From 2bc3e0b8d0665514c0c165db9be614c93b88bd86 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 26 Jun 2022 23:09:30 -0400 Subject: [PATCH] Fixes for 5.15 Signed-off-by: Sasha Levin --- queue-5.15/afs-fix-dynamic-root-getattr.patch | 59 +++ ...tor-spams-netdev_notify_peers-notifi.patch | 48 ++ ...quest_sock-leak-in-sk-lookup-helpers.patch | 98 ++++ ...-call-count-offset-calculation-on-bp.patch | 86 +++ ...-core_initialized-before-disable-int.patch | 69 +++ ...t-initialize-phy-until-plugin-interr.patch | 497 ++++++++++++++++++ ...nk_parse_sink_count-return-immediate.patch | 103 ++++ ...m-dp-drop-now-unused-hpd_high-member.patch | 94 ++++ ...-link-training-for-display-resolutio.patch | 198 +++++++ ...sm-ensure-mmap-offset-is-initialized.patch | 79 +++ ...m-fix-double-pm_runtime_disable-call.patch | 70 +++ ...-refcount-leak-in-mdp4_modeset_init_.patch | 50 ++ ...rdering-of-runpm-put-vs-devfreq_idle.patch | 53 ++ ...each_sgtable_sg-to-iterate-over-scat.patch | 39 ++ ...ash-during-suspend-after-component-b.patch | 59 +++ ...ssume-transport-header-is-always-set.patch | 127 +++++ ...htool-fix-get-module-eeprom-fallback.patch | 40 ++ ...d-fix-error-code-in-winbond_gpio_get.patch | 45 ++ ...tool-advertise-1000m-speeds-properly.patch | 86 +++ ...fter-free-issue-in-igb_clean_tx_ring.patch | 93 ++++ ...ter-when-cpu-is-active-on-the-pcie-l.patch | 83 +++ ...-fix-conversion-mode-sysfs-node-name.patch | 35 ++ ...tometer-yas530-fix-memchr_inv-misuse.patch | 43 ++ ...probe-fail-when-device-tree-compatib.patch | 48 ++ ...t-kmemleak-from-accessing-pkvm-memor.patch | 92 ++++ ...ve-repetitive-increase-irq_err_count.patch | 61 +++ .../net-fix-data-race-in-dev_isalive.patch | 179 +++++++ ...tem-fix-arithmetic-in-netem_dump-for.patch | 73 +++ ...s_sk_proto_close-executed-repeatedly.patch | 55 ++ ...ev_base_lock-without-disabling-botto.patch | 169 ++++++ ...se-get_random_u32-instead-of-prandom.patch | 131 +++++ ...msung-x5-quirk-entry-to-the-core-qui.patch | 65 +++ ...-add-no-apst-quirk-for-kioxia-device.patch | 54 ++ ...-t-set-data-source-if-it-s-not-a-mem.patch | 99 ++++ ...-an-when-higher-speeds-than-1g-are-n.patch | 63 +++ ...-bug-in-regmap_irq_enable-for-type_i.patch | 55 ++ ...ffset-index-mismatch-in-read_sub_irq.patch | 46 ++ ...ix-tls_sk_proto_close-executed-repea.patch | 42 ++ ...e-events-cycles-and-instructions-ide.patch | 102 ++++ ...lude-zero-from-the-endpoint-id-range.patch | 48 ++ ...fix-zone-transition-to-full-conditio.patch | 81 +++ ...rect-reporting-of-hyper-v-i-o-size-l.patch | 102 ++++ ...ter-correct-pktgen_script_paths-in-n.patch | 61 +++ queue-5.15/series | 51 ++ ...do-the-psock-vs-ulp-protection-check.patch | 98 ++++ ...after-free-read-in-tipc_named_reinit.patch | 80 +++ .../udmabuf-add-back-sanity-check.patch | 42 ++ ...drop-wrong-dependency-to-intel_soc_p.patch | 45 ++ ...dp_rxq_info-bug-after-suspend-resume.patch | 115 ++++ ...undefined-behavior-in-setup_features.patch | 37 ++ .../xen-blkfront-handle-null-gendisk.patch | 143 +++++ ...transmit-when-completion-queue-reser.patch | 78 +++ 52 files changed, 4469 insertions(+) create mode 100644 queue-5.15/afs-fix-dynamic-root-getattr.patch create mode 100644 queue-5.15/bonding-arp-monitor-spams-netdev_notify_peers-notifi.patch create mode 100644 queue-5.15/bpf-fix-request_sock-leak-in-sk-lookup-helpers.patch create mode 100644 queue-5.15/bpf-x86-fix-tail-call-count-offset-calculation-on-bp.patch create mode 100644 queue-5.15/drm-msm-dp-check-core_initialized-before-disable-int.patch create mode 100644 queue-5.15/drm-msm-dp-do-not-initialize-phy-until-plugin-interr.patch create mode 100644 queue-5.15/drm-msm-dp-dp_link_parse_sink_count-return-immediate.patch create mode 100644 queue-5.15/drm-msm-dp-drop-now-unused-hpd_high-member.patch create mode 100644 queue-5.15/drm-msm-dp-force-link-training-for-display-resolutio.patch create mode 100644 queue-5.15/drm-msm-ensure-mmap-offset-is-initialized.patch create mode 100644 queue-5.15/drm-msm-fix-double-pm_runtime_disable-call.patch create mode 100644 queue-5.15/drm-msm-mdp4-fix-refcount-leak-in-mdp4_modeset_init_.patch create mode 100644 queue-5.15/drm-msm-switch-ordering-of-runpm-put-vs-devfreq_idle.patch create mode 100644 queue-5.15/drm-msm-use-for_each_sgtable_sg-to-iterate-over-scat.patch create mode 100644 queue-5.15/drm-sun4i-fix-crash-during-suspend-after-component-b.patch create mode 100644 queue-5.15/erspan-do-not-assume-transport-header-is-always-set.patch create mode 100644 queue-5.15/ethtool-fix-get-module-eeprom-fallback.patch create mode 100644 queue-5.15/gpio-winbond-fix-error-code-in-winbond_gpio_get.patch create mode 100644 queue-5.15/ice-ethtool-advertise-1000m-speeds-properly.patch create mode 100644 queue-5.15/igb-fix-a-use-after-free-issue-in-igb_clean_tx_ring.patch create mode 100644 queue-5.15/igb-make-dma-faster-when-cpu-is-active-on-the-pcie-l.patch create mode 100644 queue-5.15/iio-adc-vf610-fix-conversion-mode-sysfs-node-name.patch create mode 100644 queue-5.15/iio-magnetometer-yas530-fix-memchr_inv-misuse.patch create mode 100644 queue-5.15/iio-mma8452-fix-probe-fail-when-device-tree-compatib.patch create mode 100644 queue-5.15/kvm-arm64-prevent-kmemleak-from-accessing-pkvm-memor.patch create mode 100644 queue-5.15/mips-remove-repetitive-increase-irq_err_count.patch create mode 100644 queue-5.15/net-fix-data-race-in-dev_isalive.patch create mode 100644 queue-5.15/net-sched-sch_netem-fix-arithmetic-in-netem_dump-for.patch create mode 100644 queue-5.15/net-tls-fix-tls_sk_proto_close-executed-repeatedly.patch create mode 100644 queue-5.15/net-write-lock-dev_base_lock-without-disabling-botto.patch create mode 100644 queue-5.15/netfilter-use-get_random_u32-instead-of-prandom.patch create mode 100644 queue-5.15/nvme-move-the-samsung-x5-quirk-entry-to-the-core-qui.patch create mode 100644 queue-5.15/nvme-pci-add-no-apst-quirk-for-kioxia-device.patch create mode 100644 queue-5.15/perf-arm-spe-don-t-set-data-source-if-it-s-not-a-mem.patch create mode 100644 queue-5.15/phy-aquantia-fix-an-when-higher-speeds-than-1g-are-n.patch create mode 100644 queue-5.15/regmap-irq-fix-a-bug-in-regmap_irq_enable-for-type_i.patch create mode 100644 queue-5.15/regmap-irq-fix-offset-index-mismatch-in-read_sub_irq.patch create mode 100644 queue-5.15/revert-net-tls-fix-tls_sk_proto_close-executed-repea.patch create mode 100644 queue-5.15/s390-cpumf-handle-events-cycles-and-instructions-ide.patch create mode 100644 queue-5.15/scsi-iscsi-exclude-zero-from-the-endpoint-id-range.patch create mode 100644 queue-5.15/scsi-scsi_debug-fix-zone-transition-to-full-conditio.patch create mode 100644 queue-5.15/scsi-storvsc-correct-reporting-of-hyper-v-i-o-size-l.patch create mode 100644 queue-5.15/selftests-netfilter-correct-pktgen_script_paths-in-n.patch create mode 100644 queue-5.15/sock-redo-the-psock-vs-ulp-protection-check.patch create mode 100644 queue-5.15/tipc-fix-use-after-free-read-in-tipc_named_reinit.patch create mode 100644 queue-5.15/udmabuf-add-back-sanity-check.patch create mode 100644 queue-5.15/usb-typec-wcove-drop-wrong-dependency-to-intel_soc_p.patch create mode 100644 queue-5.15/virtio_net-fix-xdp_rxq_info-bug-after-suspend-resume.patch create mode 100644 queue-5.15/x86-xen-remove-undefined-behavior-in-setup_features.patch create mode 100644 queue-5.15/xen-blkfront-handle-null-gendisk.patch create mode 100644 queue-5.15/xsk-fix-generic-transmit-when-completion-queue-reser.patch diff --git a/queue-5.15/afs-fix-dynamic-root-getattr.patch b/queue-5.15/afs-fix-dynamic-root-getattr.patch new file mode 100644 index 00000000000..210a55c0110 --- /dev/null +++ b/queue-5.15/afs-fix-dynamic-root-getattr.patch @@ -0,0 +1,59 @@ +From 998c1e9973fba358b982c1b683bb43a6fefc9ee2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 15:59:57 +0100 +Subject: afs: Fix dynamic root getattr + +From: David Howells + +[ Upstream commit cb78d1b5efffe4cf97e16766329dd7358aed3deb ] + +The recent patch to make afs_getattr consult the server didn't account +for the pseudo-inodes employed by the dynamic root-type afs superblock +not having a volume or a server to access, and thus an oops occurs if +such a directory is stat'd. + +Fix this by checking to see if the vnode->volume pointer actually points +anywhere before following it in afs_getattr(). + +This can be tested by stat'ing a directory in /afs. It may be +sufficient just to do "ls /afs" and the oops looks something like: + + BUG: kernel NULL pointer dereference, address: 0000000000000020 + ... + RIP: 0010:afs_getattr+0x8b/0x14b + ... + Call Trace: + + vfs_statx+0x79/0xf5 + vfs_fstatat+0x49/0x62 + +Fixes: 2aeb8c86d499 ("afs: Fix afs_getattr() to refetch file status if callback break occurred") +Reported-by: Marc Dionne +Signed-off-by: David Howells +Reviewed-by: Marc Dionne +Tested-by: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/165408450783.1031787.7941404776393751186.stgit@warthog.procyon.org.uk/ +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/afs/inode.c b/fs/afs/inode.c +index a47666ba48f5..785bacb972da 100644 +--- a/fs/afs/inode.c ++++ b/fs/afs/inode.c +@@ -733,7 +733,8 @@ int afs_getattr(struct user_namespace *mnt_userns, const struct path *path, + + _enter("{ ino=%lu v=%u }", inode->i_ino, inode->i_generation); + +- if (!(query_flags & AT_STATX_DONT_SYNC) && ++ if (vnode->volume && ++ !(query_flags & AT_STATX_DONT_SYNC) && + !test_bit(AFS_VNODE_CB_PROMISED, &vnode->flags)) { + key = afs_request_key(vnode->volume->cell); + if (IS_ERR(key)) +-- +2.35.1 + diff --git a/queue-5.15/bonding-arp-monitor-spams-netdev_notify_peers-notifi.patch b/queue-5.15/bonding-arp-monitor-spams-netdev_notify_peers-notifi.patch new file mode 100644 index 00000000000..14cb125a886 --- /dev/null +++ b/queue-5.15/bonding-arp-monitor-spams-netdev_notify_peers-notifi.patch @@ -0,0 +1,48 @@ +From 44671b082198a66a5e9e90016418c69ee77765a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 12:32:40 -0700 +Subject: bonding: ARP monitor spams NETDEV_NOTIFY_PEERS notifiers + +From: Jay Vosburgh + +[ Upstream commit 7a9214f3d88cfdb099f3896e102a306b316d8707 ] + +The bonding ARP monitor fails to decrement send_peer_notif, the +number of peer notifications (gratuitous ARP or ND) to be sent. This +results in a continuous series of notifications. + +Correct this by decrementing the counter for each notification. + +Reported-by: Jonathan Toppins +Signed-off-by: Jay Vosburgh +Fixes: b0929915e035 ("bonding: Fix RTNL: assertion failed at net/core/rtnetlink.c for ab arp monitor") +Link: https://lore.kernel.org/netdev/b2fd4147-8f50-bebd-963a-1a3e8d1d9715@redhat.com/ +Tested-by: Jonathan Toppins +Reviewed-by: Jonathan Toppins +Link: https://lore.kernel.org/r/9400.1655407960@famine +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 2e75b7e8f70b..cd0d7b24f014 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -3474,9 +3474,11 @@ static void bond_activebackup_arp_mon(struct bonding *bond) + if (!rtnl_trylock()) + return; + +- if (should_notify_peers) ++ if (should_notify_peers) { ++ bond->send_peer_notif--; + call_netdevice_notifiers(NETDEV_NOTIFY_PEERS, + bond->dev); ++ } + if (should_notify_rtnl) { + bond_slave_state_notify(bond); + bond_slave_link_notify(bond); +-- +2.35.1 + diff --git a/queue-5.15/bpf-fix-request_sock-leak-in-sk-lookup-helpers.patch b/queue-5.15/bpf-fix-request_sock-leak-in-sk-lookup-helpers.patch new file mode 100644 index 00000000000..5bfdb995e76 --- /dev/null +++ b/queue-5.15/bpf-fix-request_sock-leak-in-sk-lookup-helpers.patch @@ -0,0 +1,98 @@ +From e6174509c17c13ffbb4426d7068894db10524c86 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jun 2022 11:15:40 +1000 +Subject: bpf: Fix request_sock leak in sk lookup helpers + +From: Jon Maxwell + +[ Upstream commit 3046a827316c0e55fc563b4fb78c93b9ca5c7c37 ] + +A customer reported a request_socket leak in a Calico cloud environment. We +found that a BPF program was doing a socket lookup with takes a refcnt on +the socket and that it was finding the request_socket but returning the parent +LISTEN socket via sk_to_full_sk() without decrementing the child request socket +1st, resulting in request_sock slab object leak. This patch retains the +existing behaviour of returning full socks to the caller but it also decrements +the child request_socket if one is present before doing so to prevent the leak. + +Thanks to Curtis Taylor for all the help in diagnosing and testing this. And +thanks to Antoine Tenart for the reproducer and patch input. + +v2 of this patch contains, refactor as per Daniel Borkmann's suggestions to +validate RCU flags on the listen socket so that it balances with bpf_sk_release() +and update comments as per Martin KaFai Lau's suggestion. One small change to +Daniels suggestion, put "sk = sk2" under "if (sk2 != sk)" to avoid an extra +instruction. + +Fixes: f7355a6c0497 ("bpf: Check sk_fullsock() before returning from bpf_sk_lookup()") +Fixes: edbf8c01de5a ("bpf: add skc_lookup_tcp helper") +Co-developed-by: Antoine Tenart +Signed-off-by: Antoine Tenart +Signed-off-by: Jon Maxwell +Signed-off-by: Daniel Borkmann +Tested-by: Curtis Taylor +Cc: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/56d6f898-bde0-bb25-3427-12a330b29fb8@iogearbox.net +Link: https://lore.kernel.org/bpf/20220615011540.813025-1-jmaxwell37@gmail.com +Signed-off-by: Sasha Levin +--- + net/core/filter.c | 34 ++++++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) + +diff --git a/net/core/filter.c b/net/core/filter.c +index 0816468c545c..d1e2ef77ce4c 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -6209,10 +6209,21 @@ __bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len, + ifindex, proto, netns_id, flags); + + if (sk) { +- sk = sk_to_full_sk(sk); +- if (!sk_fullsock(sk)) { ++ struct sock *sk2 = sk_to_full_sk(sk); ++ ++ /* sk_to_full_sk() may return (sk)->rsk_listener, so make sure the original sk ++ * sock refcnt is decremented to prevent a request_sock leak. ++ */ ++ if (!sk_fullsock(sk2)) ++ sk2 = NULL; ++ if (sk2 != sk) { + sock_gen_put(sk); +- return NULL; ++ /* Ensure there is no need to bump sk2 refcnt */ ++ if (unlikely(sk2 && !sock_flag(sk2, SOCK_RCU_FREE))) { ++ WARN_ONCE(1, "Found non-RCU, unreferenced socket!"); ++ return NULL; ++ } ++ sk = sk2; + } + } + +@@ -6246,10 +6257,21 @@ bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len, + flags); + + if (sk) { +- sk = sk_to_full_sk(sk); +- if (!sk_fullsock(sk)) { ++ struct sock *sk2 = sk_to_full_sk(sk); ++ ++ /* sk_to_full_sk() may return (sk)->rsk_listener, so make sure the original sk ++ * sock refcnt is decremented to prevent a request_sock leak. ++ */ ++ if (!sk_fullsock(sk2)) ++ sk2 = NULL; ++ if (sk2 != sk) { + sock_gen_put(sk); +- return NULL; ++ /* Ensure there is no need to bump sk2 refcnt */ ++ if (unlikely(sk2 && !sock_flag(sk2, SOCK_RCU_FREE))) { ++ WARN_ONCE(1, "Found non-RCU, unreferenced socket!"); ++ return NULL; ++ } ++ sk = sk2; + } + } + +-- +2.35.1 + diff --git a/queue-5.15/bpf-x86-fix-tail-call-count-offset-calculation-on-bp.patch b/queue-5.15/bpf-x86-fix-tail-call-count-offset-calculation-on-bp.patch new file mode 100644 index 00000000000..ffb31f5a0cc --- /dev/null +++ b/queue-5.15/bpf-x86-fix-tail-call-count-offset-calculation-on-bp.patch @@ -0,0 +1,86 @@ +From 80478f4a984047eeeefe6bff903e76bd1f83fc76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 18:20:36 +0200 +Subject: bpf, x86: Fix tail call count offset calculation on bpf2bpf call + +From: Jakub Sitnicki + +[ Upstream commit ff672c67ee7635ca1e28fb13729e8ef0d1f08ce5 ] + +On x86-64 the tail call count is passed from one BPF function to another +through %rax. Additionally, on function entry, the tail call count value +is stored on stack right after the BPF program stack, due to register +shortage. + +The stored count is later loaded from stack either when performing a tail +call - to check if we have not reached the tail call limit - or before +calling another BPF function call in order to pass it via %rax. + +In the latter case, we miscalculate the offset at which the tail call count +was stored on function entry. The JIT does not take into account that the +allocated BPF program stack is always a multiple of 8 on x86, while the +actual stack depth does not have to be. + +This leads to a load from an offset that belongs to the BPF stack, as shown +in the example below: + +SEC("tc") +int entry(struct __sk_buff *skb) +{ + /* Have data on stack which size is not a multiple of 8 */ + volatile char arr[1] = {}; + return subprog_tail(skb); +} + +int entry(struct __sk_buff * skb): + 0: (b4) w2 = 0 + 1: (73) *(u8 *)(r10 -1) = r2 + 2: (85) call pc+1#bpf_prog_ce2f79bb5f3e06dd_F + 3: (95) exit + +int entry(struct __sk_buff * skb): + 0xffffffffa0201788: nop DWORD PTR [rax+rax*1+0x0] + 0xffffffffa020178d: xor eax,eax + 0xffffffffa020178f: push rbp + 0xffffffffa0201790: mov rbp,rsp + 0xffffffffa0201793: sub rsp,0x8 + 0xffffffffa020179a: push rax + 0xffffffffa020179b: xor esi,esi + 0xffffffffa020179d: mov BYTE PTR [rbp-0x1],sil + 0xffffffffa02017a1: mov rax,QWORD PTR [rbp-0x9] !!! tail call count + 0xffffffffa02017a8: call 0xffffffffa02017d8 !!! is at rbp-0x10 + 0xffffffffa02017ad: leave + 0xffffffffa02017ae: ret + +Fix it by rounding up the BPF stack depth to a multiple of 8, when +calculating the tail call count offset on stack. + +Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT") +Signed-off-by: Jakub Sitnicki +Signed-off-by: Daniel Borkmann +Acked-by: Maciej Fijalkowski +Acked-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20220616162037.535469-2-jakub@cloudflare.com +Signed-off-by: Sasha Levin +--- + arch/x86/net/bpf_jit_comp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c +index d99434dc215c..8dca2bcbb0ea 100644 +--- a/arch/x86/net/bpf_jit_comp.c ++++ b/arch/x86/net/bpf_jit_comp.c +@@ -1440,8 +1440,9 @@ st: if (is_imm8(insn->off)) + case BPF_JMP | BPF_CALL: + func = (u8 *) __bpf_call_base + imm32; + if (tail_call_reachable) { ++ /* mov rax, qword ptr [rbp - rounded_stack_depth - 8] */ + EMIT3_off32(0x48, 0x8B, 0x85, +- -(bpf_prog->aux->stack_depth + 8)); ++ -round_up(bpf_prog->aux->stack_depth, 8) - 8); + if (!imm32 || emit_call(&prog, func, image + addrs[i - 1] + 7)) + return -EINVAL; + } else { +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-dp-check-core_initialized-before-disable-int.patch b/queue-5.15/drm-msm-dp-check-core_initialized-before-disable-int.patch new file mode 100644 index 00000000000..78b8de528f7 --- /dev/null +++ b/queue-5.15/drm-msm-dp-check-core_initialized-before-disable-int.patch @@ -0,0 +1,69 @@ +From 80c31aad5d6b592b9942a482fb226346298669cf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 10:55:39 -0700 +Subject: drm/msm/dp: check core_initialized before disable interrupts at + dp_display_unbind() + +From: Kuogee Hsieh + +[ Upstream commit d80c3ba0ac247791a4ed7a0cd865a64906c8906a ] + +During msm initialize phase, dp_display_unbind() will be called to undo +initializations had been done by dp_display_bind() previously if there is +error happen at msm_drm_bind. In this case, core_initialized flag had to +be check to make sure clocks is on before update DP controller register +to disable HPD interrupts. Otherwise system will crash due to below NOC +fatal error. + +QTISECLIB [01f01a7ad]CNOC2 ERROR: ERRLOG0_LOW = 0x00061007 +QTISECLIB [01f01a7ad]GEM_NOC ERROR: ERRLOG0_LOW = 0x00001007 +QTISECLIB [01f0371a0]CNOC2 ERROR: ERRLOG0_HIGH = 0x00000003 +QTISECLIB [01f055297]GEM_NOC ERROR: ERRLOG0_HIGH = 0x00000003 +QTISECLIB [01f072beb]CNOC2 ERROR: ERRLOG1_LOW = 0x00000024 +QTISECLIB [01f0914b8]GEM_NOC ERROR: ERRLOG1_LOW = 0x00000042 +QTISECLIB [01f0ae639]CNOC2 ERROR: ERRLOG1_HIGH = 0x00004002 +QTISECLIB [01f0cc73f]GEM_NOC ERROR: ERRLOG1_HIGH = 0x00004002 +QTISECLIB [01f0ea092]CNOC2 ERROR: ERRLOG2_LOW = 0x0009020c +QTISECLIB [01f10895f]GEM_NOC ERROR: ERRLOG2_LOW = 0x0ae9020c +QTISECLIB [01f125ae1]CNOC2 ERROR: ERRLOG2_HIGH = 0x00000000 +QTISECLIB [01f143be7]GEM_NOC ERROR: ERRLOG2_HIGH = 0x00000000 +QTISECLIB [01f16153a]CNOC2 ERROR: ERRLOG3_LOW = 0x00000000 +QTISECLIB [01f17fe07]GEM_NOC ERROR: ERRLOG3_LOW = 0x00000000 +QTISECLIB [01f19cf89]CNOC2 ERROR: ERRLOG3_HIGH = 0x00000000 +QTISECLIB [01f1bb08e]GEM_NOC ERROR: ERRLOG3_HIGH = 0x00000000 +QTISECLIB [01f1d8a31]CNOC2 ERROR: SBM1 FAULTINSTATUS0_LOW = 0x00000002 +QTISECLIB [01f1f72a4]GEM_NOC ERROR: SBM0 FAULTINSTATUS0_LOW = 0x00000001 +QTISECLIB [01f21a217]CNOC3 ERROR: ERRLOG0_LOW = 0x00000006 +QTISECLIB [01f23dfd3]NOC error fatal + +changes in v2: +-- drop the first patch (drm/msm: enable msm irq after all initializations are done successfully at msm_drm_init()) since the problem had been fixed by other patch + +Fixes: 570d3e5d28db ("drm/msm/dp: stop event kernel thread when DP unbind") +Signed-off-by: Kuogee Hsieh +Reviewed-by: Stephen Boyd +Patchwork: https://patchwork.freedesktop.org/patch/488387/ +Link: https://lore.kernel.org/r/1654538139-7450-1-git-send-email-quic_khsieh@quicinc.com +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_display.