From 3fa1d4146f36487233dd6f9dc180b63a412fbbe8 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 13 Nov 2021 15:31:05 +0100 Subject: [PATCH] 5.14-stable patches added patches: ath10k-fix-control-message-timeout.patch ath10k-fix-division-by-zero-in-send-path.patch ath6kl-fix-control-message-timeout.patch ath6kl-fix-division-by-zero-in-send-path.patch edac-sb_edac-fix-top-of-high-memory-value-for-broadwell-haswell.patch evm-mark-evm_fixmode-as-__ro_after_init.patch hid-surface-hid-allow-driver-matching-for-target-id-1-devices.patch hid-surface-hid-use-correct-event-registry-for-managing-hid-events.patch hwmon-pmbus-lm25066-add-offset-coefficients.patch ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch ifb-depend-on-netfilter-alternatively-to-tc.patch ipmi-watchdog-set-panic-count-to-proper-value-on-a-panic.patch kvm-ppc-tick-accounting-should-defer-vtime-accounting-til-after-irq-handling.patch kvm-vmx-unregister-posted-interrupt-wakeup-handler-on-hardware-unsetup.patch libata-fix-checking-of-dma-state.patch md-raid1-only-allocate-write-behind-bio-for-writemostly-device.patch mt76-mt7615-fix-skb-use-after-free-on-mac-reset.patch mwifiex-fix-division-by-zero-in-fw-download-path.patch mwifiex-read-a-pci-register-after-writing-the-tx-ring-write-pointer.patch mwifiex-try-waking-the-firmware-until-we-get-an-interrupt.patch pci-mark-atheros-qca6174-to-avoid-bus-reset.patch platform-surface-aggregator_registry-add-support-for-surface-laptop-studio.patch pm-sleep-do-not-let-syscore-devices-runtime-suspend-during-system-transitions.patch powerpc-kvm-fix-kvm_use_magic_page.patch regulator-dt-bindings-samsung-s5m8767-correct-s5m8767-pmic-buck-default-dvs-idx-property.patch regulator-s5m8767-do-not-use-reset-value-as-dvs-voltage-if-gpio-dvs-is-disabled.patch rsi-fix-key-enabled-check-causing-unwanted-encryption-for-vap_id-0.patch rsi-fix-module-dev_oper_mode-parameter-description.patch rsi-fix-occasional-initialisation-failure-with-bt-coex.patch rsi-fix-rate-mask-set-leading-to-p2p-failure.patch rtl8187-fix-control-message-timeouts.patch selinux-fix-race-condition-when-computing-ocontext-sids.patch wcn36xx-fix-ht40-capability-for-2ghz-band.patch wcn36xx-fix-qos-null-data-frame-bitrate-modulation.patch wcn36xx-fix-tx_status-mechanism.patch wcn36xx-handle-connection-loss-indication.patch --- .../ath10k-fix-control-message-timeout.patch | 34 ++ ...0k-fix-division-by-zero-in-send-path.patch | 43 +++ .../ath6kl-fix-control-message-timeout.patch | 33 ++ ...kl-fix-division-by-zero-in-send-path.patch | 42 +++ ...h-memory-value-for-broadwell-haswell.patch | 37 +++ ...-mark-evm_fixmode-as-__ro_after_init.patch | 31 ++ ...ver-matching-for-target-id-1-devices.patch | 35 ++ ...ent-registry-for-managing-hid-events.patch | 65 ++++ ...mbus-lm25066-add-offset-coefficients.patch | 153 +++++++++ ...ct-trampoline-address-to-the-handler.patch | 80 +++++ ...end-on-netfilter-alternatively-to-tc.patch | 33 ++ ...nic-count-to-proper-value-on-a-panic.patch | 58 ++++ ...me-accounting-til-after-irq-handling.patch | 113 +++++++ ...t-wakeup-handler-on-hardware-unsetup.patch | 53 +++ .../libata-fix-checking-of-dma-state.patch | 42 +++ ...te-behind-bio-for-writemostly-device.patch | 44 +++ ...-fix-skb-use-after-free-on-mac-reset.patch | 95 ++++++ ...division-by-zero-in-fw-download-path.patch | 61 ++++ ...er-writing-the-tx-ring-write-pointer.patch | 54 ++++ ...e-firmware-until-we-get-an-interrupt.patch | 116 +++++++ ...k-atheros-qca6174-to-avoid-bus-reset.patch | 38 +++ ...dd-support-for-surface-laptop-studio.patch | 106 ++++++ ...me-suspend-during-system-transitions.patch | 65 ++++ .../powerpc-kvm-fix-kvm_use_magic_page.patch | 32 ++ ...7-pmic-buck-default-dvs-idx-property.patch | 34 ++ ...-dvs-voltage-if-gpio-dvs-is-disabled.patch | 113 +++++++ ...ing-unwanted-encryption-for-vap_id-0.patch | 73 +++++ ...-dev_oper_mode-parameter-description.patch | 95 ++++++ ...-initialisation-failure-with-bt-coex.patch | 112 +++++++ ...rate-mask-set-leading-to-p2p-failure.patch | 294 +++++++++++++++++ ...rtl8187-fix-control-message-timeouts.patch | 87 +++++ ...ndition-when-computing-ocontext-sids.patch | 301 ++++++++++++++++++ queue-5.14/series | 36 +++ ...xx-fix-ht40-capability-for-2ghz-band.patch | 37 +++ ...s-null-data-frame-bitrate-modulation.patch | 43 +++ .../wcn36xx-fix-tx_status-mechanism.patch | 177 ++++++++++ ...xx-handle-connection-loss-indication.patch | 90 ++++++ 37 files changed, 2955 insertions(+) create mode 100644 queue-5.14/ath10k-fix-control-message-timeout.patch create mode 100644 queue-5.14/ath10k-fix-division-by-zero-in-send-path.patch create mode 100644 queue-5.14/ath6kl-fix-control-message-timeout.patch create mode 100644 queue-5.14/ath6kl-fix-division-by-zero-in-send-path.patch create mode 100644 queue-5.14/edac-sb_edac-fix-top-of-high-memory-value-for-broadwell-haswell.patch create mode 100644 queue-5.14/evm-mark-evm_fixmode-as-__ro_after_init.patch create mode 100644 queue-5.14/hid-surface-hid-allow-driver-matching-for-target-id-1-devices.patch create mode 100644 queue-5.14/hid-surface-hid-use-correct-event-registry-for-managing-hid-events.patch create mode 100644 queue-5.14/hwmon-pmbus-lm25066-add-offset-coefficients.patch create mode 100644 queue-5.14/ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch create mode 100644 queue-5.14/ifb-depend-on-netfilter-alternatively-to-tc.patch create mode 100644 queue-5.14/ipmi-watchdog-set-panic-count-to-proper-value-on-a-panic.patch create mode 100644 queue-5.14/kvm-ppc-tick-accounting-should-defer-vtime-accounting-til-after-irq-handling.patch create mode 100644 queue-5.14/kvm-vmx-unregister-posted-interrupt-wakeup-handler-on-hardware-unsetup.patch create mode 100644 queue-5.14/libata-fix-checking-of-dma-state.patch create mode 100644 queue-5.14/md-raid1-only-allocate-write-behind-bio-for-writemostly-device.patch create mode 100644 queue-5.14/mt76-mt7615-fix-skb-use-after-free-on-mac-reset.patch create mode 100644 queue-5.14/mwifiex-fix-division-by-zero-in-fw-download-path.patch create mode 100644 queue-5.14/mwifiex-read-a-pci-register-after-writing-the-tx-ring-write-pointer.patch create mode 100644 queue-5.14/mwifiex-try-waking-the-firmware-until-we-get-an-interrupt.patch create mode 100644 queue-5.14/pci-mark-atheros-qca6174-to-avoid-bus-reset.patch create mode 100644 queue-5.14/platform-surface-aggregator_registry-add-support-for-surface-laptop-studio.patch create mode 100644 queue-5.14/pm-sleep-do-not-let-syscore-devices-runtime-suspend-during-system-transitions.patch create mode 100644 queue-5.14/powerpc-kvm-fix-kvm_use_magic_page.patch create mode 100644 queue-5.14/regulator-dt-bindings-samsung-s5m8767-correct-s5m8767-pmic-buck-default-dvs-idx-property.patch create mode 100644 queue-5.14/regulator-s5m8767-do-not-use-reset-value-as-dvs-voltage-if-gpio-dvs-is-disabled.patch create mode 100644 queue-5.14/rsi-fix-key-enabled-check-causing-unwanted-encryption-for-vap_id-0.patch create mode 100644 queue-5.14/rsi-fix-module-dev_oper_mode-parameter-description.patch create mode 100644 queue-5.14/rsi-fix-occasional-initialisation-failure-with-bt-coex.patch create mode 100644 queue-5.14/rsi-fix-rate-mask-set-leading-to-p2p-failure.patch create mode 100644 queue-5.14/rtl8187-fix-control-message-timeouts.patch create mode 100644 queue-5.14/selinux-fix-race-condition-when-computing-ocontext-sids.patch create mode 100644 queue-5.14/wcn36xx-fix-ht40-capability-for-2ghz-band.patch create mode 100644 queue-5.14/wcn36xx-fix-qos-null-data-frame-bitrate-modulation.patch create mode 100644 queue-5.14/wcn36xx-fix-tx_status-mechanism.patch create mode 100644 queue-5.14/wcn36xx-handle-connection-loss-indication.patch diff --git a/queue-5.14/ath10k-fix-control-message-timeout.patch b/queue-5.14/ath10k-fix-control-message-timeout.patch new file mode 100644 index 00000000000..cf175c2e8e9 --- /dev/null +++ b/queue-5.14/ath10k-fix-control-message-timeout.patch @@ -0,0 +1,34 @@ +From 5286132324230168d3fab6ffc16bfd7de85bdfb4 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 14:05:19 +0200 +Subject: ath10k: fix control-message timeout + +From: Johan Hovold + +commit 5286132324230168d3fab6ffc16bfd7de85bdfb4 upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 4db66499df91 ("ath10k: add initial USB support") +Cc: stable@vger.kernel.org # 4.14 +Cc: Erik Stromdahl +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211025120522.6045-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/usb.c ++++ b/drivers/net/wireless/ath/ath10k/usb.c +@@ -525,7 +525,7 @@ static int ath10k_usb_submit_ctrl_in(str + req, + USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, buf, +- size, 2 * HZ); ++ size, 2000); + + if (ret < 0) { + ath10k_warn(ar, "Failed to read usb control message: %d\n", diff --git a/queue-5.14/ath10k-fix-division-by-zero-in-send-path.patch b/queue-5.14/ath10k-fix-division-by-zero-in-send-path.patch new file mode 100644 index 00000000000..b8f51bd2e3a --- /dev/null +++ b/queue-5.14/ath10k-fix-division-by-zero-in-send-path.patch @@ -0,0 +1,43 @@ +From a006acb931317aad3a8dd41333ebb0453caf49b8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 27 Oct 2021 10:08:17 +0200 +Subject: ath10k: fix division by zero in send path + +From: Johan Hovold + +commit a006acb931317aad3a8dd41333ebb0453caf49b8 upstream. + +Add the missing endpoint max-packet sanity check to probe() to avoid +division by zero in ath10k_usb_hif_tx_sg() in case a malicious device +has broken descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Fixes: 4db66499df91 ("ath10k: add initial USB support") +Cc: stable@vger.kernel.org # 4.14 +Cc: Erik Stromdahl +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211027080819.6675-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/usb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/usb.c ++++ b/drivers/net/wireless/ath/ath10k/usb.c +@@ -853,6 +853,11 @@ static int ath10k_usb_setup_pipe_resourc + le16_to_cpu(endpoint->wMaxPacketSize), + endpoint->bInterval); + } ++ ++ /* Ignore broken descriptors. */ ++ if (usb_endpoint_maxp(endpoint) == 0) ++ continue; ++ + urbcount = 0; + + pipe_num = diff --git a/queue-5.14/ath6kl-fix-control-message-timeout.patch b/queue-5.14/ath6kl-fix-control-message-timeout.patch new file mode 100644 index 00000000000..876b1396a8c --- /dev/null +++ b/queue-5.14/ath6kl-fix-control-message-timeout.patch @@ -0,0 +1,33 @@ +From a066d28a7e729f808a3e6eff22e70c003091544e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 14:05:20 +0200 +Subject: ath6kl: fix control-message timeout + +From: Johan Hovold + +commit a066d28a7e729f808a3e6eff22e70c003091544e upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 241b128b6b69 ("ath6kl: add back beginnings of USB support") +Cc: stable@vger.kernel.org # 3.4 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211025120522.6045-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath6kl/usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath6kl/usb.c ++++ b/drivers/net/wireless/ath/ath6kl/usb.c +@@ -912,7 +912,7 @@ static int ath6kl_usb_submit_ctrl_in(str + req, + USB_DIR_IN | USB_TYPE_VENDOR | + USB_RECIP_DEVICE, value, index, buf, +- size, 2 * HZ); ++ size, 2000); + + if (ret < 0) { + ath6kl_warn("Failed to read usb control message: %d\n", ret); diff --git a/queue-5.14/ath6kl-fix-division-by-zero-in-send-path.patch b/queue-5.14/ath6kl-fix-division-by-zero-in-send-path.patch new file mode 100644 index 00000000000..417d7d5c915 --- /dev/null +++ b/queue-5.14/ath6kl-fix-division-by-zero-in-send-path.patch @@ -0,0 +1,42 @@ +From c1b9ca365deae667192be9fe24db244919971234 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 27 Oct 2021 10:08:18 +0200 +Subject: ath6kl: fix division by zero in send path + +From: Johan Hovold + +commit c1b9ca365deae667192be9fe24db244919971234 upstream. + +Add the missing endpoint max-packet sanity check to probe() to avoid +division by zero in ath10k_usb_hif_tx_sg() in case a malicious device +has broken descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Fixes: 9cbee358687e ("ath6kl: add full USB support") +Cc: stable@vger.kernel.org # 3.5 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211027080819.6675-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath6kl/usb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/ath/ath6kl/usb.c ++++ b/drivers/net/wireless/ath/ath6kl/usb.c +@@ -340,6 +340,11 @@ static int ath6kl_usb_setup_pipe_resourc + le16_to_cpu(endpoint->wMaxPacketSize), + endpoint->bInterval); + } ++ ++ /* Ignore broken descriptors. */ ++ if (usb_endpoint_maxp(endpoint) == 0) ++ continue; ++ + urbcount = 0; + + pipe_num = diff --git a/queue-5.14/edac-sb_edac-fix-top-of-high-memory-value-for-broadwell-haswell.patch b/queue-5.14/edac-sb_edac-fix-top-of-high-memory-value-for-broadwell-haswell.patch new file mode 100644 index 00000000000..980eea69fe0 --- /dev/null +++ b/queue-5.14/edac-sb_edac-fix-top-of-high-memory-value-for-broadwell-haswell.patch @@ -0,0 +1,37 @@ +From 537bddd069c743759addf422d0b8f028ff0f8dbc Mon Sep 17 00:00:00 2001 +From: Eric Badger +Date: Sun, 10 Oct 2021 10:06:56 -0700 +Subject: EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell + +From: Eric Badger + +commit 537bddd069c743759addf422d0b8f028ff0f8dbc upstream. + +The computation of TOHM is off by one bit. This missed bit results in +too low a value for TOHM, which can cause errors in regular memory to +incorrectly report: + + EDAC MC0: 1 CE Error at MMIOH area, on addr 0x000000207fffa680 on any memory + +Fixes: 50d1bb93672f ("sb_edac: add support for Haswell based systems") +Cc: stable@vger.kernel.org +Reported-by: Meeta Saggi +Signed-off-by: Eric Badger +Signed-off-by: Tony Luck +Link: https://lore.kernel.org/r/20211010170127.848113-1-ebadger@purestorage.