From 31018ac8bdefbc60775ca3a439cc6e2461a5f15e Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 20 Sep 2022 08:35:33 -0400 Subject: [PATCH] Revert "Revert patches that were queued while -rc is out" This reverts commit 59bc986c2688b6f17a058a9df186354e128141de. --- ...ebugfs-add-debugfs_lookup_and_remove.patch | 87 ++ ...eson-correct-osd1-global-alpha-value.patch | 40 + ...fi-libstub-disable-shadow-call-stack.patch | 39 + ...libstub-disable-struct-randomization.patch | 56 ++ ...-support-for-irq_type_level_low-flow.patch | 48 + ...f-by-one-error-in-unflatten_dt_nodes.patch | 41 + ...add-missing-iounmap-in-error-path-in.patch | 35 + queue-4.14/series | 7 + ...eson-correct-osd1-global-alpha-value.patch | 40 + ...fi-libstub-disable-shadow-call-stack.patch | 39 + ...libstub-disable-struct-randomization.patch | 56 ++ ...-support-for-irq_type_level_low-flow.patch | 48 + ...-check-return-value-of-debugfs_creat.patch | 104 +++ ...s-fix-memory-leak-when-using-debugfs.patch | 51 + queue-4.19/nvmet-fix-a-use-after-free.patch | 67 ++ ...f-by-one-error-in-unflatten_dt_nodes.patch | 41 + ...add-missing-iounmap-in-error-path-in.patch | 35 + queue-4.19/series | 9 + ...add-missing-iounmap-in-error-path-in.patch | 35 + queue-4.9/series | 1 + ...ine-bestcomm-fix-system-boot-lockups.patch | 141 +++ ...eson-correct-osd1-global-alpha-value.patch | 40 + ...on-fix-osd1-rgb-to-ycbcr-coefficient.patch | 47 + ...-support-for-irq_type_level_low-flow.patch | 48 + ...v-context-tracking-exit-guest-contex.patch | 53 ++ ...ounting-should-defer-vtime-accountin.patch | 121 +++ ...x-allow-use-of-phys-on-cpu-and-dsa-p.patch | 121 +++ ...pen-by-filehandle-and-nfs-re-export-.patch | 69 ++ ...f-by-one-error-in-unflatten_dt_nodes.patch | 41 + ...add-missing-iounmap-in-error-path-in.patch | 35 + ...nel-data-mapping-in-set_pte_at-when-.patch | 101 ++ ...isc-optimize-per-pagetable-spinlocks.patch | 879 ++++++++++++++++++ ...inctrl-sunxi-fix-name-for-a100-r_pio.patch | 38 + ...el-hid-add-quirk-to-support-surface-.patch | 44 + ...mobility-ignore-ibm-platform-facilit.patch | 181 ++++ ...mobility-refactor-node-lookup-during.patch | 154 +++ ...reporting-real-baudrate-value-in-c_o.patch | 84 ++ queue-5.10/series | 19 + ...ler_addr-to-hardirq_-enable-disable-.patch | 60 ++ ...-fix-new-urb-never-complete-if-ep-ca.patch | 102 ++ ...-use-more-system-keyrings-to-verify-.patch | 74 ++ ...enter-__bio_queue_enter-must-return-.patch | 55 ++ ...eson-correct-osd1-global-alpha-value.patch | 40 + ...on-fix-osd1-rgb-to-ycbcr-coefficient.patch | 47 + ...c-fix-build-warning-when-config_pm-n.patch | 54 ++ ...-support-for-irq_type_level_low-flow.patch | 48 + ...s-fix-memory-leak-when-using-debugfs.patch | 51 + ...pen-by-filehandle-and-nfs-re-export-.patch | 69 ++ ...f-by-one-error-in-unflatten_dt_nodes.patch | 41 + ...add-missing-iounmap-in-error-path-in.patch | 35 + ...rl-qcom-sc8180x-fix-gpio_wakeirq_map.patch | 40 + ...l-qcom-sc8180x-fix-wrong-pin-numbers.patch | 45 + ...-enhance-support-for-irq_type_edge_b.patch | 49 + ...inctrl-sunxi-fix-name-for-a100-r_pio.patch | 38 + ...ove-redundant-assignment-in-rs485_co.patch | 46 + queue-5.15/series | 17 + ...-preserve-previous-usart-mode-if-rs4.patch | 74 ++ ...se-after-free-read-in-usb_udc_uevent.patch | 78 ++ ...enter-__bio_queue_enter-must-return-.patch | 55 ++ ...cel-guc-engine-busyness-worker-synch.patch | 52 ++ ...-t-update-engine-busyness-stats-too-.patch | 124 +++ ...t-vdsc-pic_height-before-using-for-d.patch | 73 ++ ...eson-correct-osd1-global-alpha-value.patch | 40 + ...on-fix-osd1-rgb-to-ycbcr-coefficient.patch | 47 + ...p-fix-delays-for-innolux-n116bca-ea1.patch | 53 ++ ...ip-vop2-fix-edp-hdmi-sync-polarities.patch | 46 + ...-support-for-irq_type_level_low-flow.patch | 48 + ...s-fix-memory-leak-when-using-debugfs.patch | 51 + ...pen-by-filehandle-and-nfs-re-export-.patch | 69 ++ ...ode-bits-after-allocate-and-dealloca.patch | 123 +++ ...f-by-one-error-in-unflatten_dt_nodes.patch | 41 + ...add-missing-iounmap-in-error-path-in.patch | 35 + ...rl-qcom-sc8180x-fix-gpio_wakeirq_map.patch | 40 + ...l-qcom-sc8180x-fix-wrong-pin-numbers.patch | 45 + ...-enhance-support-for-irq_type_edge_b.patch | 49 + ...inctrl-sunxi-fix-name-for-a100-r_pio.patch | 38 + ...c-remove-unreachable-error-condition.patch | 41 + queue-5.19/series | 20 + ...ll-completion-races-with-call_decode.patch | 59 ++ ...-pcm-oss-fix-race-at-sndctl_dsp_sync.patch | 53 ++ ...15-implement-waedplinkratedatareload.patch | 95 ++ ...eson-correct-osd1-global-alpha-value.patch | 40 + ...on-fix-osd1-rgb-to-ycbcr-coefficient.patch | 47 + ...fi-libstub-disable-shadow-call-stack.patch | 39 + ...libstub-disable-struct-randomization.patch | 56 ++ ...-support-for-irq_type_level_low-flow.patch | 48 + ...pen-by-filehandle-and-nfs-re-export-.patch | 69 ++ ...f-by-one-error-in-unflatten_dt_nodes.patch | 41 + ...add-missing-iounmap-in-error-path-in.patch | 35 + ...memory-corruption-caused-by-multiple.patch | 75 ++ ...ut-sd-flag-names-rather-than-their-v.patch | 107 +++ queue-5.4/series | 14 + ...k-x86-cea-force-inline-stack-helpers.patch | 53 ++ ...ler_addr-to-hardirq_-enable-disable-.patch | 58 ++ 94 files changed, 6137 insertions(+) create mode 100644 queue-4.14/debugfs-add-debugfs_lookup_and_remove.patch create mode 100644 queue-4.14/drm-meson-correct-osd1-global-alpha-value.patch create mode 100644 queue-4.14/efi-libstub-disable-shadow-call-stack.patch create mode 100644 queue-4.14/efi-libstub-disable-struct-randomization.patch create mode 100644 queue-4.14/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch create mode 100644 queue-4.14/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch create mode 100644 queue-4.14/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch create mode 100644 queue-4.19/drm-meson-correct-osd1-global-alpha-value.patch create mode 100644 queue-4.19/efi-libstub-disable-shadow-call-stack.patch create mode 100644 queue-4.19/efi-libstub-disable-struct-randomization.patch create mode 100644 queue-4.19/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch create mode 100644 queue-4.19/mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch create mode 100644 queue-4.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch create mode 100644 queue-4.19/nvmet-fix-a-use-after-free.patch create mode 100644 queue-4.19/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch create mode 100644 queue-4.19/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch create mode 100644 queue-4.9/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch create mode 100644 queue-5.10/dmaengine-bestcomm-fix-system-boot-lockups.patch create mode 100644 queue-5.10/drm-meson-correct-osd1-global-alpha-value.patch create mode 100644 queue-5.10/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch create mode 100644 queue-5.10/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch create mode 100644 queue-5.10/kvm-ppc-book3s-hv-context-tracking-exit-guest-contex.patch create mode 100644 queue-5.10/kvm-ppc-tick-accounting-should-defer-vtime-accountin.patch create mode 100644 queue-5.10/net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-p.patch create mode 100644 queue-5.10/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch create mode 100644 queue-5.10/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch create mode 100644 queue-5.10/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch create mode 100644 queue-5.10/parisc-flush-kernel-data-mapping-in-set_pte_at-when-.patch create mode 100644 queue-5.10/parisc-optimize-per-pagetable-spinlocks.patch create mode 100644 queue-5.10/pinctrl-sunxi-fix-name-for-a100-r_pio.patch create mode 100644 queue-5.10/platform-x86-intel-hid-add-quirk-to-support-surface-.patch create mode 100644 queue-5.10/powerpc-pseries-mobility-ignore-ibm-platform-facilit.patch create mode 100644 queue-5.10/powerpc-pseries-mobility-refactor-node-lookup-during.patch create mode 100644 queue-5.10/serial-8250-fix-reporting-real-baudrate-value-in-c_o.patch create mode 100644 queue-5.10/tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch create mode 100644 queue-5.10/usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-ca.patch create mode 100644 queue-5.15/arm64-kexec_file-use-more-system-keyrings-to-verify-.patch create mode 100644 queue-5.15/block-blk_queue_enter-__bio_queue_enter-must-return-.patch create mode 100644 queue-5.15/drm-meson-correct-osd1-global-alpha-value.patch create mode 100644 queue-5.15/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch create mode 100644 queue-5.15/drm-tegra-vic-fix-build-warning-when-config_pm-n.patch create mode 100644 queue-5.15/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch create mode 100644 queue-5.15/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch create mode 100644 queue-5.15/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch create mode 100644 queue-5.15/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch create mode 100644 queue-5.15/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch create mode 100644 queue-5.15/pinctrl-qcom-sc8180x-fix-gpio_wakeirq_map.patch create mode 100644 queue-5.15/pinctrl-qcom-sc8180x-fix-wrong-pin-numbers.patch create mode 100644 queue-5.15/pinctrl-rockchip-enhance-support-for-irq_type_edge_b.patch create mode 100644 queue-5.15/pinctrl-sunxi-fix-name-for-a100-r_pio.patch create mode 100644 queue-5.15/serial-atmel-remove-redundant-assignment-in-rs485_co.patch create mode 100644 queue-5.15/tty-serial-atmel-preserve-previous-usart-mode-if-rs4.patch create mode 100644 queue-5.15/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch create mode 100644 queue-5.19/block-blk_queue_enter-__bio_queue_enter-must-return-.patch create mode 100644 queue-5.19/drm-i915-guc-cancel-guc-engine-busyness-worker-synch.patch create mode 100644 queue-5.19/drm-i915-guc-don-t-update-engine-busyness-stats-too-.patch create mode 100644 queue-5.19/drm-i915-vdsc-set-vdsc-pic_height-before-using-for-d.patch create mode 100644 queue-5.19/drm-meson-correct-osd1-global-alpha-value.patch create mode 100644 queue-5.19/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch create mode 100644 queue-5.19/drm-panel-edp-fix-delays-for-innolux-n116bca-ea1.patch create mode 100644 queue-5.19/drm-rockchip-vop2-fix-edp-hdmi-sync-polarities.patch create mode 100644 queue-5.19/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch create mode 100644 queue-5.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch create mode 100644 queue-5.19/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch create mode 100644 queue-5.19/nfsv4.2-update-mode-bits-after-allocate-and-dealloca.patch create mode 100644 queue-5.19/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch create mode 100644 queue-5.19/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch create mode 100644 queue-5.19/pinctrl-qcom-sc8180x-fix-gpio_wakeirq_map.patch create mode 100644 queue-5.19/pinctrl-qcom-sc8180x-fix-wrong-pin-numbers.patch create mode 100644 queue-5.19/pinctrl-rockchip-enhance-support-for-irq_type_edge_b.patch create mode 100644 queue-5.19/pinctrl-sunxi-fix-name-for-a100-r_pio.patch create mode 100644 queue-5.19/revert-sunrpc-remove-unreachable-error-condition.patch create mode 100644 queue-5.19/sunrpc-fix-call-completion-races-with-call_decode.patch create mode 100644 queue-5.4/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch create mode 100644 queue-5.4/drm-i915-implement-waedplinkratedatareload.patch create mode 100644 queue-5.4/drm-meson-correct-osd1-global-alpha-value.patch create mode 100644 queue-5.4/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch create mode 100644 queue-5.4/efi-libstub-disable-shadow-call-stack.patch create mode 100644 queue-5.4/efi-libstub-disable-struct-randomization.patch create mode 100644 queue-5.4/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch create mode 100644 queue-5.4/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch create mode 100644 queue-5.4/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch create mode 100644 queue-5.4/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch create mode 100644 queue-5.4/sched-debug-fix-memory-corruption-caused-by-multiple.patch create mode 100644 queue-5.4/sched-debug-output-sd-flag-names-rather-than-their-v.patch create mode 100644 queue-5.4/task_stack-x86-cea-force-inline-stack-helpers.patch create mode 100644 queue-5.4/tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch diff --git a/queue-4.14/debugfs-add-debugfs_lookup_and_remove.patch b/queue-4.14/debugfs-add-debugfs_lookup_and_remove.patch new file mode 100644 index 00000000000..367fd94ea09 --- /dev/null +++ b/queue-4.14/debugfs-add-debugfs_lookup_and_remove.patch @@ -0,0 +1,87 @@ +From 044233e644fd5568664b71907ba2ee48b4665e36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 16:59:15 +0200 +Subject: debugfs: add debugfs_lookup_and_remove() + +From: Greg Kroah-Hartman + +[ Upstream commit dec9b2f1e0455a151a7293c367da22ab973f713e ] + +There is a very common pattern of using +debugfs_remove(debufs_lookup(..)) which results in a dentry leak of the +dentry that was looked up. Instead of having to open-code the correct +pattern of calling dput() on the dentry, create +debugfs_lookup_and_remove() to handle this pattern automatically and +properly without any memory leaks. + +Cc: stable +Reported-by: Kuyo Chang +Tested-by: Kuyo Chang +Link: https://lore.kernel.org/r/YxIaQ8cSinDR881k@kroah.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/debugfs/inode.c | 22 ++++++++++++++++++++++ + include/linux/debugfs.h | 6 ++++++ + 2 files changed, 28 insertions(+) + +diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c +index f4df6feec271..58175679eedd 100644 +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -745,6 +745,28 @@ void debugfs_remove_recursive(struct dentry *dentry) + } + EXPORT_SYMBOL_GPL(debugfs_remove_recursive); + ++/** ++ * debugfs_lookup_and_remove - lookup a directory or file and recursively remove it ++ * @name: a pointer to a string containing the name of the item to look up. ++ * @parent: a pointer to the parent dentry of the item. ++ * ++ * This is the equlivant of doing something like ++ * debugfs_remove(debugfs_lookup(..)) but with the proper reference counting ++ * handled for the directory being looked up. ++ */ ++void debugfs_lookup_and_remove(const char *name, struct dentry *parent) ++{ ++ struct dentry *dentry; ++ ++ dentry = debugfs_lookup(name, parent); ++ if (!dentry) ++ return; ++ ++ debugfs_remove(dentry); ++ dput(dentry); ++} ++EXPORT_SYMBOL_GPL(debugfs_lookup_and_remove); ++ + /** + * debugfs_rename - rename a file/directory in the debugfs filesystem + * @old_dir: a pointer to the parent dentry for the renamed object. This +diff --git a/include/linux/debugfs.h b/include/linux/debugfs.h +index 755033acd2b0..497aac2c20d6 100644 +--- a/include/linux/debugfs.h ++++ b/include/linux/debugfs.h +@@ -111,6 +111,8 @@ void debugfs_remove_recursive(struct dentry *dentry); + int debugfs_use_file_start(const struct dentry *dentry, int *srcu_idx) + __acquires(&debugfs_srcu); + ++void debugfs_lookup_and_remove(const char *name, struct dentry *parent); ++ + void debugfs_use_file_finish(int srcu_idx) __releases(&debugfs_srcu); + + ssize_t debugfs_attr_read(struct file *file, char __user *buf, +@@ -240,6 +242,10 @@ static inline void debugfs_remove(struct dentry *dentry) + static inline void debugfs_remove_recursive(struct dentry *dentry) + { } + ++static inline void debugfs_lookup_and_remove(const char *name, ++ struct dentry *parent) ++{ } ++ + static inline int debugfs_use_file_start(const struct dentry *dentry, + int *srcu_idx) + __acquires(&debugfs_srcu) +-- +2.35.1 + diff --git a/queue-4.14/drm-meson-correct-osd1-global-alpha-value.patch b/queue-4.14/drm-meson-correct-osd1-global-alpha-value.patch new file mode 100644 index 00000000000..ffc5861cbf8 --- /dev/null +++ b/queue-4.14/drm-meson-correct-osd1-global-alpha-value.patch @@ -0,0 +1,40 @@ +From c2a539a46d95cc0032f863364a80e8476c792ef6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:51:03 +0100 +Subject: drm/meson: Correct OSD1 global alpha value + +From: Stuart Menefy + +[ Upstream commit 6836829c8ea453c9e3e518e61539e35881c8ed5f ] + +VIU_OSD1_CTRL_STAT.GLOBAL_ALPHA is a 9 bit field, so the maximum +value is 0x100 not 0xff. + +This matches the vendor kernel. + +Signed-off-by: Stuart Menefy +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220908155103.686904-1-stuart.menefy@mathembedded.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_plane.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c +index 85fa39e2be34..75132d0c5c28 100644 +--- a/drivers/gpu/drm/meson/meson_plane.c ++++ b/drivers/gpu/drm/meson/meson_plane.c +@@ -105,7 +105,7 @@ static void meson_plane_atomic_update(struct drm_plane *plane, + + /* Enable OSD and BLK0, set max global alpha */ + priv->viu.osd1_ctrl_stat = OSD_ENABLE | +- (0xFF << OSD_GLOBAL_ALPHA_SHIFT) | ++ (0x100 << OSD_GLOBAL_ALPHA_SHIFT) | + OSD_BLK0_ENABLE; + + /* Set up BLK0 to point to the right canvas */ +-- +2.35.1 + diff --git a/queue-4.14/efi-libstub-disable-shadow-call-stack.patch b/queue-4.14/efi-libstub-disable-shadow-call-stack.patch new file mode 100644 index 00000000000..62f98d55f26 --- /dev/null +++ b/queue-4.14/efi-libstub-disable-shadow-call-stack.patch @@ -0,0 +1,39 @@ +From 55705a151da312dbfb05b8e47e6a40f58f6f29ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 09:00:18 -0700 +Subject: efi/libstub: Disable Shadow Call Stack + +From: Sami Tolvanen + +[ Upstream commit cc49c71d2abe99c1c2c9bedf0693ad2d3ee4a067 ] + +Shadow stacks are not available in the EFI stub, filter out SCS flags. + +Suggested-by: James Morse +Signed-off-by: Sami Tolvanen +Reviewed-by: Kees Cook +Acked-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Stable-dep-of: 1a3887924a7e ("efi: libstub: Disable struct randomization") +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index 678bc910e080..54dbcec7e06f 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -23,6 +23,9 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ + $(call cc-option,-ffreestanding) \ + $(call cc-option,-fno-stack-protector) + ++# remove SCS flags from all objects in this directory ++KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS)) ++ + GCOV_PROFILE := n + KASAN_SANITIZE := n + UBSAN_SANITIZE := n +-- +2.35.1 + diff --git a/queue-4.14/efi-libstub-disable-struct-randomization.patch b/queue-4.14/efi-libstub-disable-struct-randomization.patch new file mode 100644 index 00000000000..cde40a74dbd --- /dev/null +++ b/queue-4.14/efi-libstub-disable-struct-randomization.patch @@ -0,0 +1,56 @@ +From 2d977350ae0a9d976238451123e8d48e6ec55fcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 19:20:33 +0200 +Subject: efi: libstub: Disable struct randomization + +From: Ard Biesheuvel + +[ Upstream commit 1a3887924a7e6edd331be76da7bf4c1e8eab4b1e ] + +The EFI stub is a wrapper around the core kernel that makes it look like +a EFI compatible PE/COFF application to the EFI firmware. EFI +applications run on top of the EFI runtime, which is heavily based on +so-called protocols, which are struct types consisting [mostly] of +function pointer members that are instantiated and recorded in a +protocol database. + +These structs look like the ideal randomization candidates to the +randstruct plugin (as they only carry function pointers), but of course, +these protocols are contracts between the firmware that exposes them, +and the EFI applications (including our stubbed kernel) that invoke +them. This means that struct randomization for EFI protocols is not a +great idea, and given that the stub shares very little data with the +core kernel that is represented as a randomizable struct, we're better +off just disabling it completely here. + +Cc: # v4.14+ +Reported-by: Daniel Marth +Tested-by: Daniel Marth +Signed-off-by: Ard Biesheuvel +Acked-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index 54dbcec7e06f..7dc2d093962e 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -23,6 +23,13 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ + $(call cc-option,-ffreestanding) \ + $(call cc-option,-fno-stack-protector) + ++# ++# struct randomization only makes sense for Linux internal types, which the EFI ++# stub code never touches, so let's turn off struct randomization for the stub ++# altogether ++# ++KBUILD_CFLAGS := $(filter-out $(RANDSTRUCT_CFLAGS), $(KBUILD_CFLAGS)) ++ + # remove SCS flags from all objects in this directory + KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS)) + +-- +2.35.1 + diff --git a/queue-4.14/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch b/queue-4.14/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch new file mode 100644 index 00000000000..dc359aa0fcd --- /dev/null +++ b/queue-4.14/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch @@ -0,0 +1,48 @@ +From 315d4c4983d6ef371856ba5121a1ceecb8c013ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 12:54:31 +0200 +Subject: gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in + mpc85xx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 279c12df8d2efb28def9d037f288cbfb97c30fe2 ] + +Commit e39d5ef67804 ("powerpc/5xxx: extend mpc8xxx_gpio driver to support +mpc512x gpios") implemented support for IRQ_TYPE_LEVEL_LOW flow type in +mpc512x via falling edge type. Do same for mpc85xx which support was added +in commit 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio"). + +Fixes probing of lm90 hwmon driver on mpc85xx based board which use level +interrupt. Without it kernel prints error and refuse lm90 to work: + + [ 15.258370] genirq: Setting trigger mode 8 for irq 49 failed (mpc8xxx_irq_set_type+0x0/0xf8) + [ 15.267168] lm90 0-004c: cannot request IRQ 49 + [ 15.272708] lm90: probe of 0-004c failed with error -22 + +Fixes: 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio") +Signed-off-by: Pali Rohár +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mpc8xxx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c +index d5f735ce0dd4..1b213c49ec0f 100644 +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -157,6 +157,7 @@ static int mpc8xxx_irq_set_type(struct irq_data *d, unsigned int flow_type) + + switch (flow_type) { + case IRQ_TYPE_EDGE_FALLING: ++ case IRQ_TYPE_LEVEL_LOW: + raw_spin_lock_irqsave(&mpc8xxx_gc->lock, flags); + gc->write_reg(mpc8xxx_gc->regs + GPIO_ICR, + gc->read_reg(mpc8xxx_gc->regs + GPIO_ICR) +-- +2.35.1 + diff --git a/queue-4.14/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch b/queue-4.14/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch new file mode 100644 index 00000000000..21302560bf1 --- /dev/null +++ b/queue-4.14/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch @@ -0,0 +1,41 @@ +From cfb1ca26f15562b1a924bb14c76f7eb3bbc4c3bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Aug 2022 23:34:16 +0300 +Subject: of: fdt: fix off-by-one error in unflatten_dt_nodes() + +From: Sergey Shtylyov + +[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ] + +Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +forgot to fix up the depth check in the loop body in unflatten_dt_nodes() +which makes it possible to overflow the nps[] buffer... + +Found by Linux Verification Center (linuxtesting.org) with the SVACE static +analysis tool. + +Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index 512d3a8439c9..cc9b8c699da4 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -425,7 +425,7 @@ static int unflatten_dt_nodes(const void *blob, + for (offset = 0; + offset >= 0 && depth >= initial_depth; + offset = fdt_next_node(blob, offset, &depth)) { +- if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH)) ++ if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH - 1)) + continue; + + fpsizes[depth+1] = populate_node(blob, offset, &mem, +-- +2.35.1 + diff --git a/queue-4.14/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch b/queue-4.14/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch new file mode 100644 index 00000000000..860ed1adcdb --- /dev/null +++ b/queue-4.14/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch @@ -0,0 +1,35 @@ +From b2feba6ed16fc1bb6c2bc3195aa94f592c8a49d2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 17:36:57 +0800 +Subject: parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() + +From: Yang Yingliang + +[ Upstream commit 38238be4e881a5d0abbe4872b4cd6ed790be06c8 ] + +Add missing iounmap() before return from ccio_probe(), if ccio_init_resources() +fails. + +Fixes: d46c742f827f ("parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()") +Signed-off-by: Yang Yingliang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/parisc/ccio-dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c +index cc23b30337c1..afae74a99df1 100644 +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -1581,6 +1581,7 @@ static int __init ccio_probe(struct parisc_device *dev) + } + ccio_ioc_init(ioc); + if (ccio_init_resources(ioc)) { ++ iounmap(ioc->ioc_regs); + kfree(ioc); + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-4.14/series b/queue-4.14/series index e69de29bb2d..867a6eae03c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -0,0 +1,7 @@ +of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch +gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch +drm-meson-correct-osd1-global-alpha-value.patch +parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch +efi-libstub-disable-shadow-call-stack.patch +efi-libstub-disable-struct-randomization.patch +debugfs-add-debugfs_lookup_and_remove.patch diff --git a/queue-4.19/drm-meson-correct-osd1-global-alpha-value.patch b/queue-4.19/drm-meson-correct-osd1-global-alpha-value.patch new file mode 100644 index 00000000000..f950189a6c9 --- /dev/null +++ b/queue-4.19/drm-meson-correct-osd1-global-alpha-value.patch @@ -0,0 +1,40 @@ +From 0e369de2c7b1ef569fd85b881e5299860ddf416f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:51:03 +0100 +Subject: drm/meson: Correct OSD1 global alpha value + +From: Stuart Menefy + +[ Upstream commit 6836829c8ea453c9e3e518e61539e35881c8ed5f ] + +VIU_OSD1_CTRL_STAT.GLOBAL_ALPHA is a 9 bit field, so the maximum +value is 0x100 not 0xff. + +This matches the vendor kernel. + +Signed-off-by: Stuart Menefy +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220908155103.686904-1-stuart.menefy@mathembedded.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_plane.