-spi-id-table.patch new file mode 100644 index 00000000000..842a2213b84 --- /dev/null +++ b/queue-5.15/rtc-mcp795-add-spi-id-table.patch @@ -0,0 +1,51 @@ +From af4af8964e857f1205dcd0b6a9e2c72635cefe4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 14:02:40 +0100 +Subject: rtc: mcp795: Add SPI ID table + +From: Mark Brown + +[ Upstream commit 3109151c47343c80300177ec7704e0757064efdc ] + +Currently autoloading for SPI devices does not use the DT ID table, it uses +SPI modalises. Supporting OF modalises is going to be difficult if not +impractical, an attempt was made but has been reverted, so ensure that +module autoloading works for this driver by adding an id_table listing the +SPI IDs for everything. + +Fixes: 96c8395e2166 ("spi: Revert modalias changes") +Signed-off-by: Mark Brown +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210927130240.33693-1-broonie@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-mcp795.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/rtc/rtc-mcp795.c b/drivers/rtc/rtc-mcp795.c +index bad7792b6ca58..0d515b3df5710 100644 +--- a/drivers/rtc/rtc-mcp795.c ++++ b/drivers/rtc/rtc-mcp795.c +@@ -430,12 +430,19 @@ static const struct of_device_id mcp795_of_match[] = { + MODULE_DEVICE_TABLE(of, mcp795_of_match); + #endif + ++static const struct spi_device_id mcp795_spi_ids[] = { ++ { .name = "mcp795" }, ++ { } ++}; ++MODULE_DEVICE_TABLE(spi, mcp795_spi_ids); ++ + static struct spi_driver mcp795_driver = { + .driver = { + .name = "rtc-mcp795", + .of_match_table = of_match_ptr(mcp795_of_match), + }, + .probe = mcp795_probe, ++ .id_table = mcp795_spi_ids, + }; + + module_spi_driver(mcp795_driver); +-- +2.33.0 + diff --git a/queue-5.15/rtc-pcf2123-add-spi-id-table.patch b/queue-5.15/rtc-pcf2123-add-spi-id-table.patch new file mode 100644 index 00000000000..3395547b18e --- /dev/null +++ b/queue-5.15/rtc-pcf2123-add-spi-id-table.patch @@ -0,0 +1,53 @@ +From 9a91e97a7dd636bd70bd17b81bb043ec2d891d5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 20:49:22 +0100 +Subject: rtc: pcf2123: Add SPI ID table + +From: Mark Brown + +[ Upstream commit 5f84478e14aa8b43a4ea85d2e091931741947749 ] + +Currently autoloading for SPI devices does not use the DT ID table, it uses +SPI modalises. Supporting OF modalises is going to be difficult if not +impractical, an attempt was made but has been reverted, so ensure that +module autoloading works for this driver by adding an id_table listing the +SPI IDs for everything. + +Fixes: 96c8395e2166 ("spi: Revert modalias changes") +Signed-off-by: Mark Brown +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20210923194922.53386-4-broonie@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-pcf2123.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/rtc/rtc-pcf2123.c b/drivers/rtc/rtc-pcf2123.c +index 0f58cac81d8c0..7473e6c8a183b 100644 +--- a/drivers/rtc/rtc-pcf2123.c ++++ b/drivers/rtc/rtc-pcf2123.c +@@ -451,12 +451,21 @@ static const struct of_device_id pcf2123_dt_ids[] = { + MODULE_DEVICE_TABLE(of, pcf2123_dt_ids); + #endif + ++static const struct spi_device_id pcf2123_spi_ids[] = { ++ { .name = "pcf2123", }, ++ { .name = "rv2123", }, ++ { .name = "rtc-pcf2123", }, ++ { /* sentinel */ } ++}; ++MODULE_DEVICE_TABLE(spi, pcf2123_spi_ids); ++ + static struct spi_driver pcf2123_driver = { + .driver = { + .name = "rtc-pcf2123", + .of_match_table = of_match_ptr(pcf2123_dt_ids), + }, + .probe = pcf2123_probe, ++ .id_table = pcf2123_spi_ids, + }; + + module_spi_driver(pcf2123_driver); +-- +2.33.0 + diff --git a/queue-5.15/rtc-rv3032-fix-error-handling-in-rv3032_clkout_set_r.patch b/queue-5.15/rtc-rv3032-fix-error-handling-in-rv3032_clkout_set_r.patch new file mode 100644 index 00000000000..b8136d9f34e --- /dev/null +++ b/queue-5.15/rtc-rv3032-fix-error-handling-in-rv3032_clkout_set_r.patch @@ -0,0 +1,42 @@ +From f9817e8f734485a2acb75739216474bc614dc4eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 13:10:28 +0300 +Subject: rtc: rv3032: fix error handling in rv3032_clkout_set_rate() + +From: Dan Carpenter + +[ Upstream commit c3336b8ac6091df60a5c1049a8c685d0b947cc61 ] + +Do not call rv3032_exit_eerd() if the enter function fails but don't +forget to call the exit when the enter succeeds. + +Fixes: 2eeaa532acca ("rtc: rv3032: Add a driver for Microcrystal RV-3032") +Signed-off-by: Dan Carpenter +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20211012101028.GT2083@kadam +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-rv3032.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/rtc/rtc-rv3032.c b/drivers/rtc/rtc-rv3032.c +index d63102d5cb1e4..1b62ed2f14594 100644 +--- a/drivers/rtc/rtc-rv3032.c ++++ b/drivers/rtc/rtc-rv3032.c +@@ -617,11 +617,11 @@ static int rv3032_clkout_set_rate(struct clk_hw *hw, unsigned long rate, + + ret = rv3032_enter_eerd(rv3032, &eerd); + if (ret) +- goto exit_eerd; ++ return ret; + + ret = regmap_write(rv3032->regmap, RV3032_CLKOUT1, hfd & 0xff); + if (ret) +- return ret; ++ goto exit_eerd; + + ret = regmap_write(rv3032->regmap, RV3032_CLKOUT2, RV3032_CLKOUT2_OS | + FIELD_PREP(RV3032_CLKOUT2_HFD_MSK, hfd >> 8)); +-- +2.33.0 + diff --git a/queue-5.15/rtw88-fix-rx-clock-gate-setting-while-fifo-dump.patch b/queue-5.15/rtw88-fix-rx-clock-gate-setting-while-fifo-dump.patch new file mode 100644 index 00000000000..17158050d7a --- /dev/null +++ b/queue-5.15/rtw88-fix-rx-clock-gate-setting-while-fifo-dump.patch @@ -0,0 +1,66 @@ +From 1e6f14c2410c37451f64afefc852bfba2927ac44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 19:18:30 +0800 +Subject: rtw88: fix RX clock gate setting while fifo dump + +From: Zong-Zhe Yang + +[ Upstream commit c5a8e90730a322f236731fc347dd3afa5db5550e ] + +When fw fifo dumps, RX clock gating should be disabled to avoid +something unexpected. However, the register operation ran into +a mistake. So, we fix it. + +Signed-off-by: Zong-Zhe Yang +Signed-off-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210927111830.5354-1-pkshih@realtek.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtw88/fw.c | 7 +++---- + drivers/net/wireless/realtek/rtw88/reg.h | 1 + + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c +index e6399519584bd..a384fc3a4f2b0 100644 +--- a/drivers/net/wireless/realtek/rtw88/fw.c ++++ b/drivers/net/wireless/realtek/rtw88/fw.c +@@ -1556,12 +1556,10 @@ static void rtw_fw_read_fifo_page(struct rtw_dev *rtwdev, u32 offset, u32 size, + u32 i; + u16 idx = 0; + u16 ctl; +- u8 rcr; + +- rcr = rtw_read8(rtwdev, REG_RCR + 2); + ctl = rtw_read16(rtwdev, REG_PKTBUF_DBG_CTRL) & 0xf000; + /* disable rx clock gate */ +- rtw_write8(rtwdev, REG_RCR, rcr | BIT(3)); ++ rtw_write32_set(rtwdev, REG_RCR, BIT_DISGCLK); + + do { + rtw_write16(rtwdev, REG_PKTBUF_DBG_CTRL, start_pg | ctl); +@@ -1580,7 +1578,8 @@ static void rtw_fw_read_fifo_page(struct rtw_dev *rtwdev, u32 offset, u32 size, + + out: + rtw_write16(rtwdev, REG_PKTBUF_DBG_CTRL, ctl); +- rtw_write8(rtwdev, REG_RCR + 2, rcr); ++ /* restore rx clock gate */ ++ rtw_write32_clr(rtwdev, REG_RCR, BIT_DISGCLK); + } + + static void rtw_fw_read_fifo(struct rtw_dev *rtwdev, enum rtw_fw_fifo_sel sel, +diff --git a/drivers/net/wireless/realtek/rtw88/reg.h b/drivers/net/wireless/realtek/rtw88/reg.h +index f5ce75095e904..c0fb1e446245f 100644 +--- a/drivers/net/wireless/realtek/rtw88/reg.h ++++ b/drivers/net/wireless/realtek/rtw88/reg.h +@@ -406,6 +406,7 @@ + #define BIT_MFBEN BIT(22) + #define BIT_DISCHKPPDLLEN BIT(21) + #define BIT_PKTCTL_DLEN BIT(20) ++#define BIT_DISGCLK BIT(19) + #define BIT_TIM_PARSER_EN BIT(18) + #define BIT_BC_MD_EN BIT(17) + #define BIT_UC_MD_EN BIT(16) +-- +2.33.0 + diff --git a/queue-5.15/rxrpc-fix-_usecs_to_jiffies-by-using-usecs_to_jiffie.patch b/queue-5.15/rxrpc-fix-_usecs_to_jiffies-by-using-usecs_to_jiffie.patch new file mode 100644 index 00000000000..0dce77f355c --- /dev/null +++ b/queue-5.15/rxrpc-fix-_usecs_to_jiffies-by-using-usecs_to_jiffie.patch @@ -0,0 +1,39 @@ +From 14579ef5fa4f7aa1d8aea9e4573ad98937c64137 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 03:18:37 +0000 +Subject: rxrpc: Fix _usecs_to_jiffies() by using usecs_to_jiffies() + +From: Jiasheng Jiang + +[ Upstream commit acde891c243c1ed85b19d4d5042bdf00914f5739 ] + +Directly using _usecs_to_jiffies() might be unsafe, so it's +better to use usecs_to_jiffies() instead. +Because we can see that the result of _usecs_to_jiffies() +could be larger than MAX_JIFFY_OFFSET values without the +check of the input. + +Fixes: c410bf01933e ("Fix the excessive initial retransmission timeout") +Signed-off-by: Jiasheng Jiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/rtt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/rtt.c b/net/rxrpc/rtt.c +index 4e565eeab4260..be61d6f5be8d1 100644 +--- a/net/rxrpc/rtt.c ++++ b/net/rxrpc/rtt.c +@@ -22,7 +22,7 @@ static u32 rxrpc_rto_min_us(struct rxrpc_peer *peer) + + static u32 __rxrpc_set_rto(const struct rxrpc_peer *peer) + { +- return _usecs_to_jiffies((peer->srtt_us >> 3) + peer->rttvar_us); ++ return usecs_to_jiffies((peer->srtt_us >> 3) + peer->rttvar_us); + } + + static u32 rxrpc_bound_rto(u32 rto) +-- +2.33.0 + diff --git a/queue-5.15/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch b/queue-5.15/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch new file mode 100644 index 00000000000..f70c365d1c1 --- /dev/null +++ b/queue-5.15/s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch @@ -0,0 +1,48 @@ +From 20305780c6662d45e51f475ad207be6a775f15a7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 18:22:41 +0200 +Subject: s390/gmap: don't unconditionally call pte_unmap_unlock() in + __gmap_zap() + +From: David Hildenbrand + +[ Upstream commit b159f94c86b43cf7e73e654bc527255b1f4eafc4 ] + +... otherwise we will try unlocking a spinlock that was never locked via a +garbage pointer. + +At the time we reach this code path, we usually successfully looked up +a PGSTE already; however, evil user space could have manipulated the VMA +layout in the meantime and triggered removal of the page table. + +Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c") +Signed-off-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20210909162248.14969-3-david@redhat.com +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/mm/gmap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c +index e0735c3437759..d63c0ccc5ccda 100644 +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -689,9 +689,10 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr) + + /* Get pointer to the page table entry */ + ptep = get_locked_pte(gmap->mm, vmaddr, &ptl); +- if (likely(ptep)) ++ if (likely(ptep)) { + ptep_zap_unused(gmap->mm, vmaddr, ptep, 0); +- pte_unmap_unlock(ptep, ptl); ++ pte_unmap_unlock(ptep, ptl); ++ } + } + } + EXPORT_SYMBOL_GPL(__gmap_zap); +-- +2.33.0 + diff --git a/queue-5.15/s390-gmap-validate-vma-in-__gmap_zap.patch b/queue-5.15/s390-gmap-validate-vma-in-__gmap_zap.patch new file mode 100644 index 00000000000..bb0417ba349 --- /dev/null +++ b/queue-5.15/s390-gmap-validate-vma-in-__gmap_zap.patch @@ -0,0 +1,66 @@ +From 0b2d62e91a7a04dc8d7e42b42a8f26993b7adabf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 18:22:40 +0200 +Subject: s390/gmap: validate VMA in __gmap_zap() + +From: David Hildenbrand + +[ Upstream commit 2d8fb8f3914b40e3cc12f8cbb74daefd5245349d ] + +We should not walk/touch page tables outside of VMA boundaries when +holding only the mmap sem in read mode. Evil user space can modify the +VMA layout just before this function runs and e.g., trigger races with +page table removal code since commit dd2283f2605e ("mm: mmap: zap pages +with read mmap_sem in munmap"). The pure prescence in our guest_to_host +radix tree does not imply that there is a VMA. + +Further, we should not allocate page tables (via get_locked_pte()) outside +of VMA boundaries: if evil user space decides to map hugetlbfs to these +ranges, bad things will happen because we suddenly have PTE or PMD page +tables where we shouldn't have them. + +Similarly, we have to check if we suddenly find a hugetlbfs VMA, before +calling get_locked_pte(). + +Note that gmap_discard() is different: +zap_page_range()->unmap_single_vma() makes sure to stay within VMA +boundaries. + +Fixes: b31288fa83b2 ("s390/kvm: support collaborative memory management") +Signed-off-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20210909162248.14969-2-david@redhat.com +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/mm/gmap.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/s390/mm/gmap.c b/arch/s390/mm/gmap.c +index 4d3b33ce81c62..e0735c3437759 100644 +--- a/arch/s390/mm/gmap.c ++++ b/arch/s390/mm/gmap.c +@@ -672,6 +672,7 @@ EXPORT_SYMBOL_GPL(gmap_fault); + */ + void __gmap_zap(struct gmap *gmap, unsigned long gaddr) + { ++ struct vm_area_struct *vma; + unsigned long vmaddr; + spinlock_t *ptl; + pte_t *ptep; +@@ -681,6 +682,11 @@ void __gmap_zap(struct gmap *gmap, unsigned long gaddr) + gaddr >> PMD_SHIFT); + if (vmaddr) { + vmaddr |= gaddr & ~PMD_MASK; ++ ++ vma = vma_lookup(gmap->mm, vmaddr); ++ if (!vma || is_vm_hugetlb_page(vma)) ++ return; ++ + /* Get pointer to the page table entry */ + ptep = get_locked_pte(gmap->mm, vmaddr, &ptl); + if (likely(ptep)) +-- +2.33.0 + diff --git a/queue-5.15/s390-mm-fix-vma-and-page-table-handling-code-in-stor.patch b/queue-5.15/s390-mm-fix-vma-and-page-table-handling-code-in-stor.patch new file mode 100644 index 00000000000..da8d09674c0 --- /dev/null +++ b/queue-5.15/s390-mm-fix-vma-and-page-table-handling-code-in-stor.patch @@ -0,0 +1,170 @@ +From 90227ae9b7cb22e8cc233cda24fa680057439e36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 18:22:43 +0200 +Subject: s390/mm: fix VMA and page table handling code in storage key handling + functions + +From: David Hildenbrand + +[ Upstream commit 949f5c1244ee6c36d2e81c588d1200eaa83a3df6 ] + +There are multiple things broken about our storage key handling +functions: + +1. We should not walk/touch page tables outside of VMA boundaries when + holding only the mmap sem in read mode. Evil user space can modify the + VMA layout just before this function runs and e.g., trigger races with + page table removal code since commit dd2283f2605e ("mm: mmap: zap pages + with read mmap_sem in munmap"). gfn_to_hva() will only translate using + KVM memory regions, but won't validate the VMA. + +2. We should not allocate page tables outside of VMA boundaries: if + evil user space decides to map hugetlbfs to these ranges, bad things + will happen because we suddenly have PTE or PMD page tables where we + shouldn't have them. + +3. We don't handle large PUDs that might suddenly appeared inside our page + table hierarchy. + +Don't manually allocate page tables, properly validate that we have VMA and +bail out on pud_large(). + +All callers of page table handling functions, except +get_guest_storage_key(), call fixup_user_fault() in case they +receive an -EFAULT and retry; this will allocate the necessary page tables +if required. + +To keep get_guest_storage_key() working as expected and not requiring +kvm_s390_get_skeys() to call fixup_user_fault() distinguish between +"there is simply no page table or huge page yet and the key is assumed +to be 0" and "this is a fault to be reported". + +Although commit 637ff9efe5ea ("s390/mm: Add huge pmd storage key handling") +introduced most of the affected code, it was actually already broken +before when using get_locked_pte() without any VMA checks. + +Note: Ever since commit 637ff9efe5ea ("s390/mm: Add huge pmd storage key +handling") we can no longer set a guest storage key (for example from +QEMU during VM live migration) without actually resolving a fault. +Although we would have created most page tables, we would choke on the +!pmd_present(), requiring a call to fixup_user_fault(). I would +have thought that this is problematic in combination with postcopy life +migration ... but nobody noticed and this patch doesn't change the +situation. So maybe it's just fine. + +Fixes: 9fcf93b5de06 ("KVM: S390: Create helper function get_guest_storage_key") +Fixes: 24d5dd0208ed ("s390/kvm: Provide function for setting the guest storage key") +Fixes: a7e19ab55ffd ("KVM: s390: handle missing storage-key facility") +Signed-off-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20210909162248.14969-5-david@redhat.com +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/mm/pgtable.c | 57 +++++++++++++++++++++++++++++------------- + 1 file changed, 39 insertions(+), 18 deletions(-) + +diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c +index 2717a406edeb3..6ad634a27d5b9 100644 +--- a/arch/s390/mm/pgtable.c ++++ b/arch/s390/mm/pgtable.c +@@ -429,22 +429,36 @@ static inline pmd_t pmdp_flush_lazy(struct mm_struct *mm, + } + + #ifdef CONFIG_PGSTE +-static pmd_t *pmd_alloc_map(struct mm_struct *mm, unsigned long addr) ++static int pmd_lookup(struct mm_struct *mm, unsigned long addr, pmd_t **pmdp) + { ++ struct vm_area_struct *vma; + pgd_t *pgd; + p4d_t *p4d; + pud_t *pud; +- pmd_t *pmd; ++ ++ /* We need a valid VMA, otherwise this is clearly a fault. */ ++ vma = vma_lookup(mm, addr); ++ if (!vma) ++ return -EFAULT; + + pgd = pgd_offset(mm, addr); +- p4d = p4d_alloc(mm, pgd, addr); +- if (!p4d) +- return NULL; +- pud = pud_alloc(mm, p4d, addr); +- if (!pud) +- return NULL; +- pmd = pmd_alloc(mm, pud, addr); +- return pmd; ++ if (!pgd_present(*pgd)) ++ return -ENOENT; ++ ++ p4d = p4d_offset(pgd, addr); ++ if (!p4d_present(*p4d)) ++ return -ENOENT; ++ ++ pud = pud_offset(p4d, addr); ++ if (!pud_present(*pud)) ++ return -ENOENT; ++ ++ /* Large PUDs are not supported yet. */ ++ if (pud_large(*pud)) ++ return -EFAULT; ++ ++ *pmdp = pmd_offset(pud, addr); ++ return 0; + } + #endif + +@@ -778,8 +792,7 @@ int set_guest_storage_key(struct mm_struct *mm, unsigned long addr, + pmd_t *pmdp; + pte_t *ptep; + +- pmdp = pmd_alloc_map(mm, addr); +- if (unlikely(!pmdp)) ++ if (pmd_lookup(mm, addr, &pmdp)) + return -EFAULT; + + ptl = pmd_lock(mm, pmdp); +@@ -881,8 +894,7 @@ int reset_guest_reference_bit(struct mm_struct *mm, unsigned long addr) + pte_t *ptep; + int cc = 0; + +- pmdp = pmd_alloc_map(mm, addr); +- if (unlikely(!pmdp)) ++ if (pmd_lookup(mm, addr, &pmdp)) + return -EFAULT; + + ptl = pmd_lock(mm, pmdp); +@@ -935,15 +947,24 @@ int get_guest_storage_key(struct mm_struct *mm, unsigned long addr, + pmd_t *pmdp; + pte_t *ptep; + +- pmdp = pmd_alloc_map(mm, addr); +- if (unlikely(!pmdp)) ++ /* ++ * If we don't have a PTE table and if there is no huge page mapped, ++ * the storage key is 0. ++ */ ++ *key = 0; ++ ++ switch (pmd_lookup(mm, addr, &pmdp)) { ++ case -ENOENT: ++ return 0; ++ case 0: ++ break; ++ default: + return -EFAULT; ++ } + + ptl = pmd_lock(mm, pmdp); + if (!pmd_present(*pmdp)) { +- /* Not yet mapped memory has a zero key */ + spin_unlock(ptl); +- *key = 0; + return 0; + } + +-- +2.33.0 + diff --git a/queue-5.15/s390-mm-validate-vma-in-pgste-manipulation-functions.patch b/queue-5.15/s390-mm-validate-vma-in-pgste-manipulation-functions.patch new file mode 100644 index 00000000000..f1ec181c315 --- /dev/null +++ b/queue-5.15/s390-mm-validate-vma-in-pgste-manipulation-functions.patch @@ -0,0 +1,90 @@ +From 987a5e2a95edd180de90396d66083cc7dac4f466 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 18:22:42 +0200 +Subject: s390/mm: validate VMA in PGSTE manipulation functions + +From: David Hildenbrand + +[ Upstream commit fe3d10024073f06f04c74b9674bd71ccc1d787cf ] + +We should not walk/touch page tables outside of VMA boundaries when +holding only the mmap sem in read mode. Evil user space can modify the +VMA layout just before this function runs and e.g., trigger races with +page table removal code since commit dd2283f2605e ("mm: mmap: zap pages +with read mmap_sem in munmap"). gfn_to_hva() will only translate using +KVM memory regions, but won't validate the VMA. + +Further, we should not allocate page tables outside of VMA boundaries: if +evil user space decides to map hugetlbfs to these ranges, bad things will +happen because we suddenly have PTE or PMD page tables where we +shouldn't have them. + +Similarly, we have to check if we suddenly find a hugetlbfs VMA, before +calling get_locked_pte(). + +Fixes: 2d42f9477320 ("s390/kvm: Add PGSTE manipulation functions") +Signed-off-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Acked-by: Heiko Carstens +Link: https://lore.kernel.org/r/20210909162248.14969-4-david@redhat.com +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/mm/pgtable.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/arch/s390/mm/pgtable.c b/arch/s390/mm/pgtable.c +index 034721a68d8fd..2717a406edeb3 100644 +--- a/arch/s390/mm/pgtable.c ++++ b/arch/s390/mm/pgtable.c +@@ -988,6 +988,7 @@ EXPORT_SYMBOL(get_guest_storage_key); + int pgste_perform_essa(struct mm_struct *mm, unsigned long hva, int orc, + unsigned long *oldpte, unsigned long *oldpgste) + { ++ struct vm_area_struct *vma; + unsigned long pgstev; + spinlock_t *ptl; + pgste_t pgste; +@@ -997,6 +998,10 @@ int pgste_perform_essa(struct mm_struct *mm, unsigned long hva, int orc, + WARN_ON_ONCE(orc > ESSA_MAX); + if (unlikely(orc > ESSA_MAX)) + return -EINVAL; ++ ++ vma = vma_lookup(mm, hva); ++ if (!vma || is_vm_hugetlb_page(vma)) ++ return -EFAULT; + ptep = get_locked_pte(mm, hva, &ptl); + if (unlikely(!ptep)) + return -EFAULT; +@@ -1089,10 +1094,14 @@ EXPORT_SYMBOL(pgste_perform_essa); + int set_pgste_bits(struct mm_struct *mm, unsigned long hva, + unsigned long bits, unsigned long value) + { ++ struct vm_area_struct *vma; + spinlock_t *ptl; + pgste_t new; + pte_t *ptep; + ++ vma = vma_lookup(mm, hva); ++ if (!vma || is_vm_hugetlb_page(vma)) ++ return -EFAULT; + ptep = get_locked_pte(mm, hva, &ptl); + if (unlikely(!ptep)) + return -EFAULT; +@@ -1117,9 +1126,13 @@ EXPORT_SYMBOL(set_pgste_bits); + */ + int get_pgste(struct mm_struct *mm, unsigned long hva, unsigned long *pgstep) + { ++ struct vm_area_struct *vma; + spinlock_t *ptl; + pte_t *ptep; + ++ vma = vma_lookup(mm, hva); ++ if (!vma || is_vm_hugetlb_page(vma)) ++ return -EFAULT; + ptep = get_locked_pte(mm, hva, &ptl); + if (unlikely(!ptep)) + return -EFAULT; +-- +2.33.0 + diff --git a/queue-5.15/s390-uv-fully-validate-the-vma-before-calling-follow.patch b/queue-5.15/s390-uv-fully-validate-the-vma-before-calling-follow.patch new file mode 100644 index 00000000000..bb80e81781d --- /dev/null +++ b/queue-5.15/s390-uv-fully-validate-the-vma-before-calling-follow.patch @@ -0,0 +1,46 @@ +From 5a2cf73a00c3bcf6d8be897d7ff5197d887cec7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 18:22:44 +0200 +Subject: s390/uv: fully validate the VMA before calling follow_page() + +From: David Hildenbrand + +[ Upstream commit 46c22ffd2772201662350bc7b94b9ea9d3ee5ac2 ] + +We should not walk/touch page tables outside of VMA boundaries when +holding only the mmap sem in read mode. Evil user space can modify the +VMA layout just before this function runs and e.g., trigger races with +page table removal code since commit dd2283f2605e ("mm: mmap: zap pages +with read mmap_sem in munmap"). + +find_vma() does not check if the address is >= the VMA start address; +use vma_lookup() instead. + +Fixes: 214d9bbcd3a6 ("s390/mm: provide memory management functions for protected KVM guests") +Signed-off-by: David Hildenbrand +Reviewed-by: Claudio Imbrenda +Acked-by: Heiko Carstens +Reviewed-by: Liam R. Howlett +Link: https://lore.kernel.org/r/20210909162248.14969-6-david@redhat.com +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/uv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/uv.c b/arch/s390/kernel/uv.c +index 5a656c7b7a67a..f95ccbd396925 100644 +--- a/arch/s390/kernel/uv.c ++++ b/arch/s390/kernel/uv.c +@@ -212,7 +212,7 @@ again: + uaddr = __gmap_translate(gmap, gaddr); + if (IS_ERR_VALUE(uaddr)) + goto out; +- vma = find_vma(gmap->mm, uaddr); ++ vma = vma_lookup(gmap->mm, uaddr); + if (!vma) + goto out; + /* +-- +2.33.0 + diff --git a/queue-5.15/samples-bpf-fix-application-of-sizeof-to-pointer.patch b/queue-5.15/samples-bpf-fix-application-of-sizeof-to-pointer.patch new file mode 100644 index 00000000000..e63f07082ae --- /dev/null +++ b/queue-5.15/samples-bpf-fix-application-of-sizeof-to-pointer.patch @@ -0,0 +1,50 @@ +From 03cfffbb243e74182627fd555f1eed25c4db5d36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 19:16:49 +0800 +Subject: samples/bpf: Fix application of sizeof to pointer + +From: David Yang + +[ Upstream commit b599015f044df53e93ad0a2957b615bc1a26bf73 ] + +The coccinelle check report: +"./samples/bpf/xdp_redirect_cpu_user.c:397:32-38: +ERROR: application of sizeof to pointer" +Using the "strlen" to fix it. + +Reported-by: Zeal Robot +Signed-off-by: David Yang +Signed-off-by: Andrii Nakryiko +Link: https://lore.kernel.org/bpf/20211012111649.983253-1-davidcomponentone@gmail.com +Signed-off-by: Sasha Levin +--- + samples/bpf/xdp_redirect_cpu_user.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/samples/bpf/xdp_redirect_cpu_user.c b/samples/bpf/xdp_redirect_cpu_user.c +index 6e25fba64c72b..d84e6949007cc 100644 +--- a/samples/bpf/xdp_redirect_cpu_user.c ++++ b/samples/bpf/xdp_redirect_cpu_user.c +@@ -325,7 +325,6 @@ int main(int argc, char **argv) + int add_cpu = -1; + int ifindex = -1; + int *cpu, i, opt; +- char *ifname; + __u32 qsize; + int n_cpus; + +@@ -393,9 +392,8 @@ int main(int argc, char **argv) + fprintf(stderr, "-d/--dev name too long\n"); + goto end_cpu; + } +- ifname = (char *)&ifname_buf; +- safe_strncpy(ifname, optarg, sizeof(ifname)); +- ifindex = if_nametoindex(ifname); ++ safe_strncpy(ifname_buf, optarg, strlen(ifname_buf)); ++ ifindex = if_nametoindex(ifname_buf); + if (!ifindex) + ifindex = strtoul(optarg, NULL, 0); + if (!ifindex) { +-- +2.33.0 + diff --git a/queue-5.15/samples-kretprobes-fix-return-value-if-register_kret.patch b/queue-5.15/samples-kretprobes-fix-return-value-if-register_kret.patch new file mode 100644 index 00000000000..b88efff3a52 --- /dev/null +++ b/queue-5.15/samples-kretprobes-fix-return-value-if-register_kret.patch @@ -0,0 +1,49 @@ +From 91df22cd10fc6dc1b07d87eed5686b63db9af861 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 09:51:28 +0800 +Subject: samples/kretprobes: Fix return value if register_kretprobe() failed + +From: Tiezhu Yang + +[ Upstream commit f76fbbbb5061fe14824ba5807c44bd7400a6b4e1 ] + +Use the actual return value instead of always -1 if register_kretprobe() +failed. + +E.g. without this patch: + + # insmod samples/kprobes/kretprobe_example.ko func=no_such_func + insmod: ERROR: could not insert module samples/kprobes/kretprobe_example.ko: Operation not permitted + +With this patch: + + # insmod samples/kprobes/kretprobe_example.ko func=no_such_func + insmod: ERROR: could not insert module samples/kprobes/kretprobe_example.ko: Unknown symbol in module + +Link: https://lkml.kernel.org/r/1635213091-24387-2-git-send-email-yangtiezhu@loongson.cn + +Fixes: 804defea1c02 ("Kprobes: move kprobe examples to samples/") +Signed-off-by: Tiezhu Yang +Acked-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + samples/kprobes/kretprobe_example.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/samples/kprobes/kretprobe_example.c b/samples/kprobes/kretprobe_example.c +index 5dc1bf3baa98b..228321ecb1616 100644 +--- a/samples/kprobes/kretprobe_example.c ++++ b/samples/kprobes/kretprobe_example.c +@@ -86,7 +86,7 @@ static int __init kretprobe_init(void) + ret = register_kretprobe(&my_kretprobe); + if (ret < 0) { + pr_err("register_kretprobe failed, returned %d\n", ret); +- return -1; ++ return ret; + } + pr_info("Planted return probe at %s: %p\n", + my_kretprobe.kp.symbol_name, my_kretprobe.kp.addr); +-- +2.33.0 + diff --git a/queue-5.15/sched-add-wrapper-for-get_wchan-to-keep-task-blocked.patch b/queue-5.15/sched-add-wrapper-for-get_wchan-to-keep-task-blocked.patch new file mode 100644 index 00000000000..4149690cb5d --- /dev/null +++ b/queue-5.15/sched-add-wrapper-for-get_wchan-to-keep-task-blocked.patch @@ -0,0 +1,943 @@ +From ac9ca8a06f060318966c312bf9a5bd554dc392fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 15:02:14 -0700 +Subject: sched: Add wrapper for get_wchan() to keep task blocked + +From: Kees Cook + +[ Upstream commit 42a20f86dc19f9282d974df0ba4d226c865ab9dd ] + +Having a stable wchan means the process must be blocked and for it to +stay that way while performing stack unwinding. + +Suggested-by: Peter Zijlstra +Signed-off-by: Kees Cook +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Geert Uytterhoeven +Acked-by: Russell King (Oracle) [arm] +Tested-by: Mark Rutland [arm64] +Link: https://lkml.kernel.org/r/20211008111626.332092234@infradead.org +Signed-off-by: Sasha Levin +--- + arch/alpha/include/asm/processor.h | 2 +- + arch/alpha/kernel/process.c | 5 ++--- + arch/arc/include/asm/processor.h | 2 +- + arch/arc/kernel/stacktrace.c | 4 ++-- + arch/arm/include/asm/processor.h | 2 +- + arch/arm/kernel/process.c | 4 +--- + arch/arm64/include/asm/processor.h | 2 +- + arch/arm64/kernel/process.c | 4 +--- + arch/csky/include/asm/processor.h | 2 +- + arch/csky/kernel/stacktrace.c | 5 ++--- + arch/h8300/include/asm/processor.h | 2 +- + arch/h8300/kernel/process.c | 5 +---- + arch/hexagon/include/asm/processor.h | 2 +- + arch/hexagon/kernel/process.c | 4 +--- + arch/ia64/include/asm/processor.h | 2 +- + arch/ia64/kernel/process.c | 5 +---- + arch/m68k/include/asm/processor.h | 2 +- + arch/m68k/kernel/process.c | 4 +--- + arch/microblaze/include/asm/processor.h | 2 +- + arch/microblaze/kernel/process.c | 2 +- + arch/mips/include/asm/processor.h | 2 +- + arch/mips/kernel/process.c | 8 +++----- + arch/nds32/include/asm/processor.h | 2 +- + arch/nds32/kernel/process.c | 7 +------ + arch/nios2/include/asm/processor.h | 2 +- + arch/nios2/kernel/process.c | 5 +---- + arch/openrisc/include/asm/processor.h | 2 +- + arch/openrisc/kernel/process.c | 2 +- + arch/parisc/include/asm/processor.h | 2 +- + arch/parisc/kernel/process.c | 5 +---- + arch/powerpc/include/asm/processor.h | 2 +- + arch/powerpc/kernel/process.c | 9 +++------ + arch/riscv/include/asm/processor.h | 2 +- + arch/riscv/kernel/stacktrace.c | 12 +++++------- + arch/s390/include/asm/processor.h | 2 +- + arch/s390/kernel/process.c | 4 ++-- + arch/sh/include/asm/processor_32.h | 2 +- + arch/sh/kernel/process_32.c | 5 +---- + arch/sparc/include/asm/processor_32.h | 2 +- + arch/sparc/include/asm/processor_64.h | 2 +- + arch/sparc/kernel/process_32.c | 5 +---- + arch/sparc/kernel/process_64.c | 5 +---- + arch/um/include/asm/processor-generic.h | 2 +- + arch/um/kernel/process.c | 5 +---- + arch/x86/include/asm/processor.h | 2 +- + arch/x86/kernel/process.c | 5 +---- + arch/xtensa/include/asm/processor.h | 2 +- + arch/xtensa/kernel/process.c | 5 +---- + include/linux/sched.h | 1 + + kernel/sched/core.c | 19 +++++++++++++++++++ + 50 files changed, 80 insertions(+), 112 deletions(-) + +diff --git a/arch/alpha/include/asm/processor.h b/arch/alpha/include/asm/processor.h +index 6100431da07a3..090499c99c1c1 100644 +--- a/arch/alpha/include/asm/processor.h ++++ b/arch/alpha/include/asm/processor.h +@@ -42,7 +42,7 @@ extern void start_thread(struct pt_regs *, unsigned long, unsigned long); + struct task_struct; + extern void release_thread(struct task_struct *); + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + #define KSTK_EIP(tsk) (task_pt_regs(tsk)->pc) + +diff --git a/arch/alpha/kernel/process.c b/arch/alpha/kernel/process.c +index a5123ea426ce5..5f8527081da92 100644 +--- a/arch/alpha/kernel/process.c ++++ b/arch/alpha/kernel/process.c +@@ -376,12 +376,11 @@ thread_saved_pc(struct task_struct *t) + } + + unsigned long +-get_wchan(struct task_struct *p) ++__get_wchan(struct task_struct *p) + { + unsigned long schedule_frame; + unsigned long pc; +- if (!p || p == current || task_is_running(p)) +- return 0; ++ + /* + * This one depends on the frame size of schedule(). Do a + * "disass schedule" in gdb to find the frame size. Also, the +diff --git a/arch/arc/include/asm/processor.h b/arch/arc/include/asm/processor.h +index f28afcf5c6d10..54db9d7bb562d 100644 +--- a/arch/arc/include/asm/processor.h ++++ b/arch/arc/include/asm/processor.h +@@ -70,7 +70,7 @@ struct task_struct; + extern void start_thread(struct pt_regs * regs, unsigned long pc, + unsigned long usp); + +-extern unsigned int get_wchan(struct task_struct *p); ++extern unsigned int __get_wchan(struct task_struct *p); + + #endif /* !__ASSEMBLY__ */ + +diff --git a/arch/arc/kernel/stacktrace.c b/arch/arc/kernel/stacktrace.c +index c376ff3147e7b..5372dc04e7847 100644 +--- a/arch/arc/kernel/stacktrace.c ++++ b/arch/arc/kernel/stacktrace.c +@@ -15,7 +15,7 @@ + * = specifics of data structs where trace is saved(CONFIG_STACKTRACE etc) + * + * vineetg: March 2009 +- * -Implemented correct versions of thread_saved_pc() and get_wchan() ++ * -Implemented correct versions of thread_saved_pc() and __get_wchan() + * + * rajeshwarr: 2008 + * -Initial implementation +@@ -248,7 +248,7 @@ void show_stack(struct task_struct *tsk, unsigned long *sp, const char *loglvl) + * Of course just returning schedule( ) would be pointless so unwind until + * the function is not in schedular code + */ +-unsigned int get_wchan(struct task_struct *tsk) ++unsigned int __get_wchan(struct task_struct *tsk) + { + return arc_unwind_core(tsk, NULL, __get_first_nonsched, NULL); + } +diff --git a/arch/arm/include/asm/processor.h b/arch/arm/include/asm/processor.h +index 9e6b972863077..6af68edfa53ab 100644 +--- a/arch/arm/include/asm/processor.h ++++ b/arch/arm/include/asm/processor.h +@@ -84,7 +84,7 @@ struct task_struct; + /* Free all resources held by a thread. */ + extern void release_thread(struct task_struct *); + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + #define task_pt_regs(p) \ + ((struct pt_regs *)(THREAD_START_SP + task_stack_page(p)) - 1) +diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c +index 0e2d3051741ed..96f577e59595f 100644 +--- a/arch/arm/kernel/process.c ++++ b/arch/arm/kernel/process.c +@@ -276,13 +276,11 @@ int copy_thread(unsigned long clone_flags, unsigned long stack_start, + return 0; + } + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + struct stackframe frame; + unsigned long stack_page; + int count = 0; +- if (!p || p == current || task_is_running(p)) +- return 0; + + frame.fp = thread_saved_fp(p); + frame.sp = thread_saved_sp(p); +diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h +index ee2bdc1b9f5bb..55ca034238eae 100644 +--- a/arch/arm64/include/asm/processor.h ++++ b/arch/arm64/include/asm/processor.h +@@ -257,7 +257,7 @@ struct task_struct; + /* Free all resources held by a thread. */ + extern void release_thread(struct task_struct *); + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + void update_sctlr_el1(u64 sctlr); + +diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c +index 40adb8cdbf5af..aacf2f5559a8b 100644 +--- a/arch/arm64/kernel/process.c ++++ b/arch/arm64/kernel/process.c +@@ -528,13 +528,11 @@ __notrace_funcgraph struct task_struct *__switch_to(struct task_struct *prev, + return last; + } + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + struct stackframe frame; + unsigned long stack_page, ret = 0; + int count = 0; +- if (!p || p == current || task_is_running(p)) +- return 0; + + stack_page = (unsigned long)try_get_task_stack(p); + if (!stack_page) +diff --git a/arch/csky/include/asm/processor.h b/arch/csky/include/asm/processor.h +index 9e933021fe8e0..817dd60ff152d 100644 +--- a/arch/csky/include/asm/processor.h ++++ b/arch/csky/include/asm/processor.h +@@ -81,7 +81,7 @@ static inline void release_thread(struct task_struct *dead_task) + + extern int kernel_thread(int (*fn)(void *), void *arg, unsigned long flags); + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + #define KSTK_EIP(tsk) (task_pt_regs(tsk)->pc) + #define KSTK_ESP(tsk) (task_pt_regs(tsk)->usp) +diff --git a/arch/csky/kernel/stacktrace.c b/arch/csky/kernel/stacktrace.c +index 1b280ef080045..9f78f5d215117 100644 +--- a/arch/csky/kernel/stacktrace.c ++++ b/arch/csky/kernel/stacktrace.c +@@ -111,12 +111,11 @@ static bool save_wchan(unsigned long pc, void *arg) + return false; + } + +-unsigned long get_wchan(struct task_struct *task) ++unsigned long __get_wchan(struct task_struct *task) + { + unsigned long pc = 0; + +- if (likely(task && task != current && !task_is_running(task))) +- walk_stackframe(task, NULL, save_wchan, &pc); ++ walk_stackframe(task, NULL, save_wchan, &pc); + return pc; + } + +diff --git a/arch/h8300/include/asm/processor.h b/arch/h8300/include/asm/processor.h +index a060b41b2d31c..141a23eb62b74 100644 +--- a/arch/h8300/include/asm/processor.h ++++ b/arch/h8300/include/asm/processor.h +@@ -105,7 +105,7 @@ static inline void release_thread(struct task_struct *dead_task) + { + } + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + #define KSTK_EIP(tsk) \ + ({ \ +diff --git a/arch/h8300/kernel/process.c b/arch/h8300/kernel/process.c +index 2ac27e4248a46..8833fa4f5d516 100644 +--- a/arch/h8300/kernel/process.c ++++ b/arch/h8300/kernel/process.c +@@ -128,15 +128,12 @@ int copy_thread(unsigned long clone_flags, unsigned long usp, + return 0; + } + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + unsigned long fp, pc; + unsigned long stack_page; + int count = 0; + +- if (!p || p == current || task_is_running(p)) +- return 0; +- + stack_page = (unsigned long)p; + fp = ((struct pt_regs *)p->thread.ksp)->er6; + do { +diff --git a/arch/hexagon/include/asm/processor.h b/arch/hexagon/include/asm/processor.h +index 9f0cc99420bee..615f7e49968e6 100644 +--- a/arch/hexagon/include/asm/processor.h ++++ b/arch/hexagon/include/asm/processor.h +@@ -64,7 +64,7 @@ struct thread_struct { + extern void release_thread(struct task_struct *dead_task); + + /* Get wait channel for task P. */ +-extern unsigned long get_wchan(struct task_struct *p); ++extern unsigned long __get_wchan(struct task_struct *p); + + /* The following stuff is pretty HEXAGON specific. */ + +diff --git a/arch/hexagon/kernel/process.c b/arch/hexagon/kernel/process.c +index 6a6835fb42425..232dfd8956aa2 100644 +--- a/arch/hexagon/kernel/process.c ++++ b/arch/hexagon/kernel/process.c +@@ -130,13 +130,11 @@ void flush_thread(void) + * is an identification of the point at which the scheduler + * was invoked by a blocked thread. + */ +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + unsigned long fp, pc; + unsigned long stack_page; + int count = 0; +- if (!p || p == current || task_is_running(p)) +- return 0; + + stack_page = (unsigned long)task_stack_page(p); + fp = ((struct hexagon_switch_stack *)p->thread.switch_sp)->fp; +diff --git a/arch/ia64/include/asm/processor.h b/arch/ia64/include/asm/processor.h +index 2d8bcdc27d7f8..45365c2ef5983 100644 +--- a/arch/ia64/include/asm/processor.h ++++ b/arch/ia64/include/asm/processor.h +@@ -330,7 +330,7 @@ struct task_struct; + #define release_thread(dead_task) + + /* Get wait channel for task P. */ +-extern unsigned long get_wchan (struct task_struct *p); ++extern unsigned long __get_wchan (struct task_struct *p); + + /* Return instruction pointer of blocked task TSK. */ + #define KSTK_EIP(tsk) \ +diff --git a/arch/ia64/kernel/process.c b/arch/ia64/kernel/process.c +index e56d63f4abf9d..834df24a88f12 100644 +--- a/arch/ia64/kernel/process.c ++++ b/arch/ia64/kernel/process.c +@@ -523,15 +523,12 @@ exit_thread (struct task_struct *tsk) + } + + unsigned long +-get_wchan (struct task_struct *p) ++__get_wchan (struct task_struct *p) + { + struct unw_frame_info info; + unsigned long ip; + int count = 0; + +- if (!p || p == current || task_is_running(p)) +- return 0; +- + /* + * Note: p may not be a blocked task (it could be current or + * another process running on some other CPU. Rather than +diff --git a/arch/m68k/include/asm/processor.h b/arch/m68k/include/asm/processor.h +index f4d82c619a5c4..ffeda9aa526a5 100644 +--- a/arch/m68k/include/asm/processor.h ++++ b/arch/m68k/include/asm/processor.h +@@ -150,7 +150,7 @@ static inline void release_thread(struct task_struct *dead_task) + { + } + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + #define KSTK_EIP(tsk) \ + ({ \ +diff --git a/arch/m68k/kernel/process.c b/arch/m68k/kernel/process.c +index 1ab692b952cd6..a6030dbaa0891 100644 +--- a/arch/m68k/kernel/process.c ++++ b/arch/m68k/kernel/process.c +@@ -263,13 +263,11 @@ int dump_fpu (struct pt_regs *regs, struct user_m68kfp_struct *fpu) + } + EXPORT_SYMBOL(dump_fpu); + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + unsigned long fp, pc; + unsigned long stack_page; + int count = 0; +- if (!p || p == current || task_is_running(p)) +- return 0; + + stack_page = (unsigned long)task_stack_page(p); + fp = ((struct switch_stack *)p->thread.ksp)->a6; +diff --git a/arch/microblaze/include/asm/processor.h b/arch/microblaze/include/asm/processor.h +index 06c6e493590a2..7e9e92670df33 100644 +--- a/arch/microblaze/include/asm/processor.h ++++ b/arch/microblaze/include/asm/processor.h +@@ -68,7 +68,7 @@ static inline void release_thread(struct task_struct *dead_task) + { + } + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + /* The size allocated for kernel stacks. This _must_ be a power of two! */ + # define KERNEL_STACK_SIZE 0x2000 +diff --git a/arch/microblaze/kernel/process.c b/arch/microblaze/kernel/process.c +index 62aa237180b67..5e2b91c1e8ced 100644 +--- a/arch/microblaze/kernel/process.c ++++ b/arch/microblaze/kernel/process.c +@@ -112,7 +112,7 @@ int copy_thread(unsigned long clone_flags, unsigned long usp, unsigned long arg, + return 0; + } + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + /* TBD (used by procfs) */ + return 0; +diff --git a/arch/mips/include/asm/processor.h b/arch/mips/include/asm/processor.h +index 0c3550c82b726..252ed38ce8c5a 100644 +--- a/arch/mips/include/asm/processor.h ++++ b/arch/mips/include/asm/processor.h +@@ -369,7 +369,7 @@ static inline void flush_thread(void) + { + } + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + #define __KSTK_TOS(tsk) ((unsigned long)task_stack_page(tsk) + \ + THREAD_SIZE - 32 - sizeof(struct pt_regs)) +diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c +index 95aa86fa60778..cbff1b974f882 100644 +--- a/arch/mips/kernel/process.c ++++ b/arch/mips/kernel/process.c +@@ -511,7 +511,7 @@ static int __init frame_info_init(void) + + /* + * Without schedule() frame info, result given by +- * thread_saved_pc() and get_wchan() are not reliable. ++ * thread_saved_pc() and __get_wchan() are not reliable. + */ + if (schedule_mfi.pc_offset < 0) + printk("Can't analyze schedule() prologue at %p\n", schedule); +@@ -652,9 +652,9 @@ unsigned long unwind_stack(struct task_struct *task, unsigned long *sp, + #endif + + /* +- * get_wchan - a maintenance nightmare^W^Wpain in the ass ... ++ * __get_wchan - a maintenance nightmare^W^Wpain in the ass ... + */ +-unsigned long get_wchan(struct task_struct *task) ++unsigned long __get_wchan(struct task_struct *task) + { + unsigned long pc = 0; + #ifdef CONFIG_KALLSYMS +@@ -662,8 +662,6 @@ unsigned long get_wchan(struct task_struct *task) + unsigned long ra = 0; + #endif + +- if (!task || task == current || task_is_running(task)) +- goto out; + if (!task_stack_page(task)) + goto out; + +diff --git a/arch/nds32/include/asm/processor.h b/arch/nds32/include/asm/processor.h +index b82369c7659d4..e6bfc74972bb3 100644 +--- a/arch/nds32/include/asm/processor.h ++++ b/arch/nds32/include/asm/processor.h +@@ -83,7 +83,7 @@ extern struct task_struct *last_task_used_math; + /* Prepare to copy thread state - unlazy all lazy status */ + #define prepare_to_copy(tsk) do { } while (0) + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + #define cpu_relax() barrier() + +diff --git a/arch/nds32/kernel/process.c b/arch/nds32/kernel/process.c +index 391895b54d13c..49fab9e39cbff 100644 +--- a/arch/nds32/kernel/process.c ++++ b/arch/nds32/kernel/process.c +@@ -233,15 +233,12 @@ int dump_fpu(struct pt_regs *regs, elf_fpregset_t * fpu) + + EXPORT_SYMBOL(dump_fpu); + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + unsigned long fp, lr; + unsigned long stack_start, stack_end; + int count = 0; + +- if (!p || p == current || task_is_running(p)) +- return 0; +- + if (IS_ENABLED(CONFIG_FRAME_POINTER)) { + stack_start = (unsigned long)end_of_stack(p); + stack_end = (unsigned long)task_stack_page(p) + THREAD_SIZE; +@@ -258,5 +255,3 @@ unsigned long get_wchan(struct task_struct *p) + } + return 0; + } +- +-EXPORT_SYMBOL(get_wchan); +diff --git a/arch/nios2/include/asm/processor.h b/arch/nios2/include/asm/processor.h +index 94bcb86f679f5..b8125dfbcad2d 100644 +--- a/arch/nios2/include/asm/processor.h ++++ b/arch/nios2/include/asm/processor.h +@@ -69,7 +69,7 @@ static inline void release_thread(struct task_struct *dead_task) + { + } + +-extern unsigned long get_wchan(struct task_struct *p); ++extern unsigned long __get_wchan(struct task_struct *p); + + #define task_pt_regs(p) \ + ((struct pt_regs *)(THREAD_SIZE + task_stack_page(p)) - 1) +diff --git a/arch/nios2/kernel/process.c b/arch/nios2/kernel/process.c +index 9ff37ba2bb603..f8ea522a15880 100644 +--- a/arch/nios2/kernel/process.c ++++ b/arch/nios2/kernel/process.c +@@ -217,15 +217,12 @@ void dump(struct pt_regs *fp) + pr_emerg("\n\n"); + } + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + unsigned long fp, pc; + unsigned long stack_page; + int count = 0; + +- if (!p || p == current || task_is_running(p)) +- return 0; +- + stack_page = (unsigned long)p; + fp = ((struct switch_stack *)p->thread.ksp)->fp; /* ;dgt2 */ + do { +diff --git a/arch/openrisc/include/asm/processor.h b/arch/openrisc/include/asm/processor.h +index ad53b31848859..aa1699c18add8 100644 +--- a/arch/openrisc/include/asm/processor.h ++++ b/arch/openrisc/include/asm/processor.h +@@ -73,7 +73,7 @@ struct thread_struct { + + void start_thread(struct pt_regs *regs, unsigned long nip, unsigned long sp); + void release_thread(struct task_struct *); +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + #define cpu_relax() barrier() + +diff --git a/arch/openrisc/kernel/process.c b/arch/openrisc/kernel/process.c +index b0698d9ce14fa..3c0c91bcdcbaa 100644 +--- a/arch/openrisc/kernel/process.c ++++ b/arch/openrisc/kernel/process.c +@@ -263,7 +263,7 @@ void dump_elf_thread(elf_greg_t *dest, struct pt_regs* regs) + dest[35] = 0; + } + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + /* TODO */ + +diff --git a/arch/parisc/include/asm/processor.h b/arch/parisc/include/asm/processor.h +index eeb7da0642891..85a2dbfe52787 100644 +--- a/arch/parisc/include/asm/processor.h ++++ b/arch/parisc/include/asm/processor.h +@@ -273,7 +273,7 @@ struct mm_struct; + /* Free all resources held by a thread. */ + extern void release_thread(struct task_struct *); + +-extern unsigned long get_wchan(struct task_struct *p); ++extern unsigned long __get_wchan(struct task_struct *p); + + #define KSTK_EIP(tsk) ((tsk)->thread.regs.iaoq[0]) + #define KSTK_ESP(tsk) ((tsk)->thread.regs.gr[30]) +diff --git a/arch/parisc/kernel/process.c b/arch/parisc/kernel/process.c +index 38ec4ae812396..4f562dee65a2c 100644 +--- a/arch/parisc/kernel/process.c ++++ b/arch/parisc/kernel/process.c +@@ -240,15 +240,12 @@ copy_thread(unsigned long clone_flags, unsigned long usp, + } + + unsigned long +-get_wchan(struct task_struct *p) ++__get_wchan(struct task_struct *p) + { + struct unwind_frame_info info; + unsigned long ip; + int count = 0; + +- if (!p || p == current || task_is_running(p)) +- return 0; +- + /* + * These bracket the sleeping functions.. + */ +diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h +index f348e564f7dd5..e39bd0ff69f3a 100644 +--- a/arch/powerpc/include/asm/processor.h ++++ b/arch/powerpc/include/asm/processor.h +@@ -300,7 +300,7 @@ struct thread_struct { + + #define task_pt_regs(tsk) ((tsk)->thread.regs) + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + #define KSTK_EIP(tsk) ((tsk)->thread.regs? (tsk)->thread.regs->nip: 0) + #define KSTK_ESP(tsk) ((tsk)->thread.regs? (tsk)->thread.regs->gpr[1]: 0) +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index 50436b52c2133..406d7ee9e3220 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -2111,14 +2111,11 @@ int validate_sp(unsigned long sp, struct task_struct *p, + + EXPORT_SYMBOL(validate_sp); + +-static unsigned long __get_wchan(struct task_struct *p) ++static unsigned long ___get_wchan(struct task_struct *p) + { + unsigned long ip, sp; + int count = 0; + +- if (!p || p == current || task_is_running(p)) +- return 0; +- + sp = p->thread.ksp; + if (!validate_sp(sp, p, STACK_FRAME_OVERHEAD)) + return 0; +@@ -2137,14 +2134,14 @@ static unsigned long __get_wchan(struct task_struct *p) + return 0; + } + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + unsigned long ret; + + if (!try_get_task_stack(p)) + return 0; + +- ret = __get_wchan(p); ++ ret = ___get_wchan(p); + + put_task_stack(p); + +diff --git a/arch/riscv/include/asm/processor.h b/arch/riscv/include/asm/processor.h +index 46b492c78cbbf..0749924d9e552 100644 +--- a/arch/riscv/include/asm/processor.h ++++ b/arch/riscv/include/asm/processor.h +@@ -66,7 +66,7 @@ static inline void release_thread(struct task_struct *dead_task) + { + } + +-extern unsigned long get_wchan(struct task_struct *p); ++extern unsigned long __get_wchan(struct task_struct *p); + + + static inline void wait_for_interrupt(void) +diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c +index 315db3d0229bf..0fcdc0233faca 100644 +--- a/arch/riscv/kernel/stacktrace.c ++++ b/arch/riscv/kernel/stacktrace.c +@@ -128,16 +128,14 @@ static bool save_wchan(void *arg, unsigned long pc) + return true; + } + +-unsigned long get_wchan(struct task_struct *task) ++unsigned long __get_wchan(struct task_struct *task) + { + unsigned long pc = 0; + +- if (likely(task && task != current && !task_is_running(task))) { +- if (!try_get_task_stack(task)) +- return 0; +- walk_stackframe(task, NULL, save_wchan, &pc); +- put_task_stack(task); +- } ++ if (!try_get_task_stack(task)) ++ return 0; ++ walk_stackframe(task, NULL, save_wchan, &pc); ++ put_task_stack(task); + return pc; + } + +diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h +index 879b8e3f609cd..f54c152bf2bf9 100644 +--- a/arch/s390/include/asm/processor.h ++++ b/arch/s390/include/asm/processor.h +@@ -192,7 +192,7 @@ static inline void release_thread(struct task_struct *tsk) { } + void guarded_storage_release(struct task_struct *tsk); + void gs_load_bc_cb(struct pt_regs *regs); + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + #define task_pt_regs(tsk) ((struct pt_regs *) \ + (task_stack_page(tsk) + THREAD_SIZE) - 1) + #define KSTK_EIP(tsk) (task_pt_regs(tsk)->psw.addr) +diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c +index 350e94d0cac23..e5dd46b1bff8c 100644 +--- a/arch/s390/kernel/process.c ++++ b/arch/s390/kernel/process.c +@@ -181,12 +181,12 @@ void execve_tail(void) + asm volatile("sfpc %0" : : "d" (0)); + } + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + struct unwind_state state; + unsigned long ip = 0; + +- if (!p || p == current || task_is_running(p) || !task_stack_page(p)) ++ if (!task_stack_page(p)) + return 0; + + if (!try_get_task_stack(p)) +diff --git a/arch/sh/include/asm/processor_32.h b/arch/sh/include/asm/processor_32.h +index aa92cc933889d..45240ec6b85a4 100644 +--- a/arch/sh/include/asm/processor_32.h ++++ b/arch/sh/include/asm/processor_32.h +@@ -180,7 +180,7 @@ static inline void show_code(struct pt_regs *regs) + } + #endif + +-extern unsigned long get_wchan(struct task_struct *p); ++extern unsigned long __get_wchan(struct task_struct *p); + + #define KSTK_EIP(tsk) (task_pt_regs(tsk)->pc) + #define KSTK_ESP(tsk) (task_pt_regs(tsk)->regs[15]) +diff --git a/arch/sh/kernel/process_32.c b/arch/sh/kernel/process_32.c +index 717de05c81f49..1c28e3cddb60d 100644 +--- a/arch/sh/kernel/process_32.c ++++ b/arch/sh/kernel/process_32.c +@@ -182,13 +182,10 @@ __switch_to(struct task_struct *prev, struct task_struct *next) + return prev; + } + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + unsigned long pc; + +- if (!p || p == current || task_is_running(p)) +- return 0; +- + /* + * The same comment as on the Alpha applies here, too ... + */ +diff --git a/arch/sparc/include/asm/processor_32.h b/arch/sparc/include/asm/processor_32.h +index b6242f7771e9e..647bf0ac7beb9 100644 +--- a/arch/sparc/include/asm/processor_32.h ++++ b/arch/sparc/include/asm/processor_32.h +@@ -89,7 +89,7 @@ static inline void start_thread(struct pt_regs * regs, unsigned long pc, + /* Free all resources held by a thread. */ + #define release_thread(tsk) do { } while(0) + +-unsigned long get_wchan(struct task_struct *); ++unsigned long __get_wchan(struct task_struct *); + + #define task_pt_regs(tsk) ((tsk)->thread.kregs) + #define KSTK_EIP(tsk) ((tsk)->thread.kregs->pc) +diff --git a/arch/sparc/include/asm/processor_64.h b/arch/sparc/include/asm/processor_64.h +index 5cf145f18f36b..ae851e8fce4c9 100644 +--- a/arch/sparc/include/asm/processor_64.h ++++ b/arch/sparc/include/asm/processor_64.h +@@ -183,7 +183,7 @@ do { \ + /* Free all resources held by a thread. */ + #define release_thread(tsk) do { } while (0) + +-unsigned long get_wchan(struct task_struct *task); ++unsigned long __get_wchan(struct task_struct *task); + + #define task_pt_regs(tsk) (task_thread_info(tsk)->kregs) + #define KSTK_EIP(tsk) (task_pt_regs(tsk)->tpc) +diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c +index bbbe0cfef7465..2dc0bf9fe62eb 100644 +--- a/arch/sparc/kernel/process_32.c ++++ b/arch/sparc/kernel/process_32.c +@@ -365,7 +365,7 @@ int copy_thread(unsigned long clone_flags, unsigned long sp, unsigned long arg, + return 0; + } + +-unsigned long get_wchan(struct task_struct *task) ++unsigned long __get_wchan(struct task_struct *task) + { + unsigned long pc, fp, bias = 0; + unsigned long task_base = (unsigned long) task; +@@ -373,9 +373,6 @@ unsigned long get_wchan(struct task_struct *task) + struct reg_window32 *rw; + int count = 0; + +- if (!task || task == current || task_is_running(task)) +- goto out; +- + fp = task_thread_info(task)->ksp + bias; + do { + /* Bogus frame pointer? */ +diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c +index d1cc410d2f647..f5b2cac8669f9 100644 +--- a/arch/sparc/kernel/process_64.c ++++ b/arch/sparc/kernel/process_64.c +@@ -663,7 +663,7 @@ int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src) + return 0; + } + +-unsigned long get_wchan(struct task_struct *task) ++unsigned long __get_wchan(struct task_struct *task) + { + unsigned long pc, fp, bias = 0; + struct thread_info *tp; +@@ -671,9 +671,6 @@ unsigned long get_wchan(struct task_struct *task) + unsigned long ret = 0; + int count = 0; + +- if (!task || task == current || task_is_running(task)) +- goto out; +- + tp = task_thread_info(task); + bias = STACK_BIAS; + fp = task_thread_info(task)->ksp + bias; +diff --git a/arch/um/include/asm/processor-generic.h b/arch/um/include/asm/processor-generic.h +index b5cf0ed116d9e..579692a40a556 100644 +--- a/arch/um/include/asm/processor-generic.h ++++ b/arch/um/include/asm/processor-generic.h +@@ -106,6 +106,6 @@ extern struct cpuinfo_um boot_cpu_data; + #define cache_line_size() (boot_cpu_data.cache_alignment) + + #define KSTK_REG(tsk, reg) get_thread_reg(reg, &tsk->thread.switch_buf) +-extern unsigned long get_wchan(struct task_struct *p); ++extern unsigned long __get_wchan(struct task_struct *p); + + #endif +diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c +index 457a38db368b7..82107373ac7e9 100644 +--- a/arch/um/kernel/process.c ++++ b/arch/um/kernel/process.c +@@ -364,14 +364,11 @@ unsigned long arch_align_stack(unsigned long sp) + } + #endif + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + unsigned long stack_page, sp, ip; + bool seen_sched = 0; + +- if ((p == NULL) || (p == current) || task_is_running(p)) +- return 0; +- + stack_page = (unsigned long) task_stack_page(p); + /* Bail if the process has no kernel stack for some reason */ + if (stack_page == 0) +diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h +index 577f342dbfb27..2b5f6c6c2b322 100644 +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -590,7 +590,7 @@ static inline void load_sp0(unsigned long sp0) + /* Free all resources held by a thread. */ + extern void release_thread(struct task_struct *); + +-unsigned long get_wchan(struct task_struct *p); ++unsigned long __get_wchan(struct task_struct *p); + + /* + * Generic CPUID function +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index cd426c3283ee1..266962547b58c 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -943,13 +943,10 @@ unsigned long arch_randomize_brk(struct mm_struct *mm) + * because the task might wake up and we might look at a stack + * changing under us. + */ +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + unsigned long entry = 0; + +- if (p == current || task_is_running(p)) +- return 0; +- + stack_trace_save_tsk(p, &entry, 1, 0); + return entry; + } +diff --git a/arch/xtensa/include/asm/processor.h b/arch/xtensa/include/asm/processor.h +index 7f63aca6a0d34..ad15fbc572838 100644 +--- a/arch/xtensa/include/asm/processor.h ++++ b/arch/xtensa/include/asm/processor.h +@@ -215,7 +215,7 @@ struct mm_struct; + /* Free all resources held by a thread. */ + #define release_thread(thread) do { } while(0) + +-extern unsigned long get_wchan(struct task_struct *p); ++extern unsigned long __get_wchan(struct task_struct *p); + + #define KSTK_EIP(tsk) (task_pt_regs(tsk)->pc) + #define KSTK_ESP(tsk) (task_pt_regs(tsk)->areg[1]) +diff --git a/arch/xtensa/kernel/process.c b/arch/xtensa/kernel/process.c +index 0601653406123..47f933fed8700 100644 +--- a/arch/xtensa/kernel/process.c ++++ b/arch/xtensa/kernel/process.c +@@ -298,15 +298,12 @@ int copy_thread(unsigned long clone_flags, unsigned long usp_thread_fn, + * These bracket the sleeping functions.. + */ + +-unsigned long get_wchan(struct task_struct *p) ++unsigned long __get_wchan(struct task_struct *p) + { + unsigned long sp, pc; + unsigned long stack_page = (unsigned long) task_stack_page(p); + int count = 0; + +- if (!p || p == current || task_is_running(p)) +- return 0; +- + sp = p->thread.sp; + pc = MAKE_PC_FROM_RA(p->thread.ra, p->thread.sp); + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index c1a927ddec646..71b012a224e4c 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -2137,6 +2137,7 @@ static inline void set_task_cpu(struct task_struct *p, unsigned int cpu) + #endif /* CONFIG_SMP */ + + extern bool sched_task_on_rq(struct task_struct *p); ++extern unsigned long get_wchan(struct task_struct *p); + + /* + * In order to reduce various lock holder preemption latencies provide an +diff --git a/kernel/sched/core.c b/kernel/sched/core.c +index aea60eae21a7f..d37f959ed1ab8 100644 +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -1962,6 +1962,25 @@ bool sched_task_on_rq(struct task_struct *p) + return task_on_rq_queued(p); + } + ++unsigned long get_wchan(struct task_struct *p) ++{ ++ unsigned long ip = 0; ++ unsigned int state; ++ ++ if (!p || p == current) ++ return 0; ++ ++ /* Only get wchan if task is blocked and we can keep it that way. */ ++ raw_spin_lock_irq(&p->pi_lock); ++ state = READ_ONCE(p->__state); ++ smp_rmb(); /* see try_to_wake_up() */ ++ if (state != TASK_RUNNING && state != TASK_WAKING && !p->on_rq) ++ ip = __get_wchan(p); ++ raw_spin_unlock_irq(&p->pi_lock); ++ ++ return ip; ++} ++ + static inline void enqueue_task(struct rq *rq, struct task_struct *p, int flags) + { + if (!