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/sb_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/sb_edac.c ++++ b/drivers/edac/sb_edac.c +@@ -1052,7 +1052,7 @@ static u64 haswell_get_tohm(struct sbrid + pci_read_config_dword(pvt->info.pci_vtd, HASWELL_TOHM_1, ®); + rc = ((reg << 6) | rc) << 26; + +- return rc | 0x1ffffff; ++ return rc | 0x3ffffff; + } + + static u64 knl_get_tolm(struct sbridge_pvt *pvt) diff --git a/queue-5.14/evm-mark-evm_fixmode-as-__ro_after_init.patch b/queue-5.14/evm-mark-evm_fixmode-as-__ro_after_init.patch new file mode 100644 index 00000000000..c751a0a3e81 --- /dev/null +++ b/queue-5.14/evm-mark-evm_fixmode-as-__ro_after_init.patch @@ -0,0 +1,31 @@ +From 32ba540f3c2a7ef61ed5a577ce25069a3d714fc9 Mon Sep 17 00:00:00 2001 +From: Austin Kim +Date: Thu, 28 Oct 2021 12:26:42 +0100 +Subject: evm: mark evm_fixmode as __ro_after_init + +From: Austin Kim + +commit 32ba540f3c2a7ef61ed5a577ce25069a3d714fc9 upstream. + +The evm_fixmode is only configurable by command-line option and it is never +modified outside initcalls, so declaring it with __ro_after_init is better. + +Signed-off-by: Austin Kim +Cc: stable@vger.kernel.org +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/evm/evm_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/integrity/evm/evm_main.c ++++ b/security/integrity/evm/evm_main.c +@@ -78,7 +78,7 @@ static struct xattr_list evm_config_defa + + LIST_HEAD(evm_config_xattrnames); + +-static int evm_fixmode; ++static int evm_fixmode __ro_after_init; + static int __init evm_set_fixmode(char *str) + { + if (strncmp(str, "fix", 3) == 0) diff --git a/queue-5.14/hid-surface-hid-allow-driver-matching-for-target-id-1-devices.patch b/queue-5.14/hid-surface-hid-allow-driver-matching-for-target-id-1-devices.patch new file mode 100644 index 00000000000..74d5e65d2ef --- /dev/null +++ b/queue-5.14/hid-surface-hid-allow-driver-matching-for-target-id-1-devices.patch @@ -0,0 +1,35 @@ +From ab5fe33925c6b03f646a1153771dab047548e4d8 Mon Sep 17 00:00:00 2001 +From: Maximilian Luz +Date: Thu, 21 Oct 2021 15:09:04 +0200 +Subject: HID: surface-hid: Allow driver matching for target ID 1 devices + +From: Maximilian Luz + +commit ab5fe33925c6b03f646a1153771dab047548e4d8 upstream. + +Until now we have only ever seen HID devices with target ID 2. The new +Surface Laptop Studio however uses HID devices with target ID 1. Allow +matching this driver to those as well. + +Cc: stable@vger.kernel.org # 5.14+ +Signed-off-by: Maximilian Luz +Acked-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20211021130904.862610-4-luzmaximilian@gmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/surface-hid/surface_hid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/surface-hid/surface_hid.c ++++ b/drivers/hid/surface-hid/surface_hid.c +@@ -230,7 +230,7 @@ static void surface_hid_remove(struct ss + } + + static const struct ssam_device_id surface_hid_match[] = { +- { SSAM_SDEV(HID, 0x02, SSAM_ANY_IID, 0x00) }, ++ { SSAM_SDEV(HID, SSAM_ANY_TID, SSAM_ANY_IID, 0x00) }, + { }, + }; + MODULE_DEVICE_TABLE(ssam, surface_hid_match); diff --git a/queue-5.14/hid-surface-hid-use-correct-event-registry-for-managing-hid-events.patch b/queue-5.14/hid-surface-hid-use-correct-event-registry-for-managing-hid-events.patch new file mode 100644 index 00000000000..1d329b69f4b --- /dev/null +++ b/queue-5.14/hid-surface-hid-use-correct-event-registry-for-managing-hid-events.patch @@ -0,0 +1,65 @@ +From dc0fd0acb6e0e8025a0a43ada54513b216254fac Mon Sep 17 00:00:00 2001 +From: Maximilian Luz +Date: Thu, 21 Oct 2021 15:09:03 +0200 +Subject: HID: surface-hid: Use correct event registry for managing HID events + +From: Maximilian Luz + +commit dc0fd0acb6e0e8025a0a43ada54513b216254fac upstream. + +Until now, we have only ever seen the REG-category registry being used +on devices addressed with target ID 2. In fact, we have only ever seen +Surface Aggregator Module (SAM) HID devices with target ID 2. For those +devices, the registry also has to be addressed with target ID 2. + +Some devices, like the new Surface Laptop Studio, however, address their +HID devices on target ID 1. As a result of this, any target ID 2 +commands time out. This includes event management commands addressed to +the target ID 2 REG-category registry. For these devices, the registry +has to be addressed via target ID 1 instead. + +We therefore assume that the target ID of the registry to be used +depends on the target ID of the respective device. Implement this +accordingly. + +Note that we currently allow the surface HID driver to only load against +devices with target ID 2, so these timeouts are not happening (yet). +This is just a preparation step before we allow the driver to load +against all target IDs. + +Cc: stable@vger.kernel.org # 5.14+ +Signed-off-by: Maximilian Luz +Acked-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20211021130904.862610-3-luzmaximilian@gmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/surface-hid/surface_hid.c | 2 +- + include/linux/surface_aggregator/controller.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/hid/surface-hid/surface_hid.c ++++ b/drivers/hid/surface-hid/surface_hid.c +@@ -209,7 +209,7 @@ static int surface_hid_probe(struct ssam + + shid->notif.base.priority = 1; + shid->notif.base.fn = ssam_hid_event_fn; +- shid->notif.event.reg = SSAM_EVENT_REGISTRY_REG; ++ shid->notif.event.reg = SSAM_EVENT_REGISTRY_REG(sdev->uid.target); + shid->notif.event.id.target_category = sdev->uid.category; + shid->notif.event.id.instance = sdev->uid.instance; + shid->notif.event.mask = SSAM_EVENT_MASK_STRICT; +--- a/include/linux/surface_aggregator/controller.h ++++ b/include/linux/surface_aggregator/controller.h +@@ -792,8 +792,8 @@ enum ssam_event_mask { + #define SSAM_EVENT_REGISTRY_KIP \ + SSAM_EVENT_REGISTRY(SSAM_SSH_TC_KIP, 0x02, 0x27, 0x28) + +-#define SSAM_EVENT_REGISTRY_REG \ +- SSAM_EVENT_REGISTRY(SSAM_SSH_TC_REG, 0x02, 0x01, 0x02) ++#define SSAM_EVENT_REGISTRY_REG(tid)\ ++ SSAM_EVENT_REGISTRY(SSAM_SSH_TC_REG, tid, 0x01, 0x02) + + /** + * enum ssam_event_notifier_flags - Flags for event notifiers. diff --git a/queue-5.14/hwmon-pmbus-lm25066-add-offset-coefficients.patch b/queue-5.14/hwmon-pmbus-lm25066-add-offset-coefficients.patch new file mode 100644 index 00000000000..53849282597 --- /dev/null +++ b/queue-5.14/hwmon-pmbus-lm25066-add-offset-coefficients.patch @@ -0,0 +1,153 @@ +From ae59dc455a78fb73034dd1fbb337d7e59c27cbd8 Mon Sep 17 00:00:00 2001 +From: Zev Weiss +Date: Tue, 28 Sep 2021 02:22:35 -0700 +Subject: hwmon: (pmbus/lm25066) Add offset coefficients + +From: Zev Weiss + +commit ae59dc455a78fb73034dd1fbb337d7e59c27cbd8 upstream. + +With the exception of the lm5066i, all the devices handled by this +driver had been missing their offset ('b') coefficients for direct +format readings. + +Cc: stable@vger.kernel.org +Fixes: 58615a94f6a1 ("hwmon: (pmbus/lm25066) Add support for LM25056") +Fixes: e53e6497fc9f ("hwmon: (pmbus/lm25066) Refactor device specific coefficients") +Signed-off-by: Zev Weiss +Link: https://lore.kernel.org/r/20210928092242.30036-2-zev@bewilderbeest.net +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/lm25066.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/hwmon/pmbus/lm25066.c ++++ b/drivers/hwmon/pmbus/lm25066.c +@@ -55,22 +55,27 @@ static struct __coeff lm25066_coeff[6][P + [lm25056] = { + [PSC_VOLTAGE_IN] = { + .m = 16296, ++ .b = 1343, + .R = -2, + }, + [PSC_CURRENT_IN] = { + .m = 13797, ++ .b = -1833, + .R = -2, + }, + [PSC_CURRENT_IN_L] = { + .m = 6726, ++ .b = -537, + .R = -2, + }, + [PSC_POWER] = { + .m = 5501, ++ .b = -2908, + .R = -3, + }, + [PSC_POWER_L] = { + .m = 26882, ++ .b = -5646, + .R = -4, + }, + [PSC_TEMPERATURE] = { +@@ -82,26 +87,32 @@ static struct __coeff lm25066_coeff[6][P + [lm25066] = { + [PSC_VOLTAGE_IN] = { + .m = 22070, ++ .b = -1800, + .R = -2, + }, + [PSC_VOLTAGE_OUT] = { + .m = 22070, ++ .b = -1800, + .R = -2, + }, + [PSC_CURRENT_IN] = { + .m = 13661, ++ .b = -5200, + .R = -2, + }, + [PSC_CURRENT_IN_L] = { + .m = 6852, ++ .b = -3100, + .R = -2, + }, + [PSC_POWER] = { + .m = 736, ++ .b = -3300, + .R = -2, + }, + [PSC_POWER_L] = { + .m = 369, ++ .b = -1900, + .R = -2, + }, + [PSC_TEMPERATURE] = { +@@ -111,26 +122,32 @@ static struct __coeff lm25066_coeff[6][P + [lm5064] = { + [PSC_VOLTAGE_IN] = { + .m = 4611, ++ .b = -642, + .R = -2, + }, + [PSC_VOLTAGE_OUT] = { + .m = 4621, ++ .b = 423, + .R = -2, + }, + [PSC_CURRENT_IN] = { + .m = 10742, ++ .b = 1552, + .R = -2, + }, + [PSC_CURRENT_IN_L] = { + .m = 5456, ++ .b = 2118, + .R = -2, + }, + [PSC_POWER] = { + .m = 1204, ++ .b = 8524, + .R = -3, + }, + [PSC_POWER_L] = { + .m = 612, ++ .b = 11202, + .R = -3, + }, + [PSC_TEMPERATURE] = { +@@ -140,26 +157,32 @@ static struct __coeff lm25066_coeff[6][P + [lm5066] = { + [PSC_VOLTAGE_IN] = { + .m = 4587, ++ .b = -1200, + .R = -2, + }, + [PSC_VOLTAGE_OUT] = { + .m = 4587, ++ .b = -2400, + .R = -2, + }, + [PSC_CURRENT_IN] = { + .m = 10753, ++ .b = -1200, + .R = -2, + }, + [PSC_CURRENT_IN_L] = { + .m = 5405, ++ .b = -600, + .R = -2, + }, + [PSC_POWER] = { + .m = 1204, ++ .b = -6000, + .R = -3, + }, + [PSC_POWER_L] = { + .m = 605, ++ .b = -8000, + .R = -3, + }, + [PSC_TEMPERATURE] = { diff --git a/queue-5.14/ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch b/queue-5.14/ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch new file mode 100644 index 00000000000..64269714dbc --- /dev/null +++ b/queue-5.14/ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch @@ -0,0 +1,80 @@ +From a7fe2378454cf46cd5e2776d05e72bbe8f0a468c Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Tue, 14 Sep 2021 23:40:27 +0900 +Subject: ia64: kprobes: Fix to pass correct trampoline address to the handler + +From: Masami Hiramatsu + +commit a7fe2378454cf46cd5e2776d05e72bbe8f0a468c upstream. + +The following commit: + + Commit e792ff804f49 ("ia64: kprobes: Use generic kretprobe trampoline handler") + +Passed the wrong trampoline address to __kretprobe_trampoline_handler(): it +passes the descriptor address instead of function entry address. + +Pass the right parameter. + +Also use correct symbol dereference function to get the function address +from 'kretprobe_trampoline' - an IA64 special. + +Link: https://lkml.kernel.org/r/163163042696.489837.12551102356265354730.stgit@devnote2 + +Fixes: e792ff804f49 ("ia64: kprobes: Use generic kretprobe trampoline handler") +Cc: Josh Poimboeuf +Cc: Ingo Molnar +Cc: X86 ML +Cc: Daniel Xu +Cc: Thomas Gleixner +Cc: Borislav Petkov +Cc: Peter Zijlstra +Cc: Abhishek Sagar +Cc: Andrii Nakryiko +Cc: Paul McKenney +Cc: stable@vger.kernel.org +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + arch/ia64/kernel/kprobes.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/ia64/kernel/kprobes.c ++++ b/arch/ia64/kernel/kprobes.c +@@ -398,7 +398,8 @@ static void kretprobe_trampoline(void) + + int __kprobes trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs) + { +- regs->cr_iip = __kretprobe_trampoline_handler(regs, kretprobe_trampoline, NULL); ++ regs->cr_iip = __kretprobe_trampoline_handler(regs, ++ dereference_function_descriptor(kretprobe_trampoline), NULL); + /* + * By returning a non-zero value, we are telling + * kprobe_handler() that we don't want the post_handler +@@ -414,7 +415,7 @@ void __kprobes arch_prepare_kretprobe(st + ri->fp = NULL; + + /* Replace the return addr with trampoline addr */ +- regs->b0 = ((struct fnptr *)kretprobe_trampoline)->ip; ++ regs->b0 = (unsigned long)dereference_function_descriptor(kretprobe_trampoline); + } + + /* Check the instruction in the slot is break */ +@@ -902,14 +903,14 @@ static struct kprobe trampoline_p = { + int __init arch_init_kprobes(void) + { + trampoline_p.addr = +- (kprobe_opcode_t *)((struct fnptr *)kretprobe_trampoline)->ip; ++ dereference_function_descriptor(kretprobe_trampoline); + return register_kprobe(&trampoline_p); + } + + int __kprobes arch_trampoline_kprobe(struct kprobe *p) + { + if (p->addr == +- (kprobe_opcode_t *)((struct fnptr *)kretprobe_trampoline)->ip) ++ dereference_function_descriptor(kretprobe_trampoline)) + return 1; + + return 0; diff --git a/queue-5.14/ifb-depend-on-netfilter-alternatively-to-tc.patch b/queue-5.14/ifb-depend-on-netfilter-alternatively-to-tc.patch new file mode 100644 index 00000000000..575b10abe90 --- /dev/null +++ b/queue-5.14/ifb-depend-on-netfilter-alternatively-to-tc.patch @@ -0,0 +1,33 @@ +From 046178e726c2977d686ba5e07105d5a6685c830e Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Tue, 26 Oct 2021 07:15:32 +0200 +Subject: ifb: Depend on netfilter alternatively to tc + +From: Lukas Wunner + +commit 046178e726c2977d686ba5e07105d5a6685c830e upstream. + +IFB originally depended on NET_CLS_ACT for traffic redirection. +But since v4.5, that may be achieved with NFT_FWD_NETDEV as well. + +Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family") +Signed-off-by: Lukas Wunner +Cc: # v4.5+: bcfabee1afd9: netfilter: nft_fwd_netdev: allow to redirect to ifb via ingress +Cc: # v4.5+ +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/Kconfig ++++ b/drivers/net/Kconfig +@@ -150,7 +150,7 @@ config NET_FC + + config IFB + tristate "Intermediate Functional Block support" +- depends on NET_CLS_ACT ++ depends on NET_ACT_MIRRED || NFT_FWD_NETDEV + select NET_REDIRECT + help + This is an intermediate driver that allows sharing of diff --git a/queue-5.14/ipmi-watchdog-set-panic-count-to-proper-value-on-a-panic.patch b/queue-5.14/ipmi-watchdog-set-panic-count-to-proper-value-on-a-panic.patch new file mode 100644 index 00000000000..fd2a619edc7 --- /dev/null +++ b/queue-5.14/ipmi-watchdog-set-panic-count-to-proper-value-on-a-panic.patch @@ -0,0 +1,58 @@ +From db05ddf7f321634c5659a0cf7ea56594e22365f7 Mon Sep 17 00:00:00 2001 +From: Corey Minyard +Date: Mon, 20 Sep 2021 06:25:37 -0500 +Subject: ipmi:watchdog: Set panic count to proper value on a panic + +From: Corey Minyard + +commit db05ddf7f321634c5659a0cf7ea56594e22365f7 upstream. + +You will get two decrements when the messages on a panic are sent, not +one, since commit 2033f6858970 ("ipmi: Free receive messages when in an +oops") was added, but the watchdog code had a bug where it didn't set +the value properly. + +Reported-by: Anton Lundin +Cc: # v5.4+ +Fixes: 2033f6858970 ("ipmi: Free receive messages when in an oops") +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_watchdog.