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c +index c7daae53fa1f..26ff2dc56419 100644 +--- a/drivers/gpu/drm/meson/meson_plane.c ++++ b/drivers/gpu/drm/meson/meson_plane.c +@@ -101,7 +101,7 @@ static void meson_plane_atomic_update(struct drm_plane *plane, + + /* Enable OSD and BLK0, set max global alpha */ + priv->viu.osd1_ctrl_stat = OSD_ENABLE | +- (0xFF << OSD_GLOBAL_ALPHA_SHIFT) | ++ (0x100 << OSD_GLOBAL_ALPHA_SHIFT) | + OSD_BLK0_ENABLE; + + /* Set up BLK0 to point to the right canvas */ +-- +2.35.1 + diff --git a/queue-4.19/efi-libstub-disable-shadow-call-stack.patch b/queue-4.19/efi-libstub-disable-shadow-call-stack.patch new file mode 100644 index 00000000000..7ee291a30b4 --- /dev/null +++ b/queue-4.19/efi-libstub-disable-shadow-call-stack.patch @@ -0,0 +1,39 @@ +From 617bdc131a75a444da24b369185c61fd864cba4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 09:00:18 -0700 +Subject: efi/libstub: Disable Shadow Call Stack + +From: Sami Tolvanen + +[ Upstream commit cc49c71d2abe99c1c2c9bedf0693ad2d3ee4a067 ] + +Shadow stacks are not available in the EFI stub, filter out SCS flags. + +Suggested-by: James Morse +Signed-off-by: Sami Tolvanen +Reviewed-by: Kees Cook +Acked-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Stable-dep-of: 1a3887924a7e ("efi: libstub: Disable struct randomization") +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index d3777d754984..e0cff3b942ac 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -31,6 +31,9 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ + $(call cc-option,-fno-addrsig) \ + -D__DISABLE_EXPORTS + ++# remove SCS flags from all objects in this directory ++KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS)) ++ + GCOV_PROFILE := n + KASAN_SANITIZE := n + UBSAN_SANITIZE := n +-- +2.35.1 + diff --git a/queue-4.19/efi-libstub-disable-struct-randomization.patch b/queue-4.19/efi-libstub-disable-struct-randomization.patch new file mode 100644 index 00000000000..1b618a27378 --- /dev/null +++ b/queue-4.19/efi-libstub-disable-struct-randomization.patch @@ -0,0 +1,56 @@ +From 647b9e3ae48fd6671991e42990051a828b138273 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 19:20:33 +0200 +Subject: efi: libstub: Disable struct randomization + +From: Ard Biesheuvel + +[ Upstream commit 1a3887924a7e6edd331be76da7bf4c1e8eab4b1e ] + +The EFI stub is a wrapper around the core kernel that makes it look like +a EFI compatible PE/COFF application to the EFI firmware. EFI +applications run on top of the EFI runtime, which is heavily based on +so-called protocols, which are struct types consisting [mostly] of +function pointer members that are instantiated and recorded in a +protocol database. + +These structs look like the ideal randomization candidates to the +randstruct plugin (as they only carry function pointers), but of course, +these protocols are contracts between the firmware that exposes them, +and the EFI applications (including our stubbed kernel) that invoke +them. This means that struct randomization for EFI protocols is not a +great idea, and given that the stub shares very little data with the +core kernel that is represented as a randomizable struct, we're better +off just disabling it completely here. + +Cc: # v4.14+ +Reported-by: Daniel Marth +Tested-by: Daniel Marth +Signed-off-by: Ard Biesheuvel +Acked-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index e0cff3b942ac..7fad5d90898b 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -31,6 +31,13 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ + $(call cc-option,-fno-addrsig) \ + -D__DISABLE_EXPORTS + ++# ++# struct randomization only makes sense for Linux internal types, which the EFI ++# stub code never touches, so let's turn off struct randomization for the stub ++# altogether ++# ++KBUILD_CFLAGS := $(filter-out $(RANDSTRUCT_CFLAGS), $(KBUILD_CFLAGS)) ++ + # remove SCS flags from all objects in this directory + KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS)) + +-- +2.35.1 + diff --git a/queue-4.19/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch b/queue-4.19/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch new file mode 100644 index 00000000000..e1c4aa46021 --- /dev/null +++ b/queue-4.19/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch @@ -0,0 +1,48 @@ +From 1ab1d96aead014336703902c9c5d3679da158592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 12:54:31 +0200 +Subject: gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in + mpc85xx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 279c12df8d2efb28def9d037f288cbfb97c30fe2 ] + +Commit e39d5ef67804 ("powerpc/5xxx: extend mpc8xxx_gpio driver to support +mpc512x gpios") implemented support for IRQ_TYPE_LEVEL_LOW flow type in +mpc512x via falling edge type. Do same for mpc85xx which support was added +in commit 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio"). + +Fixes probing of lm90 hwmon driver on mpc85xx based board which use level +interrupt. Without it kernel prints error and refuse lm90 to work: + + [ 15.258370] genirq: Setting trigger mode 8 for irq 49 failed (mpc8xxx_irq_set_type+0x0/0xf8) + [ 15.267168] lm90 0-004c: cannot request IRQ 49 + [ 15.272708] lm90: probe of 0-004c failed with error -22 + +Fixes: 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio") +Signed-off-by: Pali Rohár +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mpc8xxx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c +index 1899d172590b..546f8c453add 100644 +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -168,6 +168,7 @@ static int mpc8xxx_irq_set_type(struct irq_data *d, unsigned int flow_type) + + switch (flow_type) { + case IRQ_TYPE_EDGE_FALLING: ++ case IRQ_TYPE_LEVEL_LOW: + raw_spin_lock_irqsave(&mpc8xxx_gc->lock, flags); + gc->write_reg(mpc8xxx_gc->regs + GPIO_ICR, + gc->read_reg(mpc8xxx_gc->regs + GPIO_ICR) +-- +2.35.1 + diff --git a/queue-4.19/mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch b/queue-4.19/mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch new file mode 100644 index 00000000000..5eed70d48ff --- /dev/null +++ b/queue-4.19/mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch @@ -0,0 +1,104 @@ +From 5eb23f2971df4366d2eb73db722e7c3358816f76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Aug 2019 12:17:28 +0200 +Subject: mvpp2: no need to check return value of debugfs_create functions + +From: Greg Kroah-Hartman + +[ Upstream commit e6882aa623f6fe0d80fa82ebf3ee78c353bffbe1 ] + +When calling debugfs functions, there is no need to ever check the +return value. The function can work or not, but the code logic should +never do something different based on this. + +Cc: "David S. Miller" +Cc: Maxime Chevallier +Cc: Nick Desaulniers +Cc: Nathan Huckleberry +Cc: netdev@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Stable-dep-of: fe2c9c61f668 ("net: mvpp2: debugfs: fix memory leak when using debugfs_lookup()") +Signed-off-by: Sasha Levin +--- + .../ethernet/marvell/mvpp2/mvpp2_debugfs.c | 19 +------------------ + 1 file changed, 1 insertion(+), 18 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +index f9744a61e5dd..87d9cbe10cec 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +@@ -484,8 +484,6 @@ static int mvpp2_dbgfs_flow_port_init(struct dentry *parent, + struct dentry *port_dir; + + port_dir = debugfs_create_dir(port->dev->name, parent); +- if (IS_ERR(port_dir)) +- return PTR_ERR(port_dir); + + /* This will be freed by 'hash_opts' release op */ + port_entry = kmalloc(sizeof(*port_entry), GFP_KERNEL); +@@ -515,8 +513,6 @@ static int mvpp2_dbgfs_flow_entry_init(struct dentry *parent, + sprintf(flow_entry_name, "%02d", flow); + + flow_entry_dir = debugfs_create_dir(flow_entry_name, parent); +- if (!flow_entry_dir) +- return -ENOMEM; + + /* This will be freed by 'type' release op */ + entry = kmalloc(sizeof(*entry), GFP_KERNEL); +@@ -554,8 +550,6 @@ static int mvpp2_dbgfs_flow_init(struct dentry *parent, struct mvpp2 *priv) + int i, ret; + + flow_dir = debugfs_create_dir("flows", parent); +- if (!flow_dir) +- return -ENOMEM; + + for (i = 0; i < MVPP2_N_FLOWS; i++) { + ret = mvpp2_dbgfs_flow_entry_init(flow_dir, priv, i); +@@ -579,8 +573,6 @@ static int mvpp2_dbgfs_prs_entry_init(struct dentry *parent, + sprintf(prs_entry_name, "%03d", tid); + + prs_entry_dir = debugfs_create_dir(prs_entry_name, parent); +- if (!prs_entry_dir) +- return -ENOMEM; + + /* The 'valid' entry's ops will free that */ + entry = kmalloc(sizeof(*entry), GFP_KERNEL); +@@ -618,8 +610,6 @@ static int mvpp2_dbgfs_prs_init(struct dentry *parent, struct mvpp2 *priv) + int i, ret; + + prs_dir = debugfs_create_dir("parser", parent); +- if (!prs_dir) +- return -ENOMEM; + + for (i = 0; i < MVPP2_PRS_TCAM_SRAM_SIZE; i++) { + ret = mvpp2_dbgfs_prs_entry_init(prs_dir, priv, i); +@@ -636,8 +626,6 @@ static int mvpp2_dbgfs_port_init(struct dentry *parent, + struct dentry *port_dir; + + port_dir = debugfs_create_dir(port->dev->name, parent); +- if (IS_ERR(port_dir)) +- return PTR_ERR(port_dir); + + debugfs_create_file("parser_entries", 0444, port_dir, port, + &mvpp2_dbgfs_port_parser_fops); +@@ -671,15 +659,10 @@ void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name) + int ret, i; + + mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL); +- if (!mvpp2_root) { ++ if (!mvpp2_root) + mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL); +- if (IS_ERR(mvpp2_root)) +- return; +- } + + mvpp2_dir = debugfs_create_dir(name, mvpp2_root); +- if (IS_ERR(mvpp2_dir)) +- return; + + priv->dbgfs_dir = mvpp2_dir; + +-- +2.35.1 + diff --git a/queue-4.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch b/queue-4.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch new file mode 100644 index 00000000000..6c2dd8f111f --- /dev/null +++ b/queue-4.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch @@ -0,0 +1,51 @@ +From 3feb4d894fc97629b74ff051ec35f09cf7ed11eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 15:41:11 +0200 +Subject: net: mvpp2: debugfs: fix memory leak when using debugfs_lookup() + +From: Greg Kroah-Hartman + +[ Upstream commit fe2c9c61f668cde28dac2b188028c5299cedcc1e ] + +When calling debugfs_lookup() the result must have dput() called on it, +otherwise the memory will leak over time. Fix this up to be much +simpler logic and only create the root debugfs directory once when the +driver is first accessed. That resolves the memory leak and makes +things more obvious as to what the intent is. + +Cc: Marcin Wojtas +Cc: Russell King +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: netdev@vger.kernel.org +Cc: stable +Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +index 87d9cbe10cec..a43bfb86f315 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +@@ -655,10 +655,10 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv) + + void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name) + { +- struct dentry *mvpp2_dir, *mvpp2_root; ++ static struct dentry *mvpp2_root; ++ struct dentry *mvpp2_dir; + int ret, i; + +- mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL); + if (!mvpp2_root) + mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL); + +-- +2.35.1 + diff --git a/queue-4.19/nvmet-fix-a-use-after-free.patch b/queue-4.19/nvmet-fix-a-use-after-free.patch new file mode 100644 index 00000000000..62c5c9f2e94 --- /dev/null +++ b/queue-4.19/nvmet-fix-a-use-after-free.patch @@ -0,0 +1,67 @@ +From a2beeda56ca0138c260720efafcd71c535534795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Aug 2022 14:03:17 -0700 +Subject: nvmet: fix a use-after-free + +From: Bart Van Assche + +[ Upstream commit 6a02a61e81c231cc5c680c5dbf8665275147ac52 ] + +Fix the following use-after-free complaint triggered by blktests nvme/004: + +BUG: KASAN: user-memory-access in blk_mq_complete_request_remote+0xac/0x350 +Read of size 4 at addr 0000607bd1835943 by task kworker/13:1/460 +Workqueue: nvmet-wq nvme_loop_execute_work [nvme_loop] +Call Trace: + show_stack+0x52/0x58 + dump_stack_lvl+0x49/0x5e + print_report.cold+0x36/0x1e2 + kasan_report+0xb9/0xf0 + __asan_load4+0x6b/0x80 + blk_mq_complete_request_remote+0xac/0x350 + nvme_loop_queue_response+0x1df/0x275 [nvme_loop] + __nvmet_req_complete+0x132/0x4f0 [nvmet] + nvmet_req_complete+0x15/0x40 [nvmet] + nvmet_execute_io_connect+0x18a/0x1f0 [nvmet] + nvme_loop_execute_work+0x20/0x30 [nvme_loop] + process_one_work+0x56e/0xa70 + worker_thread+0x2d1/0x640 + kthread+0x183/0x1c0 + ret_from_fork+0x1f/0x30 + +Cc: stable@vger.kernel.org +Fixes: a07b4970f464 ("nvmet: add a generic NVMe target") +Signed-off-by: Bart Van Assche +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/nvme/target/core.c b/drivers/nvme/target/core.c +index 1a35d73c39c3..80b5aae1bdc9 100644 +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -504,6 +504,7 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status) + { + u32 old_sqhd, new_sqhd; + u16 sqhd; ++ struct nvmet_ns *ns = req->ns; + + if (status) + nvmet_set_status(req, status); +@@ -520,9 +521,9 @@ static void __nvmet_req_complete(struct nvmet_req *req, u16 status) + req->rsp->sq_id = cpu_to_le16(req->sq->qid); + req->rsp->command_id = req->cmd->common.command_id; + +- if (req->ns) +- nvmet_put_namespace(req->ns); + req->ops->queue_response(req); ++ if (ns) ++ nvmet_put_namespace(ns); + } + + void nvmet_req_complete(struct nvmet_req *req, u16 status) +-- +2.35.1 + diff --git a/queue-4.19/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch b/queue-4.19/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch new file mode 100644 index 00000000000..c2b90afd745 --- /dev/null +++ b/queue-4.19/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch @@ -0,0 +1,41 @@ +From 77701ccea5ea1203cc261920287f9458b34c81a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Aug 2022 23:34:16 +0300 +Subject: of: fdt: fix off-by-one error in unflatten_dt_nodes() + +From: Sergey Shtylyov + +[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ] + +Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +forgot to fix up the depth check in the loop body in unflatten_dt_nodes() +which makes it possible to overflow the nps[] buffer... + +Found by Linux Verification Center (linuxtesting.org) with the SVACE static +analysis tool. + +Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index 9fecac72c358..7c284ca0212c 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -392,7 +392,7 @@ static int unflatten_dt_nodes(const void *blob, + for (offset = 0; + offset >= 0 && depth >= initial_depth; + offset = fdt_next_node(blob, offset, &depth)) { +- if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH)) ++ if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH - 1)) + continue; + + if (!IS_ENABLED(CONFIG_OF_KOBJ) && +-- +2.35.1 + diff --git a/queue-4.19/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch b/queue-4.19/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch new file mode 100644 index 00000000000..15adc34b410 --- /dev/null +++ b/queue-4.19/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch @@ -0,0 +1,35 @@ +From d62cb493a47629e9a64a9466847c616437c699fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 17:36:57 +0800 +Subject: parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() + +From: Yang Yingliang + +[ Upstream commit 38238be4e881a5d0abbe4872b4cd6ed790be06c8 ] + +Add missing iounmap() before return from ccio_probe(), if ccio_init_resources() +fails. + +Fixes: d46c742f827f ("parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()") +Signed-off-by: Yang Yingliang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/parisc/ccio-dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c +index 73ee74d6e7a3..2c763f9d75df 100644 +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -1555,6 +1555,7 @@ static int __init ccio_probe(struct parisc_device *dev) + } + ccio_ioc_init(ioc); + if (ccio_init_resources(ioc)) { ++ iounmap(ioc->ioc_regs); + kfree(ioc); + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-4.19/series b/queue-4.19/series index e69de29bb2d..9bc1517976a 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -0,0 +1,9 @@ +of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch +gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch +drm-meson-correct-osd1-global-alpha-value.patch +parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch +efi-libstub-disable-shadow-call-stack.patch +efi-libstub-disable-struct-randomization.patch +nvmet-fix-a-use-after-free.patch +mvpp2-no-need-to-check-return-value-of-debugfs_creat.patch +net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch diff --git a/queue-4.9/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch b/queue-4.9/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch new file mode 100644 index 00000000000..4c581194d8e --- /dev/null +++ b/queue-4.9/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch @@ -0,0 +1,35 @@ +From 889ce4d3d13d5ea4bd190d341984507164e8dcbd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 17:36:57 +0800 +Subject: parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() + +From: Yang Yingliang + +[ Upstream commit 38238be4e881a5d0abbe4872b4cd6ed790be06c8 ] + +Add missing iounmap() before return from ccio_probe(), if ccio_init_resources() +fails. + +Fixes: d46c742f827f ("parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()") +Signed-off-by: Yang Yingliang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/parisc/ccio-dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c +index 633762f8d775..84a93ddcd57a 100644 +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -1569,6 +1569,7 @@ static int __init ccio_probe(struct parisc_device *dev) + ioc->ioc_regs = ioremap_nocache(dev->hpa.start, 4096); + ccio_ioc_init(ioc); + if (ccio_init_resources(ioc)) { ++ iounmap(ioc->ioc_regs); + kfree(ioc); + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-4.9/series b/queue-4.9/series index e69de29bb2d..1887280cc3e 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -0,0 +1 @@ +parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch diff --git a/queue-5.10/dmaengine-bestcomm-fix-system-boot-lockups.patch b/queue-5.10/dmaengine-bestcomm-fix-system-boot-lockups.patch new file mode 100644 index 00000000000..ce2209b1247 --- /dev/null +++ b/queue-5.10/dmaengine-bestcomm-fix-system-boot-lockups.patch @@ -0,0 +1,141 @@ +From 108396aae7bc469ce45822765530e8d88bde4193 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Oct 2021 11:40:12 +0200 +Subject: dmaengine: bestcomm: fix system boot lockups + +From: Anatolij Gustschin + +[ Upstream commit adec566b05288f2787a1f88dbaf77ed8b0c644fa ] + +memset() and memcpy() on an MMIO region like here results in a +lockup at startup on mpc5200 platform (since this first happens +during probing of the ATA and Ethernet drivers). Use memset_io() +and memcpy_toio() instead. + +Fixes: 2f9ea1bde0d1 ("bestcomm: core bestcomm support for Freescale MPC5200") +Cc: stable@vger.kernel.org # v5.14+ +Signed-off-by: Anatolij Gustschin +Link: https://lore.kernel.org/r/20211014094012.21286-1-agust@denx.de +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/bestcomm/ata.c | 2 +- + drivers/dma/bestcomm/bestcomm.c | 22 +++++++++++----------- + drivers/dma/bestcomm/fec.c | 4 ++-- + drivers/dma/bestcomm/gen_bd.c | 4 ++-- + 4 files changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/dma/bestcomm/ata.c b/drivers/dma/bestcomm/ata.c +index 2fd87f83cf90..e169f18da551 100644 +--- a/drivers/dma/bestcomm/ata.c ++++ b/drivers/dma/bestcomm/ata.c +@@ -133,7 +133,7 @@ void bcom_ata_reset_bd(struct bcom_task *tsk) + struct bcom_ata_var *var; + + /* Reset all BD */ +- memset(tsk->bd, 0x00, tsk->num_bd * tsk->bd_size); ++ memset_io(tsk->bd, 0x00, tsk->num_bd * tsk->bd_size); + + tsk->index = 0; + tsk->outdex = 0; +diff --git a/drivers/dma/bestcomm/bestcomm.c b/drivers/dma/bestcomm/bestcomm.c +index d91cbbe7a48f..8c42e5ca00a9 100644 +--- a/drivers/dma/bestcomm/bestcomm.c ++++ b/drivers/dma/bestcomm/bestcomm.c +@@ -95,7 +95,7 @@ bcom_task_alloc(int bd_count, int bd_size, int priv_size) + tsk->bd = bcom_sram_alloc(bd_count * bd_size, 4, &tsk->bd_pa); + if (!tsk->bd) + goto error; +- memset(tsk->bd, 0x00, bd_count * bd_size); ++ memset_io(tsk->bd, 0x00, bd_count * bd_size); + + tsk->num_bd = bd_count; + tsk->bd_size = bd_size; +@@ -186,16 +186,16 @@ bcom_load_image(int task, u32 *task_image) + inc = bcom_task_inc(task); + + /* Clear & copy */ +- memset(var, 0x00, BCOM_VAR_SIZE); +- memset(inc, 0x00, BCOM_INC_SIZE); ++ memset_io(var, 0x00, BCOM_VAR_SIZE); ++ memset_io(inc, 0x00, BCOM_INC_SIZE); + + desc_src = (u32 *)(hdr + 1); + var_src = desc_src + hdr->desc_size; + inc_src = var_src + hdr->var_size; + +- memcpy(desc, desc_src, hdr->desc_size * sizeof(u32)); +- memcpy(var + hdr->first_var, var_src, hdr->var_size * sizeof(u32)); +- memcpy(inc, inc_src, hdr->inc_size * sizeof(u32)); ++ memcpy_toio(desc, desc_src, hdr->desc_size * sizeof(u32)); ++ memcpy_toio(var + hdr->first_var, var_src, hdr->var_size * sizeof(u32)); ++ memcpy_toio(inc, inc_src, hdr->inc_size * sizeof(u32)); + + return 0; + } +@@ -302,13 +302,13 @@ static int bcom_engine_init(void) + return -ENOMEM; + } + +- memset(bcom_eng->tdt, 0x00, tdt_size); +- memset(bcom_eng->ctx, 0x00, ctx_size); +- memset(bcom_eng->var, 0x00, var_size); +- memset(bcom_eng->fdt, 0x00, fdt_size); ++ memset_io(bcom_eng->tdt, 0x00, tdt_size); ++ memset_io(bcom_eng->ctx, 0x00, ctx_size); ++ memset_io(bcom_eng->var, 0x00, var_size); ++ memset_io(bcom_eng->fdt, 0x00, fdt_size); + + /* Copy the FDT for the EU#3 */ +- memcpy(&bcom_eng->fdt[48], fdt_ops, sizeof(fdt_ops)); ++ memcpy_toio(&bcom_eng->fdt[48], fdt_ops, sizeof(fdt_ops)); + + /* Initialize Task base structure */ + for (task=0; taskindex = 0; + tsk->outdex = 0; + +- memset(tsk->bd, 0x00, tsk->num_bd * tsk->bd_size); ++ memset_io(tsk->bd, 0x00, tsk->num_bd * tsk->bd_size); + + /* Configure some stuff */ + bcom_set_task_pragma(tsk->tasknum, BCOM_FEC_RX_BD_PRAGMA); +@@ -241,7 +241,7 @@ bcom_fec_tx_reset(struct bcom_task *tsk) + tsk->index = 0; + tsk->outdex = 0; + +- memset(tsk->bd, 0x00, tsk->num_bd * tsk->bd_size); ++ memset_io(tsk->bd, 0x00, tsk->num_bd * tsk->bd_size); + + /* Configure some stuff */ + bcom_set_task_pragma(tsk->tasknum, BCOM_FEC_TX_BD_PRAGMA); +diff --git a/drivers/dma/bestcomm/gen_bd.c b/drivers/dma/bestcomm/gen_bd.c +index 906ddba6a6f5..8a24a5cbc263 100644 +--- a/drivers/dma/bestcomm/gen_bd.c ++++ b/drivers/dma/bestcomm/gen_bd.c +@@ -142,7 +142,7 @@ bcom_gen_bd_rx_reset(struct bcom_task *tsk) + tsk->index = 0; + tsk->outdex = 0; + +- memset(tsk->bd, 0x00, tsk->num_bd * tsk->bd_size); ++ memset_io(tsk->bd, 0x00, tsk->num_bd * tsk->bd_size); + + /* Configure some stuff */ + bcom_set_task_pragma(tsk->tasknum, BCOM_GEN_RX_BD_PRAGMA); +@@ -226,7 +226,7 @@ bcom_gen_bd_tx_reset(struct bcom_task *tsk) + tsk->index = 0; + tsk->outdex = 0; + +- memset(tsk->bd, 0x00, tsk->num_bd * tsk->bd_size); ++ memset_io(tsk->bd, 0x00, tsk->num_bd * tsk->bd_size); + + /* Configure some stuff */ + bcom_set_task_pragma(tsk->tasknum, BCOM_GEN_TX_BD_PRAGMA); +-- +2.35.1 + diff --git a/queue-5.10/drm-meson-correct-osd1-global-alpha-value.patch b/queue-5.10/drm-meson-correct-osd1-global-alpha-value.patch new file mode 100644 index 00000000000..1120fee13a0 --- /dev/null +++ b/queue-5.10/drm-meson-correct-osd1-global-alpha-value.patch @@ -0,0 +1,40 @@ +From aa434829b871f8aa9cfcb6d2e3946c1405934817 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:51:03 +0100 +Subject: drm/meson: Correct OSD1 global alpha value + +From: Stuart Menefy + +[ Upstream commit 6836829c8ea453c9e3e518e61539e35881c8ed5f ] + +VIU_OSD1_CTRL_STAT.GLOBAL_ALPHA is a 9 bit field, so the maximum +value is 0x100 not 0xff. + +This matches the vendor kernel. + +Signed-off-by: Stuart Menefy +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220908155103.686904-1-stuart.menefy@mathembedded.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_plane.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c +index 35338ed18209..255c6b863f8d 100644 +--- a/drivers/gpu/drm/meson/meson_plane.c ++++ b/drivers/gpu/drm/meson/meson_plane.c +@@ -163,7 +163,7 @@ static void meson_plane_atomic_update(struct drm_plane *plane, + + /* Enable OSD and BLK0, set max global alpha */ + priv->viu.osd1_ctrl_stat = OSD_ENABLE | +- (0xFF << OSD_GLOBAL_ALPHA_SHIFT) | ++ (0x100 << OSD_GLOBAL_ALPHA_SHIFT) | + OSD_BLK0_ENABLE; + + priv->viu.osd1_ctrl_stat2 = readl(priv->io_base + +-- +2.35.1 + diff --git a/queue-5.10/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch b/queue-5.10/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch new file mode 100644 index 00000000000..7f6a8b47939 --- /dev/null +++ b/queue-5.10/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch @@ -0,0 +1,47 @@ +From 73aee469b94113de5cf3f177a69deb8e6f75c585 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:52:43 +0100 +Subject: drm/meson: Fix OSD1 RGB to YCbCr coefficient + +From: Stuart Menefy + +[ Upstream commit 6463d3930ba5b6addcfc8f80a4543976a2fc7656 ] + +VPP_WRAP_OSD1_MATRIX_COEF22.Coeff22 is documented as being bits 0-12, +not 16-28. + +Without this the output tends to have a pink hue, changing it results +in better color accuracy. + +The vendor kernel doesn't use this register. However the code which +sets VIU2_OSD1_MATRIX_COEF22 also uses bits 0-12. There is a slightly +different style of registers for configuring some of the other matrices, +which do use bits 16-28 for this coefficient, but those have names +ending in MATRIX_COEF22_30, and this is not one of those. + +Signed-off-by: Stuart Menefy +Fixes: 728883948b0d ("drm/meson: Add G12A Support for VIU setup") +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220908155243.687143-1-stuart.menefy@mathembedded.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_viu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c +index bb7e109534de..d4b907889a21 100644 +--- a/drivers/gpu/drm/meson/meson_viu.c ++++ b/drivers/gpu/drm/meson/meson_viu.c +@@ -94,7 +94,7 @@ static void meson_viu_set_g12a_osd1_matrix(struct meson_drm *priv, + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF11_12)); + writel(((m[9] & 0x1fff) << 16) | (m[10] & 0x1fff), + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF20_21)); +- writel((m[11] & 0x1fff) << 16, ++ writel((m[11] & 0x1fff), + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF22)); + + writel(((m[18] & 0xfff) << 16) | (m[19] & 0xfff), +-- +2.35.1 + diff --git a/queue-5.10/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch b/queue-5.10/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch new file mode 100644 index 00000000000..12c3f764faf --- /dev/null +++ b/queue-5.10/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch @@ -0,0 +1,48 @@ +From 0fdc05b1ecd1616f8a1b4624be13d6c0aa955b2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 12:54:31 +0200 +Subject: gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in + mpc85xx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 279c12df8d2efb28def9d037f288cbfb97c30fe2 ] + +Commit e39d5ef67804 ("powerpc/5xxx: extend mpc8xxx_gpio driver to support +mpc512x gpios") implemented support for IRQ_TYPE_LEVEL_LOW flow type in +mpc512x via falling edge type. Do same for mpc85xx which support was added +in commit 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio"). + +Fixes probing of lm90 hwmon driver on mpc85xx based board which use level +interrupt. Without it kernel prints error and refuse lm90 to work: + + [ 15.258370] genirq: Setting trigger mode 8 for irq 49 failed (mpc8xxx_irq_set_type+0x0/0xf8) + [ 15.267168] lm90 0-004c: cannot request IRQ 49 + [ 15.272708] lm90: probe of 0-004c failed with error -22 + +Fixes: 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio") +Signed-off-by: Pali Rohár +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mpc8xxx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c +index d60d5520707d..60c2533a39a5 100644 +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -169,6 +169,7 @@ static int mpc8xxx_irq_set_type(struct irq_data *d, unsigned int flow_type) + + switch (flow_type) { + case IRQ_TYPE_EDGE_FALLING: ++ case IRQ_TYPE_LEVEL_LOW: + raw_spin_lock_irqsave(&mpc8xxx_gc->lock, flags); + gc->write_reg(mpc8xxx_gc->regs + GPIO_ICR, + gc->read_reg(mpc8xxx_gc->regs + GPIO_ICR) +-- +2.35.1 + diff --git a/queue-5.10/kvm-ppc-book3s-hv-context-tracking-exit-guest-contex.patch b/queue-5.10/kvm-ppc-book3s-hv-context-tracking-exit-guest-contex.patch new file mode 100644 index 00000000000..8675065ea25 --- /dev/null +++ b/queue-5.10/kvm-ppc-book3s-hv-context-tracking-exit-guest-contex.patch @@ -0,0 +1,53 @@ +From 717449ad205e566989b15b9b57cff080442ab206 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Jan 2021 23:08:12 +1000 +Subject: KVM: PPC: Book3S HV: Context tracking exit guest context before + enabling irqs + +From: Nicholas Piggin + +[ Upstream commit 112665286d08c87e66d699e7cba43c1497ad165f ] + +Interrupts that occur in kernel mode expect that context tracking +is set to kernel. Enabling local irqs before context tracking +switches from guest to host means interrupts can come in and trigger +warnings about wrong context, and possibly worse. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20210130130852.2952424-3-npiggin@gmail.com +Stable-dep-of: 235cee162459 ("KVM: PPC: Tick accounting should defer vtime accounting 'til after IRQ handling") +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index 38b7a3491aac..d6c4e27f7ed9 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -3399,8 +3399,9 @@ static noinline void kvmppc_run_core(struct kvmppc_vcore *vc) + + kvmppc_set_host_core(pcpu); + ++ guest_exit_irqoff(); ++ + local_irq_enable(); +- guest_exit(); + + /* Let secondaries go back to the offline loop */ + for (i = 0; i < controlled_threads; ++i) { +@@ -4235,8 +4236,9 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + + kvmppc_set_host_core(pcpu); + ++ guest_exit_irqoff(); ++ + local_irq_enable(); +- guest_exit(); + + cpumask_clear_cpu(pcpu, &kvm->arch.cpu_in_guest); + +-- +2.35.1 + diff --git a/queue-5.10/kvm-ppc-tick-accounting-should-defer-vtime-accountin.patch b/queue-5.10/kvm-ppc-tick-accounting-should-defer-vtime-accountin.patch new file mode 100644 index 00000000000..46d75c64e84 --- /dev/null +++ b/queue-5.10/kvm-ppc-tick-accounting-should-defer-vtime-accountin.patch @@ -0,0 +1,121 @@ +From 3aeed0c876227b61e7852f8a6345234a77261be9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 00:21:50 +1000 +Subject: KVM: PPC: Tick accounting should defer vtime accounting 'til after + IRQ handling + +From: Laurent Vivier + +[ Upstream commit 235cee162459d96153d63651ce7ff51752528c96 ] + +Commit 112665286d08 ("KVM: PPC: Book3S HV: Context tracking exit guest +context before enabling irqs") moved guest_exit() into the interrupt +protected area to avoid wrong context warning (or worse). The problem is +that tick-based time accounting has not yet been updated at this point +(because it depends on the timer interrupt firing), so the guest time +gets incorrectly accounted to system time. + +To fix the problem, follow the x86 fix in commit 160457140187 ("Defer +vtime accounting 'til after IRQ handling"), and allow host IRQs to run +before accounting the guest exit time. + +In the case vtime accounting is enabled, this is not required because TB +is used directly for accounting. + +Before this patch, with CONFIG_TICK_CPU_ACCOUNTING=y in the host and a +guest running a kernel compile, the 'guest' fields of /proc/stat are +stuck at zero. With the patch they can be observed increasing roughly as +expected. + +Fixes: e233d54d4d97 ("KVM: booke: use __kvm_guest_exit") +Fixes: 112665286d08 ("KVM: PPC: Book3S HV: Context tracking exit guest context before enabling irqs") +Cc: stable@vger.kernel.org # 5.12+ +Signed-off-by: Laurent Vivier +[np: only required for tick accounting, add Book3E fix, tweak changelog] +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211027142150.3711582-1-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kvm/book3s_hv.c | 30 ++++++++++++++++++++++++++++-- + arch/powerpc/kvm/booke.c | 16 +++++++++++++++- + 2 files changed, 43 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c +index d6c4e27f7ed9..1d2593238995 100644 +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -3399,7 +3399,20 @@ static noinline void kvmppc_run_core(struct kvmppc_vcore *vc) + + kvmppc_set_host_core(pcpu); + +- guest_exit_irqoff(); ++ context_tracking_guest_exit(); ++ if (!vtime_accounting_enabled_this_cpu()) { ++ local_irq_enable(); ++ /* ++ * Service IRQs here before vtime_account_guest_exit() so any ++ * ticks that occurred while running the guest are accounted to ++ * the guest. If vtime accounting is enabled, accounting uses ++ * TB rather than ticks, so it can be done without enabling ++ * interrupts here, which has the problem that it accounts ++ * interrupt processing overhead to the host. ++ */ ++ local_irq_disable(); ++ } ++ vtime_account_guest_exit(); + + local_irq_enable(); + +@@ -4236,7 +4249,20 @@ int kvmhv_run_single_vcpu(struct kvm_vcpu *vcpu, u64 time_limit, + + kvmppc_set_host_core(pcpu); + +- guest_exit_irqoff(); ++ context_tracking_guest_exit(); ++ if (!vtime_accounting_enabled_this_cpu()) { ++ local_irq_enable(); ++ /* ++ * Service IRQs here before vtime_account_guest_exit() so any ++ * ticks that occurred while running the guest are accounted to ++ * the guest. If vtime accounting is enabled, accounting uses ++ * TB rather than ticks, so it can be done without enabling ++ * interrupts here, which has the problem that it accounts ++ * interrupt processing overhead to the host. ++ */ ++ local_irq_disable(); ++ } ++ vtime_account_guest_exit(); + + local_irq_enable(); + +diff --git a/arch/powerpc/kvm/booke.c b/arch/powerpc/kvm/booke.c +index b1abcb816439..75381beb7514 100644 +--- a/arch/powerpc/kvm/booke.c ++++ b/arch/powerpc/kvm/booke.c +@@ -1016,7 +1016,21 @@ int kvmppc_handle_exit(struct kvm_vcpu *vcpu, unsigned int exit_nr) + } + + trace_kvm_exit(exit_nr, vcpu); +- guest_exit_irqoff(); ++ ++ context_tracking_guest_exit(); ++ if (!vtime_accounting_enabled_this_cpu()) { ++ local_irq_enable(); ++ /* ++ * Service IRQs here before vtime_account_guest_exit() so any ++ * ticks that occurred while running the guest are accounted to ++ * the guest. If vtime accounting is enabled, accounting uses ++ * TB rather than ticks, so it can be done without enabling ++ * interrupts here, which has the problem that it accounts ++ * interrupt processing overhead to the host. ++ */ ++ local_irq_disable(); ++ } ++ vtime_account_guest_exit(); + + local_irq_enable(); + +-- +2.35.1 + diff --git a/queue-5.10/net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-p.patch b/queue-5.10/net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-p.patch new file mode 100644 index 00000000000..a9a8b3505a4 --- /dev/null +++ b/queue-5.10/net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-p.patch @@ -0,0 +1,121 @@ +From 42c2960e3eaf2110f494ac8f223c637af7b45cea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Dec 2021 09:26:47 +0000 +Subject: net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports + +From: Russell King (Oracle) + +[ Upstream commit 04ec4e6250e5f58b525b08f3dca45c7d7427620e ] + +Martyn Welch reports that his CPU port is unable to link where it has +been necessary to use one of the switch ports with an internal PHY for +the CPU port. The reason behind this is the port control register is +left forcing the link down, preventing traffic flow. + +This occurs because during initialisation, phylink expects the link to +be down, and DSA forces the link down by synthesising a call to the +DSA drivers phylink_mac_link_down() method, but we don't touch the +forced-link state when we later reconfigure the port. + +Resolve this by also unforcing the link state when we are operating in +PHY mode and the PPU is set to poll the PHY to retrieve link status +information. + +Reported-by: Martyn Welch +Tested-by: Martyn Welch +Fixes: 3be98b2d5fbc ("net: dsa: Down cpu/dsa ports phylink will control") +Cc: # 5.7: 2b29cb9e3f7f: net: dsa: mv88e6xxx: fix "don't use PHY_DETECT on internal PHY's" +Signed-off-by: Russell King (Oracle) +Link: https://lore.kernel.org/r/E1mvFhP-00F8Zb-Ul@rmk-PC.armlinux.org.uk +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/dsa/mv88e6xxx/chip.c | 64 +++++++++++++++++--------------- + 1 file changed, 34 insertions(+), 30 deletions(-) + +diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c +index 7b7a8a74405d..371b345635e6 100644 +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -666,44 +666,48 @@ static void mv88e6xxx_mac_config(struct dsa_switch *ds, int port, + { + struct mv88e6xxx_chip *chip = ds->priv; + struct mv88e6xxx_port *p; +- int err; ++ int err = 0; + + p = &chip->ports[port]; + +- /* FIXME: is this the correct test? If we're in fixed mode on an +- * internal port, why should we process this any different from +- * PHY mode? On the other hand, the port may be automedia between +- * an internal PHY and the serdes... +- */ +- if ((mode == MLO_AN_PHY) && mv88e6xxx_phy_is_internal(ds, port)) +- return; +- + mv88e6xxx_reg_lock(chip); +- /* In inband mode, the link may come up at any time while the link +- * is not forced down. Force the link down while we reconfigure the +- * interface mode. +- */ +- if (mode == MLO_AN_INBAND && p->interface != state->interface && +- chip->info->ops->port_set_link) +- chip->info->ops->port_set_link(chip, port, LINK_FORCED_DOWN); +- +- err = mv88e6xxx_port_config_interface(chip, port, state->interface); +- if (err && err != -EOPNOTSUPP) +- goto err_unlock; + +- err = mv88e6xxx_serdes_pcs_config(chip, port, mode, state->interface, +- state->advertising); +- /* FIXME: we should restart negotiation if something changed - which +- * is something we get if we convert to using phylinks PCS operations. +- */ +- if (err > 0) +- err = 0; ++ if (mode != MLO_AN_PHY || !mv88e6xxx_phy_is_internal(ds, port)) { ++ /* In inband mode, the link may come up at any time while the ++ * link is not forced down. Force the link down while we ++ * reconfigure the interface mode. ++ */ ++ if (mode == MLO_AN_INBAND && ++ p->interface != state->interface && ++ chip->info->ops->port_set_link) ++ chip->info->ops->port_set_link(chip, port, ++ LINK_FORCED_DOWN); ++ ++ err = mv88e6xxx_port_config_interface(chip, port, ++ state->interface); ++ if (err && err != -EOPNOTSUPP) ++ goto err_unlock; ++ ++ err = mv88e6xxx_serdes_pcs_config(chip, port, mode, ++ state->interface, ++ state->advertising); ++ /* FIXME: we should restart negotiation if something changed - ++ * which is something we get if we convert to using phylinks ++ * PCS operations. ++ */ ++ if (err > 0) ++ err = 0; ++ } + + /* Undo the forced down state above after completing configuration +- * irrespective of its state on entry, which allows the link to come up. ++ * irrespective of its state on entry, which allows the link to come ++ * up in the in-band case where there is no separate SERDES. Also ++ * ensure that the link can come up if the PPU is in use and we are ++ * in PHY mode (we treat the PPU as an effective in-band mechanism.) + */ +- if (mode == MLO_AN_INBAND && p->interface != state->interface && +- chip->info->ops->port_set_link) ++ if (chip->info->ops->port_set_link && ++ ((mode == MLO_AN_INBAND && p->interface != state->interface) || ++ (mode == MLO_AN_PHY && mv88e6xxx_port_ppu_updates(chip, port)))) + chip->info->ops->port_set_link(chip, port, LINK_UNFORCED); + + p->interface = state->interface; +-- +2.35.1 + diff --git a/queue-5.10/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch b/queue-5.10/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch new file mode 100644 index 00000000000..4766fffcebc --- /dev/null +++ b/queue-5.10/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch @@ -0,0 +1,69 @@ +From 40fa1927954434c7d8903e58d83c12a72b8ad5e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 14:49:05 -0400 +Subject: NFSv4: Turn off open-by-filehandle and NFS re-export for NFSv4.0 + +From: Trond Myklebust + +[ Upstream commit 2a9d683b48c8a87e61a4215792d44c90bcbbb536 ] + +The NFSv4.0 protocol only supports open() by name. It cannot therefore +be used with open_by_handle() and friends, nor can it be re-exported by +knfsd. + +Reported-by: Chuck Lever III +Fixes: 20fa19027286 ("nfs: add export operations") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 4034102010f0..b3fcc27b9564 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1029,22 +1029,31 @@ static void nfs_fill_super(struct super_block *sb, struct nfs_fs_context *ctx) + if (ctx && ctx->bsize) + sb->s_blocksize = nfs_block_size(ctx->bsize, &sb->s_blocksize_bits); + +- if (server->nfs_client->rpc_ops->version != 2) { +- /* The VFS shouldn't apply the umask to mode bits. We will do +- * so ourselves when necessary. ++ switch (server->nfs_client->rpc_ops->version) { ++ case 2: ++ sb->s_time_gran = 1000; ++ sb->s_time_min = 0; ++ sb->s_time_max = U32_MAX; ++ break; ++ case 3: ++ /* ++ * The VFS shouldn't apply the umask to mode bits. ++ * We will do so ourselves when necessary. + */ + sb->s_flags |= SB_POSIXACL; + sb->s_time_gran = 1; +- sb->s_export_op = &nfs_export_ops; +- } else +- sb->s_time_gran = 1000; +- +- if (server->nfs_client->rpc_ops->version != 4) { + sb->s_time_min = 0; + sb->s_time_max = U32_MAX; +- } else { ++ sb->s_export_op = &nfs_export_ops; ++ break; ++ case 4: ++ sb->s_flags |= SB_POSIXACL; ++ sb->s_time_gran = 1; + sb->s_time_min = S64_MIN; + sb->s_time_max = S64_MAX; ++ if (server->caps & NFS_CAP_ATOMIC_OPEN_V1) ++ sb->s_export_op = &nfs_export_ops; ++ break; + } + + sb->s_magic = NFS_SUPER_MAGIC; +-- +2.35.1 + diff --git a/queue-5.10/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch b/queue-5.10/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch new file mode 100644 index 00000000000..b1f7cf8fc65 --- /dev/null +++ b/queue-5.10/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch @@ -0,0 +1,41 @@ +From 45d68e39c82f54e70500f2cd3731525166f371d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Aug 2022 23:34:16 +0300 +Subject: of: fdt: fix off-by-one error in unflatten_dt_nodes() + +From: Sergey Shtylyov + +[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ] + +Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +forgot to fix up the depth check in the loop body in unflatten_dt_nodes() +which makes it possible to overflow the nps[] buffer... + +Found by Linux Verification Center (linuxtesting.org) with the SVACE static +analysis tool. + +Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index 57ff31b6b1e4..5a1b8688b460 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -315,7 +315,7 @@ static int unflatten_dt_nodes(const void *blob, + for (offset = 0; + offset >= 0 && depth >= initial_depth; + offset = fdt_next_node(blob, offset, &depth)) { +- if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH)) ++ if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH - 1)) + continue; + + if (!IS_ENABLED(CONFIG_OF_KOBJ) && +-- +2.35.1 + diff --git a/queue-5.10/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch b/queue-5.10/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch new file mode 100644 index 00000000000..33f6b9e4a8d --- /dev/null +++ b/queue-5.10/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch @@ -0,0 +1,35 @@ +From f5d6677dbfb0406b3d3bafbd140ba366587b28ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 17:36:57 +0800 +Subject: parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() + +From: Yang Yingliang + +[ Upstream commit 38238be4e881a5d0abbe4872b4cd6ed790be06c8 ] + +Add missing iounmap() before return from ccio_probe(), if ccio_init_resources() +fails. + +Fixes: d46c742f827f ("parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()") +Signed-off-by: Yang Yingliang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/parisc/ccio-dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c +index ffd5000c23d3..be81b765858b 100644 +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -1546,6 +1546,7 @@ static int __init ccio_probe(struct parisc_device *dev) + } + ccio_ioc_init(ioc); + if (ccio_init_resources(ioc)) { ++ iounmap(ioc->ioc_regs); + kfree(ioc); + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-5.10/parisc-flush-kernel-data-mapping-in-set_pte_at-when-.patch b/queue-5.10/parisc-flush-kernel-data-mapping-in-set_pte_at-when-.patch new file mode 100644 index 00000000000..5f8ae1190c3 --- /dev/null +++ b/queue-5.10/parisc-flush-kernel-data-mapping-in-set_pte_at-when-.patch @@ -0,0 +1,101 @@ +From 780ff6d9eb5b8c8a3cfe9f5bf7d9b789f3ad0418 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Nov 2021 16:48:16 -0500 +Subject: parisc: Flush kernel data mapping in set_pte_at() when installing pte + for user page + +From: John David Anglin + +[ Upstream commit 38860b2c8bb1b92f61396eb06a63adff916fc31d ] + +For years, there have been random segmentation faults in userspace on +SMP PA-RISC machines. It occurred to me that this might be a problem in +set_pte_at(). MIPS and some other architectures do cache flushes when +installing PTEs with the present bit set. + +Here I have adapted the code in update_mmu_cache() to flush the kernel +mapping when the kernel flush is deferred, or when the kernel mapping +may alias with the user mapping. This simplifies calls to +update_mmu_cache(). + +I also changed the barrier in set_pte() from a compiler barrier to a +full memory barrier. I know this change is not sufficient to fix the +problem. It might not be needed. + +I have had a few days of operation with 5.14.16 to 5.15.1 and haven't +seen any random segmentation faults on rp3440 or c8000 so far. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Cc: stable@kernel.org # 5.12+ +Signed-off-by: Sasha Levin +--- + arch/parisc/include/asm/pgtable.h | 10 ++++++++-- + arch/parisc/kernel/cache.c | 4 ++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h +index 39017210dbf0..8964798b8274 100644 +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -76,6 +76,8 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr) + purge_tlb_end(flags); + } + ++extern void __update_cache(pte_t pte); ++ + /* Certain architectures need to do special things when PTEs + * within a page table are directly modified. Thus, the following + * hook is made available. +@@ -83,11 +85,14 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr) + #define set_pte(pteptr, pteval) \ + do { \ + *(pteptr) = (pteval); \ +- barrier(); \ ++ mb(); \ + } while(0) + + #define set_pte_at(mm, addr, pteptr, pteval) \ + do { \ ++ if (pte_present(pteval) && \ ++ pte_user(pteval)) \ ++ __update_cache(pteval); \ + *(pteptr) = (pteval); \ + purge_tlb_entries(mm, addr); \ + } while (0) +@@ -305,6 +310,7 @@ extern unsigned long *empty_zero_page; + + #define pte_none(x) (pte_val(x) == 0) + #define pte_present(x) (pte_val(x) & _PAGE_PRESENT) ++#define pte_user(x) (pte_val(x) & _PAGE_USER) + #define pte_clear(mm, addr, xp) set_pte_at(mm, addr, xp, __pte(0)) + + #define pmd_flag(x) (pmd_val(x) & PxD_FLAG_MASK) +@@ -412,7 +418,7 @@ extern void paging_init (void); + + #define PG_dcache_dirty PG_arch_1 + +-extern void update_mmu_cache(struct vm_area_struct *, unsigned long, pte_t *); ++#define update_mmu_cache(vms,addr,ptep) __update_cache(*ptep) + + /* Encode and de-code a swap entry */ + +diff --git a/arch/parisc/kernel/cache.c b/arch/parisc/kernel/cache.c +index 86a1a63563fd..c81ab0cb8925 100644 +--- a/arch/parisc/kernel/cache.c ++++ b/arch/parisc/kernel/cache.c +@@ -83,9 +83,9 @@ EXPORT_SYMBOL(flush_cache_all_local); + #define pfn_va(pfn) __va(PFN_PHYS(pfn)) + + void +-update_mmu_cache(struct vm_area_struct *vma, unsigned long address, pte_t *ptep) ++__update_cache(pte_t pte) + { +- unsigned long pfn = pte_pfn(*ptep); ++ unsigned long pfn = pte_pfn(pte); + struct page *page; + + /* We don't have pte special. As a result, we can be called with +-- +2.35.1 + diff --git a/queue-5.10/parisc-optimize-per-pagetable-spinlocks.patch b/queue-5.10/parisc-optimize-per-pagetable-spinlocks.patch new file mode 100644 index 00000000000..325d0dbdbea --- /dev/null +++ b/queue-5.10/parisc-optimize-per-pagetable-spinlocks.patch @@ -0,0 +1,879 @@ +From a4ec4e671b257ad90c28079aae345298057a3687 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Feb 2021 16:38:52 +0100 +Subject: parisc: Optimize per-pagetable spinlocks + +From: Helge Deller + +[ Upstream commit b7795074a04669d0a023babf786d29bf67c68783 ] + +On parisc a spinlock is stored in the next page behind the pgd which +protects against parallel accesses to the pgd. That's why one additional +page (PGD_ALLOC_ORDER) is allocated for the pgd. + +Matthew Wilcox suggested that we instead should use a pointer in the +struct page table for this spinlock and noted, that the comments for the +PGD_ORDER and PMD_ORDER defines were wrong. + +Both suggestions are addressed with this patch. Instead of having an own +spinlock to protect the pgd, we now switch to use the existing +page_table_lock. Additionally, beside loading the pgd into cr25 in +switch_mm_irqs_off(), the physical address of this lock is loaded into +cr28 (tr4), so that we can avoid implementing a complicated lookup in +assembly for this lock in the TLB fault handlers. + +The existing Hybrid L2/L3 page table scheme (where the pmd is adjacent +to the pgd) has been dropped with this patch. + +Remove the locking in set_pte() and the huge-page pte functions too. +They trigger a spinlock recursion on 32bit machines and seem unnecessary. + +Suggested-by: Matthew Wilcox +Fixes: b37d1c1898b2 ("parisc: Use per-pagetable spinlock") +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Stable-dep-of: 38860b2c8bb1 ("parisc: Flush kernel data mapping in set_pte_at() when installing pte for user page") +Signed-off-by: Sasha Levin +--- + arch/parisc/Kconfig | 10 +++ + arch/parisc/include/asm/mmu_context.h | 7 ++ + arch/parisc/include/asm/page.h | 2 +- + arch/parisc/include/asm/pgalloc.h | 76 ++++------------- + arch/parisc/include/asm/pgtable.h | 89 ++++---------------- + arch/parisc/kernel/asm-offsets.c | 1 - + arch/parisc/kernel/entry.S | 116 +++++++++++--------------- + arch/parisc/mm/hugetlbpage.c | 13 --- + arch/parisc/mm/init.c | 10 +-- + 9 files changed, 110 insertions(+), 214 deletions(-) + +diff --git a/arch/parisc/Kconfig b/arch/parisc/Kconfig +index 2d89f79f460c..07a4d4badd69 100644 +--- a/arch/parisc/Kconfig ++++ b/arch/parisc/Kconfig +@@ -315,6 +315,16 @@ config IRQSTACKS + for handling hard and soft interrupts. This can help avoid + overflowing the process kernel stacks. + ++config TLB_PTLOCK ++ bool "Use page table locks in TLB fault handler" ++ depends on SMP ++ default n ++ help ++ Select this option to enable page table locking in the TLB ++ fault handler. This ensures that page table entries are ++ updated consistently on SMP machines at the expense of some ++ loss in performance. ++ + config HOTPLUG_CPU + bool + default y if SMP +diff --git a/arch/parisc/include/asm/mmu_context.h b/arch/parisc/include/asm/mmu_context.h +index cb5f2f730421..aba69ff79e8c 100644 +--- a/arch/parisc/include/asm/mmu_context.h ++++ b/arch/parisc/include/asm/mmu_context.h +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + #include + + static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk) +@@ -52,6 +53,12 @@ static inline void switch_mm_irqs_off(struct mm_struct *prev, + struct mm_struct *next, struct task_struct *tsk) + { + if (prev != next) { ++#ifdef CONFIG_TLB_PTLOCK ++ /* put physical address of page_table_lock in cr28 (tr4) ++ for TLB faults */ ++ spinlock_t *pgd_lock = &next->page_table_lock; ++ mtctl(__pa(__ldcw_align(&pgd_lock->rlock.raw_lock)), 28); ++#endif + mtctl(__pa(next->pgd), 25); + load_context(next->context); + } +diff --git a/arch/parisc/include/asm/page.h b/arch/parisc/include/asm/page.h +index 8802ce651a3a..0561568f7b48 100644 +--- a/arch/parisc/include/asm/page.h ++++ b/arch/parisc/include/asm/page.h +@@ -112,7 +112,7 @@ extern int npmem_ranges; + #else + #define BITS_PER_PTE_ENTRY 2 + #define BITS_PER_PMD_ENTRY 2 +-#define BITS_PER_PGD_ENTRY BITS_PER_PMD_ENTRY ++#define BITS_PER_PGD_ENTRY 2 + #endif + #define PGD_ENTRY_SIZE (1UL << BITS_PER_PGD_ENTRY) + #define PMD_ENTRY_SIZE (1UL << BITS_PER_PMD_ENTRY) +diff --git a/arch/parisc/include/asm/pgalloc.h b/arch/parisc/include/asm/pgalloc.h +index a6482b2ce0ea..dda557085311 100644 +--- a/arch/parisc/include/asm/pgalloc.h ++++ b/arch/parisc/include/asm/pgalloc.h +@@ -15,47 +15,23 @@ + #define __HAVE_ARCH_PGD_FREE + #include + +-/* Allocate the top level pgd (page directory) +- * +- * Here (for 64 bit kernels) we implement a Hybrid L2/L3 scheme: we +- * allocate the first pmd adjacent to the pgd. This means that we can +- * subtract a constant offset to get to it. The pmd and pgd sizes are +- * arranged so that a single pmd covers 4GB (giving a full 64-bit +- * process access to 8TB) so our lookups are effectively L2 for the +- * first 4GB of the kernel (i.e. for all ILP32 processes and all the +- * kernel for machines with under 4GB of memory) */ ++/* Allocate the top level pgd (page directory) */ + static inline pgd_t *pgd_alloc(struct mm_struct *mm) + { +- pgd_t *pgd = (pgd_t *)__get_free_pages(GFP_KERNEL, +- PGD_ALLOC_ORDER); +- pgd_t *actual_pgd = pgd; ++ pgd_t *pgd; + +- if (likely(pgd != NULL)) { +- memset(pgd, 0, PAGE_SIZE<> PxD_VALUE_SHIFT))); +- /* The first pmd entry also is marked with PxD_FLAG_ATTACHED as +- * a signal that this pmd may not be freed */ +- set_pgd(pgd, __pgd(PxD_FLAG_ATTACHED)); +-#endif +- } +- spin_lock_init(pgd_spinlock(actual_pgd)); +- return actual_pgd; ++ pgd = (pgd_t *) __get_free_pages(GFP_KERNEL, PGD_ORDER); ++ if (unlikely(pgd == NULL)) ++ return NULL; ++ ++ memset(pgd, 0, PAGE_SIZE << PGD_ORDER); ++ ++ return pgd; + } + + static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) + { +-#if CONFIG_PGTABLE_LEVELS == 3 +- pgd -= PTRS_PER_PGD; +-#endif +- free_pages((unsigned long)pgd, PGD_ALLOC_ORDER); ++ free_pages((unsigned long)pgd, PGD_ORDER); + } + + #if CONFIG_PGTABLE_LEVELS == 3 +@@ -70,41 +46,25 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd) + + static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address) + { +- return (pmd_t *)__get_free_pages(GFP_PGTABLE_KERNEL, PMD_ORDER); ++ pmd_t *pmd; ++ ++ pmd = (pmd_t *)__get_free_pages(GFP_PGTABLE_KERNEL, PMD_ORDER); ++ if (likely(pmd)) ++ memset ((void *)pmd, 0, PAGE_SIZE << PMD_ORDER); ++ return pmd; + } + + static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd) + { +- if (pmd_flag(*pmd) & PxD_FLAG_ATTACHED) { +- /* +- * This is the permanent pmd attached to the pgd; +- * cannot free it. +- * Increment the counter to compensate for the decrement +- * done by generic mm code. +- */ +- mm_inc_nr_pmds(mm); +- return; +- } + free_pages((unsigned long)pmd, PMD_ORDER); + } +- + #endif + + static inline void + pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmd, pte_t *pte) + { +-#if CONFIG_PGTABLE_LEVELS == 3 +- /* preserve the gateway marker if this is the beginning of +- * the permanent pmd */ +- if(pmd_flag(*pmd) & PxD_FLAG_ATTACHED) +- set_pmd(pmd, __pmd((PxD_FLAG_PRESENT | +- PxD_FLAG_VALID | +- PxD_FLAG_ATTACHED) +- + (__u32)(__pa((unsigned long)pte) >> PxD_VALUE_SHIFT))); +- else +-#endif +- set_pmd(pmd, __pmd((PxD_FLAG_PRESENT | PxD_FLAG_VALID) +- + (__u32)(__pa((unsigned long)pte) >> PxD_VALUE_SHIFT))); ++ set_pmd(pmd, __pmd((PxD_FLAG_PRESENT | PxD_FLAG_VALID) ++ + (__u32)(__pa((unsigned long)pte) >> PxD_VALUE_SHIFT))); + } + + #define pmd_populate(mm, pmd, pte_page) \ +diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h +index 75cf84070fc9..39017210dbf0 100644 +--- a/arch/parisc/include/asm/pgtable.h ++++ b/arch/parisc/include/asm/pgtable.h +@@ -23,8 +23,6 @@ + #include + #include + +-static inline spinlock_t *pgd_spinlock(pgd_t *); +- + /* + * kern_addr_valid(ADDR) tests if ADDR is pointing to valid kernel + * memory. For the return value to be meaningful, ADDR must be >= +@@ -42,12 +40,8 @@ static inline spinlock_t *pgd_spinlock(pgd_t *); + + /* This is for the serialization of PxTLB broadcasts. At least on the N class + * systems, only one PxTLB inter processor broadcast can be active at any one +- * time on the Merced bus. +- +- * PTE updates are protected by locks in the PMD. +- */ ++ * time on the Merced bus. */ + extern spinlock_t pa_tlb_flush_lock; +-extern spinlock_t pa_swapper_pg_lock; + #if defined(CONFIG_64BIT) && defined(CONFIG_SMP) + extern int pa_serialize_tlb_flushes; + #else +@@ -86,18 +80,16 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr) + * within a page table are directly modified. Thus, the following + * hook is made available. + */ +-#define set_pte(pteptr, pteval) \ +- do{ \ +- *(pteptr) = (pteval); \ +- } while(0) +- +-#define set_pte_at(mm, addr, ptep, pteval) \ +- do { \ +- unsigned long flags; \ +- spin_lock_irqsave(pgd_spinlock((mm)->pgd), flags);\ +- set_pte(ptep, pteval); \ +- purge_tlb_entries(mm, addr); \ +- spin_unlock_irqrestore(pgd_spinlock((mm)->pgd), flags);\ ++#define set_pte(pteptr, pteval) \ ++ do { \ ++ *(pteptr) = (pteval); \ ++ barrier(); \ ++ } while(0) ++ ++#define set_pte_at(mm, addr, pteptr, pteval) \ ++ do { \ ++ *(pteptr) = (pteval); \ ++ purge_tlb_entries(mm, addr); \ + } while (0) + + #endif /* !__ASSEMBLY__ */ +@@ -120,12 +112,10 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr) + #define KERNEL_INITIAL_SIZE (1 << KERNEL_INITIAL_ORDER) + + #if CONFIG_PGTABLE_LEVELS == 3 +-#define PGD_ORDER 1 /* Number of pages per pgd */ +-#define PMD_ORDER 1 /* Number of pages per pmd */ +-#define PGD_ALLOC_ORDER (2 + 1) /* first pgd contains pmd */ ++#define PMD_ORDER 1 ++#define PGD_ORDER 0 + #else +-#define PGD_ORDER 1 /* Number of pages per pgd */ +-#define PGD_ALLOC_ORDER (PGD_ORDER + 1) ++#define PGD_ORDER 1 + #endif + + /* Definitions for 3rd level (we use PLD here for Page Lower directory +@@ -240,11 +230,9 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr) + * able to effectively address 40/42/44-bits of physical address space + * depending on 4k/16k/64k PAGE_SIZE */ + #define _PxD_PRESENT_BIT 31 +-#define _PxD_ATTACHED_BIT 30 +-#define _PxD_VALID_BIT 29 ++#define _PxD_VALID_BIT 30 + + #define PxD_FLAG_PRESENT (1 << xlate_pabit(_PxD_PRESENT_BIT)) +-#define PxD_FLAG_ATTACHED (1 << xlate_pabit(_PxD_ATTACHED_BIT)) + #define PxD_FLAG_VALID (1 << xlate_pabit(_PxD_VALID_BIT)) + #define PxD_FLAG_MASK (0xf) + #define PxD_FLAG_SHIFT (4) +@@ -326,23 +314,10 @@ extern unsigned long *empty_zero_page; + #define pgd_flag(x) (pgd_val(x) & PxD_FLAG_MASK) + #define pgd_address(x) ((unsigned long)(pgd_val(x) &~ PxD_FLAG_MASK) << PxD_VALUE_SHIFT) + +-#if CONFIG_PGTABLE_LEVELS == 3 +-/* The first entry of the permanent pmd is not there if it contains +- * the gateway marker */ +-#define pmd_none(x) (!pmd_val(x) || pmd_flag(x) == PxD_FLAG_ATTACHED) +-#else + #define pmd_none(x) (!pmd_val(x)) +-#endif + #define pmd_bad(x) (!(pmd_flag(x) & PxD_FLAG_VALID)) + #define pmd_present(x) (pmd_flag(x) & PxD_FLAG_PRESENT) + static inline void pmd_clear(pmd_t *pmd) { +-#if CONFIG_PGTABLE_LEVELS == 3 +- if (pmd_flag(*pmd) & PxD_FLAG_ATTACHED) +- /* This is the entry pointing to the permanent pmd +- * attached to the pgd; cannot clear it */ +- set_pmd(pmd, __pmd(PxD_FLAG_ATTACHED)); +- else +-#endif + set_pmd(pmd, __pmd(0)); + } + +@@ -358,12 +333,6 @@ static inline void pmd_clear(pmd_t *pmd) { + #define pud_bad(x) (!