(flags & ENQUEUE_NOCLOCK)) +-- +2.33.0 + diff --git a/queue-5.15/scs-release-kasan-vmalloc-poison-in-scs_free-process.patch b/queue-5.15/scs-release-kasan-vmalloc-poison-in-scs_free-process.patch new file mode 100644 index 00000000000..d0226cf3ddb --- /dev/null +++ b/queue-5.15/scs-release-kasan-vmalloc-poison-in-scs_free-process.patch @@ -0,0 +1,97 @@ +From 2bb518d981235c6fbca0cd27ee2cbe1f05c5209e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Sep 2021 16:16:13 +0800 +Subject: scs: Release kasan vmalloc poison in scs_free process + +From: Yee Lee + +[ Upstream commit 528a4ab45300fa6283556d9b48e26b45a8aa15c4 ] + +Since scs allocation is moved to vmalloc region, the +shadow stack is protected by kasan_posion_vmalloc. +However, the vfree_atomic operation needs to access +its context for scs_free process and causes kasan error +as the dump info below. + +This patch Adds kasan_unpoison_vmalloc() before vfree_atomic, +which aligns to the prior flow as using kmem_cache. +The vmalloc region will go back posioned in the following +vumap() operations. + + ================================================================== + BUG: KASAN: vmalloc-out-of-bounds in llist_add_batch+0x60/0xd4 + Write of size 8 at addr ffff8000100b9000 by task kthreadd/2 + + CPU: 0 PID: 2 Comm: kthreadd Not tainted 5.15.0-rc2-11681-g92477dd1faa6-dirty #1 + Hardware name: linux,dummy-virt (DT) + Call trace: + dump_backtrace+0x0/0x43c + show_stack+0x1c/0x2c + dump_stack_lvl+0x68/0x84 + print_address_description+0x80/0x394 + kasan_report+0x180/0x1dc + __asan_report_store8_noabort+0x48/0x58 + llist_add_batch+0x60/0xd4 + vfree_atomic+0x60/0xe0 + scs_free+0x1dc/0x1fc + scs_release+0xa4/0xd4 + free_task+0x30/0xe4 + __put_task_struct+0x1ec/0x2e0 + delayed_put_task_struct+0x5c/0xa0 + rcu_do_batch+0x62c/0x8a0 + rcu_core+0x60c/0xc14 + rcu_core_si+0x14/0x24 + __do_softirq+0x19c/0x68c + irq_exit+0x118/0x2dc + handle_domain_irq+0xcc/0x134 + gic_handle_irq+0x7c/0x1bc + call_on_irq_stack+0x40/0x70 + do_interrupt_handler+0x78/0x9c + el1_interrupt+0x34/0x60 + el1h_64_irq_handler+0x1c/0x2c + el1h_64_irq+0x78/0x7c + _raw_spin_unlock_irqrestore+0x40/0xcc + sched_fork+0x4f0/0xb00 + copy_process+0xacc/0x3648 + kernel_clone+0x168/0x534 + kernel_thread+0x13c/0x1b0 + kthreadd+0x2bc/0x400 + ret_from_fork+0x10/0x20 + + Memory state around the buggy address: + ffff8000100b8f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffff8000100b8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + >ffff8000100b9000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ^ + ffff8000100b9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ffff8000100b9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + ================================================================== + +Suggested-by: Kuan-Ying Lee +Acked-by: Will Deacon +Tested-by: Will Deacon +Reviewed-by: Sami Tolvanen +Signed-off-by: Yee Lee +Fixes: a2abe7cbd8fe ("scs: switch to vmapped shadow stacks") +Link: https://lore.kernel.org/r/20210930081619.30091-1-yee.lee@mediatek.com +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + kernel/scs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/scs.c b/kernel/scs.c +index e2a71fc82fa06..579841be88646 100644 +--- a/kernel/scs.c ++++ b/kernel/scs.c +@@ -78,6 +78,7 @@ void scs_free(void *s) + if (this_cpu_cmpxchg(scs_cache[i], 0, s) == NULL) + return; + ++ kasan_unpoison_vmalloc(s, SCS_SIZE); + vfree_atomic(s); + } + +-- +2.33.0 + diff --git a/queue-5.15/scsi-bsg-fix-errno-when-scsi_bsg_register_queue-fail.patch b/queue-5.15/scsi-bsg-fix-errno-when-scsi_bsg_register_queue-fail.patch new file mode 100644 index 00000000000..57c44b1032d --- /dev/null +++ b/queue-5.15/scsi-bsg-fix-errno-when-scsi_bsg_register_queue-fail.patch @@ -0,0 +1,39 @@ +From c1726d9e4a7900ccde2e2d4969cd5c3cc8607fa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 09:02:01 +0800 +Subject: scsi: bsg: Fix errno when scsi_bsg_register_queue() fails + +From: Jackie Liu + +[ Upstream commit 5f7cf82c1d7373fcf9e1062f5654efd5fa2b9211 ] + +When the value of error is printed, it will always be 0. We should print +the correct error code when scsi_bsg_register_queue() fails. + +Link: https://lore.kernel.org/r/20211022010201.426746-1-liu.yun@linux.dev +Fixes: ead09dd3aed5 ("scsi: bsg: Simplify device registration") +Cc: Jens Axboe +Cc: Christoph Hellwig +Reviewed-by: Christoph Hellwig +Signed-off-by: Jackie Liu +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_sysfs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c +index a35841b34bfd9..8bb79ccc9a8b5 100644 +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -1388,6 +1388,7 @@ int scsi_sysfs_add_sdev(struct scsi_device *sdev) + * We're treating error on bsg register as non-fatal, so + * pretend nothing went wrong. + */ ++ error = PTR_ERR(sdev->bsg_dev); + sdev_printk(KERN_INFO, sdev, + "Failed to register bsg queue, errno=%d\n", + error); +-- +2.33.0 + diff --git a/queue-5.15/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch b/queue-5.15/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch new file mode 100644 index 00000000000..8194228ad77 --- /dev/null +++ b/queue-5.15/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch @@ -0,0 +1,40 @@ +From f83ff2f80f2c025eee5cee73ff536b265fe08a19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 10:32:43 +0300 +Subject: scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn() + +From: Dan Carpenter + +[ Upstream commit f4875d509a0a78ad294a1a538d534b5ba94e685a ] + +This variable is just a temporary variable, used to do an endian +conversion. The problem is that the last byte is not initialized. After +the conversion is completely done, the last byte is discarded so it doesn't +cause a problem. But static checkers and the KMSan runtime checker can +detect the uninitialized read and will complain about it. + +Link: https://lore.kernel.org/r/20211006073242.GA8404@kili +Fixes: 5036f0a0ecd3 ("[SCSI] csiostor: Fix sparse warnings.") +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_lnode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c +index dc98f51f466fb..d5ac938970232 100644 +--- a/drivers/scsi/csiostor/csio_lnode.c ++++ b/drivers/scsi/csiostor/csio_lnode.c +@@ -619,7 +619,7 @@ csio_ln_vnp_read_cbfn(struct csio_hw *hw, struct csio_mb *mbp) + struct fc_els_csp *csp; + struct fc_els_cssp *clsp; + enum fw_retval retval; +- __be32 nport_id; ++ __be32 nport_id = 0; + + retval = FW_CMD_RETVAL_G(ntohl(rsp->alloc_to_len16)); + if (retval != FW_SUCCESS) { +-- +2.33.0 + diff --git a/queue-5.15/scsi-dc395-fix-error-case-unwinding.patch b/queue-5.15/scsi-dc395-fix-error-case-unwinding.patch new file mode 100644 index 00000000000..a2391eb98e4 --- /dev/null +++ b/queue-5.15/scsi-dc395-fix-error-case-unwinding.patch @@ -0,0 +1,43 @@ +From 00e9d7751a750eca31a07bab202c26b174a4246e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 21:07:02 -0700 +Subject: scsi: dc395: Fix error case unwinding + +From: Tong Zhang + +[ Upstream commit cbd9a3347c757383f3d2b50cf7cfd03eb479c481 ] + +dc395x_init_one()->adapter_init() might fail. In this case, the acb is +already cleaned up by adapter_init(), no need to do that in +adapter_uninit(acb) again. + +[ 1.252251] dc395x: adapter init failed +[ 1.254900] RIP: 0010:adapter_uninit+0x94/0x170 [dc395x] +[ 1.260307] Call Trace: +[ 1.260442] dc395x_init_one.cold+0x72a/0x9bb [dc395x] + +Link: https://lore.kernel.org/r/20210907040702.1846409-1-ztong0001@gmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Finn Thain +Signed-off-by: Tong Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/dc395x.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c +index 24c7cefb0b78a..1c79e6c271630 100644 +--- a/drivers/scsi/dc395x.c ++++ b/drivers/scsi/dc395x.c +@@ -4618,6 +4618,7 @@ static int dc395x_init_one(struct pci_dev *dev, const struct pci_device_id *id) + /* initialise the adapter and everything we need */ + if (adapter_init(acb, io_port_base, io_port_len, irq)) { + dprintkl(KERN_INFO, "adapter init failed\n"); ++ acb = NULL; + goto fail; + } + +-- +2.33.0 + diff --git a/queue-5.15/scsi-lpfc-fix-nvme-i-o-failover-to-non-optimized-pat.patch b/queue-5.15/scsi-lpfc-fix-nvme-i-o-failover-to-non-optimized-pat.patch new file mode 100644 index 00000000000..cbe6ca620ef --- /dev/null +++ b/queue-5.15/scsi-lpfc-fix-nvme-i-o-failover-to-non-optimized-pat.patch @@ -0,0 +1,45 @@ +From 3e64c3b56245926108f1b202068d76ee145c0beb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Sep 2021 16:31:52 -0700 +Subject: scsi: lpfc: Fix NVMe I/O failover to non-optimized path + +From: James Smart + +[ Upstream commit b507357f79171fb4fb4e732ca43a1f30bc5aab1d ] + +Currently, we hold off unregistering with NVMe transport layer until GID_FT +or ADISC completes upon receipt of RSCN. In the ADISC discovery routine, +for nodes not found in the GID_FT response, the nodes are unregistered from +the SCSI transport but not UNREG_RPI'd. Meaning outstanding WQEs continue +to be outstanding and were not failed back to the OS. If an NVMe device, +this mean there wasn't initial termination of the I/Os so they could be +issued on a different NVMe path. + +Fix by unregistering the RPI so that I/O is cancelled. + +Link: https://lore.kernel.org/r/20210910233159.115896-8-jsmart2021@gmail.com +Fixes: 0614568361b0 ("scsi: lpfc: Delay unregistering from transport until GIDFT or ADISC completes") +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index 0a68e565147a7..666b0a1b558ac 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -6215,6 +6215,7 @@ lpfc_els_disc_adisc(struct lpfc_vport *vport) + * from backend + */ + lpfc_nlp_unreg_node(vport, ndlp); ++ lpfc_unreg_rpi(vport, ndlp); + continue; + } + +-- +2.33.0 + diff --git a/queue-5.15/scsi-lpfc-wait-for-successful-restart-of-sli3-adapte.patch b/queue-5.15/scsi-lpfc-wait-for-successful-restart-of-sli3-adapte.patch new file mode 100644 index 00000000000..bcf44171987 --- /dev/null +++ b/queue-5.15/scsi-lpfc-wait-for-successful-restart-of-sli3-adapte.patch @@ -0,0 +1,54 @@ +From ed22fe1cef012a5a960e3e66791f7e5695a8b060 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 14:14:11 -0700 +Subject: scsi: lpfc: Wait for successful restart of SLI3 adapter during host + sg_reset + +From: James Smart + +[ Upstream commit d305c253af693e69a36cedec880aca6d0c6d789d ] + +A prior patch introduced HBA_NEEDS_CFG_PORT flag logic, but in +lpfc_sli_brdrestart_s3() code path, right after HBA_NEEDS_CFG_PORT is set, +the phba->hba_flag is cleared in lpfc_sli_brdreset(). + +Fix by calling lpfc_sli_chipset_init() to wait for successful restart of +the HBA in lpfc_host_reset_handler() after lpfc_sli_brdrestart(). + +lpfc_sli_chipset_init() sets the HBA_NEEDS_CFG_PORT flag so that the +lpfc_sli_hba_setup() routine from lpfc_online() will execute +lpfc_sli_config_port() initialization step when the brdrestart is +successful. + +Link: https://lore.kernel.org/r/20211020211417.88754-3-jsmart2021@gmail.com +Fixes: d2f2547efd39 ("scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3") +Co-developed-by: Justin Tee +Signed-off-by: Justin Tee +Signed-off-by: James Smart +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_scsi.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c +index befdf864c43bd..364c8a9b99095 100644 +--- a/drivers/scsi/lpfc/lpfc_scsi.c ++++ b/drivers/scsi/lpfc/lpfc_scsi.c +@@ -6628,6 +6628,13 @@ lpfc_host_reset_handler(struct scsi_cmnd *cmnd) + if (rc) + goto error; + ++ /* Wait for successful restart of adapter */ ++ if (phba->sli_rev < LPFC_SLI_REV4) { ++ rc = lpfc_sli_chipset_init(phba); ++ if (rc) ++ goto error; ++ } ++ + rc = lpfc_online(phba); + if (rc) + goto error; +-- +2.33.0 + diff --git a/queue-5.15/scsi-megaraid_sas-fix-concurrent-access-to-isr-betwe.patch b/queue-5.15/scsi-megaraid_sas-fix-concurrent-access-to-isr-betwe.patch new file mode 100644 index 00000000000..21587c872e0 --- /dev/null +++ b/queue-5.15/scsi-megaraid_sas-fix-concurrent-access-to-isr-betwe.patch @@ -0,0 +1,74 @@ +From 6d4fd8c3ec2dba439f252f859f47426448789493 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 18:10:20 +0530 +Subject: scsi: megaraid_sas: Fix concurrent access to ISR between IRQ polling + and real interrupt + +From: Sumit Saxena + +[ Upstream commit e7dcc514a49e74051b869697d5ab0370f6301d57 ] + +IRQ polling thread calls ISR after enable_irq() to handle any missed I/O +completion. The atomic flag "in_used" was added to have the synchronization +between the IRQ polling thread and the interrupt context. There is a bug +around it leading to a race condition. + +Below is the sequence: + + - IRQ polling thread accesses ISR, fetches the reply descriptor. + + - Real interrupt arrives and pre-empts polling thread (enable_irq() is + already called). + + - Interrupt context picks the same reply descriptor as fetched by polling + thread, processes it, and exits. + + - Polling thread resumes and processes the descriptor which is already + processed by interrupt thread leads to kernel crash. + +Setting the "in_used" flag before fetching the reply descriptor ensures +synchronized access to ISR. + +Link: https://www.spinics.net/lists/linux-scsi/msg159440.html +Link: https://lore.kernel.org/r/20210929124022.24605-2-sumit.saxena@broadcom.com +Fixes: 9bedd36e9146 ("scsi: megaraid_sas: Handle missing interrupts while re-enabling IRQs") +Signed-off-by: Sumit Saxena +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c b/drivers/scsi/megaraid/megaraid_sas_fusion.c +index 26d0cf9353dd6..eb5ceb75a15ec 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -3530,6 +3530,9 @@ complete_cmd_fusion(struct megasas_instance *instance, u32 MSIxIndex, + if (atomic_read(&instance->adprecovery) == MEGASAS_HW_CRITICAL_ERROR) + return IRQ_HANDLED; + ++ if (irq_context && !atomic_add_unless(&irq_context->in_used, 1, 1)) ++ return 0; ++ + desc = fusion->reply_frames_desc[MSIxIndex] + + fusion->last_reply_idx[MSIxIndex]; + +@@ -3540,11 +3543,11 @@ complete_cmd_fusion(struct megasas_instance *instance, u32 MSIxIndex, + reply_descript_type = reply_desc->ReplyFlags & + MPI2_RPY_DESCRIPT_FLAGS_TYPE_MASK; + +- if (reply_descript_type == MPI2_RPY_DESCRIPT_FLAGS_UNUSED) ++ if (reply_descript_type == MPI2_RPY_DESCRIPT_FLAGS_UNUSED) { ++ if (irq_context) ++ atomic_dec(&irq_context->in_used); + return IRQ_NONE; +- +- if (irq_context && !atomic_add_unless(&irq_context->in_used, 1, 1)) +- return 0; ++ } + + num_completed = 0; + +-- +2.33.0 + diff --git a/queue-5.15/scsi-pm80xx-fix-lockup-in-outbound-queue-management.patch b/queue-5.15/scsi-pm80xx-fix-lockup-in-outbound-queue-management.patch new file mode 100644 index 00000000000..e63dff9ef90 --- /dev/null +++ b/queue-5.15/scsi-pm80xx-fix-lockup-in-outbound-queue-management.patch @@ -0,0 +1,234 @@ +From 2e193d36b4f91a6378eda1f0ad69ec23b97d1305 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 22:34:02 +0530 +Subject: scsi: pm80xx: Fix lockup in outbound queue management + +From: Ajish Koshy + +[ Upstream commit b27a40534ef76a22628a5c12f98ea489823a8ba5 ] + +Commit 1f02beff224e ("scsi: pm80xx: Remove global lock from outbound queue +processing") introduced a lock per outbound queue. Prior to that change the +driver was using a global lock for all outbound queues. + +While processing the I/O responses and events the driver takes the outbound +queue spinlock and is supposed to release it in pm8001_ccb_task_free_done() +before calling command done(). Since the older code was using a global +lock, pm8001_ccb_task_free_done() was releasing the global spin lock. The +change that split the lock per outbound queue did not consider this and +pm8001_ccb_task_free_done() was still releasing the global lock. + +Link: https://lore.kernel.org/r/20210906170404.5682-3-Ajish.Koshy@microchip.com +Fixes: 1f02beff224e ("scsi: pm80xx: Remove global lock from outbound queue processing") +Acked-by: Jack Wang +Signed-off-by: Ajish Koshy +Signed-off-by: Viswas G +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_sas.h | 3 +- + drivers/scsi/pm8001/pm80xx_hwi.c | 53 ++++++++++++++++++++++++++------ + 2 files changed, 45 insertions(+), 11 deletions(-) + +diff --git a/drivers/scsi/pm8001/pm8001_sas.h b/drivers/scsi/pm8001/pm8001_sas.h +index 62d08b535a4b6..e18f2b60371db 100644 +--- a/drivers/scsi/pm8001/pm8001_sas.h ++++ b/drivers/scsi/pm8001/pm8001_sas.h +@@ -457,6 +457,7 @@ struct outbound_queue_table { + __le32 producer_index; + u32 consumer_idx; + spinlock_t oq_lock; ++ unsigned long lock_flags; + }; + struct pm8001_hba_memspace { + void __iomem *memvirtaddr; +@@ -738,9 +739,7 @@ pm8001_ccb_task_free_done(struct pm8001_hba_info *pm8001_ha, + { + pm8001_ccb_task_free(pm8001_ha, task, ccb, ccb_idx); + smp_mb(); /*in order to force CPU ordering*/ +- spin_unlock(&pm8001_ha->lock); + task->task_done(task); +- spin_lock(&pm8001_ha->lock); + } + + #endif +diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c +index 6ffe17b849ae8..ed02e1aaf868c 100644 +--- a/drivers/scsi/pm8001/pm80xx_hwi.c ++++ b/drivers/scsi/pm8001/pm80xx_hwi.c +@@ -2379,7 +2379,8 @@ static void mpi_ssp_event(struct pm8001_hba_info *pm8001_ha, void *piomb) + + /*See the comments for mpi_ssp_completion */ + static void +-mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) ++mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, ++ struct outbound_queue_table *circularQ, void *piomb) + { + struct sas_task *t; + struct pm8001_ccb_info *ccb; +@@ -2616,7 +2617,11 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + IO_OPEN_CNX_ERROR_IT_NEXUS_LOSS); + ts->resp = SAS_TASK_UNDELIVERED; + ts->stat = SAS_QUEUE_FULL; ++ spin_unlock_irqrestore(&circularQ->oq_lock, ++ circularQ->lock_flags); + pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); ++ spin_lock_irqsave(&circularQ->oq_lock, ++ circularQ->lock_flags); + return; + } + break; +@@ -2632,7 +2637,11 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + IO_OPEN_CNX_ERROR_IT_NEXUS_LOSS); + ts->resp = SAS_TASK_UNDELIVERED; + ts->stat = SAS_QUEUE_FULL; ++ spin_unlock_irqrestore(&circularQ->oq_lock, ++ circularQ->lock_flags); + pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); ++ spin_lock_irqsave(&circularQ->oq_lock, ++ circularQ->lock_flags); + return; + } + break; +@@ -2656,7 +2665,11 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + IO_OPEN_CNX_ERROR_STP_RESOURCES_BUSY); + ts->resp = SAS_TASK_UNDELIVERED; + ts->stat = SAS_QUEUE_FULL; ++ spin_unlock_irqrestore(&circularQ->oq_lock, ++ circularQ->lock_flags); + pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); ++ spin_lock_irqsave(&circularQ->oq_lock, ++ circularQ->lock_flags); + return; + } + break; +@@ -2727,7 +2740,11 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + IO_DS_NON_OPERATIONAL); + ts->resp = SAS_TASK_UNDELIVERED; + ts->stat = SAS_QUEUE_FULL; ++ spin_unlock_irqrestore(&circularQ->oq_lock, ++ circularQ->lock_flags); + pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); ++ spin_lock_irqsave(&circularQ->oq_lock, ++ circularQ->lock_flags); + return; + } + break; +@@ -2747,7 +2764,11 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + IO_DS_IN_ERROR); + ts->resp = SAS_TASK_UNDELIVERED; + ts->stat = SAS_QUEUE_FULL; ++ spin_unlock_irqrestore(&circularQ->oq_lock, ++ circularQ->lock_flags); + pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); ++ spin_lock_irqsave(&circularQ->oq_lock, ++ circularQ->lock_flags); + return; + } + break; +@@ -2785,12 +2806,17 @@ mpi_sata_completion(struct pm8001_hba_info *pm8001_ha, void *piomb) + pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); + } else { + spin_unlock_irqrestore(&t->task_state_lock, flags); ++ spin_unlock_irqrestore(&circularQ->oq_lock, ++ circularQ->lock_flags); + pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); ++ spin_lock_irqsave(&circularQ->oq_lock, ++ circularQ->lock_flags); + } + } + + /*See the comments for mpi_ssp_completion */ +-static void mpi_sata_event(struct pm8001_hba_info *pm8001_ha, void *piomb) ++static void mpi_sata_event(struct pm8001_hba_info *pm8001_ha, ++ struct outbound_queue_table *circularQ, void *piomb) + { + struct sas_task *t; + struct task_status_struct *ts; +@@ -2890,7 +2916,11 @@ static void mpi_sata_event(struct pm8001_hba_info *pm8001_ha, void *piomb) + IO_OPEN_CNX_ERROR_IT_NEXUS_LOSS); + ts->resp = SAS_TASK_COMPLETE; + ts->stat = SAS_QUEUE_FULL; ++ spin_unlock_irqrestore(&circularQ->oq_lock, ++ circularQ->lock_flags); + pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); ++ spin_lock_irqsave(&circularQ->oq_lock, ++ circularQ->lock_flags); + return; + } + break; +@@ -3002,7 +3032,11 @@ static void mpi_sata_event(struct pm8001_hba_info *pm8001_ha, void *piomb) + pm8001_ccb_task_free(pm8001_ha, t, ccb, tag); + } else { + spin_unlock_irqrestore(&t->task_state_lock, flags); ++ spin_unlock_irqrestore(&circularQ->oq_lock, ++ circularQ->lock_flags); + pm8001_ccb_task_free_done(pm8001_ha, t, ccb, tag); ++ spin_lock_irqsave(&circularQ->oq_lock, ++ circularQ->lock_flags); + } + } + +@@ -3902,7 +3936,8 @@ static int ssp_coalesced_comp_resp(struct pm8001_hba_info *pm8001_ha, + * @pm8001_ha: our hba card information + * @piomb: IO message buffer + */ +-static void process_one_iomb(struct pm8001_hba_info *pm8001_ha, void *piomb) ++static void process_one_iomb(struct pm8001_hba_info *pm8001_ha, ++ struct outbound_queue_table *circularQ, void *piomb) + { + __le32 pHeader = *(__le32 *)piomb; + u32 opc = (u32)((le32_to_cpu(pHeader)) & 0xFFF); +@@ -3944,11 +3979,11 @@ static void process_one_iomb(struct pm8001_hba_info *pm8001_ha, void *piomb) + break; + case OPC_OUB_SATA_COMP: + pm8001_dbg(pm8001_ha, MSG, "OPC_OUB_SATA_COMP\n"); +- mpi_sata_completion(pm8001_ha, piomb); ++ mpi_sata_completion(pm8001_ha, circularQ, piomb); + break; + case OPC_OUB_SATA_EVENT: + pm8001_dbg(pm8001_ha, MSG, "OPC_OUB_SATA_EVENT\n"); +- mpi_sata_event(pm8001_ha, piomb); ++ mpi_sata_event(pm8001_ha, circularQ, piomb); + break; + case OPC_OUB_SSP_EVENT: + pm8001_dbg(pm8001_ha, MSG, "OPC_OUB_SSP_EVENT\n"); +@@ -4117,7 +4152,6 @@ static int process_oq(struct pm8001_hba_info *pm8001_ha, u8 vec) + void *pMsg1 = NULL; + u8 bc; + u32 ret = MPI_IO_STATUS_FAIL; +- unsigned long flags; + u32 regval; + + if (vec == (pm8001_ha->max_q_num - 1)) { +@@ -4134,7 +4168,7 @@ static int process_oq(struct pm8001_hba_info *pm8001_ha, u8 vec) + } + } + circularQ = &pm8001_ha->outbnd_q_tbl[vec]; +- spin_lock_irqsave(&circularQ->oq_lock, flags); ++ spin_lock_irqsave(&circularQ->oq_lock, circularQ->lock_flags); + do { + /* spurious interrupt during setup if kexec-ing and + * driver doing a doorbell access w/ the pre-kexec oq +@@ -4145,7 +4179,8 @@ static int process_oq(struct pm8001_hba_info *pm8001_ha, u8 vec) + ret = pm8001_mpi_msg_consume(pm8001_ha, circularQ, &pMsg1, &bc); + if (MPI_IO_STATUS_SUCCESS == ret) { + /* process the outbound message */ +- process_one_iomb(pm8001_ha, (void *)(pMsg1 - 4)); ++ process_one_iomb(pm8001_ha, circularQ, ++ (void *)(pMsg1 - 4)); + /* free the message from the outbound circular buffer */ + pm8001_mpi_msg_free_set(pm8001_ha, pMsg1, + circularQ, bc); +@@ -4160,7 +4195,7 @@ static int process_oq(struct pm8001_hba_info *pm8001_ha, u8 vec) + break; + } + } while (1); +- spin_unlock_irqrestore(&circularQ->oq_lock, flags); ++ spin_unlock_irqrestore(&circularQ->oq_lock, circularQ->lock_flags); + return ret; + } + +-- +2.33.0 + diff --git a/queue-5.15/scsi-pm80xx-fix-misleading-log-statement-in-pm8001_m.patch b/queue-5.15/scsi-pm80xx-fix-misleading-log-statement-in-pm8001_m.patch new file mode 100644 index 00000000000..c26669e2663 --- /dev/null +++ b/queue-5.15/scsi-pm80xx-fix-misleading-log-statement-in-pm8001_m.patch @@ -0,0 +1,40 @@ +From 16632b417a5113b98462436f30686806e3ece095 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 19:58:47 -0700 +Subject: scsi: pm80xx: Fix misleading log statement in + pm8001_mpi_get_nvmd_resp() + +From: Igor Pylypiv + +[ Upstream commit 4084a7235d38311a77c86ba69ba849bd787db87b ] + +pm8001_mpi_get_nvmd_resp() handles a GET_NVMD_DATA response, not a +SET_NVMD_DATA response, as the log statement implies. + +Fixes: 1f889b58716a ("scsi: pm80xx: Fix pm8001_mpi_get_nvmd_resp() race condition") +Link: https://lore.kernel.org/r/20210929025847.646999-1-ipylypiv@google.com +Reviewed-by: Changyuan Lyu +Acked-by: Jack Wang +Signed-off-by: Igor Pylypiv +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/pm8001/pm8001_hwi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c +index 63690508313b7..639b7e38a1947 100644 +--- a/drivers/scsi/pm8001/pm8001_hwi.c ++++ b/drivers/scsi/pm8001/pm8001_hwi.c +@@ -3169,7 +3169,7 @@ pm8001_mpi_get_nvmd_resp(struct pm8001_hba_info *pm8001_ha, void *piomb) + * fw_control_context->usrAddr + */ + complete(pm8001_ha->nvmd_completion); +- pm8001_dbg(pm8001_ha, MSG, "Set nvm data complete!\n"); ++ pm8001_dbg(pm8001_ha, MSG, "Get nvmd data complete!\n"); + ccb->task = NULL; + ccb->ccb_tag = 0xFFFFFFFF; + pm8001_tag_free(pm8001_ha, tag); +-- +2.33.0 + diff --git a/queue-5.15/scsi-qla2xxx-edif-fix-app-start-delay.patch b/queue-5.15/scsi-qla2xxx-edif-fix-app-start-delay.patch new file mode 100644 index 00000000000..88faa1d34ad --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-edif-fix-app-start-delay.patch @@ -0,0 +1,127 @@ +From 61a217241ad8d2363b3a38544dfd84249ffd0b95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:04 -0700 +Subject: scsi: qla2xxx: edif: Fix app start delay + +From: Quinn Tran + +[ Upstream commit b492d6a4880fddce098472dec5086d37802c68d3 ] + +Current driver does unnecessary pause for each session to get to certain +state before allowing the app start call to return. In larger environment, +this introduces a long delay. Originally the delay was meant to +synchronize app and driver. However, the with current implementation the +two sides use various events to synchronize their state. + +The same is applied to the authentication failure call. + +Link: https://lore.kernel.org/r/20211026115412.27691-6-njavali@marvell.com +Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_edif.c | 64 ++------------------------------- + 1 file changed, 3 insertions(+), 61 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c +index 615596becb7a1..cf62f26ce27d9 100644 +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -290,63 +290,6 @@ qla_edif_app_check(scsi_qla_host_t *vha, struct app_id appid) + return false; + } + +-static void qla_edif_reset_auth_wait(struct fc_port *fcport, int state, +- int waitonly) +-{ +- int cnt, max_cnt = 200; +- bool traced = false; +- +- fcport->keep_nport_handle = 1; +- +- if (!waitonly) { +- qla2x00_set_fcport_disc_state(fcport, state); +- qlt_schedule_sess_for_deletion(fcport); +- } else { +- qla2x00_set_fcport_disc_state(fcport, state); +- } +- +- ql_dbg(ql_dbg_edif, fcport->vha, 0xf086, +- "%s: waiting for session, max_cnt=%u\n", +- __func__, max_cnt); +- +- cnt = 0; +- +- if (waitonly) { +- /* Marker wait min 10 msecs. */ +- msleep(50); +- cnt += 50; +- } +- while (1) { +- if (!traced) { +- ql_dbg(ql_dbg_edif, fcport->vha, 0xf086, +- "%s: session sleep.\n", +- __func__); +- traced = true; +- } +- msleep(20); +- cnt++; +- if (waitonly && (fcport->disc_state == state || +- fcport->disc_state == DSC_LOGIN_COMPLETE)) +- break; +- if (fcport->disc_state == DSC_LOGIN_AUTH_PEND) +- break; +- if (cnt > max_cnt) +- break; +- } +- +- if (!waitonly) { +- ql_dbg(ql_dbg_edif, fcport->vha, 0xf086, +- "%s: waited for session - %8phC, loopid=%x portid=%06x fcport=%p state=%u, cnt=%u\n", +- __func__, fcport->port_name, fcport->loop_id, +- fcport->d_id.b24, fcport, fcport->disc_state, cnt); +- } else { +- ql_dbg(ql_dbg_edif, fcport->vha, 0xf086, +- "%s: waited ONLY for session - %8phC, loopid=%x portid=%06x fcport=%p state=%u, cnt=%u\n", +- __func__, fcport->port_name, fcport->loop_id, +- fcport->d_id.b24, fcport, fcport->disc_state, cnt); +- } +-} +- + static void + qla_edif_free_sa_ctl(fc_port_t *fcport, struct edif_sa_ctl *sa_ctl, + int index) +@@ -583,8 +526,8 @@ qla_edif_app_start(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + ql_dbg(ql_dbg_edif, vha, 0x911e, + "%s wwpn %8phC calling qla_edif_reset_auth_wait\n", + __func__, fcport->port_name); +- fcport->edif.app_sess_online = 1; +- qla_edif_reset_auth_wait(fcport, DSC_LOGIN_PEND, 0); ++ fcport->edif.app_sess_online = 0; ++ qlt_schedule_sess_for_deletion(fcport); + qla_edif_sa_ctl_init(vha, fcport); + } + } +@@ -800,7 +743,6 @@ qla_edif_app_authok(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + ql_dbg(ql_dbg_edif, vha, 0x911e, + "%s AUTH complete - RESUME with prli for wwpn %8phC\n", + __func__, fcport->port_name); +- qla_edif_reset_auth_wait(fcport, DSC_LOGIN_PEND, 1); + qla24xx_post_prli_work(vha, fcport); + } + +@@ -873,7 +815,7 @@ qla_edif_app_authfail(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + + if (qla_ini_mode_enabled(fcport->vha)) { + fcport->send_els_logo = 1; +- qla_edif_reset_auth_wait(fcport, DSC_LOGIN_PEND, 0); ++ qlt_schedule_sess_for_deletion(fcport); + } + } + +-- +2.33.0 + diff --git a/queue-5.15/scsi-qla2xxx-edif-fix-app-start-fail.patch b/queue-5.15/scsi-qla2xxx-edif-fix-app-start-fail.patch new file mode 100644 index 00000000000..0faf4b08526 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-edif-fix-app-start-fail.patch @@ -0,0 +1,102 @@ +From 44f45976801d6a4f52d7e8ecc199f36fd38114ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:03 -0700 +Subject: scsi: qla2xxx: edif: Fix app start fail + +From: Quinn Tran + +[ Upstream commit 8e6d5df3cb32dddf558a52414d29febecb660396 ] + +On app start, all sessions need to be reset to see if secure connection can +be made. Fix the broken check which prevents that process. + +Link: https://lore.kernel.org/r/20211026115412.27691-5-njavali@marvell.com +Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_edif.c | 52 ++++++++++++++++----------------- + 1 file changed, 26 insertions(+), 26 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c +index ad746c62f0d44..615596becb7a1 100644 +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -529,7 +529,8 @@ qla_edif_app_start(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + struct app_start_reply appreply; + struct fc_port *fcport, *tf; + +- ql_dbg(ql_dbg_edif, vha, 0x911d, "%s app start\n", __func__); ++ ql_log(ql_log_info, vha, 0x1313, ++ "EDIF application registration with driver, FC device connections will be re-established.\n"); + + sg_copy_to_buffer(bsg_job->request_payload.sg_list, + bsg_job->request_payload.sg_cnt, &appstart, +@@ -554,37 +555,36 @@ qla_edif_app_start(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + qla2xxx_wake_dpc(vha); + } else { + list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) { ++ ql_dbg(ql_dbg_edif, vha, 0x2058, ++ "FCSP - nn %8phN pn %8phN portid=%06x.\n", ++ fcport->node_name, fcport->port_name, ++ fcport->d_id.b24); + ql_dbg(ql_dbg_edif, vha, 0xf084, +- "%s: sess %p %8phC lid %#04x s_id %06x logout %d\n", +- __func__, fcport, fcport->port_name, +- fcport->loop_id, fcport->d_id.b24, +- fcport->logout_on_delete); +- +- ql_dbg(ql_dbg_edif, vha, 0xf084, +- "keep %d els_logo %d disc state %d auth state %d stop state %d\n", +- fcport->keep_nport_handle, +- fcport->send_els_logo, fcport->disc_state, +- fcport->edif.auth_state, fcport->edif.app_stop); ++ "%s: se_sess %p / sess %p from port %8phC " ++ "loop_id %#04x s_id %06x logout %d " ++ "keep %d els_logo %d disc state %d auth state %d" ++ "stop state %d\n", ++ __func__, fcport->se_sess, fcport, ++ fcport->port_name, fcport->loop_id, ++ fcport->d_id.b24, fcport->logout_on_delete, ++ fcport->keep_nport_handle, fcport->send_els_logo, ++ fcport->disc_state, fcport->edif.auth_state, ++ fcport->edif.app_stop); + + if (atomic_read(&vha->loop_state) == LOOP_DOWN) + break; +- if (!(fcport->flags & FCF_FCSP_DEVICE)) +- continue; + + fcport->edif.app_started = 1; +- if (fcport->edif.app_stop || +- (fcport->disc_state != DSC_LOGIN_COMPLETE && +- fcport->disc_state != DSC_LOGIN_PEND && +- fcport->disc_state != DSC_DELETED)) { +- /* no activity */ +- fcport->edif.app_stop = 0; +- +- ql_dbg(ql_dbg_edif, vha, 0x911e, +- "%s wwpn %8phC calling qla_edif_reset_auth_wait\n", +- __func__, fcport->port_name); +- fcport->edif.app_sess_online = 1; +- qla_edif_reset_auth_wait(fcport, DSC_LOGIN_PEND, 0); +- } ++ fcport->login_retry = vha->hw->login_retry_count; ++ ++ /* no activity */ ++ fcport->edif.app_stop = 0; ++ ++ ql_dbg(ql_dbg_edif, vha, 0x911e, ++ "%s wwpn %8phC calling qla_edif_reset_auth_wait\n", ++ __func__, fcport->port_name); ++ fcport->edif.app_sess_online = 1; ++ qla_edif_reset_auth_wait(fcport, DSC_LOGIN_PEND, 0); + qla_edif_sa_ctl_init(vha, fcport); + } + } +-- +2.33.0 + diff --git a/queue-5.15/scsi-qla2xxx-edif-fix-edif-bsg.patch b/queue-5.15/scsi-qla2xxx-edif-fix-edif-bsg.patch new file mode 100644 index 00000000000..f517e00b29d --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-edif-fix-edif-bsg.patch @@ -0,0 +1,162 @@ +From ddd87e99641728224d6987a050d500fd52a7b588 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:11 -0700 +Subject: scsi: qla2xxx: edif: Fix EDIF bsg + +From: Quinn Tran + +[ Upstream commit 9fd26c633e8ab5a291c0241533efff161bbe5570 ] + +Various EDIF bsgs did not properly fill out the reply_payload_rcv_len +field. This causes app to parse empty data in the return payload. + +Link: https://lore.kernel.org/r/20211026115412.27691-13-njavali@marvell.com +Fixes: 7ebb336e45ef ("scsi: qla2xxx: edif: Add start + stop bsgs") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_edif.c | 49 ++++++++++++++++----------------- + 1 file changed, 23 insertions(+), 26 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c +index 98235df803aef..9240e788b011d 100644 +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -544,14 +544,14 @@ qla_edif_app_start(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + appreply.edif_enode_active = vha->pur_cinfo.enode_flags; + appreply.edif_edb_active = vha->e_dbell.db_flags; + +- bsg_job->reply_len = sizeof(struct fc_bsg_reply) + +- sizeof(struct app_start_reply); ++ bsg_job->reply_len = sizeof(struct fc_bsg_reply); + + SET_DID_STATUS(bsg_reply->result, DID_OK); + +- sg_copy_from_buffer(bsg_job->reply_payload.sg_list, +- bsg_job->reply_payload.sg_cnt, &appreply, +- sizeof(struct app_start_reply)); ++ bsg_reply->reply_payload_rcv_len = sg_copy_from_buffer(bsg_job->reply_payload.sg_list, ++ bsg_job->reply_payload.sg_cnt, ++ &appreply, ++ sizeof(struct app_start_reply)); + + ql_dbg(ql_dbg_edif, vha, 0x911d, + "%s app start completed with 0x%x\n", +@@ -748,9 +748,10 @@ qla_edif_app_authok(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + + errstate_exit: + bsg_job->reply_len = sizeof(struct fc_bsg_reply); +- sg_copy_from_buffer(bsg_job->reply_payload.sg_list, +- bsg_job->reply_payload.sg_cnt, &appplogireply, +- sizeof(struct app_plogi_reply)); ++ bsg_reply->reply_payload_rcv_len = sg_copy_from_buffer(bsg_job->reply_payload.sg_list, ++ bsg_job->reply_payload.sg_cnt, ++ &appplogireply, ++ sizeof(struct app_plogi_reply)); + + return rval; + } +@@ -833,7 +834,7 @@ static int + qla_edif_app_getfcinfo(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + { + int32_t rval = 0; +- int32_t num_cnt; ++ int32_t pcnt = 0; + struct fc_bsg_reply *bsg_reply = bsg_job->reply; + struct app_pinfo_req app_req; + struct app_pinfo_reply *app_reply; +@@ -845,16 +846,14 @@ qla_edif_app_getfcinfo(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + bsg_job->request_payload.sg_cnt, &app_req, + sizeof(struct app_pinfo_req)); + +- num_cnt = app_req.num_ports; /* num of ports alloc'd by app */ +- + app_reply = kzalloc((sizeof(struct app_pinfo_reply) + +- sizeof(struct app_pinfo) * num_cnt), GFP_KERNEL); ++ sizeof(struct app_pinfo) * app_req.num_ports), GFP_KERNEL); ++ + if (!app_reply) { + SET_DID_STATUS(bsg_reply->result, DID_ERROR); + rval = -1; + } else { + struct fc_port *fcport = NULL, *tf; +- uint32_t pcnt = 0; + + list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) { + if (!(fcport->flags & FCF_FCSP_DEVICE)) +@@ -923,9 +922,11 @@ qla_edif_app_getfcinfo(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + SET_DID_STATUS(bsg_reply->result, DID_OK); + } + +- sg_copy_from_buffer(bsg_job->reply_payload.sg_list, +- bsg_job->reply_payload.sg_cnt, app_reply, +- sizeof(struct app_pinfo_reply) + sizeof(struct app_pinfo) * num_cnt); ++ bsg_job->reply_len = sizeof(struct fc_bsg_reply); ++ bsg_reply->reply_payload_rcv_len = sg_copy_from_buffer(bsg_job->reply_payload.sg_list, ++ bsg_job->reply_payload.sg_cnt, ++ app_reply, ++ sizeof(struct app_pinfo_reply) + sizeof(struct app_pinfo) * pcnt); + + kfree(app_reply); + +@@ -942,10 +943,11 @@ qla_edif_app_getstats(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + { + int32_t rval = 0; + struct fc_bsg_reply *bsg_reply = bsg_job->reply; +- uint32_t ret_size, size; ++ uint32_t size; + + struct app_sinfo_req app_req; + struct app_stats_reply *app_reply; ++ uint32_t pcnt = 0; + + sg_copy_to_buffer(bsg_job->request_payload.sg_list, + bsg_job->request_payload.sg_cnt, &app_req, +@@ -961,18 +963,12 @@ qla_edif_app_getstats(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + size = sizeof(struct app_stats_reply) + + (sizeof(struct app_sinfo) * app_req.num_ports); + +- if (size > bsg_job->reply_payload.payload_len) +- ret_size = bsg_job->reply_payload.payload_len; +- else +- ret_size = size; +- + app_reply = kzalloc(size, GFP_KERNEL); + if (!app_reply) { + SET_DID_STATUS(bsg_reply->result, DID_ERROR); + rval = -1; + } else { + struct fc_port *fcport = NULL, *tf; +- uint32_t pcnt = 0; + + list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) { + if (fcport->edif.enable) { +@@ -996,9 +992,11 @@ qla_edif_app_getstats(scsi_qla_host_t *vha, struct bsg_job *bsg_job) + SET_DID_STATUS(bsg_reply->result, DID_OK); + } + ++ bsg_job->reply_len = sizeof(struct fc_bsg_reply); + bsg_reply->reply_payload_rcv_len = + sg_copy_from_buffer(bsg_job->reply_payload.sg_list, +- bsg_job->reply_payload.sg_cnt, app_reply, ret_size); ++ bsg_job->reply_payload.sg_cnt, app_reply, ++ sizeof(struct app_stats_reply) + (sizeof(struct app_sinfo) * pcnt)); + + kfree(app_reply); + +@@ -1072,8 +1070,7 @@ qla_edif_app_mgmt(struct bsg_job *bsg_job) + __func__, + bsg_request->rqst_data.h_vendor.vendor_cmd[1]); + rval = EXT_STATUS_INVALID_PARAM; +- bsg_job->reply_len = sizeof(struct fc_bsg_reply); +- SET_DID_STATUS(bsg_reply->result, DID_ERROR); ++ done = false; + break; + } + +-- +2.33.0 + diff --git a/queue-5.15/scsi-qla2xxx-edif-flush-stale-events-and-msgs-on-ses.patch b/queue-5.15/scsi-qla2xxx-edif-flush-stale-events-and-msgs-on-ses.patch new file mode 100644 index 00000000000..a97915bd649 --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-edif-flush-stale-events-and-msgs-on-ses.patch @@ -0,0 +1,181 @@ +From 0c29242f3ef21cf969a526a1e2576ac3711d3d89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:05 -0700 +Subject: scsi: qla2xxx: edif: Flush stale events and msgs on session down + +From: Quinn Tran + +[ Upstream commit b1af26c245545a289b331c7b71996ecd88321540 ] + +On session down, driver will flush all stale messages and doorbell +events. This prevents authentication application from having to process +stale data. + +Link: https://lore.kernel.org/r/20211026115412.27691-7-njavali@marvell.com +Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") +Reviewed-by: Himanshu Madhani +Co-developed-by: Karunakara Merugu +Signed-off-by: Karunakara Merugu +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_edif.c | 96 ++++++++++++++++++++++++++++++- + drivers/scsi/qla2xxx/qla_gbl.h | 2 + + drivers/scsi/qla2xxx/qla_target.c | 1 + + 3 files changed, 98 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c +index cf62f26ce27d9..3931bae3222b3 100644 +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -1593,6 +1593,40 @@ qla_enode_stop(scsi_qla_host_t *vha) + spin_unlock_irqrestore(&vha->pur_cinfo.pur_lock, flags); + } + ++static void qla_enode_clear(scsi_qla_host_t *vha, port_id_t portid) ++{ ++ unsigned long flags; ++ struct enode *e, *tmp; ++ struct purexevent *purex; ++ LIST_HEAD(enode_list); ++ ++ if (vha->pur_cinfo.enode_flags != ENODE_ACTIVE) { ++ ql_dbg(ql_dbg_edif, vha, 0x09102, ++ "%s enode not active\n", __func__); ++ return; ++ } ++ spin_lock_irqsave(&vha->pur_cinfo.pur_lock, flags); ++ list_for_each_entry_safe(e, tmp, &vha->pur_cinfo.head, list) { ++ purex = &e->u.purexinfo; ++ if (purex->pur_info.pur_sid.b24 == portid.b24) { ++ ql_dbg(ql_dbg_edif, vha, 0x911d, ++ "%s free ELS sid=%06x. xchg %x, nb=%xh\n", ++ __func__, portid.b24, ++ purex->pur_info.pur_rx_xchg_address, ++ purex->pur_info.pur_bytes_rcvd); ++ ++ list_del_init(&e->list); ++ list_add_tail(&e->list, &enode_list); ++ } ++ } ++ spin_unlock_irqrestore(&vha->pur_cinfo.pur_lock, flags); ++ ++ list_for_each_entry_safe(e, tmp, &enode_list, list) { ++ list_del_init(&e->list); ++ qla_enode_free(vha, e); ++ } ++} ++ + /* + * allocate enode struct and populate buffer + * returns: enode pointer with buffers +@@ -1792,6 +1826,57 @@ qla_edb_node_free(scsi_qla_host_t *vha, struct edb_node *node) + node->ntype = N_UNDEF; + } + ++static void qla_edb_clear(scsi_qla_host_t *vha, port_id_t portid) ++{ ++ unsigned long flags; ++ struct edb_node *e, *tmp; ++ port_id_t sid; ++ LIST_HEAD(edb_list); ++ ++ if (vha->e_dbell.db_flags != EDB_ACTIVE) { ++ /* doorbell list not enabled */ ++ ql_dbg(ql_dbg_edif, vha, 0x09102, ++ "%s doorbell not enabled\n", __func__); ++ return; ++ } ++ ++ /* grab lock so list doesn't move */ ++ spin_lock_irqsave(&vha->e_dbell.db_lock, flags); ++ list_for_each_entry_safe(e, tmp, &vha->e_dbell.head, list) { ++ switch (e->ntype) { ++ case VND_CMD_AUTH_STATE_NEEDED: ++ case VND_CMD_AUTH_STATE_SESSION_SHUTDOWN: ++ sid = e->u.plogi_did; ++ break; ++ case VND_CMD_AUTH_STATE_ELS_RCVD: ++ sid = e->u.els_sid; ++ break; ++ case VND_CMD_AUTH_STATE_SAUPDATE_COMPL: ++ /* app wants to see this */ ++ continue; ++ default: ++ ql_log(ql_log_warn, vha, 0x09102, ++ "%s unknown node type: %x\n", __func__, e->ntype); ++ sid.b24 = 0; ++ break; ++ } ++ if (sid.b24 == portid.b24) { ++ ql_dbg(ql_dbg_edif, vha, 0x910f, ++ "%s free doorbell event : node type = %x %p\n", ++ __func__, e->ntype, e); ++ list_del_init(&e->list); ++ list_add_tail(&e->list, &edb_list); ++ } ++ } ++ spin_unlock_irqrestore(&vha->e_dbell.db_lock, flags); ++ ++ list_for_each_entry_safe(e, tmp, &edb_list, list) { ++ qla_edb_node_free(vha, e); ++ list_del_init(&e->list); ++ kfree(e); ++ } ++} ++ + /* function called when app is stopping */ + + void +@@ -2378,7 +2463,7 @@ void qla24xx_auth_els(scsi_qla_host_t *vha, void **pkt, struct rsp_que **rsp) + ql_dbg(ql_dbg_edif, host, 0x0910c, + "%s COMPLETE purex->pur_info.pur_bytes_rcvd =%xh s:%06x -> d:%06x xchg=%xh\n", + __func__, purex->pur_info.pur_bytes_rcvd, purex->pur_info.pur_sid.b24, +- purex->pur_info.pur_did.b24, p->rx_xchg_addr); ++ purex->pur_info.pur_did.b24, purex->pur_info.pur_rx_xchg_address); + + qla_edb_eventcreate(host, VND_CMD_AUTH_STATE_ELS_RCVD, sid, 0, NULL); + } +@@ -3401,3 +3486,12 @@ void qla_edif_sess_down(struct scsi_qla_host *vha, struct fc_port *sess) + qla2x00_post_aen_work(vha, FCH_EVT_PORT_OFFLINE, sess->d_id.b24); + } + } ++ ++void qla_edif_clear_appdata(struct scsi_qla_host *vha, struct fc_port *fcport) ++{ ++ if (!(fcport->flags & FCF_FCSP_DEVICE)) ++ return; ++ ++ qla_edb_clear(vha, fcport->d_id); ++ qla_enode_clear(vha, fcport->d_id); ++} +diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h +index 0a43ce9317db2..2c7e91bffb827 100644 +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -142,6 +142,8 @@ void qlt_chk_edif_rx_sa_delete_pending(scsi_qla_host_t *vha, fc_port_t *fcport, + void qla2x00_release_all_sadb(struct scsi_qla_host *vha, struct fc_port *fcport); + int qla_edif_process_els(scsi_qla_host_t *vha, struct bsg_job *bsgjob); + void qla_edif_sess_down(struct scsi_qla_host *vha, struct fc_port *sess); ++void qla_edif_clear_appdata(struct scsi_qla_host *vha, ++ struct fc_port *fcport); + const char *sc_to_str(uint16_t cmd); + + /* +diff --git a/drivers/scsi/qla2xxx/qla_target.c b/drivers/scsi/qla2xxx/qla_target.c +index 7d8242c120fc7..1aaa4238cb722 100644 +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -1003,6 +1003,7 @@ void qlt_free_session_done(struct work_struct *work) + "%s bypassing release_all_sadb\n", + __func__); + } ++ qla_edif_clear_appdata(vha, sess); + qla_edif_sess_down(vha, sess); + } + qla2x00_mark_device_lost(vha, sess, 0); +-- +2.33.0 + diff --git a/queue-5.15/scsi-qla2xxx-edif-increase-els-payload.patch b/queue-5.15/scsi-qla2xxx-edif-increase-els-payload.patch new file mode 100644 index 00000000000..a35405325ec --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-edif-increase-els-payload.patch @@ -0,0 +1,105 @@ +From 19c4abe04aeee850738cd7f0d28e9db53dedf4b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:09 -0700 +Subject: scsi: qla2xxx: edif: Increase ELS payload + +From: Quinn Tran + +[ Upstream commit 0f6d600a26e89d31d8381b324fc970f72579a126 ] + +Currently, firmware limits ELS payload to FC frame size/2112. This patch +adjusts memory buffer size to be able to handle max ELS payload. + +Link: https://lore.kernel.org/r/20211026115412.27691-11-njavali@marvell.com +Fixes: 84318a9f01ce ("scsi: qla2xxx: edif: Add send, receive, and accept for auth_els") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_edif.c | 2 +- + drivers/scsi/qla2xxx/qla_edif.h | 3 ++- + drivers/scsi/qla2xxx/qla_edif_bsg.h | 2 +- + drivers/scsi/qla2xxx/qla_init.c | 4 ++++ + drivers/scsi/qla2xxx/qla_os.c | 2 +- + 5 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c +index 3931bae3222b3..98235df803aef 100644 +--- a/drivers/scsi/qla2xxx/qla_edif.c ++++ b/drivers/scsi/qla2xxx/qla_edif.c +@@ -2384,7 +2384,7 @@ void qla24xx_auth_els(scsi_qla_host_t *vha, void **pkt, struct rsp_que **rsp) + return; + } + +- if (totlen > MAX_PAYLOAD) { ++ if (totlen > ELS_MAX_PAYLOAD) { + ql_dbg(ql_dbg_edif, vha, 0x0910d, + "%s WARNING: verbose ELS frame received (totlen=%x)\n", + __func__, totlen); +diff --git a/drivers/scsi/qla2xxx/qla_edif.h b/drivers/scsi/qla2xxx/qla_edif.h +index 9e8f28d0caa1b..45cf87e337780 100644 +--- a/drivers/scsi/qla2xxx/qla_edif.h ++++ b/drivers/scsi/qla2xxx/qla_edif.h +@@ -93,7 +93,6 @@ struct sa_update_28xx { + }; + + #define NUM_ENTRIES 256 +-#define MAX_PAYLOAD 1024 + #define PUR_GET 1 + + struct dinfo { +@@ -128,6 +127,8 @@ struct enode { + } u; + }; + ++#define RX_ELS_SIZE (roundup(sizeof(struct enode) + ELS_MAX_PAYLOAD, SMP_CACHE_BYTES)) ++ + #define EDIF_SESSION_DOWN(_s) \ + (qla_ini_mode_enabled(_s->vha) && (_s->disc_state == DSC_DELETE_PEND || \ + _s->disc_state == DSC_DELETED || \ +diff --git a/drivers/scsi/qla2xxx/qla_edif_bsg.h b/drivers/scsi/qla2xxx/qla_edif_bsg.h +index 58b718d35d19a..53026d82ebffe 100644 +--- a/drivers/scsi/qla2xxx/qla_edif_bsg.h ++++ b/drivers/scsi/qla2xxx/qla_edif_bsg.h +@@ -8,7 +8,7 @@ + #define __QLA_EDIF_BSG_H + + /* BSG Vendor specific commands */ +-#define ELS_MAX_PAYLOAD 1024 ++#define ELS_MAX_PAYLOAD 2112 + #ifndef WWN_SIZE + #define WWN_SIZE 8 + #endif +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 6da4419bcec16..847a6e5d9cb07 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -4467,6 +4467,10 @@ qla2x00_init_rings(scsi_qla_host_t *vha) + (ha->flags.fawwpn_enabled) ? "enabled" : "disabled"); + } + ++ /* ELS pass through payload is limit by frame size. */ ++ if (ha->flags.edif_enabled) ++ mid_init_cb->init_cb.frame_payload_size = cpu_to_le16(ELS_MAX_PAYLOAD); ++ + rval = qla2x00_init_firmware(vha, ha->init_cb_size); + next_check: + if (rval) { +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index b5346d9066dc6..8d87cfae9c598 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -4337,7 +4337,7 @@ qla2x00_mem_alloc(struct qla_hw_data *ha, uint16_t req_len, uint16_t rsp_len, + + /* allocate the purex dma pool */ + ha->purex_dma_pool = dma_pool_create(name, &ha->pdev->dev, +- MAX_PAYLOAD, 8, 0); ++ ELS_MAX_PAYLOAD, 8, 0); + + if (!ha->purex_dma_pool) { + ql_dbg_pci(ql_dbg_init, ha->pdev, 0x011b, +-- +2.33.0 + diff --git a/queue-5.15/scsi-qla2xxx-edif-use-link-event-to-wake-up-app.patch b/queue-5.15/scsi-qla2xxx-edif-use-link-event-to-wake-up-app.patch new file mode 100644 index 00000000000..e6ec798087c --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-edif-use-link-event-to-wake-up-app.patch @@ -0,0 +1,59 @@ +From 26a2f2974b440ac4160d9a44325438a0c1d0d9b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 09:46:17 -0700 +Subject: scsi: qla2xxx: edif: Use link event to wake up app + +From: Quinn Tran + +[ Upstream commit 527d46e0b0147f2b32b78ba49c6a231835b24a41 ] + +Authentication application may be running and in the past tried to probe +driver (app_start) but was unsuccessful. This could be due to the bsg layer +not being ready to service the request. On a successful link up, driver +will use the netlink Link Up event to notify the app to retry the app_start +call. + +In another case, app does not poll for new NPIV host. This link up event +would notify app of the presence of a new SCSI host. + +Link: https://lore.kernel.org/r/20210908164622.19240-6-njavali@marvell.com +Fixes: 4de067e5df12 ("scsi: qla2xxx: edif: Add N2N support for EDIF") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 5fc7697f0af4c..7e64e4730b259 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -5335,15 +5335,14 @@ qla2x00_configure_loop(scsi_qla_host_t *vha) + "LOOP READY.\n"); + ha->flags.fw_init_done = 1; + ++ /* ++ * use link up to wake up app to get ready for ++ * authentication. ++ */ + if (ha->flags.edif_enabled && +- !(vha->e_dbell.db_flags & EDB_ACTIVE) && +- N2N_TOPO(vha->hw)) { +- /* +- * use port online to wake up app to get ready +- * for authentication +- */ +- qla2x00_post_aen_work(vha, FCH_EVT_PORT_ONLINE, 0); +- } ++ !(vha->e_dbell.db_flags & EDB_ACTIVE)) ++ qla2x00_post_aen_work(vha, FCH_EVT_LINKUP, ++ ha->link_data_rate); + + /* + * Process any ATIO queue entries that came in +-- +2.33.0 + diff --git a/queue-5.15/scsi-qla2xxx-fix-gnl-list-corruption.patch b/queue-5.15/scsi-qla2xxx-fix-gnl-list-corruption.patch new file mode 100644 index 00000000000..94f865e7d4b --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-fix-gnl-list-corruption.patch @@ -0,0 +1,79 @@ +From b22b40ed96b8617e92970ad126b49867cf5e929c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:01 -0700 +Subject: scsi: qla2xxx: Fix gnl list corruption + +From: Quinn Tran + +[ Upstream commit c98c5daaa24b583cba1369b7d167f93c6ae7299c ] + +Current code does list element deletion and addition in and out of lock +protection. This patch moves deletion behind lock. + +list_add double add: new=ffff9130b5eb89f8, prev=ffff9130b5eb89f8, + next=ffff9130c6a715f0. + ------------[ cut here ]------------ + kernel BUG at lib/list_debug.c:31! + invalid opcode: 0000 [#1] SMP PTI + CPU: 1 PID: 182395 Comm: kworker/1:37 Kdump: loaded Tainted: G W OE + --------- - - 4.18.0-193.el8.x86_64 #1 + Hardware name: HP ProLiant DL160 Gen8, BIOS J03 02/10/2014 + Workqueue: qla2xxx_wq qla2x00_iocb_work_fn [qla2xxx] + RIP: 0010:__list_add_valid+0x41/0x50 + Code: 85 94 00 00 00 48 39 c7 74 0b 48 39 d7 74 06 b8 01 00 00 00 c3 48 89 f2 + 4c 89 c1 48 89 fe 48 c7 c7 60 83 ad 97 e8 4d bd ce ff <0f> 0b 0f 1f 00 66 2e + 0f 1f 84 00 00 00 00 00 48 8b 07 48 8b 57 08 + RSP: 0018:ffffaba306f47d68 EFLAGS: 00010046 + RAX: 0000000000000058 RBX: ffff9130b5eb8800 RCX: 0000000000000006 + RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9130b7456a00 + RBP: ffff9130c6a70a58 R08: 000000000008d7be R09: 0000000000000001 + R10: 0000000000000000 R11: 0000000000000001 R12: ffff9130c6a715f0 + R13: ffff9130b5eb8824 R14: ffff9130b5eb89f8 R15: ffff9130b5eb89f8 + FS: 0000000000000000(0000) GS:ffff9130b7440000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007efcaaef11a0 CR3: 000000005200a002 CR4: 00000000000606e0 + Call Trace: + qla24xx_async_gnl+0x113/0x3c0 [qla2xxx] + ? qla2x00_iocb_work_fn+0x53/0x80 [qla2xxx] + ? process_one_work+0x1a7/0x3b0 + ? worker_thread+0x30/0x390 + ? create_worker+0x1a0/0x1a0 + ? kthread+0x112/0x130 + +Link: https://lore.kernel.org/r/20211026115412.27691-3-njavali@marvell.com +Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index df3884d9f12a2..6da4419bcec16 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -987,8 +987,6 @@ static void qla24xx_async_gnl_sp_done(srb_t *sp, int res) + sp->name, res, sp->u.iocb_cmd.u.mbx.in_mb[1], + sp->u.iocb_cmd.u.mbx.in_mb[2]); + +- if (res == QLA_FUNCTION_TIMEOUT) +- return; + + sp->fcport->flags &= ~(FCF_ASYNC_SENT|FCF_ASYNC_ACTIVE); + memset(&ea, 0, sizeof(ea)); +@@ -1026,8 +1024,8 @@ static void qla24xx_async_gnl_sp_done(srb_t *sp, int res) + spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags); + + list_for_each_entry_safe(fcport, tf, &h, gnl_entry) { +- list_del_init(&fcport->gnl_entry); + spin_lock_irqsave(&vha->hw->tgt.sess_lock, flags); ++ list_del_init(&fcport->gnl_entry); + fcport->flags &= ~(FCF_ASYNC_SENT | FCF_ASYNC_ACTIVE); + spin_unlock_irqrestore(&vha->hw->tgt.sess_lock, flags); + ea.fcport = fcport; +-- +2.33.0 + diff --git a/queue-5.15/scsi-qla2xxx-relogin-during-fabric-disturbance.patch b/queue-5.15/scsi-qla2xxx-relogin-during-fabric-disturbance.patch new file mode 100644 index 00000000000..7a859495f3f --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-relogin-during-fabric-disturbance.patch @@ -0,0 +1,95 @@ +From ce7c87301d5487debdd14b571b30077fac81e8d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:00 -0700 +Subject: scsi: qla2xxx: Relogin during fabric disturbance + +From: Quinn Tran + +[ Upstream commit bb2ca6b3f09ac20e8357d257d0557ab5ddf6adcd ] + +For RSCN of type "Area, Domain, or Fabric", which indicate a portion or +entire fabric was disturbed, current driver does not set the scan_need flag +to indicate a session was affected by the disturbance. This in turn can +lead to I/O timeout and delay of relogin. Hence initiate relogin in the +event of fabric disturbance. + +Link: https://lore.kernel.org/r/20211026115412.27691-2-njavali@marvell.com +Fixes: 1560bafdff9e ("scsi: qla2xxx: Use complete switch scan for RSCN events") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_init.c | 54 +++++++++++++++++++++++++++------ + 1 file changed, 45 insertions(+), 9 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 7e64e4730b259..df3884d9f12a2 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -1786,16 +1786,52 @@ void qla2x00_handle_rscn(scsi_qla_host_t *vha, struct event_arg *ea) + fc_port_t *fcport; + unsigned long flags; + +- fcport = qla2x00_find_fcport_by_nportid(vha, &ea->id, 1); +- if (fcport) { +- if (fcport->flags & FCF_FCP2_DEVICE) { +- ql_dbg(ql_dbg_disc, vha, 0x2115, +- "Delaying session delete for FCP2 portid=%06x %8phC ", +- fcport->d_id.b24, fcport->port_name); +- return; ++ switch (ea->id.b.rsvd_1) { ++ case RSCN_PORT_ADDR: ++ fcport = qla2x00_find_fcport_by_nportid(vha, &ea->id, 1); ++ if (fcport) { ++ if (fcport->flags & FCF_FCP2_DEVICE) { ++ ql_dbg(ql_dbg_disc, vha, 0x2115, ++ "Delaying session delete for FCP2 portid=%06x %8phC ", ++ fcport->d_id.b24, fcport->port_name); ++ return; ++ } ++ fcport->scan_needed = 1; ++ fcport->rscn_gen++; ++ } ++ break; ++ case RSCN_AREA_ADDR: ++ list_for_each_entry(fcport, &vha->vp_fcports, list) { ++ if (fcport->flags & FCF_FCP2_DEVICE) ++ continue; ++ ++ if ((ea->id.b24 & 0xffff00) == (fcport->d_id.b24 & 0xffff00)) { ++ fcport->scan_needed = 1; ++ fcport->rscn_gen++; ++ } + } +- fcport->scan_needed = 1; +- fcport->rscn_gen++; ++ break; ++ case RSCN_DOM_ADDR: ++ list_for_each_entry(fcport, &vha->vp_fcports, list) { ++ if (fcport->flags & FCF_FCP2_DEVICE) ++ continue; ++ ++ if ((ea->id.b24 & 0xff0000) == (fcport->d_id.b24 & 0xff0000)) { ++ fcport->scan_needed = 1; ++ fcport->rscn_gen++; ++ } ++ } ++ break; ++ case RSCN_FAB_ADDR: ++ default: ++ list_for_each_entry(fcport, &vha->vp_fcports, list) { ++ if (fcport->flags & FCF_FCP2_DEVICE) ++ continue; ++ ++ fcport->scan_needed = 1; ++ fcport->rscn_gen++; ++ } ++ break; + } + + spin_lock_irqsave(&vha->work_lock, flags); +-- +2.33.0 + diff --git a/queue-5.15/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch b/queue-5.15/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch new file mode 100644 index 00000000000..49cf87639bb --- /dev/null +++ b/queue-5.15/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch @@ -0,0 +1,131 @@ +From cdc5c0f9f604cb38211049432320f285b0e30069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:02 -0700 +Subject: scsi: qla2xxx: Turn off target reset during issue_lip + +From: Quinn Tran + +[ Upstream commit 0b7a9fd934a68ebfc1019811b7bdc1742072ad7b ] + +When user uses issue_lip to do link bounce, driver sends additional target +reset to remote device before resetting the link. The target reset would +affect other paths with active I/Os. This patch will remove the unnecessary +target reset. + +Link: https://lore.kernel.org/r/20211026115412.27691-4-njavali@marvell.com +Fixes: 5854771e314e ("[SCSI] qla2xxx: Add ISPFX00 specific bus reset routine") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_gbl.h | 2 -- + drivers/scsi/qla2xxx/qla_mr.c | 23 ----------------------- + drivers/scsi/qla2xxx/qla_os.c | 27 ++------------------------- + 3 files changed, 2 insertions(+), 50 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h +index 1c3f055d41b8e..0a43ce9317db2 100644 +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -171,7 +171,6 @@ extern int ql2xasynctmfenable; + extern int ql2xgffidenable; + extern int ql2xenabledif; + extern int ql2xenablehba_err_chk; +-extern int ql2xtargetreset; + extern int ql2xdontresethba; + extern uint64_t ql2xmaxlun; + extern int ql2xmdcapmask; +@@ -816,7 +815,6 @@ extern void qlafx00_abort_iocb(srb_t *, struct abort_iocb_entry_fx00 *); + extern void qlafx00_fxdisc_iocb(srb_t *, struct fxdisc_entry_fx00 *); + extern void qlafx00_timer_routine(scsi_qla_host_t *); + extern int qlafx00_rescan_isp(scsi_qla_host_t *); +-extern int qlafx00_loop_reset(scsi_qla_host_t *vha); + + /* qla82xx related functions */ + +diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c +index 6e920da64863e..350b0c4346fb6 100644 +--- a/drivers/scsi/qla2xxx/qla_mr.c ++++ b/drivers/scsi/qla2xxx/qla_mr.c +@@ -738,29 +738,6 @@ qlafx00_lun_reset(fc_port_t *fcport, uint64_t l, int tag) + return qla2x00_async_tm_cmd(fcport, TCF_LUN_RESET, l, tag); + } + +-int +-qlafx00_loop_reset(scsi_qla_host_t *vha) +-{ +- int ret; +- struct fc_port *fcport; +- struct qla_hw_data *ha = vha->hw; +- +- if (ql2xtargetreset) { +- list_for_each_entry(fcport, &vha->vp_fcports, list) { +- if (fcport->port_type != FCT_TARGET) +- continue; +- +- ret = ha->isp_ops->target_reset(fcport, 0, 0); +- if (ret != QLA_SUCCESS) { +- ql_dbg(ql_dbg_taskm, vha, 0x803d, +- "Bus Reset failed: Reset=%d " +- "d_id=%x.\n", ret, fcport->d_id.b24); +- } +- } +- } +- return QLA_SUCCESS; +-} +- + int + qlafx00_iospace_config(struct qla_hw_data *ha) + { +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index f800d940a720d..b5346d9066dc6 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -202,12 +202,6 @@ MODULE_PARM_DESC(ql2xdbwr, + " 0 -- Regular doorbell.\n" + " 1 -- CAMRAM doorbell (faster).\n"); + +-int ql2xtargetreset = 1; +-module_param(ql2xtargetreset, int, S_IRUGO); +-MODULE_PARM_DESC(ql2xtargetreset, +- "Enable target reset." +- "Default is 1 - use hw defaults."); +- + int ql2xgffidenable; + module_param(ql2xgffidenable, int, S_IRUGO); + MODULE_PARM_DESC(ql2xgffidenable, +@@ -1695,27 +1689,10 @@ int + qla2x00_loop_reset(scsi_qla_host_t *vha) + { + int ret; +- struct fc_port *fcport; + struct qla_hw_data *ha = vha->hw; + +- if (IS_QLAFX00(ha)) { +- return qlafx00_loop_reset(vha); +- } +- +- if (ql2xtargetreset == 1 && ha->flags.enable_target_reset) { +- list_for_each_entry(fcport, &vha->vp_fcports, list) { +- if (fcport->port_type != FCT_TARGET) +- continue; +- +- ret = ha->isp_ops->target_reset(fcport, 0, 0); +- if (ret != QLA_SUCCESS) { +- ql_dbg(ql_dbg_taskm, vha, 0x802c, +- "Bus Reset failed: Reset=%d " +- "d_id=%x.