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index 7b624191abf1..8b51a5cc3eb8 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -260,7 +260,8 @@ static void dp_display_unbind(struct device *dev, struct device *master, + struct dp_display_private, dp_display); + + /* disable all HPD interrupts */ +- dp_catalog_hpd_config_intr(dp->catalog, DP_DP_HPD_INT_MASK, false); ++ if (dp->core_initialized) ++ dp_catalog_hpd_config_intr(dp->catalog, DP_DP_HPD_INT_MASK, false); + + kthread_stop(dp->ev_tsk); + +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-dp-do-not-initialize-phy-until-plugin-interr.patch b/queue-5.15/drm-msm-dp-do-not-initialize-phy-until-plugin-interr.patch new file mode 100644 index 00000000000..e72bbecbeaa --- /dev/null +++ b/queue-5.15/drm-msm-dp-do-not-initialize-phy-until-plugin-interr.patch @@ -0,0 +1,497 @@ +From c85f41a15c5d7a52198a81753217dca8da97f753 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Jan 2022 10:47:25 -0800 +Subject: drm/msm/dp: do not initialize phy until plugin interrupt received + +From: Kuogee Hsieh + +[ Upstream commit 989ebe7bc4463002c210db0010c8475797a9098f ] + +Current DP drivers have regulators, clocks, irq and phy are grouped +together within a function and executed not in a symmetric manner. +This increase difficulty of code maintenance and limited code scalability. +This patch divides the driver life cycle of operation into four states, +resume (including booting up), dongle plugin, dongle unplugged and suspend. +Regulators, core clocks and irq are grouped together and enabled at resume +(or booting up) so that the DP controller is armed and ready to receive HPD +plugin interrupts. HPD plugin interrupt is generated when a dongle plugs +into DUT (device under test). Once HPD plugin interrupt is received, DP +controller will initialize phy so that dpcd read/write will function and +following link training can be proceeded successfully. DP phy will be +disabled after main link is teared down at end of unplugged HPD interrupt +handle triggered by dongle unplugged out of DUT. Finally regulators, code +clocks and irq are disabled at corresponding suspension. + +Changes in V2: +-- removed unnecessary dp_ctrl NULL check +-- removed unnecessary phy init_count and power_count DRM_DEBUG_DP logs +-- remove flip parameter out of dp_ctrl_irq_enable() +-- add fixes tag + +Changes in V3: +-- call dp_display_host_phy_init() instead of dp_ctrl_phy_init() at + dp_display_host_init() for eDP + +Changes in V4: +-- rewording commit text to match this commit changes + +Changes in V5: +-- rebase on top of msm-next branch + +Changes in V6: +-- delete flip variable + +Changes in V7: +-- dp_ctrl_irq_enable/disabe() merged into dp_ctrl_reset_irq_ctrl() + +Changes in V8: +-- add more detail comment regrading dp phy at dp_display_host_init() + +Changes in V9: +-- remove set phy_initialized to false when -ECONNRESET detected + +Changes in v10: +-- group into one series + +Changes in v11: +-- drop drm/msm/dp: dp_link_parse_sink_count() return immediately + if aux read + +Changes in v12: +-- move dp_display_host_phy_exit() after dp_display_host_deinit() + +Changes in v13: +-- do not execute phy_init until plugged_in interrupt for edp, same as DP. + +Changes in v14: +-- remove redundant dp->core_initialized = false form dp_pm_suspend. + +Changes in v15: +-- remove core_initialized flag check at both host_init and host_deinit + +Changes in v16: +-- remove dp_display_host_phy_exit core_initialized=false at dp_pm_suspend + +Changes in v17: +-- remove core_initialized checking before execute attention_cb() + +Changes in v18: +-- remove core_initialized checking at dp_pm_suspend + +Fixes: 8ede2ecc3e5e ("drm/msm/dp: Add DP compliance tests on Snapdragon Chipsets") +Signed-off-by: Kuogee Hsieh +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/1642531648-8448-2-git-send-email-quic_khsieh@quicinc.com +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_ctrl.c | 80 ++++++++------------ + drivers/gpu/drm/msm/dp/dp_ctrl.h | 8 +- + drivers/gpu/drm/msm/dp/dp_display.c | 111 ++++++++++++++-------------- + 3 files changed, 92 insertions(+), 107 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c +index 1992347537e6..0776b1960f21 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c +@@ -1348,60 +1348,44 @@ static int dp_ctrl_enable_stream_clocks(struct dp_ctrl_private *ctrl) + return ret; + } + +-int dp_ctrl_host_init(struct dp_ctrl *dp_ctrl, bool flip, bool reset) ++void dp_ctrl_reset_irq_ctrl(struct dp_ctrl *dp_ctrl, bool enable) ++{ ++ struct dp_ctrl_private *ctrl; ++ ++ ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl); ++ ++ dp_catalog_ctrl_reset(ctrl->catalog); ++ ++ if (enable) ++ dp_catalog_ctrl_enable_irq(ctrl->catalog, enable); ++} ++ ++void dp_ctrl_phy_init(struct dp_ctrl *dp_ctrl) + { + struct dp_ctrl_private *ctrl; + struct dp_io *dp_io; + struct phy *phy; + +- if (!dp_ctrl) { +- DRM_ERROR("Invalid input data\n"); +- return -EINVAL; +- } +- + ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl); + dp_io = &ctrl->parser->io; + phy = dp_io->phy; + +- ctrl->dp_ctrl.orientation = flip; +- +- if (reset) +- dp_catalog_ctrl_reset(ctrl->catalog); +- +- DRM_DEBUG_DP("flip=%d\n", flip); + dp_catalog_ctrl_phy_reset(ctrl->catalog); + phy_init(phy); +- dp_catalog_ctrl_enable_irq(ctrl->catalog, true); +- +- return 0; + } + +-/** +- * dp_ctrl_host_deinit() - Uninitialize DP controller +- * @dp_ctrl: Display Port Driver data +- * +- * Perform required steps to uninitialize DP controller +- * and its resources. +- */ +-void dp_ctrl_host_deinit(struct dp_ctrl *dp_ctrl) ++void dp_ctrl_phy_exit(struct dp_ctrl *dp_ctrl) + { + struct dp_ctrl_private *ctrl; + struct dp_io *dp_io; + struct phy *phy; + +- if (!dp_ctrl) { +- DRM_ERROR("Invalid input data\n"); +- return; +- } +- + ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl); + dp_io = &ctrl->parser->io; + phy = dp_io->phy; + +- dp_catalog_ctrl_enable_irq(ctrl->catalog, false); ++ dp_catalog_ctrl_phy_reset(ctrl->catalog); + phy_exit(phy); +- +- DRM_DEBUG_DP("Host deinitialized successfully\n"); + } + + static bool dp_ctrl_use_fixed_nvid(struct dp_ctrl_private *ctrl) +@@ -1471,7 +1455,10 @@ static int dp_ctrl_deinitialize_mainlink(struct dp_ctrl_private *ctrl) + } + + phy_power_off(phy); ++ ++ /* aux channel down, reinit phy */ + phy_exit(phy); ++ phy_init(phy); + + return 0; + } +@@ -1877,8 +1864,14 @@ int dp_ctrl_off_link_stream(struct dp_ctrl *dp_ctrl) + return ret; + } + ++ DRM_DEBUG_DP("Before, phy=%x init_count=%d power_on=%d\n", ++ (u32)(uintptr_t)phy, phy->init_count, phy->power_count); ++ + phy_power_off(phy); + ++ DRM_DEBUG_DP("After, phy=%x init_count=%d power_on=%d\n", ++ (u32)(uintptr_t)phy, phy->init_count, phy->power_count); ++ + /* aux channel down, reinit phy */ + phy_exit(phy); + phy_init(phy); +@@ -1887,23 +1880,6 @@ int dp_ctrl_off_link_stream(struct dp_ctrl *dp_ctrl) + return ret; + } + +-void dp_ctrl_off_phy(struct dp_ctrl *dp_ctrl) +-{ +- struct dp_ctrl_private *ctrl; +- struct dp_io *dp_io; +- struct phy *phy; +- +- ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl); +- dp_io = &ctrl->parser->io; +- phy = dp_io->phy; +- +- dp_catalog_ctrl_reset(ctrl->catalog); +- +- phy_exit(phy); +- +- DRM_DEBUG_DP("DP off phy done\n"); +-} +- + int dp_ctrl_off(struct dp_ctrl *dp_ctrl) + { + struct dp_ctrl_private *ctrl; +@@ -1931,10 +1907,14 @@ int dp_ctrl_off(struct dp_ctrl *dp_ctrl) + DRM_ERROR("Failed to disable link clocks. ret=%d\n", ret); + } + ++ DRM_DEBUG_DP("Before, phy=%x init_count=%d power_on=%d\n", ++ (u32)(uintptr_t)phy, phy->init_count, phy->power_count); ++ + phy_power_off(phy); +- phy_exit(phy); + +- DRM_DEBUG_DP("DP off done\n"); ++ DRM_DEBUG_DP("After, phy=%x init_count=%d power_on=%d\n", ++ (u32)(uintptr_t)phy, phy->init_count, phy->power_count); ++ + return ret; + } + +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.h b/drivers/gpu/drm/msm/dp/dp_ctrl.h +index 2363a2df9597..2433edbc70a6 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.h ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.h +@@ -19,12 +19,9 @@ struct dp_ctrl { + u32 pixel_rate; + }; + +-int dp_ctrl_host_init(struct dp_ctrl *dp_ctrl, bool flip, bool reset); +-void dp_ctrl_host_deinit(struct dp_ctrl *dp_ctrl); + int dp_ctrl_on_link(struct dp_ctrl *dp_ctrl); + int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl); + int dp_ctrl_off_link_stream(struct dp_ctrl *dp_ctrl); +-void dp_ctrl_off_phy(struct dp_ctrl *dp_ctrl); + int dp_ctrl_off(struct dp_ctrl *dp_ctrl); + void dp_ctrl_push_idle(struct dp_ctrl *dp_ctrl); + void dp_ctrl_isr(struct dp_ctrl *dp_ctrl); +@@ -34,4 +31,9 @@ struct dp_ctrl *dp_ctrl_get(struct device *dev, struct dp_link *link, + struct dp_power *power, struct dp_catalog *catalog, + struct dp_parser *parser); + ++void dp_ctrl_reset_irq_ctrl(struct dp_ctrl *dp_ctrl, bool enable); ++void dp_ctrl_phy_init(struct dp_ctrl *dp_ctrl); ++void dp_ctrl_phy_exit(struct dp_ctrl *dp_ctrl); ++void dp_ctrl_irq_phy_exit(struct dp_ctrl *dp_ctrl); ++ + #endif /* _DP_CTRL_H_ */ +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index 32b8dbb917bf..bbd0bf820192 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -81,6 +81,7 @@ struct dp_display_private { + + /* state variables */ + bool core_initialized; ++ bool phy_initialized; + bool hpd_irq_on; + bool audio_supported; + +@@ -362,36 +363,45 @@ static int dp_display_process_hpd_high(struct dp_display_private *dp) + return rc; + } + +-static void dp_display_host_init(struct dp_display_private *dp, int reset) ++static void dp_display_host_phy_init(struct dp_display_private *dp) + { +- bool flip = false; ++ DRM_DEBUG_DP("core_init=%d phy_init=%d\n", ++ dp->core_initialized, dp->phy_initialized); + +- DRM_DEBUG_DP("core_initialized=%d\n", dp->core_initialized); +- if (dp->core_initialized) { +- DRM_DEBUG_DP("DP core already initialized\n"); +- return; ++ if (!dp->phy_initialized) { ++ dp_ctrl_phy_init(dp->ctrl); ++ dp->phy_initialized = true; + } ++} ++ ++static void dp_display_host_phy_exit(struct dp_display_private *dp) ++{ ++ DRM_DEBUG_DP("core_init=%d phy_init=%d\n", ++ dp->core_initialized, dp->phy_initialized); + +- if (dp->usbpd->orientation == ORIENTATION_CC2) +- flip = true; ++ if (dp->phy_initialized) { ++ dp_ctrl_phy_exit(dp->ctrl); ++ dp->phy_initialized = false; ++ } ++} ++ ++static void dp_display_host_init(struct dp_display_private *dp) ++{ ++ DRM_DEBUG_DP("core_initialized=%d\n", dp->core_initialized); + +- dp_power_init(dp->power, flip); +- dp_ctrl_host_init(dp->ctrl, flip, reset); ++ dp_power_init(dp->power, false); ++ dp_ctrl_reset_irq_ctrl(dp->ctrl, true); + dp_aux_init(dp->aux); + dp->core_initialized = true; + } + + static void dp_display_host_deinit(struct dp_display_private *dp) + { +- if (!dp->core_initialized) { +- DRM_DEBUG_DP("DP core not initialized\n"); +- return; +- } ++ DRM_DEBUG_DP("core_initialized=%d\n", dp->core_initialized); + +- dp_ctrl_host_deinit(dp->ctrl); ++ dp_ctrl_reset_irq_ctrl(dp->ctrl, false); + dp_aux_deinit(dp->aux); + dp_power_deinit(dp->power); +- + dp->core_initialized = false; + } + +@@ -409,7 +419,7 @@ static int dp_display_usbpd_configure_cb(struct device *dev) + dp = container_of(g_dp_display, + struct dp_display_private, dp_display); + +- dp_display_host_init(dp, false); ++ dp_display_host_phy_init(dp); + + rc = dp_display_process_hpd_high(dp); + end: +@@ -550,11 +560,6 @@ static int dp_hpd_plug_handle(struct dp_display_private *dp, u32 data) + ret = dp_display_usbpd_configure_cb(&dp->pdev->dev); + if (ret) { /* link train failed */ + dp->hpd_state = ST_DISCONNECTED; +- +- if (ret == -ECONNRESET) { /* cable unplugged */ +- dp->core_initialized = false; +- } +- + } else { + /* start sentinel checking in case of missing uevent */ + dp_add_event(dp, EV_CONNECT_PENDING_TIMEOUT, 0, tout); +@@ -624,8 +629,7 @@ static int dp_hpd_unplug_handle(struct dp_display_private *dp, u32 data) + if (state == ST_DISCONNECTED) { + /* triggered by irq_hdp with sink_count = 0 */ + if (dp->link->sink_count == 0) { +- dp_ctrl_off_phy(dp->ctrl); +- dp->core_initialized = false; ++ dp_display_host_phy_exit(dp); + } + mutex_unlock(&dp->event_mutex); + return 0; +@@ -687,7 +691,6 @@ static int dp_disconnect_pending_timeout(struct dp_display_private *dp, u32 data + static int dp_irq_hpd_handle(struct dp_display_private *dp, u32 data) + { + u32 state; +- int ret; + + mutex_lock(&dp->event_mutex); + +@@ -712,16 +715,8 @@ static int dp_irq_hpd_handle(struct dp_display_private *dp, u32 data) + return 0; + } + +- /* +- * dp core (ahb/aux clks) must be initialized before +- * irq_hpd be handled +- */ +- if (dp->core_initialized) { +- ret = dp_display_usbpd_attention_cb(&dp->pdev->dev); +- if (ret == -ECONNRESET) { /* cable unplugged */ +- dp->core_initialized = false; +- } +- } ++ dp_display_usbpd_attention_cb(&dp->pdev->dev); ++ + DRM_DEBUG_DP("hpd_state=%d\n", state); + + mutex_unlock(&dp->event_mutex); +@@ -916,12 +911,19 @@ static int dp_display_disable(struct dp_display_private *dp, u32 data) + + dp_display->audio_enabled = false; + +- /* triggered by irq_hpd with sink_count = 0 */ + if (dp->link->sink_count == 0) { ++ /* ++ * irq_hpd with sink_count = 0 ++ * hdmi unplugged out of dongle ++ */ + dp_ctrl_off_link_stream(dp->ctrl); + } else { ++ /* ++ * unplugged interrupt ++ * dongle unplugged out of DUT ++ */ + dp_ctrl_off(dp->ctrl); +- dp->core_initialized = false; ++ dp_display_host_phy_exit(dp); + } + + dp_display->power_on = false; +@@ -1051,7 +1053,7 @@ void msm_dp_snapshot(struct msm_disp_state *disp_state, struct msm_dp *dp) + static void dp_display_config_hpd(struct dp_display_private *dp) + { + +- dp_display_host_init(dp, true); ++ dp_display_host_init(dp); + dp_catalog_ctrl_hpd_config(dp->catalog); + + /* Enable interrupt first time +@@ -1318,20 +1320,23 @@ static int dp_pm_resume(struct device *dev) + dp->hpd_state = ST_DISCONNECTED; + + /* turn on dp ctrl/phy */ +- dp_display_host_init(dp, true); ++ dp_display_host_init(dp); + + dp_catalog_ctrl_hpd_config(dp->catalog); + +- /* +- * set sink to normal operation mode -- D0 +- * before dpcd read +- */ +- dp_link_psm_config(dp->link, &dp->panel->link_info, false); + + if (dp_catalog_link_is_connected(dp->catalog)) { ++ /* ++ * set sink to normal operation mode -- D0 ++ * before dpcd read ++ */ ++ dp_display_host_phy_init(dp); ++ dp_link_psm_config(dp->link, &dp->panel->link_info, false); + sink_count = drm_dp_read_sink_count(dp->aux); + if (sink_count < 0) + sink_count = 0; ++ ++ dp_display_host_phy_exit(dp); + } + + dp->link->sink_count = sink_count; +@@ -1370,18 +1375,16 @@ static int dp_pm_suspend(struct device *dev) + DRM_DEBUG_DP("Before, core_inited=%d power_on=%d\n", + dp->core_initialized, dp_display->power_on); + +- if (dp->core_initialized == true) { +- /* mainlink enabled */ +- if (dp_power_clk_status(dp->power, DP_CTRL_PM)) +- dp_ctrl_off_link_stream(dp->ctrl); ++ /* mainlink enabled */ ++ if (dp_power_clk_status(dp->power, DP_CTRL_PM)) ++ dp_ctrl_off_link_stream(dp->ctrl); + +- dp_display_host_deinit(dp); +- } +- +- dp->hpd_state = ST_SUSPENDED; ++ dp_display_host_phy_exit(dp); + + /* host_init will be called at pm_resume */ +- dp->core_initialized = false; ++ dp_display_host_deinit(dp); ++ ++ dp->hpd_state = ST_SUSPENDED; + + DRM_DEBUG_DP("After, core_inited=%d power_on=%d\n", + dp->core_initialized, dp_display->power_on); +@@ -1538,7 +1541,7 @@ int msm_dp_display_enable(struct msm_dp *dp, struct drm_encoder *encoder) + state = dp_display->hpd_state; + + if (state == ST_DISPLAY_OFF) +- dp_display_host_init(dp_display, true); ++ dp_display_host_phy_init(dp_display); + + dp_display_enable(dp_display, 0); + +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-dp-dp_link_parse_sink_count-return-immediate.patch b/queue-5.15/drm-msm-dp-dp_link_parse_sink_count-return-immediate.patch new file mode 100644 index 00000000000..ec95f00348c --- /dev/null +++ b/queue-5.15/drm-msm-dp-dp_link_parse_sink_count-return-immediate.patch @@ -0,0 +1,103 @@ +From 3de4524eb34b7db46474a1dfd6e416284f7198c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Dec 2021 09:41:02 -0800 +Subject: drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read + failed + +From: Kuogee Hsieh + +[ Upstream commit f61550b3864b9578527c28cf9c465316ac1566e1 ] + +Add checking aux read/write status at both dp_link_parse_sink_count() +and dp_link_parse_sink_status_filed() to avoid long timeout delay if +dp aux read/write failed at timeout due to cable unplugged. + +Changes in V4: +-- split this patch as stand alone patch + +Changes in v5: +-- rebase on msm-next branch + +Signed-off-by: Kuogee Hsieh + +Reviewed-by: Stephen Boyd +Tested-by: Stephen Boyd +Link: https://lore.kernel.org/r/1638985262-2072-1-git-send-email-quic_khsieh@quicinc.com +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_display.c | 12 +++++++++--- + drivers/gpu/drm/msm/dp/dp_link.c | 19 ++++++++++++++----- + 2 files changed, 23 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index a66ee63253a3..32b8dbb917bf 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -712,9 +712,15 @@ static int dp_irq_hpd_handle(struct dp_display_private *dp, u32 data) + return 0; + } + +- ret = dp_display_usbpd_attention_cb(&dp->pdev->dev); +- if (ret == -ECONNRESET) { /* cable unplugged */ +- dp->core_initialized = false; ++ /* ++ * dp core (ahb/aux clks) must be initialized before ++ * irq_hpd be handled ++ */ ++ if (dp->core_initialized) { ++ ret = dp_display_usbpd_attention_cb(&dp->pdev->dev); ++ if (ret == -ECONNRESET) { /* cable unplugged */ ++ dp->core_initialized = false; ++ } + } + DRM_DEBUG_DP("hpd_state=%d\n", state); + +diff --git a/drivers/gpu/drm/msm/dp/dp_link.c b/drivers/gpu/drm/msm/dp/dp_link.c +index a5bdfc5029de..d4d31e5bda07 100644 +--- a/drivers/gpu/drm/msm/dp/dp_link.c ++++ b/drivers/gpu/drm/msm/dp/dp_link.c +@@ -737,18 +737,25 @@ static int dp_link_parse_sink_count(struct dp_link *dp_link) + return 0; + } + +-static void dp_link_parse_sink_status_field(struct dp_link_private *link) ++static int dp_link_parse_sink_status_field(struct dp_link_private *link) + { + int len = 0; + + link->prev_sink_count = link->dp_link.sink_count; +- dp_link_parse_sink_count(&link->dp_link); ++ len = dp_link_parse_sink_count(&link->dp_link); ++ if (len < 0) { ++ DRM_ERROR("DP parse sink count failed\n"); ++ return len; ++ } + + len = drm_dp_dpcd_read_link_status(link->aux, + link->link_status); +- if (len < DP_LINK_STATUS_SIZE) ++ if (len < DP_LINK_STATUS_SIZE) { + DRM_ERROR("DP link status read failed\n"); +- dp_link_parse_request(link); ++ return len; ++ } ++ ++ return dp_link_parse_request(link); + } + + /** +@@ -1023,7 +1030,9 @@ int dp_link_process_request(struct dp_link *dp_link) + + dp_link_reset_data(link); + +- dp_link_parse_sink_status_field(link); ++ ret = dp_link_parse_sink_status_field(link); ++ if (ret) ++ return ret; + + if (link->request.test_requested == DP_TEST_LINK_EDID_READ) { + dp_link->sink_request |= DP_TEST_LINK_EDID_READ; +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-dp-drop-now-unused-hpd_high-member.patch b/queue-5.15/drm-msm-dp-drop-now-unused-hpd_high-member.patch new file mode 100644 index 00000000000..c2995a1c1a1 --- /dev/null +++ b/queue-5.15/drm-msm-dp-drop-now-unused-hpd_high-member.patch @@ -0,0 +1,94 @@ +From 2ebc23ad5e8bcd6b5ce005076b8f5319f75196c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 6 Nov 2021 10:22:46 -0700 +Subject: drm/msm/dp: Drop now unused hpd_high member + +From: Bjorn Andersson + +[ Upstream commit fabae667b1263216be53e0230cd3966a9a1963a4 ] + +Since '8ede2ecc3e5e ("drm/msm/dp: Add DP compliance tests on Snapdragon +Chipsets")' the hpd_high member of struct dp_usbpd has been write-only. + +Let's clean up the code a little bit by removing the writes as well. + +Signed-off-by: Bjorn Andersson +Reviewed-by: Stephen Boyd +Link: https://lore.kernel.org/r/20211106172246.2597431-1-bjorn.andersson@linaro.org +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_display.c | 6 ------ + drivers/gpu/drm/msm/dp/dp_hpd.c | 2 -- + drivers/gpu/drm/msm/dp/dp_hpd.h | 2 -- + 3 files changed, 10 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index 8b51a5cc3eb8..a66ee63253a3 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -547,11 +547,8 @@ static int dp_hpd_plug_handle(struct dp_display_private *dp, u32 data) + + dp->hpd_state = ST_CONNECT_PENDING; + +- hpd->hpd_high = 1; +- + ret = dp_display_usbpd_configure_cb(&dp->pdev->dev); + if (ret) { /* link train failed */ +- hpd->hpd_high = 0; + dp->hpd_state = ST_DISCONNECTED; + + if (ret == -ECONNRESET) { /* cable unplugged */ +@@ -628,7 +625,6 @@ static int dp_hpd_unplug_handle(struct dp_display_private *dp, u32 data) + /* triggered by irq_hdp with sink_count = 0 */ + if (dp->link->sink_count == 0) { + dp_ctrl_off_phy(dp->ctrl); +- hpd->hpd_high = 0; + dp->core_initialized = false; + } + mutex_unlock(&dp->event_mutex); +@@ -652,8 +648,6 @@ static int dp_hpd_unplug_handle(struct dp_display_private *dp, u32 data) + /* disable HPD plug interrupts */ + dp_catalog_hpd_config_intr(dp->catalog, DP_DP_HPD_PLUG_INT_MASK, false); + +- hpd->hpd_high = 0; +- + /* + * We don't need separate work for disconnect as + * connect/attention interrupts are disabled +diff --git a/drivers/gpu/drm/msm/dp/dp_hpd.c b/drivers/gpu/drm/msm/dp/dp_hpd.c +index e1c90fa47411..db98a1d431eb 100644 +--- a/drivers/gpu/drm/msm/dp/dp_hpd.c ++++ b/drivers/gpu/drm/msm/dp/dp_hpd.c +@@ -32,8 +32,6 @@ int dp_hpd_connect(struct dp_usbpd *dp_usbpd, bool hpd) + hpd_priv = container_of(dp_usbpd, struct dp_hpd_private, + dp_usbpd); + +- dp_usbpd->hpd_high = hpd; +- + if (!hpd_priv->dp_cb || !hpd_priv->dp_cb->configure + || !hpd_priv->dp_cb->disconnect) { + pr_err("hpd dp_cb not initialized\n"); +diff --git a/drivers/gpu/drm/msm/dp/dp_hpd.h b/drivers/gpu/drm/msm/dp/dp_hpd.h +index 5bc5bb64680f..8feec5aa5027 100644 +--- a/drivers/gpu/drm/msm/dp/dp_hpd.h ++++ b/drivers/gpu/drm/msm/dp/dp_hpd.h +@@ -26,7 +26,6 @@ enum plug_orientation { + * @multi_func: multi-function preferred + * @usb_config_req: request to switch