(pud_flag(x) & PxD_FLAG_VALID)) + #define pud_present(x) (pud_flag(x) & PxD_FLAG_PRESENT) + static inline void pud_clear(pud_t *pud) { +-#if CONFIG_PGTABLE_LEVELS == 3 +- if(pud_flag(*pud) & PxD_FLAG_ATTACHED) +- /* This is the permanent pmd attached to the pud; cannot +- * free it */ +- return; +-#endif + set_pud(pud, __pud(0)); + } + #endif +@@ -456,32 +425,18 @@ extern void update_mmu_cache(struct vm_area_struct *, unsigned long, pte_t *); + #define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val(pte) }) + #define __swp_entry_to_pte(x) ((pte_t) { (x).val }) + +- +-static inline spinlock_t *pgd_spinlock(pgd_t *pgd) +-{ +- if (unlikely(pgd == swapper_pg_dir)) +- return &pa_swapper_pg_lock; +- return (spinlock_t *)((char *)pgd + (PAGE_SIZE << (PGD_ALLOC_ORDER - 1))); +-} +- +- + static inline int ptep_test_and_clear_young(struct vm_area_struct *vma, unsigned long addr, pte_t *ptep) + { + pte_t pte; +- unsigned long flags; + + if (!pte_young(*ptep)) + return 0; + +- spin_lock_irqsave(pgd_spinlock(vma->vm_mm->pgd), flags); + pte = *ptep; + if (!pte_young(pte)) { +- spin_unlock_irqrestore(pgd_spinlock(vma->vm_mm->pgd), flags); + return 0; + } +- set_pte(ptep, pte_mkold(pte)); +- purge_tlb_entries(vma->vm_mm, addr); +- spin_unlock_irqrestore(pgd_spinlock(vma->vm_mm->pgd), flags); ++ set_pte_at(vma->vm_mm, addr, ptep, pte_mkold(pte)); + return 1; + } + +@@ -489,24 +444,16 @@ struct mm_struct; + static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep) + { + pte_t old_pte; +- unsigned long flags; + +- spin_lock_irqsave(pgd_spinlock(mm->pgd), flags); + old_pte = *ptep; +- set_pte(ptep, __pte(0)); +- purge_tlb_entries(mm, addr); +- spin_unlock_irqrestore(pgd_spinlock(mm->pgd), flags); ++ set_pte_at(mm, addr, ptep, __pte(0)); + + return old_pte; + } + + static inline void ptep_set_wrprotect(struct mm_struct *mm, unsigned long addr, pte_t *ptep) + { +- unsigned long flags; +- spin_lock_irqsave(pgd_spinlock(mm->pgd), flags); +- set_pte(ptep, pte_wrprotect(*ptep)); +- purge_tlb_entries(mm, addr); +- spin_unlock_irqrestore(pgd_spinlock(mm->pgd), flags); ++ set_pte_at(mm, addr, ptep, pte_wrprotect(*ptep)); + } + + #define pte_same(A,B) (pte_val(A) == pte_val(B)) +diff --git a/arch/parisc/kernel/asm-offsets.c b/arch/parisc/kernel/asm-offsets.c +index 305768a40773..cd2cc1b1648c 100644 +--- a/arch/parisc/kernel/asm-offsets.c ++++ b/arch/parisc/kernel/asm-offsets.c +@@ -268,7 +268,6 @@ int main(void) + DEFINE(ASM_BITS_PER_PGD, BITS_PER_PGD); + DEFINE(ASM_BITS_PER_PMD, BITS_PER_PMD); + DEFINE(ASM_BITS_PER_PTE, BITS_PER_PTE); +- DEFINE(ASM_PGD_PMD_OFFSET, -(PAGE_SIZE << PGD_ORDER)); + DEFINE(ASM_PMD_ENTRY, ((PAGE_OFFSET & PMD_MASK) >> PMD_SHIFT)); + DEFINE(ASM_PGD_ENTRY, PAGE_OFFSET >> PGDIR_SHIFT); + DEFINE(ASM_PGD_ENTRY_SIZE, PGD_ENTRY_SIZE); +diff --git a/arch/parisc/kernel/entry.S b/arch/parisc/kernel/entry.S +index 3da39140babc..05bed27eef85 100644 +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -35,10 +35,9 @@ + .level 2.0 + #endif + +- .import pa_tlb_lock,data +- .macro load_pa_tlb_lock reg +- mfctl %cr25,\reg +- addil L%(PAGE_SIZE << (PGD_ALLOC_ORDER - 1)),\reg ++ /* Get aligned page_table_lock address for this mm from cr28/tr4 */ ++ .macro get_ptl reg ++ mfctl %cr28,\reg + .endm + + /* space_to_prot macro creates a prot id from a space id */ +@@ -407,7 +406,9 @@ + # endif + #endif + dep %r0,31,PAGE_SHIFT,\pmd /* clear offset */ ++#if CONFIG_PGTABLE_LEVELS < 3 + copy %r0,\pte ++#endif + ldw,s \index(\pmd),\pmd + bb,>=,n \pmd,_PxD_PRESENT_BIT,\fault + dep %r0,31,PxD_FLAG_SHIFT,\pmd /* clear flags */ +@@ -417,38 +418,23 @@ + shladd \index,BITS_PER_PTE_ENTRY,\pmd,\pmd /* pmd is now pte */ + .endm + +- /* Look up PTE in a 3-Level scheme. +- * +- * Here we implement a Hybrid L2/L3 scheme: we allocate the +- * first pmd adjacent to the pgd. This means that we can +- * subtract a constant offset to get to it. The pmd and pgd +- * sizes are arranged so that a single pmd covers 4GB (giving +- * a full LP64 process access to 8TB) so our lookups are +- * effectively L2 for the first 4GB of the kernel (i.e. for +- * all ILP32 processes and all the kernel for machines with +- * under 4GB of memory) */ ++ /* Look up PTE in a 3-Level scheme. */ + .macro L3_ptep pgd,pte,index,va,fault +-#if CONFIG_PGTABLE_LEVELS == 3 /* we might have a 2-Level scheme, e.g. with 16kb page size */ ++#if CONFIG_PGTABLE_LEVELS == 3 ++ copy %r0,\pte + extrd,u \va,63-ASM_PGDIR_SHIFT,ASM_BITS_PER_PGD,\index +- extrd,u,*= \va,63-ASM_PGDIR_SHIFT,64-ASM_PGDIR_SHIFT,%r0 + ldw,s \index(\pgd),\pgd +- extrd,u,*= \va,63-ASM_PGDIR_SHIFT,64-ASM_PGDIR_SHIFT,%r0 + bb,>=,n \pgd,_PxD_PRESENT_BIT,\fault +- extrd,u,*= \va,63-ASM_PGDIR_SHIFT,64-ASM_PGDIR_SHIFT,%r0 +- shld \pgd,PxD_VALUE_SHIFT,\index +- extrd,u,*= \va,63-ASM_PGDIR_SHIFT,64-ASM_PGDIR_SHIFT,%r0 +- copy \index,\pgd +- extrd,u,*<> \va,63-ASM_PGDIR_SHIFT,64-ASM_PGDIR_SHIFT,%r0 +- ldo ASM_PGD_PMD_OFFSET(\pgd),\pgd ++ shld \pgd,PxD_VALUE_SHIFT,\pgd + #endif + L2_ptep \pgd,\pte,\index,\va,\fault + .endm + +- /* Acquire pa_tlb_lock lock and check page is present. */ +- .macro tlb_lock spc,ptp,pte,tmp,tmp1,fault +-#ifdef CONFIG_SMP ++ /* Acquire page_table_lock and check page is present. */ ++ .macro ptl_lock spc,ptp,pte,tmp,tmp1,fault ++#ifdef CONFIG_TLB_PTLOCK + 98: cmpib,COND(=),n 0,\spc,2f +- load_pa_tlb_lock \tmp ++ get_ptl \tmp + 1: LDCW 0(\tmp),\tmp1 + cmpib,COND(=) 0,\tmp1,1b + nop +@@ -463,26 +449,26 @@ + 3: + .endm + +- /* Release pa_tlb_lock lock without reloading lock address. ++ /* Release page_table_lock without reloading lock address. + Note that the values in the register spc are limited to + NR_SPACE_IDS (262144). Thus, the stw instruction always + stores a nonzero value even when register spc is 64 bits. + We use an ordered store to ensure all prior accesses are + performed prior to releasing the lock. */ +- .macro tlb_unlock0 spc,tmp +-#ifdef CONFIG_SMP ++ .macro ptl_unlock0 spc,tmp ++#ifdef CONFIG_TLB_PTLOCK + 98: or,COND(=) %r0,\spc,%r0 + stw,ma \spc,0(\tmp) + 99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) + #endif + .endm + +- /* Release pa_tlb_lock lock. */ +- .macro tlb_unlock1 spc,tmp +-#ifdef CONFIG_SMP +-98: load_pa_tlb_lock \tmp ++ /* Release page_table_lock. */ ++ .macro ptl_unlock1 spc,tmp ++#ifdef CONFIG_TLB_PTLOCK ++98: get_ptl \tmp ++ ptl_unlock0 \spc,\tmp + 99: ALTERNATIVE(98b, 99b, ALT_COND_NO_SMP, INSN_NOP) +- tlb_unlock0 \spc,\tmp + #endif + .endm + +@@ -1165,14 +1151,14 @@ dtlb_miss_20w: + + L3_ptep ptp,pte,t0,va,dtlb_check_alias_20w + +- tlb_lock spc,ptp,pte,t0,t1,dtlb_check_alias_20w ++ ptl_lock spc,ptp,pte,t0,t1,dtlb_check_alias_20w + update_accessed ptp,pte,t0,t1 + + make_insert_tlb spc,pte,prot,t1 + + idtlbt pte,prot + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1191,14 +1177,14 @@ nadtlb_miss_20w: + + L3_ptep ptp,pte,t0,va,nadtlb_check_alias_20w + +- tlb_lock spc,ptp,pte,t0,t1,nadtlb_check_alias_20w ++ ptl_lock spc,ptp,pte,t0,t1,nadtlb_check_alias_20w + update_accessed ptp,pte,t0,t1 + + make_insert_tlb spc,pte,prot,t1 + + idtlbt pte,prot + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1219,7 +1205,7 @@ dtlb_miss_11: + + L2_ptep ptp,pte,t0,va,dtlb_check_alias_11 + +- tlb_lock spc,ptp,pte,t0,t1,dtlb_check_alias_11 ++ ptl_lock spc,ptp,pte,t0,t1,dtlb_check_alias_11 + update_accessed ptp,pte,t0,t1 + + make_insert_tlb_11 spc,pte,prot +@@ -1232,7 +1218,7 @@ dtlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1252,7 +1238,7 @@ nadtlb_miss_11: + + L2_ptep ptp,pte,t0,va,nadtlb_check_alias_11 + +- tlb_lock spc,ptp,pte,t0,t1,nadtlb_check_alias_11 ++ ptl_lock spc,ptp,pte,t0,t1,nadtlb_check_alias_11 + update_accessed ptp,pte,t0,t1 + + make_insert_tlb_11 spc,pte,prot +@@ -1265,7 +1251,7 @@ nadtlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1285,7 +1271,7 @@ dtlb_miss_20: + + L2_ptep ptp,pte,t0,va,dtlb_check_alias_20 + +- tlb_lock spc,ptp,pte,t0,t1,dtlb_check_alias_20 ++ ptl_lock spc,ptp,pte,t0,t1,dtlb_check_alias_20 + update_accessed ptp,pte,t0,t1 + + make_insert_tlb spc,pte,prot,t1 +@@ -1294,7 +1280,7 @@ dtlb_miss_20: + + idtlbt pte,prot + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1313,7 +1299,7 @@ nadtlb_miss_20: + + L2_ptep ptp,pte,t0,va,nadtlb_check_alias_20 + +- tlb_lock spc,ptp,pte,t0,t1,nadtlb_check_alias_20 ++ ptl_lock spc,ptp,pte,t0,t1,nadtlb_check_alias_20 + update_accessed ptp,pte,t0,t1 + + make_insert_tlb spc,pte,prot,t1 +@@ -1322,7 +1308,7 @@ nadtlb_miss_20: + + idtlbt pte,prot + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1422,14 +1408,14 @@ itlb_miss_20w: + + L3_ptep ptp,pte,t0,va,itlb_fault + +- tlb_lock spc,ptp,pte,t0,t1,itlb_fault ++ ptl_lock spc,ptp,pte,t0,t1,itlb_fault + update_accessed ptp,pte,t0,t1 + + make_insert_tlb spc,pte,prot,t1 + + iitlbt pte,prot + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1446,14 +1432,14 @@ naitlb_miss_20w: + + L3_ptep ptp,pte,t0,va,naitlb_check_alias_20w + +- tlb_lock spc,ptp,pte,t0,t1,naitlb_check_alias_20w ++ ptl_lock spc,ptp,pte,t0,t1,naitlb_check_alias_20w + update_accessed ptp,pte,t0,t1 + + make_insert_tlb spc,pte,prot,t1 + + iitlbt pte,prot + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1474,7 +1460,7 @@ itlb_miss_11: + + L2_ptep ptp,pte,t0,va,itlb_fault + +- tlb_lock spc,ptp,pte,t0,t1,itlb_fault ++ ptl_lock spc,ptp,pte,t0,t1,itlb_fault + update_accessed ptp,pte,t0,t1 + + make_insert_tlb_11 spc,pte,prot +@@ -1487,7 +1473,7 @@ itlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1498,7 +1484,7 @@ naitlb_miss_11: + + L2_ptep ptp,pte,t0,va,naitlb_check_alias_11 + +- tlb_lock spc,ptp,pte,t0,t1,naitlb_check_alias_11 ++ ptl_lock spc,ptp,pte,t0,t1,naitlb_check_alias_11 + update_accessed ptp,pte,t0,t1 + + make_insert_tlb_11 spc,pte,prot +@@ -1511,7 +1497,7 @@ naitlb_miss_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1532,7 +1518,7 @@ itlb_miss_20: + + L2_ptep ptp,pte,t0,va,itlb_fault + +- tlb_lock spc,ptp,pte,t0,t1,itlb_fault ++ ptl_lock spc,ptp,pte,t0,t1,itlb_fault + update_accessed ptp,pte,t0,t1 + + make_insert_tlb spc,pte,prot,t1 +@@ -1541,7 +1527,7 @@ itlb_miss_20: + + iitlbt pte,prot + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1552,7 +1538,7 @@ naitlb_miss_20: + + L2_ptep ptp,pte,t0,va,naitlb_check_alias_20 + +- tlb_lock spc,ptp,pte,t0,t1,naitlb_check_alias_20 ++ ptl_lock spc,ptp,pte,t0,t1,naitlb_check_alias_20 + update_accessed ptp,pte,t0,t1 + + make_insert_tlb spc,pte,prot,t1 +@@ -1561,7 +1547,7 @@ naitlb_miss_20: + + iitlbt pte,prot + +- tlb_unlock1 spc,t0 ++ ptl_unlock1 spc,t0 + rfir + nop + +@@ -1584,14 +1570,14 @@ dbit_trap_20w: + + L3_ptep ptp,pte,t0,va,dbit_fault + +- tlb_lock spc,ptp,pte,t0,t1,dbit_fault ++ ptl_lock spc,ptp,pte,t0,t1,dbit_fault + update_dirty ptp,pte,t1 + + make_insert_tlb spc,pte,prot,t1 + + idtlbt pte,prot + +- tlb_unlock0 spc,t0 ++ ptl_unlock0 spc,t0 + rfir + nop + #else +@@ -1604,7 +1590,7 @@ dbit_trap_11: + + L2_ptep ptp,pte,t0,va,dbit_fault + +- tlb_lock spc,ptp,pte,t0,t1,dbit_fault ++ ptl_lock spc,ptp,pte,t0,t1,dbit_fault + update_dirty ptp,pte,t1 + + make_insert_tlb_11 spc,pte,prot +@@ -1617,7 +1603,7 @@ dbit_trap_11: + + mtsp t1, %sr1 /* Restore sr1 */ + +- tlb_unlock0 spc,t0 ++ ptl_unlock0 spc,t0 + rfir + nop + +@@ -1628,7 +1614,7 @@ dbit_trap_20: + + L2_ptep ptp,pte,t0,va,dbit_fault + +- tlb_lock spc,ptp,pte,t0,t1,dbit_fault ++ ptl_lock spc,ptp,pte,t0,t1,dbit_fault + update_dirty ptp,pte,t1 + + make_insert_tlb spc,pte,prot,t1 +@@ -1637,7 +1623,7 @@ dbit_trap_20: + + idtlbt pte,prot + +- tlb_unlock0 spc,t0 ++ ptl_unlock0 spc,t0 + rfir + nop + #endif +diff --git a/arch/parisc/mm/hugetlbpage.c b/arch/parisc/mm/hugetlbpage.c +index d7ba014a7fbb..43652de5f139 100644 +--- a/arch/parisc/mm/hugetlbpage.c ++++ b/arch/parisc/mm/hugetlbpage.c +@@ -142,24 +142,17 @@ static void __set_huge_pte_at(struct mm_struct *mm, unsigned long addr, + void set_huge_pte_at(struct mm_struct *mm, unsigned long addr, + pte_t *ptep, pte_t entry) + { +- unsigned long flags; +- +- spin_lock_irqsave(pgd_spinlock((mm)->pgd), flags); + __set_huge_pte_at(mm, addr, ptep, entry); +- spin_unlock_irqrestore(pgd_spinlock((mm)->pgd), flags); + } + + + pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, + pte_t *ptep) + { +- unsigned long flags; + pte_t entry; + +- spin_lock_irqsave(pgd_spinlock((mm)->pgd), flags); + entry = *ptep; + __set_huge_pte_at(mm, addr, ptep, __pte(0)); +- spin_unlock_irqrestore(pgd_spinlock((mm)->pgd), flags); + + return entry; + } +@@ -168,29 +161,23 @@ pte_t huge_ptep_get_and_clear(struct mm_struct *mm, unsigned long addr, + void huge_ptep_set_wrprotect(struct mm_struct *mm, + unsigned long addr, pte_t *ptep) + { +- unsigned long flags; + pte_t old_pte; + +- spin_lock_irqsave(pgd_spinlock((mm)->pgd), flags); + old_pte = *ptep; + __set_huge_pte_at(mm, addr, ptep, pte_wrprotect(old_pte)); +- spin_unlock_irqrestore(pgd_spinlock((mm)->pgd), flags); + } + + int huge_ptep_set_access_flags(struct vm_area_struct *vma, + unsigned long addr, pte_t *ptep, + pte_t pte, int dirty) + { +- unsigned long flags; + int changed; + struct mm_struct *mm = vma->vm_mm; + +- spin_lock_irqsave(pgd_spinlock((mm)->pgd), flags); + changed = !pte_same(*ptep, pte); + if (changed) { + __set_huge_pte_at(mm, addr, ptep, pte); + } +- spin_unlock_irqrestore(pgd_spinlock((mm)->pgd), flags); + return changed; + } + +diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c +index 319afa00cdf7..6a083fc87a03 100644 +--- a/arch/parisc/mm/init.c ++++ b/arch/parisc/mm/init.c +@@ -37,11 +37,6 @@ extern int data_start; + extern void parisc_kernel_start(void); /* Kernel entry point in head.S */ + + #if CONFIG_PGTABLE_LEVELS == 3 +-/* NOTE: This layout exactly conforms to the hybrid L2/L3 page table layout +- * with the first pmd adjacent to the pgd and below it. gcc doesn't actually +- * guarantee that global objects will be laid out in memory in the same order +- * as the order of declaration, so put these in different sections and use +- * the linker script to order them. */ + pmd_t pmd0[PTRS_PER_PMD] __section(".data..vm0.pmd") __attribute__ ((aligned(PAGE_SIZE))); + #endif + +@@ -558,6 +553,11 @@ void __init mem_init(void) + BUILD_BUG_ON(PGD_ENTRY_SIZE != sizeof(pgd_t)); + BUILD_BUG_ON(PAGE_SHIFT + BITS_PER_PTE + BITS_PER_PMD + BITS_PER_PGD + > BITS_PER_LONG); ++#if CONFIG_PGTABLE_LEVELS == 3 ++ BUILD_BUG_ON(PT_INITIAL > PTRS_PER_PMD); ++#else ++ BUILD_BUG_ON(PT_INITIAL > PTRS_PER_PGD); ++#endif + + high_memory = __va((max_pfn << PAGE_SHIFT)); + set_max_mapnr(max_low_pfn); +-- +2.35.1 + diff --git a/queue-5.10/pinctrl-sunxi-fix-name-for-a100-r_pio.patch b/queue-5.10/pinctrl-sunxi-fix-name-for-a100-r_pio.patch new file mode 100644 index 00000000000..0551bcfb4d5 --- /dev/null +++ b/queue-5.10/pinctrl-sunxi-fix-name-for-a100-r_pio.patch @@ -0,0 +1,38 @@ +From 18b586b48c6b0211df1aa40a275e9ba22eb30dbf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 10:45:41 +0800 +Subject: pinctrl: sunxi: Fix name for A100 R_PIO + +From: Michael Wu + +[ Upstream commit 76648c867c6c03b8a468d9c9222025873ecc613d ] + +The name of A100 R_PIO driver should be sun50i-a100-r-pinctrl, +not sun50iw10p1-r-pinctrl. + +Fixes: 473436e7647d6 ("pinctrl: sunxi: add support for the Allwinner A100 pin controller") +Signed-off-by: Michael Wu +Acked-by: Samuel Holland +Link: https://lore.kernel.org/r/20220819024541.74191-1-michael@allwinnertech.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c b/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c +index 21054fcacd34..18088f6f44b2 100644 +--- a/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c +@@ -98,7 +98,7 @@ MODULE_DEVICE_TABLE(of, a100_r_pinctrl_match); + static struct platform_driver a100_r_pinctrl_driver = { + .probe = a100_r_pinctrl_probe, + .driver = { +- .name = "sun50iw10p1-r-pinctrl", ++ .name = "sun50i-a100-r-pinctrl", + .of_match_table = a100_r_pinctrl_match, + }, + }; +-- +2.35.1 + diff --git a/queue-5.10/platform-x86-intel-hid-add-quirk-to-support-surface-.patch b/queue-5.10/platform-x86-intel-hid-add-quirk-to-support-surface-.patch new file mode 100644 index 00000000000..4f9d135ae15 --- /dev/null +++ b/queue-5.10/platform-x86-intel-hid-add-quirk-to-support-surface-.patch @@ -0,0 +1,44 @@ +From c0869381df903bd8d36840766c8f4721f63a0e33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 14:28:10 -0700 +Subject: platform/x86/intel: hid: add quirk to support Surface Go 3 + +From: Alex Hung + +[ Upstream commit 01e16cb67cce68afaeb9c7bed72299036dbb0bc1 ] + +Similar to other systems Surface Go 3 requires a DMI quirk to enable +5 button array for power and volume buttons. + +Buglink: https://github.com/linux-surface/linux-surface/issues/595 + +Cc: stable@vger.kernel.org +Signed-off-by: Alex Hung +Link: https://lore.kernel.org/r/20211203212810.2666508-1-alex.hung@canonical.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/intel-hid.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/platform/x86/intel-hid.c b/drivers/platform/x86/intel-hid.c +index 8a0cd5bf0065..cebddefba2f4 100644 +--- a/drivers/platform/x86/intel-hid.c ++++ b/drivers/platform/x86/intel-hid.c +@@ -93,6 +93,13 @@ static const struct dmi_system_id button_array_table[] = { + DMI_MATCH(DMI_PRODUCT_FAMILY, "ThinkPad X1 Tablet Gen 2"), + }, + }, ++ { ++ .ident = "Microsoft Surface Go 3", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Microsoft Corporation"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Surface Go 3"), ++ }, ++ }, + { } + }; + +-- +2.35.1 + diff --git a/queue-5.10/powerpc-pseries-mobility-ignore-ibm-platform-facilit.patch b/queue-5.10/powerpc-pseries-mobility-ignore-ibm-platform-facilit.patch new file mode 100644 index 00000000000..807e982efe7 --- /dev/null +++ b/queue-5.10/powerpc-pseries-mobility-ignore-ibm-platform-facilit.patch @@ -0,0 +1,181 @@ +From 22fcef10448ce0354437bde5b51f0da3ea7c0358 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 14:47:03 -0500 +Subject: powerpc/pseries/mobility: ignore ibm, platform-facilities updates +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nathan Lynch + +[ Upstream commit 319fa1a52e438a6e028329187783a25ad498c4e6 ] + +On VMs with NX encryption, compression, and/or RNG offload, these +capabilities are described by nodes in the ibm,platform-facilities device +tree hierarchy: + + $ tree -d /sys/firmware/devicetree/base/ibm,platform-facilities/ + /sys/firmware/devicetree/base/ibm,platform-facilities/ + ├── ibm,compression-v1 + ├── ibm,random-v1 + └── ibm,sym-encryption-v1 + + 3 directories + +The acceleration functions that these nodes describe are not disrupted by +live migration, not even temporarily. + +But the post-migration ibm,update-nodes sequence firmware always sends +"delete" messages for this hierarchy, followed by an "add" directive to +reconstruct it via ibm,configure-connector (log with debugging statements +enabled in mobility.c): + + mobility: removing node /ibm,platform-facilities/ibm,random-v1:4294967285 + mobility: removing node /ibm,platform-facilities/ibm,compression-v1:4294967284 + mobility: removing node /ibm,platform-facilities/ibm,sym-encryption-v1:4294967283 + mobility: removing node /ibm,platform-facilities:4294967286 + ... + mobility: added node /ibm,platform-facilities:4294967286 + +Note we receive a single "add" message for the entire hierarchy, and what +we receive from the ibm,configure-connector sequence is the top-level +platform-facilities node along with its three children. The debug message +simply reports the parent node and not the whole subtree. + +Also, significantly, the nodes added are almost completely equivalent to +the ones removed; even phandles are unchanged. ibm,shared-interrupt-pool in +the leaf nodes is the only property I've observed to differ, and Linux does +not use that. So in practice, the sum of update messages Linux receives for +this hierarchy is equivalent to minor property updates. + +We succeed in removing the original hierarchy from the device tree. But the +vio bus code is ignorant of this, and does not unbind or relinquish its +references. The leaf nodes, still reachable through sysfs, of course still +refer to the now-freed ibm,platform-facilities parent node, which makes +use-after-free possible: + + refcount_t: addition on 0; use-after-free. + WARNING: CPU: 3 PID: 1706 at lib/refcount.c:25 refcount_warn_saturate+0x164/0x1f0 + refcount_warn_saturate+0x160/0x1f0 (unreliable) + kobject_get+0xf0/0x100 + of_node_get+0x30/0x50 + of_get_parent+0x50/0xb0 + of_fwnode_get_parent+0x54/0x90 + fwnode_count_parents+0x50/0x150 + fwnode_full_name_string+0x30/0x110 + device_node_string+0x49c/0x790 + vsnprintf+0x1c0/0x4c0 + sprintf+0x44/0x60 + devspec_show+0x34/0x50 + dev_attr_show+0x40/0xa0 + sysfs_kf_seq_show+0xbc/0x200 + kernfs_seq_show+0x44/0x60 + seq_read_iter+0x2a4/0x740 + kernfs_fop_read_iter+0x254/0x2e0 + new_sync_read+0x120/0x190 + vfs_read+0x1d0/0x240 + +Moreover, the "new" replacement subtree is not correctly added to the +device tree, resulting in ibm,platform-facilities parent node without the +appropriate leaf nodes, and broken symlinks in the sysfs device hierarchy: + + $ tree -d /sys/firmware/devicetree/base/ibm,platform-facilities/ + /sys/firmware/devicetree/base/ibm,platform-facilities/ + + 0 directories + + $ cd /sys/devices/vio ; find . -xtype l -exec file {} + + ./ibm,sym-encryption-v1/of_node: broken symbolic link to + ../../../firmware/devicetree/base/ibm,platform-facilities/ibm,sym-encryption-v1 + ./ibm,random-v1/of_node: broken symbolic link to + ../../../firmware/devicetree/base/ibm,platform-facilities/ibm,random-v1 + ./ibm,compression-v1/of_node: broken symbolic link to + ../../../firmware/devicetree/base/ibm,platform-facilities/ibm,compression-v1 + +This is because add_dt_node() -> dlpar_attach_node() attaches only the +parent node returned from configure-connector, ignoring any children. This +should be corrected for the general case, but fixing that won't help with +the stale OF node references, which is the more urgent problem. + +One way to address that would be to make the drivers respond to node +removal notifications, so that node references can be dropped +appropriately. But this would likely force the drivers to disrupt active +clients for no useful purpose: equivalent nodes are immediately re-added. +And recall that the acceleration capabilities described by the nodes remain +available throughout the whole process. + +The solution I believe to be robust for this situation is to convert +remove+add of a node with an unchanged phandle to an update of the node's +properties in the Linux device tree structure. That would involve changing +and adding a fair amount of code, and may take several iterations to land. + +Until that can be realized we have a confirmed use-after-free and the +possibility of memory corruption. So add a limited workaround that +discriminates on the node type, ignoring adds and removes. This should be +amenable to backporting in the meantime. + +Fixes: 410bccf97881 ("powerpc/pseries: Partition migration in the kernel") +Cc: stable@vger.kernel.org +Signed-off-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211020194703.2613093-1-nathanl@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/mobility.c | 34 +++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c +index acf1664d1ad7..f386a7bc3811 100644 +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -61,6 +61,27 @@ static int mobility_rtas_call(int token, char *buf, s32 scope) + + static int delete_dt_node(struct device_node *dn) + { ++ struct device_node *pdn; ++ bool is_platfac; ++ ++ pdn = of_get_parent(dn); ++ is_platfac = of_node_is_type(dn, "ibm,platform-facilities") || ++ of_node_is_type(pdn, "ibm,platform-facilities"); ++ of_node_put(pdn); ++ ++ /* ++ * The drivers that bind to nodes in the platform-facilities ++ * hierarchy don't support node removal, and the removal directive ++ * from firmware is always followed by an add of an equivalent ++ * node. The capability (e.g. RNG, encryption, compression) ++ * represented by the node is never interrupted by the migration. ++ * So ignore changes to this part of the tree. ++ */ ++ if (is_platfac) { ++ pr_notice("ignoring remove operation for %pOFfp\n", dn); ++ return 0; ++ } ++ + pr_debug("removing node %pOFfp\n", dn); + dlpar_detach_node(dn); + return 0; +@@ -219,6 +240,19 @@ static int add_dt_node(struct device_node *parent_dn, __be32 drc_index) + if (!dn) + return -ENOENT; + ++ /* ++ * Since delete_dt_node() ignores this node type, this is the ++ * necessary counterpart. We also know that a platform-facilities ++ * node returned from dlpar_configure_connector() has children ++ * attached, and dlpar_attach_node() only adds the parent, leaking ++ * the children. So ignore these on the add side for now. ++ */ ++ if (of_node_is_type(dn, "ibm,platform-facilities")) { ++ pr_notice("ignoring add operation for %pOF\n", dn); ++ dlpar_free_cc_nodes(dn); ++ return 0; ++ } ++ + rc = dlpar_attach_node(dn, parent_dn); + if (rc) + dlpar_free_cc_nodes(dn); +-- +2.35.1 + diff --git a/queue-5.10/powerpc-pseries-mobility-refactor-node-lookup-during.patch b/queue-5.10/powerpc-pseries-mobility-refactor-node-lookup-during.patch new file mode 100644 index 00000000000..57c01099047 --- /dev/null +++ b/queue-5.10/powerpc-pseries-mobility-refactor-node-lookup-during.patch @@ -0,0 +1,154 @@ +From ef6f77afc7f045ccc8f3d1ac9877987e2f894937 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Dec 2020 15:52:00 -0600 +Subject: powerpc/pseries/mobility: refactor node lookup during DT update + +From: Nathan Lynch + +[ Upstream commit 2efd7f6eb9b7107e469837d8452e750d7d080a5d ] + +In pseries_devicetree_update(), with each call to ibm,update-nodes the +partition firmware communicates the node to be deleted or updated by +placing its phandle in the work buffer. Each of delete_dt_node(), +update_dt_node(), and add_dt_node() have duplicate lookups using the +phandle value and corresponding refcount management. + +Move the lookup and of_node_put() into pseries_devicetree_update(), +and emit a warning on any failed lookups. + +Signed-off-by: Nathan Lynch +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201207215200.1785968-29-nathanl@linux.ibm.com +Stable-dep-of: 319fa1a52e43 ("powerpc/pseries/mobility: ignore ibm, platform-facilities updates") +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/mobility.c | 49 ++++++++--------------- + 1 file changed, 17 insertions(+), 32 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/mobility.c b/arch/powerpc/platforms/pseries/mobility.c +index 2f73cb5bf12d..acf1664d1ad7 100644 +--- a/arch/powerpc/platforms/pseries/mobility.c ++++ b/arch/powerpc/platforms/pseries/mobility.c +@@ -59,18 +59,10 @@ static int mobility_rtas_call(int token, char *buf, s32 scope) + return rc; + } + +-static int delete_dt_node(__be32 phandle) ++static int delete_dt_node(struct device_node *dn) + { +- struct device_node *dn; +- +- dn = of_find_node_by_phandle(be32_to_cpu(phandle)); +- if (!dn) +- return -ENOENT; +- + pr_debug("removing node %pOFfp\n", dn); +- + dlpar_detach_node(dn); +- of_node_put(dn); + return 0; + } + +@@ -135,10 +127,9 @@ static int update_dt_property(struct device_node *dn, struct property **prop, + return 0; + } + +-static int update_dt_node(__be32 phandle, s32 scope) ++static int update_dt_node(struct device_node *dn, s32 scope) + { + struct update_props_workarea *upwa; +- struct device_node *dn; + struct property *prop = NULL; + int i, rc, rtas_rc; + char *prop_data; +@@ -155,14 +146,8 @@ static int update_dt_node(__be32 phandle, s32 scope) + if (!rtas_buf) + return -ENOMEM; + +- dn = of_find_node_by_phandle(be32_to_cpu(phandle)); +- if (!dn) { +- kfree(rtas_buf); +- return -ENOENT; +- } +- + upwa = (struct update_props_workarea *)&rtas_buf[0]; +- upwa->phandle = phandle; ++ upwa->phandle = cpu_to_be32(dn->phandle); + + do { + rtas_rc = mobility_rtas_call(update_properties_token, rtas_buf, +@@ -221,26 +206,18 @@ static int update_dt_node(__be32 phandle, s32 scope) + cond_resched(); + } while (rtas_rc == 1); + +- of_node_put(dn); + kfree(rtas_buf); + return 0; + } + +-static int add_dt_node(__be32 parent_phandle, __be32 drc_index) ++static int add_dt_node(struct device_node *parent_dn, __be32 drc_index) + { + struct device_node *dn; +- struct device_node *parent_dn; + int rc; + +- parent_dn = of_find_node_by_phandle(be32_to_cpu(parent_phandle)); +- if (!parent_dn) +- return -ENOENT; +- + dn = dlpar_configure_connector(drc_index, parent_dn); +- if (!dn) { +- of_node_put(parent_dn); ++ if (!dn) + return -ENOENT; +- } + + rc = dlpar_attach_node(dn, parent_dn); + if (rc) +@@ -248,7 +225,6 @@ static int add_dt_node(__be32 parent_phandle, __be32 drc_index) + + pr_debug("added node %pOFfp\n", dn); + +- of_node_put(parent_dn); + return rc; + } + +@@ -281,22 +257,31 @@ int pseries_devicetree_update(s32 scope) + data++; + + for (i = 0; i < node_count; i++) { ++ struct device_node *np; + __be32 phandle = *data++; + __be32 drc_index; + ++ np = of_find_node_by_phandle(be32_to_cpu(phandle)); ++ if (!np) { ++ pr_warn("Failed lookup: phandle 0x%x for action 0x%x\n", ++ be32_to_cpu(phandle), action); ++ continue; ++ } ++ + switch (action) { + case DELETE_DT_NODE: +- delete_dt_node(phandle); ++ delete_dt_node(np); + break; + case UPDATE_DT_NODE: +- update_dt_node(phandle, scope); ++ update_dt_node(np, scope); + break; + case ADD_DT_NODE: + drc_index = *data++; +- add_dt_node(phandle, drc_index); ++ add_dt_node(np, drc_index); + break; + } + ++ of_node_put(np); + cond_resched(); + } + } +-- +2.35.1 + diff --git a/queue-5.10/serial-8250-fix-reporting-real-baudrate-value-in-c_o.patch b/queue-5.10/serial-8250-fix-reporting-real-baudrate-value-in-c_o.patch new file mode 100644 index 00000000000..6d10ab849ed --- /dev/null +++ b/queue-5.10/serial-8250-fix-reporting-real-baudrate-value-in-c_o.patch @@ -0,0 +1,84 @@ +From b29f6305c471c758a77a72ee7bc03cdc0331e8db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 11:37:04 +0200 +Subject: serial: 8250: Fix reporting real baudrate value in c_ospeed field +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 32262e2e429cdb31f9e957e997d53458762931b7 ] + +In most cases it is not possible to set exact baudrate value to hardware. + +So fix reporting real baudrate value which was set to hardware via c_ospeed +termios field. It can be retrieved by ioctl(TCGETS2) from userspace. + +Real baudrate value is calculated from chosen hardware divisor and base +clock. It is implemented in a new function serial8250_compute_baud_rate() +which is inverse of serial8250_get_divisor() function. + +With this change is fixed also UART timeout value (it is updated via +uart_update_timeout() function), which is calculated from the now fixed +baudrate value too. + +Cc: stable@vger.kernel.org +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20210927093704.19768-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_port.