\n", ret, fcport->d_id.b24); +- } +- } +- } +- ++ if (IS_QLAFX00(ha)) ++ return QLA_SUCCESS; + + if (ha->flags.enable_lip_full_login && !IS_CNA_CAPABLE(ha)) { + atomic_set(&vha->loop_state, LOOP_DOWN); +-- +2.33.0 + diff --git a/queue-5.15/scsi-target-core-remove-from-tmr_list-during-lun-unl.patch b/queue-5.15/scsi-target-core-remove-from-tmr_list-during-lun-unl.patch new file mode 100644 index 00000000000..b16ee80491d --- /dev/null +++ b/queue-5.15/scsi-target-core-remove-from-tmr_list-during-lun-unl.patch @@ -0,0 +1,172 @@ +From d46ea80299c90f994d82b183785fad46b2bec11a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 16:57:53 +0300 +Subject: scsi: target: core: Remove from tmr_list during LUN unlink + +From: Dmitry Bogdanov + +[ Upstream commit 12b6fcd0ea7f3cb7c3b34668fc678779924123ae ] + +Currently TMF commands are removed from de_device.dev_tmf_list at the very +end of se_cmd lifecycle. However, se_lun unlinks from se_cmd upon a command +status (response) being queued in transport layer. This means that LUN and +backend device can be deleted in the meantime and a panic will occur: + +target_tmr_work() + cmd->se_tfo->queue_tm_rsp(cmd); // send abort_rsp to a wire + transport_lun_remove_cmd(cmd) // unlink se_cmd from se_lun +- // - // - // - +<<<--- lun remove +<<<--- core backend device remove +- // - // - // - +qlt_handle_abts_completion() + tfo->free_mcmd() + transport_generic_free_cmd() + target_put_sess_cmd() + core_tmr_release_req() { + if (dev) { // backend device, can not be null + spin_lock_irqsave(&dev->se_tmr_lock, flags); //<<<--- CRASH + +Call Trace: +NIP [c000000000e1683c] _raw_spin_lock_irqsave+0x2c/0xc0 +LR [c00800000e433338] core_tmr_release_req+0x40/0xa0 [target_core_mod] +Call Trace: +(unreliable) +0x0 +target_put_sess_cmd+0x2a0/0x370 [target_core_mod] +transport_generic_free_cmd+0x6c/0x1b0 [target_core_mod] +tcm_qla2xxx_complete_mcmd+0x28/0x50 [tcm_qla2xxx] +process_one_work+0x2c4/0x5c0 +worker_thread+0x88/0x690 + +For the iSCSI protocol this is easily reproduced: + + - Send some SCSI sommand + + - Send Abort of that command over iSCSI + + - Remove LUN on target + + - Send next iSCSI command to acknowledge the Abort_Response + + - Target panics + +There is no need to keep the command in tmr_list until response completion, +so move the removal from tmr_list from the response completion to the +response queueing when the LUN is unlinked. Move the removal from state +list too as it is a subject to the same race condition. + +Link: https://lore.kernel.org/r/20211018135753.15297-1-d.bogdanov@yadro.com +Fixes: c66ac9db8d4a ("[SCSI] target: Add LIO target core v4.0.0-rc6") +Reviewed-by: Roman Bolshakov +Reviewed-by: Mike Christie +Signed-off-by: Dmitry Bogdanov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_tmr.c | 17 +-------------- + drivers/target/target_core_transport.c | 30 ++++++++++++++++++++------ + 2 files changed, 24 insertions(+), 23 deletions(-) + +diff --git a/drivers/target/target_core_tmr.c b/drivers/target/target_core_tmr.c +index e7fcbc09f9dbc..bac111456fa1d 100644 +--- a/drivers/target/target_core_tmr.c ++++ b/drivers/target/target_core_tmr.c +@@ -50,15 +50,6 @@ EXPORT_SYMBOL(core_tmr_alloc_req); + + void core_tmr_release_req(struct se_tmr_req *tmr) + { +- struct se_device *dev = tmr->tmr_dev; +- unsigned long flags; +- +- if (dev) { +- spin_lock_irqsave(&dev->se_tmr_lock, flags); +- list_del_init(&tmr->tmr_list); +- spin_unlock_irqrestore(&dev->se_tmr_lock, flags); +- } +- + kfree(tmr); + } + +@@ -156,13 +147,6 @@ void core_tmr_abort_task( + se_cmd->state_active = false; + spin_unlock_irqrestore(&dev->queues[i].lock, flags); + +- /* +- * Ensure that this ABORT request is visible to the LU +- * RESET code. +- */ +- if (!tmr->tmr_dev) +- WARN_ON_ONCE(transport_lookup_tmr_lun(tmr->task_cmd) < 0); +- + if (dev->transport->tmr_notify) + dev->transport->tmr_notify(dev, TMR_ABORT_TASK, + &aborted_list); +@@ -234,6 +218,7 @@ static void core_tmr_drain_tmr_list( + } + + list_move_tail(&tmr_p->tmr_list, &drain_tmr_list); ++ tmr_p->tmr_dev = NULL; + } + spin_unlock_irqrestore(&dev->se_tmr_lock, flags); + +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 14c6f2bb1b01d..e60abd230e90f 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -676,6 +676,21 @@ static void target_remove_from_state_list(struct se_cmd *cmd) + spin_unlock_irqrestore(&dev->queues[cmd->cpuid].lock, flags); + } + ++static void target_remove_from_tmr_list(struct se_cmd *cmd) ++{ ++ struct se_device *dev = NULL; ++ unsigned long flags; ++ ++ if (cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) ++ dev = cmd->se_tmr_req->tmr_dev; ++ ++ if (dev) { ++ spin_lock_irqsave(&dev->se_tmr_lock, flags); ++ if (cmd->se_tmr_req->tmr_dev) ++ list_del_init(&cmd->se_tmr_req->tmr_list); ++ spin_unlock_irqrestore(&dev->se_tmr_lock, flags); ++ } ++} + /* + * This function is called by the target core after the target core has + * finished processing a SCSI command or SCSI TMF. Both the regular command +@@ -687,13 +702,6 @@ static int transport_cmd_check_stop_to_fabric(struct se_cmd *cmd) + { + unsigned long flags; + +- target_remove_from_state_list(cmd); +- +- /* +- * Clear struct se_cmd->se_lun before the handoff to FE. +- */ +- cmd->se_lun = NULL; +- + spin_lock_irqsave(&cmd->t_state_lock, flags); + /* + * Determine if frontend context caller is requesting the stopping of +@@ -728,8 +736,16 @@ static void transport_lun_remove_cmd(struct se_cmd *cmd) + if (!lun) + return; + ++ target_remove_from_state_list(cmd); ++ target_remove_from_tmr_list(cmd); ++ + if (cmpxchg(&cmd->lun_ref_active, true, false)) + percpu_ref_put(&lun->lun_ref); ++ ++ /* ++ * Clear struct se_cmd->se_lun before the handoff to FE. ++ */ ++ cmd->se_lun = NULL; + } + + static void target_complete_failure_work(struct work_struct *work) +-- +2.33.0 + diff --git a/queue-5.15/scsi-ufs-core-fix-null-pointer-dereference.patch b/queue-5.15/scsi-ufs-core-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..50448ceeaab --- /dev/null +++ b/queue-5.15/scsi-ufs-core-fix-null-pointer-dereference.patch @@ -0,0 +1,103 @@ +From 7d0b01ac4a9d0ccd0b75878bfc98719db64dfd82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 22:06:38 +0200 +Subject: scsi: ufs: core: Fix NULL pointer dereference + +From: Bean Huo + +[ Upstream commit 1da3b0141e74c18c2377d4c2655406a90a87742f ] + +Calling ufshcd_rpm_{get/put}_sync() prior to ufshcd_scsi_add_wlus() being +called will trigger a NULL pointer dereference. This is because +hba->sdev_ufs_device is initialized in ufshcd_scsi_add_wlus(). + + Unable to handle kernel NULL pointer dereference at virtual address + 0000000000000348 + Mem abort info: + ESR = 0x96000004 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x04: level 0 translation fault + Data abort info: + ISV = 0, ISS = 0x00000004 + CM = 0, WnR = 0 + [0000000000000348] user address but active_mm is swapper + Internal error: Oops: 96000004 [#1] PREEMPT SMP + Modules linked in: + CPU: 0 PID: 91 Comm: kworker/u16:1 Not tainted 5.15.0-rc1-beanhuo-linaro-1423 + Hardware name: MicronRB (DT) + Workqueue: events_unbound async_run_entry_fn + pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : pm_runtime_drop_link+0x128/0x338 + lr : ufshpb_get_dev_info+0x8c/0x148 + sp : ffff800012573c10 + x29: ffff800012573c10 x28: 0000000000000000 x27: 0000000000000003 + x26: ffff000001d21298 x25: 000000005abcea60 x24: ffff800011d89000 + x23: 0000000000000001 x22: ffff000001d21880 x21: ffff000001ec9300 + x20: 0000000000000004 x19: 0000000000000198 x18: ffffffffffffffff + x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000041400 + x14: 5eee00201100200a x13: 000000000000bb03 x12: 0000000000000000 + x11: 0000000000000100 x10: 0200000000000000 x9 : bb0000021a162c01 + x8 : 0302010021021003 x7 : 0000000000000000 x6 : ffff800012573af0 + x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000200 + x2 : 0000000000000348 x1 : 0000000000000348 x0 : ffff80001095308c + Call trace: + pm_runtime_drop_link+0x128/0x338 + ufshpb_get_dev_info+0x8c/0x148 + ufshcd_probe_hba+0xda0/0x11b8 + ufshcd_async_scan+0x34/0x330 + async_run_entry_fn+0x38/0x180 + process_one_work+0x1f4/0x498 + worker_thread+0x48/0x480 + kthread+0x140/0x158 + ret_from_fork+0x10/0x20 + Code: 88027c01 35ffffa2 17fff6c4 f9800051 (885f7c40) + ---[ end trace 2ba541335f595c95 ] + +ufshpb_get_dev_info() is only called during asynchronous scanning and at +that time pm_runtime_get_sync() has been called: + + ... + /* Hold auto suspend until async scan completes */ + pm_runtime_get_sync(dev); + atomic_set(&hba->scsi_block_reqs_cnt, 0); + ... + ufshcd_async_scan() + ufshcd_probe_hba(hba, true); + ufshcd_device_params_init(hba); + ufshpb_get_dev_info(); + ... + pm_runtime_put_sync(hba->dev); + +Remove ufshcd_rpm_{get/put}_sync() from ufshpb_get_dev_info() to fix this +problem. + +Link: https://lore.kernel.org/r/20210929200640.828611-2-huobean@gmail.com +Fixes: 351b3a849ac7 ("scsi: ufs: ufshpb: Use proper power management API") +Signed-off-by: Bean Huo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshpb.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshpb.c b/drivers/scsi/ufs/ufshpb.c +index 46cdfb0dfca94..3b1a90b1d82ac 100644 +--- a/drivers/scsi/ufs/ufshpb.c ++++ b/drivers/scsi/ufs/ufshpb.c +@@ -2598,11 +2598,8 @@ void ufshpb_get_dev_info(struct ufs_hba *hba, u8 *desc_buf) + if (version == HPB_SUPPORT_LEGACY_VERSION) + hpb_dev_info->is_legacy = true; + +- ufshcd_rpm_get_sync(hba); + ret = ufshcd_query_attr_retry(hba, UPIU_QUERY_OPCODE_READ_ATTR, + QUERY_ATTR_IDN_MAX_HPB_SINGLE_CMD, 0, 0, &max_hpb_single_cmd); +- ufshcd_rpm_put_sync(hba); +- + if (ret) + dev_err(hba->dev, "%s: idn: read max size of single hpb cmd query request failed", + __func__); +-- +2.33.0 + diff --git a/queue-5.15/scsi-ufs-core-fix-ufshcd_probe_hba-prototype-to-matc.patch b/queue-5.15/scsi-ufs-core-fix-ufshcd_probe_hba-prototype-to-matc.patch new file mode 100644 index 00000000000..d2d2798f606 --- /dev/null +++ b/queue-5.15/scsi-ufs-core-fix-ufshcd_probe_hba-prototype-to-matc.patch @@ -0,0 +1,40 @@ +From 0bc2e7f716c7b240e08b8ba855ece5598cfc10f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 22:06:39 +0200 +Subject: scsi: ufs: core: Fix ufshcd_probe_hba() prototype to match the + definition + +From: Bean Huo + +[ Upstream commit 68444d73d6a5864ede12df6366bd6602e022ae5b ] + +Since commit 568dd9959611 ("scsi: ufs: Rename the second ufshcd_probe_hba() +argument"), the second ufshcd_probe_hba() argument has been changed to +init_dev_params. + +Link: https://lore.kernel.org/r/20210929200640.828611-3-huobean@gmail.com +Fixes: 568dd9959611 ("scsi: ufs: Rename the second ufshcd_probe_hba() argument") +Reviewed-by: Bart Van Assche +Signed-off-by: Bean Huo +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index 41f2ff35f82b2..b02feb3ab7b56 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -223,7 +223,7 @@ static int ufshcd_eh_host_reset_handler(struct scsi_cmnd *cmd); + static int ufshcd_clear_tm_cmd(struct ufs_hba *hba, int tag); + static void ufshcd_hba_exit(struct ufs_hba *hba); + static int ufshcd_clear_ua_wluns(struct ufs_hba *hba); +-static int ufshcd_probe_hba(struct ufs_hba *hba, bool async); ++static int ufshcd_probe_hba(struct ufs_hba *hba, bool init_dev_params); + static int ufshcd_setup_clocks(struct ufs_hba *hba, bool on); + static int ufshcd_uic_hibern8_enter(struct ufs_hba *hba); + static inline void ufshcd_add_delay_before_dme_cmd(struct ufs_hba *hba); +-- +2.33.0 + diff --git a/queue-5.15/scsi-ufs-core-stop-clearing-unit-attentions.patch b/queue-5.15/scsi-ufs-core-stop-clearing-unit-attentions.patch new file mode 100644 index 00000000000..83e2566f127 --- /dev/null +++ b/queue-5.15/scsi-ufs-core-stop-clearing-unit-attentions.patch @@ -0,0 +1,346 @@ +From f0f653e89029294bdc3b7bc7cb02bfe65b38200b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Oct 2021 11:20:15 -0700 +Subject: scsi: ufs: core: Stop clearing UNIT ATTENTIONS + +From: Bart Van Assche + +[ Upstream commit edc0596cc04bf0ac3a69c66e994d3ff8b650ff71 ] + +Commit aa53f580e67b ("scsi: ufs: Minor adjustments to error handling") +introduced a ufshcd_clear_ua_wluns() call in +ufshcd_err_handling_unprepare(). As explained in detail by Adrian Hunter, +this can trigger a deadlock. Avoid that deadlock by removing the code that +clears the unit attention. This is safe because the only software that +relies on clearing unit attentions is the Android Trusty software and +because support for handling unit attentions has been added in the Trusty +software. + +See also https://lore.kernel.org/linux-scsi/20210930124224.114031-2-adrian.hunter@intel.com/ + +Note that "scsi: ufs: Retry START_STOP on UNIT_ATTENTION" is a prerequisite +for this commit. + +Link: https://lore.kernel.org/r/20211001182015.1347587-3-jaegeuk@kernel.org +Fixes: aa53f580e67b ("scsi: ufs: Minor adjustments to error handling") +Cc: Adrian Hunter +Signed-off-by: Bart Van Assche +Signed-off-by: Jaegeuk Kim +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd.c | 184 +------------------------------------- + drivers/scsi/ufs/ufshcd.h | 14 --- + 2 files changed, 1 insertion(+), 197 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c +index b02feb3ab7b56..20705cec83c55 100644 +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -222,7 +222,6 @@ static int ufshcd_reset_and_restore(struct ufs_hba *hba); + static int ufshcd_eh_host_reset_handler(struct scsi_cmnd *cmd); + static int ufshcd_clear_tm_cmd(struct ufs_hba *hba, int tag); + static void ufshcd_hba_exit(struct ufs_hba *hba); +-static int ufshcd_clear_ua_wluns(struct ufs_hba *hba); + static int ufshcd_probe_hba(struct ufs_hba *hba, bool init_dev_params); + static int ufshcd_setup_clocks(struct ufs_hba *hba, bool on); + static int ufshcd_uic_hibern8_enter(struct ufs_hba *hba); +@@ -4073,8 +4072,6 @@ int ufshcd_link_recovery(struct ufs_hba *hba) + if (ret) + dev_err(hba->dev, "%s: link recovery failed, err %d", + __func__, ret); +- else +- ufshcd_clear_ua_wluns(hba); + + return ret; + } +@@ -5959,7 +5956,6 @@ static void ufshcd_err_handling_unprepare(struct ufs_hba *hba) + ufshcd_release(hba); + if (ufshcd_is_clkscaling_supported(hba)) + ufshcd_clk_scaling_suspend(hba, false); +- ufshcd_clear_ua_wluns(hba); + ufshcd_rpm_put(hba); + } + +@@ -7875,8 +7871,6 @@ static int ufshcd_add_lus(struct ufs_hba *hba) + if (ret) + goto out; + +- ufshcd_clear_ua_wluns(hba); +- + /* Initialize devfreq after UFS device is detected */ + if (ufshcd_is_clkscaling_supported(hba)) { + memcpy(&hba->clk_scaling.saved_pwr_info.info, +@@ -7902,116 +7896,6 @@ out: + return ret; + } + +-static void ufshcd_request_sense_done(struct request *rq, blk_status_t error) +-{ +- if (error != BLK_STS_OK) +- pr_err("%s: REQUEST SENSE failed (%d)\n", __func__, error); +- kfree(rq->end_io_data); +- blk_put_request(rq); +-} +- +-static int +-ufshcd_request_sense_async(struct ufs_hba *hba, struct scsi_device *sdev) +-{ +- /* +- * Some UFS devices clear unit attention condition only if the sense +- * size used (UFS_SENSE_SIZE in this case) is non-zero. +- */ +- static const u8 cmd[6] = {REQUEST_SENSE, 0, 0, 0, UFS_SENSE_SIZE, 0}; +- struct scsi_request *rq; +- struct request *req; +- char *buffer; +- int ret; +- +- buffer = kzalloc(UFS_SENSE_SIZE, GFP_KERNEL); +- if (!buffer) +- return -ENOMEM; +- +- req = blk_get_request(sdev->request_queue, REQ_OP_DRV_IN, +- /*flags=*/BLK_MQ_REQ_PM); +- if (IS_ERR(req)) { +- ret = PTR_ERR(req); +- goto out_free; +- } +- +- ret = blk_rq_map_kern(sdev->request_queue, req, +- buffer, UFS_SENSE_SIZE, GFP_NOIO); +- if (ret) +- goto out_put; +- +- rq = scsi_req(req); +- rq->cmd_len = ARRAY_SIZE(cmd); +- memcpy(rq->cmd, cmd, rq->cmd_len); +- rq->retries = 3; +- req->timeout = 1 * HZ; +- req->rq_flags |= RQF_PM | RQF_QUIET; +- req->end_io_data = buffer; +- +- blk_execute_rq_nowait(/*bd_disk=*/NULL, req, /*at_head=*/true, +- ufshcd_request_sense_done); +- return 0; +- +-out_put: +- blk_put_request(req); +-out_free: +- kfree(buffer); +- return ret; +-} +- +-static int ufshcd_clear_ua_wlun(struct ufs_hba *hba, u8 wlun) +-{ +- struct scsi_device *sdp; +- unsigned long flags; +- int ret = 0; +- +- spin_lock_irqsave(hba->host->host_lock, flags); +- if (wlun == UFS_UPIU_UFS_DEVICE_WLUN) +- sdp = hba->sdev_ufs_device; +- else if (wlun == UFS_UPIU_RPMB_WLUN) +- sdp = hba->sdev_rpmb; +- else +- BUG(); +- if (sdp) { +- ret = scsi_device_get(sdp); +- if (!ret && !scsi_device_online(sdp)) { +- ret = -ENODEV; +- scsi_device_put(sdp); +- } +- } else { +- ret = -ENODEV; +- } +- spin_unlock_irqrestore(hba->host->host_lock, flags); +- if (ret) +- goto out_err; +- +- ret = ufshcd_request_sense_async(hba, sdp); +- scsi_device_put(sdp); +-out_err: +- if (ret) +- dev_err(hba->dev, "%s: UAC clear LU=%x ret = %d\n", +- __func__, wlun, ret); +- return ret; +-} +- +-static int ufshcd_clear_ua_wluns(struct ufs_hba *hba) +-{ +- int ret = 0; +- +- if (!hba->wlun_dev_clr_ua) +- goto out; +- +- ret = ufshcd_clear_ua_wlun(hba, UFS_UPIU_UFS_DEVICE_WLUN); +- if (!ret) +- ret = ufshcd_clear_ua_wlun(hba, UFS_UPIU_RPMB_WLUN); +- if (!ret) +- hba->wlun_dev_clr_ua = false; +-out: +- if (ret) +- dev_err(hba->dev, "%s: Failed to clear UAC WLUNS ret = %d\n", +- __func__, ret); +- return ret; +-} +- + /** + * ufshcd_probe_hba - probe hba to detect device and initialize it + * @hba: per-adapter instance +@@ -8062,8 +7946,6 @@ static int ufshcd_probe_hba(struct ufs_hba *hba, bool init_dev_params) + /* UFS device is also active now */ + ufshcd_set_ufs_dev_active(hba); + ufshcd_force_reset_auto_bkops(hba); +- hba->wlun_dev_clr_ua = true; +- hba->wlun_rpmb_clr_ua = true; + + /* Gear up to HS gear if supported */ + if (hba->max_pwr_info.is_valid) { +@@ -8625,8 +8507,6 @@ static int ufshcd_set_dev_pwr_mode(struct ufs_hba *hba, + * handling context. + */ + hba->host->eh_noresume = 1; +- if (hba->wlun_dev_clr_ua) +- ufshcd_clear_ua_wlun(hba, UFS_UPIU_UFS_DEVICE_WLUN); + + cmd[4] = pwr_mode << 4; + +@@ -9699,10 +9579,6 @@ void ufshcd_resume_complete(struct device *dev) + ufshcd_rpm_put(hba); + hba->complete_put = false; + } +- if (hba->rpmb_complete_put) { +- ufshcd_rpmb_rpm_put(hba); +- hba->rpmb_complete_put = false; +- } + } + EXPORT_SYMBOL_GPL(ufshcd_resume_complete); + +@@ -9725,10 +9601,6 @@ int ufshcd_suspend_prepare(struct device *dev) + } + hba->complete_put = true; + } +- if (hba->sdev_rpmb) { +- ufshcd_rpmb_rpm_get_sync(hba); +- hba->rpmb_complete_put = true; +- } + return 0; + } + EXPORT_SYMBOL_GPL(ufshcd_suspend_prepare); +@@ -9797,49 +9669,6 @@ static struct scsi_driver ufs_dev_wlun_template = { + }, + }; + +-static int ufshcd_rpmb_probe(struct device *dev) +-{ +- return is_rpmb_wlun(to_scsi_device(dev)) ? 0 : -ENODEV; +-} +- +-static inline int ufshcd_clear_rpmb_uac(struct ufs_hba *hba) +-{ +- int ret = 0; +- +- if (!hba->wlun_rpmb_clr_ua) +- return 0; +- ret = ufshcd_clear_ua_wlun(hba, UFS_UPIU_RPMB_WLUN); +- if (!ret) +- hba->wlun_rpmb_clr_ua = 0; +- return ret; +-} +- +-#ifdef CONFIG_PM +-static int ufshcd_rpmb_resume(struct device *dev) +-{ +- struct ufs_hba *hba = wlun_dev_to_hba(dev); +- +- if (hba->sdev_rpmb) +- ufshcd_clear_rpmb_uac(hba); +- return 0; +-} +-#endif +- +-static const struct dev_pm_ops ufs_rpmb_pm_ops = { +- SET_RUNTIME_PM_OPS(NULL, ufshcd_rpmb_resume, NULL) +- SET_SYSTEM_SLEEP_PM_OPS(NULL, ufshcd_rpmb_resume) +-}; +- +-/* ufs_rpmb_wlun_template - Describes UFS RPMB WLUN. Used only to send UAC. */ +-static struct scsi_driver ufs_rpmb_wlun_template = { +- .gendrv = { +- .name = "ufs_rpmb_wlun", +- .owner = THIS_MODULE, +- .probe = ufshcd_rpmb_probe, +- .pm = &ufs_rpmb_pm_ops, +- }, +-}; +- + static int __init ufshcd_core_init(void) + { + int ret; +@@ -9848,24 +9677,13 @@ static int __init ufshcd_core_init(void) + + ret = scsi_register_driver(&ufs_dev_wlun_template.gendrv); + if (ret) +- goto debugfs_exit; +- +- ret = scsi_register_driver(&ufs_rpmb_wlun_template.gendrv); +- if (ret) +- goto unregister; +- +- return ret; +-unregister: +- scsi_unregister_driver(&ufs_dev_wlun_template.gendrv); +-debugfs_exit: +- ufs_debugfs_exit(); ++ ufs_debugfs_exit(); + return ret; + } + + static void __exit ufshcd_core_exit(void) + { + ufs_debugfs_exit(); +- scsi_unregister_driver(&ufs_rpmb_wlun_template.gendrv); + scsi_unregister_driver(&ufs_dev_wlun_template.gendrv); + } + +diff --git a/drivers/scsi/ufs/ufshcd.h b/drivers/scsi/ufs/ufshcd.h +index 41f6e06f91856..07ada6676c3b4 100644 +--- a/drivers/scsi/ufs/ufshcd.h ++++ b/drivers/scsi/ufs/ufshcd.h +@@ -871,9 +871,6 @@ struct ufs_hba { + struct ufs_vreg_info vreg_info; + struct list_head clk_list_head; + +- bool wlun_dev_clr_ua; +- bool wlun_rpmb_clr_ua; +- + /* Number of requests aborts */ + int req_abort_count; + +@@ -920,7 +917,6 @@ struct ufs_hba { + #endif + u32 luns_avail; + bool complete_put; +- bool rpmb_complete_put; + }; + + /* Returns true if clocks can be gated. Otherwise false */ +@@ -1393,14 +1389,4 @@ static inline int ufshcd_rpm_put(struct ufs_hba *hba) + return pm_runtime_put(&hba->sdev_ufs_device->sdev_gendev); + } + +-static inline int ufshcd_rpmb_rpm_get_sync(struct ufs_hba *hba) +-{ +- return pm_runtime_get_sync(&hba->sdev_rpmb->sdev_gendev); +-} +- +-static inline int ufshcd_rpmb_rpm_put(struct ufs_hba *hba) +-{ +- return pm_runtime_put(&hba->sdev_rpmb->sdev_gendev); +-} +- + #endif /* End of Header */ +-- +2.33.0 + diff --git a/queue-5.15/scsi-ufs-ufshcd-pltfrm-fix-memory-leak-due-to-probe-.patch b/queue-5.15/scsi-ufs-ufshcd-pltfrm-fix-memory-leak-due-to-probe-.patch new file mode 100644 index 00000000000..a032559979c --- /dev/null +++ b/queue-5.15/scsi-ufs-ufshcd-pltfrm-fix-memory-leak-due-to-probe-.patch @@ -0,0 +1,85 @@ +From 4df9740e03c56f6baaf28b78b3238b906930db3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 10:22:14 +0100 +Subject: scsi: ufs: ufshcd-pltfrm: Fix memory leak due to probe defer + +From: Srinivas Kandagatla + +[ Upstream commit b6ca770ae7f2c560a29bbd02c4e3d734fafaf804 ] + +UFS drivers that probe defer will end up leaking memory allocated for clk +and regulator names via kstrdup() because the structure that is holding +this memory is allocated via devm_* variants which will be freed during +probe defer but the names are never freed. + +Use same devm_* variant of kstrdup to free the memory allocated to name +when driver probe defers. + +Kmemleak found around 11 leaks on Qualcomm Dragon Board RB5: + +unreferenced object 0xffff66f243fb2c00 (size 128): + comm "kworker/u16:0", pid 7, jiffies 4294893319 (age 94.848s) + hex dump (first 32 bytes): + 63 6f 72 65 5f 63 6c 6b 00 76 69 72 74 75 61 6c core_clk.virtual + 2f 77 6f 72 6b 71 75 65 75 65 2f 73 63 73 69 5f /workqueue/scsi_ + backtrace: + [<000000006f788cd1>] slab_post_alloc_hook+0x88/0x410 + [<00000000cfd1372b>] __kmalloc_track_caller+0x138/0x230 + [<00000000a92ab17b>] kstrdup+0xb0/0x110 + [<0000000037263ab6>] ufshcd_pltfrm_init+0x1a8/0x500 + [<00000000a20a5caa>] ufs_qcom_probe+0x20/0x58 + [<00000000a5e43067>] platform_probe+0x6c/0x118 + [<00000000ef686e3f>] really_probe+0xc4/0x330 + [<000000005b18792c>] __driver_probe_device+0x88/0x118 + [<00000000a5d295e8>] driver_probe_device+0x44/0x158 + [<000000007e83f58d>] __device_attach_driver+0xb4/0x128 + [<000000004bfa4470>] bus_for_each_drv+0x68/0xd0 + [<00000000b89a83bc>] __device_attach+0xec/0x170 + [<00000000ada2beea>] device_initial_probe+0x14/0x20 + [<0000000079921612>] bus_probe_device+0x9c/0xa8 + [<00000000d268bf7c>] deferred_probe_work_func+0x90/0xd0 + [<000000009ef64bfa>] process_one_work+0x29c/0x788 +unreferenced object 0xffff66f243fb2c80 (size 128): + comm "kworker/u16:0", pid 7, jiffies 4294893319 (age 94.848s) + hex dump (first 32 bytes): + 62 75 73 5f 61 67 67 72 5f 63 6c 6b 00 00 00 00 bus_aggr_clk.... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + +With this patch no memory leaks are reported. + +Link: https://lore.kernel.org/r/20210914092214.6468-1-srinivas.kandagatla@linaro.org +Fixes: aa4976130934 ("ufs: Add regulator enable support") +Fixes: c6e79dacd86f ("ufs: Add clock initialization support") +Reviewed-by: Bart Van Assche +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshcd-pltfrm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c +index 8859c13f4e091..eaeae83b999fd 100644 +--- a/drivers/scsi/ufs/ufshcd-pltfrm.c ++++ b/drivers/scsi/ufs/ufshcd-pltfrm.c +@@ -91,7 +91,7 @@ static int ufshcd_parse_clock_info(struct ufs_hba *hba) + + clki->min_freq = clkfreq[i]; + clki->max_freq = clkfreq[i+1]; +- clki->name = kstrdup(name, GFP_KERNEL); ++ clki->name = devm_kstrdup(dev, name, GFP_KERNEL); + if (!strcmp(name, "ref_clk")) + clki->keep_link_active = true; + dev_dbg(dev, "%s: min %u max %u name %s\n", "freq-table-hz", +@@ -126,7 +126,7 @@ static int ufshcd_populate_vreg(struct device *dev, const char *name, + if (!vreg) + return -ENOMEM; + +- vreg->name = kstrdup(name, GFP_KERNEL); ++ vreg->name = devm_kstrdup(dev, name, GFP_KERNEL); + + snprintf(prop_name, MAX_PROP_SIZE, "%s-max-microamp", name); + if (of_property_read_u32(np, prop_name, &vreg->max_uA)) { +-- +2.33.0 + diff --git a/queue-5.15/scsi-ufs-ufshpb-properly-handle-max-single-cmd.patch b/queue-5.15/scsi-ufs-ufshpb-properly-handle-max-single-cmd.patch new file mode 100644 index 00000000000..fd21e989007 --- /dev/null +++ b/queue-5.15/scsi-ufs-ufshpb-properly-handle-max-single-cmd.patch @@ -0,0 +1,109 @@ +From 53066e2c5657ed7e921e46825860dbf84e3b8ddc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Oct 2021 14:36:54 +0200 +Subject: scsi: ufs: ufshpb: Properly handle max-single-cmd + +From: Avri Altman + +[ Upstream commit 9ec5128a8b5631d652ed06b37e0166f337802f90 ] + +The spec recommends that for transfer length larger than the max-single-cmd +attribute (bMAX_DATA_SIZE_FOR_HPB_SINGLE_CMD) it is possible to couple +pre-requests with the HPB-READ command. Being a recommendation, using +pre-requests can be perceived merely as a means of optimization. A common +practice was to send pre-requests for chunks within some interval, and +leave the READ10 untouched if larger. + +Now that the pre-request flows have been removed, all the commands are +single commands. Properly handle this attribute and do not send HPB-READ +for transfer lengths larger than max-single-cmd. + +[mkp: resolve conflict] + +Fixes: 09d9e4d04187 ("scsi: ufs: ufshpb: Remove HPB2.0 flows") +Link: https://lore.kernel.org/r/20211031123654.17719-1-avri.altman@wdc.com +Reviewed-by: Daejun Park +Signed-off-by: Avri Altman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshpb.c | 24 +++++++++++++----------- + drivers/scsi/ufs/ufshpb.h | 1 - + 2 files changed, 13 insertions(+), 12 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshpb.c b/drivers/scsi/ufs/ufshpb.c +index 3b1a90b1d82ac..a86d0cc50de21 100644 +--- a/drivers/scsi/ufs/ufshpb.c ++++ b/drivers/scsi/ufs/ufshpb.c +@@ -394,8 +394,6 @@ int ufshpb_prep(struct ufs_hba *hba, struct ufshcd_lrb *lrbp) + if (!ufshpb_is_supported_chunk(hpb, transfer_len)) + return 0; + +- WARN_ON_ONCE(transfer_len > HPB_MULTI_CHUNK_HIGH); +- + if (hpb->is_hcm) { + /* + * in host control mode, reads are the main source for +@@ -1572,7 +1570,7 @@ static void ufshpb_lu_parameter_init(struct ufs_hba *hba, + if (ufshpb_is_legacy(hba)) + hpb->pre_req_max_tr_len = HPB_LEGACY_CHUNK_HIGH; + else +- hpb->pre_req_max_tr_len = HPB_MULTI_CHUNK_HIGH; ++ hpb->pre_req_max_tr_len = hpb_dev_info->max_hpb_single_cmd; + + hpb->lu_pinned_start = hpb_lu_info->pinned_start; + hpb->lu_pinned_end = hpb_lu_info->num_pinned ? +@@ -2582,7 +2580,7 @@ void ufshpb_get_dev_info(struct ufs_hba *hba, u8 *desc_buf) + { + struct ufshpb_dev_info *hpb_dev_info = &hba->ufshpb_dev; + int version, ret; +- u32 max_hpb_single_cmd = HPB_MULTI_CHUNK_LOW; ++ int max_single_cmd; + + hpb_dev_info->control_mode = desc_buf[DEVICE_DESC_PARAM_HPB_CONTROL]; + +@@ -2598,18 +2596,22 @@ void ufshpb_get_dev_info(struct ufs_hba *hba, u8 *desc_buf) + if (version == HPB_SUPPORT_LEGACY_VERSION) + hpb_dev_info->is_legacy = true; + +- ret = ufshcd_query_attr_retry(hba, UPIU_QUERY_OPCODE_READ_ATTR, +- QUERY_ATTR_IDN_MAX_HPB_SINGLE_CMD, 0, 0, &max_hpb_single_cmd); +- if (ret) +- dev_err(hba->dev, "%s: idn: read max size of single hpb cmd query request failed", +- __func__); +- hpb_dev_info->max_hpb_single_cmd = max_hpb_single_cmd; +- + /* + * Get the number of user logical unit to check whether all + * scsi_device finish initialization + */ + hpb_dev_info->num_lu = desc_buf[DEVICE_DESC_PARAM_NUM_LU]; ++ ++ if (hpb_dev_info->is_legacy) ++ return; ++ ++ ret = ufshcd_query_attr_retry(hba, UPIU_QUERY_OPCODE_READ_ATTR, ++ QUERY_ATTR_IDN_MAX_HPB_SINGLE_CMD, 0, 0, &max_single_cmd); ++ ++ if (ret) ++ hpb_dev_info->max_hpb_single_cmd = HPB_LEGACY_CHUNK_HIGH; ++ else ++ hpb_dev_info->max_hpb_single_cmd = min(max_single_cmd + 1, HPB_MULTI_CHUNK_HIGH); + } + + void ufshpb_init(struct ufs_hba *hba) +diff --git a/drivers/scsi/ufs/ufshpb.h b/drivers/scsi/ufs/ufshpb.h +index f15d8fdbce2ef..b475dbd789883 100644 +--- a/drivers/scsi/ufs/ufshpb.h ++++ b/drivers/scsi/ufs/ufshpb.h +@@ -31,7 +31,6 @@ + + /* hpb support chunk size */ + #define HPB_LEGACY_CHUNK_HIGH 1 +-#define HPB_MULTI_CHUNK_LOW 7 + #define HPB_MULTI_CHUNK_HIGH 255 + + /* hpb vender defined opcode */ +-- +2.33.0 + diff --git a/queue-5.15/scsi-ufs-ufshpb-use-proper-power-management-api.patch b/queue-5.15/scsi-ufs-ufshpb-use-proper-power-management-api.patch new file mode 100644 index 00000000000..2acca1e88d1 --- /dev/null +++ b/queue-5.15/scsi-ufs-ufshpb-use-proper-power-management-api.patch @@ -0,0 +1,59 @@ +From 9020036992a1e5c51ccee3b2cfed141af9c6d203 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Sep 2021 09:35:34 +0900 +Subject: scsi: ufs: ufshpb: Use proper power management API + +From: Daejun Park + +[ Upstream commit 351b3a849ac7d92449dc75c43db8a857b38387ea ] + +In ufshpb, pm_runtime_{get,put}_sync() are used to avoid unwanted runtime +suspend during query requests. Whereas commit b294ff3e3449 ("scsi: ufs: +core: Enable power management for wlun") modified the driver core to use +ufshcd_rpm_{get,put}_sync() APIs. + +Switch to these APIs in HPB module as well. + +Link: https://lore.kernel.org/r/20210902003534epcms2p1937a0f0eeb48a441cb69f5ef13ff8430@epcms2p1 +Reviewed-by: Avri Altman +Signed-off-by: Daejun Park +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ufs/ufshpb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/scsi/ufs/ufshpb.c b/drivers/scsi/ufs/ufshpb.c +index 026a133149dce..46cdfb0dfca94 100644 +--- a/drivers/scsi/ufs/ufshpb.c ++++ b/drivers/scsi/ufs/ufshpb.c +@@ -2371,11 +2371,11 @@ static int ufshpb_get_lu_info(struct ufs_hba *hba, int lun, + + ufshcd_map_desc_id_to_length(hba, QUERY_DESC_IDN_UNIT, &size); + +- pm_runtime_get_sync(hba->dev); ++ ufshcd_rpm_get_sync(hba); + ret = ufshcd_query_descriptor_retry(hba, UPIU_QUERY_OPCODE_READ_DESC, + QUERY_DESC_IDN_UNIT, lun, 0, + desc_buf, &size); +- pm_runtime_put_sync(hba->dev); ++ ufshcd_rpm_put_sync(hba); + + if (ret) { + dev_err(hba->dev, +@@ -2598,10 +2598,10 @@ void ufshpb_get_dev_info(struct ufs_hba *hba, u8 *desc_buf) + if (version == HPB_SUPPORT_LEGACY_VERSION) + hpb_dev_info->is_legacy = true; + +- pm_runtime_get_sync(hba->dev); ++ ufshcd_rpm_get_sync(hba); + ret = ufshcd_query_attr_retry(hba, UPIU_QUERY_OPCODE_READ_ATTR, + QUERY_ATTR_IDN_MAX_HPB_SINGLE_CMD, 0, 0, &max_hpb_single_cmd); +- pm_runtime_put_sync(hba->dev); ++ ufshcd_rpm_put_sync(hba); + + if (ret) + dev_err(hba->dev, "%s: idn: read max size of single hpb cmd query request failed", +-- +2.33.0 + diff --git a/queue-5.15/sctp-allow-ip-fragmentation-when-plpmtud-enters-erro.patch b/queue-5.15/sctp-allow-ip-fragmentation-when-plpmtud-enters-erro.patch new file mode 100644 index 00000000000..91c01270cc1 --- /dev/null +++ b/queue-5.15/sctp-allow-ip-fragmentation-when-plpmtud-enters-erro.patch @@ -0,0 +1,92 @@ +From 16f828f85e2e1b61a266e2e77c05d60888c209b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 05:36:01 -0400 +Subject: sctp: allow IP fragmentation when PLPMTUD enters Error state + +From: Xin Long + +[ Upstream commit 40171248bb8934537fec8fbaf718e57c8add187c ] + +Currently when PLPMTUD enters Error state, transport pathmtu will be set +to MIN_PLPMTU(512) while probe is continuing with BASE_PLPMTU(1200). It +will cause pathmtu to stay in a very small value, even if the real pmtu +is some value like 1000. + +RFC8899 doesn't clearly say how to set the value in Error state. But one +possibility could be keep using BASE_PLPMTU for the real pmtu, but allow +to do IP fragmentation when it's in Error state. + +As it says in rfc8899#section-5.4: + + Some paths could be unable to sustain packets of the BASE_PLPMTU + size. The Error State could be implemented to provide robustness to + such paths. This allows fallback to a smaller than desired PLPMTU + rather than suffer connectivity failure. This could utilize methods + such as endpoint IP fragmentation to enable the PL sender to + communicate using packets smaller than the BASE_PLPMTU. + +This patch is to set pmtu to BASE_PLPMTU instead of MIN_PLPMTU for Error +state in sctp_transport_pl_send/toobig(), and set packet ipfragok for +non-probe packets when it's in Error state. + +Fixes: 1dc68c194571 ("sctp: do state transition when PROBE_COUNT == MAX_PROBES on HB send path") +Reported-by: Ying Xu +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/output.c | 13 ++++++++----- + net/sctp/transport.c | 4 ++-- + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/net/sctp/output.c b/net/sctp/output.c +index 4dfb5ea82b05b..cdfdbd353c678 100644 +--- a/net/sctp/output.c ++++ b/net/sctp/output.c +@@ -581,13 +581,16 @@ int sctp_packet_transmit(struct sctp_packet *packet, gfp_t gfp) + chunk = list_entry(packet->chunk_list.next, struct sctp_chunk, list); + sk = chunk->skb->sk; + +- /* check gso */ + if (packet->size > tp->pathmtu && !packet->ipfragok && !chunk->pmtu_probe) { +- if (!sk_can_gso(sk)) { +- pr_err_once("Trying to GSO but underlying device doesn't support it."); +- goto out; ++ if (tp->pl.state == SCTP_PL_ERROR) { /* do IP fragmentation if in Error state */ ++ packet->ipfragok = 1; ++ } else { ++ if (!sk_can_gso(sk)) { /* check gso */ ++ pr_err_once("Trying to GSO but underlying device doesn't support it."); ++ goto out; ++ } ++ gso = 1; + } +- gso = 1; + } + + /* alloc head skb */ +diff --git a/net/sctp/transport.c b/net/sctp/transport.c +index a3d3ca6dd63dd..1f2dfad768d52 100644 +--- a/net/sctp/transport.c ++++ b/net/sctp/transport.c +@@ -269,7 +269,7 @@ bool sctp_transport_pl_send(struct sctp_transport *t) + if (t->pl.probe_size == SCTP_BASE_PLPMTU) { /* BASE_PLPMTU Confirmation Failed */ + t->pl.state = SCTP_PL_ERROR; /* Base -> Error */ + +- t->pl.pmtu = SCTP_MIN_PLPMTU; ++ t->pl.pmtu = SCTP_BASE_PLPMTU; + t->pathmtu = t->pl.pmtu + sctp_transport_pl_hlen(t); + sctp_assoc_sync_pmtu(t->asoc); + } +@@ -366,7 +366,7 @@ static bool sctp_transport_pl_toobig(struct sctp_transport *t, u32 pmtu) + if (pmtu >= SCTP_MIN_PLPMTU && pmtu < SCTP_BASE_PLPMTU) { + t->pl.state = SCTP_PL_ERROR; /* Base -> Error */ + +- t->pl.pmtu = SCTP_MIN_PLPMTU; ++ t->pl.pmtu = SCTP_BASE_PLPMTU; + t->pathmtu = t->pl.pmtu + sctp_transport_pl_hlen(t); + } + } else if (t->pl.state == SCTP_PL_SEARCH) { +-- +2.33.0 + diff --git a/queue-5.15/sctp-reset-probe_timer-in-sctp_transport_pl_update.patch b/queue-5.15/sctp-reset-probe_timer-in-sctp_transport_pl_update.patch new file mode 100644 index 00000000000..8f4785bfa94 --- /dev/null +++ b/queue-5.15/sctp-reset-probe_timer-in-sctp_transport_pl_update.patch @@ -0,0 +1,43 @@ +From 6d3a453d9d425a657753d7520043c3d39a0b9dce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 05:36:02 -0400 +Subject: sctp: reset probe_timer in sctp_transport_pl_update + +From: Xin Long + +[ Upstream commit c6ea04ea692fa0d8e7faeb133fcd28e3acf470a0 ] + +sctp_transport_pl_update() is called when transport update its dst and +pathmtu, instead of stopping the PLPMTUD probe timer, PLPMTUD should +start over and reset the probe timer. Otherwise, the PLPMTUD service +would stop. + +Fixes: 92548ec2f1f9 ("sctp: add the probe timer in transport for PLPMTUD") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sctp/sctp.h | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h +index 69bab88ad66b1..bc00410223b03 100644 +--- a/include/net/sctp/sctp.h ++++ b/include/net/sctp/sctp.h +@@ -653,12 +653,10 @@ static inline void sctp_transport_pl_update(struct sctp_transport *t) + if (t->pl.state == SCTP_PL_DISABLED) + return; + +- if (del_timer(&t->probe_timer)) +- sctp_transport_put(t); +- + t->pl.state = SCTP_PL_BASE; + t->pl.pmtu = SCTP_BASE_PLPMTU; + t->pl.probe_size = SCTP_BASE_PLPMTU; ++ sctp_transport_reset_probe_timer(t); + } + + static inline bool sctp_transport_pl_enabled(struct sctp_transport *t) +-- +2.33.0 + diff --git a/queue-5.15/sctp-return-true-only-for-pathmtu-update-in-sctp_tra.patch b/queue-5.15/sctp-return-true-only-for-pathmtu-update-in-sctp_tra.patch new file mode 100644 index 00000000000..a8588eb1daf --- /dev/null +++ b/queue-5.15/sctp-return-true-only-for-pathmtu-update-in-sctp_tra.patch @@ -0,0 +1,63 @@ +From 0983c9979782c8ee5895cb68124bb0dfe53cc028 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 05:36:04 -0400 +Subject: sctp: return true only for pathmtu update in sctp_transport_pl_toobig + +From: Xin Long + +[ Upstream commit 75cf662c64dd8543f56c329c69eba18141c8fd9f ] + +sctp_transport_pl_toobig() supposes to return true only if there's +pathmtu update, so that in sctp_icmp_frag_needed() it would call +sctp_assoc_sync_pmtu() and sctp_retransmit(). This patch is to fix +these return places in sctp_transport_pl_toobig(). + +Fixes: 836964083177 ("sctp: do state transition when receiving an icmp TOOBIG packet") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sctp/transport.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/sctp/transport.c b/net/sctp/transport.c +index 1f2dfad768d52..133f1719bf1b7 100644 +--- a/net/sctp/transport.c ++++ b/net/sctp/transport.c +@@ -368,6 +368,7 @@ static bool sctp_transport_pl_toobig(struct sctp_transport *t, u32 pmtu) + + t->pl.pmtu = SCTP_BASE_PLPMTU; + t->pathmtu = t->pl.pmtu + sctp_transport_pl_hlen(t); ++ return true; + } + } else if (t->pl.state == SCTP_PL_SEARCH) { + if (pmtu >= SCTP_BASE_PLPMTU && pmtu < t->pl.pmtu) { +@@ -378,11 +379,10 @@ static bool sctp_transport_pl_toobig(struct sctp_transport *t, u32 pmtu) + t->pl.probe_high = 0; + t->pl.pmtu = SCTP_BASE_PLPMTU; + t->pathmtu = t->pl.pmtu + sctp_transport_pl_hlen(t); ++ return true; + } else if (pmtu > t->pl.pmtu && pmtu < t->pl.probe_size) { + t->pl.probe_size = pmtu; + t->pl.probe_count = 0; +- +- return false; + } + } else if (t->pl.state == SCTP_PL_COMPLETE) { + if (pmtu >= SCTP_BASE_PLPMTU && pmtu < t->pl.pmtu) { +@@ -393,10 +393,11 @@ static bool sctp_transport_pl_toobig(struct sctp_transport *t, u32 pmtu) + t->pl.probe_high = 0; + t->pl.pmtu = SCTP_BASE_PLPMTU; + t->pathmtu = t->pl.pmtu + sctp_transport_pl_hlen(t); ++ return true; + } + } + +- return true; ++ return false; + } + + bool sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu) +-- +2.33.0 + diff --git a/queue-5.15/sctp-subtract-sctphdr-len-in-sctp_transport_pl_hlen.patch b/queue-5.15/sctp-subtract-sctphdr-len-in-sctp_transport_pl_hlen.patch new file mode 100644 index 00000000000..d1a01c4ef4b --- /dev/null +++ b/queue-5.15/sctp-subtract-sctphdr-len-in-sctp_transport_pl_hlen.patch @@ -0,0 +1,56 @@ +From f4e0c7995a5bbda830ab30a1a5340647735add31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 05:36:03 -0400 +Subject: sctp: subtract sctphdr len in sctp_transport_pl_hlen + +From: Xin Long + +[ Upstream commit cc4665ca646c96181a7c00198aa72c59e0c576e8 ] + +sctp_transport_pl_hlen() is called to calculate the outer header length +for PL. However, as the Figure in rfc8899#section-4.4: + + Any additional + headers .--- MPS -----. + | | | + v v v + +------------------------------+ + | IP | ** | PL | protocol data | + +------------------------------+ + + <----- PLPMTU -----> + <---------- PMTU --------------> + +Outer header are IP + Any additional headers, which doesn't include +Packetization Layer itself header, namely sctphdr, whereas sctphdr +is counted by __sctp_mtu_payload(). + +The incorrect calculation caused the link pathmtu to be set larger +than expected by t->pl.pmtu + sctp_transport_pl_hlen(). This patch +is to fix it by subtracting sctphdr len in sctp_transport_pl_hlen(). + +Fixes: d9e2e410ae30 ("sctp: add the constants/variables and states and some APIs for transport") +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/sctp/sctp.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h +index bc00410223b03..189fdb9db1622 100644 +--- a/include/net/sctp/sctp.h ++++ b/include/net/sctp/sctp.h +@@ -626,7 +626,8 @@ static inline __u32 sctp_min_frag_point(struct sctp_sock *sp, __u16 datasize) + + static inline int sctp_transport_pl_hlen(struct sctp_transport *t) + { +- return __sctp_mtu_payload(sctp_sk(t->asoc->base.sk), t, 0, 0); ++ return __sctp_mtu_payload(sctp_sk(t->asoc->base.sk), t, 0, 0) - ++ sizeof(struct sctphdr); + } + + static inline void sctp_transport_pl_reset(struct sctp_transport *t) +-- +2.33.0 + diff --git a/queue-5.15/selftests-bpf-fix-fclose-pclose-mismatch-in-test_pro.patch b/queue-5.15/selftests-bpf-fix-fclose-pclose-mismatch-in-test_pro.patch new file mode 100644 index 00000000000..79929b25b04 --- /dev/null +++ b/queue-5.15/selftests-bpf-fix-fclose-pclose-mismatch-in-test_pro.patch @@ -0,0 +1,47 @@ +From 376035d433a3ef709b03345859005f9f13d0af76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 16:34:09 +0200 +Subject: selftests/bpf: Fix fclose/pclose mismatch in test_progs + +From: Andrea Righi + +[ Upstream commit f48ad69097fe79d1de13c4d8fef556d4c11c5e68 ] + +Make sure to use pclose() to properly close the pipe opened by popen(). + +Fixes: 81f77fd0deeb ("bpf: add selftest for stackmap with BPF_F_STACK_BUILD_ID") +Signed-off-by: Andrea Righi +Signed-off-by: Daniel Borkmann +Reviewed-by: Shuah Khan +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20211026143409.42666-1-andrea.righi@canonical.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_progs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c +index cc1cd240445d2..e3fea6f281e4b 100644 +--- a/tools/testing/selftests/bpf/test_progs.c ++++ b/tools/testing/selftests/bpf/test_progs.c +@@ -370,7 +370,7 @@ int extract_build_id(char *build_id, size_t size) + + if (getline(&line, &len, fp) == -1) + goto err; +- fclose(fp); ++ pclose(fp); + + if (len > size) + len = size; +@@ -379,7 +379,7 @@ int extract_build_id(char *build_id, size_t size) + free(line); + return 0; + err: +- fclose(fp); ++ pclose(fp); + return -1; + } + +-- +2.33.0 + diff --git a/queue-5.15/selftests-bpf-fix-fd-cleanup-in-sk_lookup-test.patch b/queue-5.15/selftests-bpf-fix-fd-cleanup-in-sk_lookup-test.patch new file mode 100644 index 00000000000..bbaa56b9ea9 --- /dev/null +++ b/queue-5.15/selftests-bpf-fix-fd-cleanup-in-sk_lookup-test.patch @@ -0,0 +1,56 @@ +From e87d23e9172c39043a9a96910b95c56cfb3a83df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:05:00 +0530 +Subject: selftests/bpf: Fix fd cleanup in sk_lookup test + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit c3fc706e94f5653def2783ffcd809a38676b7551 ] + +Similar to the fix in commit: +e31eec77e4ab ("bpf: selftests: Fix fd cleanup in get_branch_snapshot") + +We use designated initializer to set fds to -1 without breaking on +future changes to MAX_SERVER constant denoting the array size. + +The particular close(0) occurs on non-reuseport tests, so it can be seen +with -n 115/{2,3} but not 115/4. This can cause problems with future +tests if they depend on BTF fd never being acquired as fd 0, breaking +internal libbpf assumptions. + +Fixes: 0ab5539f8584 ("selftests/bpf: Tests for BPF_SK_LOOKUP attach point") +Signed-off-by: Kumar Kartikeya Dwivedi +Signed-off-by: Alexei Starovoitov +Reviewed-by: Jakub Sitnicki +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20211028063501.2239335-8-memxor@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/sk_lookup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c +index aee41547e7f45..6db07401bc493 100644 +--- a/tools/testing/selftests/bpf/prog_tests/sk_lookup.c ++++ b/tools/testing/selftests/bpf/prog_tests/sk_lookup.c +@@ -598,7 +598,7 @@ close: + + static void run_lookup_prog(const struct test *t) + { +- int server_fds[MAX_SERVERS] = { -1 }; ++ int server_fds[] = { [0 ... MAX_SERVERS - 1] = -1 }; + int client_fd, reuse_conn_fd = -1; + struct bpf_link *lookup_link; + int i, err; +@@ -1053,7 +1053,7 @@ static void run_sk_assign(struct test_sk_lookup *skel, + struct bpf_program *lookup_prog, + const char *remote_ip, const char *local_ip) + { +- int server_fds[MAX_SERVERS] = { -1 }; ++ int server_fds[] = { [0 ... MAX_SERVERS - 1] = -1 }; + struct bpf_sk_lookup ctx; + __u64 server_cookie; + int i, err; +-- +2.33.0 + diff --git a/queue-5.15/selftests-bpf-fix-memory-leak-in-test_ima.patch b/queue-5.15/selftests-bpf-fix-memory-leak-in-test_ima.patch new file mode 100644 index 00000000000..659d0c053ab --- /dev/null +++ b/queue-5.15/selftests-bpf-fix-memory-leak-in-test_ima.patch @@ -0,0 +1,45 @@ +From a810ff8ef2f52247b59c5cfc70bf48eac3dda9e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 12:05:01 +0530 +Subject: selftests/bpf: Fix memory leak in test_ima + +From: Kumar Kartikeya Dwivedi + +[ Upstream commit efadf2ad17a2d5dc90bda4e6e8b2f96af4c62dae ] + +The allocated ring buffer is never freed, do so in the cleanup path. + +Fixes: f446b570ac7e ("bpf/selftests: Update the IMA test to use BPF ring buffer") +Signed-off-by: Kumar Kartikeya Dwivedi +Signed-off-by: Alexei Starovoitov +Acked-by: Andrii Nakryiko +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20211028063501.2239335-9-memxor@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/test_ima.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/test_ima.c b/tools/testing/selftests/bpf/prog_tests/test_ima.c +index 0252f61d611a9..97d8a6f84f4ab 100644 +--- a/tools/testing/selftests/bpf/prog_tests/test_ima.c ++++ b/tools/testing/selftests/bpf/prog_tests/test_ima.c +@@ -43,7 +43,7 @@ static int process_sample(void *ctx, void *data, size_t len) + void test_test_ima(void) + { + char measured_dir_template[] = "/tmp/ima_measuredXXXXXX"; +- struct ring_buffer *ringbuf; ++ struct ring_buffer *ringbuf = NULL; + const char *measured_dir; + char cmd[256]; + +@@ -85,5 +85,6 @@ close_clean: + err = system(cmd); + CHECK(err, "failed to run command", "%s, errno = %d\n", cmd, errno); + close_prog: ++ ring_buffer__free(ringbuf); + ima__destroy(skel); + } +-- +2.33.0 + diff --git a/queue-5.15/selftests-bpf-fix-perf_buffer-test-on-system-with-of.patch b/queue-5.15/selftests-bpf-fix-perf_buffer-test-on-system-with-of.patch new file mode 100644 index 00000000000..7f523d56fe0 --- /dev/null +++ b/queue-5.15/selftests-bpf-fix-perf_buffer-test-on-system-with-of.patch @@ -0,0 +1,60 @@ +From 692191d4adbdc598fdbccf557c7564e69a39e06a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 13:41:30 +0200 +Subject: selftests/bpf: Fix perf_buffer test on system with offline cpus + +From: Jiri Olsa + +[ Upstream commit d4121376ac7a9c81a696d7558789b2f29ef3574e ] + +The perf_buffer fails on system with offline cpus: + + # test_progs -t perf_buffer + test_perf_buffer:PASS:nr_cpus 0 nsec + test_perf_buffer:PASS:nr_on_cpus 0 nsec + test_perf_buffer:PASS:skel_load 0 nsec + test_perf_buffer:PASS:attach_kprobe 0 nsec + test_perf_buffer:PASS:perf_buf__new 0 nsec + test_perf_buffer:PASS:epoll_fd 0 nsec + skipping offline CPU #24 + skipping offline CPU #25 + skipping offline CPU #26 + skipping offline CPU #27 + skipping offline CPU #28 + skipping offline CPU #29 + skipping offline CPU #30 + skipping offline CPU #31 + test_perf_buffer:PASS:perf_buffer__poll 0 nsec + test_perf_buffer:PASS:seen_cpu_cnt 0 nsec + test_perf_buffer:FAIL:buf_cnt got 24, expected 32 + Summary: 0/0 PASSED, 0 SKIPPED, 1 FAILED + +Changing the test to check online cpus instead of possible. + +Signed-off-by: Jiri Olsa +Signed-off-by: Andrii Nakryiko +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20211021114132.8196-2-jolsa@kernel.org +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/perf_buffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/perf_buffer.c b/tools/testing/selftests/bpf/prog_tests/perf_buffer.c +index 6490e9673002f..7daaaab13681b 100644 +--- a/tools/testing/selftests/bpf/prog_tests/perf_buffer.c ++++ b/tools/testing/selftests/bpf/prog_tests/perf_buffer.c +@@ -107,8 +107,8 @@ void test_perf_buffer(void) + "expect %d, seen %d\n", nr_on_cpus, CPU_COUNT(&cpu_seen))) + goto out_free_pb; + +- if (CHECK(perf_buffer__buffer_cnt(pb) != nr_cpus, "buf_cnt", +- "got %zu, expected %d\n", perf_buffer__buffer_cnt(pb), nr_cpus)) ++ if (CHECK(perf_buffer__buffer_cnt(pb) != nr_on_cpus, "buf_cnt", ++ "got %zu, expected %d\n", perf_buffer__buffer_cnt(pb), nr_on_cpus)) + goto out_close; + + for (i = 0; i < nr_cpus; i++) { +-- +2.33.0 + diff --git a/queue-5.15/selftests-bpf-fix-strobemeta-selftest-regression.patch b/queue-5.15/selftests-bpf-fix-strobemeta-selftest-regression.patch new file mode 100644 index 00000000000..2e89dd7229e --- /dev/null +++ b/queue-5.15/selftests-bpf-fix-strobemeta-selftest-regression.patch @@ -0,0 +1,109 @@ +From 911f557a3a100c49ca970f1746b5aef7a05996d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 11:29:07 -0700 +Subject: selftests/bpf: Fix strobemeta selftest regression + +From: Andrii Nakryiko + +[ Upstream commit 0133c20480b14820d43c37c0e9502da4bffcad3a ] + +After most recent nightly Clang update strobemeta selftests started +failing with the following error (relevant portion of assembly included): + + 1624: (85) call bpf_probe_read_user_str#114 + 1625: (bf) r1 = r0 + 1626: (18) r2 = 0xfffffffe + 1628: (5f) r1 &= r2 + 1629: (55) if r1 != 0x0 goto pc+7 + 1630: (07) r9 += 104 + 1631: (6b) *(u16 *)(r9 +0) = r0 + 1632: (67) r0 <<= 32 + 1633: (77) r0 >>= 32 + 1634: (79) r1 = *(u64 *)(r10 -456) + 1635: (0f) r1 += r0 + 1636: (7b) *(u64 *)(r10 -456) = r1 + 1637: (79) r1 = *(u64 *)(r10 -368) + 1638: (c5) if r1 s< 0x1 goto pc+778 + 1639: (bf) r6 = r8 + 1640: (0f) r6 += r7 + 1641: (b4) w1 = 0 + 1642: (6b) *(u16 *)(r6 +108) = r1 + 1643: (79) r3 = *(u64 *)(r10 -352) + 1644: (79) r9 = *(u64 *)(r10 -456) + 1645: (bf) r1 = r9 + 1646: (b4) w2 = 1 + 1647: (85) call bpf_probe_read_user_str#114 + + R1 unbounded memory access, make sure to bounds check any such access + +In the above code r0 and r1 are implicitly related. Clang knows that, +but verifier isn't able to infer this relationship. + +Yonghong Song narrowed down this "regression" in code generation to +a recent Clang optimization change ([0]), which for BPF target generates +code pattern that BPF verifier can't handle and loses track of register +boundaries. + +This patch works around the issue by adding an BPF assembly-based helper +that helps to prove to the verifier that upper bound of the register is +a given constant by controlling the exact share of generated BPF +instruction sequence. This fixes the immediate issue for strobemeta +selftest. + + [0] https://github.com/llvm/llvm-project/commit/acabad9ff6bf13e00305d9d8621ee8eafc1f8b08 + +Signed-off-by: Andrii Nakryiko +Signed-off-by: Daniel Borkmann +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20211029182907.166910-1-andrii@kernel.org +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/progs/strobemeta.h | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tools/testing/selftests/bpf/progs/strobemeta.h b/tools/testing/selftests/bpf/progs/strobemeta.h +index 7de534f38c3f1..3687ea755ab5a 100644 +--- a/tools/testing/selftests/bpf/progs/strobemeta.h ++++ b/tools/testing/selftests/bpf/progs/strobemeta.h +@@ -10,6 +10,14 @@ + #include + #include + ++#define bpf_clamp_umax(VAR, UMAX) \ ++ asm volatile ( \ ++ "if %0 <= %[max] goto +1\n" \ ++ "%0 = %[max]\n" \ ++ : "+r"(VAR) \ ++ : [max]"i"(UMAX) \ ++ ) ++ + typedef uint32_t pid_t; + struct task_struct {}; + +@@ -413,6 +421,7 @@ static __always_inline void *read_map_var(struct strobemeta_cfg *cfg, + + len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN, map.tag); + if (len <= STROBE_MAX_STR_LEN) { ++ bpf_clamp_umax(len, STROBE_MAX_STR_LEN); + descr->tag_len = len; + payload += len; + } +@@ -430,6 +439,7 @@ static __always_inline void *read_map_var(struct strobemeta_cfg *cfg, + len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN, + map.entries[i].key); + if (len <= STROBE_MAX_STR_LEN) { ++ bpf_clamp_umax(len, STROBE_MAX_STR_LEN); + descr->key_lens[i] = len; + payload += len; + } +@@ -437,6 +447,7 @@ static __always_inline void *read_map_var(struct strobemeta_cfg *cfg, + len = bpf_probe_read_user_str(payload, STROBE_MAX_STR_LEN, + map.entries[i].val); + if (len <= STROBE_MAX_STR_LEN) { ++ bpf_clamp_umax(len, STROBE_MAX_STR_LEN); + descr->val_lens[i] = len; + payload += len; + } +-- +2.33.0 + diff --git a/queue-5.15/selftests-bpf-xdp_redirect_multi-give-tcpdump-a-chan.patch b/queue-5.15/selftests-bpf-xdp_redirect_multi-give-tcpdump-a-chan.patch new file mode 100644 index 00000000000..d74a986f67f --- /dev/null +++ b/queue-5.15/selftests-bpf-xdp_redirect_multi-give-tcpdump-a-chan.patch @@ -0,0 +1,47 @@ +From c0259e5227903b4379ab9244c1f01fee6517bcd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 11:35:52 +0800 +Subject: selftests/bpf/xdp_redirect_multi: Give tcpdump a chance to terminate + cleanly + +From: Hangbin Liu + +[ Upstream commit 648c3677062fbd14d754b853daebb295426771e8 ] + +No need to kill tcpdump with -9. + +Fixes: d23292476297 ("selftests/bpf: Add xdp_redirect_multi test") +Suggested-by: Jiri Benc +Signed-off-by: Hangbin Liu +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20211027033553.962413-4-liuhangbin@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_xdp_redirect_multi.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh b/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh +index c2a933caa32d4..37e347159ab44 100755 +--- a/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh ++++ b/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh +@@ -106,7 +106,7 @@ do_egress_tests() + sleep 0.5 + ip netns exec ns1 ping 192.0.2.254 -i 0.1 -c 4 &> /dev/null + sleep 0.5 +- pkill -9 tcpdump ++ pkill tcpdump + + # mac check + grep -q "${veth_mac[2]} > ff:ff:ff:ff:ff:ff" ${LOG_DIR}/mac_ns1-2_${mode}.log && \ +@@ -133,7 +133,7 @@ do_ping_tests() + # IPv6 test + ip netns exec ns1 ping6 2001:db8::2 -i 0.1 -c 2 &> /dev/null + sleep 0.5 +- pkill -9 tcpdump ++ pkill tcpdump + + # All netns should receive the redirect arp requests + [ $(grep -cF "who-has 192.0.2.254" ${LOG_DIR}/ns1-1_${mode}.log) -eq 4 ] && \ +-- +2.33.0 + diff --git a/queue-5.15/selftests-bpf-xdp_redirect_multi-limit-the-tests-in-.patch b/queue-5.15/selftests-bpf-xdp_redirect_multi-limit-the-tests-in-.patch new file mode 100644 index 00000000000..a0f8f6c6be3 --- /dev/null +++ b/queue-5.15/selftests-bpf-xdp_redirect_multi-limit-the-tests-in-.patch @@ -0,0 +1,129 @@ +From c3366438b179f0f1a2e855e0d50ec95bc7dfadbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 11:35:53 +0800 +Subject: selftests/bpf/xdp_redirect_multi: Limit the tests in netns + +From: Hangbin Liu + +[ Upstream commit 8955c1a329873385775081e029d9a7c6aa9037e1 ] + +As I want to test both DEVMAP and DEVMAP_HASH in XDP multicast redirect, I +limited DEVMAP max entries to a small value for performace. When the test +runs after amount of interface creating/deleting tests. The interface index +will exceed the map max entries and xdp_redirect_multi will error out with +"Get interfacesInterface index to large". + +Fix this issue by limit the tests in netns and specify the ifindex when +creating interfaces. + +Fixes: d23292476297 ("selftests/bpf: Add xdp_redirect_multi test") +Reported-by: Jiri Benc +Signed-off-by: Hangbin Liu +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20211027033553.962413-5-liuhangbin@gmail.com +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/test_xdp_redirect_multi.sh | 23 ++++++++++++------- + .../selftests/bpf/xdp_redirect_multi.c | 4 ++-- + 2 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh b/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh +index 37e347159ab44..bedff7aa7023f 100755 +--- a/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh ++++ b/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh +@@ -2,11 +2,11 @@ + # SPDX-License-Identifier: GPL-2.0 + # + # Test topology: +-# - - - - - - - - - - - - - - - - - - - - - - - - - +-# | veth1 veth2 veth3 | ... init net ++# - - - - - - - - - - - - - - - - - - - ++# | veth1 veth2 veth3 | ns0 + # - -| - - - - - - | - - - - - - | - - + # --------- --------- --------- +-# | veth0 | | veth0 | | veth0 | ... ++# | veth0 | | veth0 | | veth0 | + # --------- --------- --------- + # ns1 ns2 ns3 + # +@@ -51,6 +51,7 @@ clean_up() + ip link del veth$i 2> /dev/null + ip netns del ns$i 2> /dev/null + done ++ ip netns del ns0 2> /dev/null + } + + # Kselftest framework requirement - SKIP code is 4. +@@ -78,10 +79,12 @@ setup_ns() + mode="xdpdrv" + fi + ++ ip netns add ns0 + for i in $(seq $NUM); do + ip netns add ns$i +- ip link add veth$i type veth peer name veth0 netns ns$i +- ip link set veth$i up ++ ip -n ns$i link add veth0 index 2 type veth \ ++ peer name veth$i netns ns0 index $((1 + $i)) ++ ip -n ns0 link set veth$i up + ip -n ns$i link set veth0 up + + ip -n ns$i addr add 192.0.2.