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/char/ipmi/ipmi_watchdog.c ++++ b/drivers/char/ipmi/ipmi_watchdog.c +@@ -497,7 +497,7 @@ static void panic_halt_ipmi_heartbeat(vo + msg.cmd = IPMI_WDOG_RESET_TIMER; + msg.data = NULL; + msg.data_len = 0; +- atomic_inc(&panic_done_count); ++ atomic_add(2, &panic_done_count); + rv = ipmi_request_supply_msgs(watchdog_user, + (struct ipmi_addr *) &addr, + 0, +@@ -507,7 +507,7 @@ static void panic_halt_ipmi_heartbeat(vo + &panic_halt_heartbeat_recv_msg, + 1); + if (rv) +- atomic_dec(&panic_done_count); ++ atomic_sub(2, &panic_done_count); + } + + static struct ipmi_smi_msg panic_halt_smi_msg = { +@@ -531,12 +531,12 @@ static void panic_halt_ipmi_set_timeout( + /* Wait for the messages to be free. */ + while (atomic_read(&panic_done_count) != 0) + ipmi_poll_interface(watchdog_user); +- atomic_inc(&panic_done_count); ++ atomic_add(2, &panic_done_count); + rv = __ipmi_set_timeout(&panic_halt_smi_msg, + &panic_halt_recv_msg, + &send_heartbeat_now); + if (rv) { +- atomic_dec(&panic_done_count); ++ atomic_sub(2, &panic_done_count); + pr_warn("Unable to extend the watchdog timeout\n"); + } else { + if (send_heartbeat_now) diff --git a/queue-5.14/kvm-ppc-tick-accounting-should-defer-vtime-accounting-til-after-irq-handling.patch b/queue-5.14/kvm-ppc-tick-accounting-should-defer-vtime-accounting-til-after-irq-handling.patch new file mode 100644 index 00000000000..3300956c1e0 --- /dev/null +++ b/queue-5.14/kvm-ppc-tick-accounting-should-defer-vtime-accounting-til-after-irq-handling.patch @@ -0,0 +1,113 @@ +From 235cee162459d96153d63651ce7ff51752528c96 Mon Sep 17 00:00:00 2001 +From: Laurent Vivier +Date: Thu, 28 Oct 2021 00:21:50 +1000 +Subject: KVM: PPC: Tick accounting should defer vtime accounting 'til after IRQ handling + +From: Laurent Vivier + +commit 235cee162459d96153d63651ce7ff51752528c96 upstream. + +Commit 112665286d08 ("KVM: PPC: Book3S HV: Context tracking exit guest +context before enabling irqs") moved guest_exit() into the interrupt +protected area to avoid wrong context warning (or worse). The problem is +that tick-based time accounting has not yet been updated at this point +(because it depends on the timer interrupt firing), so the guest time +gets incorrectly accounted to system time. + +To fix the problem, follow the x86 fix in commit 160457140187 ("Defer +vtime accounting 'til after IRQ handling"), and allow host IRQs to run +before accounting the guest exit time. + +In the case vtime accounting is enabled, this is not required because TB +is used directly for accounting. + +Before this patch, with CONFIG_TICK_CPU_ACCOUNTING=y in the host and a +guest running a kernel compile, the 'guest' fields of /proc/stat are +stuck at zero. With the patch they can be observed increasing roughly as +expected. + +Fixes: e233d54d4d97 ("KVM: booke: use __kvm_guest_exit") +Fixes: 112665286d08 ("KVM: PPC: Book3S HV: Context tracking exit guest context before enabling irqs") +Cc: stable@vger.kernel.org # 5.12+ +Signed-off-by: Laurent Vivier +[np: only required for tick accounting, add Book3E fix, tweak changelog] +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211027142150.3711582-1-npiggin@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_hv.c | 30 ++++++++++++++++++++++++++++-- + arch/powerpc/kvm/booke.c | 16 +++++++++++++++- + 2 files changed, 43 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -3687,7 +3687,20 @@ static noinline void kvmppc_run_core(str + + kvmppc_set_host_core(pcpu); + +- guest_exit_irqoff(); ++ context_tracking_guest_exit(); ++ if (!vtime_accounting_enabled_this_cpu()) { ++ local_irq_enable(); ++ /* ++ * Service IRQs here before vtime_account_guest_exit() so any ++ * ticks that occurred while running the guest are accounted to ++ * the guest. If vtime accounting is enabled, accounting uses ++ * TB rather than ticks, so it can be done without enabling ++ * interrupts here, which has the problem that it accounts ++ * interrupt processing overhead to the host. ++ */ ++ local_irq_disable(); ++ } ++ vtime_account_guest_exit(); + + local_irq_enable(); + +@@ -4462,7 +4475,20 @@ int kvmhv_run_single_vcpu(struct kvm_vcp + + kvmppc_set_host_core(pcpu); + +- guest_exit_irqoff(); ++ context_tracking_guest_exit(); ++ if (!vtime_accounting_enabled_this_cpu()) { ++ local_irq_enable(); ++ /* ++ * Service IRQs here before vtime_account_guest_exit() so any ++ * ticks that occurred while running the guest are accounted to ++ * the guest. If vtime accounting is enabled, accounting uses ++ * TB rather than ticks, so it can be done without enabling ++ * interrupts here, which has the problem that it accounts ++ * interrupt processing overhead to the host. ++ */ ++ local_irq_disable(); ++ } ++ vtime_account_guest_exit(); + + local_irq_enable(); + +--- a/arch/powerpc/kvm/booke.c ++++ b/arch/powerpc/kvm/booke.c +@@ -1047,7 +1047,21 @@ int kvmppc_handle_exit(struct kvm_vcpu * + } + + trace_kvm_exit(exit_nr, vcpu); +- guest_exit_irqoff(); ++ ++ context_tracking_guest_exit(); ++ if (!vtime_accounting_enabled_this_cpu()) { ++ local_irq_enable(); ++ /* ++ * Service IRQs here before vtime_account_guest_exit() so any ++ * ticks that occurred while running the guest are accounted to ++ * the guest. If vtime accounting is enabled, accounting uses ++ * TB rather than ticks, so it can be done without enabling ++ * interrupts here, which has the problem that it accounts ++ * interrupt processing overhead to the host. ++ */ ++ local_irq_disable(); ++ } ++ vtime_account_guest_exit(); + + local_irq_enable(); + diff --git a/queue-5.14/kvm-vmx-unregister-posted-interrupt-wakeup-handler-on-hardware-unsetup.patch b/queue-5.14/kvm-vmx-unregister-posted-interrupt-wakeup-handler-on-hardware-unsetup.patch new file mode 100644 index 00000000000..13bbda1fb42 --- /dev/null +++ b/queue-5.14/kvm-vmx-unregister-posted-interrupt-wakeup-handler-on-hardware-unsetup.patch @@ -0,0 +1,53 @@ +From ec5a4919fa7b7d8c7a2af1c7e799b1fe4be84343 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 8 Oct 2021 17:11:05 -0700 +Subject: KVM: VMX: Unregister posted interrupt wakeup handler on hardware unsetup + +From: Sean Christopherson + +commit ec5a4919fa7b7d8c7a2af1c7e799b1fe4be84343 upstream. + +Unregister KVM's posted interrupt wakeup handler during unsetup so that a +spurious interrupt that arrives after kvm_intel.ko is unloaded doesn't +call into freed memory. + +Fixes: bf9f6ac8d749 ("KVM: Update Posted-Interrupts Descriptor when vCPU is blocked") +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20211009001107.3936588-3-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx/vmx.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx/vmx.c ++++ b/arch/x86/kvm/vmx/vmx.c +@@ -7517,6 +7517,8 @@ static void vmx_migrate_timers(struct kv + + static void hardware_unsetup(void) + { ++ kvm_set_posted_intr_wakeup_handler(NULL); ++ + if (nested) + nested_vmx_hardware_unsetup(); + +@@ -7844,8 +7846,6 @@ static __init int hardware_setup(void) + vmx_x86_ops.request_immediate_exit = __kvm_request_immediate_exit; + } + +- kvm_set_posted_intr_wakeup_handler(pi_wakeup_handler); +- + kvm_mce_cap_supported |= MCG_LMCE_P; + + if (pt_mode != PT_MODE_SYSTEM && pt_mode != PT_MODE_HOST_GUEST) +@@ -7869,6 +7869,9 @@ static __init int hardware_setup(void) + r = alloc_kvm_area(); + if (r) + nested_vmx_hardware_unsetup(); ++ ++ kvm_set_posted_intr_wakeup_handler(pi_wakeup_handler); ++ + return r; + } + diff --git a/queue-5.14/libata-fix-checking-of-dma-state.patch b/queue-5.14/libata-fix-checking-of-dma-state.patch new file mode 100644 index 00000000000..d2e798662fc --- /dev/null +++ b/queue-5.14/libata-fix-checking-of-dma-state.patch @@ -0,0 +1,42 @@ +From f971a85439bd25dc7b4d597cf5e4e8dc7ffc884b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= +Date: Tue, 12 Oct 2021 08:27:44 +0200 +Subject: libata: fix checking of DMA state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Reimar Döffinger + +commit f971a85439bd25dc7b4d597cf5e4e8dc7ffc884b upstream. + +Checking if DMA is enabled should be done via the +ata_dma_enabled helper function, since the init state +0xff indicates disabled. +This meant that ATA_CMD_READ_LOG_DMA_EXT was used and probed +for before DMA was enabled, which caused hangs for some combinations +of controllers and devices. +It might also have caused it to be incorrectly disabled as broken, +but there have been no reports of that. + +Cc: stable@vger.kernel.org +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195895 +Signed-off-by: Reimar Döffinger +Tested-by: Paul Menzel +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2004,7 +2004,7 @@ unsigned int ata_read_log_page(struct at + + retry: + ata_tf_init(dev, &tf); +- if (dev->dma_mode && ata_id_has_read_log_dma_ext(dev->id) && ++ if (ata_dma_enabled(dev) && ata_id_has_read_log_dma_ext(dev->id) && + !(dev->horkage & ATA_HORKAGE_NO_DMA_LOG)) { + tf.command = ATA_CMD_READ_LOG_DMA_EXT; + tf.protocol = ATA_PROT_DMA; diff --git a/queue-5.14/md-raid1-only-allocate-write-behind-bio-for-writemostly-device.patch b/queue-5.14/md-raid1-only-allocate-write-behind-bio-for-writemostly-device.patch new file mode 100644 index 00000000000..09ba265c298 --- /dev/null +++ b/queue-5.14/md-raid1-only-allocate-write-behind-bio-for-writemostly-device.patch @@ -0,0 +1,44 @@ +From fd3b6975e9c11c4fa00965f82a0bfbb3b7b44101 Mon Sep 17 00:00:00 2001 +From: Guoqing Jiang +Date: Mon, 4 Oct 2021 23:34:48 +0800 +Subject: md/raid1: only allocate write behind bio for WriteMostly device + +From: Guoqing Jiang + +commit fd3b6975e9c11c4fa00965f82a0bfbb3b7b44101 upstream. + +Commit 6607cd319b6b91bff94e90f798a61c031650b514 ("raid1: ensure write +behind bio has less than BIO_MAX_VECS sectors") tried to guarantee the +size of behind bio is not bigger than BIO_MAX_VECS sectors. + +Unfortunately the same calltrace still could happen since an array could +enable write-behind without write mostly device. + +To match the manpage of mdadm (which says "write-behind is only attempted +on drives marked as write-mostly"), we need to check WriteMostly flag to +avoid such unexpected behavior. + +[1]. https://bugzilla.kernel.org/show_bug.cgi?id=213181#c25 + +Cc: stable@vger.kernel.org # v5.12+ +Cc: Jens Stutte +Reported-by: Jens Stutte +Signed-off-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1496,7 +1496,7 @@ static void raid1_write_request(struct m + if (!r1_bio->bios[i]) + continue; + +- if (first_clone) { ++ if (first_clone && test_bit(WriteMostly, &rdev->flags)) { + /* do behind I/O ? + * Not if there are too many, or cannot + * allocate memory, or a reader on WriteMostly diff --git a/queue-5.14/mt76-mt7615-fix-skb-use-after-free-on-mac-reset.patch b/queue-5.14/mt76-mt7615-fix-skb-use-after-free-on-mac-reset.patch new file mode 100644 index 00000000000..a377c304118 --- /dev/null +++ b/queue-5.14/mt76-mt7615-fix-skb-use-after-free-on-mac-reset.patch @@ -0,0 +1,95 @@ +From b5cd1fd6043bbb7c5810067b5f93f3016bfd8a6f Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 21 Jul 2021 07:23:46 +0200 +Subject: mt76: mt7615: fix skb use-after-free on mac reset + +From: Felix Fietkau + +commit b5cd1fd6043bbb7c5810067b5f93f3016bfd8a6f upstream. + +When clearing all existing pending tx slots, mt76_tx_complete_skb needs to +be used to free the skbs, to ensure that they are cleared from the status +list as well. + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 45 ++++++++++++------------ + 1 file changed, 23 insertions(+), 22 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c +@@ -1494,32 +1494,41 @@ out: + } + + static void +-mt7615_mac_tx_free_token(struct mt7615_dev *dev, u16 token) ++mt7615_txwi_free(struct mt7615_dev *dev, struct mt76_txwi_cache *txwi) + { + struct mt76_dev *mdev = &dev->mt76; +- struct mt76_txwi_cache *txwi; + __le32 *txwi_data; + u32 val; + u8 wcid; + +- trace_mac_tx_free(dev, token); +- txwi = mt76_token_put(mdev, token); +- if (!txwi) +- return; ++ mt7615_txp_skb_unmap(mdev, txwi); ++ if (!txwi->skb) ++ goto out; + + txwi_data = (__le32 *)mt76_get_txwi_ptr(mdev, txwi); + val = le32_to_cpu(txwi_data[1]); + wcid = FIELD_GET(MT_TXD1_WLAN_IDX, val); ++ mt76_tx_complete_skb(mdev, wcid, txwi->skb); + +- mt7615_txp_skb_unmap(mdev, txwi); +- if (txwi->skb) { +- mt76_tx_complete_skb(mdev, wcid, txwi->skb); +- txwi->skb = NULL; +- } +- ++out: ++ txwi->skb = NULL; + mt76_put_txwi(mdev, txwi); + } + ++static void ++mt7615_mac_tx_free_token(struct mt7615_dev *dev, u16 token) ++{ ++ struct mt76_dev *mdev = &dev->mt76; ++ struct mt76_txwi_cache *txwi; ++ ++ trace_mac_tx_free(dev, token); ++ txwi = mt76_token_put(mdev, token); ++ if (!txwi) ++ return; ++ ++ mt7615_txwi_free(dev, txwi); ++} ++ + static void mt7615_mac_tx_free(struct mt7615_dev *dev, struct sk_buff *skb) + { + struct mt7615_tx_free *free = (struct mt7615_tx_free *)skb->data; +@@ -2026,16 +2035,8 @@ void mt7615_tx_token_put(struct mt7615_d + int id; + + spin_lock_bh(&dev->mt76.token_lock); +- idr_for_each_entry(&dev->mt76.token, txwi, id) { +- mt7615_txp_skb_unmap(&dev->mt76, txwi); +- if (txwi->skb) { +- struct ieee80211_hw *hw; +- +- hw = mt76_tx_status_get_hw(&dev->mt76, txwi->skb); +- ieee80211_free_txskb(hw, txwi->skb); +- } +- mt76_put_txwi(&dev->mt76, txwi); +- } ++ idr_for_each_entry(&dev->mt76.token, txwi, id) ++ mt7615_txwi_free(dev, txwi); + spin_unlock_bh(&dev->mt76.token_lock); + idr_destroy(&dev->mt76.token); + } diff --git a/queue-5.14/mwifiex-fix-division-by-zero-in-fw-download-path.patch b/queue-5.14/mwifiex-fix-division-by-zero-in-fw-download-path.patch new file mode 100644 index 00000000000..1437ef6ed15 --- /dev/null +++ b/queue-5.14/mwifiex-fix-division-by-zero-in-fw-download-path.patch @@ -0,0 +1,61 @@ +From 89f8765a11d8df49296d92c404067f9b5c58ee26 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 27 Oct 2021 10:08:19 +0200 +Subject: mwifiex: fix division by zero in fw download path + +From: Johan Hovold + +commit 89f8765a11d8df49296d92c404067f9b5c58ee26 upstream. + +Add the missing endpoint sanity checks to probe() to avoid division by +zero in mwifiex_write_data_sync() in case a malicious device has broken +descriptors (or when doing descriptor fuzz testing). + +Only add checks for the firmware-download boot stage, which require both +command endpoints, for now. The driver looks like it will handle a +missing endpoint during normal operation without oopsing, albeit not +very gracefully as it will try to submit URBs to the default pipe and +fail. + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Fixes: 4daffe354366 ("mwifiex: add support for Marvell USB8797 chipset") +Cc: stable@vger.kernel.org # 3.5 +Cc: Amitkumar Karwar +Signed-off-by: Johan Hovold +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211027080819.6675-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/usb.