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 9d60418e4adb..eaf4eb33a78d 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2547,6 +2547,19 @@ static unsigned int serial8250_get_divisor(struct uart_port *port, + return serial8250_do_get_divisor(port, baud, frac); + } + ++static unsigned int serial8250_compute_baud_rate(struct uart_port *port, ++ unsigned int quot) ++{ ++ if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8001) ++ return port->uartclk / 4; ++ else if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8002) ++ return port->uartclk / 8; ++ else if (port->type == PORT_NPCM) ++ return DIV_ROUND_CLOSEST(port->uartclk - 2 * (quot + 2), 16 * (quot + 2)); ++ else ++ return DIV_ROUND_CLOSEST(port->uartclk, 16 * quot); ++} ++ + static unsigned char serial8250_compute_lcr(struct uart_8250_port *up, + tcflag_t c_cflag) + { +@@ -2688,11 +2701,14 @@ void serial8250_update_uartclk(struct uart_port *port, unsigned int uartclk) + + baud = serial8250_get_baud_rate(port, termios, NULL); + quot = serial8250_get_divisor(port, baud, &frac); ++ baud = serial8250_compute_baud_rate(port, quot); + + serial8250_rpm_get(up); + spin_lock_irqsave(&port->lock, flags); + + uart_update_timeout(port, termios->c_cflag, baud); ++ if (tty_termios_baud_rate(termios)) ++ tty_termios_encode_baud_rate(termios, baud, baud); + + serial8250_set_divisor(port, baud, quot, frac); + serial_port_out(port, UART_LCR, up->lcr); +@@ -2726,6 +2742,7 @@ serial8250_do_set_termios(struct uart_port *port, struct ktermios *termios, + + baud = serial8250_get_baud_rate(port, termios, old); + quot = serial8250_get_divisor(port, baud, &frac); ++ baud = serial8250_compute_baud_rate(port, quot); + + /* + * Ok, we're now changing the port state. Do it with +-- +2.35.1 + diff --git a/queue-5.10/series b/queue-5.10/series index e69de29bb2d..f321d73c09e 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -0,0 +1,19 @@ +kvm-ppc-book3s-hv-context-tracking-exit-guest-contex.patch +kvm-ppc-tick-accounting-should-defer-vtime-accountin.patch +serial-8250-fix-reporting-real-baudrate-value-in-c_o.patch +parisc-optimize-per-pagetable-spinlocks.patch +parisc-flush-kernel-data-mapping-in-set_pte_at-when-.patch +dmaengine-bestcomm-fix-system-boot-lockups.patch +powerpc-pseries-mobility-refactor-node-lookup-during.patch +powerpc-pseries-mobility-ignore-ibm-platform-facilit.patch +usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-ca.patch +platform-x86-intel-hid-add-quirk-to-support-surface-.patch +net-dsa-mv88e6xxx-allow-use-of-phys-on-cpu-and-dsa-p.patch +of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch +pinctrl-sunxi-fix-name-for-a100-r_pio.patch +nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch +gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch +drm-meson-correct-osd1-global-alpha-value.patch +drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch +parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch +tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch diff --git a/queue-5.10/tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch b/queue-5.10/tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch new file mode 100644 index 00000000000..b2b751b389d --- /dev/null +++ b/queue-5.10/tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch @@ -0,0 +1,60 @@ +From e13a74b34317a6572324b769aad4c5e657504a89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 18:45:14 +0800 +Subject: tracing: hold caller_addr to hardirq_{enable,disable}_ip + +From: Yipeng Zou + +[ Upstream commit 54c3931957f6a6194d5972eccc36d052964b2abe ] + +Currently, The arguments passing to lockdep_hardirqs_{on,off} was fixed +in CALLER_ADDR0. +The function trace_hardirqs_on_caller should have been intended to use +caller_addr to represent the address that caller wants to be traced. + +For example, lockdep log in riscv showing the last {enabled,disabled} at +__trace_hardirqs_{on,off} all the time(if called by): +[ 57.853175] hardirqs last enabled at (2519): __trace_hardirqs_on+0xc/0x14 +[ 57.853848] hardirqs last disabled at (2520): __trace_hardirqs_off+0xc/0x14 + +After use trace_hardirqs_xx_caller, we can get more effective information: +[ 53.781428] hardirqs last enabled at (2595): restore_all+0xe/0x66 +[ 53.782185] hardirqs last disabled at (2596): ret_from_exception+0xa/0x10 + +Link: https://lkml.kernel.org/r/20220901104515.135162-2-zouyipeng@huawei.com + +Cc: stable@vger.kernel.org +Fixes: c3bc8fd637a96 ("tracing: Centralize preemptirq tracepoints and unify their usage") +Signed-off-by: Yipeng Zou +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_preemptirq.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/kernel/trace/trace_preemptirq.c b/kernel/trace/trace_preemptirq.c +index f4938040c228..3aa55b807560 100644 +--- a/kernel/trace/trace_preemptirq.c ++++ b/kernel/trace/trace_preemptirq.c +@@ -94,15 +94,15 @@ __visible void trace_hardirqs_on_caller(unsigned long caller_addr) + this_cpu_write(tracing_irq_cpu, 0); + } + +- lockdep_hardirqs_on_prepare(CALLER_ADDR0); +- lockdep_hardirqs_on(CALLER_ADDR0); ++ lockdep_hardirqs_on_prepare(caller_addr); ++ lockdep_hardirqs_on(caller_addr); + } + EXPORT_SYMBOL(trace_hardirqs_on_caller); + NOKPROBE_SYMBOL(trace_hardirqs_on_caller); + + __visible void trace_hardirqs_off_caller(unsigned long caller_addr) + { +- lockdep_hardirqs_off(CALLER_ADDR0); ++ lockdep_hardirqs_off(caller_addr); + + if (!this_cpu_read(tracing_irq_cpu)) { + this_cpu_write(tracing_irq_cpu, 1); +-- +2.35.1 + diff --git a/queue-5.10/usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-ca.patch b/queue-5.10/usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-ca.patch new file mode 100644 index 00000000000..a60bc921bff --- /dev/null +++ b/queue-5.10/usb-cdns3-gadget-fix-new-urb-never-complete-if-ep-ca.patch @@ -0,0 +1,102 @@ +From f019ee5569364f80d877025dcc5223a7126ac720 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 09:42:39 -0600 +Subject: usb: cdns3: gadget: fix new urb never complete if ep cancel previous + requests + +From: Frank Li + +[ Upstream commit 387c2b6ba197c6df28e75359f7d892f7c8dec204 ] + +This issue was found at android12 MTP. +1. MTP submit many out urb request. +2. Cancel left requests (>20) when enough data get from host +3. Send ACK by IN endpoint. +4. MTP submit new out urb request. +5. 4's urb never complete. + +TRACE LOG: + +MtpServer-2157 [000] d..3 1287.150391: cdns3_ep_dequeue: ep1out: req: 00000000299e6836, req buff 000000009df42287, length: 0/16384 zsi, status: -115, trb: [start:87, end:87: virt addr 0x80004000ffd50420], flags:1 SID: 0 +MtpServer-2157 [000] d..3 1287.150410: cdns3_gadget_giveback: ep1out: req: 00000000299e6836, req buff 000000009df42287, length: 0/16384 zsi, status: -104, trb: [start:87, end:87: virt addr 0x80004000ffd50420], flags:0 SID: 0 +MtpServer-2157 [000] d..3 1287.150433: cdns3_ep_dequeue: ep1out: req: 0000000080b7bde6, req buff 000000009ed5c556, length: 0/16384 zsi, status: -115, trb: [start:88, end:88: virt addr 0x80004000ffd5042c], flags:1 SID: 0 +MtpServer-2157 [000] d..3 1287.150446: cdns3_gadget_giveback: ep1out: req: 0000000080b7bde6, req buff 000000009ed5c556, length: 0/16384 zsi, status: -104, trb: [start:88, end:88: virt addr 0x80004000ffd5042c], flags:0 SID: 0 + .... +MtpServer-2157 [000] d..1 1293.630410: cdns3_alloc_request: ep1out: req: 00000000afbccb7d, req buff 0000000000000000, length: 0/0 zsi, status: 0, trb: [start:0, end:0: virt addr (null)], flags:0 SID: 0 +MtpServer-2157 [000] d..2 1293.630421: cdns3_ep_queue: ep1out: req: 00000000afbccb7d, req buff 00000000871caf90, length: 0/512 zsi, status: -115, trb: [start:0, end:0: virt addr (null)], flags:0 SID: 0 +MtpServer-2157 [000] d..2 1293.630445: cdns3_wa1: WA1: ep1out set guard +MtpServer-2157 [000] d..2 1293.630450: cdns3_wa1: WA1: ep1out restore cycle bit +MtpServer-2157 [000] d..2 1293.630453: cdns3_prepare_trb: ep1out: trb 000000007317b3ee, dma buf: 0xffd5bc00, size: 512, burst: 128 ctrl: 0x00000424 (C=0, T=0, ISP, IOC, Normal) SID:0 LAST_SID:0 +MtpServer-2157 [000] d..2 1293.630460: cdns3_doorbell_epx: ep1out, ep_trbaddr ffd50414 + .... +irq/241-5b13000-2154 [000] d..1 1293.680849: cdns3_epx_irq: IRQ for ep1out: 01000408 ISP , ep_traddr: ffd508ac ep_last_sid: 00000000 use_streams: 0 +irq/241-5b13000-2154 [000] d..1 1293.680858: cdns3_complete_trb: ep1out: trb 0000000021a11b54, dma buf: 0xffd50420, size: 16384, burst: 128 ctrl: 0x00001810 (C=0, T=0, CHAIN, LINK) SID:0 LAST_SID:0 +irq/241-5b13000-2154 [000] d..1 1293.680865: cdns3_request_handled: Req: 00000000afbccb7d not handled, DMA pos: 185, ep deq: 88, ep enq: 185, start trb: 184, end trb: 184 + +Actually DMA pos already bigger than previous submit request afbccb7d's TRB (184-184). The reason of (not handled) is that deq position is wrong. + +The TRB link is below when irq happen. + + DEQ LINK LINK LINK LINK LINK .... TRB(afbccb7d):START DMA(EP_TRADDR). + +Original code check LINK TRB, but DEQ just move one step. + + LINK DEQ LINK LINK LINK LINK .... TRB(afbccb7d):START DMA(EP_TRADDR). + +This patch skip all LINK TRB and sync DEQ to trb's start. + + LINK LINK LINK LINK LINK .... DEQ = TRB(afbccb7d):START DMA(EP_TRADDR). + +Acked-by: Peter Chen +Cc: stable +Signed-off-by: Frank Li +Signed-off-by: Jun Li +Link: https://lore.kernel.org/r/20211130154239.8029-1-Frank.Li@nxp.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/cdns3/gadget.c | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +diff --git a/drivers/usb/cdns3/gadget.c b/drivers/usb/cdns3/gadget.c +index a37ea946459c..c6fc14b169da 100644 +--- a/drivers/usb/cdns3/gadget.c ++++ b/drivers/usb/cdns3/gadget.c +@@ -352,19 +352,6 @@ static void cdns3_ep_inc_deq(struct cdns3_endpoint *priv_ep) + cdns3_ep_inc_trb(&priv_ep->dequeue, &priv_ep->ccs, priv_ep->num_trbs); + } + +-static void cdns3_move_deq_to_next_trb(struct cdns3_request *priv_req) +-{ +- struct cdns3_endpoint *priv_ep = priv_req->priv_ep; +- int current_trb = priv_req->start_trb; +- +- while (current_trb != priv_req->end_trb) { +- cdns3_ep_inc_deq(priv_ep); +- current_trb = priv_ep->dequeue; +- } +- +- cdns3_ep_inc_deq(priv_ep); +-} +- + /** + * cdns3_allow_enable_l1 - enable/disable permits to transition to L1. + * @priv_dev: Extended gadget object +@@ -1518,10 +1505,11 @@ static void cdns3_transfer_completed(struct cdns3_device *priv_dev, + + trb = priv_ep->trb_pool + priv_ep->dequeue; + +- /* Request was dequeued and TRB was changed to TRB_LINK. */ +- if (TRB_FIELD_TO_TYPE(le32_to_cpu(trb->control)) == TRB_LINK) { ++ /* The TRB was changed as link TRB, and the request was handled at ep_dequeue */ ++ while (TRB_FIELD_TO_TYPE(le32_to_cpu(trb->control)) == TRB_LINK) { + trace_cdns3_complete_trb(priv_ep, trb); +- cdns3_move_deq_to_next_trb(priv_req); ++ cdns3_ep_inc_deq(priv_ep); ++ trb = priv_ep->trb_pool + priv_ep->dequeue; + } + + if (!request->stream_id) { +-- +2.35.1 + diff --git a/queue-5.15/arm64-kexec_file-use-more-system-keyrings-to-verify-.patch b/queue-5.15/arm64-kexec_file-use-more-system-keyrings-to-verify-.patch new file mode 100644 index 00000000000..400e08450c6 --- /dev/null +++ b/queue-5.15/arm64-kexec_file-use-more-system-keyrings-to-verify-.patch @@ -0,0 +1,74 @@ +From 8563af973a0b127e5fef22dd255ce2936d45e6ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jul 2022 21:40:26 +0800 +Subject: arm64: kexec_file: use more system keyrings to verify kernel image + signature + +From: Coiby Xu + +[ Upstream commit 0d519cadf75184a24313568e7f489a7fc9b1be3b ] + +Currently, when loading a kernel image via the kexec_file_load() system +call, arm64 can only use the .builtin_trusted_keys keyring to verify +a signature whereas x86 can use three more keyrings i.e. +.secondary_trusted_keys, .machine and .platform keyrings. For example, +one resulting problem is kexec'ing a kernel image would be rejected +with the error "Lockdown: kexec: kexec of unsigned images is restricted; +see man kernel_lockdown.7". + +This patch set enables arm64 to make use of the same keyrings as x86 to +verify the signature kexec'ed kernel image. + +Fixes: 732b7b93d849 ("arm64: kexec_file: add kernel signature verification support") +Cc: stable@vger.kernel.org # 105e10e2cf1c: kexec_file: drop weak attribute from functions +Cc: stable@vger.kernel.org # 34d5960af253: kexec: clean up arch_kexec_kernel_verify_sig +Cc: stable@vger.kernel.org # 83b7bb2d49ae: kexec, KEYS: make the code in bzImage64_verify_sig generic +Acked-by: Baoquan He +Cc: kexec@lists.infradead.org +Cc: keyrings@vger.kernel.org +Cc: linux-security-module@vger.kernel.org +Co-developed-by: Michal Suchanek +Signed-off-by: Michal Suchanek +Acked-by: Will Deacon +Signed-off-by: Coiby Xu +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/kexec_image.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/arch/arm64/kernel/kexec_image.c b/arch/arm64/kernel/kexec_image.c +index 9ec34690e255..5ed6a585f21f 100644 +--- a/arch/arm64/kernel/kexec_image.c ++++ b/arch/arm64/kernel/kexec_image.c +@@ -14,7 +14,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -130,18 +129,10 @@ static void *image_load(struct kimage *image, + return NULL; + } + +-#ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG +-static int image_verify_sig(const char *kernel, unsigned long kernel_len) +-{ +- return verify_pefile_signature(kernel, kernel_len, NULL, +- VERIFYING_KEXEC_PE_SIGNATURE); +-} +-#endif +- + const struct kexec_file_ops kexec_image_ops = { + .probe = image_probe, + .load = image_load, + #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG +- .verify_sig = image_verify_sig, ++ .verify_sig = kexec_kernel_verify_pe_sig, + #endif + }; +-- +2.35.1 + diff --git a/queue-5.15/block-blk_queue_enter-__bio_queue_enter-must-return-.patch b/queue-5.15/block-blk_queue_enter-__bio_queue_enter-must-return-.patch new file mode 100644 index 00000000000..974c38e5685 --- /dev/null +++ b/queue-5.15/block-blk_queue_enter-__bio_queue_enter-must-return-.patch @@ -0,0 +1,55 @@ +From d2fdbf144987da632fbf09374518091755a1d71d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 09:53:25 -0700 +Subject: block: blk_queue_enter() / __bio_queue_enter() must return -EAGAIN + for nowait + +From: Stefan Roesch + +[ Upstream commit 56f99b8d06ef1ed1c9730948f9f05ac2b930a20b ] + +Today blk_queue_enter() and __bio_queue_enter() return -EBUSY for the +nowait code path. This is not correct: they should return -EAGAIN +instead. + +This problem was detected by fio. The following command exposed the +above problem: + +t/io_uring -p0 -d128 -b4096 -s32 -c32 -F1 -B0 -R0 -X1 -n24 -P1 -u1 -O0 /dev/ng0n1 + +By applying the patch, the retry case is handled correctly in the slow +path. + +Signed-off-by: Stefan Roesch +Fixes: bfd343aa1718 ("blk-mq: don't wait in blk_mq_queue_enter() if __GFP_WAIT isn't set") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index 5009b9f1c3c9..13e1fca1e923 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -447,7 +447,7 @@ int blk_queue_enter(struct request_queue *q, blk_mq_req_flags_t flags) + + while (!blk_try_enter_queue(q, pm)) { + if (flags & BLK_MQ_REQ_NOWAIT) +- return -EBUSY; ++ return -EAGAIN; + + /* + * read pair of barrier in blk_freeze_queue_start(), we need to +@@ -478,7 +478,7 @@ static inline int bio_queue_enter(struct bio *bio) + if (test_bit(GD_DEAD, &disk->state)) + goto dead; + bio_wouldblock_error(bio); +- return -EBUSY; ++ return -EAGAIN; + } + + /* +-- +2.35.1 + diff --git a/queue-5.15/drm-meson-correct-osd1-global-alpha-value.patch b/queue-5.15/drm-meson-correct-osd1-global-alpha-value.patch new file mode 100644 index 00000000000..976955acee3 --- /dev/null +++ b/queue-5.15/drm-meson-correct-osd1-global-alpha-value.patch @@ -0,0 +1,40 @@ +From cc44f0ea373abad530aa9d9a5a86065651495c30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:51:03 +0100 +Subject: drm/meson: Correct OSD1 global alpha value + +From: Stuart Menefy + +[ Upstream commit 6836829c8ea453c9e3e518e61539e35881c8ed5f ] + +VIU_OSD1_CTRL_STAT.GLOBAL_ALPHA is a 9 bit field, so the maximum +value is 0x100 not 0xff. + +This matches the vendor kernel. + +Signed-off-by: Stuart Menefy +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220908155103.686904-1-stuart.menefy@mathembedded.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_plane.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c +index 8640a8a8a469..44aa52629443 100644 +--- a/drivers/gpu/drm/meson/meson_plane.c ++++ b/drivers/gpu/drm/meson/meson_plane.c +@@ -168,7 +168,7 @@ static void meson_plane_atomic_update(struct drm_plane *plane, + + /* Enable OSD and BLK0, set max global alpha */ + priv->viu.osd1_ctrl_stat = OSD_ENABLE | +- (0xFF << OSD_GLOBAL_ALPHA_SHIFT) | ++ (0x100 << OSD_GLOBAL_ALPHA_SHIFT) | + OSD_BLK0_ENABLE; + + priv->viu.osd1_ctrl_stat2 = readl(priv->io_base + +-- +2.35.1 + diff --git a/queue-5.15/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch b/queue-5.15/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch new file mode 100644 index 00000000000..4c606b6f967 --- /dev/null +++ b/queue-5.15/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch @@ -0,0 +1,47 @@ +From c60c09fb70056b27d0f487e7b49d8eb72a515ba4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:52:43 +0100 +Subject: drm/meson: Fix OSD1 RGB to YCbCr coefficient + +From: Stuart Menefy + +[ Upstream commit 6463d3930ba5b6addcfc8f80a4543976a2fc7656 ] + +VPP_WRAP_OSD1_MATRIX_COEF22.Coeff22 is documented as being bits 0-12, +not 16-28. + +Without this the output tends to have a pink hue, changing it results +in better color accuracy. + +The vendor kernel doesn't use this register. However the code which +sets VIU2_OSD1_MATRIX_COEF22 also uses bits 0-12. There is a slightly +different style of registers for configuring some of the other matrices, +which do use bits 16-28 for this coefficient, but those have names +ending in MATRIX_COEF22_30, and this is not one of those. + +Signed-off-by: Stuart Menefy +Fixes: 728883948b0d ("drm/meson: Add G12A Support for VIU setup") +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220908155243.687143-1-stuart.menefy@mathembedded.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_viu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c +index bb7e109534de..d4b907889a21 100644 +--- a/drivers/gpu/drm/meson/meson_viu.c ++++ b/drivers/gpu/drm/meson/meson_viu.c +@@ -94,7 +94,7 @@ static void meson_viu_set_g12a_osd1_matrix(struct meson_drm *priv, + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF11_12)); + writel(((m[9] & 0x1fff) << 16) | (m[10] & 0x1fff), + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF20_21)); +- writel((m[11] & 0x1fff) << 16, ++ writel((m[11] & 0x1fff), + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF22)); + + writel(((m[18] & 0xfff) << 16) | (m[19] & 0xfff), +-- +2.35.1 + diff --git a/queue-5.15/drm-tegra-vic-fix-build-warning-when-config_pm-n.patch b/queue-5.15/drm-tegra-vic-fix-build-warning-when-config_pm-n.patch new file mode 100644 index 00000000000..37c1cffad20 --- /dev/null +++ b/queue-5.15/drm-tegra-vic-fix-build-warning-when-config_pm-n.patch @@ -0,0 +1,54 @@ +From 521d8684a84a9bdb5ff0e67774979ab3a5ce1dc4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 20:32:00 +0800 +Subject: drm/tegra: vic: Fix build warning when CONFIG_PM=n +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: YueHaibing + +[ Upstream commit b5d5288a46876f6767950449aea310f71ac86277 ] + +drivers/gpu/drm/tegra/vic.c:326:12: error: ‘vic_runtime_suspend’ defined but not used [-Werror=unused-function] + static int vic_runtime_suspend(struct device *dev) + ^~~~~~~~~~~~~~~~~~~ +drivers/gpu/drm/tegra/vic.c:292:12: error: ‘vic_runtime_resume’ defined but not used [-Werror=unused-function] + static int vic_runtime_resume(struct device *dev) + ^~~~~~~~~~~~~~~~~~ + +Mark it as __maybe_unused. + +Signed-off-by: YueHaibing +Signed-off-by: Thierry Reding +Stable-dep-of: c7860cbee998 ("drm/tegra: Fix vmapping of prime buffers") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/tegra/vic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/tegra/vic.c b/drivers/gpu/drm/tegra/vic.c +index da4af5371991..d3e2fab91086 100644 +--- a/drivers/gpu/drm/tegra/vic.c ++++ b/drivers/gpu/drm/tegra/vic.c +@@ -275,7 +275,7 @@ static int vic_load_firmware(struct vic *vic) + } + + +-static int vic_runtime_resume(struct device *dev) ++static int __maybe_unused vic_runtime_resume(struct device *dev) + { + struct vic *vic = dev_get_drvdata(dev); + int err; +@@ -309,7 +309,7 @@ static int vic_runtime_resume(struct device *dev) + return err; + } + +-static int vic_runtime_suspend(struct device *dev) ++static int __maybe_unused vic_runtime_suspend(struct device *dev) + { + struct vic *vic = dev_get_drvdata(dev); + int err; +-- +2.35.1 + diff --git a/queue-5.15/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch b/queue-5.15/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch new file mode 100644 index 00000000000..ee141d6c7ba --- /dev/null +++ b/queue-5.15/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch @@ -0,0 +1,48 @@ +From db5dffb080bb8378897fdd999b8e9c6e67a8fab1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 12:54:31 +0200 +Subject: gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in + mpc85xx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 279c12df8d2efb28def9d037f288cbfb97c30fe2 ] + +Commit e39d5ef67804 ("powerpc/5xxx: extend mpc8xxx_gpio driver to support +mpc512x gpios") implemented support for IRQ_TYPE_LEVEL_LOW flow type in +mpc512x via falling edge type. Do same for mpc85xx which support was added +in commit 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio"). + +Fixes probing of lm90 hwmon driver on mpc85xx based board which use level +interrupt. Without it kernel prints error and refuse lm90 to work: + + [ 15.258370] genirq: Setting trigger mode 8 for irq 49 failed (mpc8xxx_irq_set_type+0x0/0xf8) + [ 15.267168] lm90 0-004c: cannot request IRQ 49 + [ 15.272708] lm90: probe of 0-004c failed with error -22 + +Fixes: 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio") +Signed-off-by: Pali Rohár +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mpc8xxx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c +index a964e25ea620..763256efddc2 100644 +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -172,6 +172,7 @@ static int mpc8xxx_irq_set_type(struct irq_data *d, unsigned int flow_type) + + switch (flow_type) { + case IRQ_TYPE_EDGE_FALLING: ++ case IRQ_TYPE_LEVEL_LOW: + raw_spin_lock_irqsave(&mpc8xxx_gc->lock, flags); + gc->write_reg(mpc8xxx_gc->regs + GPIO_ICR, + gc->read_reg(mpc8xxx_gc->regs + GPIO_ICR) +-- +2.35.1 + diff --git a/queue-5.15/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch b/queue-5.15/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch new file mode 100644 index 00000000000..682bee86492 --- /dev/null +++ b/queue-5.15/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch @@ -0,0 +1,51 @@ +From 4d5aed8bbf924dcfababa60dd1526354b0940d0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 15:41:11 +0200 +Subject: net: mvpp2: debugfs: fix memory leak when using debugfs_lookup() + +From: Greg Kroah-Hartman + +[ Upstream commit fe2c9c61f668cde28dac2b188028c5299cedcc1e ] + +When calling debugfs_lookup() the result must have dput() called on it, +otherwise the memory will leak over time. Fix this up to be much +simpler logic and only create the root debugfs directory once when the +driver is first accessed. That resolves the memory leak and makes +things more obvious as to what the intent is. + +Cc: Marcin Wojtas +Cc: Russell King +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: netdev@vger.kernel.org +Cc: stable +Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +index 4a3baa7e0142..0eec05d905eb 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +@@ -700,10 +700,10 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv) + + void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name) + { +- struct dentry *mvpp2_dir, *mvpp2_root; ++ static struct dentry *mvpp2_root; ++ struct dentry *mvpp2_dir; + int ret, i; + +- mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL); + if (!mvpp2_root) + mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL); + +-- +2.35.1 + diff --git a/queue-5.15/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch b/queue-5.15/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch new file mode 100644 index 00000000000..214dd30a1f5 --- /dev/null +++ b/queue-5.15/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch @@ -0,0 +1,69 @@ +From cdde9757b81e28c67e2d178af9f7c8aef120b129 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 14:49:05 -0400 +Subject: NFSv4: Turn off open-by-filehandle and NFS re-export for NFSv4.0 + +From: Trond Myklebust + +[ Upstream commit 2a9d683b48c8a87e61a4215792d44c90bcbbb536 ] + +The NFSv4.0 protocol only supports open() by name. It cannot therefore +be used with open_by_handle() and friends, nor can it be re-exported by +knfsd. + +Reported-by: Chuck Lever III +Fixes: 20fa19027286 ("nfs: add export operations") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index e65c83494c05..a847011f36c9 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1046,22 +1046,31 @@ static void nfs_fill_super(struct super_block *sb, struct nfs_fs_context *ctx) + if (ctx->bsize) + sb->s_blocksize = nfs_block_size(ctx->bsize, &sb->s_blocksize_bits); + +- if (server->nfs_client->rpc_ops->version != 2) { +- /* The VFS shouldn't apply the umask to mode bits. We will do +- * so ourselves when necessary. ++ switch (server->nfs_client->rpc_ops->version) { ++ case 2: ++ sb->s_time_gran = 1000; ++ sb->s_time_min = 0; ++ sb->s_time_max = U32_MAX; ++ break; ++ case 3: ++ /* ++ * The VFS shouldn't apply the umask to mode bits. ++ * We will do so ourselves when necessary. + */ + sb->s_flags |= SB_POSIXACL; + sb->s_time_gran = 1; +- sb->s_export_op = &nfs_export_ops; +- } else +- sb->s_time_gran = 1000; +- +- if (server->nfs_client->rpc_ops->version != 4) { + sb->s_time_min = 0; + sb->s_time_max = U32_MAX; +- } else { ++ sb->s_export_op = &nfs_export_ops; ++ break; ++ case 4: ++ sb->s_flags |= SB_POSIXACL; ++ sb->s_time_gran = 1; + sb->s_time_min = S64_MIN; + sb->s_time_max = S64_MAX; ++ if (server->caps & NFS_CAP_ATOMIC_OPEN_V1) ++ sb->s_export_op = &nfs_export_ops; ++ break; + } + + sb->s_magic = NFS_SUPER_MAGIC; +-- +2.35.1 + diff --git a/queue-5.15/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch b/queue-5.15/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch new file mode 100644 index 00000000000..429d67bc264 --- /dev/null +++ b/queue-5.15/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch @@ -0,0 +1,41 @@ +From a03aaca34c09a5435f30660a786e82c7abbc24c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Aug 2022 23:34:16 +0300 +Subject: of: fdt: fix off-by-one error in unflatten_dt_nodes() + +From: Sergey Shtylyov + +[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ] + +Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +forgot to fix up the depth check in the loop body in unflatten_dt_nodes() +which makes it possible to overflow the nps[] buffer... + +Found by Linux Verification Center (linuxtesting.org) with the SVACE static +analysis tool. + +Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index d245628b15dd..338171c978cc 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -313,7 +313,7 @@ static int unflatten_dt_nodes(const void *blob, + for (offset = 0; + offset >= 0 && depth >= initial_depth; + offset = fdt_next_node(blob, offset, &depth)) { +- if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH)) ++ if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH - 1)) + continue; + + if (!IS_ENABLED(CONFIG_OF_KOBJ) && +-- +2.35.1 + diff --git a/queue-5.15/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch b/queue-5.15/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch new file mode 100644 index 00000000000..c3bc7903273 --- /dev/null +++ b/queue-5.15/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch @@ -0,0 +1,35 @@ +From 54dafccba743a2fc7677195d0193bbdca1114a1d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 17:36:57 +0800 +Subject: parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() + +From: Yang Yingliang + +[ Upstream commit 38238be4e881a5d0abbe4872b4cd6ed790be06c8 ] + +Add missing iounmap() before return from ccio_probe(), if ccio_init_resources() +fails. + +Fixes: d46c742f827f ("parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()") +Signed-off-by: Yang Yingliang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/parisc/ccio-dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c +index f69ab90b5e22..6052f264bbb0 100644 +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -1546,6 +1546,7 @@ static int __init ccio_probe(struct parisc_device *dev) + } + ccio_ioc_init(ioc); + if (ccio_init_resources(ioc)) { ++ iounmap(ioc->ioc_regs); + kfree(ioc); + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-5.15/pinctrl-qcom-sc8180x-fix-gpio_wakeirq_map.patch b/queue-5.15/pinctrl-qcom-sc8180x-fix-gpio_wakeirq_map.patch new file mode 100644 index 00000000000..85a5d99ad5f --- /dev/null +++ b/queue-5.15/pinctrl-qcom-sc8180x-fix-gpio_wakeirq_map.patch @@ -0,0 +1,40 @@ +From f045115bfb5753d11dbecc2549fcc4b8a12b69b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Aug 2022 20:26:44 +0800 +Subject: pinctrl: qcom: sc8180x: Fix gpio_wakeirq_map + +From: Molly Sophia + +[ Upstream commit 6124cec530c7d8faab96d340ab2df5161e5d1c8a ] + +Currently in the wakeirq_map, gpio36 and gpio37 have the same wakeirq +number, resulting in gpio37 being unable to trigger interrupts. +It looks like that this is a typo in the wakeirq map. So fix it. + +Signed-off-by: Molly Sophia +Fixes: 97423113ec4b ("pinctrl: qcom: Add sc8180x TLMM driver") +Tested-by: Bjorn Andersson +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220807122645.13830-2-mollysophia379@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-sc8180x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/qcom/pinctrl-sc8180x.c b/drivers/pinctrl/qcom/pinctrl-sc8180x.c +index 0d9654b4ab60..32a2d8c5ceae 100644 +--- a/drivers/pinctrl/qcom/pinctrl-sc8180x.c ++++ b/drivers/pinctrl/qcom/pinctrl-sc8180x.c +@@ -1582,7 +1582,7 @@ static const int sc8180x_acpi_reserved_gpios[] = { + static const struct msm_gpio_wakeirq_map sc8180x_pdc_map[] = { + { 3, 31 }, { 5, 32 }, { 8, 33 }, { 9, 34 }, { 10, 100 }, { 12, 104 }, + { 24, 37 }, { 26, 38 }, { 27, 41 }, { 28, 42 }, { 30, 39 }, { 36, 43 }, +- { 37, 43 }, { 38, 45 }, { 39, 118 }, { 39, 125 }, { 41, 47 }, ++ { 37, 44 }, { 38, 45 }, { 39, 118 }, { 39, 125 }, { 41, 47 }, + { 42, 48 }, { 46, 50 }, { 47, 49 }, { 48, 51 }, { 49, 53 }, { 50, 52 }, + { 51, 116 }, { 51, 123 }, { 53, 54 }, { 54, 55 }, { 55, 56 }, + { 56, 57 }, { 58, 58 }, { 60, 60 }, { 68, 62 }, { 70, 63 }, { 76, 86 }, +-- +2.35.1 + diff --git a/queue-5.15/pinctrl-qcom-sc8180x-fix-wrong-pin-numbers.patch b/queue-5.15/pinctrl-qcom-sc8180x-fix-wrong-pin-numbers.patch new file mode 100644 index 00000000000..69659a176e7 --- /dev/null +++ b/queue-5.15/pinctrl-qcom-sc8180x-fix-wrong-pin-numbers.patch @@ -0,0 +1,45 @@ +From 3d20ad47b3d06ec5c9f02cbf6132077cf7d40228 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Aug 2022 20:26:45 +0800 +Subject: pinctrl: qcom: sc8180x: Fix wrong pin numbers + +From: Molly Sophia + +[ Upstream commit 48ec73395887694f13c9452b4dcfb43710451757 ] + +The pin numbers for UFS_RESET and SDC2_* are not +consistent in the pinctrl driver for sc8180x. +So fix it. + +Signed-off-by: Molly Sophia +Fixes: 97423113ec4b ("pinctrl: qcom: Add sc8180x TLMM driver") +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220807122645.13830-3-mollysophia379@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-sc8180x.