$i/24 dev veth0 +@@ -92,7 +95,7 @@ setup_ns() + xdp_dummy.o sec xdp_dummy &> /dev/null || \ + { test_fail "Unable to load dummy xdp" && exit 1; } + IFACES="$IFACES veth$i" +- veth_mac[$i]=$(ip link show veth$i | awk '/link\/ether/ {print $2}') ++ veth_mac[$i]=$(ip -n ns0 link show veth$i | awk '/link\/ether/ {print $2}') + done + } + +@@ -177,9 +180,13 @@ do_tests() + xdpgeneric) drv_p="-S";; + esac + +- ./xdp_redirect_multi $drv_p $IFACES &> ${LOG_DIR}/xdp_redirect_${mode}.log & ++ ip netns exec ns0 ./xdp_redirect_multi $drv_p $IFACES &> ${LOG_DIR}/xdp_redirect_${mode}.log & + xdp_pid=$! + sleep 1 ++ if ! ps -p $xdp_pid > /dev/null; then ++ test_fail "$mode xdp_redirect_multi start failed" ++ return 1 ++ fi + + if [ "$mode" = "xdpegress" ]; then + do_egress_tests $mode +@@ -190,7 +197,7 @@ do_tests() + kill $xdp_pid + } + +-trap clean_up 0 2 3 6 9 ++trap clean_up EXIT + + check_env + +diff --git a/tools/testing/selftests/bpf/xdp_redirect_multi.c b/tools/testing/selftests/bpf/xdp_redirect_multi.c +index 3696a8f32c235..f5ffba341c174 100644 +--- a/tools/testing/selftests/bpf/xdp_redirect_multi.c ++++ b/tools/testing/selftests/bpf/xdp_redirect_multi.c +@@ -129,7 +129,7 @@ int main(int argc, char **argv) + goto err_out; + } + +- printf("Get interfaces"); ++ printf("Get interfaces:"); + for (i = 0; i < MAX_IFACE_NUM && argv[optind + i]; i++) { + ifaces[i] = if_nametoindex(argv[optind + i]); + if (!ifaces[i]) +@@ -139,7 +139,7 @@ int main(int argc, char **argv) + goto err_out; + } + if (ifaces[i] > MAX_INDEX_NUM) { +- printf("Interface index to large\n"); ++ printf(" interface index too large\n"); + goto err_out; + } + printf(" %d", ifaces[i]); +-- +2.33.0 + diff --git a/queue-5.15/selftests-bpf-xdp_redirect_multi-put-the-logs-to-tmp.patch b/queue-5.15/selftests-bpf-xdp_redirect_multi-put-the-logs-to-tmp.patch new file mode 100644 index 00000000000..eeb2569ad42 --- /dev/null +++ b/queue-5.15/selftests-bpf-xdp_redirect_multi-put-the-logs-to-tmp.patch @@ -0,0 +1,137 @@ +From 63703c0ae1eca333981e35c8ad29ece2b858d739 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 11:35:50 +0800 +Subject: selftests/bpf/xdp_redirect_multi: Put the logs to tmp folder + +From: Hangbin Liu + +[ Upstream commit 8b4ac13abe7d82da0e0d22a9ba2e27301559a93e ] + +The xdp_redirect_multi test logs are created in selftest folder and not cleaned +after test. Let's creat a tmp dir and remove the logs after testing. + +Fixes: d23292476297 ("selftests/bpf: Add xdp_redirect_multi test") +Suggested-by: Jiri Benc +Signed-off-by: Hangbin Liu +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20211027033553.962413-2-liuhangbin@gmail.com +Signed-off-by: Sasha Levin +--- + .../selftests/bpf/test_xdp_redirect_multi.sh | 35 ++++++++++--------- + 1 file changed, 18 insertions(+), 17 deletions(-) + +diff --git a/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh b/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh +index 1538373157e3c..b20b96ba72ef0 100755 +--- a/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh ++++ b/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh +@@ -31,6 +31,7 @@ IFACES="" + DRV_MODE="xdpgeneric xdpdrv xdpegress" + PASS=0 + FAIL=0 ++LOG_DIR=$(mktemp -d) + + test_pass() + { +@@ -100,17 +101,17 @@ do_egress_tests() + local mode=$1 + + # mac test +- ip netns exec ns2 tcpdump -e -i veth0 -nn -l -e &> mac_ns1-2_${mode}.log & +- ip netns exec ns3 tcpdump -e -i veth0 -nn -l -e &> mac_ns1-3_${mode}.log & ++ ip netns exec ns2 tcpdump -e -i veth0 -nn -l -e &> ${LOG_DIR}/mac_ns1-2_${mode}.log & ++ ip netns exec ns3 tcpdump -e -i veth0 -nn -l -e &> ${LOG_DIR}/mac_ns1-3_${mode}.log & + sleep 0.5 + ip netns exec ns1 ping 192.0.2.254 -i 0.1 -c 4 &> /dev/null + sleep 0.5 + pkill -9 tcpdump + + # mac check +- grep -q "${veth_mac[2]} > ff:ff:ff:ff:ff:ff" mac_ns1-2_${mode}.log && \ ++ grep -q "${veth_mac[2]} > ff:ff:ff:ff:ff:ff" ${LOG_DIR}/mac_ns1-2_${mode}.log && \ + test_pass "$mode mac ns1-2" || test_fail "$mode mac ns1-2" +- grep -q "${veth_mac[3]} > ff:ff:ff:ff:ff:ff" mac_ns1-3_${mode}.log && \ ++ grep -q "${veth_mac[3]} > ff:ff:ff:ff:ff:ff" ${LOG_DIR}/mac_ns1-3_${mode}.log && \ + test_pass "$mode mac ns1-3" || test_fail "$mode mac ns1-3" + } + +@@ -121,9 +122,9 @@ do_ping_tests() + # ping6 test: echo request should be redirect back to itself, not others + ip netns exec ns1 ip neigh add 2001:db8::2 dev veth0 lladdr 00:00:00:00:00:02 + +- ip netns exec ns1 tcpdump -i veth0 -nn -l -e &> ns1-1_${mode}.log & +- ip netns exec ns2 tcpdump -i veth0 -nn -l -e &> ns1-2_${mode}.log & +- ip netns exec ns3 tcpdump -i veth0 -nn -l -e &> ns1-3_${mode}.log & ++ ip netns exec ns1 tcpdump -i veth0 -nn -l -e &> ${LOG_DIR}/ns1-1_${mode}.log & ++ ip netns exec ns2 tcpdump -i veth0 -nn -l -e &> ${LOG_DIR}/ns1-2_${mode}.log & ++ ip netns exec ns3 tcpdump -i veth0 -nn -l -e &> ${LOG_DIR}/ns1-3_${mode}.log & + sleep 0.5 + # ARP test + ip netns exec ns1 ping 192.0.2.254 -i 0.1 -c 4 &> /dev/null +@@ -135,32 +136,32 @@ do_ping_tests() + pkill -9 tcpdump + + # All netns should receive the redirect arp requests +- [ $(grep -c "who-has 192.0.2.254" ns1-1_${mode}.log) -gt 4 ] && \ ++ [ $(grep -c "who-has 192.0.2.254" ${LOG_DIR}/ns1-1_${mode}.log) -gt 4 ] && \ + test_pass "$mode arp(F_BROADCAST) ns1-1" || \ + test_fail "$mode arp(F_BROADCAST) ns1-1" +- [ $(grep -c "who-has 192.0.2.254" ns1-2_${mode}.log) -le 4 ] && \ ++ [ $(grep -c "who-has 192.0.2.254" ${LOG_DIR}/ns1-2_${mode}.log) -le 4 ] && \ + test_pass "$mode arp(F_BROADCAST) ns1-2" || \ + test_fail "$mode arp(F_BROADCAST) ns1-2" +- [ $(grep -c "who-has 192.0.2.254" ns1-3_${mode}.log) -le 4 ] && \ ++ [ $(grep -c "who-has 192.0.2.254" ${LOG_DIR}/ns1-3_${mode}.log) -le 4 ] && \ + test_pass "$mode arp(F_BROADCAST) ns1-3" || \ + test_fail "$mode arp(F_BROADCAST) ns1-3" + + # ns1 should not receive the redirect echo request, others should +- [ $(grep -c "ICMP echo request" ns1-1_${mode}.log) -eq 4 ] && \ ++ [ $(grep -c "ICMP echo request" ${LOG_DIR}/ns1-1_${mode}.log) -eq 4 ] && \ + test_pass "$mode IPv4 (F_BROADCAST|F_EXCLUDE_INGRESS) ns1-1" || \ + test_fail "$mode IPv4 (F_BROADCAST|F_EXCLUDE_INGRESS) ns1-1" +- [ $(grep -c "ICMP echo request" ns1-2_${mode}.log) -eq 4 ] && \ ++ [ $(grep -c "ICMP echo request" ${LOG_DIR}/ns1-2_${mode}.log) -eq 4 ] && \ + test_pass "$mode IPv4 (F_BROADCAST|F_EXCLUDE_INGRESS) ns1-2" || \ + test_fail "$mode IPv4 (F_BROADCAST|F_EXCLUDE_INGRESS) ns1-2" +- [ $(grep -c "ICMP echo request" ns1-3_${mode}.log) -eq 4 ] && \ ++ [ $(grep -c "ICMP echo request" ${LOG_DIR}/ns1-3_${mode}.log) -eq 4 ] && \ + test_pass "$mode IPv4 (F_BROADCAST|F_EXCLUDE_INGRESS) ns1-3" || \ + test_fail "$mode IPv4 (F_BROADCAST|F_EXCLUDE_INGRESS) ns1-3" + + # ns1 should receive the echo request, ns2 should not +- [ $(grep -c "ICMP6, echo request" ns1-1_${mode}.log) -eq 4 ] && \ ++ [ $(grep -c "ICMP6, echo request" ${LOG_DIR}/ns1-1_${mode}.log) -eq 4 ] && \ + test_pass "$mode IPv6 (no flags) ns1-1" || \ + test_fail "$mode IPv6 (no flags) ns1-1" +- [ $(grep -c "ICMP6, echo request" ns1-2_${mode}.log) -eq 0 ] && \ ++ [ $(grep -c "ICMP6, echo request" ${LOG_DIR}/ns1-2_${mode}.log) -eq 0 ] && \ + test_pass "$mode IPv6 (no flags) ns1-2" || \ + test_fail "$mode IPv6 (no flags) ns1-2" + } +@@ -176,7 +177,7 @@ do_tests() + xdpgeneric) drv_p="-S";; + esac + +- ./xdp_redirect_multi $drv_p $IFACES &> xdp_redirect_${mode}.log & ++ ./xdp_redirect_multi $drv_p $IFACES &> ${LOG_DIR}/xdp_redirect_${mode}.log & + xdp_pid=$! + sleep 1 + +@@ -192,13 +193,13 @@ do_tests() + trap clean_up 0 2 3 6 9 + + check_env +-rm -f xdp_redirect_*.log ns*.log mac_ns*.log + + for mode in ${DRV_MODE}; do + setup_ns $mode + do_tests $mode + clean_up + done ++rm -rf ${LOG_DIR} + + echo "Summary: PASS $PASS, FAIL $FAIL" + [ $FAIL -eq 0 ] && exit 0 || exit 1 +-- +2.33.0 + diff --git a/queue-5.15/selftests-bpf-xdp_redirect_multi-use-arping-to-accur.patch b/queue-5.15/selftests-bpf-xdp_redirect_multi-use-arping-to-accur.patch new file mode 100644 index 00000000000..b73fa9581ae --- /dev/null +++ b/queue-5.15/selftests-bpf-xdp_redirect_multi-use-arping-to-accur.patch @@ -0,0 +1,57 @@ +From eb5fa072ba550c89f3ecff509e2386319c7405c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 11:35:51 +0800 +Subject: selftests/bpf/xdp_redirect_multi: Use arping to accurate the arp + number + +From: Hangbin Liu + +[ Upstream commit f53ea9dbf78d42a10e2392b5c59362ccc224fd1d ] + +The arp request number triggered by ping none exist address is not accurate, +which may lead the test false negative/positive. Change to use arping to +accurate the arp number. Also do not use grep pattern match for dot. + +Fixes: d23292476297 ("selftests/bpf: Add xdp_redirect_multi test") +Suggested-by: Jiri Benc +Signed-off-by: Hangbin Liu +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20211027033553.962413-3-liuhangbin@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/test_xdp_redirect_multi.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh b/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh +index b20b96ba72ef0..c2a933caa32d4 100755 +--- a/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh ++++ b/tools/testing/selftests/bpf/test_xdp_redirect_multi.sh +@@ -127,7 +127,7 @@ do_ping_tests() + ip netns exec ns3 tcpdump -i veth0 -nn -l -e &> ${LOG_DIR}/ns1-3_${mode}.log & + sleep 0.5 + # ARP test +- ip netns exec ns1 ping 192.0.2.254 -i 0.1 -c 4 &> /dev/null ++ ip netns exec ns1 arping -q -c 2 -I veth0 192.0.2.254 + # IPv4 test + ip netns exec ns1 ping 192.0.2.253 -i 0.1 -c 4 &> /dev/null + # IPv6 test +@@ -136,13 +136,13 @@ do_ping_tests() + pkill -9 tcpdump + + # All netns should receive the redirect arp requests +- [ $(grep -c "who-has 192.0.2.254" ${LOG_DIR}/ns1-1_${mode}.log) -gt 4 ] && \ ++ [ $(grep -cF "who-has 192.0.2.254" ${LOG_DIR}/ns1-1_${mode}.log) -eq 4 ] && \ + test_pass "$mode arp(F_BROADCAST) ns1-1" || \ + test_fail "$mode arp(F_BROADCAST) ns1-1" +- [ $(grep -c "who-has 192.0.2.254" ${LOG_DIR}/ns1-2_${mode}.log) -le 4 ] && \ ++ [ $(grep -cF "who-has 192.0.2.254" ${LOG_DIR}/ns1-2_${mode}.log) -eq 2 ] && \ + test_pass "$mode arp(F_BROADCAST) ns1-2" || \ + test_fail "$mode arp(F_BROADCAST) ns1-2" +- [ $(grep -c "who-has 192.0.2.254" ${LOG_DIR}/ns1-3_${mode}.log) -le 4 ] && \ ++ [ $(grep -cF "who-has 192.0.2.254" ${LOG_DIR}/ns1-3_${mode}.log) -eq 2 ] && \ + test_pass "$mode arp(F_BROADCAST) ns1-3" || \ + test_fail "$mode arp(F_BROADCAST) ns1-3" + +-- +2.33.0 + diff --git a/queue-5.15/selftests-core-fix-conflicting-types-compile-error-f.patch b/queue-5.15/selftests-core-fix-conflicting-types-compile-error-f.patch new file mode 100644 index 00000000000..b773b4f3765 --- /dev/null +++ b/queue-5.15/selftests-core-fix-conflicting-types-compile-error-f.patch @@ -0,0 +1,55 @@ +From 0d8a3981cc8d17a470872206711692d9b7ec8177 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 13:26:19 -0600 +Subject: selftests/core: fix conflicting types compile error for close_range() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuah Khan + +[ Upstream commit f35dcaa0a8a29188ed61083d153df1454cf89d08 ] + +close_range() test type conflicts with close_range() library call in +x86_64-linux-gnu/bits/unistd_ext.h. Fix it by changing the name to +core_close_range(). + +gcc -g -I../../../../usr/include/ close_range_test.c -o ../tools/testing/selftests/core/close_range_test +In file included from close_range_test.c:16: +close_range_test.c:57:6: error: conflicting types for ‘close_range’; have ‘void(struct __test_metadata *)’ + 57 | TEST(close_range) + | ^~~~~~~~~~~ +../kselftest_harness.h:181:21: note: in definition of macro ‘__TEST_IMPL’ + 181 | static void test_name(struct __test_metadata *_metadata); \ + | ^~~~~~~~~ +close_range_test.c:57:1: note: in expansion of macro ‘TEST’ + 57 | TEST(close_range) + | ^~~~ +In file included from /usr/include/unistd.h:1204, + from close_range_test.c:13: +/usr/include/x86_64-linux-gnu/bits/unistd_ext.h:56:12: note: previous declaration of ‘close_range’ with type ‘int(unsigned int, unsigned int, int)’ + 56 | extern int close_range (unsigned int __fd, unsigned int __max_fd, + | ^~~~~~~~~~~ + +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/core/close_range_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/core/close_range_test.c b/tools/testing/selftests/core/close_range_test.c +index 73eb29c916d1b..aa7d13d91963f 100644 +--- a/tools/testing/selftests/core/close_range_test.c ++++ b/tools/testing/selftests/core/close_range_test.c +@@ -54,7 +54,7 @@ static inline int sys_close_range(unsigned int fd, unsigned int max_fd, + #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + #endif + +-TEST(close_range) ++TEST(core_close_range) + { + int i, ret; + int open_fds[101]; +-- +2.33.0 + diff --git a/queue-5.15/selftests-kvm-fix-mismatched-fclose-after-popen.patch b/queue-5.15/selftests-kvm-fix-mismatched-fclose-after-popen.patch new file mode 100644 index 00000000000..3fcbe13a017 --- /dev/null +++ b/queue-5.15/selftests-kvm-fix-mismatched-fclose-after-popen.patch @@ -0,0 +1,48 @@ +From d14f123b4ea2b4cc62c9e4a8f7c59959fa3caecb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 11:56:03 -0600 +Subject: selftests: kvm: fix mismatched fclose() after popen() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Shuah Khan + +[ Upstream commit c3867ab5924b7a9a0b4a117902a08669d8be7c21 ] + +get_warnings_count() does fclose() using File * returned from popen(). +Fix it to call pclose() as it should. + +tools/testing/selftests/kvm/x86_64/mmio_warning_test +x86_64/mmio_warning_test.c: In function ‘get_warnings_count’: +x86_64/mmio_warning_test.c:87:9: warning: ‘fclose’ called on pointer returned from a mismatched allocation function [-Wmismatched-dealloc] + 87 | fclose(f); + | ^~~~~~~~~ +x86_64/mmio_warning_test.c:84:13: note: returned from ‘popen’ + 84 | f = popen("dmesg | grep \"WARNING:\" | wc -l", "r"); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: Shuah Khan +Acked-by: Paolo Bonzini +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/kvm/x86_64/mmio_warning_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/kvm/x86_64/mmio_warning_test.c b/tools/testing/selftests/kvm/x86_64/mmio_warning_test.c +index 8039e1eff9388..9f55ccd169a13 100644 +--- a/tools/testing/selftests/kvm/x86_64/mmio_warning_test.c ++++ b/tools/testing/selftests/kvm/x86_64/mmio_warning_test.c +@@ -84,7 +84,7 @@ int get_warnings_count(void) + f = popen("dmesg | grep \"WARNING:\" | wc -l", "r"); + if (fscanf(f, "%d", &warnings) < 1) + warnings = 0; +- fclose(f); ++ pclose(f); + + return warnings; + } +-- +2.33.0 + diff --git a/queue-5.15/selftests-mptcp-fix-proto-type-in-link_failure-tests.patch b/queue-5.15/selftests-mptcp-fix-proto-type-in-link_failure-tests.patch new file mode 100644 index 00000000000..9e17a02c101 --- /dev/null +++ b/queue-5.15/selftests-mptcp-fix-proto-type-in-link_failure-tests.patch @@ -0,0 +1,37 @@ +From cc69684540b619dae0e9534cb2b23402f4d6f087 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 16:55:58 -0700 +Subject: selftests: mptcp: fix proto type in link_failure tests + +From: Geliang Tang + +[ Upstream commit 7c909a98042ce403c8497c5d6ff94dd53bdd2131 ] + +In listener_ns, we should pass srv_proto argument to mptcp_connect command, +not cl_proto. + +Fixes: 7d1e6f1639044 ("selftests: mptcp: add testcase for active-back") +Signed-off-by: Geliang Tang +Signed-off-by: Matthieu Baerts +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/mptcp/mptcp_join.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh +index 255793c5ac4ff..586af88194e56 100755 +--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh ++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh +@@ -297,7 +297,7 @@ do_transfer() + if [ "$test_link_fail" -eq 2 ];then + timeout ${timeout_test} \ + ip netns exec ${listener_ns} \ +- $mptcp_connect -t ${timeout_poll} -l -p $port -s ${cl_proto} \ ++ $mptcp_connect -t ${timeout_poll} -l -p $port -s ${srv_proto} \ + ${local_addr} < "$sinfail" > "$sout" & + else + timeout ${timeout_test} \ +-- +2.33.0 + diff --git a/queue-5.15/selftests-net-bridge-update-igmp-mld-membership-inte.patch b/queue-5.15/selftests-net-bridge-update-igmp-mld-membership-inte.patch new file mode 100644 index 00000000000..daa0e32bcc4 --- /dev/null +++ b/queue-5.15/selftests-net-bridge-update-igmp-mld-membership-inte.patch @@ -0,0 +1,92 @@ +From 46729246a868a53114406880797ed2952596a7b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 15:05:27 +0300 +Subject: selftests: net: bridge: update IGMP/MLD membership interval value + +From: Nikolay Aleksandrov + +[ Upstream commit 34d7ecb3d4f772eb00ce1f7195ae30886ddf4d2e ] + +When I fixed IGMPv3/MLDv2 to use the bridge's multicast_membership_interval +value which is chosen by user-space instead of calculating it based on +multicast_query_interval and multicast_query_response_interval I forgot +to update the selftests relying on that behaviour. Now we have to +manually set the expected GMI value to perform the tests correctly and get +proper results (similar to IGMPv2 behaviour). + +Fixes: fac3cb82a54a ("net: bridge: mcast: use multicast_membership_interval for IGMPv3") +Signed-off-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../testing/selftests/net/forwarding/bridge_igmp.sh | 12 +++++++++--- + tools/testing/selftests/net/forwarding/bridge_mld.sh | 12 +++++++++--- + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/tools/testing/selftests/net/forwarding/bridge_igmp.sh b/tools/testing/selftests/net/forwarding/bridge_igmp.sh +index 675eff45b0371..1162836f8f329 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_igmp.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_igmp.sh +@@ -482,10 +482,15 @@ v3exc_timeout_test() + local X=("192.0.2.20" "192.0.2.30") + + # GMI should be 3 seconds +- ip link set dev br0 type bridge mcast_query_interval 100 mcast_query_response_interval 100 ++ ip link set dev br0 type bridge mcast_query_interval 100 \ ++ mcast_query_response_interval 100 \ ++ mcast_membership_interval 300 + + v3exclude_prepare $h1 $ALL_MAC $ALL_GROUP +- ip link set dev br0 type bridge mcast_query_interval 500 mcast_query_response_interval 500 ++ ip link set dev br0 type bridge mcast_query_interval 500 \ ++ mcast_query_response_interval 500 \ ++ mcast_membership_interval 1500 ++ + $MZ $h1 -c 1 -b $ALL_MAC -B $ALL_GROUP -t ip "proto=2,p=$MZPKT_ALLOW2" -q + sleep 3 + bridge -j -d -s mdb show dev br0 \ +@@ -517,7 +522,8 @@ v3exc_timeout_test() + log_test "IGMPv3 group $TEST_GROUP exclude timeout" + + ip link set dev br0 type bridge mcast_query_interval 12500 \ +- mcast_query_response_interval 1000 ++ mcast_query_response_interval 1000 \ ++ mcast_membership_interval 26000 + + v3cleanup $swp1 $TEST_GROUP + } +diff --git a/tools/testing/selftests/net/forwarding/bridge_mld.sh b/tools/testing/selftests/net/forwarding/bridge_mld.sh +index ffdcfa87ca2ba..e2b9ff773c6b6 100755 +--- a/tools/testing/selftests/net/forwarding/bridge_mld.sh ++++ b/tools/testing/selftests/net/forwarding/bridge_mld.sh +@@ -479,10 +479,15 @@ mldv2exc_timeout_test() + local X=("2001:db8:1::20" "2001:db8:1::30") + + # GMI should be 3 seconds +- ip link set dev br0 type bridge mcast_query_interval 100 mcast_query_response_interval 100 ++ ip link set dev br0 type bridge mcast_query_interval 100 \ ++ mcast_query_response_interval 100 \ ++ mcast_membership_interval 300 + + mldv2exclude_prepare $h1 +- ip link set dev br0 type bridge mcast_query_interval 500 mcast_query_response_interval 500 ++ ip link set dev br0 type bridge mcast_query_interval 500 \ ++ mcast_query_response_interval 500 \ ++ mcast_membership_interval 1500 ++ + $MZ $h1 -c 1 $MZPKT_ALLOW2 -q + sleep 3 + bridge -j -d -s mdb show dev br0 \ +@@ -514,7 +519,8 @@ mldv2exc_timeout_test() + log_test "MLDv2 group $TEST_GROUP exclude timeout" + + ip link set dev br0 type bridge mcast_query_interval 12500 \ +- mcast_query_response_interval 1000 ++ mcast_query_response_interval 1000 \ ++ mcast_membership_interval 26000 + + mldv2cleanup $swp1 + } +-- +2.33.0 + diff --git a/queue-5.15/selftests-net-fib_nexthops-wait-before-checking-repo.patch b/queue-5.15/selftests-net-fib_nexthops-wait-before-checking-repo.patch new file mode 100644 index 00000000000..4af2a923562 --- /dev/null +++ b/queue-5.15/selftests-net-fib_nexthops-wait-before-checking-repo.patch @@ -0,0 +1,45 @@ +From 12f63996e0e502860e12e7b1b123d636ca82840b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 12:04:27 +0200 +Subject: selftests: net: fib_nexthops: Wait before checking reported idle time + +From: Petr Machata + +[ Upstream commit b69c99463d414cc263411462d52f25205657e9af ] + +The purpose of this test is to verify that after a short activity passes, +the reported time is reasonable: not zero (which could be reported by +mistake), and not something outrageous (which would be indicative of an +issue in used units). + +However, the idle time is reported in units of clock_t, or hundredths of +second. If the initial sequence of commands is very quick, it is possible +that the idle time is reported as just flat-out zero. When this test was +recently enabled in our nightly regression, we started seeing spurious +failures for exactly this reason. + +Therefore buffer the delay leading up to the test with a sleep, to make +sure there is no legitimate way of reporting 0. + +Signed-off-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/fib_nexthops.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/testing/selftests/net/fib_nexthops.sh b/tools/testing/selftests/net/fib_nexthops.sh +index 0d293391e9a44..b5a69ad191b07 100755 +--- a/tools/testing/selftests/net/fib_nexthops.sh ++++ b/tools/testing/selftests/net/fib_nexthops.sh +@@ -2078,6 +2078,7 @@ basic_res() + "id 101 index 0 nhid 2 id 101 index 1 nhid 2 id 101 index 2 nhid 1 id 101 index 3 nhid 1" + log_test $? 0 "Dump all nexthop buckets in a group" + ++ sleep 0.1 + (( $($IP -j nexthop bucket list id 101 | + jq '[.[] | select(.bucket.idle_time > 0 and + .bucket.idle_time < 2)] | length') == 4 )) +-- +2.33.0 + diff --git a/queue-5.15/selftests-net-properly-support-ipv6-in-gso-gre-test.patch b/queue-5.15/selftests-net-properly-support-ipv6-in-gso-gre-test.patch new file mode 100644 index 00000000000..e2a6384c7e9 --- /dev/null +++ b/queue-5.15/selftests-net-properly-support-ipv6-in-gso-gre-test.patch @@ -0,0 +1,76 @@ +From ef60f31fe7cabf7c68e6738b5f852cf13e907747 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 11:46:13 +0100 +Subject: selftests: net: properly support IPv6 in GSO GRE test + +From: Andrea Righi + +[ Upstream commit a985442fdecb59504e3a2f1cfdd3c53af017ea5b ] + +Explicitly pass -6 to netcat when the test is using IPv6 to prevent +failures. + +Also make sure to pass "-N" to netcat to close the socket after EOF on +the client side, otherwise we would always hit the timeout and the test +would fail. + +Without this fix applied: + + TEST: GREv6/v4 - copy file w/ TSO [FAIL] + TEST: GREv6/v4 - copy file w/ GSO [FAIL] + TEST: GREv6/v6 - copy file w/ TSO [FAIL] + TEST: GREv6/v6 - copy file w/ GSO [FAIL] + +With this fix applied: + + TEST: GREv6/v4 - copy file w/ TSO [ OK ] + TEST: GREv6/v4 - copy file w/ GSO [ OK ] + TEST: GREv6/v6 - copy file w/ TSO [ OK ] + TEST: GREv6/v6 - copy file w/ GSO [ OK ] + +Fixes: 025efa0a82df ("selftests: add simple GSO GRE test") +Signed-off-by: Andrea Righi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/gre_gso.sh | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/gre_gso.sh b/tools/testing/selftests/net/gre_gso.sh +index facbb0c804439..fdeb44d621eb9 100755 +--- a/tools/testing/selftests/net/gre_gso.sh ++++ b/tools/testing/selftests/net/gre_gso.sh +@@ -116,17 +116,18 @@ gre_gst_test_checks() + { + local name=$1 + local addr=$2 ++ local proto=$3 + +- $NS_EXEC nc -kl $port >/dev/null & ++ $NS_EXEC nc $proto -kl $port >/dev/null & + PID=$! + while ! $NS_EXEC ss -ltn | grep -q $port; do ((i++)); sleep 0.01; done + +- cat $TMPFILE | timeout 1 nc $addr $port ++ cat $TMPFILE | timeout 1 nc $proto -N $addr $port + log_test $? 0 "$name - copy file w/ TSO" + + ethtool -K veth0 tso off + +- cat $TMPFILE | timeout 1 nc $addr $port ++ cat $TMPFILE | timeout 1 nc $proto -N $addr $port + log_test $? 0 "$name - copy file w/ GSO" + + ethtool -K veth0 tso on +@@ -155,7 +156,7 @@ gre6_gso_test() + sleep 2 + + gre_gst_test_checks GREv6/v4 172.16.2.2 +- gre_gst_test_checks GREv6/v6 2001:db8:1::2 ++ gre_gst_test_checks GREv6/v6 2001:db8:1::2 -6 + + cleanup + } +-- +2.33.0 + diff --git a/queue-5.15/selftests-net-udpgso_bench_rx-fix-port-argument.patch b/queue-5.15/selftests-net-udpgso_bench_rx-fix-port-argument.patch new file mode 100644 index 00000000000..e716abd7f7c --- /dev/null +++ b/queue-5.15/selftests-net-udpgso_bench_rx-fix-port-argument.patch @@ -0,0 +1,67 @@ +From e46cbbbb2bc9039da1f71a06a103d983fc8b52e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Nov 2021 06:57:17 -0500 +Subject: selftests/net: udpgso_bench_rx: fix port argument + +From: Willem de Bruijn + +[ Upstream commit d336509cb9d03970911878bb77f0497f64fda061 ] + +The below commit added optional support for passing a bind address. +It configures the sockaddr bind arguments before parsing options and +reconfigures on options -b and -4. + +This broke support for passing port (-p) on its own. + +Configure sockaddr after parsing all arguments. + +Fixes: 3327a9c46352 ("selftests: add functionals test for UDP GRO") +Reported-by: Eric Dumazet +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/net/udpgso_bench_rx.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/tools/testing/selftests/net/udpgso_bench_rx.c b/tools/testing/selftests/net/udpgso_bench_rx.c +index 76a24052f4b47..6a193425c367f 100644 +--- a/tools/testing/selftests/net/udpgso_bench_rx.c ++++ b/tools/testing/selftests/net/udpgso_bench_rx.c +@@ -293,19 +293,17 @@ static void usage(const char *filepath) + + static void parse_opts(int argc, char **argv) + { ++ const char *bind_addr = NULL; + int c; + +- /* bind to any by default */ +- setup_sockaddr(PF_INET6, "::", &cfg_bind_addr); + while ((c = getopt(argc, argv, "4b:C:Gl:n:p:rR:S:tv")) != -1) { + switch (c) { + case '4': + cfg_family = PF_INET; + cfg_alen = sizeof(struct sockaddr_in); +- setup_sockaddr(PF_INET, "0.0.0.0", &cfg_bind_addr); + break; + case 'b': +- setup_sockaddr(cfg_family, optarg, &cfg_bind_addr); ++ bind_addr = optarg; + break; + case 'C': + cfg_connect_timeout_ms = strtoul(optarg, NULL, 0); +@@ -341,6 +339,11 @@ static void parse_opts(int argc, char **argv) + } + } + ++ if (!bind_addr) ++ bind_addr = cfg_family == PF_INET6 ? "::" : "0.0.0.0"; ++ ++ setup_sockaddr(cfg_family, bind_addr, &cfg_bind_addr); ++ + if (optind != argc) + usage(argv[0]); + +-- +2.33.0 + diff --git a/queue-5.15/seq_file-fix-passing-wrong-private-data.patch b/queue-5.15/seq_file-fix-passing-wrong-private-data.patch new file mode 100644 index 00000000000..ade228e4fcb --- /dev/null +++ b/queue-5.15/seq_file-fix-passing-wrong-private-data.patch @@ -0,0 +1,48 @@ +From 7867bee8cb03a5e1c200980cc365e8c8f3186bde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 18:35:19 -0800 +Subject: seq_file: fix passing wrong private data + +From: Muchun Song + +[ Upstream commit 10a6de19cad6efb9b49883513afb810dc265fca2 ] + +DEFINE_PROC_SHOW_ATTRIBUTE() is supposed to be used to define a series +of functions and variables to register proc file easily. And the users +can use proc_create_data() to pass their own private data and get it +via seq->private in the callback. Unfortunately, the proc file system +use PDE_DATA() to get private data instead of inode->i_private. So fix +it. Fortunately, there only one user of it which does not pass any +private data, so this bug does not break any in-tree codes. + +Link: https://lkml.kernel.org/r/20211029032638.84884-1-songmuchun@bytedance.com +Fixes: 97a32539b956 ("proc: convert everything to "struct proc_ops"") +Signed-off-by: Muchun Song +Cc: Andy Shevchenko +Cc: Stephen Rothwell +Cc: Florent Revest +Cc: Alexey Dobriyan +Cc: Christian Brauner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/seq_file.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h +index dd99569595fd3..5733890df64f5 100644 +--- a/include/linux/seq_file.h ++++ b/include/linux/seq_file.h +@@ -194,7 +194,7 @@ static const struct file_operations __name ## _fops = { \ + #define DEFINE_PROC_SHOW_ATTRIBUTE(__name) \ + static int __name ## _open(struct inode *inode, struct file *file) \ + { \ +- return single_open(file, __name ## _show, inode->i_private); \ ++ return single_open(file, __name ## _show, PDE_DATA(inode)); \ + } \ + \ + static const struct proc_ops __name ## _proc_ops = { \ +-- +2.33.0 + diff --git a/queue-5.15/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch b/queue-5.15/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch new file mode 100644 index 00000000000..561798fbfc1 --- /dev/null +++ b/queue-5.15/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch @@ -0,0 +1,40 @@ +From d361853a1f3206066b7be5b5ad8f7b5dab78db91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 16:45:16 +0300 +Subject: serial: 8250_dw: Drop wrong use of ACPI_PTR() + +From: Andy Shevchenko + +[ Upstream commit ebabb77a2a115b6c5e68f7364b598310b5f61fb2 ] + +ACPI_PTR() is more harmful than helpful. For example, in this case +if CONFIG_ACPI=n, the ID table left unused which is not what we want. + +Instead of adding ifdeffery here and there, drop ACPI_PTR(). + +Fixes: 6a7320c4669f ("serial: 8250_dw: Add ACPI 5.0 support") +Reported-by: Daniel Palmer +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20211005134516.23218-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_dw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c +index a3a0154da567d..49559731bbcf1 100644 +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -726,7 +726,7 @@ static struct platform_driver dw8250_platform_driver = { + .name = "dw-apb-uart", + .pm = &dw8250_pm_ops, + .of_match_table = dw8250_of_match, +- .acpi_match_table = ACPI_PTR(dw8250_acpi_match), ++ .acpi_match_table = dw8250_acpi_match, + }, + .probe = dw8250_probe, + .remove = dw8250_remove, +-- +2.33.0 + diff --git a/queue-5.15/serial-cpm_uart-protect-udbg-definitions-by-config_s.patch b/queue-5.15/serial-cpm_uart-protect-udbg-definitions-by-config_s.patch new file mode 100644 index 00000000000..aa0bdac050b --- /dev/null +++ b/queue-5.15/serial-cpm_uart-protect-udbg-definitions-by-config_s.patch @@ -0,0 +1,58 @@ +From b2128d51862118ddd70708222fea7abd820ed92c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 27 Oct 2021 09:53:26 +0200 +Subject: serial: cpm_uart: Protect udbg definitions by + CONFIG_SERIAL_CPM_CONSOLE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit d142585bceb3218ad432ed0fcd5be9d6e3cd9052 ] + +If CONFIG_CONSOLE_POLL=y, and CONFIG_SERIAL_CPM=m (hence +CONFIG_SERIAL_CPM_CONSOLE=n): + + drivers/tty/serial/cpm_uart/cpm_uart_core.c:1109:12: warning: ‘udbg_cpm_getc’ defined but not used [-Wunused-function] + 1109 | static int udbg_cpm_getc(void) + | ^~~~~~~~~~~~~ + drivers/tty/serial/cpm_uart/cpm_uart_core.c:1095:13: warning: ‘udbg_cpm_putc’ defined but not used [-Wunused-function] + 1095 | static void udbg_cpm_putc(char c) + | ^~~~~~~~~~~~~ + +Fix this by making the udbg definitions depend on +CONFIG_SERIAL_CPM_CONSOLE, in addition to CONFIG_CONSOLE_POLL. + +Fixes: a60526097f42eb98 ("tty: serial: cpm_uart: Add udbg support for enabling xmon") +Signed-off-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20211027075326.3270785-1-geert@linux-m68k.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/cpm_uart/cpm_uart_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/tty/serial/cpm_uart/cpm_uart_core.c b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +index c719aa2b18328..d6d3db9c3b1f8 100644 +--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c ++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +@@ -1090,6 +1090,7 @@ static void cpm_put_poll_char(struct uart_port *port, + cpm_uart_early_write(pinfo, ch, 1, false); + } + ++#ifdef CONFIG_SERIAL_CPM_CONSOLE + static struct uart_port *udbg_port; + + static void udbg_cpm_putc(char c) +@@ -1114,6 +1115,7 @@ static int udbg_cpm_getc(void) + cpu_relax(); + return c; + } ++#endif /* CONFIG_SERIAL_CPM_CONSOLE */ + + #endif /* CONFIG_CONSOLE_POLL */ + +-- +2.33.0 + diff --git a/queue-5.15/serial-imx-fix-detach-attach-of-serial-console.patch b/queue-5.15/serial-imx-fix-detach-attach-of-serial-console.patch new file mode 100644 index 00000000000..799eb88294b --- /dev/null +++ b/queue-5.15/serial-imx-fix-detach-attach-of-serial-console.patch @@ -0,0 +1,126 @@ +From 60afb65b5ff60e4eb533c9d124167253b2c66998 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 21:26:42 +0200 +Subject: serial: imx: fix detach/attach of serial console +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stefan Agner + +[ Upstream commit 6d0d1b5a1b4870911beb89544ec1a9751c42fec7 ] + +If the device used as a serial console gets detached/attached at runtime, +register_console() will try to call imx_uart_setup_console(), but this +is not possible since it is marked as __init. + +For instance + + # cat /sys/devices/virtual/tty/console/active + tty1 ttymxc0 + # echo -n N > /sys/devices/virtual/tty/console/subsystem/ttymxc0/console + # echo -n Y > /sys/devices/virtual/tty/console/subsystem/ttymxc0/console + +[ 73.166649] 8<--- cut here --- +[ 73.167005] Unable to handle kernel paging request at virtual address c154d928 +[ 73.167601] pgd = 55433e84 +[ 73.167875] [c154d928] *pgd=8141941e(bad) +[ 73.168304] Internal error: Oops: 8000000d [#1] SMP ARM +[ 73.168429] Modules linked in: +[ 73.168522] CPU: 0 PID: 536 Comm: sh Not tainted 5.15.0-rc6-00056-g3968ddcf05fb #3 +[ 73.168675] Hardware name: Freescale i.MX6 Ultralite (Device Tree) +[ 73.168791] PC is at imx_uart_console_setup+0x0/0x238 +[ 73.168927] LR is at try_enable_new_console+0x98/0x124 +[ 73.169056] pc : [] lr : [] psr: a0000013 +[ 73.169178] sp : c2ef5e70 ip : 00000000 fp : 00000000 +[ 73.169281] r10: 00000000 r9 : c02cf970 r8 : 00000000 +[ 73.169389] r7 : 00000001 r6 : 00000001 r5 : c1760164 r4 : c1e0fb08 +[ 73.169512] r3 : c154d928 r2 : 00000000 r1 : efffcbd1 r0 : c1760164 +[ 73.169641] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 73.169782] Control: 10c5387d Table: 8345406a DAC: 00000051 +[ 73.169895] Register r0 information: non-slab/vmalloc memory +[ 73.170032] Register r1 information: non-slab/vmalloc memory +[ 73.170158] Register r2 information: NULL pointer +[ 73.170273] Register r3 information: non-slab/vmalloc memory +[ 73.170397] Register r4 information: non-slab/vmalloc memory +[ 73.170521] Register r5 information: non-slab/vmalloc memory +[ 73.170647] Register r6 information: non-paged memory +[ 73.170771] Register r7 information: non-paged memory +[ 73.170892] Register r8 information: NULL pointer +[ 73.171009] Register r9 information: non-slab/vmalloc memory +[ 73.171142] Register r10 information: NULL pointer +[ 73.171259] Register r11 information: NULL pointer +[ 73.171375] Register r12 information: NULL pointer +[ 73.171494] Process sh (pid: 536, stack limit = 0xcd1ba82f) +[ 73.171621] Stack: (0xc2ef5e70 to 0xc2ef6000) +[ 73.171731] 5e60: ???????? ???????? ???????? ???????? +[ 73.171899] 5e80: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.172059] 5ea0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.172217] 5ec0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.172377] 5ee0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.172537] 5f00: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.172698] 5f20: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.172856] 5f40: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.173016] 5f60: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.173177] 5f80: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.173336] 5fa0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.173496] 5fc0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.173654] 5fe0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.173826] [] (try_enable_new_console) from [] (register_console+0x10c/0x2ec) +[ 73.174053] [] (register_console) from [] (console_store+0x14c/0x168) +[ 73.174262] [] (console_store) from [] (kernfs_fop_write_iter+0x110/0x1cc) +[ 73.174470] [] (kernfs_fop_write_iter) from [] (vfs_write+0x31c/0x548) +[ 73.174679] [] (vfs_write) from [] (ksys_write+0x60/0xec) +[ 73.174863] [] (ksys_write) from [] (ret_fast_syscall+0x0/0x1c) +[ 73.175052] Exception stack(0xc2ef5fa8 to 0xc2ef5ff0) +[ 73.175167] 5fa0: ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.175327] 5fc0: ???????? ???????? ???????? ???????? ???????? ???????? ???????? ???????? +[ 73.175486] 5fe0: ???????? ???????? ???????? ???????? +[ 73.175608] Code: 00000000 00000000 00000000 00000000 (00000000) +[ 73.175744] ---[ end trace 9b75121265109bf1 ]--- + +A similar issue could be triggered by unbinding/binding the serial +console device [*]. + +Drop __init so that imx_uart_setup_console() can be safely called at +runtime. + +[*] https://lore.kernel.org/all/20181114174940.7865-3-stefan@agner.ch/ + +Fixes: a3cb39d258ef ("serial: core: Allow detach and attach serial device for console") +Reviewed-by: Andy Shevchenko +Acked-by: Uwe Kleine-König +Signed-off-by: Stefan Agner +Signed-off-by: Francesco Dolcini +Link: https://lore.kernel.org/r/20211020192643.476895-2-francesco.dolcini@toradex.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/imx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c +index 8b121cd869e94..51a9f9423b1a6 100644 +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -2017,7 +2017,7 @@ imx_uart_console_write(struct console *co, const char *s, unsigned int count) + * If the port was already initialised (eg, by a boot loader), + * try to determine the current setup. + */ +-static void __init ++static void + imx_uart_console_get_options(struct imx_port *sport, int *baud, + int *parity, int *bits) + { +@@ -2076,7 +2076,7 @@ imx_uart_console_get_options(struct imx_port *sport, int *baud, + } + } + +-static int __init ++static int + imx_uart_console_setup(struct console *co, char *options) + { + struct imx_port *sport; +-- +2.33.0 + diff --git a/queue-5.15/serial-xilinx_uartps-fix-race-condition-causing-stuc.patch b/queue-5.15/serial-xilinx_uartps-fix-race-condition-causing-stuc.patch new file mode 100644 index 00000000000..ffec5825156 --- /dev/null +++ b/queue-5.15/serial-xilinx_uartps-fix-race-condition-causing-stuc.patch @@ -0,0 +1,69 @@ +From d28e33094f283672ac577aa285acbdda8496a8a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 13:27:41 +0300 +Subject: serial: xilinx_uartps: Fix race condition causing stuck TX + +From: Anssi Hannula + +[ Upstream commit 88b20f84f0fe47409342669caf3e58a3fc64c316 ] + +xilinx_uartps .start_tx() clears TXEMPTY when enabling TXEMPTY to avoid +any previous TXEVENT event asserting the UART interrupt. This clear +operation is done immediately after filling the TX FIFO. + +However, if the bytes inserted by cdns_uart_handle_tx() are consumed by +the UART before the TXEMPTY is cleared, the clear operation eats the new +TXEMPTY event as well, causing cdns_uart_isr() to never receive the +TXEMPTY event. If there are bytes still queued in circbuf, TX will get +stuck as they will never get transferred to FIFO (unless new bytes are +queued to circbuf in which case .start_tx() is called again). + +While the racy missed TXEMPTY occurs fairly often with short data +sequences (e.g. write 1 byte), in those cases circbuf is usually empty +so no action on TXEMPTY would have been needed anyway. On the other +hand, longer data sequences make the race much more unlikely as UART +takes longer to consume the TX FIFO. Therefore it is rare for this race +to cause visible issues in general. + +Fix the race by clearing the TXEMPTY bit in ISR *before* filling the +FIFO. + +The TXEMPTY bit in ISR will only get asserted at the exact moment the +TX FIFO *becomes* empty, so clearing the bit before filling FIFO does +not cause an extra immediate assertion even if the FIFO is initially +empty. + +This is hard to reproduce directly on a normal system, but inserting +e.g. udelay(200) after cdns_uart_handle_tx(port), setting 4000000 baud, +and then running "dd if=/dev/zero bs=128 of=/dev/ttyPS0 count=50" +reliably reproduces the issue on my ZynqMP test system unless this fix +is applied. + +Fixes: 85baf542d54e ("tty: xuartps: support 64 byte FIFO size") +Signed-off-by: Anssi Hannula +Link: https://lore.kernel.org/r/20211026102741.2910441-1-anssi.hannula@bitwise.fi +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/xilinx_uartps.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c +index 962e522ccc45c..d5e243908d9fd 100644 +--- a/drivers/tty/serial/xilinx_uartps.c ++++ b/drivers/tty/serial/xilinx_uartps.c +@@ -601,9 +601,10 @@ static void cdns_uart_start_tx(struct uart_port *port) + if (uart_circ_empty(&port->state->xmit)) + return; + ++ writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_ISR); ++ + cdns_uart_handle_tx(port); + +- writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_ISR); + /* Enable the TX Empty interrupt */ + writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_IER); + } +-- +2.33.0 + diff --git a/queue-5.15/series b/queue-5.15/series index df80d2295fe..94ed3136276 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -179,3 +179,673 @@ usb-iowarrior-fix-control-message-timeouts.patch usb-chipidea-fix-interrupt-deadlock.patch power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch component-do-not-leave-master-devres-group-open-after-bind.patch +dma-buf-warn-on-dmabuf-release-with-pending-attachme.patch +drm-panel-orientation-quirks-update-the-lenovo-ideap.patch +drm-panel-orientation-quirks-add-quirk-for-kd-kurio-.patch +drm-panel-orientation-quirks-add-quirk-for-the-samsu.patch +bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch +bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch +bluetooth-call-sock_hold-earlier-in-sco_conn_del.patch +drm-panel-orientation-quirks-add-valve-steam-deck.patch +rcutorture-avoid-problematic-critical-section-nestin.patch +platform-x86-wmi-do-not-fail-if-disabling-fails.patch +drm-amdgpu-move-iommu_resume-before-ip-init-resume.patch +mips-lantiq-dma-add-small-delay-after-reset.patch +mips-lantiq-dma-reset-correct-number-of-channel.patch +locking-lockdep-avoid-rcu-induced-noinstr-fail.patch +net-sched-update-default-qdisc-visibility-after-tx-q.patch +acpi-resources-add-dmi-based-legacy-irq-override-qui.patch +rcu-tasks-move-rtgs_wait_cbs-to-beginning-of-rcu_tas.patch +smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch +ath11k-align-bss_chan_info-structure-with-firmware.patch +crypto-aesni-check-walk.nbytes-instead-of-err.patch +x86-mm-64-improve-stack-overflow-warnings.patch +x86-increase-exception-stack-sizes.patch +mwifiex-run-set_bss_mode-when-changing-from-p2p-to-s.patch +mwifiex-properly-initialize-private-structure-on-int.patch +spi-check-we-have-a-spi_device_id-for-each-dt-compat.patch +fscrypt-allow-256-bit-master-keys-with-aes-256-xts.patch +drm-amdgpu-fix-mmio-access-page-fault.patch +drm-amd-display-fix-null-pointer-dereference-for-enc.patch +crypto-api-fix-built-in-testing-dependency-failures.patch +selftests-net-fib_nexthops-wait-before-checking-repo.patch +leds-trigger-use-rcu-to-protect-the-led_cdevs-list.patch +ath11k-avoid-reg-rules-update-during-firmware-recove.patch +ath11k-add-handler-for-scan-event-wmi_scan_event_deq.patch +ath11k-change-dma_from_device-to-dma_to_device-when-.patch +ath10k-high-latency-fixes-for-beacon-buffer.patch +octeontx2-pf-enable-promisc-allmulti-match-mcam-entr.patch +media-mt9p031-fix-corrupted-frame-after-restarting-s.patch +media-netup_unidvb-handle-interrupt-properly-accordi.patch +media-atomisp-fix-error-handling-in-probe.patch +media-stm32-potential-null-pointer-dereference-in-dc.patch +media-uvcvideo-set-capability-in-s_param.patch +media-uvcvideo-return-eio-for-control-errors.patch +media-uvcvideo-set-unique-vdev-name-based-in-type.patch +media-vidtv-fix-memory-leak-in-remove.patch +media-s5p-mfc-fix-possible-null-pointer-dereference-.patch +media-s5p-mfc-add-checking-to-s5p_mfc_probe.patch +media-videobuf2-rework-vb2_mem_ops-api.patch +media-imx-set-a-media_device-bus_info-string.patch +media-rcar-vin-use-user-provided-buffers-when-starti.patch +media-mceusb-return-without-resubmitting-urb-in-case.patch +ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch +rtw88-fix-rx-clock-gate-setting-while-fifo-dump.patch +brcmfmac-add-dmi-nvram-filename-quirk-for-cyberbook-.patch +media-rcar-csi2-add-checking-to-rcsi2_start_receiver.patch +ipmi-disable-some-operations-during-a-panic.patch +fs-proc-uptime.c-fix-idle-time-reporting-in-proc-upt.patch +kselftests-sched-cleanup-the-child-processes.patch +acpica-avoid-evaluating-methods-too-early-during-sys.patch +cpufreq-make-policy-min-max-hard-requirements.patch +ice-move-devlink-port-to-pf-vf-struct.patch +media-imx-jpeg-fix-possible-null-pointer-dereference.patch +media-ipu3-imgu-imgu_fmt-handle-properly-try.patch +media-ipu3-imgu-vidioc_querycap-fix-bus_info.patch +media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch +net-sysfs-try-not-to-restart-the-syscall-if-it-will-.patch +drm-amdkfd-rm-bo-resv-on-validation-to-avoid-deadloc.patch +tracefs-have-tracefs-directories-not-set-oth-permiss.patch +tracing-disable-other-permission-bits-in-the-tracefs.patch +ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch +kvm-arm64-propagate-errors-from-__pkvm_prot_finalize.patch +mmc-moxart-fix-reference-count-leaks-in-moxart_probe.patch +iov_iter-fix-iov_iter_get_pages-_alloc-page-fault-re.patch +acpi-battery-accept-charges-over-the-design-capacity.patch +acpi-scan-release-pm-resources-blocked-by-unused-obj.patch +drm-amd-display-fix-null-pointer-deref-when-plugging.patch +drm-amdkfd-fix-resume-error-when-iommu-disabled-in-p.patch +net-phy-micrel-make-skew-ps-check-more-lenient.patch +leaking_addresses-always-print-a-trailing-newline.patch +thermal-core-fix-null-pointer-dereference-in-thermal.patch +drm-msm-prevent-null-dereference-in-msm_gpu_crashsta.patch +thermal-drivers-tsens-add-timeout-to-get_temp_tsens_.patch +block-bump-max-plugged-deferred-size-from-16-to-32.patch +floppy-fix-add_disk-assumption-on-exit-due-to-new-de.patch +floppy-use-blk_cleanup_disk.patch +floppy-fix-calling-platform_device_unregister-on-inv.patch +md-update-superblock-after-changing-rdev-flags-in-st.patch +memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch +locking-rwsem-disable-preemption-for-spinning-region.patch +lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch +lib-xz-validate-the-value-before-assigning-it-to-an-.patch +workqueue-make-sysfs-of-unbound-kworker-cpumask-more.patch +tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch +mt76-mt7915-fix-an-off-by-one-bound-check.patch +mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch +iwlwifi-change-all-jnp-to-no-160-configuration.patch +block-remove-inaccurate-requeue-check.patch +media-allegro-ignore-interrupt-if-mailbox-is-not-ini.patch +drm-amdgpu-pm-properly-handle-sclk-for-profiling-mod.patch +nvmet-fix-use-after-free-when-a-port-is-removed.patch +nvmet-rdma-fix-use-after-free-when-a-port-is-removed.patch +nvmet-tcp-fix-use-after-free-when-a-port-is-removed.patch +nvme-drop-scan_lock-and-always-kick-requeue-list-whe.patch +samples-bpf-fix-application-of-sizeof-to-pointer.patch +arm64-vdso32-suppress-error-message-for-make-mrprope.patch +pm-hibernate-get-block-device-exclusively-in-swsusp_.patch +selftests-kvm-fix-mismatched-fclose-after-popen.patch +selftests-bpf-fix-perf_buffer-test-on-system-with-of.patch +iwlwifi-mvm-disable-rx-diversity-in-powersave.patch +smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch +arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch +gre-sit-don-t-generate-link-local-addr-if-addr_gen_m.patch +net-dsa-lantiq_gswip-serialize-access-to-the-pce-tab.patch +can-bittiming-can_fixup_bittiming-change-type-of-tse.patch +gfs2-cancel-remote-delete-work-asynchronously.patch +gfs2-fix-glock_hash_walk-bugs.patch +arm-9136-1-armv7-m-uses-be-8-not-be-32.patch +tools-latency-collector-use-correct-size-when-writin.patch +vrf-run-conntrack-only-in-context-of-lower-physdev-f.patch +net-annotate-data-race-in-neigh_output.patch +acpi-ac-quirk-gk45-to-skip-reading-_psr.patch +acpi-resources-add-one-more-medion-model-in-irq-over.patch +net-dsa-flush-switchdev-workqueue-when-leaving-the-b.patch +btrfs-reflink-initialize-return-value-to-0-in-btrfs_.patch +btrfs-do-not-take-the-uuid_mutex-in-btrfs_rm_device.patch +btrfs-subpage-make-btrfs_submit_compressed_write-com.patch +spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch +wcn36xx-correct-band-freq-reporting-on-rx.patch +wcn36xx-fix-packet-drop-on-resume.patch +revert-wcn36xx-enable-firmware-link-monitoring.patch +ftrace-do-cpu-checking-after-preemption-disabled.patch +inet-remove-races-in-inet-6-_getname.patch +x86-hyperv-protect-set_hv_tscchange_cb-against-getti.patch +drm-amd-display-dcn20_resource_construct-reduce-scop.patch +selftests-core-fix-conflicting-types-compile-error-f.patch +perf-x86-intel-fix-icl-spr-inst_retired.prec_dist-en.patch +parisc-fix-warning-in-flush_tlb_all.patch +task_stack-fix-end_of_stack-for-architectures-with-u.patch +erofs-don-t-trigger-warn-when-decompression-fails.patch +parisc-unwind-fix-unwinder-when-config_64bit-is-enab.patch +parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch +netfilter-conntrack-set-on-ips_assured-if-flows-ente.patch +selftests-bpf-fix-strobemeta-selftest-regression.patch +fbdev-efifb-release-pci-device-s-runtime-pm-ref-duri.patch +drm-bridge-anx7625-propagate-errors-from-sp_tx_rst_a.patch +perf-x86-intel-uncore-fix-intel-spr-cha-event-constr.patch +perf-x86-intel-uncore-fix-intel-spr-iio-event-constr.patch +perf-x86-intel-uncore-fix-intel-spr-m2pcie-event-con.patch +perf-x86-intel-uncore-fix-intel-spr-m3upi-event-cons.patch +drm-bridge-it66121-initialize-device-vendor-_ids.patch +drm-bridge-it66121-wait-for-next-bridge-to-be-probed.patch +bluetooth-fix-init-and-cleanup-of-sco_conn.timeout_w.patch +libbpf-don-t-crash-on-object-files-with-no-symbol-ta.patch +bluetooth-hci_uart-fix-gpf-in-h5_recv.patch +rcu-fix-existing-exp-request-check-in-sync_sched_exp.patch +mips-lantiq-dma-fix-burst-length-for-deu.patch +x86-xen-mark-cpu_bringup_and_idle-as-dead_end_functi.patch +objtool-handle-__sanitize_cov-tail-calls.patch +net-mlx5-publish-and-unpublish-all-devlink-parameter.patch +drm-v3d-fix-wait-for-tmu-write-combiner-flush.patch +crypto-sm4-do-not-change-section-of-ck-and-sbox.patch +virtio-gpu-fix-possible-memory-allocation-failure.patch +lockdep-let-lock_is_held_type-detect-recursive-read-.patch +net-net_namespace-fix-undefined-member-in-key_remove.patch +net-phylink-don-t-call-netif_carrier_off-with-null-n.patch +drm-bridge-it66121-fix-return-value-it66121_probe.patch +spi-fixed-division-by-zero-warning.patch +cgroup-make-rebind_subsystems-disable-v2-controllers.patch +wcn36xx-fix-antenna-diversity-switching.patch +wilc1000-fix-possible-memory-leak-in-cfg_scan_result.patch +bluetooth-btmtkuart-fix-a-memleak-in-mtk_hci_wmt_syn.patch +drm-amdgpu-fix-crash-on-device-remove-driver-unload.patch +drm-amd-display-pass-display_pipe_params_st-as-const.patch +drm-amdgpu-move-amdgpu_virt_release_full_gpu-to-fini.patch +crypto-caam-disable-pkc-for-non-e-socs.patch +crypto-qat-power-up-4xxx-device.patch +bluetooth-hci_h5-fix-runtime-suspend-issues-on-rtl87.patch +bnxt_en-check-devlink-allocation-and-registration-st.patch +qed-don-t-ignore-devlink-allocation-failures.patch +rxrpc-fix-_usecs_to_jiffies-by-using-usecs_to_jiffie.patch +mptcp-do-not-shrink-snd_nxt-when-recovering.patch +fortify-fix-dropped-strcpy-compile-time-write-overfl.patch +mac80211-twt-don-t-use-potentially-unaligned-pointer.patch +cfg80211-always-free-wiphy-specific-regdomain.patch +net-mlx5-accept-devlink-user-input-after-driver-init.patch +net-dsa-rtl8366rb-fix-off-by-one-bug.patch +net-dsa-rtl8366-fix-a-bug-in-deleting-vlans.patch +bpf-tests-fix-error-in-tail-call-limit-tests.patch +ath11k-fix-some-sleeping-in-atomic-bugs.patch +ath11k-avoid-race-during-regd-updates.patch +ath11k-fix-packet-drops-due-to-incorrect-6-ghz-freq-.patch +ath11k-fix-memory-leak-in-ath11k_qmi_driver_event_wo.patch +gve-dqo-avoid-unused-variable-warnings.patch +ath10k-fix-missing-frame-timestamp-for-beacon-probe-.patch +ath10k-sdio-add-missing-bh-locking-around-napi_schdu.patch +drm-ttm-stop-calling-tt_swapin-in-vm_access.patch +arm64-mm-update-max_pfn-after-memory-hotplug.patch +drm-amdgpu-fix-warning-for-overflow-check.patch +libbpf-fix-skel_internal.h-to-set-errno-on-loader-re.patch +media-em28xx-add-missing-em28xx_close_extension.patch +media-meson-ge2d-fix-rotation-parameter-changes-dete.patch +media-cxd2880-spi-fix-a-null-pointer-dereference-on-.patch +media-ttusb-dec-avoid-release-of-non-acquired-mutex.patch +media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch +media-imx258-fix-getting-clock-frequency.patch +media-v4l2-ioctl-s_ctrl-output-the-right-value.patch +media-mtk-vcodec-venc-fix-return-value-when-start_st.patch +media-tda1997x-handle-short-reads-of-hdmi-info-frame.patch +media-mtk-vpu-fix-a-resource-leak-in-the-error-handl.patch +media-imx-jpeg-fix-the-error-handling-path-of-mxc_jp.patch +media-i2c-ths8200-needs-v4l2_async.patch +media-sun6i-csi-allow-the-video-device-to-be-open-mu.patch +media-radio-wl1273-avoid-card-name-truncation.patch +media-si470x-avoid-card-name-truncation.patch +media-tm6000-avoid-card-name-truncation.patch +media-cx23885-fix-snd_card_free-call-on-null-card-po.patch +media-atmel-fix-the-ispck-initialization.patch +scs-release-kasan-vmalloc-poison-in-scs_free-process.patch +kprobes-do-not-use-local-variable-when-creating-debu.patch +crypto-ecc-fix-crypto_default_rng-dependency.patch +drm-fb_helper-fix-config_fb-dependency.patch +cpuidle-fix-kobject-memory-leaks-in-error-paths.patch +media-em28xx-don-t-use-ops-suspend-if-it-is-null.patch +ath10k-don-t-always-treat-modem-stop-events-as-crash.patch +ath9k-fix-potential-interrupt-storm-on-queue-reset.patch +pm-em-fix-inefficient-states-detection.patch +x86-insn-use-get_unaligned-instead-of-memcpy.patch +edac-amd64-handle-three-rank-interleaving-mode.patch +rcu-always-inline-rcu_dynticks_task-_-enter-exit.patch +rcu-fix-rcu_dynticks_curr_cpu_in_eqs-vs-noinstr.patch +netfilter-nft_dynset-relax-superfluous-check-on-set-.patch +media-venus-fix-vpp-frequency-calculation-for-decode.patch +media-dvb-frontends-mn88443x-handle-errors-of-clk_pr.patch +crypto-ccree-avoid-out-of-range-warnings-from-clang.patch +crypto-qat-detect-pfvf-collision-after-ack.patch +crypto-qat-disregard-spurious-pfvf-interrupts.patch +hwrng-mtk-force-runtime-pm-ops-for-sleep-ops.patch +ima-fix-deadlock-when-traversing-ima_default_rules.patch +b43legacy-fix-a-lower-bounds-test.patch +b43-fix-a-lower-bounds-test.patch +gve-recover-from-queue-stall-due-to-missed-irq.patch +gve-track-rx-buffer-allocation-failures.patch +mmc-sdhci-omap-fix-null-pointer-exception-if-regulat.patch +mmc-sdhci-omap-fix-context-restore.patch +memstick-avoid-out-of-range-warning.patch +memstick-jmb38x_ms-use-appropriate-free-function-in-.patch +net-neigh-fix-ntf_ext_learned-in-combination-with-nt.patch +hwmon-fix-possible-memleak-in-__hwmon_device_registe.patch +hwmon-pmbus-lm25066-let-compiler-determine-outer-dim.patch +ath10k-fix-max-antenna-gain-unit.patch +kernel-sched-fix-sched_fork-access-an-invalid-sched_.patch +net-fealnx-fix-build-for-uml.patch +net-intel-igc_ptp-fix-build-for-uml.patch +net-tulip-winbond-840-fix-build-for-uml.patch +x86-fix-get_wchan-to-support-the-orc-unwinder.patch +tcp-switch-orphan_count-to-bare-per-cpu-counters.patch +crypto-octeontx2-set-assoclen-in-aead_do_fallback.patch +thermal-core-fix-a-uaf-bug-in-__thermal_cooling_devi.patch +drm-msm-dsi-do-not-enable-irq-handler-before-powerin.patch +drm-msm-fix-potential-oops-in-a6xx_gmu_rpmh_init.patch +drm-msm-potential-error-pointer-dereference-in-init.patch +drm-msm-unlock-on-error-in-get_sched_entity.patch +drm-msm-fix-potential-null-dereference-in-cleanup.patch +drm-msm-uninitialized-variable-in-msm_gem_import.patch +net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch +thermal-drivers-qcom-lmh-make-qcom_lmh-depends-on-qc.patch +mailbox-remove-warn_on-for-async_cb.cb-in-cmdq_exec_.patch +media-ivtv-fix-build-for-uml.patch +media-ir_toy-assignment-to-be16-should-be-of-correct.patch +mmc-mxs-mmc-disable-regulator-on-error-and-in-the-re.patch +io-wq-remove-duplicate-code-in-io_workqueue_create.patch +block-ataflop-fix-breakage-introduced-at-blk-mq-refa.patch +blk-wbt-prevent-null-pointer-dereference-in-wb_timer.patch +platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch +mailbox-mtk-cmdq-validate-alias_id-on-probe.patch +mailbox-mtk-cmdq-fix-local-clock-id-usage.patch +acpi-pm-turn-off-unused-wakeup-power-resources.patch +acpi-pm-fix-sharing-of-wakeup-power-resources.patch +drm-amdkfd-fix-an-inappropriate-error-handling-in-al.patch +mt76-mt7921-fix-endianness-in-mt7921_mcu_tx_done_eve.patch +mt76-mt7915-fix-endianness-warning-in-mt7915_mac_add.patch +mt76-mt7921-fix-endianness-warning-in-mt7921_update_.patch +mt76-mt7615-fix-endianness-warning-in-mt7615_mac_wri.patch +mt76-mt7915-fix-info-leak-in-mt7915_mcu_set_pre_cal.patch +mt76-connac-fix-mt76_connac_gtk_rekey_tlv-usage.patch +mt76-fix-build-error-implicit-enumeration-conversion.patch +mt76-mt7921-fix-survey-dump-reporting.patch +mt76-mt76x02-fix-endianness-warnings-in-mt76x02_mac..patch +mt76-mt7921-fix-out-of-order-process-by-invalid-even.patch +mt76-mt7915-fix-potential-overflow-of-eeprom-page-in.patch +mt76-mt7915-fix-bit-fields-for-ht-rate-idx.patch +mt76-mt7921-fix-dma-hang-in-rmmod.patch +mt76-connac-fix-gtk-rekey-offload-failure-on-wpa-mix.patch +mt76-overwrite-default-reg_ops-if-necessary.patch +mt76-mt7921-report-he-mu-radiotap.patch +mt76-mt7921-fix-firmware-usage-of-ra-info-using-lega.patch +mt76-mt7921-fix-kernel-warning-from-cfg80211_calcula.patch +mt76-mt7921-always-wake-device-if-necessary-in-debug.patch +mt76-mt7915-fix-hwmon-temp-sensor-mem-use-after-free.patch +mt76-mt7615-fix-hwmon-temp-sensor-mem-use-after-free.patch +mt76-mt7915-fix-possible-infinite-loop-release-semap.patch +mt76-mt7921-fix-retrying-release-semaphore-without-e.patch +mt76-mt7615-fix-monitor-mode-tear-down-crash.patch +mt76-connac-fix-possible-null-pointer-dereference-in.patch +mt76-mt7915-fix-sta_rec_wtbl-tag-len.patch +mt76-mt7915-fix-muar_idx-in-mt7915_mcu_alloc_sta_req.patch +rsi-stop-thread-firstly-in-rsi_91x_init-error-handli.patch +mwifiex-send-delba-requests-according-to-spec.patch +iwlwifi-mvm-reset-pm-state-on-unsuccessful-resume.patch +iwlwifi-pnvm-don-t-kmemdup-more-than-we-have.patch +iwlwifi-pnvm-read-efi-data-only-if-long-enough.patch +net-enetc-unmap-dma-in-enetc_send_cmd.patch +phy-micrel-ksz8041nl-do-not-use-power-down-mode.patch +nbd-fix-use-after-free-in-pid_show.patch +nvme-rdma-fix-error-code-in-nvme_rdma_setup_ctrl.patch +pm-hibernate-fix-sparse-warnings.patch +clocksource-drivers-timer-ti-dm-select-timer_of.patch +x86-sev-fix-stack-type-check-in-vc_switch_off_ist.patch +drm-msm-fix-potential-null-dereference-in-dpu-sspp.patch +drm-msm-dsi-fix-wrong-type-in-msm_dsi_host.patch +crypto-tcrypt-fix-skcipher-multi-buffer-tests-for-14.patch +smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch +kvm-selftests-fix-nested-svm-tests-when-built-with-c.patch +libbpf-fix-memory-leak-in-btf__dedup.patch +bpftool-avoid-leaking-the-json-writer-prepared-for-p.patch +libbpf-fix-overflow-in-btf-sanity-checks.patch +libbpf-fix-btf-header-parsing-checks.patch +mt76-mt7615-mt7622-fix-ibss-and-meshpoint.patch +s390-gmap-validate-vma-in-__gmap_zap.patch +s390-gmap-don-t-unconditionally-call-pte_unmap_unloc.patch +s390-mm-validate-vma-in-pgste-manipulation-functions.patch +s390-mm-fix-vma-and-page-table-handling-code-in-stor.patch +s390-uv-fully-validate-the-vma-before-calling-follow.patch +kvm-s390-pv-avoid-double-free-of-sida-page.patch +kvm-s390-pv-avoid-stalls-for-kvm_s390_pv_init_vm.patch +irq-mips-avoid-nested-irq_enter.patch +net-dsa-avoid-refcount-warnings-when-port_-fdb-mdb-_.patch +arm-9142-1-kasan-work-around-lpae-build-warning.patch +ath10k-fix-module-load-regression-with-iram-recovery.patch +block-ataflop-more-blk-mq-refactoring-fixes.patch +blk-cgroup-synchronize-blkg-creation-against-policy-.patch +libbpf-fix-off-by-one-bug-in-bpf_core_apply_relo.patch +tpm-fix-atmel-tpm-crash-caused-by-too-frequent-queri.patch +tpm_tis_spi-add-missing-spi-id.patch +libbpf-fix-endianness-detection-in-bpf_core_read_bit.patch +tcp-don-t-free-a-fin-sk_buff-in-tcp_remove_empty_skb.patch +tracing-fix-missing-trace_boot_init_histograms-kstrd.patch +cpufreq-intel_pstate-fix-cpu-pstate.turbo_freq-initi.patch +spi-spi-rpc-if-check-return-value-of-rpcif_sw_init.patch +sched-add-wrapper-for-get_wchan-to-keep-task-blocked.patch +x86-fix-__get_wchan-for-stacktrace.patch +samples-kretprobes-fix-return-value-if-register_kret.patch +kvm-s390-fix-handle_sske-page-fault-handling.patch +libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch +libertas-fix-possible-memory-leak-in-probe-and-disco.patch +wcn36xx-add-proper-dma-memory-barriers-in-rx-path.patch +wcn36xx-fix-discarded-frames-due-to-wrong-sequence-n.patch +bpf-avoid-races-in-__bpf_prog_run-for-32bit-arches.patch +bpf-fixes-possible-race-in-update_prog_stats-for-32b.patch +wcn36xx-channel-list-update-before-hardware-scan.patch +drm-amdgpu-fix-a-potential-memory-leak-in-amdgpu_dev.patch +drm-amdgpu-gmc6-fix-dma-mask-from-44-to-40-bits.patch +selftests-bpf-fix-fd-cleanup-in-sk_lookup-test.patch +selftests-bpf-fix-memory-leak-in-test_ima.patch +sctp-allow-ip-fragmentation-when-plpmtud-enters-erro.patch +sctp-reset-probe_timer-in-sctp_transport_pl_update.patch +sctp-subtract-sctphdr-len-in-sctp_transport_pl_hlen.patch +sctp-return-true-only-for-pathmtu-update-in-sctp_tra.patch +net-amd-xgbe-toggle-pll-settings-during-rate-change.patch +ipmi-kcs_bmc-fix-a-memory-leak-in-the-error-handling.patch +nfp-fix-null-pointer-access-when-scheduling-dim-work.patch +nfp-fix-potential-deadlock-when-canceling-dim-work.patch +net-phylink-avoid-mvneta-warning-when-setting-pause-.patch +net-bridge-fix-uninitialized-variables-when-bridge_c.patch +selftests-net-bridge-update-igmp-mld-membership-inte.patch +crypto-pcrypt-delay-write-to-padata-info.patch +selftests-bpf-fix-fclose-pclose-mismatch-in-test_pro.patch +udp6-allow-so_mark-ctrl-msg-to-affect-routing.patch +ibmvnic-don-t-stop-queue-in-xmit.patch +ibmvnic-process-crqs-after-enabling-interrupts.patch +ibmvnic-delay-complete.patch +selftests-mptcp-fix-proto-type-in-link_failure-tests.patch +skmsg-lose-offset-info-in-sk_psock_skb_ingress.patch +cgroup-fix-rootcg-cpu.stat-guest-double-counting.patch +bpf-fix-propagation-of-bounds-from-64-bit-min-max-in.patch +bpf-fix-propagation-of-signed-bounds-from-64-bit-min.patch +of-unittest-fix-expect-text-for-gpio-hog-errors.patch +cpufreq-fix-parameter-in-parse_perf_domain.patch +staging-r8188eu-fix-memory-leak-in-rtw_set_key.patch +arm64-dts-meson-sm1-add-ethernet-phy-reset-line-for-.patch +iio-st_sensors-disable-regulators-after-device-unreg.patch +rdma-rxe-fix-wrong-port_cap_flags.patch +arm-dts-bcm5301x-fix-memory-nodes-names.patch +arm64-dts-broadcom-bcm4908-fix-uart-clock-name.patch +clk-mvebu-ap-cpu-clk-fix-a-memory-leak-in-error-hand.patch +scsi-pm80xx-fix-lockup-in-outbound-queue-management.patch +scsi-qla2xxx-edif-use-link-event-to-wake-up-app.patch +scsi-lpfc-fix-nvme-i-o-failover-to-non-optimized-pat.patch +arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch +arm64-dts-rockchip-move-rk3568-dtsi-to-rk356x-dtsi.patch +arm64-dts-rockchip-fix-rk3568-mbi-alias.patch +arm64-dts-rockchip-fix-gpu-register-width-for-rk3328.patch +arm-dts-qcom-msm8974-add-xo_board-reference-clock-to.patch +rdma-bnxt_re-fix-query-srq-failure.patch +arm64-dts-ti-k3-j721e-main-fix-max-virtual-functions.patch +arm64-dts-ti-k3-j721e-main-fix-bus-range-upto-256-bu.patch +arm64-dts-ti-j7200-main-fix-vendor-id-device-id-prop.patch +arm64-dts-ti-j7200-main-fix-bus-range-upto-256-bus-n.patch +arm64-dts-meson-g12a-fix-the-pwm-regulator-supply-pr.patch +arm64-dts-meson-g12b-fix-the-pwm-regulator-supply-pr.patch +arm64-dts-meson-sm1-fix-the-pwm-regulator-supply-pro.patch +bus-ti-sysc-fix-timekeeping_suspended-warning-on-res.patch +arm-dts-at91-tse850-the-emac-phy-interface-is-rmii.patch +mips-ralink-don-t-define-pc_iobase-but-increase-io_s.patch +arm64-dts-qcom-sc7180-base-dynamic-cpu-power-coeffic.patch +soc-qcom-llcc-disable-mmuhwt-retention.patch +arm64-dts-qcom-sc7280-fix-display-port-phy-reg-prope.patch +scsi-dc395-fix-error-case-unwinding.patch +mips-loongson64-make-cpu_loongson64-depends-on-mips_.patch +jfs-fix-memleak-in-jfs_mount.patch +pinctrl-renesas-rzg2l-fix-missing-port-register-21h.patch +asoc-wcd9335-use-correct-version-to-initialize-class.patch +arm64-dts-qcom-msm8916-fix-secondary-mi2s-bit-clock.patch +arm64-dts-renesas-beacon-fix-ethernet-phy-mode.patch +iommu-mediatek-fix-out-of-range-warning-with-clang.patch +arm64-dts-qcom-pm8916-remove-wrong-reg-names-for-rtc.patch +iommu-dma-fix-sync_sg-with-swiotlb.patch +iommu-dma-fix-arch_sync_dma-for-map.patch +alsa-hda-reduce-udelay-at-skl-position-reporting.patch +alsa-hda-use-position-buffer-for-skl-again.patch +alsa-usb-audio-fix-possible-race-at-sync-of-urb-comp.patch +soundwire-debugfs-use-controller-id-and-link_id-for-.patch +power-reset-at91-reset-check-properly-the-return-val.patch +scsi-ufs-core-fix-ufshcd_probe_hba-prototype-to-matc.patch +scsi-ufs-core-stop-clearing-unit-attentions.patch +scsi-megaraid_sas-fix-concurrent-access-to-isr-betwe.patch +scsi-pm80xx-fix-misleading-log-statement-in-pm8001_m.patch +driver-core-fix-possible-memory-leak-in-device_link_.patch +arm-dts-omap3-gta04a4-accelerometer-irq-fix.patch +asoc-sof-topology-do-not-power-down-primary-core-dur.patch +iio-st_pressure_spi-add-missing-entries-spi-to-devic.patch +soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch +memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch +clk-at91-check-pmc-node-status-before-registering-sy.patch +powerpc-mem-fix-arch-powerpc-mm-mem.c-53-12-error-no.patch +video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch +powerpc-fix-unbalanced-node-refcount-in-check_kvm_gu.patch +powerpc-paravirt-correct-preempt-debug-splat-in-vcpu.patch +serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch +usb-gadget-hid-fix-error-code-in-do_config.patch +power-supply-rt5033_battery-change-voltage-values-to.patch +power-supply-max17040-fix-null-ptr-deref-in-max17040.patch +scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch +rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch +usb-musb-select-generic_phy-instead-of-depending-on-.patch +staging-most-dim2-do-not-double-register-the-same-de.patch +staging-ks7010-select-crypto_hash-crypto_michael_mic.patch +rdma-core-set-sgtable-nents-when-using-ib_dma_virt_m.patch +dyndbg-make-dyndbg-a-known-cli-param.patch +powerpc-perf-fix-cycles-instructions-as-pm_cyc-pm_in.patch +pinctrl-renesas-checker-fix-off-by-one-bug-in-drive-.patch +arm-dts-stm32-reduce-dhcor-spi-nor-frequency-to-50-m.patch +arm-dts-stm32-fix-stusb1600-type-c-irq-level-on-stm3.patch +arm-dts-stm32-fix-sai-sub-nodes-register-range.patch +arm-dts-stm32-fix-av96-board-sai2-pin-muxing-on-stm3.patch +asoc-cs42l42-always-configure-both-asp-tx-channels.patch +asoc-cs42l42-correct-some-register-default-values.patch +asoc-cs42l42-defer-probe-if-request_threaded_irq-ret.patch +soc-qcom-rpmhpd-make-power_on-actually-enable-the-do.patch +soc-qcom-socinfo-add-two-missing-pmic-ids.patch +iio-buffer-fix-double-free-in-iio_buffers_alloc_sysf.patch +usb-typec-stusb160x-should-select-regmap_i2c.patch +iio-adis-do-not-disabe-irqs-in-adis_init.patch +soundwire-bus-stop-dereferencing-invalid-slave-point.patch +scsi-ufs-ufshcd-pltfrm-fix-memory-leak-due-to-probe-.patch +scsi-lpfc-wait-for-successful-restart-of-sli3-adapte.patch +serial-imx-fix-detach-attach-of-serial-console.patch +usb-dwc2-drd-fix-dwc2_force_mode-call-in-dwc2_ovr_in.patch +usb-dwc2-drd-fix-dwc2_drd_role_sw_set-when-clock-cou.patch +usb-dwc2-drd-reset-current-session-before-setting-th.patch +powerpc-booke-disable-strict_kernel_rwx-debug_pageal.patch +usb-dwc3-gadget-skip-resizing-ep-s-tx-fifo-if-alread.patch +firmware-qcom_scm-fix-error-retval-in-__qcom_scm_is_.patch +soc-qcom-rpmhpd-fix-sm8350_mxc-s-peer-domain.patch +soc-qcom-apr-add-of_node_put-before-return.patch +arm64-dts-qcom-pmi8994-fix-eternal-external-typo-in-.patch +arm64-dts-qcom-sdm845-use-rpmh_ce_clk-macro-directly.patch +arm64-dts-qcom-sdm845-fix-qualcomm-crypto-engine-bus.patch +pinctrl-equilibrium-fix-function-addition-in-multipl.patch +asoc-topology-fix-stub-for-snd_soc_tplg_component_re.patch +phy-qcom-qusb2-fix-a-memory-leak-on-probe.patch +phy-ti-gmii-sel-check-of_get_address-for-failure.patch +phy-qcom-qmp-another-fix-for-the-sc8180x-pcie-defini.patch +phy-qcom-snps-correct-the-fsel_mask.patch +phy-sparx5-eth-serdes-fix-return-value-check-in-spar.patch +serial-xilinx_uartps-fix-race-condition-causing-stuc.patch +clk-at91-sam9x60-pll-use-div_round_closest_ull.patch +clk-at91-clk-master-check-if-div-or-pres-is-zero.patch +clk-at91-clk-master-fix-prescaler-logic.patch +hid-u2fzero-clarify-error-check-and-length-calculati.patch +hid-u2fzero-properly-handle-timeouts-in-usb_submit_u.patch +powerpc-nohash-fix-__ptep_set_access_flags-and-ptep_.patch +powerpc-book3e-fix-set_memory_x-and-set_memory_nx.patch +powerpc-44x-fsp2-add-missing-of_node_put.patch +powerpc-xmon-fix-task-state-output.patch +alsa-oxfw-fix-functional-regression-for-mackie-onyx-.patch +iommu-dma-fix-incorrect-error-return-on-iommu-deferr.patch +powerpc-don-t-provide-__kernel_map_pages-without-arc.patch +asoc-cs42l42-correct-configuring-of-switch-inversion.patch +rdma-hns-fix-initial-arm_st-of-cq.patch +rdma-hns-modify-the-value-of-max_lp_msg_len-to-meet-.patch +asoc-rsnd-fix-an-error-handling-path-in-rsnd_node_co.patch +serial-cpm_uart-protect-udbg-definitions-by-config_s.patch +virtio_ring-check-desc-null-when-using-indirect-with.patch +vdpa-mlx5-fix-clearing-of-virtio_net_f_mac-feature-b.patch +mips-cm-convert-to-bitfield-api-to-fix-out-of-bounds.patch +power-supply-bq27xxx-fix-kernel-crash-on-irq-handler.patch +rdma-core-require-the-driver-to-set-the-iova-correct.patch +apparmor-fix-error-check.patch +rpmsg-fix-rpmsg_create_ept-return-when-rpmsg-config-.patch +mtd-rawnand-intel-fix-potential-buffer-overflow-in-p.patch +nfsd-don-t-alloc-under-spinlock-in-rpc_parse_scope_i.patch +rtc-ds1302-add-spi-id-table.patch +rtc-ds1390-add-spi-id-table.patch +rtc-pcf2123-add-spi-id-table.patch +remoteproc-imx_rproc-fix-tcm-io-memory-type.patch +i2c-i801-use-pci-bus-rescan-mutex-to-protect-p2sb-ac.patch +dmaengine-idxd-move-out-percpu_ref_exit-to-ensure-it.patch +rtc-mcp795-add-spi-id-table.patch +input-ariel-pwrbutton-add-spi-device-id-table.patch +i2c-mediatek-fixing-the-incorrect-register-offset.patch +nfs-default-change_attr_type-to-nfs4_change_type_is_.patch +nfs-don-t-set-nfs_ino_data_inval_defer-and-nfs_ino_i.patch +nfs-ignore-the-directory-size-when-marking-for-reval.patch +nfs-fix-dentry-verifier-races.patch +pnfs-flexfiles-fix-misplaced-barrier-in-nfs4_ff_layo.patch +drm-bridge-lontium-lt9611uxc-fix-provided-connector-.patch +drm-plane-helper-fix-uninitialized-variable-referenc.patch +pci-aardvark-don-t-spam-about-pio-response-status.patch +pci-aardvark-fix-preserving-pci_exp_rtctl_crssve-fla.patch +opp-fix-return-in-_opp_add_static_v2.patch +nfs-fix-deadlocks-in-nfs_scan_commit_list.patch +sparc-add-missing-force-target-when-using-if_changed.patch +fs-orangefs-fix-error-return-code-of-orangefs_revali.patch +input-st1232-increase-wait-ready-timeout.patch +drm-bridge-nwl-dsi-add-atomic_get_input_bus_fmts.patch +mtd-spi-nor-hisi-sfc-remove-excessive-clk_disable_un.patch +pci-uniphier-serialize-intx-masking-unmasking-and-fi.patch +mtd-rawnand-arasan-prevent-an-unsupported-configurat.patch +mtd-core-don-t-remove-debugfs-directory-if-device-is.patch +remoteproc-fix-a-memory-leak-in-an-error-handling-pa.patch +rtc-rv3032-fix-error-handling-in-rv3032_clkout_set_r.patch +dmaengine-at_xdmac-call-at_xdmac_axi_config-on-resum.patch +dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch +dmaengine-stm32-dma-fix-stm32_dma_get_max_width.patch +nfs-fix-up-commit-deadlocks.patch +nfs-fix-an-oops-in-pnfs_mark_request_commit.patch +fix-user-namespace-leak.patch +auxdisplay-img-ascii-lcd-fix-lock-up-when-displaying.patch +auxdisplay-ht16k33-connect-backlight-to-fbdev.patch +auxdisplay-ht16k33-fix-frame-buffer-device-blanking.patch +soc-fsl-dpaa2-console-free-buffer-before-returning-f.patch +netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch +dmaengine-dmaengine_desc_callback_valid-check-for-ca.patch +dmaengine-tegra210-adma-fix-pm-runtime-unbalance.patch +dmanegine-idxd-fix-resource-free-ordering-on-driver-.patch +dmaengine-idxd-reconfig-device-after-device-reset-co.patch +signal-sh-use-force_sig-sigkill-instead-of-do_group_.patch +m68k-set-a-default-value-for-memory_reserve.patch +watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch +ar7-fix-kernel-builds-for-compiler-test.patch +scsi-target-core-remove-from-tmr_list-during-lun-unl.patch +scsi-qla2xxx-relogin-during-fabric-disturbance.patch +scsi-qla2xxx-fix-gnl-list-corruption.patch +scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch +scsi-qla2xxx-edif-fix-app-start-fail.patch +scsi-qla2xxx-edif-fix-app-start-delay.patch +scsi-qla2xxx-edif-flush-stale-events-and-msgs-on-ses.patch +scsi-qla2xxx-edif-increase-els-payload.patch +scsi-qla2xxx-edif-fix-edif-bsg.patch +nfsv4-fix-a-regression-in-nfs_set_open_stateid_locke.patch +dmaengine-idxd-fix-resource-leak-on-dmaengine-driver.patch +i2c-xlr-fix-a-resource-leak-in-the-error-handling-pa.patch +gpio-realtek-otto-fix-gpio-line-irq-offset.patch +xen-pciback-fix-return-in-pm_ctrl_init.patch +nbd-fix-max-value-for-first_minor.patch +nbd-fix-possible-overflow-for-first_minor-in-nbd_dev.patch +io-wq-fix-max-workers-not-correctly-set-on-multi-nod.patch +net-davinci_emac-fix-interrupt-pacing-disable.patch +kselftests-net-add-missed-icmp.sh-test-to-makefile.patch +kselftests-net-add-missed-setup_loopback.sh-setup_ve.patch +kselftests-net-add-missed-srv6-tests.patch +kselftests-net-add-missed-vrf_strict_mode_test.sh-te.patch +kselftests-net-add-missed-toeplitz.sh-toeplitz_clien.patch +ethtool-fix-ethtool-msg-len-calculation-for-pause-st.patch +openrisc-fix-smp-tlb-flush-null-pointer-dereference.patch +net-vlan-fix-a-uaf-in-vlan_dev_real_dev.patch +net-dsa-felix-fix-broken-vlan-tagged-ptp-under-vlan-.patch +ice-fix-replacing-vf-hardware-mac-to-existing-mac-fi.patch +ice-fix-not-stopping-tx-queues-for-vfs.patch +kdb-adopt-scheduler-s-task-classification.patch +acpi-pmic-fix-intel_pmic_regs_handler-read-accesses.patch +pci-j721e-fix-j721e_pcie_probe-error-path.patch +nvdimm-btt-do-not-call-del_gendisk-if-not-needed.patch +scsi-bsg-fix-errno-when-scsi_bsg_register_queue-fail.patch +scsi-ufs-ufshpb-use-proper-power-management-api.patch +scsi-ufs-core-fix-null-pointer-dereference.patch +scsi-ufs-ufshpb-properly-handle-max-single-cmd.patch +selftests-net-properly-support-ipv6-in-gso-gre-test.patch +drm-nouveau-svm-fix-refcount-leak-bug-and-missing-ch.patch +nvdimm-pmem-cleanup-the-disk-if-pmem_release_disk-is.patch +block-ataflop-use-the-blk_cleanup_disk-helper.patch +block-ataflop-add-registration-bool-before-calling-d.patch +block-ataflop-provide-a-helper-for-cleanup-up-an-ata.patch +ataflop-remove-ataflop_probe_lock-mutex.patch +pci-do-not-enable-atomicops-on-vfs.patch +cpufreq-intel_pstate-clear-hwp-desired-on-suspend-sh.patch +net-phy-fix-duplex-out-of-sync-problem-while-changin.patch +block-fix-device_add_disk-kobject_create_and_add-err.patch +drm-ttm-remove-ttm_bo_vm_insert_huge.patch +bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch +octeontx2-pf-select-config_net_devlink.patch +alsa-memalloc-catch-call-with-null-snd_dma_buffer-po.patch +mfd-core-add-missing-of_node_put-for-loop-iteration.patch +mfd-cpcap-add-spi-device-id-table.patch +mfd-sprd-add-spi-device-id-table.patch +mfd-altera-sysmgr-fix-a-mistake-caused-by-resource_s.patch +acpi-pm-fix-device-wakeup-power-reference-counting-e.patch +libbpf-fix-lookup_and_delete_elem_flags-error-report.patch +selftests-bpf-xdp_redirect_multi-put-the-logs-to-tmp.patch +selftests-bpf-xdp_redirect_multi-use-arping-to-accur.patch +selftests-bpf-xdp_redirect_multi-give-tcpdump-a-chan.patch +selftests-bpf-xdp_redirect_multi-limit-the-tests-in-.patch +drm-fb_helper-improve-config_fb-dependency.patch +revert-drm-imx-annotate-dma-fence-critical-section-i.patch +drm-amdgpu-powerplay-fix-sysfs_emit-sysfs_emit_at-ha.patch +can-etas_es58x-es58x_rx_err_msg-fix-memory-leak-in-e.patch +can-mcp251xfd-mcp251xfd_chip_start-fix-error-handlin.patch +mm-zsmalloc.c-close-race-window-between-zs_pool_dec_.patch +zram-off-by-one-in-read_block_state.patch +perf-bpf-add-missing-free-to-bpf_event__print_bpf_pr.patch +llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch +nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch +litex_liteeth-fix-a-double-free-in-the-remove-functi.patch +arm64-arm64_ftr_reg-name-may-not-be-a-human-readable.patch +arm64-pgtable-make-__pte_to_phys-__phys_to_pte_val-i.patch +bpf-sockmap-remove-unhash-handler-for-bpf-sockmap-us.patch +bpf-sockmap-fix-race-in-ingress-receive-verdict-with.patch +bpf-sockmap-strparser-and-tls-are-reusing-qdisc_skb_.patch +bpf-sockmap-sk_skb-data_end-access-incorrect-when-sr.patch +dmaengine-stm32-dma-fix-burst-in-case-of-unaligned-m.patch +dmaengine-stm32-dma-avoid-64-bit-division-in-stm32_d.patch +gve-fix-off-by-one-in-gve_tx_timeout.patch +drm-i915-fb-fix-rounding-error-in-subsampled-plane-s.patch +init-make-unknown-command-line-param-message-clearer.patch +seq_file-fix-passing-wrong-private-data.patch +drm-amdgpu-fix-uvd-crash-on-polaris12-during-driver-.patch +net-dsa-mv88e6xxx-don-t-support-1g-speeds-on-6191x-o.patch +net-sched-sch_taprio-fix-undefined-behavior-in-ktime.patch +net-hns3-fix-roce-base-interrupt-vector-initializati.patch +net-hns3-fix-pfc-packet-number-incorrect-after-query.patch +net-hns3-fix-kernel-crash-when-unload-vf-while-it-is.patch +net-hns3-allow-configure-ets-bandwidth-of-all-tcs.patch +net-stmmac-allow-a-tc-taprio-base-time-of-zero.patch +net-ethernet-ti-cpsw_ale-fix-access-to-un-initialize.patch +net-marvell-mvpp2-fix-wrong-serdes-reconfiguration-o.patch +vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch +net-smc-fix-sk_refcnt-underflow-on-linkdown-and-fall.patch +cxgb4-fix-eeprom-len-when-diagnostics-not-implemente.patch +selftests-net-udpgso_bench_rx-fix-port-argument.patch +thermal-int340x-fix-build-on-32-bit-targets.patch diff --git a/queue-5.15/signal-sh-use-force_sig-sigkill-instead-of-do_group_.patch b/queue-5.15/signal-sh-use-force_sig-sigkill-instead-of-do_group_.patch new file mode 100644 index 00000000000..d8c3ba021e4 --- /dev/null +++ b/queue-5.15/signal-sh-use-force_sig-sigkill-instead-of-do_group_.patch @@ -0,0 +1,63 @@ +From 84d62a56f6264b975f84cb8d45e8b4dd38efd53c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 12:43:52 -0500 +Subject: signal/sh: Use force_sig(SIGKILL) instead of do_group_exit(SIGKILL) + +From: Eric W. Biederman + +[ Upstream commit ce0ee4e6ac99606f3945f4d47775544edc3f7985 ] + +Today the sh code allocates memory the first time a process uses +the fpu. If that memory allocation fails, kill the affected task +with force_sig(SIGKILL) rather than do_group_exit(SIGKILL). + +Calling do_group_exit from an exception handler can potentially lead +to dead locks as do_group_exit is not designed to be called from +interrupt context. Instead use force_sig(SIGKILL) to kill the +userspace process. Sending signals in general and force_sig in +particular has been tested from interrupt context so there should be +no problems. + +Cc: Yoshinori Sato +Cc: Rich Felker +Cc: linux-sh@vger.kernel.org +Fixes: 0ea820cf9bf5 ("sh: Move over to dynamically allocated FPU context.") +Link: https://lkml.kernel.org/r/20211020174406.17889-6-ebiederm@xmission.com +Signed-off-by: Eric W. Biederman +Signed-off-by: Sasha Levin +--- + arch/sh/kernel/cpu/fpu.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/arch/sh/kernel/cpu/fpu.c b/arch/sh/kernel/cpu/fpu.c +index ae354a2931e7e..fd6db0ab19288 100644 +--- a/arch/sh/kernel/cpu/fpu.c ++++ b/arch/sh/kernel/cpu/fpu.c +@@ -62,18 +62,20 @@ void fpu_state_restore(struct pt_regs *regs) + } + + if (!tsk_used_math(tsk)) { +- local_irq_enable(); ++ int ret; + /* + * does a slab alloc which can sleep + */ +- if (init_fpu(tsk)) { ++ local_irq_enable(); ++ ret = init_fpu(tsk); ++ local_irq_disable(); ++ if (ret) { + /* + * ran out of memory! + */ +- do_group_exit(SIGKILL); ++ force_sig(SIGKILL); + return; + } +- local_irq_disable(); + } + + grab_fpu(regs); +-- +2.33.0 + diff --git a/queue-5.15/skmsg-lose-offset-info-in-sk_psock_skb_ingress.patch b/queue-5.15/skmsg-lose-offset-info-in-sk_psock_skb_ingress.patch new file mode 100644 index 00000000000..49ae10030ce --- /dev/null +++ b/queue-5.15/skmsg-lose-offset-info-in-sk_psock_skb_ingress.patch @@ -0,0 +1,210 @@ +From ded596fa918f8ef859e2a5f9b9571419b78a328d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 22:12:14 +0800 +Subject: skmsg: Lose offset info in sk_psock_skb_ingress + +From: Liu Jian + +[ Upstream commit 7303524e04af49a47991e19f895c3b8cdc3796c7 ] + +If sockmap enable strparser, there are lose offset info in +sk_psock_skb_ingress(). If the length determined by parse_msg function is not +skb->len, the skb will be converted to sk_msg multiple times, and userspace +app will get the data multiple times. + +Fix this by get the offset and length from strp_msg. And as Cong suggested, +add one bit in skb->_sk_redir to distinguish enable or disable strparser. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Signed-off-by: Liu Jian +Signed-off-by: Daniel Borkmann +Reviewed-by: Cong Wang +Acked-by: John Fastabend +Link: https://lore.kernel.org/bpf/20211029141216.211899-1-liujian56@huawei.com +Signed-off-by: Sasha Levin +--- + include/linux/skmsg.h | 18 ++++++++++++++++-- + net/core/skmsg.c | 43 +++++++++++++++++++++++++++++++++---------- + 2 files changed, 49 insertions(+), 12 deletions(-) + +diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h +index 1ce9a9eb223b6..b4256847c7079 100644 +--- a/include/linux/skmsg.h ++++ b/include/linux/skmsg.h +@@ -509,8 +509,22 @@ static inline bool sk_psock_strp_enabled(struct sk_psock *psock) + + #if IS_ENABLED(CONFIG_NET_SOCK_MSG) + +-/* We only have one bit so far. */ +-#define BPF_F_PTR_MASK ~(BPF_F_INGRESS) ++#define BPF_F_STRPARSER (1UL << 1) ++ ++/* We only have two bits so far. */ ++#define BPF_F_PTR_MASK ~(BPF_F_INGRESS | BPF_F_STRPARSER) ++ ++static inline bool skb_bpf_strparser(const struct sk_buff *skb) ++{ ++ unsigned long sk_redir = skb->_sk_redir; ++ ++ return sk_redir & BPF_F_STRPARSER; ++} ++ ++static inline void skb_bpf_set_strparser(struct sk_buff *skb) ++{ ++ skb->_sk_redir |= BPF_F_STRPARSER; ++} + + static inline bool skb_bpf_ingress(const struct sk_buff *skb) + { +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index a86ef7e844f8c..1ae52ac943f62 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -508,6 +508,7 @@ static struct sk_msg *sk_psock_create_ingress_msg(struct sock *sk, + } + + static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, ++ u32 off, u32 len, + struct sk_psock *psock, + struct sock *sk, + struct sk_msg *msg) +@@ -521,11 +522,11 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, + */ + if (skb_linearize(skb)) + return -EAGAIN; +- num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len); ++ num_sge = skb_to_sgvec(skb, msg->sg.data, off, len); + if (unlikely(num_sge < 0)) + return num_sge; + +- copied = skb->len; ++ copied = len; + msg->sg.start = 0; + msg->sg.size = copied; + msg->sg.end = num_sge; +@@ -536,9 +537,11 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, + return copied; + } + +-static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb); ++static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb, ++ u32 off, u32 len); + +-static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb) ++static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb, ++ u32 off, u32 len) + { + struct sock *sk = psock->sk; + struct sk_msg *msg; +@@ -549,7 +552,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb) + * correctly. + */ + if (unlikely(skb->sk == sk)) +- return sk_psock_skb_ingress_self(psock, skb); ++ return sk_psock_skb_ingress_self(psock, skb, off, len); + msg = sk_psock_create_ingress_msg(sk, skb); + if (!msg) + return -EAGAIN; +@@ -561,7 +564,7 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb) + * into user buffers. + */ + skb_set_owner_r(skb, sk); +- err = sk_psock_skb_ingress_enqueue(skb, psock, sk, msg); ++ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg); + if (err < 0) + kfree(msg); + return err; +@@ -571,7 +574,8 @@ static int sk_psock_skb_ingress(struct sk_psock *psock, struct sk_buff *skb) + * skb. In this case we do not need to check memory limits or skb_set_owner_r + * because the skb is already accounted for here. + */ +-static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb) ++static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb, ++ u32 off, u32 len) + { + struct sk_msg *msg = kzalloc(sizeof(*msg), __GFP_NOWARN | GFP_ATOMIC); + struct sock *sk = psock->sk; +@@ -581,7 +585,7 @@ static int sk_psock_skb_ingress_self(struct sk_psock *psock, struct sk_buff *skb + return -EAGAIN; + sk_msg_init(msg); + skb_set_owner_r(skb, sk); +- err = sk_psock_skb_ingress_enqueue(skb, psock, sk, msg); ++ err = sk_psock_skb_ingress_enqueue(skb, off, len, psock, sk, msg); + if (err < 0) + kfree(msg); + return err; +@@ -595,7 +599,7 @@ static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb, + return -EAGAIN; + return skb_send_sock(psock->sk, skb, off, len); + } +- return sk_psock_skb_ingress(psock, skb); ++ return sk_psock_skb_ingress(psock, skb, off, len); + } + + static void sk_psock_skb_state(struct sk_psock *psock, +@@ -638,6 +642,12 @@ static void sk_psock_backlog(struct work_struct *work) + while ((skb = skb_dequeue(&psock->ingress_skb))) { + len = skb->len; + off = 0; ++ if (skb_bpf_strparser(skb)) { ++ struct strp_msg *stm = strp_msg(skb); ++ ++ off = stm->offset; ++ len = stm->full_len; ++ } + start: + ingress = skb_bpf_ingress(skb); + skb_bpf_redirect_clear(skb); +@@ -877,6 +887,7 @@ static int sk_psock_skb_redirect(struct sk_psock *from, struct sk_buff *skb) + * return code, but then didn't set a redirect interface. + */ + if (unlikely(!sk_other)) { ++ skb_bpf_redirect_clear(skb); + sock_drop(from->sk, skb); + return -EIO; + } +@@ -944,6 +955,7 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb, + { + struct sock *sk_other; + int err = 0; ++ u32 len, off; + + switch (verdict) { + case __SK_PASS: +@@ -951,6 +963,7 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb, + sk_other = psock->sk; + if (sock_flag(sk_other, SOCK_DEAD) || + !sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)) { ++ skb_bpf_redirect_clear(skb); + goto out_free; + } + +@@ -963,7 +976,15 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb, + * retrying later from workqueue. + */ + if (skb_queue_empty(&psock->ingress_skb)) { +- err = sk_psock_skb_ingress_self(psock, skb); ++ len = skb->len; ++ off = 0; ++ if (skb_bpf_strparser(skb)) { ++ struct strp_msg *stm = strp_msg(skb); ++ ++ off = stm->offset; ++ len = stm->full_len; ++ } ++ err = sk_psock_skb_ingress_self(psock, skb, off, len); + } + if (err < 0) { + spin_lock_bh(&psock->ingress_lock); +@@ -1029,6 +1050,8 @@ static void sk_psock_strp_read(struct strparser *strp, struct sk_buff *skb) + skb_dst_drop(skb); + skb_bpf_redirect_clear(skb); + ret = bpf_prog_run_pin_on_cpu(prog, skb); ++ if (ret == SK_PASS) ++ skb_bpf_set_strparser(skb); + ret = sk_psock_map_verd(ret, skb_bpf_redirect_fetch(skb)); + skb->sk = NULL; + } +-- +2.33.0 + diff --git a/queue-5.15/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch b/queue-5.15/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch new file mode 100644 index 00000000000..34fd6fecabc --- /dev/null +++ b/queue-5.15/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch @@ -0,0 +1,55 @@ +From 8259a471a8490c2c87ba934e2984084e47880dff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Aug 2021 23:41:40 -0700 +Subject: smackfs: Fix use-after-free in netlbl_catmap_walk() + +From: Pawan Gupta + +[ Upstream commit 0817534ff9ea809fac1322c5c8c574be8483ea57 ] + +Syzkaller reported use-after-free bug as described in [1]. The bug is +triggered when smk_set_cipso() tries to free stale category bitmaps +while there are concurrent reader(s) using the same bitmaps. + +Wait for RCU grace period to finish before freeing the category bitmaps +in smk_set_cipso(). This makes sure that there are no more readers using +the stale bitmaps and freeing them should be safe. + +[1] https://lore.kernel.org/netdev/000000000000a814c505ca657a4e@google.com/ + +Reported-by: syzbot+3f91de0b813cc3d19a80@syzkaller.appspotmail.com +Signed-off-by: Pawan Gupta +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 3a75d2a8f5178..9d853c0e55b84 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -831,6 +831,7 @@ static int smk_open_cipso(struct inode *inode, struct file *file) + static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + size_t count, loff_t *ppos, int format) + { ++ struct netlbl_lsm_catmap *old_cat; + struct smack_known *skp; + struct netlbl_lsm_secattr ncats; + char mapcatset[SMK_CIPSOLEN]; +@@ -920,9 +921,11 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf, + + rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN); + if (rc >= 0) { +- netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat); ++ old_cat = skp->smk_netlabel.attr.mls.cat; + skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat; + skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; ++ synchronize_rcu(); ++ netlbl_catmap_free(old_cat); + rc = count; + /* + * This mapping may have been cached, so clear the cache. +-- +2.33.0 + diff --git a/queue-5.15/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch b/queue-5.15/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch new file mode 100644 index 00000000000..ebd5abe9207 --- /dev/null +++ b/queue-5.15/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch @@ -0,0 +1,41 @@ +From 1900f7ba93081b9c7dc0b41dac211e2856049f48 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 20:54:31 +0900 +Subject: smackfs: use __GFP_NOFAIL for smk_cipso_doi() + +From: Tetsuo Handa + +[ Upstream commit f91488ee15bd3cac467e2d6a361fc2d34d1052ae ] + +syzbot is reporting kernel panic at smk_cipso_doi() due to memory +allocation fault injection [1]. The reason for need to use panic() was +not explained. But since no fix was proposed for 18 months, for now +let's use __GFP_NOFAIL for utilizing syzbot resource on other bugs. + +Link: https://syzkaller.appspot.com/bug?extid=89731ccb6fec15ce1c22 [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 9d853c0e55b84..89989d28ffc55 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -693,9 +693,7 @@ static void smk_cipso_doi(void) + printk(KERN_WARNING "%s:%d remove rc = %d\n", + __func__, __LINE__, rc); + +- doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL); +- if (doip == NULL) +- panic("smack: Failed to initialize cipso DOI.\n"); ++ doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL); + doip->map.std = NULL; + doip->doi = smk_cipso_doi_value; + doip->type = CIPSO_V4_MAP_PASS; +-- +2.33.0 + diff --git a/queue-5.15/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch b/queue-5.15/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch new file mode 100644 index 00000000000..6850c9f4595 --- /dev/null +++ b/queue-5.15/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch @@ -0,0 +1,41 @@ +From 89ddc50b3b7f883786ff6da17add4003489ec369 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 20:27:26 +0900 +Subject: smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi + +From: Tetsuo Handa + +[ Upstream commit 0934ad42bb2c5df90a1b9de690f93de735b622fe ] + +syzbot is reporting UAF at cipso_v4_doi_search() [1], for smk_cipso_doi() +is calling kfree() without removing from the cipso_v4_doi_list list after +netlbl_cfg_cipsov4_map_add() returned an error. We need to use +netlbl_cfg_cipsov4_del() in order to remove from the list and wait for +RCU grace period before kfree(). + +Link: https://syzkaller.appspot.com/bug?extid=93dba5b91f0fed312cbd [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Fixes: 6c2e8ac0953fccdd ("netlabel: Update kernel configuration API") +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 89989d28ffc55..658eab05599e6 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -712,7 +712,7 @@ static void smk_cipso_doi(void) + if (rc != 0) { + printk(KERN_WARNING "%s:%d map add rc = %d\n", + __func__, __LINE__, rc); +- kfree(doip); ++ netlbl_cfg_cipsov4_del(doip->doi, &nai); + return; + } + } +-- +2.33.0 + diff --git a/queue-5.15/soc-fsl-dpaa2-console-free-buffer-before-returning-f.patch b/queue-5.15/soc-fsl-dpaa2-console-free-buffer-before-returning-f.patch new file mode 100644 index 00000000000..281b8200b67 --- /dev/null +++ b/queue-5.15/soc-fsl-dpaa2-console-free-buffer-before-returning-f.patch @@ -0,0 +1,38 @@ +From e5d6e9c9802aec8bc2473822e7c0e560cf793069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 12:01:51 +0300 +Subject: soc: fsl: dpaa2-console: free buffer before returning from + dpaa2_console_read + +From: Robert-Ionut Alexa + +[ Upstream commit 8120bd469f5525da229953c1197f2b826c0109f4 ] + +Free the kbuf buffer before returning from the dpaa2_console_read() +function. The variable no longer goes out of scope, leaking the storage +it points to. + +Fixes: c93349d8c170 ("soc: fsl: add DPAA2 console support") +Signed-off-by: Robert-Ionut Alexa +Signed-off-by: Ioana Ciornei +Signed-off-by: Li Yang +Signed-off-by: Sasha Levin +--- + drivers/soc/fsl/dpaa2-console.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/soc/fsl/dpaa2-console.c b/drivers/soc/fsl/dpaa2-console.c +index 27243f706f376..53917410f2bdb 100644 +--- a/drivers/soc/fsl/dpaa2-console.c ++++ b/drivers/soc/fsl/dpaa2-console.c +@@ -231,6 +231,7 @@ static ssize_t dpaa2_console_read(struct file *fp, char __user *buf, + cd->cur_ptr += bytes; + written += bytes; + ++ kfree(kbuf); + return written; + + err_free_buf: +-- +2.33.0 + diff --git a/queue-5.15/soc-qcom-apr-add-of_node_put-before-return.patch b/queue-5.15/soc-qcom-apr-add-of_node_put-before-return.patch new file mode 100644 index 00000000000..368b7918ca0 --- /dev/null +++ b/queue-5.15/soc-qcom-apr-add-of_node_put-before-return.patch @@ -0,0 +1,48 @@ +From 59a0d42b7a1a452a6415aaed0a7283e22607a825 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 04:30:17 -0400 +Subject: soc: qcom: apr: Add of_node_put() before return + +From: Wan Jiabing + +[ Upstream commit 72f1aa6205d84337b90b065f602a8fe190821781 ] + +Fix following coccicheck warning: + +./drivers/soc/qcom/apr.c:485:1-23: WARNING: Function +for_each_child_of_node should have of_node_put() before return + +Early exits from for_each_child_of_node should decrement the +node reference counter. + +Fixes: 834735662602 ("soc: qcom: apr: Add avs/audio tracking functionality") +Signed-off-by: Wan Jiabing +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211014083017.19714-1-wanjiabing@vivo.com +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/apr.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c +index 475a57b435b24..2e455d9e3d94a 100644 +--- a/drivers/soc/qcom/apr.c ++++ b/drivers/soc/qcom/apr.c +@@ -321,12 +321,14 @@ static int of_apr_add_pd_lookups(struct device *dev) + 1, &service_path); + if (ret < 0) { + dev_err(dev, "pdr service path missing: %d\n", ret); ++ of_node_put(node); + return ret; + } + + pds = pdr_add_lookup(apr->pdr, service_name, service_path); + if (IS_ERR(pds) && PTR_ERR(pds) != -EALREADY) { + dev_err(dev, "pdr add lookup failed: %ld\n", PTR_ERR(pds)); ++ of_node_put(node); + return PTR_ERR(pds); + } + } +-- +2.33.0 + diff --git a/queue-5.15/soc-qcom-llcc-disable-mmuhwt-retention.patch b/queue-5.15/soc-qcom-llcc-disable-mmuhwt-retention.patch new file mode 100644 index 00000000000..4b3ad93b360 --- /dev/null +++ b/queue-5.15/soc-qcom-llcc-disable-mmuhwt-retention.patch @@ -0,0 +1,38 @@ +From 6c0ccacdcff772c98c826a1473c02d315296cd62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 11:29:42 +0530 +Subject: soc: qcom: llcc: Disable MMUHWT retention + +From: Naina Mehta + +[ Upstream commit 3a461009e195c3c17f6af73da310b886991309fd ] + +Disable MMUHWT retention for SC7280 as done for other platforms +to avoid more power burn. + +Fixes: f6a07be63301 ("soc: qcom: llcc: Add configuration data for SC7280") +Signed-off-by: Naina Mehta +Signed-off-by: Sai Prakash Ranjan +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20210921055942.30600-1-saiprakash.ranjan@codeaurora.org +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/llcc-qcom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/llcc-qcom.c b/drivers/soc/qcom/llcc-qcom.c +index 15a36dcab990e..e53109a5c3da9 100644 +--- a/drivers/soc/qcom/llcc-qcom.c ++++ b/drivers/soc/qcom/llcc-qcom.c +@@ -115,7 +115,7 @@ static const struct llcc_slice_config sc7280_data[] = { + { LLCC_CMPT, 10, 768, 1, 1, 0x3f, 0x0, 0, 0, 0, 1, 0, 0}, + { LLCC_GPUHTW, 11, 256, 1, 1, 0x3f, 0x0, 0, 0, 0, 1, 0, 0}, + { LLCC_GPU, 12, 512, 1, 0, 0x3f, 0x0, 0, 0, 0, 1, 0, 0}, +- { LLCC_MMUHWT, 13, 256, 1, 1, 0x3f, 0x0, 0, 0, 0, 1, 1, 0}, ++ { LLCC_MMUHWT, 13, 256, 1, 1, 0x3f, 0x0, 0, 0, 0, 0, 1, 0}, + { LLCC_MDMPNG, 21, 768, 0, 1, 0x3f, 0x0, 0, 0, 0, 1, 0, 0}, + { LLCC_WLHW, 24, 256, 1, 1, 0x3f, 0x0, 0, 0, 0, 1, 0, 0}, + { LLCC_MODPE, 29, 64, 1, 1, 0x3f, 0x0, 0, 0, 0, 1, 0, 0}, +-- +2.33.0 + diff --git a/queue-5.15/soc-qcom-rpmhpd-fix-sm8350_mxc-s-peer-domain.patch b/queue-5.15/soc-qcom-rpmhpd-fix-sm8350_mxc-s-peer-domain.patch new file mode 100644 index 00000000000..9085f9df621 --- /dev/null +++ b/queue-5.15/soc-qcom-rpmhpd-fix-sm8350_mxc-s-peer-domain.patch @@ -0,0 +1,38 @@ +From b73fb71e94aac1c777fcf67f84352754aaf62963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 04:26:39 +0300 +Subject: soc: qcom: rpmhpd: fix sm8350_mxc's peer domain + +From: Dmitry Baryshkov + +[ Upstream commit 086f52fdc8f7bd273d06a3de2adf65a063eb5392 ] + +The sm8350_mxc's domain description incorrectly references +sm8150_mmcx_ao as a peer instead of sm8350_mxc_ao. Correct this typo. + +Fixes: 639c85628757 ("soc: qcom: rpmhpd: Add SM8350 power domains") +Cc: Vinod Koul +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211020012639.1183806-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/rpmhpd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/qcom/rpmhpd.c b/drivers/soc/qcom/rpmhpd.c +index a46735cec3f0f..d98cc8c2e5d5c 100644 +--- a/drivers/soc/qcom/rpmhpd.c ++++ b/drivers/soc/qcom/rpmhpd.c +@@ -206,7 +206,7 @@ static const struct rpmhpd_desc sm8250_desc = { + static struct rpmhpd sm8350_mxc_ao; + static struct rpmhpd sm8350_mxc = { + .pd = { .name = "mxc", }, +- .peer = &sm8150_mmcx_ao, ++ .peer = &sm8350_mxc_ao, + .res_name = "mxc.lvl", + }; + +-- +2.33.0 + diff --git a/queue-5.15/soc-qcom-rpmhpd-make-power_on-actually-enable-the-do.patch b/queue-5.15/soc-qcom-rpmhpd-make-power_on-actually-enable-the-do.patch new file mode 100644 index 00000000000..58ebeae3ce4 --- /dev/null +++ b/queue-5.15/soc-qcom-rpmhpd-make-power_on-actually-enable-the-do.patch @@ -0,0 +1,102 @@ +From 64319f2239e1b42ae76cd8b4393bf4bc65f325d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 4 Oct 2021 20:37:32 -0700 +Subject: soc: qcom: rpmhpd: Make power_on actually enable the domain + +From: Bjorn Andersson + +[ Upstream commit e3e56c050ab6e3f1bd811f0787f50709017543e4 ] + +The general expectation is that powering on a power-domain should make +the power domain deliver some power, and if a specific performance state +is needed further requests has to be made. + +But in contrast with other power-domain implementations (e.g. rpmpd) the +RPMh does not have an interface to enable the power, so the driver has +to vote for a particular corner (performance level) in rpmh_power_on(). + +But the corner is never initialized, so a typical request to simply +enable the power domain would not actually turn on the hardware. Further +more, when no more clients vote for a performance state (i.e. the +aggregated vote is 0) the power domain would be turned off. + +Fix both of these issues by always voting for a corner with non-zero +value, when the power domain is enabled. + +The tracking of the lowest non-zero corner is performed to handle the +corner case if there's ever a domain with a non-zero lowest corner, in +which case both rpmh_power_on() and rpmh_rpmhpd_set_performance_state() +would be allowed to use this lowest corner. + +Fixes: 279b7e8a62cc ("soc: qcom: rpmhpd: Add RPMh power domain driver") +Signed-off-by: Bjorn Andersson +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/20211005033732.2284447-1-bjorn.andersson@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/rpmhpd.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/soc/qcom/rpmhpd.c b/drivers/soc/qcom/rpmhpd.c +index fa209b479ab35..a46735cec3f0f 100644 +--- a/drivers/soc/qcom/rpmhpd.c ++++ b/drivers/soc/qcom/rpmhpd.c +@@ -30,6 +30,7 @@ + * @active_only: True if it represents an Active only peer + * @corner: current corner + * @active_corner: current active corner ++ * @enable_corner: lowest non-zero corner + * @level: An array of level (vlvl) to corner (hlvl) mappings + * derived from cmd-db + * @level_count: Number of levels supported by the power domain. max +@@ -47,6 +48,7 @@ struct rpmhpd { + const bool active_only; + unsigned int corner; + unsigned int active_corner; ++ unsigned int enable_corner; + u32 level[RPMH_ARC_MAX_LEVELS]; + size_t level_count; + bool enabled; +@@ -385,13 +387,13 @@ static int rpmhpd_aggregate_corner(struct rpmhpd *pd, unsigned int corner) + static int rpmhpd_power_on(struct generic_pm_domain *domain) + { + struct rpmhpd *pd = domain_to_rpmhpd(domain); +- int ret = 0; ++ unsigned int corner; ++ int ret; + + mutex_lock(&rpmhpd_lock); + +- if (pd->corner) +- ret = rpmhpd_aggregate_corner(pd, pd->corner); +- ++ corner = max(pd->corner, pd->enable_corner); ++ ret = rpmhpd_aggregate_corner(pd, corner); + if (!ret) + pd->enabled = true; + +@@ -436,6 +438,10 @@ static int rpmhpd_set_performance_state(struct generic_pm_domain *domain, + i--; + + if (pd->enabled) { ++ /* Ensure that the domain isn't turn off */ ++ if (i < pd->enable_corner) ++ i = pd->enable_corner; ++ + ret = rpmhpd_aggregate_corner(pd, i); + if (ret) + goto out; +@@ -472,6 +478,10 @@ static int rpmhpd_update_level_mapping(struct rpmhpd *rpmhpd) + for (i = 0; i < rpmhpd->level_count; i++) { + rpmhpd->level[i] = buf[i]; + ++ /* Remember the first corner with non-zero level */ ++ if (!rpmhpd->level[rpmhpd->enable_corner] && rpmhpd->level[i]) ++ rpmhpd->enable_corner = i; ++ + /* + * The AUX data may be zero padded. These 0 valued entries at + * the end of the map must be ignored. +-- +2.33.0 + diff --git a/queue-5.15/soc-qcom-socinfo-add-two-missing-pmic-ids.patch b/queue-5.15/soc-qcom-socinfo-add-two-missing-pmic-ids.patch new file mode 100644 index 00000000000..a4b11f4d2c7 --- /dev/null +++ b/queue-5.15/soc-qcom-socinfo-add-two-missing-pmic-ids.patch @@ -0,0 +1,39 @@ +From 743c58ad06a6ecf11f381a6218f45680bb534219 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 22:06:07 +0300 +Subject: soc: qcom: socinfo: add two missing PMIC IDs + +From: Dmitry Baryshkov + +[ Upstream commit 2fae3ecc70405b72ea6c923b216d34547559d6a9 ] + +Add IDs for PMK8001 and PMI8996. They also fall in the list of +'duplicated' IDs, where the same index was used for multiple chips. + +Fixes: 7fda2b0bfbd9 ("soc: qcom: socinfo: import PMIC IDs from pmic-spmi") +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211016190607.49866-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/soc/qcom/socinfo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/soc/qcom/socinfo.c b/drivers/soc/qcom/socinfo.c +index 52e5811671155..5beb452f24013 100644 +--- a/drivers/soc/qcom/socinfo.c ++++ b/drivers/soc/qcom/socinfo.c +@@ -87,8 +87,8 @@ static const char *const pmic_models[] = { + [15] = "PM8901", + [16] = "PM8950/PM8027", + [17] = "PMI8950/ISL9519", +- [18] = "PM8921", +- [19] = "PM8018", ++ [18] = "PMK8001/PM8921", ++ [19] = "PMI8996/PM8018", + [20] = "PM8998/PM8015", + [21] = "PMI8998/PM8014", + [22] = "PM8821", +-- +2.33.0 + diff --git a/queue-5.15/soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch b/queue-5.15/soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch new file mode 100644 index 00000000000..d1adc1501a8 --- /dev/null +++ b/queue-5.15/soc-tegra-fix-an-error-handling-path-in-tegra_powerg.patch @@ -0,0 +1,41 @@ +From 9fbe4994549bf0fb52c560c0e27cd71b47ddbaa7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Jun 2021 17:54:31 +0200 +Subject: soc/tegra: Fix an error handling path in tegra_powergate_power_up() + +From: Christophe JAILLET + +[ Upstream commit 986b5094708e508baa452a23ffe809870934a7df ] + +If an error occurs after a successful tegra_powergate_enable_clocks() +call, it must be undone by a tegra_powergate_disable_clocks() call, as +already done in the below and above error handling paths of this function. + +Update the 'goto' to branch at the correct place of the error handling +path. + +Fixes: a38045121bf4 ("soc/tegra: pmc: Add generic PM domain support") +Signed-off-by: Christophe JAILLET +Reviewed-by: Jon Hunter +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/pmc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/tegra/pmc.c b/drivers/soc/tegra/pmc.c +index 50091c4ec9481..a60e142ade344 100644 +--- a/drivers/soc/tegra/pmc.c ++++ b/drivers/soc/tegra/pmc.c +@@ -782,7 +782,7 @@ static int tegra_powergate_power_up(struct tegra_powergate *pg, + + err = reset_control_deassert(pg->reset); + if (err) +- goto powergate_off; ++ goto disable_clks; + + usleep_range(10, 20); + +-- +2.33.0 + diff --git a/queue-5.15/soundwire-bus-stop-dereferencing-invalid-slave-point.patch b/queue-5.15/soundwire-bus-stop-dereferencing-invalid-slave-point.patch new file mode 100644 index 00000000000..c404ac742b9 --- /dev/null +++ b/queue-5.15/soundwire-bus-stop-dereferencing-invalid-slave-point.patch @@ -0,0 +1,55 @@ +From 679e6dfbfde95757121f29e5982938a24240e635 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 11:15:21 +0100 +Subject: soundwire: bus: stop dereferencing invalid slave pointer + +From: Srinivas Kandagatla + +[ Upstream commit 4cbbe74d906be0bcffbe1e74b43a00f99626a69c ] + +Slave pointer is invalid after end of list iteration, using this +would result in below Memory abort. + +Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004 +... +Call trace: + __dev_printk+0x34/0x7c + _dev_warn+0x6c/0x90 + sdw_bus_exit_clk_stop+0x194/0x1d0 + swrm_runtime_resume+0x13c/0x238 + pm_generic_runtime_resume+0x2c/0x48 + __rpm_callback+0x44/0x150 + rpm_callback+0x6c/0x78 + rpm_resume+0x314/0x558 + rpm_resume+0x378/0x558 + rpm_resume+0x378/0x558 + __pm_runtime_resume+0x3c/0x88 + +Use bus->dev instead to print this error message. + +Fixes: b50bb8ba369cd ("soundwire: bus: handle -ENODATA errors in clock stop/start sequences") +Signed-off-by: Srinivas Kandagatla +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20211012101521.32087-1-srinivas.kandagatla@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c +index 1b115734a8f6b..67369e941d0d6 100644 +--- a/drivers/soundwire/bus.c ++++ b/drivers/soundwire/bus.c +@@ -1110,7 +1110,7 @@ int sdw_bus_exit_clk_stop(struct sdw_bus *bus) + if (!simple_clk_stop) { + ret = sdw_bus_wait_for_clk_prep_deprep(bus, SDW_BROADCAST_DEV_NUM); + if (ret < 0) +- dev_warn(&slave->dev, "clock stop deprepare wait failed:%d\n", ret); ++ dev_warn(bus->dev, "clock stop deprepare wait failed:%d\n", ret); + } + + list_for_each_entry(slave, &bus->slaves, node) { +-- +2.33.0 + diff --git a/queue-5.15/soundwire-debugfs-use-controller-id-and-link_id-for-.patch b/queue-5.15/soundwire-debugfs-use-controller-id-and-link_id-for-.patch new file mode 100644 index 00000000000..a34c7d39410 --- /dev/null +++ b/queue-5.15/soundwire-debugfs-use-controller-id-and-link_id-for-.patch @@ -0,0 +1,43 @@ +From 2acd4d3edc3201ce787d90748129c2409cd2d868 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Sep 2021 11:53:32 +0100 +Subject: soundwire: debugfs: use controller id and link_id for debugfs + +From: Srinivas Kandagatla + +[ Upstream commit 75eac387a2539aa6c6bbee3affa23435f2096396 ] + +link_id can be zero and if we have multiple controller instances +in a system like Qualcomm debugfs will end-up with duplicate namespace +resulting in incorrect debugfs entries. + +Using bus-id and link-id combination should give a unique debugfs directory +entry and should fix below warning too. +"debugfs: Directory 'master-0' with parent 'soundwire' already present!" + +Fixes: bf03473d5bcc ("soundwire: add debugfs support") +Signed-off-by: Srinivas Kandagatla +Reviewed-by: Pierre-Louis Bossart +Link: https://lore.kernel.org/r/20210907105332.1257-1-srinivas.kandagatla@linaro.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/soundwire/debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soundwire/debugfs.c b/drivers/soundwire/debugfs.c +index b6cad0d59b7b9..49900cd207bc7 100644 +--- a/drivers/soundwire/debugfs.c ++++ b/drivers/soundwire/debugfs.c +@@ -19,7 +19,7 @@ void sdw_bus_debugfs_init(struct sdw_bus *bus) + return; + + /* create the debugfs master-N */ +- snprintf(name, sizeof(name), "master-%d", bus->link_id); ++ snprintf(name, sizeof(name), "master-%d-%d", bus->id, bus->link_id); + bus->debugfs = debugfs_create_dir(name, sdw_debugfs_root); + } + +-- +2.33.0 + diff --git a/queue-5.15/sparc-add-missing-force-target-when-using-if_changed.patch b/queue-5.15/sparc-add-missing-force-target-when-using-if_changed.patch new file mode 100644 index 00000000000..1202e545298 --- /dev/null +++ b/queue-5.15/sparc-add-missing-force-target-when-using-if_changed.patch @@ -0,0 +1,65 @@ +From 16195fe5fcd1c5426bc373fb087ef2e572be34ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Sep 2021 14:54:18 -0700 +Subject: sparc: Add missing "FORCE" target when using if_changed + +From: Kees Cook + +[ Upstream commit a3c7ca2b141b9735eb383246e966a4f4322e3e65 ] + +Fix observed warning: + + /builds/linux/arch/sparc/boot/Makefile:35: FORCE prerequisite is missing + +Fixes: e1f86d7b4b2a ("kbuild: warn if FORCE is missing for if_changed(_dep,_rule) and filechk") +Signed-off-by: Kees Cook +Acked-by: Nicolas Schier +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + arch/sparc/boot/Makefile | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/sparc/boot/Makefile b/arch/sparc/boot/Makefile +index 849236d4eca48..45e5c76d449ea 100644 +--- a/arch/sparc/boot/Makefile ++++ b/arch/sparc/boot/Makefile +@@ -22,7 +22,7 @@ ifeq ($(CONFIG_SPARC64),y) + + # Actual linking + +-$(obj)/zImage: $(obj)/image ++$(obj)/zImage: $(obj)/image FORCE + $(call if_changed,gzip) + @echo ' kernel: $@ is ready' + +@@ -31,7 +31,7 @@ $(obj)/vmlinux.aout: vmlinux FORCE + @echo ' kernel: $@ is ready' + else + +-$(obj)/zImage: $(obj)/image ++$(obj)/zImage: $(obj)/image FORCE + $(call if_changed,strip) + @echo ' kernel: $@ is ready' + +@@ -44,7 +44,7 @@ OBJCOPYFLAGS_image.bin := -S -O binary -R .note -R .comment + $(obj)/image.bin: $(obj)/image FORCE + $(call if_changed,objcopy) + +-$(obj)/image.gz: $(obj)/image.bin ++$(obj)/image.gz: $(obj)/image.bin FORCE + $(call if_changed,gzip) + + UIMAGE_LOADADDR = $(CONFIG_UBOOT_LOAD_ADDR) +@@ -56,7 +56,7 @@ quiet_cmd_uimage.o = UIMAGE.O $@ + -r -b binary $@ -o $@.o + + targets += uImage +-$(obj)/uImage: $(obj)/image.gz ++$(obj)/uImage: $(obj)/image.gz FORCE + $(call if_changed,uimage) + $(call if_changed,uimage.o) + @echo ' Image $@ is ready' +-- +2.33.0 + diff --git a/queue-5.15/spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch b/queue-5.15/spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch new file mode 100644 index 00000000000..00f7969ff77 --- /dev/null +++ b/queue-5.15/spi-bcm-qspi-fix-missing-clk_disable_unprepare-on-er.patch @@ -0,0 +1,55 @@ +From 09b1e23651fc48a72f7b2a47a21f71d908c3a1c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 15:34:13 +0800 +Subject: spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in + bcm_qspi_probe() + +From: Yang Yingliang + +[ Upstream commit ca9b8f56ec089d3a436050afefd17b7237301f47 ] + +Fix the missing clk_disable_unprepare() before return +from bcm_qspi_probe() in the error handling case. + +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211018073413.2029081-1-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm-qspi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c +index 3043677ba2226..ea1865c08fc22 100644 +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -1460,7 +1460,7 @@ int bcm_qspi_probe(struct platform_device *pdev, + &qspi->dev_ids[val]); + if (ret < 0) { + dev_err(&pdev->dev, "IRQ %s not found\n", name); +- goto qspi_probe_err; ++ goto qspi_unprepare_err; + } + + qspi->dev_ids[val].dev = qspi; +@@ -1475,7 +1475,7 @@ int bcm_qspi_probe(struct platform_device *pdev, + if (!num_ints) { + dev_err(&pdev->dev, "no IRQs registered, cannot init driver\n"); + ret = -EINVAL; +- goto qspi_probe_err; ++ goto qspi_unprepare_err; + } + + bcm_qspi_hw_init(qspi); +@@ -1499,6 +1499,7 @@ int bcm_qspi_probe(struct platform_device *pdev, + + qspi_reg_err: + bcm_qspi_hw_uninit(qspi); ++qspi_unprepare_err: + clk_disable_unprepare(qspi->clk); + qspi_probe_err: + kfree(qspi->dev_ids); +-- +2.33.0 + diff --git a/queue-5.15/spi-check-we-have-a-spi_device_id-for-each-dt-compat.patch b/queue-5.15/spi-check-we-have-a-spi_device_id-for-each-dt-compat.patch new file mode 100644 index 00000000000..c367e4c9f0a --- /dev/null +++ b/queue-5.15/spi-check-we-have-a-spi_device_id-for-each-dt-compat.patch @@ -0,0 +1,91 @@ +From 9061823268e9d3129381040bd9e568cd34fba755 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Sep 2021 20:21:49 +0100 +Subject: spi: Check we have a spi_device_id for each DT compatible + +From: Mark Brown + +[ Upstream commit 5fa6863ba69265cb7e45567d12614790ff26bd56 ] + +Currently for SPI devices we use the spi_device_id for module autoloading +even on systems using device tree, meaning that listing a compatible string +in the of_match_table isn't enough to have the module for a SPI driver +autoloaded. + +We attempted to fix this by generating OF based modaliases for devices +instantiated from DT in 3ce6c9e2617e ("spi: add of_device_uevent_modalias +support") but this meant we no longer reported spi_device_id based aliases +which broke drivers such as spi-nor which don't list all the compatible +strings they support directly for DT, and in at least that case it's not +super practical to do so given the very large number of compatibles +needed, much larger than the number spi_device_ids due to vendor strings. +As a result fell back to using spi_device_id based modalises. + +Try to close the gap by printing a warning when a SPI driver has a DT +compatible that won't be matched as a SPI device ID with the goal of having +drivers provide both. Given fallback compatibles this check is going to be +excessive but it should be robust which is probably more important here. + +Signed-off-by: Mark Brown +Link: https://lore.kernel.org/r/20210921192149.50740-1-broonie@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi.c | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c +index 926b68aa45d3e..2a2f41b6df685 100644 +--- a/drivers/spi/spi.c ++++ b/drivers/spi/spi.c +@@ -451,6 +451,47 @@ int __spi_register_driver(struct module *owner, struct spi_driver *sdrv) + { + sdrv->driver.owner = owner; + sdrv->driver.bus = &spi_bus_type; ++ ++ /* ++ * For Really Good Reasons we use spi: modaliases not of: ++ * modaliases for DT so module autoloading won't work if we ++ * don't have a spi_device_id as well as a compatible string. ++ */ ++ if (sdrv->driver.of_match_table) { ++ const struct of_device_id *of_id; ++ ++ for (of_id = sdrv->driver.of_match_table; of_id->compatible[0]; ++ of_id++) { ++ const char *of_name; ++ ++ /* Strip off any vendor prefix */ ++ of_name = strnchr(of_id->compatible, ++ sizeof(of_id->compatible), ','); ++ if (of_name) ++ of_name++; ++ else ++ of_name = of_id->compatible; ++ ++ if (sdrv->id_table) { ++ const struct spi_device_id *spi_id; ++ ++ for (spi_id = sdrv->id_table; spi_id->name[0]; ++ spi_id++) ++ if (strcmp(spi_id->name, of_name) == 0) ++ break; ++ ++ if (spi_id->name[0]) ++ continue; ++ } else { ++ if (strcmp(sdrv->driver.name, of_name) == 0) ++ continue; ++ } ++ ++ pr_warn("SPI driver %s has no spi_device_id for %s\n", ++ sdrv->driver.name, of_id->compatible); ++ } ++ } ++ + return driver_register(&sdrv->driver); + } + EXPORT_SYMBOL_GPL(__spi_register_driver); +-- +2.33.0 + diff --git a/queue-5.15/spi-fixed-division-by-zero-warning.patch b/queue-5.15/spi-fixed-division-by-zero-warning.patch new file mode 100644 index 00000000000..dcd16fc4bf8 --- /dev/null +++ b/queue-5.15/spi-fixed-division-by-zero-warning.patch @@ -0,0 +1,82 @@ +From 77ac3347f0be4465ffba5b2b9e51fb4a1f15c8ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 05:29:12 +0000 +Subject: spi: Fixed division by zero warning + +From: Yoshitaka Ikeda + +[ Upstream commit 09134c5322df9f105d9ed324051872d5d0e162aa ] + +The reason for dividing by zero is because the dummy bus width is zero, +but if the dummy n bytes is zero, it indicates that there is no data transfer, +so there is no need for calculation. + +Fixes: 7512eaf54190 ("spi: cadence-quadspi: Fix dummy cycle calculation when buswidth > 1") +Signed-off-by: Yoshitaka Ikeda +Acked-by: Pratyush Yadav +Link: https://lore.kernel.org/r/OSZPR01MB70049C8F56ED8902852DF97B8BD49@OSZPR01MB7004.jpnprd01.prod.outlook.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/atmel-quadspi.c | 2 +- + drivers/spi/spi-bcm-qspi.c | 3 ++- + drivers/spi/spi-mtk-nor.c | 2 +- + drivers/spi/spi-stm32-qspi.c | 2 +- + 4 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/spi/atmel-quadspi.c b/drivers/spi/atmel-quadspi.c +index 95d4fa32c2995..92d9610df1fd8 100644 +--- a/drivers/spi/atmel-quadspi.c ++++ b/drivers/spi/atmel-quadspi.c +@@ -310,7 +310,7 @@ static int atmel_qspi_set_cfg(struct atmel_qspi *aq, + return mode; + ifr |= atmel_qspi_modes[mode].config; + +- if (op->dummy.buswidth && op->dummy.nbytes) ++ if (op->dummy.nbytes) + dummy_cycles = op->dummy.nbytes * 8 / op->dummy.buswidth; + + /* +diff --git a/drivers/spi/spi-bcm-qspi.c b/drivers/spi/spi-bcm-qspi.c +index ea1865c08fc22..151e154284bde 100644 +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -395,7 +395,8 @@ static int bcm_qspi_bspi_set_flex_mode(struct bcm_qspi *qspi, + if (addrlen == BSPI_ADDRLEN_4BYTES) + bpp = BSPI_BPP_ADDR_SELECT_MASK; + +- bpp |= (op->dummy.nbytes * 8) / op->dummy.buswidth; ++ if (op->dummy.nbytes) ++ bpp |= (op->dummy.nbytes * 8) / op->dummy.buswidth; + + switch (width) { + case SPI_NBITS_SINGLE: +diff --git a/drivers/spi/spi-mtk-nor.c b/drivers/spi/spi-mtk-nor.c +index 41e7b341d2616..5c93730615f8d 100644 +--- a/drivers/spi/spi-mtk-nor.c ++++ b/drivers/spi/spi-mtk-nor.c +@@ -160,7 +160,7 @@ static bool mtk_nor_match_read(const struct spi_mem_op *op) + { + int dummy = 0; + +- if (op->dummy.buswidth) ++ if (op->dummy.nbytes) + dummy = op->dummy.nbytes * BITS_PER_BYTE / op->dummy.buswidth; + + if ((op->data.buswidth == 2) || (op->data.buswidth == 4)) { +diff --git a/drivers/spi/spi-stm32-qspi.c b/drivers/spi/spi-stm32-qspi.c +index 27f35aa2d746d..514337c86d2c3 100644 +--- a/drivers/spi/spi-stm32-qspi.c ++++ b/drivers/spi/spi-stm32-qspi.c +@@ -397,7 +397,7 @@ static int stm32_qspi_send(struct spi_mem *mem, const struct spi_mem_op *op) + ccr |= FIELD_PREP(CCR_ADSIZE_MASK, op->addr.nbytes - 1); + } + +- if (op->dummy.buswidth && op->dummy.nbytes) ++ if (op->dummy.nbytes) + ccr |= FIELD_PREP(CCR_DCYC_MASK, + op->dummy.nbytes * 8 / op->dummy.buswidth); + +-- +2.33.0 + diff --git a/queue-5.15/spi-spi-rpc-if-check-return-value-of-rpcif_sw_init.patch b/queue-5.15/spi-spi-rpc-if-check-return-value-of-rpcif_sw_init.patch new file mode 100644 index 00000000000..0ffb56cabf7 --- /dev/null +++ b/queue-5.15/spi-spi-rpc-if-check-return-value-of-rpcif_sw_init.patch @@ -0,0 +1,42 @@ +From e1fcb3a03e94116ced2324533e326fc5d2b533c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 21:56:27 +0100 +Subject: spi: spi-rpc-if: Check return value of rpcif_sw_init() + +From: Lad Prabhakar + +[ Upstream commit 0b0a281ed7001d4c4f4c47bdc84680c4997761ca ] + +rpcif_sw_init() can fail so make sure we check the return value +of it and on error exit rpcif_spi_probe() callback with error code. + +Fixes: eb8d6d464a27 ("spi: add Renesas RPC-IF driver") +Signed-off-by: Lad Prabhakar +Reviewed-by: Biju Das +Reviewed-by: Wolfram Sang +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20211025205631.21151-4-prabhakar.mahadev-lad.rj@bp.renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-rpc-if.