to usb + * @exit_dp_mode: request exit from displayport mode +- * @hpd_high: Hot Plug Detect signal is high. + * @hpd_irq: Change in the status since last message + * @alt_mode_cfg_done: bool to specify alt mode status + * @debug_en: bool to specify debug mode +@@ -39,7 +38,6 @@ struct dp_usbpd { + bool multi_func; + bool usb_config_req; + bool exit_dp_mode; +- bool hpd_high; + bool hpd_irq; + bool alt_mode_cfg_done; + bool debug_en; +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-dp-force-link-training-for-display-resolutio.patch b/queue-5.15/drm-msm-dp-force-link-training-for-display-resolutio.patch new file mode 100644 index 00000000000..f4eb0b2dd4d --- /dev/null +++ b/queue-5.15/drm-msm-dp-force-link-training-for-display-resolutio.patch @@ -0,0 +1,198 @@ +From 2ccbc3e83da9eec97bf275c7014e247bafebebed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 13:26:40 -0700 +Subject: drm/msm/dp: force link training for display resolution change + +From: Kuogee Hsieh + +[ Upstream commit a6e2af64a79afa7f1b29375b5231e840a84bb845 ] + +Display resolution change is implemented through drm modeset. Older +modeset (resolution) has to be disabled first before newer modeset +(resolution) can be enabled. Display disable will turn off both +pixel clock and main link clock so that main link have to be +re-trained during display enable to have new video stream flow +again. At current implementation, display enable function manually +kicks up irq_hpd_handle which will read panel link status and start +link training if link status is not in sync state. + +However, there is rare case that a particular panel links status keep +staying in sync for some period of time after main link had been shut +down previously at display disabled. In this case, main link retraining +will not be executed by irq_hdp_handle(). Hence video stream of newer +display resolution will fail to be transmitted to panel due to main +link is not in sync between host and panel. + +This patch will bypass irq_hpd_handle() in favor of directly call +dp_ctrl_on_stream() to always perform link training in regardless of +main link status. So that no unexpected exception resolution change +failure cases will happen. Also this implementation are more efficient +than manual kicking off irq_hpd_handle function. + +Changes in v2: +-- set force_link_train flag on DP only (is_edp == false) + +Changes in v3: +-- revise commit text +-- add Fixes tag + +Changes in v4: +-- revise commit text + +Changes in v5: +-- fix spelling at commit text + +Changes in v6: +-- split dp_ctrl_on_stream() for phy test case +-- revise commit text for modeset + +Changes in v7: +-- drop 0 assignment at local variable (ret = 0) + +Changes in v8: +-- add patch to remove pixel_rate from dp_ctrl + +Changes in v9: +-- forward declare dp_ctrl_on_stream_phy_test_report() + +Fixes: 62671d2ef24b ("drm/msm/dp: fixes wrong connection state caused by failure of link train") +Signed-off-by: Kuogee Hsieh +Reviewed-by: Stephen Boyd +Patchwork: https://patchwork.freedesktop.org/patch/489895/ +Link: https://lore.kernel.org/r/1655411200-7255-1-git-send-email-quic_khsieh@quicinc.com +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dp/dp_ctrl.c | 33 ++++++++++++++++++++++------- + drivers/gpu/drm/msm/dp/dp_ctrl.h | 2 +- + drivers/gpu/drm/msm/dp/dp_display.c | 13 ++++++------ + 3 files changed, 32 insertions(+), 16 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.c b/drivers/gpu/drm/msm/dp/dp_ctrl.c +index 0776b1960f21..afffdad0ebf9 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.c ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.c +@@ -1488,6 +1488,8 @@ static int dp_ctrl_link_maintenance(struct dp_ctrl_private *ctrl) + return ret; + } + ++static int dp_ctrl_on_stream_phy_test_report(struct dp_ctrl *dp_ctrl); ++ + static int dp_ctrl_process_phy_test_request(struct dp_ctrl_private *ctrl) + { + int ret = 0; +@@ -1510,7 +1512,7 @@ static int dp_ctrl_process_phy_test_request(struct dp_ctrl_private *ctrl) + + ret = dp_ctrl_on_link(&ctrl->dp_ctrl); + if (!ret) +- ret = dp_ctrl_on_stream(&ctrl->dp_ctrl); ++ ret = dp_ctrl_on_stream_phy_test_report(&ctrl->dp_ctrl); + else + DRM_ERROR("failed to enable DP link controller\n"); + +@@ -1765,7 +1767,27 @@ static int dp_ctrl_link_retrain(struct dp_ctrl_private *ctrl) + return dp_ctrl_setup_main_link(ctrl, &training_step); + } + +-int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl) ++static int dp_ctrl_on_stream_phy_test_report(struct dp_ctrl *dp_ctrl) ++{ ++ int ret; ++ struct dp_ctrl_private *ctrl; ++ ++ ctrl = container_of(dp_ctrl, struct dp_ctrl_private, dp_ctrl); ++ ++ ctrl->dp_ctrl.pixel_rate = ctrl->panel->dp_mode.drm_mode.clock; ++ ++ ret = dp_ctrl_enable_stream_clocks(ctrl); ++ if (ret) { ++ DRM_ERROR("Failed to start pixel clocks. ret=%d\n", ret); ++ return ret; ++ } ++ ++ dp_ctrl_send_phy_test_pattern(ctrl); ++ ++ return 0; ++} ++ ++int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl, bool force_link_train) + { + int ret = 0; + bool mainlink_ready = false; +@@ -1796,12 +1818,7 @@ int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl) + goto end; + } + +- if (ctrl->link->sink_request & DP_TEST_LINK_PHY_TEST_PATTERN) { +- dp_ctrl_send_phy_test_pattern(ctrl); +- return 0; +- } +- +- if (!dp_ctrl_channel_eq_ok(ctrl)) ++ if (force_link_train || !dp_ctrl_channel_eq_ok(ctrl)) + dp_ctrl_link_retrain(ctrl); + + /* stop txing train pattern to end link training */ +diff --git a/drivers/gpu/drm/msm/dp/dp_ctrl.h b/drivers/gpu/drm/msm/dp/dp_ctrl.h +index 2433edbc70a6..dcc7af21a5f0 100644 +--- a/drivers/gpu/drm/msm/dp/dp_ctrl.h ++++ b/drivers/gpu/drm/msm/dp/dp_ctrl.h +@@ -20,7 +20,7 @@ struct dp_ctrl { + }; + + int dp_ctrl_on_link(struct dp_ctrl *dp_ctrl); +-int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl); ++int dp_ctrl_on_stream(struct dp_ctrl *dp_ctrl, bool force_link_train); + int dp_ctrl_off_link_stream(struct dp_ctrl *dp_ctrl); + int dp_ctrl_off(struct dp_ctrl *dp_ctrl); + void dp_ctrl_push_idle(struct dp_ctrl *dp_ctrl); +diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c +index bbd0bf820192..b141ccb527b0 100644 +--- a/drivers/gpu/drm/msm/dp/dp_display.c ++++ b/drivers/gpu/drm/msm/dp/dp_display.c +@@ -865,7 +865,7 @@ static int dp_display_enable(struct dp_display_private *dp, u32 data) + return 0; + } + +- rc = dp_ctrl_on_stream(dp->ctrl); ++ rc = dp_ctrl_on_stream(dp->ctrl, data); + if (!rc) + dp_display->power_on = true; + +@@ -1512,6 +1512,7 @@ int msm_dp_display_enable(struct msm_dp *dp, struct drm_encoder *encoder) + int rc = 0; + struct dp_display_private *dp_display; + u32 state; ++ bool force_link_train = false; + + dp_display = container_of(dp, struct dp_display_private, dp_display); + if (!dp_display->dp_mode.drm_mode.clock) { +@@ -1540,10 +1541,12 @@ int msm_dp_display_enable(struct msm_dp *dp, struct drm_encoder *encoder) + + state = dp_display->hpd_state; + +- if (state == ST_DISPLAY_OFF) ++ if (state == ST_DISPLAY_OFF) { + dp_display_host_phy_init(dp_display); ++ force_link_train = true; ++ } + +- dp_display_enable(dp_display, 0); ++ dp_display_enable(dp_display, force_link_train); + + rc = dp_display_post_enable(dp); + if (rc) { +@@ -1552,10 +1555,6 @@ int msm_dp_display_enable(struct msm_dp *dp, struct drm_encoder *encoder) + dp_display_unprepare(dp); + } + +- /* manual kick off plug event to train link */ +- if (state == ST_DISPLAY_OFF) +- dp_add_event(dp_display, EV_IRQ_HPD_INT, 0, 0); +- + /* completed connection */ + dp_display->hpd_state = ST_CONNECTED; + +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-ensure-mmap-offset-is-initialized.patch b/queue-5.15/drm-msm-ensure-mmap-offset-is-initialized.patch new file mode 100644 index 00000000000..344957cd834 --- /dev/null +++ b/queue-5.15/drm-msm-ensure-mmap-offset-is-initialized.patch @@ -0,0 +1,79 @@ +From 4fce174e236bbda8d4f02042b11a23c5e724bc93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 May 2022 13:08:56 -0700 +Subject: drm/msm: Ensure mmap offset is initialized + +From: Rob Clark + +[ Upstream commit 036d20726c30267724416e966c9f92db07de8081 ] + +If a GEM object is allocated, and then exported as a dma-buf fd which is +mmap'd before or without the GEM buffer being directly mmap'd, the +vma_node could be unitialized. This leads to a situation where the CPU +mapping is not correctly torn down in drm_vma_node_unmap(). + +Fixes: e5516553999f ("drm: call drm_gem_object_funcs.mmap with fake offset") +Signed-off-by: Rob Clark +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20220531200857.136547-1-robdclark@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_drv.c | 2 +- + drivers/gpu/drm/msm/msm_drv.h | 1 + + drivers/gpu/drm/msm/msm_gem_prime.c | 15 +++++++++++++++ + 3 files changed, 17 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c +index 9712582886aa..916361c30d77 100644 +--- a/drivers/gpu/drm/msm/msm_drv.c ++++ b/drivers/gpu/drm/msm/msm_drv.c +@@ -1102,7 +1102,7 @@ static const struct drm_driver msm_driver = { + .prime_handle_to_fd = drm_gem_prime_handle_to_fd, + .prime_fd_to_handle = drm_gem_prime_fd_to_handle, + .gem_prime_import_sg_table = msm_gem_prime_import_sg_table, +- .gem_prime_mmap = drm_gem_prime_mmap, ++ .gem_prime_mmap = msm_gem_prime_mmap, + #ifdef CONFIG_DEBUG_FS + .debugfs_init = msm_debugfs_init, + #endif +diff --git a/drivers/gpu/drm/msm/msm_drv.h b/drivers/gpu/drm/msm/msm_drv.h +index c552f0c3890c..bd5132bb9bde 100644 +--- a/drivers/gpu/drm/msm/msm_drv.h ++++ b/drivers/gpu/drm/msm/msm_drv.h +@@ -298,6 +298,7 @@ unsigned long msm_gem_shrinker_shrink(struct drm_device *dev, unsigned long nr_t + void msm_gem_shrinker_init(struct drm_device *dev); + void msm_gem_shrinker_cleanup(struct drm_device *dev); + ++int msm_gem_prime_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma); + struct sg_table *msm_gem_prime_get_sg_table(struct drm_gem_object *obj); + int msm_gem_prime_vmap(struct drm_gem_object *obj, struct dma_buf_map *map); + void msm_gem_prime_vunmap(struct drm_gem_object *obj, struct dma_buf_map *map); +diff --git a/drivers/gpu/drm/msm/msm_gem_prime.c b/drivers/gpu/drm/msm/msm_gem_prime.c +index 8a2d94bd5df2..02c70a0b2a03 100644 +--- a/drivers/gpu/drm/msm/msm_gem_prime.c ++++ b/drivers/gpu/drm/msm/msm_gem_prime.c +@@ -11,6 +11,21 @@ + #include "msm_drv.h" + #include "msm_gem.h" + ++int msm_gem_prime_mmap(struct drm_gem_object *obj, struct vm_area_struct *vma) ++{ ++ int ret; ++ ++ /* Ensure the mmap offset is initialized. We lazily initialize it, ++ * so if it has not been first mmap'd directly as a GEM object, the ++ * mmap offset will not be already initialized. ++ */ ++ ret = drm_gem_create_mmap_offset(obj); ++ if (ret) ++ return ret; ++ ++ return drm_gem_prime_mmap(obj, vma); ++} ++ + struct sg_table *msm_gem_prime_get_sg_table(struct drm_gem_object *obj) + { + struct msm_gem_object *msm_obj = to_msm_bo(obj); +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-fix-double-pm_runtime_disable-call.patch b/queue-5.15/drm-msm-fix-double-pm_runtime_disable-call.patch new file mode 100644 index 00000000000..e6bdcb93af9 --- /dev/null +++ b/queue-5.15/drm-msm-fix-double-pm_runtime_disable-call.patch @@ -0,0 +1,70 @@ +From 1c3195b0b06d9f0ef2b982b08892ad04c411d94c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jun 2022 23:13:05 +0200 +Subject: drm/msm: Fix double pm_runtime_disable() call + +From: Maximilian Luz + +[ Upstream commit ce0db505bc0c51ef5e9ba446c660de7e26f78f29 ] + +Following commit 17e822f7591f ("drm/msm: fix unbalanced +pm_runtime_enable in adreno_gpu_{init, cleanup}"), any call to +adreno_unbind() will disable runtime PM twice, as indicated by the call +trees below: + + adreno_unbind() + -> pm_runtime_force_suspend() + -> pm_runtime_disable() + + adreno_unbind() + -> gpu->funcs->destroy() [= aNxx_destroy()] + -> adreno_gpu_cleanup() + -> pm_runtime_disable() + +Note that pm_runtime_force_suspend() is called right before +gpu->funcs->destroy() and both functions are called unconditionally. + +With recent addition of the eDP AUX bus code, this problem manifests +itself when the eDP panel cannot be found yet and probing is deferred. +On the first probe attempt, we disable runtime PM twice as described +above. This then causes any later probe attempt to fail with + + [drm:adreno_load_gpu [msm]] *ERROR* Couldn't power up the GPU: -13 + +preventing the driver from loading. + +As there seem to be scenarios where the aNxx_destroy() functions are not +called from adreno_unbind(), simply removing pm_runtime_disable() from +inside adreno_unbind() does not seem to be the proper fix. This is what +commit 17e822f7591f ("drm/msm: fix unbalanced pm_runtime_enable in +adreno_gpu_{init, cleanup}") intended to fix. Therefore, instead check +whether runtime PM is still enabled, and only disable it in that case. + +Fixes: 17e822f7591f ("drm/msm: fix unbalanced pm_runtime_enable in adreno_gpu_{init, cleanup}") +Signed-off-by: Maximilian Luz +Tested-by: Bjorn Andersson +Reviewed-by: Rob Clark +Link: https://lore.kernel.org/r/20220606211305.189585-1-luzmaximilian@gmail.com +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/adreno/adreno_gpu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c +index 748665232d29..bba68776cb25 100644 +--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c ++++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c +@@ -958,7 +958,8 @@ void adreno_gpu_cleanup(struct adreno_gpu *adreno_gpu) + for (i = 0; i < ARRAY_SIZE(adreno_gpu->info->fw); i++) + release_firmware(adreno_gpu->fw[i]); + +- pm_runtime_disable(&priv->gpu_pdev->dev); ++ if (pm_runtime_enabled(&priv->gpu_pdev->dev)) ++ pm_runtime_disable(&priv->gpu_pdev->dev); + + msm_gpu_cleanup(&adreno_gpu->base); + } +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-mdp4-fix-refcount-leak-in-mdp4_modeset_init_.patch b/queue-5.15/drm-msm-mdp4-fix-refcount-leak-in-mdp4_modeset_init_.patch new file mode 100644 index 00000000000..6f3d828ccf9 --- /dev/null +++ b/queue-5.15/drm-msm-mdp4-fix-refcount-leak-in-mdp4_modeset_init_.patch @@ -0,0 +1,50 @@ +From 939245487dacbfa76ca0aac8dd42d49afe9d9e08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Jun 2022 15:08:38 +0400 +Subject: drm/msm/mdp4: Fix refcount leak in mdp4_modeset_init_intf + +From: Miaoqian Lin + +[ Upstream commit b9cc4598607cb7f7eae5c75fc1e3209cd52ff5e0 ] + +of_graph_get_remote_node() returns remote device node pointer with +refcount incremented, we should use of_node_put() on it +when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 86418f90a4c1 ("drm: convert drivers to use of_graph_get_remote_node") +Signed-off-by: Miaoqian Lin +Reviewed-by: Dmitry Baryshkov +Reviewed-by: Stephen Boyd +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/488473/ +Link: https://lore.kernel.org/r/20220607110841.53889-1-linmq006@gmail.com +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c b/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c +index cdcaf470f148..97ae68182f3e 100644 +--- a/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c ++++ b/drivers/gpu/drm/msm/disp/mdp4/mdp4_kms.c +@@ -223,6 +223,7 @@ static int mdp4_modeset_init_intf(struct mdp4_kms *mdp4_kms, + encoder = mdp4_lcdc_encoder_init(dev, panel_node); + if (IS_ERR(encoder)) { + DRM_DEV_ERROR(dev->dev, "failed to construct LCDC encoder\n"); ++ of_node_put(panel_node); + return PTR_ERR(encoder); + } + +@@ -232,6 +233,7 @@ static int mdp4_modeset_init_intf(struct mdp4_kms *mdp4_kms, + connector = mdp4_lvds_connector_init(dev, panel_node, encoder); + if (IS_ERR(connector)) { + DRM_DEV_ERROR(dev->dev, "failed to initialize LVDS connector\n"); ++ of_node_put(panel_node); + return PTR_ERR(connector); + } + +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-switch-ordering-of-runpm-put-vs-devfreq_idle.patch b/queue-5.15/drm-msm-switch-ordering-of-runpm-put-vs-devfreq_idle.patch new file mode 100644 index 00000000000..b7e41fb3a1b --- /dev/null +++ b/queue-5.15/drm-msm-switch-ordering-of-runpm-put-vs-devfreq_idle.patch @@ -0,0 +1,53 @@ +From 36c7f8a8ff5121d9ff0ec8473fd479ab51c3698a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 09:13:34 -0700 +Subject: drm/msm: Switch ordering of runpm put vs devfreq_idle + +From: Rob Clark + +[ Upstream commit 49e477610087a02c3604061b8f3ee3a25a493987 ] + +In msm_devfreq_suspend() we cancel idle_work synchronously so that it +doesn't run after we power of the hw or in the resume path. But this +means that we want to ensure that idle_work is not scheduled *after* we +no longer hold a runpm ref. So switch the ordering of pm_runtime_put() +vs msm_devfreq_idle(). + +v2. Only move the runpm _put_autosuspend, and not the _mark_last_busy() + +Fixes: 9bc95570175a ("drm/msm: Devfreq tuning") +Signed-off-by: Rob Clark +Link: https://lore.kernel.org/r/20210927152928.831245-1-robdclark@gmail.com +Reviewed-by: Akhil P Oommen +Reviewed-by: Douglas Anderson +Link: https://lore.kernel.org/r/20220608161334.2140611-1-robdclark@gmail.com +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gpu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_gpu.c b/drivers/gpu/drm/msm/msm_gpu.c +index 2c46cd968ac4..b01d0a521c90 100644 +--- a/drivers/gpu/drm/msm/msm_gpu.c ++++ b/drivers/gpu/drm/msm/msm_gpu.c +@@ -658,7 +658,6 @@ static void retire_submit(struct msm_gpu *gpu, struct msm_ringbuffer *ring, + msm_submit_retire(submit); + + pm_runtime_mark_last_busy(&gpu->pdev->dev); +- pm_runtime_put_autosuspend(&gpu->pdev->dev); + + spin_lock_irqsave(&ring->submit_lock, flags); + list_del(&submit->node); +@@ -672,6 +671,8 @@ static void retire_submit(struct msm_gpu *gpu, struct msm_ringbuffer *ring, + msm_devfreq_idle(gpu); + mutex_unlock(&gpu->active_lock); + ++ pm_runtime_put_autosuspend(&gpu->pdev->dev); ++ + msm_gem_submit_put(submit); + } + +-- +2.35.1 + diff --git a/queue-5.15/drm-msm-use-for_each_sgtable_sg-to-iterate-over-scat.patch b/queue-5.15/drm-msm-use-for_each_sgtable_sg-to-iterate-over-scat.patch new file mode 100644 index 00000000000..c7eecbd8e1f --- /dev/null +++ b/queue-5.15/drm-msm-use-for_each_sgtable_sg-to-iterate-over-scat.patch @@ -0,0 +1,39 @@ +From e3424f27c106b903d63f6f37e2513dee0beba3ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 18:10:19 -0400 +Subject: drm/msm: use for_each_sgtable_sg to iterate over scatterlist + +From: Jonathan Marek + +[ Upstream commit 62b5e322fb6cc5a5a91fdeba0e4e57e75d9f4387 ] + +The dma_map_sgtable() call (used to invalidate cache) overwrites sgt->nents +with 1, so msm_iommu_pagetable_map maps only the first physical segment. + +To fix this problem use for_each_sgtable_sg(), which uses orig_nents. + +Fixes: b145c6e65eb0 ("drm/msm: Add support to create a local pagetable") +Signed-off-by: Jonathan Marek +Link: https://lore.kernel.org/r/20220613221019.11399-1-jonathan@marek.ca +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_iommu.c b/drivers/gpu/drm/msm/msm_iommu.c +index bcaddbba564d..a54ed354578b 100644 +--- a/drivers/gpu/drm/msm/msm_iommu.c ++++ b/drivers/gpu/drm/msm/msm_iommu.c +@@ -58,7 +58,7 @@ static int msm_iommu_pagetable_map(struct msm_mmu *mmu, u64 iova, + u64 addr = iova; + unsigned int i; + +- for_each_sg(sgt->sgl, sg, sgt->nents, i) { ++ for_each_sgtable_sg(sgt, sg, i) { + size_t size = sg->length; + phys_addr_t phys = sg_phys(sg); + +-- +2.35.1 + diff --git a/queue-5.15/drm-sun4i-fix-crash-during-suspend-after-component-b.patch b/queue-5.15/drm-sun4i-fix-crash-during-suspend-after-component-b.patch new file mode 100644 index 00000000000..86983da09d8 --- /dev/null +++ b/queue-5.15/drm-sun4i-fix-crash-during-suspend-after-component-b.patch @@ -0,0 +1,59 @@ +From 43bf0e2fa72566c711db2bf048a119bd04b1be19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Jun 2022 00:42:53 -0500 +Subject: drm/sun4i: Fix crash during suspend after component bind failure + +From: Samuel Holland + +[ Upstream commit 1342b5b23da9559a1578978eaff7f797d8a87d91 ] + +If the component driver fails to bind, or is unbound, the driver data +for the top-level platform device points to a freed drm_device. If the +system is then suspended, the driver passes this dangling pointer to +drm_mode_config_helper_suspend(), which crashes. + +Fix this by only setting the driver data while the platform driver holds +a reference to the drm_device. + +Fixes: 624b4b48d9d8 ("drm: sun4i: Add support for suspending the display driver") +Signed-off-by: Samuel Holland +Reviewed-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20220615054254.16352-1-samuel@sholland.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sun4i/sun4i_drv.