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/qcom/pinctrl-sc8180x.c b/drivers/pinctrl/qcom/pinctrl-sc8180x.c +index 32a2d8c5ceae..a4725ff12da0 100644 +--- a/drivers/pinctrl/qcom/pinctrl-sc8180x.c ++++ b/drivers/pinctrl/qcom/pinctrl-sc8180x.c +@@ -530,10 +530,10 @@ DECLARE_MSM_GPIO_PINS(187); + DECLARE_MSM_GPIO_PINS(188); + DECLARE_MSM_GPIO_PINS(189); + +-static const unsigned int sdc2_clk_pins[] = { 190 }; +-static const unsigned int sdc2_cmd_pins[] = { 191 }; +-static const unsigned int sdc2_data_pins[] = { 192 }; +-static const unsigned int ufs_reset_pins[] = { 193 }; ++static const unsigned int ufs_reset_pins[] = { 190 }; ++static const unsigned int sdc2_clk_pins[] = { 191 }; ++static const unsigned int sdc2_cmd_pins[] = { 192 }; ++static const unsigned int sdc2_data_pins[] = { 193 }; + + enum sc8180x_functions { + msm_mux_adsp_ext, +-- +2.35.1 + diff --git a/queue-5.15/pinctrl-rockchip-enhance-support-for-irq_type_edge_b.patch b/queue-5.15/pinctrl-rockchip-enhance-support-for-irq_type_edge_b.patch new file mode 100644 index 00000000000..1f29286ecbe --- /dev/null +++ b/queue-5.15/pinctrl-rockchip-enhance-support-for-irq_type_edge_b.patch @@ -0,0 +1,49 @@ +From 2d274b0082f37f92efc088fcf4608179d888843a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 02:51:20 +0000 +Subject: pinctrl: rockchip: Enhance support for IRQ_TYPE_EDGE_BOTH +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: João H. Spies + +[ Upstream commit b871656aa4f54e04207f62bdd0d7572be1d86b36 ] + +Switching between falling/rising edges for IRQ_TYPE_EDGE_BOTH on pins that +require debounce can cause the device to lose events due to a desync +between pin state and irq type. + +This problem is resolved by switching between IRQ_TYPE_LEVEL_LOW and +IRQ_TYPE_LEVEL_HIGH instead. + +Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio") +Signed-off-by: João H. Spies +Link: https://lore.kernel.org/r/20220808025121.110223-1-jhlspies@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-rockchip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-rockchip.c b/drivers/gpio/gpio-rockchip.c +index 22b8f0aa80f1..f31b0947eaaa 100644 +--- a/drivers/gpio/gpio-rockchip.c ++++ b/drivers/gpio/gpio-rockchip.c +@@ -418,11 +418,11 @@ static int rockchip_irq_set_type(struct irq_data *d, unsigned int type) + goto out; + } else { + bank->toggle_edge_mode |= mask; +- level |= mask; ++ level &= ~mask; + + /* + * Determine gpio state. If 1 next interrupt should be +- * falling otherwise rising. ++ * low otherwise high. + */ + data = readl(bank->reg_base + bank->gpio_regs->ext_port); + if (data & mask) +-- +2.35.1 + diff --git a/queue-5.15/pinctrl-sunxi-fix-name-for-a100-r_pio.patch b/queue-5.15/pinctrl-sunxi-fix-name-for-a100-r_pio.patch new file mode 100644 index 00000000000..0bb74601354 --- /dev/null +++ b/queue-5.15/pinctrl-sunxi-fix-name-for-a100-r_pio.patch @@ -0,0 +1,38 @@ +From 0efbe4e17bf54d85201813cee1ad478c588147fb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 10:45:41 +0800 +Subject: pinctrl: sunxi: Fix name for A100 R_PIO + +From: Michael Wu + +[ Upstream commit 76648c867c6c03b8a468d9c9222025873ecc613d ] + +The name of A100 R_PIO driver should be sun50i-a100-r-pinctrl, +not sun50iw10p1-r-pinctrl. + +Fixes: 473436e7647d6 ("pinctrl: sunxi: add support for the Allwinner A100 pin controller") +Signed-off-by: Michael Wu +Acked-by: Samuel Holland +Link: https://lore.kernel.org/r/20220819024541.74191-1-michael@allwinnertech.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c b/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c +index 21054fcacd34..18088f6f44b2 100644 +--- a/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c +@@ -98,7 +98,7 @@ MODULE_DEVICE_TABLE(of, a100_r_pinctrl_match); + static struct platform_driver a100_r_pinctrl_driver = { + .probe = a100_r_pinctrl_probe, + .driver = { +- .name = "sun50iw10p1-r-pinctrl", ++ .name = "sun50i-a100-r-pinctrl", + .of_match_table = a100_r_pinctrl_match, + }, + }; +-- +2.35.1 + diff --git a/queue-5.15/serial-atmel-remove-redundant-assignment-in-rs485_co.patch b/queue-5.15/serial-atmel-remove-redundant-assignment-in-rs485_co.patch new file mode 100644 index 00000000000..eea83935df5 --- /dev/null +++ b/queue-5.15/serial-atmel-remove-redundant-assignment-in-rs485_co.patch @@ -0,0 +1,46 @@ +From d6fb10176b9f161716f355ba192f3a3f7ee40178 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Apr 2022 12:46:42 +0200 +Subject: serial: atmel: remove redundant assignment in rs485_config + +From: Lino Sanfilippo + +[ Upstream commit 60efd0513916f195dd85bfbf21653f74f9ab019c ] + +In uart_set_rs485_config() the serial core already assigns the passed +serial_rs485 struct to the uart port. + +So remove the assignment from the drivers rs485_config() function to avoid +redundancy. + +Reviewed-by: Claudiu Beznea +Acked-by: Richard Genoud +Signed-off-by: Lino Sanfilippo +Link: https://lore.kernel.org/r/20220410104642.32195-10-LinoSanfilippo@gmx.de +Signed-off-by: Greg Kroah-Hartman +Stable-dep-of: 692a8ebcfc24 ("tty: serial: atmel: Preserve previous USART mode if RS485 disabled") +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/atmel_serial.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index dd350c590880..92383c8610ee 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -298,11 +298,9 @@ static int atmel_config_rs485(struct uart_port *port, + /* Resetting serial mode to RS232 (0x0) */ + mode &= ~ATMEL_US_USMODE; + +- port->rs485 = *rs485conf; +- + if (rs485conf->flags & SER_RS485_ENABLED) { + dev_dbg(port->dev, "Setting UART to RS485\n"); +- if (port->rs485.flags & SER_RS485_RX_DURING_TX) ++ if (rs485conf->flags & SER_RS485_RX_DURING_TX) + atmel_port->tx_done_mask = ATMEL_US_TXRDY; + else + atmel_port->tx_done_mask = ATMEL_US_TXEMPTY; +-- +2.35.1 + diff --git a/queue-5.15/series b/queue-5.15/series index e69de29bb2d..1ca1df7e15a 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -0,0 +1,17 @@ +drm-tegra-vic-fix-build-warning-when-config_pm-n.patch +arm64-kexec_file-use-more-system-keyrings-to-verify-.patch +usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch +serial-atmel-remove-redundant-assignment-in-rs485_co.patch +tty-serial-atmel-preserve-previous-usart-mode-if-rs4.patch +of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch +pinctrl-qcom-sc8180x-fix-gpio_wakeirq_map.patch +pinctrl-qcom-sc8180x-fix-wrong-pin-numbers.patch +pinctrl-rockchip-enhance-support-for-irq_type_edge_b.patch +pinctrl-sunxi-fix-name-for-a100-r_pio.patch +nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch +gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch +drm-meson-correct-osd1-global-alpha-value.patch +drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch +block-blk_queue_enter-__bio_queue_enter-must-return-.patch +parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch +net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch diff --git a/queue-5.15/tty-serial-atmel-preserve-previous-usart-mode-if-rs4.patch b/queue-5.15/tty-serial-atmel-preserve-previous-usart-mode-if-rs4.patch new file mode 100644 index 00000000000..1b2abb6f319 --- /dev/null +++ b/queue-5.15/tty-serial-atmel-preserve-previous-usart-mode-if-rs4.patch @@ -0,0 +1,74 @@ +From 4f3d08ceb9ff4501d58bcae56cda96adb22c2aa4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 17:29:03 +0300 +Subject: tty: serial: atmel: Preserve previous USART mode if RS485 disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sergiu Moga + +[ Upstream commit 692a8ebcfc24f4a5bea0eb2967e450f584193da6 ] + +Whenever the atmel_rs485_config() driver method would be called, +the USART mode is reset to normal mode before even checking if +RS485 flag is set, thus resulting in losing the previous USART +mode in the case where the checking fails. + +Some tools, such as `linux-serial-test`, lead to the driver calling +this method when doing the setup of the serial port: after setting the +port mode (Hardware Flow Control, Normal Mode, RS485 Mode, etc.), +`linux-serial-test` tries to enable/disable RS485 depending on +the commandline arguments that were passed. + +Example of how this issue could reveal itself: +When doing a serial communication with Hardware Flow Control through +`linux-serial-test`, the tool would lead to the driver roughly doing +the following: +- set the corresponding bit to 1 (ATMEL_US_USMODE_HWHS bit in the +ATMEL_US_MR register) through the atmel_set_termios() to enable +Hardware Flow Control +- disable RS485 through the atmel_config_rs485() method +Thus, when the latter is called, the mode will be reset and the +previously set bit is unset, leaving USART in normal mode instead of +the expected Hardware Flow Control mode. + +This fix ensures that this reset is only done if the checking for +RS485 succeeds and that the previous mode is preserved otherwise. + +Fixes: e8faff7330a35 ("ARM: 6092/1: atmel_serial: support for RS485 communications") +Cc: stable +Reviewed-by: Ilpo Järvinen +Signed-off-by: Sergiu Moga +Link: https://lore.kernel.org/r/20220824142902.502596-1-sergiu.moga@microchip.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/atmel_serial.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c +index 92383c8610ee..c0a86558ceaa 100644 +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -295,9 +295,6 @@ static int atmel_config_rs485(struct uart_port *port, + + mode = atmel_uart_readl(port, ATMEL_US_MR); + +- /* Resetting serial mode to RS232 (0x0) */ +- mode &= ~ATMEL_US_USMODE; +- + if (rs485conf->flags & SER_RS485_ENABLED) { + dev_dbg(port->dev, "Setting UART to RS485\n"); + if (rs485conf->flags & SER_RS485_RX_DURING_TX) +@@ -307,6 +304,7 @@ static int atmel_config_rs485(struct uart_port *port, + + atmel_uart_writel(port, ATMEL_US_TTGR, + rs485conf->delay_rts_after_send); ++ mode &= ~ATMEL_US_USMODE; + mode |= ATMEL_US_USMODE_RS485; + } else { + dev_dbg(port->dev, "Setting UART to RS232\n"); +-- +2.35.1 + diff --git a/queue-5.15/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch b/queue-5.15/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch new file mode 100644 index 00000000000..c354bc2302e --- /dev/null +++ b/queue-5.15/usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch @@ -0,0 +1,78 @@ +From 4ec57709f69f35643cc6d375e876e352e732b99f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Jul 2022 11:07:10 -0400 +Subject: USB: gadget: Fix use-after-free Read in usb_udc_uevent() + +From: Alan Stern + +[ Upstream commit 2191c00855b03aa59c20e698be713d952d51fc18 ] + +The syzbot fuzzer found a race between uevent callbacks and gadget +driver unregistration that can cause a use-after-free bug: + +--------------------------------------------------------------- +BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 +drivers/usb/gadget/udc/core.c:1732 +Read of size 8 at addr ffff888078ce2050 by task udevd/2968 + +CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google +06/29/2022 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:317 [inline] + print_report.cold+0x2ba/0x719 mm/kasan/report.c:433 + kasan_report+0xbe/0x1f0 mm/kasan/report.c:495 + usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732 + dev_uevent+0x290/0x770 drivers/base/core.c:2424 +--------------------------------------------------------------- + +The bug occurs because usb_udc_uevent() dereferences udc->driver but +does so without acquiring the udc_lock mutex, which protects this +field. If the gadget driver is unbound from the udc concurrently with +uevent processing, the driver structure may be accessed after it has +been deallocated. + +To prevent the race, we make sure that the routine holds the mutex +around the racing accesses. + +Link: +CC: stable@vger.kernel.org # fc274c1e9973 +Reported-and-tested-by: syzbot+b0de012ceb1e2a97891b@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YtlrnhHyrHsSky9m@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/core.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c +index 61099f2d057d..eb3895ad7136 100644 +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -1739,13 +1739,14 @@ static int usb_udc_uevent(struct device *dev, struct kobj_uevent_env *env) + return ret; + } + +- if (udc->driver) { ++ mutex_lock(&udc_lock); ++ if (udc->driver) + ret = add_uevent_var(env, "USB_UDC_DRIVER=%s", + udc->driver->function); +- if (ret) { +- dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); +- return ret; +- } ++ mutex_unlock(&udc_lock); ++ if (ret) { ++ dev_err(dev, "failed to add uevent USB_UDC_DRIVER\n"); ++ return ret; + } + + return 0; +-- +2.35.1 + diff --git a/queue-5.19/block-blk_queue_enter-__bio_queue_enter-must-return-.patch b/queue-5.19/block-blk_queue_enter-__bio_queue_enter-must-return-.patch new file mode 100644 index 00000000000..47c725d3a7d --- /dev/null +++ b/queue-5.19/block-blk_queue_enter-__bio_queue_enter-must-return-.patch @@ -0,0 +1,55 @@ +From 0ac8cbdacba97c6d2e6c3566e4b3d9fa9c479973 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 09:53:25 -0700 +Subject: block: blk_queue_enter() / __bio_queue_enter() must return -EAGAIN + for nowait + +From: Stefan Roesch + +[ Upstream commit 56f99b8d06ef1ed1c9730948f9f05ac2b930a20b ] + +Today blk_queue_enter() and __bio_queue_enter() return -EBUSY for the +nowait code path. This is not correct: they should return -EAGAIN +instead. + +This problem was detected by fio. The following command exposed the +above problem: + +t/io_uring -p0 -d128 -b4096 -s32 -c32 -F1 -B0 -R0 -X1 -n24 -P1 -u1 -O0 /dev/ng0n1 + +By applying the patch, the retry case is handled correctly in the slow +path. + +Signed-off-by: Stefan Roesch +Fixes: bfd343aa1718 ("blk-mq: don't wait in blk_mq_queue_enter() if __GFP_WAIT isn't set") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index 27fb1357ad4b..cc6fbcb6d252 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -338,7 +338,7 @@ int blk_queue_enter(struct request_queue *q, blk_mq_req_flags_t flags) + + while (!blk_try_enter_queue(q, pm)) { + if (flags & BLK_MQ_REQ_NOWAIT) +- return -EBUSY; ++ return -EAGAIN; + + /* + * read pair of barrier in blk_freeze_queue_start(), we need to +@@ -368,7 +368,7 @@ int __bio_queue_enter(struct request_queue *q, struct bio *bio) + if (test_bit(GD_DEAD, &disk->state)) + goto dead; + bio_wouldblock_error(bio); +- return -EBUSY; ++ return -EAGAIN; + } + + /* +-- +2.35.1 + diff --git a/queue-5.19/drm-i915-guc-cancel-guc-engine-busyness-worker-synch.patch b/queue-5.19/drm-i915-guc-cancel-guc-engine-busyness-worker-synch.patch new file mode 100644 index 00000000000..d12ab4d8a6c --- /dev/null +++ b/queue-5.19/drm-i915-guc-cancel-guc-engine-busyness-worker-synch.patch @@ -0,0 +1,52 @@ +From 7b1f0585e0fce26daaff10fa213f164baaf25872 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 27 Aug 2022 00:21:35 +0000 +Subject: drm/i915/guc: Cancel GuC engine busyness worker synchronously + +From: Umesh Nerlige Ramappa + +[ Upstream commit aee5ae7c8492eaca2be20d202887c9c716ffc86f ] + +The worker is canceled in gt_park path, but earlier it was assumed that +gt_park path cannot sleep and the cancel is asynchronous. This caused a +race with suspend flow where the worker runs after suspend and causes an +unclaimed register access warning. Cancel the worker synchronously since +the gt_park is indeed allowed to sleep. + +v2: Fix author name and sign-off mismatch + +Signed-off-by: Umesh Nerlige Ramappa +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/4419 +Fixes: 77cdd054dd2c ("drm/i915/pmu: Connect engine busyness stats from GuC to pmu") +Reviewed-by: Ashutosh Dixit +Signed-off-by: John Harrison +Link: https://patchwork.freedesktop.org/patch/msgid/20220827002135.139349-1-umesh.nerlige.ramappa@intel.com +Signed-off-by: Joonas Lahtinen +(cherry picked from commit 31335aa8e08be3fe10c50aecd2f11aba77544a78) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +index 96022f49f9b5..d7e4681d7297 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +@@ -1438,7 +1438,12 @@ void intel_guc_busyness_park(struct intel_gt *gt) + if (!guc_submission_initialized(guc)) + return; + +- cancel_delayed_work(&guc->timestamp.work); ++ /* ++ * There is a race with suspend flow where the worker runs after suspend ++ * and causes an unclaimed register access warning. Cancel the worker ++ * synchronously here. ++ */ ++ cancel_delayed_work_sync(&guc->timestamp.work); + + /* + * Before parking, we should sample engine busyness stats if we need to. +-- +2.35.1 + diff --git a/queue-5.19/drm-i915-guc-don-t-update-engine-busyness-stats-too-.patch b/queue-5.19/drm-i915-guc-don-t-update-engine-busyness-stats-too-.patch new file mode 100644 index 00000000000..7b8f7b5a2e8 --- /dev/null +++ b/queue-5.19/drm-i915-guc-don-t-update-engine-busyness-stats-too-.patch @@ -0,0 +1,124 @@ +From 274f992559949f10157934670865eee0d602b423 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Jun 2022 19:31:57 -0700 +Subject: drm/i915/guc: Don't update engine busyness stats too frequently + +From: Alan Previn + +[ Upstream commit 59bcdb564b3bac3e86cc274e5dec05d4647ce47f ] + +Using two different types of workoads, it was observed that +guc_update_engine_gt_clks was being called too frequently and/or +causing a CPU-to-lmem bandwidth hit over PCIE. Details on +the workloads and numbers are in the notes below. + +Background: At the moment, guc_update_engine_gt_clks can be invoked +via one of 3 ways. #1 and #2 are infrequent under normal operating +conditions: + 1.When a predefined "ping_delay" timer expires so that GuC- + busyness can sample the GTPM clock counter to ensure it + doesn't miss a wrap-around of the 32-bits of the HW counter. + (The ping_delay is calculated based on 1/8th the time taken + for the counter go from 0x0 to 0xffffffff based on the + GT frequency. This comes to about once every 28 seconds at a + GT frequency of 19.2Mhz). + 2.In preparation for a gt reset. + 3.In response to __gt_park events (as the gt power management + puts the gt into a lower power state when there is no work + being done). + +Root-cause: For both the workloads described farther below, it was +observed that when user space calls IOCTLs that unparks the +gt momentarily and repeats such calls many times in quick succession, +it triggers calling guc_update_engine_gt_clks as many times. However, +the primary purpose of guc_update_engine_gt_clks is to ensure we don't +miss the wraparound while the counter is ticking. Thus, the solution +is to ensure we skip that check if gt_park is calling this function +earlier than necessary. + +Solution: Snapshot jiffies when we do actually update the busyness +stats. Then get the new jiffies every time intel_guc_busyness_park +is called and bail if we are being called too soon. Use half of the +ping_delay as a safe threshold. + +NOTE1: Workload1: IGTs' gem_create was modified to create a file handle, +allocate memory with sizes that range from a min of 4K to the max supported +(in power of two step-sizes). Its maps, modifies and reads back the +memory. Allocations and modification is repeated until total memory +allocation reaches the max. Then the file handle is closed. With this +workload, guc_update_engine_gt_clks was called over 188 thousand times +in the span of 15 seconds while this test ran three times. With this patch, +the number of calls reduced to 14. + +NOTE2: Workload2: 30 transcode sessions are created in quick succession. +While these sessions are created, pcm-iio tool was used to measure I/O +read operation bandwidth consumption sampled at 100 milisecond intervals +over the course of 20 seconds. The total bandwidth consumed over 20 seconds +without this patch was measured at average at 311KBps per sample. With this +patch, the number went down to about 175Kbps which is about a 43% savings. + +Signed-off-by: Alan Previn +Reviewed-by: Umesh Nerlige Ramappa +Acked-by: Tvrtko Ursulin +Signed-off-by: John Harrison +Link: https://patchwork.freedesktop.org/patch/msgid/20220623023157.211650-2-alan.previn.teres.alexis@intel.com +Stable-dep-of: aee5ae7c8492 ("drm/i915/guc: Cancel GuC engine busyness worker synchronously") +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/gt/uc/intel_guc.h | 8 ++++++++ + drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 13 +++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc.h b/drivers/gpu/drm/i915/gt/uc/intel_guc.h +index 9feda105f913..a7acffbf15d1 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_guc.h ++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc.h +@@ -235,6 +235,14 @@ struct intel_guc { + * @shift: Right shift value for the gpm timestamp + */ + u32 shift; ++ ++ /** ++ * @last_stat_jiffies: jiffies at last actual stats collection time ++ * We use this timestamp to ensure we don't oversample the ++ * stats because runtime power management events can trigger ++ * stats collection at much higher rates than required. ++ */ ++ unsigned long last_stat_jiffies; + } timestamp; + + #ifdef CONFIG_DRM_I915_SELFTEST +diff --git a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +index 26a051ef119d..96022f49f9b5 100644 +--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c ++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c +@@ -1365,6 +1365,8 @@ static void __update_guc_busyness_stats(struct intel_guc *guc) + unsigned long flags; + ktime_t unused; + ++ guc->timestamp.last_stat_jiffies = jiffies; ++ + spin_lock_irqsave(&guc->timestamp.lock, flags); + + guc_update_pm_timestamp(guc, &unused); +@@ -1437,6 +1439,17 @@ void intel_guc_busyness_park(struct intel_gt *gt) + return; + + cancel_delayed_work(&guc->timestamp.work); ++ ++ /* ++ * Before parking, we should sample engine busyness stats if we need to. ++ * We can skip it if we are less than half a ping from the last time we ++ * sampled the busyness stats. ++ */ ++ if (guc->timestamp.last_stat_jiffies && ++ !time_after(jiffies, guc->timestamp.last_stat_jiffies + ++ (guc->timestamp.ping_delay / 2))) ++ return; ++ + __update_guc_busyness_stats(guc); + } + +-- +2.35.1 + diff --git a/queue-5.19/drm-i915-vdsc-set-vdsc-pic_height-before-using-for-d.patch b/queue-5.19/drm-i915-vdsc-set-vdsc-pic_height-before-using-for-d.patch new file mode 100644 index 00000000000..1010c905e79 --- /dev/null +++ b/queue-5.19/drm-i915-vdsc-set-vdsc-pic_height-before-using-for-d.patch @@ -0,0 +1,73 @@ +From abc0ec60e779ce7752d32532019a85fa83a28fcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 16:02:19 +0530 +Subject: drm/i915/vdsc: Set VDSC PIC_HEIGHT before using for DP DSC + +From: Ankit Nautiyal + +[ Upstream commit 0785691f5711a8f210bb15a5177c2999ebd3702e ] + +Currently, pic_height of vdsc_cfg structure is being used to calculate +slice_height, before it is set for DP. + +So taking out the lines to set pic_height from the helper +intel_dp_dsc_compute_params() to individual encoders, and setting +pic_height, before it is used to calculate slice_height for DP. + +Fixes: 5a6d866f8e1b ("drm/i915: Get slice height before computing rc params") +Cc: Manasi Navare +Cc: Vandita Kulkarni +Cc: Matt Roper +Signed-off-by: Ankit Nautiyal +Reviewed-by: Vandita Kulkarni +Signed-off-by: Matt Roper +Link: https://patchwork.freedesktop.org/patch/msgid/20220902103219.1168781-1-ankit.k.nautiyal@intel.com +(cherry picked from commit e72df53dcb01ec58e0410da353551adf94c8d0f1) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/i915/display/icl_dsi.c | 2 ++ + drivers/gpu/drm/i915/display/intel_dp.c | 1 + + drivers/gpu/drm/i915/display/intel_vdsc.c | 1 - + 3 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/i915/display/icl_dsi.c b/drivers/gpu/drm/i915/display/icl_dsi.c +index 19bf717fd4cb..5508ebb9eb43 100644 +--- a/drivers/gpu/drm/i915/display/icl_dsi.c ++++ b/drivers/gpu/drm/i915/display/icl_dsi.c +@@ -1629,6 +1629,8 @@ static int gen11_dsi_dsc_compute_config(struct intel_encoder *encoder, + /* FIXME: initialize from VBT */ + vdsc_cfg->rc_model_size = DSC_RC_MODEL_SIZE_CONST; + ++ vdsc_cfg->pic_height = crtc_state->hw.adjusted_mode.crtc_vdisplay; ++ + ret = intel_dsc_compute_params(crtc_state); + if (ret) + return ret; +diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c +index 41aaa6c98114..fe8b6b72970a 100644 +--- a/drivers/gpu/drm/i915/display/intel_dp.c ++++ b/drivers/gpu/drm/i915/display/intel_dp.c +@@ -1379,6 +1379,7 @@ static int intel_dp_dsc_compute_params(struct intel_encoder *encoder, + * DP_DSC_RC_BUF_SIZE for this. + */ + vdsc_cfg->rc_model_size = DSC_RC_MODEL_SIZE_CONST; ++ vdsc_cfg->pic_height = crtc_state->hw.adjusted_mode.crtc_vdisplay; + + /* + * Slice Height of 8 works for all currently available panels. So start +diff --git a/drivers/gpu/drm/i915/display/intel_vdsc.c b/drivers/gpu/drm/i915/display/intel_vdsc.c +index 43e1bbc1e303..ca530f0733e0 100644 +--- a/drivers/gpu/drm/i915/display/intel_vdsc.c ++++ b/drivers/gpu/drm/i915/display/intel_vdsc.c +@@ -460,7 +460,6 @@ int intel_dsc_compute_params(struct intel_crtc_state *pipe_config) + u8 i = 0; + + vdsc_cfg->pic_width = pipe_config->hw.adjusted_mode.crtc_hdisplay; +- vdsc_cfg->pic_height = pipe_config->hw.adjusted_mode.crtc_vdisplay; + vdsc_cfg->slice_width = DIV_ROUND_UP(vdsc_cfg->pic_width, + pipe_config->dsc.slice_count); + +-- +2.35.1 + diff --git a/queue-5.19/drm-meson-correct-osd1-global-alpha-value.patch b/queue-5.19/drm-meson-correct-osd1-global-alpha-value.patch new file mode 100644 index 00000000000..fad83397a0b --- /dev/null +++ b/queue-5.19/drm-meson-correct-osd1-global-alpha-value.patch @@ -0,0 +1,40 @@ +From 5d5080263d5f182920bf2568b13531be66805b8a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:51:03 +0100 +Subject: drm/meson: Correct OSD1 global alpha value + +From: Stuart Menefy + +[ Upstream commit 6836829c8ea453c9e3e518e61539e35881c8ed5f ] + +VIU_OSD1_CTRL_STAT.GLOBAL_ALPHA is a 9 bit field, so the maximum +value is 0x100 not 0xff. + +This matches the vendor kernel. + +Signed-off-by: Stuart Menefy +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220908155103.686904-1-stuart.menefy@mathembedded.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_plane.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c +index 8640a8a8a469..44aa52629443 100644 +--- a/drivers/gpu/drm/meson/meson_plane.c ++++ b/drivers/gpu/drm/meson/meson_plane.c +@@ -168,7 +168,7 @@ static void meson_plane_atomic_update(struct drm_plane *plane, + + /* Enable OSD and BLK0, set max global alpha */ + priv->viu.osd1_ctrl_stat = OSD_ENABLE | +- (0xFF << OSD_GLOBAL_ALPHA_SHIFT) | ++ (0x100 << OSD_GLOBAL_ALPHA_SHIFT) | + OSD_BLK0_ENABLE; + + priv->viu.osd1_ctrl_stat2 = readl(priv->io_base + +-- +2.35.1 + diff --git a/queue-5.19/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch b/queue-5.19/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch new file mode 100644 index 00000000000..319d17e9bfb --- /dev/null +++ b/queue-5.19/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch @@ -0,0 +1,47 @@ +From 8b1b28fb70ca7bbc4a49f25d3a73178cda30f09d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:52:43 +0100 +Subject: drm/meson: Fix OSD1 RGB to YCbCr coefficient + +From: Stuart Menefy + +[ Upstream commit 6463d3930ba5b6addcfc8f80a4543976a2fc7656 ] + +VPP_WRAP_OSD1_MATRIX_COEF22.Coeff22 is documented as being bits 0-12, +not 16-28. + +Without this the output tends to have a pink hue, changing it results +in better color accuracy. + +The vendor kernel doesn't use this register. However the code which +sets VIU2_OSD1_MATRIX_COEF22 also uses bits 0-12. There is a slightly +different style of registers for configuring some of the other matrices, +which do use bits 16-28 for this coefficient, but those have names +ending in MATRIX_COEF22_30, and this is not one of those. + +Signed-off-by: Stuart Menefy +Fixes: 728883948b0d ("drm/meson: Add G12A Support for VIU setup") +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220908155243.687143-1-stuart.menefy@mathembedded.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_viu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c +index bb7e109534de..d4b907889a21 100644 +--- a/drivers/gpu/drm/meson/meson_viu.c ++++ b/drivers/gpu/drm/meson/meson_viu.c +@@ -94,7 +94,7 @@ static void meson_viu_set_g12a_osd1_matrix(struct meson_drm *priv, + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF11_12)); + writel(((m[9] & 0x1fff) << 16) | (m[10] & 0x1fff), + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF20_21)); +- writel((m[11] & 0x1fff) << 16, ++ writel((m[11] & 0x1fff), + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF22)); + + writel(((m[18] & 0xfff) << 16) | (m[19] & 0xfff), +-- +2.35.1 + diff --git a/queue-5.19/drm-panel-edp-fix-delays-for-innolux-n116bca-ea1.patch b/queue-5.19/drm-panel-edp-fix-delays-for-innolux-n116bca-ea1.patch new file mode 100644 index 00000000000..80ed7c78fd2 --- /dev/null +++ b/queue-5.19/drm-panel-edp-fix-delays-for-innolux-n116bca-ea1.patch @@ -0,0 +1,53 @@ +From b5a477cfe1e8ae8d4b1bc9c917238d2bc90dd95d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:54:53 +0800 +Subject: drm/panel-edp: Fix delays for Innolux N116BCA-EA1 + +From: Chen-Yu Tsai + +[ Upstream commit 8f7115c1923cd11146525f1615beb29018001964 ] + +Commit 52824ca4502d ("drm/panel-edp: Better describe eDP panel delays") +clarified the various delays used for eDP panels, tying them to the eDP +panel timing diagram. + +For Innolux N116BCA-EA1, .prepare_to_enable would be: + + t4_min + t5_min + t6_min + max(t7_max, t8_min) + +Since t4_min and t5_min are both 0, the panel can use either .enable or +.prepare_to_enable. + +As .enable is better defined, switch to using .enable for this panel. + +Also add .disable = 50, based on the datasheet's t9_min value. This +effectively makes the delays the same as delay_200_500_e80_d50. + +Cc: Douglas Anderson +Fixes: 51d35631c970 ("drm/panel-simple: Add N116BCA-EA1") +Signed-off-by: Chen-Yu Tsai +Reviewed-by: Douglas Anderson +Signed-off-by: Douglas Anderson +Link: https://patchwork.freedesktop.org/patch/msgid/20220908085454.1024167-1-wenst@chromium.