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-rpc-if.c b/drivers/spi/spi-rpc-if.c +index c53138ce00309..83796a4ead34a 100644 +--- a/drivers/spi/spi-rpc-if.c ++++ b/drivers/spi/spi-rpc-if.c +@@ -139,7 +139,9 @@ static int rpcif_spi_probe(struct platform_device *pdev) + return -ENOMEM; + + rpc = spi_controller_get_devdata(ctlr); +- rpcif_sw_init(rpc, parent); ++ error = rpcif_sw_init(rpc, parent); ++ if (error) ++ return error; + + platform_set_drvdata(pdev, ctlr); + +-- +2.33.0 + diff --git a/queue-5.15/staging-ks7010-select-crypto_hash-crypto_michael_mic.patch b/queue-5.15/staging-ks7010-select-crypto_hash-crypto_michael_mic.patch new file mode 100644 index 00000000000..4559e8ebf5f --- /dev/null +++ b/queue-5.15/staging-ks7010-select-crypto_hash-crypto_michael_mic.patch @@ -0,0 +1,47 @@ +From 56f39ef0d7d2fa75b9d06915af353fb8701a72ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 17:29:41 +0200 +Subject: staging: ks7010: select CRYPTO_HASH/CRYPTO_MICHAEL_MIC + +From: Vegard Nossum + +[ Upstream commit 9ca0e55e52c7b2a99f3c2051fc4bd1c63a061519 ] + +Fix the following build/link errors: + + ld: drivers/staging/ks7010/ks_hostif.o: in function `michael_mic.constprop.0': + ks_hostif.c:(.text+0x95b): undefined reference to `crypto_alloc_shash' + ld: ks_hostif.c:(.text+0x97a): undefined reference to `crypto_shash_setkey' + ld: ks_hostif.c:(.text+0xa13): undefined reference to `crypto_shash_update' + ld: ks_hostif.c:(.text+0xa28): undefined reference to `crypto_shash_update' + ld: ks_hostif.c:(.text+0xa48): undefined reference to `crypto_shash_finup' + ld: ks_hostif.c:(.text+0xa6d): undefined reference to `crypto_destroy_tfm' + +Fixes: 8b523f20417d ("staging: ks7010: removed custom Michael MIC implementation.") +Fixes: 3e5bc68fa5968 ("staging: ks7010: Fix build error") +Fixes: a4961427e7494 ("Revert "staging: ks7010: Fix build error"") +Signed-off-by: Vegard Nossum +Link: https://lore.kernel.org/r/20211011152941.12847-1-vegard.nossum@oracle.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/ks7010/Kconfig | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/staging/ks7010/Kconfig b/drivers/staging/ks7010/Kconfig +index 0987fdc2f70db..8ea6c09286798 100644 +--- a/drivers/staging/ks7010/Kconfig ++++ b/drivers/staging/ks7010/Kconfig +@@ -5,6 +5,9 @@ config KS7010 + select WIRELESS_EXT + select WEXT_PRIV + select FW_LOADER ++ select CRYPTO ++ select CRYPTO_HASH ++ select CRYPTO_MICHAEL_MIC + help + This is a driver for KeyStream KS7010 based SDIO WIFI cards. It is + found on at least later Spectec SDW-821 (FCC-ID "S2Y-WLAN-11G-K" only, +-- +2.33.0 + diff --git a/queue-5.15/staging-most-dim2-do-not-double-register-the-same-de.patch b/queue-5.15/staging-most-dim2-do-not-double-register-the-same-de.patch new file mode 100644 index 00000000000..fe76b76509f --- /dev/null +++ b/queue-5.15/staging-most-dim2-do-not-double-register-the-same-de.patch @@ -0,0 +1,189 @@ +From c6d87e4e25e8a123f6507a12cdc66a00ff6663b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 09:11:18 +0300 +Subject: staging: most: dim2: do not double-register the same device + +From: Nikita Yushchenko + +[ Upstream commit 2ab189164056b05474275bb40caa038a37713061 ] + +Commit 723de0f9171e ("staging: most: remove device from interface +structure") moved registration of driver-provided struct device to +the most subsystem. + +Dim2 used to register the same struct device to provide a custom device +attribute. This causes double-registration of the same struct device. + +Fix that by moving the custom attribute to driver's dev_groups. +This moves attribute to the platform_device object, which is a better +location for platform-specific attributes anyway. + +Fixes: 723de0f9171e ("staging: most: remove device from interface structure") +Acked-by: Christian Gromm +Signed-off-by: Nikita Yushchenko +Link: https://lore.kernel.org/r/20211011061117.21435-1-nikita.yoush@cogentembedded.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/most/dim2/Makefile | 2 +- + drivers/staging/most/dim2/dim2.c | 24 ++++++++------- + drivers/staging/most/dim2/sysfs.c | 49 ------------------------------ + drivers/staging/most/dim2/sysfs.h | 11 ------- + 4 files changed, 14 insertions(+), 72 deletions(-) + delete mode 100644 drivers/staging/most/dim2/sysfs.c + +diff --git a/drivers/staging/most/dim2/Makefile b/drivers/staging/most/dim2/Makefile +index 861adacf6c729..5f9612af3fa3c 100644 +--- a/drivers/staging/most/dim2/Makefile ++++ b/drivers/staging/most/dim2/Makefile +@@ -1,4 +1,4 @@ + # SPDX-License-Identifier: GPL-2.0 + obj-$(CONFIG_MOST_DIM2) += most_dim2.o + +-most_dim2-objs := dim2.o hal.o sysfs.o ++most_dim2-objs := dim2.o hal.o +diff --git a/drivers/staging/most/dim2/dim2.c b/drivers/staging/most/dim2/dim2.c +index 093ef9a2b2919..b72d7b9b45ea9 100644 +--- a/drivers/staging/most/dim2/dim2.c ++++ b/drivers/staging/most/dim2/dim2.c +@@ -117,7 +117,8 @@ struct dim2_platform_data { + (((p)[1] == 0x18) && ((p)[2] == 0x05) && ((p)[3] == 0x0C) && \ + ((p)[13] == 0x3C) && ((p)[14] == 0x00) && ((p)[15] == 0x0A)) + +-bool dim2_sysfs_get_state_cb(void) ++static ssize_t state_show(struct device *dev, struct device_attribute *attr, ++ char *buf) + { + bool state; + unsigned long flags; +@@ -126,9 +127,18 @@ bool dim2_sysfs_get_state_cb(void) + state = dim_get_lock_state(); + spin_unlock_irqrestore(&dim_lock, flags); + +- return state; ++ return sysfs_emit(buf, "%s\n", state ? "locked" : ""); + } + ++static DEVICE_ATTR_RO(state); ++ ++static struct attribute *dim2_attrs[] = { ++ &dev_attr_state.attr, ++ NULL, ++}; ++ ++ATTRIBUTE_GROUPS(dim2); ++ + /** + * dimcb_on_error - callback from HAL to report miscommunication between + * HDM and HAL +@@ -866,16 +876,8 @@ static int dim2_probe(struct platform_device *pdev) + goto err_stop_thread; + } + +- ret = dim2_sysfs_probe(&dev->dev); +- if (ret) { +- dev_err(&pdev->dev, "failed to create sysfs attribute\n"); +- goto err_unreg_iface; +- } +- + return 0; + +-err_unreg_iface: +- most_deregister_interface(&dev->most_iface); + err_stop_thread: + kthread_stop(dev->netinfo_task); + err_shutdown_dim: +@@ -898,7 +900,6 @@ static int dim2_remove(struct platform_device *pdev) + struct dim2_hdm *dev = platform_get_drvdata(pdev); + unsigned long flags; + +- dim2_sysfs_destroy(&dev->dev); + most_deregister_interface(&dev->most_iface); + kthread_stop(dev->netinfo_task); + +@@ -1082,6 +1083,7 @@ static struct platform_driver dim2_driver = { + .driver = { + .name = "hdm_dim2", + .of_match_table = dim2_of_match, ++ .dev_groups = dim2_groups, + }, + }; + +diff --git a/drivers/staging/most/dim2/sysfs.c b/drivers/staging/most/dim2/sysfs.c +deleted file mode 100644 +index c85b2cdcdca3d..0000000000000 +--- a/drivers/staging/most/dim2/sysfs.c ++++ /dev/null +@@ -1,49 +0,0 @@ +-// SPDX-License-Identifier: GPL-2.0 +-/* +- * sysfs.c - MediaLB sysfs information +- * +- * Copyright (C) 2015, Microchip Technology Germany II GmbH & Co. KG +- */ +- +-/* Author: Andrey Shvetsov */ +- +-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt +- +-#include +-#include "sysfs.h" +-#include +- +-static ssize_t state_show(struct device *dev, struct device_attribute *attr, +- char *buf) +-{ +- bool state = dim2_sysfs_get_state_cb(); +- +- return sprintf(buf, "%s\n", state ? "locked" : ""); +-} +- +-static DEVICE_ATTR_RO(state); +- +-static struct attribute *dev_attrs[] = { +- &dev_attr_state.attr, +- NULL, +-}; +- +-static struct attribute_group dev_attr_group = { +- .attrs = dev_attrs, +-}; +- +-static const struct attribute_group *dev_attr_groups[] = { +- &dev_attr_group, +- NULL, +-}; +- +-int dim2_sysfs_probe(struct device *dev) +-{ +- dev->groups = dev_attr_groups; +- return device_register(dev); +-} +- +-void dim2_sysfs_destroy(struct device *dev) +-{ +- device_unregister(dev); +-} +diff --git a/drivers/staging/most/dim2/sysfs.h b/drivers/staging/most/dim2/sysfs.h +index 24277a17cff3d..09115cf4ed00e 100644 +--- a/drivers/staging/most/dim2/sysfs.h ++++ b/drivers/staging/most/dim2/sysfs.h +@@ -16,15 +16,4 @@ struct medialb_bus { + struct kobject kobj_group; + }; + +-struct device; +- +-int dim2_sysfs_probe(struct device *dev); +-void dim2_sysfs_destroy(struct device *dev); +- +-/* +- * callback, +- * must deliver MediaLB state as true if locked or false if unlocked +- */ +-bool dim2_sysfs_get_state_cb(void); +- + #endif /* DIM2_SYSFS_H */ +-- +2.33.0 + diff --git a/queue-5.15/staging-r8188eu-fix-memory-leak-in-rtw_set_key.patch b/queue-5.15/staging-r8188eu-fix-memory-leak-in-rtw_set_key.patch new file mode 100644 index 00000000000..e7778187f7c --- /dev/null +++ b/queue-5.15/staging-r8188eu-fix-memory-leak-in-rtw_set_key.patch @@ -0,0 +1,37 @@ +From eb5c3b1c2614c626bae832c13740d81e8a63f10d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Sep 2021 21:17:52 +0300 +Subject: staging: r8188eu: fix memory leak in rtw_set_key + +From: Pavel Skripkin + +[ Upstream commit 393db0f6827f96054a769ba3a38aa382d137d3c7 ] + +Before returning with an error we should free allocated buffers, since +they are not assigned to anywhere. + +Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver") +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/ee783fbb71abb549505b84542223be7a7c905eea.1630692375.git.paskripkin@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/r8188eu/core/rtw_mlme.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/staging/r8188eu/core/rtw_mlme.c b/drivers/staging/r8188eu/core/rtw_mlme.c +index 1115ff5d865ad..bd991d7ed8090 100644 +--- a/drivers/staging/r8188eu/core/rtw_mlme.c ++++ b/drivers/staging/r8188eu/core/rtw_mlme.c +@@ -1722,6 +1722,8 @@ int rtw_set_key(struct adapter *adapter, struct security_priv *psecuritypriv, in + psetkeyparm->grpkey = 1; + break; + default: ++ kfree(psetkeyparm); ++ kfree(pcmd); + res = _FAIL; + goto exit; + } +-- +2.33.0 + diff --git a/queue-5.15/task_stack-fix-end_of_stack-for-architectures-with-u.patch b/queue-5.15/task_stack-fix-end_of_stack-for-architectures-with-u.patch new file mode 100644 index 00000000000..0ccacdfa4ab --- /dev/null +++ b/queue-5.15/task_stack-fix-end_of_stack-for-architectures-with-u.patch @@ -0,0 +1,44 @@ +From b371e9adb424db59fc42525e68b1884d0ced9f85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 00:05:43 +0200 +Subject: task_stack: Fix end_of_stack() for architectures with upwards-growing + stack + +From: Helge Deller + +[ Upstream commit 9cc2fa4f4a92ccc6760d764e7341be46ee8aaaa1 ] + +The function end_of_stack() returns a pointer to the last entry of a +stack. For architectures like parisc where the stack grows upwards +return the pointer to the highest address in the stack. + +Without this change I faced a crash on parisc, because the stackleak +functionality wrote STACKLEAK_POISON to the lowest address and thus +overwrote the first 4 bytes of the task_struct which included the +TIF_FLAGS. + +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + include/linux/sched/task_stack.h | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h +index 2413427e439c7..d10150587d819 100644 +--- a/include/linux/sched/task_stack.h ++++ b/include/linux/sched/task_stack.h +@@ -25,7 +25,11 @@ static inline void *task_stack_page(const struct task_struct *task) + + static inline unsigned long *end_of_stack(const struct task_struct *task) + { ++#ifdef CONFIG_STACK_GROWSUP ++ return (unsigned long *)((unsigned long)task->stack + THREAD_SIZE) - 1; ++#else + return task->stack; ++#endif + } + + #elif !defined(__HAVE_THREAD_FUNCTIONS) +-- +2.33.0 + diff --git a/queue-5.15/tcp-don-t-free-a-fin-sk_buff-in-tcp_remove_empty_skb.patch b/queue-5.15/tcp-don-t-free-a-fin-sk_buff-in-tcp_remove_empty_skb.patch new file mode 100644 index 00000000000..627b250b8a4 --- /dev/null +++ b/queue-5.15/tcp-don-t-free-a-fin-sk_buff-in-tcp_remove_empty_skb.patch @@ -0,0 +1,65 @@ +From 51c62ff3b0d9863a0ff3aacd672fa0e73d1db18d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 10:59:03 +1100 +Subject: tcp: don't free a FIN sk_buff in tcp_remove_empty_skb() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jon Maxwell + +[ Upstream commit cf12e6f9124629b18a6182deefc0315f0a73a199 ] + +v1: Implement a more general statement as recommended by Eric Dumazet. The +sequence number will be advanced, so this check will fix the FIN case and +other cases. + +A customer reported sockets stuck in the CLOSING state. A Vmcore revealed that +the write_queue was not empty as determined by tcp_write_queue_empty() but the +sk_buff containing the FIN flag had been freed and the socket was zombied in +that state. Corresponding pcaps show no FIN from the Linux kernel on the wire. + +Some instrumentation was added to the kernel and it was found that there is a +timing window where tcp_sendmsg() can run after tcp_send_fin(). + +tcp_sendmsg() will hit an error, for example: + +1269 ▹ if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))↩ +1270 ▹ ▹ goto do_error;↩ + +tcp_remove_empty_skb() will then free the FIN sk_buff as "skb->len == 0". The +TCP socket is now wedged in the FIN-WAIT-1 state because the FIN is never sent. + +If the other side sends a FIN packet the socket will transition to CLOSING and +remain that way until the system is rebooted. + +Fix this by checking for the FIN flag in the sk_buff and don't free it if that +is the case. Testing confirmed that fixed the issue. + +Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases") +Signed-off-by: Jon Maxwell +Reported-by: Monir Zouaoui +Reported-by: Simon Stier +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index d13050b68045b..8affba5909bdf 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -952,7 +952,7 @@ int tcp_send_mss(struct sock *sk, int *size_goal, int flags) + */ + void tcp_remove_empty_skb(struct sock *sk, struct sk_buff *skb) + { +- if (skb && !skb->len) { ++ if (skb && TCP_SKB_CB(skb)->seq == TCP_SKB_CB(skb)->end_seq) { + tcp_unlink_write_queue(skb, sk); + if (tcp_write_queue_empty(sk)) + tcp_chrono_stop(sk, TCP_CHRONO_BUSY); +-- +2.33.0 + diff --git a/queue-5.15/tcp-switch-orphan_count-to-bare-per-cpu-counters.patch b/queue-5.15/tcp-switch-orphan_count-to-bare-per-cpu-counters.patch new file mode 100644 index 00000000000..218cc015bb4 --- /dev/null +++ b/queue-5.15/tcp-switch-orphan_count-to-bare-per-cpu-counters.patch @@ -0,0 +1,374 @@ +From 8b960a6ff2408a3963415667b7e263b72cde1570 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 06:41:26 -0700 +Subject: tcp: switch orphan_count to bare per-cpu counters + +From: Eric Dumazet + +[ Upstream commit 19757cebf0c5016a1f36f7fe9810a9f0b33c0832 ] + +Use of percpu_counter structure to track count of orphaned +sockets is causing problems on modern hosts with 256 cpus +or more. + +Stefan Bach reported a serious spinlock contention in real workloads, +that I was able to reproduce with a netfilter rule dropping +incoming FIN packets. + + 53.56% server [kernel.kallsyms] [k] queued_spin_lock_slowpath + | + ---queued_spin_lock_slowpath + | + --53.51%--_raw_spin_lock_irqsave + | + --53.51%--__percpu_counter_sum + tcp_check_oom + | + |--39.03%--__tcp_close + | tcp_close + | inet_release + | inet6_release + | sock_close + | __fput + | ____fput + | task_work_run + | exit_to_usermode_loop + | do_syscall_64 + | entry_SYSCALL_64_after_hwframe + | __GI___libc_close + | + --14.48%--tcp_out_of_resources + tcp_write_timeout + tcp_retransmit_timer + tcp_write_timer_handler + tcp_write_timer + call_timer_fn + expire_timers + __run_timers + run_timer_softirq + __softirqentry_text_start + +As explained in commit cf86a086a180 ("net/dst: use a smaller percpu_counter +batch for dst entries accounting"), default batch size is too big +for the default value of tcp_max_orphans (262144). + +But even if we reduce batch sizes, there would still be cases +where the estimated count of orphans is beyond the limit, +and where tcp_too_many_orphans() has to call the expensive +percpu_counter_sum_positive(). + +One solution is to use plain per-cpu counters, and have +a timer to periodically refresh this cache. + +Updating this cache every 100ms seems about right, tcp pressure +state is not radically changing over shorter periods. + +percpu_counter was nice 15 years ago while hosts had less +than 16 cpus, not anymore by current standards. + +v2: Fix the build issue for CONFIG_CRYPTO_DEV_CHELSIO_TLS=m, + reported by kernel test robot + Remove unused socket argument from tcp_too_many_orphans() + +Fixes: dd24c00191d5 ("net: Use a percpu_counter for orphan_count") +Signed-off-by: Eric Dumazet +Reported-by: Stefan Bach +Cc: Neal Cardwell +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../chelsio/inline_crypto/chtls/chtls_cm.c | 2 +- + .../chelsio/inline_crypto/chtls/chtls_cm.h | 2 +- + include/net/inet_connection_sock.h | 2 +- + include/net/sock.h | 2 +- + include/net/tcp.h | 17 ++------- + net/dccp/dccp.h | 2 +- + net/dccp/proto.c | 14 ++----- + net/ipv4/inet_connection_sock.c | 4 +- + net/ipv4/inet_hashtables.c | 2 +- + net/ipv4/proc.c | 2 +- + net/ipv4/tcp.c | 38 ++++++++++++++++--- + 11 files changed, 49 insertions(+), 38 deletions(-) + +diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c +index bcad69c480740..4af5561cbfc54 100644 +--- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c ++++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c +@@ -870,7 +870,7 @@ static void do_abort_syn_rcv(struct sock *child, struct sock *parent) + * created only after 3 way handshake is done. + */ + sock_orphan(child); +- percpu_counter_inc((child)->sk_prot->orphan_count); ++ INC_ORPHAN_COUNT(child); + chtls_release_resources(child); + chtls_conn_done(child); + } else { +diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h +index b1161bdeda4dc..f61ca657601ca 100644 +--- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h ++++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.h +@@ -95,7 +95,7 @@ struct deferred_skb_cb { + #define WSCALE_OK(tp) ((tp)->rx_opt.wscale_ok) + #define TSTAMP_OK(tp) ((tp)->rx_opt.tstamp_ok) + #define SACK_OK(tp) ((tp)->rx_opt.sack_ok) +-#define INC_ORPHAN_COUNT(sk) percpu_counter_inc((sk)->sk_prot->orphan_count) ++#define INC_ORPHAN_COUNT(sk) this_cpu_inc(*(sk)->sk_prot->orphan_count) + + /* TLS SKB */ + #define skb_ulp_tls_inline(skb) (ULP_SKB_CB(skb)->ulp.tls.ofld) +diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h +index b06c2d02ec84e..fa6a87246a7b8 100644 +--- a/include/net/inet_connection_sock.h ++++ b/include/net/inet_connection_sock.h +@@ -289,7 +289,7 @@ static inline void inet_csk_prepare_for_destroy_sock(struct sock *sk) + { + /* The below has to be done to allow calling inet_csk_destroy_sock */ + sock_set_flag(sk, SOCK_DEAD); +- percpu_counter_inc(sk->sk_prot->orphan_count); ++ this_cpu_inc(*sk->sk_prot->orphan_count); + } + + void inet_csk_destroy_sock(struct sock *sk); +diff --git a/include/net/sock.h b/include/net/sock.h +index 463f390d90b3e..7b0c7f5aab676 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -1237,7 +1237,7 @@ struct proto { + unsigned int useroffset; /* Usercopy region offset */ + unsigned int usersize; /* Usercopy region size */ + +- struct percpu_counter *orphan_count; ++ unsigned int __percpu *orphan_count; + + struct request_sock_ops *rsk_prot; + struct timewait_sock_ops *twsk_prot; +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 60c384569e9cd..31d384c3778a1 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -48,7 +48,9 @@ + + extern struct inet_hashinfo tcp_hashinfo; + +-extern struct percpu_counter tcp_orphan_count; ++DECLARE_PER_CPU(unsigned int, tcp_orphan_count); ++int tcp_orphan_count_sum(void); ++ + void tcp_time_wait(struct sock *sk, int state, int timeo); + + #define MAX_TCP_HEADER L1_CACHE_ALIGN(128 + MAX_HEADER) +@@ -290,19 +292,6 @@ static inline bool tcp_out_of_memory(struct sock *sk) + + void sk_forced_mem_schedule(struct sock *sk, int size); + +-static inline bool tcp_too_many_orphans(struct sock *sk, int shift) +-{ +- struct percpu_counter *ocp = sk->sk_prot->orphan_count; +- int orphans = percpu_counter_read_positive(ocp); +- +- if (orphans << shift > sysctl_tcp_max_orphans) { +- orphans = percpu_counter_sum_positive(ocp); +- if (orphans << shift > sysctl_tcp_max_orphans) +- return true; +- } +- return false; +-} +- + bool tcp_check_oom(struct sock *sk, int shift); + + +diff --git a/net/dccp/dccp.h b/net/dccp/dccp.h +index c5c1d2b8045e8..5183e627468d8 100644 +--- a/net/dccp/dccp.h ++++ b/net/dccp/dccp.h +@@ -48,7 +48,7 @@ extern bool dccp_debug; + + extern struct inet_hashinfo dccp_hashinfo; + +-extern struct percpu_counter dccp_orphan_count; ++DECLARE_PER_CPU(unsigned int, dccp_orphan_count); + + void dccp_time_wait(struct sock *sk, int state, int timeo); + +diff --git a/net/dccp/proto.c b/net/dccp/proto.c +index abb5c596a8176..fc44dadc778bb 100644 +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -42,8 +42,8 @@ DEFINE_SNMP_STAT(struct dccp_mib, dccp_statistics) __read_mostly; + + EXPORT_SYMBOL_GPL(dccp_statistics); + +-struct percpu_counter dccp_orphan_count; +-EXPORT_SYMBOL_GPL(dccp_orphan_count); ++DEFINE_PER_CPU(unsigned int, dccp_orphan_count); ++EXPORT_PER_CPU_SYMBOL_GPL(dccp_orphan_count); + + struct inet_hashinfo dccp_hashinfo; + EXPORT_SYMBOL_GPL(dccp_hashinfo); +@@ -1055,7 +1055,7 @@ adjudge_to_death: + bh_lock_sock(sk); + WARN_ON(sock_owned_by_user(sk)); + +- percpu_counter_inc(sk->sk_prot->orphan_count); ++ this_cpu_inc(dccp_orphan_count); + + /* Have we already been destroyed by a softirq or backlog? */ + if (state != DCCP_CLOSED && sk->sk_state == DCCP_CLOSED) +@@ -1115,13 +1115,10 @@ static int __init dccp_init(void) + + BUILD_BUG_ON(sizeof(struct dccp_skb_cb) > + sizeof_field(struct sk_buff, cb)); +- rc = percpu_counter_init(&dccp_orphan_count, 0, GFP_KERNEL); +- if (rc) +- goto out_fail; + inet_hashinfo_init(&dccp_hashinfo); + rc = inet_hashinfo2_init_mod(&dccp_hashinfo); + if (rc) +- goto out_free_percpu; ++ goto out_fail; + rc = -ENOBUFS; + dccp_hashinfo.bind_bucket_cachep = + kmem_cache_create("dccp_bind_bucket", +@@ -1226,8 +1223,6 @@ out_free_bind_bucket_cachep: + kmem_cache_destroy(dccp_hashinfo.bind_bucket_cachep); + out_free_hashinfo2: + inet_hashinfo2_free_mod(&dccp_hashinfo); +-out_free_percpu: +- percpu_counter_destroy(&dccp_orphan_count); + out_fail: + dccp_hashinfo.bhash = NULL; + dccp_hashinfo.ehash = NULL; +@@ -1250,7 +1245,6 @@ static void __exit dccp_fini(void) + dccp_ackvec_exit(); + dccp_sysctl_exit(); + inet_hashinfo2_free_mod(&dccp_hashinfo); +- percpu_counter_destroy(&dccp_orphan_count); + } + + module_init(dccp_init); +diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c +index f25d02ad4a8af..f7fea3a7c5e64 100644 +--- a/net/ipv4/inet_connection_sock.c ++++ b/net/ipv4/inet_connection_sock.c +@@ -1015,7 +1015,7 @@ void inet_csk_destroy_sock(struct sock *sk) + + sk_refcnt_debug_release(sk); + +- percpu_counter_dec(sk->sk_prot->orphan_count); ++ this_cpu_dec(*sk->sk_prot->orphan_count); + + sock_put(sk); + } +@@ -1074,7 +1074,7 @@ static void inet_child_forget(struct sock *sk, struct request_sock *req, + + sock_orphan(child); + +- percpu_counter_inc(sk->sk_prot->orphan_count); ++ this_cpu_inc(*sk->sk_prot->orphan_count); + + if (sk->sk_protocol == IPPROTO_TCP && tcp_rsk(req)->tfo_listener) { + BUG_ON(rcu_access_pointer(tcp_sk(child)->fastopen_rsk) != req); +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index bfb522e513461..75737267746f8 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -598,7 +598,7 @@ bool inet_ehash_nolisten(struct sock *sk, struct sock *osk, bool *found_dup_sk) + if (ok) { + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); + } else { +- percpu_counter_inc(sk->sk_prot->orphan_count); ++ this_cpu_inc(*sk->sk_prot->orphan_count); + inet_sk_set_state(sk, TCP_CLOSE); + sock_set_flag(sk, SOCK_DEAD); + inet_csk_destroy_sock(sk); +diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c +index b0d3a09dc84e7..f30273afb5399 100644 +--- a/net/ipv4/proc.c ++++ b/net/ipv4/proc.c +@@ -53,7 +53,7 @@ static int sockstat_seq_show(struct seq_file *seq, void *v) + struct net *net = seq->private; + int orphans, sockets; + +- orphans = percpu_counter_sum_positive(&tcp_orphan_count); ++ orphans = tcp_orphan_count_sum(); + sockets = proto_sockets_allocated_sum_positive(&tcp_prot); + + socket_seq_show(seq); +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index f5c336f8b0c8e..d13050b68045b 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -287,8 +287,8 @@ enum { + TCP_CMSG_TS = 2 + }; + +-struct percpu_counter tcp_orphan_count; +-EXPORT_SYMBOL_GPL(tcp_orphan_count); ++DEFINE_PER_CPU(unsigned int, tcp_orphan_count); ++EXPORT_PER_CPU_SYMBOL_GPL(tcp_orphan_count); + + long sysctl_tcp_mem[3] __read_mostly; + EXPORT_SYMBOL(sysctl_tcp_mem); +@@ -2687,11 +2687,36 @@ void tcp_shutdown(struct sock *sk, int how) + } + EXPORT_SYMBOL(tcp_shutdown); + ++int tcp_orphan_count_sum(void) ++{ ++ int i, total = 0; ++ ++ for_each_possible_cpu(i) ++ total += per_cpu(tcp_orphan_count, i); ++ ++ return max(total, 0); ++} ++ ++static int tcp_orphan_cache; ++static struct timer_list tcp_orphan_timer; ++#define TCP_ORPHAN_TIMER_PERIOD msecs_to_jiffies(100) ++ ++static void tcp_orphan_update(struct timer_list *unused) ++{ ++ WRITE_ONCE(tcp_orphan_cache, tcp_orphan_count_sum()); ++ mod_timer(&tcp_orphan_timer, jiffies + TCP_ORPHAN_TIMER_PERIOD); ++} ++ ++static bool tcp_too_many_orphans(int shift) ++{ ++ return READ_ONCE(tcp_orphan_cache) << shift > sysctl_tcp_max_orphans; ++} ++ + bool tcp_check_oom(struct sock *sk, int shift) + { + bool too_many_orphans, out_of_socket_memory; + +- too_many_orphans = tcp_too_many_orphans(sk, shift); ++ too_many_orphans = tcp_too_many_orphans(shift); + out_of_socket_memory = tcp_out_of_memory(sk); + + if (too_many_orphans) +@@ -2800,7 +2825,7 @@ adjudge_to_death: + /* remove backlog if any, without releasing ownership. */ + __release_sock(sk); + +- percpu_counter_inc(sk->sk_prot->orphan_count); ++ this_cpu_inc(tcp_orphan_count); + + /* Have we already been destroyed by a softirq or backlog? */ + if (state != TCP_CLOSE && sk->sk_state == TCP_CLOSE) +@@ -4502,7 +4527,10 @@ void __init tcp_init(void) + sizeof_field(struct sk_buff, cb)); + + percpu_counter_init(&tcp_sockets_allocated, 0, GFP_KERNEL); +- percpu_counter_init(&tcp_orphan_count, 0, GFP_KERNEL); ++ ++ timer_setup(&tcp_orphan_timer, tcp_orphan_update, TIMER_DEFERRABLE); ++ mod_timer(&tcp_orphan_timer, jiffies + TCP_ORPHAN_TIMER_PERIOD); ++ + inet_hashinfo_init(&tcp_hashinfo); + inet_hashinfo2_init(&tcp_hashinfo, "tcp_listen_portaddr_hash", + thash_entries, 21, /* one slot per 2 MB*/ +-- +2.33.0 + diff --git a/queue-5.15/thermal-core-fix-a-uaf-bug-in-__thermal_cooling_devi.patch b/queue-5.15/thermal-core-fix-a-uaf-bug-in-__thermal_cooling_devi.patch new file mode 100644 index 00000000000..660e7f6c78d --- /dev/null +++ b/queue-5.15/thermal-core-fix-a-uaf-bug-in-__thermal_cooling_devi.patch @@ -0,0 +1,95 @@ +From a1299718e35b56f20aa5ee3c4b49639d1f716269 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 10:45:04 +0800 +Subject: thermal/core: fix a UAF bug in __thermal_cooling_device_register() + +From: Ziyang Xuan + +[ Upstream commit 0a5c26712f963f0500161a23e0ffff8d29f742ab ] + +When device_register() return failed, program will goto out_kfree_type +to release 'cdev->device' by put_device(). That will call thermal_release() +to free 'cdev'. But the follow-up processes access 'cdev' continually. +That trggers the UAF bug. + +==================================================================== +BUG: KASAN: use-after-free in __thermal_cooling_device_register+0x75b/0xa90 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +Call Trace: + dump_stack_lvl+0xe2/0x152 + print_address_description.constprop.0+0x21/0x140 + ? __thermal_cooling_device_register+0x75b/0xa90 + kasan_report.cold+0x7f/0x11b + ? __thermal_cooling_device_register+0x75b/0xa90 + __thermal_cooling_device_register+0x75b/0xa90 + ? memset+0x20/0x40 + ? __sanitizer_cov_trace_pc+0x1d/0x50 + ? __devres_alloc_node+0x130/0x180 + devm_thermal_of_cooling_device_register+0x67/0xf0 + max6650_probe.cold+0x557/0x6aa +...... + +Freed by task 258: + kasan_save_stack+0x1b/0x40 + kasan_set_track+0x1c/0x30 + kasan_set_free_info+0x20/0x30 + __kasan_slab_free+0x109/0x140 + kfree+0x117/0x4c0 + thermal_release+0xa0/0x110 + device_release+0xa7/0x240 + kobject_put+0x1ce/0x540 + put_device+0x20/0x30 + __thermal_cooling_device_register+0x731/0xa90 + devm_thermal_of_cooling_device_register+0x67/0xf0 + max6650_probe.cold+0x557/0x6aa [max6650] + +Do not use 'cdev' again after put_device() to fix the problem like doing +in thermal_zone_device_register(). + +[dlezcano]: as requested by Rafael, change the affectation into two statements. + +Fixes: 584837618100 ("thermal/drivers/core: Use a char pointer for the cooling device name") +Signed-off-by: Ziyang Xuan +Reported-by: kernel test robot +Link: https://lore.kernel.org/r/20211015024504.947520-1-william.xuanziyang@huawei.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index d094ebbde0ed7..30134f49b037a 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -887,7 +887,7 @@ __thermal_cooling_device_register(struct device_node *np, + { + struct thermal_cooling_device *cdev; + struct thermal_zone_device *pos = NULL; +- int ret; ++ int id, ret; + + if (!ops || !ops->get_max_state || !ops->get_cur_state || + !ops->set_cur_state) +@@ -901,6 +901,7 @@ __thermal_cooling_device_register(struct device_node *np, + if (ret < 0) + goto out_kfree_cdev; + cdev->id = ret; ++ id = ret; + + ret = dev_set_name(&cdev->device, "cooling_device%d", cdev->id); + if (ret) +@@ -944,8 +945,9 @@ __thermal_cooling_device_register(struct device_node *np, + out_kfree_type: + kfree(cdev->type); + put_device(&cdev->device); ++ cdev = NULL; + out_ida_remove: +- ida_simple_remove(&thermal_cdev_ida, cdev->id); ++ ida_simple_remove(&thermal_cdev_ida, id); + out_kfree_cdev: + kfree(cdev); + return ERR_PTR(ret); +-- +2.33.0 + diff --git a/queue-5.15/thermal-core-fix-null-pointer-dereference-in-thermal.patch b/queue-5.15/thermal-core-fix-null-pointer-dereference-in-thermal.patch new file mode 100644 index 00000000000..852729c0fdd --- /dev/null +++ b/queue-5.15/thermal-core-fix-null-pointer-dereference-in-thermal.patch @@ -0,0 +1,68 @@ +From 3e18882742b54cf634610bd55d5b7458c98a7648 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 08:32:30 +0000 +Subject: thermal/core: Fix null pointer dereference in thermal_release() + +From: Yuanzheng Song + +[ Upstream commit 1dd7128b839f631b31a9e9dce3aaf639bef74e9d ] + +If both dev_set_name() and device_register() failed, then null pointer +dereference occurs in thermal_release() which will use strncmp() to +compare the name. + +So fix it by adding dev_set_name() return value check. + +Signed-off-by: Yuanzheng Song +Link: https://lore.kernel.org/r/20211015083230.67658-1-songyuanzheng@huawei.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index 51374f4e1ccaf..d094ebbde0ed7 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -902,6 +902,10 @@ __thermal_cooling_device_register(struct device_node *np, + goto out_kfree_cdev; + cdev->id = ret; + ++ ret = dev_set_name(&cdev->device, "cooling_device%d", cdev->id); ++ if (ret) ++ goto out_ida_remove; ++ + cdev->type = kstrdup(type ? type : "", GFP_KERNEL); + if (!cdev->type) { + ret = -ENOMEM; +@@ -916,7 +920,6 @@ __thermal_cooling_device_register(struct device_node *np, + cdev->device.class = &thermal_class; + cdev->devdata = devdata; + thermal_cooling_device_setup_sysfs(cdev); +- dev_set_name(&cdev->device, "cooling_device%d", cdev->id); + ret = device_register(&cdev->device); + if (ret) + goto out_kfree_type; +@@ -1227,6 +1230,10 @@ thermal_zone_device_register(const char *type, int trips, int mask, + tz->id = id; + strlcpy(tz->type, type, sizeof(tz->type)); + ++ result = dev_set_name(&tz->device, "thermal_zone%d", tz->id); ++ if (result) ++ goto remove_id; ++ + if (!ops->critical) + ops->critical = thermal_zone_device_critical; + +@@ -1248,7 +1255,6 @@ thermal_zone_device_register(const char *type, int trips, int mask, + /* A new thermal zone needs to be updated anyway. */ + atomic_set(&tz->need_update, 1); + +- dev_set_name(&tz->device, "thermal_zone%d", tz->id); + result = device_register(&tz->device); + if (result) + goto release_device; +-- +2.33.0 + diff --git a/queue-5.15/thermal-drivers-qcom-lmh-make-qcom_lmh-depends-on-qc.patch b/queue-5.15/thermal-drivers-qcom-lmh-make-qcom_lmh-depends-on-qc.patch new file mode 100644 index 00000000000..b966c208f48 --- /dev/null +++ b/queue-5.15/thermal-drivers-qcom-lmh-make-qcom_lmh-depends-on-qc.patch @@ -0,0 +1,53 @@ +From 8d55c28c5247976308da13f8066790e5e9494709 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Oct 2021 09:58:53 +0800 +Subject: thermal/drivers/qcom/lmh: make QCOM_LMH depends on QCOM_SCM + +From: Jackie Liu + +[ Upstream commit 9e5a4fb8423081d0efbf165c71c7f4abdf5f918c ] + +Without QCOM_SCM, build failed, avoid like below: + +aarch64-linux-gnu-ld: Unexpected GOT/PLT entries detected! +aarch64-linux-gnu-ld: Unexpected run-time procedure linkages detected! +aarch64-linux-gnu-ld: drivers/thermal/qcom/lmh.o: in function `lmh_probe': +/data/arm/workspace/kernel-build/linux/build/../drivers/thermal/qcom/lmh.c:141: undefined reference to `qcom_scm_lmh_dcvsh_available' +aarch64-linux-gnu-ld: /data/arm/workspace/kernel-build/linux/build/../drivers/thermal/qcom/lmh.c:144: undefined reference to `qcom_scm_lmh_dcvsh' +aarch64-linux-gnu-ld: /data/arm/workspace/kernel-build/linux/build/../drivers/thermal/qcom/lmh.c:149: undefined reference to `qcom_scm_lmh_dcvsh' +aarch64-linux-gnu-ld: /data/arm/workspace/kernel-build/linux/build/../drivers/thermal/qcom/lmh.c:154: undefined reference to `qcom_scm_lmh_dcvsh' +aarch64-linux-gnu-ld: /data/arm/workspace/kernel-build/linux/build/../drivers/thermal/qcom/lmh.c:159: undefined reference to `qcom_scm_lmh_dcvsh' +aarch64-linux-gnu-ld: /data/arm/workspace/kernel-build/linux/build/../drivers/thermal/qcom/lmh.c:166: undefined reference to `qcom_scm_lmh_profile_change' +aarch64-linux-gnu-ld: /data/arm/workspace/kernel-build/linux/build/../drivers/thermal/qcom/lmh.c:173: undefined reference to `qcom_scm_lmh_dcvsh' +aarch64-linux-gnu-ld: /data/arm/workspace/kernel-build/linux/build/../drivers/thermal/qcom/lmh.c:180: undefined reference to `qcom_scm_lmh_dcvsh' +aarch64-linux-gnu-ld: /data/arm/workspace/kernel-build/linux/build/../drivers/thermal/qcom/lmh.c:187: undefined reference to `qcom_scm_lmh_dcvsh' +make[1]: *** [/data/arm/workspace/kernel-build/linux/Makefile:1183: vmlinux] Error 1 +make[1]: Leaving directory '/data/arm/workspace/kernel-build/linux/build' +make: *** [Makefile:219: __sub-make] Error 2 +make: Leaving directory '/data/arm/workspace/kernel-build/linux' + +Fixes: 53bca371cdf7 ("thermal/drivers/qcom: Add support for LMh driver") +Signed-off-by: Jackie Liu +Link: https://lore.kernel.org/r/20211009015853.3509559-1-liu.yun@linux.dev +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/thermal/qcom/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/qcom/Kconfig b/drivers/thermal/qcom/Kconfig +index 7d942f71e5328..bfd889422dd32 100644 +--- a/drivers/thermal/qcom/Kconfig ++++ b/drivers/thermal/qcom/Kconfig +@@ -34,7 +34,7 @@ config QCOM_SPMI_TEMP_ALARM + + config QCOM_LMH + tristate "Qualcomm Limits Management Hardware" +- depends on ARCH_QCOM ++ depends on ARCH_QCOM && QCOM_SCM + help + This enables initialization of Qualcomm limits management + hardware(LMh). LMh allows for hardware-enforced mitigation for cpus based on +-- +2.33.0 + diff --git a/queue-5.15/thermal-drivers-tsens-add-timeout-to-get_temp_tsens_.patch b/queue-5.15/thermal-drivers-tsens-add-timeout-to-get_temp_tsens_.patch new file mode 100644 index 00000000000..e10609d3ace --- /dev/null +++ b/queue-5.15/thermal-drivers-tsens-add-timeout-to-get_temp_tsens_.patch @@ -0,0 +1,70 @@ +From c7866d4c76351a311d4f263898902982d1257718 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 19:28:59 +0200 +Subject: thermal/drivers/tsens: Add timeout to get_temp_tsens_valid + +From: Ansuel Smith + +[ Upstream commit d012f9189fda0f3a1b303780ba0bbc7298d0d349 ] + +The function can loop and lock the system if for whatever reason the bit +for the target sensor is NEVER valid. This is the case if a sensor is +disabled by the factory and the valid bit is never reported as actually +valid. Add a timeout check and exit if a timeout occurs. As this is +a very rare condition, handle the timeout only if the first read fails. +While at it also rework the function to improve readability and convert +to poll_timeout generic macro. + +Signed-off-by: Ansuel Smith +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211007172859.583-1-ansuelsmth@gmail.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/thermal/qcom/tsens.c | 29 ++++++++++++++--------------- + 1 file changed, 14 insertions(+), 15 deletions(-) + +diff --git a/drivers/thermal/qcom/tsens.c b/drivers/thermal/qcom/tsens.c +index b1162e566a707..99a8d9f3e03ca 100644 +--- a/drivers/thermal/qcom/tsens.c ++++ b/drivers/thermal/qcom/tsens.c +@@ -603,22 +603,21 @@ int get_temp_tsens_valid(const struct tsens_sensor *s, int *temp) + int ret; + + /* VER_0 doesn't have VALID bit */ +- if (tsens_version(priv) >= VER_0_1) { +- ret = regmap_field_read(priv->rf[valid_idx], &valid); +- if (ret) +- return ret; +- while (!valid) { +- /* Valid bit is 0 for 6 AHB clock cycles. +- * At 19.2MHz, 1 AHB clock is ~60ns. +- * We should enter this loop very, very rarely. +- */ +- ndelay(400); +- ret = regmap_field_read(priv->rf[valid_idx], &valid); +- if (ret) +- return ret; +- } +- } ++ if (tsens_version(priv) == VER_0) ++ goto get_temp; ++ ++ /* Valid bit is 0 for 6 AHB clock cycles. ++ * At 19.2MHz, 1 AHB clock is ~60ns. ++ * We should enter this loop very, very rarely. ++ * Wait 1 us since it's the min of poll_timeout macro. ++ * Old value was 400 ns. ++ */ ++ ret = regmap_field_read_poll_timeout(priv->rf[valid_idx], valid, ++ valid, 1, 20 * USEC_PER_MSEC); ++ if (ret) ++ return ret; + ++get_temp: + /* Valid bit is set, OK to read the temperature */ + *temp = tsens_hw_to_mC(s, temp_idx); + +-- +2.33.0 + diff --git a/queue-5.15/thermal-int340x-fix-build-on-32-bit-targets.patch b/queue-5.15/thermal-int340x-fix-build-on-32-bit-targets.patch new file mode 100644 index 00000000000..d7d16adfcb0 --- /dev/null +++ b/queue-5.15/thermal-int340x-fix-build-on-32-bit-targets.patch @@ -0,0 +1,53 @@ +From 94d2aa48b08ea50685724dce78a1c134fcce0f44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 10:56:25 -0800 +Subject: thermal: int340x: fix build on 32-bit targets + +From: Linus Torvalds + +[ Upstream commit d9c8e52ff9e84ff1a406330f9ea4de7c5eb40282 ] + +Commit aeb58c860dc5 ("thermal/drivers/int340x: processor_thermal: Suppot +64 bit RFIM responses") started using 'readq()' to read 64-bit status +responses from the int340x hardware. + +That's all fine and good, but on 32-bit targets a 64-bit 'readq()' is +ambiguous, since it's no longer an atomic access. Some hardware might +require 64-bit accesses, and other hardware might want low word first or +high word first. + +It's quite likely that the driver isn't relevant in a 32-bit environment +any more, and there's a patch floating around to just make it depend on +X86_64, but let's make it buildable on x86-32 anyway. + +The driver previously just read the low 32 bits, so the hardware +certainly is ok with 32-bit reads, and in a little-endian environment +the low word first model is the natural one. + +So just add the include for the 'io-64-nonatomic-lo-hi.h' version. + +Fixes: aeb58c860dc5 ("thermal/drivers/int340x: processor_thermal: Suppot 64 bit RFIM responses") +Reported-by: Jakub Kicinski +Cc: Srinivas Pandruvada +Cc: Rafael J. Wysocki +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/thermal/intel/int340x_thermal/processor_thermal_mbox.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/thermal/intel/int340x_thermal/processor_thermal_mbox.c b/drivers/thermal/intel/int340x_thermal/processor_thermal_mbox.c +index 59e93b04f0a9e..66cd0190bc035 100644 +--- a/drivers/thermal/intel/int340x_thermal/processor_thermal_mbox.c ++++ b/drivers/thermal/intel/int340x_thermal/processor_thermal_mbox.c +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include + #include "processor_thermal_device.h" + + #define MBOX_CMD_WORKLOAD_TYPE_READ 0x0E +-- +2.33.0 + diff --git a/queue-5.15/tools-latency-collector-use-correct-size-when-writin.patch b/queue-5.15/tools-latency-collector-use-correct-size-when-writin.patch new file mode 100644 index 00000000000..68cbdb639cf --- /dev/null +++ b/queue-5.15/tools-latency-collector-use-correct-size-when-writin.patch @@ -0,0 +1,45 @@ +From f0c2175d6978ad2652a0f37a549f7663f986254f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 18:07:01 +0200 +Subject: tools/latency-collector: Use correct size when writing + queue_full_warning + +From: Viktor Rosendahl + +[ Upstream commit f604de20c0a47e0e9518940a1810193678c92fa8 ] + +queue_full_warning is a pointer, so it is wrong to use sizeof to calculate +the number of characters of the string it points to. The effect is that we +only print out the first few characters of the warning string. + +The correct way is to use strlen(). We don't need to add 1 to the strlen() +because we don't want to write the terminating null character to stdout. + +Link: https://lkml.kernel.org/r/20211019160701.15587-1-Viktor.Rosendahl@bmw.de + +Link: https://lore.kernel.org/r/8fd4bb65ef3da67feac9ce3258cdbe9824752cf1.1629198502.git.jing.yangyang@zte.com.cn +Link: https://lore.kernel.org/r/20211012025424.180781-1-davidcomponentone@gmail.com +Reported-by: Zeal Robot +Signed-off-by: Viktor Rosendahl +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + tools/tracing/latency/latency-collector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/tracing/latency/latency-collector.c b/tools/tracing/latency/latency-collector.c +index 3a2e6bb781a8c..59a7f2346eab4 100644 +--- a/tools/tracing/latency/latency-collector.c ++++ b/tools/tracing/latency/latency-collector.c +@@ -1538,7 +1538,7 @@ static void tracing_loop(void) + mutex_lock(&print_mtx); + check_signals(); + write_or_die(fd_stdout, queue_full_warning, +- sizeof(queue_full_warning)); ++ strlen(queue_full_warning)); + mutex_unlock(&print_mtx); + } + modified--; +-- +2.33.0 + diff --git a/queue-5.15/tpm-fix-atmel-tpm-crash-caused-by-too-frequent-queri.patch b/queue-5.15/tpm-fix-atmel-tpm-crash-caused-by-too-frequent-queri.patch new file mode 100644 index 00000000000..eed563dc0c7 --- /dev/null +++ b/queue-5.15/tpm-fix-atmel-tpm-crash-caused-by-too-frequent-queri.patch @@ -0,0 +1,171 @@ +From ebb8779e1199527beadc75fb062b1f731b343567 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Sep 2021 02:26:06 -0700 +Subject: tpm: fix Atmel TPM crash caused by too frequent queries + +From: Hao Wu + +[ Upstream commit 79ca6f74dae067681a779fd573c2eb59649989bc ] + +The Atmel TPM 1.2 chips crash with error +`tpm_try_transmit: send(): error -62` since kernel 4.14. +It is observed from the kernel log after running `tpm_sealdata -z`. +The error thrown from the command is as follows +``` +$ tpm_sealdata -z +Tspi_Key_LoadKey failed: 0x00001087 - layer=tddl, +code=0087 (135), I/O error +``` + +The issue was reproduced with the following Atmel TPM chip: +``` +$ tpm_version +T0 TPM 1.2 Version Info: + Chip Version: 1.2.66.1 + Spec Level: 2 + Errata Revision: 3 + TPM Vendor ID: ATML + TPM Version: 01010000 + Manufacturer Info: 41544d4c +``` + +The root cause of the issue is due to the TPM calls to msleep() +were replaced with usleep_range() [1], which reduces +the actual timeout. Via experiments, it is observed that +the original msleep(5) actually sleeps for 15ms. +Because of a known timeout issue in Atmel TPM 1.2 chip, +the shorter timeout than 15ms can cause the error described above. + +A few further changes in kernel 4.16 [2] and 4.18 [3, 4] further +reduced the timeout to less than 1ms. With experiments, +the problematic timeout in the latest kernel is the one +for `wait_for_tpm_stat`. + +To fix it, the patch reverts the timeout of `wait_for_tpm_stat` +to 15ms for all Atmel TPM 1.2 chips, but leave it untouched +for Ateml TPM 2.0 chip, and chips from other vendors. +As explained above, the chosen 15ms timeout is +the actual timeout before this issue introduced, +thus the old value is used here. +Particularly, TPM_ATML_TIMEOUT_WAIT_STAT_MIN is set to 14700us, +TPM_ATML_TIMEOUT_WAIT_STAT_MIN is set to 15000us according to +the existing TPM_TIMEOUT_RANGE_US (300us). +The fixed has been tested in the system with the affected Atmel chip +with no issues observed after boot up. + +References: +[1] 9f3fc7bcddcb tpm: replace msleep() with usleep_range() in TPM +1.2/2.0 generic drivers +[2] cf151a9a44d5 tpm: reduce tpm polling delay in tpm_tis_core +[3] 59f5a6b07f64 tpm: reduce poll sleep time in tpm_transmit() +[4] 424eaf910c32 tpm: reduce polling time to usecs for even finer +granularity + +Fixes: 9f3fc7bcddcb ("tpm: replace msleep() with usleep_range() in TPM 1.2/2.0 generic drivers") +Link: https://patchwork.kernel.org/project/linux-integrity/patch/20200926223150.109645-1-hao.wu@rubrik.com/ +Signed-off-by: Hao Wu +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_tis_core.c | 26 ++++++++++++++++++-------- + drivers/char/tpm/tpm_tis_core.h | 4 ++++ + include/linux/tpm.h | 1 + + 3 files changed, 23 insertions(+), 8 deletions(-) + +diff --git a/drivers/char/tpm/tpm_tis_core.c b/drivers/char/tpm/tpm_tis_core.c +index 69579efb247b3..b2659a4c40168 100644 +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -48,6 +48,7 @@ static int wait_for_tpm_stat(struct tpm_chip *chip, u8 mask, + unsigned long timeout, wait_queue_head_t *queue, + bool check_cancel) + { ++ struct tpm_tis_data *priv = dev_get_drvdata(&chip->dev); + unsigned long stop; + long rc; + u8 status; +@@ -80,8 +81,8 @@ again: + } + } else { + do { +- usleep_range(TPM_TIMEOUT_USECS_MIN, +- TPM_TIMEOUT_USECS_MAX); ++ usleep_range(priv->timeout_min, ++ priv->timeout_max); + status = chip->ops->status(chip); + if ((status & mask) == mask) + return 0; +@@ -945,7 +946,22 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, + chip->timeout_b = msecs_to_jiffies(TIS_TIMEOUT_B_MAX); + chip->timeout_c = msecs_to_jiffies(TIS_TIMEOUT_C_MAX); + chip->timeout_d = msecs_to_jiffies(TIS_TIMEOUT_D_MAX); ++ priv->timeout_min = TPM_TIMEOUT_USECS_MIN; ++ priv->timeout_max = TPM_TIMEOUT_USECS_MAX; + priv->phy_ops = phy_ops; ++ ++ rc = tpm_tis_read32(priv, TPM_DID_VID(0), &vendor); ++ if (rc < 0) ++ goto out_err; ++ ++ priv->manufacturer_id = vendor; ++ ++ if (priv->manufacturer_id == TPM_VID_ATML && ++ !(chip->flags & TPM_CHIP_FLAG_TPM2)) { ++ priv->timeout_min = TIS_TIMEOUT_MIN_ATML; ++ priv->timeout_max = TIS_TIMEOUT_MAX_ATML; ++ } ++ + dev_set_drvdata(&chip->dev, priv); + + if (is_bsw()) { +@@ -988,12 +1004,6 @@ int tpm_tis_core_init(struct device *dev, struct tpm_tis_data *priv, int irq, + if (rc) + goto out_err; + +- rc = tpm_tis_read32(priv, TPM_DID_VID(0), &vendor); +- if (rc < 0) +- goto out_err; +- +- priv->manufacturer_id = vendor; +- + rc = tpm_tis_read8(priv, TPM_RID(0), &rid); + if (rc < 0) + goto out_err; +diff --git a/drivers/char/tpm/tpm_tis_core.h b/drivers/char/tpm/tpm_tis_core.h +index b2a3c6c72882d..3be24f221e32a 100644 +--- a/drivers/char/tpm/tpm_tis_core.h ++++ b/drivers/char/tpm/tpm_tis_core.h +@@ -54,6 +54,8 @@ enum tis_defaults { + TIS_MEM_LEN = 0x5000, + TIS_SHORT_TIMEOUT = 750, /* ms */ + TIS_LONG_TIMEOUT = 2000, /* 2 sec */ ++ TIS_TIMEOUT_MIN_ATML = 14700, /* usecs */ ++ TIS_TIMEOUT_MAX_ATML = 15000, /* usecs */ + }; + + /* Some timeout values are needed before it is known whether the chip is +@@ -98,6 +100,8 @@ struct tpm_tis_data { + wait_queue_head_t read_queue; + const struct tpm_tis_phy_ops *phy_ops; + unsigned short rng_quality; ++ unsigned int timeout_min; /* usecs */ ++ unsigned int timeout_max; /* usecs */ + }; + + struct tpm_tis_phy_ops { +diff --git a/include/linux/tpm.h b/include/linux/tpm.h +index aa11fe323c56b..12d827734686d 100644 +--- a/include/linux/tpm.h ++++ b/include/linux/tpm.h +@@ -269,6 +269,7 @@ enum tpm2_cc_attrs { + #define TPM_VID_INTEL 0x8086 + #define TPM_VID_WINBOND 0x1050 + #define TPM_VID_STM 0x104A ++#define TPM_VID_ATML 0x1114 + + enum tpm_chip_flags { + TPM_CHIP_FLAG_TPM2 = BIT(1), +-- +2.33.0 + diff --git a/queue-5.15/tpm_tis_spi-add-missing-spi-id.patch b/queue-5.15/tpm_tis_spi-add-missing-spi-id.patch new file mode 100644 index 00000000000..706864b7cae --- /dev/null +++ b/queue-5.15/tpm_tis_spi-add-missing-spi-id.patch @@ -0,0 +1,44 @@ +From cdba608abf9360e41c495adce8c5a982c5908a82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Sep 2021 15:41:11 +0100 +Subject: tpm_tis_spi: Add missing SPI ID + +From: Mark Brown + +[ Upstream commit 7eba41fe8c7bb01ff3d4b757bd622375792bc720 ] + +In commit c46ed2281bbe ("tpm_tis_spi: add missing SPI device ID entries") +we added SPI IDs for all the DT aliases to handle the fact that we always +use SPI modaliases to load modules even when probed via DT however the +mentioned commit missed that the SPI and OF device ID entries did not +match and were different and so DT nodes with compatible +"tcg,tpm_tis-spi" will not match. Add an extra ID for tpm_tis-spi +rather than just fix the existing one since what's currently there is +going to be better for anyone actually using SPI IDs to instantiate. + +Fixes: c46ed2281bbe ("tpm_tis_spi: add missing SPI device ID entries") +Fixes: 96c8395e2166 ("spi: Revert modalias changes") +Signed-off-by: Mark Brown +Reviewed-by: Jarkko Sakkinen +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + drivers/char/tpm/tpm_tis_spi_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/char/tpm/tpm_tis_spi_main.c b/drivers/char/tpm/tpm_tis_spi_main.c +index 54584b4b00d19..aaa59a00eeaef 100644 +--- a/drivers/char/tpm/tpm_tis_spi_main.c ++++ b/drivers/char/tpm/tpm_tis_spi_main.c +@@ -267,6 +267,7 @@ static const struct spi_device_id tpm_tis_spi_id[] = { + { "st33htpm-spi", (unsigned long)tpm_tis_spi_probe }, + { "slb9670", (unsigned long)tpm_tis_spi_probe }, + { "tpm_tis_spi", (unsigned long)tpm_tis_spi_probe }, ++ { "tpm_tis-spi", (unsigned long)tpm_tis_spi_probe }, + { "cr50", (unsigned long)cr50_spi_probe }, + {} + }; +-- +2.33.0 + diff --git a/queue-5.15/tracefs-have-tracefs-directories-not-set-oth-permiss.patch b/queue-5.15/tracefs-have-tracefs-directories-not-set-oth-permiss.patch new file mode 100644 index 00000000000..5c777cc2854 --- /dev/null +++ b/queue-5.15/tracefs-have-tracefs-directories-not-set-oth-permiss.patch @@ -0,0 +1,47 @@ +From 737076a38cd8b0dcb1b6e7b3f0c8940cd3e2a509 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 11:24:50 -0400 +Subject: tracefs: Have tracefs directories not set OTH permission bits by + default + +From: Steven Rostedt (VMware) + +[ Upstream commit 49d67e445742bbcb03106b735b2ab39f6e5c56bc ] + +The tracefs file system is by default mounted such that only root user can +access it. But there are legitimate reasons to create a group and allow +those added to the group to have access to tracing. By changing the +permissions of the tracefs mount point to allow access, it will allow +group access to the tracefs directory. + +There should not be any real reason to allow all access to the tracefs +directory as it contains sensitive information. Have the default +permission of directories being created not have any OTH (other) bits set, +such that an admin that wants to give permission to a group has to first +disable all OTH bits in the file system. + +Link: https://lkml.kernel.org/r/20210818153038.664127804@goodmis.org + +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + fs/tracefs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c +index 1261e8b41edb4..925a621b432e3 100644 +--- a/fs/tracefs/inode.c ++++ b/fs/tracefs/inode.c +@@ -432,7 +432,8 @@ static struct dentry *__create_dir(const char *name, struct dentry *parent, + if (unlikely(!inode)) + return failed_creating(dentry); + +- inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO; ++ /* Do not set bits for OTH */ ++ inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP; + inode->i_op = ops; + inode->i_fop = &simple_dir_operations; + +-- +2.33.0 + diff --git a/queue-5.15/tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch b/queue-5.15/tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch new file mode 100644 index 00000000000..19386494d91 --- /dev/null +++ b/queue-5.15/tracing-cfi-fix-cmp_entries_-functions-signature-mis.patch @@ -0,0 +1,134 @@ +From a55cacd0fce9109fba9253708166d6b7f48827c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 21:52:17 -0700 +Subject: tracing/cfi: Fix cmp_entries_* functions signature mismatch + +From: Kalesh Singh + +[ Upstream commit 7ce1bb83a14019f8c396d57ec704d19478747716 ] + +If CONFIG_CFI_CLANG=y, attempting to read an event histogram will cause +the kernel to panic due to failed CFI check. + + 1. echo 'hist:keys=common_pid' >> events/sched/sched_switch/trigger + 2. cat events/sched/sched_switch/hist + 3. kernel panics on attempting to read hist + +This happens because the sort() function expects a generic +int (*)(const void *, const void *) pointer for the compare function. +To prevent this CFI failure, change tracing map cmp_entries_* function +signatures to match this. + +Also, fix the build error reported by the kernel test robot [1]. + +[1] https://lore.kernel.org/r/202110141140.zzi4dRh4-lkp@intel.com/ + +Link: https://lkml.kernel.org/r/20211014045217.3265162-1-kaleshsingh@google.com + +Signed-off-by: Kalesh Singh +Reported-by: kernel test robot +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/tracing_map.c | 40 ++++++++++++++++++++++---------------- + 1 file changed, 23 insertions(+), 17 deletions(-) + +diff --git a/kernel/trace/tracing_map.c b/kernel/trace/tracing_map.c +index d6bddb157ef20..39bb56d2dcbef 100644 +--- a/kernel/trace/tracing_map.c ++++ b/kernel/trace/tracing_map.c +@@ -834,29 +834,35 @@ int tracing_map_init(struct tracing_map *map) + return err; + } + +-static int cmp_entries_dup(const struct tracing_map_sort_entry **a, +- const struct tracing_map_sort_entry **b) ++static int cmp_entries_dup(const void *A, const void *B) + { ++ const struct tracing_map_sort_entry *a, *b; + int ret = 0; + +- if (memcmp((*a)->key, (*b)->key, (*a)->elt->map->key_size)) ++ a = *(const struct tracing_map_sort_entry **)A; ++ b = *(const struct tracing_map_sort_entry **)B; ++ ++ if (memcmp(a->key, b->key, a->elt->map->key_size)) + ret = 1; + + return ret; + } + +-static int cmp_entries_sum(const struct tracing_map_sort_entry **a, +- const struct tracing_map_sort_entry **b) ++static int cmp_entries_sum(const void *A, const void *B) + { + const struct tracing_map_elt *elt_a, *elt_b; ++ const struct tracing_map_sort_entry *a, *b; + struct tracing_map_sort_key *sort_key; + struct tracing_map_field *field; + tracing_map_cmp_fn_t cmp_fn; + void *val_a, *val_b; + int ret = 0; + +- elt_a = (*a)->elt; +- elt_b = (*b)->elt; ++ a = *(const struct tracing_map_sort_entry **)A; ++ b = *(const struct tracing_map_sort_entry **)B; ++ ++ elt_a = a->elt; ++ elt_b = b->elt; + + sort_key = &elt_a->map->sort_key; + +@@ -873,18 +879,21 @@ static int cmp_entries_sum(const struct tracing_map_sort_entry **a, + return ret; + } + +-static int cmp_entries_key(const struct tracing_map_sort_entry **a, +- const struct tracing_map_sort_entry **b) ++static int cmp_entries_key(const void *A, const void *B) + { + const struct tracing_map_elt *elt_a, *elt_b; ++ const struct tracing_map_sort_entry *a, *b; + struct tracing_map_sort_key *sort_key; + struct tracing_map_field *field; + tracing_map_cmp_fn_t cmp_fn; + void *val_a, *val_b; + int ret = 0; + +- elt_a = (*a)->elt; +- elt_b = (*b)->elt; ++ a = *(const struct tracing_map_sort_entry **)A; ++ b = *(const struct tracing_map_sort_entry **)B; ++ ++ elt_a = a->elt; ++ elt_b = b->elt; + + sort_key = &elt_a->map->sort_key; + +@@ -989,10 +998,8 @@ static void sort_secondary(struct tracing_map *map, + struct tracing_map_sort_key *primary_key, + struct tracing_map_sort_key *secondary_key) + { +- int (*primary_fn)(const struct tracing_map_sort_entry **, +- const struct tracing_map_sort_entry **); +- int (*secondary_fn)(const struct tracing_map_sort_entry **, +- const struct tracing_map_sort_entry **); ++ int (*primary_fn)(const void *, const void *); ++ int (*secondary_fn)(const void *, const void *); + unsigned i, start = 0, n_sub = 1; + + if (is_key(map, primary_key->field_idx)) +@@ -1061,8 +1068,7 @@ int tracing_map_sort_entries(struct tracing_map *map, + unsigned int n_sort_keys, + struct tracing_map_sort_entry ***sort_entries) + { +- int (*cmp_entries_fn)(const struct tracing_map_sort_entry **, +- const struct tracing_map_sort_entry **); ++ int (*cmp_entries_fn)(const void *, const void *); + struct tracing_map_sort_entry *sort_entry, **entries; + int i, n_entries, ret; + +-- +2.33.0 + diff --git a/queue-5.15/tracing-disable-other-permission-bits-in-the-tracefs.patch b/queue-5.15/tracing-disable-other-permission-bits-in-the-tracefs.patch new file mode 100644 index 00000000000..2d264c5a4b0 --- /dev/null +++ b/queue-5.15/tracing-disable-other-permission-bits-in-the-tracefs.patch @@ -0,0 +1,688 @@ +From 732b570fcefba84748faefc5bcd223e08e3448c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 11:24:51 -0400 +Subject: tracing: Disable "other" permission bits in the tracefs files + +From: Steven Rostedt (VMware) + +[ Upstream commit 21ccc9cd72116289469e5519b6159c675a2fa58f ] + +When building the files in the tracefs file system, do not by default set +any permissions for OTH (other). This will make it easier for admins who +want to define a group for accessing tracefs and not having to first +disable all the permission bits for "other" in the file system. + +As tracing can leak sensitive information, it should never by default +allowing all users access. An admin can still set the permission bits for +others to have access, which may be useful for creating a honeypot and +seeing who takes advantage of it and roots the machine. + +Link: https://lkml.kernel.org/r/20210818153038.864149276@goodmis.org + +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/ftrace.c | 23 +++++---- + kernel/trace/trace.c | 73 ++++++++++++++------------- + kernel/trace/trace.h | 3 ++ + kernel/trace/trace_dynevent.c | 2 +- + kernel/trace/trace_events.c | 42 +++++++-------- + kernel/trace/trace_events_synth.c | 4 +- + kernel/trace/trace_functions_graph.c | 2 +- + kernel/trace/trace_hwlat.c | 6 +-- + kernel/trace/trace_kprobe.c | 8 +-- + kernel/trace/trace_osnoise.c | 14 ++--- + kernel/trace/trace_printk.c | 2 +- + kernel/trace/trace_recursion_record.c | 4 +- + kernel/trace/trace_stack.c | 6 +-- + kernel/trace/trace_stat.c | 6 +-- + kernel/trace/trace_uprobe.c | 4 +- + 15 files changed, 103 insertions(+), 96 deletions(-) + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index feebf57c64588..c672040142e98 