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/sun4i/sun4i_drv.c b/drivers/gpu/drm/sun4i/sun4i_drv.c +index 54dd562e294c..5b7061e2bca4 100644 +--- a/drivers/gpu/drm/sun4i/sun4i_drv.c ++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c +@@ -72,7 +72,6 @@ static int sun4i_drv_bind(struct device *dev) + goto free_drm; + } + +- dev_set_drvdata(dev, drm); + drm->dev_private = drv; + INIT_LIST_HEAD(&drv->frontend_list); + INIT_LIST_HEAD(&drv->engine_list); +@@ -113,6 +112,8 @@ static int sun4i_drv_bind(struct device *dev) + + drm_fbdev_generic_setup(drm, 32); + ++ dev_set_drvdata(dev, drm); ++ + return 0; + + finish_poll: +@@ -129,6 +130,7 @@ static void sun4i_drv_unbind(struct device *dev) + { + struct drm_device *drm = dev_get_drvdata(dev); + ++ dev_set_drvdata(dev, NULL); + drm_dev_unregister(drm); + drm_kms_helper_poll_fini(drm); + drm_atomic_helper_shutdown(drm); +-- +2.35.1 + diff --git a/queue-5.15/erspan-do-not-assume-transport-header-is-always-set.patch b/queue-5.15/erspan-do-not-assume-transport-header-is-always-set.patch new file mode 100644 index 00000000000..7b6c83f4ada --- /dev/null +++ b/queue-5.15/erspan-do-not-assume-transport-header-is-always-set.patch @@ -0,0 +1,127 @@ +From b6f8541cd7d5d63341e95412ef4c100a0f5dbca6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 01:35:06 -0700 +Subject: erspan: do not assume transport header is always set + +From: Eric Dumazet + +[ Upstream commit 301bd140ed0b24f0da660874c7e8a47dad8c8222 ] + +Rewrite tests in ip6erspan_tunnel_xmit() and +erspan_fb_xmit() to not assume transport header is set. + +syzbot reported: + +WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 skb_transport_header include/linux/skbuff.h:2911 [inline] +WARNING: CPU: 0 PID: 1350 at include/linux/skbuff.h:2911 ip6erspan_tunnel_xmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963 +Modules linked in: +CPU: 0 PID: 1350 Comm: aoe_tx0 Not tainted 5.19.0-rc2-syzkaller-00160-g274295c6e53f #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 +RIP: 0010:skb_transport_header include/linux/skbuff.h:2911 [inline] +RIP: 0010:ip6erspan_tunnel_xmit+0x15af/0x2eb0 net/ipv6/ip6_gre.c:963 +Code: 0f 47 f0 40 88 b5 7f fe ff ff e8 8c 16 4b f9 89 de bf ff ff ff ff e8 a0 12 4b f9 66 83 fb ff 0f 85 1d f1 ff ff e8 71 16 4b f9 <0f> 0b e9 43 f0 ff ff e8 65 16 4b f9 48 8d 85 30 ff ff ff ba 60 00 +RSP: 0018:ffffc90005daf910 EFLAGS: 00010293 +RAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000 +RDX: ffff88801f032100 RSI: ffffffff882e8d3f RDI: 0000000000000003 +RBP: ffffc90005dafab8 R08: 0000000000000003 R09: 000000000000ffff +R10: 000000000000ffff R11: 0000000000000000 R12: ffff888024f21d40 +R13: 000000000000a288 R14: 00000000000000b0 R15: ffff888025a2e000 +FS: 0000000000000000(0000) GS:ffff88802c800000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000001b2e425000 CR3: 000000006d099000 CR4: 0000000000152ef0 +Call Trace: + +__netdev_start_xmit include/linux/netdevice.h:4805 [inline] +netdev_start_xmit include/linux/netdevice.h:4819 [inline] +xmit_one net/core/dev.c:3588 [inline] +dev_hard_start_xmit+0x188/0x880 net/core/dev.c:3604 +sch_direct_xmit+0x19f/0xbe0 net/sched/sch_generic.c:342 +__dev_xmit_skb net/core/dev.c:3815 [inline] +__dev_queue_xmit+0x14a1/0x3900 net/core/dev.c:4219 +dev_queue_xmit include/linux/netdevice.h:2994 [inline] +tx+0x6a/0xc0 drivers/block/aoe/aoenet.c:63 +kthread+0x1e7/0x3b0 drivers/block/aoe/aoecmd.c:1229 +kthread+0x2e9/0x3a0 kernel/kthread.c:376 +ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 + + +Fixes: d5db21a3e697 ("erspan: auto detect truncated ipv6 packets.") +Reported-by: syzbot +Signed-off-by: Eric Dumazet +Cc: William Tu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ip_gre.c | 15 ++++++++++----- + net/ipv6/ip6_gre.c | 15 ++++++++++----- + 2 files changed, 20 insertions(+), 10 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index f23528c77539..fc74a3e3b3e1 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -524,7 +524,6 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev) + int tunnel_hlen; + int version; + int nhoff; +- int thoff; + + tun_info = skb_tunnel_info(skb); + if (unlikely(!tun_info || !(tun_info->mode & IP_TUNNEL_INFO_TX) || +@@ -558,10 +557,16 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev) + (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff)) + truncate = true; + +- thoff = skb_transport_header(skb) - skb_mac_header(skb); +- if (skb->protocol == htons(ETH_P_IPV6) && +- (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)) +- truncate = true; ++ if (skb->protocol == htons(ETH_P_IPV6)) { ++ int thoff; ++ ++ if (skb_transport_header_was_set(skb)) ++ thoff = skb_transport_header(skb) - skb_mac_header(skb); ++ else ++ thoff = nhoff + sizeof(struct ipv6hdr); ++ if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff) ++ truncate = true; ++ } + + if (version == 1) { + erspan_build_header(skb, ntohl(tunnel_id_to_key32(key->tun_id)), +diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c +index a817ac6d9759..70ef4d4ebff4 100644 +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -944,7 +944,6 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + __be16 proto; + __u32 mtu; + int nhoff; +- int thoff; + + if (!pskb_inet_may_pull(skb)) + goto tx_err; +@@ -965,10 +964,16 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, + (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff)) + truncate = true; + +- thoff = skb_transport_header(skb) - skb_mac_header(skb); +- if (skb->protocol == htons(ETH_P_IPV6) && +- (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff)) +- truncate = true; ++ if (skb->protocol == htons(ETH_P_IPV6)) { ++ int thoff; ++ ++ if (skb_transport_header_was_set(skb)) ++ thoff = skb_transport_header(skb) - skb_mac_header(skb); ++ else ++ thoff = nhoff + sizeof(struct ipv6hdr); ++ if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff) ++ truncate = true; ++ } + + if (skb_cow_head(skb, dev->needed_headroom ?: t->hlen)) + goto tx_err; +-- +2.35.1 + diff --git a/queue-5.15/ethtool-fix-get-module-eeprom-fallback.patch b/queue-5.15/ethtool-fix-get-module-eeprom-fallback.patch new file mode 100644 index 00000000000..5bd726c8d9e --- /dev/null +++ b/queue-5.15/ethtool-fix-get-module-eeprom-fallback.patch @@ -0,0 +1,40 @@ +From b42b3d6ffe1c2d25993e4613850fee8d6ab8fcac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 18:08:55 +0200 +Subject: ethtool: Fix get module eeprom fallback + +From: Ivan Vecera + +[ Upstream commit a3bb7b63813f674fb62bac321cdd897cc62de094 ] + +Function fallback_set_params() checks if the module type returned +by a driver is ETH_MODULE_SFF_8079 and in this case it assumes +that buffer returns a concatenated content of page A0h and A2h. +The check is wrong because the correct type is ETH_MODULE_SFF_8472. + +Fixes: 96d971e307cc ("ethtool: Add fallback to get_module_eeprom from netlink command") +Signed-off-by: Ivan Vecera +Reviewed-by: Ido Schimmel +Link: https://lore.kernel.org/r/20220616160856.3623273-1-ivecera@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ethtool/eeprom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ethtool/eeprom.c b/net/ethtool/eeprom.c +index 7e6b37a54add..1c94bb8ea03f 100644 +--- a/net/ethtool/eeprom.c ++++ b/net/ethtool/eeprom.c +@@ -36,7 +36,7 @@ static int fallback_set_params(struct eeprom_req_info *request, + if (request->page) + offset = request->page * ETH_MODULE_EEPROM_PAGE_LEN + offset; + +- if (modinfo->type == ETH_MODULE_SFF_8079 && ++ if (modinfo->type == ETH_MODULE_SFF_8472 && + request->i2c_address == 0x51) + offset += ETH_MODULE_EEPROM_PAGE_LEN * 2; + +-- +2.35.1 + diff --git a/queue-5.15/gpio-winbond-fix-error-code-in-winbond_gpio_get.patch b/queue-5.15/gpio-winbond-fix-error-code-in-winbond_gpio_get.patch new file mode 100644 index 00000000000..4040635ad95 --- /dev/null +++ b/queue-5.15/gpio-winbond-fix-error-code-in-winbond_gpio_get.patch @@ -0,0 +1,45 @@ +From a39afe07564bc9b4956340f951f28edf1edbe668 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jun 2022 11:29:48 +0300 +Subject: gpio: winbond: Fix error code in winbond_gpio_get() + +From: Dan Carpenter + +[ Upstream commit 9ca766eaea2e87b8b773bff04ee56c055cb76d4e ] + +This error path returns 1, but it should instead propagate the negative +error code from winbond_sio_enter(). + +Fixes: a0d65009411c ("gpio: winbond: Add driver") +Signed-off-by: Dan Carpenter +Reviewed-by: Andy Shevchenko +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-winbond.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpio/gpio-winbond.c b/drivers/gpio/gpio-winbond.c +index 7f8f5b02e31d..4b61d975cc0e 100644 +--- a/drivers/gpio/gpio-winbond.c ++++ b/drivers/gpio/gpio-winbond.c +@@ -385,12 +385,13 @@ static int winbond_gpio_get(struct gpio_chip *gc, unsigned int offset) + unsigned long *base = gpiochip_get_data(gc); + const struct winbond_gpio_info *info; + bool val; ++ int ret; + + winbond_gpio_get_info(&offset, &info); + +- val = winbond_sio_enter(*base); +- if (val) +- return val; ++ ret = winbond_sio_enter(*base); ++ if (ret) ++ return ret; + + winbond_sio_select_logical(*base, info->dev); + +-- +2.35.1 + diff --git a/queue-5.15/ice-ethtool-advertise-1000m-speeds-properly.patch b/queue-5.15/ice-ethtool-advertise-1000m-speeds-properly.patch new file mode 100644 index 00000000000..3cfd31ea9de --- /dev/null +++ b/queue-5.15/ice-ethtool-advertise-1000m-speeds-properly.patch @@ -0,0 +1,86 @@ +From 2b5dc98ab17cc8047cf05cd8ca5f62b5b76c71bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 09:47:05 +0200 +Subject: ice: ethtool: advertise 1000M speeds properly + +From: Anatolii Gerasymenko + +[ Upstream commit c3d184c83ff4b80167e34edfc3d21df424bf27ff ] + +In current implementation ice_update_phy_type enables all link modes +for selected speed. This approach doesn't work for 1000M speeds, +because both copper (1000baseT) and optical (1000baseX) standards +cannot be enabled at once. + +Fix this, by adding the function `ice_set_phy_type_from_speed()` +for 1000M speeds. + +Fixes: 48cb27f2fd18 ("ice: Implement handlers for ethtool PHY/link operations") +Signed-off-by: Anatolii Gerasymenko +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/ice/ice_ethtool.c | 39 +++++++++++++++++++- + 1 file changed, 38 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/ice/ice_ethtool.c b/drivers/net/ethernet/intel/ice/ice_ethtool.c +index 19f115402969..982db894754f 100644 +--- a/drivers/net/ethernet/intel/ice/ice_ethtool.c ++++ b/drivers/net/ethernet/intel/ice/ice_ethtool.c +@@ -2150,6 +2150,42 @@ ice_setup_autoneg(struct ice_port_info *p, struct ethtool_link_ksettings *ks, + return err; + } + ++/** ++ * ice_set_phy_type_from_speed - set phy_types based on speeds ++ * and advertised modes ++ * @ks: ethtool link ksettings struct ++ * @phy_type_low: pointer to the lower part of phy_type ++ * @phy_type_high: pointer to the higher part of phy_type ++ * @adv_link_speed: targeted link speeds bitmap ++ */ ++static void ++ice_set_phy_type_from_speed(const struct ethtool_link_ksettings *ks, ++ u64 *phy_type_low, u64 *phy_type_high, ++ u16 adv_link_speed) ++{ ++ /* Handle 1000M speed in a special way because ice_update_phy_type ++ * enables all link modes, but having mixed copper and optical ++ * standards is not supported. ++ */ ++ adv_link_speed &= ~ICE_AQ_LINK_SPEED_1000MB; ++ ++ if (ethtool_link_ksettings_test_link_mode(ks, advertising, ++ 1000baseT_Full)) ++ *phy_type_low |= ICE_PHY_TYPE_LOW_1000BASE_T | ++ ICE_PHY_TYPE_LOW_1G_SGMII; ++ ++ if (ethtool_link_ksettings_test_link_mode(ks, advertising, ++ 1000baseKX_Full)) ++ *phy_type_low |= ICE_PHY_TYPE_LOW_1000BASE_KX; ++ ++ if (ethtool_link_ksettings_test_link_mode(ks, advertising, ++ 1000baseX_Full)) ++ *phy_type_low |= ICE_PHY_TYPE_LOW_1000BASE_SX | ++ ICE_PHY_TYPE_LOW_1000BASE_LX; ++ ++ ice_update_phy_type(phy_type_low, phy_type_high, adv_link_speed); ++} ++ + /** + * ice_set_link_ksettings - Set Speed and Duplex + * @netdev: network interface device structure +@@ -2286,7 +2322,8 @@ ice_set_link_ksettings(struct net_device *netdev, + adv_link_speed = curr_link_speed; + + /* Convert the advertise link speeds to their corresponded PHY_TYPE */ +- ice_update_phy_type(&phy_type_low, &phy_type_high, adv_link_speed); ++ ice_set_phy_type_from_speed(ks, &phy_type_low, &phy_type_high, ++ adv_link_speed); + + if (!autoneg_changed && adv_link_speed == curr_link_speed) { + netdev_info(netdev, "Nothing changed, exiting without setting anything.\n"); +-- +2.35.1 + diff --git a/queue-5.15/igb-fix-a-use-after-free-issue-in-igb_clean_tx_ring.patch b/queue-5.15/igb-fix-a-use-after-free-issue-in-igb_clean_tx_ring.patch new file mode 100644 index 00000000000..d5bbd9e4aa0 --- /dev/null +++ b/queue-5.15/igb-fix-a-use-after-free-issue-in-igb_clean_tx_ring.patch @@ -0,0 +1,93 @@ +From 8c1ff7e7bc2501017242b3e2b661f9f95e50de93 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 16:13:20 +0200 +Subject: igb: fix a use-after-free issue in igb_clean_tx_ring + +From: Lorenzo Bianconi + +[ Upstream commit 3f6a57ee8544ec3982f8a3cbcbf4aea7d47eb9ec ] + +Fix the following use-after-free bug in igb_clean_tx_ring routine when +the NIC is running in XDP mode. The issue can be triggered redirecting +traffic into the igb NIC and then closing the device while the traffic +is flowing. + +[ 73.322719] CPU: 1 PID: 487 Comm: xdp_redirect Not tainted 5.18.3-apu2 #9 +[ 73.330639] Hardware name: PC Engines APU2/APU2, BIOS 4.0.7 02/28/2017 +[ 73.337434] RIP: 0010:refcount_warn_saturate+0xa7/0xf0 +[ 73.362283] RSP: 0018:ffffc9000081f798 EFLAGS: 00010282 +[ 73.367761] RAX: 0000000000000000 RBX: ffffc90000420f80 RCX: 0000000000000000 +[ 73.375200] RDX: ffff88811ad22d00 RSI: ffff88811ad171e0 RDI: ffff88811ad171e0 +[ 73.382590] RBP: 0000000000000900 R08: ffffffff82298f28 R09: 0000000000000058 +[ 73.390008] R10: 0000000000000219 R11: ffffffff82280f40 R12: 0000000000000090 +[ 73.397356] R13: ffff888102343a40 R14: ffff88810359e0e4 R15: 0000000000000000 +[ 73.404806] FS: 00007ff38d31d740(0000) GS:ffff88811ad00000(0000) knlGS:0000000000000000 +[ 73.413129] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 73.419096] CR2: 000055cff35f13f8 CR3: 0000000106391000 CR4: 00000000000406e0 +[ 73.426565] Call Trace: +[ 73.429087] +[ 73.431314] igb_clean_tx_ring+0x43/0x140 [igb] +[ 73.436002] igb_down+0x1d7/0x220 [igb] +[ 73.439974] __igb_close+0x3c/0x120 [igb] +[ 73.444118] igb_xdp+0x10c/0x150 [igb] +[ 73.447983] ? igb_pci_sriov_configure+0x70/0x70 [igb] +[ 73.453362] dev_xdp_install+0xda/0x110 +[ 73.457371] dev_xdp_attach+0x1da/0x550 +[ 73.461369] do_setlink+0xfd0/0x10f0 +[ 73.465166] ? __nla_validate_parse+0x89/0xc70 +[ 73.469714] rtnl_setlink+0x11a/0x1e0 +[ 73.473547] rtnetlink_rcv_msg+0x145/0x3d0 +[ 73.477709] ? rtnl_calcit.isra.0+0x130/0x130 +[ 73.482258] netlink_rcv_skb+0x8d/0x110 +[ 73.486229] netlink_unicast+0x230/0x340 +[ 73.490317] netlink_sendmsg+0x215/0x470 +[ 73.494395] __sys_sendto+0x179/0x190 +[ 73.498268] ? move_addr_to_user+0x37/0x70 +[ 73.502547] ? __sys_getsockname+0x84/0xe0 +[ 73.506853] ? netlink_setsockopt+0x1c1/0x4a0 +[ 73.511349] ? __sys_setsockopt+0xc8/0x1d0 +[ 73.515636] __x64_sys_sendto+0x20/0x30 +[ 73.519603] do_syscall_64+0x3b/0x80 +[ 73.523399] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 73.528712] RIP: 0033:0x7ff38d41f20c +[ 73.551866] RSP: 002b:00007fff3b945a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c +[ 73.559640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff38d41f20c +[ 73.567066] RDX: 0000000000000034 RSI: 00007fff3b945b30 RDI: 0000000000000003 +[ 73.574457] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 +[ 73.581852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff3b945ab0 +[ 73.589179] R13: 0000000000000000 R14: 0000000000000003 R15: 00007fff3b945b30 +[ 73.596545] +[ 73.598842] ---[ end trace 0000000000000000 ]--- + +Fixes: 9cbc948b5a20c ("igb: add XDP support") +Signed-off-by: Lorenzo Bianconi +Reviewed-by: Jesse Brandeburg +Acked-by: Jesper Dangaard Brouer +Link: https://lore.kernel.org/r/e5c01d549dc37bff18e46aeabd6fb28a7bcf84be.1655388571.git.lorenzo@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index b88303351484..5ee5ee8e6848 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -4819,8 +4819,11 @@ static void igb_clean_tx_ring(struct igb_ring *tx_ring) + while (i != tx_ring->next_to_use) { + union e1000_adv_tx_desc *eop_desc, *tx_desc; + +- /* Free all the Tx ring sk_buffs */ +- dev_kfree_skb_any(tx_buffer->skb); ++ /* Free all the Tx ring sk_buffs or xdp frames */ ++ if (tx_buffer->type == IGB_TYPE_SKB) ++ dev_kfree_skb_any(tx_buffer->skb); ++ else ++ xdp_return_frame(tx_buffer->xdpf); + + /* unmap skb header data */ + dma_unmap_single(tx_ring->dev, +-- +2.35.1 + diff --git a/queue-5.15/igb-make-dma-faster-when-cpu-is-active-on-the-pcie-l.patch b/queue-5.15/igb-make-dma-faster-when-cpu-is-active-on-the-pcie-l.patch new file mode 100644 index 00000000000..0948032de34 --- /dev/null +++ b/queue-5.15/igb-make-dma-faster-when-cpu-is-active-on-the-pcie-l.patch @@ -0,0 +1,83 @@ +From 44a69353a2940563c8c663910b5b9d368650c17e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 15:10:56 -0700 +Subject: igb: Make DMA faster when CPU is active on the PCIe link + +From: Kai-Heng Feng + +[ Upstream commit 4e0effd9007ea0be31f7488611eb3824b4541554 ] + +Intel I210 on some Intel Alder Lake platforms can only achieve ~750Mbps +Tx speed via iperf. The RR2DCDELAY shows around 0x2xxx DMA delay, which +will be significantly lower when 1) ASPM is disabled or 2) SoC package +c-state stays above PC3. When the RR2DCDELAY is around 0x1xxx the Tx +speed can reach to ~950Mbps. + +According to the I210 datasheet "8.26.1 PCIe Misc. Register - PCIEMISC", +"DMA Idle Indication" doesn't seem to tie to DMA coalesce anymore, so +set it to 1b for "DMA is considered idle when there is no Rx or Tx AND +when there are no TLPs indicating that CPU is active detected on the +PCIe link (such as the host executes CSR or Configuration register read +or write operation)" and performing Tx should also fall under "active +CPU on PCIe link" case. + +In addition to that, commit b6e0c419f040 ("igb: Move DMA Coalescing init +code to separate function.") seems to wrongly changed from enabling +E1000_PCIEMISC_LX_DECISION to disabling it, also fix that. + +Fixes: b6e0c419f040 ("igb: Move DMA Coalescing init code to separate function.") +Signed-off-by: Kai-Heng Feng +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Link: https://lore.kernel.org/r/20220621221056.604304-1-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 5ee5ee8e6848..db11a1c278f6 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -9823,11 +9823,10 @@ static void igb_init_dmac(struct igb_adapter *adapter, u32 pba) + struct e1000_hw *hw = &adapter->hw; + u32 dmac_thr; + u16 hwm; ++ u32 reg; + + if (hw->mac.type > e1000_82580) { + if (adapter->flags & IGB_FLAG_DMAC) { +- u32 reg; +- + /* force threshold to 0. */ + wr32(E1000_DMCTXTH, 0); + +@@ -9860,7 +9859,6 @@ static void igb_init_dmac(struct igb_adapter *adapter, u32 pba) + /* Disable BMC-to-OS Watchdog Enable */ + if (hw->mac.type != e1000_i354) + reg &= ~E1000_DMACR_DC_BMC2OSW_EN; +- + wr32(E1000_DMACR, reg); + + /* no lower threshold to disable +@@ -9877,12 +9875,12 @@ static void igb_init_dmac(struct igb_adapter *adapter, u32 pba) + */ + wr32(E1000_DMCTXTH, (IGB_MIN_TXPBSIZE - + (IGB_TX_BUF_4096 + adapter->max_frame_size)) >> 6); ++ } + +- /* make low power state decision controlled +- * by DMA coal +- */ ++ if (hw->mac.type >= e1000_i210 || ++ (adapter->flags & IGB_FLAG_DMAC)) { + reg = rd32(E1000_PCIEMISC); +- reg &= ~E1000_PCIEMISC_LX_DECISION; ++ reg |= E1000_PCIEMISC_LX_DECISION; + wr32(E1000_PCIEMISC, reg); + } /* endif adapter->dmac is not disabled */ + } else if (hw->mac.type == e1000_82580) { +-- +2.35.1 + diff --git a/queue-5.15/iio-adc-vf610-fix-conversion-mode-sysfs-node-name.patch b/queue-5.15/iio-adc-vf610-fix-conversion-mode-sysfs-node-name.patch new file mode 100644 index 00000000000..2d07f1c0722 --- /dev/null +++ b/queue-5.15/iio-adc-vf610-fix-conversion-mode-sysfs-node-name.patch @@ -0,0 +1,35 @@ +From 6e744caa5f5abba8db7baf49db7988e08fa25615 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 11:50:26 +0300 +Subject: iio: adc: vf610: fix conversion mode sysfs node name + +From: Baruch Siach + +[ Upstream commit f1a633b15cd5371a2a83f02c513984e51132dd68 ] + +The documentation missed the "in_" prefix for this IIO_SHARED_BY_DIR +entry. + +Fixes: bf04c1a367e3 ("iio: adc: vf610: implement configurable conversion modes") +Signed-off-by: Baruch Siach +Acked-by: Haibo Chen +Link: https://lore.kernel.org/r/560dc93fafe5ef7e9a409885fd20b6beac3973d8.1653900626.git.baruch@tkos.co.il +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + Documentation/ABI/testing/sysfs-bus-iio-vf610 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Documentation/ABI/testing/sysfs-bus-iio-vf610 b/Documentation/ABI/testing/sysfs-bus-iio-vf610 +index 308a6756d3bf..491ead804488 100644 +--- a/Documentation/ABI/testing/sysfs-bus-iio-vf610 ++++ b/Documentation/ABI/testing/sysfs-bus-iio-vf610 +@@ -1,4 +1,4 @@ +-What: /sys/bus/iio/devices/iio:deviceX/conversion_mode ++What: /sys/bus/iio/devices/iio:deviceX/in_conversion_mode + KernelVersion: 4.2 + Contact: linux-iio@vger.kernel.org + Description: +-- +2.35.1 + diff --git a/queue-5.15/iio-magnetometer-yas530-fix-memchr_inv-misuse.patch b/queue-5.15/iio-magnetometer-yas530-fix-memchr_inv-misuse.patch new file mode 100644 index 00000000000..c015f497729 --- /dev/null +++ b/queue-5.15/iio-magnetometer-yas530-fix-memchr_inv-misuse.patch @@ -0,0 +1,43 @@ +From 1325dbdac6d3c89a62adcb2047d1834d3ea4967f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 1 May 2022 21:50:29 +0200 +Subject: iio: magnetometer: yas530: Fix memchr_inv() misuse + +From: Linus Walleij + +[ Upstream commit bb52d3691db8cf24cea049235223f3599778f264 ] + +The call to check if the calibration is all zeroes is doing +it wrong: memchr_inv() returns NULL if the the calibration +contains all zeroes, but the check is for != NULL. + +Fix it up. It's probably not an urgent fix because the inner +check for BIT(7) in data[13] will save us. But fix it. + +Fixes: de8860b1ed47 ("iio: magnetometer: Add driver for Yamaha YAS530") +Reported-by: Jakob Hauser +Cc: Andy Shevchenko +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20220501195029.151852-1-linus.walleij@linaro.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/magnetometer/yamaha-yas530.