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/panel/panel-edp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/panel/panel-edp.c b/drivers/gpu/drm/panel/panel-edp.c +index a189982601a4..e8040defe607 100644 +--- a/drivers/gpu/drm/panel/panel-edp.c ++++ b/drivers/gpu/drm/panel/panel-edp.c +@@ -1270,7 +1270,8 @@ static const struct panel_desc innolux_n116bca_ea1 = { + }, + .delay = { + .hpd_absent = 200, +- .prepare_to_enable = 80, ++ .enable = 80, ++ .disable = 50, + .unprepare = 500, + }, + }; +-- +2.35.1 + diff --git a/queue-5.19/drm-rockchip-vop2-fix-edp-hdmi-sync-polarities.patch b/queue-5.19/drm-rockchip-vop2-fix-edp-hdmi-sync-polarities.patch new file mode 100644 index 00000000000..4ab18fbd061 --- /dev/null +++ b/queue-5.19/drm-rockchip-vop2-fix-edp-hdmi-sync-polarities.patch @@ -0,0 +1,46 @@ +From 662c18e901d38b7a1a9fff824581a9ccdffc9aea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Aug 2022 15:39:42 +0200 +Subject: drm/rockchip: vop2: Fix eDP/HDMI sync polarities + +From: Sascha Hauer + +[ Upstream commit 35b513a74eabf09bd718e04fd9e62b09c022807f ] + +The hsync/vsync polarities were not honoured for the eDP and HDMI ports. +Add the register settings to configure the polarities as requested by the +DRM_MODE_FLAG_PHSYNC/DRM_MODE_FLAG_PVSYNC flags. + +Signed-off-by: Sascha Hauer +Fixes: 604be85547ce ("drm/rockchip: Add VOP2 driver") +Tested-by: Michael Riesch +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20220815133942.4051532-1-s.hauer@pengutronix.de +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +index d6e831576cd2..88271f04615b 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c +@@ -1436,11 +1436,15 @@ static void rk3568_set_intf_mux(struct vop2_video_port *vp, int id, + die &= ~RK3568_SYS_DSP_INFACE_EN_HDMI_MUX; + die |= RK3568_SYS_DSP_INFACE_EN_HDMI | + FIELD_PREP(RK3568_SYS_DSP_INFACE_EN_HDMI_MUX, vp->id); ++ dip &= ~RK3568_DSP_IF_POL__HDMI_PIN_POL; ++ dip |= FIELD_PREP(RK3568_DSP_IF_POL__HDMI_PIN_POL, polflags); + break; + case ROCKCHIP_VOP2_EP_EDP0: + die &= ~RK3568_SYS_DSP_INFACE_EN_EDP_MUX; + die |= RK3568_SYS_DSP_INFACE_EN_EDP | + FIELD_PREP(RK3568_SYS_DSP_INFACE_EN_EDP_MUX, vp->id); ++ dip &= ~RK3568_DSP_IF_POL__EDP_PIN_POL; ++ dip |= FIELD_PREP(RK3568_DSP_IF_POL__EDP_PIN_POL, polflags); + break; + case ROCKCHIP_VOP2_EP_MIPI0: + die &= ~RK3568_SYS_DSP_INFACE_EN_MIPI0_MUX; +-- +2.35.1 + diff --git a/queue-5.19/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch b/queue-5.19/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch new file mode 100644 index 00000000000..e7a81db7f22 --- /dev/null +++ b/queue-5.19/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch @@ -0,0 +1,48 @@ +From 69e4296577073a2d410de75ccb845a58c128c621 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 12:54:31 +0200 +Subject: gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in + mpc85xx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 279c12df8d2efb28def9d037f288cbfb97c30fe2 ] + +Commit e39d5ef67804 ("powerpc/5xxx: extend mpc8xxx_gpio driver to support +mpc512x gpios") implemented support for IRQ_TYPE_LEVEL_LOW flow type in +mpc512x via falling edge type. Do same for mpc85xx which support was added +in commit 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio"). + +Fixes probing of lm90 hwmon driver on mpc85xx based board which use level +interrupt. Without it kernel prints error and refuse lm90 to work: + + [ 15.258370] genirq: Setting trigger mode 8 for irq 49 failed (mpc8xxx_irq_set_type+0x0/0xf8) + [ 15.267168] lm90 0-004c: cannot request IRQ 49 + [ 15.272708] lm90: probe of 0-004c failed with error -22 + +Fixes: 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio") +Signed-off-by: Pali Rohár +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mpc8xxx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c +index a964e25ea620..763256efddc2 100644 +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -172,6 +172,7 @@ static int mpc8xxx_irq_set_type(struct irq_data *d, unsigned int flow_type) + + switch (flow_type) { + case IRQ_TYPE_EDGE_FALLING: ++ case IRQ_TYPE_LEVEL_LOW: + raw_spin_lock_irqsave(&mpc8xxx_gc->lock, flags); + gc->write_reg(mpc8xxx_gc->regs + GPIO_ICR, + gc->read_reg(mpc8xxx_gc->regs + GPIO_ICR) +-- +2.35.1 + diff --git a/queue-5.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch b/queue-5.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch new file mode 100644 index 00000000000..33b32752c65 --- /dev/null +++ b/queue-5.19/net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch @@ -0,0 +1,51 @@ +From 8a0eb7e3df432d2067f908e01674f2f3cb52a007 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 15:41:11 +0200 +Subject: net: mvpp2: debugfs: fix memory leak when using debugfs_lookup() + +From: Greg Kroah-Hartman + +[ Upstream commit fe2c9c61f668cde28dac2b188028c5299cedcc1e ] + +When calling debugfs_lookup() the result must have dput() called on it, +otherwise the memory will leak over time. Fix this up to be much +simpler logic and only create the root debugfs directory once when the +driver is first accessed. That resolves the memory leak and makes +things more obvious as to what the intent is. + +Cc: Marcin Wojtas +Cc: Russell King +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: netdev@vger.kernel.org +Cc: stable +Fixes: 21da57a23125 ("net: mvpp2: add a debugfs interface for the Header Parser") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +index 4a3baa7e0142..0eec05d905eb 100644 +--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c ++++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c +@@ -700,10 +700,10 @@ void mvpp2_dbgfs_cleanup(struct mvpp2 *priv) + + void mvpp2_dbgfs_init(struct mvpp2 *priv, const char *name) + { +- struct dentry *mvpp2_dir, *mvpp2_root; ++ static struct dentry *mvpp2_root; ++ struct dentry *mvpp2_dir; + int ret, i; + +- mvpp2_root = debugfs_lookup(MVPP2_DRIVER_NAME, NULL); + if (!mvpp2_root) + mvpp2_root = debugfs_create_dir(MVPP2_DRIVER_NAME, NULL); + +-- +2.35.1 + diff --git a/queue-5.19/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch b/queue-5.19/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch new file mode 100644 index 00000000000..29a0f4a2dfb --- /dev/null +++ b/queue-5.19/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch @@ -0,0 +1,69 @@ +From 5c7cc29bd44049573d956bd611359ea0a9b73aea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 14:49:05 -0400 +Subject: NFSv4: Turn off open-by-filehandle and NFS re-export for NFSv4.0 + +From: Trond Myklebust + +[ Upstream commit 2a9d683b48c8a87e61a4215792d44c90bcbbb536 ] + +The NFSv4.0 protocol only supports open() by name. It cannot therefore +be used with open_by_handle() and friends, nor can it be re-exported by +knfsd. + +Reported-by: Chuck Lever III +Fixes: 20fa19027286 ("nfs: add export operations") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 6ab5eeb000dc..5e4bacb77bfc 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -1051,22 +1051,31 @@ static void nfs_fill_super(struct super_block *sb, struct nfs_fs_context *ctx) + if (ctx->bsize) + sb->s_blocksize = nfs_block_size(ctx->bsize, &sb->s_blocksize_bits); + +- if (server->nfs_client->rpc_ops->version != 2) { +- /* The VFS shouldn't apply the umask to mode bits. We will do +- * so ourselves when necessary. ++ switch (server->nfs_client->rpc_ops->version) { ++ case 2: ++ sb->s_time_gran = 1000; ++ sb->s_time_min = 0; ++ sb->s_time_max = U32_MAX; ++ break; ++ case 3: ++ /* ++ * The VFS shouldn't apply the umask to mode bits. ++ * We will do so ourselves when necessary. + */ + sb->s_flags |= SB_POSIXACL; + sb->s_time_gran = 1; +- sb->s_export_op = &nfs_export_ops; +- } else +- sb->s_time_gran = 1000; +- +- if (server->nfs_client->rpc_ops->version != 4) { + sb->s_time_min = 0; + sb->s_time_max = U32_MAX; +- } else { ++ sb->s_export_op = &nfs_export_ops; ++ break; ++ case 4: ++ sb->s_flags |= SB_POSIXACL; ++ sb->s_time_gran = 1; + sb->s_time_min = S64_MIN; + sb->s_time_max = S64_MAX; ++ if (server->caps & NFS_CAP_ATOMIC_OPEN_V1) ++ sb->s_export_op = &nfs_export_ops; ++ break; + } + + sb->s_magic = NFS_SUPER_MAGIC; +-- +2.35.1 + diff --git a/queue-5.19/nfsv4.2-update-mode-bits-after-allocate-and-dealloca.patch b/queue-5.19/nfsv4.2-update-mode-bits-after-allocate-and-dealloca.patch new file mode 100644 index 00000000000..9d36283c5d9 --- /dev/null +++ b/queue-5.19/nfsv4.2-update-mode-bits-after-allocate-and-dealloca.patch @@ -0,0 +1,123 @@ +From cfb3c76b2680218f91ed39ef783cda9a4c48e43c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:34:21 -0400 +Subject: NFSv4.2: Update mode bits after ALLOCATE and DEALLOCATE + +From: Anna Schumaker + +[ Upstream commit d7a5118635e725d195843bda80cc5c964d93ef31 ] + +The fallocate call invalidates suid and sgid bits as part of normal +operation. We need to mark the mode bits as invalid when using fallocate +with an suid so these will be updated the next time the user looks at them. + +This fixes xfstests generic/683 and generic/684. + +Reported-by: Yue Cui +Fixes: 913eca1aea87 ("NFS: Fallocate should use the nfs4_fattr_bitmap") +Signed-off-by: Anna Schumaker +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/internal.h | 25 +++++++++++++++++++++++++ + fs/nfs/nfs42proc.c | 9 +++++++-- + fs/nfs/write.c | 25 ------------------------- + 3 files changed, 32 insertions(+), 27 deletions(-) + +diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h +index 8f8cd6e2d4db..597e3ce3f148 100644 +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -604,6 +604,31 @@ static inline gfp_t nfs_io_gfp_mask(void) + return GFP_KERNEL; + } + ++/* ++ * Special version of should_remove_suid() that ignores capabilities. ++ */ ++static inline int nfs_should_remove_suid(const struct inode *inode) ++{ ++ umode_t mode = inode->i_mode; ++ int kill = 0; ++ ++ /* suid always must be killed */ ++ if (unlikely(mode & S_ISUID)) ++ kill = ATTR_KILL_SUID; ++ ++ /* ++ * sgid without any exec bits is just a mandatory locking mark; leave ++ * it alone. If some exec bits are set, it's a real sgid; kill it. ++ */ ++ if (unlikely((mode & S_ISGID) && (mode & S_IXGRP))) ++ kill |= ATTR_KILL_SGID; ++ ++ if (unlikely(kill && S_ISREG(mode))) ++ return kill; ++ ++ return 0; ++} ++ + /* unlink.c */ + extern struct rpc_task * + nfs_async_rename(struct inode *old_dir, struct inode *new_dir, +diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c +index 068c45b3bc1a..6dab9e408372 100644 +--- a/fs/nfs/nfs42proc.c ++++ b/fs/nfs/nfs42proc.c +@@ -78,10 +78,15 @@ static int _nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep, + + status = nfs4_call_sync(server->client, server, msg, + &args.seq_args, &res.seq_res, 0); +- if (status == 0) ++ if (status == 0) { ++ if (nfs_should_remove_suid(inode)) { ++ spin_lock(&inode->i_lock); ++ nfs_set_cache_invalid(inode, NFS_INO_INVALID_MODE); ++ spin_unlock(&inode->i_lock); ++ } + status = nfs_post_op_update_inode_force_wcc(inode, + res.falloc_fattr); +- ++ } + if (msg->rpc_proc == &nfs4_procedures[NFSPROC4_CLNT_ALLOCATE]) + trace_nfs4_fallocate(inode, &args, status); + else +diff --git a/fs/nfs/write.c b/fs/nfs/write.c +index 5d7e1c206184..4212473c69ee 100644 +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -1497,31 +1497,6 @@ void nfs_commit_prepare(struct rpc_task *task, void *calldata) + NFS_PROTO(data->inode)->commit_rpc_prepare(task, data); + } + +-/* +- * Special version of should_remove_suid() that ignores capabilities. +- */ +-static int nfs_should_remove_suid(const struct inode *inode) +-{ +- umode_t mode = inode->i_mode; +- int kill = 0; +- +- /* suid always must be killed */ +- if (unlikely(mode & S_ISUID)) +- kill = ATTR_KILL_SUID; +- +- /* +- * sgid without any exec bits is just a mandatory locking mark; leave +- * it alone. If some exec bits are set, it's a real sgid; kill it. +- */ +- if (unlikely((mode & S_ISGID) && (mode & S_IXGRP))) +- kill |= ATTR_KILL_SGID; +- +- if (unlikely(kill && S_ISREG(mode))) +- return kill; +- +- return 0; +-} +- + static void nfs_writeback_check_extend(struct nfs_pgio_header *hdr, + struct nfs_fattr *fattr) + { +-- +2.35.1 + diff --git a/queue-5.19/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch b/queue-5.19/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch new file mode 100644 index 00000000000..93718b37cf5 --- /dev/null +++ b/queue-5.19/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch @@ -0,0 +1,41 @@ +From 3c71470b081a809b95a94cc4b412bea43fdeeb2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Aug 2022 23:34:16 +0300 +Subject: of: fdt: fix off-by-one error in unflatten_dt_nodes() + +From: Sergey Shtylyov + +[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ] + +Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +forgot to fix up the depth check in the loop body in unflatten_dt_nodes() +which makes it possible to overflow the nps[] buffer... + +Found by Linux Verification Center (linuxtesting.org) with the SVACE static +analysis tool. + +Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index 520ed965bb7a..583ca847a39c 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -314,7 +314,7 @@ static int unflatten_dt_nodes(const void *blob, + for (offset = 0; + offset >= 0 && depth >= initial_depth; + offset = fdt_next_node(blob, offset, &depth)) { +- if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH)) ++ if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH - 1)) + continue; + + if (!IS_ENABLED(CONFIG_OF_KOBJ) && +-- +2.35.1 + diff --git a/queue-5.19/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch b/queue-5.19/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch new file mode 100644 index 00000000000..7f181213417 --- /dev/null +++ b/queue-5.19/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch @@ -0,0 +1,35 @@ +From d33a78e10a2762b1eb5fa9653ae178c18f112a94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 17:36:57 +0800 +Subject: parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() + +From: Yang Yingliang + +[ Upstream commit 38238be4e881a5d0abbe4872b4cd6ed790be06c8 ] + +Add missing iounmap() before return from ccio_probe(), if ccio_init_resources() +fails. + +Fixes: d46c742f827f ("parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()") +Signed-off-by: Yang Yingliang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/parisc/ccio-dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c +index f69ab90b5e22..6052f264bbb0 100644 +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -1546,6 +1546,7 @@ static int __init ccio_probe(struct parisc_device *dev) + } + ccio_ioc_init(ioc); + if (ccio_init_resources(ioc)) { ++ iounmap(ioc->ioc_regs); + kfree(ioc); + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-5.19/pinctrl-qcom-sc8180x-fix-gpio_wakeirq_map.patch b/queue-5.19/pinctrl-qcom-sc8180x-fix-gpio_wakeirq_map.patch new file mode 100644 index 00000000000..186c435a548 --- /dev/null +++ b/queue-5.19/pinctrl-qcom-sc8180x-fix-gpio_wakeirq_map.patch @@ -0,0 +1,40 @@ +From 80846931083ebc7fef7e87be93eaaa47edc624d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Aug 2022 20:26:44 +0800 +Subject: pinctrl: qcom: sc8180x: Fix gpio_wakeirq_map + +From: Molly Sophia + +[ Upstream commit 6124cec530c7d8faab96d340ab2df5161e5d1c8a ] + +Currently in the wakeirq_map, gpio36 and gpio37 have the same wakeirq +number, resulting in gpio37 being unable to trigger interrupts. +It looks like that this is a typo in the wakeirq map. So fix it. + +Signed-off-by: Molly Sophia +Fixes: 97423113ec4b ("pinctrl: qcom: Add sc8180x TLMM driver") +Tested-by: Bjorn Andersson +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220807122645.13830-2-mollysophia379@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-sc8180x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/qcom/pinctrl-sc8180x.c b/drivers/pinctrl/qcom/pinctrl-sc8180x.c +index 6bec7f143134..b4bf009fe23e 100644 +--- a/drivers/pinctrl/qcom/pinctrl-sc8180x.c ++++ b/drivers/pinctrl/qcom/pinctrl-sc8180x.c +@@ -1582,7 +1582,7 @@ static const int sc8180x_acpi_reserved_gpios[] = { + static const struct msm_gpio_wakeirq_map sc8180x_pdc_map[] = { + { 3, 31 }, { 5, 32 }, { 8, 33 }, { 9, 34 }, { 10, 100 }, { 12, 104 }, + { 24, 37 }, { 26, 38 }, { 27, 41 }, { 28, 42 }, { 30, 39 }, { 36, 43 }, +- { 37, 43 }, { 38, 45 }, { 39, 118 }, { 39, 125 }, { 41, 47 }, ++ { 37, 44 }, { 38, 45 }, { 39, 118 }, { 39, 125 }, { 41, 47 }, + { 42, 48 }, { 46, 50 }, { 47, 49 }, { 48, 51 }, { 49, 53 }, { 50, 52 }, + { 51, 116 }, { 51, 123 }, { 53, 54 }, { 54, 55 }, { 55, 56 }, + { 56, 57 }, { 58, 58 }, { 60, 60 }, { 68, 62 }, { 70, 63 }, { 76, 86 }, +-- +2.35.1 + diff --git a/queue-5.19/pinctrl-qcom-sc8180x-fix-wrong-pin-numbers.patch b/queue-5.19/pinctrl-qcom-sc8180x-fix-wrong-pin-numbers.patch new file mode 100644 index 00000000000..38dbba28370 --- /dev/null +++ b/queue-5.19/pinctrl-qcom-sc8180x-fix-wrong-pin-numbers.patch @@ -0,0 +1,45 @@ +From 6bd3c8f189d460e135bb74c8698fd5dc82695d44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Aug 2022 20:26:45 +0800 +Subject: pinctrl: qcom: sc8180x: Fix wrong pin numbers + +From: Molly Sophia + +[ Upstream commit 48ec73395887694f13c9452b4dcfb43710451757 ] + +The pin numbers for UFS_RESET and SDC2_* are not +consistent in the pinctrl driver for sc8180x. +So fix it. + +Signed-off-by: Molly Sophia +Fixes: 97423113ec4b ("pinctrl: qcom: Add sc8180x TLMM driver") +Reviewed-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220807122645.13830-3-mollysophia379@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-sc8180x.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/qcom/pinctrl-sc8180x.c b/drivers/pinctrl/qcom/pinctrl-sc8180x.c +index b4bf009fe23e..704a99d2f93c 100644 +--- a/drivers/pinctrl/qcom/pinctrl-sc8180x.c ++++ b/drivers/pinctrl/qcom/pinctrl-sc8180x.c +@@ -530,10 +530,10 @@ DECLARE_MSM_GPIO_PINS(187); + DECLARE_MSM_GPIO_PINS(188); + DECLARE_MSM_GPIO_PINS(189); + +-static const unsigned int sdc2_clk_pins[] = { 190 }; +-static const unsigned int sdc2_cmd_pins[] = { 191 }; +-static const unsigned int sdc2_data_pins[] = { 192 }; +-static const unsigned int ufs_reset_pins[] = { 193 }; ++static const unsigned int ufs_reset_pins[] = { 190 }; ++static const unsigned int sdc2_clk_pins[] = { 191 }; ++static const unsigned int sdc2_cmd_pins[] = { 192 }; ++static const unsigned int sdc2_data_pins[] = { 193 }; + + enum sc8180x_functions { + msm_mux_adsp_ext, +-- +2.35.1 + diff --git a/queue-5.19/pinctrl-rockchip-enhance-support-for-irq_type_edge_b.patch b/queue-5.19/pinctrl-rockchip-enhance-support-for-irq_type_edge_b.patch new file mode 100644 index 00000000000..8c08e3bee7e --- /dev/null +++ b/queue-5.19/pinctrl-rockchip-enhance-support-for-irq_type_edge_b.patch @@ -0,0 +1,49 @@ +From e70044c5b18c93c93416ef112ed70c65d69cc6bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Aug 2022 02:51:20 +0000 +Subject: pinctrl: rockchip: Enhance support for IRQ_TYPE_EDGE_BOTH +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: João H. Spies + +[ Upstream commit b871656aa4f54e04207f62bdd0d7572be1d86b36 ] + +Switching between falling/rising edges for IRQ_TYPE_EDGE_BOTH on pins that +require debounce can cause the device to lose events due to a desync +between pin state and irq type. + +This problem is resolved by switching between IRQ_TYPE_LEVEL_LOW and +IRQ_TYPE_LEVEL_HIGH instead. + +Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio") +Signed-off-by: João H. Spies +Link: https://lore.kernel.org/r/20220808025121.110223-1-jhlspies@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-rockchip.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpio/gpio-rockchip.c b/drivers/gpio/gpio-rockchip.c +index e342a6dc4c6c..bb953f647864 100644 +--- a/drivers/gpio/gpio-rockchip.c ++++ b/drivers/gpio/gpio-rockchip.c +@@ -418,11 +418,11 @@ static int rockchip_irq_set_type(struct irq_data *d, unsigned int type) + goto out; + } else { + bank->toggle_edge_mode |= mask; +- level |= mask; ++ level &= ~mask; + + /* + * Determine gpio state. If 1 next interrupt should be +- * falling otherwise rising. ++ * low otherwise high. + */ + data = readl(bank->reg_base + bank->gpio_regs->ext_port); + if (data & mask) +-- +2.35.1 + diff --git a/queue-5.19/pinctrl-sunxi-fix-name-for-a100-r_pio.patch b/queue-5.19/pinctrl-sunxi-fix-name-for-a100-r_pio.patch new file mode 100644 index 00000000000..599f475ca0c --- /dev/null +++ b/queue-5.19/pinctrl-sunxi-fix-name-for-a100-r_pio.patch @@ -0,0 +1,38 @@ +From bc56442446b8df6c64b7970558f8a67dc9d50e5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Aug 2022 10:45:41 +0800 +Subject: pinctrl: sunxi: Fix name for A100 R_PIO + +From: Michael Wu + +[ Upstream commit 76648c867c6c03b8a468d9c9222025873ecc613d ] + +The name of A100 R_PIO driver should be sun50i-a100-r-pinctrl, +not sun50iw10p1-r-pinctrl. + +Fixes: 473436e7647d6 ("pinctrl: sunxi: add support for the Allwinner A100 pin controller") +Signed-off-by: Michael Wu +Acked-by: Samuel Holland +Link: https://lore.kernel.org/r/20220819024541.74191-1-michael@allwinnertech.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c b/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c +index 21054fcacd34..18088f6f44b2 100644 +--- a/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c ++++ b/drivers/pinctrl/sunxi/pinctrl-sun50i-a100-r.c +@@ -98,7 +98,7 @@ MODULE_DEVICE_TABLE(of, a100_r_pinctrl_match); + static struct platform_driver a100_r_pinctrl_driver = { + .probe = a100_r_pinctrl_probe, + .driver = { +- .name = "sun50iw10p1-r-pinctrl", ++ .name = "sun50i-a100-r-pinctrl", + .of_match_table = a100_r_pinctrl_match, + }, + }; +-- +2.35.1 + diff --git a/queue-5.19/revert-sunrpc-remove-unreachable-error-condition.patch b/queue-5.19/revert-sunrpc-remove-unreachable-error-condition.patch new file mode 100644 index 00000000000..668dfed8d8d --- /dev/null +++ b/queue-5.19/revert-sunrpc-remove-unreachable-error-condition.patch @@ -0,0 +1,41 @@ +From 93003412bd5e65279452413ebd66afc91837eb34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 17:08:51 +0300 +Subject: Revert "SUNRPC: Remove unreachable error condition" + +From: Dan Aloni + +[ Upstream commit 13bd9014180425f5a35eaf3735971d582c299292 ] + +This reverts commit efe57fd58e1cb77f9186152ee12a8aa4ae3348e0. + +The assumption that it is impossible to return an ERR pointer from +rpc_run_task() no longer holds due to commit 25cf32ad5dba ("SUNRPC: +Handle allocation failure in rpc_new_task()"). + +Fixes: 25cf32ad5dba ('SUNRPC: Handle allocation failure in rpc_new_task()') +Fixes: efe57fd58e1c ('SUNRPC: Remove unreachable error condition') +Signed-off-by: Dan Aloni +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index c1a01947530f..db8c0de1de42 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -2858,6 +2858,9 @@ int rpc_clnt_test_and_add_xprt(struct rpc_clnt *clnt, + + task = rpc_call_null_helper(clnt, xprt, NULL, RPC_TASK_ASYNC, + &rpc_cb_add_xprt_call_ops, data); ++ if (IS_ERR(task)) ++ return PTR_ERR(task); ++ + data->xps->xps_nunique_destaddr_xprts++; + rpc_put_task(task); + success: +-- +2.35.1 + diff --git a/queue-5.19/series b/queue-5.19/series index e69de29bb2d..be180d02a65 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -0,0 +1,20 @@ +of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch +pinctrl-qcom-sc8180x-fix-gpio_wakeirq_map.patch +pinctrl-qcom-sc8180x-fix-wrong-pin-numbers.patch +pinctrl-rockchip-enhance-support-for-irq_type_edge_b.patch +pinctrl-sunxi-fix-name-for-a100-r_pio.patch +sunrpc-fix-call-completion-races-with-call_decode.patch +nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch +gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch +nfsv4.2-update-mode-bits-after-allocate-and-dealloca.patch +revert-sunrpc-remove-unreachable-error-condition.patch +drm-panel-edp-fix-delays-for-innolux-n116bca-ea1.patch +drm-meson-correct-osd1-global-alpha-value.patch +drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch +drm-rockchip-vop2-fix-edp-hdmi-sync-polarities.patch +drm-i915-vdsc-set-vdsc-pic_height-before-using-for-d.patch +drm-i915-guc-don-t-update-engine-busyness-stats-too-.patch +drm-i915-guc-cancel-guc-engine-busyness-worker-synch.patch +block-blk_queue_enter-__bio_queue_enter-must-return-.patch +parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch +net-mvpp2-debugfs-fix-memory-leak-when-using-debugfs.patch diff --git a/queue-5.19/sunrpc-fix-call-completion-races-with-call_decode.patch b/queue-5.19/sunrpc-fix-call-completion-races-with-call_decode.patch new file mode 100644 index 00000000000..c5ff481de91 --- /dev/null +++ b/queue-5.19/sunrpc-fix-call-completion-races-with-call_decode.patch @@ -0,0 +1,59 @@ +From 771541e4cc6fe10a738572a23cc55c4a50827dea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Aug 2022 17:28:13 -0400 +Subject: SUNRPC: Fix call completion races with call_decode() + +From: Trond Myklebust + +[ Upstream commit 17814819ac9829a437e06fbb5c7056a1f4f893da ] + +We need to make sure that the req->rq_private_buf is completely up to +date before we make req->rq_reply_bytes_recvd visible to the +call_decode() routine in order to avoid triggering the WARN_ON(). + +Reported-by: Benjamin Coddington +Fixes: 72691a269f0b ("SUNRPC: Don't reuse bvec on retransmission of the request") +Tested-by: Benjamin Coddington +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c +index 53b024cea3b3..5ecafffe7ce5 100644 +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -1179,11 +1179,8 @@ xprt_request_dequeue_receive_locked(struct rpc_task *task) + { + struct rpc_rqst *req = task->tk_rqstp; + +- if (test_and_clear_bit(RPC_TASK_NEED_RECV, &task->tk_runstate)) { ++ if (test_and_clear_bit(RPC_TASK_NEED_RECV, &task->tk_runstate)) + xprt_request_rb_remove(req->rq_xprt, req); +- xdr_free_bvec(&req->rq_rcv_buf); +- req->rq_private_buf.bvec = NULL; +- } + } + + /** +@@ -1221,6 +1218,8 @@ void xprt_complete_rqst(struct rpc_task *task, int copied) + + xprt->stat.recvs++; + ++ xdr_free_bvec(&req->rq_rcv_buf); ++ req->rq_private_buf.bvec = NULL; + req->rq_private_buf.len = copied; + /* Ensure all writes are done before we update */ + /* req->rq_reply_bytes_recvd */ +@@ -1453,6 +1452,7 @@ xprt_request_dequeue_xprt(struct rpc_task *task) + xprt_request_dequeue_transmit_locked(task); + xprt_request_dequeue_receive_locked(task); + spin_unlock(&xprt->queue_lock); ++ xdr_free_bvec(&req->rq_rcv_buf); + } + } + +-- +2.35.1 + diff --git a/queue-5.4/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch b/queue-5.4/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch new file mode 100644 index 00000000000..3190c9b8715 --- /dev/null +++ b/queue-5.4/alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch @@ -0,0 +1,53 @@ +From eac446e17d621bee3e6d0d19cc35eeee19a682ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 08:07:54 -0400 +Subject: ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC + +[ Upstream commit 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d ] + +There is a small race window at snd_pcm_oss_sync() that is called from +OSS PCM SNDCTL_DSP_SYNC ioctl; namely the function calls +snd_pcm_oss_make_ready() at first, then takes the params_lock mutex +for the rest. When the stream is set up again by another thread +between them, it leads to inconsistency, and may result in unexpected +results such as NULL dereference of OSS buffer as a fuzzer spotted +recently. + +The fix is simply to cover snd_pcm_oss_make_ready() call into the same +params_lock mutex with snd_pcm_oss_make_ready_locked() variant. + +Reported-and-tested-by: butt3rflyh4ck +Reviewed-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/CAFcO6XN7JDM4xSXGhtusQfS2mSBcx50VJKwQpCq=WeLt57aaZA@mail.gmail.com +Link: https://lore.kernel.org/r/20220905060714.22549-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/oss/pcm_oss.