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -988,8 +988,9 @@ static __init void ftrace_profile_tracefs(struct dentry *d_tracer) + } + } + +- entry = tracefs_create_file("function_profile_enabled", 0644, +- d_tracer, NULL, &ftrace_profile_fops); ++ entry = tracefs_create_file("function_profile_enabled", ++ TRACE_MODE_WRITE, d_tracer, NULL, ++ &ftrace_profile_fops); + if (!entry) + pr_warn("Could not create tracefs 'function_profile_enabled' entry\n"); + } +@@ -6109,10 +6110,10 @@ void ftrace_create_filter_files(struct ftrace_ops *ops, + struct dentry *parent) + { + +- trace_create_file("set_ftrace_filter", 0644, parent, ++ trace_create_file("set_ftrace_filter", TRACE_MODE_WRITE, parent, + ops, &ftrace_filter_fops); + +- trace_create_file("set_ftrace_notrace", 0644, parent, ++ trace_create_file("set_ftrace_notrace", TRACE_MODE_WRITE, parent, + ops, &ftrace_notrace_fops); + } + +@@ -6139,19 +6140,19 @@ void ftrace_destroy_filter_files(struct ftrace_ops *ops) + static __init int ftrace_init_dyn_tracefs(struct dentry *d_tracer) + { + +- trace_create_file("available_filter_functions", 0444, ++ trace_create_file("available_filter_functions", TRACE_MODE_READ, + d_tracer, NULL, &ftrace_avail_fops); + +- trace_create_file("enabled_functions", 0444, ++ trace_create_file("enabled_functions", TRACE_MODE_READ, + d_tracer, NULL, &ftrace_enabled_fops); + + ftrace_create_filter_files(&global_ops, d_tracer); + + #ifdef CONFIG_FUNCTION_GRAPH_TRACER +- trace_create_file("set_graph_function", 0644, d_tracer, ++ trace_create_file("set_graph_function", TRACE_MODE_WRITE, d_tracer, + NULL, + &ftrace_graph_fops); +- trace_create_file("set_graph_notrace", 0644, d_tracer, ++ trace_create_file("set_graph_notrace", TRACE_MODE_WRITE, d_tracer, + NULL, + &ftrace_graph_notrace_fops); + #endif /* CONFIG_FUNCTION_GRAPH_TRACER */ +@@ -7494,10 +7495,10 @@ static const struct file_operations ftrace_no_pid_fops = { + + void ftrace_init_tracefs(struct trace_array *tr, struct dentry *d_tracer) + { +- trace_create_file("set_ftrace_pid", 0644, d_tracer, ++ trace_create_file("set_ftrace_pid", TRACE_MODE_WRITE, d_tracer, + tr, &ftrace_pid_fops); +- trace_create_file("set_ftrace_notrace_pid", 0644, d_tracer, +- tr, &ftrace_no_pid_fops); ++ trace_create_file("set_ftrace_notrace_pid", TRACE_MODE_WRITE, ++ d_tracer, tr, &ftrace_no_pid_fops); + } + + void __init ftrace_init_tracefs_toplevel(struct trace_array *tr, +diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c +index bc677cd642240..5e452dd57af01 100644 +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1714,7 +1714,8 @@ static void trace_create_maxlat_file(struct trace_array *tr, + { + INIT_WORK(&tr->fsnotify_work, latency_fsnotify_workfn); + init_irq_work(&tr->fsnotify_irqwork, latency_fsnotify_workfn_irq); +- tr->d_max_latency = trace_create_file("tracing_max_latency", 0644, ++ tr->d_max_latency = trace_create_file("tracing_max_latency", ++ TRACE_MODE_WRITE, + d_tracer, &tr->max_latency, + &tracing_max_lat_fops); + } +@@ -1748,8 +1749,8 @@ void latency_fsnotify(struct trace_array *tr) + || defined(CONFIG_OSNOISE_TRACER) + + #define trace_create_maxlat_file(tr, d_tracer) \ +- trace_create_file("tracing_max_latency", 0644, d_tracer, \ +- &tr->max_latency, &tracing_max_lat_fops) ++ trace_create_file("tracing_max_latency", TRACE_MODE_WRITE, \ ++ d_tracer, &tr->max_latency, &tracing_max_lat_fops) + + #else + #define trace_create_maxlat_file(tr, d_tracer) do { } while (0) +@@ -6077,7 +6078,7 @@ trace_insert_eval_map_file(struct module *mod, struct trace_eval_map **start, + + static void trace_create_eval_file(struct dentry *d_tracer) + { +- trace_create_file("eval_map", 0444, d_tracer, ++ trace_create_file("eval_map", TRACE_MODE_READ, d_tracer, + NULL, &tracing_eval_map_fops); + } + +@@ -8590,27 +8591,27 @@ tracing_init_tracefs_percpu(struct trace_array *tr, long cpu) + } + + /* per cpu trace_pipe */ +- trace_create_cpu_file("trace_pipe", 0444, d_cpu, ++ trace_create_cpu_file("trace_pipe", TRACE_MODE_READ, d_cpu, + tr, cpu, &tracing_pipe_fops); + + /* per cpu trace */ +- trace_create_cpu_file("trace", 0644, d_cpu, ++ trace_create_cpu_file("trace", TRACE_MODE_WRITE, d_cpu, + tr, cpu, &tracing_fops); + +- trace_create_cpu_file("trace_pipe_raw", 0444, d_cpu, ++ trace_create_cpu_file("trace_pipe_raw", TRACE_MODE_READ, d_cpu, + tr, cpu, &tracing_buffers_fops); + +- trace_create_cpu_file("stats", 0444, d_cpu, ++ trace_create_cpu_file("stats", TRACE_MODE_READ, d_cpu, + tr, cpu, &tracing_stats_fops); + +- trace_create_cpu_file("buffer_size_kb", 0444, d_cpu, ++ trace_create_cpu_file("buffer_size_kb", TRACE_MODE_READ, d_cpu, + tr, cpu, &tracing_entries_fops); + + #ifdef CONFIG_TRACER_SNAPSHOT +- trace_create_cpu_file("snapshot", 0644, d_cpu, ++ trace_create_cpu_file("snapshot", TRACE_MODE_WRITE, d_cpu, + tr, cpu, &snapshot_fops); + +- trace_create_cpu_file("snapshot_raw", 0444, d_cpu, ++ trace_create_cpu_file("snapshot_raw", TRACE_MODE_READ, d_cpu, + tr, cpu, &snapshot_raw_fops); + #endif + } +@@ -8816,8 +8817,8 @@ create_trace_option_file(struct trace_array *tr, + topt->opt = opt; + topt->tr = tr; + +- topt->entry = trace_create_file(opt->name, 0644, t_options, topt, +- &trace_options_fops); ++ topt->entry = trace_create_file(opt->name, TRACE_MODE_WRITE, ++ t_options, topt, &trace_options_fops); + + } + +@@ -8892,7 +8893,7 @@ create_trace_option_core_file(struct trace_array *tr, + if (!t_options) + return NULL; + +- return trace_create_file(option, 0644, t_options, ++ return trace_create_file(option, TRACE_MODE_WRITE, t_options, + (void *)&tr->trace_flags_index[index], + &trace_options_core_fops); + } +@@ -9417,28 +9418,28 @@ init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer) + struct trace_event_file *file; + int cpu; + +- trace_create_file("available_tracers", 0444, d_tracer, ++ trace_create_file("available_tracers", TRACE_MODE_READ, d_tracer, + tr, &show_traces_fops); + +- trace_create_file("current_tracer", 0644, d_tracer, ++ trace_create_file("current_tracer", TRACE_MODE_WRITE, d_tracer, + tr, &set_tracer_fops); + +- trace_create_file("tracing_cpumask", 0644, d_tracer, ++ trace_create_file("tracing_cpumask", TRACE_MODE_WRITE, d_tracer, + tr, &tracing_cpumask_fops); + +- trace_create_file("trace_options", 0644, d_tracer, ++ trace_create_file("trace_options", TRACE_MODE_WRITE, d_tracer, + tr, &tracing_iter_fops); + +- trace_create_file("trace", 0644, d_tracer, ++ trace_create_file("trace", TRACE_MODE_WRITE, d_tracer, + tr, &tracing_fops); + +- trace_create_file("trace_pipe", 0444, d_tracer, ++ trace_create_file("trace_pipe", TRACE_MODE_READ, d_tracer, + tr, &tracing_pipe_fops); + +- trace_create_file("buffer_size_kb", 0644, d_tracer, ++ trace_create_file("buffer_size_kb", TRACE_MODE_WRITE, d_tracer, + tr, &tracing_entries_fops); + +- trace_create_file("buffer_total_size_kb", 0444, d_tracer, ++ trace_create_file("buffer_total_size_kb", TRACE_MODE_READ, d_tracer, + tr, &tracing_total_entries_fops); + + trace_create_file("free_buffer", 0200, d_tracer, +@@ -9449,25 +9450,25 @@ init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer) + + file = __find_event_file(tr, "ftrace", "print"); + if (file && file->dir) +- trace_create_file("trigger", 0644, file->dir, file, +- &event_trigger_fops); ++ trace_create_file("trigger", TRACE_MODE_WRITE, file->dir, ++ file, &event_trigger_fops); + tr->trace_marker_file = file; + + trace_create_file("trace_marker_raw", 0220, d_tracer, + tr, &tracing_mark_raw_fops); + +- trace_create_file("trace_clock", 0644, d_tracer, tr, ++ trace_create_file("trace_clock", TRACE_MODE_WRITE, d_tracer, tr, + &trace_clock_fops); + +- trace_create_file("tracing_on", 0644, d_tracer, ++ trace_create_file("tracing_on", TRACE_MODE_WRITE, d_tracer, + tr, &rb_simple_fops); + +- trace_create_file("timestamp_mode", 0444, d_tracer, tr, ++ trace_create_file("timestamp_mode", TRACE_MODE_READ, d_tracer, tr, + &trace_time_stamp_mode_fops); + + tr->buffer_percent = 50; + +- trace_create_file("buffer_percent", 0444, d_tracer, ++ trace_create_file("buffer_percent", TRACE_MODE_READ, d_tracer, + tr, &buffer_percent_fops); + + create_trace_options_dir(tr); +@@ -9478,11 +9479,11 @@ init_tracer_tracefs(struct trace_array *tr, struct dentry *d_tracer) + MEM_FAIL(1, "Could not allocate function filter files"); + + #ifdef CONFIG_TRACER_SNAPSHOT +- trace_create_file("snapshot", 0644, d_tracer, ++ trace_create_file("snapshot", TRACE_MODE_WRITE, d_tracer, + tr, &snapshot_fops); + #endif + +- trace_create_file("error_log", 0644, d_tracer, ++ trace_create_file("error_log", TRACE_MODE_WRITE, d_tracer, + tr, &tracing_err_log_fops); + + for_each_tracing_cpu(cpu) +@@ -9675,19 +9676,19 @@ static __init int tracer_init_tracefs(void) + init_tracer_tracefs(&global_trace, NULL); + ftrace_init_tracefs_toplevel(&global_trace, NULL); + +- trace_create_file("tracing_thresh", 0644, NULL, ++ trace_create_file("tracing_thresh", TRACE_MODE_WRITE, NULL, + &global_trace, &tracing_thresh_fops); + +- trace_create_file("README", 0444, NULL, ++ trace_create_file("README", TRACE_MODE_READ, NULL, + NULL, &tracing_readme_fops); + +- trace_create_file("saved_cmdlines", 0444, NULL, ++ trace_create_file("saved_cmdlines", TRACE_MODE_READ, NULL, + NULL, &tracing_saved_cmdlines_fops); + +- trace_create_file("saved_cmdlines_size", 0644, NULL, ++ trace_create_file("saved_cmdlines_size", TRACE_MODE_WRITE, NULL, + NULL, &tracing_saved_cmdlines_size_fops); + +- trace_create_file("saved_tgids", 0444, NULL, ++ trace_create_file("saved_tgids", TRACE_MODE_READ, NULL, + NULL, &tracing_saved_tgids_fops); + + trace_eval_init(); +@@ -9699,7 +9700,7 @@ static __init int tracer_init_tracefs(void) + #endif + + #ifdef CONFIG_DYNAMIC_FTRACE +- trace_create_file("dyn_ftrace_total_info", 0444, NULL, ++ trace_create_file("dyn_ftrace_total_info", TRACE_MODE_READ, NULL, + NULL, &tracing_dyn_info_fops); + #endif + +diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h +index b7c0f8e160fb4..5c71d32b2860a 100644 +--- a/kernel/trace/trace.h ++++ b/kernel/trace/trace.h +@@ -27,6 +27,9 @@ + #include /* some archs define it here */ + #endif + ++#define TRACE_MODE_WRITE 0640 ++#define TRACE_MODE_READ 0440 ++ + enum trace_type { + __TRACE_FIRST_TYPE = 0, + +diff --git a/kernel/trace/trace_dynevent.c b/kernel/trace/trace_dynevent.c +index 1110112e55bd7..e34e8182ee4b5 100644 +--- a/kernel/trace/trace_dynevent.c ++++ b/kernel/trace/trace_dynevent.c +@@ -262,7 +262,7 @@ static __init int init_dynamic_event(void) + if (ret) + return 0; + +- entry = tracefs_create_file("dynamic_events", 0644, NULL, ++ entry = tracefs_create_file("dynamic_events", TRACE_MODE_WRITE, NULL, + NULL, &dynamic_events_ops); + + /* Event list interface */ +diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c +index 830b3b9940f4c..bb1123ef2a021 100644 +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -2312,7 +2312,8 @@ event_subsystem_dir(struct trace_array *tr, const char *name, + /* the ftrace system is special, do not create enable or filter files */ + if (strcmp(name, "ftrace") != 0) { + +- entry = tracefs_create_file("filter", 0644, dir->entry, dir, ++ entry = tracefs_create_file("filter", TRACE_MODE_WRITE, ++ dir->entry, dir, + &ftrace_subsystem_filter_fops); + if (!entry) { + kfree(system->filter); +@@ -2320,7 +2321,7 @@ event_subsystem_dir(struct trace_array *tr, const char *name, + pr_warn("Could not create tracefs '%s/filter' entry\n", name); + } + +- trace_create_file("enable", 0644, dir->entry, dir, ++ trace_create_file("enable", TRACE_MODE_WRITE, dir->entry, dir, + &ftrace_system_enable_fops); + } + +@@ -2402,12 +2403,12 @@ event_create_dir(struct dentry *parent, struct trace_event_file *file) + } + + if (call->class->reg && !(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE)) +- trace_create_file("enable", 0644, file->dir, file, ++ trace_create_file("enable", TRACE_MODE_WRITE, file->dir, file, + &ftrace_enable_fops); + + #ifdef CONFIG_PERF_EVENTS + if (call->event.type && call->class->reg) +- trace_create_file("id", 0444, file->dir, ++ trace_create_file("id", TRACE_MODE_READ, file->dir, + (void *)(long)call->event.type, + &ftrace_event_id_fops); + #endif +@@ -2423,22 +2424,22 @@ event_create_dir(struct dentry *parent, struct trace_event_file *file) + * triggers or filters. + */ + if (!(call->flags & TRACE_EVENT_FL_IGNORE_ENABLE)) { +- trace_create_file("filter", 0644, file->dir, file, +- &ftrace_event_filter_fops); ++ trace_create_file("filter", TRACE_MODE_WRITE, file->dir, ++ file, &ftrace_event_filter_fops); + +- trace_create_file("trigger", 0644, file->dir, file, +- &event_trigger_fops); ++ trace_create_file("trigger", TRACE_MODE_WRITE, file->dir, ++ file, &event_trigger_fops); + } + + #ifdef CONFIG_HIST_TRIGGERS +- trace_create_file("hist", 0444, file->dir, file, ++ trace_create_file("hist", TRACE_MODE_READ, file->dir, file, + &event_hist_fops); + #endif + #ifdef CONFIG_HIST_TRIGGERS_DEBUG +- trace_create_file("hist_debug", 0444, file->dir, file, ++ trace_create_file("hist_debug", TRACE_MODE_READ, file->dir, file, + &event_hist_debug_fops); + #endif +- trace_create_file("format", 0444, file->dir, call, ++ trace_create_file("format", TRACE_MODE_READ, file->dir, call, + &ftrace_event_format_fops); + + #ifdef CONFIG_TRACE_EVENT_INJECT +@@ -3433,7 +3434,7 @@ create_event_toplevel_files(struct dentry *parent, struct trace_array *tr) + struct dentry *d_events; + struct dentry *entry; + +- entry = tracefs_create_file("set_event", 0644, parent, ++ entry = tracefs_create_file("set_event", TRACE_MODE_WRITE, parent, + tr, &ftrace_set_event_fops); + if (!entry) { + pr_warn("Could not create tracefs 'set_event' entry\n"); +@@ -3446,7 +3447,7 @@ create_event_toplevel_files(struct dentry *parent, struct trace_array *tr) + return -ENOMEM; + } + +- entry = trace_create_file("enable", 0644, d_events, ++ entry = trace_create_file("enable", TRACE_MODE_WRITE, d_events, + tr, &ftrace_tr_enable_fops); + if (!entry) { + pr_warn("Could not create tracefs 'enable' entry\n"); +@@ -3455,24 +3456,25 @@ create_event_toplevel_files(struct dentry *parent, struct trace_array *tr) + + /* There are not as crucial, just warn if they are not created */ + +- entry = tracefs_create_file("set_event_pid", 0644, parent, ++ entry = tracefs_create_file("set_event_pid", TRACE_MODE_WRITE, parent, + tr, &ftrace_set_event_pid_fops); + if (!entry) + pr_warn("Could not create tracefs 'set_event_pid' entry\n"); + +- entry = tracefs_create_file("set_event_notrace_pid", 0644, parent, +- tr, &ftrace_set_event_notrace_pid_fops); ++ entry = tracefs_create_file("set_event_notrace_pid", ++ TRACE_MODE_WRITE, parent, tr, ++ &ftrace_set_event_notrace_pid_fops); + if (!entry) + pr_warn("Could not create tracefs 'set_event_notrace_pid' entry\n"); + + /* ring buffer internal formats */ +- entry = trace_create_file("header_page", 0444, d_events, ++ entry = trace_create_file("header_page", TRACE_MODE_READ, d_events, + ring_buffer_print_page_header, + &ftrace_show_header_fops); + if (!entry) + pr_warn("Could not create tracefs 'header_page' entry\n"); + +- entry = trace_create_file("header_event", 0444, d_events, ++ entry = trace_create_file("header_event", TRACE_MODE_READ, d_events, + ring_buffer_print_entry_header, + &ftrace_show_header_fops); + if (!entry) +@@ -3689,8 +3691,8 @@ __init int event_trace_init(void) + if (!tr) + return -ENODEV; + +- entry = tracefs_create_file("available_events", 0444, NULL, +- tr, &ftrace_avail_fops); ++ entry = tracefs_create_file("available_events", TRACE_MODE_READ, ++ NULL, tr, &ftrace_avail_fops); + if (!entry) + pr_warn("Could not create tracefs 'available_events' entry\n"); + +diff --git a/kernel/trace/trace_events_synth.c b/kernel/trace/trace_events_synth.c +index d54094b7a9d75..22db3ce95e74f 100644 +--- a/kernel/trace/trace_events_synth.c ++++ b/kernel/trace/trace_events_synth.c +@@ -2227,8 +2227,8 @@ static __init int trace_events_synth_init(void) + if (err) + goto err; + +- entry = tracefs_create_file("synthetic_events", 0644, NULL, +- NULL, &synth_events_fops); ++ entry = tracefs_create_file("synthetic_events", TRACE_MODE_WRITE, ++ NULL, NULL, &synth_events_fops); + if (!entry) { + err = -ENODEV; + goto err; +diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c +index 0de6837722da5..6b5ff3ba4251f 100644 +--- a/kernel/trace/trace_functions_graph.c ++++ b/kernel/trace/trace_functions_graph.c +@@ -1340,7 +1340,7 @@ static __init int init_graph_tracefs(void) + if (ret) + return 0; + +- trace_create_file("max_graph_depth", 0644, NULL, ++ trace_create_file("max_graph_depth", TRACE_MODE_WRITE, NULL, + NULL, &graph_depth_fops); + + return 0; +diff --git a/kernel/trace/trace_hwlat.c b/kernel/trace/trace_hwlat.c +index 1b83d75eb103b..d0a730d99a331 100644 +--- a/kernel/trace/trace_hwlat.c ++++ b/kernel/trace/trace_hwlat.c +@@ -782,21 +782,21 @@ static int init_tracefs(void) + if (!top_dir) + return -ENOMEM; + +- hwlat_sample_window = tracefs_create_file("window", 0640, ++ hwlat_sample_window = tracefs_create_file("window", TRACE_MODE_WRITE, + top_dir, + &hwlat_window, + &trace_min_max_fops); + if (!hwlat_sample_window) + goto err; + +- hwlat_sample_width = tracefs_create_file("width", 0644, ++ hwlat_sample_width = tracefs_create_file("width", TRACE_MODE_WRITE, + top_dir, + &hwlat_width, + &trace_min_max_fops); + if (!hwlat_sample_width) + goto err; + +- hwlat_thread_mode = trace_create_file("mode", 0644, ++ hwlat_thread_mode = trace_create_file("mode", TRACE_MODE_WRITE, + top_dir, + NULL, + &thread_mode_fops); +diff --git a/kernel/trace/trace_kprobe.c b/kernel/trace/trace_kprobe.c +index 3a64ba4bbad6f..92caef33b68c2 100644 +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -1925,16 +1925,16 @@ static __init int init_kprobe_trace(void) + if (ret) + return 0; + +- entry = tracefs_create_file("kprobe_events", 0644, NULL, +- NULL, &kprobe_events_ops); ++ entry = tracefs_create_file("kprobe_events", TRACE_MODE_WRITE, ++ NULL, NULL, &kprobe_events_ops); + + /* Event list interface */ + if (!entry) + pr_warn("Could not create tracefs 'kprobe_events' entry\n"); + + /* Profile interface */ +- entry = tracefs_create_file("kprobe_profile", 0444, NULL, +- NULL, &kprobe_profile_ops); ++ entry = tracefs_create_file("kprobe_profile", TRACE_MODE_READ, ++ NULL, NULL, &kprobe_profile_ops); + + if (!entry) + pr_warn("Could not create tracefs 'kprobe_profile' entry\n"); +diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c +index ce053619f289e..c4f14fb98aaac 100644 +--- a/kernel/trace/trace_osnoise.c ++++ b/kernel/trace/trace_osnoise.c +@@ -1856,38 +1856,38 @@ static int init_tracefs(void) + if (!top_dir) + return 0; + +- tmp = tracefs_create_file("period_us", 0640, top_dir, ++ tmp = tracefs_create_file("period_us", TRACE_MODE_WRITE, top_dir, + &osnoise_period, &trace_min_max_fops); + if (!tmp) + goto err; + +- tmp = tracefs_create_file("runtime_us", 0644, top_dir, ++ tmp = tracefs_create_file("runtime_us", TRACE_MODE_WRITE, top_dir, + &osnoise_runtime, &trace_min_max_fops); + if (!tmp) + goto err; + +- tmp = tracefs_create_file("stop_tracing_us", 0640, top_dir, ++ tmp = tracefs_create_file("stop_tracing_us", TRACE_MODE_WRITE, top_dir, + &osnoise_stop_tracing_in, &trace_min_max_fops); + if (!tmp) + goto err; + +- tmp = tracefs_create_file("stop_tracing_total_us", 0640, top_dir, ++ tmp = tracefs_create_file("stop_tracing_total_us", TRACE_MODE_WRITE, top_dir, + &osnoise_stop_tracing_total, &trace_min_max_fops); + if (!tmp) + goto err; + +- tmp = trace_create_file("cpus", 0644, top_dir, NULL, &cpus_fops); ++ tmp = trace_create_file("cpus", TRACE_MODE_WRITE, top_dir, NULL, &cpus_fops); + if (!tmp) + goto err; + #ifdef CONFIG_TIMERLAT_TRACER + #ifdef CONFIG_STACKTRACE +- tmp = tracefs_create_file("print_stack", 0640, top_dir, ++ tmp = tracefs_create_file("print_stack", TRACE_MODE_WRITE, top_dir, + &osnoise_print_stack, &trace_min_max_fops); + if (!tmp) + goto err; + #endif + +- tmp = tracefs_create_file("timerlat_period_us", 0640, top_dir, ++ tmp = tracefs_create_file("timerlat_period_us", TRACE_MODE_WRITE, top_dir, + &timerlat_period, &trace_min_max_fops); + if (!tmp) + goto err; +diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c +index 4b320fe7df704..29f6e95439b67 100644 +--- a/kernel/trace/trace_printk.c ++++ b/kernel/trace/trace_printk.c +@@ -384,7 +384,7 @@ static __init int init_trace_printk_function_export(void) + if (ret) + return 0; + +- trace_create_file("printk_formats", 0444, NULL, ++ trace_create_file("printk_formats", TRACE_MODE_READ, NULL, + NULL, &ftrace_formats_fops); + + return 0; +diff --git a/kernel/trace/trace_recursion_record.c b/kernel/trace/trace_recursion_record.c +index b2edac1fe156e..4d4b78c8ca257 100644 +--- a/kernel/trace/trace_recursion_record.c ++++ b/kernel/trace/trace_recursion_record.c +@@ -226,8 +226,8 @@ __init static int create_recursed_functions(void) + { + struct dentry *dentry; + +- dentry = trace_create_file("recursed_functions", 0644, NULL, NULL, +- &recursed_functions_fops); ++ dentry = trace_create_file("recursed_functions", TRACE_MODE_WRITE, ++ NULL, NULL, &recursed_functions_fops); + if (!dentry) + pr_warn("WARNING: Failed to create recursed_functions\n"); + return 0; +diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c +index 63c2850420516..5a48dba912eae 100644 +--- a/kernel/trace/trace_stack.c ++++ b/kernel/trace/trace_stack.c +@@ -559,14 +559,14 @@ static __init int stack_trace_init(void) + if (ret) + return 0; + +- trace_create_file("stack_max_size", 0644, NULL, ++ trace_create_file("stack_max_size", TRACE_MODE_WRITE, NULL, + &stack_trace_max_size, &stack_max_size_fops); + +- trace_create_file("stack_trace", 0444, NULL, ++ trace_create_file("stack_trace", TRACE_MODE_READ, NULL, + NULL, &stack_trace_fops); + + #ifdef CONFIG_DYNAMIC_FTRACE +- trace_create_file("stack_trace_filter", 0644, NULL, ++ trace_create_file("stack_trace_filter", TRACE_MODE_WRITE, NULL, + &trace_ops, &stack_trace_filter_fops); + #endif + +diff --git a/kernel/trace/trace_stat.c b/kernel/trace/trace_stat.c +index 8d141c3825a94..bb247beec4470 100644 +--- a/kernel/trace/trace_stat.c ++++ b/kernel/trace/trace_stat.c +@@ -297,9 +297,9 @@ static int init_stat_file(struct stat_session *session) + if (!stat_dir && (ret = tracing_stat_init())) + return ret; + +- session->file = tracefs_create_file(session->ts->name, 0644, +- stat_dir, +- session, &tracing_stat_fops); ++ session->file = tracefs_create_file(session->ts->name, TRACE_MODE_WRITE, ++ stat_dir, session, ++ &tracing_stat_fops); + if (!session->file) + return -ENOMEM; + return 0; +diff --git a/kernel/trace/trace_uprobe.c b/kernel/trace/trace_uprobe.c +index 225ce569bf8f8..0a5c0db3137ee 100644 +--- a/kernel/trace/trace_uprobe.c ++++ b/kernel/trace/trace_uprobe.c +@@ -1655,10 +1655,10 @@ static __init int init_uprobe_trace(void) + if (ret) + return 0; + +- trace_create_file("uprobe_events", 0644, NULL, ++ trace_create_file("uprobe_events", TRACE_MODE_WRITE, NULL, + NULL, &uprobe_events_ops); + /* Profile interface */ +- trace_create_file("uprobe_profile", 0444, NULL, ++ trace_create_file("uprobe_profile", TRACE_MODE_READ, NULL, + NULL, &uprobe_profile_ops); + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/tracing-fix-missing-trace_boot_init_histograms-kstrd.patch b/queue-5.15/tracing-fix-missing-trace_boot_init_histograms-kstrd.patch new file mode 100644 index 00000000000..db04a7915d0 --- /dev/null +++ b/queue-5.15/tracing-fix-missing-trace_boot_init_histograms-kstrd.patch @@ -0,0 +1,48 @@ +From f5ad30caaffffebb5608d49ee9212abe849fc77c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 15:55:50 -0400 +Subject: tracing: Fix missing trace_boot_init_histograms kstrdup NULL checks + +From: Mathieu Desnoyers + +[ Upstream commit 3c20bd3af535d64771b193bb4dd41ed662c464ce ] + +trace_boot_init_histograms misses NULL pointer checks for kstrdup +failure. + +Link: https://lkml.kernel.org/r/20211015195550.22742-1-mathieu.desnoyers@efficios.com + +Fixes: 64dc7f6958ef5 ("tracing/boot: Show correct histogram error command") +Acked-by: Masami Hiramatsu +Signed-off-by: Mathieu Desnoyers +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_boot.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/trace/trace_boot.c b/kernel/trace/trace_boot.c +index 8d252f63cd784..0580287d7a0d1 100644 +--- a/kernel/trace/trace_boot.c ++++ b/kernel/trace/trace_boot.c +@@ -430,6 +430,8 @@ trace_boot_init_histograms(struct trace_event_file *file, + /* All digit started node should be instances. */ + if (trace_boot_compose_hist_cmd(node, buf, size) == 0) { + tmp = kstrdup(buf, GFP_KERNEL); ++ if (!tmp) ++ return; + if (trigger_process_regex(file, buf) < 0) + pr_err("Failed to apply hist trigger: %s\n", tmp); + kfree(tmp); +@@ -439,6 +441,8 @@ trace_boot_init_histograms(struct trace_event_file *file, + if (xbc_node_find_subkey(hnode, "keys")) { + if (trace_boot_compose_hist_cmd(hnode, buf, size) == 0) { + tmp = kstrdup(buf, GFP_KERNEL); ++ if (!tmp) ++ return; + if (trigger_process_regex(file, buf) < 0) + pr_err("Failed to apply hist trigger: %s\n", tmp); + kfree(tmp); +-- +2.33.0 + diff --git a/queue-5.15/udp6-allow-so_mark-ctrl-msg-to-affect-routing.patch b/queue-5.15/udp6-allow-so_mark-ctrl-msg-to-affect-routing.patch new file mode 100644 index 00000000000..2c0cc288618 --- /dev/null +++ b/queue-5.15/udp6-allow-so_mark-ctrl-msg-to-affect-routing.patch @@ -0,0 +1,49 @@ +From 4af72670c390fe131a620f0fcfe62b4f36564ff2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Oct 2021 08:51:34 -0700 +Subject: udp6: allow SO_MARK ctrl msg to affect routing + +From: Jakub Kicinski + +[ Upstream commit 42dcfd850e514b229d616a53dec06d0f2533217c ] + +Commit c6af0c227a22 ("ip: support SO_MARK cmsg") +added propagation of SO_MARK from cmsg to skb->mark. +For IPv4 and raw sockets the mark also affects route +lookup, but in case of IPv6 the flow info is +initialized before cmsg is parsed. + +Fixes: c6af0c227a22 ("ip: support SO_MARK cmsg") +Reported-and-tested-by: Xintong Hu +Signed-off-by: Jakub Kicinski +Reviewed-by: David Ahern +Reviewed-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/udp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 8d785232b4796..be6dc64ece29f 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -1435,7 +1435,6 @@ do_udp_sendmsg: + if (!fl6.flowi6_oif) + fl6.flowi6_oif = np->sticky_pktinfo.ipi6_ifindex; + +- fl6.flowi6_mark = ipc6.sockc.mark; + fl6.flowi6_uid = sk->sk_uid; + + if (msg->msg_controllen) { +@@ -1471,6 +1470,7 @@ do_udp_sendmsg: + ipc6.opt = opt; + + fl6.flowi6_proto = sk->sk_protocol; ++ fl6.flowi6_mark = ipc6.sockc.mark; + fl6.daddr = *daddr; + if (ipv6_addr_any(&fl6.saddr) && !ipv6_addr_any(&np->saddr)) + fl6.saddr = np->saddr; +-- +2.33.0 + diff --git a/queue-5.15/usb-dwc2-drd-fix-dwc2_drd_role_sw_set-when-clock-cou.patch b/queue-5.15/usb-dwc2-drd-fix-dwc2_drd_role_sw_set-when-clock-cou.patch new file mode 100644 index 00000000000..1223233cea0 --- /dev/null +++ b/queue-5.15/usb-dwc2-drd-fix-dwc2_drd_role_sw_set-when-clock-cou.patch @@ -0,0 +1,74 @@ +From fbbfcf16d6bc28bf8c942f083a26c8bedcadf096 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 11:53:04 +0200 +Subject: usb: dwc2: drd: fix dwc2_drd_role_sw_set when clock could be disabled + +From: Amelie Delaunay + +[ Upstream commit 8d387f61b0240854e81450c261beb775065bad5d ] + +In case of USB_DR_MODE_PERIPHERAL, the OTG clock is disabled at the end of +the probe (it is not the case if USB_DR_MODE_HOST or USB_DR_MODE_OTG). +The clock is then enabled on udc_start. +If dwc2_drd_role_sw_set is called before udc_start (it is the case if the +usb cable is plugged at boot), GOTGCTL and GUSBCFG registers cannot be +read/written, so session cannot be overridden. +To avoid this case, check the ll_hw_enabled value and enable the clock if +it is available, and disable it after the override. + +Fixes: 17f934024e84 ("usb: dwc2: override PHY input signals with usb role switch support") +Acked-by: Minas Harutyunyan +Signed-off-by: Amelie Delaunay +Link: https://lore.kernel.org/r/20211005095305.66397-3-amelie.delaunay@foss.st.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/drd.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/usb/dwc2/drd.c b/drivers/usb/dwc2/drd.c +index 80eae88d76dda..99672360f34b0 100644 +--- a/drivers/usb/dwc2/drd.c ++++ b/drivers/usb/dwc2/drd.c +@@ -7,6 +7,7 @@ + * Author(s): Amelie Delaunay + */ + ++#include + #include + #include + #include +@@ -86,6 +87,20 @@ static int dwc2_drd_role_sw_set(struct usb_role_switch *sw, enum usb_role role) + } + #endif + ++ /* ++ * In case of USB_DR_MODE_PERIPHERAL, clock is disabled at the end of ++ * the probe and enabled on udc_start. ++ * If role-switch set is called before the udc_start, we need to enable ++ * the clock to read/write GOTGCTL and GUSBCFG registers to override ++ * mode and sessions. It is the case if cable is plugged at boot. ++ */ ++ if (!hsotg->ll_hw_enabled && hsotg->clk) { ++ int ret = clk_prepare_enable(hsotg->clk); ++ ++ if (ret) ++ return ret; ++ } ++ + spin_lock_irqsave(&hsotg->lock, flags); + + if (role == USB_ROLE_HOST) { +@@ -110,6 +125,9 @@ static int dwc2_drd_role_sw_set(struct usb_role_switch *sw, enum usb_role role) + /* This will raise a Connector ID Status Change Interrupt */ + dwc2_force_mode(hsotg, role == USB_ROLE_HOST); + ++ if (!hsotg->ll_hw_enabled && hsotg->clk) ++ clk_disable_unprepare(hsotg->clk); ++ + dev_dbg(hsotg->dev, "%s-session valid\n", + role == USB_ROLE_NONE ? "No" : + role == USB_ROLE_HOST ? "A" : "B"); +-- +2.33.0 + diff --git a/queue-5.15/usb-dwc2-drd-fix-dwc2_force_mode-call-in-dwc2_ovr_in.patch b/queue-5.15/usb-dwc2-drd-fix-dwc2_force_mode-call-in-dwc2_ovr_in.patch new file mode 100644 index 00000000000..c5fbd12813b --- /dev/null +++ b/queue-5.15/usb-dwc2-drd-fix-dwc2_force_mode-call-in-dwc2_ovr_in.patch @@ -0,0 +1,48 @@ +From 22789f6268efe5573f9a38a9cd5856d7f0cee8d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 11:53:03 +0200 +Subject: usb: dwc2: drd: fix dwc2_force_mode call in dwc2_ovr_init + +From: Amelie Delaunay + +[ Upstream commit b2cab2a24fb5d13ce1d384ecfb6de827fa08a048 ] + +Instead of forcing the role to Device, check the dr_mode configuration. +If the core is Host only, force the mode to Host, this to avoid the +dwc2_force_mode warning: +WARNING: CPU: 1 PID: 21 at drivers/usb/dwc2/core.c:615 dwc2_drd_init+0x104/0x17c + +When forcing mode to Host, dwc2_force_mode may sleep the time the host +role is applied. To avoid sleeping while atomic context, move the call +to dwc2_force_mode after spin_unlock_irqrestore. It is safe, as +interrupts are not yet unmasked here. + +Fixes: 17f934024e84 ("usb: dwc2: override PHY input signals with usb role switch support") +Acked-by: Minas Harutyunyan +Signed-off-by: Amelie Delaunay +Link: https://lore.kernel.org/r/20211005095305.66397-2-amelie.delaunay@foss.st.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/drd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc2/drd.c b/drivers/usb/dwc2/drd.c +index 2d4176f5788eb..80eae88d76dda 100644 +--- a/drivers/usb/dwc2/drd.c ++++ b/drivers/usb/dwc2/drd.c +@@ -25,9 +25,9 @@ static void dwc2_ovr_init(struct dwc2_hsotg *hsotg) + gotgctl &= ~(GOTGCTL_BVALOVAL | GOTGCTL_AVALOVAL | GOTGCTL_VBVALOVAL); + dwc2_writel(hsotg, gotgctl, GOTGCTL); + +- dwc2_force_mode(hsotg, false); +- + spin_unlock_irqrestore(&hsotg->lock, flags); ++ ++ dwc2_force_mode(hsotg, (hsotg->dr_mode == USB_DR_MODE_HOST)); + } + + static int dwc2_ovr_avalid(struct dwc2_hsotg *hsotg, bool valid) +-- +2.33.0 + diff --git a/queue-5.15/usb-dwc2-drd-reset-current-session-before-setting-th.patch b/queue-5.15/usb-dwc2-drd-reset-current-session-before-setting-th.patch new file mode 100644 index 00000000000..9f6393c4b22 --- /dev/null +++ b/queue-5.15/usb-dwc2-drd-reset-current-session-before-setting-th.patch @@ -0,0 +1,48 @@ +From 161c70c349bf21388597fd3b1c0f15e8b47767cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 11:53:05 +0200 +Subject: usb: dwc2: drd: reset current session before setting the new one + +From: Amelie Delaunay + +[ Upstream commit 1ad707f559f7cb12c64f3d7cb37f0b1ea27c1058 ] + +If role is changed without the "none" step, A- and B- valid session could +be set at the same time. It is an issue. +This patch resets A-session if role switch sets B-session, and resets +B-session if role switch sets A-session. +Then, it is possible to change the role without the "none" step. + +Fixes: 17f934024e84 ("usb: dwc2: override PHY input signals with usb role switch support") +Acked-by: Minas Harutyunyan +Signed-off-by: Amelie Delaunay +Link: https://lore.kernel.org/r/20211005095305.66397-4-amelie.delaunay@foss.st.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/drd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/dwc2/drd.c b/drivers/usb/dwc2/drd.c +index 99672360f34b0..aa6eb76f64ddc 100644 +--- a/drivers/usb/dwc2/drd.c ++++ b/drivers/usb/dwc2/drd.c +@@ -40,6 +40,7 @@ static int dwc2_ovr_avalid(struct dwc2_hsotg *hsotg, bool valid) + (!valid && !(gotgctl & GOTGCTL_ASESVLD))) + return -EALREADY; + ++ gotgctl &= ~GOTGCTL_BVALOVAL; + if (valid) + gotgctl |= GOTGCTL_AVALOVAL | GOTGCTL_VBVALOVAL; + else +@@ -58,6 +59,7 @@ static int dwc2_ovr_bvalid(struct dwc2_hsotg *hsotg, bool valid) + (!valid && !(gotgctl & GOTGCTL_BSESVLD))) + return -EALREADY; + ++ gotgctl &= ~GOTGCTL_AVALOVAL; + if (valid) + gotgctl |= GOTGCTL_BVALOVAL | GOTGCTL_VBVALOVAL; + else +-- +2.33.0 + diff --git a/queue-5.15/usb-dwc3-gadget-skip-resizing-ep-s-tx-fifo-if-alread.patch b/queue-5.15/usb-dwc3-gadget-skip-resizing-ep-s-tx-fifo-if-alread.patch new file mode 100644 index 00000000000..c22c1835228 --- /dev/null +++ b/queue-5.15/usb-dwc3-gadget-skip-resizing-ep-s-tx-fifo-if-alread.patch @@ -0,0 +1,105 @@ +From a01514383948cd7c7cf9c7ea62c9f41db938fcd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 11:01:28 -0700 +Subject: usb: dwc3: gadget: Skip resizing EP's TX FIFO if already resized + +From: Jack Pham + +[ Upstream commit 876a75cb520f5869533a30a6ca01545ec817b7a0 ] + +Some functions may dynamically enable and disable their endpoints +regularly throughout their operation, particularly when Set Interface +is employed to switch between Alternate Settings. For instance the +UAC2 function has its respective endpoints for playback & capture +associated with AltSetting 1, in which case those endpoints would not +get enabled until the host activates the AltSetting. And they +conversely become disabled when the interfaces' AltSetting 0 is +chosen. + +With the DWC3 FIFO resizing algorithm recently added, every +usb_ep_enable() call results in a call to resize that EP's TXFIFO, +but if the same endpoint is enabled again and again, this incorrectly +leads to FIFO RAM allocation exhaustion as the mechanism did not +account for the possibility that endpoints can be re-enabled many +times. + +Example log splat: + + dwc3 a600000.dwc3: Fifosize(3717) > RAM size(3462) ep3in depth:217973127 + configfs-gadget gadget: u_audio_start_capture:521 Error! + dwc3 a600000.dwc3: request 000000000be13e18 was not queued to ep3in + +Add another bit DWC3_EP_TXFIFO_RESIZED to dep->flags to keep track of +whether an EP had already been resized in the current configuration. +If so, bail out of dwc3_gadget_resize_tx_fifos() to avoid the +calculation error resulting from accumulating the EP's FIFO depth +repeatedly. This flag is retained across multiple ep_disable() and +ep_enable() calls and is cleared when GTXFIFOSIZn is reset in +dwc3_gadget_clear_tx_fifos() upon receiving the next Set Config. + +Fixes: 9f607a309fbe9 ("usb: dwc3: Resize TX FIFOs to meet EP bursting requirements") +Reviewed-by: Thinh Nguyen +Signed-off-by: Jack Pham +Link: https://lore.kernel.org/r/20211021180129.27938-1-jackp@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/core.h | 1 + + drivers/usb/dwc3/gadget.c | 8 +++++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h +index 5612bfdf37da9..0c100901a7845 100644 +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -723,6 +723,7 @@ struct dwc3_ep { + #define DWC3_EP_FORCE_RESTART_STREAM BIT(9) + #define DWC3_EP_FIRST_STREAM_PRIMED BIT(10) + #define DWC3_EP_PENDING_CLEAR_STALL BIT(11) ++#define DWC3_EP_TXFIFO_RESIZED BIT(12) + + /* This last one is specific to EP0 */ + #define DWC3_EP0_DIR_IN BIT(31) +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 4519d06c9ca2b..ed97e47d32613 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -702,6 +702,7 @@ void dwc3_gadget_clear_tx_fifos(struct dwc3 *dwc) + DWC31_GTXFIFOSIZ_TXFRAMNUM; + + dwc3_writel(dwc->regs, DWC3_GTXFIFOSIZ(num >> 1), size); ++ dep->flags &= ~DWC3_EP_TXFIFO_RESIZED; + } + dwc->num_ep_resized = 0; + } +@@ -747,6 +748,10 @@ static int dwc3_gadget_resize_tx_fifos(struct dwc3_ep *dep) + if (!usb_endpoint_dir_in(dep->endpoint.desc) || dep->number <= 1) + return 0; + ++ /* bail if already resized */ ++ if (dep->flags & DWC3_EP_TXFIFO_RESIZED) ++ return 0; ++ + ram1_depth = DWC3_RAM1_DEPTH(dwc->hwparams.hwparams7); + + if ((dep->endpoint.maxburst > 1 && +@@ -807,6 +812,7 @@ static int dwc3_gadget_resize_tx_fifos(struct dwc3_ep *dep) + } + + dwc3_writel(dwc->regs, DWC3_GTXFIFOSIZ(dep->number >> 1), fifo_size); ++ dep->flags |= DWC3_EP_TXFIFO_RESIZED; + dwc->num_ep_resized++; + + return 0; +@@ -995,7 +1001,7 @@ static int __dwc3_gadget_ep_disable(struct dwc3_ep *dep) + + dep->stream_capable = false; + dep->type = 0; +- dep->flags = 0; ++ dep->flags &= DWC3_EP_TXFIFO_RESIZED; + + return 0; + } +-- +2.33.0 + diff --git a/queue-5.15/usb-gadget-hid-fix-error-code-in-do_config.patch b/queue-5.15/usb-gadget-hid-fix-error-code-in-do_config.patch new file mode 100644 index 00000000000..6a5be1c58ba --- /dev/null +++ b/queue-5.15/usb-gadget-hid-fix-error-code-in-do_config.patch @@ -0,0 +1,40 @@ +From c32e24a8eace73c202efb450273984b382ee44f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 15:37:39 +0300 +Subject: usb: gadget: hid: fix error code in do_config() + +From: Dan Carpenter + +[ Upstream commit 68e7c510fdf4f6167404609da52e1979165649f6 ] + +Return an error code if usb_get_function() fails. Don't return success. + +Fixes: 4bc8a33f2407 ("usb: gadget: hid: convert to new interface of f_hid") +Acked-by: Felipe Balbi +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211011123739.GC15188@kili +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/legacy/hid.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/legacy/hid.c b/drivers/usb/gadget/legacy/hid.c +index 5b27d289443fe..3912cc805f3af 100644 +--- a/drivers/usb/gadget/legacy/hid.c ++++ b/drivers/usb/gadget/legacy/hid.c +@@ -99,8 +99,10 @@ static int do_config(struct usb_configuration *c) + + list_for_each_entry(e, &hidg_func_list, node) { + e->f = usb_get_function(e->fi); +- if (IS_ERR(e->f)) ++ if (IS_ERR(e->f)) { ++ status = PTR_ERR(e->f); + goto put; ++ } + status = usb_add_function(c, e->f); + if (status < 0) { + usb_put_function(e->f); +-- +2.33.0 + diff --git a/queue-5.15/usb-musb-select-generic_phy-instead-of-depending-on-.patch b/queue-5.15/usb-musb-select-generic_phy-instead-of-depending-on-.patch new file mode 100644 index 00000000000..8287f70f917 --- /dev/null +++ b/queue-5.15/usb-musb-select-generic_phy-instead-of-depending-on-.patch @@ -0,0 +1,47 @@ +From 945967ba49e25b4c3e2d32a8758c09abdf673551 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Oct 2021 16:57:47 -0700 +Subject: usb: musb: select GENERIC_PHY instead of depending on it + +From: Randy Dunlap + +[ Upstream commit fde1fbedbaed4e76cef4600d775b185f59b9b568 ] + +The kconfig symbol GENERIC_PHY says: + All the users of this framework should select this config. +and around 136 out of 138 drivers do so, so change USB_MUSB_MEDIATEK +to do so also. + +This (also) fixes a long circular dependency problem for an upcoming +patch. + +Fixes: 0990366bab3c ("usb: musb: Add support for MediaTek musb controller") +Cc: Bin Liu +Cc: Min Guo +Cc: Yonglong Wu +Cc: Greg Kroah-Hartman +Cc: linux-mediatek@lists.infradead.org +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20211005235747.5588-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/musb/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/musb/Kconfig b/drivers/usb/musb/Kconfig +index 8de143807c1ae..4d61df6a9b5c8 100644 +--- a/drivers/usb/musb/Kconfig ++++ b/drivers/usb/musb/Kconfig +@@ -120,7 +120,7 @@ config USB_MUSB_MEDIATEK + tristate "MediaTek platforms" + depends on ARCH_MEDIATEK || COMPILE_TEST + depends on NOP_USB_XCEIV +- depends on GENERIC_PHY ++ select GENERIC_PHY + select USB_ROLE_SWITCH + + comment "MUSB DMA mode" +-- +2.33.0 + diff --git a/queue-5.15/usb-typec-stusb160x-should-select-regmap_i2c.patch b/queue-5.15/usb-typec-stusb160x-should-select-regmap_i2c.patch new file mode 100644 index 00000000000..bf8c02fc846 --- /dev/null +++ b/queue-5.15/usb-typec-stusb160x-should-select-regmap_i2c.patch @@ -0,0 +1,50 @@ +From 64c4c07e1c43a8fb340d4876202f97e0e7a89fae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 18:36:09 -0700 +Subject: usb: typec: STUSB160X should select REGMAP_I2C + +From: Randy Dunlap + +[ Upstream commit 8ef1e58783b9f55daa4a865c7801dc75cbeb8260 ] + +REGMAP_I2C is not a user visible kconfig symbol so driver configs +should not "depend on" it. They should depend on I2C and then +select REGMAP_I2C. + +If this worked, it was only because some other driver had set/enabled +REGMAP_I2C. + +Fixes: da0cb6310094 ("usb: typec: add support for STUSB160x Type-C controller family") +Cc: Heikki Krogerus +Cc: Amelie Delaunay +Cc: Greg Kroah-Hartman +Cc: linux-usb@vger.kernel.org +Reviewed-by: Amelie Delaunay +Reviewed-by: Heikki Krogerus +Signed-off-by: Randy Dunlap +Link: https://lore.kernel.org/r/20211015013609.7300-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/Kconfig | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/typec/Kconfig b/drivers/usb/typec/Kconfig +index a0418f23b4aae..ab480f38523aa 100644 +--- a/drivers/usb/typec/Kconfig ++++ b/drivers/usb/typec/Kconfig +@@ -65,9 +65,9 @@ config TYPEC_HD3SS3220 + + config TYPEC_STUSB160X + tristate "STMicroelectronics STUSB160x Type-C controller driver" +- depends on I2C +- depends on REGMAP_I2C + depends on USB_ROLE_SWITCH || !USB_ROLE_SWITCH ++ depends on I2C ++ select REGMAP_I2C + help + Say Y or M here if your system has STMicroelectronics STUSB160x + Type-C port controller. +-- +2.33.0 + diff --git a/queue-5.15/vdpa-mlx5-fix-clearing-of-virtio_net_f_mac-feature-b.patch b/queue-5.15/vdpa-mlx5-fix-clearing-of-virtio_net_f_mac-feature-b.patch new file mode 100644 index 00000000000..04fad314ec8 --- /dev/null +++ b/queue-5.15/vdpa-mlx5-fix-clearing-of-virtio_net_f_mac-feature-b.patch @@ -0,0 +1,45 @@ +From 60dd97215f7f222a9ddc1f157e8983f805820820 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 20:55:17 +0300 +Subject: vdpa/mlx5: Fix clearing of VIRTIO_NET_F_MAC feature bit + +From: Parav Pandit + +[ Upstream commit ef76eb83a17e803a66b64ac95b36ae48b3d17c22 ] + +Cited patch in the fixes tag clears the features bit during reset. +mlx5 vdpa device feature bits are static decided by device capabilities. +These feature bits (including VIRTIO_NET_F_MAC) are initialized during +device addition time. + +Clearing features bit in reset callback cleared the VIRTIO_NET_F_MAC. Due +to this, MAC address provided by the device is not honored. + +Fix it by not clearing the static feature bits during reset. + +Fixes: 0686082dbf7a ("vdpa: Add reset callback in vdpa_config_ops") +Signed-off-by: Parav Pandit +Reviewed-by: Eli Cohen +Link: https://lore.kernel.org/r/20211026175519.87795-7-parav@nvidia.com +Signed-off-by: Michael S. Tsirkin +Acked-by: Jason Wang +Signed-off-by: Sasha Levin +--- + drivers/vdpa/mlx5/net/mlx5_vnet.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/vdpa/mlx5/net/mlx5_vnet.c b/drivers/vdpa/mlx5/net/mlx5_vnet.c +index bd56de7484dcb..ae85d2dd6eb76 100644 +--- a/drivers/vdpa/mlx5/net/mlx5_vnet.c ++++ b/drivers/vdpa/mlx5/net/mlx5_vnet.c +@@ -2192,7 +2192,6 @@ static int mlx5_vdpa_reset(struct vdpa_device *vdev) + clear_vqs_ready(ndev); + mlx5_vdpa_destroy_mr(&ndev->mvdev); + ndev->mvdev.status = 0; +- ndev->mvdev.mlx_features = 0; + memset(ndev->event_cbs, 0, sizeof(ndev->event_cbs)); + ndev->mvdev.actual_features = 0; + ++mvdev->generation; +-- +2.33.0 + diff --git a/queue-5.15/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch b/queue-5.15/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch new file mode 100644 index 00000000000..1b099cbe195 --- /dev/null +++ b/queue-5.15/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch @@ -0,0 +1,84 @@ +From 628d7340ad21d5f6a5e35055c6054167867e4004 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 15:34:35 +0200 +Subject: video: fbdev: chipsfb: use memset_io() instead of memset() + +From: Christophe Leroy + +[ Upstream commit f2719b26ae27282c145202ffd656d5ff1fe737cc ] + +While investigating a lockup at startup on Powerbook 3400C, it was +identified that the fbdev driver generates alignment exception at +startup: + + --- interrupt: 600 at memset+0x60/0xc0 + NIP: c0021414 LR: c03fc49c CTR: 00007fff + REGS: ca021c10 TRAP: 0600 Tainted: G W (5.14.2-pmac-00727-g12a41fa69492) + MSR: 00009032 CR: 44008442 XER: 20000100 + DAR: cab80020 DSISR: 00017c07 + GPR00: 00000007 ca021cd0 c14412e0 cab80000 00000000 00100000 cab8001c 00000004 + GPR08: 00100000 00007fff 00000000 00000000 84008442 00000000 c0006fb4 00000000 + GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00100000 + GPR24: 00000000 81800000 00000320 c15fa400 c14d1878 00000000 c14d1800 c094e19c + NIP [c0021414] memset+0x60/0xc0 + LR [c03fc49c] chipsfb_pci_init+0x160/0x580 + --- interrupt: 600 + [ca021cd0] [c03fc46c] chipsfb_pci_init+0x130/0x580 (unreliable) + [ca021d20] [c03a3a70] pci_device_probe+0xf8/0x1b8 + [ca021d50] [c043d584] really_probe.part.0+0xac/0x388 + [ca021d70] [c043d914] __driver_probe_device+0xb4/0x170 + [ca021d90] [c043da18] driver_probe_device+0x48/0x144 + [ca021dc0] [c043e318] __driver_attach+0x11c/0x1c4 + [ca021de0] [c043ad30] bus_for_each_dev+0x88/0xf0 + [ca021e10] [c043c724] bus_add_driver+0x190/0x22c + [ca021e40] [c043ee94] driver_register+0x9c/0x170 + [ca021e60] [c0006c28] do_one_initcall+0x54/0x1ec + [ca021ed0] [c08246e4] kernel_init_freeable+0x1c0/0x270 + [ca021f10] [c0006fdc] kernel_init+0x28/0x11c + [ca021f30] [c0017148] ret_from_kernel_thread+0x14/0x1c + Instruction dump: + 7d4601a4 39490777 7d4701a4 39490888 7d4801a4 39490999 7d4901a4 39290aaa + 7d2a01a4 4c00012c 4bfffe88 0fe00000 <4bfffe80> 9421fff0 38210010 48001970 + +This is due to 'dcbz' instruction being used on non-cached memory. +'dcbz' instruction is used by memset() to zeroize a complete +cacheline at once, and memset() is not expected to be used on non +cached memory. + +When performing a 'sparse' check on fbdev driver, it also appears +that the use of memset() is unexpected: + + drivers/video/fbdev/chipsfb.c:334:17: warning: incorrect type in argument 1 (different address spaces) + drivers/video/fbdev/chipsfb.c:334:17: expected void * + drivers/video/fbdev/chipsfb.c:334:17: got char [noderef] __iomem *screen_base + drivers/video/fbdev/chipsfb.c:334:15: warning: memset with byte count of 1048576 + +Use fb_memset() instead of memset(). fb_memset() is defined as +memset_io() for powerpc. + +Fixes: 8c8709334cec ("[PATCH] ppc32: Remove CONFIG_PMAC_PBOOK") +Reported-by: Stan Johnson +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/884a54f1e5cb774c1d9b4db780209bee5d4f6718.1631712563.git.christophe.leroy@csgroup.eu +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/chipsfb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/chipsfb.c b/drivers/video/fbdev/chipsfb.c +index 998067b701fa0..393894af26f84 100644 +--- a/drivers/video/fbdev/chipsfb.c ++++ b/drivers/video/fbdev/chipsfb.c +@@ -331,7 +331,7 @@ static const struct fb_var_screeninfo chipsfb_var = { + + static void init_chips(struct fb_info *p, unsigned long addr) + { +- memset(p->screen_base, 0, 0x100000); ++ fb_memset(p->screen_base, 0, 0x100000); + + p->fix = chipsfb_fix; + p->fix.smem_start = addr; +-- +2.33.0 + diff --git a/queue-5.15/virtio-gpu-fix-possible-memory-allocation-failure.patch b/queue-5.15/virtio-gpu-fix-possible-memory-allocation-failure.patch new file mode 100644 index 00000000000..5f7fb0acac3 --- /dev/null +++ b/queue-5.15/virtio-gpu-fix-possible-memory-allocation-failure.patch @@ -0,0 +1,55 @@ +From a7a68a023ba795648d0c50680f4916ca6d16a2e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Aug 2021 18:43:21 +0800 +Subject: virtio-gpu: fix possible memory allocation failure + +From: liuyuntao + +[ Upstream commit 5bd4f20de8acad37dbb3154feb34dbc36d506c02 ] + +When kmem_cache_zalloc in virtio_gpu_get_vbuf fails, it will return +an error code. But none of its callers checks this error code, and +a core dump will take place. + +Considering many of its callers can't handle such error, I add +a __GFP_NOFAIL flag when calling kmem_cache_zalloc to make sure +it won't fail, and delete those unused error handlings. + +Fixes: dc5698e80cf724 ("Add virtio gpu driver.") +Signed-off-by: Yuntao Liu +Link: http://patchwork.freedesktop.org/patch/msgid/20210828104321.3410312-1-liuyuntao10@huawei.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_vq.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c +index 2e71e91278b45..93a41d018dca6 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -91,9 +91,7 @@ virtio_gpu_get_vbuf(struct virtio_gpu_device *vgdev, + { + struct virtio_gpu_vbuffer *vbuf; + +- vbuf = kmem_cache_zalloc(vgdev->vbufs, GFP_KERNEL); +- if (!vbuf) +- return ERR_PTR(-ENOMEM); ++ vbuf = kmem_cache_zalloc(vgdev->vbufs, GFP_KERNEL | __GFP_NOFAIL); + + BUG_ON(size > MAX_INLINE_CMD_SIZE || + size < sizeof(struct virtio_gpu_ctrl_hdr)); +@@ -147,10 +145,6 @@ static void *virtio_gpu_alloc_cmd_resp(struct virtio_gpu_device *vgdev, + + vbuf = virtio_gpu_get_vbuf(vgdev, cmd_size, + resp_size, resp_buf, cb); +- if (IS_ERR(vbuf)) { +- *vbuffer_p = NULL; +- return ERR_CAST(vbuf); +- } + *vbuffer_p = vbuf; + return (struct virtio_gpu_command *)vbuf->buf; + } +-- +2.33.0 + diff --git a/queue-5.15/virtio_ring-check-desc-null-when-using-indirect-with.patch b/queue-5.15/virtio_ring-check-desc-null-when-using-indirect-with.patch new file mode 100644 index 00000000000..a44924a2f15 --- /dev/null +++ b/queue-5.15/virtio_ring-check-desc-null-when-using-indirect-with.patch @@ -0,0 +1,63 @@ +From dac021549bb8791a3a64011c78db9ae13a599730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 19:23:23 +0800 +Subject: virtio_ring: check desc == NULL when using indirect with packed + +From: Xuan Zhuo + +[ Upstream commit fc6d70f40b3d0b3219e2026d05be0409695f620d ] + +When using indirect with packed, we don't check for allocation failures. +This patch checks that and fall back on direct. + +Fixes: 1ce9e6055fa0 ("virtio_ring: introduce packed ring support") +Signed-off-by: Xuan Zhuo +Link: https://lore.kernel.org/r/20211020112323.67466-3-xuanzhuo@linux.alibaba.com +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/virtio/virtio_ring.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c +index 3035bb6f54585..d1f47327f6cfe 100644 +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -1065,6 +1065,8 @@ static int virtqueue_add_indirect_packed(struct vring_virtqueue *vq, + + head = vq->packed.next_avail_idx; + desc = alloc_indirect_packed(total_sg, gfp); ++ if (!desc) ++ return -ENOMEM; + + if (unlikely(vq->vq.num_free < 1)) { + pr_debug("Can't add buf len 1 - avail = 0\n"); +@@ -1176,6 +1178,7 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, + unsigned int i, n, c, descs_used, err_idx; + __le16 head_flags, flags; + u16 head, id, prev, curr, avail_used_flags; ++ int err; + + START_USE(vq); + +@@ -1191,9 +1194,14 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq, + + BUG_ON(total_sg == 0); + +- if (virtqueue_use_indirect(_vq, total_sg)) +- return virtqueue_add_indirect_packed(vq, sgs, total_sg, +- out_sgs, in_sgs, data, gfp); ++ if (virtqueue_use_indirect(_vq, total_sg)) { ++ err = virtqueue_add_indirect_packed(vq, sgs, total_sg, out_sgs, ++ in_sgs, data, gfp); ++ if (err != -ENOMEM) ++ return err; ++ ++ /* fall back on direct */ ++ } + + head = vq->packed.next_avail_idx; + avail_used_flags = vq->packed.avail_used_flags; +-- +2.33.0 + diff --git a/queue-5.15/vrf-run-conntrack-only-in-context-of-lower-physdev-f.patch b/queue-5.15/vrf-run-conntrack-only-in-context-of-lower-physdev-f.patch new file mode 100644 index 00000000000..4aa18d81c64 --- /dev/null +++ b/queue-5.15/vrf-run-conntrack-only-in-context-of-lower-physdev-f.patch @@ -0,0 +1,141 @@ +From e224230bcb14d8e7a5764c8bed0151594eac8c63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 16:14:00 +0200 +Subject: vrf: run conntrack only in context of lower/physdev for locally + generated packets + +From: Florian Westphal + +[ Upstream commit 8c9c296adfae9ea05f655d69e9f6e13daa86fb4a ] + +The VRF driver invokes netfilter for output+postrouting hooks so that users +can create rules that check for 'oif $vrf' rather than lower device name. + +This is a problem when NAT rules are configured. + +To avoid any conntrack involvement in round 1, tag skbs as 'untracked' +to prevent conntrack from picking them up. + +This gets cleared before the packet gets handed to the ip stack so +conntrack will be active on the second iteration. + +One remaining issue is that a rule like + + output ... oif $vrfname notrack + +won't propagate to the second round because we can't tell +'notrack set via ruleset' and 'notrack set by vrf driver' apart. +However, this isn't a regression: the 'notrack' removal happens +instead of unconditional nf_reset_ct(). +I'd also like to avoid leaking more vrf specific conditionals into the +netfilter infra. + +For ingress, conntrack has already been done before the packet makes it +to the vrf driver, with this patch egress does connection tracking with +lower/physical device as well. + +Signed-off-by: Florian Westphal +Acked-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vrf.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c +index 662e261173539..ccf677015d5bc 100644 +--- a/drivers/net/vrf.c ++++ b/drivers/net/vrf.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + + #define DRV_NAME "vrf" + #define DRV_VERSION "1.1" +@@ -424,12 +425,26 @@ static int vrf_local_xmit(struct sk_buff *skb, struct net_device *dev, + return NETDEV_TX_OK; + } + ++static void vrf_nf_set_untracked(struct sk_buff *skb) ++{ ++ if (skb_get_nfct(skb) == 0) ++ nf_ct_set(skb, NULL, IP_CT_UNTRACKED); ++} ++ ++static void vrf_nf_reset_ct(struct sk_buff *skb) ++{ ++ if (skb_get_nfct(skb) == IP_CT_UNTRACKED) ++ nf_reset_ct(skb); ++} ++ + #if IS_ENABLED(CONFIG_IPV6) + static int vrf_ip6_local_out(struct net *net, struct sock *sk, + struct sk_buff *skb) + { + int err; + ++ vrf_nf_reset_ct(skb); ++ + err = nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, + sk, skb, NULL, skb_dst(skb)->dev, dst_output); + +@@ -508,6 +523,8 @@ static int vrf_ip_local_out(struct net *net, struct sock *sk, + { + int err; + ++ vrf_nf_reset_ct(skb); ++ + err = nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, sk, + skb, NULL, skb_dst(skb)->dev, dst_output); + if (likely(err == 1)) +@@ -626,8 +643,7 @@ static void vrf_finish_direct(struct sk_buff *skb) + skb_pull(skb, ETH_HLEN); + } + +- /* reset skb device */ +- nf_reset_ct(skb); ++ vrf_nf_reset_ct(skb); + } + + #if IS_ENABLED(CONFIG_IPV6) +@@ -641,7 +657,7 @@ static int vrf_finish_output6(struct net *net, struct sock *sk, + struct neighbour *neigh; + int ret; + +- nf_reset_ct(skb); ++ vrf_nf_reset_ct(skb); + + skb->protocol = htons(ETH_P_IPV6); + skb->dev = dev; +@@ -752,6 +768,8 @@ static struct sk_buff *vrf_ip6_out_direct(struct net_device *vrf_dev, + + skb->dev = vrf_dev; + ++ vrf_nf_set_untracked(skb); ++ + err = nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, sk, + skb, NULL, vrf_dev, vrf_ip6_out_direct_finish); + +@@ -858,7 +876,7 @@ static int vrf_finish_output(struct net *net, struct sock *sk, struct sk_buff *s + struct neighbour *neigh; + bool is_v6gw = false; + +- nf_reset_ct(skb); ++ vrf_nf_reset_ct(skb); + + /* Be paranoid, rather than too clever. */ + if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) { +@@ -980,6 +998,8 @@ static struct sk_buff *vrf_ip_out_direct(struct net_device *vrf_dev, + + skb->dev = vrf_dev; + ++ vrf_nf_set_untracked(skb); ++ + err = nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT, net, sk, + skb, NULL, vrf_dev, vrf_ip_out_direct_finish); + +-- +2.33.0 + diff --git a/queue-5.15/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch b/queue-5.15/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch new file mode 100644 index 00000000000..357d05504af --- /dev/null +++ b/queue-5.15/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch @@ -0,0 +1,42 @@ +From ab1393c3e39563bdb5b659c8e4229c246be82ecc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 9 Nov 2021 00:15:02 +0000 +Subject: vsock: prevent unnecessary refcnt inc for nonblocking connect + +From: Eiichi Tsukata + +[ Upstream commit c7cd82b90599fa10915f41e3dd9098a77d0aa7b6 ] + +Currently vosck_connect() increments sock refcount for nonblocking +socket each time it's called, which can lead to memory leak if +it's called multiple times because connect timeout function decrements +sock refcount only once. + +Fixes it by making vsock_connect() return -EALREADY immediately when +sock state is already SS_CONNECTING. + +Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") +Reviewed-by: Stefano Garzarella +Signed-off-by: Eiichi Tsukata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/af_vsock.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index e2c0cfb334d20..fa8c1b623fa21 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1322,6 +1322,8 @@ static int vsock_connect(struct socket *sock, struct sockaddr *addr, + * non-blocking call. + */ + err = -EALREADY; ++ if (flags & O_NONBLOCK) ++ goto out; + break; + default: + if ((sk->sk_state == TCP_LISTEN) || +-- +2.33.0 + diff --git a/queue-5.15/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch b/queue-5.15/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch new file mode 100644 index 00000000000..38e3121dd5d --- /dev/null +++ b/queue-5.15/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch @@ -0,0 +1,53 @@ +From ce19a3b47a50f122f12285cb346172305f8af751 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 18:20:31 +0200 +Subject: watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT + +From: Ahmad Fatoum + +[ Upstream commit 164483c735190775f29d0dcbac0363adc51a068d ] + +The fintek watchdog timer can configure timeouts of second granularity +only up to 255 seconds. Beyond that, the timeout needs to be configured +with minute granularity. WDIOC_GETTIMEOUT should report the actual +timeout configured, not just echo back the timeout configured by the +user. Do so. + +Fixes: 96cb4eb019ce ("watchdog: f71808e_wdt: new watchdog driver for Fintek F71808E and F71882FG") +Suggested-by: Guenter Roeck +Reviewed-by: Guenter Roeck +Signed-off-by: Ahmad Fatoum +Link: https://lore.kernel.org/r/5e17960fe8cc0e3cb2ba53de4730b75d9a0f33d5.1628525954.git-series.a.fatoum@pengutronix.de +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +--- + drivers/watchdog/f71808e_wdt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c +index f60beec1bbaea..f7d82d2619133 100644 +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -228,15 +228,17 @@ static int watchdog_set_timeout(int timeout) + + mutex_lock(&watchdog.lock); + +- watchdog.timeout = timeout; + if (timeout > 0xff) { + watchdog.timer_val = DIV_ROUND_UP(timeout, 60); + watchdog.minutes_mode = true; ++ timeout = watchdog.timer_val * 60; + } else { + watchdog.timer_val = timeout; + watchdog.minutes_mode = false; + } + ++ watchdog.timeout = timeout; ++ + mutex_unlock(&watchdog.lock); + + return 0; +-- +2.33.0 + diff --git a/queue-5.15/wcn36xx-add-proper-dma-memory-barriers-in-rx-path.patch b/queue-5.15/wcn36xx-add-proper-dma-memory-barriers-in-rx-path.patch new file mode 100644 index 00000000000..e2f382f8e7b --- /dev/null +++ b/queue-5.15/wcn36xx-add-proper-dma-memory-barriers-in-rx-path.patch @@ -0,0 +1,66 @@ +From 914d7cebf94cd563793f9b8c80055b6135df128f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 17:15:28 -0700 +Subject: wcn36xx: add proper DMA memory barriers in rx path + +From: Benjamin Li + +[ Upstream commit 9bfe38e064af5decba2ffce66a2958ab8b10eaa4 ] + +This is essentially exactly following the dma_wmb()/dma_rmb() usage +instructions in Documentation/memory-barriers.txt. + +The theoretical races here are: + +1. DXE (the DMA Transfer Engine in the Wi-Fi subsystem) seeing the +dxe->ctrl & WCN36xx_DXE_CTRL_VLD write before the dxe->dst_addr_l +write, thus performing DMA into the wrong address. + +2. CPU reading dxe->dst_addr_l before DXE unsets dxe->ctrl & +WCN36xx_DXE_CTRL_VLD. This should generally be harmless since DXE +doesn't write dxe->dst_addr_l (no risk of freeing the wrong skb). + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Benjamin Li +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211023001528.3077822-1-benl@squareup.