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/net/wireless/marvell/mwifiex/usb.c ++++ b/drivers/net/wireless/marvell/mwifiex/usb.c +@@ -505,6 +505,22 @@ static int mwifiex_usb_probe(struct usb_ + } + } + ++ switch (card->usb_boot_state) { ++ case USB8XXX_FW_DNLD: ++ /* Reject broken descriptors. */ ++ if (!card->rx_cmd_ep || !card->tx_cmd_ep) ++ return -ENODEV; ++ if (card->bulk_out_maxpktsize == 0) ++ return -ENODEV; ++ break; ++ case USB8XXX_FW_READY: ++ /* Assume the driver can handle missing endpoints for now. */ ++ break; ++ default: ++ WARN_ON(1); ++ return -ENODEV; ++ } ++ + usb_set_intfdata(intf, card); + + ret = mwifiex_add_card(card, &card->fw_done, &usb_ops, diff --git a/queue-5.14/mwifiex-read-a-pci-register-after-writing-the-tx-ring-write-pointer.patch b/queue-5.14/mwifiex-read-a-pci-register-after-writing-the-tx-ring-write-pointer.patch new file mode 100644 index 00000000000..9b6a2bf0979 --- /dev/null +++ b/queue-5.14/mwifiex-read-a-pci-register-after-writing-the-tx-ring-write-pointer.patch @@ -0,0 +1,54 @@ +From e5f4eb8223aa740237cd463246a7debcddf4eda1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jonas=20Dre=C3=9Fler?= +Date: Mon, 11 Oct 2021 15:32:23 +0200 +Subject: mwifiex: Read a PCI register after writing the TX ring write pointer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +commit e5f4eb8223aa740237cd463246a7debcddf4eda1 upstream. + +On the 88W8897 PCIe+USB card the firmware randomly crashes after setting +the TX ring write pointer. The issue is present in the latest firmware +version 15.68.19.p21 of the PCIe+USB card. + +Those firmware crashes can be worked around by reading any PCI register +of the card after setting that register, so read the PCI_VENDOR_ID +register here. The reason this works is probably because we keep the bus +from entering an ASPM state for a bit longer, because that's what causes +the cards firmware to crash. + +This fixes a bug where during RX/TX traffic and with ASPM L1 substates +enabled (the specific substates where the issue happens appear to be +platform dependent), the firmware crashes and eventually a command +timeout appears in the logs. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=109681 +Cc: stable@vger.kernel.org +Signed-off-by: Jonas Dreßler +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211011133224.15561-2-verdre@v0yd.nl +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/pcie.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/wireless/marvell/mwifiex/pcie.c ++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c +@@ -1479,6 +1479,14 @@ mwifiex_pcie_send_data(struct mwifiex_ad + ret = -1; + goto done_unmap; + } ++ ++ /* The firmware (latest version 15.68.19.p21) of the 88W8897 PCIe+USB card ++ * seems to crash randomly after setting the TX ring write pointer when ++ * ASPM powersaving is enabled. A workaround seems to be keeping the bus ++ * busy by reading a random register afterwards. ++ */ ++ mwifiex_read_reg(adapter, PCI_VENDOR_ID, &rx_val); ++ + if ((mwifiex_pcie_txbd_not_full(card)) && + tx_param->next_pkt_len) { + /* have more packets and TxBD still can hold more */ diff --git a/queue-5.14/mwifiex-try-waking-the-firmware-until-we-get-an-interrupt.patch b/queue-5.14/mwifiex-try-waking-the-firmware-until-we-get-an-interrupt.patch new file mode 100644 index 00000000000..916e507038b --- /dev/null +++ b/queue-5.14/mwifiex-try-waking-the-firmware-until-we-get-an-interrupt.patch @@ -0,0 +1,116 @@ +From 8e3e59c31fea5de95ffc52c46f0c562c39f20c59 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jonas=20Dre=C3=9Fler?= +Date: Mon, 11 Oct 2021 15:32:24 +0200 +Subject: mwifiex: Try waking the firmware until we get an interrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +commit 8e3e59c31fea5de95ffc52c46f0c562c39f20c59 upstream. + +It seems that the PCIe+USB firmware (latest version 15.68.19.p21) of the +88W8897 card sometimes ignores or misses when we try to wake it up by +writing to the firmware status register. This leads to the firmware +wakeup timeout expiring and the driver resetting the card because we +assume the firmware has hung up or crashed. + +Turns out that the firmware actually didn't hang up, but simply "missed" +our wakeup request and didn't send us an interrupt with an AWAKE event. + +Trying again to read the firmware status register after a short timeout +usually makes the firmware wake up as expected, so add a small retry +loop to mwifiex_pm_wakeup_card() that looks at the interrupt status to +check whether the card woke up. + +The number of tries and timeout lengths for this were determined +experimentally: The firmware usually takes about 500 us to wake up +after we attempt to read the status register. In some cases where the +firmware is very busy (for example while doing a bluetooth scan) it +might even miss our requests for multiple milliseconds, which is why +after 15 tries the waiting time gets increased to 10 ms. The maximum +number of tries it took to wake the firmware when testing this was +around 20, so a maximum number of 50 tries should give us plenty of +safety margin. + +Here's a reproducer for those firmware wakeup failures I've found: + +1) Make sure wifi powersaving is enabled (iw dev wlp1s0 set power_save on) +2) Connect to any wifi network (makes firmware go into wifi powersaving +mode, not deep sleep) +3) Make sure bluetooth is turned off (to ensure the firmware actually +enters powersave mode and doesn't keep the radio active doing bluetooth +stuff) +4) To confirm that wifi powersaving is entered ping a device on the LAN, +pings should be a few ms higher than without powersaving +5) Run "while true; do iwconfig; sleep 0.0001; done", this wakes and +suspends the firmware extremely often +6) Wait until things explode, for me it consistently takes <5 minutes + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=109681 +Cc: stable@vger.kernel.org +Signed-off-by: Jonas Dreßler +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211011133224.15561-3-verdre@v0yd.nl +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/pcie.c | 28 +++++++++++++++++++++++----- + 1 file changed, 23 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/marvell/mwifiex/pcie.c ++++ b/drivers/net/wireless/marvell/mwifiex/pcie.c +@@ -17,6 +17,7 @@ + * this warranty disclaimer. + */ + ++#include + #include + + #include "decl.h" +@@ -636,11 +637,15 @@ static void mwifiex_delay_for_sleep_cook + "max count reached while accessing sleep cookie\n"); + } + ++#define N_WAKEUP_TRIES_SHORT_INTERVAL 15 ++#define N_WAKEUP_TRIES_LONG_INTERVAL 35 ++ + /* This function wakes up the card by reading fw_status register. */ + static int mwifiex_pm_wakeup_card(struct mwifiex_adapter *adapter) + { + struct pcie_service_card *card = adapter->card; + const struct mwifiex_pcie_card_reg *reg = card->pcie.reg; ++ int retval; + + mwifiex_dbg(adapter, EVENT, + "event: Wakeup device...\n"); +@@ -648,11 +653,24 @@ static int mwifiex_pm_wakeup_card(struct + if (reg->sleep_cookie) + mwifiex_pcie_dev_wakeup_delay(adapter); + +- /* Accessing fw_status register will wakeup device */ +- if (mwifiex_write_reg(adapter, reg->fw_status, FIRMWARE_READY_PCIE)) { +- mwifiex_dbg(adapter, ERROR, +- "Writing fw_status register failed\n"); +- return -1; ++ /* The 88W8897 PCIe+USB firmware (latest version 15.68.19.p21) sometimes ++ * appears to ignore or miss our wakeup request, so we continue trying ++ * until we receive an interrupt from the card. ++ */ ++ if (read_poll_timeout(mwifiex_write_reg, retval, ++ READ_ONCE(adapter->int_status) != 0, ++ 500, 500 * N_WAKEUP_TRIES_SHORT_INTERVAL, ++ false, ++ adapter, reg->fw_status, FIRMWARE_READY_PCIE)) { ++ if (read_poll_timeout(mwifiex_write_reg, retval, ++ READ_ONCE(adapter->int_status) != 0, ++ 10000, 10000 * N_WAKEUP_TRIES_LONG_INTERVAL, ++ false, ++ adapter, reg->fw_status, FIRMWARE_READY_PCIE)) { ++ mwifiex_dbg(adapter, ERROR, ++ "Firmware didn't wake up\n"); ++ return -EIO; ++ } + } + + if (reg->sleep_cookie) { diff --git a/queue-5.14/pci-mark-atheros-qca6174-to-avoid-bus-reset.patch b/queue-5.14/pci-mark-atheros-qca6174-to-avoid-bus-reset.patch new file mode 100644 index 00000000000..9d21b2b3f33 --- /dev/null +++ b/queue-5.14/pci-mark-atheros-qca6174-to-avoid-bus-reset.patch @@ -0,0 +1,38 @@ +From e3f4bd3462f6f796594ecc0dda7144ed2d1e5a26 Mon Sep 17 00:00:00 2001 +From: Ingmar Klein +Date: Fri, 9 Apr 2021 11:26:33 +0200 +Subject: PCI: Mark Atheros QCA6174 to avoid bus reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ingmar Klein + +commit e3f4bd3462f6f796594ecc0dda7144ed2d1e5a26 upstream. + +When passing the Atheros QCA6174 through to a virtual machine, the VM hangs +at the point where the ath10k driver loads. + +Add a quirk to avoid bus resets on this device, which avoids the hang. + +[bhelgaas: commit log] +Link: https://lore.kernel.org/r/08982e05-b6e8-5a8d-24ab-da1488ee50a8@web.de +Signed-off-by: Ingmar Klein +Signed-off-by: Bjorn Helgaas +Reviewed-by: Pali Rohár +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3573,6 +3573,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003e, quirk_no_bus_reset); + + /* + * Root port on some Cavium CN8xxx chips do not successfully complete a bus diff --git a/queue-5.14/platform-surface-aggregator_registry-add-support-for-surface-laptop-studio.patch b/queue-5.14/platform-surface-aggregator_registry-add-support-for-surface-laptop-studio.patch new file mode 100644 index 00000000000..db177b84fb1 --- /dev/null +++ b/queue-5.14/platform-surface-aggregator_registry-add-support-for-surface-laptop-studio.patch @@ -0,0 +1,106 @@ +From 4f042e40199ce8bac6bc2b853e81744ee4ea759c Mon Sep 17 00:00:00 2001 +From: Maximilian Luz +Date: Thu, 21 Oct 2021 15:09:02 +0200 +Subject: platform/surface: aggregator_registry: Add support for Surface Laptop Studio + +From: Maximilian Luz + +commit 4f042e40199ce8bac6bc2b853e81744ee4ea759c upstream. + +Add support for the Surface Laptop Studio. + +In contrast to previous Surface Laptop models, this one has its HID +devices attached to target ID 1 (instead of 2). It also has a couple +more of them, including a new notifier for when the pen is stashed / +taken out of its place, a "Sys Control" device, and two other +unidentified HID devices with unknown usages. + +Battery and performance profile interfaces remain the same. + +Cc: stable@vger.kernel.org # 5.14+ +Signed-off-by: Maximilian Luz +Link: https://lore.kernel.org/r/20211021130904.862610-2-luzmaximilian@gmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/surface/surface_aggregator_registry.c | 54 +++++++++++++++++ + 1 file changed, 54 insertions(+) + +--- a/drivers/platform/surface/surface_aggregator_registry.c ++++ b/drivers/platform/surface/surface_aggregator_registry.c +@@ -77,6 +77,42 @@ static const struct software_node ssam_n + .parent = &ssam_node_root, + }; + ++/* HID keyboard (TID1). */ ++static const struct software_node ssam_node_hid_tid1_keyboard = { ++ .name = "ssam:01:15:01:01:00", ++ .parent = &ssam_node_root, ++}; ++ ++/* HID pen stash (TID1; pen taken / stashed away evens). */ ++static const struct software_node ssam_node_hid_tid1_penstash = { ++ .name = "ssam:01:15:01:02:00", ++ .parent = &ssam_node_root, ++}; ++ ++/* HID touchpad (TID1). */ ++static const struct software_node ssam_node_hid_tid1_touchpad = { ++ .name = "ssam:01:15:01:03:00", ++ .parent = &ssam_node_root, ++}; ++ ++/* HID device instance 6 (TID1, unknown HID device). */ ++static const struct software_node ssam_node_hid_tid1_iid6 = { ++ .name = "ssam:01:15:01:06:00", ++ .parent = &ssam_node_root, ++}; ++ ++/* HID device instance 7 (TID1, unknown HID device). */ ++static const struct software_node ssam_node_hid_tid1_iid7 = { ++ .name = "ssam:01:15:01:07:00", ++ .parent = &ssam_node_root, ++}; ++ ++/* HID system controls (TID1). */ ++static const struct software_node ssam_node_hid_tid1_sysctrl = { ++ .name = "ssam:01:15:01:08:00", ++ .parent = &ssam_node_root, ++}; ++ + /* HID keyboard. */ + static const struct software_node ssam_node_hid_main_keyboard = { + .name = "ssam:01:15:02:01:00", +@@ -159,6 +195,21 @@ static const struct software_node *ssam_ + NULL, + }; + ++/* Devices for Surface Laptop Studio. */ ++static const struct software_node *ssam_node_group_sls[] = { ++ &ssam_node_root, ++ &ssam_node_bat_ac, ++ &ssam_node_bat_main, ++ &ssam_node_tmp_pprof, ++ &ssam_node_hid_tid1_keyboard, ++ &ssam_node_hid_tid1_penstash, ++ &ssam_node_hid_tid1_touchpad, ++ &ssam_node_hid_tid1_iid6, ++ &ssam_node_hid_tid1_iid7, ++ &ssam_node_hid_tid1_sysctrl, ++ NULL, ++}; ++ + /* Devices for Surface Laptop Go. */ + static const struct software_node *ssam_node_group_slg1[] = { + &ssam_node_root, +@@ -507,6 +558,9 @@ static const struct acpi_device_id ssam_ + /* Surface Laptop Go 1 */ + { "MSHW0118", (unsigned long)ssam_node_group_slg1 }, + ++ /* Surface Laptop Studio */ ++ { "MSHW0123", (unsigned long)ssam_node_group_sls }, ++ + { }, + }; + MODULE_DEVICE_TABLE(acpi, ssam_platform_hub_match); diff --git a/queue-5.14/pm-sleep-do-not-let-syscore-devices-runtime-suspend-during-system-transitions.patch b/queue-5.14/pm-sleep-do-not-let-syscore-devices-runtime-suspend-during-system-transitions.patch new file mode 100644 index 00000000000..7344e6f03f9 --- /dev/null +++ b/queue-5.14/pm-sleep-do-not-let-syscore-devices-runtime-suspend-during-system-transitions.patch @@ -0,0 +1,65 @@ +From 928265e3601cde78c7e0a3e518a93b27defed3b1 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Fri, 22 Oct 2021 14:58:23 +0200 +Subject: PM: sleep: Do not let "syscore" devices runtime-suspend during system transitions + +From: Rafael J. Wysocki + +commit 928265e3601cde78c7e0a3e518a93b27defed3b1 upstream. + +There is no reason to allow "syscore" devices to runtime-suspend +during system-wide PM transitions, because they are subject to the +same possible failure modes as any other devices in that respect. + +Accordingly, change device_prepare() and device_complete() to call +pm_runtime_get_noresume() and pm_runtime_put(), respectively, for +"syscore" devices too. + +Fixes: 057d51a1268f ("Merge branch 'pm-sleep'") +Signed-off-by: Rafael J. Wysocki +Cc: 3.10+ # 3.10+ +Reviewed-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1051,7 +1051,7 @@ static void device_complete(struct devic + const char *info = NULL; + + if (dev->power.syscore) +- return; ++ goto out; + + device_lock(dev); + +@@ -1081,6 +1081,7 @@ static void device_complete(struct devic + + device_unlock(dev); + ++out: + pm_runtime_put(dev); + } + +@@ -1794,9 +1795,6 @@ static int device_prepare(struct device + int (*callback)(struct device *) = NULL; + int ret = 0; + +- if (dev->power.syscore) +- return 0; +- + /* + * If a device's parent goes into runtime suspend at the wrong time, + * it won't be possible to resume the device. To prevent this we +@@ -1805,6 +1803,9 @@ static int device_prepare(struct device + */ + pm_runtime_get_noresume(dev); + ++ if (dev->power.syscore) ++ return 0; ++ + device_lock(dev); + + dev->power.wakeup_path = false; diff --git a/queue-5.14/powerpc-kvm-fix-kvm_use_magic_page.patch b/queue-5.14/powerpc-kvm-fix-kvm_use_magic_page.patch new file mode 100644 index 00000000000..87689884815 --- /dev/null +++ b/queue-5.14/powerpc-kvm-fix-kvm_use_magic_page.patch @@ -0,0 +1,32 @@ +From 0c8eb2884a42d992c7726539328b7d3568f22143 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 2 Aug 2021 13:46:19 +0200 +Subject: powerpc/kvm: Fix kvm_use_magic_page + +From: Andreas Gruenbacher + +commit 0c8eb2884a42d992c7726539328b7d3568f22143 upstream. + +When switching from __get_user to fault_in_pages_readable, commit +9f9eae5ce717 broke kvm_use_magic_page: like __get_user, +fault_in_pages_readable returns 0 on success. + +Fixes: 9f9eae5ce717 ("powerpc/kvm: Prefer fault_in_pages_readable function") +Cc: stable@vger.kernel.org # v4.18+ +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/kvm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/kvm.c ++++ b/arch/powerpc/kernel/kvm.c +@@ -669,7 +669,7 @@ static void __init kvm_use_magic_page(vo + on_each_cpu(kvm_map_magic_page, &features, 1); + + /* Quick self-test to see if the mapping works */ +- if (!fault_in_pages_readable((const char *)KVM_MAGIC_PAGE, sizeof(u32))) { ++ if (fault_in_pages_readable((const char *)KVM_MAGIC_PAGE, sizeof(u32))) { + kvm_patching_worked = false; + return; + } diff --git a/queue-5.14/regulator-dt-bindings-samsung-s5m8767-correct-s5m8767-pmic-buck-default-dvs-idx-property.patch b/queue-5.14/regulator-dt-bindings-samsung-s5m8767-correct-s5m8767-pmic-buck-default-dvs-idx-property.patch new file mode 100644 index 00000000000..9d11b9faf4d --- /dev/null +++ b/queue-5.14/regulator-dt-bindings-samsung-s5m8767-correct-s5m8767-pmic-buck-default-dvs-idx-property.patch @@ -0,0 +1,34 @@ +From a7fda04bc9b6ad9da8e19c9e6e3b1dab773d068a Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 8 Oct 2021 13:37:14 +0200 +Subject: regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property + +From: Krzysztof Kozlowski + +commit a7fda04bc9b6ad9da8e19c9e6e3b1dab773d068a upstream. + +The driver was always parsing "s5m8767,pmic-buck-default-dvs-idx", not +"s5m8767,pmic-buck234-default-dvs-idx". + +Cc: +Fixes: 26aec009f6b6 ("regulator: add device tree support for s5m8767") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Rob Herring +Message-Id: <20211008113723.134648-3-krzysztof.kozlowski@canonical.com> +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt ++++ b/Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt +@@ -39,7 +39,7 @@ Optional properties of the main device n + + Additional properties required if either of the optional properties are used: + +- - s5m8767,pmic-buck234-default-dvs-idx: Default voltage setting selected from ++ - s5m8767,pmic-buck-default-dvs-idx: Default voltage setting selected from + the possible 8 options selectable by the dvs gpios. The value of this + property should be between 0 and 7. If not specified or if out of range, the + default value of this property is set to 0. diff --git a/queue-5.14/regulator-s5m8767-do-not-use-reset-value-as-dvs-voltage-if-gpio-dvs-is-disabled.patch b/queue-5.14/regulator-s5m8767-do-not-use-reset-value-as-dvs-voltage-if-gpio-dvs-is-disabled.patch new file mode 100644 index 00000000000..683d563de40 --- /dev/null +++ b/queue-5.14/regulator-s5m8767-do-not-use-reset-value-as-dvs-voltage-if-gpio-dvs-is-disabled.patch @@ -0,0 +1,113 @@ +From b16bef60a9112b1e6daf3afd16484eb06e7ce792 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 8 Oct 2021 13:37:13 +0200 +Subject: regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled + +From: Krzysztof Kozlowski + +commit b16bef60a9112b1e6daf3afd16484eb06e7ce792 upstream. + +The driver and its bindings, before commit 04f9f068a619 ("regulator: +s5m8767: Modify parsing method of the voltage table of buck2/3/4") were +requiring to provide at least one safe/default voltage for DVS registers +if DVS GPIO is not being enabled. + +IOW, if s5m8767,pmic-buck2-uses-gpio-dvs is missing, the +s5m8767,pmic-buck2-dvs-voltage should still be present and contain one +voltage. + +This requirement was coming from driver behavior matching this condition +(none of DVS GPIO is enabled): it was always initializing the DVS +selector pins to 0 and keeping the DVS enable setting at reset value +(enabled). Therefore if none of DVS GPIO is enabled in devicetree, +driver was configuring the first DVS voltage for buck[234]. + +Mentioned commit 04f9f068a619 ("regulator: s5m8767: Modify parsing +method of the voltage table of buck2/3/4") broke it because DVS voltage +won't be parsed from devicetree if DVS GPIO is not enabled. After the +change, driver will configure bucks to use the register reset value as +voltage which might have unpleasant effects. + +Fix this by relaxing the bindings constrain: if DVS GPIO is not enabled +in devicetree (therefore DVS voltage is also not parsed), explicitly +disable it. + +Cc: +Fixes: 04f9f068a619 ("regulator: s5m8767: Modify parsing method of the voltage table of buck2/3/4") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Rob Herring +Message-Id: <20211008113723.134648-2-krzysztof.kozlowski@canonical.com> +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt | 21 +++------- + drivers/regulator/s5m8767.c | 21 ++++------ + 2 files changed, 17 insertions(+), 25 deletions(-) + +--- a/Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt ++++ b/Documentation/devicetree/bindings/regulator/samsung,s5m8767.txt +@@ -13,6 +13,14 @@ common regulator binding documented in: + + + Required properties of the main device node (the parent!): ++ - s5m8767,pmic-buck-ds-gpios: GPIO specifiers for three host gpio's used ++ for selecting GPIO DVS lines. It is one-to-one mapped to dvs gpio lines. ++ ++ [1] If either of the 's5m8767,pmic-buck[2/3/4]-uses-gpio-dvs' optional ++ property is specified, then all the eight voltage values for the ++ 's5m8767,pmic-buck[2/3/4]-dvs-voltage' should be specified. ++ ++Optional properties of the main device node (the parent!): + - s5m8767,pmic-buck2-dvs-voltage: A set of 8 voltage values in micro-volt (uV) + units for buck2 when changing voltage using gpio dvs. Refer to [1] below + for additional information. +@@ -25,19 +33,6 @@ Required properties of the main device n + units for buck4 when changing voltage using gpio dvs. Refer to [1] below + for additional information. + +- - s5m8767,pmic-buck-ds-gpios: GPIO specifiers for three host gpio's used +- for selecting GPIO DVS lines. It is one-to-one mapped to dvs gpio lines. +- +- [1] If none of the 's5m8767,pmic-buck[2/3/4]-uses-gpio-dvs' optional +- property is specified, the 's5m8767,pmic-buck[2/3/4]-dvs-voltage' +- property should specify atleast one voltage level (which would be a +- safe operating voltage). +- +- If either of the 's5m8767,pmic-buck[2/3/4]-uses-gpio-dvs' optional +- property is specified, then all the eight voltage values for the +- 's5m8767,pmic-buck[2/3/4]-dvs-voltage' should be specified. +- +-Optional properties of the main device node (the parent!): + - s5m8767,pmic-buck2-uses-gpio-dvs: 'buck2' can be controlled by gpio dvs. + - s5m8767,pmic-buck3-uses-gpio-dvs: 'buck3' can be controlled by gpio dvs. + - s5m8767,pmic-buck4-uses-gpio-dvs: 'buck4' can be controlled by gpio dvs. +--- a/drivers/regulator/s5m8767.c ++++ b/drivers/regulator/s5m8767.c +@@ -850,18 +850,15 @@ static int s5m8767_pmic_probe(struct pla + /* DS4 GPIO */ + gpio_direction_output(pdata->buck_ds[2], 0x0); + +- if (pdata->buck2_gpiodvs || pdata->buck3_gpiodvs || +- pdata->buck4_gpiodvs) { +- regmap_update_bits(s5m8767->iodev->regmap_pmic, +- S5M8767_REG_BUCK2CTRL, 1 << 1, +- (pdata->buck2_gpiodvs) ? (1 << 1) : (0 << 1)); +- regmap_update_bits(s5m8767->iodev->regmap_pmic, +- S5M8767_REG_BUCK3CTRL, 1 << 1, +- (pdata->buck3_gpiodvs) ? (1 << 1) : (0 << 1)); +- regmap_update_bits(s5m8767->iodev->regmap_pmic, +- S5M8767_REG_BUCK4CTRL, 1 << 1, +- (pdata->buck4_gpiodvs) ? (1 << 1) : (0 << 1)); +- } ++ regmap_update_bits(s5m8767->iodev->regmap_pmic, ++ S5M8767_REG_BUCK2CTRL, 1 << 1, ++ (pdata->buck2_gpiodvs) ? (1 << 1) : (0 << 1)); ++ regmap_update_bits(s5m8767->iodev->regmap_pmic, ++ S5M8767_REG_BUCK3CTRL, 1 << 1, ++ (pdata->buck3_gpiodvs) ? (1 << 1) : (0 << 1)); ++ regmap_update_bits(s5m8767->iodev->regmap_pmic, ++ S5M8767_REG_BUCK4CTRL, 1 << 1, ++ (pdata->buck4_gpiodvs) ? (1 << 1) : (0 << 1)); + + /* Initialize GPIO DVS registers */ + for (i = 0; i < 8; i++) { diff --git a/queue-5.14/rsi-fix-key-enabled-check-causing-unwanted-encryption-for-vap_id-0.patch b/queue-5.14/rsi-fix-key-enabled-check-causing-unwanted-encryption-for-vap_id-0.patch new file mode 100644 index 00000000000..753e6c1cdb2 --- /dev/null +++ b/queue-5.14/rsi-fix-key-enabled-check-causing-unwanted-encryption-for-vap_id-0.patch @@ -0,0 +1,73 @@ +From 99ac6018821253ec67f466086afb63fc18ea48e2 Mon Sep 17 00:00:00 2001 +From: Martin Fuzzey +Date: Mon, 30 Aug 2021 17:26:45 +0200 +Subject: rsi: fix key enabled check causing unwanted encryption for vap_id > 0 + +From: Martin Fuzzey + +commit 99ac6018821253ec67f466086afb63fc18ea48e2 upstream. + +My previous patch checked if encryption should be enabled by directly +checking info->control.hw_key (like the downstream driver). +However that missed that the control and driver_info members of +struct ieee80211_tx_info are union fields. + +Due to this when rsi_core_xmit() updates fields in "tx_params" +(driver_info) it can overwrite the control.hw_key, causing the result +of the later test to be incorrect. + +With the current structure layout the first byte of control.hw_key is +overlayed with the vap_id so, since we only test if control.hw_key is +NULL / non NULL, a non zero vap_id will incorrectly enable encryption. + +In basic STA and AP modes the vap_id is always zero so it works but in +P2P client mode a second VIF is created causing vap_id to be non zero +and hence encryption to be enabled before keys have been set. + +Fix this by extracting the key presence flag to a new field in the driver +private tx_params structure and populating it first. + +Fixes: 314538041b56 ("rsi: fix AP mode with WPA failure due to encrypted EAPOL") +Signed-off-by: Martin Fuzzey +CC: stable@vger.kernel.org +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1630337206-12410-3-git-send-email-martin.fuzzey@flowbird.group +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_core.c | 2 ++ + drivers/net/wireless/rsi/rsi_91x_hal.c | 2 +- + drivers/net/wireless/rsi/rsi_main.h | 1 + + 3 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_core.c ++++ b/drivers/net/wireless/rsi/rsi_91x_core.c +@@ -399,6 +399,8 @@ void rsi_core_xmit(struct rsi_common *co + + info = IEEE80211_SKB_CB(skb); + tx_params = (struct skb_info *)info->driver_data; ++ /* info->driver_data and info->control part of union so make copy */ ++ tx_params->have_key = !!info->control.hw_key; + wh = (struct ieee80211_hdr *)&skb->data[0]; + tx_params->sta_id = 0; + +--- a/drivers/net/wireless/rsi/rsi_91x_hal.c ++++ b/drivers/net/wireless/rsi/rsi_91x_hal.c +@@ -203,7 +203,7 @@ int rsi_prepare_data_desc(struct rsi_com + wh->frame_control |= cpu_to_le16(RSI_SET_PS_ENABLE); + + if ((!(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)) && +- info->control.hw_key) { ++ tx_params->have_key) { + if (rsi_is_cipher_wep(common)) + ieee80211_size += 4; + else +--- a/drivers/net/wireless/rsi/rsi_main.h ++++ b/drivers/net/wireless/rsi/rsi_main.h +@@ -139,6 +139,7 @@ struct skb_info { + u8 internal_hdr_size; + struct ieee80211_vif *vif; + u8 vap_id; ++ bool have_key; + }; + + enum edca_queue { diff --git a/queue-5.14/rsi-fix-module-dev_oper_mode-parameter-description.patch b/queue-5.14/rsi-fix-module-dev_oper_mode-parameter-description.patch new file mode 100644 index 00000000000..45a5e972098 --- /dev/null +++ b/queue-5.14/rsi-fix-module-dev_oper_mode-parameter-description.patch @@ -0,0 +1,95 @@ +From 31f97cf9f0c31143a2a6fcc89c4a1286ce20157e Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Thu, 16 Sep 2021 16:42:45 +0200 +Subject: rsi: Fix module dev_oper_mode parameter description + +From: Marek Vasut + +commit 31f97cf9f0c31143a2a6fcc89c4a1286ce20157e upstream. + +The module parameters are missing dev_oper_mode 12, BT classic alone, +add it. Moreover, the parameters encode newlines, which ends up being +printed malformed e.g. by modinfo, so fix that too. + +However, the module parameter string is duplicated in both USB and SDIO +modules and the dev_oper_mode mode enumeration in those module parameters +is a duplicate of macros used by the driver. Furthermore, the enumeration +is confusing. + +So, deduplicate the module parameter string and use __stringify() to +encode the correct mode enumeration values into the module parameter +string. Finally, replace 'Wi-Fi' with 'Wi-Fi alone' and 'BT' with +'BT classic alone' to clarify what those modes really mean. + +Fixes: 898b255339310 ("rsi: add module parameter operating mode") +Signed-off-by: Marek Vasut +Cc: Amitkumar Karwar +Cc: Angus Ainslie +Cc: David S. Miller +Cc: Jakub Kicinski +Cc: Kalle Valo +Cc: Karun Eagalapati +Cc: Martin Fuzzey +Cc: Martin Kepplinger +Cc: Prameela Rani Garnepudi +Cc: Sebastian Krzyszkowiak +Cc: Siva Rebbagondla +Cc: netdev@vger.kernel.org +Cc: # 4.17+ +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210916144245.10181-1-marex@denx.