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index ad4e0af2d0d0..51d2911366e9 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1661,13 +1661,14 @@ static int snd_pcm_oss_sync(struct snd_pcm_oss_file *pcm_oss_file) + runtime = substream->runtime; + if (atomic_read(&substream->mmap_count)) + goto __direct; +- if ((err = snd_pcm_oss_make_ready(substream)) < 0) +- return err; + atomic_inc(&runtime->oss.rw_ref); + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { + atomic_dec(&runtime->oss.rw_ref); + return -ERESTARTSYS; + } ++ err = snd_pcm_oss_make_ready_locked(substream); ++ if (err < 0) ++ goto unlock; + format = snd_pcm_oss_format_from(runtime->oss.format); + width = snd_pcm_format_physical_width(format); + if (runtime->oss.buffer_used > 0) { +-- +2.35.1 + diff --git a/queue-5.4/drm-i915-implement-waedplinkratedatareload.patch b/queue-5.4/drm-i915-implement-waedplinkratedatareload.patch new file mode 100644 index 00000000000..2f5b846f80a --- /dev/null +++ b/queue-5.4/drm-i915-implement-waedplinkratedatareload.patch @@ -0,0 +1,95 @@ +From 36c9ca7e117d715e270e5151e4c9ecf97f565e6e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Sep 2022 10:03:18 +0300 +Subject: drm/i915: Implement WaEdpLinkRateDataReload +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit 672d6ca758651f0ec12cd0d59787067a5bde1c96 ] + +A lot of modern laptops use the Parade PS8461E MUX for eDP +switching. The MUX can operate in jitter cleaning mode or +redriver mode, the first one resulting in higher link +quality. The jitter cleaning mode needs to know the link +rate used and the MUX achieves this by snooping the +LINK_BW_SET, LINK_RATE_SELECT and SUPPORTED_LINK_RATES +DPCD accesses. + +When the MUX is powered down (seems this can happen whenever +the display is turned off) it loses track of the snooped +link rates so when we do the LINK_RATE_SELECT write it no +longer knowns which link rate we're selecting, and thus it +falls back to the lower quality redriver mode. This results +in unstable high link rates (eg. usually 8.1Gbps link rate +no longer works correctly). + +In order to avoid all that let's re-snoop SUPPORTED_LINK_RATES +from the sink at the start of every link training. + +Unfortunately we don't have a way to detect the presence of +the MUX. It looks like the set of laptops equipped with this +MUX is fairly large and contains devices from multiple +manufacturers. It may also still be growing with new models. +So a quirk doesn't seem like a very easily maintainable +option, thus we shall attempt to do this unconditionally on +all machines that use LINK_RATE_SELECT. Hopefully this extra +DPCD read doesn't cause issues for any unaffected machine. +If that turns out to be the case we'll need to convert this +into a quirk in the future. + +Cc: stable@vger.kernel.org +Cc: Jason A. Donenfeld +Cc: Ankit Nautiyal +Cc: Jani Nikula +Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/6205 +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20220902070319.15395-1-ville.syrjala@linux.intel.com +Tested-by: Aaron Ma +Tested-by: Jason A. Donenfeld +Reviewed-by: Jani Nikula +(cherry picked from commit 25899c590cb5ba9b9f284c6ca8e7e9086793d641) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Sasha Levin +--- + .../drm/i915/display/intel_dp_link_training.c | 22 +++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/drivers/gpu/drm/i915/display/intel_dp_link_training.c b/drivers/gpu/drm/i915/display/intel_dp_link_training.c +index 2a1130dd1ad0..774f910364ab 100644 +--- a/drivers/gpu/drm/i915/display/intel_dp_link_training.c ++++ b/drivers/gpu/drm/i915/display/intel_dp_link_training.c +@@ -142,6 +142,28 @@ intel_dp_link_training_clock_recovery(struct intel_dp *intel_dp) + intel_dp_compute_rate(intel_dp, intel_dp->link_rate, + &link_bw, &rate_select); + ++ /* ++ * WaEdpLinkRateDataReload ++ * ++ * Parade PS8461E MUX (used on varius TGL+ laptops) needs ++ * to snoop the link rates reported by the sink when we ++ * use LINK_RATE_SET in order to operate in jitter cleaning ++ * mode (as opposed to redriver mode). Unfortunately it ++ * loses track of the snooped link rates when powered down, ++ * so we need to make it re-snoop often. Without this high ++ * link rates are not stable. ++ */ ++ if (!link_bw) { ++ struct intel_connector *connector = intel_dp->attached_connector; ++ __le16 sink_rates[DP_MAX_SUPPORTED_RATES]; ++ ++ drm_dbg_kms(&i915->drm, "[CONNECTOR:%d:%s] Reloading eDP link rates\n", ++ connector->base.base.id, connector->base.name); ++ ++ drm_dp_dpcd_read(&intel_dp->aux, DP_SUPPORTED_LINK_RATES, ++ sink_rates, sizeof(sink_rates)); ++ } ++ + if (link_bw) + DRM_DEBUG_KMS("Using LINK_BW_SET value %02x\n", link_bw); + else +-- +2.35.1 + diff --git a/queue-5.4/drm-meson-correct-osd1-global-alpha-value.patch b/queue-5.4/drm-meson-correct-osd1-global-alpha-value.patch new file mode 100644 index 00000000000..a08c709ae23 --- /dev/null +++ b/queue-5.4/drm-meson-correct-osd1-global-alpha-value.patch @@ -0,0 +1,40 @@ +From cfa7726fe7536ae925a6e9ea4db42129f53db54e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:51:03 +0100 +Subject: drm/meson: Correct OSD1 global alpha value + +From: Stuart Menefy + +[ Upstream commit 6836829c8ea453c9e3e518e61539e35881c8ed5f ] + +VIU_OSD1_CTRL_STAT.GLOBAL_ALPHA is a 9 bit field, so the maximum +value is 0x100 not 0xff. + +This matches the vendor kernel. + +Signed-off-by: Stuart Menefy +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220908155103.686904-1-stuart.menefy@mathembedded.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_plane.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_plane.c b/drivers/gpu/drm/meson/meson_plane.c +index ed543227b00d..53f5d0581c35 100644 +--- a/drivers/gpu/drm/meson/meson_plane.c ++++ b/drivers/gpu/drm/meson/meson_plane.c +@@ -128,7 +128,7 @@ static void meson_plane_atomic_update(struct drm_plane *plane, + + /* Enable OSD and BLK0, set max global alpha */ + priv->viu.osd1_ctrl_stat = OSD_ENABLE | +- (0xFF << OSD_GLOBAL_ALPHA_SHIFT) | ++ (0x100 << OSD_GLOBAL_ALPHA_SHIFT) | + OSD_BLK0_ENABLE; + + canvas_id_osd1 = priv->canvas_id_osd1; +-- +2.35.1 + diff --git a/queue-5.4/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch b/queue-5.4/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch new file mode 100644 index 00000000000..7fda39833b4 --- /dev/null +++ b/queue-5.4/drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch @@ -0,0 +1,47 @@ +From a54b65092f901913981313234cf1c0ab1fa30652 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Sep 2022 16:52:43 +0100 +Subject: drm/meson: Fix OSD1 RGB to YCbCr coefficient + +From: Stuart Menefy + +[ Upstream commit 6463d3930ba5b6addcfc8f80a4543976a2fc7656 ] + +VPP_WRAP_OSD1_MATRIX_COEF22.Coeff22 is documented as being bits 0-12, +not 16-28. + +Without this the output tends to have a pink hue, changing it results +in better color accuracy. + +The vendor kernel doesn't use this register. However the code which +sets VIU2_OSD1_MATRIX_COEF22 also uses bits 0-12. There is a slightly +different style of registers for configuring some of the other matrices, +which do use bits 16-28 for this coefficient, but those have names +ending in MATRIX_COEF22_30, and this is not one of those. + +Signed-off-by: Stuart Menefy +Fixes: 728883948b0d ("drm/meson: Add G12A Support for VIU setup") +Reviewed-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20220908155243.687143-1-stuart.menefy@mathembedded.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/meson/meson_viu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c +index 9991f0a43b1a..8d0938525978 100644 +--- a/drivers/gpu/drm/meson/meson_viu.c ++++ b/drivers/gpu/drm/meson/meson_viu.c +@@ -91,7 +91,7 @@ static void meson_viu_set_g12a_osd1_matrix(struct meson_drm *priv, + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF11_12)); + writel(((m[9] & 0x1fff) << 16) | (m[10] & 0x1fff), + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF20_21)); +- writel((m[11] & 0x1fff) << 16, ++ writel((m[11] & 0x1fff), + priv->io_base + _REG(VPP_WRAP_OSD1_MATRIX_COEF22)); + + writel(((m[18] & 0xfff) << 16) | (m[19] & 0xfff), +-- +2.35.1 + diff --git a/queue-5.4/efi-libstub-disable-shadow-call-stack.patch b/queue-5.4/efi-libstub-disable-shadow-call-stack.patch new file mode 100644 index 00000000000..702cb1cd7b0 --- /dev/null +++ b/queue-5.4/efi-libstub-disable-shadow-call-stack.patch @@ -0,0 +1,39 @@ +From 71eff1e8b6af8ea09df48e7f63fcb2585248bdc7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Apr 2020 09:00:18 -0700 +Subject: efi/libstub: Disable Shadow Call Stack + +From: Sami Tolvanen + +[ Upstream commit cc49c71d2abe99c1c2c9bedf0693ad2d3ee4a067 ] + +Shadow stacks are not available in the EFI stub, filter out SCS flags. + +Suggested-by: James Morse +Signed-off-by: Sami Tolvanen +Reviewed-by: Kees Cook +Acked-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Stable-dep-of: 1a3887924a7e ("efi: libstub: Disable struct randomization") +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index 8c5b5529dbc0..f3540d5dd276 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -31,6 +31,9 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ + $(call cc-option,-fno-addrsig) \ + -D__DISABLE_EXPORTS + ++# remove SCS flags from all objects in this directory ++KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS)) ++ + GCOV_PROFILE := n + KASAN_SANITIZE := n + UBSAN_SANITIZE := n +-- +2.35.1 + diff --git a/queue-5.4/efi-libstub-disable-struct-randomization.patch b/queue-5.4/efi-libstub-disable-struct-randomization.patch new file mode 100644 index 00000000000..6242b944088 --- /dev/null +++ b/queue-5.4/efi-libstub-disable-struct-randomization.patch @@ -0,0 +1,56 @@ +From e519094ca4cd30a02d34ad5d4c3f518c6fb18092 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Aug 2022 19:20:33 +0200 +Subject: efi: libstub: Disable struct randomization + +From: Ard Biesheuvel + +[ Upstream commit 1a3887924a7e6edd331be76da7bf4c1e8eab4b1e ] + +The EFI stub is a wrapper around the core kernel that makes it look like +a EFI compatible PE/COFF application to the EFI firmware. EFI +applications run on top of the EFI runtime, which is heavily based on +so-called protocols, which are struct types consisting [mostly] of +function pointer members that are instantiated and recorded in a +protocol database. + +These structs look like the ideal randomization candidates to the +randstruct plugin (as they only carry function pointers), but of course, +these protocols are contracts between the firmware that exposes them, +and the EFI applications (including our stubbed kernel) that invoke +them. This means that struct randomization for EFI protocols is not a +great idea, and given that the stub shares very little data with the +core kernel that is represented as a randomizable struct, we're better +off just disabling it completely here. + +Cc: # v4.14+ +Reported-by: Daniel Marth +Tested-by: Daniel Marth +Signed-off-by: Ard Biesheuvel +Acked-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/libstub/Makefile | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile +index f3540d5dd276..34e4b31010bd 100644 +--- a/drivers/firmware/efi/libstub/Makefile ++++ b/drivers/firmware/efi/libstub/Makefile +@@ -31,6 +31,13 @@ KBUILD_CFLAGS := $(cflags-y) -DDISABLE_BRANCH_PROFILING \ + $(call cc-option,-fno-addrsig) \ + -D__DISABLE_EXPORTS + ++# ++# struct randomization only makes sense for Linux internal types, which the EFI ++# stub code never touches, so let's turn off struct randomization for the stub ++# altogether ++# ++KBUILD_CFLAGS := $(filter-out $(RANDSTRUCT_CFLAGS), $(KBUILD_CFLAGS)) ++ + # remove SCS flags from all objects in this directory + KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_SCS), $(KBUILD_CFLAGS)) + +-- +2.35.1 + diff --git a/queue-5.4/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch b/queue-5.4/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch new file mode 100644 index 00000000000..3b33a1e6797 --- /dev/null +++ b/queue-5.4/gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch @@ -0,0 +1,48 @@ +From 4be39934c0ed6f29090e975df8e09ac0ce085990 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 12:54:31 +0200 +Subject: gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in + mpc85xx +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 279c12df8d2efb28def9d037f288cbfb97c30fe2 ] + +Commit e39d5ef67804 ("powerpc/5xxx: extend mpc8xxx_gpio driver to support +mpc512x gpios") implemented support for IRQ_TYPE_LEVEL_LOW flow type in +mpc512x via falling edge type. Do same for mpc85xx which support was added +in commit 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio"). + +Fixes probing of lm90 hwmon driver on mpc85xx based board which use level +interrupt. Without it kernel prints error and refuse lm90 to work: + + [ 15.258370] genirq: Setting trigger mode 8 for irq 49 failed (mpc8xxx_irq_set_type+0x0/0xf8) + [ 15.267168] lm90 0-004c: cannot request IRQ 49 + [ 15.272708] lm90: probe of 0-004c failed with error -22 + +Fixes: 345e5c8a1cc3 ("powerpc: Add interrupt support to mpc8xxx_gpio") +Signed-off-by: Pali Rohár +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-mpc8xxx.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpio/gpio-mpc8xxx.c b/drivers/gpio/gpio-mpc8xxx.c +index d72a3a5507b0..f3bf82efea8e 100644 +--- a/drivers/gpio/gpio-mpc8xxx.c ++++ b/drivers/gpio/gpio-mpc8xxx.c +@@ -190,6 +190,7 @@ static int mpc8xxx_irq_set_type(struct irq_data *d, unsigned int flow_type) + + switch (flow_type) { + case IRQ_TYPE_EDGE_FALLING: ++ case IRQ_TYPE_LEVEL_LOW: + raw_spin_lock_irqsave(&mpc8xxx_gc->lock, flags); + gc->write_reg(mpc8xxx_gc->regs + GPIO_ICR, + gc->read_reg(mpc8xxx_gc->regs + GPIO_ICR) +-- +2.35.1 + diff --git a/queue-5.4/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch b/queue-5.4/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch new file mode 100644 index 00000000000..b35b08a7bdb --- /dev/null +++ b/queue-5.4/nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch @@ -0,0 +1,69 @@ +From a6cf75d7c8034b60099dc7485a22ce250ba5e7ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 14:49:05 -0400 +Subject: NFSv4: Turn off open-by-filehandle and NFS re-export for NFSv4.0 + +From: Trond Myklebust + +[ Upstream commit 2a9d683b48c8a87e61a4215792d44c90bcbbb536 ] + +The NFSv4.0 protocol only supports open() by name. It cannot therefore +be used with open_by_handle() and friends, nor can it be re-exported by +knfsd. + +Reported-by: Chuck Lever III +Fixes: 20fa19027286 ("nfs: add export operations") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index a84df7d63403..ecc7277b3eda 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2375,22 +2375,31 @@ void nfs_fill_super(struct super_block *sb, struct nfs_mount_info *mount_info) + if (data && data->bsize) + sb->s_blocksize = nfs_block_size(data->bsize, &sb->s_blocksize_bits); + +- if (server->nfs_client->rpc_ops->version != 2) { +- /* The VFS shouldn't apply the umask to mode bits. We will do +- * so ourselves when necessary. ++ switch (server->nfs_client->rpc_ops->version) { ++ case 2: ++ sb->s_time_gran = 1000; ++ sb->s_time_min = 0; ++ sb->s_time_max = U32_MAX; ++ break; ++ case 3: ++ /* ++ * The VFS shouldn't apply the umask to mode bits. ++ * We will do so ourselves when necessary. + */ + sb->s_flags |= SB_POSIXACL; + sb->s_time_gran = 1; +- sb->s_export_op = &nfs_export_ops; +- } else +- sb->s_time_gran = 1000; +- +- if (server->nfs_client->rpc_ops->version != 4) { + sb->s_time_min = 0; + sb->s_time_max = U32_MAX; +- } else { ++ sb->s_export_op = &nfs_export_ops; ++ break; ++ case 4: ++ sb->s_flags |= SB_POSIXACL; ++ sb->s_time_gran = 1; + sb->s_time_min = S64_MIN; + sb->s_time_max = S64_MAX; ++ if (server->caps & NFS_CAP_ATOMIC_OPEN_V1) ++ sb->s_export_op = &nfs_export_ops; ++ break; + } + + nfs_initialise_sb(sb); +-- +2.35.1 + diff --git a/queue-5.4/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch b/queue-5.4/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch new file mode 100644 index 00000000000..4886c089f49 --- /dev/null +++ b/queue-5.4/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch @@ -0,0 +1,41 @@ +From 456810ac4f1f9ab58e9080f08b6be28a246d9dd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Aug 2022 23:34:16 +0300 +Subject: of: fdt: fix off-by-one error in unflatten_dt_nodes() + +From: Sergey Shtylyov + +[ Upstream commit 2f945a792f67815abca26fa8a5e863ccf3fa1181 ] + +Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +forgot to fix up the depth check in the loop body in unflatten_dt_nodes() +which makes it possible to overflow the nps[] buffer... + +Found by Linux Verification Center (linuxtesting.org) with the SVACE static +analysis tool. + +Fixes: 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Rob Herring +Link: https://lore.kernel.org/r/7c354554-006f-6b31-c195-cdfe4caee392@omp.ru +Signed-off-by: Sasha Levin +--- + drivers/of/fdt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c +index 943d2a60bfdf..6d519ef3c5da 100644 +--- a/drivers/of/fdt.c ++++ b/drivers/of/fdt.c +@@ -315,7 +315,7 @@ static int unflatten_dt_nodes(const void *blob, + for (offset = 0; + offset >= 0 && depth >= initial_depth; + offset = fdt_next_node(blob, offset, &depth)) { +- if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH)) ++ if (WARN_ON_ONCE(depth >= FDT_MAX_DEPTH - 1)) + continue; + + if (!IS_ENABLED(CONFIG_OF_KOBJ) && +-- +2.35.1 + diff --git a/queue-5.4/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch b/queue-5.4/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch new file mode 100644 index 00000000000..c8e145d567e --- /dev/null +++ b/queue-5.4/parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch @@ -0,0 +1,35 @@ +From f431714aa38b2383b3e36e82db1bf9035bd32535 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 17:36:57 +0800 +Subject: parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() + +From: Yang Yingliang + +[ Upstream commit 38238be4e881a5d0abbe4872b4cd6ed790be06c8 ] + +Add missing iounmap() before return from ccio_probe(), if ccio_init_resources() +fails. + +Fixes: d46c742f827f ("parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()") +Signed-off-by: Yang Yingliang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/parisc/ccio-dma.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/parisc/ccio-dma.c b/drivers/parisc/ccio-dma.c +index 6209d58e9492..fdd302d0a1c9 100644 +--- a/drivers/parisc/ccio-dma.c ++++ b/drivers/parisc/ccio-dma.c +@@ -1544,6 +1544,7 @@ static int __init ccio_probe(struct parisc_device *dev) + } + ccio_ioc_init(ioc); + if (ccio_init_resources(ioc)) { ++ iounmap(ioc->ioc_regs); + kfree(ioc); + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-5.4/sched-debug-fix-memory-corruption-caused-by-multiple.patch b/queue-5.4/sched-debug-fix-memory-corruption-caused-by-multiple.patch new file mode 100644 index 00000000000..eaccc85bd90 --- /dev/null +++ b/queue-5.4/sched-debug-fix-memory-corruption-caused-by-multiple.patch @@ -0,0 +1,75 @@ +From 6e0198428dac397668410194d2f454750ee7f1d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Oct 2020 15:11:03 +0000 +Subject: sched/debug: Fix memory corruption caused by multiple small reads of + flags + +From: Colin Ian King + +[ Upstream commit 8d4d9c7b4333abccb3bf310d76ef7ea2edb9828f ] + +Reading /proc/sys/kernel/sched_domain/cpu*/domain0/flags mutliple times +with small reads causes oopses with slub corruption issues because the kfree is +free'ing an offset from a previous allocation. Fix this by adding in a new +pointer 'buf' for the allocation and kfree and use the temporary pointer tmp +to handle memory copies of the buf offsets. + +Fixes: 5b9f8ff7b320 ("sched/debug: Output SD flag names rather than their values") +Reported-by: Jeff Bastian +Signed-off-by: Colin Ian King +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Valentin Schneider +Link: https://lkml.kernel.org/r/20201029151103.373410-1-colin.king@canonical.com +Stable-dep-of: c2e406596571 ("sched/debug: fix dentry leak in update_sched_domain_debugfs") +Signed-off-by: Sasha Levin +--- + kernel/sched/debug.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c +index df646776b7f0..5cb097382c47 100644 +--- a/kernel/sched/debug.c ++++ b/kernel/sched/debug.c +@@ -249,7 +249,7 @@ static int sd_ctl_doflags(struct ctl_table *table, int write, + unsigned long flags = *(unsigned long *)table->data; + size_t data_size = 0; + size_t len = 0; +- char *tmp; ++ char *tmp, *buf; + int idx; + + if (write) +@@ -267,17 +267,17 @@ static int sd_ctl_doflags(struct ctl_table *table, int write, + return 0; + } + +- tmp = kcalloc(data_size + 1, sizeof(*tmp), GFP_KERNEL); +- if (!tmp) ++ buf = kcalloc(data_size + 1, sizeof(*buf), GFP_KERNEL); ++ if (!buf) + return -ENOMEM; + + for_each_set_bit(idx, &flags, __SD_FLAG_CNT) { + char *name = sd_flag_debug[idx].name; + +- len += snprintf(tmp + len, strlen(name) + 2, "%s ", name); ++ len += snprintf(buf + len, strlen(name) + 2, "%s ", name); + } + +- tmp += *ppos; ++ tmp = buf + *ppos; + len -= *ppos; + + if (len > *lenp) +@@ -292,7 +292,7 @@ static int sd_ctl_doflags(struct ctl_table *table, int write, + *lenp = len; + *ppos += len; + +- kfree(tmp); ++ kfree(buf); + + return 0; + } +-- +2.35.1 + diff --git a/queue-5.4/sched-debug-output-sd-flag-names-rather-than-their-v.patch b/queue-5.4/sched-debug-output-sd-flag-names-rather-than-their-v.patch new file mode 100644 index 00000000000..a90954b3efc --- /dev/null +++ b/queue-5.4/sched-debug-output-sd-flag-names-rather-than-their-v.patch @@ -0,0 +1,107 @@ +From d023794b6b1646ba127c98be1d86ec0bac984e5c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Aug 2020 12:29:52 +0100 +Subject: sched/debug: Output SD flag names rather than their values + +From: Valentin Schneider + +[ Upstream commit 5b9f8ff7b320a34af3dbcf04edb40d9b04f22f4a ] + +Decoding the output of /proc/sys/kernel/sched_domain/cpu*/domain*/flags has +always been somewhat annoying, as one needs to go fetch the bit -> name +mapping from the source code itself. This encoding can be saved in a script +somewhere, but that isn't safe from flags being added, removed or even +shuffled around. + +What matters for debugging purposes is to get *which* flags are set in a +given domain, their associated value is pretty much meaningless. + +Make the sd flags debug file output flag names. + +Signed-off-by: Valentin Schneider +Signed-off-by: Ingo Molnar +Acked-by: Peter Zijlstra +Link: https://lore.kernel.org/r/20200817113003.20802-7-valentin.schneider@arm.com +Stable-dep-of: c2e406596571 ("sched/debug: fix dentry leak in update_sched_domain_debugfs") +Signed-off-by: Sasha Levin +--- + kernel/sched/debug.c | 56 +++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 55 insertions(+), 1 deletion(-) + +diff --git a/kernel/sched/debug.c b/kernel/sched/debug.c +index d5f7fc7099bc..df646776b7f0 100644 +--- a/kernel/sched/debug.c ++++ b/kernel/sched/debug.c +@@ -243,6 +243,60 @@ set_table_entry(struct ctl_table *entry, + entry->proc_handler = proc_handler; + } + ++static int sd_ctl_doflags(struct ctl_table *table, int write, ++ void *buffer, size_t *lenp, loff_t *ppos) ++{ ++ unsigned long flags = *(unsigned long *)table->data; ++ size_t data_size = 0; ++ size_t len = 0; ++ char *tmp; ++ int idx; ++ ++ if (write) ++ return 0; ++ ++ for_each_set_bit(idx, &flags, __SD_FLAG_CNT) { ++ char *name = sd_flag_debug[idx].name; ++ ++ /* Name plus whitespace */ ++ data_size += strlen(name) + 1; ++ } ++ ++ if (*ppos > data_size) { ++ *lenp = 0; ++ return 0; ++ } ++ ++ tmp = kcalloc(data_size + 1, sizeof(*tmp), GFP_KERNEL); ++ if (!tmp) ++ return -ENOMEM; ++ ++ for_each_set_bit(idx, &flags, __SD_FLAG_CNT) { ++ char *name = sd_flag_debug[idx].name; ++ ++ len += snprintf(tmp + len, strlen(name) + 2, "%s ", name); ++ } ++ ++ tmp += *ppos; ++ len -= *ppos; ++ ++ if (len > *lenp) ++ len = *lenp; ++ if (len) ++ memcpy(buffer, tmp, len); ++ if (len < *lenp) { ++ ((char *)buffer)[len] = '\n'; ++ len++; ++ } ++ ++ *lenp = len; ++ *ppos += len; ++ ++ kfree(tmp); ++ ++ return 0; ++} ++ + static struct ctl_table * + sd_alloc_ctl_domain_table(struct sched_domain *sd) + { +@@ -256,7 +310,7 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd) + set_table_entry(&table[2], "busy_factor", &sd->busy_factor, sizeof(int), 0644, proc_dointvec_minmax); + set_table_entry(&table[3], "imbalance_pct", &sd->imbalance_pct, sizeof(int), 0644, proc_dointvec_minmax); + set_table_entry(&table[4], "cache_nice_tries", &sd->cache_nice_tries, sizeof(int), 0644, proc_dointvec_minmax); +- set_table_entry(&table[5], "flags", &sd->flags, sizeof(int), 0444, proc_dointvec_minmax); ++ set_table_entry(&table[5], "flags", &sd->flags, sizeof(int), 0444, sd_ctl_doflags); + set_table_entry(&table[6], "max_newidle_lb_cost", &sd->max_newidle_lb_cost, sizeof(long), 0644, proc_doulongvec_minmax); + set_table_entry(&table[7], "name", sd->name, CORENAME_MAX_SIZE, 0444, proc_dostring); + /* &table[8] is terminator */ +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index e69de29bb2d..ced95b03267 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -0,0 +1,14 @@ +of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch +nfsv4-turn-off-open-by-filehandle-and-nfs-re-export-.patch +gpio-mpc8xxx-fix-support-for-irq_type_level_low-flow.patch +drm-meson-correct-osd1-global-alpha-value.patch +drm-meson-fix-osd1-rgb-to-ycbcr-coefficient.patch +parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch +efi-libstub-disable-shadow-call-stack.patch +efi-libstub-disable-struct-randomization.patch +sched-debug-output-sd-flag-names-rather-than-their-v.patch +sched-debug-fix-memory-corruption-caused-by-multiple.patch +alsa-pcm-oss-fix-race-at-sndctl_dsp_sync.patch +drm-i915-implement-waedplinkratedatareload.patch +task_stack-x86-cea-force-inline-stack-helpers.patch +tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch diff --git a/queue-5.4/task_stack-x86-cea-force-inline-stack-helpers.patch b/queue-5.4/task_stack-x86-cea-force-inline-stack-helpers.patch new file mode 100644 index 00000000000..29346d9ca39 --- /dev/null +++ b/queue-5.4/task_stack-x86-cea-force-inline-stack-helpers.patch @@ -0,0 +1,53 @@ +From eab9806692fe4d9f332d0d3cff36111fa7cd699e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Mar 2022 20:02:41 +0100 +Subject: task_stack, x86/cea: Force-inline stack helpers + +From: Borislav Petkov + +[ Upstream commit e87f4152e542610d0b4c6c8548964a68a59d2040 ] + +Force-inline two stack helpers to fix the following objtool warnings: + + vmlinux.o: warning: objtool: in_task_stack()+0xc: call to task_stack_page() leaves .noinstr.text section + vmlinux.o: warning: objtool: in_entry_stack()+0x10: call to cpu_entry_stack() leaves .noinstr.text section + +Signed-off-by: Borislav Petkov +Acked-by: Peter Zijlstra (Intel) +Link: https://lore.kernel.org/r/20220324183607.31717-2-bp@alien8.de +Stable-dep-of: 54c3931957f6 ("tracing: hold caller_addr to hardirq_{enable,disable}_ip") +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/cpu_entry_area.h | 2 +- + include/linux/sched/task_stack.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/include/asm/cpu_entry_area.h b/arch/x86/include/asm/cpu_entry_area.h +index ea866c7bf31d..0d1d37d8b279 100644 +--- a/arch/x86/include/asm/cpu_entry_area.h ++++ b/arch/x86/include/asm/cpu_entry_area.h +@@ -133,7 +133,7 @@ extern void cea_set_pte(void *cea_vaddr, phys_addr_t pa, pgprot_t flags); + + extern struct cpu_entry_area *get_cpu_entry_area(int cpu); + +-static inline struct entry_stack *cpu_entry_stack(int cpu) ++static __always_inline struct entry_stack *cpu_entry_stack(int cpu) + { + return &get_cpu_entry_area(cpu)->entry_stack_page.stack; + } +diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h +index d10150587d81..1009b6b5ce40 100644 +--- a/include/linux/sched/task_stack.h ++++ b/include/linux/sched/task_stack.h +@@ -16,7 +16,7 @@ + * try_get_task_stack() instead. task_stack_page will return a pointer + * that could get freed out from under you. + */ +-static inline void *task_stack_page(const struct task_struct *task) ++static __always_inline void *task_stack_page(const struct task_struct *task) + { + return task->stack; + } +-- +2.35.1 + diff --git a/queue-5.4/tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch b/queue-5.4/tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch new file mode 100644 index 00000000000..e68440c54e7 --- /dev/null +++ b/queue-5.4/tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch @@ -0,0 +1,58 @@ +From 1e024ec5ba872a134c200b147a72db3ef7ef2413 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 18:45:14 +0800 +Subject: tracing: hold caller_addr to hardirq_{enable,disable}_ip + +From: Yipeng Zou + +[ Upstream commit 54c3931957f6a6194d5972eccc36d052964b2abe ] + +Currently, The arguments passing to lockdep_hardirqs_{on,off} was fixed +in CALLER_ADDR0. +The function trace_hardirqs_on_caller should have been intended to use +caller_addr to represent the address that caller wants to be traced. + +For example, lockdep log in riscv showing the last {enabled,disabled} at +__trace_hardirqs_{on,off} all the time(if called by): +[ 57.853175] hardirqs last enabled at (2519): __trace_hardirqs_on+0xc/0x14 +[ 57.853848] hardirqs last disabled at (2520): __trace_hardirqs_off+0xc/0x14 + +After use trace_hardirqs_xx_caller, we can get more effective information: +[ 53.781428] hardirqs last enabled at (2595): restore_all+0xe/0x66 +[ 53.782185] hardirqs last disabled at (2596): ret_from_exception+0xa/0x10 + +Link: https://lkml.kernel.org/r/20220901104515.135162-2-zouyipeng@huawei.com + +Cc: stable@vger.kernel.org +Fixes: c3bc8fd637a96 ("tracing: Centralize preemptirq tracepoints and unify their usage") +Signed-off-by: Yipeng Zou +Signed-off-by: Steven Rostedt (Google) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_preemptirq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_preemptirq.c b/kernel/trace/trace_preemptirq.c +index 26b06b09c9f6..e9645f829b94 100644 +--- a/kernel/trace/trace_preemptirq.c ++++ b/kernel/trace/trace_preemptirq.c +@@ -56,14 +56,14 @@ __visible void trace_hardirqs_on_caller(unsigned long caller_addr) + this_cpu_write(tracing_irq_cpu, 0); + } + +- lockdep_hardirqs_on(CALLER_ADDR0); ++ lockdep_hardirqs_on(caller_addr); + } + EXPORT_SYMBOL(trace_hardirqs_on_caller); + NOKPROBE_SYMBOL(trace_hardirqs_on_caller); + + __visible void trace_hardirqs_off_caller(unsigned long caller_addr) + { +- lockdep_hardirqs_off(CALLER_ADDR0); ++ lockdep_hardirqs_off(caller_addr); + + if (!this_cpu_read(tracing_irq_cpu)) { + this_cpu_write(tracing_irq_cpu, 1); +-- +2.35.1 + -- 2.47.3