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iio/magnetometer/yamaha-yas530.c b/drivers/iio/magnetometer/yamaha-yas530.c +index 9ff7b0e56cf6..b2bc637150bf 100644 +--- a/drivers/iio/magnetometer/yamaha-yas530.c ++++ b/drivers/iio/magnetometer/yamaha-yas530.c +@@ -639,7 +639,7 @@ static int yas532_get_calibration_data(struct yas5xx *yas5xx) + dev_dbg(yas5xx->dev, "calibration data: %*ph\n", 14, data); + + /* Sanity check, is this all zeroes? */ +- if (memchr_inv(data, 0x00, 13)) { ++ if (memchr_inv(data, 0x00, 13) == NULL) { + if (!(data[13] & BIT(7))) + dev_warn(yas5xx->dev, "calibration is blank!\n"); + } +-- +2.35.1 + diff --git a/queue-5.15/iio-mma8452-fix-probe-fail-when-device-tree-compatib.patch b/queue-5.15/iio-mma8452-fix-probe-fail-when-device-tree-compatib.patch new file mode 100644 index 00000000000..54bb9e5a620 --- /dev/null +++ b/queue-5.15/iio-mma8452-fix-probe-fail-when-device-tree-compatib.patch @@ -0,0 +1,48 @@ +From 65c86c495a3780f820dfef9c202d54acb596727d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Apr 2022 16:41:00 +0800 +Subject: iio: mma8452: fix probe fail when device tree compatible is used. + +From: Haibo Chen + +[ Upstream commit fe18894930a025617114aa8ca0adbf94d5bffe89 ] + +Correct the logic for the probe. First check of_match_table, if +not meet, then check i2c_driver.id_table. If both not meet, then +return fail. + +Fixes: a47ac019e7e8 ("iio: mma8452: Fix probe failing when an i2c_device_id is used") +Signed-off-by: Haibo Chen +Link: https://lore.kernel.org/r/1650876060-17577-1-git-send-email-haibo.chen@nxp.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/mma8452.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/accel/mma8452.c b/drivers/iio/accel/mma8452.c +index 21a99467f364..40faf09f5d87 100644 +--- a/drivers/iio/accel/mma8452.c ++++ b/drivers/iio/accel/mma8452.c +@@ -1539,11 +1539,13 @@ static int mma8452_probe(struct i2c_client *client, + mutex_init(&data->lock); + + data->chip_info = device_get_match_data(&client->dev); +- if (!data->chip_info && id) { +- data->chip_info = &mma_chip_info_table[id->driver_data]; +- } else { +- dev_err(&client->dev, "unknown device model\n"); +- return -ENODEV; ++ if (!data->chip_info) { ++ if (id) { ++ data->chip_info = &mma_chip_info_table[id->driver_data]; ++ } else { ++ dev_err(&client->dev, "unknown device model\n"); ++ return -ENODEV; ++ } + } + + data->vdd_reg = devm_regulator_get(&client->dev, "vdd"); +-- +2.35.1 + diff --git a/queue-5.15/kvm-arm64-prevent-kmemleak-from-accessing-pkvm-memor.patch b/queue-5.15/kvm-arm64-prevent-kmemleak-from-accessing-pkvm-memor.patch new file mode 100644 index 00000000000..56e19903edd --- /dev/null +++ b/queue-5.15/kvm-arm64-prevent-kmemleak-from-accessing-pkvm-memor.patch @@ -0,0 +1,92 @@ +From daac2f4249065dd60642e07170e398d4b5e79b4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 16:11:34 +0000 +Subject: KVM: arm64: Prevent kmemleak from accessing pKVM memory + +From: Quentin Perret + +[ Upstream commit 56961c6331463cce2d84d0f973177a517fb33a82 ] + +Commit a7259df76702 ("memblock: make memblock_find_in_range method +private") changed the API using which memory is reserved for the pKVM +hypervisor. However, memblock_phys_alloc() differs from the original API in +terms of kmemleak semantics -- the old one didn't report the reserved +regions to kmemleak while the new one does. Unfortunately, when protected +KVM is enabled, all kernel accesses to pKVM-private memory result in a +fatal exception, which can now happen because of kmemleak scans: + +$ echo scan > /sys/kernel/debug/kmemleak +[ 34.991354] kvm [304]: nVHE hyp BUG at: [] __kvm_nvhe_handle_host_mem_abort+0x270/0x290! +[ 34.991580] kvm [304]: Hyp Offset: 0xfffe8be807e00000 +[ 34.991813] Kernel panic - not syncing: HYP panic: +[ 34.991813] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800 +[ 34.991813] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000 +[ 34.991813] VCPU:0000000000000000 +[ 34.993660] CPU: 0 PID: 304 Comm: bash Not tainted 5.19.0-rc2 #102 +[ 34.994059] Hardware name: linux,dummy-virt (DT) +[ 34.994452] Call trace: +[ 34.994641] dump_backtrace.part.0+0xcc/0xe0 +[ 34.994932] show_stack+0x18/0x6c +[ 34.995094] dump_stack_lvl+0x68/0x84 +[ 34.995276] dump_stack+0x18/0x34 +[ 34.995484] panic+0x16c/0x354 +[ 34.995673] __hyp_pgtable_total_pages+0x0/0x60 +[ 34.995933] scan_block+0x74/0x12c +[ 34.996129] scan_gray_list+0xd8/0x19c +[ 34.996332] kmemleak_scan+0x2c8/0x580 +[ 34.996535] kmemleak_write+0x340/0x4a0 +[ 34.996744] full_proxy_write+0x60/0xbc +[ 34.996967] vfs_write+0xc4/0x2b0 +[ 34.997136] ksys_write+0x68/0xf4 +[ 34.997311] __arm64_sys_write+0x20/0x2c +[ 34.997532] invoke_syscall+0x48/0x114 +[ 34.997779] el0_svc_common.constprop.0+0x44/0xec +[ 34.998029] do_el0_svc+0x2c/0xc0 +[ 34.998205] el0_svc+0x2c/0x84 +[ 34.998421] el0t_64_sync_handler+0xf4/0x100 +[ 34.998653] el0t_64_sync+0x18c/0x190 +[ 34.999252] SMP: stopping secondary CPUs +[ 35.000034] Kernel Offset: disabled +[ 35.000261] CPU features: 0x800,00007831,00001086 +[ 35.000642] Memory Limit: none +[ 35.001329] ---[ end Kernel panic - not syncing: HYP panic: +[ 35.001329] PS:600003c9 PC:0000f418011a3750 ESR:00000000f2000800 +[ 35.001329] FAR:ffff000439200000 HPFAR:0000000004792000 PAR:0000000000000000 +[ 35.001329] VCPU:0000000000000000 ]--- + +Fix this by explicitly excluding the hypervisor's memory pool from +kmemleak like we already do for the hyp BSS. + +Cc: Mike Rapoport +Fixes: a7259df76702 ("memblock: make memblock_find_in_range method private") +Signed-off-by: Quentin Perret +Acked-by: Catalin Marinas +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20220616161135.3997786-1-qperret@google.com +Signed-off-by: Sasha Levin +--- + arch/arm64/kvm/arm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm64/kvm/arm.c b/arch/arm64/kvm/arm.c +index a30c036577a3..f181527f9d43 100644 +--- a/arch/arm64/kvm/arm.c ++++ b/arch/arm64/kvm/arm.c +@@ -2011,11 +2011,11 @@ static int finalize_hyp_mode(void) + return 0; + + /* +- * Exclude HYP BSS from kmemleak so that it doesn't get peeked +- * at, which would end badly once the section is inaccessible. +- * None of other sections should ever be introspected. ++ * Exclude HYP sections from kmemleak so that they don't get peeked ++ * at, which would end badly once inaccessible. + */ + kmemleak_free_part(__hyp_bss_start, __hyp_bss_end - __hyp_bss_start); ++ kmemleak_free_part(__va(hyp_mem_base), hyp_mem_size); + return pkvm_drop_host_privileges(); + } + +-- +2.35.1 + diff --git a/queue-5.15/mips-remove-repetitive-increase-irq_err_count.patch b/queue-5.15/mips-remove-repetitive-increase-irq_err_count.patch new file mode 100644 index 00000000000..1bc8f5af53a --- /dev/null +++ b/queue-5.15/mips-remove-repetitive-increase-irq_err_count.patch @@ -0,0 +1,61 @@ +From 0a752cdee9b3ef018894db578a76f890db854f5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jun 2022 19:14:20 +0800 +Subject: MIPS: Remove repetitive increase irq_err_count + +From: huhai + +[ Upstream commit c81aba8fde2aee4f5778ebab3a1d51bd2ef48e4c ] + +commit 979934da9e7a ("[PATCH] mips: update IRQ handling for vr41xx") added +a function irq_dispatch, and it'll increase irq_err_count when the get_irq +callback returns a negative value, but increase irq_err_count in get_irq +was not removed. + +And also, modpost complains once gpio-vr41xx drivers become modules. + ERROR: modpost: "irq_err_count" [drivers/gpio/gpio-vr41xx.ko] undefined! + +So it would be a good idea to remove repetitive increase irq_err_count in +get_irq callback. + +Fixes: 27fdd325dace ("MIPS: Update VR41xx GPIO driver to use gpiolib") +Fixes: 979934da9e7a ("[PATCH] mips: update IRQ handling for vr41xx") +Reported-by: k2ci +Signed-off-by: huhai +Signed-off-by: Genjian Zhang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/vr41xx/common/icu.c | 2 -- + drivers/gpio/gpio-vr41xx.c | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/arch/mips/vr41xx/common/icu.c b/arch/mips/vr41xx/common/icu.c +index 7b7f25b4b057..9240bcdbe74e 100644 +--- a/arch/mips/vr41xx/common/icu.c ++++ b/arch/mips/vr41xx/common/icu.c +@@ -640,8 +640,6 @@ static int icu_get_irq(unsigned int irq) + + printk(KERN_ERR "spurious ICU interrupt: %04x,%04x\n", pend1, pend2); + +- atomic_inc(&irq_err_count); +- + return -1; + } + +diff --git a/drivers/gpio/gpio-vr41xx.c b/drivers/gpio/gpio-vr41xx.c +index 98cd715ccc33..8d09b619c166 100644 +--- a/drivers/gpio/gpio-vr41xx.c ++++ b/drivers/gpio/gpio-vr41xx.c +@@ -217,8 +217,6 @@ static int giu_get_irq(unsigned int irq) + printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n", + maskl, pendl, maskh, pendh); + +- atomic_inc(&irq_err_count); +- + return -EINVAL; + } + +-- +2.35.1 + diff --git a/queue-5.15/net-fix-data-race-in-dev_isalive.patch b/queue-5.15/net-fix-data-race-in-dev_isalive.patch new file mode 100644 index 00000000000..2c0d1f2bf29 --- /dev/null +++ b/queue-5.15/net-fix-data-race-in-dev_isalive.patch @@ -0,0 +1,179 @@ +From 63402ad564f281bf29f9f767b49e0ebe7a293957 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 00:34:34 -0700 +Subject: net: fix data-race in dev_isalive() + +From: Eric Dumazet + +[ Upstream commit cc26c2661fefea215f41edb665193324a5f99021 ] + +dev_isalive() is called under RTNL or dev_base_lock protection. + +This means that changes to dev->reg_state should be done with both locks held. + +syzbot reported: + +BUG: KCSAN: data-race in register_netdevice / type_show + +write to 0xffff888144ecf518 of 1 bytes by task 20886 on cpu 0: +register_netdevice+0xb9f/0xdf0 net/core/dev.c:10050 +lapbeth_new_device drivers/net/wan/lapbether.c:414 [inline] +lapbeth_device_event+0x4a0/0x6c0 drivers/net/wan/lapbether.c:456 +notifier_call_chain kernel/notifier.c:87 [inline] +raw_notifier_call_chain+0x53/0xb0 kernel/notifier.c:455 +__dev_notify_flags+0x1d6/0x3a0 +dev_change_flags+0xa2/0xc0 net/core/dev.c:8607 +do_setlink+0x778/0x2230 net/core/rtnetlink.c:2780 +__rtnl_newlink net/core/rtnetlink.c:3546 [inline] +rtnl_newlink+0x114c/0x16a0 net/core/rtnetlink.c:3593 +rtnetlink_rcv_msg+0x811/0x8c0 net/core/rtnetlink.c:6089 +netlink_rcv_skb+0x13e/0x240 net/netlink/af_netlink.c:2501 +rtnetlink_rcv+0x18/0x20 net/core/rtnetlink.c:6107 +netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] +netlink_unicast+0x58a/0x660 net/netlink/af_netlink.c:1345 +netlink_sendmsg+0x661/0x750 net/netlink/af_netlink.c:1921 +sock_sendmsg_nosec net/socket.c:714 [inline] +sock_sendmsg net/socket.c:734 [inline] +__sys_sendto+0x21e/0x2c0 net/socket.c:2119 +__do_sys_sendto net/socket.c:2131 [inline] +__se_sys_sendto net/socket.c:2127 [inline] +__x64_sys_sendto+0x74/0x90 net/socket.c:2127 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +read to 0xffff888144ecf518 of 1 bytes by task 20423 on cpu 1: +dev_isalive net/core/net-sysfs.c:38 [inline] +netdev_show net/core/net-sysfs.c:50 [inline] +type_show+0x24/0x90 net/core/net-sysfs.c:112 +dev_attr_show+0x35/0x90 drivers/base/core.c:2095 +sysfs_kf_seq_show+0x175/0x240 fs/sysfs/file.c:59 +kernfs_seq_show+0x75/0x80 fs/kernfs/file.c:162 +seq_read_iter+0x2c3/0x8e0 fs/seq_file.c:230 +kernfs_fop_read_iter+0xd1/0x2f0 fs/kernfs/file.c:235 +call_read_iter include/linux/fs.h:2052 [inline] +new_sync_read fs/read_write.c:401 [inline] +vfs_read+0x5a5/0x6a0 fs/read_write.c:482 +ksys_read+0xe8/0x1a0 fs/read_write.c:620 +__do_sys_read fs/read_write.c:630 [inline] +__se_sys_read fs/read_write.c:628 [inline] +__x64_sys_read+0x3e/0x50 fs/read_write.c:628 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +value changed: 0x00 -> 0x01 + +Reported by Kernel Concurrency Sanitizer on: +CPU: 1 PID: 20423 Comm: udevd Tainted: G W 5.19.0-rc2-syzkaller-dirty #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 28 ++++++++++++++++------------ + net/core/net-sysfs.c | 1 + + 2 files changed, 17 insertions(+), 12 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 860fc6a98373..6111506a4105 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -378,16 +378,18 @@ static void list_netdevice(struct net_device *dev) + /* Device list removal + * caller must respect a RCU grace period before freeing/reusing dev + */ +-static void unlist_netdevice(struct net_device *dev) ++static void unlist_netdevice(struct net_device *dev, bool lock) + { + ASSERT_RTNL(); + + /* Unlink dev from the device chain */ +- write_lock(&dev_base_lock); ++ if (lock) ++ write_lock(&dev_base_lock); + list_del_rcu(&dev->dev_list); + netdev_name_node_del(dev->name_node); + hlist_del_rcu(&dev->index_hlist); +- write_unlock(&dev_base_lock); ++ if (lock) ++ write_unlock(&dev_base_lock); + + dev_base_seq_inc(dev_net(dev)); + } +@@ -10319,11 +10321,11 @@ int register_netdevice(struct net_device *dev) + goto err_uninit; + + ret = netdev_register_kobject(dev); +- if (ret) { +- dev->reg_state = NETREG_UNREGISTERED; ++ write_lock(&dev_base_lock); ++ dev->reg_state = ret ? NETREG_UNREGISTERED : NETREG_REGISTERED; ++ write_unlock(&dev_base_lock); ++ if (ret) + goto err_uninit; +- } +- dev->reg_state = NETREG_REGISTERED; + + __netdev_update_features(dev); + +@@ -10483,8 +10485,6 @@ static void netdev_wait_allrefs(struct net_device *dev) + unsigned long rebroadcast_time, warning_time; + int wait = 0, refcnt; + +- linkwatch_forget_dev(dev); +- + rebroadcast_time = warning_time = jiffies; + refcnt = netdev_refcnt_read(dev); + +@@ -10598,7 +10598,10 @@ void netdev_run_todo(void) + continue; + } + ++ write_lock(&dev_base_lock); + dev->reg_state = NETREG_UNREGISTERED; ++ write_unlock(&dev_base_lock); ++ linkwatch_forget_dev(dev); + + netdev_wait_allrefs(dev); + +@@ -11043,9 +11046,10 @@ void unregister_netdevice_many(struct list_head *head) + + list_for_each_entry(dev, head, unreg_list) { + /* And unlink it from device chain. */ +- unlist_netdevice(dev); +- ++ write_lock(&dev_base_lock); ++ unlist_netdevice(dev, false); + dev->reg_state = NETREG_UNREGISTERING; ++ write_unlock(&dev_base_lock); + } + flush_all_backlogs(); + +@@ -11190,7 +11194,7 @@ int __dev_change_net_namespace(struct net_device *dev, struct net *net, + dev_close(dev); + + /* And unlink it from device chain */ +- unlist_netdevice(dev); ++ unlist_netdevice(dev, true); + + synchronize_net(); + +diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c +index 9e5657f63245..e9ea0695efb4 100644 +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -32,6 +32,7 @@ static const char fmt_dec[] = "%d\n"; + static const char fmt_ulong[] = "%lu\n"; + static const char fmt_u64[] = "%llu\n"; + ++/* Caller holds RTNL or dev_base_lock */ + static inline int dev_isalive(const struct net_device *dev) + { + return dev->reg_state <= NETREG_REGISTERED; +-- +2.35.1 + diff --git a/queue-5.15/net-sched-sch_netem-fix-arithmetic-in-netem_dump-for.patch b/queue-5.15/net-sched-sch_netem-fix-arithmetic-in-netem_dump-for.patch new file mode 100644 index 00000000000..9ab9fc6c3fc --- /dev/null +++ b/queue-5.15/net-sched-sch_netem-fix-arithmetic-in-netem_dump-for.patch @@ -0,0 +1,73 @@ +From 25bd214c1b949ad1911561aff474c9a01690bae0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 16:43:36 -0700 +Subject: net/sched: sch_netem: Fix arithmetic in netem_dump() for 32-bit + platforms + +From: Peilin Ye + +[ Upstream commit a2b1a5d40bd12b44322c2ccd40bb0ec1699708b6 ] + +As reported by Yuming, currently tc always show a latency of UINT_MAX +for netem Qdisc's on 32-bit platforms: + + $ tc qdisc add dev dummy0 root netem latency 100ms + $ tc qdisc show dev dummy0 + qdisc netem 8001: root refcnt 2 limit 1000 delay 275s 275s + ^^^^^^^^^^^^^^^^ + +Let us take a closer look at netem_dump(): + + qopt.latency = min_t(psched_tdiff_t, PSCHED_NS2TICKS(q->latency, + UINT_MAX); + +qopt.latency is __u32, psched_tdiff_t is signed long, +(psched_tdiff_t)(UINT_MAX) is negative for 32-bit platforms, so +qopt.latency is always UINT_MAX. + +Fix it by using psched_time_t (u64) instead. + +Note: confusingly, users have two ways to specify 'latency': + + 1. normally, via '__u32 latency' in struct tc_netem_qopt; + 2. via the TCA_NETEM_LATENCY64 attribute, which is s64. + +For the second case, theoretically 'latency' could be negative. This +patch ignores that corner case, since it is broken (i.e. assigning a +negative s64 to __u32) anyways, and should be handled separately. + +Thanks Ted Lin for the analysis [1] . + +[1] https://github.com/raspberrypi/linux/issues/3512 + +Reported-by: Yuming Chen +Fixes: 112f9cb65643 ("netem: convert to qdisc_watchdog_schedule_ns") +Reviewed-by: Cong Wang +Signed-off-by: Peilin Ye +Acked-by: Stephen Hemminger +Link: https://lore.kernel.org/r/20220616234336.2443-1-yepeilin.cs@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_netem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index 0c345e43a09a..adc5407fd5d5 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -1146,9 +1146,9 @@ static int netem_dump(struct Qdisc *sch, struct sk_buff *skb) + struct tc_netem_rate rate; + struct tc_netem_slot slot; + +- qopt.latency = min_t(psched_tdiff_t, PSCHED_NS2TICKS(q->latency), ++ qopt.latency = min_t(psched_time_t, PSCHED_NS2TICKS(q->latency), + UINT_MAX); +- qopt.jitter = min_t(psched_tdiff_t, PSCHED_NS2TICKS(q->jitter), ++ qopt.jitter = min_t(psched_time_t, PSCHED_NS2TICKS(q->jitter), + UINT_MAX); + qopt.limit = q->limit; + qopt.loss = q->loss; +-- +2.35.1 + diff --git a/queue-5.15/net-tls-fix-tls_sk_proto_close-executed-repeatedly.patch b/queue-5.15/net-tls-fix-tls_sk_proto_close-executed-repeatedly.patch new file mode 100644 index 00000000000..5fa103bff46 --- /dev/null +++ b/queue-5.15/net-tls-fix-tls_sk_proto_close-executed-repeatedly.patch @@ -0,0 +1,55 @@ +From 69ea086ce5343beb379dffa13cd67141f5cb32d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 12:35:08 +0800 +Subject: net/tls: fix tls_sk_proto_close executed repeatedly + +From: Ziyang Xuan + +[ Upstream commit 69135c572d1f84261a6de2a1268513a7e71753e2 ] + +After setting the sock ktls, update ctx->sk_proto to sock->sk_prot by +tls_update(), so now ctx->sk_proto->close is tls_sk_proto_close(). When +close the sock, tls_sk_proto_close() is called for sock->sk_prot->close +is tls_sk_proto_close(). But ctx->sk_proto->close() will be executed later +in tls_sk_proto_close(). Thus tls_sk_proto_close() executed repeatedly +occurred. That will trigger the following bug. + +================================================================= +KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] +RIP: 0010:tls_sk_proto_close+0xd8/0xaf0 net/tls/tls_main.c:306 +Call Trace: + + tls_sk_proto_close+0x356/0xaf0 net/tls/tls_main.c:329 + inet_release+0x12e/0x280 net/ipv4/af_inet.c:428 + __sock_release+0xcd/0x280 net/socket.c:650 + sock_close+0x18/0x20 net/socket.c:1365 + +Updating a proto which is same with sock->sk_prot is incorrect. Add proto +and sock->sk_prot equality check at the head of tls_update() to fix it. + +Fixes: 95fa145479fb ("bpf: sockmap/tls, close can race with map free") +Reported-by: syzbot+29c3c12f3214b85ad081@syzkaller.appspotmail.com +Signed-off-by: Ziyang Xuan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tls/tls_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 9aac9c60d786..057c1af6182a 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -790,6 +790,9 @@ static void tls_update(struct sock *sk, struct proto *p, + { + struct tls_context *ctx; + ++ if (sk->sk_prot == p) ++ return; ++ + ctx = tls_get_ctx(sk); + if (likely(ctx)) { + ctx->sk_write_space = write_space; +-- +2.35.1 + diff --git a/queue-5.15/net-write-lock-dev_base_lock-without-disabling-botto.patch b/queue-5.15/net-write-lock-dev_base_lock-without-disabling-botto.patch new file mode 100644 index 00000000000..cf8d6374889 --- /dev/null +++ b/queue-5.15/net-write-lock-dev_base_lock-without-disabling-botto.patch @@ -0,0 +1,169 @@ +From 2634d7f1414aa76c55144cc4c8cecd30ed09c3af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Nov 2021 17:15:29 +0100 +Subject: net: Write lock dev_base_lock without disabling bottom halves. + +From: Sebastian Andrzej Siewior + +[ Upstream commit fd888e85fe6b661e78044dddfec0be5271afa626 ] + +The writer acquires dev_base_lock with disabled bottom halves. +The reader can acquire dev_base_lock without disabling bottom halves +because there is no writer in softirq context. + +On PREEMPT_RT the softirqs are preemptible and local_bh_disable() acts +as a lock to ensure that resources, that are protected by disabling +bottom halves, remain protected. +This leads to a circular locking dependency if the lock acquired with +disabled bottom halves (as in write_lock_bh()) and somewhere else with +enabled bottom halves (as by read_lock() in netstat_show()) followed by +disabling bottom halves (cxgb_get_stats() -> t4_wr_mbox_meat_timeout() +-> spin_lock_bh()). This is the reverse locking order. + +All read_lock() invocation are from sysfs callback which are not invoked +from softirq context. Therefore there is no need to disable bottom +halves while acquiring a write lock. + +Acquire the write lock of dev_base_lock without disabling bottom halves. + +Reported-by: Pei Zhang +Reported-by: Luis Claudio R. Goncalves +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 16 ++++++++-------- + net/core/link_watch.c | 4 ++-- + net/core/rtnetlink.c | 8 ++++---- + net/hsr/hsr_device.c | 6 +++--- + 4 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index b9731b267d07..860fc6a98373 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -365,12 +365,12 @@ static void list_netdevice(struct net_device *dev) + + ASSERT_RTNL(); + +- write_lock_bh(&dev_base_lock); ++ write_lock(&dev_base_lock); + list_add_tail_rcu(&dev->dev_list, &net->dev_base_head); + netdev_name_node_add(net, dev->name_node); + hlist_add_head_rcu(&dev->index_hlist, + dev_index_hash(net, dev->ifindex)); +- write_unlock_bh(&dev_base_lock); ++ write_unlock(&dev_base_lock); + + dev_base_seq_inc(net); + } +@@ -383,11 +383,11 @@ static void unlist_netdevice(struct net_device *dev) + ASSERT_RTNL(); + + /* Unlink dev from the device chain */ +- write_lock_bh(&dev_base_lock); ++ write_lock(&dev_base_lock); + list_del_rcu(&dev->dev_list); + netdev_name_node_del(dev->name_node); + hlist_del_rcu(&dev->index_hlist); +- write_unlock_bh(&dev_base_lock); ++ write_unlock(&dev_base_lock); + + dev_base_seq_inc(dev_net(dev)); + } +@@ -1266,15 +1266,15 @@ int dev_change_name(struct net_device *dev, const char *newname) + + netdev_adjacent_rename_links(dev, oldname); + +- write_lock_bh(&dev_base_lock); ++ write_lock(&dev_base_lock); + netdev_name_node_del(dev->name_node); +- write_unlock_bh(&dev_base_lock); ++ write_unlock(&dev_base_lock); + + synchronize_rcu(); + +- write_lock_bh(&dev_base_lock); ++ write_lock(&dev_base_lock); + netdev_name_node_add(net, dev->name_node); +- write_unlock_bh(&dev_base_lock); ++ write_unlock(&dev_base_lock); + + ret = call_netdevice_notifiers(NETDEV_CHANGENAME, dev); + ret = notifier_to_errno(ret); +diff --git a/net/core/link_watch.c b/net/core/link_watch.c +index 1a455847da54..9599afd0862d 100644 +--- a/net/core/link_watch.c ++++ b/net/core/link_watch.c +@@ -55,7 +55,7 @@ static void rfc2863_policy(struct net_device *dev) + if (operstate == dev->operstate) + return; + +- write_lock_bh(&dev_base_lock); ++ write_lock(&dev_base_lock); + + switch(dev->link_mode) { + case IF_LINK_MODE_TESTING: +@@ -74,7 +74,7 @@ static void rfc2863_policy(struct net_device *dev) + + dev->operstate = operstate; + +- write_unlock_bh(&dev_base_lock); ++ write_unlock(&dev_base_lock); + } + + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 9c0e8ccf9bc5..8c85e93daa73 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -842,9 +842,9 @@ static void set_operstate(struct net_device *dev, unsigned char transition) + } + + if (dev->operstate != operstate) { +- write_lock_bh(&dev_base_lock); ++ write_lock(&dev_base_lock); + dev->operstate = operstate; +- write_unlock_bh(&dev_base_lock); ++ write_unlock(&dev_base_lock); + netdev_state_change(dev); + } + } +@@ -2781,11 +2781,11 @@ static int do_setlink(const struct sk_buff *skb, + if (tb[IFLA_LINKMODE]) { + unsigned char value = nla_get_u8(tb[IFLA_LINKMODE]); + +- write_lock_bh(&dev_base_lock); ++ write_lock(&dev_base_lock); + if (dev->link_mode ^ value) + status |= DO_SETLINK_NOTIFY; + dev->link_mode = value; +- write_unlock_bh(&dev_base_lock); ++ write_unlock(&dev_base_lock); + } + + if (tb[IFLA_VFINFO_LIST]) { +diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c +index 26c32407f029..ea7b96e296ef 100644 +--- a/net/hsr/hsr_device.c ++++ b/net/hsr/hsr_device.c +@@ -30,13 +30,13 @@ static bool is_slave_up(struct net_device *dev) + + static void __hsr_set_operstate(struct net_device *dev, int transition) + { +- write_lock_bh(&dev_base_lock); ++ write_lock(&dev_base_lock); + if (dev->operstate != transition) { + dev->operstate = transition; +- write_unlock_bh(&dev_base_lock); ++ write_unlock(&dev_base_lock); + netdev_state_change(dev); + } else { +- write_unlock_bh(&dev_base_lock); ++ write_unlock(&dev_base_lock); + } + } + +-- +2.35.1 + diff --git a/queue-5.15/netfilter-use-get_random_u32-instead-of-prandom.patch b/queue-5.15/netfilter-use-get_random_u32-instead-of-prandom.patch new file mode 100644 index 00000000000..3a75529509b --- /dev/null +++ b/queue-5.15/netfilter-use-get_random_u32-instead-of-prandom.patch @@ -0,0 +1,131 @@ +From 2564d00f64ff408749efddeab579411d0c62d7fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 20:15:31 +0200 +Subject: netfilter: use get_random_u32 instead of prandom + +From: Florian Westphal + +[ Upstream commit b1fd94e704571f98b21027340eecf821b2bdffba ] + +bh might occur while updating per-cpu rnd_state from user context, +ie. local_out path. + +BUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725 +caller is nft_ng_random_eval+0x24/0x54 [nft_numgen] +Call Trace: + check_preemption_disabled+0xde/0xe0 + nft_ng_random_eval+0x24/0x54 [nft_numgen] + +Use the random driver instead, this also avoids need for local prandom +state. Moreover, prandom now uses the random driver since d4150779e60f +("random32: use real rng for non-deterministic randomness"). + +Based on earlier patch from Pablo Neira. + +Fixes: 6b2faee0ca91 ("netfilter: nft_meta: place prandom handling in a helper") +Fixes: 978d8f9055c3 ("netfilter: nft_numgen: add map lookups for numgen random operations") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_meta.c | 13 ++----------- + net/netfilter/nft_numgen.c | 12 +++--------- + 2 files changed, 5 insertions(+), 20 deletions(-) + +diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c +index a7e01e9952f1..44d9b38e5f90 100644 +--- a/net/netfilter/nft_meta.c ++++ b/net/netfilter/nft_meta.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -32,8 +33,6 @@ + #define NFT_META_SECS_PER_DAY 86400 + #define NFT_META_DAYS_PER_WEEK 7 + +-static DEFINE_PER_CPU(struct rnd_state, nft_prandom_state); +- + static u8 nft_meta_weekday(void) + { + time64_t secs = ktime_get_real_seconds(); +@@ -267,13 +266,6 @@ static bool nft_meta_get_eval_ifname(enum nft_meta_keys key, u32 *dest, + return true; + } + +-static noinline u32 nft_prandom_u32(void) +-{ +- struct rnd_state *state = this_cpu_ptr(&nft_prandom_state); +- +- return prandom_u32_state(state); +-} +- + #ifdef CONFIG_IP_ROUTE_CLASSID + static noinline bool + nft_meta_get_eval_rtclassid(const struct sk_buff *skb, u32 *dest) +@@ -385,7 +377,7 @@ void nft_meta_get_eval(const struct nft_expr *expr, + break; + #endif + case NFT_META_PRANDOM: +- *dest = nft_prandom_u32(); ++ *dest = get_random_u32(); + break; + #ifdef CONFIG_XFRM + case NFT_META_SECPATH: +@@ -514,7 +506,6 @@ int nft_meta_get_init(const struct nft_ctx *ctx, + len = IFNAMSIZ; + break; + case NFT_META_PRANDOM: +- prandom_init_once(&nft_prandom_state); + len = sizeof(u32); + break; + #ifdef CONFIG_XFRM +diff --git a/net/netfilter/nft_numgen.c b/net/netfilter/nft_numgen.c +index 722cac1e90e0..4e43214e88de 100644 +--- a/net/netfilter/nft_numgen.c ++++ b/net/netfilter/nft_numgen.c +@@ -9,12 +9,11 @@ + #include + #include + #include ++#include + #include + #include + #include + +-static DEFINE_PER_CPU(struct rnd_state, nft_numgen_prandom_state); +- + struct nft_ng_inc { + u8 dreg; + u32 modulus; +@@ -104,12 +103,9 @@ struct nft_ng_random { + u32 offset; + }; + +-static u32 nft_ng_random_gen(struct nft_ng_random *priv) ++static u32 nft_ng_random_gen(const struct nft_ng_random *priv) + { +- struct rnd_state *state = this_cpu_ptr(&nft_numgen_prandom_state); +- +- return reciprocal_scale(prandom_u32_state(state), priv->modulus) + +- priv->offset; ++ return reciprocal_scale(get_random_u32(), priv->modulus) + priv->offset; + } + + static void nft_ng_random_eval(const struct nft_expr *expr, +@@ -137,8 +133,6 @@ static int nft_ng_random_init(const struct nft_ctx *ctx, + if (priv->offset + priv->modulus - 1 < priv->offset) + return -EOVERFLOW; + +- prandom_init_once(&nft_numgen_prandom_state); +- + return nft_parse_register_store(ctx, tb[NFTA_NG_DREG], &priv->dreg, + NULL, NFT_DATA_VALUE, sizeof(u32)); + } +-- +2.35.1 + diff --git a/queue-5.15/nvme-move-the-samsung-x5-quirk-entry-to-the-core-qui.patch b/queue-5.15/nvme-move-the-samsung-x5-quirk-entry-to-the-core-qui.patch new file mode 100644 index 00000000000..133602990bf --- /dev/null +++ b/queue-5.15/nvme-move-the-samsung-x5-quirk-entry-to-the-core-qui.patch @@ -0,0 +1,65 @@ +From af366c5f4347fcf16575a1299e3e148604306780 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jun 2022 10:29:42 +0200 +Subject: nvme: move the Samsung X5 quirk entry to the core quirks + +From: Christoph Hellwig + +[ Upstream commit e6487833182a8a0187f0292aca542fc163ccd03e ] + +This device shares the PCI ID with the Samsung 970 Evo Plus that +does not need or want the quirks. Move the the quirk entry to the +core table based on the model number instead. + +Fixes: bc360b0b1611 ("nvme-pci: add quirks for Samsung X5 SSDs") +Signed-off-by: Christoph Hellwig +Reviewed-by: Pankaj Raghav +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 14 ++++++++++++++ + drivers/nvme/host/pci.c | 4 ---- + 2 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 3ef1f9112ee0..19054b791c67 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2489,6 +2489,20 @@ static const struct nvme_core_quirk_entry core_quirks[] = { + .vid = 0x1e0f, + .mn = "KCD6XVUL6T40", + .quirks = NVME_QUIRK_NO_APST, ++ }, ++ { ++ /* ++ * The external Samsung X5 SSD fails initialization without a ++ * delay before checking if it is ready and has a whole set of ++ * other problems. To make this even more interesting, it ++ * shares the PCI ID with internal Samsung 970 Evo Plus that ++ * does not need or want these quirks. ++ */ ++ .vid = 0x144d, ++ .mn = "Samsung Portable SSD X5", ++ .quirks = NVME_QUIRK_DELAY_BEFORE_CHK_RDY | ++ NVME_QUIRK_NO_DEEPEST_PS | ++ NVME_QUIRK_IGNORE_DEV_SUBNQN, + } + }; + +diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c +index 3ddd24a42043..58b8461b2b0f 100644 +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -3380,10 +3380,6 @@ static const struct pci_device_id nvme_id_table[] = { + NVME_QUIRK_128_BYTES_SQES | + NVME_QUIRK_SHARED_TAGS | + NVME_QUIRK_SKIP_CID_GEN }, +- { PCI_DEVICE(0x144d, 0xa808), /* Samsung X5 */ +- .driver_data = NVME_QUIRK_DELAY_BEFORE_CHK_RDY| +- NVME_QUIRK_NO_DEEPEST_PS | +- NVME_QUIRK_IGNORE_DEV_SUBNQN, }, + { PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) }, + { 0, } + }; +-- +2.35.1 + diff --git a/queue-5.15/nvme-pci-add-no-apst-quirk-for-kioxia-device.patch b/queue-5.15/nvme-pci-add-no-apst-quirk-for-kioxia-device.patch new file mode 100644 index 00000000000..9003b98c388 --- /dev/null +++ b/queue-5.15/nvme-pci-add-no-apst-quirk-for-kioxia-device.patch @@ -0,0 +1,54 @@ +From 430ddfa7cafd83642f80d5cf9d0e9d32cdac50f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 23:08:57 -0300 +Subject: nvme-pci: add NO APST quirk for Kioxia device + +From: Enzo Matsumiya + +[ Upstream commit 5a6254d55e2a9f7919ead8580d7aa0c7a382b26a ] + +This particular Kioxia device times out and aborts I/O during any load, +but it's more easily observable with discards (fstrim). + +The device gets to a state that is also not possible to use +"nvme set-feature" to disable APST. +Booting with nvme_core.default_ps_max_latency=0 solves the issue. + +We had a dozen or so of these devices behaving this same way in +customer environments. + +Signed-off-by: Enzo Matsumiya +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/host/core.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c +index 9bc9f6d225bd..3ef1f9112ee0 100644 +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2475,6 +2475,20 @@ static const struct nvme_core_quirk_entry core_quirks[] = { + .vid = 0x14a4, + .fr = "22301111", + .quirks = NVME_QUIRK_SIMPLE_SUSPEND, ++ }, ++ { ++ /* ++ * This Kioxia CD6-V Series / HPE PE8030 device times out and ++ * aborts I/O during any load, but more easily reproducible ++ * with discards (fstrim). ++ * ++ * The device is left in a state where it is also not possible ++ * to use "nvme set-feature" to disable APST, but booting with ++ * nvme_core.default_ps_max_latency=0 works. ++ */ ++ .vid = 0x1e0f, ++ .mn = "KCD6XVUL6T40", ++ .quirks = NVME_QUIRK_NO_APST, + } + }; + +-- +2.35.1 + diff --git a/queue-5.15/perf-arm-spe-don-t-set-data-source-if-it-s-not-a-mem.patch b/queue-5.15/perf-arm-spe-don-t-set-data-source-if-it-s-not-a-mem.patch new file mode 100644 index 00000000000..94b22c0909a --- /dev/null +++ b/queue-5.15/perf-arm-spe-don-t-set-data-source-if-it-s-not-a-mem.patch @@ -0,0 +1,99 @@ +From 8185e7def60607dddcd79a1334c5463cc803b8c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 02:03:25 +0000 +Subject: perf arm-spe: Don't set data source if it's not a memory operation + +From: Leo Yan + +[ Upstream commit 51ba539f5bdb5a8cc7b1dedd5e73ac54564a7602 ] + +Except for memory load and store operations, ARM SPE records also can +support other operation types, bug when set the data source field the +current code assumes a record is a either load operation or store +operation, this leads to wrongly synthesize memory samples. + +This patch strictly checks the record operation type, it only sets data +source only for the operation types ARM_SPE_LD and ARM_SPE_ST, +otherwise, returns zero for data source. Therefore, we can synthesize +memory samples only when data source is a non-zero value, the function +arm_spe__is_memory_event() is useless and removed. + +Fixes: e55ed3423c1bb29f ("perf arm-spe: Synthesize memory event") +Reviewed-by: Ali Saidi +Reviewed-by: German Gomez +Signed-off-by: Leo Yan +Tested-by: Ali Saidi +Cc: Alexander Shishkin +Cc: alisaidi@amazon.com +Cc: Andrew Kilroy +Cc: Benjamin Herrenschmidt +Cc: James Clark +Cc: Jiri Olsa +Cc: John Garry +Cc: Kajol Jain +Cc: Leo Yan +Cc: Li Huafei +Cc: linux-arm-kernel@lists.infradead.org +Cc: Mark Rutland +Cc: Mathieu Poirier +Cc: Namhyung Kim +Cc: Nick Forrington +Cc: Peter Zijlstra +Cc: Will Deacon +Link: http://lore.kernel.org/lkml/20220517020326.18580-5-alisaidi@amazon.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/arm-spe.c | 22 ++++++++-------------- + 1 file changed, 8 insertions(+), 14 deletions(-) + +diff --git a/tools/perf/util/arm-spe.c b/tools/perf/util/arm-spe.c +index 235549bb28b9..569e1b8ad0ab 100644 +--- a/tools/perf/util/arm-spe.c ++++ b/tools/perf/util/arm-spe.c +@@ -312,26 +312,16 @@ static int arm_spe__synth_branch_sample(struct arm_spe_queue *speq, + return arm_spe_deliver_synth_event(spe, speq, event, &sample); + } + +-#define SPE_MEM_TYPE (ARM_SPE_L1D_ACCESS | ARM_SPE_L1D_MISS | \ +- ARM_SPE_LLC_ACCESS | ARM_SPE_LLC_MISS | \ +- ARM_SPE_REMOTE_ACCESS) +- +-static bool arm_spe__is_memory_event(enum arm_spe_sample_type type) +-{ +- if (type & SPE_MEM_TYPE) +- return true; +- +- return false; +-} +- + static u64 arm_spe__synth_data_source(const struct arm_spe_record *record) + { + union perf_mem_data_src data_src = { 0 }; + + if (record->op == ARM_SPE_LD) + data_src.mem_op = PERF_MEM_OP_LOAD; +- else ++ else if (record->op == ARM_SPE_ST) + data_src.mem_op = PERF_MEM_OP_STORE; ++ else ++ return 0; + + if (record->type & (ARM_SPE_LLC_ACCESS | ARM_SPE_LLC_MISS)) { + data_src.mem_lvl = PERF_MEM_LVL_L3; +@@ -435,7 +425,11 @@ static int arm_spe_sample(struct arm_spe_queue *speq) + return err; + } + +- if (spe->sample_memory && arm_spe__is_memory_event(record->type)) { ++ /* ++ * When data_src is zero it means the record is not a memory operation, ++ * skip to synthesize memory sample for this case. ++ */ ++ if (spe->sample_memory && data_src) { + err = arm_spe__synth_mem_sample(speq, spe->memory_id, data_src); + if (err) + return err; +-- +2.35.1 + diff --git a/queue-5.15/phy-aquantia-fix-an-when-higher-speeds-than-1g-are-n.patch b/queue-5.15/phy-aquantia-fix-an-when-higher-speeds-than-1g-are-n.patch new file mode 100644 index 00000000000..8d26053a6e2 --- /dev/null +++ b/queue-5.15/phy-aquantia-fix-an-when-higher-speeds-than-1g-are-n.patch @@ -0,0 +1,63 @@ +From 409c0b9e02b65c66cb415bf6978be59a6e67f45c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jun 2022 11:40:37 +0300 +Subject: phy: aquantia: Fix AN when higher speeds than 1G are not advertised + +From: Claudiu Manoil + +[ Upstream commit 9b7fd1670a94a57d974795acebde843a5c1a354e ] + +Even when the eth port is resticted to work with speeds not higher than 1G, +and so the eth driver is requesting the phy (via phylink) to advertise up +to 1000BASET support, the aquantia phy device is still advertising for 2.5G +and 5G speeds. +Clear these advertising defaults when requested. + +Cc: Ondrej Spacek +Fixes: 09c4c57f7bc41 ("net: phy: aquantia: add support for auto-negotiation configuration") +Signed-off-by: Claudiu Manoil +Link: https://lore.kernel.org/r/20220610084037.7625-1-claudiu.manoil@nxp.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/phy/aquantia_main.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/phy/aquantia_main.c b/drivers/net/phy/aquantia_main.c +index 968dd43a2b1e..3221224525ac 100644 +--- a/drivers/net/phy/aquantia_main.c ++++ b/drivers/net/phy/aquantia_main.c +@@ -34,6 +34,8 @@ + #define MDIO_AN_VEND_PROV 0xc400 + #define MDIO_AN_VEND_PROV_1000BASET_FULL BIT(15) + #define MDIO_AN_VEND_PROV_1000BASET_HALF BIT(14) ++#define MDIO_AN_VEND_PROV_5000BASET_FULL BIT(11) ++#define MDIO_AN_VEND_PROV_2500BASET_FULL BIT(10) + #define MDIO_AN_VEND_PROV_DOWNSHIFT_EN BIT(4) + #define MDIO_AN_VEND_PROV_DOWNSHIFT_MASK GENMASK(3, 0) + #define MDIO_AN_VEND_PROV_DOWNSHIFT_DFLT 4 +@@ -231,9 +233,20 @@ static int aqr_config_aneg(struct phy_device *phydev) + phydev->advertising)) + reg |= MDIO_AN_VEND_PROV_1000BASET_HALF; + ++ /* Handle the case when the 2.5G and 5G speeds are not advertised */ ++ if (linkmode_test_bit(ETHTOOL_LINK_MODE_2500baseT_Full_BIT, ++ phydev->advertising)) ++ reg |= MDIO_AN_VEND_PROV_2500BASET_FULL; ++ ++ if (linkmode_test_bit(ETHTOOL_LINK_MODE_5000baseT_Full_BIT, ++ phydev->advertising)) ++ reg |= MDIO_AN_VEND_PROV_5000BASET_FULL; ++ + ret = phy_modify_mmd_changed(phydev, MDIO_MMD_AN, MDIO_AN_VEND_PROV, + MDIO_AN_VEND_PROV_1000BASET_HALF | +- MDIO_AN_VEND_PROV_1000BASET_FULL, reg); ++ MDIO_AN_VEND_PROV_1000BASET_FULL | ++ MDIO_AN_VEND_PROV_2500BASET_FULL | ++ MDIO_AN_VEND_PROV_5000BASET_FULL, reg); + if (ret < 0) + return ret; + if (ret > 0) +-- +2.35.1 + diff --git a/queue-5.15/regmap-irq-fix-a-bug-in-regmap_irq_enable-for-type_i.patch b/queue-5.15/regmap-irq-fix-a-bug-in-regmap_irq_enable-for-type_i.patch new file mode 100644 index 00000000000..afb24eb9bec --- /dev/null +++ b/queue-5.15/regmap-irq-fix-a-bug-in-regmap_irq_enable-for-type_i.patch @@ -0,0 +1,55 @@ +From 1be45a6094255d181ac75c7178e8ecc9a435bef4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 21:05:56 +0100 +Subject: regmap-irq: Fix a bug in regmap_irq_enable() for type_in_mask chips + +From: Aidan MacDonald + +[ Upstream commit 485037ae9a095491beb7f893c909a76cc4f9d1e7 ] + +When enabling a type_in_mask irq, the type_buf contents must be +AND'd with the mask of the IRQ we're enabling to avoid enabling +other IRQs by accident, which can happen if several type_in_mask +irqs share a mask register. + +Fixes: bc998a730367 ("regmap: irq: handle HW using separate rising/falling edge interrupts") +Signed-off-by: Aidan MacDonald +Link: https://lore.kernel.org/r/20220620200644.1961936-2-aidanmacdonald.0x0@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap-irq.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/base/regmap/regmap-irq.c b/drivers/base/regmap/regmap-irq.c +index 4a446259a184..cd12078ed51b 100644 +--- a/drivers/base/regmap/regmap-irq.c ++++ b/drivers/base/regmap/regmap-irq.c +@@ -252,6 +252,7 @@ static void regmap_irq_enable(struct irq_data *data) + struct regmap_irq_chip_data *d = irq_data_get_irq_chip_data(data); + struct regmap *map = d->map; + const struct regmap_irq *irq_data = irq_to_regmap_irq(d, data->hwirq); ++ unsigned int reg = irq_data->reg_offset / map->reg_stride; + unsigned int mask, type; + + type = irq_data->type.type_falling_val | irq_data->type.type_rising_val; +@@ -268,14 +269,14 @@ static void regmap_irq_enable(struct irq_data *data) + * at the corresponding offset in regmap_irq_set_type(). + */ + if (d->chip->type_in_mask && type) +- mask = d->type_buf[irq_data->reg_offset / map->reg_stride]; ++ mask = d->type_buf[reg] & irq_data->mask; + else + mask = irq_data->mask; + + if (d->chip->clear_on_unmask) + d->clear_status = true; + +- d->mask_buf[irq_data->reg_offset / map->reg_stride] &= ~mask; ++ d->mask_buf[reg] &= ~mask; + } + + static void regmap_irq_disable(struct irq_data *data) +-- +2.35.1 + diff --git a/queue-5.15/regmap-irq-fix-offset-index-mismatch-in-read_sub_irq.patch b/queue-5.15/regmap-irq-fix-offset-index-mismatch-in-read_sub_irq.patch new file mode 100644 index 00000000000..d994bbb8f61 --- /dev/null +++ b/queue-5.15/regmap-irq-fix-offset-index-mismatch-in-read_sub_irq.patch @@ -0,0 +1,46 @@ +From 609e3e770484bb7a8558ec15393f893d4c3adfe7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 21:05:57 +0100 +Subject: regmap-irq: Fix offset/index mismatch in read_sub_irq_data() + +From: Aidan MacDonald + +[ Upstream commit 3f05010f243be06478a9b11cfce0ce994f5a0890 ] + +We need to divide the sub-irq status register offset by register +stride to get an index for the status buffer to avoid an out of +bounds write when the register stride is greater than 1. + +Fixes: a2d21848d921 ("regmap: regmap-irq: Add main status register support") +Signed-off-by: Aidan MacDonald +Link: https://lore.kernel.org/r/20220620200644.1961936-3-aidanmacdonald.0x0@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap-irq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/base/regmap/regmap-irq.c b/drivers/base/regmap/regmap-irq.c +index cd12078ed51b..3aac960ae30a 100644 +--- a/drivers/base/regmap/regmap-irq.c ++++ b/drivers/base/regmap/regmap-irq.c +@@ -387,6 +387,7 @@ static inline int read_sub_irq_data(struct regmap_irq_chip_data *data, + subreg = &chip->sub_reg_offsets[b]; + for (i = 0; i < subreg->num_regs; i++) { + unsigned int offset = subreg->offset[i]; ++ unsigned int index = offset / map->reg_stride; + + if (chip->not_fixed_stride) + ret = regmap_read(map, +@@ -395,7 +396,7 @@ static inline int read_sub_irq_data(struct regmap_irq_chip_data *data, + else + ret = regmap_read(map, + chip->status_base + offset, +- &data->status_buf[offset]); ++ &data->status_buf[index]); + + if (ret) + break; +-- +2.35.1 + diff --git a/queue-5.15/revert-net-tls-fix-tls_sk_proto_close-executed-repea.patch b/queue-5.15/revert-net-tls-fix-tls_sk_proto_close-executed-repea.patch new file mode 100644 index 00000000000..5c33c54ee4e --- /dev/null +++ b/queue-5.15/revert-net-tls-fix-tls_sk_proto_close-executed-repea.patch @@ -0,0 +1,42 @@ +From 3df1d8262080947de2a8557e41717c624da8a676 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 12:13:52 -0700 +Subject: Revert "net/tls: fix tls_sk_proto_close executed repeatedly" + +From: Jakub Kicinski + +[ Upstream commit 1b205d948fbb06a7613d87dcea0ff5fd8a08ed91 ] + +This reverts commit 69135c572d1f84261a6de2a1268513a7e71753e2. + +This commit was just papering over the issue, ULP should not +get ->update() called with its own sk_prot. Each ULP would +need to add this check. + +Fixes: 69135c572d1f ("net/tls: fix tls_sk_proto_close executed repeatedly") +Signed-off-by: Jakub Kicinski +Reviewed-by: John Fastabend +Link: https://lore.kernel.org/r/20220620191353.1184629-1-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/tls/tls_main.