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 5 +---- + drivers/net/wireless/rsi/rsi_91x_usb.c | 5 +---- + drivers/net/wireless/rsi/rsi_hal.h | 11 +++++++++++ + 3 files changed, 13 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -24,10 +24,7 @@ + /* Default operating mode is wlan STA + BT */ + static u16 dev_oper_mode = DEV_OPMODE_STA_BT_DUAL; + module_param(dev_oper_mode, ushort, 0444); +-MODULE_PARM_DESC(dev_oper_mode, +- "1[Wi-Fi], 4[BT], 8[BT LE], 5[Wi-Fi STA + BT classic]\n" +- "9[Wi-Fi STA + BT LE], 13[Wi-Fi STA + BT classic + BT LE]\n" +- "6[AP + BT classic], 14[AP + BT classic + BT LE]"); ++MODULE_PARM_DESC(dev_oper_mode, DEV_OPMODE_PARAM_DESC); + + /** + * rsi_sdio_set_cmd52_arg() - This function prepares cmd 52 read/write arg. +--- a/drivers/net/wireless/rsi/rsi_91x_usb.c ++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c +@@ -25,10 +25,7 @@ + /* Default operating mode is wlan STA + BT */ + static u16 dev_oper_mode = DEV_OPMODE_STA_BT_DUAL; + module_param(dev_oper_mode, ushort, 0444); +-MODULE_PARM_DESC(dev_oper_mode, +- "1[Wi-Fi], 4[BT], 8[BT LE], 5[Wi-Fi STA + BT classic]\n" +- "9[Wi-Fi STA + BT LE], 13[Wi-Fi STA + BT classic + BT LE]\n" +- "6[AP + BT classic], 14[AP + BT classic + BT LE]"); ++MODULE_PARM_DESC(dev_oper_mode, DEV_OPMODE_PARAM_DESC); + + static int rsi_rx_urb_submit(struct rsi_hw *adapter, u8 ep_num, gfp_t flags); + +--- a/drivers/net/wireless/rsi/rsi_hal.h ++++ b/drivers/net/wireless/rsi/rsi_hal.h +@@ -28,6 +28,17 @@ + #define DEV_OPMODE_AP_BT 6 + #define DEV_OPMODE_AP_BT_DUAL 14 + ++#define DEV_OPMODE_PARAM_DESC \ ++ __stringify(DEV_OPMODE_WIFI_ALONE) "[Wi-Fi alone], " \ ++ __stringify(DEV_OPMODE_BT_ALONE) "[BT classic alone], " \ ++ __stringify(DEV_OPMODE_BT_LE_ALONE) "[BT LE alone], " \ ++ __stringify(DEV_OPMODE_BT_DUAL) "[BT classic + BT LE alone], " \ ++ __stringify(DEV_OPMODE_STA_BT) "[Wi-Fi STA + BT classic], " \ ++ __stringify(DEV_OPMODE_STA_BT_LE) "[Wi-Fi STA + BT LE], " \ ++ __stringify(DEV_OPMODE_STA_BT_DUAL) "[Wi-Fi STA + BT classic + BT LE], " \ ++ __stringify(DEV_OPMODE_AP_BT) "[Wi-Fi AP + BT classic], " \ ++ __stringify(DEV_OPMODE_AP_BT_DUAL) "[Wi-Fi AP + BT classic + BT LE]" ++ + #define FLASH_WRITE_CHUNK_SIZE (4 * 1024) + #define FLASH_SECTOR_SIZE (4 * 1024) + diff --git a/queue-5.14/rsi-fix-occasional-initialisation-failure-with-bt-coex.patch b/queue-5.14/rsi-fix-occasional-initialisation-failure-with-bt-coex.patch new file mode 100644 index 00000000000..9bc3b80e85e --- /dev/null +++ b/queue-5.14/rsi-fix-occasional-initialisation-failure-with-bt-coex.patch @@ -0,0 +1,112 @@ +From 9b14ed6e11b72dd4806535449ca6c6962cb2369d Mon Sep 17 00:00:00 2001 +From: Martin Fuzzey +Date: Mon, 30 Aug 2021 17:26:44 +0200 +Subject: rsi: fix occasional initialisation failure with BT coex + +From: Martin Fuzzey + +commit 9b14ed6e11b72dd4806535449ca6c6962cb2369d upstream. + +When BT coexistence is enabled (eg oper mode 13, which is the default) +the initialisation on startup sometimes silently fails. + +In a normal initialisation we see + usb 1-1.3: Product: Wireless USB Network Module + usb 1-1.3: Manufacturer: Redpine Signals, Inc. + usb 1-1.3: SerialNumber: 000000000001 + rsi_91x: rsi_probe: Initialized os intf ops + rsi_91x: rsi_load_9116_firmware: Loading chunk 0 + rsi_91x: rsi_load_9116_firmware: Loading chunk 1 + rsi_91x: rsi_load_9116_firmware: Loading chunk 2 + rsi_91x: Max Stations Allowed = 1 + +But sometimes the last log is missing and the wlan net device is +not created. + +Running a userspace loop that resets the hardware via a GPIO shows the +problem occurring ~5/100 resets. + +The problem does not occur in oper mode 1 (wifi only). + +Adding logs shows that the initialisation state machine requests a MAC +reset via rsi_send_reset_mac() but the firmware does not reply, leading +to the initialisation sequence being incomplete. + +Fix this by delaying attaching the BT adapter until the wifi +initialisation has completed. + +With this applied I have done > 300 reset loops with no errors. + +Fixes: 716b840c7641 ("rsi: handle BT traffic in driver") +Signed-off-by: Martin Fuzzey +CC: stable@vger.kernel.org +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1630337206-12410-2-git-send-email-martin.fuzzey@flowbird.group +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_main.c | 16 +++++++++++++--- + drivers/net/wireless/rsi/rsi_91x_mgmt.c | 3 +++ + drivers/net/wireless/rsi/rsi_main.h | 2 ++ + 3 files changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_main.c ++++ b/drivers/net/wireless/rsi/rsi_91x_main.c +@@ -211,9 +211,10 @@ int rsi_read_pkt(struct rsi_common *comm + bt_pkt_type = frame_desc[offset + BT_RX_PKT_TYPE_OFST]; + if (bt_pkt_type == BT_CARD_READY_IND) { + rsi_dbg(INFO_ZONE, "BT Card ready recvd\n"); +- if (rsi_bt_ops.attach(common, &g_proto_ops)) +- rsi_dbg(ERR_ZONE, +- "Failed to attach BT module\n"); ++ if (common->fsm_state == FSM_MAC_INIT_DONE) ++ rsi_attach_bt(common); ++ else ++ common->bt_defer_attach = true; + } else { + if (common->bt_adapter) + rsi_bt_ops.recv_pkt(common->bt_adapter, +@@ -278,6 +279,15 @@ void rsi_set_bt_context(void *priv, void + } + #endif + ++void rsi_attach_bt(struct rsi_common *common) ++{ ++#ifdef CONFIG_RSI_COEX ++ if (rsi_bt_ops.attach(common, &g_proto_ops)) ++ rsi_dbg(ERR_ZONE, ++ "Failed to attach BT module\n"); ++#endif ++} ++ + /** + * rsi_91x_init() - This function initializes os interface operations. + * @oper_mode: One of DEV_OPMODE_*. +--- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c ++++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c +@@ -2071,6 +2071,9 @@ static int rsi_handle_ta_confirm_type(st + if (common->reinit_hw) { + complete(&common->wlan_init_completion); + } else { ++ if (common->bt_defer_attach) ++ rsi_attach_bt(common); ++ + return rsi_mac80211_attach(common); + } + } +--- a/drivers/net/wireless/rsi/rsi_main.h ++++ b/drivers/net/wireless/rsi/rsi_main.h +@@ -320,6 +320,7 @@ struct rsi_common { + struct ieee80211_vif *roc_vif; + + bool eapol4_confirm; ++ bool bt_defer_attach; + void *bt_adapter; + + struct cfg80211_scan_request *hwscan; +@@ -401,5 +402,6 @@ struct rsi_host_intf_ops { + + enum rsi_host_intf rsi_get_host_intf(void *priv); + void rsi_set_bt_context(void *priv, void *bt_context); ++void rsi_attach_bt(struct rsi_common *common); + + #endif diff --git a/queue-5.14/rsi-fix-rate-mask-set-leading-to-p2p-failure.patch b/queue-5.14/rsi-fix-rate-mask-set-leading-to-p2p-failure.patch new file mode 100644 index 00000000000..9577811a579 --- /dev/null +++ b/queue-5.14/rsi-fix-rate-mask-set-leading-to-p2p-failure.patch @@ -0,0 +1,294 @@ +From b515d097053a71d624e0c5840b42cd4caa653941 Mon Sep 17 00:00:00 2001 +From: Martin Fuzzey +Date: Mon, 30 Aug 2021 17:26:46 +0200 +Subject: rsi: fix rate mask set leading to P2P failure + +From: Martin Fuzzey + +commit b515d097053a71d624e0c5840b42cd4caa653941 upstream. + +P2P client mode was only working the first time. +On subsequent connection attempts the group was successfully created but +no data was sent (no transmitted data packets were seen with a sniffer). + +The reason for this was that the hardware was being configured in fixed +rate mode with rate RSI_RATE_1 (1Mbps) which is not valid in the 5GHz band. + +In P2P mode wpa_supplicant uses NL80211_CMD_SET_TX_BITRATE_MASK to disallow +the 11b rates in the 2.4GHz band which updated common->fixedrate_mask. + +rsi_set_min_rate() then used the fixedrate_mask to calculate the minimum +allowed rate, or 0xffff = auto if none was found. +However that calculation did not account for the different rate sets +allowed in the different bands leading to the error. + +Fixing set_min_rate() would result in 6Mb/s being used all the time +which is not what we want either. + +The reason the problem did not occur on the first connection is that +rsi_mac80211_set_rate_mask() only updated the fixedrate_mask for +the *current* band. When it was called that was still 2.4GHz as the +switch is done later. So the when set_min_rate() was subsequently +called after the switch to 5GHz it still had a mask of zero, leading +to defaulting to auto mode. + +Fix this by differentiating the case of a single rate being +requested, in which case the hardware will be used in fixed rate +mode with just that rate, and multiple rates being requested, +in which case we remain in auto mode but the firmware rate selection +algorithm is configured with a restricted set of rates. + +Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver") +Signed-off-by: Martin Fuzzey +CC: stable@vger.kernel.org +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1630337206-12410-4-git-send-email-martin.fuzzey@flowbird.group +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_hal.c | 8 +-- + drivers/net/wireless/rsi/rsi_91x_mac80211.c | 74 ++++++++-------------------- + drivers/net/wireless/rsi/rsi_91x_mgmt.c | 21 +++++-- + drivers/net/wireless/rsi/rsi_main.h | 12 +++- + 4 files changed, 50 insertions(+), 65 deletions(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_hal.c ++++ b/drivers/net/wireless/rsi/rsi_91x_hal.c +@@ -214,15 +214,17 @@ int rsi_prepare_data_desc(struct rsi_com + RSI_WIFI_DATA_Q); + data_desc->header_len = ieee80211_size; + +- if (common->min_rate != RSI_RATE_AUTO) { ++ if (common->rate_config[common->band].fixed_enabled) { + /* Send fixed rate */ ++ u16 fixed_rate = common->rate_config[common->band].fixed_hw_rate; ++ + data_desc->frame_info = cpu_to_le16(RATE_INFO_ENABLE); +- data_desc->rate_info = cpu_to_le16(common->min_rate); ++ data_desc->rate_info = cpu_to_le16(fixed_rate); + + if (conf_is_ht40(&common->priv->hw->conf)) + data_desc->bbp_info = cpu_to_le16(FULL40M_ENABLE); + +- if ((common->vif_info[0].sgi) && (common->min_rate & 0x100)) { ++ if (common->vif_info[0].sgi && (fixed_rate & 0x100)) { + /* Only MCS rates */ + data_desc->rate_info |= + cpu_to_le16(ENABLE_SHORTGI_RATE); +--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c ++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c +@@ -510,7 +510,6 @@ static int rsi_mac80211_add_interface(st + if ((vif->type == NL80211_IFTYPE_AP) || + (vif->type == NL80211_IFTYPE_P2P_GO)) { + rsi_send_rx_filter_frame(common, DISALLOW_BEACONS); +- common->min_rate = RSI_RATE_AUTO; + for (i = 0; i < common->max_stations; i++) + common->stations[i].sta = NULL; + } +@@ -1228,20 +1227,32 @@ static int rsi_mac80211_set_rate_mask(st + struct ieee80211_vif *vif, + const struct cfg80211_bitrate_mask *mask) + { ++ const unsigned int mcs_offset = ARRAY_SIZE(rsi_rates); + struct rsi_hw *adapter = hw->priv; + struct rsi_common *common = adapter->priv; +- enum nl80211_band band = hw->conf.chandef.chan->band; ++ int i; + + mutex_lock(&common->mutex); +- common->fixedrate_mask[band] = 0; + +- if (mask->control[band].legacy == 0xfff) { +- common->fixedrate_mask[band] = +- (mask->control[band].ht_mcs[0] << 12); +- } else { +- common->fixedrate_mask[band] = +- mask->control[band].legacy; ++ for (i = 0; i < ARRAY_SIZE(common->rate_config); i++) { ++ struct rsi_rate_config *cfg = &common->rate_config[i]; ++ u32 bm; ++ ++ bm = mask->control[i].legacy | (mask->control[i].ht_mcs[0] << mcs_offset); ++ if (hweight32(bm) == 1) { /* single rate */ ++ int rate_index = ffs(bm) - 1; ++ ++ if (rate_index < mcs_offset) ++ cfg->fixed_hw_rate = rsi_rates[rate_index].hw_value; ++ else ++ cfg->fixed_hw_rate = rsi_mcsrates[rate_index - mcs_offset]; ++ cfg->fixed_enabled = true; ++ } else { ++ cfg->configured_mask = bm; ++ cfg->fixed_enabled = false; ++ } + } ++ + mutex_unlock(&common->mutex); + + return 0; +@@ -1378,46 +1389,6 @@ void rsi_indicate_pkt_to_os(struct rsi_c + ieee80211_rx_irqsafe(hw, skb); + } + +-static void rsi_set_min_rate(struct ieee80211_hw *hw, +- struct ieee80211_sta *sta, +- struct rsi_common *common) +-{ +- u8 band = hw->conf.chandef.chan->band; +- u8 ii; +- u32 rate_bitmap; +- bool matched = false; +- +- common->bitrate_mask[band] = sta->supp_rates[band]; +- +- rate_bitmap = (common->fixedrate_mask[band] & sta->supp_rates[band]); +- +- if (rate_bitmap & 0xfff) { +- /* Find out the min rate */ +- for (ii = 0; ii < ARRAY_SIZE(rsi_rates); ii++) { +- if (rate_bitmap & BIT(ii)) { +- common->min_rate = rsi_rates[ii].hw_value; +- matched = true; +- break; +- } +- } +- } +- +- common->vif_info[0].is_ht = sta->ht_cap.ht_supported; +- +- if ((common->vif_info[0].is_ht) && (rate_bitmap >> 12)) { +- for (ii = 0; ii < ARRAY_SIZE(rsi_mcsrates); ii++) { +- if ((rate_bitmap >> 12) & BIT(ii)) { +- common->min_rate = rsi_mcsrates[ii]; +- matched = true; +- break; +- } +- } +- } +- +- if (!matched) +- common->min_rate = 0xffff; +-} +- + /** + * rsi_mac80211_sta_add() - This function notifies driver about a peer getting + * connected. +@@ -1516,9 +1487,9 @@ static int rsi_mac80211_sta_add(struct i + + if ((vif->type == NL80211_IFTYPE_STATION) || + (vif->type == NL80211_IFTYPE_P2P_CLIENT)) { +- rsi_set_min_rate(hw, sta, common); ++ common->bitrate_mask[common->band] = sta->supp_rates[common->band]; ++ common->vif_info[0].is_ht = sta->ht_cap.ht_supported; + if (sta->ht_cap.ht_supported) { +- common->vif_info[0].is_ht = true; + common->bitrate_mask[NL80211_BAND_2GHZ] = + sta->supp_rates[NL80211_BAND_2GHZ]; + if ((sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_20) || +@@ -1592,7 +1563,6 @@ static int rsi_mac80211_sta_remove(struc + bss->qos = sta->wme; + common->bitrate_mask[NL80211_BAND_2GHZ] = 0; + common->bitrate_mask[NL80211_BAND_5GHZ] = 0; +- common->min_rate = 0xffff; + common->vif_info[0].is_ht = false; + common->vif_info[0].sgi = false; + common->vif_info[0].seq_start = 0; +--- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c ++++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c +@@ -276,7 +276,7 @@ static void rsi_set_default_parameters(s + common->channel_width = BW_20MHZ; + common->rts_threshold = IEEE80211_MAX_RTS_THRESHOLD; + common->channel = 1; +- common->min_rate = 0xffff; ++ memset(&common->rate_config, 0, sizeof(common->rate_config)); + common->fsm_state = FSM_CARD_NOT_READY; + common->iface_down = true; + common->endpoint = EP_2GHZ_20MHZ; +@@ -1314,7 +1314,7 @@ static int rsi_send_auto_rate_request(st + u8 band = hw->conf.chandef.chan->band; + u8 num_supported_rates = 0; + u8 rate_table_offset, rate_offset = 0; +- u32 rate_bitmap; ++ u32 rate_bitmap, configured_rates; + u16 *selected_rates, min_rate; + bool is_ht = false, is_sgi = false; + u16 frame_len = sizeof(struct rsi_auto_rate); +@@ -1364,6 +1364,10 @@ static int rsi_send_auto_rate_request(st + is_sgi = true; + } + ++ /* Limit to any rates administratively configured by cfg80211 */ ++ configured_rates = common->rate_config[band].configured_mask ?: 0xffffffff; ++ rate_bitmap &= configured_rates; ++ + if (band == NL80211_BAND_2GHZ) { + if ((rate_bitmap == 0) && (is_ht)) + min_rate = RSI_RATE_MCS0; +@@ -1389,10 +1393,13 @@ static int rsi_send_auto_rate_request(st + num_supported_rates = jj; + + if (is_ht) { +- for (ii = 0; ii < ARRAY_SIZE(mcs); ii++) +- selected_rates[jj++] = mcs[ii]; +- num_supported_rates += ARRAY_SIZE(mcs); +- rate_offset += ARRAY_SIZE(mcs); ++ for (ii = 0; ii < ARRAY_SIZE(mcs); ii++) { ++ if (configured_rates & BIT(ii + ARRAY_SIZE(rsi_rates))) { ++ selected_rates[jj++] = mcs[ii]; ++ num_supported_rates++; ++ rate_offset++; ++ } ++ } + } + + sort(selected_rates, jj, sizeof(u16), &rsi_compare, NULL); +@@ -1482,7 +1489,7 @@ void rsi_inform_bss_status(struct rsi_co + qos_enable, + aid, sta_id, + vif); +- if (common->min_rate == 0xffff) ++ if (!common->rate_config[common->band].fixed_enabled) + rsi_send_auto_rate_request(common, sta, sta_id, vif); + if (opmode == RSI_OPMODE_STA && + !