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/dxe.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/dxe.c b/drivers/net/wireless/ath/wcn36xx/dxe.c +index 0e0bbcd11300b..aff04ef662663 100644 +--- a/drivers/net/wireless/ath/wcn36xx/dxe.c ++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c +@@ -606,6 +606,10 @@ static int wcn36xx_rx_handle_packets(struct wcn36xx *wcn, + dxe = ctl->desc; + + while (!(READ_ONCE(dxe->ctrl) & WCN36xx_DXE_CTRL_VLD)) { ++ /* do not read until we own DMA descriptor */ ++ dma_rmb(); ++ ++ /* read/modify DMA descriptor */ + skb = ctl->skb; + dma_addr = dxe->dst_addr_l; + ret = wcn36xx_dxe_fill_skb(wcn->dev, ctl, GFP_ATOMIC); +@@ -616,9 +620,15 @@ static int wcn36xx_rx_handle_packets(struct wcn36xx *wcn, + dma_unmap_single(wcn->dev, dma_addr, WCN36XX_PKT_SIZE, + DMA_FROM_DEVICE); + wcn36xx_rx_skb(wcn, skb); +- } /* else keep old skb not submitted and use it for rx DMA */ ++ } ++ /* else keep old skb not submitted and reuse it for rx DMA ++ * (dropping the packet that it contained) ++ */ + ++ /* flush descriptor changes before re-marking as valid */ ++ dma_wmb(); + dxe->ctrl = ctrl; ++ + ctl = ctl->next; + dxe = ctl->desc; + } +-- +2.33.0 + diff --git a/queue-5.15/wcn36xx-channel-list-update-before-hardware-scan.patch b/queue-5.15/wcn36xx-channel-list-update-before-hardware-scan.patch new file mode 100644 index 00000000000..794217baf48 --- /dev/null +++ b/queue-5.15/wcn36xx-channel-list-update-before-hardware-scan.patch @@ -0,0 +1,212 @@ +From 49157eb982a860ba9ad26be78bb6a222a9334b4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 17:22:08 +0200 +Subject: wcn36xx: Channel list update before hardware scan + +From: Loic Poulain + +[ Upstream commit d707f812bb0513ea0030d0c9fe2a456bae5a4583 ] + +The channel scan list must be updated before triggering a hardware scan +so that firmware takes into account the regulatory info for each single +channel such as active/passive config, power, DFS, etc... Without this +the firmware uses its own internal default channel configuration, which +is not aligned with mac80211 regulatory rules, and misses several +channels (e.g. 144). + +Fixes: 2f3bef4b247e ("wcn36xx: Add hardware scan offload support") +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1635175328-25642-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/hal.h | 32 ++++++++++ + drivers/net/wireless/ath/wcn36xx/main.c | 1 + + drivers/net/wireless/ath/wcn36xx/smd.c | 82 +++++++++++++++++++++++++ + drivers/net/wireless/ath/wcn36xx/smd.h | 1 + + 4 files changed, 116 insertions(+) + +diff --git a/drivers/net/wireless/ath/wcn36xx/hal.h b/drivers/net/wireless/ath/wcn36xx/hal.h +index 455143c4164ee..de3bca043c2b3 100644 +--- a/drivers/net/wireless/ath/wcn36xx/hal.h ++++ b/drivers/net/wireless/ath/wcn36xx/hal.h +@@ -359,6 +359,8 @@ enum wcn36xx_hal_host_msg_type { + WCN36XX_HAL_START_SCAN_OFFLOAD_RSP = 205, + WCN36XX_HAL_STOP_SCAN_OFFLOAD_REQ = 206, + WCN36XX_HAL_STOP_SCAN_OFFLOAD_RSP = 207, ++ WCN36XX_HAL_UPDATE_CHANNEL_LIST_REQ = 208, ++ WCN36XX_HAL_UPDATE_CHANNEL_LIST_RSP = 209, + WCN36XX_HAL_SCAN_OFFLOAD_IND = 210, + + WCN36XX_HAL_AVOID_FREQ_RANGE_IND = 233, +@@ -1353,6 +1355,36 @@ struct wcn36xx_hal_stop_scan_offload_rsp_msg { + u32 status; + } __packed; + ++#define WCN36XX_HAL_CHAN_REG1_MIN_PWR_MASK 0x000000ff ++#define WCN36XX_HAL_CHAN_REG1_MAX_PWR_MASK 0x0000ff00 ++#define WCN36XX_HAL_CHAN_REG1_REG_PWR_MASK 0x00ff0000 ++#define WCN36XX_HAL_CHAN_REG1_CLASS_ID_MASK 0xff000000 ++#define WCN36XX_HAL_CHAN_REG2_ANT_GAIN_MASK 0x000000ff ++#define WCN36XX_HAL_CHAN_INFO_FLAG_PASSIVE BIT(7) ++#define WCN36XX_HAL_CHAN_INFO_FLAG_DFS BIT(10) ++#define WCN36XX_HAL_CHAN_INFO_FLAG_HT BIT(11) ++#define WCN36XX_HAL_CHAN_INFO_FLAG_VHT BIT(12) ++#define WCN36XX_HAL_CHAN_INFO_PHY_11A 0 ++#define WCN36XX_HAL_CHAN_INFO_PHY_11BG 1 ++#define WCN36XX_HAL_DEFAULT_ANT_GAIN 6 ++#define WCN36XX_HAL_DEFAULT_MIN_POWER 6 ++ ++struct wcn36xx_hal_channel_param { ++ u32 mhz; ++ u32 band_center_freq1; ++ u32 band_center_freq2; ++ u32 channel_info; ++ u32 reg_info_1; ++ u32 reg_info_2; ++} __packed; ++ ++struct wcn36xx_hal_update_channel_list_req_msg { ++ struct wcn36xx_hal_msg_header header; ++ ++ u8 num_channel; ++ struct wcn36xx_hal_channel_param channels[80]; ++} __packed; ++ + enum wcn36xx_hal_rate_index { + HW_RATE_INDEX_1MBPS = 0x82, + HW_RATE_INDEX_2MBPS = 0x84, +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index 5974b01f2fd92..5d82aca370a72 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -671,6 +671,7 @@ static int wcn36xx_hw_scan(struct ieee80211_hw *hw, + + mutex_unlock(&wcn->scan_lock); + ++ wcn36xx_smd_update_channel_list(wcn, &hw_req->req); + return wcn36xx_smd_start_hw_scan(wcn, vif, &hw_req->req); + } + +diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c +index f6bea896abe85..70bffe3d87a12 100644 +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -16,6 +16,7 @@ + + #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt + ++#include + #include + #include + #include +@@ -927,6 +928,86 @@ out: + return ret; + } + ++int wcn36xx_smd_update_channel_list(struct wcn36xx *wcn, struct cfg80211_scan_request *req) ++{ ++ struct wcn36xx_hal_update_channel_list_req_msg *msg_body; ++ int ret, i; ++ ++ msg_body = kzalloc(sizeof(*msg_body), GFP_KERNEL); ++ if (!msg_body) ++ return -ENOMEM; ++ ++ INIT_HAL_MSG((*msg_body), WCN36XX_HAL_UPDATE_CHANNEL_LIST_REQ); ++ ++ msg_body->num_channel = min_t(u8, req->n_channels, sizeof(msg_body->channels)); ++ for (i = 0; i < msg_body->num_channel; i++) { ++ struct wcn36xx_hal_channel_param *param = &msg_body->channels[i]; ++ u32 min_power = WCN36XX_HAL_DEFAULT_MIN_POWER; ++ u32 ant_gain = WCN36XX_HAL_DEFAULT_ANT_GAIN; ++ ++ param->mhz = req->channels[i]->center_freq; ++ param->band_center_freq1 = req->channels[i]->center_freq; ++ param->band_center_freq2 = 0; ++ ++ if (req->channels[i]->flags & IEEE80211_CHAN_NO_IR) ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_FLAG_PASSIVE; ++ ++ if (req->channels[i]->flags & IEEE80211_CHAN_RADAR) ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_FLAG_DFS; ++ ++ if (req->channels[i]->band == NL80211_BAND_5GHZ) { ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_FLAG_HT; ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_FLAG_VHT; ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_PHY_11A; ++ } else { ++ param->channel_info |= WCN36XX_HAL_CHAN_INFO_PHY_11BG; ++ } ++ ++ if (min_power > req->channels[i]->max_power) ++ min_power = req->channels[i]->max_power; ++ ++ if (req->channels[i]->max_antenna_gain) ++ ant_gain = req->channels[i]->max_antenna_gain; ++ ++ u32p_replace_bits(¶m->reg_info_1, min_power, ++ WCN36XX_HAL_CHAN_REG1_MIN_PWR_MASK); ++ u32p_replace_bits(¶m->reg_info_1, req->channels[i]->max_power, ++ WCN36XX_HAL_CHAN_REG1_MAX_PWR_MASK); ++ u32p_replace_bits(¶m->reg_info_1, req->channels[i]->max_reg_power, ++ WCN36XX_HAL_CHAN_REG1_REG_PWR_MASK); ++ u32p_replace_bits(¶m->reg_info_1, 0, ++ WCN36XX_HAL_CHAN_REG1_CLASS_ID_MASK); ++ u32p_replace_bits(¶m->reg_info_2, ant_gain, ++ WCN36XX_HAL_CHAN_REG2_ANT_GAIN_MASK); ++ ++ wcn36xx_dbg(WCN36XX_DBG_HAL, ++ "%s: freq=%u, channel_info=%08x, reg_info1=%08x, reg_info2=%08x\n", ++ __func__, param->mhz, param->channel_info, param->reg_info_1, ++ param->reg_info_2); ++ } ++ ++ mutex_lock(&wcn->hal_mutex); ++ ++ PREPARE_HAL_BUF(wcn->hal_buf, (*msg_body)); ++ ++ ret = wcn36xx_smd_send_and_wait(wcn, msg_body->header.len); ++ if (ret) { ++ wcn36xx_err("Sending hal_update_channel_list failed\n"); ++ goto out; ++ } ++ ++ ret = wcn36xx_smd_rsp_status_check(wcn->hal_buf, wcn->hal_rsp_len); ++ if (ret) { ++ wcn36xx_err("hal_update_channel_list response failed err=%d\n", ret); ++ goto out; ++ } ++ ++out: ++ kfree(msg_body); ++ mutex_unlock(&wcn->hal_mutex); ++ return ret; ++} ++ + static int wcn36xx_smd_switch_channel_rsp(void *buf, size_t len) + { + struct wcn36xx_hal_switch_channel_rsp_msg *rsp; +@@ -3082,6 +3163,7 @@ int wcn36xx_smd_rsp_process(struct rpmsg_device *rpdev, + case WCN36XX_HAL_GTK_OFFLOAD_RSP: + case WCN36XX_HAL_GTK_OFFLOAD_GETINFO_RSP: + case WCN36XX_HAL_HOST_RESUME_RSP: ++ case WCN36XX_HAL_UPDATE_CHANNEL_LIST_RSP: + memcpy(wcn->hal_buf, buf, len); + wcn->hal_rsp_len = len; + complete(&wcn->hal_rsp_compl); +diff --git a/drivers/net/wireless/ath/wcn36xx/smd.h b/drivers/net/wireless/ath/wcn36xx/smd.h +index d8bded03945d4..d3774568d885e 100644 +--- a/drivers/net/wireless/ath/wcn36xx/smd.h ++++ b/drivers/net/wireless/ath/wcn36xx/smd.h +@@ -70,6 +70,7 @@ int wcn36xx_smd_update_scan_params(struct wcn36xx *wcn, u8 *channels, size_t cha + int wcn36xx_smd_start_hw_scan(struct wcn36xx *wcn, struct ieee80211_vif *vif, + struct cfg80211_scan_request *req); + int wcn36xx_smd_stop_hw_scan(struct wcn36xx *wcn); ++int wcn36xx_smd_update_channel_list(struct wcn36xx *wcn, struct cfg80211_scan_request *req); + int wcn36xx_smd_add_sta_self(struct wcn36xx *wcn, struct ieee80211_vif *vif); + int wcn36xx_smd_delete_sta_self(struct wcn36xx *wcn, u8 *addr); + int wcn36xx_smd_delete_sta(struct wcn36xx *wcn, u8 sta_index); +-- +2.33.0 + diff --git a/queue-5.15/wcn36xx-correct-band-freq-reporting-on-rx.patch b/queue-5.15/wcn36xx-correct-band-freq-reporting-on-rx.patch new file mode 100644 index 00000000000..cd016ddc63c --- /dev/null +++ b/queue-5.15/wcn36xx-correct-band-freq-reporting-on-rx.patch @@ -0,0 +1,91 @@ +From 21a95f93dc2a1b2a6c2edf1daad37f439135a1aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 12:57:57 +0200 +Subject: wcn36xx: Correct band/freq reporting on RX + +From: Loic Poulain + +[ Upstream commit 8a27ca39478270e07baf9c09aa0c99709769ba03 ] + +For packets originating from hardware scan, the channel and band is +included in the buffer descriptor (bd->rf_band & bd->rx_ch). + +For 2Ghz band the channel value is directly reported in the 4-bit +rx_ch field. For 5Ghz band, the rx_ch field contains a mapping +index (given the 4-bit limitation). + +The reserved0 value field is also used to extend 4-bit mapping to +5-bit mapping to support more than 16 5Ghz channels. + +This change adds correct reporting of the frequency/band, that is +used in scan mechanism. And is required for 5Ghz hardware scan +support. + +Signed-off-by: Loic Poulain +Tested-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1634554678-7993-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/txrx.c | 23 +++++++++++++++++++++++ + drivers/net/wireless/ath/wcn36xx/txrx.h | 3 ++- + 2 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c +index eaf2410e39647..c0f51fa13dfa1 100644 +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -31,6 +31,13 @@ struct wcn36xx_rate { + enum rate_info_bw bw; + }; + ++/* Buffer descriptor rx_ch field is limited to 5-bit (4+1), a mapping is used ++ * for 11A Channels. ++ */ ++static const u8 ab_rx_ch_map[] = { 36, 40, 44, 48, 52, 56, 60, 64, 100, 104, ++ 108, 112, 116, 120, 124, 128, 132, 136, 140, ++ 149, 153, 157, 161, 165, 144 }; ++ + static const struct wcn36xx_rate wcn36xx_rate_table[] = { + /* 11b rates */ + { 10, 0, RX_ENC_LEGACY, 0, RATE_INFO_BW_20 }, +@@ -291,6 +298,22 @@ int wcn36xx_rx_skb(struct wcn36xx *wcn, struct sk_buff *skb) + ieee80211_is_probe_resp(hdr->frame_control)) + status.boottime_ns = ktime_get_boottime_ns(); + ++ if (bd->scan_learn) { ++ /* If packet originates from hardware scanning, extract the ++ * band/channel from bd descriptor. ++ */ ++ u8 hwch = (bd->reserved0 << 4) + bd->rx_ch; ++ ++ if (bd->rf_band != 1 && hwch <= sizeof(ab_rx_ch_map) && hwch >= 1) { ++ status.band = NL80211_BAND_5GHZ; ++ status.freq = ieee80211_channel_to_frequency(ab_rx_ch_map[hwch - 1], ++ status.band); ++ } else { ++ status.band = NL80211_BAND_2GHZ; ++ status.freq = ieee80211_channel_to_frequency(hwch, status.band); ++ } ++ } ++ + memcpy(IEEE80211_SKB_RXCB(skb), &status, sizeof(status)); + + if (ieee80211_is_beacon(hdr->frame_control)) { +diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.h b/drivers/net/wireless/ath/wcn36xx/txrx.h +index 032216e82b2be..b54311ffde9c5 100644 +--- a/drivers/net/wireless/ath/wcn36xx/txrx.h ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.h +@@ -110,7 +110,8 @@ struct wcn36xx_rx_bd { + /* 0x44 */ + u32 exp_seq_num:12; + u32 cur_seq_num:12; +- u32 fr_type_subtype:8; ++ u32 rf_band:2; ++ u32 fr_type_subtype:6; + + /* 0x48 */ + u32 msdu_size:16; +-- +2.33.0 + diff --git a/queue-5.15/wcn36xx-fix-antenna-diversity-switching.patch b/queue-5.15/wcn36xx-fix-antenna-diversity-switching.patch new file mode 100644 index 00000000000..a6a2e3328fb --- /dev/null +++ b/queue-5.15/wcn36xx-fix-antenna-diversity-switching.patch @@ -0,0 +1,150 @@ +From 9d2b5b2929b2913d07bb03a478ffaaec85167382 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Sep 2021 15:44:27 +0100 +Subject: wcn36xx: Fix Antenna Diversity Switching + +From: Bryan O'Donoghue + +[ Upstream commit 701668d3bfa03dabc5095fc383d5315544ee5b31 ] + +We have been tracking a strange bug with Antenna Diversity Switching (ADS) +on wcn3680b for a while. + +ADS is configured like this: + A. Via a firmware configuration table baked into the NV area. + 1. Defines if ADS is enabled. + 2. Defines which GPIOs are connected to which antenna enable pin. + 3. Defines which antenna/GPIO is primary and which is secondary. + + B. WCN36XX_CFG_VAL(ANTENNA_DIVERSITY, N) + N is a bitmask of available antenna. + + Setting N to 3 indicates a bitmask of enabled antenna (1 | 2). + + Obviously then we can set N to 1 or N to 2 to fix to a particular + antenna and disable antenna diversity. + + C. WCN36XX_CFG_VAL(ASD_PROBE_INTERVAL, XX) + XX is the number of beacons between each antenna RSSI check. + Setting this value to 50 means, every 50 received beacons, run the + ADS algorithm. + + D. WCN36XX_CFG_VAL(ASD_TRIGGER_THRESHOLD, YY) + YY is a two's complement integer which specifies the RSSI decibel + threshold below which ADS will run. + We default to -60db here, meaning a measured RSSI <= -60db will + trigger an ADS probe. + + E. WCN36XX_CFG_VAL(ASD_RTT_RSSI_HYST_THRESHOLD, Z) + Z is a hysteresis value, indicating a delta which the RSSI must + exceed for the antenna switch to be valid. + + For example if HYST_THRESHOLD == 3 AntennaId1-RSSI == -60db and + AntennaId-2-RSSI == -58db then firmware will not switch antenna. + The threshold needs to be -57db or better to satisfy the criteria. + + F. A firmware feature bit also exists ANTENNA_DIVERSITY_SELECTION. + This feature bit is used by the firmware to report if + ANTENNA_DIVERSITY_SELECTION is supported. The host is not required to + toggle this bit to enable or disable ADS. + +ADS works like this: + + A. Every XX beacons the firmware switches to or remains on the primary + antenna. + + B. The firmware then sends a Request-To-Send (RTS) packet to the AP. + + C. The firmware waits for a Clear-To-Send (CTS) response from the AP. + + D. The firmware then notes the received RSSI on the CTS packet. + + E. The firmware then repeats steps A-D on the secondary antenna. + + F. Subsequently if the RSSI on the measured antenna is better than + ASD_TRIGGER_THRESHOLD + the active antenna's RSSI then the + measured antenna becomes the active antenna. + + G. If RSSI rises past ASD_TRIGGER_THRESHOLD then ADS doesn't run at + all even if there is a substantially better RSSI on the alternative + antenna. + +What we have been observing is that the RTS packet is being sent but the +MAC address is a byte-swapped version of the target MAC. The ADS/RTS MAC is +corrupted only when the link is encrypted, if the AP is open the RTS MAC is +correct. Similarly if we configure the firmware to an RTS/CTS sequence for +regular data - the transmitted RTS MAC is correctly formatted. + +Internally the wcn36xx firmware uses the indexes in the SMD commands to +populate and extract data from specific entries in an STA lookup table. The +AP's MAC appears a number of times in different indexes within this lookup +table, so the MAC address extracted for the data-transmit RTS and the MAC +address extracted for the ADS/RTS packet are not the same STA table index. + +Our analysis indicates the relevant firmware STA table index is +"bssSelfStaIdx". + +There is an STA populate function responsible for formatting the MAC +address of the bssSelfStaIdx including byte-swapping the MAC address. + +Its clear then that the required STA populate command did not run for +bssSelfStaIdx. + +So taking a look at the sequence of SMD commands sent to the firmware we +see the following downstream when moving from an unencrypted to encrypted +BSS setup. + +- WLAN_HAL_CONFIG_BSS_REQ +- WLAN_HAL_CONFIG_STA_REQ +- WLAN_HAL_SET_STAKEY_REQ + +Upstream in wcn36xx we have + +- WLAN_HAL_CONFIG_BSS_REQ +- WLAN_HAL_SET_STAKEY_REQ + +The solution then is to add the missing WLAN_HAL_CONFIG_STA_REQ between +WLAN_HAL_CONFIG_BSS_REQ and WLAN_HAL_SET_STAKEY_REQ. + +No surprise WLAN_HAL_CONFIG_STA_REQ is the routine responsible for +populating the STA lookup table in the firmware and once done the MAC sent +by the ADS routine is in the correct byte-order. + +This bug is apparent with ADS but it is also the case that any other +firmware routine that depends on the "bssSelfStaIdx" would retrieve +malformed data on an encrypted link. + +Fixes: 3e977c5c523d ("wcn36xx: Define wcn3680 specific firmware parameters") +Signed-off-by: Bryan O'Donoghue +Tested-by: Benjamin Li +Reviewed-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210909144428.2564650-2-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index 28d6251ad77a6..5974b01f2fd92 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -571,12 +571,14 @@ static int wcn36xx_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + if (IEEE80211_KEY_FLAG_PAIRWISE & key_conf->flags) { + sta_priv->is_data_encrypted = true; + /* Reconfigure bss with encrypt_type */ +- if (NL80211_IFTYPE_STATION == vif->type) ++ if (NL80211_IFTYPE_STATION == vif->type) { + wcn36xx_smd_config_bss(wcn, + vif, + sta, + sta->addr, + true); ++ wcn36xx_smd_config_sta(wcn, vif, sta); ++ } + + wcn36xx_smd_set_stakey(wcn, + vif_priv->encrypt_type, +-- +2.33.0 + diff --git a/queue-5.15/wcn36xx-fix-discarded-frames-due-to-wrong-sequence-n.patch b/queue-5.15/wcn36xx-fix-discarded-frames-due-to-wrong-sequence-n.patch new file mode 100644 index 00000000000..8619bdb6a5e --- /dev/null +++ b/queue-5.15/wcn36xx-fix-discarded-frames-due-to-wrong-sequence-n.patch @@ -0,0 +1,74 @@ +From 273113e7ca495a9ebaa76d26b8e480f1ce71c97c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 10:25:36 +0200 +Subject: wcn36xx: Fix discarded frames due to wrong sequence number + +From: Loic Poulain + +[ Upstream commit 113f304dbc1627c6ec9d5329d839964095768980 ] + +The firmware is offering features such as ARP offload, for which +firmware crafts its own (QoS)packets without waking up the host. +Point is that the sequence numbers generated by the firmware are +not in sync with the host mac80211 layer and can cause packets +such as firmware ARP reponses to be dropped by the AP (too old SN). + +To fix this we need to let the firmware manages the sequence +numbers by its own (except for QoS null frames). There is a SN +counter for each QoS queue and one global/baseline counter for +Non-QoS. + +Fixes: 84aff52e4f57 ("wcn36xx: Use sequence number allocated by mac80211") +Signed-off-by: Loic Poulain +Tested-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1635150336-18736-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/txrx.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/txrx.c b/drivers/net/wireless/ath/wcn36xx/txrx.c +index c0f51fa13dfa1..bbd7194c82e27 100644 +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -344,8 +344,6 @@ static void wcn36xx_set_tx_pdu(struct wcn36xx_tx_bd *bd, + bd->pdu.mpdu_header_off; + bd->pdu.mpdu_len = len; + bd->pdu.tid = tid; +- /* Use seq number generated by mac80211 */ +- bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_HOST; + } + + static inline struct wcn36xx_vif *get_vif_by_addr(struct wcn36xx *wcn, +@@ -442,6 +440,9 @@ static void wcn36xx_set_tx_data(struct wcn36xx_tx_bd *bd, + tid = ieee80211_get_tid(hdr); + /* TID->QID is one-to-one mapping */ + bd->queue_id = tid; ++ bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_DPU_QOS; ++ } else { ++ bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_DPU_NON_QOS; + } + + if (info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT || +@@ -453,6 +454,8 @@ static void wcn36xx_set_tx_data(struct wcn36xx_tx_bd *bd, + /* Don't use a regular queue for null packet (no ampdu) */ + bd->queue_id = WCN36XX_TX_U_WQ_ID; + bd->bd_rate = WCN36XX_BD_RATE_CTRL; ++ if (ieee80211_is_qos_nullfunc(hdr->frame_control)) ++ bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_HOST; + } + + if (bcast) { +@@ -512,6 +515,8 @@ static void wcn36xx_set_tx_mgmt(struct wcn36xx_tx_bd *bd, + bd->queue_id = WCN36XX_TX_U_WQ_ID; + *vif_priv = __vif_priv; + ++ bd->pdu.bd_ssn = WCN36XX_TXBD_SSN_FILL_DPU_NON_QOS; ++ + wcn36xx_set_tx_pdu(bd, + ieee80211_is_data_qos(hdr->frame_control) ? + sizeof(struct ieee80211_qos_hdr) : +-- +2.33.0 + diff --git a/queue-5.15/wcn36xx-fix-packet-drop-on-resume.patch b/queue-5.15/wcn36xx-fix-packet-drop-on-resume.patch new file mode 100644 index 00000000000..a6f874e8498 --- /dev/null +++ b/queue-5.15/wcn36xx-fix-packet-drop-on-resume.patch @@ -0,0 +1,61 @@ +From 9ad6d087361aa3ec19135ac7cbb328519168ef20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 10:28:16 +0200 +Subject: wcn36xx: Fix packet drop on resume + +From: Loic Poulain + +[ Upstream commit df0697801d8aa2eebfe7f0b7388879639f8fe7cc ] + +If the system is resumed because of an incoming packet, the wcn36xx RX +interrupts is fired before actual resuming of the wireless/mac80211 +stack, causing any received packets to be simply dropped. E.g. a ping +request causes a system resume, but is dropped and so never forwarded +to the IP stack. + +This change fixes that, disabling DMA interrupts on suspend to no pass +packets until mac80211 is resumed and ready to handle them. + +Note that it's not incompatible with RX irq wake. + +Signed-off-by: Loic Poulain +Reviewed-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1635150496-19290-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index bd1c83aeea606..39d86e3031bd7 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -1115,6 +1115,13 @@ static int wcn36xx_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wow) + goto out; + ret = wcn36xx_smd_wlan_host_suspend_ind(wcn); + } ++ ++ /* Disable IRQ, we don't want to handle any packet before mac80211 is ++ * resumed and ready to receive packets. ++ */ ++ disable_irq(wcn->tx_irq); ++ disable_irq(wcn->rx_irq); ++ + out: + mutex_unlock(&wcn->conf_mutex); + return ret; +@@ -1137,6 +1144,10 @@ static int wcn36xx_resume(struct ieee80211_hw *hw) + wcn36xx_smd_ipv6_ns_offload(wcn, vif, false); + wcn36xx_smd_arp_offload(wcn, vif, false); + } ++ ++ enable_irq(wcn->tx_irq); ++ enable_irq(wcn->rx_irq); ++ + mutex_unlock(&wcn->conf_mutex); + + return 0; +-- +2.33.0 + diff --git a/queue-5.15/wilc1000-fix-possible-memory-leak-in-cfg_scan_result.patch b/queue-5.15/wilc1000-fix-possible-memory-leak-in-cfg_scan_result.patch new file mode 100644 index 00000000000..61118ad36ee --- /dev/null +++ b/queue-5.15/wilc1000-fix-possible-memory-leak-in-cfg_scan_result.patch @@ -0,0 +1,41 @@ +From 9a13af35c4a05a544251a938589977ecff3281e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Sep 2021 16:49:18 +0000 +Subject: wilc1000: fix possible memory leak in cfg_scan_result() + +From: Ajay Singh + +[ Upstream commit 3c719fed0f3a5e95b1d164609ecc81c4191ade70 ] + +When the BSS reference holds a valid reference, it is not freed. The 'if' +condition is wrong. Instead of the 'if (bss)' check, the 'if (!bss)' check +is used. +The issue is solved by removing the unnecessary 'if' check because +cfg80211_put_bss() already performs the NULL validation. + +Fixes: 6cd4fa5ab691 ("staging: wilc1000: make use of cfg80211_inform_bss_frame()") +Signed-off-by: Ajay Singh +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210916164902.74629-3-ajay.kathat@microchip.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/microchip/wilc1000/cfg80211.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/microchip/wilc1000/cfg80211.c b/drivers/net/wireless/microchip/wilc1000/cfg80211.c +index 96973ec7bd9ac..87c14969c75fa 100644 +--- a/drivers/net/wireless/microchip/wilc1000/cfg80211.c ++++ b/drivers/net/wireless/microchip/wilc1000/cfg80211.c +@@ -129,8 +129,7 @@ static void cfg_scan_result(enum scan_event scan_event, + info->frame_len, + (s32)info->rssi * 100, + GFP_KERNEL); +- if (!bss) +- cfg80211_put_bss(wiphy, bss); ++ cfg80211_put_bss(wiphy, bss); + } else if (scan_event == SCAN_EVENT_DONE) { + mutex_lock(&priv->scan_req_lock); + +-- +2.33.0 + diff --git a/queue-5.15/workqueue-make-sysfs-of-unbound-kworker-cpumask-more.patch b/queue-5.15/workqueue-make-sysfs-of-unbound-kworker-cpumask-more.patch new file mode 100644 index 00000000000..fe5bb346545 --- /dev/null +++ b/queue-5.15/workqueue-make-sysfs-of-unbound-kworker-cpumask-more.patch @@ -0,0 +1,71 @@ +From 8af04e146edfc42cdcd2ad96c517969932018680 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Oct 2021 20:04:02 +0800 +Subject: workqueue: make sysfs of unbound kworker cpumask more clever + +From: Menglong Dong + +[ Upstream commit d25302e46592c97d29f70ccb1be558df31a9a360 ] + +Some unfriendly component, such as dpdk, write the same mask to +unbound kworker cpumask again and again. Every time it write to +this interface some work is queue to cpu, even though the mask +is same with the original mask. + +So, fix it by return success and do nothing if the cpumask is +equal with the old one. + +Signed-off-by: Mengen Sun +Signed-off-by: Menglong Dong +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +--- + kernel/workqueue.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 1b3eb1e9531f4..76988f39ed5ac 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -5384,9 +5384,6 @@ int workqueue_set_unbound_cpumask(cpumask_var_t cpumask) + int ret = -EINVAL; + cpumask_var_t saved_cpumask; + +- if (!zalloc_cpumask_var(&saved_cpumask, GFP_KERNEL)) +- return -ENOMEM; +- + /* + * Not excluding isolated cpus on purpose. + * If the user wishes to include them, we allow that. +@@ -5394,6 +5391,15 @@ int workqueue_set_unbound_cpumask(cpumask_var_t cpumask) + cpumask_and(cpumask, cpumask, cpu_possible_mask); + if (!cpumask_empty(cpumask)) { + apply_wqattrs_lock(); ++ if (cpumask_equal(cpumask, wq_unbound_cpumask)) { ++ ret = 0; ++ goto out_unlock; ++ } ++ ++ if (!zalloc_cpumask_var(&saved_cpumask, GFP_KERNEL)) { ++ ret = -ENOMEM; ++ goto out_unlock; ++ } + + /* save the old wq_unbound_cpumask. */ + cpumask_copy(saved_cpumask, wq_unbound_cpumask); +@@ -5406,10 +5412,11 @@ int workqueue_set_unbound_cpumask(cpumask_var_t cpumask) + if (ret < 0) + cpumask_copy(wq_unbound_cpumask, saved_cpumask); + ++ free_cpumask_var(saved_cpumask); ++out_unlock: + apply_wqattrs_unlock(); + } + +- free_cpumask_var(saved_cpumask); + return ret; + } + +-- +2.33.0 + diff --git a/queue-5.15/x86-fix-__get_wchan-for-stacktrace.patch b/queue-5.15/x86-fix-__get_wchan-for-stacktrace.patch new file mode 100644 index 00000000000..55584d73a9f --- /dev/null +++ b/queue-5.15/x86-fix-__get_wchan-for-stacktrace.patch @@ -0,0 +1,61 @@ +From ed9a94dc9a3b34131f5063fd69fe7ca3ed81c5cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Oct 2021 16:53:02 +0200 +Subject: x86: Fix __get_wchan() for !STACKTRACE + +From: Peter Zijlstra + +[ Upstream commit 5d1ceb3969b6b2e47e2df6d17790a7c5a20fcbb4 ] + +Use asm/unwind.h to implement wchan, since we cannot always rely on +STACKTRACE=y. + +Fixes: bc9bbb81730e ("x86: Fix get_wchan() to support the ORC unwinder") +Reported-by: Stephen Rothwell +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Kees Cook +Link: https://lkml.kernel.org/r/20211022152104.137058575@infradead.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/process.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index 266962547b58c..2fe1810e922a9 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + + #include "process.h" + +@@ -945,10 +946,20 @@ unsigned long arch_randomize_brk(struct mm_struct *mm) + */ + unsigned long __get_wchan(struct task_struct *p) + { +- unsigned long entry = 0; ++ struct unwind_state state; ++ unsigned long addr = 0; + +- stack_trace_save_tsk(p, &entry, 1, 0); +- return entry; ++ for (unwind_start(&state, p, NULL, NULL); !unwind_done(&state); ++ unwind_next_frame(&state)) { ++ addr = unwind_get_return_address(&state); ++ if (!addr) ++ break; ++ if (in_sched_functions(addr)) ++ continue; ++ break; ++ } ++ ++ return addr; + } + + long do_arch_prctl_common(struct task_struct *task, int option, +-- +2.33.0 + diff --git a/queue-5.15/x86-fix-get_wchan-to-support-the-orc-unwinder.patch b/queue-5.15/x86-fix-get_wchan-to-support-the-orc-unwinder.patch new file mode 100644 index 00000000000..6fef9f04c9f --- /dev/null +++ b/queue-5.15/x86-fix-get_wchan-to-support-the-orc-unwinder.patch @@ -0,0 +1,96 @@ +From c3d0075578e111fe541a909b8a606ba4ab5c0403 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 15:02:17 -0700 +Subject: x86: Fix get_wchan() to support the ORC unwinder + +From: Qi Zheng + +[ Upstream commit bc9bbb81730ea667c31c5b284f95ee312bab466f ] + +Currently, the kernel CONFIG_UNWINDER_ORC option is enabled by default +on x86, but the implementation of get_wchan() is still based on the frame +pointer unwinder, so the /proc//wchan usually returned 0 regardless +of whether the task is running. + +Reimplement get_wchan() by calling stack_trace_save_tsk(), which is +adapted to the ORC and frame pointer unwinders. + +Fixes: ee9f8fce9964 ("x86/unwind: Add the ORC unwinder") +Signed-off-by: Qi Zheng +Signed-off-by: Kees Cook +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20211008111626.271115116@infradead.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/process.c | 51 +++------------------------------------ + 1 file changed, 3 insertions(+), 48 deletions(-) + +diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c +index f2f733bcb2b95..cd426c3283ee1 100644 +--- a/arch/x86/kernel/process.c ++++ b/arch/x86/kernel/process.c +@@ -945,58 +945,13 @@ unsigned long arch_randomize_brk(struct mm_struct *mm) + */ + unsigned long get_wchan(struct task_struct *p) + { +- unsigned long start, bottom, top, sp, fp, ip, ret = 0; +- int count = 0; ++ unsigned long entry = 0; + + if (p == current || task_is_running(p)) + return 0; + +- if (!try_get_task_stack(p)) +- return 0; +- +- start = (unsigned long)task_stack_page(p); +- if (!start) +- goto out; +- +- /* +- * Layout of the stack page: +- * +- * ----------- topmax = start + THREAD_SIZE - sizeof(unsigned long) +- * PADDING +- * ----------- top = topmax - TOP_OF_KERNEL_STACK_PADDING +- * stack +- * ----------- bottom = start +- * +- * The tasks stack pointer points at the location where the +- * framepointer is stored. The data on the stack is: +- * ... IP FP ... IP FP +- * +- * We need to read FP and IP, so we need to adjust the upper +- * bound by another unsigned long. +- */ +- top = start + THREAD_SIZE - TOP_OF_KERNEL_STACK_PADDING; +- top -= 2 * sizeof(unsigned long); +- bottom = start; +- +- sp = READ_ONCE(p->thread.sp); +- if (sp < bottom || sp > top) +- goto out; +- +- fp = READ_ONCE_NOCHECK(((struct inactive_task_frame *)sp)->bp); +- do { +- if (fp < bottom || fp > top) +- goto out; +- ip = READ_ONCE_NOCHECK(*(unsigned long *)(fp + sizeof(unsigned long))); +- if (!in_sched_functions(ip)) { +- ret = ip; +- goto out; +- } +- fp = READ_ONCE_NOCHECK(*(unsigned long *)fp); +- } while (count++ < 16 && !task_is_running(p)); +- +-out: +- put_task_stack(p); +- return ret; ++ stack_trace_save_tsk(p, &entry, 1, 0); ++ return entry; + } + + long do_arch_prctl_common(struct task_struct *task, int option, +-- +2.33.0 + diff --git a/queue-5.15/x86-hyperv-protect-set_hv_tscchange_cb-against-getti.patch b/queue-5.15/x86-hyperv-protect-set_hv_tscchange_cb-against-getti.patch new file mode 100644 index 00000000000..a31cb7e0ff0 --- /dev/null +++ b/queue-5.15/x86-hyperv-protect-set_hv_tscchange_cb-against-getti.patch @@ -0,0 +1,72 @@ +From b90fb6ebf3ca5be3b48dae8a1afd6327d58de37b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Oct 2021 17:50:05 +0200 +Subject: x86/hyperv: Protect set_hv_tscchange_cb() against getting preempted + +From: Vitaly Kuznetsov + +[ Upstream commit 285f68afa8b20f752b0b7194d54980b5e0e27b75 ] + +The following issue is observed with CONFIG_DEBUG_PREEMPT when KVM loads: + + KVM: vmx: using Hyper-V Enlightened VMCS + BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/488 + caller is set_hv_tscchange_cb+0x16/0x80 + CPU: 1 PID: 488 Comm: systemd-udevd Not tainted 5.15.0-rc5+ #396 + Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019 + Call Trace: + dump_stack_lvl+0x6a/0x9a + check_preemption_disabled+0xde/0xe0 + ? kvm_gen_update_masterclock+0xd0/0xd0 [kvm] + set_hv_tscchange_cb+0x16/0x80 + kvm_arch_init+0x23f/0x290 [kvm] + kvm_init+0x30/0x310 [kvm] + vmx_init+0xaf/0x134 [kvm_intel] + ... + +set_hv_tscchange_cb() can get preempted in between acquiring +smp_processor_id() and writing to HV_X64_MSR_REENLIGHTENMENT_CONTROL. This +is not an issue by itself: HV_X64_MSR_REENLIGHTENMENT_CONTROL is a +partition-wide MSR and it doesn't matter which particular CPU will be +used to receive reenlightenment notifications. The only real problem can +(in theory) be observed if the CPU whose id was acquired with +smp_processor_id() goes offline before we manage to write to the MSR, +the logic in hv_cpu_die() won't be able to reassign it correctly. + +Reported-by: Michael Kelley +Signed-off-by: Vitaly Kuznetsov +Link: https://lore.kernel.org/r/20211012155005.1613352-1-vkuznets@redhat.com +Signed-off-by: Wei Liu +Signed-off-by: Sasha Levin +--- + arch/x86/hyperv/hv_init.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c +index 708a2712a516d..179fc173104d7 100644 +--- a/arch/x86/hyperv/hv_init.c ++++ b/arch/x86/hyperv/hv_init.c +@@ -139,7 +139,6 @@ void set_hv_tscchange_cb(void (*cb)(void)) + struct hv_reenlightenment_control re_ctrl = { + .vector = HYPERV_REENLIGHTENMENT_VECTOR, + .enabled = 1, +- .target_vp = hv_vp_index[smp_processor_id()] + }; + struct hv_tsc_emulation_control emu_ctrl = {.enabled = 1}; + +@@ -153,8 +152,12 @@ void set_hv_tscchange_cb(void (*cb)(void)) + /* Make sure callback is registered before we write to MSRs */ + wmb(); + ++ re_ctrl.target_vp = hv_vp_index[get_cpu()]; ++ + wrmsrl(HV_X64_MSR_REENLIGHTENMENT_CONTROL, *((u64 *)&re_ctrl)); + wrmsrl(HV_X64_MSR_TSC_EMULATION_CONTROL, *((u64 *)&emu_ctrl)); ++ ++ put_cpu(); + } + EXPORT_SYMBOL_GPL(set_hv_tscchange_cb); + +-- +2.33.0 + diff --git a/queue-5.15/x86-increase-exception-stack-sizes.patch b/queue-5.15/x86-increase-exception-stack-sizes.patch new file mode 100644 index 00000000000..177d3d7bb3f --- /dev/null +++ b/queue-5.15/x86-increase-exception-stack-sizes.patch @@ -0,0 +1,37 @@ +From fef74a1c207a38e21c338477e30566ed5f418bdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 16:19:46 +0200 +Subject: x86: Increase exception stack sizes + +From: Peter Zijlstra + +[ Upstream commit 7fae4c24a2b84a66c7be399727aca11e7a888462 ] + +It turns out that a single page of stack is trivial to overflow with +all the tracing gunk enabled. Raise the exception stacks to 2 pages, +which is still half the interrupt stacks, which are at 4 pages. + +Reported-by: Michael Wang +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/YUIO9Ye98S5Eb68w@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/page_64_types.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h +index a8d4ad8565681..e9e2c3ba59239 100644 +--- a/arch/x86/include/asm/page_64_types.h ++++ b/arch/x86/include/asm/page_64_types.h +@@ -15,7 +15,7 @@ + #define THREAD_SIZE_ORDER (2 + KASAN_STACK_ORDER) + #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER) + +-#define EXCEPTION_STACK_ORDER (0 + KASAN_STACK_ORDER) ++#define EXCEPTION_STACK_ORDER (1 + KASAN_STACK_ORDER) + #define EXCEPTION_STKSZ (PAGE_SIZE << EXCEPTION_STACK_ORDER) + + #define IRQ_STACK_ORDER (2 + KASAN_STACK_ORDER) +-- +2.33.0 + diff --git a/queue-5.15/x86-insn-use-get_unaligned-instead-of-memcpy.patch b/queue-5.15/x86-insn-use-get_unaligned-instead-of-memcpy.patch new file mode 100644 index 00000000000..d870633915b --- /dev/null +++ b/queue-5.15/x86-insn-use-get_unaligned-instead-of-memcpy.patch @@ -0,0 +1,137 @@ +From a7e8290c856966df59f3a0f2bcfbcb5ce5b465d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Sep 2021 16:37:53 +0200 +Subject: x86/insn: Use get_unaligned() instead of memcpy() + +From: Borislav Petkov + +[ Upstream commit f96b4675839b66168f5a07bf964dde6c2f1c4885 ] + +Use get_unaligned() instead of memcpy() to access potentially unaligned +memory, which, when accessed through a pointer, leads to undefined +behavior. get_unaligned() describes much better what is happening there +anyway even if memcpy() does the job. + +In addition, since perf tool builds with -Werror, it would fire with: + + util/intel-pt-decoder/../../../arch/x86/lib/insn.c: In function '__insn_get_emulate_prefix': + tools/include/../include/asm-generic/unaligned.h:10:15: error: packed attribute is unnecessary [-Werror=packed] + 10 | const struct { type x; } __packed *__pptr = (typeof(__pptr))(ptr); \ + +because -Werror=packed would complain if the packed attribute would have +no effect on the layout of the structure. + +In this case, that is intentional so disable the warning only for that +compilation unit. + +That part is Reported-by: Stephen Rothwell + +No functional changes. + +Fixes: 5ba1071f7554 ("x86/insn, tools/x86: Fix undefined behavior due to potential unaligned accesses") +Suggested-by: Linus Torvalds +Signed-off-by: Borislav Petkov +Acked-by: Masami Hiramatsu +Tested-by: Stephen Rothwell +Link: https://lkml.kernel.org/r/YVSsIkj9Z29TyUjE@zn.tnic +Signed-off-by: Sasha Levin +--- + arch/x86/lib/insn.c | 5 +++-- + tools/arch/x86/lib/insn.c | 5 +++-- + tools/include/asm-generic/unaligned.h | 23 +++++++++++++++++++++++ + tools/perf/util/intel-pt-decoder/Build | 2 ++ + 4 files changed, 31 insertions(+), 4 deletions(-) + create mode 100644 tools/include/asm-generic/unaligned.h + +diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c +index c565def611e24..55e371cc69fd5 100644 +--- a/arch/x86/lib/insn.c ++++ b/arch/x86/lib/insn.c +@@ -13,6 +13,7 @@ + #endif + #include /*__ignore_sync_check__ */ + #include /* __ignore_sync_check__ */ ++#include /* __ignore_sync_check__ */ + + #include + #include +@@ -37,10 +38,10 @@ + ((insn)->next_byte + sizeof(t) + n <= (insn)->end_kaddr) + + #define __get_next(t, insn) \ +- ({ t r; memcpy(&r, insn->next_byte, sizeof(t)); insn->next_byte += sizeof(t); leXX_to_cpu(t, r); }) ++ ({ t r = get_unaligned((t *)(insn)->next_byte); (insn)->next_byte += sizeof(t); leXX_to_cpu(t, r); }) + + #define __peek_nbyte_next(t, insn, n) \ +- ({ t r; memcpy(&r, (insn)->next_byte + n, sizeof(t)); leXX_to_cpu(t, r); }) ++ ({ t r = get_unaligned((t *)(insn)->next_byte + n); leXX_to_cpu(t, r); }) + + #define get_next(t, insn) \ + ({ if (unlikely(!validate_next(t, insn, 0))) goto err_out; __get_next(t, insn); }) +diff --git a/tools/arch/x86/lib/insn.c b/tools/arch/x86/lib/insn.c +index 797699462cd8e..8fd63a067308a 100644 +--- a/tools/arch/x86/lib/insn.c ++++ b/tools/arch/x86/lib/insn.c +@@ -13,6 +13,7 @@ + #endif + #include "../include/asm/inat.h" /* __ignore_sync_check__ */ + #include "../include/asm/insn.h" /* __ignore_sync_check__ */ ++#include "../include/asm-generic/unaligned.h" /* __ignore_sync_check__ */ + + #include + #include +@@ -37,10 +38,10 @@ + ((insn)->next_byte + sizeof(t) + n <= (insn)->end_kaddr) + + #define __get_next(t, insn) \ +- ({ t r; memcpy(&r, insn->next_byte, sizeof(t)); insn->next_byte += sizeof(t); leXX_to_cpu(t, r); }) ++ ({ t r = get_unaligned((t *)(insn)->next_byte); (insn)->next_byte += sizeof(t); leXX_to_cpu(t, r); }) + + #define __peek_nbyte_next(t, insn, n) \ +- ({ t r; memcpy(&r, (insn)->next_byte + n, sizeof(t)); leXX_to_cpu(t, r); }) ++ ({ t r = get_unaligned((t *)(insn)->next_byte + n); leXX_to_cpu(t, r); }) + + #define get_next(t, insn) \ + ({ if (unlikely(!validate_next(t, insn, 0))) goto err_out; __get_next(t, insn); }) +diff --git a/tools/include/asm-generic/unaligned.h b/tools/include/asm-generic/unaligned.h +new file mode 100644 +index 0000000000000..47387c607035e +--- /dev/null ++++ b/tools/include/asm-generic/unaligned.h +@@ -0,0 +1,23 @@ ++/* SPDX-License-Identifier: GPL-2.0-or-later */ ++/* ++ * Copied from the kernel sources to tools/perf/: ++ */ ++ ++#ifndef __TOOLS_LINUX_ASM_GENERIC_UNALIGNED_H ++#define __TOOLS_LINUX_ASM_GENERIC_UNALIGNED_H ++ ++#define __get_unaligned_t(type, ptr) ({ \ ++ const struct { type x; } __packed *__pptr = (typeof(__pptr))(ptr); \ ++ __pptr->x; \ ++}) ++ ++#define __put_unaligned_t(type, val, ptr) do { \ ++ struct { type x; } __packed *__pptr = (typeof(__pptr))(ptr); \ ++ __pptr->x = (val); \ ++} while (0) ++ ++#define get_unaligned(ptr) __get_unaligned_t(typeof(*(ptr)), (ptr)) ++#define put_unaligned(val, ptr) __put_unaligned_t(typeof(*(ptr)), (val), (ptr)) ++ ++#endif /* __TOOLS_LINUX_ASM_GENERIC_UNALIGNED_H */ ++ +diff --git a/tools/perf/util/intel-pt-decoder/Build b/tools/perf/util/intel-pt-decoder/Build +index bc629359826fb..b41c2e9c6f887 100644 +--- a/tools/perf/util/intel-pt-decoder/Build ++++ b/tools/perf/util/intel-pt-decoder/Build +@@ -18,3 +18,5 @@ CFLAGS_intel-pt-insn-decoder.o += -I$(OUTPUT)util/intel-pt-decoder + ifeq ($(CC_NO_CLANG), 1) + CFLAGS_intel-pt-insn-decoder.o += -Wno-override-init + endif ++ ++CFLAGS_intel-pt-insn-decoder.o += -Wno-packed +-- +2.33.0 + diff --git a/queue-5.15/x86-mm-64-improve-stack-overflow-warnings.patch b/queue-5.15/x86-mm-64-improve-stack-overflow-warnings.patch new file mode 100644 index 00000000000..799567530bc --- /dev/null +++ b/queue-5.15/x86-mm-64-improve-stack-overflow-warnings.patch @@ -0,0 +1,289 @@ +From f9e73de8b168d2e2ddeb4f1587661bccf6bfed90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Sep 2021 17:12:59 +0200 +Subject: x86/mm/64: Improve stack overflow warnings + +From: Peter Zijlstra + +[ Upstream commit 44b979fa302cab91bdd2cc982823e5c13202cd4e ] + +Current code has an explicit check for hitting the task stack guard; +but overflowing any of the other stacks will get you a non-descript +general #DF warning. + +Improve matters by using get_stack_info_noinstr() to detetrmine if and +which stack guard page got hit, enabling a better stack warning. + +In specific, Michael Wang reported what turned out to be an NMI +exception stack overflow, which is now clearly reported as such: + + [] BUG: NMI stack guard page was hit at 0000000085fd977b (stack is 000000003a55b09e..00000000d8cce1a5) + +Reported-by: Michael Wang +Signed-off-by: Peter Zijlstra (Intel) +Tested-by: Michael Wang +Link: https://lkml.kernel.org/r/YUTE/NuqnaWbST8n@hirez.programming.kicks-ass.net +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/irq_stack.h | 37 +++++++++++++++++++++---------- + arch/x86/include/asm/stacktrace.h | 10 +++++++++ + arch/x86/include/asm/traps.h | 6 ++--- + arch/x86/kernel/dumpstack_64.c | 6 +++++ + arch/x86/kernel/traps.c | 25 +++++++++++---------- + arch/x86/mm/fault.c | 20 ++++++++--------- + 6 files changed, 67 insertions(+), 37 deletions(-) + +diff --git a/arch/x86/include/asm/irq_stack.h b/arch/x86/include/asm/irq_stack.h +index 562854c608082..8d55bd11848cb 100644 +--- a/arch/x86/include/asm/irq_stack.h ++++ b/arch/x86/include/asm/irq_stack.h +@@ -77,11 +77,11 @@ + * Function calls can clobber anything except the callee-saved + * registers. Tell the compiler. + */ +-#define call_on_irqstack(func, asm_call, argconstr...) \ ++#define call_on_stack(stack, func, asm_call, argconstr...) \ + { \ + register void *tos asm("r11"); \ + \ +- tos = ((void *)__this_cpu_read(hardirq_stack_ptr)); \ ++ tos = ((void *)(stack)); \ + \ + asm_inline volatile( \ + "movq %%rsp, (%[tos]) \n" \ +@@ -98,6 +98,25 @@ + ); \ + } + ++#define ASM_CALL_ARG0 \ ++ "call %P[__func] \n" ++ ++#define ASM_CALL_ARG1 \ ++ "movq %[arg1], %%rdi \n" \ ++ ASM_CALL_ARG0 ++ ++#define ASM_CALL_ARG2 \ ++ "movq %[arg2], %%rsi \n" \ ++ ASM_CALL_ARG1 ++ ++#define ASM_CALL_ARG3 \ ++ "movq %[arg3], %%rdx \n" \ ++ ASM_CALL_ARG2 ++ ++#define call_on_irqstack(func, asm_call, argconstr...) \ ++ call_on_stack(__this_cpu_read(hardirq_stack_ptr), \ ++ func, asm_call, argconstr) ++ + /* Macros to assert type correctness for run_*_on_irqstack macros */ + #define assert_function_type(func, proto) \ + static_assert(__builtin_types_compatible_p(typeof(&func), proto)) +@@ -147,8 +166,7 @@ + */ + #define ASM_CALL_SYSVEC \ + "call irq_enter_rcu \n" \ +- "movq %[arg1], %%rdi \n" \ +- "call %P[__func] \n" \ ++ ASM_CALL_ARG1 \ + "call irq_exit_rcu \n" + + #define SYSVEC_CONSTRAINTS , [arg1] "r" (regs) +@@ -168,12 +186,10 @@ + */ + #define ASM_CALL_IRQ \ + "call irq_enter_rcu \n" \ +- "movq %[arg1], %%rdi \n" \ +- "movl %[arg2], %%esi \n" \ +- "call %P[__func] \n" \ ++ ASM_CALL_ARG2 \ + "call irq_exit_rcu \n" + +-#define IRQ_CONSTRAINTS , [arg1] "r" (regs), [arg2] "r" (vector) ++#define IRQ_CONSTRAINTS , [arg1] "r" (regs), [arg2] "r" ((unsigned long)vector) + + #define run_irq_on_irqstack_cond(func, regs, vector) \ + { \ +@@ -185,9 +201,6 @@ + IRQ_CONSTRAINTS, regs, vector); \ + } + +-#define ASM_CALL_SOFTIRQ \ +- "call %P[__func] \n" +- + /* + * Macro to invoke __do_softirq on the irq stack. This is only called from + * task context when bottom halves are about to be reenabled and soft +@@ -197,7 +210,7 @@ + #define do_softirq_own_stack() \ + { \ + __this_cpu_write(hardirq_stack_inuse, true); \ +- call_on_irqstack(__do_softirq, ASM_CALL_SOFTIRQ); \ ++ call_on_irqstack(__do_softirq, ASM_CALL_ARG0); \ + __this_cpu_write(hardirq_stack_inuse, false); \ + } + +diff --git a/arch/x86/include/asm/stacktrace.h b/arch/x86/include/asm/stacktrace.h +index f248eb2ac2d4a..3881b5333eb81 100644 +--- a/arch/x86/include/asm/stacktrace.h ++++ b/arch/x86/include/asm/stacktrace.h +@@ -38,6 +38,16 @@ int get_stack_info(unsigned long *stack, struct task_struct *task, + bool get_stack_info_noinstr(unsigned long *stack, struct task_struct *task, + struct stack_info *info); + ++static __always_inline ++bool get_stack_guard_info(unsigned long *stack, struct stack_info *info) ++{ ++ /* make sure it's not in the stack proper */ ++ if (get_stack_info_noinstr(stack, current, info)) ++ return false; ++ /* but if it is in the page below it, we hit a guard */ ++ return get_stack_info_noinstr((void *)stack + PAGE_SIZE, current, info); ++} ++ + const char *stack_type_name(enum stack_type type); + + static inline bool on_stack(struct stack_info *info, void *addr, size_t len) +diff --git a/arch/x86/include/asm/traps.h b/arch/x86/include/asm/traps.h +index 7f7200021bd13..6221be7cafc3b 100644 +--- a/arch/x86/include/asm/traps.h ++++ b/arch/x86/include/asm/traps.h +@@ -40,9 +40,9 @@ void math_emulate(struct math_emu_info *); + bool fault_in_kernel_space(unsigned long address); + + #ifdef CONFIG_VMAP_STACK +-void __noreturn handle_stack_overflow(const char *message, +- struct pt_regs *regs, +- unsigned long fault_address); ++void __noreturn handle_stack_overflow(struct pt_regs *regs, ++ unsigned long fault_address, ++ struct stack_info *info); + #endif + + #endif /* _ASM_X86_TRAPS_H */ +diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c +index 5601b95944fae..6c5defd6569a3 100644 +--- a/arch/x86/kernel/dumpstack_64.c ++++ b/arch/x86/kernel/dumpstack_64.c +@@ -32,9 +32,15 @@ const char *stack_type_name(enum stack_type type) + { + BUILD_BUG_ON(N_EXCEPTION_STACKS != 6); + ++ if (type == STACK_TYPE_TASK) ++ return "TASK"; ++ + if (type == STACK_TYPE_IRQ) + return "IRQ"; + ++ if (type == STACK_TYPE_SOFTIRQ) ++ return "SOFTIRQ"; ++ + if (type == STACK_TYPE_ENTRY) { + /* + * On 64-bit, we have a generic entry stack that we +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index f3f3034b06f34..cc6de3a01293c 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -313,17 +313,19 @@ out: + } + + #ifdef CONFIG_VMAP_STACK +-__visible void __noreturn handle_stack_overflow(const char *message, +- struct pt_regs *regs, +- unsigned long fault_address) ++__visible void __noreturn handle_stack_overflow(struct pt_regs *regs, ++ unsigned long fault_address, ++ struct stack_info *info) + { +- printk(KERN_EMERG "BUG: stack guard page was hit at %p (stack is %p..%p)\n", +- (void *)fault_address, current->stack, +- (char *)current->stack + THREAD_SIZE - 1); +- die(message, regs, 0); ++ const char *name = stack_type_name(info->type); ++ ++ printk(KERN_EMERG "BUG: %s stack guard page was hit at %p (stack is %p..%p)\n", ++ name, (void *)fault_address, info->begin, info->end); ++ ++ die("stack guard page", regs, 0); + + /* Be absolutely certain we don't return. */ +- panic("%s", message); ++ panic("%s stack guard hit", name); + } + #endif + +@@ -353,6 +355,7 @@ DEFINE_IDTENTRY_DF(exc_double_fault) + + #ifdef CONFIG_VMAP_STACK + unsigned long address = read_cr2(); ++ struct stack_info info; + #endif + + #ifdef CONFIG_X86_ESPFIX64 +@@ -455,10 +458,8 @@ DEFINE_IDTENTRY_DF(exc_double_fault) + * stack even if the actual trigger for the double fault was + * something else. + */ +- if ((unsigned long)task_stack_page(tsk) - 1 - address < PAGE_SIZE) { +- handle_stack_overflow("kernel stack overflow (double-fault)", +- regs, address); +- } ++ if (get_stack_guard_info((void *)address, &info)) ++ handle_stack_overflow(regs, address, &info); + #endif + + pr_emerg("PANIC: double fault, error_code: 0x%lx\n", error_code); +diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c +index 84a2c8c4af735..4bfed53e210ec 100644 +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -32,6 +32,7 @@ + #include /* VMALLOC_START, ... */ + #include /* kvm_handle_async_pf */ + #include /* fixup_vdso_exception() */ ++#include + + #define CREATE_TRACE_POINTS + #include +@@ -631,6 +632,9 @@ static noinline void + page_fault_oops(struct pt_regs *regs, unsigned long error_code, + unsigned long address) + { ++#ifdef CONFIG_VMAP_STACK ++ struct stack_info info; ++#endif + unsigned long flags; + int sig; + +@@ -649,9 +653,7 @@ page_fault_oops(struct pt_regs *regs, unsigned long error_code, + * that we're in vmalloc space to avoid this. + */ + if (is_vmalloc_addr((void *)address) && +- (((unsigned long)current->stack - 1 - address < PAGE_SIZE) || +- address - ((unsigned long)current->stack + THREAD_SIZE) < PAGE_SIZE)) { +- unsigned long stack = __this_cpu_ist_top_va(DF) - sizeof(void *); ++ get_stack_guard_info((void *)address, &info)) { + /* + * We're likely to be running with very little stack space + * left. It's plausible that we'd hit this condition but +@@ -662,13 +664,11 @@ page_fault_oops(struct pt_regs *regs, unsigned long error_code, + * and then double-fault, though, because we're likely to + * break the console driver and lose most of the stack dump. + */ +- asm volatile ("movq %[stack], %%rsp\n\t" +- "call handle_stack_overflow\n\t" +- "1: jmp 1b" +- : ASM_CALL_CONSTRAINT +- : "D" ("kernel stack overflow (page fault)"), +- "S" (regs), "d" (address), +- [stack] "rm" (stack)); ++ call_on_stack(__this_cpu_ist_top_va(DF) - sizeof(void*), ++ handle_stack_overflow, ++ ASM_CALL_ARG3, ++ , [arg1] "r" (regs), [arg2] "r" (address), [arg3] "r" (&info)); ++ + unreachable(); + } + #endif +-- +2.33.0 + diff --git a/queue-5.15/x86-sev-fix-stack-type-check-in-vc_switch_off_ist.patch b/queue-5.15/x86-sev-fix-stack-type-check-in-vc_switch_off_ist.patch new file mode 100644 index 00000000000..31921f4145c --- /dev/null +++ b/queue-5.15/x86-sev-fix-stack-type-check-in-vc_switch_off_ist.patch @@ -0,0 +1,39 @@ +From bbee3aa7ba1ecc0f74008d2e5481c31a851aa06e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 10:08:32 +0200 +Subject: x86/sev: Fix stack type check in vc_switch_off_ist() + +From: Joerg Roedel + +[ Upstream commit 5681981fb788281b09a4ea14d310d30b2bd89132 ] + +The value of STACK_TYPE_EXCEPTION_LAST points to the last _valid_ +exception stack. Reflect that in the check done in the +vc_switch_off_ist() function. + +Fixes: a13644f3a53de ("x86/entry/64: Add entry code for #VC handler") +Reported-by: Tom Lendacky +Signed-off-by: Joerg Roedel +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20211021080833.30875-2-joro@8bytes.org +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/traps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index cc6de3a01293c..5b1984d468227 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -743,7 +743,7 @@ asmlinkage __visible noinstr struct pt_regs *vc_switch_off_ist(struct pt_regs *r + stack = (unsigned long *)sp; + + if (!get_stack_info_noinstr(stack, current, &info) || info.type == STACK_TYPE_ENTRY || +- info.type >= STACK_TYPE_EXCEPTION_LAST) ++ info.type > STACK_TYPE_EXCEPTION_LAST) + sp = __this_cpu_ist_top_va(VC2); + + sync: +-- +2.33.0 + diff --git a/queue-5.15/x86-xen-mark-cpu_bringup_and_idle-as-dead_end_functi.patch b/queue-5.15/x86-xen-mark-cpu_bringup_and_idle-as-dead_end_functi.patch new file mode 100644 index 00000000000..dbdbfa34b2f --- /dev/null +++ b/queue-5.15/x86-xen-mark-cpu_bringup_and_idle-as-dead_end_functi.patch @@ -0,0 +1,47 @@ +From 62e6bbac963d62f77c689ffdf3fc94cdfae74acc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Jun 2021 11:41:00 +0200 +Subject: x86/xen: Mark cpu_bringup_and_idle() as dead_end_function + +From: Peter Zijlstra + +[ Upstream commit 9af9dcf11bda3e2c0e24c1acaacb8685ad974e93 ] + +The asm_cpu_bringup_and_idle() function is required to push the return +value on the stack in order to make ORC happy, but the only reason +objtool doesn't complain is because of a happy accident. + +The thing is that asm_cpu_bringup_and_idle() doesn't return, so +validate_branch() never terminates and falls through to the next +function, which in the normal case is the hypercall_page. And that, as +it happens, is 4095 NOPs and a RET. + +Make asm_cpu_bringup_and_idle() terminate on it's own, by making the +function it calls as a dead-end. This way we no longer rely on what +code happens to come after. + +Fixes: c3881eb58d56 ("x86/xen: Make the secondary CPU idle tasks reliable") +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Juergen Gross +Reviewed-by: Miroslav Benes +Link: https://lore.kernel.org/r/20210624095147.693801717@infradead.org +Signed-off-by: Sasha Levin +--- + tools/objtool/check.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/objtool/check.c b/tools/objtool/check.c +index 06b5c164ae931..8bffc004f4e53 100644 +--- a/tools/objtool/check.c ++++ b/tools/objtool/check.c +@@ -173,6 +173,7 @@ static bool __dead_end_function(struct objtool_file *file, struct symbol *func, + "rewind_stack_do_exit", + "kunit_try_catch_throw", + "xen_start_kernel", ++ "cpu_bringup_and_idle", + }; + + if (!func) +-- +2.33.0 + diff --git a/queue-5.15/xen-pciback-fix-return-in-pm_ctrl_init.patch b/queue-5.15/xen-pciback-fix-return-in-pm_ctrl_init.patch new file mode 100644 index 00000000000..90a6e2251a1 --- /dev/null +++ b/queue-5.15/xen-pciback-fix-return-in-pm_ctrl_init.patch @@ -0,0 +1,40 @@ +From 3f327f31e906a78cf8d260776be61a3849ae1e66 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 15:44:17 +0800 +Subject: xen-pciback: Fix return in pm_ctrl_init() + +From: YueHaibing + +[ Upstream commit 4745ea2628bb43a7ec34b71763b5a56407b33990 ] + +Return NULL instead of passing to ERR_PTR while err is zero, +this fix smatch warnings: +drivers/xen/xen-pciback/conf_space_capability.c:163 + pm_ctrl_init() warn: passing zero to 'ERR_PTR' + +Fixes: a92336a1176b ("xen/pciback: Drop two backends, squash and cleanup some code.") +Signed-off-by: YueHaibing +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/20211008074417.8260-1-yuehaibing@huawei.com +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +--- + drivers/xen/xen-pciback/conf_space_capability.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/xen/xen-pciback/conf_space_capability.c b/drivers/xen/xen-pciback/conf_space_capability.c +index 22f13abbe9130..5e53b4817f167 100644 +--- a/drivers/xen/xen-pciback/conf_space_capability.c ++++ b/drivers/xen/xen-pciback/conf_space_capability.c +@@ -160,7 +160,7 @@ static void *pm_ctrl_init(struct pci_dev *dev, int offset) + } + + out: +- return ERR_PTR(err); ++ return err ? ERR_PTR(err) : NULL; + } + + static const struct config_field caplist_pm[] = { +-- +2.33.0 + diff --git a/queue-5.15/zram-off-by-one-in-read_block_state.patch b/queue-5.15/zram-off-by-one-in-read_block_state.patch new file mode 100644 index 00000000000..49508b1cd81 --- /dev/null +++ b/queue-5.15/zram-off-by-one-in-read_block_state.patch @@ -0,0 +1,44 @@ +From 2be83fc19e337741852d630e9f833a9038ff591c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 13:45:12 -0700 +Subject: zram: off by one in read_block_state() + +From: Dan Carpenter + +[ Upstream commit a88e03cf3d190cf46bc4063a9b7efe87590de5f4 ] + +snprintf() returns the number of bytes it would have printed if there +were space. But it does not count the NUL terminator. So that means +that if "count == copied" then this has already overflowed by one +character. + +This bug likely isn't super harmful in real life. + +Link: https://lkml.kernel.org/r/20210916130404.GA25094@kili +Fixes: c0265342bff4 ("zram: introduce zram memory tracking") +Signed-off-by: Dan Carpenter +Cc: Minchan Kim +Cc: Sergey Senozhatsky +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/block/zram/zram_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c +index fcaf2750f68f7..6383c81ac5b37 100644 +--- a/drivers/block/zram/zram_drv.c ++++ b/drivers/block/zram/zram_drv.c +@@ -910,7 +910,7 @@ static ssize_t read_block_state(struct file *file, char __user *buf, + zram_test_flag(zram, index, ZRAM_HUGE) ? 'h' : '.', + zram_test_flag(zram, index, ZRAM_IDLE) ? 'i' : '.'); + +- if (count < copied) { ++ if (count <= copied) { + zram_slot_unlock(zram, index); + break; + } +-- +2.33.0 + -- 2.47.2