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 057c1af6182a..9aac9c60d786 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -790,9 +790,6 @@ static void tls_update(struct sock *sk, struct proto *p, + { + struct tls_context *ctx; + +- if (sk->sk_prot == p) +- return; +- + ctx = tls_get_ctx(sk); + if (likely(ctx)) { + ctx->sk_write_space = write_space; +-- +2.35.1 + diff --git a/queue-5.15/s390-cpumf-handle-events-cycles-and-instructions-ide.patch b/queue-5.15/s390-cpumf-handle-events-cycles-and-instructions-ide.patch new file mode 100644 index 00000000000..3b69cc2cbc5 --- /dev/null +++ b/queue-5.15/s390-cpumf-handle-events-cycles-and-instructions-ide.patch @@ -0,0 +1,102 @@ +From fd836eb6e5423c3f843b02bd2298ea73dc4ad16a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jun 2022 15:19:00 +0200 +Subject: s390/cpumf: Handle events cycles and instructions identical + +From: Thomas Richter + +[ Upstream commit be857b7f77d130dbbd47c91fc35198b040f35865 ] + +Events CPU_CYCLES and INSTRUCTIONS can be submitted with two different +perf_event attribute::type values: + - PERF_TYPE_HARDWARE: when invoked via perf tool predefined events name + cycles or cpu-cycles or instructions. + - pmu->type: when invoked via perf tool event name cpu_cf/CPU_CYLCES/ or + cpu_cf/INSTRUCTIONS/. This invocation also selects the PMU to which + the event belongs. +Handle both type of invocations identical for events CPU_CYLCES and +INSTRUCTIONS. They address the same hardware. +The result is different when event modifier exclude_kernel is also set. +Invocation with event modifier for user space event counting fails. + +Output before: + + # perf stat -e cpum_cf/cpu_cycles/u -- true + + Performance counter stats for 'true': + + cpum_cf/cpu_cycles/u + + 0.000761033 seconds time elapsed + + 0.000076000 seconds user + 0.000725000 seconds sys + + # + +Output after: + # perf stat -e cpum_cf/cpu_cycles/u -- true + + Performance counter stats for 'true': + + 349,613 cpum_cf/cpu_cycles/u + + 0.000844143 seconds time elapsed + + 0.000079000 seconds user + 0.000800000 seconds sys + # + +Fixes: 6a82e23f45fe ("s390/cpumf: Adjust registration of s390 PMU device drivers") +Signed-off-by: Thomas Richter +Acked-by: Sumanth Korikkar +[agordeev@linux.ibm.com corrected commit ID of Fixes commit] +Signed-off-by: Alexander Gordeev +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_cf.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/perf_cpum_cf.c b/arch/s390/kernel/perf_cpum_cf.c +index cceb8ec707e4..d2a2a18b5580 100644 +--- a/arch/s390/kernel/perf_cpum_cf.c ++++ b/arch/s390/kernel/perf_cpum_cf.c +@@ -516,6 +516,26 @@ static int __hw_perf_event_init(struct perf_event *event, unsigned int type) + return err; + } + ++/* Events CPU_CYLCES and INSTRUCTIONS can be submitted with two different ++ * attribute::type values: ++ * - PERF_TYPE_HARDWARE: ++ * - pmu->type: ++ * Handle both type of invocations identical. They address the same hardware. ++ * The result is different when event modifiers exclude_kernel and/or ++ * exclude_user are also set. ++ */ ++static int cpumf_pmu_event_type(struct perf_event *event) ++{ ++ u64 ev = event->attr.config; ++ ++ if (cpumf_generic_events_basic[PERF_COUNT_HW_CPU_CYCLES] == ev || ++ cpumf_generic_events_basic[PERF_COUNT_HW_INSTRUCTIONS] == ev || ++ cpumf_generic_events_user[PERF_COUNT_HW_CPU_CYCLES] == ev || ++ cpumf_generic_events_user[PERF_COUNT_HW_INSTRUCTIONS] == ev) ++ return PERF_TYPE_HARDWARE; ++ return PERF_TYPE_RAW; ++} ++ + static int cpumf_pmu_event_init(struct perf_event *event) + { + unsigned int type = event->attr.type; +@@ -525,7 +545,7 @@ static int cpumf_pmu_event_init(struct perf_event *event) + err = __hw_perf_event_init(event, type); + else if (event->pmu->type == type) + /* Registered as unknown PMU */ +- err = __hw_perf_event_init(event, PERF_TYPE_RAW); ++ err = __hw_perf_event_init(event, cpumf_pmu_event_type(event)); + else + return -ENOENT; + +-- +2.35.1 + diff --git a/queue-5.15/scsi-iscsi-exclude-zero-from-the-endpoint-id-range.patch b/queue-5.15/scsi-iscsi-exclude-zero-from-the-endpoint-id-range.patch new file mode 100644 index 00000000000..6b8c3d5c8b9 --- /dev/null +++ b/queue-5.15/scsi-iscsi-exclude-zero-from-the-endpoint-id-range.patch @@ -0,0 +1,48 @@ +From 93d2e7f8fb638ad679b84496acdea230c5db22b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 15:38:54 +0300 +Subject: scsi: iscsi: Exclude zero from the endpoint ID range + +From: Sergey Gorenko + +[ Upstream commit f6eed15f3ea76596ccc689331e1cc850b999133b ] + +The kernel returns an endpoint ID as r.ep_connect_ret.handle in the +iscsi_uevent. The iscsid validates a received endpoint ID and treats zero +as an error. The commit referenced in the fixes line changed the endpoint +ID range, and zero is always assigned to the first endpoint ID. So, the +first attempt to create a new iSER connection always fails. + +Link: https://lore.kernel.org/r/20220613123854.55073-1-sergeygo@nvidia.com +Fixes: 3c6ae371b8a1 ("scsi: iscsi: Release endpoint ID when its freed") +Reviewed-by: Max Gurtovoy +Reviewed-by: Mike Christie +Reviewed-by: Lee Duncan +Signed-off-by: Sergey Gorenko +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_transport_iscsi.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c +index bcdfcb25349a..5947b9d5746e 100644 +--- a/drivers/scsi/scsi_transport_iscsi.c ++++ b/drivers/scsi/scsi_transport_iscsi.c +@@ -213,7 +213,12 @@ iscsi_create_endpoint(int dd_size) + return NULL; + + mutex_lock(&iscsi_ep_idr_mutex); +- id = idr_alloc(&iscsi_ep_idr, ep, 0, -1, GFP_NOIO); ++ ++ /* ++ * First endpoint id should be 1 to comply with user space ++ * applications (iscsid). ++ */ ++ id = idr_alloc(&iscsi_ep_idr, ep, 1, -1, GFP_NOIO); + if (id < 0) { + mutex_unlock(&iscsi_ep_idr_mutex); + printk(KERN_ERR "Could not allocate endpoint ID. Error %d.\n", +-- +2.35.1 + diff --git a/queue-5.15/scsi-scsi_debug-fix-zone-transition-to-full-conditio.patch b/queue-5.15/scsi-scsi_debug-fix-zone-transition-to-full-conditio.patch new file mode 100644 index 00000000000..97dbff5b3d8 --- /dev/null +++ b/queue-5.15/scsi-scsi_debug-fix-zone-transition-to-full-conditio.patch @@ -0,0 +1,81 @@ +From 59b71585aa43d7b1cccbe080d7bb8961cdd002df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 10:13:02 +0900 +Subject: scsi: scsi_debug: Fix zone transition to full condition + +From: Damien Le Moal + +[ Upstream commit 566d3c57eb526f32951af15866086e236ce1fc8a ] + +When a write command to a sequential write required or sequential write +preferred zone result in the zone write pointer reaching the end of the +zone, the zone condition must be set to full AND the number of implicitly +or explicitly open zones updated to have a correct accounting for zone +resources. However, the function zbc_inc_wp() only sets the zone condition +to full without updating the open zone counters, resulting in a zone state +machine breakage. + +Introduce the helper function zbc_set_zone_full() and use it in +zbc_inc_wp() to correctly transition zones to the full condition. + +Link: https://lore.kernel.org/r/20220608011302.92061-1-damien.lemoal@opensource.wdc.com +Fixes: f0d1cf9378bd ("scsi: scsi_debug: Add ZBC zone commands") +Reviewed-by: Niklas Cassel +Acked-by: Douglas Gilbert +Signed-off-by: Damien Le Moal +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_debug.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c +index cfeadd5f61f1..747e1cbb7ec9 100644 +--- a/drivers/scsi/scsi_debug.c ++++ b/drivers/scsi/scsi_debug.c +@@ -2747,6 +2747,24 @@ static void zbc_open_zone(struct sdebug_dev_info *devip, + } + } + ++static inline void zbc_set_zone_full(struct sdebug_dev_info *devip, ++ struct sdeb_zone_state *zsp) ++{ ++ switch (zsp->z_cond) { ++ case ZC2_IMPLICIT_OPEN: ++ devip->nr_imp_open--; ++ break; ++ case ZC3_EXPLICIT_OPEN: ++ devip->nr_exp_open--; ++ break; ++ default: ++ WARN_ONCE(true, "Invalid zone %llu condition %x\n", ++ zsp->z_start, zsp->z_cond); ++ break; ++ } ++ zsp->z_cond = ZC5_FULL; ++} ++ + static void zbc_inc_wp(struct sdebug_dev_info *devip, + unsigned long long lba, unsigned int num) + { +@@ -2759,7 +2777,7 @@ static void zbc_inc_wp(struct sdebug_dev_info *devip, + if (zsp->z_type == ZBC_ZONE_TYPE_SWR) { + zsp->z_wp += num; + if (zsp->z_wp >= zend) +- zsp->z_cond = ZC5_FULL; ++ zbc_set_zone_full(devip, zsp); + return; + } + +@@ -2778,7 +2796,7 @@ static void zbc_inc_wp(struct sdebug_dev_info *devip, + n = num; + } + if (zsp->z_wp >= zend) +- zsp->z_cond = ZC5_FULL; ++ zbc_set_zone_full(devip, zsp); + + num -= n; + lba += n; +-- +2.35.1 + diff --git a/queue-5.15/scsi-storvsc-correct-reporting-of-hyper-v-i-o-size-l.patch b/queue-5.15/scsi-storvsc-correct-reporting-of-hyper-v-i-o-size-l.patch new file mode 100644 index 00000000000..348e2ab4609 --- /dev/null +++ b/queue-5.15/scsi-storvsc-correct-reporting-of-hyper-v-i-o-size-l.patch @@ -0,0 +1,102 @@ +From 7faf062a3fbe8a7bf449d0aa6bba41f8dc124f4b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jun 2022 00:05:55 -0700 +Subject: scsi: storvsc: Correct reporting of Hyper-V I/O size limits +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Saurabh Sengar + +[ Upstream commit 1d3e0980782fbafaf93285779fd3905e4f866802 ] + +Current code is based on the idea that the max number of SGL entries +also determines the max size of an I/O request. While this idea was +true in older versions of the storvsc driver when SGL entry length +was limited to 4 Kbytes, commit 3d9c3dcc58e9 ("scsi: storvsc: Enable +scatterlist entry lengths > 4Kbytes") removed that limitation. It's +now theoretically possible for the block layer to send requests that +exceed the maximum size supported by Hyper-V. This problem doesn't +currently happen in practice because the block layer defaults to a +512 Kbyte maximum, while Hyper-V in Azure supports 2 Mbyte I/O sizes. +But some future configuration of Hyper-V could have a smaller max I/O +size, and the block layer could exceed that max. + +Fix this by correctly setting max_sectors as well as sg_tablesize to +reflect the maximum I/O size that Hyper-V reports. While allowing +I/O sizes larger than the block layer default of 512 Kbytes doesn’t +provide any noticeable performance benefit in the tests we ran, it's +still appropriate to report the correct underlying Hyper-V capabilities +to the Linux block layer. + +Also tweak the virt_boundary_mask to reflect that the required +alignment derives from Hyper-V communication using a 4 Kbyte page size, +and not on the guest page size, which might be bigger (eg. ARM64). + +Link: https://lore.kernel.org/r/1655190355-28722-1-git-send-email-ssengar@linux.microsoft.com +Fixes: 3d9c3dcc58e9 ("scsi: storvsc: Enable scatter list entry lengths > 4Kbytes") +Reviewed-by: Michael Kelley +Signed-off-by: Saurabh Sengar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/storvsc_drv.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c +index 9eb1b88a29dd..71c7f7b435c4 100644 +--- a/drivers/scsi/storvsc_drv.c ++++ b/drivers/scsi/storvsc_drv.c +@@ -1907,7 +1907,7 @@ static struct scsi_host_template scsi_driver = { + .cmd_per_lun = 2048, + .this_id = -1, + /* Ensure there are no gaps in presented sgls */ +- .virt_boundary_mask = PAGE_SIZE-1, ++ .virt_boundary_mask = HV_HYP_PAGE_SIZE - 1, + .no_write_same = 1, + .track_queue_depth = 1, + .change_queue_depth = storvsc_change_queue_depth, +@@ -1961,6 +1961,7 @@ static int storvsc_probe(struct hv_device *device, + int max_targets; + int max_channels; + int max_sub_channels = 0; ++ u32 max_xfer_bytes; + + /* + * Based on the windows host we are running on, +@@ -2049,12 +2050,28 @@ static int storvsc_probe(struct hv_device *device, + } + /* max cmd length */ + host->max_cmd_len = STORVSC_MAX_CMD_LEN; +- + /* +- * set the table size based on the info we got +- * from the host. ++ * Any reasonable Hyper-V configuration should provide ++ * max_transfer_bytes value aligning to HV_HYP_PAGE_SIZE, ++ * protecting it from any weird value. ++ */ ++ max_xfer_bytes = round_down(stor_device->max_transfer_bytes, HV_HYP_PAGE_SIZE); ++ /* max_hw_sectors_kb */ ++ host->max_sectors = max_xfer_bytes >> 9; ++ /* ++ * There are 2 requirements for Hyper-V storvsc sgl segments, ++ * based on which the below calculation for max segments is ++ * done: ++ * ++ * 1. Except for the first and last sgl segment, all sgl segments ++ * should be align to HV_HYP_PAGE_SIZE, that also means the ++ * maximum number of segments in a sgl can be calculated by ++ * dividing the total max transfer length by HV_HYP_PAGE_SIZE. ++ * ++ * 2. Except for the first and last, each entry in the SGL must ++ * have an offset that is a multiple of HV_HYP_PAGE_SIZE. + */ +- host->sg_tablesize = (stor_device->max_transfer_bytes >> PAGE_SHIFT); ++ host->sg_tablesize = (max_xfer_bytes >> HV_HYP_PAGE_SHIFT) + 1; + /* + * For non-IDE disks, the host supports multiple channels. + * Set the number of HW queues we are supporting. +-- +2.35.1 + diff --git a/queue-5.15/selftests-netfilter-correct-pktgen_script_paths-in-n.patch b/queue-5.15/selftests-netfilter-correct-pktgen_script_paths-in-n.patch new file mode 100644 index 00000000000..6e35605f9dc --- /dev/null +++ b/queue-5.15/selftests-netfilter-correct-pktgen_script_paths-in-n.patch @@ -0,0 +1,61 @@ +From 405147d73ddcb1770f3756d1e92cc8ab6d9c9758 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Jun 2022 15:40:46 +0800 +Subject: selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in + nft_concat_range.sh + +From: Jie2x Zhou + +[ Upstream commit 5d79d8af8dec58bf709b3124d09d9572edd9c617 ] + +Before change: +make -C netfilter + TEST: performance + net,port [SKIP] + perf not supported + port,net [SKIP] + perf not supported + net6,port [SKIP] + perf not supported + port,proto [SKIP] + perf not supported + net6,port,mac [SKIP] + perf not supported + net6,port,mac,proto [SKIP] + perf not supported + net,mac [SKIP] + perf not supported + +After change: + net,mac [ OK ] + baseline (drop from netdev hook): 2061098pps + baseline hash (non-ranged entries): 1606741pps + baseline rbtree (match on first field only): 1191607pps + set with 1000 full, ranged entries: 1639119pps +ok 8 selftests: netfilter: nft_concat_range.sh + +Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation") +Reported-by: kernel test robot +Signed-off-by: Jie2x Zhou +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/netfilter/nft_concat_range.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/netfilter/nft_concat_range.sh b/tools/testing/selftests/netfilter/nft_concat_range.sh +index b5eef5ffb58e..af3461cb5c40 100755 +--- a/tools/testing/selftests/netfilter/nft_concat_range.sh ++++ b/tools/testing/selftests/netfilter/nft_concat_range.sh +@@ -31,7 +31,7 @@ BUGS="flush_remove_add reload" + + # List of possible paths to pktgen script from kernel tree for performance tests + PKTGEN_SCRIPT_PATHS=" +- ../../../samples/pktgen/pktgen_bench_xmit_mode_netif_receive.sh ++ ../../../../samples/pktgen/pktgen_bench_xmit_mode_netif_receive.sh + pktgen/pktgen_bench_xmit_mode_netif_receive.sh" + + # Definition of set types: +-- +2.35.1 + diff --git a/queue-5.15/series b/queue-5.15/series index 94c14b49fa7..4f58960045c 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -30,3 +30,54 @@ usb-serial-pl2303-add-support-for-more-hxn-g-types.patch usb-serial-option-add-telit-le910cx-0x1250-composition.patch usb-serial-option-add-quectel-em05-g-modem.patch usb-serial-option-add-quectel-rm500k-module-support.patch +drm-msm-ensure-mmap-offset-is-initialized.patch +drm-msm-fix-double-pm_runtime_disable-call.patch +netfilter-use-get_random_u32-instead-of-prandom.patch +scsi-scsi_debug-fix-zone-transition-to-full-conditio.patch +drm-msm-switch-ordering-of-runpm-put-vs-devfreq_idle.patch +scsi-iscsi-exclude-zero-from-the-endpoint-id-range.patch +xsk-fix-generic-transmit-when-completion-queue-reser.patch +drm-msm-use-for_each_sgtable_sg-to-iterate-over-scat.patch +bpf-fix-request_sock-leak-in-sk-lookup-helpers.patch +drm-sun4i-fix-crash-during-suspend-after-component-b.patch +bpf-x86-fix-tail-call-count-offset-calculation-on-bp.patch +scsi-storvsc-correct-reporting-of-hyper-v-i-o-size-l.patch +phy-aquantia-fix-an-when-higher-speeds-than-1g-are-n.patch +kvm-arm64-prevent-kmemleak-from-accessing-pkvm-memor.patch +net-write-lock-dev_base_lock-without-disabling-botto.patch +net-fix-data-race-in-dev_isalive.patch +tipc-fix-use-after-free-read-in-tipc_named_reinit.patch +igb-fix-a-use-after-free-issue-in-igb_clean_tx_ring.patch +bonding-arp-monitor-spams-netdev_notify_peers-notifi.patch +ethtool-fix-get-module-eeprom-fallback.patch +net-sched-sch_netem-fix-arithmetic-in-netem_dump-for.patch +drm-msm-mdp4-fix-refcount-leak-in-mdp4_modeset_init_.patch +drm-msm-dp-check-core_initialized-before-disable-int.patch +drm-msm-dp-drop-now-unused-hpd_high-member.patch +drm-msm-dp-dp_link_parse_sink_count-return-immediate.patch +drm-msm-dp-do-not-initialize-phy-until-plugin-interr.patch +drm-msm-dp-force-link-training-for-display-resolutio.patch +perf-arm-spe-don-t-set-data-source-if-it-s-not-a-mem.patch +erspan-do-not-assume-transport-header-is-always-set.patch +net-tls-fix-tls_sk_proto_close-executed-repeatedly.patch +udmabuf-add-back-sanity-check.patch +selftests-netfilter-correct-pktgen_script_paths-in-n.patch +xen-blkfront-handle-null-gendisk.patch +x86-xen-remove-undefined-behavior-in-setup_features.patch +mips-remove-repetitive-increase-irq_err_count.patch +afs-fix-dynamic-root-getattr.patch +ice-ethtool-advertise-1000m-speeds-properly.patch +regmap-irq-fix-a-bug-in-regmap_irq_enable-for-type_i.patch +regmap-irq-fix-offset-index-mismatch-in-read_sub_irq.patch +igb-make-dma-faster-when-cpu-is-active-on-the-pcie-l.patch +virtio_net-fix-xdp_rxq_info-bug-after-suspend-resume.patch +revert-net-tls-fix-tls_sk_proto_close-executed-repea.patch +sock-redo-the-psock-vs-ulp-protection-check.patch +nvme-pci-add-no-apst-quirk-for-kioxia-device.patch +nvme-move-the-samsung-x5-quirk-entry-to-the-core-qui.patch +gpio-winbond-fix-error-code-in-winbond_gpio_get.patch +s390-cpumf-handle-events-cycles-and-instructions-ide.patch +iio-mma8452-fix-probe-fail-when-device-tree-compatib.patch +iio-magnetometer-yas530-fix-memchr_inv-misuse.patch +iio-adc-vf610-fix-conversion-mode-sysfs-node-name.patch +usb-typec-wcove-drop-wrong-dependency-to-intel_soc_p.patch diff --git a/queue-5.15/sock-redo-the-psock-vs-ulp-protection-check.patch b/queue-5.15/sock-redo-the-psock-vs-ulp-protection-check.patch new file mode 100644 index 00000000000..0159090f52a --- /dev/null +++ b/queue-5.15/sock-redo-the-psock-vs-ulp-protection-check.patch @@ -0,0 +1,98 @@ +From 87cfc77131e7d2c1afe33dd038b5f6d4ff94d8e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 12:13:53 -0700 +Subject: sock: redo the psock vs ULP protection check + +From: Jakub Kicinski + +[ Upstream commit e34a07c0ae3906f97eb18df50902e2a01c1015b6 ] + +Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()") +has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to +the new tcp_bpf_update_proto() function. I'm guessing that this +was done to allow creating psocks for non-inet sockets. + +Unfortunately the destruction path for psock includes the ULP +unwind, so we need to fail the sk_psock_init() itself. +Otherwise if ULP is already present we'll notice that later, +and call tcp_update_ulp() with the sk_proto of the ULP +itself, which will most likely result in the ULP looping +its callbacks. + +Fixes: 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()") +Signed-off-by: Jakub Kicinski +Reviewed-by: John Fastabend +Reviewed-by: Jakub Sitnicki +Tested-by: Jakub Sitnicki +Link: https://lore.kernel.org/r/20220620191353.1184629-2-kuba@kernel.org +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + include/net/inet_sock.h | 5 +++++ + net/core/skmsg.c | 5 +++++ + net/ipv4/tcp_bpf.c | 3 --- + net/tls/tls_main.c | 2 ++ + 4 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h +index 9e1111f5915b..d81b7f85819e 100644 +--- a/include/net/inet_sock.h ++++ b/include/net/inet_sock.h +@@ -252,6 +252,11 @@ struct inet_sock { + #define IP_CMSG_CHECKSUM BIT(7) + #define IP_CMSG_RECVFRAGSIZE BIT(8) + ++static inline bool sk_is_inet(struct sock *sk) ++{ ++ return sk->sk_family == AF_INET || sk->sk_family == AF_INET6; ++} ++ + /** + * sk_to_full_sk - Access to a full socket + * @sk: pointer