(assoc_cap & WLAN_CAPABILITY_PRIVACY) && +--- a/drivers/net/wireless/rsi/rsi_main.h ++++ b/drivers/net/wireless/rsi/rsi_main.h +@@ -61,6 +61,7 @@ enum RSI_FSM_STATES { + extern u32 rsi_zone_enabled; + extern __printf(2, 3) void rsi_dbg(u32 zone, const char *fmt, ...); + ++#define RSI_MAX_BANDS 2 + #define RSI_MAX_VIFS 3 + #define NUM_EDCA_QUEUES 4 + #define IEEE80211_ADDR_LEN 6 +@@ -230,6 +231,12 @@ struct rsi_9116_features { + u32 ps_options; + }; + ++struct rsi_rate_config { ++ u32 configured_mask; /* configured by mac80211 bits 0-11=legacy 12+ mcs */ ++ u16 fixed_hw_rate; ++ bool fixed_enabled; ++}; ++ + struct rsi_common { + struct rsi_hw *priv; + struct vif_priv vif_info[RSI_MAX_VIFS]; +@@ -255,8 +262,8 @@ struct rsi_common { + u8 channel_width; + + u16 rts_threshold; +- u16 bitrate_mask[2]; +- u32 fixedrate_mask[2]; ++ u32 bitrate_mask[RSI_MAX_BANDS]; ++ struct rsi_rate_config rate_config[RSI_MAX_BANDS]; + + u8 rf_reset; + struct transmit_q_stats tx_stats; +@@ -277,7 +284,6 @@ struct rsi_common { + u8 mac_id; + u8 radio_id; + u16 rate_pwr[20]; +- u16 min_rate; + + /* WMM algo related */ + u8 selected_qnum; diff --git a/queue-5.14/rtl8187-fix-control-message-timeouts.patch b/queue-5.14/rtl8187-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..3a4700a5f6d --- /dev/null +++ b/queue-5.14/rtl8187-fix-control-message-timeouts.patch @@ -0,0 +1,87 @@ +From 2e9be536a213e838daed6ba42024dd68954ac061 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 14:05:21 +0200 +Subject: rtl8187: fix control-message timeouts + +From: Johan Hovold + +commit 2e9be536a213e838daed6ba42024dd68954ac061 upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 605bebe23bf6 ("[PATCH] Add rtl8187 wireless driver") +Cc: stable@vger.kernel.org # 2.6.23 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211025120522.6045-4-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c ++++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/rtl8225.c +@@ -28,7 +28,7 @@ u8 rtl818x_ioread8_idx(struct rtl8187_pr + usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), + RTL8187_REQ_GET_REG, RTL8187_REQT_READ, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits8, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits8, sizeof(val), 500); + + val = priv->io_dmabuf->bits8; + mutex_unlock(&priv->io_mutex); +@@ -45,7 +45,7 @@ u16 rtl818x_ioread16_idx(struct rtl8187_ + usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), + RTL8187_REQ_GET_REG, RTL8187_REQT_READ, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits16, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits16, sizeof(val), 500); + + val = priv->io_dmabuf->bits16; + mutex_unlock(&priv->io_mutex); +@@ -62,7 +62,7 @@ u32 rtl818x_ioread32_idx(struct rtl8187_ + usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), + RTL8187_REQ_GET_REG, RTL8187_REQT_READ, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits32, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits32, sizeof(val), 500); + + val = priv->io_dmabuf->bits32; + mutex_unlock(&priv->io_mutex); +@@ -79,7 +79,7 @@ void rtl818x_iowrite8_idx(struct rtl8187 + usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), + RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits8, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits8, sizeof(val), 500); + + mutex_unlock(&priv->io_mutex); + } +@@ -93,7 +93,7 @@ void rtl818x_iowrite16_idx(struct rtl818 + usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), + RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits16, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits16, sizeof(val), 500); + + mutex_unlock(&priv->io_mutex); + } +@@ -107,7 +107,7 @@ void rtl818x_iowrite32_idx(struct rtl818 + usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), + RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, + (unsigned long)addr, idx & 0x03, +- &priv->io_dmabuf->bits32, sizeof(val), HZ / 2); ++ &priv->io_dmabuf->bits32, sizeof(val), 500); + + mutex_unlock(&priv->io_mutex); + } +@@ -183,7 +183,7 @@ static void rtl8225_write_8051(struct ie + usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), + RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, + addr, 0x8225, &priv->io_dmabuf->bits16, sizeof(data), +- HZ / 2); ++ 500); + + mutex_unlock(&priv->io_mutex); + diff --git a/queue-5.14/selinux-fix-race-condition-when-computing-ocontext-sids.patch b/queue-5.14/selinux-fix-race-condition-when-computing-ocontext-sids.patch new file mode 100644 index 00000000000..65e33022370 --- /dev/null +++ b/queue-5.14/selinux-fix-race-condition-when-computing-ocontext-sids.patch @@ -0,0 +1,301 @@ +From cbfcd13be5cb2a07868afe67520ed181956579a7 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Wed, 28 Jul 2021 16:03:13 +0200 +Subject: selinux: fix race condition when computing ocontext SIDs + +From: Ondrej Mosnacek + +commit cbfcd13be5cb2a07868afe67520ed181956579a7 upstream. + +Current code contains a lot of racy patterns when converting an +ocontext's context structure to an SID. This is being done in a "lazy" +fashion, such that the SID is looked up in the SID table only when it's +first needed and then cached in the "sid" field of the ocontext +structure. However, this is done without any locking or memory barriers +and is thus unsafe. + +Between commits 24ed7fdae669 ("selinux: use separate table for initial +SID lookup") and 66f8e2f03c02 ("selinux: sidtab reverse lookup hash +table"), this race condition lead to an actual observable bug, because a +pointer to the shared sid field was passed directly to +sidtab_context_to_sid(), which was using this location to also store an +intermediate value, which could have been read by other threads and +interpreted as an SID. In practice this caused e.g. new mounts to get a +wrong (seemingly random) filesystem context, leading to strange denials. +This bug has been spotted in the wild at least twice, see [1] and [2]. + +Fix the race condition by making all the racy functions use a common +helper that ensures the ocontext::sid accesses are made safely using the +appropriate SMP constructs. + +Note that security_netif_sid() was populating the sid field of both +contexts stored in the ocontext, but only the first one was actually +used. The SELinux wiki's documentation on the "netifcon" policy +statement [3] suggests that using only the first context is intentional. +I kept only the handling of the first context here, as there is really +no point in doing the SID lookup for the unused one. + +I wasn't able to reproduce the bug mentioned above on any kernel that +includes commit 66f8e2f03c02, even though it has been reported that the +issue occurs with that commit, too, just less frequently. Thus, I wasn't +able to verify that this patch fixes the issue, but it makes sense to +avoid the race condition regardless. + +[1] https://github.com/containers/container-selinux/issues/89 +[2] https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/thread/6DMTAMHIOAOEMUAVTULJD45JZU7IBAFM/ +[3] https://selinuxproject.org/page/NetworkStatements#netifcon + +Cc: stable@vger.kernel.org +Cc: Xinjie Zheng +Reported-by: Sujithra Periasamy +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/ss/services.c | 162 +++++++++++++++++++---------------------- + 1 file changed, 77 insertions(+), 85 deletions(-) + +--- a/security/selinux/ss/services.c ++++ b/security/selinux/ss/services.c +@@ -2375,6 +2375,43 @@ err_policy: + } + + /** ++ * ocontext_to_sid - Helper to safely get sid for an ocontext ++ * @sidtab: SID table ++ * @c: ocontext structure ++ * @index: index of the context entry (0 or 1) ++ * @out_sid: pointer to the resulting SID value ++ * ++ * For all ocontexts except OCON_ISID the SID fields are populated ++ * on-demand when needed. Since updating the SID value is an SMP-sensitive ++ * operation, this helper must be used to do that safely. ++ * ++ * WARNING: This function may return -ESTALE, indicating that the caller ++ * must retry the operation after re-acquiring the policy pointer! ++ */ ++static int ocontext_to_sid(struct sidtab *sidtab, struct ocontext *c, ++ size_t index, u32 *out_sid) ++{ ++ int rc; ++ u32 sid; ++ ++ /* Ensure the associated sidtab entry is visible to this thread. */ ++ sid = smp_load_acquire(&c->sid[index]); ++ if (!sid) { ++ rc = sidtab_context_to_sid(sidtab, &c->context[index], &sid); ++ if (rc) ++ return rc; ++ ++ /* ++ * Ensure the new sidtab entry is visible to other threads ++ * when they see the SID. ++ */ ++ smp_store_release(&c->sid[index], sid); ++ } ++ *out_sid = sid; ++ return 0; ++} ++ ++/** + * security_port_sid - Obtain the SID for a port. + * @state: SELinux state + * @protocol: protocol number +@@ -2412,17 +2449,13 @@ retry: + } + + if (c) { +- if (!c->sid[0]) { +- rc = sidtab_context_to_sid(sidtab, &c->context[0], +- &c->sid[0]); +- if (rc == -ESTALE) { +- rcu_read_unlock(); +- goto retry; +- } +- if (rc) +- goto out; ++ rc = ocontext_to_sid(sidtab, c, 0, out_sid); ++ if (rc == -ESTALE) { ++ rcu_read_unlock(); ++ goto retry; + } +- *out_sid = c->sid[0]; ++ if (rc) ++ goto out; + } else { + *out_sid = SECINITSID_PORT; + } +@@ -2471,18 +2504,13 @@ retry: + } + + if (c) { +- if (!c->sid[0]) { +- rc = sidtab_context_to_sid(sidtab, +- &c->context[0], +- &c->sid[0]); +- if (rc == -ESTALE) { +- rcu_read_unlock(); +- goto retry; +- } +- if (rc) +- goto out; ++ rc = ocontext_to_sid(sidtab, c, 0, out_sid); ++ if (rc == -ESTALE) { ++ rcu_read_unlock(); ++ goto retry; + } +- *out_sid = c->sid[0]; ++ if (rc) ++ goto out; + } else + *out_sid = SECINITSID_UNLABELED; + +@@ -2531,17 +2559,13 @@ retry: + } + + if (c) { +- if (!c->sid[0]) { +- rc = sidtab_context_to_sid(sidtab, &c->context[0], +- &c->sid[0]); +- if (rc == -ESTALE) { +- rcu_read_unlock(); +- goto retry; +- } +- if (rc) +- goto out; ++ rc = ocontext_to_sid(sidtab, c, 0, out_sid); ++ if (rc == -ESTALE) { ++ rcu_read_unlock(); ++ goto retry; + } +- *out_sid = c->sid[0]; ++ if (rc) ++ goto out; + } else + *out_sid = SECINITSID_UNLABELED; + +@@ -2585,25 +2609,13 @@ retry: + } + + if (c) { +- if (!c->sid[0] || !c->sid[1]) { +- rc = sidtab_context_to_sid(sidtab, &c->context[0], +- &c->sid[0]); +- if (rc == -ESTALE) { +- rcu_read_unlock(); +- goto retry; +- } +- if (rc) +- goto out; +- rc = sidtab_context_to_sid(sidtab, &c->context[1], +- &c->sid[1]); +- if (rc == -ESTALE) { +- rcu_read_unlock(); +- goto retry; +- } +- if (rc) +- goto out; ++ rc = ocontext_to_sid(sidtab, c, 0, if_sid); ++ if (rc == -ESTALE) { ++ rcu_read_unlock(); ++ goto retry; + } +- *if_sid = c->sid[0]; ++ if (rc) ++ goto out; + } else + *if_sid = SECINITSID_NETIF; + +@@ -2695,18 +2707,13 @@ retry: + } + + if (c) { +- if (!c->sid[0]) { +- rc = sidtab_context_to_sid(sidtab, +- &c->context[0], +- &c->sid[0]); +- if (rc == -ESTALE) { +- rcu_read_unlock(); +- goto retry; +- } +- if (rc) +- goto out; ++ rc = ocontext_to_sid(sidtab, c, 0, out_sid); ++ if (rc == -ESTALE) { ++ rcu_read_unlock(); ++ goto retry; + } +- *out_sid = c->sid[0]; ++ if (rc) ++ goto out; + } else { + *out_sid = SECINITSID_NODE; + } +@@ -2871,7 +2878,7 @@ static inline int __security_genfs_sid(s + u16 sclass; + struct genfs *genfs; + struct ocontext *c; +- int rc, cmp = 0; ++ int cmp = 0; + + while (path[0] == '/' && path[1] == '/') + path++; +@@ -2885,9 +2892,8 @@ static inline int __security_genfs_sid(s + break; + } + +- rc = -ENOENT; + if (!genfs || cmp) +- goto out; ++ return -ENOENT; + + for (c = genfs->head; c; c = c->next) { + len = strlen(c->u.name); +@@ -2896,20 +2902,10 @@ static inline int __security_genfs_sid(s + break; + } + +- rc = -ENOENT; + if (!c) +- goto out; ++ return -ENOENT; + +- if (!c->sid[0]) { +- rc = sidtab_context_to_sid(sidtab, &c->context[0], &c->sid[0]); +- if (rc) +- goto out; +- } +- +- *sid = c->sid[0]; +- rc = 0; +-out: +- return rc; ++ return ocontext_to_sid(sidtab, c, 0, sid); + } + + /** +@@ -2994,17 +2990,13 @@ retry: + + if (c) { + sbsec->behavior = c->v.behavior; +- if (!c->sid[0]) { +- rc = sidtab_context_to_sid(sidtab, &c->context[0], +- &c->sid[0]); +- if (rc == -ESTALE) { +- rcu_read_unlock(); +- goto retry; +- } +- if (rc) +- goto out; ++ rc = ocontext_to_sid(sidtab, c, 0, &sbsec->sid); ++ if (rc == -ESTALE) { ++ rcu_read_unlock(); ++ goto retry; + } +- sbsec->sid = c->sid[0]; ++ if (rc) ++ goto out; + } else { + rc = __security_genfs_sid(policy, fstype, "/", + SECCLASS_DIR, &sbsec->sid); diff --git a/queue-5.14/series b/queue-5.14/series index 7b4af809f7a..ec6a6bac2cb 100644 --- a/queue-5.14/series +++ b/queue-5.14/series @@ -98,3 +98,39 @@ tools-testing-selftests-vm-split_huge_page_test.c-fi.patch btrfs-clear-missing-device-status-bit-in-btrfs_close_one_device.patch btrfs-fix-lost-error-handling-when-replaying-directory-deletes.patch btrfs-call-btrfs_check_rw_degradable-only-if-there-is-a-missing-device.patch +kvm-vmx-unregister-posted-interrupt-wakeup-handler-on-hardware-unsetup.patch +powerpc-kvm-fix-kvm_use_magic_page.patch +kvm-ppc-tick-accounting-should-defer-vtime-accounting-til-after-irq-handling.patch +ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch +selinux-fix-race-condition-when-computing-ocontext-sids.patch +ipmi-watchdog-set-panic-count-to-proper-value-on-a-panic.patch +md-raid1-only-allocate-write-behind-bio-for-writemostly-device.patch +hwmon-pmbus-lm25066-add-offset-coefficients.patch +regulator-s5m8767-do-not-use-reset-value-as-dvs-voltage-if-gpio-dvs-is-disabled.patch +regulator-dt-bindings-samsung-s5m8767-correct-s5m8767-pmic-buck-default-dvs-idx-property.patch +edac-sb_edac-fix-top-of-high-memory-value-for-broadwell-haswell.patch +mwifiex-fix-division-by-zero-in-fw-download-path.patch +ath6kl-fix-division-by-zero-in-send-path.patch +ath6kl-fix-control-message-timeout.patch +ath10k-fix-control-message-timeout.patch +ath10k-fix-division-by-zero-in-send-path.patch +pci-mark-atheros-qca6174-to-avoid-bus-reset.patch +rtl8187-fix-control-message-timeouts.patch +evm-mark-evm_fixmode-as-__ro_after_init.patch +ifb-depend-on-netfilter-alternatively-to-tc.patch +platform-surface-aggregator_registry-add-support-for-surface-laptop-studio.patch +mt76-mt7615-fix-skb-use-after-free-on-mac-reset.patch +hid-surface-hid-use-correct-event-registry-for-managing-hid-events.patch +hid-surface-hid-allow-driver-matching-for-target-id-1-devices.patch +wcn36xx-fix-ht40-capability-for-2ghz-band.patch +wcn36xx-fix-tx_status-mechanism.patch +wcn36xx-fix-qos-null-data-frame-bitrate-modulation.patch +pm-sleep-do-not-let-syscore-devices-runtime-suspend-during-system-transitions.patch +mwifiex-read-a-pci-register-after-writing-the-tx-ring-write-pointer.patch +mwifiex-try-waking-the-firmware-until-we-get-an-interrupt.patch +libata-fix-checking-of-dma-state.patch +wcn36xx-handle-connection-loss-indication.patch +rsi-fix-occasional-initialisation-failure-with-bt-coex.patch +rsi-fix-key-enabled-check-causing-unwanted-encryption-for-vap_id-0.patch +rsi-fix-rate-mask-set-leading-to-p2p-failure.patch +rsi-fix-module-dev_oper_mode-parameter-description.patch diff --git a/queue-5.14/wcn36xx-fix-ht40-capability-for-2ghz-band.patch b/queue-5.14/wcn36xx-fix-ht40-capability-for-2ghz-band.patch new file mode 100644 index 00000000000..5ef67e8eece --- /dev/null +++ b/queue-5.14/wcn36xx-fix-ht40-capability-for-2ghz-band.patch @@ -0,0 +1,37 @@ +From 960ae77f25631bbe4e3aafefe209b52e044baf31 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Wed, 20 Oct 2021 15:38:53 +0200 +Subject: wcn36xx: Fix HT40 capability for 2Ghz band + +From: Loic Poulain + +commit 960ae77f25631bbe4e3aafefe209b52e044baf31 upstream. + +All wcn36xx controllers are supposed to support HT40 (and SGI40), +This doubles the maximum bitrate/throughput with compatible APs. + +Tested with wcn3620 & wcn3680B. + +Cc: stable@vger.kernel.org +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1634737133-22336-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wcn36xx/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -135,7 +135,9 @@ static struct ieee80211_supported_band w + .cap = IEEE80211_HT_CAP_GRN_FLD | + IEEE80211_HT_CAP_SGI_20 | + IEEE80211_HT_CAP_DSSSCCK40 | +- IEEE80211_HT_CAP_LSIG_TXOP_PROT, ++ IEEE80211_HT_CAP_LSIG_TXOP_PROT | ++ IEEE80211_HT_CAP_SGI_40 | ++ IEEE80211_HT_CAP_SUP_WIDTH_20_40, + .ht_supported = true, + .ampdu_factor = IEEE80211_HT_MAX_AMPDU_64K, + .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16, diff --git a/queue-5.14/wcn36xx-fix-qos-null-data-frame-bitrate-modulation.patch b/queue-5.14/wcn36xx-fix-qos-null-data-frame-bitrate-modulation.patch new file mode 100644 index 00000000000..afafd0b2bae --- /dev/null +++ b/queue-5.14/wcn36xx-fix-qos-null-data-frame-bitrate-modulation.patch @@ -0,0 +1,43 @@ +From d3fd2c95c1c13ec217d43ebef3c61cfa00a6cd37 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Mon, 25 Oct 2021 16:12:18 +0300 +Subject: wcn36xx: Fix (QoS) null data frame bitrate/modulation + +From: Loic Poulain + +commit d3fd2c95c1c13ec217d43ebef3c61cfa00a6cd37 upstream. + +We observe unexpected connection drops with some APs due to +non-acked mac80211 generated null data frames (keep-alive). +After debugging and capture, we noticed that null frames are +submitted at standard data bitrate and that the given APs are +in trouble with that. + +After setting the null frame bitrate to control bitrate, all +null frames are acked as expected and connection is maintained. + +Not sure if it's a requirement of the specification, but it seems +the right thing to do anyway, null frames are mostly used for control +purpose (power-saving, keep-alive...), and submitting them with +a slower/simpler bitrate/modulation is more robust. + +Cc: stable@vger.kernel.org +Fixes: 512b191d9652 ("wcn36xx: Fix TX data path") +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1634560399-15290-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wcn36xx/txrx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -429,6 +429,7 @@ static void wcn36xx_set_tx_data(struct w + if (ieee80211_is_any_nullfunc(hdr->frame_control)) { + /* Don't use a regular queue for null packet (no ampdu) */ + bd->queue_id = WCN36XX_TX_U_WQ_ID; ++ bd->bd_rate = WCN36XX_BD_RATE_CTRL; + } + + if (bcast) { diff --git a/queue-5.14/wcn36xx-fix-tx_status-mechanism.patch b/queue-5.14/wcn36xx-fix-tx_status-mechanism.patch new file mode 100644 index 00000000000..13856f8f2ca --- /dev/null +++ b/queue-5.14/wcn36xx-fix-tx_status-mechanism.patch @@ -0,0 +1,177 @@ +From a9e79b116cc4d0057e912be8f40b2c2e5bdc7c43 Mon Sep 17 00:00:00 2001 +From: Loic Poulain +Date: Mon, 25 Oct 2021 16:12:18 +0300 +Subject: wcn36xx: Fix tx_status mechanism + +From: Loic Poulain + +commit a9e79b116cc4d0057e912be8f40b2c2e5bdc7c43 upstream. + +This change fix the TX ack mechanism in various ways: + +- For NO_ACK tagged packets, we don't need to wait for TX_ACK indication +and so are not subject to the single packet ack limitation. So we don't +have to stop the tx queue, and can call the tx status callback as soon +as DMA transfer has completed. + +- Fix skb ownership/reference. Only start status indication timeout +once the DMA transfer has been completed. This avoids the skb to be +both referenced in the DMA tx ring and by the tx_ack_skb pointer, +preventing any use-after-free or double-free. + +- This adds a sanity (paranoia?) check on the skb tx ack pointer. + +- Resume TX queue if TX status tagged packet TX fails. + +Cc: stable@vger.kernel.org +Fixes: fdf21cc37149 ("wcn36xx: Add TX ack support") +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1634567281-28997-1-git-send-email-loic.poulain@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wcn36xx/dxe.c | 37 ++++++++++++-------------------- + drivers/net/wireless/ath/wcn36xx/txrx.c | 31 +++++--------------------- + 2 files changed, 21 insertions(+), 47 deletions(-) + +--- a/drivers/net/wireless/ath/wcn36xx/dxe.c ++++ b/drivers/net/wireless/ath/wcn36xx/dxe.c +@@ -403,8 +403,21 @@ static void reap_tx_dxes(struct wcn36xx + dma_unmap_single(wcn->dev, ctl->desc->src_addr_l, + ctl->skb->len, DMA_TO_DEVICE); + info = IEEE80211_SKB_CB(ctl->skb); +- if (!(info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS)) { +- /* Keep frame until TX status comes */ ++ if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) { ++ if (info->flags & IEEE80211_TX_CTL_NO_ACK) { ++ info->flags |= IEEE80211_TX_STAT_NOACK_TRANSMITTED; ++ ieee80211_tx_status_irqsafe(wcn->hw, ctl->skb); ++ } else { ++ /* Wait for the TX ack indication or timeout... */ ++ spin_lock(&wcn->dxe_lock); ++ if (WARN_ON(wcn->tx_ack_skb)) ++ ieee80211_free_txskb(wcn->hw, wcn->tx_ack_skb); ++ wcn->tx_ack_skb = ctl->skb; /* Tracking ref */ ++ mod_timer(&wcn->tx_ack_timer, jiffies + HZ / 10); ++ spin_unlock(&wcn->dxe_lock); ++ } ++ /* do not free, ownership transferred to mac80211 status cb */ ++ } else { + ieee80211_free_txskb(wcn->hw, ctl->skb); + } + +@@ -426,7 +439,6 @@ static irqreturn_t wcn36xx_irq_tx_comple + { + struct wcn36xx *wcn = (struct wcn36xx *)dev; + int int_src, int_reason; +- bool transmitted = false; + + wcn36xx_dxe_read_register(wcn, WCN36XX_DXE_INT_SRC_RAW_REG, &int_src); + +@@ -466,7 +478,6 @@ static irqreturn_t wcn36xx_irq_tx_comple + if (int_reason & (WCN36XX_CH_STAT_INT_DONE_MASK | + WCN36XX_CH_STAT_INT_ED_MASK)) { + reap_tx_dxes(wcn, &wcn->dxe_tx_h_ch); +- transmitted = true; + } + } + +@@ -479,7 +490,6 @@ static irqreturn_t wcn36xx_irq_tx_comple + WCN36XX_DXE_0_INT_CLR, + WCN36XX_INT_MASK_CHAN_TX_L); + +- + if (int_reason & WCN36XX_CH_STAT_INT_ERR_MASK ) { + wcn36xx_dxe_write_register(wcn, + WCN36XX_DXE_0_INT_ERR_CLR, +@@ -507,25 +517,8 @@ static irqreturn_t wcn36xx_irq_tx_comple + if (int_reason & (WCN36XX_CH_STAT_INT_DONE_MASK | + WCN36XX_CH_STAT_INT_ED_MASK)) { + reap_tx_dxes(wcn, &wcn->dxe_tx_l_ch); +- transmitted = true; +- } +- } +- +- spin_lock(&wcn->dxe_lock); +- if (wcn->tx_ack_skb && transmitted) { +- struct ieee80211_tx_info *info = IEEE80211_SKB_CB(wcn->tx_ack_skb); +- +- /* TX complete, no need to wait for 802.11 ack indication */ +- if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS && +- info->flags & IEEE80211_TX_CTL_NO_ACK) { +- info->flags |= IEEE80211_TX_STAT_NOACK_TRANSMITTED; +- del_timer(&wcn->tx_ack_timer); +- ieee80211_tx_status_irqsafe(wcn->hw, wcn->tx_ack_skb); +- wcn->tx_ack_skb = NULL; +- ieee80211_wake_queues(wcn->hw); + } + } +- spin_unlock(&wcn->dxe_lock); + + return IRQ_HANDLED; + } +--- a/drivers/net/wireless/ath/wcn36xx/txrx.c ++++ b/drivers/net/wireless/ath/wcn36xx/txrx.c +@@ -502,10 +502,11 @@ int wcn36xx_start_tx(struct wcn36xx *wcn + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; + struct wcn36xx_vif *vif_priv = NULL; + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); +- unsigned long flags; + bool is_low = ieee80211_is_data(hdr->frame_control); + bool bcast = is_broadcast_ether_addr(hdr->addr1) || + is_multicast_ether_addr(hdr->addr1); ++ bool ack_ind = (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) && ++ !(info->flags & IEEE80211_TX_CTL_NO_ACK); + struct wcn36xx_tx_bd bd; + int ret; + +@@ -521,30 +522,16 @@ int wcn36xx_start_tx(struct wcn36xx *wcn + + bd.dpu_rf = WCN36XX_BMU_WQ_TX; + +- if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) { ++ if (unlikely(ack_ind)) { + wcn36xx_dbg(WCN36XX_DBG_DXE, "TX_ACK status requested\n"); + +- spin_lock_irqsave(&wcn->dxe_lock, flags); +- if (wcn->tx_ack_skb) { +- spin_unlock_irqrestore(&wcn->dxe_lock, flags); +- wcn36xx_warn("tx_ack_skb already set\n"); +- return -EINVAL; +- } +- +- wcn->tx_ack_skb = skb; +- spin_unlock_irqrestore(&wcn->dxe_lock, flags); +- + /* Only one at a time is supported by fw. Stop the TX queues + * until the ack status gets back. + */ + ieee80211_stop_queues(wcn->hw); + +- /* TX watchdog if no TX irq or ack indication received */ +- mod_timer(&wcn->tx_ack_timer, jiffies + HZ / 10); +- + /* Request ack indication from the firmware */ +- if (!(info->flags & IEEE80211_TX_CTL_NO_ACK)) +- bd.tx_comp = 1; ++ bd.tx_comp = 1; + } + + /* Data frames served first*/ +@@ -558,14 +545,8 @@ int wcn36xx_start_tx(struct wcn36xx *wcn + bd.tx_bd_sign = 0xbdbdbdbd; + + ret = wcn36xx_dxe_tx_frame(wcn, vif_priv, &bd, skb, is_low); +- if (ret && (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS)) { +- /* If the skb has not been transmitted, +- * don't keep a reference to it. +- */ +- spin_lock_irqsave(&wcn->dxe_lock, flags); +- wcn->tx_ack_skb = NULL; +- spin_unlock_irqrestore(&wcn->dxe_lock, flags); +- ++ if (unlikely(ret && ack_ind)) { ++ /* If the skb has not been transmitted, resume TX queue */ + ieee80211_wake_queues(wcn->hw); + } + diff --git a/queue-5.14/wcn36xx-handle-connection-loss-indication.patch b/queue-5.14/wcn36xx-handle-connection-loss-indication.patch new file mode 100644 index 00000000000..60a7185468e --- /dev/null +++ b/queue-5.14/wcn36xx-handle-connection-loss-indication.patch @@ -0,0 +1,90 @@ +From d6dbce453b19c64b96f3e927b10230f9a704b504 Mon Sep 17 00:00:00 2001 +From: Benjamin Li +Date: Wed, 1 Sep 2021 11:06:05 -0700 +Subject: wcn36xx: handle connection loss indication + +From: Benjamin Li + +commit d6dbce453b19c64b96f3e927b10230f9a704b504 upstream. + +Firmware sends delete_sta_context_ind when it detects the AP has gone +away in STA mode. Right now the handler for that indication only handles +AP mode; fix it to also handle STA mode. + +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Li +Reviewed-by: Bryan O'Donoghue +Reviewed-by: Loic Poulain +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210901180606.11686-1-benl@squareup.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wcn36xx/smd.c | 44 ++++++++++++++++++++++++--------- + 1 file changed, 33 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/ath/wcn36xx/smd.c ++++ b/drivers/net/wireless/ath/wcn36xx/smd.c +@@ -2623,30 +2623,52 @@ static int wcn36xx_smd_delete_sta_contex + size_t len) + { + struct wcn36xx_hal_delete_sta_context_ind_msg *rsp = buf; +- struct wcn36xx_vif *tmp; ++ struct wcn36xx_vif *vif_priv; ++ struct ieee80211_vif *vif; ++ struct ieee80211_bss_conf *bss_conf; + struct ieee80211_sta *sta; ++ bool found = false; + + if (len != sizeof(*rsp)) { + wcn36xx_warn("Corrupted delete sta indication\n"); + return -EIO; + } + +- wcn36xx_dbg(WCN36XX_DBG_HAL, "delete station indication %pM index %d\n", +- rsp->addr2, rsp->sta_id); ++ wcn36xx_dbg(WCN36XX_DBG_HAL, ++ "delete station indication %pM index %d reason %d\n", ++ rsp->addr2, rsp->sta_id, rsp->reason_code); + +- list_for_each_entry(tmp, &wcn->vif_list, list) { ++ list_for_each_entry(vif_priv, &wcn->vif_list, list) { + rcu_read_lock(); +- sta = ieee80211_find_sta(wcn36xx_priv_to_vif(tmp), rsp->addr2); +- if (sta) +- ieee80211_report_low_ack(sta, 0); ++ vif = wcn36xx_priv_to_vif(vif_priv); ++ ++ if (vif->type == NL80211_IFTYPE_STATION) { ++ /* We could call ieee80211_find_sta too, but checking ++ * bss_conf is clearer. ++ */ ++ bss_conf = &vif->bss_conf; ++ if (vif_priv->sta_assoc && ++ !memcmp(bss_conf->bssid, rsp->addr2, ETH_ALEN)) { ++ found = true; ++ wcn36xx_dbg(WCN36XX_DBG_HAL, ++ "connection loss bss_index %d\n", ++ vif_priv->bss_index); ++ ieee80211_connection_loss(vif); ++ } ++ } else { ++ sta = ieee80211_find_sta(vif, rsp->addr2); ++ if (sta) { ++ found = true; ++ ieee80211_report_low_ack(sta, 0); ++ } ++ } ++ + rcu_read_unlock(); +- if (sta) ++ if (found) + return 0; + } + +- wcn36xx_warn("STA with addr %pM and index %d not found\n", +- rsp->addr2, +- rsp->sta_id); ++ wcn36xx_warn("BSS or STA with addr %pM not found\n", rsp->addr2); + return -ENOENT; + } + -- 2.47.2