to a socket +diff --git a/net/core/skmsg.c b/net/core/skmsg.c +index cc381165ea08..ede0af308f40 100644 +--- a/net/core/skmsg.c ++++ b/net/core/skmsg.c +@@ -695,6 +695,11 @@ struct sk_psock *sk_psock_init(struct sock *sk, int node) + + write_lock_bh(&sk->sk_callback_lock); + ++ if (sk_is_inet(sk) && inet_csk_has_ulp(sk)) { ++ psock = ERR_PTR(-EINVAL); ++ goto out; ++ } ++ + if (sk->sk_user_data) { + psock = ERR_PTR(-EBUSY); + goto out; +diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c +index 1cdcb4df0eb7..2c597a4e429a 100644 +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -612,9 +612,6 @@ int tcp_bpf_update_proto(struct sock *sk, struct sk_psock *psock, bool restore) + return 0; + } + +- if (inet_csk_has_ulp(sk)) +- return -EINVAL; +- + if (sk->sk_family == AF_INET6) { + if (tcp_bpf_assert_proto_ops(psock->sk_proto)) + return -EINVAL; +diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c +index 9aac9c60d786..62b1c5e32bbd 100644 +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -790,6 +790,8 @@ static void tls_update(struct sock *sk, struct proto *p, + { + struct tls_context *ctx; + ++ WARN_ON_ONCE(sk->sk_prot == p); ++ + ctx = tls_get_ctx(sk); + if (likely(ctx)) { + ctx->sk_write_space = write_space; +-- +2.35.1 + diff --git a/queue-5.15/tipc-fix-use-after-free-read-in-tipc_named_reinit.patch b/queue-5.15/tipc-fix-use-after-free-read-in-tipc_named_reinit.patch new file mode 100644 index 00000000000..a5deb16c7ee --- /dev/null +++ b/queue-5.15/tipc-fix-use-after-free-read-in-tipc_named_reinit.patch @@ -0,0 +1,80 @@ +From ccb2d1d14d4c400cf73b122a840164ace8f84c3d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jun 2022 08:45:51 +0700 +Subject: tipc: fix use-after-free Read in tipc_named_reinit + +From: Hoang Le + +[ Upstream commit 911600bf5a5e84bfda4d33ee32acc75ecf6159f0 ] + +syzbot found the following issue on: +================================================================== +BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0 +net/tipc/name_distr.c:413 +Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764 + +CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted +5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0 +Hardware name: Google Compute Engine/Google Compute Engine, +BIOS Google 01/01/2011 +Workqueue: events tipc_net_finalize_work +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description.constprop.0.cold+0xeb/0x495 +mm/kasan/report.c:313 + print_report mm/kasan/report.c:429 [inline] + kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491 + tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413 + tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138 + process_one_work+0x996/0x1610 kernel/workqueue.c:2289 + worker_thread+0x665/0x1080 kernel/workqueue.c:2436 + kthread+0x2e9/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 + +[...] +================================================================== + +In the commit +d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work"), +the cancel_work_sync() function just to make sure ONLY the work +tipc_net_finalize_work() is executing/pending on any CPU completed before +tipc namespace is destroyed through tipc_exit_net(). But this function +is not guaranteed the work is the last queued. So, the destroyed instance +may be accessed in the work which will try to enqueue later. + +In order to completely fix, we re-order the calling of cancel_work_sync() +to make sure the work tipc_net_finalize_work() was last queued and it +must be completed by calling cancel_work_sync(). + +Reported-by: syzbot+47af19f3307fc9c5c82e@syzkaller.appspotmail.com +Fixes: d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work") +Acked-by: Jon Maloy +Signed-off-by: Ying Xue +Signed-off-by: Hoang Le +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/tipc/core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/net/tipc/core.c b/net/tipc/core.c +index 3f4542e0f065..434e70eabe08 100644 +--- a/net/tipc/core.c ++++ b/net/tipc/core.c +@@ -109,10 +109,9 @@ static void __net_exit tipc_exit_net(struct net *net) + struct tipc_net *tn = tipc_net(net); + + tipc_detach_loopback(net); ++ tipc_net_stop(net); + /* Make sure the tipc_net_finalize_work() finished */ + cancel_work_sync(&tn->work); +- tipc_net_stop(net); +- + tipc_bcast_stop(net); + tipc_nametbl_stop(net); + tipc_sk_rht_destroy(net); +-- +2.35.1 + diff --git a/queue-5.15/udmabuf-add-back-sanity-check.patch b/queue-5.15/udmabuf-add-back-sanity-check.patch new file mode 100644 index 00000000000..6919fbc752d --- /dev/null +++ b/queue-5.15/udmabuf-add-back-sanity-check.patch @@ -0,0 +1,42 @@ +From bdea148a7ab3cc7fd112eebf4cdc402be1a9aa82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 09:15:47 +0200 +Subject: udmabuf: add back sanity check + +From: Gerd Hoffmann + +[ Upstream commit 05b252cccb2e5c3f56119d25de684b4f810ba40a ] + +Check vm_fault->pgoff before using it. When we removed the warning, we +also removed the check. + +Fixes: 7b26e4e2119d ("udmabuf: drop WARN_ON() check.") +Reported-by: zdi-disclosures@trendmicro.com +Suggested-by: Linus Torvalds +Signed-off-by: Gerd Hoffmann +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + drivers/dma-buf/udmabuf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/dma-buf/udmabuf.c b/drivers/dma-buf/udmabuf.c +index e7330684d3b8..9631f2fd2faf 100644 +--- a/drivers/dma-buf/udmabuf.c ++++ b/drivers/dma-buf/udmabuf.c +@@ -32,8 +32,11 @@ static vm_fault_t udmabuf_vm_fault(struct vm_fault *vmf) + { + struct vm_area_struct *vma = vmf->vma; + struct udmabuf *ubuf = vma->vm_private_data; ++ pgoff_t pgoff = vmf->pgoff; + +- vmf->page = ubuf->pages[vmf->pgoff]; ++ if (pgoff >= ubuf->pagecount) ++ return VM_FAULT_SIGBUS; ++ vmf->page = ubuf->pages[pgoff]; + get_page(vmf->page); + return 0; + } +-- +2.35.1 + diff --git a/queue-5.15/usb-typec-wcove-drop-wrong-dependency-to-intel_soc_p.patch b/queue-5.15/usb-typec-wcove-drop-wrong-dependency-to-intel_soc_p.patch new file mode 100644 index 00000000000..1b8db4393cd --- /dev/null +++ b/queue-5.15/usb-typec-wcove-drop-wrong-dependency-to-intel_soc_p.patch @@ -0,0 +1,45 @@ +From 264cfd5f90e72707801f8756798493f1f1fa1720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 13:43:16 +0300 +Subject: usb: typec: wcove: Drop wrong dependency to INTEL_SOC_PMIC + +From: Andy Shevchenko + +[ Upstream commit 9ef165406308515dcf2e3f6e97b39a1c56d86db5 ] + +Intel SoC PMIC is a generic name for all PMICs that are used +on Intel platforms. In particular, INTEL_SOC_PMIC kernel configuration +option refers to Crystal Cove PMIC, which has never been a part +of any Intel Broxton hardware. Drop wrong dependency from Kconfig. + +Note, the correct dependency is satisfied via ACPI PMIC OpRegion driver, +which the Type-C depends on. + +Fixes: d2061f9cc32d ("usb: typec: add driver for Intel Whiskey Cove PMIC USB Type-C PHY") +Reported-by: Hans de Goede +Reviewed-by: Guenter Roeck +Reviewed-by: Heikki Krogerus +Reviewed-by: Hans de Goede +Signed-off-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220620104316.57592-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/typec/tcpm/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/usb/typec/tcpm/Kconfig b/drivers/usb/typec/tcpm/Kconfig +index 557f392fe24d..073fd2ea5e0b 100644 +--- a/drivers/usb/typec/tcpm/Kconfig ++++ b/drivers/usb/typec/tcpm/Kconfig +@@ -56,7 +56,6 @@ config TYPEC_WCOVE + tristate "Intel WhiskeyCove PMIC USB Type-C PHY driver" + depends on ACPI + depends on MFD_INTEL_PMC_BXT +- depends on INTEL_SOC_PMIC + depends on BXT_WC_PMIC_OPREGION + help + This driver adds support for USB Type-C on Intel Broxton platforms +-- +2.35.1 + diff --git a/queue-5.15/virtio_net-fix-xdp_rxq_info-bug-after-suspend-resume.patch b/queue-5.15/virtio_net-fix-xdp_rxq_info-bug-after-suspend-resume.patch new file mode 100644 index 00000000000..30e1eebf0b1 --- /dev/null +++ b/queue-5.15/virtio_net-fix-xdp_rxq_info-bug-after-suspend-resume.patch @@ -0,0 +1,115 @@ +From 8094f72ffc084c5b6b52f7258cb6b4fbba2cf816 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Jun 2022 13:48:44 +0200 +Subject: virtio_net: fix xdp_rxq_info bug after suspend/resume + +From: Stephan Gerhold + +[ Upstream commit 8af52fe9fd3bf5e7478da99193c0632276e1dfce ] + +The following sequence currently causes a driver bug warning +when using virtio_net: + + # ip link set eth0 up + # echo mem > /sys/power/state (or e.g. # rtcwake -s 10 -m mem) + + # ip link set eth0 down + + Missing register, driver bug + WARNING: CPU: 0 PID: 375 at net/core/xdp.c:138 xdp_rxq_info_unreg+0x58/0x60 + Call trace: + xdp_rxq_info_unreg+0x58/0x60 + virtnet_close+0x58/0xac + __dev_close_many+0xac/0x140 + __dev_change_flags+0xd8/0x210 + dev_change_flags+0x24/0x64 + do_setlink+0x230/0xdd0 + ... + +This happens because virtnet_freeze() frees the receive_queue +completely (including struct xdp_rxq_info) but does not call +xdp_rxq_info_unreg(). Similarly, virtnet_restore() sets up the +receive_queue again but does not call xdp_rxq_info_reg(). + +Actually, parts of virtnet_freeze_down() and virtnet_restore_up() +are almost identical to virtnet_close() and virtnet_open(): only +the calls to xdp_rxq_info_(un)reg() are missing. This means that +we can fix this easily and avoid such problems in the future by +just calling virtnet_close()/open() from the freeze/restore handlers. + +Aside from adding the missing xdp_rxq_info calls the only difference +is that the refill work is only cancelled if netif_running(). However, +this should not make any functional difference since the refill work +should only be active if the network interface is actually up. + +Fixes: 754b8a21a96d ("virtio_net: setup xdp_rxq_info") +Signed-off-by: Stephan Gerhold +Acked-by: Jesper Dangaard Brouer +Acked-by: Jason Wang +Link: https://lore.kernel.org/r/20220621114845.3650258-1-stephan.gerhold@kernkonzept.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/virtio_net.c | 25 ++++++------------------- + 1 file changed, 6 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 73aba760e10c..468d0ffc266b 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -2431,7 +2431,6 @@ static const struct ethtool_ops virtnet_ethtool_ops = { + static void virtnet_freeze_down(struct virtio_device *vdev) + { + struct virtnet_info *vi = vdev->priv; +- int i; + + /* Make sure no work handler is accessing the device */ + flush_work(&vi->config_work); +@@ -2439,14 +2438,8 @@ static void virtnet_freeze_down(struct virtio_device *vdev) + netif_tx_lock_bh(vi->dev); + netif_device_detach(vi->dev); + netif_tx_unlock_bh(vi->dev); +- cancel_delayed_work_sync(&vi->refill); +- +- if (netif_running(vi->dev)) { +- for (i = 0; i < vi->max_queue_pairs; i++) { +- napi_disable(&vi->rq[i].napi); +- virtnet_napi_tx_disable(&vi->sq[i].napi); +- } +- } ++ if (netif_running(vi->dev)) ++ virtnet_close(vi->dev); + } + + static int init_vqs(struct virtnet_info *vi); +@@ -2454,7 +2447,7 @@ static int init_vqs(struct virtnet_info *vi); + static int virtnet_restore_up(struct virtio_device *vdev) + { + struct virtnet_info *vi = vdev->priv; +- int err, i; ++ int err; + + err = init_vqs(vi); + if (err) +@@ -2463,15 +2456,9 @@ static int virtnet_restore_up(struct virtio_device *vdev) + virtio_device_ready(vdev); + + if (netif_running(vi->dev)) { +- for (i = 0; i < vi->curr_queue_pairs; i++) +- if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL)) +- schedule_delayed_work(&vi->refill, 0); +- +- for (i = 0; i < vi->max_queue_pairs; i++) { +- virtnet_napi_enable(vi->rq[i].vq, &vi->rq[i].napi); +- virtnet_napi_tx_enable(vi, vi->sq[i].vq, +- &vi->sq[i].napi); +- } ++ err = virtnet_open(vi->dev); ++ if (err) ++ return err; + } + + netif_tx_lock_bh(vi->dev); +-- +2.35.1 + diff --git a/queue-5.15/x86-xen-remove-undefined-behavior-in-setup_features.patch b/queue-5.15/x86-xen-remove-undefined-behavior-in-setup_features.patch new file mode 100644 index 00000000000..474ac660583 --- /dev/null +++ b/queue-5.15/x86-xen-remove-undefined-behavior-in-setup_features.patch @@ -0,0 +1,37 @@ +From 2d161481def0d608648b7f5bc2167ef75ef567e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Jun 2022 11:30:37 +0100 +Subject: x86/xen: Remove undefined behavior in setup_features() + +From: Julien Grall + +[ Upstream commit ecb6237fa397b7b810d798ad19322eca466dbab1 ] + +1 << 31 is undefined. So switch to 1U << 31. + +Fixes: 5ead97c84fa7 ("xen: Core Xen implementation") +Signed-off-by: Julien Grall +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/20220617103037.57828-1-julien@xen.org +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/xen/features.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/xen/features.c b/drivers/xen/features.c +index 7b591443833c..87f1828d40d5 100644 +--- a/drivers/xen/features.c ++++ b/drivers/xen/features.c +@@ -42,7 +42,7 @@ void xen_setup_features(void) + if (HYPERVISOR_xen_version(XENVER_get_features, &fi) < 0) + break; + for (j = 0; j < 32; j++) +- xen_features[i * 32 + j] = !!(fi.submap & 1< +Date: Wed, 1 Jun 2022 15:53:41 -0400 +Subject: xen-blkfront: Handle NULL gendisk +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jason Andryuk + +[ Upstream commit f9710c357e5bbf64d7ce45ba0bc75a52222491c1 ] + +When a VBD is not fully created and then closed, the kernel can have a +NULL pointer dereference: + +The reproducer is trivial: + +[user@dom0 ~]$ sudo xl block-attach work backend=sys-usb vdev=xvdi target=/dev/sdz +[user@dom0 ~]$ xl block-list work +Vdev BE handle state evt-ch ring-ref BE-path +51712 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51712 +51728 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51728 +51744 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51744 +51760 0 241 4 -1 -1 /local/domain/0/backend/vbd/241/51760 +51840 3 241 3 -1 -1 /local/domain/3/backend/vbd/241/51840 + ^ note state, the /dev/sdz doesn't exist in the backend + +[user@dom0 ~]$ sudo xl block-detach work xvdi +[user@dom0 ~]$ xl block-list work +Vdev BE handle state evt-ch ring-ref BE-path +work is an invalid domain identifier + +And its console has: + +BUG: kernel NULL pointer dereference, address: 0000000000000050 +PGD 80000000edebb067 P4D 80000000edebb067 PUD edec2067 PMD 0 +Oops: 0000 [#1] PREEMPT SMP PTI +CPU: 1 PID: 52 Comm: xenwatch Not tainted 5.16.18-2.43.fc32.qubes.x86_64 #1 +RIP: 0010:blk_mq_stop_hw_queues+0x5/0x40 +Code: 00 48 83 e0 fd 83 c3 01 48 89 85 a8 00 00 00 41 39 5c 24 50 77 c0 5b 5d 41 5c 41 5d c3 c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 <8b> 47 50 85 c0 74 32 41 54 49 89 fc 55 53 31 db 49 8b 44 24 48 48 +RSP: 0018:ffffc90000bcfe98 EFLAGS: 00010293 +RAX: ffffffffc0008370 RBX: 0000000000000005 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 +RBP: ffff88800775f000 R08: 0000000000000001 R09: ffff888006e620b8 +R10: ffff888006e620b0 R11: f000000000000000 R12: ffff8880bff39000 +R13: ffff8880bff39000 R14: 0000000000000000 R15: ffff88800604be00 +FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000050 CR3: 00000000e932e002 CR4: 00000000003706e0 +Call Trace: + + blkback_changed+0x95/0x137 [xen_blkfront] + ? read_reply+0x160/0x160 + xenwatch_thread+0xc0/0x1a0 + ? do_wait_intr_irq+0xa0/0xa0 + kthread+0x16b/0x190 + ? set_kthread_struct+0x40/0x40 + ret_from_fork+0x22/0x30 + +Modules linked in: snd_seq_dummy snd_hrtimer snd_seq snd_seq_device snd_timer snd soundcore ipt_REJECT nf_reject_ipv4 xt_state xt_conntrack nft_counter nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nft_compat nf_tables nfnetlink intel_rapl_msr intel_rapl_common crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel xen_netfront pcspkr xen_scsiback target_core_mod xen_netback xen_privcmd xen_gntdev xen_gntalloc xen_blkback xen_evtchn ipmi_devintf ipmi_msghandler fuse bpf_preload ip_tables overlay xen_blkfront +CR2: 0000000000000050 +---[ end trace 7bc9597fd06ae89d ]--- +RIP: 0010:blk_mq_stop_hw_queues+0x5/0x40 +Code: 00 48 83 e0 fd 83 c3 01 48 89 85 a8 00 00 00 41 39 5c 24 50 77 c0 5b 5d 41 5c 41 5d c3 c3 0f 1f 80 00 00 00 00 0f 1f 44 00 00 <8b> 47 50 85 c0 74 32 41 54 49 89 fc 55 53 31 db 49 8b 44 24 48 48 +RSP: 0018:ffffc90000bcfe98 EFLAGS: 00010293 +RAX: ffffffffc0008370 RBX: 0000000000000005 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 +RBP: ffff88800775f000 R08: 0000000000000001 R09: ffff888006e620b8 +R10: ffff888006e620b0 R11: f000000000000000 R12: ffff8880bff39000 +R13: ffff8880bff39000 R14: 0000000000000000 R15: ffff88800604be00 +FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000050 CR3: 00000000e932e002 CR4: 00000000003706e0 +Kernel panic - not syncing: Fatal exception +Kernel Offset: disabled + +info->rq and info->gd are only set in blkfront_connect(), which is +called for state 4 (XenbusStateConnected). Guard against using NULL +variables in blkfront_closing() to avoid the issue. + +The rest of blkfront_closing looks okay. If info->nr_rings is 0, then +for_each_rinfo won't do anything. + +blkfront_remove also needs to check for non-NULL pointers before +cleaning up the gendisk and request queue. + +Fixes: 05d69d950d9d "xen-blkfront: sanitize the removal state machine" +Reported-by: Marek Marczykowski-Górecki +Signed-off-by: Jason Andryuk +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/20220601195341.28581-1-jandryuk@gmail.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + drivers/block/xen-blkfront.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c +index 390817cf1221..d7a9bf43fb32 100644 +--- a/drivers/block/xen-blkfront.c ++++ b/drivers/block/xen-blkfront.c +@@ -2140,9 +2140,11 @@ static void blkfront_closing(struct blkfront_info *info) + return; + + /* No more blkif_request(). */ +- blk_mq_stop_hw_queues(info->rq); +- blk_mark_disk_dead(info->gd); +- set_capacity(info->gd, 0); ++ if (info->rq && info->gd) { ++ blk_mq_stop_hw_queues(info->rq); ++ blk_mark_disk_dead(info->gd); ++ set_capacity(info->gd, 0); ++ } + + for_each_rinfo(info, rinfo, i) { + /* No more gnttab callback work. */ +@@ -2478,16 +2480,19 @@ static int blkfront_remove(struct xenbus_device *xbdev) + + dev_dbg(&xbdev->dev, "%s removed", xbdev->nodename); + +- del_gendisk(info->gd); ++ if (info->gd) ++ del_gendisk(info->gd); + + mutex_lock(&blkfront_mutex); + list_del(&info->info_list); + mutex_unlock(&blkfront_mutex); + + blkif_free(info, 0); +- xlbd_release_minors(info->gd->first_minor, info->gd->minors); +- blk_cleanup_disk(info->gd); +- blk_mq_free_tag_set(&info->tag_set); ++ if (info->gd) { ++ xlbd_release_minors(info->gd->first_minor, info->gd->minors); ++ blk_cleanup_disk(info->gd); ++ blk_mq_free_tag_set(&info->tag_set); ++ } + + kfree(info); + return 0; +-- +2.35.1 + diff --git a/queue-5.15/xsk-fix-generic-transmit-when-completion-queue-reser.patch b/queue-5.15/xsk-fix-generic-transmit-when-completion-queue-reser.patch new file mode 100644 index 00000000000..8d8637642b1 --- /dev/null +++ b/queue-5.15/xsk-fix-generic-transmit-when-completion-queue-reser.patch @@ -0,0 +1,78 @@ +From 5bb2285427cf5425894e5a84d75137b5c672bc5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jun 2022 07:07:46 +0000 +Subject: xsk: Fix generic transmit when completion queue reservation fails + +From: Ciara Loftus + +[ Upstream commit a6e944f25cdbe6b82275402b8bc9a55ad7aac10b ] + +Two points of potential failure in the generic transmit function are: + + 1. completion queue (cq) reservation failure. + 2. skb allocation failure + +Originally the cq reservation was performed first, followed by the skb +allocation. Commit 675716400da6 ("xdp: fix possible cq entry leak") +reversed the order because at the time there was no mechanism available +to undo the cq reservation which could have led to possible cq entry leaks +in the event of skb allocation failure. However if the skb allocation is +performed first and the cq reservation then fails, the xsk skb destructor +is called which blindly adds the skb address to the already full cq leading +to undefined behavior. + +This commit restores the original order (cq reservation followed by skb +allocation) and uses the xskq_prod_cancel helper to undo the cq reserve +in event of skb allocation failure. + +Fixes: 675716400da6 ("xdp: fix possible cq entry leak") +Signed-off-by: Ciara Loftus +Signed-off-by: Daniel Borkmann +Acked-by: Magnus Karlsson +Link: https://lore.kernel.org/bpf/20220614070746.8871-1-ciara.loftus@intel.com +Signed-off-by: Sasha Levin +--- + net/xdp/xsk.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c +index 16cc38e51f14..9b55ca27cccf 100644 +--- a/net/xdp/xsk.c ++++ b/net/xdp/xsk.c +@@ -553,12 +553,6 @@ static int xsk_generic_xmit(struct sock *sk) + goto out; + } + +- skb = xsk_build_skb(xs, &desc); +- if (IS_ERR(skb)) { +- err = PTR_ERR(skb); +- goto out; +- } +- + /* This is the backpressure mechanism for the Tx path. + * Reserve space in the completion queue and only proceed + * if there is space in it. This avoids having to implement +@@ -567,11 +561,19 @@ static int xsk_generic_xmit(struct sock *sk) + spin_lock_irqsave(&xs->pool->cq_lock, flags); + if (xskq_prod_reserve(xs->pool->cq)) { + spin_unlock_irqrestore(&xs->pool->cq_lock, flags); +- kfree_skb(skb); + goto out; + } + spin_unlock_irqrestore(&xs->pool->cq_lock, flags); + ++ skb = xsk_build_skb(xs, &desc); ++ if (IS_ERR(skb)) { ++ err = PTR_ERR(skb); ++ spin_lock_irqsave(&xs->pool->cq_lock, flags); ++ xskq_prod_cancel(xs->pool->cq); ++ spin_unlock_irqrestore(&xs->pool->cq_lock, flags); ++ goto out; ++ } ++ + err = __dev_direct_xmit(skb, xs->queue_id); + if (err == NETDEV_TX_BUSY) { + /* Tell user-space to retry the send */ +-- +2.35.1 + -- 2.47.3